Difference between revisions of "Openssl"

From DWIKI
m
 
(15 intermediate revisions by the same user not shown)
Line 8: Line 8:


== Tools ==
== Tools ==
 
*openssl
*sslscan  
*sslscan  
*sclient
*sclient
 
*[[gnutls-cli]]


== Documentation and HOWTOs ==
== Documentation and HOWTOs ==
Line 31: Line 31:
*[https://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/ Checking A Remote Certificate Chain With OpenSSL]
*[https://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/ Checking A Remote Certificate Chain With OpenSSL]


 
*[https://www.howtouselinux.com/post/certificate-chain Check SSL Certificate Chain with OpenSSL Examples]
=== Dovecot and ssl ===
=== Dovecot and ssl ===


Line 174: Line 174:
  mkdir newcerts
  mkdir newcerts
  (perform secret rituals)
  (perform secret rituals)




Line 180: Line 183:


= FAQ =
= FAQ =
== Order of certificates in bundle==
Root CA comes last




Line 187: Line 193:


try adding -cert
try adding -cert
 
=== Secure Renegotiation IS NOT supported ===
Probably using wrong TLS version


=== Can't use SSL_get_servername ===
=== Can't use SSL_get_servername ===
Line 192: Line 204:
Try using hostname instead of IP address
Try using hostname instead of IP address


===write:errno=104===
=== write:errno=104 ===
 
server reset the connection
server reset the connection
===no peer certificate available===
Could be trying to talk tls to ssl?


== unable to load client certificate private key file ==
== unable to load client certificate private key file ==
Line 217: Line 233:
Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure.
Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure.


 


== check certificate chain ==
== check certificate chain ==
Line 223: Line 240:
        
        


 


=== Some of the output ===
=== Some of the output ===
Line 236: Line 254:


i: issuer ( openssl x509 -noout -in foo.crt -issuer )
i: issuer ( openssl x509 -noout -in foo.crt -issuer )
OR
openssl s_client -showcerts -verify 5 -connect ldap.example.com:636  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'
or
openssl s_client -showcerts -verify 5 -connect ldap.example.com:389 starttls ldap  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'


== check expiration date ==
== check expiration date ==
Line 241: Line 265:
  echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates
  echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates


&nbsp;
 
 
openssl x509 -enddate -noout -in file.pem


== 139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE ==
== 139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE ==
Line 272: Line 298:
seems to be an lftp issue
seems to be an lftp issue


==unsupported certificate purpose==
== unsupported certificate purpose ==
 
??
??
&nbsp;


== ssllabs checks ==
== ssllabs checks ==


=== Chain issues Contains anchor ===
=== Chain issues: Incorrect order, Contains anchor ===


TODO
Could be the topmost cert in the bundle provided, try removing it


&nbsp;
&nbsp;


=== check smtp submission ===
=== Chain issues: Contains anchor ===
 
Seems to mean there's a root ca in the bundle
 
== check smtp submission ==
 
echo -n "username" | base64
echo -n "password" | base64
 
openssl s_client -connect mail.host.com:587 -starttls smtp -crlf
 
EHLO foo.bar
AUTH LOGIN
 
base64username
 
base64password
 
OR
 
echo -ne '\0username\0password'| base64
AUTH LOGING output_of_that_echo
 
===Peer's Certificate issuer is not recognized.===
 
=p12 / pkcs12=
https://fileinfo.com/extension/p12
 
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem
 
 


openssl s_client -connect mail.host.com:587 -starttls smtp -tls1_
===server certificate does NOT include an ID which matches the server name===
todo

Latest revision as of 12:14, 29 September 2022

Links


Tools

Documentation and HOWTOs

Dovecot and ssl

Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem

In dovecot.conf:

ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt
ssl_key_file = /usr/local/etc/myserver.key
#optional, only if you want to require client to provide cert
#ssl_ca_file = /usr/local/etc/intermediate.pem

Courier-imap and ssl

Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem
cat myserver.key >> IMAP.EXAMPLE.COM.crt

In imapd-ssl:

TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt
TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem

Network Solutions certificates bundle

See http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/

cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt

 

Comodo bundle order

COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot )

Generate a signing request

openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr

The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!

Tips&Tricks

Create private key (using config file)

openssl req (-config /etc/pki/tls/www.example.com.cnf) -newkey rsa:2048 -nodes -keyout domain.key

Create CSR using config file

openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -nodes -keyout example.com.key -out www.example.com.csr

Convert der to pem

openssl x509 -inform der -in certificate.cer -out certificate.pem

Creating CSR for multiple hosts

For example http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html

Remove password from private key

https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase

Examining certificates

openssl verify cert.pem
openssl x509 -in cacert.pem -noout -text
openssl x509 -in foo.pem  -inform pem -noout -text 
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
openssl x509 -noout -text -in ca.crt

with expiration date:

openssl x509 -noout -text -enddate -in ca.crt
  1. to check CN
openssl x509 -in server.crt -noout -subject
openssl pkcs12 -info -in keyStore.p12
openssl pkcs12 -info -in keyStore.pfx


Checking a service

  1. Note -CApath should point to your local collection of public CA certs
openssl s_client -connect -CApath /etc/ssl/certs host:pop3 -starttls pop3
openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.example.com -prexit
openssl s_client -connect imap.example.com:143 -starttls imap
openssl s_client -connect web.server:443 -showcerts
openssl s_client -connect webmail.example.com:443 -servername vhost.example.com

Just check expiration date:

 openssl s_client -connect imap.example.com:143 -starttls imap 2>/dev/null | openssl x509 -noout -dates

 

Check your site


gnutls-cli

echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status
echo quit | gnutls-cli --port 465 servac.skk | grep Status

check if certs match

TODO: -clr_check too

openssl pkey -in privateKey.key -pubout -outform pem | sha256sum 
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum 
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum

These values show match Also:

openssl verify -CAfile ca-bundle foo_bar.crt

A script to do these checks: [sslcheck]

Creating your own CA and signing with it

(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)

cd /etc/ssl
mkdir newcerts
(perform secret rituals)





FAQ

Order of certificates in bundle

Root CA comes last


using s_client

no client certificate sent

try adding -cert

 

Secure Renegotiation IS NOT supported

Probably using wrong TLS version

Can't use SSL_get_servername

Try using hostname instead of IP address

write:errno=104

server reset the connection

no peer certificate available

Could be trying to talk tls to ssl?

unable to load client certificate private key file

Verification error: unable to verify the first certificate

problem missing CA cert

error 20 at 0 depth lookup: unable to get local issuer certificate

you probably need to provide the right -CAfile maybe self signed?

 

Verify return code: 21 (unable to verify the first certificate)

Probably requires bundle

 

Bad certificate (code 42)

Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure.

 

check certificate chain

openssl s_client -connect www.example.com:443 -showcerts
      

 

Some of the output

Certificate chain

0 s:CN = foo.local
  i:CN = foo.local-CA

0: first in chain

s: subject  ( openssl x509 -noout -in foo.crt -subject )

i: issuer ( openssl x509 -noout -in foo.crt -issuer )


OR

openssl s_client -showcerts -verify 5 -connect ldap.example.com:636  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}' 

or

openssl s_client -showcerts -verify 5 -connect ldap.example.com:389 starttls ldap  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'

check expiration date

echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates


openssl x509 -enddate -noout -in file.pem

139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines

or a file is in DER format

SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line

??

 

 

check if webserver supports old tls

openssl s_client -connect www.example.com:443 -tls1
openssl s_client -connect www.example.com:443 -tls1_1

or when vhost:

 openssl s_client -servername vhost.example.com -connect www.example.com:443 -tls1_1

 

ERROR: Certificate verification: Not trusted

seems to be an lftp issue

unsupported certificate purpose

??

 

ssllabs checks

Chain issues: Incorrect order, Contains anchor

Could be the topmost cert in the bundle provided, try removing it

 

Chain issues: Contains anchor

Seems to mean there's a root ca in the bundle

check smtp submission

echo -n "username" | base64
echo -n "password" | base64
openssl s_client -connect mail.host.com:587 -starttls smtp -crlf
EHLO foo.bar
AUTH LOGIN

base64username

base64password

OR

echo -ne '\0username\0password'| base64
AUTH LOGING output_of_that_echo

Peer's Certificate issuer is not recognized.

p12 / pkcs12

https://fileinfo.com/extension/p12

openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem


server certificate does NOT include an ID which matches the server name

todo