Difference between revisions of "OpenSSL"

From Indie IT Wiki
Revision as of 10:12, 19 November 2021

Version

openssl version

Ciphers

List

openssl ciphers -v 'ALL:!aNULL'

Count By Protocol Column

openssl ciphers -V 'ALL:COMPLEMENTOFALL' | awk '{print $4}' | sort | uniq -c

The fourth column of -V output is the lowest protocol version a suite is defined for, not what a server will negotiate: AES128-SHA is listed under SSLv3 yet is still offered under TLS 1.2. Read the greps below as "which suites belong to each column", not as "which suites a given protocol version enables".

SSLv3

openssl ciphers -V 'ALL:COMPLEMENTOFALL' | sort | grep ' SSLv3 '

TLSv1

openssl ciphers -V 'ALL:COMPLEMENTOFALL' | sort | grep ' TLSv1 '

TLSv1.2

openssl ciphers -V 'ALL:COMPLEMENTOFALL' | sort | grep ' TLSv1.2 '
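As an added example that is not part of the original page, the shell function below turns the -V listing into a weak-suite report rather than a per-column count. The sample lines are constructed in the exact layout openssl ciphers -V prints, and the rules (anonymous, export, NULL/RC4/DES/3DES, MD5 MACs, static RSA key exchange) are the usual hardening checklist, not anything the page itself specifies.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: flag weak suites in "openssl ciphers -V" output.
# Columns of -V: hexcode - NAME PROTO Kx=... Au=... Enc=... Mac=...
set -eu

# weak_suites: read -V lines on stdin, print "NAME [reasons]" for suites a review flags.
weak_suites() {
  awk '
    {
      r = ""
      if ($6 == "Au=None")                      r = r "anonymous "    # no server authentication
      if ($7 ~ /^Enc=(None|RC4|3DES|DES|RC2)/)  r = r "weak-cipher "  # broken or 64-bit block cipher
      if ($8 == "Mac=MD5")                      r = r "md5 "
      if ($3 ~ /^EXP/)                          r = r "export "       # 40/56-bit export grade
      if ($5 == "Kx=RSA")                       r = r "no-pfs "       # static RSA key exchange
      if (r != "") { sub(/ $/, "", r); print $3, "[" r "]" }
    }'
}

# sample_ciphers: constructed lines in the -V layout so the demo runs offline
sample_ciphers() {
  cat <<'EOF'
0x13,0x02 - TLS_AES_256_GCM_SHA384        TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
0x00,0x9C - AES128-GCM-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
0x00,0x0A - DES-CBC3-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
0x00,0x05 - RC4-SHA                       SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=SHA1
0x00,0x04 - RC4-MD5                       SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=MD5
0x00,0x18 - ADH-RC4-MD5                   SSLv3   Kx=DH       Au=None Enc=RC4(128)    Mac=MD5
0x00,0x03 - EXP-RC4-MD5                   SSLv3   Kx=RSA(512) Au=RSA  Enc=RC4(40)     Mac=MD5 export
0x00,0x01 - NULL-MD5                      SSLv3   Kx=RSA      Au=RSA  Enc=None        Mac=MD5
EOF
}

# weak_count: number of flagged suites in stdin
weak_count() { weak_suites | grep -c . || true; }

echo "# constructed sample:"
sample_ciphers | weak_suites
echo "# this host's default client list (openssl ciphers -V):"
openssl ciphers -V 2>/dev/null | weak_suites || true
```

Pipe a server's negotiated list into weak_suites the same way (for example the output of a scanner) and the no-pfs entries are the ones to retire first, since every one of them is decryptable later if the server key ever leaks.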

Check Dovecot SSL TLS Port 995

The important option is -CApath, which tells s_client where the trusted CA certificates live. The verify error:num=20:unable to get local issuer certificate message means the chain the server sent could not be linked to any CA in the store s_client was using; pointing it at the system store (/etc/ssl/certs/, or a specific bundle with -CAfile) fixes that. If the error persists even with the system store, the server is sending an incomplete chain or was issued by a CA the machine does not trust, and the fix belongs on the server, not in the client options...

openssl s_client -CApath /etc/ssl/certs/ -connect localhost:995 -quiet

HOWTO: Verify ssl cert and get info

SSL Checker

Get full info

true | openssl s_client -connect www.cyberciti.biz:443 -showcerts

Just verify (stdout is discarded, so only the verify error lines written to stderr remain; no output means the chain verified)

true | openssl s_client -connect www.cyberciti.biz:443 -showcerts >/dev/null

The true | closes s_client's stdin so it exits after the handshake instead of waiting for input. Add -servername www.cyberciti.biz to either command when the host serves several names from one IP address (SNI); without it some servers hand back a default certificate and the check reports a name mismatch that real clients would not see.

Thanks - https://twitter.com/nixcraft/status/829333893044015104
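To see error 20 and its fix without a live mail or web server, here is an added example that is not from the page: it builds a throwaway CA and a leaf certificate in a temporary directory, runs openssl verify against the leaf with no trust store, then with -CAfile, then with a hashed -CApath directory laid out like /etc/ssl/certs. The CA and host names are made up for the demonstration; s_client takes the same -CAfile/-CApath options and resolves them the same way.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: reproduce "error 20: unable to get local issuer
# certificate" with a constructed CA, then fix it with -CAfile and with -CApath.
# Nothing here touches the system trust store.
set -eu

# make_test_pki DIR: constructed test CA plus a leaf it signs (names are assumptions).
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/leaf.crt" 2>/dev/null
}

# verify_leaf LEAF [CAFILE]: verification output. The default system store is
# switched off so the result does not depend on what this host happens to trust.
verify_leaf() {
  if [ $# -ge 2 ]; then
    openssl verify -no-CApath -no-CAfile -CAfile "$2" "$1" 2>&1 || true
  else
    openssl verify -no-CApath -no-CAfile "$1" 2>&1 || true
  fi
}

# verify_leaf_capath LEAF DIR: same check through a hashed directory, the layout
# /etc/ssl/certs uses; "openssl rehash" creates the <subject-hash>.0 symlinks
# that -CApath lookups need (c_rehash does the same on older installs).
verify_leaf_capath() {
  openssl rehash "$2" 2>/dev/null
  openssl verify -no-CApath -no-CAfile -CApath "$2" "$1" 2>&1 || true
}

demo() {
  work=$(mktemp -d)
  make_test_pki "$work"
  echo "# no trust store (expect error 20):"; verify_leaf "$work/leaf.crt"
  echo "# with -CAfile:";                    verify_leaf "$work/leaf.crt" "$work/ca.crt"
  mkdir "$work/capath" && cp "$work/ca.crt" "$work/capath/"
  echo "# with -CApath:";                    verify_leaf_capath "$work/leaf.crt" "$work/capath"
  rm -rf "$work"
}
demo
```

The first run prints error 20 at 0 depth lookup: unable to get local issuer certificate, the other two print leaf.crt: OK. That is exactly the difference the -CApath option makes in the Dovecot check above: the certificate did not change, only where the issuer was looked for.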

HOWTO: Generate Wildcard SSL Certificate Signing Request

openssl req -new -newkey rsa:2048 -nodes -out star_bloggs_com.csr -keyout star_bloggs_com.key -subj "/C=GB/ST=Kent/L=Folkestone/O=Bloggs Ltd/OU=IT/CN=*.bloggs.com/emailAddress=joe@bloggs.com"

This writes the request and an unencrypted private key (-nodes), so keep star_bloggs_com.key readable only by root. Browsers and public CAs take the hostnames from the subjectAltName extension and ignore the CN, so a wildcard that appears only in CN is not enough on its own: with OpenSSL 1.1.1 or later add -addext "subjectAltName=DNS:*.bloggs.com,DNS:bloggs.com" to the command, or make sure the CA adds both names when you submit the CSR.

Export To Microsoft IIS

openssl pkcs12 -export -out domain.pfx -inkey domain.key -in domain.crt -certfile domain.ca-bundle

You are prompted for an export password, which encrypts the private key inside the .pfx and is needed again when importing into IIS; -certfile bundles the intermediate CA certificates so IIS can serve the full chain.

HOWTO: Check Details Of SSL Certificate Signing Request

openssl req -text -noout -verify -in domain_com.csr

Thanks - https://www.sslshopper.com/article-most-common-openssl-commands.html

HOWTO: Check Details Of SSL Certificate

openssl x509 -text -noout -in domain_com.crt

HOWTO: Check Dates Of SSL Certificate

echo | openssl s_client -servername www.domain.com -connect www.domain.com:443 2>/dev/null | openssl x509 -noout -dates

The echo | closes s_client's stdin so it exits after the handshake instead of hanging, -servername makes sure you are looking at the certificate for that name rather than the server's default one, and 2>/dev/null keeps the verify chatter out of the pipe so x509 only sees the PEM block.
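Added example, not from the page, tying the last three sections together: it generates a wildcard key and CSR that carries the names in subjectAltName as well as CN, inspects the CSR the way the page does, self-signs it for a short lifetime (standing in for the CA-issued certificate) and then checks the expiry with -checkend, which is the call a renewal cron job wants. bloggs.com and the 10-day lifetime are assumptions for the demo; -addext needs OpenSSL 1.1.1 or newer.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: wildcard CSR with SAN, inspection, expiry check.
set -eu

# make_wildcard_csr DIR DOMAIN: key + CSR carrying *.DOMAIN and DOMAIN in the SAN.
# The key is written unencrypted (-nodes), so lock the file down immediately.
make_wildcard_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1/star.key" -out "$1/star.csr" \
    -subj "/C=GB/O=Bloggs Ltd/CN=*.$2" \
    -addext "subjectAltName=DNS:*.$2,DNS:$2" 2>/dev/null
  chmod 600 "$1/star.key"
}

# csr_sans CSR: the SAN entries of the request, e.g. "DNS:*.bloggs.com, DNS:bloggs.com"
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# self_sign DIR DOMAIN DAYS: sign the CSR with its own key for the demo. x509 -req
# drops the request's extensions, so the SAN is re-supplied through -extfile
# (a CA would do the equivalent on its side).
self_sign() {
  printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$2" "$2" > "$1/san.ext"
  openssl x509 -req -in "$1/star.csr" -signkey "$1/star.key" -days "$3" \
    -extfile "$1/san.ext" -out "$1/star.crt" 2>/dev/null
}

# cert_expires_within CERT DAYS: exit 0 if CERT will have expired DAYS from now.
# openssl x509 -checkend SECONDS exits 0 while the cert is still valid at that time
# and 1 once it would have expired, so the sense is inverted here for readability.
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    return 1
  fi
  return 0
}

demo() {
  w=$(mktemp -d)
  make_wildcard_csr "$w" bloggs.com
  openssl req -in "$w/star.csr" -noout -verify -subject 2>&1     # same check as the page
  echo "SAN: $(csr_sans "$w/star.csr")"
  self_sign "$w" bloggs.com 10
  openssl x509 -in "$w/star.crt" -noout -dates
  if cert_expires_within "$w/star.crt" 30; then
    echo "renew now: certificate expires within 30 days"
  else
    echo "certificate is good for more than 30 days"
  fi
  rm -rf "$w"
}
demo
```

In a cron job, cert_expires_within /path/to/cert 30 && trigger-renewal is the whole monitoring logic; -checkend avoids parsing notAfter dates by hand and is in every OpenSSL release still in use.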

HOWTO: Check For The OpenSSL Heartbleed Bug (CVE-2014-0160) In Debian Ubuntu Linux

Heartbleed affects OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1); 1.0.1g and the distribution security updates fix it. Debian and Ubuntu backport the fix without changing the upstream version string, so check the package version and changelog (look for CVE-2014-0160), not just the output of openssl version...

sudo lsb_release -a
sudo apt-cache policy openssl
sudo openssl version -a
sudo dpkg -l openssl
sudo apt-get changelog openssl

The remote check below looks for the TLS heartbeat extension in the server's handshake. If the server does not advertise it, the bug cannot be reached over TLS and "safe" is printed. If it is advertised, the server may still be patched (fixed builds keep heartbeat enabled), so go back to the version checks above. The echo | closes stdin so s_client exits after the handshake...

echo | openssl s_client -connect domain.com:443 -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe

If you are running Ubuntu 13.04 (end of life since January 2014) you will not get an updated package, so rebuild the source package with heartbeats compiled out...

sudo -i
mkdir opensslfix
cd opensslfix
apt-get build-dep openssl
apt-get source openssl
cd openssl-1.0.1c/
nano Configure
   add -DOPENSSL_NO_HEARTBEATS to $debian_cflags (line 109)
dpkg-buildpackage -uc -b
cd ..
dpkg -l | grep -w 'libssl\|openssl'
dpkg -i *.deb

The dpkg -l line shows which of the rebuilt packages (libssl1.0.0, openssl and possibly libssl-dev) are actually installed; if only some of them are, name those .deb files instead of using *.deb. Afterwards confirm with the remote heartbeat check above that the server no longer advertises the extension.

Restart every service that has libssl loaded so it picks up the patched library (lsof | grep libssl lists them; a reboot is the simplest way to be sure). Then treat the private keys as possibly disclosed, because the bug let a client read server memory: generate new keys, get the certificates reissued and revoke the old ones (see the last link below). A patched library with the old key still in use leaves anyone who read that memory able to impersonate the server...

sudo service apache2 restart
sudo service proftpd restart
sudo service webmin restart
sudo service ssh restart
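Added example, not from the page: a shell triage for the version strings the commands above print, encoding the upstream affected range from the CVE-2014-0160 advisory, plus the remote heartbeat probe with its stdin closed so it does not hang. The version strings used in the test are constructed; a hit on the version check means "read the package changelog", because Debian and Ubuntu patched without changing the upstream version number.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: Heartbleed (CVE-2014-0160) triage helpers.
set -eu

# heartbleed_version_affected "OpenSSL 1.0.1e 11 Feb 2013"
# exit 0 when the upstream release named in an "openssl version" line is in the
# affected range (1.0.1 .. 1.0.1f, 1.0.2-beta1), 1 otherwise. Distribution builds
# keep the upstream number after backporting the fix, so 0 means "check the
# package changelog for CVE-2014-0160", not "vulnerable".
heartbleed_version_affected() {
  ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" {print $2}')
  case "$ver" in
    1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;   # 1.0.1, 1.0.1a..1.0.1f, 1.0.1e-fips
    1.0.2-beta1)                   return 0 ;;
    *)                             return 1 ;;
  esac
}

# installed_openssl_affected: same check against the openssl binary on this machine
installed_openssl_affected() {
  heartbleed_version_affected "$(openssl version)"
}

# server_advertises_heartbeat HOST PORT: exit 0 if the ServerHello carries the
# heartbeat extension (id=15). "echo |" closes stdin so s_client exits after the
# handshake. No extension means the bug is unreachable over TLS; an extension
# means "could be", since patched 1.0.1g still advertises it. Not run in the demo.
server_advertises_heartbeat() {
  echo | openssl s_client -connect "$1:$2" -tlsextdebug 2>&1 \
    | grep -q 'server extension "heartbeat" (id=15)'
}

if installed_openssl_affected; then
  echo "$(openssl version): upstream range is affected, check dpkg -l openssl and the changelog"
else
  echo "$(openssl version): not in the affected upstream range"
fi
```

For a fleet, run installed_openssl_affected over SSH on every host and server_advertises_heartbeat against every TLS port from the outside; the two together separate "not exploitable" from "needs a changelog check" without relying on a third-party scanner.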

http://www.circl.lu/pub/tr-21/

http://www.websightdesigns.com/posts/view/how-to-upgrade-openssl-on-ubuntu-13-04

Testing tool - https://github.com/FiloSottile/Heartbleed

https://ssllabs.com

http://filippo.io/Heartbleed/

http://heartbleed.com/

https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability

http://www.ubuntu.com/usn/usn-2165-1/

http://askubuntu.com/questions/444848/why-unattended-upgrades-does-not-fix-heartbleed-bug

http://askubuntu.com/questions/444817/am-i-affected-heartbleed-bug

http://askubuntu.com/questions/444702/how-to-patch-cve-2014-0160-in-openssl/444905#444905

http://security.stackexchange.com/questions/55075/does-heartbleed-mean-new-certificates-for-every-ssl-server/55087#55087

What is a passphrase and how can I change the passphrase on my private key file?

A passphrase is a word or phrase from which OpenSSL derives a symmetric key to encrypt the private key file on disk. Anyone who copies the file (from a backup, a web-exposed directory, a leaked disk image) still needs the passphrase to use the key, so it protects the key at rest. It does nothing for the key once a service has loaded it into memory, and a service that must start unattended usually ends up with an unencrypted key protected by file permissions instead.

To change the passphrase you read the key with the old passphrase and write it out again encrypted under the new one.

You can accomplish this with the following commands:

openssl rsa -aes256 -in myserver.key -out server.key.new
mv server.key.new myserver.key

-aes256 selects AES-256-CBC for the new encryption; older guides use -des3, which is 3DES and should not be used for new files. The first time you're asked for a PEM pass-phrase, enter the old one. You'll then be asked for a pass-phrase for the output file: enter the new one, and enter it a second time when asked to verify it. Check the permissions afterwards (chmod 600 myserver.key): an encrypted key is still not something to leave world-readable.
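Added example, not from the page: the same passphrase change done non-interactively for a script, on a constructed key generated on the spot. The passphrases come from environment variables (-passin env: and -passout env:) rather than pass:... arguments, which every user on the machine could read from ps, and the result is checked by opening the key with both passphrases. OLD_PASS, NEW_PASS and the file names are assumptions for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: rotate an RSA key's passphrase without prompts
# and prove the old passphrase no longer opens the file.
set -eu

# make_encrypted_key FILE: constructed 2048-bit test key protected with $OLD_PASS
make_encrypted_key() {
  openssl genrsa -aes256 -passout env:OLD_PASS -out "$1" 2048 2>/dev/null
  chmod 600 "$1"
}

# rekey_passphrase IN OUT: read IN with $OLD_PASS, write OUT encrypted under $NEW_PASS
# with AES-256-CBC (the scriptable form of "openssl rsa -aes256 -in ... -out ...").
rekey_passphrase() {
  openssl rsa -in "$1" -passin env:OLD_PASS -aes256 -passout env:NEW_PASS -out "$2" 2>/dev/null
  chmod 600 "$2"
}

# key_opens_with FILE PASS: exit 0 if PASS decrypts FILE; nothing is written (-noout)
key_opens_with() {
  KEY_PASS="$2" openssl rsa -in "$1" -passin env:KEY_PASS -noout 2>/dev/null
}

demo() {
  w=$(mktemp -d)
  export OLD_PASS='constructed-old-passphrase' NEW_PASS='constructed-new-passphrase'
  make_encrypted_key "$w/myserver.key"
  rekey_passphrase "$w/myserver.key" "$w/server.key.new"
  mv "$w/server.key.new" "$w/myserver.key"          # same swap the page performs
  key_opens_with "$w/myserver.key" "$NEW_PASS" && echo "new passphrase: accepted"
  key_opens_with "$w/myserver.key" "$OLD_PASS" || echo "old passphrase: rejected"
  unset OLD_PASS NEW_PASS
  rm -rf "$w"
}
demo
```

In real use the two variables would be populated by the deployment tool or read from a root-only file (-passin file:/path works too); the point of env: and file: is that the secret never becomes a command-line argument.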

How To Reconfigure SSL Certificates In Ubuntu Debian

Add your certificate files to /usr/share/ca-certificates/ and run dpkg-reconfigure ca-certificates. The files must be PEM encoded, one certificate per file, and end in .crt or the menu will not list them. For certificates you add yourself, dropping the .crt into /usr/local/share/ca-certificates/ and running update-ca-certificates does the same job without mixing local additions into the directory the ca-certificates package owns, so they survive package upgrades.

Own Mail Server

openssl s_client -showcerts -connect mail.domain.co.uk:995 -CApath /etc/ssl/certs -servername mail.domain.co.uk

Copy and paste all of the lines between and including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- for the issuing CA certificate (or the self-signed server certificate, if there is no CA) into a .crt file, one certificate per file, then run the reconfigure command. Only do this for a server you control: you are turning whatever that connection returned into a trust anchor for the whole machine, so compare the certificate's fingerprint (openssl x509 -noout -fingerprint -sha256 -in file.crt) with the one on the server itself before trusting it. Prefer the CA certificate over the server's own leaf certificate, which changes at the next renewal and would have to be re-added.

sudo dpkg-reconfigure ca-certificates

Let's Encrypt

https://letsencrypt.org/certificates/

The block below is Let's Encrypt's R3 intermediate as issued by ISRG Root X1 (subject CN=R3, valid 2020-09-04 to 2025-09-15); confirm that yourself with openssl x509 -noout -subject -issuer -dates -in file.crt before installing it. Before adding anything by hand, run apt-get update and apt-get install ca-certificates: a current package already trusts ISRG Root X1, which is the proper fix. Adding the intermediate as a trust anchor is a stopgap for a system that cannot be updated and has to be revisited when Let's Encrypt rotates its intermediates.

-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----

...then run the commands below, and on the last command select the new certs with a star in the box [*] to add them...

sudo -i
cd /usr/share/ca-certificates/
nano lets-encrypt-r3.crt  (paste the block above)
wget -O isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
wget -O isrg-root-x1-cross-signed.crt https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem
dpkg-reconfigure ca-certificates

Do not add --no-check-certificate to the wget lines. Fetching a root certificate over a connection whose own certificate you have refused to check lets anyone on the path hand you a root of their choosing, and that root then silently validates everything on the machine. If wget cannot verify letsencrypt.org (the very problem you are fixing), download the files on a machine that can, or compare the SHA-256 fingerprint of each file (openssl x509 -noout -fingerprint -sha256 -in file) with the value from a machine or browser that already trusts ISRG Root X1 before running dpkg-reconfigure.
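Added example, not from the page: helpers for the step the commands above skip, namely checking what a PEM file actually is and that its SHA-256 fingerprint matches a value obtained out of band, before it becomes a trust anchor. Run pem_identity on the block above and it reports subject CN=R3 issued by ISRG Root X1. The demo uses a root certificate it generates itself so it runs offline; install_trusted_ca shows the Debian/Ubuntu install step and is not executed here. The names and the expected fingerprint in the demo are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki: identify and pin a PEM certificate before trusting it.
set -eu

# pem_identity FILE: subject, issuer and expiry of the first certificate in FILE
pem_identity() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# pem_fingerprint FILE: SHA-256 fingerprint as OpenSSL prints it (AB:CD:...)
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# pem_pinned FILE EXPECTED: exit 0 only if FILE's SHA-256 fingerprint equals EXPECTED.
# Colons, spaces and case are ignored so a value copied from a browser dialog compares.
pem_pinned() {
  have=$(pem_fingerprint "$1" | tr -d ': ' | tr 'a-f' 'A-F')
  want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
  [ -n "$have" ] && [ "$have" = "$want" ]
}

# make_constructed_root DIR NAME: throwaway self-signed root for the offline demo
make_constructed_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
  echo "$1/$2.crt"
}

# install_trusted_ca FILE NAME: Debian/Ubuntu install without touching the directory
# the ca-certificates package owns. Needs root; only call after pem_pinned passed.
install_trusted_ca() {
  install -m 0644 "$1" "/usr/local/share/ca-certificates/$2.crt"
  update-ca-certificates
}

demo() {
  w=$(mktemp -d)
  cert=$(make_constructed_root "$w" "Constructed Test Root")
  pem_identity "$cert"
  expected=$(pem_fingerprint "$cert")   # in real use: the value obtained out of band
  if pem_pinned "$cert" "$expected"; then
    echo "fingerprint matches: safe to pass to install_trusted_ca"
  else
    echo "fingerprint mismatch: do not install"
  fi
  rm -rf "$w"
}
demo
```

The order matters: identify, pin, then install. A file that pem_identity shows as an intermediate (issuer differs from subject) normally does not belong in the trust store at all; the root it chains to does.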