OpenSSL

From Indie IT Wiki

Version

openssl version

Ciphers

List

openssl ciphers -v 'ALL:!aNULL'

Count By Minimum Protocol Version

openssl ciphers -V 'ALL:COMPLEMENTOFALL' | awk '{print $4}' | sort | uniq -c

The fourth column of the -V output is the lowest protocol version a suite can be negotiated with, not a list of the protocols the build enables: a suite tagged SSLv3 is still offered under TLS 1.0 to 1.2 if it is in the configured cipher string. TLSv1.3 suites (OpenSSL 1.1.1 and later) are listed first and are controlled by -ciphersuites, not by the cipher string.

SSLv3

openssl ciphers -V 'ALL:COMPLEMENTOFALL' | sort | grep ' SSLv3 '

TLSv1

openssl ciphers -V 'ALL:COMPLEMENTOFALL' | sort | grep ' TLSv1 '

TLSv1.2

openssl ciphers -V 'ALL:COMPLEMENTOFALL' | sort | grep ' TLSv1.2 '

Check Dovecot SSL TLS Port 995

The important option is -CApath, which points s_client at the system trust store and fixes the "verify error:num=20:unable to get local issuer certificate" message. Close stdin so the command returns instead of waiting for input; for a remote host that serves several names add -servername as well (see the Own Mail Server section below), otherwise you may be shown the wrong certificate.

openssl s_client -CApath /etc/ssl/certs/ -connect localhost:995 -quiet </dev/null

HOWTO: Verify ssl cert and get info

SSL Checker

Get full info

true | openssl s_client -connect www.cyberciti.biz:443 -showcerts

Just verify

The chain walk and any verify error are printed on stderr, so discarding stdout leaves just the verification result. Note that s_client exits 0 even when verification fails; add -verify_return_error if a script needs a non-zero exit status to act on.

true | openssl s_client -connect www.cyberciti.biz:443 -showcerts >/dev/null

Thanks - https://twitter.com/nixcraft/status/829333893044015104

HOWTO: Generate Wildcard SSL Certificate

openssl req -new -newkey rsa:2048 -nodes -out star_bloggs_com.csr -keyout star_bloggs_com.key -subj "/C=GB/ST=Kent/L=Folkestone/O=Bloggs Ltd/OU=IT/CN=*.bloggs.com/emailAddress=joe@bloggs.com"

Browsers ignore the CN and require the names in a subjectAltName extension; public CAs usually copy the CN into the SAN themselves, but with OpenSSL 1.1.1 or later you can put it in the request with -addext "subjectAltName=DNS:*.bloggs.com,DNS:bloggs.com". A wildcard matches a single label: *.bloggs.com covers www.bloggs.com but neither bloggs.com nor a.b.bloggs.com. -nodes writes the private key unencrypted, so keep the file owner-readable only.

Export To Microsoft IIS

openssl pkcs12 -export -out domain.pfx -inkey domain.key -in domain.crt -certfile domain.ca-bundle

You will be prompted for an export password, which IIS asks for on import. OpenSSL 3 writes the PFX with AES-256 and PBKDF2 by default; if an older Windows refuses to import it, add -legacy to get the old RC2/3DES format.

HOWTO: Check Details Of SSL Certificate Signing Request

openssl req -text -noout -verify -in domain_com.csr

Thanks - https://www.sslshopper.com/article-most-common-openssl-commands.html

HOWTO: Check Details Of SSL Certificate

openssl x509 -text -noout -in domain_com.crt

HOWTO: Check Dates Of SSL Certificate

echo | openssl s_client -servername www.domain.com -connect www.domain.com:443 2>/dev/null | openssl x509 -noout -dates

Without the leading echo (or </dev/null) s_client waits on stdin and the pipeline never finishes; -servername makes a server hosting several names return the certificate for this one. To test for upcoming expiry in a script, pipe into openssl x509 -noout -checkend 2592000 instead, which exits non-zero if the certificate expires within the given number of seconds (30 days here).
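The key, CSR, certificate and PKCS#12 steps from the HOWTO sections above, run end to end against a throwaway key in a temporary directory. This is an added example and not a command sequence from the wiki: it assumes OpenSSL 1.1.1 or later (for -addext), uses bloggs.com as a placeholder name, and self-signs the CSR so the date and export checks have a certificate to work on where a real deployment would use the one the CA returns.

```shell
#!/bin/sh
# Added example (not from the wiki): CSR -> certificate -> checks -> PFX,
# against a throwaway key. Assumes OpenSSL >= 1.1.1; bloggs.com is a placeholder.
set -eu
umask 077                      # private key files are created owner-readable only
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key + CSR for a wildcard name. Clients ignore the CN, so the names go into a SAN.
make_csr() {   # $1 = output dir, $2 = base domain
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/star.key" -out "$1/star.csr" \
    -subj "/C=GB/ST=Kent/L=Folkestone/O=Bloggs Ltd/OU=IT/CN=*.$2" \
    -addext "subjectAltName=DNS:*.$2,DNS:$2" 2>/dev/null
}

# Check the CSR's self-signature (exit status), as 'openssl req -verify' does.
csr_verifies() { openssl req -noout -verify -in "$1" >/dev/null 2>&1; }

# Print the SAN line of a CSR so the names can be checked before submission.
csr_sans() {
  openssl req -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Self-sign with the same key and names, standing in for the CA-issued certificate.
self_sign() {  # $1 = dir, $2 = base domain, $3 = validity in days
  openssl req -x509 -key "$1/star.key" -days "$3" \
    -subj "/O=Bloggs Ltd/CN=*.$2" -addext "subjectAltName=DNS:*.$2,DNS:$2" \
    -out "$1/star.crt" 2>/dev/null
}

# The dates check from above, against a file rather than a live server.
cert_dates() { openssl x509 -noout -dates -in "$1"; }

# Exit 0 only if the certificate stays valid for at least $2 more days (x509 -checkend).
cert_ok_for_days() { openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null; }

# PKCS#12 bundle for IIS. OpenSSL 3 defaults to AES-256/PBKDF2; add -legacy there
# if an older Windows refuses the file.
export_pfx() {  # $1 = dir, $2 = export password
  openssl pkcs12 -export -inkey "$1/star.key" -in "$1/star.crt" \
    -name "star.bloggs.com" -passout "pass:$2" -out "$1/star.pfx"
}

# Exit 0 if the PFX opens with the given password (what IIS does on import).
pfx_opens_with() { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout 2>/dev/null; }

make_csr "$WORK" bloggs.com
csr_verifies "$WORK/star.csr" && echo "CSR signature ok"
echo "SAN: $(csr_sans "$WORK/star.csr")"
self_sign "$WORK" bloggs.com 10
cert_dates "$WORK/star.crt"
if cert_ok_for_days "$WORK/star.crt" 30; then echo "good for 30 days"; else echo "expires within 30 days"; fi
export_pfx "$WORK" 'export-pw'
pfx_opens_with "$WORK/star.pfx" 'export-pw' && echo "PFX opens with export password"
```

The 10-day validity is deliberately short so that the -checkend test reports the certificate as expiring within 30 days; swap the self-signing step for the certificate your CA returns and the remaining functions apply unchanged.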

HOWTO: Check SSL Certificate using STARTTLS on SMTP

openssl s_client -starttls smtp -crlf -connect mail.myserver.co.uk:25

HOWTO: Check For The OpenSSL Heartbleed Bug in Debian Ubuntu Linux?

sudo lsb_release -a
sudo apt-cache policy openssl
sudo openssl version -a
sudo dpkg -l openssl
sudo apt-get changelog openssl
echo | openssl s_client -connect domain.com:443 -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe

This only tells you whether the server advertises the TLS heartbeat extension. "safe" means heartbeat is compiled out or disabled, so the bug cannot be reached; a match means the extension is on, which is also true of a patched 1.0.1g or later, so it is a prompt to check the package changelog for CVE-2014-0160 (Debian and Ubuntu backport the fix without changing the version string that openssl version prints) or to run one of the testing tools linked below, not a verdict.

If you are running Ubuntu 13.04 (end of life in January 2014, so no security update was published for it) you will not have an updated package, so you must do it manually. Note that this rebuilds the existing 1.0.1c source with the heartbeat extension compiled out rather than applying the upstream fix; upgrading to a supported release is the proper remedy.

sudo -i
mkdir opensslfix
cd opensslfix
apt-get build-dep openssl
apt-get source openssl
cd openssl-1.0.1c/
nano Configure
   add -DOPENSSL_NO_HEARTBEATS to $debian_cflags (line 109)
dpkg-buildpackage -uc -b
cd ..
dpkg -l | grep -w 'libssl\|openssl'
dpkg -i *.deb

Restart all services which use openssl, since running processes keep the old library mapped until they are restarted. The bug can leak server private keys from memory, so also re-key and reissue the certificates of any server that ran a vulnerable version while exposed, and revoke the old ones (see the last link below).

sudo service apache2 restart
sudo service proftpd restart
sudo service webmin restart
sudo service ssh restart

http://www.circl.lu/pub/tr-21/

http://www.websightdesigns.com/posts/view/how-to-upgrade-openssl-on-ubuntu-13-04

Testing tool - https://github.com/FiloSottile/Heartbleed

https://ssllabs.com

http://filippo.io/Heartbleed/

http://heartbleed.com/

https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability

http://www.ubuntu.com/usn/usn-2165-1/

http://askubuntu.com/questions/444848/why-unattended-upgrades-does-not-fix-heartbleed-bug

http://askubuntu.com/questions/444817/am-i-affected-heartbleed-bug

http://askubuntu.com/questions/444702/how-to-patch-cve-2014-0160-in-openssl/444905#444905

http://security.stackexchange.com/questions/55075/does-heartbleed-mean-new-certificates-for-every-ssl-server/55087#55087

What is a passphrase and how can I change the passphrase on my private key file?

A passphrase is a word or phrase used to encrypt a private key file. Someone who obtains the file (from a backup, a stolen disk, a misconfigured web root) cannot use the key without it. It protects only the file at rest: a service that loads the key still needs the passphrase, which is why unattended servers often keep their keys unencrypted (the -nodes option above) and rely on file permissions instead.

To change the passphrase you simply have to read it with the old pass-phrase and write it again, specifying the new pass-phrase.

You can accomplish this with the following commands:

umask 077
openssl rsa -aes256 -in myserver.key -out server.key.new
mv server.key.new myserver.key

The umask keeps the new file owner-readable only. -aes256 replaces the -des3 (3DES) cipher of older guides; both are accepted by every OpenSSL version you are likely to meet, but 3DES is legacy.

The first time you're asked for a PEM pass-phrase, you should enter the old pass-phrase. After that, you'll be asked again to enter a pass-phrase - this time, use the new pass-phrase. If you are asked to verify the pass-phrase, you'll need to enter the new pass-phrase a second time.
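The same passphrase change done without prompts, so it can run from a script, followed by a check that the old passphrase really no longer opens the key. This is an added example, not the wiki's own procedure; the key, file names and passphrases are made up here, and the pass: form is used only for brevity.

```shell
#!/bin/sh
# Added example (not from the wiki): rotate the passphrase on an encrypted RSA
# key without prompts and prove the old passphrase no longer works.
# Passphrases are given as pass:... for brevity; in real use prefer
# -passin file:/path or env:VAR so they do not appear in `ps` output.
set -eu
umask 077                      # new key files are readable by the owner only
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Exit 0 if the key file can be decrypted with the given passphrase.
key_opens_with() { openssl rsa -in "$1" -passin "pass:$2" -noout 2>/dev/null; }

# Encrypt a plaintext key with AES-256 (the -des3 in older guides is legacy 3DES).
encrypt_key() {   # $1 = plaintext key, $2 = encrypted output, $3 = passphrase
  openssl rsa -aes256 -in "$1" -passout "pass:$3" -out "$2" 2>/dev/null
}

# Read with the old passphrase, write with the new one, then replace the file.
rotate_passphrase() {   # $1 = key file, $2 = old passphrase, $3 = new passphrase
  openssl rsa -aes256 -in "$1" -passin "pass:$2" -passout "pass:$3" -out "$1.new" 2>/dev/null
  mv -f "$1.new" "$1"
}

# Throwaway key standing in for myserver.key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/plain.key" 2>/dev/null
encrypt_key "$WORK/plain.key" "$WORK/myserver.key" 'old-pass'
rotate_passphrase "$WORK/myserver.key" 'old-pass' 'new-pass'

key_opens_with "$WORK/myserver.key" 'new-pass' && echo "new passphrase works"
if key_opens_with "$WORK/myserver.key" 'old-pass'; then
  echo "old passphrase still works?!"
else
  echo "old passphrase rejected"
fi
```

The write goes to a sibling file and is then moved over the original, so a failure part-way (wrong old passphrase, full disk) leaves the existing key untouched; openssl rsa exits non-zero in that case and set -e stops the script before the mv.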

How To Reconfigure SSL Certificates In Ubuntu Debian

Add your certificate files, in PEM format and with a .crt extension, to /usr/share/ca-certificates/ and run dpkg-reconfigure ca-certificates. This updates /etc/ca-certificates.conf and calls update-ca-certificates, which rebuilds the symlinks in /etc/ssl/certs and the bundle /etc/ssl/certs/ca-certificates.crt that -CApath and -CAfile use.

Own Mail Server

openssl s_client -showcerts -connect mail.domain.co.uk:995 -CApath /etc/ssl/certs -servername mail.domain.co.uk

Copy and paste all of the lines in between and including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into a single file, then run the reconfigure command. Anything you add this way becomes a trust anchor for every program on the machine, so add only the certificate you actually mean to trust (your own server's self-signed certificate, or the issuing root), check its subject and SHA-256 fingerprint first, and note that -showcerts normally shows the chain without the root itself.

sudo dpkg-reconfigure ca-certificates

Let's Encrypt

https://letsencrypt.org/certificates/

-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----

...then run the commands below, and on the last command select the new certs with a star in the box [*] to add them...

Two caveats before you do. The certificate above is the Let's Encrypt R3 intermediate issued by ISRG Root X1 (valid 2020-09-04 to 2025-09-15), not DST Root CA X3, so the file name below is misleading; an intermediate does not need to be a trust anchor as long as the root is trusted and the server sends its chain. Second, --no-check-certificate disables TLS verification on the very download that is about to become a trust anchor for the whole machine. Use it only if the system store cannot yet verify letsencrypt.org, and in either case compare the SHA-256 fingerprint of each downloaded file (openssl x509 -noout -fingerprint -sha256 -in FILE) with the one published at https://letsencrypt.org/certificates/ before running dpkg-reconfigure. The cross-signed ISRG Root X1 (issued by DST Root CA X3) expired on 30 September 2024; the self-signed isrgrootx1 is the one that matters.

sudo -i
cd /usr/share/ca-certificates/
nano r3-dst-root-x3.crt  (copy contents of above)
wget --no-check-certificate -O isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
wget --no-check-certificate -O isrg-root-x1-cross-signed.crt https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem
dpkg-reconfigure ca-certificates
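The "copy the lines between BEGIN and END" step from the Own Mail Server section, and the fingerprint check you want before trusting a downloaded root, as one script. This is an added example rather than the wiki's own commands: it splits an openssl s_client -showcerts capture into one .crt file per certificate, prints each one's subject, issuer and SHA-256 fingerprint, and flags which ones are self-signed (the only kind that belongs in /usr/share/ca-certificates as a root). The capture is constructed locally from a throwaway self-signed certificate so the script runs offline; the Example Test CA name is made up.

```shell
#!/bin/sh
# Added example (not from the wiki): split an s_client -showcerts capture into
# one .crt per certificate and summarise each before it goes near the trust store.
# The capture is constructed from a local self-signed test cert, not fetched.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Copy every BEGIN..END CERTIFICATE block in $1 to $2/chain-NN.crt; print how many.
# The 'inside' flag keeps the " 1 s:..." chain lines between blocks out of the files.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/chain-%02d.crt", dir, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { close(f); inside = 0 }
    END { print n + 0 }
  ' "$1"
}

# Subject, issuer and SHA-256 fingerprint of one PEM certificate.
cert_summary()     { openssl x509 -noout -subject -issuer -fingerprint -sha256 -in "$1"; }
cert_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2; }

# Exit 0 if the certificate is its own issuer, i.e. a root-style anchor.
is_self_signed() {
  [ "$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')" = \
    "$(openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//')" ]
}

# --- constructed input: throwaway self-signed cert wrapped in s_client-style noise ---
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/test.key" -out "$WORK/test.crt" \
  -days 30 -subj "/O=Example Test CA/CN=mail.example.test" 2>/dev/null
{
  echo 'CONNECTED(00000003)'
  echo 'depth=0 O = Example Test CA, CN = mail.example.test'
  echo 'verify return:1'
  echo '---'
  echo 'Certificate chain'
  echo ' 0 s:O = Example Test CA, CN = mail.example.test'
  echo '   i:O = Example Test CA, CN = mail.example.test'
  cat "$WORK/test.crt"
  echo ' 1 s:O = Example Test CA, CN = mail.example.test'
  echo '   i:O = Example Test CA, CN = mail.example.test'
  cat "$WORK/test.crt"        # repeated only so the splitter sees two blocks
  echo '---'
  echo 'Server certificate'
} > "$WORK/capture.txt"

mkdir -p "$WORK/out"
COUNT=$(split_chain "$WORK/capture.txt" "$WORK/out")
echo "extracted $COUNT certificate(s)"
for f in "$WORK"/out/chain-*.crt; do
  echo "== $f"
  cert_summary "$f"
  if is_self_signed "$f"; then
    echo "   self-signed: candidate trust anchor, compare the fingerprint before adding it"
  else
    echo "   not self-signed: an intermediate or leaf, not a root"
  fi
done
```

With a real capture, replace the constructed block with `openssl s_client -showcerts -connect host:995 -CApath /etc/ssl/certs -servername host </dev/null > capture.txt`, and compare the printed fingerprint of the self-signed entry with the value the CA publishes before copying that one file into /usr/share/ca-certificates.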