OpenSSL

From Indie IT Wiki

HOWTO: Verify SSL Cert And Get Info

Get full info

true | openssl s_client -connect www.cyberciti.biz:443 -showcerts

Just verify (stdout is discarded; the depth/verify lines remain on stderr)

true | openssl s_client -connect www.cyberciti.biz:443 -showcerts >/dev/null

Thanks - https://twitter.com/nixcraft/status/829333893044015104

HOWTO: Generate Wildcard SSL Certificate

openssl req -new -newkey rsa:2048 -nodes -out star_bloggs_com.csr -keyout star_bloggs_com.key -subj "/C=GB/ST=Kent/L=Folkestone/O=Bloggs Ltd/OU=IT/CN=*.bloggs.com/emailAddress=joe@bloggs.com"

HOWTO: Check Details Of SSL Certificate Signing Request

openssl req -text -noout -verify -in domain_com.csr

Thanks - https://www.sslshopper.com/article-most-common-openssl-commands.html

HOWTO: Check Details Of SSL Certificate

openssl x509 -text -noout -in domain_com.crt

HOWTO: Check For The OpenSSL Heartbleed Bug In Debian / Ubuntu Linux

sudo lsb_release -a
sudo apt-cache policy openssl
sudo openssl version -a
sudo dpkg -l openssl
sudo apt-get changelog openssl
true | openssl s_client -connect domain.com:443 -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe

If you are running Ubuntu 13.04 you will not have an updated package, so you must do it manually...

sudo -i
mkdir opensslfix
cd opensslfix
apt-get build-dep openssl
apt-get source openssl
cd openssl-1.0.1c/
nano Configure
   add -DOPENSSL_NO_HEARTBEATS to $debian_cflags (line 109)
dpkg-buildpackage -uc -b
cd ..
dpkg -l | grep -w 'libssl\|openssl'
dpkg -i *.deb

Restart all services which use openssl...

sudo service apache2 restart
sudo service proftpd restart
sudo service webmin restart
sudo service ssh restart
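
The one-line probe above prints "safe" even when the connection fails, and a heartbeat line only shows that the extension is offered, so this added example (not from the wiki or its sources) separates those cases and also checks `openssl version -a` output for the rebuild flag. The function names and sample text are constructed, and treating a printed certificate as proof of a completed handshake is an assumption.

```shell
#!/bin/sh
# Added example, not from the wiki page. Function names and sample text are
# constructed for illustration.

# Classify `openssl s_client ... -tlsextdebug 2>&1` output read from stdin.
# Prints one word: unknown | advertised | absent
classify_heartbeat() {
    probe_out=$(cat)
    # Assumption: a completed handshake prints the peer certificate. Without
    # it (refused, timeout, handshake alert) the probe proves nothing.
    case $probe_out in
        *'BEGIN CERTIFICATE'*) ;;
        *) echo unknown; return 0 ;;
    esac
    case $probe_out in
        *'server extension "heartbeat" (id=15)'*) echo advertised ;;
        *) echo absent ;;
    esac
}

# Classify `openssl version -a` output read from stdin: was the library
# built with the flag the rebuild procedure adds to $debian_cflags?
classify_build() {
    build_out=$(cat)
    case $build_out in
        *-DOPENSSL_NO_HEARTBEATS*) echo disabled ;;
        *) echo compiled-in-or-unknown ;;
    esac
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'
SAMPLE_NO_HEARTBEAT='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
---
Server certificate
-----BEGIN CERTIFICATE-----
(constructed placeholder, no real certificate)
-----END CERTIFICATE-----'
SAMPLE_HEARTBEAT="$SAMPLE_NO_HEARTBEAT
TLS server extension \"heartbeat\" (id=15), len=1"
SAMPLE_BUILD='OpenSSL 1.0.1c (constructed sample)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O2'

for s in "$SAMPLE_REFUSED" "$SAMPLE_NO_HEARTBEAT" "$SAMPLE_HEARTBEAT"; do
    printf '%s\n' "$s" | classify_heartbeat
done
printf '%s\n' "$SAMPLE_BUILD" | classify_build
```

To use it on a live host, pipe the page's own commands into the functions: `true | openssl s_client -connect domain.com:443 -tlsextdebug 2>&1 | classify_heartbeat` and `openssl version -a | classify_build`.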

http://www.circl.lu/pub/tr-21/

http://www.websightdesigns.com/posts/view/how-to-upgrade-openssl-on-ubuntu-13-04

Testing tool - https://github.com/FiloSottile/Heartbleed

https://ssllabs.com

http://filippo.io/Heartbleed/

http://heartbleed.com/

https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability

http://www.ubuntu.com/usn/usn-2165-1/

http://askubuntu.com/questions/444848/why-unattended-upgrades-does-not-fix-heartbleed-bug

http://askubuntu.com/questions/444817/am-i-affected-heartbleed-bug

http://askubuntu.com/questions/444702/how-to-patch-cve-2014-0160-in-openssl/444905#444905

http://security.stackexchange.com/questions/55075/does-heartbleed-mean-new-certificates-for-every-ssl-server/55087#55087

What is a passphrase and how can I change the passphrase on my private key file?

A passphrase is a word or phrase that protects private key files. It prevents unauthorized users from decrypting them. Usually it's just the secret encryption/decryption key used for ciphers.

To change the passphrase you simply have to read the key with the old passphrase and write it again, specifying the new passphrase.

You can accomplish this with the following commands:

openssl rsa -des3 -in myserver.key -out server.key.new
mv server.key.new myserver.key

The first time you're asked for a PEM passphrase, you should enter the old passphrase. After that, you'll be asked again to enter a passphrase; this time, use the new passphrase. If you are asked to verify the passphrase, you'll need to enter the new passphrase a second time.