OpenSSL
Version
openssl version
Ciphers
List
openssl ciphers -v 'ALL:!aNULL'
Count Types
openssl ciphers -V 'ALL:COMPLEMENTOFALL' | awk '{print $4}' | sort | uniq -c
SSLv3
openssl ciphers -V 'ALL:COMPLEMENTOFALL' | sort | grep ' SSLv3 '
TLSv1
openssl ciphers -V 'ALL:COMPLEMENTOFALL' | sort | grep ' TLSv1 '
TLSv1.2
openssl ciphers -V 'ALL:COMPLEMENTOFALL' | sort | grep ' TLSv1.2 '
Check Dovecot SSL TLS Port 995
The important option is -CApath, which fixes the "verify error:num=20:unable to get local issuer certificate" message...
openssl s_client -CApath /etc/ssl/certs/ -connect localhost:995 -quiet
HOWTO: Verify ssl cert and get info
Get full info
true | openssl s_client -connect www.cyberciti.biz:443 -showcerts
Just verify
true | openssl s_client -connect www.cyberciti.biz:443 -showcerts >/dev/null
Thanks - https://twitter.com/nixcraft/status/829333893044015104
HOWTO: Generate Wildcard SSL Certificate
openssl req -new -newkey rsa:2048 -nodes -out star_bloggs_com.csr -keyout star_bloggs_com.key -subj "/C=GB/ST=Kent/L=Folkestone/O=Bloggs Ltd/OU=IT/CN=*.bloggs.com/emailAddress=joe@bloggs.com"
Export To Microsoft IIS
openssl pkcs12 -export -out domain.pfx -inkey domain.key -in domain.crt -certfile domain.ca-bundle
HOWTO: Check Details Of SSL Certificate Signing Request
openssl req -text -noout -verify -in domain_com.csr
Thanks - https://www.sslshopper.com/article-most-common-openssl-commands.html
HOWTO: Check Details Of SSL Certificate
openssl x509 -text -noout -in domain_com.crt
HOWTO: Check Dates Of SSL Certificate
true | openssl s_client -connect www.domain.com:443 | openssl x509 -noout -dates
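The dates pipeline above is for a human reading two lines; the same check written as a yes/no "needs renewal" test with openssl x509 -checkend is what a cron job or monitor wants. This is an added example, not part of the original notes. It assumes the openssl binary is on PATH and, for the remote variant, a TLS server on port 443 (the example sends SNI with -servername, which the one-liner above omits; without it a server hosting several names may hand back its default certificate rather than the one you meant to check). The test certificate and the name example.test are constructed here.

```shell
#!/bin/sh
# Added example (not from the original notes): the "check dates" pipeline
# turned into a yes/no renewal check with openssl x509 -checkend.
# Assumes the openssl binary is on PATH.

# make_test_cert OUTFILE DAYS: constructed self-signed certificate valid for
# DAYS days, used here only to exercise the check offline.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.test" 2>/dev/null
}

# expires_within_days CERTFILE DAYS: exit 0 if the certificate expires within
# DAYS days (or already has), 1 if it stays valid beyond that window.
expires_within_days() {
    # -checkend N exits 0 while the cert is still valid at now+N seconds,
    # so the result is inverted to mean "needs renewal".
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# remote_expires_within_days HOST DAYS: the same check on the certificate a
# live server presents. Exit 2 if no certificate could be fetched, so a
# network failure is never mistaken for an expiring certificate.
remote_expires_within_days() {
    host=$1; days=$2
    tmp=$(mktemp) || return 2
    # stdin is closed so s_client returns instead of waiting for input
    if ! openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
            | openssl x509 -outform PEM -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    expires_within_days "$tmp" "$days"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Offline demonstration on a constructed 10-day certificate: it falls inside
# a 30-day renewal window but not a 5-day one.
expiry_demo() {
    dir=$(mktemp -d) || return 1
    make_test_cert "$dir/short.crt" 10 || { rm -rf "$dir"; return 1; }
    result=0
    expires_within_days "$dir/short.crt" 30 || result=1
    expires_within_days "$dir/short.crt" 5 && result=1
    rm -rf "$dir"
    return "$result"
}

expiry_demo && echo "10-day test cert: renew within 30 days, fine for 5"
```

Used from cron as `remote_expires_within_days www.domain.com 30 || alert`, the three exit codes keep "expiring", "fine" and "could not fetch" apart, so a firewall change does not page you as a certificate outage.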
HOWTO: Check For The OpenSSL Heartbleed Bug in Debian Ubuntu Linux?
sudo lsb_release -a
sudo apt-cache policy openssl
sudo openssl version -a
sudo dpkg -l openssl
sudo apt-get changelog openssl
openssl s_client -connect domain.com:443 -tlsextdebug 2>&1| grep 'server extension "heartbeat" (id=15)' || echo safe
If you are running Ubuntu 13.04 you will not have an updated package, so you must do it manually...
sudo -i
mkdir opensslfix
cd opensslfix
apt-get build-dep openssl
apt-get source openssl
cd openssl-1.0.1c/
nano Configure
(add -DOPENSSL_NO_HEARTBEATS to $debian_cflags, line 109)
dpkg-buildpackage -uc -b
cd ..
dpkg -l | grep -w 'libssl\|openssl'
dpkg -i *.deb
Restart all services which use openssl...
sudo service apache2 restart
sudo service proftpd restart
sudo service webmin restart
sudo service ssh restart
http://www.circl.lu/pub/tr-21/
http://www.websightdesigns.com/posts/view/how-to-upgrade-openssl-on-ubuntu-13-04
Testing tool - https://github.com/FiloSottile/Heartbleed
http://www.ubuntu.com/usn/usn-2165-1/
http://askubuntu.com/questions/444848/why-unattended-upgrades-does-not-fix-heartbleed-bug
http://askubuntu.com/questions/444817/am-i-affected-heartbleed-bug
http://askubuntu.com/questions/444702/how-to-patch-cve-2014-0160-in-openssl/444905#444905
What is a passphrase and how can I change the passphrase on my private key file?
A passphrase is a word or phrase that protects a private key file. It stops anyone who obtains the file from using the key: the private key is stored encrypted, and the passphrase is the secret from which the encryption/decryption key for that file is derived.
To change the passphrase you simply have to read it with the old pass-phrase and write it again, specifying the new pass-phrase.
You can accomplish this with the following commands:
openssl rsa -des3 -in myserver.key -out server.key.new
mv server.key.new myserver.key
The first time you're asked for a PEM pass-phrase, you should enter the old pass-phrase. After that, you'll be asked again to enter a pass-phrase - this time, use the new pass-phrase. If you are asked to verify the pass-phrase, you'll need to enter the new pass-phrase a second time.
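The same change done non-interactively, with a check afterwards that only the new passphrase opens the file. This is an added example, not part of the original notes; it works on a throwaway key generated in a temp dir, so no real key is touched, and it assumes the openssl binary is on PATH. It re-encrypts with AES-256 where the command above uses -des3; the passphrases oldsecret and newsecret are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): passphrase change with
# -passin/-passout, then proof that the old passphrase is rejected.
# Assumes the openssl binary is on PATH.

# change_passphrase KEYFILE OLD NEW: rewrite KEYFILE encrypted under NEW.
# The key material is unchanged; only the wrapping passphrase differs.
change_passphrase() {
    keyfile=$1; old=$2; new=$3
    openssl rsa -aes256 -in "$keyfile" -passin "pass:$old" \
        -out "$keyfile.new" -passout "pass:$new" 2>/dev/null || return 1
    mv "$keyfile.new" "$keyfile"
}

# key_opens_with KEYFILE PASS: exit 0 if PASS decrypts KEYFILE, 1 otherwise.
key_opens_with() {
    openssl rsa -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# passphrase_demo: exit 0 only if, after the change, the old passphrase is
# rejected and the new one accepted; the temp dir is removed either way.
passphrase_demo() {
    dir=$(mktemp -d) || return 1
    key="$dir/myserver.key"
    # Constructed test key, encrypted with the "old" passphrase.
    openssl genrsa -aes256 -passout pass:oldsecret -out "$key" 2048 2>/dev/null \
        || { rm -rf "$dir"; return 1; }
    change_passphrase "$key" oldsecret newsecret || { rm -rf "$dir"; return 1; }
    result=0
    key_opens_with "$key" oldsecret && result=1   # old must now fail
    key_opens_with "$key" newsecret || result=1   # new must succeed
    rm -rf "$dir"
    return "$result"
}

passphrase_demo && echo "passphrase changed: old rejected, new accepted"
```

The pass: form is convenient for a demo but puts the secret on the command line, where ps and shell history can see it; for a real key use -passin env:VAR or -passin file:/path (file mode 0600) instead, which openssl accepts in the same place.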
How To Reconfigure SSL Certificates In Ubuntu Debian
Add your certificate files to /usr/share/ca-certificates/ and run dpkg-reconfigure ca-certificates.
Own Mail Server
openssl s_client -showcerts -connect mail.domain.co.uk:995 -CApath /etc/ssl/certs -servername mail.domain.co.uk
Copy and paste all of the lines in between and including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into a single file, then run the reconfigure command.
sudo dpkg-reconfigure ca-certificates
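What the trust-store steps above are for, reproduced locally: the "unable to get local issuer certificate" failure (verify error 20) from the Dovecot section, then the two ways these notes clear it, handing openssl a CA file or a hashed -CApath directory laid out like /etc/ssl/certs (which is what dpkg-reconfigure ca-certificates maintains; note it only picks up files under /usr/share/ca-certificates/ whose name ends in .crt). This is an added example, not part of the original notes; a throwaway CA and a leaf it signs are generated in a temp dir, the name mail.example.test is constructed, and the openssl binary is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original notes): reproduce verify error 20 with
# a local test CA, then clear it with -CAfile and with a hashed -CApath.
# Assumes the openssl binary is on PATH.

# make_test_pki DIR: write ca.crt/ca.key and a leaf.crt signed by that CA.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Test CA" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" -subj "/CN=mail.example.test" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null
}

# verify_error CERT: print the reason openssl verify gives with only the
# system trust store available (empty when verification succeeds).
verify_error() {
    openssl verify "$1" 2>&1 \
        | sed -n 's/.*error [0-9][0-9]* at [0-9][0-9]* depth lookup: *//p' | head -n 1
}

# verify_with_cafile CERT CAFILE: exit 0 if CERT chains to a CA in CAFILE.
verify_with_cafile() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_capath DIR CAFILE: build the hashed layout -CApath expects: one file
# per CA named <subject-hash>.0, which is how /etc/ssl/certs is organised.
make_capath() {
    mkdir -p "$1" || return 1
    cp "$2" "$1/$(openssl x509 -noout -subject_hash -in "$2").0"
}

# verify_with_capath CERT DIR: exit 0 if CERT chains to a CA found in DIR.
verify_with_capath() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# fingerprint_sha256 CERT: colon-separated SHA-256 fingerprint, the value to
# compare with a CA's published fingerprint before trusting a downloaded copy.
fingerprint_sha256() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/.*=//'
}

# pki_demo: exit 0 only if the leaf fails with error 20 on its own and
# verifies once the CA is supplied either way.
pki_demo() {
    dir=$(mktemp -d) || return 1
    make_test_pki "$dir" || { rm -rf "$dir"; return 1; }
    result=0
    [ "$(verify_error "$dir/leaf.crt")" = "unable to get local issuer certificate" ] || result=1
    verify_with_cafile "$dir/leaf.crt" "$dir/ca.crt" || result=1
    make_capath "$dir/certs" "$dir/ca.crt" || result=1
    verify_with_capath "$dir/leaf.crt" "$dir/certs" || result=1
    rm -rf "$dir"
    return "$result"
}

pki_demo && echo "error 20 reproduced, then cleared by -CAfile and by hashed -CApath"
```

The fingerprint function is the check to run on any root you fetch by hand before adding it to the store, such as the Let's Encrypt files in the next section: compare its output with the fingerprint the CA publishes, since a file that arrived over an unverified download is exactly the thing the trust store is meant to guard against.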
Let's Encrypt
https://letsencrypt.org/certificates/
...then run the commands below, and on the last command select the new certs with a star in the box [*] to add them...
sudo -i
cd /usr/share/ca-certificates/
wget --no-check-certificate -O isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
wget --no-check-certificate -O isrg-root-x1-cross-signed.crt https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem
dpkg-reconfigure ca-certificates