OpenSSL
# Glossaries
* SSL - Secure Socket Layer
* CSR - Certificate Signing Request
* TLS - Transport Later Sequrity
* PEM - Pravacy Enhanced Mail
* DER - Distiguished Encoding Rules
* SHA - Secure Hash Algorithm
* PKCS - Public-key Cryptography Standards
* tampering : 改竄
* snooping : 盗聴
* snoofing : なりすまし
* (to hide one's original IP address and pretend to have another IP address)
* replay : 再送
* confidentiality : どの暗号化関数を使用しているかを機密にすること
* integrity : データを積分すること(すべてのデータが正しいかチェック)e.g. checksum
!!! Tip
SSL/TCP enables transparent "consinstency" and "integrity".
* entropy : 乱雑さの度合い
* a way of measurement of the energy that is present in a system
* the entropy is 128 bit : 128 bit の全ビットが 0 , 1 ともに半々の確率で起こりうる状態
* EGADS : entropy getting tool
* stunnel : a tool which can adopt every protocol to that on SSL
* CRL : certificate revocation list : 証明書が失効する日付を書いたリスト
* HTTPS := HTTP/SSL/TLS
# How to Wrap HTTP Server into HTTPS
Just use `stunnel` to wrap HTTP into HTTPS (:= HTTP/SSL/TLS)
Private Key Generation
~~~sh
## ECDSA (secp256k1)
$ openssl ecparam -list_curves
$ openssl ecparam -name secp256k1 -out secp256k1.pem ## this outs the generator G of secp256k1 curves
$ openssl ecparam -in secp256k1.pem -genkey -noout -out secpr256k1-key.pem ## this creates a new private key
## RSA (2048bit)
$ openssl genpkey -algorithm RSA -out rsa2048-key.pem -pkeyout rsa_keygen_bits:2048 rsa_keygen_pubexp:3
## RSA (with password:xxxxxxxx)
$ openssl genpkey -algorithm RSA -out rsa_with_passwd-key.pem -aes-128-cbc -pass pass:xxxxxxxx
~~~
Certification Generation (with priv-key.pem)
~~~sh
$ openssl req -new -x509 -key priv-key.pem -out selfcert.pem -days 366 ## This generates self certification
~~~
Dowonload `stunnel` and `vim /etc/stunnel/stunnel.conf`
Do `mkdir /home/ghasshee/myopenssl && mkdir /home/ghasshee/myopenssl/stunnel`
~~~sh
cert = /home/ghasshee/myopenssl/selfcert.pem
key = /home/ghasshee/myopenssl/privkey_rsa2048.pem
sslVersion = TLSv1
; client = yes
chroot = /home/ghasshee/myopenssl/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
options = NO_SSLv2
options = NO_SSLv3
[https]
accept = 4999
connect = 4000
TIMEOUTclose = 0
~~~
see the ports
~~~
$ sudo lsof -i
~~~
then start stunnel
~~~
$ stunnel
~~~
see the ports
~~~
$ sudo lsof -i
...
stunnel 22540 nobody 7u IPv4 1028319 0t0 TCP *:hfcs-manager (LISTEN)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~~~
References : http://fm4dd.com/openssl/stunnel-howto.htm
# The Tips of `OPENSSL`
## Generate Private Keys
~~~
openssl ecparam -list_curves
openssl ecparam -name secp521r1 -genkey
openssl ecparam -name secp521r1 -out secp521r1.pem
openssl ecparam -name secp521r1 -genkey -noout -out secp521r1-key.pem
openssl ecparam -in secp521r1.pem -text -noout
➜ ~
➜ ~ openssl ecparam -in secp521r1.pem -text -noout
ASN1 OID: secp521r1
NIST CURVE: P-521
➜ ~ openssl ecparam -in secp521r1.pem -text -param_enc explicit -noout
Field Type: prime-field
Prime:
01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff
A:
01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:fc
B:
51:95:3e:b9:61:8e:1c:9a:1f:92:9a:21:a0:b6:85:
40:ee:a2:da:72:5b:99:b3:15:f3:b8:b4:89:91:8e:
f1:09:e1:56:19:39:51:ec:7e:93:7b:16:52:c0:bd:
3b:b1:bf:07:35:73:df:88:3d:2c:34:f1:ef:45:1f:
d4:6b:50:3f:00
Generator (uncompressed):
04:00:c6:85:8e:06:b7:04:04:e9:cd:9e:3e:cb:66:
23:95:b4:42:9c:64:81:39:05:3f:b5:21:f8:28:af:
60:6b:4d:3d:ba:a1:4b:5e:77:ef:e7:59:28:fe:1d:
c1:27:a2:ff:a8:de:33:48:b3:c1:85:6a:42:9b:f9:
7e:7e:31:c2:e5:bd:66:01:18:39:29:6a:78:9a:3b:
c0:04:5c:8a:5f:b4:2c:7d:1b:d9:98:f5:44:49:57:
9b:44:68:17:af:bd:17:27:3e:66:2c:97:ee:72:99:
5e:f4:26:40:c5:50:b9:01:3f:ad:07:61:35:3c:70:
86:a2:72:c2:40:88:be:94:76:9f:d1:66:50
Order:
01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
ff:ff:ff:fa:51:86:87:83:bf:2f:96:6b:7f:cc:01:
48:f7:09:a5:d0:3b:b5:c9:b8:89:9c:47:ae:bb:6f:
b7:1e:91:38:64:09
Cofactor: 1 (0x1)
Seed:
d0:9e:88:00:29:1c:b8:53:96:cc:67:17:39:32:84:
aa:a0:da:64:ba
➜ ~
~~~
## Create new Private Key and Certificate Signing Request
~~~
openssl req -out geekflare.csr -newkey rsa:2048 -nodes -keyout geekflare.key
~~~
Above command will generate CSR and 2048-bit RSA key file. If you intend to use this certificate in Apache or Nginx, then you need to send this CSR file to certificate issuer authority, and they will give you signed certificate mostly in der or pem format which you need to configure in Apache or Nginx web server.
## Create Self-Signed Certificate
~~~
openssl req -x509 -sha256 -nodes -newkey rsa:2048 -keyout gfselfsigned.key -out gfcert.pem
~~~
Above command will generate a self-signed certificate and key file with 2048-bit RSA. I have also included sha256 as it’s considered most secure at the moment.
Tip: by default, it will generate self-signed certificate valid for only one month so you may consider defining –days parameter to extend the validity.
Ex: to have self-signed valid for two years.
~~~
openssl req -x509 -sha256 -nodes -days 730 -newkey rsa:2048 -keyout gfselfsigned.key -out gfcert.pem
~~~
## Verify CSR file
~~~
openssl req -noout -text -in geekflare.csr
~~~
Verification is essential to ensure you are sending CSR to issuer authority with required details.
## Create RSA Private Key
~~~
openssl genrsa -out private.key 2048
~~~
If you just need to generate RSA private key, you can use above command. I have included 2048 for stronger encryption.
## Remove Passphrase from Key
~~~
openssl rsa -in certkey.key -out nopassphrase.key
~~~
If you are using passphrase in key file and using Apache then every time you start, you have to enter the password. If you are annoyed with entering a password, then you can use above openssl rsa -in geekflare.key -check to remove the passphrase key from existing key.
## Verify Private Key
~~~
openssl rsa -in certkey.key –check
~~~
If you doubt on your key file, you can use above command to check.
## Verify Certificate File
~~~
openssl x509 -in certfile.pem -text –noout
~~~
If you would like to validate certificate data like CN, OU, etc. then you can use above command which will give you certificate details.
8Verify the Certificate Signer Authority
~~~
openssl x509 -in certfile.pem -noout -issuer -issuer_hash
~~~
Certificate issuer authority signs every certificate and in case you need to check them, you can use above command.
9Check Hash Value of A Certificate
~~~
openssl x509 -noout -hash -in bestflare.pem
~~~
## Convert DER to PEM format
~~~
openssl x509 –inform der –in sslcert.der –out sslcert.pem
~~~
Usually, certificate authority will give you SSL cert in .der format, and if you need to use them in apache or .pem format, you can use above command to convert them.
11Convert PEM to DER format
~~~
openssl x509 –outform der –in sslcert.pem –out sslcert.der
~~~
In case you need to change .pem format to .der
## Convert Certificate and Private Key to PKCS#12 format
~~~
openssl pkcs12 –export –out sslcert.pfx –inkey key.pem –in sslcert.pem
~~~
If you need to use a cert with the java application or with any other who accept only PKCS#12 format, you can use above command, which will generate single pfx containing certificate & key file.
Tip: you can also include chain certificate by passing –chain as below.
~~~
openssl pkcs12 –export –out sslcert.pfx –inkey key.pem –in sslcert.pem -chain cacert.pem
~~~
## Create CSR using existing private key
~~~
openssl req –out certificate.csr –key existing.key –new
~~~
If you don’t want to create a new private key instead using existing one, you can go with above command.
## Check contents of PKCS12 format cert
~~~
openssl pkcs12 –info –nodes –in cert.p12
~~~
PKCS12 is binary format so you won’t be able to view the content in notepad or another editor. So you got to use above command to see the contents of PKCS12 format file.
## Convert PKCS12 format to PEM certificate
~~~
openssl pkcs12 –in cert.p12 –out cert.pem
~~~
If you wish to use existing pkcs12 format with Apache or just in pem format, this will be useful.
## Test SSL certificate of particular URL
~~~
openssl s_client -connect yoururl.com:443 –showcerts
~~~
I use this quite often to validate the SSL certificate of particular URL from the server. This is very handy to validate the protocol, cipher, and cert details.
## Find out OpenSSL version
~~
openssl version
~~~
If you are responsible for ensuring OpenSSL is secure then probably one of the first things you got to do is to verify the version.
# Check PEM File Certificate Expiration Date
~~~
openssl x509 -noout -in certificate.pem -dates
~~~
Useful if you are planning to put some monitoring to check the validity. It will show you date in notBefore and notAfter syntax. notAfter is one you will have to verify to confirm if a certificate is expired or still valid.
Ex:
~~~sh
[root@Chandan opt]# openssl x509 -noout -in bestflare.pem -dates
notBefore=Jul 4 14:02:45 2015 GMT
notAfter=Aug 4 09:46:42 2015 GMT
[root@Chandan opt]#
~~~
## Check Certificate Expiration Date of SSL URL
openssl s_client -connect secureurl.com:443 2>/dev/null | openssl x509 -noout –enddate
Another useful if you are planning to monitor SSL cert expiration date remotely or particular URL.
Ex:
~~~
[root@Chandan opt]# openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -enddate
notAfter=Dec 8 00:00:00 2015 GMT
~~~
## Check if SSL V2 or V3 is accepted on URL
To check SSL V2
~~~
openssl s_client -connect secureurl.com:443 -ssl2
~~~
To Check SSL V3
~~~
openssl s_client -connect secureurl.com:443 –ssl3
~~~
To Check TLS 1.0
~~~
openssl s_client -connect secureurl.com:443 –tls1
~~~
To Check TLS 1.1
~~~
openssl s_client -connect secureurl.com:443 –tls1_1
~~~
To Check TLS 1.2
~~~
openssl s_client -connect secureurl.com:443 –tls1_2
~~~
If you are securing web server and need to validate if SSL V2/V3 is enabled or not, you can use above command. If activated, you will get “CONNECTED” else “handshake failure.”
## Verify if particular cipher is accepted on URL
~~~
openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect secureurl:443
~~~
If you are working on security findings and pen test results show some of the weak ciphers is accepted then to validate, you can use above command.
Of course, you will have to change the cipher and URL, which you want to test against. If the mentioned cipher is accepted, then you will get “CONNECTED” else “handshake failure.”