Openssl: Difference between revisions
From Federal Burro of Information
Jump to navigationJump to search
No edit summary |
|||
(3 intermediate revisions by the same user not shown) | |||
Line 33: | Line 33: | ||
== enumerate an | == enumerate an endpoint == | ||
ssl_enum.sh | |||
<pre> | |||
#! /bin/bash | #! /bin/bash | ||
Line 48: | Line 48: | ||
done | done | ||
done | done | ||
</pre> | |||
== Matching key with cert == | == Matching key with cert == | ||
Line 60: | Line 60: | ||
https://www.sslshopper.com/ssl-checker.html | https://www.sslshopper.com/ssl-checker.html | ||
Qualys: | |||
https://www.ssllabs.com/ssltest/ | https://www.ssllabs.com/ssltest/ | ||
== 10 years in ine line == | |||
<pre> | |||
openssl req -x509 \ | |||
-newkey rsa:4096 \ | |||
-keyout key.pem \ | |||
-out cert.pem \ | |||
-sha256 -days 3650 \ | |||
-nodes -subj "/C=CA/ST=Ontario/L=Toronto/O=InnoCorpCom/OU=Tax/CN=proxied.encryptions.svc.cluster.local" | |||
</pre> |
Latest revision as of 18:55, 3 June 2024
connect to ssl at the command line:
https:
openssl s_client -connect server:443
smtp tls:
openssl s_client -connect server:25 -starttls smtp
more here: http://www.madboa.com/geek/openssl/
CA or not CA
Web Server Cert:
X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE
CA Cert:
X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE
Supported Cyphers
You are configuring your favourite app that uses openssl libs. You give it a "cyphers string". Am I allowing bad varitions?
openssl ciphers -v TLSv1.2:+TLSv1.1:+SHA384:+SHA256:+SHA1:+MD5
Will spit out a lit of the supported cypher variations.
enumerate an endpoint
ssl_enum.sh
#! /bin/bash serverport=$1 echo testing against $serverport for v in ssl2 ssl3 tls1 tls1_1 tls1_2; do for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do openssl s_client -connect $serverport \ -cipher $c -$v < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c" done done
Matching key with cert
openssl x509 -noout -modulus -in certificate.crt | openssl md5 openssl rsa -noout -modulus -in privateKey.key | openssl md5 openssl req -noout -modulus -in CSR.csr | openssl md5
Certificate Verification Tools
https://www.sslshopper.com/ssl-checker.html
Qualys:
https://www.ssllabs.com/ssltest/
10 years in ine line
openssl req -x509 \ -newkey rsa:4096 \ -keyout key.pem \ -out cert.pem \ -sha256 -days 3650 \ -nodes -subj "/C=CA/ST=Ontario/L=Toronto/O=InnoCorpCom/OU=Tax/CN=proxied.encryptions.svc.cluster.local"