Openssl: Difference between revisions
From Federal Burro of Information
Latest revision as of 18:55, 3 June 2024
Connect to SSL at the command line:

https:
<pre>
openssl s_client -connect server:443
</pre>
smtp tls:
<pre>
openssl s_client -connect server:25 -starttls smtp
</pre>
more here: http://www.madboa.com/geek/openssl/
== CA or not CA ==
Web Server Cert:
<pre>
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
</pre>
CA Cert:
<pre>
X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:TRUE
</pre>
== Supported Ciphers ==
You are configuring your favourite app that uses the openssl libs and you give it a "ciphers string". Are you allowing bad variations?
<pre>
openssl ciphers -v TLSv1.2:+TLSv1.1:+SHA384:+SHA256:+SHA1:+MD5
</pre>
Will spit out a list of the supported cipher variations.
== enumerate an endpoint ==
ssl_enum.sh
<pre>
#!/bin/bash
# Try every cipher the local openssl knows against each protocol version and
# print the combinations the server accepts. Errors are discarded, so a
# combination the local openssl itself does not support (e.g. -ssl2 on a
# modern build) is simply not printed.
serverport=$1
echo "testing against $serverport"
for v in ssl2 ssl3 tls1 tls1_1 tls1_2; do
  for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    openssl s_client -connect "$serverport" \
      -cipher "$c" -"$v" < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c"
  done
done
</pre>
== Matching key with cert ==
If the three digests are identical, the certificate, private key and CSR belong together:
<pre>
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
</pre>
== Certificate Verification Tools ==
https://www.sslshopper.com/ssl-checker.html
Qualys:
https://www.ssllabs.com/ssltest/
== 10 years in one line ==
<pre>
openssl req -x509 \
  -newkey rsa:4096 \
  -keyout key.pem \
  -out cert.pem \
  -sha256 -days 3650 \
  -nodes -subj "/C=CA/ST=Ontario/L=Toronto/O=InnoCorpCom/OU=Tax/CN=proxied.encryptions.svc.cluster.local"
</pre>
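Added example, not part of the wiki page: a bash script that generates a key and self-signed certificate the way the one-liner above does, then checks key/cert correspondence as in "Matching key with cert", and also shows a public-key comparison that works for non-RSA keys, where -modulus does not apply. It assumes the openssl CLI is on PATH; all file names are constructed.

```shell
#!/bin/bash
# Added example, not from the wiki page: create a key and a self-signed cert the
# way the "10 years in one line" command does, then test whether a private key
# belongs to a certificate. Assumes the openssl CLI is on PATH; file names are
# constructed here. 2048-bit keys keep generation fast; the page uses 4096.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

openssl req -x509 -newkey rsa:2048 -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -sha256 -days 3650 -nodes -subj "/CN=example.test" 2>/dev/null
# An unrelated key for the negative case.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.pem" 2>/dev/null

# The page's method: digest the RSA modulus (sha256 here instead of md5).
# $1 is the openssl subcommand for the object type: x509, rsa or req.
modulus_digest() {
    openssl "$1" -noout -modulus -in "$2" | openssl sha256 | awk '{print $NF}'
}
key_matches_cert() {   # $1 = private key, $2 = certificate
    [ "$(modulus_digest rsa "$1")" = "$(modulus_digest x509 "$2")" ]
}

# Key-type-agnostic method: compare the public key in PEM form. Unlike
# -modulus, this also works for EC and Ed25519 keys.
pubkey_digest() {      # $1 = key|cert|csr, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        cert) openssl x509 -noout -pubkey -in "$2" ;;
        csr)  openssl req -noout -pubkey -in "$2" ;;
    esac | openssl sha256 | awk '{print $NF}'
}
pubkey_matches_cert() {   # $1 = private key, $2 = certificate
    [ "$(pubkey_digest key "$1")" = "$(pubkey_digest cert "$2")" ]
}

key_matches_cert "$WORK/key.pem" "$WORK/cert.pem" && echo "key.pem matches cert.pem"
key_matches_cert "$WORK/other.pem" "$WORK/cert.pem" || echo "other.pem does not match cert.pem"
pubkey_matches_cert "$WORK/key.pem" "$WORK/cert.pem" && echo "public-key check agrees"
```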