This document serves both as an rudimentary introduction to openssl command line interface and a step by step guide to setup HTTPs server.
0) Setup
openssl config contains the information about path to the various files that are required and other default settings while creating/signing certificate, and some policy information.
The default config is /etc/ssl/openssl.cnf or /usr/lib/ssl/openssl.cnf depending on your installation. By default openssl would be using one of these. If you want to make changes to the config, copy it to a local location and make the changes. To let openssl use the new config you will have to pass in a parameter "-config
A) Designate a directory to be the root directory.
B) Copy the openssl.cnf to our experimental directory
snape@hogwarts:~/ssl$ cp /usr/lib/ssl/openssl.cnf .
snape@hogwarts:~/ssl$ ls -al
total 20
drwxr-xr-x 3 hogwarts hogwarts 4096 2011-07-21 17:30 .
drwxr-xr-x 44 hogwarts hogwarts 4096 2011-07-21 17:26 ..
-rw-r--r-- 1 hogwarts hogwarts 9374 2011-07-21 17:30 openssl.cnf
snape@hogwarts:~/ssl$
snape@hogwarts:~/ssl$ ls -al
total 20
drwxr-xr-x 3 hogwarts hogwarts 4096 2011-07-21 17:30 .
drwxr-xr-x 44 hogwarts hogwarts 4096 2011-07-21 17:26 ..
-rw-r--r-- 1 hogwarts hogwarts 9374 2011-07-21 17:30 openssl.cnf
snape@hogwarts:~/ssl$
C) If you care to look inside openssl.cnf, it would contain a
"[ ca_default ]" section.
[ CA_default ]
dir = ./demoCA # Where everything is kept
It specifies the default configuration parameters for the CA operations
Note the value for the config "dir". This is the root directory for the CA
It is possible to keep every bit information spread out in different locations. But it would only make maintainence difficult. For this purpose, lets group everything under one directory.
D) Create directories and files required for the CA operation. These will be explained later in the doc.
snape@hogwarts:~/ssl$ mkdir demoCA
snape@hogwarts:~/ssl$ mkdir demoCA/certs
snape@hogwarts:~/ssl$ mkdir demoCA/crl
snape@hogwarts:~/ssl$ mkdir demoCA/newcerts
snape@hogwarts:~/ssl$ mkdir demoCA/private
snape@hogwarts:~/ssl$ echo "00" > demoCA/serial
snape@hogwarts:~/ssl$ touch demoCA/index.txt
snape@hogwarts:~/ssl$
Now that the basic set up is done. We need to first setup the CAsnape@hogwarts:~/ssl$ mkdir demoCA/certs
snape@hogwarts:~/ssl$ mkdir demoCA/crl
snape@hogwarts:~/ssl$ mkdir demoCA/newcerts
snape@hogwarts:~/ssl$ mkdir demoCA/private
snape@hogwarts:~/ssl$ echo "00" > demoCA/serial
snape@hogwarts:~/ssl$ touch demoCA/index.txt
snape@hogwarts:~/ssl$
1) Create keys for CA
snape@hogwarts:~/ssl$ openssl genrsa 1024 > demoCA/private/ca.key
Generating RSA private key, 1024 bit long modulus
...............................................++++++
............................++++++
e is 65537 (0x10001)
snape@hogwarts:~/ssl$
This creates a rsa key of 1024 bits length and write the key to demoCA/private/ca.key
By default, genrsa creates a key of length 512 bits. To be safe, key of length atleast 1024bits is required.
2) Create certificate request for CA
openssl's req command is used to create the certificate request. Certificate request captures formal information about country,state, organisation etc.
The request is then signed with the private key of the applicant which is not published outside. The request contains only the public key of the applicant, now in our case it is the CA itself.
snape@hogwarts:~/ssl$ openssl req -new -key demoCA/private/ca.key -out demoCA/reqs/ca.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:DL
Locality Name (eg, city) []:DL
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC Corp
Organizational Unit Name (eg, section) []:SWD Labs
Common Name (eg, YOUR name) []:SWD CA
Email Address []:swd_ca@abc.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:ABC Corp
snape@hogwarts:~/ssl$
snape@hogwarts:~/ssl$ ls -l demoCA/reqs/ca.req
-rw-r--r-- 1 hogwarts hogwarts 712 2011-07-21 17:56 demoCA/reqs/ca.req
snape@hogwarts:~/ssl$
Note the default values presented by openssl. Those are taken from the openssl.cnf.
The certificate request is now created inside demoCA/reqs/ .
snape@hogwarts:~/ssl$ openssl req -in demoCA/reqs/ca.req -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=IN, ST=DL, L=DL, O=ABC Corp, OU=SWD Labs, CN=SWD CA/emailAddress=swd_ca@abc.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c5:bf:60:2e:91:81:0f:1d:ca:53:a2:53:f6:6a:
4f:da:ea:96:72:b9:0f:d3:4a:a3:66:b5:8b:60:cc:
74:b0:04:01:92:6e:53:29:6c:e3:92:8b:5b:98:e1:
16:bb:68:aa:1a:e9:af:f4:6a:87:89:22:88:a1:47:
51:ac:88:a9:41:4e:3b:23:15:fe:ab:3a:0d:7b:6e:
46:ec:78:c4:26:77:f5:f1:44:f6:12:2f:d6:f8:93:
be:d9:96:a6:8c:a5:2d:da:38:42:78:8f:cf:48:4e:
ca:70:05:4c:74:2f:bb:3b:84:8a:20:e2:85:39:19:
99:bb:d2:19:6b:0a:10:56:8f
Exponent: 65537 (0x10001)
Attributes:
unstructuredName :ABC Corp
Signature Algorithm: sha1WithRSAEncryption
1a:4d:c9:64:60:54:69:02:29:d0:6d:bb:6d:fc:74:db:e1:92:
7b:a3:91:7d:79:fc:01:38:d8:13:3c:e9:dd:a6:7a:ad:15:4f:
92:33:25:d5:a9:44:b8:e7:1a:10:6d:b4:e0:06:82:51:fe:c1:
7c:0c:4f:e4:5e:99:ee:ed:67:1c:70:a7:3e:e9:06:cb:be:c5:
93:3a:af:e5:4a:0b:ec:22:16:2b:43:7f:88:91:8d:f5:de:45:
5a:b3:03:93:6d:57:b9:88:79:95:85:94:1b:a5:2a:fb:b7:68:
0c:08:68:22:ad:5b:a8:5d:27:c7:0f:ca:d5:1c:78:11:59:c9:
ed:64
-----BEGIN CERTIFICATE REQUEST-----
MIIB1jCCAT8CAQAwfTELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkRMMQswCQYDVQQH
EwJETDERMA8GA1UEChMIQUJDIENvcnAxETAPBgNVBAsTCFNXRCBMYWJzMQ8wDQYD
VQQDEwZTV0QgQ0ExHTAbBgkqhkiG9w0BCQEWDnN3ZF9jYUBhYmMuY29tMIGfMA0G
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFv2AukYEPHcpTolP2ak/a6pZyuQ/TSqNm
tYtgzHSwBAGSblMpbOOSi1uY4Ra7aKoa6a/0aoeJIoihR1GsiKlBTjsjFf6rOg17
bkbseMQmd/XxRPYSL9b4k77ZlqaMpS3aOEJ4j89ITspwBUx0L7s7hIog4oU5GZm7
0hlrChBWjwIDAQABoBkwFwYJKoZIhvcNAQkCMQoTCEFCQyBDb3JwMA0GCSqGSIb3
DQEBBQUAA4GBABpNyWRgVGkCKdBtu238dNvhknujkX15/AE42BM86d2meq0VT5Iz
JdWpRLjnGhBttOAGglH+wXwMT+Reme7tZxxwpz7pBsu+xZM6r+VKC+wiFitDf4iR
jfXeRVqzA5NtV7mIeZWFlBulKvu3aAwIaCKtW6hdJ8cPytUceBFZye1k
-----END CERTIFICATE REQUEST-----
snape@hogwarts:~/ssl$
If you dont want openssl to print the encoded certificate request at the end of the command, pass "-noout" option. This option is available for many other similar commands like x509 and crl
3) Self Sign CA certificate
Now that we have created a certificate request for the CA, we have to self sign with the private key to create CA certificate.
To sign a certificate we use "openssl ca" command. We take the certificate request as input [-in ]. We sign it with the private key of the CA [-key]. We output the signed certificate [-out].
In our case, we are creating the CA certificate which has to be selfsigned [ -selfsign ]. The -extensions option tells openssl to use the config params from the section v3_ca as the x509 v3 extension values.
Note in the output, X509v3 Basic Constraints section, it says CA is true. For a normal server certificate, it will be false.
snape@hogwarts:~/ssl$ openssl ca -keyfile demoCA/private/ca.key -in demoCA/reqs/ca.req -out demoCA/private/ca.crt -selfsign -extensions v3_ca
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jul 21 12:49:43 2011 GMT
Not After : Jul 20 12:49:43 2012 GMT
Subject:
countryName = IN
stateOrProvinceName = DL
organizationName = ABC Corp
organizationalUnitName = SWD Labs
commonName = SWD CA
emailAddress = swd_ca@abc.com
X509v3 extensions:
X509v3 Subject Key Identifier:
C0:DE:24:C5:63:5E:2C:48:68:A8:67:88:9E:79:A3:1D:31:ED:69:D5
X509v3 Authority Key Identifier:
keyid:C0:DE:24:C5:63:5E:2C:48:68:A8:67:88:9E:79:A3:1D:31:ED:69:D5
DirName:/C=IN/ST=DL/O=ABC Corp/OU=SWD Labs/CN=SWD CA/emailAddress=swd_ca@abc.com
serial:00
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Jul 20 12:49:43 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
snape@hogwarts:~/ssl$
When this command executes, openssl updates various files inside our demoCA directory. It takes back up of "serial" file and increments the value in it. Serial file generally contains the serial number to use at the time of creating the certificate. It updates index.txt file with the entry for the new certificate. A copy of the newly created certificate is kept inside demoCA/newcerts as serialnumber.pem, ie 00.pem .
You can verify the status of the certificate by giving the serial number as in the following :
snape@hogwarts:~/ssl$ openssl ca -status 00 -verbose
Using configuration from /usr/lib/ssl/openssl.cnf
00=Valid (V)
snape@hogwarts:~/ssl$ openssl ca -status 01
Using configuration from /usr/lib/ssl/openssl.cnf
Serial 01 not present in db.
Error verifying serial 01!
snape@hogwarts:~/ssl$
To verify the contents of the certificate / To print the certificate in human readable formUsing configuration from /usr/lib/ssl/openssl.cnf
00=Valid (V)
snape@hogwarts:~/ssl$ openssl ca -status 01
Using configuration from /usr/lib/ssl/openssl.cnf
Serial 01 not present in db.
Error verifying serial 01!
snape@hogwarts:~/ssl$
snape@hogwarts:~/ssl$ openssl x509 -in demoCA/private/ca.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IN, ST=DL, O=ABC Corp, OU=SWD Labs, CN=SWD CA/emailAddress=swd_ca@abc.com
Validity
Not Before: Jul 21 12:49:43 2011 GMT
Not After : Jul 20 12:49:43 2012 GMT
Subject: C=IN, ST=DL, O=ABC Corp, OU=SWD Labs, CN=SWD CA/emailAddress=swd_ca@abc.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c5:bf:60:2e:91:81:0f:1d:ca:53:a2:53:f6:6a:
4f:da:ea:96:72:b9:0f:d3:4a:a3:66:b5:8b:60:cc:
74:b0:04:01:92:6e:53:29:6c:e3:92:8b:5b:98:e1:
16:bb:68:aa:1a:e9:af:f4:6a:87:89:22:88:a1:47:
51:ac:88:a9:41:4e:3b:23:15:fe:ab:3a:0d:7b:6e:
46:ec:78:c4:26:77:f5:f1:44:f6:12:2f:d6:f8:93:
be:d9:96:a6:8c:a5:2d:da:38:42:78:8f:cf:48:4e:
ca:70:05:4c:74:2f:bb:3b:84:8a:20:e2:85:39:19:
99:bb:d2:19:6b:0a:10:56:8f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C0:DE:24:C5:63:5E:2C:48:68:A8:67:88:9E:79:A3:1D:31:ED:69:D5
X509v3 Authority Key Identifier:
keyid:C0:DE:24:C5:63:5E:2C:48:68:A8:67:88:9E:79:A3:1D:31:ED:69:D5
DirName:/C=IN/ST=DL/O=ABC Corp/OU=SWD Labs/CN=SWD CA/emailAddress=swd_ca@abc.com
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
09:55:77:5d:be:2c:31:20:65:19:85:dc:5e:b5:c7:2e:48:79:
86:21:22:a3:16:75:87:b3:8c:ab:c6:14:4c:78:80:c2:15:1f:
78:71:5b:8e:e4:f4:13:0e:06:c9:56:a2:c4:42:ac:16:9a:27:
e4:a8:89:50:41:16:5c:76:ce:9a:9b:d1:e7:d9:0d:c7:d9:1f:
af:08:c5:ea:c1:10:00:09:1b:5c:5f:00:1e:58:f2:3c:9d:15:
52:a0:47:e0:4c:a0:44:2f:5a:31:8d:5d:6a:b5:2a:90:dd:72:
d0:5a:96:63:16:eb:0d:b5:6f:a1:1a:7d:0c:a5:2d:3c:af:49:
d1:b9
snape@hogwarts:~/ssl$
With this, we are done with setting up the Certificate Authority.
3a) If all you need is one single CA certificate for testing purpose, the following "openssl req" command can do the work for you.
openssl req -newkey rsa:1024 -keyout ca.key -x509 -new -out ca.crt -extensions v3_ca -config ./openssl.cnf
Note that this command combines the multi step process of creating key, certificate request and signing that to produce a request into one single step. The important option here is "-x509", which when passed, the command would output a self-signed certificate. On the down side, openssl will not update the data base it maintains for certificate management. Use this if and only if you need one single CA certificate to test something quickly.
4) Create keys for Server
Just for convenience, create a directory called server. Lets keep every thing about the server here.
snape@hogwarts:~/ssl$ mkdir server
snape@hogwarts:~/ssl$ openssl genrsa 1024 > server/server.key
Generating RSA private key, 1024 bit long modulus
.......................................++++++
......................++++++
e is 65537 (0x10001)
snape@hogwarts:~/ssl$
snape@hogwarts:~/ssl$ openssl genrsa 1024 > server/server.key
Generating RSA private key, 1024 bit long modulus
.......................................++++++
......................++++++
e is 65537 (0x10001)
snape@hogwarts:~/ssl$
5) Create certificate request for the Server
Now create the certificate request for the server as we did for the CA. Now we will be using the server's key to sign the request.
snape@hogwarts:~/ssl$ openssl req -new -key server/server.key -out server/server.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:DL
Locality Name (eg, city) []:DL
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Magick Corp
Organizational Unit Name (eg, section) []:Herbs
Common Name (eg, YOUR name) []:magick
Email Address []:elder_wand@magick.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Magick Corp
snape@hogwarts:~/ssl$
openssl req -new -out server/server.req -newkey rsa:1024 -keyout server/server.key
6) Sign Server certificate with that of CA
In a normal case, you would create the certificate request and do lot of paper work and apply for the certificate from Verisign or one such authority. Then the authority is supposed to check the validity of the information provided in the certificate request and then sign and issue the certificate for the requested amount of days.
For our experimental purposes, none of these are required.
Certificate authority takes in the certificate request, checks the signature and signs it with CA private key.
snape@hogwarts:~/ssl$ openssl ca -policy policy_anything -cert ./demoCA/private/ca.crt -keyfile ./demoCA/private/ca.key -out server/server.crt -infiles server/server.req
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 22 12:26:58 2011 GMT
Not After : Jul 21 12:26:58 2012 GMT
Subject:
countryName = IN
stateOrProvinceName = DL
localityName = DL
organizationName = Magick Corp
organizationalUnitName = Herbs
commonName = magick
emailAddress = elder_wand@magick.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AB:37:94:E3:9A:32:F9:81:AE:D6:1B:7A:BC:19:40:FB:DC:89:5F:3A
X509v3 Authority Key Identifier:
keyid:C0:DE:24:C5:63:5E:2C:48:68:A8:67:88:9E:79:A3:1D:31:ED:69:D5
Certificate is to be certified until Jul 21 12:26:58 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
snape@hogwarts:~/ssl$
After this, there will be one copy of the signed certificate inside ./demoCA/newcerts. Note in the x509v3 extensions, CA field is set to false. If CA is authorising another company for signing certificates, this would be set to true. Such a CA is called an intermediate CA. Generally an ICA is used to issue to certificates for the internal purposes within an organisation.Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 22 12:26:58 2011 GMT
Not After : Jul 21 12:26:58 2012 GMT
Subject:
countryName = IN
stateOrProvinceName = DL
localityName = DL
organizationName = Magick Corp
organizationalUnitName = Herbs
commonName = magick
emailAddress = elder_wand@magick.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AB:37:94:E3:9A:32:F9:81:AE:D6:1B:7A:BC:19:40:FB:DC:89:5F:3A
X509v3 Authority Key Identifier:
keyid:C0:DE:24:C5:63:5E:2C:48:68:A8:67:88:9E:79:A3:1D:31:ED:69:D5
Certificate is to be certified until Jul 21 12:26:58 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
snape@hogwarts:~/ssl$
Note the option, "policy policy_anything". The values for this option is defined inside the config file. If an ICA is issuing certificates, it might so want that the organisation name of the request must match with that of CA's, etc., Take a look at the section policy_match for sample settings. If any of the policy did not match, openssl would not issue the signed certificate
7) Setup Server
I am going to take apache as the sample server as I am comfortable with it.
Build and install apache with mod_ssl support.
while configuring apache, you have to give " --enable-ssl " option to the configure script, to enable mod_ssl support.
Check the apache build has mod_ssl support
snape@hogwarts:~/httpd_new/bin$ ./httpd -l | grep ssl
mod_ssl.c
snape@hogwarts:~/httpd_new/bin$
The configuration information I describe below has been tested for apache version 2.2.17. If you are running a different version , refer apache documents for doing similar changes. Essentials remain the same.
Now we have to fiddle with the apache config to run https service.
Open httpd.conf and search for ssl.
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
Uncomment the line that includes httpd-ssl.conf. Apache has nicely put every config required for HTTPs into this config file to keep this clean. Note that there are various ways of achieving the same effect which I will not dive into to limit the scope of this document.
Open and edit the exta/httpd-ssl.conf. Look for Listen directive. Change it to the port you want HTTPs to run. Also you need to edit the respective Virtual Host for the port.
The other two important directives are SSLCertificateFile and SSLCertificateKeyFile. Make them point to server's ssl certificate file and server's key file.
SSLCertificateFile "/home/hogwarts/ssl/server/server.crt"
SSLCertificateKeyFile "/home/hogwarts/ssl/server/server.key"
There are various other directives related fine tuing SSL, like supported SSL versions, CipherSuite. Refer apache doc for this.
Now start apache and we are running HTTPs.
Additional note : Make sure the key file as well as the certificate file are not accessible publicly outside the server environment. It is even better to have them encrypted and pass in the pass phrase while starting the server.
8) Test Server
We can use openssl itself to test that SSL setup is fine. "openssl s_client" simulates a very basic SSL client. It can connect any SSL server and initiate SSL connection.
Lets try to connect to the server we just started.
snape@hogwarts:~/httpd_new/conf$ openssl s_client -host localhost -port 4443 -CAfile /home/hogwarts/ssl/demoCA/private/ca.crt
CONNECTED(00000003)
depth=1 /C=IN/ST=DL/O=ABC Corp/OU=SWD Labs/CN=SWD CA/emailAddress=swd_ca@abc.com
verify return:1
depth=0 /C=IN/ST=DL/L=DL/O=Magick Corp/OU=Herbs/CN=magick/emailAddress=elder_wand@magick.com
verify return:1
---
Certificate chain
0 s:/C=IN/ST=DL/L=DL/O=Magick Corp/OU=Herbs/CN=magick/emailAddress=elder_wand@magick.com
i:/C=IN/ST=DL/O=ABC Corp/OU=SWD Labs/CN=SWD CA/emailAddress=swd_ca@abc.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC5jCCAk+gAwIBAgIBATANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJJTjEL
MAkGA1UECBMCREwxETAPBgNVBAoTCEFCQyBDb3JwMREwDwYDVQQLEwhTV0QgTGFi
czEPMA0GA1UEAxMGU1dEIENBMR0wGwYJKoZIhvcNAQkBFg5zd2RfY2FAYWJjLmNv
bTAeFw0xMTA3MjIxMjI2NThaFw0xMjA3MjExMjI2NThaMIGEMQswCQYDVQQGEwJJ
TjELMAkGA1UECBMCREwxCzAJBgNVBAcTAkRMMRQwEgYDVQQKEwtNYWdpY2sgQ29y
cDEOMAwGA1UECxMFSGVyYnMxDzANBgNVBAMTBm1hZ2ljazEkMCIGCSqGSIb3DQEJ
ARYVZWxkZXJfd2FuZEBtYWdpY2suY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDamPVMVN6gfiFMM+nbTyDb6Kn1gTg3vaGskvTgpPVCW1n3E2TfOJLbB5Mv
jnFRFCpHepPE3wYMF6gR+nvfosudEcFK0ArFqK/2KEDUIChOuToDhf+CaKlSR+n/
VZa+bBpZOIiQ9bA6+rGu5x7eLfR74sxxuDkTH6T3ABZk6vvRxQIDAQABo3sweTAJ
BgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0
aWZpY2F0ZTAdBgNVHQ4EFgQUqzeU45oy+YGu1ht6vBlA+9yJXzowHwYDVR0jBBgw
FoAUwN4kxWNeLEhoqGeInnmjHTHtadUwDQYJKoZIhvcNAQEFBQADgYEAmM7TYu05
vlV/R8sRw9IEHiO0Vi5Lr/gDhkGCQ2S/AvEW0/rYhwcATqzNyBZ4VJ1Y2AqfgHI6
IgWnQe4VlGoln1f0i3h9goJd90bsTlRyXVQogL1TIZ8J9XfgQckqmrMLLakJBJdT
0GnKmm98kvTuwIRnGhZQdduo3clYED5EPJk=
-----END CERTIFICATE-----
subject=/C=IN/ST=DL/L=DL/O=Magick Corp/OU=Herbs/CN=magick/emailAddress=elder_wand@magick.com
issuer=/C=IN/ST=DL/O=ABC Corp/OU=SWD Labs/CN=SWD CA/emailAddress=swd_ca@abc.com
---
No client certificate CA names sent
---
SSL handshake has read 1317 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 3D7A440647B20BFEFEF0574590384BC9D23434E6CFBA3D76654169F8C8693C47
Session-ID-ctx:
Master-Key: 63F2E1EBABEEF4DC4AABEDCC0D4B86E421E378822238DFEA9CF2E6D1520089C1E73313C3D05AA7181251A8C85C8454FE
Key-Arg : None
Start Time: 1312195153
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Options host and port together identify the host machine and port number where the SSL service is running. CAfile is to give the path to the file containing trusted ssl certificates.CONNECTED(00000003)
depth=1 /C=IN/ST=DL/O=ABC Corp/OU=SWD Labs/CN=SWD CA/emailAddress=swd_ca@abc.com
verify return:1
depth=0 /C=IN/ST=DL/L=DL/O=Magick Corp/OU=Herbs/CN=magick/emailAddress=elder_wand@magick.com
verify return:1
---
Certificate chain
0 s:/C=IN/ST=DL/L=DL/O=Magick Corp/OU=Herbs/CN=magick/emailAddress=elder_wand@magick.com
i:/C=IN/ST=DL/O=ABC Corp/OU=SWD Labs/CN=SWD CA/emailAddress=swd_ca@abc.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC5jCCAk+gAwIBAgIBATANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJJTjEL
MAkGA1UECBMCREwxETAPBgNVBAoTCEFCQyBDb3JwMREwDwYDVQQLEwhTV0QgTGFi
czEPMA0GA1UEAxMGU1dEIENBMR0wGwYJKoZIhvcNAQkBFg5zd2RfY2FAYWJjLmNv
bTAeFw0xMTA3MjIxMjI2NThaFw0xMjA3MjExMjI2NThaMIGEMQswCQYDVQQGEwJJ
TjELMAkGA1UECBMCREwxCzAJBgNVBAcTAkRMMRQwEgYDVQQKEwtNYWdpY2sgQ29y
cDEOMAwGA1UECxMFSGVyYnMxDzANBgNVBAMTBm1hZ2ljazEkMCIGCSqGSIb3DQEJ
ARYVZWxkZXJfd2FuZEBtYWdpY2suY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDamPVMVN6gfiFMM+nbTyDb6Kn1gTg3vaGskvTgpPVCW1n3E2TfOJLbB5Mv
jnFRFCpHepPE3wYMF6gR+nvfosudEcFK0ArFqK/2KEDUIChOuToDhf+CaKlSR+n/
VZa+bBpZOIiQ9bA6+rGu5x7eLfR74sxxuDkTH6T3ABZk6vvRxQIDAQABo3sweTAJ
BgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0
aWZpY2F0ZTAdBgNVHQ4EFgQUqzeU45oy+YGu1ht6vBlA+9yJXzowHwYDVR0jBBgw
FoAUwN4kxWNeLEhoqGeInnmjHTHtadUwDQYJKoZIhvcNAQEFBQADgYEAmM7TYu05
vlV/R8sRw9IEHiO0Vi5Lr/gDhkGCQ2S/AvEW0/rYhwcATqzNyBZ4VJ1Y2AqfgHI6
IgWnQe4VlGoln1f0i3h9goJd90bsTlRyXVQogL1TIZ8J9XfgQckqmrMLLakJBJdT
0GnKmm98kvTuwIRnGhZQdduo3clYED5EPJk=
-----END CERTIFICATE-----
subject=/C=IN/ST=DL/L=DL/O=Magick Corp/OU=Herbs/CN=magick/emailAddress=elder_wand@magick.com
issuer=/C=IN/ST=DL/O=ABC Corp/OU=SWD Labs/CN=SWD CA/emailAddress=swd_ca@abc.com
---
No client certificate CA names sent
---
SSL handshake has read 1317 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 3D7A440647B20BFEFEF0574590384BC9D23434E6CFBA3D76654169F8C8693C47
Session-ID-ctx:
Master-Key: 63F2E1EBABEEF4DC4AABEDCC0D4B86E421E378822238DFEA9CF2E6D1520089C1E73313C3D05AA7181251A8C85C8454FE
Key-Arg : None
Start Time: 1312195153
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
The s_client command initiates an ssl connection with the server. Once the handshake is done, it waits for user input from stdin. We can then send protocol specific message to the server and ensure that the connection is sane.
If the handshake succeeds, verify return is code reported to be "0". Otherwise it contains the ssl specific error message. For example if our trust store is empty, the error message that is returned is
Verify return code: 21 (unable to verify the first certificate)
Note that irrespective of whether the handshake succeeds or not, you can continue to use the session.
"openssl s_client" command can be tuned in various ways, like enabling only tls, verifying with peer verification.
Another option worth mentioning is "starttls". This is a special option which is required when testing ssl servers for smtp, pop3. The secure version of these protocols, expect the client to first send a STARTTLS command and then initiate ssl handshake.
9) Test an ssl client
Conversely, if we are doing an ssl client implementation, which is mostly the case, we would want a ready made server to test. "openssl s_server" commands provides very basic functionalities of an ssl server.
To start a very basic ssl server,
openssl s_server -accept 8443 -key /home/hogwarts/ssl/server/server.key -cert /home/hogwarts/ssl/server/server.crt
This starts an ssl server that binds to port number 8443. Server key and certificate are located by the key and cert options.
If an ssl enabled client connects to this server, it presents its certificate and follows the ssl handshake procedure on the socket connection. Any incoming data on the socket to the server is displayed on stdout and data typed in stdin is sent out to the ssl client.
To start a very basic http server,
openssl s_server -accept 8443 -key /home/hogwarts/ssl/server/server.key -cert /home/hogwarts/ssl/server/server.crt -www
This starts an https server which sends out stats on ssl parameters negotiated during the connection establishment, for any HTTPs request.
If the response to be sent out is stored in a file, use -WWW option instead of -www. Server then assumes the current directory as the root directory of the server. Any request for the server path /<path> is resolved relative to the current directory. That is, if your current directory contains a file userlist, the client can request for it by the url https://localhost:8443/userlist and so on.
The WWW option by default adds its own HTTP status and other headers. If you have the whole http response stored in a file, use -HTTP option. This is similar to WWW option, just that openssl would assume it contains the necessary HTTP status headers and the response.
There are other options to tune the server to only accept connections for particular ssl version and/or cipher suite. "msg" option can be used to print out protocol message that can be of help for debugging, whereas "state" option enables just printing the state of the ssl handshake.
No comments:
Post a Comment