OpenSSL: Difference between revisions
From charlesreid1
| (7 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
==New Instructions: From Homebrew== | ==New Instructions: From Homebrew== | ||
Use homebrew: | |||
<pre> | <pre> | ||
$ brew install openssl | $ brew install openssl | ||
</pre> | </pre> | ||
which will helpfully inform you of how to add additional certificate files: | |||
<pre> | |||
A CA file has been bootstrapped using certificates from the system | |||
keychain. To add additional certificates, place .pem files in | |||
/usr/local/etc/openssl/certs | |||
and run | |||
/usr/local/opt/openssl/bin/c_rehash | |||
</pre> | |||
See also: [[Certificates]] | |||
==Old Instructions: From Source== | ==Old Instructions: From Source== | ||
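Review bot: the Homebrew caveat quoted in this hunk tells readers to place .pem files in /usr/local/etc/openssl/certs, while the page's existing "Installing New Certificates" section says /usr/local/opt/openssl/certs. Reconcile the two paths, or say which one applies to which install, so a reader does not drop certificates into a directory that c_rehash is never run against.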
| Line 34: | Line 49: | ||
* Issuing a certificate for a wireless network | * Issuing a certificate for a wireless network | ||
There are multiple other uses (beyond the scope of this page). | There are multiple other uses (beyond the scope of this page). See [[Certificates]] page. | ||
=Receiving, Printing, Inspecting Server Certificates= | |||
If you want to receive a server certificate, you can call OpenSSL like this: | |||
<pre> | |||
$ openssl s_client -connect bettercrypto.org:443 | |||
</pre> | |||
This creates a connection to the server. It does not do anything with that connection. | |||
==Example Certificates== | |||
===Bettercrypto.org=== | |||
Here is the output of the above command when connecting to Bettercrypto.org: | |||
<pre> | |||
$ openssl s_client -connect bettercrypto.org:443 | |||
CONNECTED(00000003) | |||
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA | |||
verify error:num=20:unable to get local issuer certificate | |||
verify return:0 | |||
--- | |||
Certificate chain | |||
0 s:/C=AT/CN=www.bettercrypto.org/emailAddress=aaron@lo-res.org | |||
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA | |||
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA | |||
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority | |||
--- | |||
Server certificate | |||
-----BEGIN CERTIFICATE----- | |||
MIIHSDCCBjCgAwIBAgIHBqbTp3YiezANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE | |||
BhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBE | |||
aWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENs | |||
YXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMB4XDTE1MTEyNDE5 | |||
MTMwMVoXDTE2MTEyNDEyMTMyNVowTTELMAkGA1UEBhMCQVQxHTAbBgNVBAMTFHd3 | |||
dy5iZXR0ZXJjcnlwdG8ub3JnMR8wHQYJKoZIhvcNAQkBFhBhYXJvbkBsby1yZXMu | |||
b3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp5RRL0YQLqbmjS5u | |||
ZWow6qAlAiUNjNoJg4zFkAYBR4QMtC/xSUADGSzxnItkVleerLS840InFbdq5Mtl | |||
lftidQP7pmUXlH5m13vKx0BTcAzjn+BB89Bj+pCyAIN8VZ6xLFn6Ft6FM0DvIERV | |||
z153jyfSUTjVU6YxMjU2NmwMS5atvxfEUyX6Qnxbtm4fzYVdpEOAmawUAlTfPEsh | |||
MhTj4IJi29Ao7OKsBVMwUexcJN6H9bTTk58Ty6BFzeCpicXHz52N9f5W05jjsogh | |||
0/DUu/ADM2oOFOQ/2Mn0nga1jKqpSbyzQHsle+8PeyLw0CH9e4SN634AjYvYEyq9 | |||
2sHsk0qrHgyrSAER1CNRpAvWYOT2QZu4MfhxEkzDIpEITG8Nr/51TbOhPYx2QFDw | |||
60/zrEpOfp5kXRtHSblIg3J+GFq/TdTI5Zn3oVe1H1RCSCTYpC/vaNZRdNbii1Qr | |||
Uupesq+vVCA3UKcpy0q9vYzm0r5WCJp4pEnnFUEA+BknyJpgcazE1eGh9loU9LHR | |||
mNVIaoo1SOPUMh0ZCS0u9C6N2D3ibH6vl2Pfuow2+iFqb39PYZIsSs1DUSL2DMqr | |||
PnnY79/WerBShR/A3Zg6bIJQ1FgqD7hmIiTrb5xWCwu0UMBIYRRuJDfhG43+0AMM | |||
gFHX0yZjF2ebb28oVf7QVstplh8CAwEAAaOCAuswggLnMAkGA1UdEwQCMAAwCwYD | |||
VR0PBAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQWBBQpYar8ImQL | |||
ZFAlmgvoPe2a4N+GxjAfBgNVHSMEGDAWgBTrQjTQmLCrn/Qbawj3zGQu7w4sRTAx | |||
BgNVHREEKjAoghR3d3cuYmV0dGVyY3J5cHRvLm9yZ4IQYmV0dGVyY3J5cHRvLm9y | |||
ZzCCAVYGA1UdIASCAU0wggFJMAgGBmeBDAECATCCATsGCysGAQQBgbU3AQIDMIIB | |||
KjAuBggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBk | |||
ZjCB9wYIKwYBBQUHAgIwgeowJxYgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRo | |||
b3JpdHkwAwIBARqBvlRoaXMgY2VydGlmaWNhdGUgd2FzIGlzc3VlZCBhY2NvcmRp | |||
bmcgdG8gdGhlIENsYXNzIDEgVmFsaWRhdGlvbiByZXF1aXJlbWVudHMgb2YgdGhl | |||
IFN0YXJ0Q29tIENBIHBvbGljeSwgcmVsaWFuY2Ugb25seSBmb3IgdGhlIGludGVu | |||
ZGVkIHB1cnBvc2UgaW4gY29tcGxpYW5jZSBvZiB0aGUgcmVseWluZyBwYXJ0eSBv | |||
YmxpZ2F0aW9ucy4wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5zdGFydHNz | |||
bC5jb20vY3J0MS1jcmwuY3JsMIGOBggrBgEFBQcBAQSBgTB/MDkGCCsGAQUFBzAB | |||
hi1odHRwOi8vb2NzcC5zdGFydHNzbC5jb20vc3ViL2NsYXNzMS9zZXJ2ZXIvY2Ew | |||
QgYIKwYBBQUHMAKGNmh0dHA6Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5j | |||
bGFzczEuc2VydmVyLmNhLmNydDAjBgNVHRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0 | |||
c3NsLmNvbS8wDQYJKoZIhvcNAQELBQADggEBAIOOf1X3AaAfyu5gVAsn8KUnU3Qx | |||
lhKpKrnj3nnmg17rmyAAHD41hDO90D4pMvUMLDVSsSRhBa6E6/n8ClNgp3eCSMB2 | |||
cvsBgeEEPCnHzDpprxut3jzRR6rHeHHxU1eDjOnhGtR+gpcydqVm+mp4d33CFKkK | |||
d7YXiuiS6sGIVZjIb0ftebFuN2AfzcN7e24f8I/cJ05fPyk8zzbmgUN9xug8P8tm | |||
z1RMz6nQvFO8m574zqk1Ftd4xie1oxtNC8epW8GynIY6A0paSJ1usceQc6B/+seD | |||
AboJ32ea+ygkmxD1CqEEzPuyk5HbEwFVt91GiaZs8mgdKs2n1uODVNd0bkw= | |||
-----END CERTIFICATE----- | |||
subject=/C=AT/CN=www.bettercrypto.org/emailAddress=aaron@lo-res.org | |||
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA | |||
--- | |||
No client certificate CA names sent | |||
--- | |||
SSL handshake has read 5186 bytes and written 712 bytes | |||
--- | |||
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA | |||
Server public key is 4096 bit | |||
Secure Renegotiation IS supported | |||
Compression: NONE | |||
Expansion: NONE | |||
SSL-Session: | |||
Protocol : TLSv1 | |||
Cipher : DHE-RSA-AES128-SHA | |||
Session-ID: D52006EF0762A74D4E05770F5309CD5C00FDB7A53CC35F3322845D1275B8874B | |||
Session-ID-ctx: | |||
Master-Key: 2A03332AE4CA944C52E994F6FBB99B515FCF34E2B19399BC6197FD2B028A4155C9BE7F59D17C27C680CC9AE6988324B3 | |||
Key-Arg : None | |||
Start Time: 1472311402 | |||
Timeout : 300 (sec) | |||
Verify return code: 0 (ok) | |||
--- | |||
</pre> | |||
===Charlesreid1.com=== | |||
Now here's the public certificate information for my own website, which is HTTPS-enabled: | |||
<pre> | |||
$ openssl s_client -connect charlesreid1.com:443 | |||
CONNECTED(00000003) | |||
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA | |||
verify error:num=19:self signed certificate in certificate chain | |||
verify return:0 | |||
--- | |||
Certificate chain | |||
0 s:/OU=GT32590455/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=charlesreid1.com | |||
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3 | |||
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3 | |||
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA | |||
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA | |||
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA | |||
--- | |||
Server certificate | |||
-----BEGIN CERTIFICATE----- | |||
MIIEozCCA4ugAwIBAgIDBo77MA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT | |||
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMSAwHgYDVQQDExdSYXBpZFNTTCBTSEEy | |||
NTYgQ0EgLSBHMzAeFw0xNTA4MjcyMjA2NDFaFw0xODA4MjgwNTI5MzBaMIGUMRMw | |||
EQYDVQQLEwpHVDMyNTkwNDU1MTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNv | |||
bS9yZXNvdXJjZXMvY3BzIChjKTE1MS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBW | |||
YWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEZMBcGA1UEAxMQY2hhcmxlc3JlaWQxLmNv | |||
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJUR2TU/1isdMd2rCBDt | |||
QMUmDCnpzVSNCf8JIZ+x20uNchD2OxGlAR1LhRC5vxTQ1yQb3cSQdnW4TsRc3p2n | |||
rkiPkpBgrchoc3xjtV4e0j4UyiYW1KiULaDmviPFphI2nGiRDXH76pPAPInW4VJZ | |||
lczVhzwUB01CmyatisAlj3j0bxRLS9/1oCtdX8g66Edd3YGsQA07H3krP1c5BJ2L | |||
wwVrDFj43UMt1H0wYd7gTrR+7tjAvXpT5p5A2Z2Xb2NivLpnvS56t/3GrmZRplDw | |||
2ydxpVuOiTlQ92eyTkB1l+pRUW5uUnzaH/xhWMV7QeB8AtSq+5LbPh9WCNJqpqhc | |||
TqsCAwEAAaOCAUgwggFEMB8GA1UdIwQYMBaAFMOc8/zTRgg0u85Gf6B8W/PiCMtZ | |||
MFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL2d2LnN5bWNkLmNv | |||
bTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNiLmNvbS9ndi5jcnQwDgYDVR0P | |||
AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHREE | |||
FDASghBjaGFybGVzcmVpZDEuY29tMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9n | |||
di5zeW1jYi5jb20vZ3YuY3JsMAwGA1UdEwEB/wQCMAAwQQYDVR0gBDowODA2BgZn | |||
gQwBAgEwLDAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xl | |||
Z2FsMA0GCSqGSIb3DQEBCwUAA4IBAQBbYrAtVyIMs8ChuVc8k/YkPuEwMRiuSfMY | |||
N4Lka4f5Ppsh2cDHp3c8pab2vfwgEhhxOmD/OOu14YD+2mlKsowHN/DI1MvmNlz2 | |||
WRRePK0/EUBmx2MDmXynMF6Hpokj/1EaPLBTdrsTs8WQqr2NefP8kPpc5xRjdeUV | |||
d9PBOo+6spYQtkytdiZ7QQ2IfkQGdTM22RCw0objLmx/J9NAN0sSYw57N1AVl+/C | |||
rUiobEWQpcQUSlXYgMnskOix1/hMqlEy0q6wlftJU0pYu7wVeSpWrdMQ5riCKak1 | |||
qJKI8cuwH59zhDApxxA0TKKRIAUUnIZz1PfHyvTwORhyazVdDBDL | |||
-----END CERTIFICATE----- | |||
subject=/OU=GT32590455/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=charlesreid1.com | |||
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3 | |||
--- | |||
No client certificate CA names sent | |||
--- | |||
SSL handshake has read 3817 bytes and written 328 bytes | |||
--- | |||
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA | |||
Server public key is 2048 bit | |||
Secure Renegotiation IS supported | |||
Compression: NONE | |||
Expansion: NONE | |||
SSL-Session: | |||
Protocol : TLSv1 | |||
Cipher : DHE-RSA-AES256-SHA | |||
Session-ID: 838C7A9FA1BB9710EAA378E80215BC2615919AB84C9B8390BAAC4BC8988DF8C2 | |||
Session-ID-ctx: | |||
Master-Key: 1AE23441EF85FCBC985091D9F54BDE4ACF4F9F5B3AA64179783F9538CA6E64C7E60A4100240EBB2FD94CA36F1EFFA2E7 | |||
Key-Arg : None | |||
Start Time: 1472311510 | |||
Timeout : 300 (sec) | |||
Verify return code: 0 (ok) | |||
--- | |||
closed | |||
</pre> | |||
Some important information to note: I paid a very modest fee (about $30) for my SSL certificate, purchased through RapidSSL. I validated my identity by proving to RapidSSL that I had control of the domain I was purchasing a certificate for - listed on the certificate itself ("Domain Control Validated"): | |||
<pre> | |||
subject=/OU=GT32590455/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=charlesreid1.com | |||
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3 | |||
</pre> | |||
As far as RapidSSL was concerned, that was enough for them to issue a certificate. That certificate is now a certification that whoever controls that private key now has control over the (encryption-based) electronic identity of that server. | |||
=Checking for Logjam= | |||
Logjam is an attack affecting DHE crypto ciphers. It is a MITM attack in which the attacker forces the sheep to a lower grade of DHE encryption, one that is open to a known vulnerability and therefore allows the attacker to crack the private key and read encrypted traffic. | |||
Checking for logjam: | |||
* https://bettercrypto.org/blog/2015/05/20/tls-logjam/ | |||
* https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ | |||
(Note: commands given include a -cipher "EDH", but on the Mac the version of OpenSSL installed with Homebrew cannot find a crypto method named "EDH". | |||
=References= | =References= | ||
http://www.openssl.org/source/ | http://www.openssl.org/source/ | ||
=Flags= | |||
[[Category:Security]] | [[Category:Security]] | ||
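Review bot: both s_client transcripts pasted in this hunk keep their Session-ID and Master-Key lines; the Master-Key is the secret for that TLS session and adds nothing to the certificate discussion, so replace those values with a placeholder. Each transcript also shows a verify error (num=20, num=19) followed by "Verify return code: 0 (ok)", which deserves a sentence of explanation. The Logjam note at the end opens a parenthesis that is never closed and stops after saying "EDH" is not found, without giving a command that does work.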
| Line 45: | Line 250: | ||
[[Category:HTTPS]] | [[Category:HTTPS]] | ||
[[Category:SSL]] | [[Category:SSL]] | ||
[[Category:Heartbleed]] | |||
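Review bot: [[Category:Heartbleed]] is added here, but nothing in the revised text mentions Heartbleed. Either add the section that justifies the category or drop it. The new =Flags= heading above the category links also has no body text.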
Latest revision as of 06:21, 26 February 2017
=Configure=
==New Instructions: From Homebrew==
Use homebrew:
<pre>
$ brew install openssl
</pre>
which will helpfully inform you of how to add additional certificate files:
<pre>
A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
/usr/local/etc/openssl/certs
and run
/usr/local/opt/openssl/bin/c_rehash
</pre>
See also: [[Certificates]]
==Old Instructions: From Source==
Configure 32 bit:
<pre>
./Configure --prefix=${HOME}/pkg/openssl/1.0.0_32
</pre>
Configure 64 bit:
<pre>
./Configure darwin64-x86_64-cc --prefix=${HOME}/pkg/openssl/1.0.0_64
</pre>
or just run ./Configure and follow the instructions.
=Installing New Certificates=
To install new certificates, put them in /usr/local/opt/openssl/certs
Once you do that, run /usr/local/opt/openssl/bin/c_rehash
This can be useful for a couple of different things:
- Using Stunnel to route arbitrary traffic through SSL, which requires a certificate (see RaspberryPi/Reverse_SSH, RaspberryPi/SSH_Stunnel, and RaspberryPi/Reverse_SSH_Stunnel for applications)
- Setting up an HTTPS-capable web server
- Issuing a certificate for a wireless network
There are multiple other uses (beyond the scope of this page). See Certificates page.
=Receiving, Printing, Inspecting Server Certificates=
If you want to receive a server certificate, you can call OpenSSL like this:
<pre>
$ openssl s_client -connect bettercrypto.org:443
</pre>
This creates a connection to the server. It does not do anything with that connection.
==Example Certificates==
===Bettercrypto.org===
Here is the output of the above command when connecting to Bettercrypto.org:
<pre>
$ openssl s_client -connect bettercrypto.org:443
CONNECTED(00000003)
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=AT/CN=www.bettercrypto.org/emailAddress=aaron@lo-res.org
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=AT/CN=www.bettercrypto.org/emailAddress=aaron@lo-res.org
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5186 bytes and written 712 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES128-SHA
Session-ID: D52006EF0762A74D4E05770F5309CD5C00FDB7A53CC35F3322845D1275B8874B
Session-ID-ctx:
Master-Key: 2A03332AE4CA944C52E994F6FBB99B515FCF34E2B19399BC6197FD2B028A4155C9BE7F59D17C27C680CC9AE6988324B3
Key-Arg : None
Start Time: 1472311402
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
</pre>
===Charlesreid1.com===
Now here's the public certificate information for my own website, which is HTTPS-enabled:
<pre>
$ openssl s_client -connect charlesreid1.com:443
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=GT32590455/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=charlesreid1.com
i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/OU=GT32590455/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=charlesreid1.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 3817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 838C7A9FA1BB9710EAA378E80215BC2615919AB84C9B8390BAAC4BC8988DF8C2
Session-ID-ctx:
Master-Key: 1AE23441EF85FCBC985091D9F54BDE4ACF4F9F5B3AA64179783F9538CA6E64C7E60A4100240EBB2FD94CA36F1EFFA2E7
Key-Arg : None
Start Time: 1472311510
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
</pre>
Some important information to note: I paid a very modest fee (about $30) for my SSL certificate, purchased through RapidSSL. I validated my identity by proving to RapidSSL that I had control of the domain I was purchasing a certificate for - listed on the certificate itself ("Domain Control Validated"):
<pre>
subject=/OU=GT32590455/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=charlesreid1.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
</pre>
As far as RapidSSL was concerned, that was enough for them to issue a certificate. That certificate is now a certification that whoever controls that private key now has control over the (encryption-based) electronic identity of that server.
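The two transcripts above end their chains differently, which is what the two verify errors (num=20 and num=19) reflect. As an added example (not part of the original page), the sh/awk function below reads s_client output and reports how the chain the server sent is linked; the function name and verdict strings are made up for this example, and it compares subject and issuer names only.

```shell
#!/bin/sh
# chain_summary: read `openssl s_client` output on stdin and print one verdict.
# Names are compared as strings only; no signature is verified here.
#   broken-at-N     issuer of cert N is not the subject of cert N+1
#   ends-at-root    last cert sent is self-signed (compare verify error num=19)
#   ends-at-unsent  issuer of the last cert was not sent (compare num=20)
#   no-chain        no "Certificate chain" block in the input
chain_summary() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain {
            line = $0
            sub(/^[ \t]+/, "", line)            # s_client indents these lines
            if (line ~ /^[0-9]+ s:/) {
                sub(/^[0-9]+ s:/, "", line)
                subject[n++] = line
            } else if (line ~ /^i:/ && n > 0) {
                sub(/^i:/, "", line)
                issuer[n - 1] = line
            }
        }
        END {
            if (n == 0) { print "no-chain"; exit }
            for (k = 0; k < n - 1; k++)
                if (issuer[k] != subject[k + 1]) { print "broken-at-" k; exit }
            if (issuer[n - 1] == subject[n - 1]) print "ends-at-root"
            else print "ends-at-unsent"
        }
    '
}

# Chain blocks copied from the two transcripts on this page.
sample_bettercrypto() { cat <<'EOF'
Certificate chain
 0 s:/C=AT/CN=www.bettercrypto.org/emailAddress=aaron@lo-res.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
EOF
}
sample_charlesreid1() { cat <<'EOF'
Certificate chain
 0 s:/OU=GT32590455/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=charlesreid1.com
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
EOF
}
printf 'bettercrypto.org: %s\n' "$(sample_bettercrypto | chain_summary)"
printf 'charlesreid1.com: %s\n' "$(sample_charlesreid1 | chain_summary)"
```
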
=Checking for Logjam=
Logjam is an attack affecting DHE cipher suites. It is a MITM attack in which the attacker forces the sheep to a lower grade of DHE encryption, one that is open to a known vulnerability and therefore allows the attacker to crack the private key and read encrypted traffic.
Checking for Logjam:
- https://bettercrypto.org/blog/2015/05/20/tls-logjam/
- https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
(Note: commands given include a -cipher "EDH", but on the Mac the version of OpenSSL installed with Homebrew cannot find a crypto method named "EDH".)
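OpenSSL 1.0.2 and later print a "Server Temp Key" line in s_client output that gives the size of the ephemeral DH group, which is the value a Logjam check looks at; the transcripts on this page do not contain that line. As an added example (not from the original page or the linked posts), the function below classifies that line. The function name, verdict strings, sample lines and the 2048-bit cut-off are assumptions of this example.

```shell
#!/bin/sh
# dhe_strength: read `openssl s_client` output on stdin and print one verdict
# about the ephemeral Diffie-Hellman group the server used.
#   export-grade      DH group of 512 bits or less (what Logjam downgrades to)
#   weak-group        DH group under 2048 bits
#   ok                DH group of 2048 bits or more
#   dhe-size-unknown  DHE cipher negotiated but no "Server Temp Key" line
#   not-dhe           no finite-field DHE key exchange seen in the input
# The 2048-bit cut-off is this example's assumption, not a value from the page.
dhe_strength() {
    awk '
        /^Server Temp Key: DH, [0-9]+ bits/ { bits = $5 + 0; have_dh = 1 }
        /Cipher is /                        { cipher = $NF }
        END {
            if (have_dh) {
                if (bits <= 512)       print "export-grade"
                else if (bits < 2048)  print "weak-group"
                else                   print "ok"
            } else if (cipher ~ /^(DHE|EDH)-/) {
                print "dhe-size-unknown"
            } else {
                print "not-dhe"
            }
        }
    '
}

# Constructed sample lines (not captured from a real server).
sample_old_client() {   # same shape as the transcripts on this page
    printf '%s\n' 'New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA' \
                  'Server public key is 4096 bit'
}
sample_export_dh() {
    printf '%s\n' 'Server Temp Key: DH, 512 bits' \
                  'New, TLSv1/SSLv3, Cipher is EXP-EDH-RSA-DES-CBC-SHA'
}
sample_strong_dh() {
    printf '%s\n' 'Server Temp Key: DH, 2048 bits' \
                  'New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA'
}

printf 'old client output: %s\n' "$(sample_old_client | dhe_strength)"
printf 'export-grade DH:   %s\n' "$(sample_export_dh | dhe_strength)"
printf '2048-bit DH:       %s\n' "$(sample_strong_dh | dhe_strength)"

# Live use against your own server (HOST is a placeholder):
#   openssl s_client -connect HOST:443 -cipher "EDH" </dev/null 2>/dev/null | dhe_strength
```

A "dhe-size-unknown" verdict means the check has to be repeated with a client build that prints the temp key line.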
=References=
http://www.openssl.org/source/