Configure

New Instructions: From Homebrew

Use homebrew:

$ brew install openssl

which will helpfully inform you of how to add additional certificate files:

A CA file has been bootstrapped using certificates from the system
keychain. To add additional certificates, place .pem files in
  /usr/local/etc/openssl/certs

and run
  /usr/local/opt/openssl/bin/c_rehash

Old Instructions: From Source

Configure 32 bit:

./Configure --prefix=${HOME}/pkg/openssl/1.0.0_32

Configure 64 bit:

./Configure darwin64-x86_64-cc --prefix=${HOME}/pkg/openssl/1.0.0_64

or just run ./Configure and follow the instructions.

Installing New Certificates

To install new certificates, put them in /usr/local/opt/openssl/certs

Once you do that, run /usr/local/opt/openssl/bin/c_rehash

This can be useful for a couple of different things:

Using Stunnel to route arbitrary traffic through SSL, which requires a certificate (see RaspberryPi/Reverse_SSH, RaspberryPi/SSH_Stunnel, and RaspberryPi/Reverse_SSH_Stunnel for applications)
Setting up an HTTPS-capable web server
Issuing a certificate for a wireless network

There are multiple other uses (beyond the scope of this page). See Certificates page.

Receiving, Printing, Inspecting Server Certificates

If you want to receive a server certificate, you can call OpenSSL like this:

$ openssl s_client -connect bettercrypto.org:443

This creates a connection to the server. It does not do anything with that connection.

Example Certificates

Bettercrypto.org

Here is the output of the above command when connecting to Bettercrypto.org:

$ openssl s_client -connect bettercrypto.org:443
CONNECTED(00000003)
depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=AT/CN=www.bettercrypto.org/emailAddress=aaron@lo-res.org
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHSDCCBjCgAwIBAgIHBqbTp3YiezANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE
BhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBE
aWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0YXJ0Q29tIENs
YXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMB4XDTE1MTEyNDE5
MTMwMVoXDTE2MTEyNDEyMTMyNVowTTELMAkGA1UEBhMCQVQxHTAbBgNVBAMTFHd3
dy5iZXR0ZXJjcnlwdG8ub3JnMR8wHQYJKoZIhvcNAQkBFhBhYXJvbkBsby1yZXMu
b3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp5RRL0YQLqbmjS5u
ZWow6qAlAiUNjNoJg4zFkAYBR4QMtC/xSUADGSzxnItkVleerLS840InFbdq5Mtl
lftidQP7pmUXlH5m13vKx0BTcAzjn+BB89Bj+pCyAIN8VZ6xLFn6Ft6FM0DvIERV
z153jyfSUTjVU6YxMjU2NmwMS5atvxfEUyX6Qnxbtm4fzYVdpEOAmawUAlTfPEsh
MhTj4IJi29Ao7OKsBVMwUexcJN6H9bTTk58Ty6BFzeCpicXHz52N9f5W05jjsogh
0/DUu/ADM2oOFOQ/2Mn0nga1jKqpSbyzQHsle+8PeyLw0CH9e4SN634AjYvYEyq9
2sHsk0qrHgyrSAER1CNRpAvWYOT2QZu4MfhxEkzDIpEITG8Nr/51TbOhPYx2QFDw
60/zrEpOfp5kXRtHSblIg3J+GFq/TdTI5Zn3oVe1H1RCSCTYpC/vaNZRdNbii1Qr
Uupesq+vVCA3UKcpy0q9vYzm0r5WCJp4pEnnFUEA+BknyJpgcazE1eGh9loU9LHR
mNVIaoo1SOPUMh0ZCS0u9C6N2D3ibH6vl2Pfuow2+iFqb39PYZIsSs1DUSL2DMqr
PnnY79/WerBShR/A3Zg6bIJQ1FgqD7hmIiTrb5xWCwu0UMBIYRRuJDfhG43+0AMM
gFHX0yZjF2ebb28oVf7QVstplh8CAwEAAaOCAuswggLnMAkGA1UdEwQCMAAwCwYD
VR0PBAQDAgOoMBMGA1UdJQQMMAoGCCsGAQUFBwMBMB0GA1UdDgQWBBQpYar8ImQL
ZFAlmgvoPe2a4N+GxjAfBgNVHSMEGDAWgBTrQjTQmLCrn/Qbawj3zGQu7w4sRTAx
BgNVHREEKjAoghR3d3cuYmV0dGVyY3J5cHRvLm9yZ4IQYmV0dGVyY3J5cHRvLm9y
ZzCCAVYGA1UdIASCAU0wggFJMAgGBmeBDAECATCCATsGCysGAQQBgbU3AQIDMIIB
KjAuBggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBk
ZjCB9wYIKwYBBQUHAgIwgeowJxYgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRo
b3JpdHkwAwIBARqBvlRoaXMgY2VydGlmaWNhdGUgd2FzIGlzc3VlZCBhY2NvcmRp
bmcgdG8gdGhlIENsYXNzIDEgVmFsaWRhdGlvbiByZXF1aXJlbWVudHMgb2YgdGhl
IFN0YXJ0Q29tIENBIHBvbGljeSwgcmVsaWFuY2Ugb25seSBmb3IgdGhlIGludGVu
ZGVkIHB1cnBvc2UgaW4gY29tcGxpYW5jZSBvZiB0aGUgcmVseWluZyBwYXJ0eSBv
YmxpZ2F0aW9ucy4wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5zdGFydHNz
bC5jb20vY3J0MS1jcmwuY3JsMIGOBggrBgEFBQcBAQSBgTB/MDkGCCsGAQUFBzAB
hi1odHRwOi8vb2NzcC5zdGFydHNzbC5jb20vc3ViL2NsYXNzMS9zZXJ2ZXIvY2Ew
QgYIKwYBBQUHMAKGNmh0dHA6Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL3N1Yi5j
bGFzczEuc2VydmVyLmNhLmNydDAjBgNVHRIEHDAahhhodHRwOi8vd3d3LnN0YXJ0
c3NsLmNvbS8wDQYJKoZIhvcNAQELBQADggEBAIOOf1X3AaAfyu5gVAsn8KUnU3Qx
lhKpKrnj3nnmg17rmyAAHD41hDO90D4pMvUMLDVSsSRhBa6E6/n8ClNgp3eCSMB2
cvsBgeEEPCnHzDpprxut3jzRR6rHeHHxU1eDjOnhGtR+gpcydqVm+mp4d33CFKkK
d7YXiuiS6sGIVZjIb0ftebFuN2AfzcN7e24f8I/cJ05fPyk8zzbmgUN9xug8P8tm
z1RMz6nQvFO8m574zqk1Ftd4xie1oxtNC8epW8GynIY6A0paSJ1usceQc6B/+seD
AboJ32ea+ygkmxD1CqEEzPuyk5HbEwFVt91GiaZs8mgdKs2n1uODVNd0bkw=
-----END CERTIFICATE-----
subject=/C=AT/CN=www.bettercrypto.org/emailAddress=aaron@lo-res.org
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5186 bytes and written 712 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES128-SHA
    Session-ID: D52006EF0762A74D4E05770F5309CD5C00FDB7A53CC35F3322845D1275B8874B
    Session-ID-ctx:
    Master-Key: 2A03332AE4CA944C52E994F6FBB99B515FCF34E2B19399BC6197FD2B028A4155C9BE7F59D17C27C680CC9AE6988324B3
    Key-Arg   : None
    Start Time: 1472311402
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Charlesreid1.com

Now here's the public certificate information for my own website, which is HTTPS-enabled:

$ openssl s_client -connect charlesreid1.com:443
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/OU=GT32590455/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=charlesreid1.com
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEozCCA4ugAwIBAgIDBo77MA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMSAwHgYDVQQDExdSYXBpZFNTTCBTSEEy
NTYgQ0EgLSBHMzAeFw0xNTA4MjcyMjA2NDFaFw0xODA4MjgwNTI5MzBaMIGUMRMw
EQYDVQQLEwpHVDMyNTkwNDU1MTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNv
bS9yZXNvdXJjZXMvY3BzIChjKTE1MS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBW
YWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEZMBcGA1UEAxMQY2hhcmxlc3JlaWQxLmNv
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJUR2TU/1isdMd2rCBDt
QMUmDCnpzVSNCf8JIZ+x20uNchD2OxGlAR1LhRC5vxTQ1yQb3cSQdnW4TsRc3p2n
rkiPkpBgrchoc3xjtV4e0j4UyiYW1KiULaDmviPFphI2nGiRDXH76pPAPInW4VJZ
lczVhzwUB01CmyatisAlj3j0bxRLS9/1oCtdX8g66Edd3YGsQA07H3krP1c5BJ2L
wwVrDFj43UMt1H0wYd7gTrR+7tjAvXpT5p5A2Z2Xb2NivLpnvS56t/3GrmZRplDw
2ydxpVuOiTlQ92eyTkB1l+pRUW5uUnzaH/xhWMV7QeB8AtSq+5LbPh9WCNJqpqhc
TqsCAwEAAaOCAUgwggFEMB8GA1UdIwQYMBaAFMOc8/zTRgg0u85Gf6B8W/PiCMtZ
MFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL2d2LnN5bWNkLmNv
bTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNiLmNvbS9ndi5jcnQwDgYDVR0P
AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHREE
FDASghBjaGFybGVzcmVpZDEuY29tMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6Ly9n
di5zeW1jYi5jb20vZ3YuY3JsMAwGA1UdEwEB/wQCMAAwQQYDVR0gBDowODA2BgZn
gQwBAgEwLDAqBggrBgEFBQcCARYeaHR0cHM6Ly93d3cucmFwaWRzc2wuY29tL2xl
Z2FsMA0GCSqGSIb3DQEBCwUAA4IBAQBbYrAtVyIMs8ChuVc8k/YkPuEwMRiuSfMY
N4Lka4f5Ppsh2cDHp3c8pab2vfwgEhhxOmD/OOu14YD+2mlKsowHN/DI1MvmNlz2
WRRePK0/EUBmx2MDmXynMF6Hpokj/1EaPLBTdrsTs8WQqr2NefP8kPpc5xRjdeUV
d9PBOo+6spYQtkytdiZ7QQ2IfkQGdTM22RCw0objLmx/J9NAN0sSYw57N1AVl+/C
rUiobEWQpcQUSlXYgMnskOix1/hMqlEy0q6wlftJU0pYu7wVeSpWrdMQ5riCKak1
qJKI8cuwH59zhDApxxA0TKKRIAUUnIZz1PfHyvTwORhyazVdDBDL
-----END CERTIFICATE-----
subject=/OU=GT32590455/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=charlesreid1.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 3817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 838C7A9FA1BB9710EAA378E80215BC2615919AB84C9B8390BAAC4BC8988DF8C2
    Session-ID-ctx:
    Master-Key: 1AE23441EF85FCBC985091D9F54BDE4ACF4F9F5B3AA64179783F9538CA6E64C7E60A4100240EBB2FD94CA36F1EFFA2E7
    Key-Arg   : None
    Start Time: 1472311510
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed

Some important information to note: I paid a very modest fee (about $30) for my SSL certificate, purchased through RapidSSL. I validated my identity by proving to RapidSSL that I had control of the domain I was purchasing a certificate for - listed on the certificate itself ("Domain Control Validated"):

subject=/OU=GT32590455/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=charlesreid1.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3

As far as RapidSSL was concerned, that was enough for them to issue a certificate. That certificate is now a certification that whoever controls that private key now has control over the (encryption-based) electronic identity of that server.

Checking for Logjam

Logjam is an attack affecting DHE crypto ciphers. It is a MITM attack in which the attacker forces the sheep to a lower grade of DHE encryption, one that is open to a known vulnerability and therefore allows the attacker to crack the private key and read encrypted traffic.

Checking for logjam:

(Note: commands given include a -cipher "EDH", but on the Mac the version of OpenSSL installed with Homebrew cannot find a crypto method named "EDH".

References

http://www.openssl.org/source/

Flags

OpenSSL

From charlesreid1

Contents