SSL

From 太極
Revision as of 08:48, 17 June 2022

Install commercial SSL certificate

Create self-signed certificates

How to Create a Self-Signed Certificate in Linux

Check openssl version

http://askubuntu.com/questions/504928/how-to-check-which-openssl-version-is-use-by-apache-on-ubuntu-12-04

odroid@odroid:~$ apt-cache policy openssl
openssl:
  Installed: 1.0.2g-1ubuntu4.5
  Candidate: 1.0.2g-1ubuntu4.5
  Version table:
 *** 1.0.2g-1ubuntu4.5 500
        500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf Packages
        500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf Packages
        100 /var/lib/dpkg/status
     1.0.2g-1ubuntu4 500
        500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

# Ubuntu 14.04
$ openssl version 
OpenSSL 1.0.1f 6 Jan 2014
# Macbook Pro 10.11
$ openssl version 
OpenSSL 0.9.8zh 14 Jan 2016
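Added example, not from this page: a small POSIX sh script that parses the `openssl version` banner shown above and compares OpenSSL version strings, so a script can tell whether the build on a host is at least a given fix release (for instance 1.1.1o for CVE-2022-1292, mentioned under "Check openssl location"). The function names and the ranking of the letter suffixes (1.0.2g, 1.1.1o, 0.9.8zh) are my own. It only compares upstream version numbers, so it cannot see a distribution backport such as the Ubuntu CVE-2014-0224 patches listed in the "openssl & patch bug" section; for that you still need the package changelog.

```shell
#!/bin/sh
# Added example (not from the wiki page): parse the `openssl version` banner and
# compare OpenSSL version strings, so a script can tell whether the installed
# build is at least the release that fixed a given issue (e.g. 1.1.1o).
# Handles the 1.x.y letter releases (1.0.2g, 1.1.1o, 0.9.8zh) and 3.x.y numbers.

# openssl_version_of "OpenSSL 1.0.1f 6 Jan 2014" -> 1.0.1f
# Prints nothing for a non-OpenSSL banner (e.g. LibreSSL on newer macOS).
openssl_version_of() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# _ver_key 1.1.1o -> "1 1 1 15": major minor patch letter-rank
# letter rank: none=0, a..z=1..26, za..zh=27..34 (OpenSSL only ever used z?
# as a two-letter suffix, so the second letter is ranked after z).
_ver_key() {
    printf '%s\n' "$1" | awk -F'[.]' '{
        p = $3; s = 0
        if (match(p, /[a-z]+$/)) {
            suf = substr(p, RSTART); p = substr(p, 1, RSTART - 1)
            s = index("abcdefghijklmnopqrstuvwxyz", substr(suf, 1, 1))
            if (length(suf) > 1) s = 26 + index("abcdefghijklmnopqrstuvwxyz", substr(suf, 2, 1))
        }
        printf "%d %d %d %d\n", $1, $2, p, s
    }'
}

# openssl_version_ge A B : exit 0 when version A >= version B
openssl_version_ge() {
    awk -v a="$(_ver_key "$1")" -v b="$(_ver_key "$2")" 'BEGIN {
        split(a, x, " "); split(b, y, " ")
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# openssl_at_least MIN : check the openssl on PATH against MIN
# exit 0 = new enough, 1 = too old, 2 = no openssl or unrecognised banner
openssl_at_least() {
    command -v openssl >/dev/null 2>&1 || return 2
    v=$(openssl_version_of "$(openssl version)")
    [ -n "$v" ] || return 2
    openssl_version_ge "$v" "$1"
}

# Usage:  openssl_at_least 1.1.1o && echo "CVE-2022-1292 fix release or later"
```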

Check TLS version

Check openssl location

It seems Fedora/Red Hat ships the latest openssl package while <s>Debian/Ubuntu lags behind</s> (Ubuntu 22.04 moves to the 3.0.2 branch, but Ubuntu 20.04 is still on the 1.1.1 branch). For example, openssl 1.1.1o (https://nvd.nist.gov/vuln/detail/CVE-2022-1292) was released by Fedora on 6/13, but Ubuntu still had 1.1.1f, released 5/4. See also the release tags of openssl (https://github.com/openssl/openssl/tags).

A more general way to find where openssl keeps its configuration and certificates is openssl version -d, which prints OPENSSLDIR:

# On Ubuntu 14.04
$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
$ ls /usr/lib/ssl
certs  misc  openssl.cnf  private
$ ls -l /usr/lib/ssl
total 4
lrwxrwxrwx 1 root root   14 Oct  7 11:03 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 4096 Feb 11 09:12 misc
lrwxrwxrwx 1 root root   20 Jan 30 15:42 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root   16 Oct  7 11:03 private -> /etc/ssl/private
$ ls -l /etc/ssl/certs | head
total 912
lrwxrwxrwx 1 root root     26 Oct  7 11:03 00673b5b.0 -> thawte_Primary_Root_CA.pem
lrwxrwxrwx 1 root root     45 Oct  7 11:03 02265526.0 -> Entrust_Root_Certification_Authority_-_G2.pem
lrwxrwxrwx 1 root root     29 Oct  7 11:03 024dc131.0 -> Microsec_e-Szigno_Root_CA.pem
lrwxrwxrwx 1 root root     31 Oct  7 11:03 02b73561.0 -> Comodo_Secure_Services_root.pem
lrwxrwxrwx 1 root root     36 Oct  7 11:03 03179a64.0 -> Staat_der_Nederlanden_EV_Root_CA.pem
lrwxrwxrwx 1 root root     25 Oct  7 11:03 034868d6.0 -> Swisscom_Root_EV_CA_2.pem
lrwxrwxrwx 1 root root     16 Oct  7 11:03 03f2b8cf.0 -> WoSign_China.pem
lrwxrwxrwx 1 root root     41 Oct  7 11:03 04f60c28.0 -> USERTrust_ECC_Certification_Authority.pem
lrwxrwxrwx 1 root root     40 Oct  7 11:03 052e396b.0 -> AddTrust_Qualified_Certificates_Root.pem
$ ls -l /etc/ssl/certs | wc -l
533

# On Macbook Pro 10.11
$ openssl version -d
OPENSSLDIR: "/System/Library/OpenSSL"
$ ls -l /System/Library/OpenSSL
total 8
drwxr-xr-x  2 root  wheel    68 May 15  2016 certs
drwxr-xr-x  8 root  wheel   272 May 15  2016 misc
-rw-r--r--  1 root  wheel  9390 May 15  2016 openssl.cnf
drwxr-xr-x  2 root  wheel    68 May 15  2016 private
$ ls -l /System/Library/OpenSSL/certs/
$ # empty results
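Added example, not from this page: a POSIX sh helper that reads the OPENSSLDIR path out of `openssl version -d` and audits the certs directory the way the listings above do by hand. It counts PEM files, hash symlinks and dangling symlinks, and fails when the store is empty (the macOS case above) or when a hash link points nowhere. The function names and the report format are my own. It does not recompute the hash in each link name; that needs `openssl x509 -subject_hash` (or rerunning c_rehash).

```shell
#!/bin/sh
# Added example (not from the wiki page): locate OPENSSLDIR and sanity-check the
# CA store under it. Function names and output format are my own.

# openssl_dir_from 'OPENSSLDIR: "/usr/lib/ssl"' -> /usr/lib/ssl
openssl_dir_from() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)".*$/\1/p'
}

# cert_store_report DIR : prints "pem=N links=M dangling=K" for DIR
# exit 0 only when at least one certificate file resolves and no symlink dangles
# (OpenSSL's hash links look like 00673b5b.0 -> some_root.pem, as listed above)
cert_store_report() {
    dir=$1
    [ -d "$dir" ] || { echo "cert_store_report: no such directory: $dir" >&2; return 2; }
    pem=0; links=0; dangling=0
    for f in "$dir"/*; do
        # an empty directory leaves the pattern unexpanded; skip that entry
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            links=$((links + 1))
            [ -e "$f" ] || dangling=$((dangling + 1))
        fi
        case "$f" in
            *.pem|*.crt) [ -e "$f" ] && pem=$((pem + 1)) ;;
        esac
    done
    printf 'pem=%d links=%d dangling=%d\n' "$pem" "$links" "$dangling"
    [ "$pem" -gt 0 ] && [ "$dangling" -eq 0 ]
}

# check_local_store : run the report against OPENSSLDIR/certs of the openssl on PATH
# exit 2 when openssl is missing or its banner could not be parsed
check_local_store() {
    command -v openssl >/dev/null 2>&1 || return 2
    dir=$(openssl_dir_from "$(openssl version -d)")
    [ -n "$dir" ] || return 2
    cert_store_report "$dir/certs"
}

# Usage:  check_local_store || echo "trust store empty or broken"
```

On the Ubuntu box above the report should show several hundred PEM files and links with no dangling entries; on the macOS 10.11 install it reports pem=0 and fails, matching the empty certs directory in the listing.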

openssl & patch bug

brb@vm-1404:~$ sudo dpkg -l | grep  openssl
ii  libgnutls-openssl27:amd64   2.12.23-12ubuntu2.2   amd64        GNU TLS library - OpenSSL wrapper
ii  openssl                     1.0.1f-1ubuntu2.15    amd64        Secure Sockets Layer toolkit - cryptographic utility
ii  python-openssl              0.13-2ubuntu6         amd64        Python 2 wrapper around the OpenSSL library
brb@vm-1404:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 14.04.1 LTS
Release:	14.04
Codename:	trusty

brb@vm-1404:~$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Jun 20 18:54:02 UTC 2014
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 
OPENSSLDIR: "/usr/lib/ssl"

brb@vm-1404:~$ sudo apt-get changelog openssl | grep CVE-2014-0224
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
    - debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
    - CVE-2014-0224

Encrypting and decrypting files

Encrypting and decrypting files with OpenSSL

Let's Encrypt SSL

It takes less than 5 minutes for the whole process!

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo certbot --apache

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

So we can add the following line to the root crontab (sudo crontab -e) to execute the renew command (certbot renew; the older client called it letsencrypt-auto renew) every Monday at 2:30 am:

30 2 * * 1 certbot renew >> /var/log/le-renew.log

Note that if you already have a working SSL certificate (e.g. a purchased one), sudo certbot will not complete, even after you have removed that certificate from the relevant Apache files. Once the current certificate expires, sudo certbot goes through successfully even if you do not manually remove the certificate from your system.
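Added example, not from this page: a POSIX sh script that turns the 30-day rule above into a check you can run from the same cron job. It takes the notAfter line that `openssl x509 -noout -enddate` prints for a certificate, works out how many days remain, and reports whether renewal is due. The date arithmetic is done in awk (days-from-civil formula) so it runs on Ubuntu and macOS alike without GNU `date -d`. Function names, the 30-day default and the sample dates are my own.

```shell
#!/bin/sh
# Added example (not from the wiki page): decide whether a certificate is inside
# the renewal window from the `notAfter` line that
#     openssl x509 -noout -enddate -in cert.pem
# prints, e.g.  notAfter=Jun 13 12:00:00 2022 GMT
# Pure POSIX sh + awk: no GNU `date -d`, so it also works on macOS.

# days_from_civil Y M D : days since 1970-01-01 in the proleptic Gregorian calendar
days_from_civil() {
    awk -v y="$1" -v m="$2" -v d="$3" 'BEGIN {
        if (m <= 2) y -= 1
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        print era * 146097 + doe - 719468
    }'
}

# enddate_to_ymd "notAfter=Jun 13 12:00:00 2022 GMT" -> "2022 6 13"
# exits 1 on an unrecognised month so callers can tell parsing failed
enddate_to_ymd() {
    printf '%s\n' "$1" | awk '{
        sub(/^notAfter=/, "")
        mon = index("JanFebMarAprMayJunJulAugSepOctNovDec", $1)
        if (mon == 0) exit 1
        print $4, (mon + 2) / 3, $2
    }'
}

# cert_days_left NOTAFTER_LINE [TODAY as YYYY-MM-DD, default: current UTC date]
# prints the whole days remaining (negative once expired); exit 2 if unparsable
cert_days_left() {
    set -- "$1" "${2:-$(date -u +%Y-%m-%d)}"
    end=$(enddate_to_ymd "$1") || return 2
    [ -n "$end" ] || return 2
    today=$(printf '%s\n' "$2" | tr '-' ' ')
    echo $(( $(days_from_civil $end) - $(days_from_civil $today) ))
}

# renewal_needed NOTAFTER_LINE [TODAY] [THRESHOLD_DAYS]
# exit 0 when fewer than THRESHOLD_DAYS (default 30, certbot's renew rule) remain
renewal_needed() {
    left=$(cert_days_left "$1" "$2") || return 2
    [ "$left" -lt "${3:-30}" ]
}

# remote_cert_days_left HOST : same check against the certificate a live server
# presents on port 443 (needs openssl and network access; not exercised in tests)
remote_cert_days_left() {
    line=$(openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate) || return 2
    cert_days_left "$line"
}

# Usage:  renewal_needed "$(openssl x509 -noout -enddate -in /path/to/cert.pem)" \
#             && echo "renew now"
```

Running `remote_cert_days_left example.com` from the cron job and logging the number alongside `certbot renew` gives you the expiry check and the renewal in one place.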

pem file

CSR files

What Are CSR Files and How Do You Create Them

Monitoring Website SSL/TLS Certificate Expiration Times