SSL
Revision as of 08:21, 22 October 2020
Install commercial SSL certificate
- https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority
- Installing an SSL certificate on Apache
- https://www.namecheap.com/support/live-chat/ssl.aspx
- How To Set Up a Host Name with DigitalOcean: this covers WHOIS, changing the domain's name servers, and configuring DNS records for the domain (A, AAAA, CNAME, MX, etc.)
Check openssl version
<pre>
odroid@odroid:~$ apt-cache policy openssl
openssl:
  Installed: 1.0.2g-1ubuntu4.5
  Candidate: 1.0.2g-1ubuntu4.5
  Version table:
 *** 1.0.2g-1ubuntu4.5 500
        500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf Packages
        500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf Packages
        100 /var/lib/dpkg/status
     1.0.2g-1ubuntu4 500
        500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages

# Ubuntu 14.04
$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

# Macbook Pro 10.11
$ openssl version
OpenSSL 0.9.8zh 14 Jan 2016
</pre>
Check TLS version
- TLS Checker - Check the SSL/TLS setup of your server or CDN
- Command prompt to check TLS version required by a host
<pre>
nmap --script ssl-enum-ciphers -p 443 www.google.com
</pre>
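The nmap script above enumerates protocol versions and cipher suites from the outside. The Python script below is an added example (not code from the page's sources) that does a narrower version of the same check with only the standard library: it pins a client handshake to one TLS version at a time and records which versions the server completes. Host names and the 30-second-style defaults are illustrative assumptions. One caveat a practitioner should keep in mind: a modern OpenSSL build at security level 2 or higher may refuse to even offer TLS 1.0/1.1 from the client side, so a "no" for those versions can be a limitation of the probing machine rather than a property of the server; nmap's ssl-enum-ciphers does its own handshakes and does not have that dependency.

```python
#!/usr/bin/env python3
"""Probe which TLS protocol versions a server accepts (added example)."""
import socket
import ssl
import sys

# Probe order: oldest first. TLS 1.0 and 1.1 are deprecated by RFC 8996.
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]
DEPRECATED = {"TLS 1.0", "TLS 1.1"}


def probe_version(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to `version`.

    Raises ValueError if the local OpenSSL cannot offer that version at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol support, not trust, so skip certificate checks.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # server_hostname still sets SNI even with check_hostname off.
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        # Handshake refused (protocol_version alert), reset, or timeout.
        return False


def probe_host(host, port=443):
    """Map each version name to True/False, or None if untestable locally."""
    results = {}
    for name, version in VERSIONS:
        try:
            results[name] = probe_version(host, port, version)
        except ValueError:
            results[name] = None  # client-side OpenSSL refuses this version
    return results


def assess(results):
    """Summarise a results dict as (supported, weak, verdict)."""
    supported = sorted(v for v, ok in results.items() if ok)
    weak = sorted(v for v in supported if v in DEPRECATED)
    if not supported:
        verdict = "no TLS version negotiated (not TLS, or every probe refused)"
    elif weak:
        verdict = "WEAK: still accepts " + ", ".join(weak)
    else:
        verdict = "OK: only " + ", ".join(supported)
    return supported, weak, verdict


if __name__ == "__main__":
    # Illustrative default host; pass another as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    res = probe_host(target)
    for name, ok in res.items():
        print(f"{name:8s} {'yes' if ok else 'n/a' if ok is None else 'no'}")
    print(assess(res)[2])
```

Run it as `python3 tls_probe.py example.org`; treat any "yes" on TLS 1.0/1.1 as a finding, and cross-check a "no" on those two with nmap before reporting the server as clean.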
Check openssl location
A more general way is to use openssl version -d
<pre>
# On Ubuntu 14.04
$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
$ ls /usr/lib/ssl
certs  misc  openssl.cnf  private
$ ls -l /usr/lib/ssl
total 4
lrwxrwxrwx 1 root root   14 Oct  7 11:03 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 4096 Feb 11 09:12 misc
lrwxrwxrwx 1 root root   20 Jan 30 15:42 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root   16 Oct  7 11:03 private -> /etc/ssl/private
$ ls -l /etc/ssl/certs | head
total 912
lrwxrwxrwx 1 root root 26 Oct  7 11:03 00673b5b.0 -> thawte_Primary_Root_CA.pem
lrwxrwxrwx 1 root root 45 Oct  7 11:03 02265526.0 -> Entrust_Root_Certification_Authority_-_G2.pem
lrwxrwxrwx 1 root root 29 Oct  7 11:03 024dc131.0 -> Microsec_e-Szigno_Root_CA.pem
lrwxrwxrwx 1 root root 31 Oct  7 11:03 02b73561.0 -> Comodo_Secure_Services_root.pem
lrwxrwxrwx 1 root root 36 Oct  7 11:03 03179a64.0 -> Staat_der_Nederlanden_EV_Root_CA.pem
lrwxrwxrwx 1 root root 25 Oct  7 11:03 034868d6.0 -> Swisscom_Root_EV_CA_2.pem
lrwxrwxrwx 1 root root 16 Oct  7 11:03 03f2b8cf.0 -> WoSign_China.pem
lrwxrwxrwx 1 root root 41 Oct  7 11:03 04f60c28.0 -> USERTrust_ECC_Certification_Authority.pem
lrwxrwxrwx 1 root root 40 Oct  7 11:03 052e396b.0 -> AddTrust_Qualified_Certificates_Root.pem
$ ls -l /etc/ssl/certs | wc -l
533

# On Macbook Pro 10.11
$ openssl version -d
OPENSSLDIR: "/System/Library/OpenSSL"
$ ls -l /System/Library/OpenSSL
total 8
drwxr-xr-x 2 root wheel   68 May 15  2016 certs
drwxr-xr-x 8 root wheel  272 May 15  2016 misc
-rw-r--r-- 1 root wheel 9390 May 15  2016 openssl.cnf
drwxr-xr-x 2 root wheel   68 May 15  2016 private
$ ls -l /System/Library/OpenSSL/certs/
$ # empty results
</pre>
openssl & patch bug
- Check out https://launchpad.net/ubuntu/+source/openssl to see the latest openssl package version (the number differs for each Ubuntu release). As of this writing, the latest openssl on Ubuntu 14.04 is 1.0.1f-1ubuntu2.15 and on Ubuntu 12.04 it is 1.0.1-4ubuntu5.31 (this is the form of version string that sudo dpkg -l | grep openssl prints; see below). The full publishing history is reachable through the "View full publishing history" link; from there you can restrict to Target = Trusty, for example.
- http://askubuntu.com/questions/444702/how-to-patch-the-heartbleed-bug-cve-2014-0160-in-openssl. The following is an output after running sudo apt-get update; sudo apt-get upgrade.
<pre>
brb@vm-1404:~$ sudo dpkg -l | grep openssl
ii  libgnutls-openssl27:amd64   2.12.23-12ubuntu2.2   amd64   GNU TLS library - OpenSSL wrapper
ii  openssl                     1.0.1f-1ubuntu2.15    amd64   Secure Sockets Layer toolkit - cryptographic utility
ii  python-openssl              0.13-2ubuntu6         amd64   Python 2 wrapper around the OpenSSL library
</pre>
- http://www.liquidweb.com/kb/update-and-patch-openssl-on-ubuntu-for-the-ccs-injection-vulnerability/. The CCS injection bug (CVE-2014-0224) affects OpenSSL 1.0.1 through 1.0.1f inclusive, and the openssl package on Ubuntu 14.04.1 still reports version 1.0.1f. That is expected: Ubuntu backports security fixes without changing the upstream version string, so the version alone says nothing about patch status. What shows the fix is present is the build date (June 2014, after the June 2014 disclosure) together with the package changelog, which lists the CVE-2014-0224 patches. So it is safe.
<pre>
brb@vm-1404:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.1 LTS
Release:        14.04
Codename:       trusty
brb@vm-1404:~$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Jun 20 18:54:02 UTC 2014
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64
OPENSSLDIR: "/usr/lib/ssl"
brb@vm-1404:~$ sudo apt-get changelog openssl | grep CVE-2014-0224
    - debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
    - debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
    - debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
    - debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
    - debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
    - CVE-2014-0224
</pre>
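The grep above is the manual form of the check. The following Python script is an added example (not from the page's sources) that automates the same two facts: it splits a Debian/Ubuntu package version into the upstream part (which stays at 1.0.1f after backported fixes) and the distro revision (which is what actually moves), and it scans changelog text for a list of CVE identifiers. The sample changelog embedded in it is constructed to mimic the lines shown above and is not real apt output; the `check_package_changelog` helper shells out to `apt-get changelog`, which exists on Ubuntu, and is the only part that needs a real system.

```python
#!/usr/bin/env python3
"""Check an Ubuntu package changelog for specific CVE fixes (added example)."""
import re
import subprocess

# Constructed sample, shaped like the `apt-get changelog openssl` lines
# quoted above; not real apt output.
SAMPLE_CHANGELOG = """\
openssl (1.0.1f-1ubuntu2.15) trusty-security; urgency=medium

  * SECURITY UPDATE: SSL/TLS MITM vulnerability
    - debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
    - CVE-2014-0224
  * SECURITY UPDATE: Heartbleed
    - CVE-2014-0160
"""

DEB_VERSION_RE = re.compile(r"^(?:\d+:)?(?P<upstream>[^-]+)-(?P<revision>.+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def split_debian_version(version):
    """'1.0.1f-1ubuntu2.15' -> ('1.0.1f', '1ubuntu2.15').

    Security updates bump only the revision, so comparing the upstream part
    against an advisory's 'fixed in' version gives a false negative.
    """
    m = DEB_VERSION_RE.match(version)
    if not m:
        return version, ""  # native package: no distro revision
    return m.group("upstream"), m.group("revision")


def cves_in_changelog(changelog, cves):
    """Map each requested CVE id to True/False by presence in the changelog."""
    found = set(CVE_RE.findall(changelog))
    return {cve: cve in found for cve in cves}


def check_package_changelog(package, cves):
    """Fetch the real changelog with apt-get and check it (needs Ubuntu)."""
    out = subprocess.run(["apt-get", "changelog", package],
                         capture_output=True, text=True, check=True).stdout
    return cves_in_changelog(out, cves)


if __name__ == "__main__":
    print(split_debian_version("1.0.1f-1ubuntu2.15"))
    print(cves_in_changelog(SAMPLE_CHANGELOG,
                            ["CVE-2014-0224", "CVE-2014-0160", "CVE-2014-3566"]))
```

A missing CVE in the changelog is not proof of vulnerability (the code may never have been affected on that release), but a present one is strong evidence the backport landed, which is the check the version string cannot give you.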
Let's Encrypt SSL
- Let's Encrypt wildcard certificates are live! (original title: Let's Encrypt通用憑證上線了!)
- https://letsencrypt.org/getting-started/ & https://letsencrypt.org/how-it-works/ & https://certbot.eff.org/#ubuntuxenial-apache: install python-certbot-apache package
- How To Secure Apache with Let's Encrypt on Ubuntu 16.04: install python-certbot-apache package
- How to Install Let’s Encrypt on Apache2: install python-letsencrypt-apache package
It takes less than 5 minutes for the whole process!
<pre>
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo certbot --apache
</pre>
Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.
So we can add the following line to root's crontab (sudo crontab -e) to run certbot renew every Monday at 2:30 am; it only renews certificates that are within 30 days of expiry, so running it weekly is harmless.
<pre>
30 2 * * 1 certbot renew >> /var/log/le-renew.log
</pre>
Note that if you already have a working SSL certificate (e.g. a purchased one), then even after you have removed that certificate from the relevant Apache files, sudo certbot still does not run through. Once the current certificate expires, sudo certbot goes through successfully even if you do not manually remove the certificate from your system.
pem file
- Mentioned by KeeWeb
- What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?
- How to get .pem file from .key and .crt files?
CSR files
What Are CSR Files and How Do You Create Them
Monitoring Website SSL/TLS Certificate Expiration Times
- How to check TLS/SSL certificate expiration date from command-line
<pre>
DOM="www.cyberciti.biz"
PORT="443"
echo | openssl s_client -servername $DOM -connect $DOM:$PORT \
     | openssl x509 -noout -dates
</pre>
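The pipeline above prints the validity window; for monitoring you also want the number of days left and a threshold. The script below is an added example (not from the page's sources) that parses exactly the `notBefore=`/`notAfter=` lines openssl prints, using the standard library's `ssl.cert_time_to_seconds` for the "Mar  5 12:00:00 2021 GMT" format, and classifies the certificate as OK, WARN or EXPIRED. The 30-day warning threshold is an assumption, and the sample output embedded in it is constructed. `fetch_dates` runs the same two openssl commands as the page's one-liner and is the only part that needs openssl and network access.

```python
#!/usr/bin/env python3
"""Turn `openssl x509 -noout -dates` output into an expiry verdict (added example)."""
import ssl
import subprocess
import time

WARN_DAYS = 30  # assumption: alert when fewer than this many days remain

# Constructed sample of what the openssl pipeline prints (not a real cert).
SAMPLE = "notBefore=Jan  1 00:00:00 2021 GMT\nnotAfter=Mar 15 12:00:00 2021 GMT\n"


def parse_openssl_dates(text):
    """Parse notBefore/notAfter lines into a dict of epoch seconds (UTC)."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            # cert_time_to_seconds understands openssl's "%b %d %H:%M:%S %Y GMT",
            # including the space-padded day of month.
            out[key.strip()] = ssl.cert_time_to_seconds(value.strip())
    if "notAfter" not in out:
        raise ValueError("no notAfter line in openssl output")
    return out


def days_until_expiry(not_after_ts, now_ts=None):
    """Fractional days from now_ts (default: current time) until expiry."""
    now_ts = time.time() if now_ts is None else now_ts
    return (not_after_ts - now_ts) / 86400.0


def evaluate(text, now_ts=None, warn_days=WARN_DAYS):
    """Return (status, whole_days_left) for the given openssl -dates output."""
    dates = parse_openssl_dates(text)
    days = days_until_expiry(dates["notAfter"], now_ts)
    if days < 0:
        status = "EXPIRED"
    elif days < warn_days:
        status = "WARN"
    else:
        status = "OK"
    return status, int(days)


def fetch_dates(host, port=443):
    """Same pipeline as the shell one-liner: s_client with SNI, then x509 -dates."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-servername", host, "-connect", f"{host}:{port}"],
        input="", capture_output=True, text=True)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                          input=s_client.stdout, capture_output=True,
                          text=True, check=True)
    return x509.stdout


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.cyberciti.biz"
    status, days = evaluate(fetch_dates(host))
    print(f"{host}: {status} ({days} days left)")
    sys.exit(0 if status == "OK" else 1)
```

Because `fetch_dates` passes `-servername`, it sees the certificate a browser would get via SNI rather than the server's default virtual host; without it, a multi-tenant host can return a different, possibly already-expired, certificate.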