SSL
Jump to navigation
Jump to search
Install commercial SSL certificate
- https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority
- Installing a SSL certificate on Apache
- https://www.namecheap.com/support/live-chat/ssl.aspx
- How To Set Up a Host Name with DigitalOcean This includes information about WHOIS, changing domain server, configuring domain (A record, AAAA record, CNAME record, MX record, et al)
Create self-signed certificates
How to Create a Self-Signed Certificate in Linux
Check openssl version
odroid@odroid:~$ apt-cache policy openssl
openssl:
Installed: 1.0.2g-1ubuntu4.5
Candidate: 1.0.2g-1ubuntu4.5
Version table:
*** 1.0.2g-1ubuntu4.5 500
500 http://ports.ubuntu.com/ubuntu-ports xenial-updates/main armhf Packages
500 http://ports.ubuntu.com/ubuntu-ports xenial-security/main armhf Packages
100 /var/lib/dpkg/status
1.0.2g-1ubuntu4 500
500 http://ports.ubuntu.com/ubuntu-ports xenial/main armhf Packages
# Ubuntu 14.04
$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
# Macbook Pro 10.11
$ openssl version
OpenSSL 0.9.8zh 14 Jan 2016
Check TLS version
- TLS Checker - Check the SSL/TLS setup of your server or CDN
- Checking remote host TLS / SSL Version with nmap / openssl
- Command prompt to check TLS version required by a host
nmap --script ssl-enum-ciphers -p 443 www.google.com
- Check for SMTP TLS from command line with OpenSSL
openssl s_client -connect mail.example.com:25 -starttls smtp
-
How to check SMTP connection from Command Line ( Linux )?
openssl s_client -connect smtp.pepipost.com:587 -starttls smtp
- Using curl-TLS Everything curl
- How to find out which TLS version the Git command is using?
Check openssl location
It seems fedora/redhat has the latest version of openssl package while debian/ubuntu lags behind (Ubuntu 22.04 moves to 3.0.2 branch but Ubuntu 20.04 is still on the 1.1.1 branch). For example openssl 1.1.1o was released by fedora 6/13 but ubuntu still has 1.1.1f released 5/4 on openssl 1.1.1 branch. See also the releases tags of openssl.
A more general way is to use openssl version -d
# On Ubuntu 14.04 $ openssl version -d OPENSSLDIR: "/usr/lib/ssl" $ ls /usr/lib/ssl certs misc openssl.cnf private $ ls -l /usr/lib/ssl total 4 lrwxrwxrwx 1 root root 14 Oct 7 11:03 certs -> /etc/ssl/certs drwxr-xr-x 2 root root 4096 Feb 11 09:12 misc lrwxrwxrwx 1 root root 20 Jan 30 15:42 openssl.cnf -> /etc/ssl/openssl.cnf lrwxrwxrwx 1 root root 16 Oct 7 11:03 private -> /etc/ssl/private $ ls -l /etc/ssl/certs | head total 912 lrwxrwxrwx 1 root root 26 Oct 7 11:03 00673b5b.0 -> thawte_Primary_Root_CA.pem lrwxrwxrwx 1 root root 45 Oct 7 11:03 02265526.0 -> Entrust_Root_Certification_Authority_-_G2.pem lrwxrwxrwx 1 root root 29 Oct 7 11:03 024dc131.0 -> Microsec_e-Szigno_Root_CA.pem lrwxrwxrwx 1 root root 31 Oct 7 11:03 02b73561.0 -> Comodo_Secure_Services_root.pem lrwxrwxrwx 1 root root 36 Oct 7 11:03 03179a64.0 -> Staat_der_Nederlanden_EV_Root_CA.pem lrwxrwxrwx 1 root root 25 Oct 7 11:03 034868d6.0 -> Swisscom_Root_EV_CA_2.pem lrwxrwxrwx 1 root root 16 Oct 7 11:03 03f2b8cf.0 -> WoSign_China.pem lrwxrwxrwx 1 root root 41 Oct 7 11:03 04f60c28.0 -> USERTrust_ECC_Certification_Authority.pem lrwxrwxrwx 1 root root 40 Oct 7 11:03 052e396b.0 -> AddTrust_Qualified_Certificates_Root.pem $ ls -l /etc/ssl/certs | wc -l 533 # On Macbook Pro 10.11 $ openssl version -d OPENSSLDIR: "/System/Library/OpenSSL" $ ls -l /System/Library/OpenSSL total 8 drwxr-xr-x 2 root wheel 68 May 15 2016 certs drwxr-xr-x 8 root wheel 272 May 15 2016 misc -rw-r--r-- 1 root wheel 9390 May 15 2016 openssl.cnf drwxr-xr-x 2 root wheel 68 May 15 2016 private $ ls -l /System/Library/OpenSSL/certs/ $ # empty results
openssl & patch bug
- Check out https://launchpad.net/ubuntu/+source/openssl to see the latest openssl version (number may be different for each of Ubuntu version). As of this writing, the latest openssl on Ubuntu 14.04 is 1.0.1f-1ubuntu2.15 and for Ubuntu 12.04 it is 1.0.1-4ubuntu5.31 (this kind of representation can be obtained using the sudo dpkg -l | grep openssl command; see below). The full list of the publishing history can be accessed through View full publishing history link. From there, we can restrict to Target = Trusty, for example.
- http://askubuntu.com/questions/444702/how-to-patch-the-heartbleed-bug-cve-2014-0160-in-openssl. The following is an output after running sudo apt-get update; sudo apt-get upgrade.
brb@vm-1404:~$ sudo dpkg -l | grep openssl ii libgnutls-openssl27:amd64 2.12.23-12ubuntu2.2 amd64 GNU TLS library - OpenSSL wrapper ii openssl 1.0.1f-1ubuntu2.15 amd64 Secure Sockets Layer toolkit - cryptographic utility ii python-openssl 0.13-2ubuntu6 amd64 Python 2 wrapper around the OpenSSL library
- http://www.liquidweb.com/kb/update-and-patch-openssl-on-ubuntu-for-the-ccs-injection-vulnerability/. As you can see although a bug in OpenSSL has been found affecting versions 1.0.1 through 1.0.1f (inclusive), and openssl version is still 1.0.1f in Ubuntu 14.04.1, the build date is on June 2014. So it is safe.
brb@vm-1404:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.1 LTS
Release: 14.04
Codename: trusty
brb@vm-1404:~$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Fri Jun 20 18:54:02 UTC 2014
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64
OPENSSLDIR: "/usr/lib/ssl"
brb@vm-1404:~$ sudo apt-get changelog openssl | grep CVE-2014-0224
- debian/patches/CVE-2014-0224-regression2.patch: accept CCS after
- debian/patches/CVE-2014-0224.patch: set the CCS_OK flag when using
- debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
- debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
- debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
- CVE-2014-0224
Encrypting and decrypting files
Encrypting and decrypting files with OpenSSL
Let's Encrypt SSL
- Let's Encrypt通用憑證上線了!
- https://letsencrypt.org/getting-started/ & https://letsencrypt.org/how-it-works/ & https://certbot.eff.org/#ubuntuxenial-apache: install python-certbot-apache package
- How To Secure Apache with Let's Encrypt on Ubuntu 16.04: install python-certbot-apache package
- How to Install Let’s Encrypt on Apache2: install python-letsencrypt-apache package
It takes less than 5 minutes for the whole process!
sudo apt-get update sudo apt-get install software-properties-common sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install python-certbot-apache sudo certbot --apache
Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow a margin of error. The Let's Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.
So we can add the following line to the cron job that will execute the letsencrypt-auto renew command every Monday at 2:30 am. sudo crontab -e
30 2 * * 1 certbot renew >> /var/log/le-renew.log
Note if you currently have already had a working SSL certificate (eg from a purchased one), then even you have removed the certificate from the relevant Apache files you still can't run through sudo certbot. But once your current working SSL certificate expires, sudo certbot will successfully go through even you don't manually remove the certificate from your system.
pem file
- Mentioned by KeeWeb
- What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?
- How to get .pem file from .key and .crt files?
CSR files
What Are CSR Files and How Do You Create Them
Monitoring Website SSL/TLS Certificate Expiration Times
- How to check TLS/SSL certificate expiration date from command-line
DOM="www.cyberciti.biz" PORT="443" echo | openssl s_client -servername $DOM -connect $DOM:$PORT \ | openssl x509 -noout -dates