About Crypto

Contents

About Crypto
1. ssl-cert
2. Custom CA Certificates
OpenSSL
CAcert root-certificate

ssl-cert

Please do yourself a favor and install package "ssl-cert"

   1 aptitude install ssl-cert

package contains make-ssl-cert
creates group ssl-cert and fixes unix filesystem permissions
- directory /etc/ssl/private must
  - be owned by root:ssl-cert
  - have unix filesystem permissions 740
  - this ensures that group members
    - can read contained files
    - cannot traverse or list directory contents
files contained by directory /etc/ssl/private must
- be owned by root:ssl-cert
- have unix filesystem permissions 640"

Sample listing
ls -l /etc/ssl/

   1 insgesamt 48
   2 drwxr-xr-x 2 root root     20480 Dez 13 12:45 certs/
   3 -rw-r--r-- 1 root root     10835 Jul 29  2012 openssl.cnf
   4 drwx--x--- 2 root ssl-cert    34 Jul 23  2014 private/

Users that must be able to read a system private key, must be member of group "ssl-cert" (like www-data). A user whose group member ship has changed during a session has to logout an login a again (e.g. systemctl restart apache2).

   1 root@mail /etc/apache2/sites-enabled # adduser www-data ssl-cert
   2 Füge Benutzer »www-data« der Gruppe »ssl-cert« hinzu ...
   3 Benutzer www-data wird zur Gruppe ssl-cert hinzugefügt.
   4 Fertig.
   5 root@mail /etc/apache2/sites-enabled # systemctl restart apache2.service
   6

make-ssl-cert

Snakeoil

This is great for the purpose of testing and fast results. Generates a self-signed certificate and places it under the correct path, ownership and permissions.

   1 make-ssl-cert generate-default-snakeoil --force-overwrite

This creates a 2048bit-RSA-keypair, signs the pubkey as a x509-certificate with the private key and places the files with the correct permissions in the following positions:

   1 root@mail /etc # ll /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/certs/ssl-cert-snakeoil.pem
   2 -rw-r--r-- 1 root root     1029 Dez 13 12:45 /etc/ssl/certs/ssl-cert-snakeoil.pem
   3 -rw-r----- 1 root ssl-cert 1708 Dez 13 12:45 /etc/ssl/private/ssl-cert-snakeoil.key

But never think of going live with a self-signed certificate! This is security by obscurity.

If there is no trust anchor (signature of a certificate authority you trust), anybody located between Alice and Bob can break the chain and present you a totally different self-signed certificate with the same subject (like a proxy). It can probably even be crafted to collide with your hash/fingerprint, so you won't ever be able to detect it.

Quick selfsigned cert with SAN

make-ssl-cert can work with openssl templates like
/usr/share/ssl-cert/ssleay.cnf

   1 #
   2 # SSLeay example configuration file.
   3 #
   4 
   5 RANDFILE                = /dev/urandom
   6 
   7 [ req ]
   8 default_bits            = 2048
   9 default_keyfile         = privkey.pem
  10 distinguished_name      = req_distinguished_name
  11 prompt                  = no
  12 policy                  = policy_anything
  13 req_extensions          = v3_req
  14 x509_extensions         = v3_req
  15 
  16 [ req_distinguished_name ]
  17 commonName                      = @HostName@
  18 
  19 [ v3_req ]
  20 basicConstraints        = CA:FALSE
  21 subjectAltName          = @SubjectAltName@

The following command opens a debconf dialogue and where subject und subject alternative names are asked and generates a file which contains a self-sgned certificate and the private key.

   1 make-ssl-cert /usr/share/ssl-cert/ssleay.cnf output_file.pem

Quick selfsign with SAN

With openssl version < 1.1.1

Option 1 - change config

If you like subject alternative names you could add something like the following to /etc/ssl/openssl.cnf

   1 [ v3_req_git ]
   2 basicConstraints        = CA:FALSE
   3 keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
   4 subjectAltName          = DNS:git1.1a.rockstable.it,DNS:git1.2a.rockstable.it

And use it with -reqexts v3_req_git or -extensions v3_req_git.

   1 CERT_CN="git.rockstable.it"
   2 openssl req -x509 -newkey rsa:4096 \
   3         -keyout "/etc/ssl/private/$CERT_CN.key" \
   4         -out "/etc/ssl/certs/$CERT_CN.crt" \
   5         -subj "/CN=$CERT_CN" \
   6         -days 1825 \
   7         -nodes \
   8         -extensions v3_req_git

Option 2 - specify on cli

Create and load the openssl-config on the cli via nested sub-shells:

   1 CERT_CN="git.rockstable.it"
   2 openssl req -x509 -newkey rsa:4096 \
   3         -keyout /etc/ssl/private/$CERT_CN.key \
   4         -out /etc/ssl/certs/$CERT_CN.crt \
   5         -subj "/CN=$CERT_CN" \
   6         -days 1825 \
   7         -nodes \
   8         -extensions SAN \
   9         -config <(cat /etc/ssl/openssl.cnf \
  10                 <(printf "[SAN]\nsubjectAltName=DNS:git1.1a.rockstable.it,DNS:git1.2a.rockstable.it"))

With openssl version >= 1.1.1

It has become much easier since us can now use the option -addext ext

   1 CERT_CN="git.rockstable.it"
   2 openssl req -x509 -newkey rsa:4096 \
   3         -keyout /etc/ssl/private/$CERT_CN.key \
   4         -out /etc/ssl/certs/$CERT_CN.crt \
   5         -subj "/CN=$CERT_CN" \
   6         -days 1825 \
   7         -nodes \
   8         -addext "subjectAltName = DNS:git1.1a.rockstable.it,DNS:git1.2a.rockstable.it"

Fix permissions

   1 find /etc/ssl/private -type f  \
   2         -exec chgrp ssl-cert {} \; \
   3         -exec chmod 640 {} \;

Custom CA Certificates

Please do not put them in /etc/ssl/certs directly, use /usr/local/share/ca-certificates and perform

   1 update-ca-certificates
   2 Updating certificates in /etc/ssl/certs...
   3 1 added, 0 removed; done.
   4 Running hooks in /etc/ca-certificates/update.d...
   5 done.

OpenSSL

Extract certificates from server

Quickly extract some certificate file from a server

   1 DIR_TMP="$(mktemp -d)"
   2 install -m 0700 -d "$DIR_TMP"
   3 openssl s_client \
   4         -showcerts -verify 5 \
   5         -connect rockstable.it:443 < /dev/null \
   6         | awk '/BEGIN/,/END/{
   7             if(/BEGIN/){a++};
   8             out="'"$DIR_TMP"'/cert"a".crt";
   9             print > out }'
  10 echo
  11 ls -1 "$DIR_TMP/"*

Certificate chain verification

Create a directory like /etc/ssl/certs/, which may be used with option -CApath

   1 mkdir workspace/hashed;
   2 for EACH in /root/workspace/source-crt/*; do
   3         openssl x509 -hash -in "$EACH" -noout \
   4         |xargs -I {} ln -sv "$EACH" {}.0;
   5 done

Now you may verify against this specific certificate directory

   1 openssl s_client \
   2         -CApath "/root/workspace/hashed/" -showcerts \
   3         -connect remote-server.domain.tld:port

Strict starttls against a smtp-server using the default -CAfile

   1 openssl s_client \
   2         -verify_return_error -verify_hostname \
   3         -CAfile /etc/ssl/certs/ca-certificates.crt
   4         -starttls smtp -showcerts \
   5         -connect remote-server.domain.tld:25

Check for certificate expiration

   1 openssl s_client \
   2         -showcerts -starttls smtp \
   3         -connect remote-server.domain.tld:port <<< QUIT \
   4         |sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
   5         |openssl x509 -noout -subject -dates

Check fingerprints

Determine fingerprints

   1 openssl x509 -in certificate.pem -noout -fingerprint -sha1
   2 openssl x509 -in certificate.pem -noout -fingerprint -sha256
   3 openssl x509 -in certificate.pem -noout -fingerprint -sha512

Diffie-Hellman Parameters

   1 SIZES="512 1024 2048 4096"
   2 for NUMBITS in $SIZES; do
   3         openssl dhparam -out dh_${NUMBITS}.pem $NUMBITS;
   4 done

Generate or renew files with Diffie-Hellman-Parameters

Here's a little script that generates the DH-Parameters and stores them in a safe way.

/usr/local/sbin/dh_renew.sh

   1 #!/bin/bash -eu
   2 
   3 # AUTOMATE EXCHANGE OF DH-PARAMERTER
   4 # GENERATION OF FILES TAKES A WHILE
   5 # DUE TO LIMITED ENTROPY IN VMS
   6 
   7 umask 022
   8 
   9 DIR_TMP="$(mktemp -d)"
  10 DIR_DST="/etc/ssl/dhparam"
  11 
  12 if ! dpkg-query -s ssl-cert |grep -q "ok installed" ; then
  13         echo "Please install ssl-cert first. Exiting …"
  14         exit 2
  15 fi
  16 
  17 install -o root -g ssl-cert -m 750 -d "$DIR_DST"
  18 
  19 echo -e '\nGenerating files in tmp-dir:'
  20 for SIZE in 512 1024 2048 4096; do
  21         FILE_PATH_TMP="$DIR_TMP/dhparam_${SIZE}.tmp"
  22         openssl dhparam -out "$FILE_PATH_TMP" "$SIZE"
  23         chown root:ssl-cert "$FILE_PATH_TMP"
  24         chmod 640 "$FILE_PATH_TMP"
  25 done
  26 
  27 echo -e '\nMoving files to destination:'
  28 for FILE_PATH_SRC in ${DIR_TMP}/*.tmp; do
  29         FILE_NAME="$(basename "$FILE_PATH_SRC")"
  30         FILE_PATH_DST="$DIR_DST/${FILE_NAME%.tmp}.pem"
  31         mv -v "$FILE_PATH_SRC" "$FILE_PATH_DST"
  32 done
  33 
  34 echo -e '\nCleaning up:'
  35 [ -n "$DIR_TMP" ] && [ -d "$DIR_TMP" ] && grep -q '^/tmp/.\+' <<< "$DIR_TMP" && \
  36         rm -rv "$DIR_TMP"
  37 
  38 cat <<- EOF
  39 
  40         You should now restart your services:
  41                 postfix reload
  42                 systemctl restart apache2.service
  43 
  44 EOF

   1 chmod u+x /usr/local/sbin/dh_renew.sh
   2 /usr/local/sbin/dh_renew.sh

This will take some time!

Conversions

CER to PEM

   1 CERT="certificate"
   2 openssl x509 \
   3         -inform der \
   4         -in "$CERT".cer \
   5         -out "$CERT".pem

PKCS12

When certifcates are encrypted in RC2-CBC oder 3DES_CBC the option -legacy will be necessary.

   1 CERT="certificate"
   2 openssl pksc12 -in "$CERT".pfx -info

Please also see: FreeKB: OpenSSL - Display the contents of a PKCS12 file

Exclude CBC ciphers

As a positive list for inclusiuon

   1 CIPHER=HIGH;
   2 openssl ciphers "$CIPHER" \
   3          |grep -Eo ':[^:]+CBC[^:]+:' \
   4          |sed 's/^:/:-/;s/:$//' \
   5          |tr -d '\n' \
   6          |sed "s/^/$CIPHER/"
   7 HIGH:-ECDHE-PSK-AES256-CBC-SHA384:-SRP-DSS-AES-256-CBC-SHA:-SRP-AES-256-CBC-SHA:-DHE-PSK-AES256-CBC-SHA384:-DHE-PSK-AES256-CBC-SHA:-PSK-AES256-CBC-SHA384:-ECDHE-PSK-AES128-CBC-SHA256:-SRP-DSS-AES-128-CBC-SHA:-SRP-AES-128-CBC-SHA:-DHE-PSK-AES128-CBC-SHA256:-DHE-PSK-AES128-CBC-SHA:-PSK-AES128-CBC-SHA256

As a block list for exclusion

   1 tobias@libertas ..kstable IT/Projekte/BEBAWA_HBL/OpenVPN % CIPHER=HIGH;
   2 openssl ciphers "$CIPHER" \
   3          |grep -Eo ':[^:]+CBC[^:]+:' \
   4          |sed 's/:$//' \ 
   5          |tr -d '\n'
   6 :ECDHE-PSK-AES256-CBC-SHA384:SRP-DSS-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA:PSK-AES256-CBC-SHA384:ECDHE-PSK-AES128-CBC-SHA256:SRP-DSS-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA:PSK-AES128-CBC-SHA256

CAcert root-certificate

http://www.cacert.org/certs/root.crt

Configurations

Services

Misc

Navigation