OpenSSL

From Wikislax

Revision as of 21:27, 5 July 2012 (view source) WikiSysop (Talk | contribs) ← Older edit		Latest revision as of 07:47, 8 July 2012 (view source) WikiSysop (Talk | contribs) (→Installing OpenSSL)
Line 50:		Line 50:
	# cd /usr/local/openssl-x.y.z		# cd /usr/local/openssl-x.y.z
	# make install		# make install
		+	# make clean
	# cd ../lib		# cd ../lib
	# mv libssl* ../lib64		# mv libssl* ../lib64

---

Latest revision as of 07:47, 8 July 2012

What is OpenSSL ?

The SSL protocol has been created by Netscape to securitize communications made over TCP/IP. SSL affords encrypting the data and authenticating the parties on the wire using various methods and algorithms. SSL is the base layer to ensure confidentiality on essential TCP protocols such as smtp http pop3 nntp imap ldap. SSL encapsulates these services (and others…) using alternate protocol names and port numbers :

Protocol	Port #	Secure Protocol	Secure Port #	Service
SMTP	25	SMTPS	465	Mail exchange
HTTP	80	HTTPS	443	Web browsing
POP3	110	POP3S	993	Mail retrieval
NTTP	119	NTTPS	563	News exchange
IMAP	143	IMAPS	995	Mail retrieval
LDAP	389	LDAPS	636	Ldap Directory

OpenSSL is an OpenSource SSL implementation available on OpenBSD, FreeBSD, and Linux. The official documentation can be found on the official http site openssl.org but is somewhat cryptic. man openssl is a better option.

Installing OpenSSL

Beware : to avoid breaking other software in the distribution, openssl-x.y.z can be replaced only by a minor fix update. Be sure to check the current version number using ls /usr/lib64/*ssl* first. Installing OpenSSL is otherwise quite straigthforward :

# tar -C /usr/local -xvf openssl-x.y.z.tar.gz
# cd /usr/local
# chown -R root openssl-x.y.z
# chgrp -R root openssl-x.y.z
# cd openssl-x.y.z
# vi README
# vi INSTALL
# make clean
# ./config --prefix=/usr/local --openssldir=/etc/ssl shared
# make
# make test
# cd /var/log/packages
# removepkg openssl-x.y.z-X86_64-2
# removepkg openssl-solibs-x.y.z-X86_64-2
# cd /usr/local/openssl-x.y.z
# make install
# make clean
# cd ../lib
# mv libssl* ../lib64
# mv libcrypto* ../lib64
# cd pkgconfig
# mv *ssl.pc ../../lib64/pkgconfig
# mv *crypto.pc ../../lib64/pkgconfig
# cd /usr/lib64
# ln -sf /usr/local/lib64/libssl.so.0.9.8 libssl.so.0
# ln -sf /usr/local/lib64/libcrypto.so.0.9.8 libcrypto.so.0
# ldconfig
# cd /etc/ssl
# cp -r man /usr/local
# rm -r man
# reboot

There is no option in .config to choose the target library directory. This is by default in lib. On this 64-bits system, we prefer to keep all 64-bits libraries in lib64 so we do the move manually. Reboot later affords making sure that nothing was by the install and that the system is able to boot normally.

Using OpenSSL

Except for managing certificates (see the next paragraph) OpenSSL is not used directly but thru libraries to encapsulate other protocols such as smtp http pop3 nntp imap ldap.

Using Certificates

Using a server certificate will afford remote smtp http pop3 nntp imap ldap clients to make sure that they are connected to the right site. The server certificate contains the full domain name and other information, signed by a Certificate Authority.

To effect the real checking the clients need to get copies of the server and Certificate Authority certificates. The server certificate comes as part of the SSL protocol. The Certificate Authority certificate however must be present on the client.

This is the case for most commercial Certificate Authority certificates, that are preinstalled. Being your own Certificate Authority will save the cost of purchasing a server certificate and renewing it yearly, but it will be necessary to install the Certificate Authority certificate on every client using your services.

The home of the OpenSSL configuration is /etc/ssl. It initially include directories certs misc private to store the certificates, and a configuration file openssl.cnf, that must be edited first. You might want to change dir and certificate to these values :

dir 		= /etc/ssl		# Where everything is kept
certificate	= $dir/certs/cacert.pem	# The CA certificate

To create a self-signed certification authority certificate :

Beware : for the certification to work, it is not possible to create a certification authority certificate and a server certificate with the same DN (X500 Directory Name).

# cd /etc/ssl
# openssl req -new -x509 -days 3650 -keyout private/cakey.pem -out certs/cacert.pem -config openssl.cnf

Generating a 1024 bit RSA private key
.........++++++
.............++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:Rennes
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Studioware
Organizational Unit Name (eg, section) []:CA
Common Name (eg, YOUR name) []:Studioware.com
Email Address []:ca@studioware.com

To create a server certificate request :

Beware : for a server certificate, the common name must be the fully qualified domain name. A reverse DNS entry should also exist.

# cd /etc/ssl
# mkdir newcerts
# openssl req -new -keyout newcerts/mtakey.pem -out newcerts/mtareq.pem -days 3650 -config openssl.cnf

Generating a 1024 bit RSA private key
................................++++++
..................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:Rennes
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Studioware
Organizational Unit Name (eg, section) []:MTA
Common Name (eg, YOUR name) []:inner.studioware.com
Email Address []:mta@studioware.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

To sign the server certificate request :

# cd /etc/ssl
# cat </dev/null >index.txt
# cat >serial
01
<ctrl>d
# cat newcerts/mtareq.pem newcerts/mtakey.pem > newcerts/mta.pem
# openssl ca -policy policy_anything -out newcerts/mtacert.pem -config openssl.cnf -infiles newcerts/mta.pem
Using configuration from openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
       Serial Number: 1 (0x1)
       Validity
           Not Before: Jan  2 13:40:43 2007 GMT
           Not After : Jan  2 13:40:43 2008 GMT
       Subject:
           countryName               = FR
           localityName              = Rennes
           organizationName          = Studioware
           organizationalUnitName    = MTA
           commonName                = Jean-Pierre Menicucci
           emailAddress              = ca@studioware.com
       X509v3 extensions:
           X509v3 Basic Constraints:
               CA:FALSE
           Netscape Comment:
               OpenSSL Generated Certificate
           X509v3 Subject Key Identifier:
               06:08:16:E7:C0:A3:D3:9A:D1:92:4A:6F:B8:6E:E8:28:47:79:BD:12
           X509v3 Authority Key Identifier:
               keyid:92:59:DF:C2:26:D6:54:46:46:A8:10:4E:56:CB:09:A2:E9:B4:86:93

Certificate is to be certified until Jan  2 13:40:43 2008 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

To remove the pass phrase from the server private key :

Beware : it is necessary to remove this pass phrase so that sendmail could start without any human intervention.

# openssl rsa -in newcerts/mtakey.pem -out newcerts/mtakey.pem.unsecure
Enter pass phrase for newcerts/mtakey.pem:
writing RSA key

To move the files to the right directories with the right rights and clean up :

# cd newcerts
# ls
01.pem  mta.pem  mtacert.pem  mtakey.pem  mtakey.pem.unsecure  mtareq.pem
# mv mtacert.pem ../certs
# mv mtakey* ../private
# rm 01.pem mta.pem mtareq.pem
# cd ../certs
# chmod go+r *
# cd ../private
# chmod go-r *

To check an external certificate

For OpenSSL to check an external certificate, you need to place in your /etc/ssl/certs directory a copy of its Certification Authority certificate and a symbolic link to this copy. The name of this link must be based on the certificate hash code (see http://www.sendmail.org/~ca/email/starttls.html). This can be done in this way :

# C=CertificateFileName
# ln -s $C `openssl x509 -noout -hash < $C`.0

Creating VMs

Main Page

OpenLDAP