Verify whether a server is sending a verifiable CA chain

posted Feb 4, 2015, 6:59 AM by Daniele Albrizio (updated May 22, 2017, 6:07 AM)

Weird hangs or trust problems are sometimes reported on systems whose certificate store is incomplete or out of date. The only way to avoid them is to provide the full certification chain server-side.

To verify that servers are correctly sending all the necessary certificates you may issue the following command:

$ openssl s_client -CAfile /etc/ssl/certs/<your root CA certificate>.pem -connect <server-fqdn>:<ssl-service-port>

e.g. (complete chain: the verify error "self signed certificate in certificate chain" may be ignored, since it refers to the root CA AddTrust External CA Root):

$ openssl s_client -CAfile /etc/ssl/certs/DigiCert_Assured_ID_Root_CA.pem -connect gino.units.it:443 | head -15
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=gino.units.it
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFOTCCBCGgAwIBAgIQL5gV6MAGC9mwMq39qSluSDANBgkqhkiG9w0BAQsFADBk

An incomplete chain results in the following error:

depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 2
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.dimpo.units.it
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---

The result of a complete chain verification should end with:

    Verify return code: 0 (ok)
---

read:errno=0

On STARTTLS-capable servers:

$ openssl s_client -CAfile /etc/ssl/certs/<your root CA certificate>.pem -connect <server-fqdn>:<ssl-service-port> -starttls <proto>

where <proto> is one of: smtp, pop3, imap, ftp, xmpp, xmpp-server, telnet, irc, mysql, postgres, lmtp, nntp, sieve, ldap
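As an added example (not part of the original note), a small Python checker that reads the "Certificate chain" block printed by s_client, as in the two runs above, and reports whether the chain the server sent is complete. The embedded samples are those two chains; it assumes the legacy slash-separated DN format shown above, and the trusted-root subject passed in is assumed to be one present in the local store.

```python
import re

# Constructed sample: the "Certificate chain" block of the gino.units.it run above.
COMPLETE = """\
Certificate chain
 0 s:/OU=Domain Control Validated/CN=gino.units.it
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
"""
# The same chain cut after the first intermediate: the mail.dimpo.units.it situation above.
INCOMPLETE = "\n".join(COMPLETE.splitlines()[:5]) + "\n---\n"

ADDTRUST_ROOT = "/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root"

# One entry is a " N s:<subject>" line followed by an "   i:<issuer>" line.
_ENTRY = re.compile(r"^\s*\d+\s+s:(?P<s>.*)\n\s*i:(?P<i>.*)$", re.MULTILINE)

def parse_chain(text):
    """Return [(subject, issuer), ...] from the 'Certificate chain' block of s_client output."""
    start = text.find("Certificate chain")
    if start < 0:
        return []
    block = text[start:].split("\n---", 1)[0]
    return [(m.group("s").strip(), m.group("i").strip()) for m in _ENTRY.finditer(block)]

def check_chain(chain, trusted_roots=()):
    """Classify the chain: 'complete', 'incomplete' (issuer missing) or 'broken' (links do not match)."""
    if not chain:
        return ("broken", "no certificate chain found")
    for (subj, iss), (nxt, _) in zip(chain, chain[1:]):
        if iss != nxt:                      # each issuer must be the next certificate's subject
            return ("broken", "%s is issued by %s but the next certificate is %s" % (subj, iss, nxt))
    last_subj, last_iss = chain[-1]
    if last_iss in trusted_roots:           # ends at a certificate the client can verify locally
        return ("complete", "chain ends at trusted root %s" % last_iss)
    if last_subj == last_iss:               # server also sent the self-signed root (error 19 above)
        return ("complete", "chain ends with self-signed root %s" % last_subj)
    return ("incomplete", "issuer not sent by server: %s (error 20 above)" % last_iss)

if __name__ == "__main__":
    for sample in (COMPLETE, INCOMPLETE):
        print(check_chain(parse_chain(sample), trusted_roots={ADDTRUST_ROOT}))
```

In practice feed it the real output, e.g. `openssl s_client -connect host:443 </dev/null 2>&1`, and treat "incomplete" as the server-side fix described above.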

Redirect all http to https in Apache

posted Jul 24, 2014, 4:02 AM by Daniele Albrizio (updated May 22, 2017, 6:08 AM)

Inside the VirtualHost section for your port 80 web server, put these lines:

RewriteEngine on
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]

Then enable mod_rewrite and restart Apache:

a2enmod rewrite
service apache2 restart

all done.

How to view, download and verify a server's SSL/TLS certificate and connection

posted May 3, 2011, 7:40 AM by Daniele Albrizio (updated May 22, 2017, 6:12 AM)

$ openssl s_client -connect host:port

Well-known "over SSL" protocols and their ports:

Protocol     Port
https        443/tcp
nntps        563/tcp
ldaps        636/tcp
ftps-data    989/tcp
telnets      992/tcp
imaps        993/tcp
ircs         994/tcp
pop3s        995/tcp
ssmtp        465/tcp

To verify the connection parameters you need to specify at least a CA certificate; where the server requires client authentication, add the client private key and public certificate as well.

$ openssl s_client -CAfile /etc/ssl/certs/AddTrust_External_Root.pem -connect host:443
$ openssl s_client -CAfile /etc/ssl/certs/AddTrust_External_Root.pem -cert /my/cert.pub -key /my/key.priv -connect host:443

A successful verification ends with: Verify return code: 0 (ok)

Compute the fingerprint of an ssh public key

posted Jan 19, 2011, 12:51 PM by Daniele Albrizio (updated May 22, 2017, 6:12 AM)

$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

2048 d4:55:b1:gf:f4:94:22:e4:2c:5d:dd:90:43:cd:32:11 /etc/ssh/ssh_host_rsa_key.pub
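As an added example (not from the original note), how ssh-keygen -l derives what it prints, in Python: both the old colon-separated MD5 form shown above and the current SHA256 form hash the base64-decoded key blob, and the key size is the bit length of the RSA modulus. The key line is constructed in the block from made-up RSA parameters, so the fingerprints it prints are not those of any real host key.

```python
import base64
import hashlib
import struct

def _ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n):
    """SSH wire 'mpint' for a positive integer: minimal two's complement, so a
    leading 0x00 is added whenever the top bit of the first byte would be set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_rsa_pubkey_line(e, n, comment="constructed@example"):
    """Build a .pub / authorized_keys style line from RSA parameters (test data only)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def _rsa_bits(blob):
    """Key size as ssh-keygen reports it: the bit length of the modulus (3rd wire field)."""
    off, fields = 0, []
    for _ in range(3):
        (ln,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    return int.from_bytes(fields[2], "big").bit_length()

def fingerprint(pubkey_line):
    """Return (bits, md5_fp, sha256_fp) for one public-key line.

    Both fingerprints hash the base64-decoded key blob only; the key type word
    and the trailing comment never enter the hash, so editing a key's comment
    does not change its fingerprint."""
    fields = pubkey_line.split()
    keytype, blob = fields[0], base64.b64decode(fields[1])
    # legacy format (default before OpenSSH 6.8, '-E md5' since): hex pairs joined by ':'
    md5_fp = ":".join("%02x" % b for b in hashlib.md5(blob).digest())
    # current default: 'SHA256:' followed by the unpadded base64 of the SHA-256 digest
    sha256_fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    bits = _rsa_bits(blob) if keytype == "ssh-rsa" else None
    return bits, md5_fp, sha256_fp

if __name__ == "__main__":
    # Constructed 2048-bit "modulus" (not a real key): top bit set so the size comes out as 2048.
    line = build_rsa_pubkey_line(65537, (1 << 2047) | 12345)
    bits, md5_fp, sha256_fp = fingerprint(line)
    print(bits, md5_fp)      # the old ssh-keygen -l layout
    print(bits, sha256_fp)   # the current ssh-keygen -l layout
```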

Verify the signature (.sig) associated to a file

posted Jan 19, 2011, 12:45 PM by Daniele Albrizio (updated May 22, 2017, 6:13 AM)

$ gpg --verify file.sig file.to.verify

or, fetching the detached signature from the web:

$ wget -O - http://site.org/file.asc | gpg --verify - file.to.verify

Verify that the public key, the certificate signing request and the private key match

posted Jan 19, 2011, 12:41 PM by Daniele Albrizio (updated May 22, 2017, 6:13 AM)

What actually has to be verified is that the keys share the same modulus. For ease of comparison, we compute its MD5 value:

$ openssl x509 -noout -modulus -in server.pem | openssl md5
$ openssl rsa -noout -modulus -in server.key | openssl md5
$ openssl req -noout -modulus -in server.csr | openssl md5

Verify the correctness of the CA chain

posted Jan 19, 2011, 12:40 PM by Daniele Albrizio (updated May 22, 2017, 6:13 AM)

$ openssl verify -CAfile cachain.pem servercert.pem

If the chain is not complete, an error like the following is displayed: "error 20 at 0 depth lookup:unable to get local issuer certificate"