openssl

About This Presentation

Title:

openssl

Description:

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2 ... (TLS v1) network protocols and related cryptography standards required by them. ... – PowerPoint PPT presentation

Number of Views:955

Avg rating:3.0/5.0

Slides: 18

Provided by: OnnoW2

Category:

more less

Transcript and Presenter's Notes

Title: openssl

1
openssl

Onno W. Purbo
onno_at_indo.net.id

2
Reference

http//www.openssl.org
http//www.linuxdoc.org
http//www.redhat.com

3
OpenSSL

OpenSSL is a cryptography toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) network
protocols and related cryptography standards
required by them.

4
OpenSSL

The openssl program is a command line tool for
using the various cryptography functions of
OpenSSL's crypto library from the shell. It can
be used for
Creation of RSA, DH and DSA key parameters
Creation of X.509 certificates, CSRs and CRLs
Calculation of Message Digests
Encryption and Decryption with Ciphers
SSL/TLS Client and Server Tests
Handling of S/MIME signed or encrypted mail

5
Standard Commands

Asn1parse - Parse an ASN.1 sequence.
Ca - Certificate Authority (CA) Management.
Ciphers - Cipher Suite Description Determination.
Crl - Certificate Revocation List (CRL)
Management.
Crl2pkcs7 - CRL to PKCS7 Conversion.
Dgst - Message Digest Calculation.
Dh - Diffie-Hellman Parameter Management.
Obsoleted by dhparam.
Dsa - DSA Data Management.

6
Standard Commands

Dsaparam - DSA Parameter Generation.
Enc - Encoding with Ciphers.
Errstr - Error Number to Error String Conversion.
Dhparam - Generation and Management of
Diffie-Hellman Parameters.
Gendh - Generation of Diffie-Hellman Parameters.
Obsoleted by dhparam.
Gendsa - Generation of DSA Parameters.
Genrsa - Generation of RSA Parameters.

7
Standard Commands

Ocsp - Online Certificate Status Protocol
utility.
Passwd - Generation of hashed passwords.
Pkcs7 - PKCS7 Data Management.
Rand - Generate pseudo-random bytes.
Req - X.509 Certificate Signing Request (CSR)
Management.
Rsa - RSA Data Management.
Rsautl - RSA utility for signing, verification,
encryption, and decryption.

8
Standard Commands

s_client - This implements a generic SSL/TLS
client which can establish a transparent
connection to a remote server speaking SSL/TLS.
It's intended for testing purposes only and
provides only rudimentary interface functionality
but internally uses mostly all functionality of
the OpenSSL ssl library.

9
Standard Commands

s_server - This implements a generic SSL/TLS
server which accepts connections from remote
clients speaking SSL/TLS. It's intended for
testing purposes only and provides only
rudimentary interface functionality but
internally uses mostly all functionality of the
OpenSSL ssl library. It provides both an own
command line oriented protocol for testing SSL
functions and a simple HTTP response facility to
emulate an SSL/TLS-aware webserver.

10
Standard Commands

s_time - SSL Connection Timer.
sess_id - SSL Session Data Management.
Smime - S/MIME mail processing.
Speed - Algorithm Speed Measurement.
Verify - X.509 Certificate Verification.
Version - OpenSSL Version Information.
X509 - X.509 Certificate Data Management.

11
/etc/httpd/conf/

root_at_linux conf ls -l
total 68
lrwxrwxrwx 1 root root 37 May 2 0406
Makefile -gt ../../../usr/share/ssl/certs/Makefile
-rw-r--r-- 1 root root 348 Aug 24 2000
access.conf
-rw-r--r-- 1 root root 40561 Aug 24 2000
httpd.conf
-rw-r--r-- 1 root root 357 Aug 24 2000
srm.conf
drwx------ 2 root root 4096 May 2 0406
ssl.crl
drwx------ 2 root root 4096 May 2 0406
ssl.crt
drwx------ 2 root root 4096 May 2 0943
ssl.csr
drwx------ 2 root root 4096 May 2 0406
ssl.key
drwx------ 2 root root 4096 May 2 0406
ssl.prm

12
make usage

root_at_linux conf make usage
This makefile allows you to create
o public/private key pairs
o SSL certificate signing requests (CSRs)
o self-signed SSL test certificates
To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make
SOMETHING.crt".
To create a key and a test certificate in one
file, run "make SOMETHING.pem".
To create a key for use with Apache, run "make
genkey".
To create a CSR for use with Apache, run "make
certreq".
To create a test certificate for use with Apache,
run "make testcert".

13
Private Key
14
make server.key

root_at_linux conf make server.key
umask 77 \
/usr/bin/openssl genrsa -des3 -rand 1024 gt
server.key
0 semi-random bytes loaded
Generating RSA private key, 512 bit long modulus
...
..
e is 65537 (0x10001)
Enter PEM pass phrase
Verifying password - Enter PEM pass phrase

15
More server.key

root_at_linux conf more server.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type 4,ENCRYPTED
DEK-Info DES-EDE3-CBC,317BF4C50E1C590B
X/V5VDJxPg702miehbOCsumLf2QS9vpO2YxI9BLsNrtBkPyN36
3UEVQ9Hsrpct
mQhDa/BXuUFqKtZcGJJef2kIhwqe1L5oW0RBRk5XJvOtVWkxo
bEuRq28f76j
9gtNW9O12tTXEgnGR5KOWdUEOCtLyCgs2YMfUwloGYzc26l
w9n77VI7g0RC
ViiNdZLGWlg2ywFBXGVBHeuo2a8NHXxOTuFdPdBP0UCodknzd
Af761FZPJDg0
HEvFzHUpoEExn00NzBUj0YvkUMtOXi4Q9GNB1V7UUiAJNwUZXj
bjRgbUXfSMcZ
ZY9LkHoc4cq5F4wIN8O4KLkTfzLENdbbFP04R2BJ5ASx4r7GA
DaeCMaXUYuqU
DjP5gGDIG0lHXSnn31tPBZeVXAcYEmDU2Zbch5PxPs
-----END RSA PRIVATE KEY-----

16
Private Key

root_at_linux conf openssl rsa -noout -text -in
server.key
read RSA key
Enter PEM pass phrase
Private-Key (512 bit)
modulus
00a3f65cc53972548041946aa0ae0c
7cebd8acf5
publicExponent 65537 (0x10001)
privateExponent
1008c2afc2db6c6a127fba21b6839e
fae374e1
prime1
00d3a3994f43bab397a3bc58e358ce
c69aad
prime2
00c6547729cf8d8c6af076e561dbc3
33ac69

17
Certificate Signing Request
18
make CSR

root_at_linux conf make server.csr
umask 77 \
/usr/bin/openssl req -new -key server.key -out
server.csr
Using configuration from /usr/share/ssl/openssl.cn
f
Enter PEM pass phrase
You are about to be asked to enter information
that will be incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave
some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

19
Make CSR ...

Country Name (2 letter code) AUID
State or Province Name (full name)
Some-StateDKI
Locality Name (eg, city) Jakarta
Organization Name (eg, company) Internet Widgits
Pty LtdFree Agent
Organizational Unit Name (eg, section) Owner
Common Name (eg, your name or your server's
hostname) www.purbo.org
Email Address onno_at_indo.net.id
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password apa kabar
An optional company name purbo.org
root_at_linux conf

20
Server.csr

This is the server certificate signing request
for Apache/mod_ssl corresponding to the
../ssl.crt/server.crt file.
Then it contains the CSR which you can send to a
public Certification Authority (CA) for
requesting a real signed certificate (which then
can replace the ../ssl.crt/server.crt file).

21
More server.csr

root_at_linux conf more server.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBezCCASUCAQAwgYsxCzAJBgNVBAYTAklEMQwwCgYDVQQIEw
NES0kxEDAOBg
BAcTB0pha2FydGExEzARBgNVBAoTCkZyZWUgQWdlbnQxDjAMBg
NVBAsTBU93bm
MRYwFAYDVQQDEw13d3cucHVyYm8ub3JnMR8wHQYJKoZIhvcNAQ
kBFhBvbm5vQG
ZG8ubmV0LmlkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKP2XM
U5clSAQZRqoK
aHiFnbiIcyt/vgx301kwmkH1DdRncuR74mIPAjSxA9Mik5cPUO
UtCQmw7LCbfO
rPUCAwEAAaA0MBgGCSqGSIb3DQEJAjELEwlwdXJiby5vcmcwGA
YJKoZIhvcNAQ
MQsTCWFwYSBrYWJhcjANBgkqhkiG9w0BAQQFAANBADnl/mBcXO
kFv6I8PV5oWC
BH5Ppxx0T4bON2vaE2DPiEdneWdbt5QoJBw7AO1zWuGSxhQDEx
4RaEx6sEfXX2
-----END CERTIFICATE REQUEST-----
root_at_linux conf

22
Server.csr

root_at_linux conf openssl req -noout -text -in
server.csr
Using configuration from /usr/share/ssl/openssl.cn
f
Certificate Request
Data
Version 0 (0x0)
Subject CID, STDKI, LJakarta, OFree
Agent, OUOwner, CNwww.purbo.org/Emailonno_at_indo.
net.id
Subject Public Key Info
Public Key Algorithm rsaEncryption
RSA Public Key (512 bit)
Modulus (512 bit)
00a3f65cc5397254804194
6aa0ae0c
03d32293970f50e52d0909b0ecb09b
7cebd8acf5
Exponent 65537 (0x10001)

23
Server.csr ..

Attributes
unstructuredName purbo.org
challengePassword apa kabar
Signature Algorithm md5WithRSAEncryption
39e5fe605c5ce905bfa23c3d5e68
582f9b04
7e4fa71c744f86ce376bda1360cf
88476779
675bb79428241c3b00ed735ae192
c6140313
1e11684c7ab047d75f6d
root_at_linux conf

24
Digital Certificate (Self Signed)
25
Make CRT

root_at_linux conf
root_at_linux conf make server.crt
umask 77 \
/usr/bin/openssl req -new -key server.key -x509
-days 365 -out server.crt
Using configuration from /usr/share/ssl/openssl.cn
f
Enter PEM pass phrase
You are about to be asked to enter information
that will be incorporated
into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave
some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

26
Make CRT ..

-----
Country Name (2 letter code) AUID
State or Province Name (full name)
Some-StateDKI
Locality Name (eg, city) Jakarta
Organization Name (eg, company) Internet Widgits
Pty LtdFree Agent
Organizational Unit Name (eg, section) Owner
Common Name (eg, your name or your server's
hostname) www.purbo.org
Email Address onno_at_indo.net.id
root_at_linux conf

27
/etc/httpd/conf/ssl.crt

The ssl.crt/ directory of Apache/mod_ssl where
PEM-encoded X.509 Certificates for SSL are
stored.
server.crt - is the server certificate for
Apache/mod_ssl, configured with the
SSLCertificateFile directive.

28
More server.crt

root_at_linux conf more server.crt
-----BEGIN CERTIFICATE-----
MIIC9TCCApgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBizELMA
kGA1UEBhMCSU
DDAKBgNVBAgTA0RLSTEQMA4GA1UEBxMHSmFrYXJ0YTETMBEGA1
UEChMKRnJlZS
Z2VudDEOMAwGA1UECxMFT3duZXIxFjAUBgNVBAMTDXd3dy5wdX
Jiby5vcmcxHz
BgkqhkiG9w0BCQEWEG9ubm9AaW5kby5uZXQuaWQwHhcNMDEwNT
AzMDE0MTE1Wh
MDIwNTAzMDE0MTE1WjCBizELMAkGA1UEBhMCSUQxDDAKBgNVBA
gTA0RLSTEQMA
A1UEBxMHSmFrYXJ0YTETMBEGA1UEChMKRnJlZSBBZ2VudDEOMA
wGA1UECxMFT3
ZXIxFjAUBgNVBAMTDXd3dy5wdXJiby5vcmcxHzAdBgkqhkiG9w
0BCQEWEG9ubm
aW5kby5uZXQuaWQwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAo/
ZcxTlyVIBBlG
rgxoeIWduIhzK3DHfTWTCaQfUN1Gdy5HviYg8CNLED0yKTlw
9Q5S0JCbDssJ
69is9QIDAQABo4HrMIHoMB0GA1UdDgQWBBT995mg/pKwzq5yZS
SK9jCpxRzbtT
uAYDVR0jBIGwMIGtgBT995mg/pKwzq5yZSSK9jCpxRzbtaGBka
SBjjCBizELMA
A1UEBhMCSUQxDDAKBgNVBAgTA0RLSTEQMA4GA1UEBxMHSmFrYX
J0YTETMBEGA1
ChMKRnJlZSBBZ2VudDEOMAwGA1UECxMFT3duZXIxFjAUBgNVBA
MTDXd3dy5wdX
Qw4hIPMdJ5eer6qBUaiIl5G9yurxeAOPkSd58OVsmX1KwQIm2k
LZtwY
-----END CERTIFICATE-----
root_at_linux conf

29
Server.crt

root_at_linux conf openssl x509 -noout -text -in
server.crt
Certificate
Data
Version 3 (0x2)
Serial Number 0 (0x0)
Signature Algorithm md5WithRSAEncryption
Issuer CID, STDKI, LJakarta, OFree
Agent, OUOwner, CNwww.purbo.or
g/Emailonno_at_indo.net.id
Validity
Not Before May 3 014115 2001 GMT
Not After May 3 014115 2002 GMT
Subject CID, STDKI, LJakarta, OFree
Agent, OUOwner, CNwww.purbo.o
rg/Emailonno_at_indo.net.id
Subject Public Key Info

30
Server.crt ..

Public Key Algorithm rsaEncryption
RSA Public Key (512 bit)
Modulus (512 bit)
00a3f65cc5397254804194
6aa0ae0c
Exponent 65537 (0x10001)
X509v3 extensions
X509v3 Subject Key Identifier
FDF799A0FE92B0CEAE726524
8AF630A9
X509v3 Authority Key Identifier
keyidFDF799A0FE92B0CEAE72
65248A
DirName/CID/STDKI/LJakarta/OFr
ee Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo
.net.id
serial00
X509v3 Basic Constraints
CATRUE
Signature Algorithm md5WithRSAEncryption
8daf9e12ee9042e40cfc40ddf7b0
086f17d5
root_at_linux conf

31
Testing s_client
32
S_client

root_at_linux conf openssl s_client -host
localhost -port 443
CONNECTED(00000003)
depth0 /CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno
_at_indo.net.id
verify errornum18self signed certificate
verify return1
depth0 /CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno
_at_indo.net.id
verify return1
---
Certificate chain
0 s/CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
t.id
i/CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
t.id

33
S_client
Command Line

root_at_linux conf openssl s_client -host
localhost -port 443
CONNECTED(00000003)
depth0 /CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno
_at_indo.net.id
verify errornum18self signed certificate
verify return1
depth0 /CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno
_at_indo.net.id
verify return1
---
Certificate chain
0 s/CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
t.id
i/CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
t.id

34
S_client

root_at_linux conf openssl s_client -host
localhost -port 443
CONNECTED(00000003)
depth0 /CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno
_at_indo.net.id
verify errornum18self signed certificate
verify return1
depth0 /CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno
_at_indo.net.id
verify return1
---
Certificate chain
0 s/CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
t.id
i/CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
t.id

Self Sign Cerificate
35
S_client ..

---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC9TCCApgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBizELMA
kGA1UEBhMCSU
DDAKBgNVBAgTA0RLSTEQMA4GA1UEBxMHSmFrYXJ0YTETMBEGA1
UEChMKRnJlZS
Qw4hIPMdJ5eer6qBUaiIl5G9yurxeAOPkSd58OVsmX1KwQIm2k
LZtwY
-----END CERTIFICATE-----
subject/CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
t.id
issuer/CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
t.id

36
S_client ..

---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC9TCCApgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBizELMA
kGA1UEBhMCSU
DDAKBgNVBAgTA0RLSTEQMA4GA1UEBxMHSmFrYXJ0YTETMBEGA1
UEChMKRnJlZS
Qw4hIPMdJ5eer6qBUaiIl5G9yurxeAOPkSd58OVsmX1KwQIm2k
LZtwY
-----END CERTIFICATE-----
subject/CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
t.id
issuer/CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
t.id

Siapa Anda..
37
S_client ..

---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC9TCCApgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBizELMA
kGA1UEBhMCSU
DDAKBgNVBAgTA0RLSTEQMA4GA1UEBxMHSmFrYXJ0YTETMBEGA1
UEChMKRnJlZS
Qw4hIPMdJ5eer6qBUaiIl5G9yurxeAOPkSd58OVsmX1KwQIm2k
LZtwY
-----END CERTIFICATE-----
subject/CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
t.id
issuer/CID/STDKI/LJakarta/OFree
Agent/OUOwner/CNwww.purbo.org/Emailonno_at_indo.ne
t.id

Issuer / Cerificate Authority
38
S_client ..

---
No client certificate CA names sent
---
SSL handshake has read 1221 bytes and written 314
bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 512 bit
SSL-Session
Protocol TLSv1
Cipher EDH-RSA-DES-CBC3-SHA
Session-ID
Session-ID-ctx
Master-Key F597E6EEDB4B6C6FADFC7AEDDC0E66F474
0E7EB8486F03
Key-Arg None
Start Time 988936497
Timeout 300 (sec)
Verify return code 0 (ok)

39
S_client ..

---
No client certificate CA names sent
---
SSL handshake has read 1221 bytes and written 314
bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 512 bit
SSL-Session
Protocol TLSv1
Cipher EDH-RSA-DES-CBC3-SHA
Session-ID
Session-ID-ctx
Master-Key F597E6EEDB4B6C6FADFC7AEDDC0E66F474
0E7EB8486F03
Key-Arg None
Start Time 988936497
Timeout 300 (sec)
Verify return code 0 (ok)

Master Key
40
S_client ..

---
GET /
lt!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2
Final//EN"gt
ltHTMLgt
ltHEADgt
ltTITLEgtTest Page for the Apache Web Server on
Red Hat Linuxlt/TITLEgt
lt/HEADgt
lt!-- Background white, links blue (unvisited),
navy (visited), red (active) --gt ltBODY
BGCOLOR"FFFFFF"gt
ltH1 ALIGN"CENTER"gtTest Pagelt/H1gt
This page is used to test the proper operation
of the Apache Web server after it has been
installed. If you can read this page, it means
that the Apache Web server installed at this site
is working properly.
lt/HTMLgt
closed
root_at_linux conf