Openssl: Difference between revisions
Jump to navigation
Jump to search
mNo edit summary |
|||
| Line 53: | Line 53: | ||
done | done | ||
</pre> | </pre> | ||
Example: | |||
<pre> | |||
./check_ciphers.sh iwillfearnoevil.com:443 | |||
Obtaining cipher list from OpenSSL 1.1.1f 31 Mar 2020. | |||
Testing TLS_AES_256_GCM_SHA384...NO (SSL_CTX_set_cipher_list) | |||
Testing TLS_CHACHA20_POLY1305_SHA256...NO (SSL_CTX_set_cipher_list) | |||
Testing TLS_AES_128_GCM_SHA256...NO (SSL_CTX_set_cipher_list) | |||
Testing ECDHE-ECDSA-AES256-GCM-SHA384...YES | |||
Testing ECDHE-RSA-AES256-GCM-SHA384...YES | |||
Testing DHE-DSS-AES256-GCM-SHA384...YES | |||
Testing DHE-RSA-AES256-GCM-SHA384...YES | |||
Testing ECDHE-ECDSA-CHACHA20-POLY1305...YES | |||
Testing ECDHE-RSA-CHACHA20-POLY1305...YES | |||
</pre> | |||
[[Category:openssl]] | [[Category:openssl]] | ||
Revision as of 11:29, 21 September 2023
Stuff you need to remember for openssl
For creating a self signed certificate chain, having a password makes things more of a PITA..
- Process to create chain without a password:
openssl genrsa -out ca.key 4096 openssl req -new -x509 -days 36500 -key ca.key -out ca.crt openssl genrsa -out client.key 4096 openssl req -new -key client.key -out client.csr openssl x509 -req -days 36500 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt openssl rsa -in client.key -out client.priv cat client.crt ca.crt client.priv > client.pem openssl x509 -text -noout -in ./client.pem
If you WANT a password set for the certificate, then the genrsa command needs -des3 added as a switch. That will require a password at that point. Source Link for how to
check ciphers for cert
#!/usr/bin/env bash
#https://blog.lxsang.me/post/id/31
# OpenSSL requires the port number.
SERVER=$1
# cool way to set defaults, if set or set default
# short circuit logic. Spiffy trick.
#DELAY=${2:-} || DELAY=1
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
echo Obtaining cipher list from $(openssl version).
for cipher in ${ciphers[@]}
do
echo -n Testing $cipher...
result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
if [[ "$result" =~ ":error:" ]] ; then
error=$(echo -n $result | cut -d':' -f6)
echo NO \($error\)
else
if echo $result | grep -q "Verify return code: 0 (ok)"; then
echo YES
else
echo UNKNOWN RESPONSE
echo $result
fi
fi
sleep $DELAY
done
Example:
./check_ciphers.sh iwillfearnoevil.com:443 Obtaining cipher list from OpenSSL 1.1.1f 31 Mar 2020. Testing TLS_AES_256_GCM_SHA384...NO (SSL_CTX_set_cipher_list) Testing TLS_CHACHA20_POLY1305_SHA256...NO (SSL_CTX_set_cipher_list) Testing TLS_AES_128_GCM_SHA256...NO (SSL_CTX_set_cipher_list) Testing ECDHE-ECDSA-AES256-GCM-SHA384...YES Testing ECDHE-RSA-AES256-GCM-SHA384...YES Testing DHE-DSS-AES256-GCM-SHA384...YES Testing DHE-RSA-AES256-GCM-SHA384...YES Testing ECDHE-ECDSA-CHACHA20-POLY1305...YES Testing ECDHE-RSA-CHACHA20-POLY1305...YES