tls
TLS is Transport Layer Security. It used to be called SSL: the Secure Sockets Layer. It has to do with encrypted IP traffic.
Apache SSL steps
- Generate a host key:
openssl genrsa -out foo.com.key 2048 - Generate a CSR from that key:
openssl req -new -key foo.com.key -out foo.com.csr
To set up VirtualHosts, follow this template: https://cwiki.apache.org/confluence/display/HTTPD/NameBasedSSLVHosts
Examples
Download a certificate from an https server
get_certificate_from_server() {
hostname="$1"
port="${2:-443}"
ip_address="$(dig +short "$hostname")"
echo |
openssl s_client -servername "$hostname" -connect "${ip_address}:${port}" 2>/dev/null |
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}
get_certificate_from_server github.com
Show info about a certificate file
openssl x509 -noout -text -in foo.pem
Validate a keys / cert pair
To validate that a particular key was used to generate a certificate, useful for testing https key/crt files, do the following and make sure the modulus sections match:
openssl rsa -noout -text -in server.key | grep -i -A9 modulus
openssl x509 -noout -text -in server.crt | grep -i -A9 modulus
Or as a function:
function crt-key-compare {
if [ ! -f "$1" ] || [ ! -f "$2" ] ; then
echo "ERROR: check that both files exist."
return 1
fi
if [[ "$1" != *crt* ]] || [[ "$2" != *key* ]] ; then
echo "usage: crt-key-compare <server.crt> <server.key>" ;
else
crt_modulus=$(openssl x509 -in "$1" -modulus | grep Modulus) || return 1
key_modulus=$(openssl rsa -in "$2" -modulus | grep Modulus) || return 1
if diff <(echo "$crt_modulus") <(echo "$key_modulus") ; then
echo "key and crt match."
else
echo "key and crt do not match"
fi
fi
}
See some information about a server's certificate
SERVER_NAME=linuxforums.org
SERVER_PORT=443
openssl s_client -connect "${SERVER_NAME}:${SERVER_PORT:-443}"
See just the dates of a webserver's SSL certificate
check-server-cert-dates() {
test -z "$1" && { echo "Usage: check-server-cert-dates <servername> [port]" ; return 1 ; }
openssl s_client -connect "${1}:${2:-443}" 2>/dev/null </dev/null |
openssl x509 -noout -dates
}
Show the issuer and dates of a certificate
This is useful when you're moving certs between issuers, for instance if you moved from letsencrypt to something else, then later get an expiration notice from letsencrypt, and want to verify that you're not using that certificate anymore:
openssl s_client -connect ${REMOTE_HOST}:443 2>/dev/null </dev/null |
openssl x509 -noout -issuer -dates
The output will be something like:
issuer= /C=US/O=DigiCert Inc/CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
notBefore=Feb 18 00:00:00 2022 GMT
notAfter=Oct 5 23:59:59 2022 GMT
Encrypt a file
openssl enc -aes-256-cbc -salt -in yourfile -out yourfile.enc
Decrypt a file
openssl enc -aes-256-cbc -d -in encryptedfile.enc -out decryptedfile
Encrypt / Decrypt bash functions
function encrypt_file() { openssl enc -aes-256-cbc -salt -in "$1" -out "$1.enc" ; }
function decrypt_file() { openssl enc -aes-256-cbc -d -in "$1" -out "$1.dec" ; }
Perform a benchmark
You can run benchmarks on one or more ciphers or digests using openssl speed.
openssl speed -seconds 5 -evp sha256 sha512
See Also
- https://datatracker.ietf.org/doc/html/rfc5246 - The Transport Layer Security (TLS) Protocol Version 1.2
- https://github.com/cloudflare/cfssl - CFSSL: Cloudflare's PKI and TLS toolkit https://cfssl.org
- https://tls12.xargs.org - Every byte of a TLS connection explained and reproduced
- https://github.com/FiloSottile/mkcert - simple local dev Certificate Authority
- https://www.tutorialsteacher.com/https/ssl-certificate-format - Good overview of certificate formats, including diagrams
- https://shkspr.mobi/blog/2022/01/should-you-use-lets-encrypt-for-internal-hostnames
- https://badssl.com: Hosting a variety of ssl failure modes, this site is a great resource when writing code that needs to handle all of these different scenarios.