I have a domain mydomain.com with some sub level domains like

• nexus.mydomain.com
• svn.mydomain.com
• www.mydomain.com

Now I need a self signed certificate for all these domains because I want to use them over HTTPS. There are some steps to do this. First of all: you don’t need for this propose your own root certificate. You should replace all occurence of mydomain.com with your own domain name and sub domains.

On the gentoo server where the apache should host the domains, I have to create the certificate. I do following steps:

1. Generate a private key

   openssl genrsa -des3 -out server.key 1024
   

2. Generate a CSR (Certificate Signing Request)

   openssl req -new -key mydomain.key -out mydomain.csr
   
   Country Name (2 letter code) [DE]:DE
   State or Province Name (full name) [Sachsen]:Sachsen
   Locality Name (eg, city) [Leipzig]:Leipzig
   Organization Name (eg, company) [My Company Ltd]:mydomain.com
   Organizational Unit Name (eg, section) []:Information Technology
   Common Name (eg, your name or your server's hostname) []:mydomain.com
   Email Address []:thomas dot wabner at mydomain dot com
   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:
   

3. Remove Passphrase from Key

   cp mydomain.key mydomain.key.org
   openssl rsa -in mydomain.key.org -out mydomain.key
   

4. Generating a Self-Signed Certificate

   To include all required subdomains a extensions file must be used. For example I have created a file /home/waffel/ssl/mydomain_extensions with following content:

   [ mydomain_http ]
   nsCertType      = server
   keyUsage        = digitalSignature,nonRepudiation,keyEncipherment
   extendedKeyUsage        = serverAuth
   subjectKeyIdentifier    = hash
   authorityKeyIdentifier  = keyid,issuer
   subjectAltName          = @mydomain_http_subject
   [ mydomain_http_subject ]
   DNS.1 = www.mydomain.com
   DNS.2 = nexus.mydomain.com
   DNS.3 = trac.mydomain.com
   DNS.4 = svn.mydomain.com
   

   The last command to create the certificate is:

   openssl x509 -req -days 365 -in mydomain.csr -signkey mydomain.key -out mydomain.crt -extfile /home/waffel/ssl/mydomain_extensions -extensions mydomain_http
   

In the apache configuration for the ssl host’s I have enabled the ssl module with following content:

...
ServerAlias svn.mydomain.com trac.mydomain.com nexus.mydomain.com

        ErrorLog /var/log/apache2/ssl_mydomain_error_log
        <IfModule log_config_module>
                TransferLog /var/log/apache2/ssl_mydomain_access_log
        </IfModule>

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /etc/apache2/ssl/mydomain.crt
        SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key
        SSLCertificateChainFile /etc/ssl/cacert.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/var/www/localhost/cgi-bin">
                SSLOptions +StdEnvVars
        </Directory>
        <IfModule log_config_module>
                CustomLog /var/log/apache2/ssl_mydomain_request_log \
                        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        </IfModule>
...

For exmaple if you need such certificate to connect your maven with a self installed nexus repositiory over https you can follow the article from ahoehma.

A more detailed description with some beckground information about the certificate creation can be found here.

Ubuntu默认的数字证书有效期只有一个月，到期后，可以重新申请一个：

cd /etc/ssh

openssl req  -new -x509 -days 3650 -key ../private/ssl-cert-snakeoil.key  -out ssl-cert-snakeoil.pem

反正只是自己使用，也不用再签名什么的了，完整的流程可以参考Openssl简明使用手册，以及基于 OpenSSL 的 CA 建立及证书签发。

此外第三方免费的SSL认证有CAcert.org，可惜直到目前他们都没有得到Mozilla的认可，根证书不能进入Firefox，更不用说IE了，所以没什么用。

通常情况，要申请成默认根证书，需要通过Webtrust的审计，$75,000 up-front plus ~$10,000 per year。还真是要不少银子

어제 올린 포스트에서 언급했듯이, 오늘은 Decryption 쪽을 포스팅해본다. 오늘 올릴 소스코드는 완전한 것이 아니라, 어떤 method의 한 부분을 보여주는데, 적어도 OpenSSL의 함수를 사용하는 부분에 대해서만은 완전한 소스의 형태를 갖추고 있다.

	const char *validationRawData = [validataionData bytes];
	if( validataionData )
	{
		int validationLength = [validataionData length];
		int totalLength = 0; // For decrypted length

		int result = 0;
		unsigned char inputBuffer[8], outputBuffer[8];
		int inputLength = 0, outputLength = 0;

		bzero( inputBuffer, sizeof( inputBuffer ) );
		bzero( outputBuffer, sizeof( outputBuffer ) );

		char finalBuffer[64];
		bzero( finalBuffer, sizeof( finalBuffer ) );

		// Initialize cipher context
		EVP_CIPHER_CTX ctx;
		EVP_CIPHER_CTX_init( &ctx );

		// Copy a key
		unsigned char keyForDES[8];
		memcpy( keyForDES, kKeyText, 8 ); // "LXFExpor"

		result = EVP_DecryptInit( &ctx, EVP_des_ecb(), keyForDES, NULL);
		if( result )
		{

			int byteLeft = validationLength;
			int bytesToCopy = 0;
			int inputLoc = 0, outputLoc = 0;

			while( byteLeft > 0 )
			{
				if( byteLeft < 8 )
				{
					bytesToCopy = byteLeft;
					byteLeft = 0;
				}
				else
				{
					bytesToCopy = 8;
					byteLeft -= 8;
				}

				bzero( inputBuffer, sizeof( inputBuffer ) );
				memcpy( inputBuffer, validationRawData + inputLoc, bytesToCopy );
				inputLoc += bytesToCopy;

				bzero( outputBuffer, sizeof( outputBuffer ) );
				inputLength = bytesToCopy;
				result = EVP_DecryptUpdate( &ctx, outputBuffer, &outputLength, inputBuffer, inputLength );
				if( result )
				{
					memcpy( finalBuffer + outputLoc, outputBuffer, outputLength );
					outputLoc += outputLength;

					isSuccessful = YES;
				}
				else
				{
					isSuccessful = NO;
					break;
				}
			}

			bzero( outputBuffer, sizeof( outputBuffer ) );
			result = EVP_DecryptFinal( &ctx, outputBuffer, &outputLength );
			if( result )
			{
				memcpy( finalBuffer + outputLoc, outputBuffer, outputLength );
				outputLoc += outputLength;

				totalLength = outputLoc;

				isSuccessful = YES;
			}
			else
				isSuccessful = NO;

		}
		else
			isSuccessful = NO;

역시 주의할 부분은 EVP_DecryptUpdate() 함수의 호출부분이다. 이 함수의 호출 결과가 바로 바로 생각하는 단계의 것을 반영하지 않고, 다음 단계에 가서야 반영될 수있다. 직접 디버깅해 보면 좋을 것이다.

덧대서 말하자면 Mac에서는 libcrypto.dylib과 libssl.dylib을 링크해야 한다.
Windows에서는 좀 다르다. 현재 비공식 배포판이 있는데, Unix나 Mac의 것과 조금 다른 이름의 라이브러리로 되어 있다.
쉽게 파악할 수있기에 여기서는 설명을 하지 않겠다.

여기서 잠깐 부언 설명을 하자면, output buffer와 input buffer의 데이터 타입이 unsigned char의 어레이로 되어 있다. 이 점은 참 시사하는 바가 있다. 물론 사용할 수있는 암호화 기법마다 키의 길이가 다르고 output으로 나오는 길이가 다르기 때문에 int나 long이나 혹은 long long과 같은 데이터 타입을 사용하기가 좀 그렇다. char의 어레이로 하는 편이 여러가지로 난데, 여기엔 아마 또 하나의 고려사항이 있는 듯하다. byte ordering이 그것이다. 다양한 플랫폼으로 포팅을 할 때, 유념해야 할 사항 중의 하나가 바로 byte ordering이다. 의외로 미국에는 특히 인도계나 중국계가 그런데, Unix를 모르는 전산과 출신들이 많다. 컴퓨터하면 Windows만 아는 것이다. 근데 생각해 보자, 전산을 한 사람이 Windows는 모를 수있어도, Unix를 모른다는게 말이 되는가? 내가 본 소스 중에 이 byte ordering을 생각하지 않고 막 짠 것들이 꽤 있다. 근데, 자기가 테스트 한 머신에서는 되니까 그냥 되는구나하고 submit를 해 버린거다. 경력 15년이란다.. 어이그.. 내가 그런 것들 밑에서 일한다는게.. 정말..
아무튼… 그 소스 코드는 Unix를 모르는, Windows만 아는 사람이 만든거다. Unix를 쓰면 바로 Byte Ordering에 노출될텐데 말이지. 하긴…Intel Processor가 골치 아픈 구조이긴 하다. 세상의 거의 모든 Processor들이 다 Big Endian인데, Intel Processor들은 혼자서 Little Endian이다. 이거 참 웃기는 구조다. 통신도 Big Endian이 기본이다. 거의 모든 표준 규약이 Big Endian을 기반으로 한다. 왜 인텔의 프로세서 디자이너들은 little endian으로 만들었을까? 하다 못해 ARM core도 인텔이 fab을 한건 little endian으로 돈다. 다른 업체들이 만든건 Big Endian으로 돌지..
뭐 투덜대는건 그만하고… OpenSSL의 이런 구조는 porting할때 상당히 편하게 만드는 구조다. 이런 면은 참 생각을 잘하고 만든거 같다.

근데.. 그래도 역시 처음 사용하는 사람을 어리둥정하게 만드는 것은, 어디서부터 시작해야할지 모르게 만드는 함수 이름들과 MAN 페이지의 설명.. 이 OpenSSL을 보면, C++의 namespace보다 Objective-C처럼 클래스나 메소드 이름을 잘 정하는 것이 실제로 더 생산성을 높이고 관리하게 편하게 만드는 것이라는 것을 알 수있다. 물론 기본을 잘하고 namespace가 있으면 더 좋겠지만, 실제론 그런가?

근데 Cocoa나 Foundation 클래스 중에 이 OpenSSL을 wrapping해서 만든게 분명 있을텐데… KeyChain에 관련된 것과 CFAuthorization인가 등이 관련이 있을거 같은데 (그리고 특히 Keychain에 관련된 것들은 확실히 사용하고 있다.), 아무리 봐도 직접적으로 DES나 RSA, MD5, blowfish등을 언급한 도큐먼트가 Cocoa엔 없다.. 이거 참……

참.. 그리고 Mac에는 이거 외에도 또 암호화 기술을 사용할 수있게 하는 것이 있다. CC_로 시작되는 건데, 이름하여 Common Crypto API다. 몇가지 함수 이름을 보자면 CC_MD5_Init, CC_SHA1_Update, CCCryptorCreate 등등이다.

지금보니 뭔가 구조가 OpenSSL의 것과 비슷하다.
CCCryptorCreate(), CCCryptorUpdate(), CCCryptorFinal()… 비슷하지 않은가?
함수 이름들이 훨씬 정리가 잘 되어 있다. 근데 Mac이외에는 이 Common Crypto API의 MAN페이지가 검색되지 않는 것으로 보아, Apple사가 만들고 Mac에서만 쓰이는 것 같다.
혹은 BSD? 음.. 제목쪽에 BSD Library Functions Manual 라고 써져있는 것으로 보아 BSD Unix에서 쓰이는 것인가보다.

ADDED : 보니까 이 Common Crypto library는 Apple의 Open Source인 것같다.
여기 링크가 있다. http://developer.apple.com/opensource/security/

OpenSSL을 사용하려고 하면 몇가지 문제에 봉착하게 된다.

우선 쉽게 설명이 잘 되어 있는 문서가 전무하다. OpenSSL 웹사이트를 가면 몇가지 설명을 볼 수가 있는데, 대개 제대로 설명이 안되어 있다.  예를 들어 DES로 encryption과 decryption을 한다고 하자. MAN -s 3 ssl 로 OpenSSL에 대한 설명을 보면, 뭘 어디서부터 손대야 할지 알 수가 없다. 그래서 찾다 찾다 DES를 직접 건드려보기로 했다. 이때 중요한 함수가 몇개 있다.

void DES_random_key(DES_cblock *ret);

int DES_set_key(const_DES_cblock *key, DES_key_schedule *schedule);
int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule);
int DES_set_key_checked(const_DES_cblock *key,
       DES_key_schedule *schedule);
void DES_set_key_unchecked(const_DES_cblock *key,
       DES_key_schedule *schedule);

void DES_set_odd_parity(DES_cblock *key);
int DES_is_weak_key(const_DES_cblock *key);

void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output,
       DES_key_schedule *ks, int enc);

여기서 어떤 함수를 써야 하는지 파악하기 위해서, 간단한 예제라도 있으면 좋겠는데, 전혀 그렇지 않다.
굳이 찾자면, OpenSSL의 test 폴더에 있는 샘플 코드를 보는 것이다.
아무튼 MAN 페이지를 아무리 찾아봐도, 저 schedule 변수가 뭐할때 쓰는건지, checked와 unchecked key의 차이는 뭔지 알 수가 없다. 물론 이것은 암호화 자체의 spec에 준하는 함수이기 때문에 DES 자체를 이해하는 것이 필요하다. 하지만 DES 문서를 봐도 때로는 알 수가 없다.
그러다가 OpenSSL의 mailing list에서, 직접 특정 암호화 함수를 사용하지 말고 high-level 함수를 이용하는 것이 더 좋다라는 답변을 들었다. 음.. 그게 뭐지? 힌트로 얻은 것이 EVP_EncryptInit_ex()였다.
아.. command라인에서 쓰더라도 openssl 명령을 쓰고 그 옆에 어떤 암호화 기법을 쓸지를 정해주지 않던가? (물론 바로 암호화 명령을 써도 되지만) 음.. 함수들도 그렇게 구성이 되어 있구나.. 그런 것을 알게 되었다. 근데 이런 설명이 MAN 페이지엔 제대로 되어 있지 않다. (혹 이 시점에서 MAN 페이지 구석 구석 찾아보고 “있는데?” 하는 분들 있을지 모르겠다. 여기서 말하고자 하는 건, 눈에 확 띄지 않는다는 뜻이다. )

그래서 MAN 페이지를 뚤어지게 찾아보다가 찾아내서 만든 코드가 아래의 코드다.

- (char *)generateCipherText:(NSString *)inputString withCipherTextLength:(int *)cipherTextLength
{
	BOOL isSuccessful = YES;

	const char *inputCString = [inputString cStringUsingEncoding:NSASCIIStringEncoding];
	int sourceLength = strlen( inputCString );

	int result = 0;
	unsigned char inputBuffer[16], outputBuffer[16];
	int outputLength = 0;
	int inputLength = 0;

	bzero( inputBuffer, 16 );
	bzero( outputBuffer, 16 );

	char *finalBuffer;
	finalBuffer = (char *)malloc( 64 );
	bzero( finalBuffer, 64 );

	// Initialize cipher context
	EVP_CIPHER_CTX ctx;
	EVP_CIPHER_CTX_init( &ctx );

	// Copy a key
	unsigned char keyForDES[8];
	memcpy( keyForDES, kKeyText, 8 ); // "LXFExpor"

	result = EVP_EncryptInit(&ctx, EVP_des_ecb(), keyForDES, NULL);
	if( result )
	{
		int byteLeft = sourceLength;
		int bytesToCopy;
		int inputLoc = 0, outputLoc = 0;

		while( byteLeft > 0 )
		{
			if( byteLeft < 8 )
			{
				bytesToCopy = byteLeft;
				byteLeft = 0;
			}
			else
			{
				bytesToCopy = 8;
				byteLeft -= 8;
			}

			bzero( inputBuffer, 16 );
			memcpy( inputBuffer, inputCString+inputLoc, bytesToCopy );
			inputLoc += bytesToCopy;

			bzero( outputBuffer, 16 );
			inputLength = bytesToCopy;
			result = EVP_EncryptUpdate(&ctx, outputBuffer, &outputLength, inputBuffer, inputLength);
			if( result )
			{
				memcpy( finalBuffer+outputLoc, outputBuffer, outputLength );
				outputLoc += outputLength;
			}
			else
			{
				isSuccessful = NO;
				break;
			}
		}

		bzero( outputBuffer, 16 );
		result = EVP_EncryptFinal( &ctx, outputBuffer, &outputLength );
		if( result )
		{
			memcpy( finalBuffer+outputLoc, outputBuffer, outputLength );
			outputLoc += outputLength;

			*cipherTextLength = outputLoc;

			isSuccessful = YES;
		}
		else
		{
			isSuccessful = NO;
		}
	}
	else
		isSuccessful = NO;

	EVP_CIPHER_CTX_cleanup(&ctx);

	if( isSuccessful == NO )
	{
		NSGetCriticalAlertPanel( @"Cirtical Information", @"It couldn't create a registration file.", @"OK", nil, nil );

		return (char *)-1;
	}
	else
		return finalBuffer;
}

위의 코드는 암호화를 하는 부분, 즉 cipher 과정이다. 혹 암호화에 익숙하지 않으신 분들에겐 encryption이란 말이 더 편하게 들릴지 모르겠다. encryption == cipher, decryption == decipher로 이해하시면 되겠다.

간단해 보이지 않는가? 암호화 하는 부분만 떼어내면 참 간단한 코드다. 그런데 이게 예가 MAN page에 나오질 않는다.
Oreilly에서 OpenSSL에 관련된 책이 단 한권 나오긴 한다. 물론 SSL에 대한 것이어서 암호화에 대한 것보단 socket을 열어서 SSH로 connection을 하는 쪽에 더 촛점이 맞추어져 있는거 같긴하다. 그 부분으로써 암호화에 대한 설명이 나온다. 왜냐하면 SSH 세션을 열면, 그 안에서 통신의 안전을 위해서 암호화 기법이 사용되기 때문이다.

근데 보기엔 간단해 보이지만, 저 코드를 완성하는데 꼬박 하루가 걸렸다. 왜일까?
OpenSSL의 구현에 묘한 점이 있기때문인데, 바로 EVP_EncryptUpdate()이 호출되는 부분이다. 앞에서 언급한 “도대체 어디서부터 시작해야 하나”라는 것이 OpenSSL을 사용하기 힘들게 만드는 첫번째 이유라면, 두번째가 바로 이 함수때문 같다. (암호화 자체를 이해하는거야… 당연히 암호화에 대해 아는 사람이 OpenSSL을 시도하는 거라고 생각하니 제끼고.. )

이 함수가 동작하는데 좀 묘한 면이 있는데.. 사실 Encryption을 할때와 Decryptiond을 할때가 조금 패턴이 다르다.
즉 이 함수가 호출될때, input에 들어있는 original text가 output에 encryption이 되어서 바로 들어갈때도 있고, 아닐때도 있다는 것이다. 아마 기억에 encryption때는 바로 바로 들어갔던거 같고, decryption때가 바로 안들어가고, 그 다음 iteration때 들어갔던 것 같다. 그때, outputLength가 실제 변환된 것만큼 되지 않고 0으로 되더라는 것이다. 그래서.. 아.. 뭘 잘못 사용하고 있나보다 하고 그거 알아내려다가 하루 웬 종일 지나갔다. 알고보니 다음 단계에서 세팅되는 것이다.
아마 decryption때 그런것 같은데, encryption때는 EVP_EncryptFinal()가 호출되기 직전, 즉 마지막으로 encryption을 할때 그랬던 것같다. 아 맞다. 그런 거 같다. 그래서 outputLength가 0이 되더라도 놀라지 말고 끝까지, 즉 EVP_EncryptFinal()를 호출하라는 것이다.

OpenSSL이 이렇게 움직이는 이유는 bit stuffing때문인거 같다. MPEG4/H-264의 CABAC을 구현할때랑 JPEG Encoder/Decoder를 구현할때, 이 bit stuffing을 많이 사용했는데, 처음 구현할때는 고생했다. (USC에서..) 근데 회사에서 하니 아무래도 한번 해 본거라, 대충 어떻게 할지 방향이 이미 잡혀 있기에 고생 자체는 안했다. 시간이 들었을 뿐.
근데 내가 bit stuffing을 구현하는 것은 modulo 연산을 이용해서, 실제 일정 길이의 비트가 필요하기 전에, 그것을 충분히 대응해 줄 수있게 버퍼를 미리 채워주게 구현해서 아무런 문제가 없는데, 아마 그렇게 구현하지 않으면 (modulo 연산이 생각보다 헷갈린 면이 있어서 ), 해당 스텝내에 encoding 혹은 decoding을 하려 하면, 일정양의 비트 데이터를 확보해야 하는데, 미처 준비가 안될 수있다. 그럼 다음 스템으로 그 처리를 넘기면 그때는 확실하게 확보가 되기 때문에 (아닐 수도 있다. 데이터의 끝부분에서 미쳐 준비가 안되는 일이 생기곤 한다. ) 그렇게 구현이 되었겠다 싶다.

이런 설명이 있어야 한다. 없으니 제대로 동작하는데도 마치 안되는 것처럼 생각되어서 하루를 낭비하지 않는가?
으… USC에서 내 개인 프로젝트 못하고 이것으로 하루 웬종일 썼다.

다음에는 decoding 부분을 포스팅해 보겠다.

OpenSSL – The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The fourth beta is now released.
This is expected be the final or penultimate beta depending on the number
of bugs reported.

The beta release is available for download via HTTP and FTP from the
following master locations (the various FTP mirrors you can find under
http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

The file names of the beta are:

o openssl-1.0.0-beta4.tar.gz
Size: 4000628
MD5 checksum: f22750164e1db42145803fed8104df57
SHA1 checksum: f590232651b9033365e0aa9a2279cdef6519884c

The checksums were calculated using the following command:

openssl md5 < openssl-1.0.0-beta4.tar.gz
openssl sha1 < openssl-1.0.0-beta4.tar.gz

Please download and test them as soon as possible. This new OpenSSL
version incorporates 120 documented changes and bugfixes to the
toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).

Also check the latest snapshots at ftp://ftp.openssl.org/snapshot/
or CVS (see http://www.openssl.org/source/repos.html) to avoid
reporting previously fixed bugs.

Since the third beta, the following has happened:

- Initial TLS session renegotiation fix
- TLS ticket and SNI coexistance fix
- Several DTLS fixes and updates.
- Custom OCSP headers.
- Check return values properly on some functions.
- Some documentation for X509 chain verification functions.
- Time routines fixed for CRL generation.
- Additional PRNG duplication protection.
- Cross compilation updates.
- Build system fixes including VMS.
- Other bug fixes.

Reports and patches should be sent to openssl-bugs@openssl.org.
Discussions around the development of OpenSSL should be sent to
openssl-dev@openssl.org. Anything else should go to
openssl-users@openssl.org.

The best way, at least on Unix, to create a report is to do the
following after configuration:

make report

That will do a few basic checks of the compiler and bc, then build
and run the tests. The result will appear on screen and in the file
“testlog”. Please read the report before sending it to us. There
may be problems that we can’t solve for you, like missing programs.

Yours,
The OpenSSL Project Team…

Mark J. Cox Ben Laurie Andy Polyakov
Ralf S. Engelschall Richard Levitte Geoff Thorpe
Dr. Stephen Henson Bodo Möller Ulf Möller
Lutz Jänicke Nils Larsch

Es algo bastante extendido en Internet. MD5 y SHA1 sirve para comprobar la integridad de un fichero.

Es decir si ese fichero ha podido ser modificado o no.

Naturalmente es un tema bastante importante ya que, con este tipo de métodos podemos verificar que realmente estamos descargando y usando algo que proviene de la fuente original y no ha sido modificado por terceros.

Empezaremos por MD5 de echo es el más conocido y extendido por Internet.

Que es MD5?

Es uno de los algoritmos de reducción criptográficos diseñados por el profesor Ronald Rivest del MIT (Massachusetts Institute of Technology, Instituto Tecnológico de Massachusetts). Fue desarrollado en 1991 como reemplazo del algoritmo MD4 después de que Hans Dobbertin descubriese su debilidad.A pesar de su amplia difusión actual, la sucesión de problemas de seguridad detectados desde que, en 1996, Hans Dobbertin anunciase una colisión de hash plantea una serie de dudas acerca de su uso futuro.

Como comentaba antes, MD5 es el sistema más utilizado.

Comprobando MD5 en Windows

Veamos un ejemplo:

Nos queremos descargar una ISO de Debian, por ejemplo vamos a la página de descargas.

Pagina de descargas de Debian

Nos descargamos la ISO.

La página de descargas ya nos ofrece un fichero para comprobar las firmas que es este:

Fichero MD5

Vamos a sacar el MD5 de la imagen del CD de Debian en Windows. Yo lo he echo con el programa MD5SUM.

Lo podemos descargar de aqui:

MD5SUM

Después de descargarlo y probarlo nos sale esto:

Como veis nos da el hash, ahora vamos a comprobarlo con el hash que nos ofrecen:

Si miráis en la web que os he pasado antes la de Fichero MD5. Podemos ver que la firma ofrecida y la que hemos comprobado son iguales. Es decir, la ISO que tenemos es totalmente original.

Comprobando MD5 en Ubuntu:

Primero de todo instalaremos un paquete que nos hace falta:

sudo apt-get install sleuthkit

Instalamos el paquete y ya podemos comprobar la integridad del fichero.

Con esto obtenemos el hash MD5 en Ubuntu

Comprobando MD5 en MAC OS X

En MAC utilizaremos una herramienta que nos comprueba el hash, lo podemos encontrar aquí:

MD5

Lo utilizamos y calculamos el hash MD5 que queramos:

Ahora vamos por el SHA1.

Aunque no tan utilizado como el MD5, se tiende a migrar ya hacia el SHA1.

es un sistema de funciones hash criptográficas relacionadas de la Agencia de Seguridad Nacional de los Estados Unidos y publicadas por el National Institute of Standards and Technology (NIST). El primer miembro de la familia fue publicado en 1993 es oficialmente llamado SHA. Sin embargo, hoy día, no oficialmente se le llama SHA-0 para evitar confusiones con sus sucesores. Dos años más tarde el primer sucesor de SHA fue publicado con el nombre de SHA-1. Existen cuatro variantes más que se han publicado desde entonces cuyas diferencias se basan en un diseño algo modificado y rangos de salida incrementados: SHA-224, SHA-256, SHA-384, y SHA-512 (llamándose SHA-2 a todos ellos).

Vamos a ver como podemos comprobar la firma SHA1.

En la misma imagen de Debian.

Primero vemos como la página nos ofrece las firmas de hash

Hashes SHA1

Comprobando firmas sha1 en Windows

Para hacer la comprobación de sha1 nos tenemos que descargar el ejecutable, lo podemos encontrar aqui:

Sha1sum

Lo ejecutamos y comprobamos la firma

Ya tenemos nuestra firma SHA1 que podemos comprobar con nuestro fichero.

Comprobando Sha1 en Ubuntu.

Con el paquete que instalamos antes no haría falta instalar nada más.

Miremos como se hace:

Ya tenemos nuestra firma en sha1.

Comprobando Sha1 en MAC OS X

Por último en mac, para hacerlo utilizaremos la librería de openssl +sha1

veamos el comando sería así:

/usr/bin/openssl sha1 fichero

Asi que veamos un ejemplo:

Y hasta aquí todo, espero que desde ahora vigiléis lo que os bajais.

Saludos

Well, I would like to use DES or BASE64 which are symmetric, i.e. encryption of a plain text produces a cypher text, and description of the cypher text produce the original plain text.

However, only by reading its MAN page, it turned out to be very very very difficult to understand and use it.

Even at the OpenSSL web site, there was no good tutorial on how to use it.

I wasted almost a whole day to figure out how to use it, and fortunately I think I found it.

Well, if you download the source codes, there is a directory for testing, “test”. And there is a destest.c.

And.. here is the one from Google code search.

Pretty similar to setting up SSL on unix/linux and actually not that hard to do. Just a few things to remember as a checklist.

If your Apache install didn’t include openSSL then you’ll need to download a few things:

Normally you can find mod_ssl.so in your apache install directory in modules.
In conf/extras you’ll find httpd_ssl.conf

Or just download Apache with openSSL here. Next step is to create a certificate. Only thing to look at really is your server name in your httpd.conf file (found in the conf/ directory). You use your server name in your certificate setup – these must match otherwise you’ll get errors (it’ll still work though).

Setting SSL with Apache 2.x on Windows

There are just a few quick and easy steps to generate a certificate without a passphrase for Apache. First you have to generate a key for your host:

[root@heimdull]# openssl genrsa 1024 > host.key
Generating RSA private key, 1024 bit long modulus
..........................................++++++
.........++++++
e is 65537 (0x10001)

Generating RSA private key, 1024 bit long modulus.............
.............................++++++.........++++++e is 65537 (0x10001)

Now you have your host key file that you will use in the Apache configuration file and to generate the actual certificate

[root@heimdull]# openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:GB
State or Province Name (full name) [Berkshire]:Berkshire
Locality Name (eg, city) [Newbury]: Newbury
Organization Name (eg, company) [My Company Ltd]:My Company Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.myserver.com
Email Address []:

Now you have to move these files somewhere that is related to you Apache installation and in your httpd.conf or httpd-ssl.conf file you will need these lines:

SSLEngine on
  SSLCertificateFile /Apache-home/ssl/host.crt
  SSLCertificateKeyFile /Apache-home/ssl/host.key

Apa itu VPN

Virtual Private Netwok (VPN) merupakan suatu bentuk private network yang melalui (tunneled) public network (internet), dengan menekankan pada keamanan data dan akes global melalui internet. Sebuah VPN memiliki kemampuan best-effort, atau memiliki Service Level Agreement (SLA) antara pelanggan VPN dengan provider layanan VPN. Secara umum, sebuah VPN memiliki topologi yang lebih kompleks dibanding point-to-point. Sebuah VPN memungkinkan pengguna komputer untuk mengakses jaringan lewat sebuah IP address yang berbeda dengan IP address sebenarnya yang dipakai untuk menghubungkan komputer pengguna ke internet.

Cara Install OpenVPN di Ubuntu

Apabila tampilan berakhir seperti ini maka anda sudah berhasil menginstall openvpn di komputer anda.

Unpacking libpkcs11-helper1 (from …/libpkcs11-helper1_1.05-1_i386.deb) …

Selecting previously deselected package openvpn-blacklist.

Unpacking openvpn-blacklist (from …/openvpn-blacklist_0.3_all.deb) …

Selecting previously deselected package openvpn.

Unpacking openvpn (from …/openvpn_2.1~rc11-1ubuntu3_i386.deb) …

Processing triggers for man-db …

Setting up openssl-blacklist (0.4.2ubuntu1) …

Setting up libpkcs11-helper1 (1.05-1) …

Setting up openvpn-blacklist (0.3) …

Setting up openvpn (2.1~rc11-1ubuntu3) …

* Restarting virtual private network daemon(s)… * No VPN is running.

Processing triggers for libc6 …

ldconfig deferred processing now taking place

Reading package lists… Done

Building dependency tree

Reading state information… Done

Reading extended state information

Initializing package states… Done

Writing extended state information… Done

brokenz@brokenz:~$

Konfigurasi OpenVPN

Sebelum melakukan konfigurasi langkah pertama yang kita lakukan adalah inisialisasi beberapa variabel system yang akan digunakan nanti. Ikuti langkah-langkah dibawah ini, pertama kita akan menginialisasi lokasi direktori dari OpenVPN, direktori /etc/openvpn merupakan tempat file konfigurasi, file privat keys server dan penyimpanan sertifikat digital server.

brokenz@brokenz:~$ export OPENVPN=/etc/openvpn

Selanjutnya kita inisialisasi direktori yang akan digunakan untuk menyimpan file public keys dan privat keys yang nanti dihasilkan pada saat proses pembuatan keys.

brokenz@brokenz:~$ export KEY_DIR=$OPENVPN/keys

Selanjutnya adalah inisialisasi dari panjang keys yang akan digunakan VPN nanti, yang perlu diingat disini adalah semakin panjang keys yang kita buat akan semakin tinggi tingkat security tapi akan berakibat semakin lama waktu koneksi yang akan kita butuhkan.

brokenz@brokenz:~$ export KEY_SIZE=1024

Selanjutnya adalah inisialisasi kode negara, propinsi, kota, organisasi, email dan nama untuk digital certificate. Inisialisasi ini dibuat untuk mempersingkat waktu pembuatan digital certificate.

brokenz@brokenz:~$ export KEY_COUNTRY=ID

brokenz@brokenz:~$ export KEY_PROVINCE=”Jatim”

brokenz@brokenz:~$ export KEY_CITY=”Surabaya”

brokenz@brokenz:~$ export KEY_ORG=”OSUM”

brokenz@brokenz:~$ export KEY_EMAIL=”satriyaningjagat@gmail.com”

brokenz@brokenz:~$ export KEY_COMMON=”Lukman Prihandika”

brokenz@brokenz:~$ export KEY_CONFIG=$OPENVPN/openssl.conf

Kemudian kita copy file openssl.conf di /usr/share/doc/openvpn/examples/easy-rsa/ ke direktori /etc/openvpn/

brokenz@brokenz:~$ su -

Password:

Script started, file is /var/log/activities/20091031-22:11.42-root.log

root@brokenz:~# cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf /etc/openvpn/

Poco a poco, cada día van apareciendo en nuestra vida los certificados digitales que nos sirven para identificarnos y firmar de forma digital las acciones que realizamos en internet. Pero si lo que necesitas es tener unos cuantos certificados para realizar tus pruebas de programación, estarías muy limitado con los certificados que podrás obtener de forma gratuita.

Para ello lo mejor que puedes hacer es crear tu propia entidad certificadora, utilizando el proyecto OpenSSL. Con ello podrás generar tanto certificados de servidor como de cliente para poder hacer todas las pruebas que necesites. Vamos por partes:

Instalar el software

Para instalar openSSL en linux, sólo es necesario introducir el siguiente comando en el terminal

apt-get install openssl

Para obtener la versión para Windows, puedes bajar los binarios desde aquí.

Como ayuda para facilitar la creación de certificados crearemos los siguientes ficheros de configuración:

config1.txt con el siguiente contenido

basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth

config2.txt con el siguiente contenido

basicConstraints = critical,CA:FALSE
extendedKeyUsage = clientAuth

Crear la entidad certificadora

Los primero que hay que hacer es crear las claves de la entidad certificadora, que será la que genere el resto de certificados. Desde el terminal sólo tendrás que introducir la siguiente instrucción:

openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -days 3650 -out cacert.pem

Lo que significa que estamos creando una nueva entidad que generará certificados X509 con algoritmo de encriptación rsa de 2048 bytes. Generará la clave privada de la entidad en el fichero cakey.pem y la clave publica en el cacert.pem.

El parámetro -days con 3650 indica que la entidad certificadora no expirará en 10 años.

Nos pedirá una contraseña para nuestra entidad certificadora, que es muy importante no perder. Nos pedirá también una serie de datos (País, Nombre de Empresa…), que nos identifica como entidad certificadora.

Este paso sólo es necesario realizarlo la primera vez, o cuando la entidad certificadora que teníamos haya expirado.

Generar certificado de servidor

Podemos crear tantos certificados de servidor como queramos, siguiendo estos pasos:

Primero generamos la clave privada del nuevo certificado digital:

openssl genrsa -des3 -out serv-priv.pem -passout pass:password 2048

Con esto generamos la clave privada la cual tendrá un algoritmo de cifrado triple des (-des3) de 2048 y se almacenara en el fichero (-out) serv-priv.pem y con el comando -passout pass: indicamos la contraseña para nuestra clave privada.

El siguiente paso es generar la petición del certificado para indicar el propietario del mismo:

openssl req -new -subj "/DC=fsandin.wordpress.com/OU=wordpress.com/CN=fsandin"
-key serv-priv.pem -passin pass:password -out petic-certificado-serv.pem

Con el parametro -subj le indicamos a quien pertenece el certificado, para ello ponemos entre comillas cada uno de los apartados que identifican al servidor, separados por / . Le asociamos a la petición la clave privada que hemos hecho en el comando anterior -key serv-priv.pem utilizando la contraseña de la clave privada -passing pass:password. La petición se almacenará en el fichero petic-certificado-serv.perm

Por último generamos el certificado:

openssl x509 -CA cacert.pem -CAkey cakey.pem -req -in petic-certificado-serv.pem
-days 3650 -extfile config1.txt -sha1 -CAcreateserial -out servidor-cert.pem

Con esto estamos creando un certificado del tipo x509 cuya entidad certificadora está en cacert.pem, su clave privada en cakey.pem y que el certificado a generar tendrá las especificaciones definidas en el apartado anterior, almacenadas en el fichero de petición petic-certificado-serv.pem.

El certificado tendrá una validez de diez años y su uso estará destinado para ser certificado de servidor (descrito en el fichero de configuración config1.txt)

Para algunos servidores (como apache), los ficheros necesarios para utilizar el certificado son servidor-cert.pem y serv-priv.pem. Para IIS se necesita realizar la importación, por lo que será necesario exportarlo con el siguiente comando.

openssl pkcs12 -export -in servidor-cert.pem -inkey serv-priv.pem -certfile
cacert.pem -out cert-serv-pck12.p12

Generar certificado de cliente

Igual que para los certificados para servidor, empezamos generando la clave privada del cliente:

openssl genrsa -des3 -passout pass:password -out client-priv.pem 2048

Ahora generamos la petición del certificado:

openssl req -new -key client-priv.pem -passin pass:password -subj
"/CN=NOMBRE Nombre y Apellidos - NIF 00000000A/OU=wordpress.com
/DN=fsandin.wordpress.com" -out petic-cert-client.pem

Si estructuramos el parámetro -subj igual que los certificados de identificación (DNIe, FNMT…) le indicamos a quién pertenece el certificado y podremos simular el comportamiento de los mismos.

Emitimos el certificado cliente :

openssl x509 -CA cacert.pem -CAkey cakey.pem -req -in petic-cert-client.pem
-set_serial 3 -days 365 -extfile config2.txt -sha1 -out client-cert.pem

El certificado tendrá una validez de un año, el número de certificado indicado con el parámetro -set_serial debería ser único.

Al ejecutar esta línea nos pedirá el password que le pusimos a nuestra entidad certificadora obteniendo finalmente el fichero client-cert.pem que es nuestro certificado.

Y por último vamos a exportarlo para enviárselo a su nuevo dueño. Para ello necesitamos crear con nuestro certificado un fichero comprimido en formato pkcs12.

openssl pkcs12 -export -in client-cert.pem -inkey client-priv.pem
-certfile cacert.pem -out cert-cliente-pck12.p12

Al ejecutar esto nos pedirá la contraseña del certificado cliente, un Export Password, que es la contraseña que teneis que poner para comprimir el archivo y que será la que se necesita para importarla en el navegador. Por último pedirá que verifiquéis el Export Password para confirmar que se ha introducido correctamente.

Fuente: bulma.net

Network Security with OpenSSL

By Pravir Chandra , Matt Messier, John Viega

Below are the procedures to install a LAMP stack the easy way using YUM. I prefer to remove the pre packaged RMPs, and compile the libraries manually however this can be a lengthy process. With that in mind here is the easy way!

Section 1 (Operating System Installation)
1.1 If you have not already installed CentOS, use the configuration options below.
1.2 If you have a fully functional OS up and running, check the settings below.

Section 2 (Installation of Apache)
2.1 Download and install apache.
yum install httpd httpd-devel httpd-server
2.2 Configure Apache to start on all run levels
chkconfig --level 012345 httpd on
2.3 (optional step) Enable clean URLs
vi /etc/httpd/conf/httpd.conf
Add the following lines to the modules section
LoadModule rewrite_module modules/mod_rewrite.so
AddModule mod_rewrite.c
Add the following lines to your virtual host
Directory /var/www/example.com
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
/Directory

Section 3 (Installation of MySQL)
3.1 Download and install MySQL Server
yum install mysql mysql-devel mysql-server
3.2 Change config to start MySQL at all run levels.
chkconfig --level 012345 mysqld on
3.3 Start the MySQL server
/etc/init.d/mysqld start
3.4 Change the root password
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h localhost.localdomain password 'new-password'

Section 4 (Installation of programming libraries)
4.1 Download and install the PHP, Perl, and Python Libraries
(Note you may only need PHP)
yum install perl perl-devel
yum install php php-mysql php-devel php-mbstring php-mcrypt php-gd
4.2 Edit the php config file
vi /etc/php.ini
Change the memory limit to 128MB
memory_limit = 16M --> 128M
Enable mbstring
;mbstring.http_input = auto

Section 5 (Installation of OpenSSL)
5.1 Download and install OpenSSL
yum install openssl
5.2
openssl genrsa 1024 > is418.key
5.3
chmod 400 is418.key
5.4
openssl req -new -x509 -nodes -sha1 -days 50 -key is418.key > is418.cert
5.5
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Colorado
Locality Name (eg, city) [Newbury]:Denver
Organization Name (eg, company) [My Company Ltd]:is418 @ ITT-Tech
Organizational Unit Name (eg, section) []:B Team
Common Name (eg, your name or your server’s hostname) []:node1.bteam.is418.net
Email Address []:tkuennen@ieee.org

Section 6 (Installation of PHPMyAdmin)
Download and install PHPMyAdmin
6.1 Promote yourself to root
su -
6.2 Change to your web directory
cd /var/www/html
6.3 Download PHPMyAdmin
wget -c http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.11.9.5-englis…
6.4 Unzip the package
tar xvfz phpMyAdmin-2.11.9.5-english.tar.gz
6.5 Move the install directory to a human readable format
mv phpMyAdmin-2.11.9.5-english phpmyadmin
6.6 Change to the phpmyadmin directory
cd phpmyadmin
6.7 Copy the samle php file to the running config file
cp config.sample.inc.php config.inc.php
6.8. Open the new config file and edit the server string
vi config.inc.php
:
$cfg['Servers'][$i]['auth_type'] = ‘http‘; # default is cookies
:
6.9. Restart Apache
/etc/init.d/httpd restart

Test the installation by navigating to your web server via a browser.
https://your.domain.com/phpmyadmin/

Section 7 (Installing Drupal)
7.1 Download Drupal
wget http://drupal.org/files/projects/drupal-x.x.tar.gz
7.2 Extract the package
tar -zxvpf drupal-x.x.tar.gz
7.3 Move the files to the /var/www/html directory
mv drupal-x.x/* drupal-x.x/.htaccess /var/www/html
7.4 Create the settings file from the template
cp /var/www/html/default.settings.php /var/www/html/setting.php
7.5 Change permissions for the installation process
chmod a+w sites/default/settings.php
7.6 Create the database
mysqladmin -u username -p create databasename
7.7 Run the install script
point to https://localhost and follow the onscreen instructions

Last Thursday I presented an afternoon overview on Web Services to a group. We were using soapUI to demonstrate some SOAP Web Services written for a customer, and I wanted to demonstrate also that it is just as easy to call public services which are remote. For this I chose the Amazon Product Advertising API, partly due to the fact that it’s already an example on Eviware’s soapUI website, and partly because Amazon is such a well-known company. This post is a very short follow-up to explain how to do properly, something which I had to use a nasty workaround for during the afternoon.

The problem was the signature required in the header of the SOAP request, which I had to drop-to an executable I had written to generate. I would rather have used an off-the-shelf tool, but I couldn’t get openssl to work (completely due to user-error you understand).

I knew it was one of a few gotchas that was giving me the problem but I didn’t have the time to figure it out. Now I have, so what follows is, in as few a number of steps as I can manage, a 1-2-3 of how to send a request to the Amazon Product Advertising API.

Before we begin, sign-up to Amazon AWS. Amazon will send you an email – follow the link provided in the email and grab your AWS Access Key ID and Secret Access Key and paste them somewhere – we’ll need them in a moment.

To send a SOAP request (without WS-Security):

1. Run soapUI
2. Create a new project with the Product Advertising API’s WSDL by entering the URL:

http://webservices.amazon.com/AWSECommerceService/
AWSECommerceService.wsdl

3. In the Navigator pane on the left of the soapUI main window, find the request for the ItemSearch action and paste in:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://webservices.amazon.com/AWSECommerceService/2009-10-01">
   <soapenv:Header xmlns:aws="http://security.amazonaws.com/doc/2007-01-01/">
      <aws:AWSAccessKeyId>?</aws:AWSAccessKeyId>
      <aws:Timestamp>?</aws:Timestamp>
      <aws:Signature>?</aws:Signature>
   </soapenv:Header>
   <soapenv:Body>
      <ns:ItemSearch>
         <ns:AWSAccessKeyId>?</ns:AWSAccessKeyId>
         <ns:Shared>
            <ns:SearchIndex>DVD</ns:SearchIndex>
         </ns:Shared>
         <ns:Request>
            <ns:Title>Allo Allo</ns:Title>
         </ns:Request>
      </ns:ItemSearch>
   </soapenv:Body>
</soapenv:Envelope>

4. Replace the search criteria if you don’t wish to search for Allo Allo DVDs (I do – it is hilarious)
5. Insert your AWS Access Key ID in the two places provided.
6. Choose a date and time for the timestamp. Right now will do.
7. Concatenate the name of the action you are invoking and the timestamp in the format YYYY-MM-DDTHH:MM:SSZ, e.g. ItemSearch2009-10-11T16:11:30Z.
8. Generate the signature using openssl as follows, inserting your Secret Access Key where indicated:

$ echo -n ItemSearch2009-10-11T16:11:30Z | openssl dgst -sha256 -hmac secret_access_key -binary | openssl enc -base64

9. Paste the timestamp and the signature into the request where indicated and click the ‘Play’ button in soapUI to send the request. If all is well you’ll get a set of results from Amazon.

If you don’t have openssl you can download it from http://www.openssl.org/. There are links to binaries there, including for Windows.

The -n option to echo is very important, and was where my problem lay. On UNIX it suppresses the carriage return – important since we don’t want a carriage return as part of the text to be signed. On Windows however there is no equivalent (to my knowledge) and including the carriage return gives the wrong signature.

My best suggestion for a workaround for Windows is as follows. Open up notepad and write the text to be signed “ItemSearch2009-10-11T16:11:30Z” into it with no newline after. Save it, making sure to save with ANSI encoding (an option in the Save Dialog). Then at the prompt, execute the following command, again inserting your Secret Access Key where indicated, and the filename of the file that you just created.

$ openssl dgst -sha256 -hmac secret_access_key -binary filename | openssl enc -base64

If you’re not using openssl, or you just want verification, assuming the hypothetical Secret Access Key of 1234, I get the following:

$ echo -n ItemSearch2009-10-11T16:11:30Z | openssl dgst -sha256 -hmac 1234 -binary | openssl enc -base64

FRnAn5puzTwI47vJ33sQHYQ9SSSIBjChTKd8u8Mbfs4=

If you’re getting the same then you’re okay

Full documentation of the Amazon Web Services security can be found here.

GNU Wget is a popular file download program, being installed by default on many Linux distributions. Recent Mac OS versions don’t ship Wget, though – Apple ships cURL instead.

Fink provides a wget package that installs Wget. It includes SSL (https) support provided by Mac OS built-in OpenSSL.  There’s a problem with that, though: on Mac OS versions earlier than 10.6, Apple’s OpenSSL doesn’t use the trusted root certificates available on the system (the ones listed by Keychain.app), so it is not able to validate SSL certificates on its own. Note that OpenSSL itself (independently of being shipped with Mac OS) isn’t distributed with root certificates by default.

Because of this, on Mac OS versions earlier than 10.6 the command

wget https://fedorahosted.org

won’t work:

ERROR: cannot verify fedorahosted.org's certificate,
issued by `/C=US/O=Equifax/OU=Equifax Secure
Certificate Authority':
Unable to locally verify the issuer's authority.
To connect to fedorahosted.org insecurely, use
`--no-check-certificate'.
Unable to establish SSL connection.

There are a couple of options to circumvent this. As the error message says, it’s possible to use –no-check-certificate, which is insecure. Another option is –ca-certificate=file where file is a bundle of trusted certification authority certificates. Fink provides a package called ca-bundle that installs a convenient file containing a bundle of CA certificates commonly used by open source Web browsers. After running

fink install ca-bundle

you should be able to use /sw/etc/ssl/certs/ca-bundle.crt with Wget:

wget --ca-certificate=/sw/etc/ssl/certs/ca-bundle.crt \
https://fedorahosted.org

Fortunately, you may specify that option in one of Wget’s startup files (e.g. $HOME/.wgetrc or /sw/etc/wgetrc) by adding the following line to your startup file of choice:

ca_certificate = /sw/etc/ssl/certs/ca-bundle.crt

And voilà!, you may use wget as usual:

wget https://fedorahosted.org

This is particularly useful if you’re using Wget as your DownloadMethod and Fink needs to download a source file from an https URL.

PHPMailer es una clase php para enviar emails basada en el componente active server ASPMail. Permite de una forma sencilla tareas complejas como por ejemplo:

• Enviar mensajes de correo con ficheros adjuntos (attachments)
• Enviar mensajes de correo en formato HTML

Con PHPMailer se pueden enviar emails vía sendmail, PHP mail(), o con SMTP.

Entre las nuevas cualidades esta la posibilidad de enviar Emails utilizando el servidor SMTP de Gmail, con lo cual resolvemos el problema de no tener un servidor SMTP para hacer los envíos.

Para hacer una prueba de como enviar emails  utilizando el servidor SMTP de Gmail necesitamos:

• Un servidor local instalado como puede ser XAMPP
• Tener instalado OpenSSL (XAMPP ya incorpora esa librería)
• PHPMailer(la versión en este ejemplo es la v5 )
• Una Cuenta de Gmail

Lo primero será descomentar de php.ini la librería openSSL , guardar cambios y reiniciar el servidor. (quitar el ; de delante)

;extension=php_openssl.dll

Una vez descargarda la librería PHPMailer y creada nuestra cuenta de Gmail, descomprimimos la carpeta que contiene las librerías.

Abrimos un editor e introducimos el código siguiente.

<?php
include_once('./phpmailerv5/class.phpmailer.php'); //incluimos la ruta a la clase phpmailer

$mail = new PHPMailer();
$mail->IsSMTP();// envío vía SMTP

$mail->SMTPAuth = true; // turn on SMTP authentication
$mail->SMTPSecure = "ssl"; // sets the prefix to the server
$mail->Host = 'smtp.gmail.com';
$mail->Port = 465;

$mail->Body="<P>Email utilizando PHPMailer y Gmail</P> ";  // cuerpo del mensaje

// Introducimos la información del remitente del mensaje

$mail->From = "tu_cuenta@gmail.com";  // se puede usar la misma cuenta u otra
$mail->FromName = "Nombre Remite";//Asunto
$mail->Subject = "PHPMailer Test Gmail";

// y los destinatarios del mensaje. Podemos especificar más de un destinatario
$mail->AddAddress('destino@mail.com','nombre_destinatario');
$mail->AddAttachment("ruta/images/phpmailer.gif");// adjuntamos un imagen o un file opcional

Guardamos el script con un nombre (ej. mail.php) y nos vamos a nuestro localhost y lo ejecutamos.

Si queremos mandar un email con imágenes adjuntas y un diseño más completo tan solo tenemos que diseñar un documento html con cualquier editor, por ejemplo dreamweaver, e incluirlo en nuestro script de la siguiente manera.

<?php
include_once ('./phpmailerv5/class.phpmailer.php'); //incluimos la clase phpmailer
$mail = new PHPMailer();
$mail->IsSMTP(); // send via SMTP
$mail->SMTPAuth = true; // turn on SMTP authentication
$mail->SMTPSecure = "ssl"; // sets the prefix to the server
$mail->Host = 'smtp.gmail.com';
$mail->Port = 465;
$mail->Username = 'tu_cuenta@gmail.com'; // SMTP username
$mail->Password = '**********'; // SMTP password
$mail->AltBody = 'Para ver el mensaje use un visor de email compatible con HTML'; // mensaje opcional

Guardamos el script con un nombre (ej. mail2.php) y nos vamos a nuestro localhost y lo ejecutamos.

el resultado de su envío sería el siguiente:

Y eso es todo.

In order to make our life easier, first let’s create two aliases to encrypt (sslenc) and decrypt (ssldec) files in the command line using OpenSSL, respectively:

In order to encrypt a file, say filename.txt, you should do something like this:

which first encrypts the input file to filename.txt.enc (“enc” suffix  is there just to tell you that it is encrypted) and then the rm command removes the input file. To decrypt it into new_filename.txt use the following:

.

Now back to beginning: let’s explain the various flags in the aliases given in the top:

• aes-256-cbc: a command to encrypt using the Advanced Encryption Standard cipher with key size of 256 bit, which makes use of the Cipher-Block Chaining mode. Currently aes-256-cbc is the the standard cipher choice of the US government. You may change this command (i.e., “aes-256-cbc”) by “enc -aes-256-cbc” which means the same thing, but in a longhand: encrypt (enc) using the cipher, aes-256-cbc.
• -salt: adds strength to the encryption and should always be used. (see wikipedia page for salt).
• -a: indicates that the encrypted output will be base64 encoded, this allows you to view it in a text editor or paste it in an email (optional).
• -d: for file decryption.

You may also be interested in the wikipedia article which talks about the key size.

Reference: link.

Update :

After disable all the virtual host, and enable only the secure one (using the configuration below), everything work as expected.

To make sure, the server talk in a secure mode (using ssl), try access the server using http://

http://openthinklabs.wm:443

If you receive a bad request information from the browser, like the one below :

Your ssl configuration is correct.

If you see plain text, you willl get ssl_error_rx_record_too_long error when accessing the page using https.

After following tutorial at [1] i get ssl_error_rx_record_too_long error.

.

Didn’t find any solution yet …

Here is my virtual host setting :

NameVirtualHost *:443
<VirtualHost *:443>
	ServerAdmin wildan.m@gmail.com
        ServerName openthinklabs.wm

	DocumentRoot /home/wildan/jobstuff/OpenThinkLabs/webapps/openthinklabs

	<Directory "/home/wildan/jobstuff/OpenThinkLabs/webapps/openthinklabs">
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
		# This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                #RedirectMatch ^/$ /apache2-default/
	</Directory>

	ErrorLog /var/log/apache2/openthinklabs_error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel debug

	CustomLog /var/log/apache2/openthinklabs.log combined
ServerSignature On

SSLEngine On
SSLCertificateFile /etc/apache2/ssl.cert/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key

#SSLCertificateChainFile /etc/apache2/ssl.cert/my-ca.crt
#SSLCACertificateFile /etc/apache2/ssl.cert/my-ca.crt

JkMount /alfresco ajp13
JkMount /alfresco/* ajp13

JkMount /cas ajp13
JkMount /cas/* ajp13

<Location /alfresco>
AuthType CAS
AuthName "CAS"
require valid-user
CASScope /alfresco
</Location>

<Location /share>
AuthType CAS
AuthName "CAS"
require valid-user
CASScope /share
</Location>

<Location /examples>
AuthType CAS
AuthName "CAS"
require valid-user
CASScope /examples
</Location>

</VirtualHost>

References :

[1]. http://www.tc.umn.edu/~brams006/selfsign.html

Its easier than you think it is!

Here’s what you should do

1. create a private key of N bit long

2. extract public key from the private key juist generated

Details

Now the HOW

Create a Private key

$ openssl genrsa -out privatekey.txt 1024

- genrsa tells openssl to generate the private key of 1024 bit long modulus and save it into the files privatekey.txt

Extract Public key from the Private key

$ openssl rsa -in privatekey.txt -pubout -out publickey.txt

- pubout argument tells openssl to extract the publib key from the private key stored in the files privatekey.txt and store it in the file publickey.txt

DKIM is a posible application of them.

Esta es una guía para ayudar en la instalación de Apache2 con soporte para SSL en un servidor Ubuntu 9.04 (Jaunty). Esta guía asume que para esto ya se tiene instalado un stack LAMP (Linux, Apache, MySQL y PHP) en la máquina donde se desea realizar la instalación. No será necesario contar con el stack completo sin embargo si es necesario al menos contar con Apache2 instalado en el equipo.

Para verificar que efectivamente contamos con todos los requisitos tecleamos en la terminal:

sudo apt-get install apache2 apache2.2-common apache2-utils openssl openssl-blacklist openssl-blacklist-extra


Para configurar un servidor seguro, se utiliza en este caso criptografía de clave pública para crear un par de llaves, una pública y una privada. En la mayoría de los casos, el certificado que se genera localmente en el equipo tiene que ser enviado junto con varios requisitos a una Autoridad Certificadora (CA por sus siglas en inglés). La CA verifica su petición y su identidad, y luego le devuelve un certificado para asegurar el servidor. En este caso como no tenemos ni el dinero ni el tiempo suficiente (:D) tendremos que crear nuestro propio certificado, firmado por nosotros mismos. Sin embargo, es importante recalcar que estos certificados no deberán ser utilizados en ambientes de producción. El problema con este tipo de certificados es que no son aceptados de manera automática por los navegadores, por lo que tendremos que (al menos en FireFox) crear una excepción para el sitio con el cerficado que estamos creando nosotros. Pero para fines de demostrar los pasos será más que suficiente.

Primero: Generamos un CSR (Petición de Firma de Certificado)

Para generar el CSR debemos crear nuestra llave (key):

openssl genrsa -des3 -out server.key 4096


Puede ejecutar su propio servidor sin una clave. Esto es conveniente proque no necesitaría en este caso estar introduciendo la clave cada que requiera iniciar el servidor de https. Pero es demasiado inseguro, no recomendable ya que compromete seriamente la seguridad del sistema. De cualquier manera, es posible elegir ejecutar el servidor seguro sin clave eliminando la opción -des3 con lo que el comando quedaría de la siguiente manera:

openssl rsa -in server.key -out server.key.insegura


Al ejecutar este comando en cualquiera de sus dos formas presentadas anteriormente el sistema nos requerirá varia información que acompañará al certificado, la ubicación de la companía, el nombre de la misma, el nombre de quien firma el certificado y varias cosas mas. Todos estos datos son guardados en el archivo /etc/ssl/openssl.cnf. Si se requieren mas llaves para mas servidores o sitios que se ejecutarán en el mismo equipo se pueden agregar mendiante:

openssl req -new -key server.key -out server.csr


Este certificado (el archivo server.csr en este caso) es el que deberemos enviar a la Autoridad Certificadora (CA).

Una vez que hemos generado nuestro certificado necesitamos instalarlo en el servidor.

Segundo: Crear un Certificado Firmado por nosotros mismos.
Para firmar nuestro certificado de manera local ejecutamos:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt


El comando anterior nos va a requerir que introduzcamos la clave de nuestra llave (si optamos por utilizar una clave segura, de otro modo no solicitará esta información), que es la clave que introdujimos al crear nuestra Petición de Firma de Certificado (CSR). Una vez que hemos ingresado la clave correcta, se generará un cerficiado y se almacenará con el nombre server.crt en nuestro servidor.

Tercero: Instalar el Certificado
Para instalar el certificado vamos a copiar los archivos server.crt y server.key a un directorio donde en adelante podremos almacenar todos los certificados de nuestro equipo.

Vamos a crear un directorio ssl dentro del directorio de configuración de apache y enseguida copiamos los archivos generados:

sudo mkdir /etc/apache2/ssl/
sudo cp server.crt /etc/apache2/ssl/
sudo cp server.key /etc/apache2/ssl/


Cuarto: Habilitar el módulo SSL para Apache2
Ejecutamos el siguiente comando:

sudo a2enmod ssl


Quinto: Crear y habilitar el sitio SSL
Vamos a crear un VirtualHost para nuestro sitio:
sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/www.misitio.com

Luego, editamos el archivo www.misitio.com

sudo gedit /etc/apache2/sites-available/www.misitio.com
Y lo dejamos con el siguiente contenido:

<VirtualHost *:443>
    ServerAdmin webmaster@localhost
	ServerName www.misitio.com
	LogLevel warn
	ErrorLog /var/log/apache2/www.misitio.com.error.log
	CustomLog /var/log/apache2/www.misitio.com.access.log combined

	DocumentRoot /var/www/www.misitio.com/

	<Directory /var/www/www.misitio.com/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>

        SSLEngine On
        SSLCertificateFile    /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

Por último, habilitamos el sitio que acabamos de crear:


sudo a2ensite www.misitio.com


Sexto: Habilitar Apache2 para que escuche en el puerto 443.
Necesitamos editar el archivo ports.conf:


sudo gedit /etc/apache2/ports.conf


Al abrirlo se ve de la siguiente manera:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default

NameVirtualHost *:80
Listen 80
# SSL name based virtual hosts are not yet supported, therefore no
# NameVirtualHost statement here
Listen 443

Vamos a agregar el NameVirtualHost al puerto de https (443). Así que al terminar deberá quedar de esta manera :

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default

NameVirtualHost *:80
Listen 80
# SSL name based virtual hosts are not yet supported, therefore no
NameVirtualHost *:443
Listen 443


No hay que olvidar editar el archivo /etc/hosts si se esta corriendo de manera local el sitio www.misitio.com y apuntarlo a 127.0.0.1

Ahora reiniciamos el servidor:

sudo /etc/init.d/apache2 restart


Si se ha optado por utilizar una llave con clave, el servidor requerirá que tecleemos la contraseña para poder continuar, en caso contrario no arrancará el servicio.

Séptimo: Acceder al servidor.
Ahora es posible acceder al servidor en la dirección https://www.misitio.com. Si se ha utilizado un certificado que nostros mismos hemos firmado, el navegador nos indicará que ha fallado la conexión segura, es cuestión de ignorar simplemente el mensaje y agregar una excepción de seguridad para nuestro sitio.

Come promesso, oggi configuriamo per bene apache, con un occhio per il firewall.

Iniziamo col dire che bisogna installare Apache e controllare che il modulo sia caricato.

Questo modulo è sicuramente presente, ma potrebbe essere commentato.

Lo cerchiamo nel file httpd.conf (nella mia macchina risiede in /etc/httpd/conf/httpd.conf)

#LoadModule ssl_module modules/mod_ssl.so

Se lo è, lo decommentiamo.

LoadModule ssl_module modules/mod_ssl.so

Se non fosse presente, (nel caso si usi una versione di apache < 1.3) ci basta scaricarlo e installarlo da qui.

A questo punto possiamo preoccuparci di due cose fondamentali:

1. Trovare il file ssl.conf (per me risiede in /etc/httpd/conf.d/ssl.conf)
2. Decidere dove dire al server su quale porta stare in ascolto

Infatti una volta trovati i file httpd.conf e ssl.conf, dobbiamo inserire soltanto su uno dei due file le porte su cui stare in ascolto.

Avendo deciso di usare soltano una connessione cifrata, quindi l’utilizzo del protocollo https, diremo al web server di rimanere in ascolto sultanto sulla porta 443 (invece della porta 80 – http).

Io ho deciso di scriverlo su httpd.conf.

#Listen 80
Listen 443

A questo punto dobbiamo soltanto decidere l’indirizzo del nostro server e creare un VirtualHost sul file ssl.conf.

Facciamo un po’ di chiarezza su questo file.

Tutto ciò che è definito all’esterno di <VirtualHost> vale per tutte le pagine, mentre ciò che è definito all’interno vale soltanto per le pagine che appartengono a quell’indirizzo.

Prima di continuare, facciamo un passo in dietro. Nella prima parte abbiamo creato i cetificati per il server e per il client che vuole entrare nel sito tramite certificato.

Per quanto riguarda il server, consiglio di mettere chiave e certificato in una cartella apposita, per esempio /etc/httpd/ssl, così da saperlo ritrovare ed utilizzare facilmente. In questa sede faremo riferimento a questa configurazione.

Scegliamo l’indirizzo per il server. Io ho usato 192.168.0.2 (originale eh???) ed editiamo il file ssl.conf in questo modo:

NameVirtualHost 192.168.0.2:443
<VirtualHost 192.168.0.2:443>
  #DI DEFAULT SU LINUX C'è QUESTA ROOT
  DocumentRoot "/var/www/html"
  SSLEngine on
  SSLOptions +StrictRequire
  <Directory />
    SSLRequireSSL
  </Directory>
  SSLProtocol -all +TLSv1 +SSLv3
  SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
  #QUESTO è IL CERTIFICATO DEL SERVER
  SSLCertificateFile /etc/httpd/ssl/server.crt
  #QUESTA è LA CHIAVE DEL SERVER
  SSLCertificateKeyFile /etc/httpd/ssl/server.key
  #NOI VOGLIAMO CHE L'INDEX NON RICHIEDA IL CERTIFICATO
  SSLVerifyClient none
  #CERTIFICATO DELLA CA
  SSLCACertificateFile /etc/httpd/ssl/CA.crt
  #MA NELLA ZONA "https://192.168.0.2/secure"
  #VOGLIAMO CHE VENGA RICHIESTO IL CERTIFICATO
  <Location /secure>
    SSLVerifyClient require
    SSLVerifyDepth 1
  </Location>
  SSLProxyEngine off
  <IfModule mime.c>
    AddType application/x-x509-ca-cert      .crt
    AddType application/x-pkcs7-crl         .crl
  </IfModule>
  #SERVE PER IE
  SetEnvIf User-Agent ".*MSIE.*" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0
</VirtualHost>

Ora non ci resta che riavviare httpd

[root@frontend~] /etc/init.d/httpd restart

Se funziona ci chiederà la pass-phrase del server.

Ultimo accorgimento:

siccome siamo degli esperti in sicurezza dobbiamo anche settare il firewall da permettere in entrata soltanto comunicazioni sulla porta 443.

Quindi:

[root@frontend~] iptables -t filter -I INPUT -p tcp --dport 443 -j ACCEPT

A questo punto è davvero tutto.

Se avete domande… fate pure. Ciao!

PS: un grazie va anche ad akane. Il server lo abbiamo configurato insieme.

Di recente ho dovuto configurare un web server in modo da permettere una connessione cifrata per una zona “sicura” del sito.

La prima domanda è stata: ma come lo creo un certificato? Chi me lo firma?

Praticamente potremmo scegliere di farcelo firmare da alcune CA (Certification Autority) vere, pagando le stesse perché certifichino che il mio sito è sicuro.

Ma io devo soltanto fare delle prove… e allora come faccio?

La risposta è openssl.

Piccola spiegazione di quello che faremo:

• Creazione certificato e chiave CA
• Creazione certificato e chiave Server
• Creazione certificato e chiave Client

Per quanto riguarda il Server, lo configureremo in modo che la pagina iniziale, nonostante (https://frontend/index.html) sia consultabile da tutti, mentre la sezione https://frontend/secure sia visibile soltanto con un certificato.

Praticamente ho assunto il ruolo di CA, di server e infine anche di client (per testarlo).

Il primo passo sarà creare una chiave privata ed un certificato standard X.509 per la CA.

LATO CA

Quindi digitiamo da root:

[root@localhost ~]# openssl genrsa -des3 -out CA.key 2048

Praticamente stiamo richiedendo la generazione di una chiave privata RSA utilizzando l’algoritmo Triple DES, salvata con il nome CA.key. Di default la lunghezza è 512 bit, ma noi l’abbiamo richiesta da 2048 bit.

Durante la creazione della chiave ci verrà richiesta una “pass-phrase”. Dobbiamo assolutamente ricordarcela perché verrà richiesta ogni volta che useremo la chiave privata della CA.

Generating RSA private key, 2048 bit long modulus
..................................................................
........................+++
...............+++
e is 65537 (0x10001)
Enter pass phrase for CA.key:
Verifying - Enter pass phrase for CA.key:

Dalla chiave possiamo ora creare il certificato:

[root@localhost ~]# openssl req -new -key CA.key -x509 -days 3650 -out CA.crt

Il nostro certificato, firmato con la chiave CA.key avrà il nome CA.crt.

• new : vuoldire nuova richiesta
• key : specifichiamo con quale chiave firmare il certificato
• x509 : è il formato del certificato
• days : il tempo in giorni di validità del certificato (3650 giorni = 10 anni)
• out : il file che conterrà il certificato

A questo punto, durante la creazione del certificato, dovremo inserire dei dati che di default sono quelli dentro le parentesi quadre:

Enter pass phrase for CA.key:
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IT
State or Province Name (full name) [Berkshire]: Italy
Locality Name (eg, city) [Newbury]: Perugia
Organization Name (eg, company) [My Company Ltd]: Company New
Organizational Unit Name (eg, section) []: CA NEW
Common Name (eg, your name or your server's hostname) []: CA NEW
Email Address []: nostra@mail.bo

NB: Abbiamo appena creato la chiave della CA e il rispettivo certificato.

LATO SERVER

Traformiamcii da SERVER e generiamo la chiave privata per il server con il nome server.key:

[root@localhost ~] openssl genrsa -des3 -out server.key 1024

Ora possiamo creare dalla chiave la RICHIESTA DI CERTIFICATO che sarà in un secondo momento elaborata dalla CA per la creazione del certificato, firmato con la chiave privata della CA.

[root@localhost ~]# openssl req -new -key server.key -out server.csr -config /usr/share/ssl/openssl.cnf

NB: con l’opzione -config dobbiamo specificare il percorso del file openssl.cnf. Nel mio caso (Scientific Linux) era contenuto in /usr/share/ssl/openssl.cnf

Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: IT
State or Province Name (full name) [Berkshire]: Italy
Locality Name (eg, city) [Newbury]: Perugia
Organization Name (eg, company) [My Company Ltd]: Pava
Organizational Unit Name (eg, section) []: Web Server        
Common Name (eg, your name or your server's hostname) []:frontend/secure
Email Address []:info@miosito.it 

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

IMPORTANTE:  Su “Common Name” dobbiamo specificare perfettamente quale zona sarà cifrata. Se cambiamo nome al sito i semplicemente alla parte che vogliamo sia sicura, dobbiamo generare un altro certificato e specificare il nuovo hostname.
Mentre gli ultimi due campi solitamente sono lasciati vuoti.

Ora possiamo diventare di nuovo la grande CA ed elaborare la richiesta del server, firmandola con la chiave privata della CA, ottenendo così il certificato:

[root@localhost ~]# openssl x509 -req -in server.csr -out server.crt -sha1 -CA CA.crt -CAkey CA.key -CAcreateserial -days 2190
Signature ok
subject=/C=IT/ST=Italy/L=Miacittà/O=Perugia  Azienda/OU=Servizi
Web/CN=frontend/secure/emailAddress=info@miosito.it
Getting CA Private Key
Enter pass phrase for CA.key:

NB: la pass-phrase scelta per il server, dovrà essere inserita ogni volta che il servizio “httpd”  viene riavviato.
Esiste un modo per settarlo una volta in modo che venga memorizzato, ma non verrà trattato qui, ora.

LATO CLIENT

Lavoriamo ora per creare il certificato del client così da testare il server.
Creiamo prima di tutto la chiave per il cliente

[root@localhost ~]# openssl genrsa -out client.key 1024

Proseguiamo con la richiesta di certificato:

[root@localhost ~]# openssl  req -new -key client.key -out client.csr -config /usr/share/ssl/openssl.cnf

Ora trasformandoci da CA possiamo esportare il certificato del cliente in formato pem:

[root@localhost ~]# openssl x509 -CA CA.crt -CAkey CA.key -csr -in client.csr -out client.pem -days 100

Ed infine convertirlo in formato .p12 per permettere l’importazione nel browser dell’utente:

[root@localhost ~]# openssl pkcs12 -export -clcerts -in client.pem -inkey client.key -out client.p12

A questo punto il client dovrà installare il proprio certificato sul browser semplicemente importando il file “client.p12” sul browser andando sulla sezione “certificati personali” e facendo un “import”.
Il client è ora pronto a visualizzare l’intero sito, comprendente la zona “sicura”.

——————————————————————————-

Nella seconda parte, configureremo il nostro Web Server, con tanto di iptables.

Bye bye