
kme : openssl   46

cmd - openssl hangs and does not exit - Stack Overflow | https://stackoverflow.com/
<code class="language-bash">echo | openssl s_client -showcerts -connect google.com:443 > cert.txt</code> or <code class="language-bash">openssl s_client -showcerts -connect google.com:443 </dev/null >cert.txt</code>
openssl  s_client  annoyance  solution 
7 weeks ago by kme
Fixing SSL CA certificates with OpenSSL from MacPorts - andatche.com
MacPorts now offers a method that syncs certificates from the system keychain:
<code class="language-bash">sudo port install certsync
sudo port load certsync</code>
As for the missing dependency, consider filing a bug.
openssl  macports  macos  ca  cacert  certificate  curl  maybesolution 
september 2019 by kme
How to View a Certificate Fingerprint as SHA-256, SHA-1 or MD5 using OpenSSL
openssl  x509  crypto  ssl  certificate  sha1  sha256  hash  fingerprint  commandline  solution 
june 2019 by kme
DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them | https://support.ssl.com/
Microsofty things use the '.cer' extension (which is interchangeable with '.crt'), and are often DER-encoded. PEM-encoded certs are "ASCII (Base64) armored data" prefixed with a "-----BEGIN CERTIFICATE-----" line.

Here's how to "cat" a DER-encoded certificate:
<code class="language-bash">
openssl x509 -in certificate.der -inform der -text -noout
</code>

And here's how to convert one in that format to the PEM format expected on a Debian GNU/Linux system (write to a new file: passing the same path to '-in' and '-out' can truncate the input before it has been read):
<code class="language-bash">
openssl x509 -in cert.cer -inform der -outform pem -out cert.crt
</code>

NB: the '.crt' extension seems to be important, otherwise 'sudo update-ca-certificates' doesn't pick up on new ones that you've added to /usr/local/share/ca-certificates.
ssl  certs  cacert  certificates  openssl  sysadmin  webmaster  crypto  fuckina  solution  importexport  conversion 
january 2019 by kme
openssl - how to extract issuer certificate from other certificate - Stack Overflow | https://stackoverflow.com/
This might work *if* the certificate embeds a URL for the issuer. This wasn't the case for my organization.
openssl  ssl  ca  certs  issuer  commandline  sysadmin  networking  sortof  solution 
january 2019 by kme
ssl - How to add an enterprise certificate authority (CA) to git on cygwin (and some linux distros) - Stack Overflow
git-remote-https will read the following files for ca certificates:
<code>/etc/ssl/certs/ca-bundle.crt
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
</code>

If you edit these files, they will be overwritten each time the Cygwin setup is run and there is an update for the ca-certificates package.

The correct/proper solution is to add the certificate to the pick up directory and run the pickup script, update-ca-trust:
<code class="language-bash"># the anchor is fetched over plain HTTP here: check its fingerprint out of band before trusting it
curl -sL http://ca.pdinc.us > /etc/pki/ca-trust/source/anchors/ca.pdinc.us.pem \
&& update-ca-trust
</code>

The post install script for the ca-certificates package will automatically rerun the update-ca-trust script on every upgrade. For more information:
<code class="language-bash">man update-ca-trust</code>
cacert  certificate  openssl  curl  cygwin  sysadmin  solution 
january 2018 by kme
How to View a Certificate Fingerprint as SHA-256, SHA-1 or MD5 using OpenSSL | Symantec | https://knowledge.symantec.com/
Seems to work, even though '-fingerprint' doesn't seem to be in the 'openssl' man page:
<code class="language-bash">
# SHA-256
openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]

# SHA-1
openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]

# MD5
openssl x509 -noout -fingerprint -md5 -inform pem -in [certificate-file.crt]</code>

If they came from Windows (in .cer format), use '-inform der' (DER = Distinguished Encoding Rules). Der!
<code class="language-bash">
openssl x509 -inform der -in SomeIssuer.cer -fingerprint -sha1 -noout
</code>
ssl  openssl  cacert  ca  certificate  fingerprint  commandline  cli  solution 
january 2018 by kme
ssl - How to create a self-signed certificate with openssl? - Stack Overflow | https://stackoverflow.com/
You can do that in one command:
<code class="language-bash">
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
</code>

You can also add -nodes if you don't want to protect your private key with a passphrase, otherwise it will prompt you for "at least a 4 character" password. The days parameter (365) you can replace with any number to affect expiration date. It will then prompt you for things like "Country Name" but you can just hit enter and accept defaults.

Self-signed certs are not validated by any third party unless you have previously imported them into your browsers. If you need more security, you should use a certificate signed by a CA.
openssl  cs  selfsignedcertificate  selfsigned  certificate  webmaster  reference 
december 2017 by kme
Certificate Decoder - Decode certificates to view their contents
<code class="language-bash">openssl x509 -in certificate.crt -text -noout</code>

This works for .pem files, but not .crt files, because I still don't know the difference.
certificate  ssl  decoder  openssl  ca  webapp  webmaster  solution 
november 2017 by kme
security - How to verify the SSL fingerprint by command line? (wget, curl, ...) - Ask Ubuntu
The Syntevo SmartGit client was asking me to verify a SHA1 fingerprint that I thought was the SSH fingerprint, but it was this. And here's how to get that fingerprint:

<code class="language-bash">
echo -n | openssl s_client -connect torproject.org:443 \
-CAfile /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
> ./torproject.pem
</code>

Get SHA-1 fingerprint:
<code class="language-bash">
openssl x509 -noout -in torproject.pem -fingerprint -sha1
</code>

Get SHA-256 fingerprint:
<code class="language-bash">
openssl x509 -noout -in torproject.pem -fingerprint -sha256
</code>
ssl  openssl  certificate  sha1  fingerprint  sysadmin  webmaster  solution 
october 2017 by kme
curl: SSL certificate problem: unable to get local issuer certificate · Issue #2 · torch/ezinstall · GitHub
See: http://stackoverflow.com/questions/3777075/ssl-certificate-rejected-trying-to-access-github-over-https-behind-firewall

Solution 2 in Post#3 is the correct and secure way to do it.
2. Actually install root certificates. Curl guys extracted for you certificates from mozilla:

http://curl.haxx.se/docs/caextract.html

cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it into individual certificates, put them in /usr/ssl/certs (your CApath) and index them.
solution  curl  ssl  ca  castore  certificates  openssl  git 
march 2016 by kme
git - SSL certificate rejected trying to access GitHub over HTTPS behind firewall - Stack Overflow
See below for the 'configure' flags that were necessary to get 'curl' to look in the right place for the PEM certificate bundle.
Actually install root certificates. Curl guys extracted for you certificates from Mozilla.

cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it into individual certificates, put them in /usr/ssl/certs (your CApath) and index them.

Here is how to do it. With cygwin setup.exe install the curl and openssl packages, then execute:
<code class="language-bash">
cd /usr/ssl/certs
curl https://curl.haxx.se/ca/cacert.pem |
awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
c_rehash
</code>

I actually used this script:
<code class="language-bash">
wget -O - http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'
</code>

Then I cheated off of the MacPorts Portfile for 'curl' (source: https://trac.macports.org/browser/trunk/dports/net/curl/Portfile) to discover the "--with-ca-bundle=/path/to/curl-ca-bundle.crt" 'configure' flag, which seems to have done the trick.

Also useful, in extreme circumstances, how to get Git to ignore SSL certs altogether:
<code class="language-bash">
# disables certificate verification for this one command; the clone is then exposed to MITM
env GIT_SSL_NO_VERIFY=true git clone https://github...
</code>
git  github  curl  ssl  cacert  castore  certificates  cs  openssl  solution  fuckina 
march 2016 by kme
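The bookmarks above keep circling the same three facts: a ".crt"/".cer"/".pem" extension says nothing about whether the file is PEM or DER, PEM is just base64 of the DER inside BEGIN/END armor, and the "-fingerprint" that 'openssl x509' prints is a digest of the DER bytes (so a bundle like cacert.pem has to be split into certificates before hashing). The script below is an added example, not code from any of the bookmarked pages or from OpenSSL, that does all of that with the Python standard library: it detects the encoding, splits a PEM bundle or concatenated DER, converts DER to PEM, prints SHA-256/SHA-1 fingerprints in OpenSSL's colon format, and compares a certificate against a fingerprint copied from an out-of-band source. The bundle and the two "certificates" in it are constructed placeholders (minimal DER SEQUENCEs, not real X.509), and the file name certtools.py is assumed.

```python
"""Added example (not from any of the bookmarked pages): what 'openssl x509' is
doing underneath when it reads PEM or DER, converts between them, splits a
bundle such as cacert.pem, and prints a -fingerprint.  Standard library only."""
import base64
import hashlib
import hmac
import re
import sys

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_length(buf: bytes, offset: int = 0) -> int:
    """Total length (tag + length bytes + body) of the DER SEQUENCE at offset.

    An X.509 certificate is a SEQUENCE, so the first byte must be 0x30; the
    length is either one byte (< 0x80) or 0x8N followed by N big-endian bytes."""
    if len(buf) < offset + 2 or buf[offset] != 0x30:
        raise ValueError("no DER SEQUENCE at offset %d" % offset)
    first = buf[offset + 1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(buf) < offset + 2 + n:
        raise ValueError("malformed DER length")
    body = int.from_bytes(buf[offset + 2:offset + 2 + n], "big")
    return 2 + n + body


def load_certificates(data: bytes) -> list:
    """Return the DER bytes of every certificate in data.

    PEM is detected by its armor, whatever the file extension says (.crt, .cer
    and .pem are all just names); anything else is treated as one or more
    concatenated DER certificates.  Each result is checked to be a complete
    SEQUENCE so that a truncated file fails here rather than at the hash."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        # b64decode discards the line breaks inside the armor
        certs = [base64.b64decode(m) for m in PEM_BLOCK.findall(data)]
    else:
        certs, off = [], 0
        while off < len(data):
            n = der_length(data, off)
            certs.append(data[off:off + n])
            off += n
    for der in certs:
        if der_length(der) != len(der):
            raise ValueError("certificate is truncated or has trailing bytes")
    return certs


def to_pem(der: bytes) -> str:
    """PEM armor: base64 of the DER, wrapped at 64 columns, inside BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """The -fingerprint value: digest of the DER encoding, upper-case hex,
    colon separated (hashing the PEM text would give a different answer)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(der: bytes, expected: str, algo: str = "sha256") -> bool:
    """Compare a certificate against a fingerprint copied from an out-of-band
    source, tolerating case and missing colons, in constant time."""
    norm = lambda s: s.replace(":", "").upper()
    return hmac.compare_digest(norm(fingerprint(der, algo)), norm(expected))


# Constructed sample data, not real certificates: two minimal DER SEQUENCEs
# (each wrapping one INTEGER) laid out like a PEM bundle such as cacert.pem,
# where comment text sits between the blocks.
CERT_A = bytes.fromhex("3003020105")
CERT_B = bytes.fromhex("3003020107")
SAMPLE_BUNDLE = (
    b"## Bundle of CA Root Certificates (constructed sample)\n\n"
    b"Example Root A\n==============\n" + to_pem(CERT_A).encode() + b"\n"
    b"Example Root B\n==============\n" + to_pem(CERT_B).encode()
)

if __name__ == "__main__":
    # usage: python3 certtools.py ca-bundle.crt   (PEM or DER; file name assumed)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for i, der in enumerate(load_certificates(blob), 1):
        print("cert %d  SHA256 %s" % (i, fingerprint(der)))
        print("        SHA1   %s" % fingerprint(der, "sha1"))
```

Run it against a real bundle and the SHA-256 line for each certificate matches `openssl x509 -noout -fingerprint -sha256` on that certificate; the point of `check_pin` is that a fingerprint pasted from a vendor page or a colleague is compared after normalising colons and case, and with a constant-time comparison rather than `==`.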
libcurl - Install curl with openssl - Stack Overflow
I had also added:
<code class="language-bash">
export LDFLAGS="-L$HOME/opt/lib"
export CPPFLAGS="-I$HOME/opt/include"
export CFLAGS="-I$HOME/opt/include"
</code>

to my .bashrc, and I was required to build the .so version of OpenSSL with "./config shared --prefix=$HOME/opt" in order not to get errors like:
<code>
$ make
LINK git-imap-send
imap-send.o(.text+0x1db5): In function `cram':
: undefined reference to `HMAC_cleanup'
collect2: ld returned 1 exit status
</code>

How to build curl with the local libcrypto (etc.):
<code class="language-bash">
./configure --with-ssl --with-libssl-prefix=/usr/local/ssl
</code>
openssl  curl  git  build  toolchain  compiler  solution 
march 2016 by kme
existential type crisis : Diagnosis of the OpenSSL Heartbleed Bug
What can we learn from this?

I'm a fan of C. It was my first programming language and it was the first language I felt comfortable using professionally. But I see its limitations more clearly now than I have ever before.

Between this and the GnuTLS bug, I think that we need to do three things:

Pay money for security audits of critical security infrastructure like OpenSSL
Write lots of unit and integration tests for these libraries
Start writing alternatives in safer languages

Given how difficult it is to write safe C, I don't see any other options. I would donate to this effort. Would you?
openssl  blog  vulnerability  ssl  programming  security  clanguage 
april 2014 by kme
Installing "Links" Web browser
When linking to a custom-built OpenSSL installation (e.g., compiling MOSH from source), set OPENSSL_LIBS and OPENSSL_CFLAGS as intimated below:

<code>
prefix=/usr
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${prefix}/include
Name: OpenSSL
Description: Secure Sockets Layer and cryptography libraries and tools
Version: 0.9.7b
Requires:
Libs: -L${libdir} -lssl -lcrypto -ldl
Cflags: -I${includedir}
</code>
openssl  buildproblems  fromsource  compiler  ldflags  cflags  solution  mosh 
april 2013 by kme
Certificate Installation with OpenSSL - Other People's Certificates
(Partial) solution to verifying a CA certificate using 'certtool' and a "trusted" MD5 fingerprint.

Used this on 1/1/2010 to verify the SPI (Software in the Public Interest) CA for getting the Debian 'apt' keys.
openssl  webmaster  sysadmin  solution  certificates  castore  ca  ssl 
january 2010 by kme
