
kme : ssl   98

How to View a Certificate Fingerprint as SHA-256, SHA-1 or MD5 using OpenSSL
openssl  x509  crypto  ssl  certificate  sha1  sha256  hash  fingerprint  commandline  solution 
june 2019 by kme
DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them | https://support.ssl.com/
Microsofty things use the '.cer' extension (which is interchangeable with '.crt'), and are often DER-encoded. PEM-encoded certs are "ASCII (Base64) armored data" prefixed with a "-----BEGIN CERTIFICATE-----" line.

Here's how to "cat" a DER-encoded certificate:
<code class="language-bash">
openssl x509 -in certificate.der -inform der -text -noout
</code>

And here's how to convert one in that format to the format expected on a Debian GNU/Linux system (read from one file and write to a different one; newer openssl opens the output file before it has read the input, so using the same name for both truncates the certificate):
<code class="language-bash">
openssl x509 -in cert.der -inform der -outform pem -out cert.crt
</code>

NB: the '.crt' extension seems to be important, otherwise 'sudo update-ca-certificates' doesn't pick up on new ones that you've added to /usr/local/share/ca-certificates.
ssl  certs  cacert  certificates  openssl  sysadmin  webmaster  crypto  fuckina  solution  importexport  conversion 
january 2019 by kme
curl - ERROR: The certificate of `raw.githubusercontent.com' is not trusted - Stack Overflow | https://stackoverflow.com/
In my case, 'wget' gave a better error message than 'curl', and it told me that my organization was using a fake root CA, and 'wget' didn't recognize *its* issuer.

Solution for a Debian system at https://pinboard.in/u:kme/b:c57651a965b4 (convert issuer CA to PEM-encoded .crt, put in /usr/local/share/ca-certificates, and run 'sudo update-ca-certificates')
github  errormessage  ssl  cacert  certificates  crypto  headache 
january 2019 by kme
python - urllib and "SSL: CERTIFICATE_VERIFY_FAILED" Error - Stack Overflow | https://stackoverflow.com/
My solution was actually to install the ISSUER certificate for our organization's root CA (which hijacks GitHub, and others) into /usr/local/share/ca-certificates, then run 'sudo update-ca-certificates'.

If the certificate is available in DER format (might be the case if you got it from somewhere Microsofty), you can convert using 'openssl'.
<code class="language-bash">
openssl x509 -in YourOrgRootCA.der -inform der -outform pem -out YourOrgRootCA.crt
</code>

The '.crt' extension seems to be required, otherwise 'update-ca-certificates' won't pick up the new certificates.
python  seaborn  ssl  cacert  certificates  headache  maybesolution 
january 2019 by kme
openssl - how to extract issuer certificate from other certificate - Stack Overflow | https://stackoverflow.com/
This might work *if* the certificate embeds a URL for the issuer. This wasn't the case for my organization.
openssl  ssl  ca  certs  issuer  commandline  sysadmin  networking  sortof  solution 
january 2019 by kme
perl - How to tell CPAN about path to make and cc - Stack Overflow | https://stackoverflow.com/

In cpan_home/CPAN/Config.pm (or via o conf):

<code class="language-perl">'make_arg' => q[CC=/path/to/c-compiler]</code>
cpan  ssl  ssleay  perl  module  compiler  errormessage  solution 
february 2018 by kme
How to View a Certificate Fingerprint as SHA-256, SHA-1 or MD5 using OpenSSL | Symantec | https://knowledge.symantec.com/
Seems to work, even though '-fingerprint' doesn't seem to be in the 'openssl' man page:
<code class="language-bash">
# SHA-256
openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]

# SHA-1
openssl x509 -noout -fingerprint -sha1 -inform pem -in [certificate-file.crt]

# MD5
openssl x509 -noout -fingerprint -md5 -inform pem -in [certificate-file.crt]</code>

If they came from Windows (in .cer format), use '-inform der' (DER = Distinguished Encoding Rules). Der!
<code class="language-bash">
openssl x509 -inform der -in SomeIssuer.cer -fingerprint -sha1 -noout
</code>
ssl  openssl  cacert  ca  certificate  fingerprint  commandline  cli  solution 
january 2018 by kme
curl - SSL CA Certificates | https://curl.haxx.se/
Yeah, except the '--cacert pemfile.pem' option never seems to work without just resorting to '--insecure' also.
If you use the 'openssl' tool, this is one way to extract the CA cert for a particular server:
<code class="language-bash">openssl s_client -showcerts -servername server -connect server:443 > cacert.pem</code>
- type "quit", followed by the "ENTER" key
- The certificate will have "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.
- If you want to see the data in the certificate, you can do: "openssl x509 -inform PEM -in certfile -text -out certdata" where certfile is the cert you extracted from logfile. Look in certdata.
- If you want to trust the certificate, you can add it to your CA certificate store or use it stand-alone as described. Just remember that the security is no better than the way you obtained the certificate.


Convert from crt (IE / Windows, DER format) to PEM format:
<code class="language-bash">openssl x509 -inform DER -in yourdownloaded.crt -out outcert.pem -text</code>
webdevel  debugging  curl  ssl  certs  ca  security  dammitbrain  reference 
december 2017 by kme
Firefox 3 and Self-Signed Certs | https://www.gerv.net/
Leaving aside the fact that many people who use this model for SSH don't bother to do 1) in practice but just say "OK" and hope, it is our assertion that no-one has yet come up with a UI that makes this model of crypto (known as Key Continuity Management - KCM - or "the SSH model") understandable to Joe Public. You can't provide him with a string of hex characters and expect it to read it over the phone to his bank. What he does instead is just click "OK", which might as well be labelled "Yeah, Whatever", and hopes for the best. The same thing happens when he gets "key changed!" warnings, even scary ones.

The first important thing to note about this model is that key changes are an expected part of life. No-one does or should use the same key for ever, and key compromise or discovered weakness means that keys change. So the user is going to get a series of alerts over time, some of which indicate an OK condition, and some of which indicate a dangerous condition. It is our assertion that no UI can navigate Joe through this complexity in a safe way.

Usability research tells us that repeated security dialogs and warnings habituate users into just clicking "OK" - it's the "Yeah, Whatever" thing again. If that dialog mostly indicates a benign condition but occasionally indicates a serious one, then the problem is compounded. This happens no matter what the dialog says. UI designers can work on the wording for a year, but whatever it is, it'll eventually just get ignored.


Also:
However, running your own CA has its own hidden costs - and you normally discover them after a key compromise when you have to update all the certificates at once, and everyone has to learn a lot about crypto really quickly. A simpler solution is just to get in touch with StartCom, or budget for a few expenditures of $14.95 or whatever, and use the same public CA system everyone else does.
firefox  ssl  ca  security  selfsignedcertificate  selfsigned  certificate  browser  crypto 
december 2017 by kme
openssl s_client using a proxy - Stack Overflow | https://stackoverflow.com/

You can use proxytunnel:

<code class="language-bash">proxytunnel -p yourproxy:8080 -d www.google.com:443 -a 7000</code>

and then you can do this:

<code class="language-bash">openssl s_client -connect localhost:7000 -showcerts</code>

Hope this can help you!
proxy  debugging  http  https  webdevel  sysadmin  webmaster  ssl  cert  cacert  solution 
december 2017 by kme
Certificate Decoder - Decode certificates to view their contents
<code class="language-bash">openssl x509 -in certificate.crt -text -noout</code>

This works for .pem files, but not .crt files, because I still don't know the difference.
certificate  ssl  decoder  openssl  ca  webapp  webmaster  solution 
november 2017 by kme
bitbucket - Smartgit SHA fingerprint of the certificate does not match - Stack Overflow
What I was flipping out about was actually the SHA1 hash for the SSL certificate for the GitLab host, *not* the SHA1 SSH host fingerprint.

I wasn't getting man-in-the-middled by SmartGit after all.
syntevo  smartgit  ssl  sha1  certificate  hash  solution 
october 2017 by kme
security - How to verify the SSL fingerprint by command line? (wget, curl, ...) - Ask Ubuntu
The Syntevo SmartGit client was asking me to verify a SHA1 fingerprint that I thought was the SSH fingerprint, but it was this. And here's how to get that fingerprint:

<code class="language-bash">
echo -n | openssl s_client -connect torproject.org:443 \
-CAfile /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
> ./torproject.pem
</code>

Get SHA-1 fingerprint:
<code class="language-bash">
openssl x509 -noout -in torproject.pem -fingerprint -sha1
</code>

Get SHA-256 fingerprint:
<code class="language-bash">
openssl x509 -noout -in torproject.pem -fingerprint -sha256
</code>
ssl  openssl  certificate  sha1  fingerprint  sysadmin  webmaster  solution 
october 2017 by kme
How to install certificates for command line - Ask Ubuntu
The ca-certificates package has the instructions in its README.Debian:

If you want to install local certificate authorities to be implicitly trusted, please put the certificate files as single files ending with .crt into /usr/local/share/ca-certificates/ and re-run update-ca-certificates.

Note that it mentions a directory different from the other answers here:

/usr/local/share/ca-certificates/

After copying into /usr/local/share/ca-certificates/ you can then update the cert's permissions and run sudo update-ca-certificates as mentioned in Telegrapher's answer. You will see in the output that the cert was added.


Also notable (not strictly true, since .cer files are a Windows thing, binary, in ASN.1/DER format):
Extensions .crt, .pem and .cer are interchangeable, just change the file name extension, they have the same form.
ssl  certificate  ubuntu  linux  sysadmin  howto  solution  ca 
june 2017 by kme
Can a BlueCoat SSL Proxy steal your password? : networking
If there's a certificate in the chain that doesn't match, it's most likely an internal certificate from your organisation. If it is, then they're performing TLS inspection and they can see your details.
ssl  tls  proxy  ca  snooping  surveillance  security  privacy 
june 2017 by kme
How to install certificates for command line - Ask Ubuntu
For everything to work and not only your browser, you need to add that CA certificate to the system's trusted CA repository.

In ubuntu:

Go to /usr/share/ca-certificates/
Create a new folder, i.e. "sudo mkdir school"
Copy the .crt file into the school folder
Make sure the permissions are OK (755 for the folder, 644 for the file)
Run "sudo update-ca-certificates"
sysadmin  ubuntu  linux  ca  certificates  ssl  github  mitm  solution 
june 2017 by kme
Security: Verified HTTPS with SSL/TLS — urllib3 dev documentation
What I ended up doing was just installing 'python27' from MacPorts.
Certain Python distributions (specifically, versions of Python earlier than 2.7.9) and older OpenSSLs have restrictions that prevent them from using the SNI (Server Name Indication) extension. This can cause unexpected behaviour when making some HTTPS requests, usually causing the server to present a TLS certificate that is not valid for the website you're trying to access.
mac  osx  python  errormessage  ssl  annoyance  urllib 
april 2016 by kme
mk-ca-bundle
This script lives in lib/mk-ca-bundle.pl in current curl distributions.
ssl  certs  curl  certificates  ca  solution 
march 2016 by kme
Does curl have a --no-check-certificate option like wget? - Unix & Linux Stack Exchange
Yes. From the manpage:

-k, --insecure (SSL) This option explicitly allows curl to perform "insecure" SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k, --insecure is used.
You may use the following command to apply the changes for all connections:
<code class="language-bash">echo insecure >> ~/.curlrc</code>

On Windows just create .curlrc text file with 'insecure' text in it in your HOME dir.

Also interesting:
Worth noting that unlike wget's --no-check-certificate, this disables certificate chain checking but leaves other validation enabled. For example, if the server is using a certificate for the wrong hostname, it will still be rejected. This is good if you just want to accept self-signed certificates. This is bad if you just want to download something from raw.githubusercontent.com, which is currently serving the wrong certificate. – Tom Anderson Apr 16 '14 at 11:49
curl  ssl  webmaster  webdevel 
march 2016 by kme
linux - git clone: fatal: Unable to find remote helper for 'https' - Stack Overflow
In my case, I needed to compile 'libcurl' from source, and then also provide a PEM-format CA bundle so that I wouldn't get the "unable to get local issuer certificate" error. Have a look at bookmarks tagged openssl+curl+solution, or the Portfile for MacPorts' curl-ca-bundle.
git  ssl  https  certificates  curl  solution 
march 2016 by kme
curl: SSL certificate problem: unable to get local issuer certificate · Issue #2 · torch/ezinstall · GitHub
See: http://stackoverflow.com/questions/3777075/ssl-certificate-rejected-trying-to-access-github-over-https-behind-firewall

Solution 2 in Post#3 is the correct and secure way to do it.
2. Actually install root certificates. Curl guys extracted for you certificates from mozilla:

http://curl.haxx.se/docs/caextract.html

cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it into individual certificates, put them in /usr/ssl/certs (your CApath) and index them.
solution  curl  ssl  ca  castore  certificates  openssl  git 
march 2016 by kme
git - SSL certificate rejected trying to access GitHub over HTTPS behind firewall - Stack Overflow
See below for 'configure' flags that were necessary to get 'curl' to look in the right place for the PEM certificate bundle.
Actually install root certificates. Curl guys extracted for you certificates from Mozilla.

cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it into individual certificates, put them in /usr/ssl/certs (your CApath) and index them.

Here is how to do it. With cygwin setup.exe, install the curl and openssl packages, then execute:

$ cd /usr/ssl/certs
$ curl https://curl.haxx.se/ca/cacert.pem |
awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
$ c_rehash


I actually used this script:
wget -O - http://curl.haxx.se/ca/cacert.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "cert" n ".pem"}'


Then I cheated off of the MacPorts Portfile for 'curl' (source: https://trac.macports.org/browser/trunk/dports/net/curl/Portfile) to discover the "--with-ca-bundle=/path/to/curl-ca-bundle.crt" 'configure' flag which seems to have done the trick.

Also useful, in extreme circumstances, how to get Git to ignore SSL certs altogether:
$ env GIT_SSL_NO_VERIFY=true git clone https://github...
git  github  curl  ssl  cacert  castore  certificates  cs  openssl  solution  fuckina 
march 2016 by kme
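Added example (my own Python, not code from any of the bookmarked pages): what the openssl conversions, the '-fingerprint' commands and the cacert.pem-splitting awk one-liner in the entries above actually compute. A fingerprint is just a digest over the DER bytes, so PEM and DER forms of the same cert fingerprint identically, which is why the .cer/.crt/.pem naming confusion doesn't matter once you pick the right '-inform'. It assumes only the standard library; the two "certificates" in the sample bundle are constructed placeholder bytes, not real X.509 data.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """PEM -> DER: strip the armor lines and base64-decode the body."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def der_to_pem(der: bytes) -> str:
    """DER -> PEM: base64 armor, 64 characters per line (as 'openssl x509 -outform pem' writes it)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def looks_like_pem(data: bytes) -> bool:
    """Choose '-inform pem' vs '-inform der' by content, not by file extension."""
    return data.lstrip().startswith(b"-----BEGIN")


def split_bundle(bundle: str) -> list:
    """Split a cacert.pem-style bundle into one PEM string per certificate (what the awk one-liner does)."""
    return [m.group(0) + "\n" for m in PEM_RE.finditer(bundle)]


def fingerprint(cert: bytes, algo: str = "sha256") -> str:
    """Digest of the DER encoding as colon-separated upper-case hex, like 'openssl x509 -fingerprint -<algo>'."""
    der = pem_to_der(cert.decode("ascii")) if looks_like_pem(cert) else cert
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample bundle: two placeholder "certificates" (arbitrary bytes, not real DER),
# enough to exercise splitting, the PEM/DER round-trip and fingerprinting.
SAMPLE_BUNDLE = (der_to_pem(b"\x30\x82placeholder-cert-one")
                 + der_to_pem(b"\x30\x82placeholder-cert-two"))

if __name__ == "__main__":
    for pem in split_bundle(SAMPLE_BUNDLE):
        print(fingerprint(pem.encode()), fingerprint(pem.encode(), "sha1"))
```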
php - Authenticating a self-signed certificate for LDAPS connection - Stack Overflow
You have to explicitly tell the LDAP client to ignore untrusted certificates. You can do so by adding the following to your ldap.conf file:

TLS_REQCERT never
ssl  tls  selfsigned  certificate  php  ldap  solution 
february 2016 by kme
existential type crisis : Diagnosis of the OpenSSL Heartbleed Bug
What can we learn from this?

I'm a fan of C. It was my first programming language and it was the first language I felt comfortable using professionally. But I see its limitations more clearly now than I have ever before.

Between this and the GnuTLS bug, I think that we need to do three things:

Pay money for security audits of critical security infrastructure like OpenSSL
Write lots of unit and integration tests for these libraries
Start writing alternatives in safer languages

Given how difficult it is to write safe C, I don't see any other options. I would donate to this effort. Would you?
openssl  blog  vulnerability  ssl  programming  security  clanguage 
april 2014 by kme