Archive

Posts Tagged ‘openssl’

Secure Hashing Algorithms SHA-1 and SHA-2

May 15th, 2015 No comments

First implemented by the National Security Agency (NSA) in 1993, the Secure Hashing Algorithm (SHA) is used by certification authorities such as Verisign and Thawte to sign certificates and Certificate Revocation Lists. SHA is used to generate unique hash values from files.

This is the SHA-1 hash fingerprint from the bbc.co.uk website:

root@raspberrypi:/# echo | openssl s_client -connect bbc.co.uk:443 2>/dev/null | openssl x509 -fingerprint -noout
SHA1 Fingerprint=EA:D2:F2:79:18:A0:CD:2B:10:3B:12:01:CF:B1:9E:CC:AF:0F:28:0C

SHA versions:

  • SHA0 Obsoleted
  • SHA1 Currently the most widely implemented
  • SHA2 Stronger than SHA-1 due to longer hash (SHA224, SHA256, SHA384 and SHA512)

As part of their SHA-2 migration plan, Microsoft, Google, and Mozilla have announced that they will stop trusting SHA-1 certificates. Google began phasing out trust in SHA-1 certificates in November 2014. Read more…

Categories: Network Design, Security Tags: ,

OpenSSL – Self Signed Certificates / Becoming a Root CA

February 10th, 2015 No comments

Following on from the brief personal aide-memoir: OpenSSL – Generate CSR and Test x509 Certificate, this post contains the recipe to generate a self-signed certificate and use this as a CA, to sign other certificates. This is because the term “Self signed certificate” is really incorrect, the proper phrase ought to be “Being your own Certificate Authority”, (or CA)
– You have the “root key”
– And you can “sign” other certificates
Read more…

Categories: Security Tags: ,

OpenSSL Client Commands – Check the Contents of an SSL Certificate

March 7th, 2014 No comments

Here are a list of useful OpenSSL commands which might be useful to use in a Bash script:

Determine who issued the certificate:
$ echo | openssl s_client -connect server.com:443 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Company Inc/CN=www.server.com Read more…

Categories: SSL/TLS Tags: , ,

SSL/TLS Handshake and Record Data Protocol

March 3rd, 2014 No comments

When an TLS/SSL session (such as HTTPS (default port 443) is established an SSL handshake or exchange of messages occur between the client (initiating the connection) – and a server. (See this post for an explanation of SSL certificates and encoding).

The first set of messages are called the Handshake Protocol after which both client and server enter the Record (or Data) Protocol. The messages exchanged during the Handshake Protocol achieves the following: Read more…

Categories: Security, SSL/TLS Tags: ,

OpenSSL – Generate CSR and Test Signed x.509 Certificate

August 28th, 2012 No comments

Another personal aide-memoir for SSL testing:
This method uses OpenSSL to create public/private keys pair and submit the public key to a Certificate Signing Authority to be signed by that CA. The procedure uses various methods to test certificates and SSL connections to web servers: Read more…

Categories: Security Tags: ,