openssl

OpenSSL und Custom Certificates

Written by  on Oktober 26, 2019
openssl version -a
...
OPENSSLDIR: "/usr/local/ssl"
...

Place cert.pem File here (Liste of custom certificates)
See also:
Stackoverflow
MadBoa
Der Ordner ./certs da drin funktioniert nicht – zumindest nicht bei mir

MobaXterm und OpenSSL 1.1.1d

Written by  on Oktober 15, 2019

OpenSSL 1.1.1d bricht leider mit einem Fehler ab

gcc  -I. -Icrypto/include -Iinclude  -Wall -O3 -fomit-frame-pointer -DTERMIOS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_  IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_A  SM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR=""/usr/local/ssl"" -DENGINESDIR=""/usr/local/lib/engines-1.1"" -DNDEBUG  -MMD -MF crypto/dso/dso_dlfcn.d.tm  p -MT crypto/dso/dso_dlfcn.o -c -o crypto/dso/dso_dlfcn.o crypto/dso/dso_dlfcn.c
crypto/dso/dso_dlfcn.c: In function 'dlfcn_pathbyaddr':
crypto/dso/dso_dlfcn.c:409:5: error: unknown type name 'Dl_info'
     Dl_info dli;
     ^
crypto/dso/dso_dlfcn.c:422:5: warning: implicit declaration of function 'dladdr' [-Wimplicit-function-declaration]
     if (dladdr(addr, &dli)) {
     ^
crypto/dso/dso_dlfcn.c:423:30: error: request for member 'dli_fname' in something not a structure or union
         len = (int)strlen(dli.dli_fname);
                              ^
crypto/dso/dso_dlfcn.c:432:25: error: request for member 'dli_fname' in something not a structure or union
         memcpy(path, dli.dli_fname, len);
                         ^
Makefile:2735: recipe for target 'crypto/dso/dso_dlfcn.o' failed
make[1]: *** [crypto/dso/dso_dlfcn.o] Error 1
make[1]: Leaving directory '/drives/c/temp/openssl-1.1.1d'
Makefile:174: recipe for target 'all' failed
make: *** [all] Error 2

Ursache ist diese Änderung im Code
Wurde mit dieser Issue eingeführt
Build läuft wie gewohnt durch, wenn man die Datei crypto/dso/dso_dlfcn.c aus 1.1.1c verwendet.

Bugreport Unable to compile OpenSSL 1.1.1d on Cygwin

OpenSSL PFX aus geschütztem Key erzeugen

Written by  on Februar 5, 2019
 openssl pkcs12 -export -in "${FILE}.cer" -inkey "${FILE}.key" -passin pass:$PASS -out "${FILE}.pfx" -name "${FILE}_$(date +%Y%m%d_%H%M%S)" -passout pass:$PASS

-name … Friendly Name / Alias
-passout … Passwort fürs PFX
-passin … Passwort vom KEY

OpenSSL PFX erzeugen

Written by  on Februar 2, 2019
openssl pkcs12 -export -out ${FILE}.pfx -inkey ${FILE}.key -in ${FILE}.cer

openssl nameopt

Written by  on Dezember 18, 2018

OpenSSL unterstützt eine nette Option, falls man den Output in einem Script weiterverarbeiten will.
Hier die normale Ausgabe:

openssl x509 -in test.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            55:0d:00:d6:79:bf:17:7b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Google Trust Services, CN = Google Internet Authority G3
        Validity
            Not Before: Nov 27 14:02:00 2018 GMT
            Not After : Feb 19 14:02:00 2019 GMT
        Subject: C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com

Und hier die Multiline Ausgabe:

openssl x509 -in test.cer -noout -text -nameopt multiline
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            55:0d:00:d6:79:bf:17:7b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            countryName               = US
            organizationName          = Google Trust Services
            commonName                = Google Internet Authority G3
        Validity
            Not Before: Nov 27 14:02:00 2018 GMT
            Not After : Feb 19 14:02:00 2019 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            localityName              = Mountain View
            organizationName          = Google LLC
            commonName                = *.google.com

Dokumentation

Compiler Zeit Openssl 1.1.1 Pre7

Written by  on Juni 8, 2018

Auf Quadcore Intel(R) Core(TM) i5-3427U CPU @ 1.80GHz mit Virenscanner

./config no-async && time make
real    1h 36m 37s
user    5m 9.02s
sys     1h 22m 34s

Auf Quadcore Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz mit Windows Defender

./config no-async && time make
real    11m 16.66s
user    3m 13.19s
sys     4m 27.34s

So gefühlt, rechnet der i5 also 5 Minuten statt 3 Minuten. Aber die System-Time scheint vom Virenscanner zu kommen.

Warum man auf OpenSSL 1.1.1 wartet

Written by  on Juni 6, 2018

Schön langsam wird es Zeit fürs neue OpenSSL 1.1.1. Das will man haben, damit endlich TLS 1.3 in der Breite verfügbar wird.
Aber es gibt weitere interessante Änderungen.
SNI ist ab dann der Standard für s_client.
Bei s_client -starttls werden mehr Protokolle wie LDAP unterstützt.

openssl 1.1.1-pre1 in mobaxterm

Written by  on Februar 15, 2018

OpenSSL testet an einer neuen Version herum. Aber auch OpenSSL 1.1.1-pre1 lässt sich nicht ohne weiters in MobaXTerm bauen.
Bekanntes Problem, gleiche Lösung:

$ make clean && ./config && make
crypto/async/arch/async_posix.o:async_posix.c:(.text+0xe): undefined reference to `getcontext'
crypto/async/arch/async_posix.o:async_posix.c:(.text+0x56): undefined reference to `getcontext'
crypto/async/arch/async_posix.o:async_posix.c:(.text+0xd4): undefined reference to `makecontext'
crypto/async/async.o:async.c:(.text+0x34): undefined reference to `setcontext'
collect2: error: ld returned 1 exit status
Makefile:728: recipe for target 'libcrypto.dll.a' failed
make[1]: *** [libcrypto.dll.a] Error 1
make[1]: Leaving directory '/home/mobaxterm/_work/openssl-1.1.1-pre1'
Makefile:143: recipe for target 'all' failed
make: *** [all] Error 2
Command exited with non-zero status 2
$ make clean && ./config no_async && make
$ apps/openssl.exe version
OpenSSL 1.1.1-pre1 (alpha) 13 Feb 2018

OpenSSL in MobaXterm

Written by  on November 8, 2017

Neue OpenSSL Version kompilieren in MobaXterm bricht einfach ab mit Fehlermeldung

./config && make
...
...
...
gcc  -I. -Iinclude -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC-DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR=""/usr/local/ssl"" -DENGINESDIR=""/usr/local/lib/engines-1.1"" -D TERMIOS -DL_ENDIAN -Wall -O3 -fomit-frame-pointer  -D_WINDLL -MMD -MF ssl/tls_srp.d.tmp -MT ssl/tls_srp.o -c -o ssl/tls_srp.o ssl/tls_srp.c
ar  r libssl.a ssl/bio_ssl.o ssl/d1_lib.o ssl/d1_msg.o ssl/d1_srtp.o ssl/methods.o ssl/pqueue.o ssl/record/dtls1_bitmap.o ssl/record/rec_layer_d1.o ssl/record/rec_layer_s3.o ssl/record/ssl3_buffer.o ssl/record/ssl3_record.o ssl/s3_cbc.o ssl/s3_enc.o ssl/s3_lib.o ssl/s3_msg.o ssl/ssl_asn1.o ssl/ssl_cert.o ssl/ssl_ciph.o ssl/ssl_conf.o ssl/ssl_err.o ssl/ssl_init.o ssl/ssl_lib.o ssl/ssl_mcnf.o ssl/ssl_rsa.o ssl/ssl_sess.o ssl/ssl_stat.o ssl/ssl_txt.o ssl/ssl_utst.o ssl/statem/statem.o ssl/statem/statem_clnt.o ssl/statem/statem_dtls.o ssl/statem/statem_lib.o ssl/statem/statem_srvr.o ssl/t1_enc.o ssl/t1_ext.o ssl/t1_lib.o ssl/t1_reneg.o ssl/t1_trce.o ssl/tls_srp.o
ar: creating libssl.a
ranlib libssl.a || echo Never mind.
/bin/make -f ./Makefile.shared -e \
        PLATFORM=Cygwin-x86 \
        PERL="/usr/bin/perl" SRCDIR='.' DSTDIR="." \
        INSTALLTOP='/usr/local' LIBDIR='lib' \
        LIBDEPS=' '""' ' \
        LIBNAME=crypto SHLIBVERSION=1.1 \
        STLIBNAME=libcrypto.a \
        SHLIBNAME=libcrypto.dll.a SHLIBNAME_FULL=cygcrypto-1.1.dll \
        CC='gcc' CFLAGS='-DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR=""/usr/local/ssl"" -DENGINESDIR=""/usr/local/lib/engines-1.1"" -DTERMIOS -DL_ENDIAN -Wall -O3 -fomit-frame-pointer  -D_WINDLL' \
        LDFLAGS='' SHARED_LDFLAGS='-shared ' \
        RC='windres' SHARED_RCFLAGS='' \
        link_shlib.cygwin-shared
make[2]: Entering directory '/drives/c/temp/openssl-1.1.0g'
/usr/bin/perl ./util/mkrc.pl cygcrypto-1.1.dll | windres  -o rc.o
LD_LIBRARY_PATH=:/bin gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DOPENSSLDIR="/usr/local/ssl" -DENGINESDIR="/usr/local/lib/engines-1.1" -DTERMIOS -DL_ENDIAN -Wall -O3 -fomit-frame-pointer -D_WINDLL -shared -shared -Wl,--enable-auto-image-base -Wl,-Bsymbolic -Wl,--out-implib,libcrypto.dll.a rc.o -o cygcrypto-1.1.dll -Wl,--whole-archive libcrypto.a -Wl,--no-whole-archive
libcrypto.a(async_posix.o):async_posix.c:(.text+0xe): undefined reference to `getcontext'
libcrypto.a(async_posix.o):async_posix.c:(.text+0x56): undefined reference to `getcontext'
libcrypto.a(async_posix.o):async_posix.c:(.text+0xd4): undefined reference to `makecontext'
libcrypto.a(async.o):async.c:(.text+0x34): undefined reference to `setcontext'
collect2: error: ld returned 1 exit status
Makefile.shared:243: recipe for target 'link_shlib.cygwin' failed
make[2]: *** [link_shlib.cygwin] Error 1
make[2]: Leaving directory '/drives/c/temp/openssl-1.1.0g'
Makefile:639: recipe for target 'libcrypto.dll.a' failed
make[1]: *** [libcrypto.dll.a] Error 2
make[1]: Leaving directory '/drives/c/temp/openssl-1.1.0g'
Makefile:130: recipe for target 'all' failed
make: *** [all] Error 2

Lösung:

./config no-async && make

Der Build läuft durch und baut eine funktionierende exe

$ apps/openssl.exe version
OpenSSL 1.1.0g  2 Nov 2017

Verify X509 Certificate

Written by  on September 8, 2017

Es ist nicht ausreichend nur den Private Key zu überprüfen!
OpenSSL bietet auch eine einfache Möglichkeit einen CSR zu prüfen:

openssl req -in example.csr -verify
verify OK

Beim Public Key wird es komplizierter. Einzig eine Prüfung mit der Signatur der übergeordneten CA hilft. Hier eine erste Version eines Prüfscriptes.

#!/bin/bash
if [[ $# -ne 1 ]]; then
  echo "Wrong number of arguments."
  exit 1
fi

FILE=$1

# Allows to configure different openssl version
OPENSSL=$(which openssl)
TEMPDIR="/tmp
USERAGENT="CustomUserAgent"
# A proxy server would also get configured here
WGETOPTS="--user-agent=${USERAGENT} --timeout=5 --tries=1 -e"

SIGNER=$($OPENSSL x509 -in ${FILE} -text -noout | grep "CA Issuers - URI:http" | cut -d":" -f2- | tr -d '\r')
if [[ -z $SIGNER ]]; then
  echo "No issuer certificate found for download."
  exit 1
fi
SIGNERFILE=$(awk -F'/' '{print $NF}' <<<$SIGNER)

/usr/bin/wget $WGETOPTS $SIGNER -O $TEMPDIR/$SIGNERFILE >/dev/null 2>&1

# Try to convert to PEM
$OPENSSL x509 -inform der -in $TEMPDIR/$SIGNERFILE -out $TEMPDIR/$SIGNERFILE.cer 2>/dev/null
if [[ -s $TEMPDIR/$SIGNERFILE.cer ]]; then
  # use converted file, if conversation was successfull
  SIGNERFILE="$SIGNERFILE.cer"
fi
echo -n "Certificate verification: "
$OPENSSL verify -CAfile $TEMPDIR/$SIGNERFILE -partial_chain $FILE 2>&1 | grep -e "certificate signature failure" -e "OK" | cut -d":" -f2

# Cleanup
if [[ ! -z $SIGNERFILE ]]; then
  /bin/rm $TEMPDIR/$SIGNERFILE*
fi