openssl

What version of wget supports SHA2?

Written by  on Dezember 14, 2015

I’ve already asked that question at Stackoverflow but it seems there is not a simple answer about that, or maybe just nobody ever thought about that before!
From what I found out earlier in „wget isn’t checking CRLs“, I see there is no need to verify the CRL with SHA2, because this simply won’t happen.
My best guess about that question is, that it simply depends on the used openssl version. There is some evidence – my wget here is linked against the openssl library. You might check for yourself with

$ ldd $(which wget)
...
        libssl.so.1.0.0 => /lib/i386-linux-gnu/libssl.so.1.0.0 (0xb76d3000)
...

Or you simply check, what you’ve got installed on your system

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

From the date you might find out, that your openssl version for sure supports SHA2! According to openssl 0.9.8 changelog each version since 0.9.8o, 01 Jun 2010, supports the SHA2 hash algorithms.

wget isn’t checking CRLs?

Written by  on Dezember 1, 2015

Just a wild theory, but wget is not checking for revoked certificates.
How did I come to this conclusion – and how did I try to verify that?

First some infos about versions – which may be rather important on that topic.

wget --version
GNU Wget 1.15 built on linux-gnu.
openssl version
OpenSSL 1.0.1f 6 Jan 2014

Check about the current certificate, like mine here at https://www.höllrigl.at -> you’ll see a certificate from „StartCom Class 1 Primary Intermediate Server CA“ CA and a CRL at http://crl.startssl.com/crt1-crl.crl

So I’m checking about where to find the CRL and get a nice list

# dig crl.startssl.com +short
www.startssl.com.edgesuite.net.
a1603.g1.akamai.net.
92.122.206.27
92.122.206.10

So let’s see if we find some traffic that goes there – first I tried a ping:

# tcpdump -i eth0 host crl.startssl.com
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:34:23.967704 IP 192.168.3.1 > a92-122-206-10.deploy.akamaitechnologies.com: ICMP echo request, id 18687, seq 1, length 64
21:34:24.016819 IP a92-122-206-10.deploy.akamaitechnologies.com > 192.168.3.1: ICMP echo reply, id 18687, seq 1, length 64

Next thing, fetch that URL with wget

# wget https://www.höllrigl.at
--2015-11-30 21:35:46--  https://www.xn--hllrigl-90a.at/
Resolving www.höllrigl.at (www.xn--hllrigl-90a.at)... 193.239.248.170, 2a04:5540:1:41::10
Connecting to www.höllrigl.at (www.xn--hllrigl-90a.at)|193.239.248.170|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.2’

    [ <=>                                                                                                                                                                                             ] 29,620      --.-K/s   in 0.05s

2015-11-30 21:35:48 (594 KB/s) - ‘index.html.2’ saved [29620]

Now I’d like to show to you the dumped packages in tcpdump – but there are none.
Other strong indicators are, that there only started to be a ‚–crl-file=file‘ option to wget starting with 1.16, which allows you to check your certificate against a locally stored CRL file.

Link des Tages

Written by  on Juni 14, 2015

Gute SSL Konfiguration kann so einfach sein: Mozilla SSL Configuration Generator

openssl ciphers

Written by  on Mai 26, 2015

Wie erzeuge ich eine sinnvolle Liste von Ciphers?

Möglichkeit 1: Schau nach, was andere tun – zum Beispiel bei bettercrypto.org

Möglichkeit 2: Erzeuge eine Liste mit openssl. Das ist auch interessant um zu erfahren was sich hinter Kürzeln wie HIGH, LOW oder EXPORT verbirgt:

$ openssl ciphers 'HIGH'
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:AECDH-DES-CBC3-SHA:ADH-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA

Oder auch, was verbiete ich mit !RC4:

$ openssl ciphers 'RC4'
ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AECDH-RC4-SHA:ADH-RC4-MD5:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EXP-ADH-RC4-MD5:EXP-RC4-MD5

Siehe dazu auch www.openssl.org

openssl genrsa

Written by  on Mai 16, 2015

Und noch eine alte Notiz von mir – mal eben schnell einen Key und CSR anlegen Beispiel:

openssl genrsa -out ~/höllrigl.at.ssl/höllrigl.at.key 2048
openssl req -new -sha256 -key ~/höllrigl.at.ssl/höllrigl.at.key -out ~/höllrigl.at.ssl/höllrigl.at.csr