openssl
What version of wget supports SHA2?
I’ve already asked that question at Stackoverflow but it seems there is not a simple answer about that, or maybe just nobody ever thought about that before!
From what I found out earlier in „wget isn’t checking CRLs“, I see there is no need to verify the CRL with SHA2, because this simply won’t happen.
My best guess about that question is, that it simply depends on the used openssl version. There is some evidence – my wget here is linked against the openssl library. You might check for yourself with
$ ldd $(which wget) ... libssl.so.1.0.0 => /lib/i386-linux-gnu/libssl.so.1.0.0 (0xb76d3000) ...
Or you simply check, what you’ve got installed on your system
$ openssl version OpenSSL 1.0.1f 6 Jan 2014
From the date you might find out, that your openssl version for sure supports SHA2! According to openssl 0.9.8 changelog each version since 0.9.8o, 01 Jun 2010, supports the SHA2 hash algorithms.
wget isn’t checking CRLs?
Just a wild theory, but wget is not checking for revoked certificates.
How did I come to this conclusion – and how did I try to verify that?
First some infos about versions – which may be rather important on that topic.
wget --version GNU Wget 1.15 built on linux-gnu. openssl version OpenSSL 1.0.1f 6 Jan 2014
Check about the current certificate, like mine here at https://www.höllrigl.at -> you’ll see a certificate from „StartCom Class 1 Primary Intermediate Server CA“ CA and a CRL at http://crl.startssl.com/crt1-crl.crl
So I’m checking about where to find the CRL and get a nice list
# dig crl.startssl.com +short www.startssl.com.edgesuite.net. a1603.g1.akamai.net. 92.122.206.27 92.122.206.10
So let’s see if we find some traffic that goes there – first I tried a ping:
# tcpdump -i eth0 host crl.startssl.com tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 21:34:23.967704 IP 192.168.3.1 > a92-122-206-10.deploy.akamaitechnologies.com: ICMP echo request, id 18687, seq 1, length 64 21:34:24.016819 IP a92-122-206-10.deploy.akamaitechnologies.com > 192.168.3.1: ICMP echo reply, id 18687, seq 1, length 64
Next thing, fetch that URL with wget
# wget https://www.höllrigl.at --2015-11-30 21:35:46-- https://www.xn--hllrigl-90a.at/ Resolving www.höllrigl.at (www.xn--hllrigl-90a.at)... 193.239.248.170, 2a04:5540:1:41::10 Connecting to www.höllrigl.at (www.xn--hllrigl-90a.at)|193.239.248.170|:443... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: ‘index.html.2’ [ <=> ] 29,620 --.-K/s in 0.05s 2015-11-30 21:35:48 (594 KB/s) - ‘index.html.2’ saved [29620]
Now I’d like to show to you the dumped packages in tcpdump – but there are none.
Other strong indicators are, that there only started to be a ‚–crl-file=file‘ option to wget starting with 1.16, which allows you to check your certificate against a locally stored CRL file.
Link des Tages
Gute SSL Konfiguration kann so einfach sein: Mozilla SSL Configuration Generator
openssl ciphers
Wie erzeuge ich eine sinnvolle Liste von Ciphers?
Möglichkeit 1: Schau nach, was andere tun – zum Beispiel bei bettercrypto.org
Möglichkeit 2: Erzeuge eine Liste mit openssl. Das ist auch interessant um zu erfahren was sich hinter Kürzeln wie HIGH, LOW oder EXPORT verbirgt:
$ openssl ciphers 'HIGH' ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:AECDH-DES-CBC3-SHA:ADH-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA
Oder auch, was verbiete ich mit !RC4:
$ openssl ciphers 'RC4' ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AECDH-RC4-SHA:ADH-RC4-MD5:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EXP-ADH-RC4-MD5:EXP-RC4-MD5
Siehe dazu auch www.openssl.org
openssl genrsa
Und noch eine alte Notiz von mir – mal eben schnell einen Key und CSR anlegen Beispiel:
openssl genrsa -out ~/höllrigl.at.ssl/höllrigl.at.key 2048
openssl req -new -sha256 -key ~/höllrigl.at.ssl/höllrigl.at.key -out ~/höllrigl.at.ssl/höllrigl.at.csr