Connecting the world…

OpenSSL

OpenSSL for testing TLS

I was looking for a way to test the TLS configuration of a secure mail server and stumbled across a website called “OpenSSL Command-Line HOWTO”. This websites explains how to test a TLS connection using OpenSSL.

The s_client and s_server options provide a way to launch SSL-enabled command-line clients and servers. There are other examples of their use scattered around this document, but this section is dedicated solely to them.

In this section, I assume you are familiar with the specific protocols at issue: SMTP, HTTP, etc. Explaining them is out of the scope of this article.

You can test, or even use, an SSL-enabled SMTP server from the command line using the s_client option. Secure SMTP servers offer secure connections on up to three ports: 25 (TLS), 465 (SSL) and 587 (TLS). Some time around the OpenSSL 0.9.7 release, the openssl binary was given the ability to use STARTTLS when talking to SMTP servers.

# port 25/TLS; use same syntax for port 587
openssl s_client –connect mail.booches.nl:25 –starttls smtp

# port 465/SSL
openssl s_client –connect mail.booches.nl:465

RFC821 suggests (although it falls short of explicitly specifying) the two charaters “<CRLF>” as line-terminator. Most mail agents do not care about this and accept either “<LF>” or “<CRLF>” as line-terminators, but Qmail does not. If you want to comply to the letter with RFC821 and/or communicate with Qmail, use also the –crlf option:

openssl s_client –connect mail.booches.nl:25 –starttls smtp –crlf

OpenSSL & Cygwin – Certificate Authority

I am using OpenSSL in conjunction with Cygwin on my Windows laptop to generate Certificate Signing Request and other SSL certificate related issues. Today I configured my own Certificate Authority, using the following guideline.

Preparations

First I created some directories, like shown below:

mkdir /home/sslCA
cd /home/sslCA
mkdir certs private newcerts

Next I created a serial file which will be used to name the new certificates generated and an index.txt file.

echo 1000 > serial
touch index.txt

Generating the CA

After setting up the appropriate directory, I generated the Certificate Authority, like shown below.

cd /home/sslCA
openssl.exe req –new –x509 –days 3650 –extensions v3_ca \
-keyout private/cakey.pem –out cacert.pem \
-config /usr/ssl/openssl.cnf

The command above generates the following output:

Generating a 1024 bit RSA private key
.++++++
…………………++++++
writing new private key to ‘private/cakey.pem’
Enter PEM pass phrase:
Verifying – Enter PEM pass phrase:
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [NL]:
State or Province Name (full name) [Some-State]:Noord-Brabant
Locality Name (eg, city) []:Eindhoven
Organization Name (eg, company) [Internet Widgits Pty Ltd]:4IP BV
Organizational Unit Name (eg, section) []:IP Consultancy
Common Name (eg, YOUR name) []:4IP Root CA
Email Address []:

Now I have a running Certificate Authority, which is ready to signing new certificates.

SubjectAltNames

If you would like to add SubjectAltNames to your certificate, you can add the names by adding them to an extensions file. Below is an example of the file, which I named booches.extensions.cnf

basicConstraints=CA:FALSE
subjectKeyIdentifier = hash

[alt_names]
DNS.1 = *.booches.nl

ad

Performing an SSL Request

I used the following command, with it’s output, to generate an SSL Certificate Signing Request.

cd /home/sslCA
openssl req -sha256 –new –nodes \
-out cert-www-4ip-nl.pem \
-keyout private/priv-www-4ip-nl.pem \
-config /usr/ssl/openssl.cnf

Generating a 1024 bit RSA private key
………..++++++
….++++++
writing new private key to ‘private/priv-www-4ip-nl.pem’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [NL]:NL
State or Province Name (full name) [Some-State]:Noord-Brabant
Locality Name (eg, city) []:Eindhoven
Organization Name (eg, company) [Internet Widgits Pty Ltd]:4IP BV
Organizational Unit Name (eg, section) []:IP Consultancy
Common Name (eg, YOUR name) []:www.4ip.nl
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Signing CSR

The last step in the process is signing the CSR. I used the following command to sign the CSR.

openssl ca –config /usr/ssl/openssl.cnf \
-out sslcert-www-4ip-nl.pem \
-extfile booches.extensions.cnf\
-infiles cert-www-4ip-nl.pem

When you want to configure a certificate to use with Windows Server 2003 IAS vor MS-PEAP authentication, you have to add the option ‘-extensions server_ext’. This command results in the following output:

Using configuration from /usr/ssl/openssl.cnf
Enter pass phrase for /home/sslCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: Sep 30 11:01:11 2009 GMT
Not After : Sep 28 11:01:11 2019 GMT
Subject:
countryName               = NL
stateOrProvinceName       = Noord-Brabant
organizationName          = 4IP BV
organizationalUnitName    = IP Consultancy
commonName                = www.4ip.nl
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
37:6B:52:95:B6:2D:26:76:C1:CD:E9:3C:58:E5:89:B4:26:34:83:43
X509v3 Authority Key Identifier:
keyid:64:6A:E7:65:B0:96:F6:56:49:A2:4D:EA:7F:68:3F:18:D1:86:2B:0E

Certificate is to be certified until Sep 28 11:01:11 2019 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now I have all the appropriate files:

  • Certificate: /home/sslCA/sslcert-www-4ip-nl.pem
  • Key: /home/sslCA/private/priv-www-4ip-nl.pem

Converting to PKCS#12

Windows environments normally use PKCS#12 files. The following command generates a PKCS#12 file with the user certificate, the private key and the CA certificate:

cd /home/sslCA

openssl pkcs12 –export –out www-4ip-nl.pfx \
-inkey private/priv-www-4ip-nl.pem \
-in sslcert-www-4ip-nl.pem \
-certfile cacert.pem

This commands generates the appropriate PFX file (www-4ip-nl.pfx) for specific Windows environments, like IIS. Other usefull commands to convert certificate formats can be found here.

I added the following lines to openssl.cnf to use the extensions option for EAP authentication with Windows Server 2003 IAS.

[ client_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ server_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

Custom ringtones and SMS sounds on iPhone 3G

I received an iPhone 3G with a new cell phone contract. I started to play a little with it and noticed that there are only a few ringtones on the iPhone. Of course you can get more ringtones, but you have to get them through iTunes and pay for them, and that is not my intention.

I started to search the internet and already Jailbreaked my iPhone. This is cool, because I installed OpenSSH and OpenSSL. Now I can use an SSH client, or WinSCP to browse my iPhone. I read on the internet that you can only use file with the extension .m4r as ringtone on the iPhone. Maybe that is true, maybe it isn’t. I tried to copy an MP3 file to the ringtones folder (/Library/Ringtones). After rebooting the iPhone, the MP3 file wasn’t recognized by the iPhone as a ringtone.

After some more searching I found a website on the internet, which explained how to create custom ringtones by just using iTunes. I followed the steps of the article and it works great.

Click HERE for the complete article.

Next I started playing with the SMS sounds. These are also not easy to replace with your own sounds. So I looked at the internet again and found a nice video on YouTube demonstrating how to customize your SMS sounds. This video is using WinSCP to copy the necessary files to your iPhone. The folder, which contains the SMS sounds, can be found under /System/Library/Audio/UISounds.

Click HERE to see the video. The quality isn’t very good, but it worked for me.

Cygwin with OpenSSL for CSR generation

A lot of services, which are published to the Internet, are secured with SSL certificates. A lot of times we use SSL certificates to secure communications when implementing ISA reverse proxy servers, Citrix Secure Gateway servers and/or Cisco WebVPN portals.

When you want to secure a connection with a SSL certificate you have to create a Certificate Signing Request (CSR) and get the CSR signed by a Certificate Authority (CA). This can be done by a “real” CA, like GeoTrust or Verisign, or you can configure your own CA and sign your own CSR.

There are a lot of ways for generating CSR’s. In first I always used what the customers could offer me. This could be the Cisco ASA firewall, a Windows server with IIS or the Juniper SA appliance. Sometimes could take a couple of hours before I could finally generate a CSR. While generating a CSR, a private key is also generated. When using customer equipment for generating the CSR, it could happen that the customer deletes the private key, which makes the CSR useless.

A colleague of mine often has the same problems and he started using Cygwin with OpenSSL under Windows. I have to say, GREAT. I started using it myself. A great advantage is that I can use my own laptop and I don’t have to depend on the customers equipments. Furthermore, and maybe the most important, I know what I am doing during the generation and signing of certificates, so I will never delete the wrong files.

Normally I generate a new private key per certificate and I use the following commands for generating the private key, CSR and the actual certificate.

1. Generate a private key
openssl.exe genrsa -out private-www-booches-nl.key 2048

2. Generate the CSR, fill in the required information (common name is the most important)
openssl.exe req -sha256 -new -key private-www-booches-nl.key -out csr-www-booches-nl.csr

3. The CSR is uploaded to the CA. The CA sends you the SSL certificate, which I save as www-booches-nl.crt

4. Create the actual SSL certificate
openssl.exe pkcs12 -export -out www-booches-nl.pfx -inkey private-www-booches-nl.key -in www-booches-nl.crt

When using an Open Source web server you have to use a certificate with a DER format. The first 3 steps, as shown above, are still the same. You can use the following steps to create a DER file.

4. Put the key file code at the end of the crt file
cat private-www-booches-nl.key >> www-booches-nl.crt

5. Create the DER file
openssl.exe x509 -in www-booches-nl.crt -inform PEM -out www-booches-nl.der -outform DER

It is also possible that you need a PEM certificate instead of a PFX certificate. Below you see the command to create a PEM certificate from a PFX certificate.

6. Create the PEM file
openssl.exe pkcs12 -in www-booches-nl.pfx -out www-booches-nl.pem -nodes

7. Check the CSR content
openssl.exe req -text -noout -in csr-www.booches.nl-csr

Using Cygwin with OpenSSL really makes it easier when working with CSR’s and certificates. A very usefull website with “The Most Common OpenSSL Commands” can be found here (in Dutch).