Posts tagged ssl

openssl: s_client to check certificates

posted on 2016-03-18 13:47:07

In short:

openssl s_client -connect <domain.de>:443

SSL certificate check from shell

posted on 2016-02-05 12:53:33

This will show the complete certificate:

echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -text

Replace the -text flag with any other output option for a field present in the certificate to get different results (e.g. -subject or -dates).

OpenSSL Ciphers

posted on 2014-12-10 18:00:06

This will show you the currently available secure ciphers:

openssl ciphers 'HIGH:MEDIUM:!MD5:!RC4:!aNULL:!eNULL:!EXPORT:!SEED:!PSK' | sed 's/:/\n/g'

The sed afterwards is just so you will have the output with one cipher per line.

The part after 'ciphers' and before the pipe is what you actually have to put into your apache config.
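What the string expands to depends on the installed OpenSSL build, so it is worth auditing the expanded list before it goes into the config. The following is an added example, not part of the original post; the weak-suite patterns and function names are choices made for this example, and the sample lines are constructed.

```bash
#!/bin/bash
# Added example, not from the original post. The weak-suite patterns and the
# function names are choices made for this example.

# Read `openssl ciphers -v` lines on stdin, print each suite that has no
# authentication, weak or no encryption, or an MD5 MAC; return 1 if any is found.
flag_weak_suites() {
    awk '
        {
            why = ""
            if ($0 ~ /Au=None/)  why = why " no-authentication"
            if ($0 ~ /Enc=(None|RC2|RC4|DES|3DES|SEED|IDEA)/) why = why " weak-encryption"
            if ($0 ~ /Mac=MD5/)  why = why " md5-mac"
            if (why != "") { print $1 ":" why; bad++ }
        }
        END { exit (bad > 0) }
    '
}

# Expand a cipher string with the local openssl build and audit the result.
audit_cipher_string() {
    openssl ciphers -v "$1" | flag_weak_suites
}

# Constructed sample in the column layout of `openssl ciphers -v`.
sample='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA          SSLv3   Kx=DH   Au=RSA  Enc=AES(256)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA  Enc=3DES(168)   Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA  Au=RSA  Enc=RC4(128)    Mac=MD5
ADH-AES128-SHA              SSLv3   Kx=DH   Au=None Enc=AES(128)    Mac=SHA1'

printf '%s\n' "$sample" | flag_weak_suites || echo "sample list contains weak suites"

# The string from the post, expanded by whatever openssl is installed here:
audit_cipher_string 'HIGH:MEDIUM:!MD5:!RC4:!aNULL:!eNULL:!EXPORT:!SEED:!PSK' \
    || echo "review the cipher string before using it"
```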

MySQL-over-SSL

posted on 2014-08-08 14:45:03

How to use SSL/TLS for mysql connections? We shall see.

This guide assumes you have mysqld already installed and have root access on the box you are working on. All this was done on a Debian 7 install.

check if your mysqld supports it

That is, whether the mysql install was compiled with the right flags.

  • connect to mysql
  • show variables like 'have_ssl';
  • DISABLED = capable, but was not started with the option on
  • YES = SSL capable and enabled

Example:

[sjas@box ~]$ mysql -uroot -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 65
Server version: 5.5.38-0+wheezy1 (Debian)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show variables like 'have_ssl';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_ssl      | DISABLED |
+---------------+----------+
1 row in set (0.00 sec)

mysql> quit
Bye
[sjas@box ~]$

cert 101

To use a public key infrastructure here, you need a root certificate (coming from a CA, which is short for certificate authority).

So first a private key and a certificate are generated for the CA.

The next step is creating the server private key and a certificate request from it. This request is used together with the CA cert and the CA key to create the actual server certificate.

This procedure is repeated for the client.

Finally, to use SSL/TLS on the client side, you need these: the CA cert, the client cert and the client key.

On the server side, you need these: the CA cert, the server cert and the server key.

All of these will be self-signed (self-generated, and not signed by an actual CA like Thawte or Digicert) and are created by the next script.

create certificates

This script is handy; put it into a file and make it executable:

#!/bin/bash

echo $'\e[1;33m''clean environment'$'\e[0m'
rm -rf mynewcerts
mkdir mynewcerts
cd mynewcerts || exit 1

echo $'\e[1;33m''NOTE:'$'\e[0m'
echo $'\e[1;33m''USE DIFFERENT COMMON NAMES'$'\e[0m'
echo $'\e[1;33m''FOR ALL CERTS.'$'\e[0m'

echo $'\e[1;33m''create ca cert'$'\e[0m'
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3650 -key ca-key.pem -out ca-cert.pem

echo $'\e[1;33m''Create server certificate, remove passphrase, and sign it'$'\e[0m'
echo $'\e[1;33m''server-cert.pem = public key, server-key.pem = private key'$'\e[0m'
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

echo $'\e[1;33m''Create client certificate, remove passphrase, and sign it'$'\e[0m'
echo $'\e[1;33m''client-cert.pem = public key, client-key.pem = private key'$'\e[0m'
openssl req -newkey rsa:2048 -days 3650 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
# serial numbers must be unique per CA, so the client cert gets 02
openssl x509 -req -in client-req.pem -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

echo $'\e[1;33m''verify certs'$'\e[0m'
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

echo $'\e[1;33m''move server files to /etc/mysql/ssl'$'\e[0m'
mkdir -p /etc/mysql/ssl
cp ca-cert.pem server-cert.pem server-key.pem /etc/mysql/ssl

echo $'\e[1;33m''TESTING Howto:'$'\e[0m'
echo $'\e[1;33m''service mysql stop'$'\e[0m'
echo $'\e[1;33m''mysqld --ssl-ca=/etc/mysql/ssl/ca-cert.pem --ssl-cert=/etc/mysql/ssl/server-cert.pem --ssl-key=/etc/mysql/ssl/server-key.pem'$'\e[0m'
echo $'\e[1;33m''Then in second console window:'$'\e[0m'
echo $'\e[1;33m''connect to this server, cd into mynewcerts folder'$'\e[0m'
echo $'\e[1;33m''mysql --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem  --ssl-key=client-key.pem -uroot -p'$'\e[0m'

The script will create:

  • a CA key and certificate
  • a server private key, cert request and cert
  • a client private key, cert request and cert

and then copy the server files to /etc/mysql/ssl.

The requests are actually not important once the certificates are generated. They are left in place in case the certificates have to be recreated, e.g. with new CA data.

Leave the passphrases blank and make sure the common names differ. If you use the same common names, you will have problems later on.
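Before pointing mysqld at the generated files, it helps to confirm that each certificate chains to the CA, that the key belongs to the certificate, that the certificate is not about to expire, and that the key file is not readable by group or others. The following is an added example, not part of the original post; the function names, the demo subjects and the 30-day default are assumptions, and the demo bundle is constructed on the fly.

```bash
#!/bin/bash
# Added example, not from the original post. Function names, demo subjects
# and the 30-day default are assumptions of this example.

# Build a throwaway CA and server pair without prompts, for the demo only.
make_demo_bundle() {   # usage: make_demo_bundle DIR
    ( cd "$1" || exit 1
      openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
          -subj '/CN=demo-ca' -keyout ca-key.pem -out ca-cert.pem
      openssl req -new -nodes -newkey rsa:2048 -subj '/CN=demo-server' \
          -keyout server-key.pem -out server-req.pem
      openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem \
          -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
      chmod 600 ca-key.pem server-key.pem
    ) >/dev/null 2>&1
}

# The certificate's public key must be the one derived from the private key.
key_matches_cert() {   # usage: key_matches_cert CERT KEY
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run all checks on one CA/cert/key triple; the return value counts failures.
check_tls_bundle() {   # usage: check_tls_bundle CA CERT KEY [DAYS]
    local ca="$1" cert="$2" key="$3" days="${4:-30}" fail=0
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' ||
        { echo "FAIL: $cert does not chain to $ca"; fail=$((fail + 1)); }
    key_matches_cert "$cert" "$key" ||
        { echo "FAIL: $key is not the private key of $cert"; fail=$((fail + 1)); }
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL: $cert expires within $days days"; fail=$((fail + 1)); }
    case $(stat -c %a "$key" 2>/dev/null) in
        *00) ;;
        *) echo "FAIL: $key is accessible to group or others"; fail=$((fail + 1)) ;;
    esac
    return "$fail"
}

# Demo on a constructed bundle; on the server pass the /etc/mysql/ssl files.
demo_dir=$(mktemp -d)
make_demo_bundle "$demo_dir" &&
    check_tls_bundle "$demo_dir/ca-cert.pem" "$demo_dir/server-cert.pem" \
        "$demo_dir/server-key.pem" && echo "bundle OK"
rm -rf "$demo_dir"
```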

testing

Both of these can be done on the same server.

server side

On server side, you have to use these files:

  • ca-cert.pem
  • server-cert.pem
  • server-key.pem

Create a directory in your mysql folder, here named /etc/mysql/ssl, and put these files there.

Then stop mysqld, if running, and start it by hand with the SSL options:

$ service mysql stop
$ mysqld --ssl-ca=/etc/mysql/ssl/ca-cert.pem --ssl-cert=/etc/mysql/ssl/server-cert.pem --ssl-key=/etc/mysql/ssl/server-key.pem

The MySQL server has to be started with these SSL options, otherwise SSL will be turned off on the server side. For how to automate this, see the proper setup section below.

client side

On client side, you have to use these files:

  • ca-cert.pem
  • client-cert.pem
  • client-key.pem

So, from a second shell, run this from within the mynewcerts folder the script just created:

$ mysql --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem  --ssl-key=client-key.pem -uroot -p

After entering your password, you are at the mysql prompt. Use \s to check the connection status.

You might get something along these lines:

mysql> \s
--------------
mysql  Ver 14.14 Distrib 5.5.38, for debian-linux-gnu (x86_64) using readline 6.2

Connection id:          40
Current database:
Current user:           root@localhost
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Current pager:          stdout
Using outfile:          ''
Using delimiter:        ;
Server version:         5.5.38-0+wheezy1 (Debian)
Protocol version:       10
Connection:             Localhost via UNIX socket
Server characterset:    latin1
Db     characterset:    latin1
Client characterset:    utf8
Conn.  characterset:    utf8
UNIX socket:            /var/run/mysqld/mysqld.sock
Uptime:                 1 hour 29 min 28 sec

Threads: 1  Questions: 116  Slow queries: 0  Opens: 171  Flush tables: 1  Open tables: 41  Queries per second avg: 0.021
--------------

mysql>

If the SSL: ... line actually shows a cipher (and is not just empty), your setup works.

\q to exit from the mysql shell, then pkill mysql to kill the mysql server you just started by hand (see server section above).

The above can be shortened to one line (the \s is quoted so the shell does not strip the backslash):

mysql --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem  --ssl-key=client-key.pem -uroot -p -sss -e '\s' | grep SSL

proper setup

To have mysqld start properly, you have to pass it the SSL options when the init script starts it.

This is most easily done like this (another copy & paste section; it can be pasted directly into the shell):

cat <<EOHD >> /etc/mysql/conf.d/ssl.cnf
[mysqld]
ssl-ca   = /etc/mysql/ssl/ca-cert.pem
ssl-cert = /etc/mysql/ssl/server-cert.pem
ssl-key  = /etc/mysql/ssl/server-key.pem
EOHD

The /etc/mysql/my.cnf should include the following line:

#
# * IMPORTANT: Additional settings that can override those from this file!
#   The files must end with '.cnf', otherwise they'll be ignored.
#
!includedir /etc/mysql/conf.d

... so the previously generated file will work. Then do:

service mysql stop  ## in case it started somehow
service mysql start

Of course, you should test your work again via the mysql client (see the client section above and look at the output of \s).

Afterwards, pass the client private key, client cert and CA cert to the machines you actually want to secure and be happy you have encrypted mysql traffic.

force SSL usage

Furthermore, you can force users to use SSL when creating them within mysql.

From the mysql prompt:

mysql> GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'password-to-change' REQUIRE SSL WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;

Then this will work: (From within the folder where the certs are located, of course.)

$ mysql --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -ussluser -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 57
...

but not this:

$ mysql -u ssluser -p
Enter password:
ERROR 1045 (28000): Access denied for user 'ssluser'@'localhost' (using password: YES)

Keep in mind that the ssluser account created above is intended to replace the root account. That is the reason it got rights for everything (*.*) and can grant/revoke rights (WITH GRANT OPTION). Use a more fine-grained approach if you want to create accounts for your customers, otherwise they could kill your DB as they wish.

remote access

In order to tell mysql to grant access from remote machines:

$ vim /etc/mysql/my.cnf

and comment out:

bind-address = 127.0.0.1

exchanging keys and certs between machines

A final note: private keys should never be exchanged over unencrypted channels. Use scp or sftp, or mail the three files in a password-encrypted compressed archive (zip, tar, 7z, ...) and pass the password through a separate channel.

Everything else is just plain bad style.


Unless otherwise credited all material Creative Commons License by sjas