
SSL certificates

View

Show the certificate contents as text (-noout suppresses the PEM dump that would otherwise follow the decoded fields)

openssl x509 -noout -text < /etc/ssl/private/ssl.crt
nmap --script ssl-cert -p 25 smtpext1

List supported ciphers (ssl-enum-ciphers tries SSLv3 and every TLS version and grades each cipher, so weak suites stand out)

nmap --script ssl-enum-ciphers -p 9041 websrv1-test

Show the private key length (the first line of the output reports the modulus size, e.g. Private-Key: (2048 bit))

openssl rsa -in ssl.key -text -noout | head

Show the expiry dates of a remote IMAPS service (port 993). -servername sends SNI, so a host that serves several certificates returns the right one

echo | openssl s_client -connect correo01.pm.rosario.gov.ar:993 -servername correo01.pm.rosario.gov.ar 2>/dev/null | openssl x509 -noout -dates

Show the expiry dates of a remote SMTP server with STARTTLS

echo | openssl s_client -connect smtpext1:25 -starttls smtp 2>/dev/null | openssl x509 -noout -dates

Chain

The bundle must start with the server certificate, followed by the intermediate(s) in signing order. Adding the root is harmless but unnecessary: a client that does not already trust it will not accept it from the server anyway.

cat www.example.com.crt bundle.crt > www.example.com.chained.crt
cat ssl.crt sub.class1.server.ca.pem > ssl.chained.crt

Chain for nginx / haproxy (haproxy additionally expects the private key in the same PEM file):

certificate - intermediate - CA

Write with > rather than >>: appending means a second run leaves two copies of the chain in the file.

cat your_domain.crt intermediate.crt root.crt > ssl-bundle.crt
cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

Certificate - CA bundle

cat your_domain.crt your_domain.ca-bundle > ssl-bundle.crt

Verify remote

-quiet suppresses the certificate dump and session details; the depth=N / verify return lines on stderr show whether each link of the chain was accepted against the trust store given with -CApath or -CAfile

openssl s_client -CApath /etc/ssl/certs/ -host tomcat1.pm.rosario.gov.ar -port 9061 -quiet
openssl s_client -CAfile /etc/ssl/certs/ca.pem -host tomcat1.pm.rosario.gov.ar -port 9061 -quiet
openssl s_client -connect www.godaddy.com:443

Verify the whole chain remotely

The verify lines go to stderr, so redirect it into the pipe or grep sees nothing. -verify_return_error turns a failed verification into a handshake failure (non-zero exit status), which is what a monitoring check needs. The example chain (root, one intermediate, leaf) fits within -verify_depth 2; raise the value for deeper chains.

echo | openssl s_client -connect t-s3.rosario.gob.ar:443 -verify_return_error -verify_depth 2 -quiet 2>&1 | grep -E 'depth=|verify'
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = rosario.gob.ar
verify return:1

Check TLS 1.2 support

A server that accepts it completes the handshake and prints Protocol : TLSv1.2 in the session block; one that does not fails the handshake. The same test with -tls1, -tls1_1 or -tls1_3 confirms that old versions are disabled and new ones enabled.

openssl s_client -connect google.com:443 -tls1_2

List supported ciphers

sslscan --no-failed localhost:993

Java keystore

OpenJDK ships the CAs in the ca-certificates-java package:

keytool -keystore /etc/ssl/certs/java/cacerts -list -storepass changeit

Sun Java ships the CAs inside its own package:

keytool -keystore /etc/java-6-sun/security/cacerts -list -storepass changeit

Import a certificate into the Sun keystore:

keytool -importcert -alias mycacert -file mycacert.pem -trustcacerts -noprompt -storepass changeit -keystore /etc/java-6-sun/security/cacerts

Verify the imported certificate:

keytool -list -alias mycacert -noprompt -storepass changeit -keystore /etc/java-6-sun/security/cacerts

Import a key without a CSR into the keystore

When the key and certificate were produced with openssl rather than keytool, wrap them in a PKCS#12 file and import that. Steps, in order:

Fetch the Comodo intermediate CA (if the download is DER rather than PEM, convert it with openssl x509 -inform DER before using it below)

wget http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt

Convert certificate, key and intermediate into a PKCS#12 file (-certfile is what puts the intermediate into the bundle; -CAfile on its own is only consulted when -chain is given)

openssl pkcs12 -export -in ../2017/pm.rosario.gov.ar/STAR_pm_rosario_gov_ar.crt -inkey ../2017/pm.rosario.gov.ar/pm.rosario.gov.ar.key -out server.p12 -name pm.rosario.gov.ar -certfile COMODORSADomainValidationSecureServerCA.crt -caname root

Import it into the keystore (-srcalias selects the entry named with -name above)

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore tomcatp12.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass changeit -srcalias pm.rosario.gov.ar

List the keystore contents

keytool -list -keystore tomcatp12.jks -v | less
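The expiry, chaining, remote verification and PKCS#12 steps above are all openssl one-liners against production hosts. The script below is an added example, not part of this page or of any tool it mentions: it generates a throwaway root -> intermediate -> leaf PKI as constructed test data (the name www.example.test, the file names under a mktemp directory and the changeit password are hypothetical) and wraps the same tasks as functions, so the chain-order mistake, the missing-intermediate failure and the expiry check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original page). A throwaway root -> intermediate
# -> leaf PKI is generated locally as constructed test data (the CN
# www.example.test and the file names are hypothetical), then the page's tasks
# are wrapped as functions: chain the leaf for nginx/haproxy, verify the chain
# as a client would, check expiry with openssl's -checkend, and pack cert,
# key and intermediate into a PKCS#12 file for a Java keystore.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions come from explicit -extfile inputs so the result does not depend
# on whatever the system openssl.cnf happens to contain.
make_test_pki() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root CA' \
    -keyout root.key -out root.csr 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
    -keyout intermediate.key -out intermediate.csr 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile ca.ext -out root.crt 2>/dev/null
  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out intermediate.crt 2>/dev/null
  openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null
)

# Leaf first, then intermediates; the root is left out (clients already hold
# it). Note '>' rather than '>>': re-running must not append a second copy.
chain_bundle() { # out.crt leaf.crt intermediate.crt...
  out=$1; shift
  cat "$@" > "$out"
}

cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# CN of the first certificate in a PEM file: for a server bundle this must be
# the leaf, otherwise the server presents the chain in the wrong order.
first_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

# Client-side view of the chain: only the root is trusted, the bundle is
# offered as untrusted intermediates. Prints OK or FAIL.
verify_chain() { # root.crt untrusted_bundle_or_empty leaf.crt
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# -checkend avoids parsing the notAfter date: exit 0 means "still valid after
# that many seconds". Prints yes if the cert expires within the given days.
expires_within() { # cert.pem days
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

# PKCS#12 for keytool -importkeystore: -certfile is what actually puts the
# intermediate into the bundle (-CAfile alone only matters with -chain).
to_pkcs12() { # leaf.crt leaf.key intermediate.crt out.p12 alias
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name "$5" \
    -passout pass:changeit -out "$4"
}

p12_cert_count() { # out.p12 -> number of certificates inside
  openssl pkcs12 -in "$1" -passin pass:changeit -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# Remote counterpart of the page's s_client one-liners (needs network, so it is
# not called below): save the chain a live server sends, with SNI and optional
# STARTTLS, so the functions above can be run on it.
fetch_chain() { # host port out.pem [starttls_proto]
  echo | openssl s_client -connect "$1:$2" -servername "$1" ${4:+-starttls $4} \
    -showcerts 2>/dev/null | sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$3"
}

make_test_pki
chain_bundle "$WORK/bundle.crt" "$WORK/leaf.crt" "$WORK/intermediate.crt"
to_pkcs12 "$WORK/leaf.crt" "$WORK/leaf.key" "$WORK/intermediate.crt" "$WORK/server.p12" www.example.test
echo "bundle: $(cert_count "$WORK/bundle.crt") certs, first CN $(first_cn "$WORK/bundle.crt")"
echo "leaf without intermediate: $(verify_chain "$WORK/root.crt" "" "$WORK/leaf.crt")"
echo "leaf with bundle:          $(verify_chain "$WORK/root.crt" "$WORK/bundle.crt" "$WORK/leaf.crt")"
echo "expires within 7 days:  $(expires_within "$WORK/leaf.crt" 7)"
echo "expires within 60 days: $(expires_within "$WORK/leaf.crt" 60)"
echo "server.p12 holds $(p12_cert_count "$WORK/server.p12") certs"
```

Run it as sh chain-check.sh (hypothetical file name). The leaf-only verification fails with the same cause as the Java "PKIX path building failed" trace further down: the client cannot find the issuer. To check a live host, call fetch_chain, then first_cn and verify_chain on the saved file.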

Testing a keystore from Java

To check whether the Java keystore holds the CA certificate for a URL

Use Java to connect to the SSL server and validate its certificate. The program only exercises chain validation against the default truststore (point it elsewhere with -Djavax.net.ssl.trustStore=/path/to/cacerts); a plain SSLSocket does no hostname verification, so "Successfully connected" shows the chain is trusted, not that the certificate matches the host name.

Source code SSLPoke.java

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.*;

/** Establish a SSL connection to a host and port, writes a byte and
 * prints the response. See
 * http://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services
 */
public class SSLPoke {
    public static void main(String[] args) {
        if (args.length != 2) {
            System.out.println("Usage: "+SSLPoke.class.getName()+" <host> <port>");
            System.exit(1);
        }
        try {
            SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket(args[0], Integer.parseInt(args[1]));

            InputStream in = sslsocket.getInputStream();
            OutputStream out = sslsocket.getOutputStream();

            // Write a test byte to get a reaction :) (the first write forces the handshake, so an untrusted chain fails here)
            out.write(1);

            while (in.available() > 0) {
                System.out.print(in.read());
            }
            // Reached only if the handshake, and therefore chain validation, succeeded
            System.out.println("Successfully connected");

        } catch (Exception exception) {
            exception.printStackTrace();
        }
    }
}

Compile to produce the .class:

javac SSLPoke.java

Test a server:

java SSLPoke sua1-test.pm.rosario.gov.ar 8443
java SSLPoke www.rosario.gov.ar 443

Response when the CA is present

Successfully connected

Response when the CA is missing (PKIX path building failed is the Java equivalent of openssl's "unable to get local issuer certificate")

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
        at SSLPoke.main(SSLPoke.java:23)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
        ... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
        ... 15 more

Import a CA into the Java keystore

If Java does not have the CA needed to validate the certificate, import it into the Java truststore / keystore.

Download the server certificate. Without -showcerts only the leaf is written; adding -showcerts prints the whole chain, and importing the issuing CA (the block after the leaf) instead of the leaf keeps trust working after the next renewal:

echo -n | openssl s_client -connect sua1-test.pm.rosario.gov.ar:8443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > pm.crt

Import it into the Java keystore (-keypass is not needed for a trusted certificate entry):

keytool -import -v -trustcacerts -alias PM -file pm.crt -keystore /etc/ssl/certs/java/cacerts -keypass changeit -storepass changeit

linux/seguridad/certificados.ssl.txt · Last modified: 2021/03/30 12:43 by grillo