Morioh
Login
Jermey Padberg

Jermey Padberg

4 years ago

How to Verify A Connection is Secure Using OpenSSL | Liquid Web

What is OpenSSL?

OpenSSL is a free and open-source software cryptography library that provides cryptographic functionality to applications to ensure secure internet communication. It is widely used on many server applications, and it is available for most Unix-like operating systems (including Solaris, Linux, Mac OS X, the four open-source BSD operating systems), OpenVMS and Microsoft Windows.

Besides that, OpenSSL is also a fully equipped instrumentation for implementation of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

With the OpenSSL toolkit, we can perform various SSL related tasks along with a variety of cryptographic functions. Among these other tasks, we can generate CSRs (Certificate Signing Requests) and private keys. We can perform an SSL certificate installation, or we can convert our certificates into different formats. Then, we can verify its details or even extract information about the certificate.

If we are talking about cryptographic function, we can use it for file encryption and decryption purposes along with generating password hashes.

However, today, we are going to dedicate ourselves to a completely different function of this free toolkit – verifying a secure connection.

Prerequisites

One of the Unix/Linux OS platforms, which include the OpenSSL program by default. On Microsoft Windows, we must download and install OpenSSL from a binary and install it.

Getting Started

As the natural environment for OpenSSL is a Unix platform, we will assume we are working on one. Before we start with checking our connections, we need to make sure our OpenSSL is up to date, so let us check which version are we running with the following command.

[root@host ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

For those a bit more experienced and interested in the full details, we can append the -a flag.

[root@host ~]# openssl version -a
OpenSSL 1.0.2k-fips 26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rdrand dynamic
[root@host ~]#

In most cases, we will be using the system-supplied version of OpenSSL. However, if we find ourselves in need of an upgrade, we will need to download the latest version, extract it and compile from source.

There is not a specific help keyword among OpenSSL commands, but if we append a flag that OpenSSL does not recognize to our command, a help text will be provided to us. To examine the available options of this powerful tool, we can use the following command.

root@host:~# openssl help
Standard commands
asn1parse         ca                ciphers           cms
crl               crl2pkcs7         dgst              dhparam
dsa               dsaparam          ec                ecparam
enc               engine            errstr            gendsa
genpkey           genrsa            help              list
nseq              ocsp              passwd            pkcs12
pkcs7             pkcs8             pkey              pkeyparam
pkeyutl           prime             rand              rehash
req               rsa               rsautl            s_client
s_server          s_time            sess_id           smime
speed             spkac             srp               storeutl
ts                verify            version           x509

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md4
md5               rmd160            sha1              sha224
sha256            sha3-224          sha3-256          sha3-384
sha3-512          sha384            sha512            sha512-224
sha512-256        shake128          shake256          sm3

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc
rc2-cfb           rc2-ecb           rc2-ofb           rc4
rc4-40            seed              seed-cbc          seed-cfb
seed-ecb          seed-ofb          sm4-cbc           sm4-cfb
sm4-ctr           sm4-ecb           sm4-ofb

root@host:~#

For additional guidance, feel free to explore the man pages using the following command.

[root@host ~]# man openssl

#tutorials #aes #cast #ciphers #csr #security

How to Verify A Connection is Secure Using OpenSSL | Liquid Web
2.65 GEEK