Differences

This shows you the differences between two versions of the page.

--- linux:ssl [2022/06/11 14:29] – [SSL.test sll] admin
+++ linux:ssl [2024/11/09 13:13] (current) – [SSl certificates] admin
@@ Line 1: / Line 1: @@
 ====== Linux SSL  ======
+  * проверить сертификаты [[https://www.ssllabs.com/ssltest/analyze.html?d=ip2u.ru&latest|SSLabs test https]]
   * сайт рассказывающий про технические детали SSL TLS https://tls.dxdt.ru
   * Управление сертификатами - https://github.com/cloudflare/cfssl
+  * книга все что нужно знать - [[https://drive.google.com/file/d/1dIeaGXgGDRMHExbeFx8xWAPx_aElpmo7/view?usp=sharing|TLS Mastery]]
+  * https://medium.com/@seabro/how-to-create-selfsigned-ca-and-custom-wildcard-ssl-certificate-1112ed2080f7
+===== SSl certificates =====
-===== SSL.test sll =====
+<code BASH>
-<code>
+# Example get and install https://discuss.elastic.co/t/error-response-from-daemon-get-https-docker-elastic-co-v2-x509-certificate-signed-by-unknown-authority/281754
+curl --trace - https://docker.elastic.co:443
+cd ~
+openssl s_client -showcerts -connect www.domain.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >domain.com.crt
+sudo cp domain.com.crt /usr/local/share/ca-certificates
+sudo update-ca-certificates
+</code>
+<code BASH>
+openssl s_client -connect bot.ip2u.ru:4443 -showcerts
+openssl s_client -showcerts -connect www.domain.com:443
+openssl s_client -showcerts -connect bot.ip2u.ru:4443 </dev/null 2>/dev/null|openssl x509 -outform PEM >ip2u_ru.crt
+cat ./ip2u_ru.crt
+sudo cp ./ip2u_ru.crt /usr/local/share/ca-certificates/ip2u.ru.crt
+sudo update-ca-certificates
+openssl s_client -showcerts -connect bot.ip2u.ru:4443
+openssl s_client -CAfile ./ip2u_ru.crt -connect bot.ip2u.ru:4443
+curl --verbose  bot.ip2u.ru:4443
+</code>
+===== Linux SSL key managment  =====
+  * update ca certificate on ubuntu  https://www.dmosk.ru/miniinstruktions.php?mini=root-ca-linux
+  * https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-a-certificate-authority-ca-on-centos-8-ru - centos ca
+  * https://jamielinux.com/docs/openssl-certificate-authority/ - manual ca
+  * https://smallstep.com/hello-mtls/doc/server/nginx - cert auth nginx
+  * https://github.com/smallstep/cli#installation-guide - pki script managment
+  * https://github.com/OpenVPN/easy-rsa asy-rsa is a CLI utility to build and manage a PKI CA
+===== Linux MTLS =====
+https://get.localhost.direct/ \\
+  * https://victoronsoftware.com/posts/mtls/
+  * https://smallstep.com/hello-mtls/doc/server/nginx - cert auth nginx
+  * https://www.dmosk.ru/miniinstruktions.php?mini=nginx-mtls#client
+===== OpenSSL key manipulating =====
+<code BASH>
+ ssh-keygen -l -f ./id_rsa_1.pub
+SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXX8 m@domain.ru (RSA)
+ openssl pkey -in ./id_rsa_1.pub -noout -text
+</code>
+===== SSL.https test TLS/sll =====
+<code BASH>
 # проверить установление соединение - можно указать версию -tls1 -tls1_2
 openssl s_client -servername ip2u.ru -tlsextdebug  -connect ip2u.ru:443
 wget -v --debug https://127.0.0.1:443 --header "Host: wiki.ip2u.net"
 # -k insecure
 curl -v -H 'Host: wiki.ip2u.ru' https://127.0.0.1:443/something
+# CURL проверить корректность установки сертификата
+date; curl -vIs4 https://wiki.ip2u.ru 2>&1 | egrep -i "(connected|* ssl|issuer|subject)"
+Sat Jun 11 19:31:48 +05 2022
+* Connected to wiki.ip2u.ru (172.67.198.111) port 443 (#0)
+* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
+*  subject: CN=*.ip2u.ru
+*  subjectAltName: host "wiki.ip2u.ru" matched cert's "*.ip2u.ru"
+*  issuer: C=US; O=Let's Encrypt; CN=E1
+*  SSL certificate verify ok.
+# проверить сертификат на origin server cloudflare
+curl -svo /dev/null --resolve wiki.ip2u.ru:443:212.237.56.234 https://wiki.ip2u.ru/
+* Added wiki.ip2u.ru:443:212.237.56.234 to DNS cache
+* Hostname wiki.ip2u.ru was found in DNS cache
+*   Trying 212.237.56.234:443...
+* TCP_NODELAY set
+* Connected to wiki.ip2u.ru (212.237.56.234) port 443 (#0)
+* ALPN, offering h2
+* ALPN, offering http/1.1
+* successfully set certificate verify locations:
+*   CAfile: /etc/ssl/certs/ca-certificates.crt
+  CApath: /etc/ssl/certs
+} [5 bytes data]
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+} [512 bytes data]
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+{ [122 bytes data]
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+{ [25 bytes data]
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+{ [1321 bytes data]
+* TLSv1.3 (OUT), TLS alert, unknown CA (560):
+} [2 bytes data]
+* SSL certificate problem: unable to get local issuer certificate
+* Closing connection 0
 </code>
+===== SSL.https install certificate CA =====
+<code BASH>
+# Install certificate and chains - check GOST ciper
+STR=$(openssl ciphers|  sed 's/:/\n/g' | grep -i gost)
+echo $STR
+openssl s_client -showcerts -verify 5 -connect esia.gosuslugi.ru:443
+openssl x509 -in server_cert_esia.pem -noout -text
+# выгружаем сертификаты, переходим по iisue uri и загружаем CRT друг за другом до CA
+# download CA
+wget http://reestr-pki.ru/cdp/guc_gost12.crt
+# der->pem конвертация
+openssl x509 -inform der -in guc_gost12.crt -out GUC_gost12.pem
+# проверить информацию
+openssl x509 -in GUC_gost12.pem -noout -text
+# установить CA debian
+cp GUC_gost12.pem /usr/local/share/ca-certificates/GUC_gost12.crt
+update-ca-certificates
+#проверить
+#info:
+#cert guc_gost12.crt
+#/usr/share/ca-certificates
+#/usr/local/share/ca-certificates
+curl -vvv  https://esia.gosuslugi.ru/
+</code>