linux:ssl

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
linux:ssl [2022/06/11 14:32] – [SSL.test sll] adminlinux:ssl [2024/11/09 13:13] (current) – [SSl certificates] admin
Line 1: Line 1:
 ====== Linux SSL  ====== ====== Linux SSL  ======
 +  * проверить сертификаты [[https://www.ssllabs.com/ssltest/analyze.html?d=ip2u.ru&latest|SSLabs test https]]
   * сайт рассказывающий про технические детали SSL TLS https://tls.dxdt.ru   * сайт рассказывающий про технические детали SSL TLS https://tls.dxdt.ru
   * Управление сертификатами - https://github.com/cloudflare/cfssl   * Управление сертификатами - https://github.com/cloudflare/cfssl
 +  * книга все что нужно знать - [[https://drive.google.com/file/d/1dIeaGXgGDRMHExbeFx8xWAPx_aElpmo7/view?usp=sharing|TLS Mastery]] 
 +  * https://medium.com/@seabro/how-to-create-selfsigned-ca-and-custom-wildcard-ssl-certificate-1112ed2080f7
  
 +===== SSl certificates =====
  
-===== SSL.test sll =====+<code BASH> 
 +# Example get and install https://discuss.elastic.co/t/error-response-from-daemon-get-https-docker-elastic-co-v2-x509-certificate-signed-by-unknown-authority/281754 
 +curl --trace - https://docker.elastic.co:443 
 +cd ~ 
 +openssl s_client -showcerts -connect www.domain.com:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >domain.com.crt 
 +sudo cp domain.com.crt /usr/local/share/ca-certificates 
 +sudo update-ca-certificates 
 +</code> 
 + 
 +<code BASH> 
 +openssl s_client -connect bot.ip2u.ru:4443 -showcerts 
 +openssl s_client -showcerts -connect www.domain.com:443 
 +openssl s_client -showcerts -connect bot.ip2u.ru:4443 </dev/null 2>/dev/null|openssl x509 -outform PEM >ip2u_ru.crt 
 +cat ./ip2u_ru.crt 
 +sudo cp ./ip2u_ru.crt /usr/local/share/ca-certificates/ip2u.ru.crt 
 +sudo update-ca-certificates 
 +openssl s_client -showcerts -connect bot.ip2u.ru:4443 
 +openssl s_client -CAfile ./ip2u_ru.crt -connect bot.ip2u.ru:4443 
 +curl --verbose  bot.ip2u.ru:4443 
 +</code> 
 +===== Linux SSL key managment  ===== 
 +  * update ca certificate on ubuntu  https://www.dmosk.ru/miniinstruktions.php?mini=root-ca-linux 
 +  * https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-a-certificate-authority-ca-on-centos-8-ru - centos ca 
 +  * https://jamielinux.com/docs/openssl-certificate-authority/ - manual ca 
 +  * https://smallstep.com/hello-mtls/doc/server/nginx - cert auth nginx 
 +  * https://github.com/smallstep/cli#installation-guide - pki script managment 
 +  * https://github.com/OpenVPN/easy-rsa asy-rsa is a CLI utility to build and manage a PKI CA 
 + 
 +===== Linux MTLS ===== 
 +https://get.localhost.direct/ \\ 
 +  * https://victoronsoftware.com/posts/mtls/ 
 +  * https://smallstep.com/hello-mtls/doc/server/nginx - cert auth nginx 
 +  * https://www.dmosk.ru/miniinstruktions.php?mini=nginx-mtls#client 
 +===== OpenSSL key manipulating ===== 
 + 
 +<code BASH> 
 + ssh-keygen -l -f ./id_rsa_1.pub 
 +4096 SHA256:XXXXXXXXXXXXXXXXXXXXXXXXXXX8 [email protected] (RSA) 
 + 
 + openssl pkey -in ./id_rsa_1.pub -noout -text 
 +</code> 
 + 
 + 
 +===== SSL.https test TLS/sll =====
 <code BASH> <code BASH>
 # проверить установление соединение - можно указать версию -tls1 -tls1_2 # проверить установление соединение - можно указать версию -tls1 -tls1_2
Line 23: Line 70:
 *  issuer: C=US; O=Let's Encrypt; CN=E1 *  issuer: C=US; O=Let's Encrypt; CN=E1
 *  SSL certificate verify ok. *  SSL certificate verify ok.
 +
 +# проверить сертификат на origin server cloudflare 
 +curl -svo /dev/null --resolve wiki.ip2u.ru:443:212.237.56.234 https://wiki.ip2u.ru/
 +* Added wiki.ip2u.ru:443:212.237.56.234 to DNS cache
 +* Hostname wiki.ip2u.ru was found in DNS cache
 +*   Trying 212.237.56.234:443...
 +* TCP_NODELAY set
 +* Connected to wiki.ip2u.ru (212.237.56.234) port 443 (#0)
 +* ALPN, offering h2
 +* ALPN, offering http/1.1
 +* successfully set certificate verify locations:
 +*   CAfile: /etc/ssl/certs/ca-certificates.crt
 +  CApath: /etc/ssl/certs
 +} [5 bytes data]
 +* TLSv1.3 (OUT), TLS handshake, Client hello (1):
 +} [512 bytes data]
 +* TLSv1.3 (IN), TLS handshake, Server hello (2):
 +{ [122 bytes data]
 +* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
 +{ [25 bytes data]
 +* TLSv1.3 (IN), TLS handshake, Certificate (11):
 +{ [1321 bytes data]
 +* TLSv1.3 (OUT), TLS alert, unknown CA (560):
 +} [2 bytes data]
 +* SSL certificate problem: unable to get local issuer certificate
 +* Closing connection 0
 +
 </code> </code>
  
 +
 +===== SSL.https install certificate CA =====
 +
 +<code BASH>
 +# Install certificate and chains - check GOST ciper
 +STR=$(openssl ciphers|  sed 's/:/\n/g' | grep -i gost)
 +echo $STR
 +
 +openssl s_client -showcerts -verify 5 -connect esia.gosuslugi.ru:443 
 +openssl x509 -in server_cert_esia.pem -noout -text  
 +# выгружаем сертификаты, переходим по iisue uri и загружаем CRT друг за другом до CA
 +
 +# download CA
 +wget http://reestr-pki.ru/cdp/guc_gost12.crt
 +# der->pem конвертация
 +openssl x509 -inform der -in guc_gost12.crt -out GUC_gost12.pem
 +# проверить информацию
 +openssl x509 -in GUC_gost12.pem -noout -text
 +# установить CA debian
 +cp GUC_gost12.pem /usr/local/share/ca-certificates/GUC_gost12.crt
 +
 +update-ca-certificates
 +
 +#проверить
 +
 +#info:
 +#cert guc_gost12.crt
 +#/usr/share/ca-certificates
 +#/usr/local/share/ca-certificates
 +
 +curl -vvv  https://esia.gosuslugi.ru/
 +</code>
  • linux/ssl.1654957949.txt.gz
  • Last modified: 2022/06/11 14:32
  • by admin