Dec 052010
 

OpensslIn a previous article we saw the basics of encryption and asymmetric key used in the e-mail. On Linux the most used and popular programthat deals with security and encryption is OpenSSL .

OpenSSL is an open source implementation of the SSL and TLS protocols. The core library (written in the C programming language) implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.

Versions are available for most Unix-like operating systems (including Solaris, Linux, Mac OS X and the four open source BSD operating systems), OpenVMS and Microsoft Windows. IBM provides a port for the System i (OS/400). OpenSSL is based on SSLeay by Eric A. Young and Tim Hudson, development of which unofficially ended around December 1998, when Young and Hudson both started to work for RSA Security.

Today we will see some practical uses of programs that rely on OpenSSL.



A fundamental use of OpenSSL is to create your own Certification Authority (CA) with which you can generate certificates to be used later in other programs. Since this is a long topic it’s not discussed in this article, where we will use the simplest and least common of the OpenSSL programs.

Connect to a https service

Sometimes is useful to have the equivalent of a “telnet myservice 80 “, but with sites in https a telnet don’t work so you need an openssl command:

openssl s_client -connect host:443 -state -debug
GET / HTTP/1.0

You’ll get a very long output, but you’ll be able to do some test/debug also on the encrypted http.

Generate random numbers or strings

To generate random strings you can use the openssl rand; to generate a random integer you can use:

root@laptop:~# echo $(openssl rand 4 | od -DAn)
1173091498

While if you want to generate a base64 string (perhaps to get a random password)

root@laptop:~# openssl rand -base64 6
Cki3awd4

Verify an online certificate from the command line

Not always the most advanced clients are also the more comfortable to see a certificate with this command you can verify a certificate from an https site or maybe a ldaps:

root@laptop:~#openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDITCCAoqgAwIBAgIQL9+89q6RUm0PmqPfQDQ+mjANBgkqhkiG9w0BAQUFADBM
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd
.......

And if just need to check if the certificate is about to expire, check for the dates with another openssl command in pipe:

root@laptop:~# openssl s_client -connect google.com:443|openssl x509 -dates -noout
 
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
notBefore=Dec 18 00:00:00 2009 GMT
notAfter=Dec 18 23:59:59 2011 GMT

Extract information from a certificate

An SSL certificate contains a wide range of information: issuer, valid dates, subject, and some hardcore crypto stuff. The x509 subcommand is the entry point for retrieving this information.The examples below all assume that the certificate you want to examine is stored in a file named cert.pem.

Using the -text option will give you the full breadth of information.

openssl x509 -text -in cert.pem

You can get specific information using the appropriate flag:

# who issued the cert?
openssl x509 -noout -in cert.pem -issuer
 
# to whom was it issued?
openssl x509 -noout -in cert.pem -subject
 
# for what dates is it valid?
openssl x509 -noout -in cert.pem -dates
 
# the above, all at once
openssl x509 -noout -in cert.pem -issuer -subject -dates
 
# what is its hash value?
openssl x509 -noout -in cert.pem -hash
 
# what is its MD5 fingerprint?
openssl x509 -noout -in cert.pem -fingerprint

Generate a MD5 hash

Openssl can be used also to generate the md5 of a text or a file:

cat yourfile | openssl md5

or

echo -n "your text to be hashed" |openssl md5

benchmarking with OpenSSL

Openssl include a function to benchmark your system, simply write:

openssl speed

And you’ll get a long report like this one (centrino 1.5 GHZ)

OpenSSL 0.9.8o 01 Jun 2010
built on: Wed Nov 17 17:54:03 UTC 2010
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall
available timing options: TIMES TIMEB HZ=100 [sysconf value]
timing function used: times
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md2                855.18k     1732.09k     2342.00k     2575.00k     2662.40k
mdc2                 0.00         0.00         0.00         0.00         0.00
md4              16213.70k    56706.21k   157499.53k   287899.83k   381457.07k
md5              13040.86k    43134.65k   112426.54k   185555.70k   228296.58k
hmac(md5)        12273.58k    41765.66k   109326.48k   184496.49k   230343.74k
sha1             11414.65k    33576.61k    72414.64k   102876.35k   117894.33k
rmd160            8291.07k    21482.65k    41282.44k    53895.00k    58734.43k
rc4              86563.98k    95285.79k    97506.37k    97709.46k    98543.12k
des cbc          11432.19k    11648.68k    11724.95k    11777.63k    11772.70k
des ede3          4123.07k     4138.75k     4154.66k     4162.05k     4128.22k
idea cbc             0.00         0.00         0.00         0.00         0.00
seed cbc             0.00         0.00         0.00         0.00         0.00
rc2 cbc          13996.01k    14320.10k    14542.58k    14539.74k    14484.95k
rc5-32/12 cbc        0.00         0.00         0.00         0.00         0.00
blowfish cbc     43255.37k    47920.37k    48867.76k    49545.33k    50041.82k
cast cbc         30137.81k    32121.24k    32618.69k    33104.10k    32622.36k
aes-128 cbc      36708.83k    39138.84k    39454.24k    39498.27k    39419.55k
aes-192 cbc      31592.87k    33304.60k    33824.65k    33721.11k    33996.80k
aes-256 cbc      27789.41k    29194.84k    29362.74k    29735.88k    29732.65k
camellia-128 cbc        0.00         0.00         0.00         0.00         0.00
camellia-192 cbc        0.00         0.00         0.00         0.00         0.00
camellia-256 cbc        0.00         0.00         0.00         0.00         0.00
sha256            7809.17k    18163.74k    32279.64k    39705.60k    42603.65k
sha512            2230.23k     8900.15k    13026.93k    18077.35k    20271.08k
aes-128 ige      37110.42k    39163.19k    40161.57k    40480.51k    39874.08k
aes-192 ige      31960.03k    33877.76k    34103.64k    34365.44k    34357.85k
aes-256 ige      28192.66k    29575.37k    29714.13k    29876.08k    29675.52k
                  sign    verify    sign/s verify/s
rsa  512 bits 0.001703s 0.000145s    587.1   6896.0
rsa 1024 bits 0.009800s 0.000494s    102.0   2026.0
rsa 2048 bits 0.062584s 0.001759s     16.0    568.5
rsa 4096 bits 0.433333s 0.006440s      2.3    155.3
                  sign    verify    sign/s verify/s
dsa  512 bits 0.001529s 0.001768s    654.0    565.7
dsa 1024 bits 0.004945s 0.005793s    202.2    172.6
dsa 2048 bits 0.017221s 0.019843s     58.1     50.4

Benchmark remote connections

The s_time option lets you test connection performance. The most simple invocation will run for 30 seconds, use any cipher, and use SSL handshaking to determine number of connections per second, using both new and reused sessions:

openssl s_time -connect remote.host:443

Beyond that most simple invocation, s_time gives you a wide variety of testing options.

# retrieve remote test.html page using only new sessions
openssl s_time -connect remote.host:443 -www /test.html -new
 
# similar, using only SSL v3 and high encryption (see
# ciphers(1) man page for cipher strings)
openssl s_time 
  -connect remote.host:443 -www /test.html -new 
  -ssl3 -cipher HIGH
 
# compare relative performance of various ciphers in
# 10-second tests
IFS=":"
for c in $(openssl ciphers -ssl3 RSA); do
  echo $c
  openssl s_time -connect remote.host:443 
    -www / -new -time 10 -cipher $c 2>&1 | 
    grep bytes
  echo
done

References:

http://www.madboa.com/geek/openssl/


Popular Posts:

flattr this!

  5 Responses to “7 Practical uses of Openssl”

  1. Excellent article, the secure telnet equivalent is very useful for debugging a server it only provides secure connections.

    Thank you.

  2. Nice one. I’ve not used the rand or speed programs.

    You might consider adding enc(1) into the mix here. I regularly use it to AES-encrypt / decrypt arbitrary files.

    I think plenty of folks don’t realize that there is a lot more than cert management provided by openssl.

  3. There ‘s probably a typo in

    echo -n “your text to be ashed” |openssl md5

    You meant “hashed”, I guess.

  4. You don’t need to use OpenSSL to generate random numbers—your kernel will give you cryptographic-strength random bits directly from /dev/random and dev/urandom—which is what OpenSSL would be using anyway.

    Also, nobody should be using MD5 any more.

 Leave a Reply

(required)

(required)


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>