OpenSSL

Voir aussi :

• Infrastructure de Gestion de Clefs
• Mod_SSL

On line tools:

• http://www.sslshopper.com/ssl-certificate-tools.html

• http://huddledmasses.org/code-signing-with-openssl-and-powershell/
• http://www.top20toolbar.com/misc/codesigncert.htm

• http://isc.sans.edu/diary.html?storyid=8686

 openssl s_client -connect isc.sans.org:443

on line tools:

• Thawte SSL Toolbox Check certificate installation

On this page you'll find how to create only one file which contains your certificate and others chain certificates (Concatenate them in one), like, I think, you could have only one configuration directive to use : the CertificateFile, and to not need the CertificateChainFile anymore :

http://help.globalscape.com/help/eft5/admin/certificate_chaining.htm

http://www.fil.univ-lille1.fr/~wegrzyno/portail/PAC/Doc/TP5/tp-certif002.html

  # Génération des clés
  openssl genrsa -out maCle.pem 1024
  # Exportation de la partie publique
  openssl rsa -in maCle.pem -pubout -out maClePublique.pem

La CSR (Certificate Signing Request) est un fichier contenant les informations de votre demande de certificat, y compris votre clé publique.

  openssl req -nodes -newkey rsa:2048 -keyout monserveur.key -out serveur.csr

https://www.golinuxcloud.com/create-certificate-authority-root-ca-linux/#Step_4_Create_Certificate_Authority_Certificate

Afficher les données d'un CSR:

openssl req -in theCertificateSigningResquest.csr -noout -text

Afficher les données d'un certificat encodé PEM:

openssl x509 -in theCertificate.crt -noout -text

CVE-2014-0160, CVE-2014-0160 on nist.gov

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

• Thawte SSL Toolbox Check certificate installation
• Heartbleed test

L'analyse de l'APRIL : “HeartBleed, tous à poil sur Internet”

On ne peut pas crypter un fichier avec une clé publique, la taille ne correspondra pas à l’algorithme. On créé donc un secret aléatoire que l'on chiffre avec la clé publique (asymétrique) et avec lequel on chiffre le fichier (symétrique). Pour déchiffrer la fichier on retrouve le secret en le déchiffrant avec la clé privée.

# blowfish may be faster in code implementation,
# but recent cpu embed hard coded aes which should be faster ;-)
#ALGO=-blowfish
ALGO=-aes256
 
# Create a random secret:
#  - secret size must be compatible with RSA
#  - use hex because base64 add newline
#    which will shorter the secret in next commands
#    because only first line will be used.
SECRET=`openssl rand -hex 64`
 
# encrypt the secret:
echo $SECRET \
 | openssl rsautl -encrypt -inkey /home/debian/.ssl/public.pem -pubin -out ${THE_FILE}.key
# encrypt file with the secret:
echo $SECRET \
 | openssl enc $ALGO -pbkdf2 -salt -pass stdin -in $THE_FILE -out ${THE_FILE}.ssl
 
# decrypt the secret:
SECRET=`openssl rsautl -decrypt -inkey ~/.ssl/private.pem -in ${THE_FILE}.key`
# decrypt the file:
echo $SECRET \
 | openssl enc -d $ALGO -pbkdf2 -salt -pass stdin -in ${THE_FILE}.ssl -out ${THE_FILE}.clear

Sources:

• https://wiki.openssl.org/index.php/Enc
• https://unix.stackexchange.com/questions/507131/openssl-1-1-1b-warning-using-iter-or-pbkdf2-would-be-better-while-decrypting
• https://www.devco.net/archives/2006/02/13/public_-_private_key_encryption_using_openssl.php
• https://linuxconfig.org/using-openssl-to-encrypt-messages-and-files-on-linux
• https://raymii.org/s/tutorials/Encrypt_and_decrypt_files_to_public_keys_via_the_OpenSSL_Command_Line.html