Useful OpenSSL Tricks

By Van Emery

——————————————————————————–
Introduction
OpenSSL deserves a lot of credit. It is an extremely useful, valuable Open Source project. When people talk about how successful Apache is, rock-solid crypto toolkits like OpenSSL and OpenSSH should also be mentioned. Here are a few (of the many) functions that I have found useful, along with examples of how to use them:

•Base64 Encoding and Decoding
•Symmetric Encryption and Decryption of Files
•Cryptographic Hashing of Files
•S_CLIENT SSL/TLS Test Utility
These examples assume that you are using a Unix-like OS, with OpenSSL 0.9.6b or higher.

——————————————————————————–

Base64 Encode/Decode
Base64 encoding is a standard method for converting 8-bit binary information into a limited subset of ASCII characters for safe transport through e-mail systems, and other systems that are not 8-bit safe. With OpenSSL, it is very easy to encode and decode Base64 data:

$ openssl enc -base64 -in myfile -out myfile.b64

$ openssl enc -d -base64 -in myfile.b64 -out myfile.decrypt

Symmetric Encryption/Decryption of Files
As you can imagine, being able to encrypt and decrypt files with strong ciphers is a useful function. With OpenSSL, you can even use the commands in shell scripts. Here are some command line examples using the Blowfish, Triple DES, and CAST5 ciphers:

$ openssl enc -e -a -salt -bf -in tomcat.jpg -out tomcat.blowfish
enter bf-cbc encryption password:
Verifying password – enter bf-cbc encryption password:

$ openssl enc -d -a -bf -in tomcat.blowfish -out tomcat-decrypt.jpg
enter bf-cbc decryption password:

$ openssl enc -e -a -salt -des3 -in tomcat.jpg -out tomcat.des3
enter des-ede3-cbc encryption password:
Verifying password – enter des-ede3-cbc encryption password:

$ openssl enc -d -a -des3 -in tomcat.des3 -out tomcat-des3.jpg
enter des-ede3-cbc decryption password:

$ openssl enc -e -a -salt -cast5-cbc -in tomcat.jpg -out tomcat.cast5
enter cast5-cbc encryption password:
Verifying password – enter cast5-cbc encryption password:

$ openssl enc -d -a -cast5-cbc -in tomcat.cast5 -out tomcat-cast5.jpg
enter cast5-cbc decryption password:

If the file will not be transported as an e-mail attachment, you can forego the -a argument, which base64 encodes and decodes the ciphertext. Sometimes this is referred to as “ASCII armor”. The non-base64 encoded files should be smaller. Here is an example using the CAST5-CBC algorithm:

$ openssl enc -e -salt -cast5-cbc -in tomcat.jpg -out tomcat.nob64
enter cast5-cbc encryption password:
Verifying password – enter cast5-cbc encryption password:

$ openssl enc -d -cast5-cbc -in tomcat.nob64 -out tomcat-nob64.jpg
enter cast5-cbc decryption password:

Cryptographic Hashing Functions
What if you want to check to see that a file has not been tampered with? One simple way to do this is a cryptographic hashing function. This will give you a fixed-length string (called a message digest) given an input file of any length. SHA-1 and RIPE-MD160 are considered current; MD-5 is considered outdated.

$ openssl dgst -sha1 -c tomcat.jpg
SHA1(tomcat.jpg)= 92:b1:9b:96:ef:45:c3:89:b4:2e:e6:96:5b:43:bf:02:66:4a:47:8f

$ openssl dgst -ripemd160 -c tomcat.jpg
RIPEMD160(tomcat.jpg)= 68:f2:05:a9:9d:52:f1:cc:04:ed:d7:1e:42:80:0a:b8:c0:e6:cc:6d

$ openssl dgst -md5 -c tomcat.jpg
MD5(tomcat.jpg)= e7:13:d6:a7:cc:16:e3:da:0a:f7:ab:5a:fa:e3:3b:34
You can see that the md5sum utility that is shipped with most GNU/Linux distributions returns the same value as the openssl md5 message digest:

$ md5sum tomcat.jpg
e713d6a7cc16e3da0af7ab5afae33b34 tomcat.jpg
The OpenSSL dgst (message digest/hashing) command also has numerous options for signing digests, verifying signatures, etc.

S_CLIENT SSL/TLS Test Utility
OpenSSL has a great test utility available, called s_client. This lets you test servers that use SSL/TLS with a powerful command line utility. The following is an example of using s_client to view information about a secure web server:

$ openssl s_client -connect http://www.redhat.com:443

CONNECTED(00000003)
depth=0 /C=US/ST=North Carolina/L=Durham/O=Red Hat, Inc./OU=Web Operations/CN=www.redhat.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=North Carolina/L=Durham/O=Red Hat, Inc./OU=Web Operations/CN=www.redhat.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=North Carolina/L=Durham/O=Red Hat, Inc./OU=Web Operations/CN=www.redhat.com
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
0 s:/C=US/ST=North Carolina/L=Durham/O=Red Hat, Inc./OU=Web Operations/CN=www.redhat.com
i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority

Server certificate
—–BEGIN CERTIFICATE—–
MIID3TCCA0qgAwIBAgIQC4A9mzg//B7clolOw0V4WzANBgkqhkiG9w0BAQQFADBf
MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXUlNBIERhdGEgU2VjdXJpdHksIEluYy4x
LjAsBgNVBAsTJVNlY3VyZSBTZXJ2ZXIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDExMTE0MDAwMDAwWhcNMDMxMjA1MjM1OTU5WjCBgTELMAkGA1UEBhMCVVMx
FzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMQ8wDQYDVQQHFAZEdXJoYW0xFjAUBgNV
BAoUDVJlZCBIYXQsIEluYy4xFzAVBgNVBAsUDldlYiBPcGVyYXRpb25zMRcwFQYD
VQQDFA53d3cucmVkaGF0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
4MFi5Xg1rYKETCZ4inSeLJwK4/g/WcOI8JUpH7aK/Hm/e8Lz0uwagzEg/EQnACGl
o6HZsAwlNwV/H4LDXhf4I7NIfgLHmrp6qY1e3SX5qfAAPbxFl4ghiGzNdlTR2Pkn
XQhj/0eW8Pt7NdmQ6LDaMHxb2WchBQYVTYC/cK2zU+8CAwEAAaOCAXkwggF1MAkG
A1UdEwQCMAAwCwYDVR0PBAQDAgWgMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9j
cmwudmVyaXNpZ24uY29tL1JTQVNlY3VyZVNlcnZlci5jcmwwgawGA1UdIASBpDCB
oTCBngYLYIZIAYb4RQEHAQEwgY4wKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZl
cmlzaWduLmNvbS9DUFMwYgYIKwYBBQUHAgIwVjAVFg5WZXJpU2lnbiwgSW5jLjAD
AgEBGj1WZXJpU2lnbidzIENQUyBpbmNvcnAuIGJ5IHJlZmVyZW5jZSBsaWFiLiBs
dGQuIChjKTk3IFZlcmlTaWduMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAZBgpghkgBhvhFAQYPBAsWCTg3ODA1MTU1NjA0BggrBgEFBQcBAQQoMCYwJAYI
KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTANBgkqhkiG9w0BAQQF
AAN+AEBUhe0gnMw8OWcnKA5XnoglC3V9v//UIZh7lVJCaMA/K2tFAiRlmkGPsim7
H8rHpZhtTOUBqZl6PuA/VJD2wCECJ+uUYx0zUh1dKwoJKWgcaBQOQ6GsCgxsOB2a
i6wMUcAlqHZULjF1mDkM4bu0gNmLXpIMIsw9UotTvz/O
—–END CERTIFICATE—–
subject=/C=US/ST=North Carolina/L=Durham/O=Red Hat, Inc./OU=Web Operations/CN=www.redhat.com
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority

No client certificate CA names sent

SSL handshake has read 1549 bytes and written 314 bytes

New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 97D3E2DF903F5757AF8BED807F5FD9665F43300F139BDFCD1701974D97E5C5CA
Session-ID-ctx:
Master-Key: 4B2295AEDCE520F4615769135FB65EBD6E2345C88FCE4EB7450B71B17FD1A2B4460D751DC3DF05C311DA54B02A7B04D1
Key-Arg : None
Start Time: 1063899107
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

Once you have connected, you can manually type in any commands you want, such as “GET /” and “HEAD / HTTP/1.0” for secure web servers. There are also options like -no_tls1 and -no_ssl2 that let you specify which version of SSL/TLS that you want to connect with.

The -showcerts and -debug options are also worth a look.

——————————————————————————–

Resources
•OpenSSL home page
•man openssl
•man enc
•man dgst
•man s_client

http://www.vanemery.com/Linux/Apache/openSSL.html

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: