Why openssl

The STRENGTH keyword serves a special purpose: it does not introduce or remove any suites, but it sorts the list in descending order of cipher strength. Automatic sorting is an interesting idea, but it makes sense only in a perfect world in which cipher suites can actually be compared by cipher strength alone. In practice, the highest-strength suites are rarely required; you often have them in your configuration only to interoperate with picky clients.

There are two types of errors you might experience while working on your configuration. The first is the result of a typo or an attempt to use a keyword that does not exist. The other possibility is that you end up with an empty list of cipher suites, in which case you will see an error rather than a list of suites.

You can invoke the benchmark using the speed command. If you invoke speed without any parameters, OpenSSL produces a lot of output, little of which will be of interest.

A better approach is to test only those algorithms that are directly relevant to you. The first part of the resulting output consists of the OpenSSL version number and compile-time configuration. The rest of the output contains the benchmark results.

RSA is most commonly used at bits. In my results, one CPU of the tested server can perform about 1, sign (server) operations and 22, verify (client) operations every second. In practice, you care more about the sign operations, because servers are designed to provide services to a great many clients.

The clients, on the other hand, are typically communicating with only a small number of servers at the same time. You should be able to compare how compile-time options affect speed or how different versions of OpenSSL compare on the same platform.

You can also verify that the hardware acceleration is in place. Using the benchmark results to estimate deployment performance is not straightforward because of the great number of factors that influence performance in real life. Further, many of those factors lie outside TLS e.

At best, you can use these numbers only for a rough estimate. But before you can do that, you need to consider something else. By default, the speed command will use only a single process. Most servers have multiple cores, so to find out how many TLS operations are supported by the entire server, you must instruct speed to use several instances in parallel.

You can achieve this with the -multi switch. As expected, the performance is about two times better. We have to assume that the server will do other things, not only TLS handshakes. Because I also have session resumption enabled on the server—and that bypasses public encryption—I know that the performance will be even better.

As an illustration, take a look at the performance differences on a server that supports AES-NI hardware acceleration. I got the following with a software-only implementation. And here we see how the GCM performance is three to four times better. Then there is ChaChaPoly, which is a relatively recent addition.

Starting with OpenSSL 3. Going through the process is very educational, because it forces you to think about every aspect, even the smallest details. The educational aspect of setting a private CA is the main reason why I would recommend doing it, but there are others. Similarly, client certificates—which provide two-factor authentication—can significantly increase the security of your sensitive web applications.

The biggest challenge in running a private CA is not setting everything up but keeping the infrastructure secure. For example, the root key must be kept offline because all security depends on it. As you go through this section you will create two configuration files: one to control the root CA root-ca.

Although you should be able to do everything from scratch just by following my instructions, you can also download the configuration file templates from my GitHub account. As a bonus, the subordinate CA will be technically constrained, which means that it will be allowed to issue certificates only for the allowed hostnames. After the setup is complete, the root certificate will have to be securely distributed to all intended clients.

Once the root is in place, you can begin issuing client and server certificates. The main limitation of this setup is that the OCSP responder is chiefly designed for testing and can be used only for lighter loads.

Creating a new CA involves several steps: configuration, creation of a directory structure and initialization of the key files, and finally generation of the root key and certificate. This section describes the process as well as the common CA operations. Before we can actually create a CA, we need to prepare a configuration file root-ca. OpenSSL configuration files are powerful; before you proceed I suggest that you familiarize yourself with their capabilities (man config on the command line).

Because the syntax is flexible, information needs to be provided only once. For full information on each setting, consult the documentation for the ca command (man ca on the command line). Most of the settings are self-explanatory; we mostly tell OpenSSL where we want to keep our files.

Because this root CA is going to be used only for the issuance of subordinate CAs, I chose to have the certificates valid for 10 years. For the signature algorithm, the secure SHA is used by default. The third part contains the configuration for the req command, which is going to be used only once, during the creation of the self-signed root certificate.

The most important parts are in the extensions: the basicConstraints extension indicates that the certificate is a CA, and keyUsage contains the appropriate settings for this scenario. The fourth part of the configuration file contains information that will be used during the construction of certificates issued by the root CA.

All certificates will be CAs, as indicated by the basicConstraints extension, but we set pathlen to zero, which means that further subordinate CAs are not allowed. All subordinate CAs are going to be constrained, which means that the certificates they issue will be valid only for a subset of domain names and restricted uses. Second, the nameConstraints extension limits the allowed hostnames only to example.

If you wanted, you could restrict each subordinate CA to a small domain namespace. If you mark this extension as critical, such platforms will reject your certificates.

The fifth and final part of the configuration specifies the extensions to be used with the certificate for OCSP response signing. This certificate is not a CA, which you can see from the extensions. The next step is to create the directory structure specified in the previous section and initialize some of the files that will be used during the CA operation.

Certificate storage; new certificates will be placed here as they are issued. This directory is used for the certificate database index and the files that hold the next certificate and CRL serial numbers. OpenSSL will create some additional files as needed. This is very useful if you ever end up creating and deploying multiple CA certificates with the same distinguished name (common if you make a mistake and need to start over); conflicts will be avoided, because the certificates will have different serial numbers.

We take two steps to create the root CA. First, we generate the key and the CSR. In the second step, we create a self-signed certificate. Immediately after the root CA creation, the database should contain only one line. The status flag is V for valid, R for revoked, E for expired. To issue a certificate, invoke the ca command with the desired parameters. If you have a distinguished name, you can look for the serial number in the database.

Second, use the root CA to issue a certificate. I reduced the lifetime of the new certificate to days from the default of 3, For that reason, you want to keep the lifetime as short as possible.

A good choice is 30 days, provided you are prepared to generate a fresh certificate that often. Now you have everything ready to start the OCSP responder. For testing, you can do it from the same machine on which the root CA resides. However, for production you must move the OCSP responder key and certificate elsewhere. You can test the operation of the OCSP responder using the ocsp command. The process of subordinate CA generation largely mirrors the root CA process.

In this section, I will only highlight the differences where appropriate. For everything else, refer to the previous section. To generate a configuration file sub-ca.

If you used a proper web server for the OCSP responder, you could avoid using special ports altogether. With this change, whoever is preparing the CSR can put the required alternative names in it, and the information from there will be picked up and placed in the certificate.

The only difference is in the keyUsage and extendedKeyUsage extensions. Note that we specify the basicConstraints extension but set it to false.

If we left this extension out, we might end up using one specified in the CSR. Just use a different directory name, for example, sub-ca. As before, we take two steps to create the subordinate CA. All the necessary information will be picked up from the configuration file when we use the -config switch.

In the second step, we get the root CA to issue a certificate. When a new certificate is requested, all its information will be presented to you for verification before the operation is completed.

Pay special attention to the certificate distinguished name and the basicConstraints and subjectAlternativeName extensions. CRL generation and certificate revocation are the same as for the root CA.
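The root CA and technically constrained subordinate CA described above, compressed into one runnable script. This is an added example, not the book's configuration templates or its ca-command workflow: it uses openssl req and openssl x509 instead of the ca database, and the directory names, the example.com namespace, the 2048-bit keys and the lifetimes are my assumptions. The second function shows the constraint doing its job: a leaf outside the permitted namespace fails chain verification.

```shell
#!/bin/sh
# Added example, not from the original text: a minimal root CA plus a technically
# constrained subordinate CA using only openssl req/x509. Assumed values (mine):
# the namespace example.com, 2048-bit RSA, 10-year root, 5-year sub CA, 30-day leaves.
set -e
WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/ca.cnf"

make_ca() {
  mkdir -p "$WORK/root-ca" "$WORK/sub-ca" && cd "$WORK"
  # One config: an empty DN section so req accepts -subj, plus the extension sets.
  # Both CAs may only sign certs and CRLs; the sub CA adds pathlen:0 and a name constraint.
  cat > "$CNF" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[root_ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[sub_ca_ext]
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
nameConstraints = permitted;DNS:example.com
EOF
  # Root: step 1 makes the key and CSR, step 2 self-signs the certificate.
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout root-ca/root.key -out root-ca/root.csr 2>/dev/null
  openssl x509 -req -in root-ca/root.csr -signkey root-ca/root.key -days 3650 \
    -extfile "$CNF" -extensions root_ca_ext -out root-ca/root.crt 2>/dev/null
  # Sub CA: the same two steps, but the root issues the certificate.
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=Example Sub CA" \
    -keyout sub-ca/sub.key -out sub-ca/sub.csr 2>/dev/null
  openssl x509 -req -in sub-ca/sub.csr -CA root-ca/root.crt -CAkey root-ca/root.key \
    -CAcreateserial -days 1825 -extfile "$CNF" -extensions sub_ca_ext -out sub-ca/sub.crt 2>/dev/null
}

# Issue a 30-day server cert for $1 from the sub CA (issuer supplies the extensions) and verify the chain.
issue_and_verify() {
  cd "$WORK"
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:false\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$1.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$1" >> "$1.ext"
  openssl x509 -req -in "$1.csr" -CA sub-ca/sub.crt -CAkey sub-ca/sub.key -CAcreateserial \
    -days 30 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  openssl verify -CAfile root-ca/root.crt -untrusted sub-ca/sub.crt "$1.crt" >/dev/null 2>&1
}
```

Run make_ca once, then issue_and_verify for each hostname; a name outside example.com is rejected with a permitted-subtree violation.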

For them, the solution is to invest in a Hardware Security Module (HSM), which is a type of product specifically designed to make key extraction impossible, even with physical access to the server. To make this work, HSMs not only generate and store keys, but also perform all necessary operations e.

HSMs are typically very expensive. Indeed, the earlier versions of this very book used this command in the examples.

However, genrsa is a legacy command and should no longer be used. There is an entire new family of commands that deal with private keys in a unified manner i. You should also be aware that genrsa outputs keys in a legacy format. This is nothing to worry about.

It only means that the suite is compatible with this old and obsolete protocol version. Your configuration will not downgrade to SSL 3. However, because robust forward security is a key feature in TLS 1.

Key size: the default key sizes might not be secure, which is why you should always explicitly configure the key size. Passphrase: using a passphrase with a key is optional, but strongly recommended. Note: according to Section 5.

Warning: when a certificate contains alternative names, all common names are ignored. PKCS#8 key: the new default format for the private key store.

Suite name; required minimum protocol version; key exchange algorithm; authentication algorithm; encryption algorithm and strength; MAC (integrity) algorithm. Note: you may notice that all TLS 1.

Table 1. Security levels:
Allows all features enabled at compile time.
Level 1: the security level corresponds to a minimum of 80 bits of security.
Level 2: security level set to bits of security.
Level 3: security level set to bits of security.
Level 4: security level set to bits of security.
Level 5: security level set to bits of security.

Note: even though there is a separate configuration string for TLS 1. This is determined at compile time and must be the first cipher string specified.

This currently means those with key lengths larger than bits, and some cipher suites with bit keys. No longer supported.

Including and bit algorithms. There are two keywords for TLS 1. These keywords do not affect protocol configuration, just the suites. Obsolete and insecure. Note: the digest algorithm keywords select only suites that validate data integrity at the protocol level. Removed in 1. This is currently the anonymous DH algorithms.

OpenSSL can be used to generate password hashes through the passwd command. This facility can be used to automate user provisioning or to conduct system-wide password updates.

If your authentication system does not support MD5, passwords can be created with crypt.

Certificate Authorities (CAs) are responsible for issuing digital certificates and proving the identity of the entity requesting the certificate.

Digital certificates contain several pieces of information, including: a certificate version, a serial number to uniquely identify the certificate, an Issuer attribute to identify the organization that issued the certificate, a range of dates during which the certificate is valid, a Subject attribute to identify the site the certificate has been issued to, and a digital signature.

The digital signature is used by clients and servers to ensure that the individual represented by the certificate is actually who they say they are. When an organization wants to request a digital certificate from a certificate authority, they will need to submit a certificate signing request (CSR).

The certificate signing request contains a public key, a common name e. The following example shows how to generate a certificate signing request. During the request generation process, two bit RSA keys are generated, and various pieces of information are gathered.

The openssl utility will prompt for a pass-phrase, which is used to encrypt the contents of the private key. Once the keys are generated, the private key will be PEM encoded and placed in the file secret. The certificate signing request is placed in the file cert. This file contains the public key, locality information, and a common name to uniquely identify the site.

You can print the contents of the certificate signing request with the req command. Once you have verified the certificate signing request, you can submit the contents to your favorite Certificate Authority.

The certificate authority will use the contents of this file along with their private key to generate a digital signature. The certificate authority will also assign an expiration date, and incorporate additional attributes to uniquely identify the certificate authority. Digital certificates can be stored in several formats. OpenSSL can print the contents of both certificate formats with the x commands. The following example will print the contents of the PEM encoded certificate cert.

As mentioned above, digital certificates can be stored in a variety of formats. This can cause problems when a certificate needs to be migrated between heterogeneous web servers, or distributed between application components. Once the certificate has been converted, it will be placed in the file cert.
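The CSR generation, inspection and PEM/DER conversion described above, as an added example rather than the original article's commands. The subject fields, the file names and the use of an unencrypted key (so it runs unattended) are my assumptions; with a passphrase-protected key you would answer the prompt instead.

```shell
#!/bin/sh
# Added example, not from the original article: create a CSR, check it before
# submitting it, then convert a certificate between PEM and DER. Assumed (mine):
# 2048-bit RSA, the subject below, and -nodes so no passphrase prompt appears.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_csr() {
  cd "$WORK"
  # Minimal config so req accepts -subj without relying on a system openssl.cnf
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout secret.pem -out cert.csr \
    -subj "/C=US/ST=CA/L=San Jose/O=Example Corp/CN=www.example.com" 2>/dev/null
  # The CSR is self-signed with the new key; -verify checks that signature
  openssl req -in cert.csr -noout -verify >/dev/null 2>&1
}

# Extract the common name from the CSR, e.g. to confirm it before submission
csr_common_name() {
  openssl req -in "$WORK/cert.csr" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Self-sign the CSR (stand-in for the CA), then convert PEM -> DER and DER -> PEM.
# Returns 0 only if both encodings hold the same certificate (same SHA-256 fingerprint).
convert_cert() {
  cd "$WORK"
  openssl x509 -req -in cert.csr -signkey secret.pem -days 365 -out cert.pem 2>/dev/null
  openssl x509 -in cert.pem -outform DER -out cert.der
  openssl x509 -in cert.der -inform DER -out cert2.pem
  a=$(openssl x509 -in cert.pem -noout -fingerprint -sha256)
  b=$(openssl x509 -in cert2.pem -noout -fingerprint -sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}
```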

The ssl-service-check script can be used to check whether an SSL-enabled website is accepting new connections. If the server fails to return a valid response, a message is logged via syslog and an e-mail is sent to the on-call pager.


OpenSSL is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions. For a list of vulnerabilities, and the releases in which they were found and fixes, see our Vulnerabilities page.
