|
Espace Wiki ∂'Alembert Espace Guide de survie du SysAdmin Espace Guide de survie du Développeur Espace Institut ∂’Alembert Le Site Aide PmWikiFr Help PmWiki |
Vous êtes dans un espace restreint en écriture. Note de SécuritéLes recommandations de l'ANSSI indique qu'il ne faut pas utiliser SSL mais lui préférer le protocole TLS en version 1.0 minimum est . Mozilla propose, pour des navigateurs modernes, d'utiliser TLS 1.1 au minimum. Il offre egalement un outil de configuration SSL pour apache, nginx, HAproxy et AWS ELB Création d'une certificat autosigné
openssl req -x509 -newkey rsa:2048 -days 365 -out test.crt -keyout test.key [...]
cat <<-EOT | openssl req -x509 -newkey rsa:2048 -days 365 -nodes -out test.crt -keyout test.key FR Institut d'Alembert hub.dalembert.upmc.fr prout@dalembert.upmc.fr EOT [...] Lecture d'une certificat
$ openssl x509 -in test.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 14877383625278772316 (0xce7715955bf4545c) Signature Algorithm: sha1WithRSAEncryption Issuer: C=FR, ST=France, O=Institut d'Alembert, CN=hub.dalembert.upmc.fr/emailAddress=prout@dalembert.upmc.fr Validity Not Before: Oct 19 17:00:38 2015 GMT Not After : Nov 18 17:00:38 2015 GMT Subject: C=FR, ST=France, O=Institut d'Alembert, CN=hub.dalembert.upmc.fr/emailAddress=prout@dalembert.upmc.fr Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c3:a2:5b:b8:57:f6:c7:ec:d6:19:3b:d0:e2:78: c1:1a:a3:d6:2f:c4:f9:2e:41:40:d6:35:72:64:d8: 3d:db:0e:d5:a7:09:d4:3b:dd:1e:5e:bf:30:6a:8d: 50:1c:0d:5a:15:86:46:26:1a:b2:2f:72:09:1b:52: e9:e2:24:a1:76:71:eb:6f:8c:08:a4:8b:cf:f1:db: 70:50:82:b5:02:49:f5:7f:c3:2f:ae:b2:22:83:f4: e5:85:22:1f:4c:fd:3e:9b:bc:4e:4a:1e:1a:54:c4: d4:da:21:1b:1c:3e:03:c7:f3:2f:d0:8c:e5:e5:1e: 11:c9:9f:99:cb:20:76:36:2e:6c:3e:ac:c7:d5:68: d5:0f:5d:99:aa:ff:3f:ef:5d:6e:6d:0e:7e:0e:d7: 11:52:d4:73:91:8f:95:eb:e1:49:e1:41:1b:1a:f1: c2:97:a2:8b:fa:26:dd:b5:38:97:ee:96:29:a1:72: 67:c4:71:a3:eb:ee:53:b6:42:aa:00:a6:87:d1:83: 69:a6:76:10:9b:06:25:f0:79:3f:3f:3a:f3:60:bd: d8:5e:bf:33:9f:0f:3f:e2:49:8e:bc:96:ee:62:0b: de:32:1b:ea:b7:2f:96:2d:d9:98:2b:6a:e8:93:38: 98:60:16:ca:7c:46:d1:15:e3:ef:ab:63:2f:e5:12: b8:29 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: E8:95:3F:4D:64:30:B9:0C:CE:EA:80:2F:F6:8C:38:FE:39:15:FA:CD X509v3 Authority Key Identifier: keyid:E8:95:3F:4D:64:30:B9:0C:CE:EA:80:2F:F6:8C:38:FE:39:15:FA:CD X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption 08:5a:da:8d:84:8f:40:ff:50:05:d6:19:02:bf:4d:4a:fd:45: 0a:99:52:16:cf:62:17:6c:55:38:b1:57:99:e8:3e:4e:3a:66: f2:86:93:c9:08:a6:83:f0:f9:b1:6a:82:25:b2:fb:f8:9c:48: 77:37:f5:35:85:6a:72:5e:49:57:d7:e4:d3:5c:3d:f9:21:d6: f8:d7:fb:24:48:64:c9:d0:66:0a:c7:1a:a9:e0:0b:3b:ac:a0: 81:1e:f7:18:f5:9b:cd:26:b2:51:7e:9d:1d:d0:59:48:9b:a3: d2:78:3d:7a:27:d2:22:35:ee:ce:0e:03:0b:98:28:99:f9:3e: f7:6c:f8:53:5f:70:75:39:1d:b0:34:96:30:2c:03:ab:28:9c: dc:59:f3:5c:e5:f8:55:ad:9f:00:bb:15:71:c3:83:b0:a0:71: 30:d0:01:7b:c8:38:92:32:1c:fd:38:11:51:d3:d2:fc:de:07: b5:17:b7:35:d8:cd:69:2b:61:95:d8:8a:d2:a8:36:84:ab:5e: b7:01:9c:5b:cc:35:57:49:3e:e0:f0:e5:21:c3:15:a6:65:fb: 8b:f5:11:a4:47:3d:0a:6a:bf:66:9e:f7:c0:29:60:d5:fd:1b: 3e:c5:32:61:f8:01:0a:5d:1e:a8:36:07:ca:d9:02:a3:f0:45: 88:11:e0:70 Opérations AvancéesDétections des versionsl'ANSSI fourni des scripts pour testers les versions de SSL/TLS coté client et coté serveur. PrérequisIl faut, sous débian, recompiler la paquet tests des serveursfor v in ssl2 ssl3 tls1 tls1_1 tls1_2; do echo -n "$v " openssl s_client -cipher ALL -connect www.dalembert.upmc.fr:443 -$v </dev/null >&/dev/null || echo -n 'not ' echo 'supported' done tests des clients
# openssl req -x509 -newkey rsa:2048 -nodes -out test.crt -keyout test.key Generating a 2048 bit RSA private key ............................................................................................................+++ .....................................+++ writing new private key to 'test.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:FR State or Province Name (full name) [Some-State]:France Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]:Institut d'Alembert Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:hub.dalembert.upmc.fr Email Address []:prout@dalembert.upmc.fr
$ openssl s_server -cipher ALL -cert test.crt -key test.pem -tls1 -www -accept 4000 Using default temp DH parameters Using default temp ECDH parameters ACCEPT tester une connexion avec opensslIci on test un serveur imap & openssl s_client -connect imap.dalembert.upmc.fr:995 CONNECTED(00000003) depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3 verify return:1 depth=0 C = FR, L = Paris, O = Universit\C3\A9 Paris 6 Pierre et Marie Curie, CN = imap.dalembert.upmc.fr verify return:1 --- Certificate chain 0 s:C = FR, L = Paris, O = Universit\C3\A9 Paris 6 Pierre et Marie Curie, CN = imap.dalembert.upmc.fr i:C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3 1 s:C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 3 i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA --- [...] No client certificate CA names sent --- SSL handshake has read 3290 bytes and written 650 bytes Verification: OK --- New, SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated [...] --- +OK dovecot ready. On voit avec que la validation SSL fonctionne: SSL handshake has read 3290 bytes and written 650 bytes Verification: OK Et que dovecot a prit la main +OK dovecot ready. |