Thursday, April 4, 2013

OpenSSL trick#3 s_server

Okay this is the final tip and trick with openssl.

Most web systems engineers, 1st use of the openssl utility is for creating a csr and/or using the s_client to pull a cert from an active website. In this post we are going to talk about the s_server option. It's one of my most  favorite option within openssl function, but most likely; " nobody ever uses or heard of it".

s_server is used mainly if you want to test a certificate before you upload it onto a webserver,  server-load-balancer, or into  a SSL inspection device ( SSL-DPI, DLP appliance, firewalls, DoS Layer7 application monitoring appliances,........)

1st I'm going to walk you thru the process to create a csr ( certificate signing request ) and a self-sign certificate.

A: We will have to make a key, this is a private key and is used by the web-server. It's the key that basically says " I can decode the data"

sh-3.2$ openssl genrsa -des3 -out www.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................................................................+++
.+++
e is 65537 (0x10001)
Enter pass phrase for www.key:
Verifying - Enter pass phrase for www.key:
sh-3.2$


B: now we make a CSR. In the real life, this CSR would be submitted to a CA to be signed

openssl req -new -key www.key -out www.csr

note: It's going to prompt you for some site specific information & details

sh-3.2$ openssl req -new -key www.key -out www.csr
Enter pass phrase for www.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:IL
Locality Name (eg, city) []:Harlem Park
Organization Name (eg, company) [Internet Widgits Pty Ltd]:socpuppets
Organizational Unit Name (eg, section) []:myblog example
Common Name (eg, YOUR name) []:KenFelix
Email Address []:kfelix@hyperfeed.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
sh-3.2$

 

Up to this point we have a CSR that could be sent to a ssl order site, for purchasing a certificate.
 http://www.sslshopper.com/ 

C: Here we are going to sign our own cert;

 sh-3.2$ cp www.key  www.key.backup

sh-3.2$ openssl rsa -in www.key.backup -out www.key
Enter pass phrase for www.key.backup:
writing RSA key


sh-3.2$ cat www.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAuSAZNXq9MXIiuFjHv6sRWn3Xj0nWgO6E0Dwedcj2wQpvgtOd
+Q5ZYh7au8qUznlvXPAsW7/GB21xu5rinOGhzm1QSg9FbFpGzNOB1vvSWewzhsVo
ddceeuXRz4VYSCfPBGmQ+H6guBAsIeRX0xUObRgsXb7rtce5k9oRe+5uBYLwMboL
ytaLzU8EnJcLWKfQf9w/OGPHMiF3pfOTXi8G0LGdsGMjdP3jFdrHgRbgtjLSMLTY
9wEnMCYNe4yi5UZa861P4pyCSAyWEaLtdMT1lwTKPS/UGG+kiIpJAD7CjvYDO8Bu
eSbEGtCoVTNSOJ3xfzDG2iqg9Uz8n2TNnq9UdQIDAQABAoIBAG6Q8z1zryenCYGc
1MBvBZBMdMBJ02lyC7TrEy459tZYyz0R8tnbbhsiXnWmirW+5XpWn8e0hCvPfAwW
d55HTIKj2z5AXLBYQsz2zid+g6XdYvDtWnR3JOc199e/xnhh/kyeWE1yI7+LOTCM
1r9lZhZWR7k93D3Xqcjah3LDdsam5jnSv/yWbrgrWqsiqg7HbQ7IsKgUHKqVFxCv
Qj4N1k43+nVpcJe+jHx1FFv33wa5bhVbGgCvCDrqH0ZXMLVqsbUDf2iF5Zo8Y6Yb
SFcCFRKx3SC59uheYMM1YuiNwa/g/QUt3L7qZAKH1qyfyr5rkciqT3GfJQ5NmNCP
g59y/EECgYEA8OQ0ZFljD+o6h0VIqTmeqKoIi+cIysEWjtdI/2HxhzK4eVAeavWL
nEqAonu7EnXuCfTFkqPDwfZR7zDmPOWhHfe4U6KsxF5NPpQOg/4bOI4BDQlsMNNa
mG5KyyKar9wszPWHfXXdilqOnblokg6VVI+GOXqkK4LG6El3tGSdlkkCgYEAxLyB
ISLY4ENxtZxI0PTkvYcs0nUm5PUXt7RLM5YAfQOAt8WhaN5dW/O/b23zDMW2uMfj
nGxE79qtm50UrIZugHFSNTctUws71+ztuSYEvU4I4YKRSwNUsKH79LQG+UWp02kC
0IP90rWSd04d0QK2HMwc0s4oK2bdW9v18JeeHM0CgYEAlpK+oP8yqa8KeKV5HrYy
k1D9WJ3IZBw/wneVXHTXaV/t6X6IFOl5I+956paWv5pReY2ztc6BvYr/ehjBwczz
Ye0HHdgwT+p2NCiNzjmWwEobJBAAvaBPH7rJK6JsuIJSyqaq02RKX4HtZW+QisNs
2leAWgtr9Pqg5G+P0IWX72kCgYBKUkQd9oIjxpbQWugPOFSpXMWMBAHbgNOi7JN0
O3iXwZkA08I0UbzHHf/14n1tF8v9ZlYQI76vNddb8C19N5PLJgQ+YkfXFWlYGwN7
bGdh9Hbaam7k/a8iwy7htJjl1nFfkk4j45kh3sIkG/ibmwCdRGanJIZ8TvHU3/W7
HCv5CQKBgDZDIu8PTDeMc32yVzmBZGyFtDR+w2E0uamWG9pf7pgrP5zO7T70YRab
2y9R529+NwUXw95Immha7Ln1vYW3QvCRdWiqoEUcWIDwooUimVhICqOeb7PNgSJx
8gf+VhL/AKF7/3q/xftPPSfJp5f8WVQEBFLrAYxW4gGSwHrG7cOb
-----END RSA PRIVATE KEY-----
sh-3.2$



note: This key is the server private-key, and that means you protect this key. If this key is compromised, than all security is lost, and you would have to renew the key and re-sign the cert with the new key.

If you had generated a CSR and submitted it to a CA, you would probably destroy the cert and key, and craft a new CSR with a new key.

D: Now we self-sign our csr , & with the private-key that has any passphrases removed;

sh-3.2$ openssl x509 -req -days 1 -in www.csr -signkey www.key  -out webserver.crt
Signature ok
subject=/C=US/ST=IL/L=Harlem Park/O=socpuppets/OU=myblog example/CN=KenFelix/emailAddress=kfelix@hyperfeed.com
Getting Private key
sh-3.2$



noted the -signkey and how it tells you it's a private-key :)

So up to step D, all website would have to generate a key + csr. Step D is only used in this case, since I'm cheap,  and did not want to have a cert signed by a recognize CA ( certificate Authority ).

So I could valid my work by re-reading the newly crafted/ordered certificate back, with openssl;

openssl x509 -in webserver.crt -noout  -text

Output was not shown due to size.

Okay now for s_server, you have a certificate signed by a CA,  or self-sign certificate,  and let's say now you want to test it's functionality.

1: 1st let's start up openssl with  ssl_server ( hench the name s_server ) and we will attach our cert and key to this server .

By default  openssl s_server runs on port#4433 and uses tls1. I'm going to demostrate port #443, which requires  root access to bind to a port <1023

sh-3.2$ sudo openssl s_server -key www.key -cert webserver.crt -www  -port 443
Password:
Sorry, try again.
Password:
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT


note: if you don't have permission for the port you will get the following error on screen

bind: Permission denied

 But for testing, you can  & should use the default 4433/tcp.port unless,  you have other specific issues.

2: (optional) we validate we have a listener on  the tcp.port 443 in my example;



sh-3.2$ netstat -an -f inet | grep  443
tcp4       0      0  *.443                  *.*                    LISTEN
sh-3.2$


3: okay so we have a listener  bound to tcp/443 & with my newly crafted certificate and key, let's test with a browser locally to localhost

OKAY this looks good;





and



And finally when we completed the acceptance, we get a page  that spells out  a lot of good details;




 and finally, we can see the messages in a unix shell;


 sh-3.2$ sudo openssl s_server -key www.key -cert webserver.crt -www  -port 443
Password:
Sorry, try again.
Password:
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT
ACCEPT



Other cool cmdline options; -state and -msg if you need debug details , and verbose vrs terse outputs;


 sh-3.2$ sudo openssl s_server -key www.key -cert webserver.crt -www  -port 443 -state
Password:
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL_accept:SSLv3 read client key exchange A
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write session ticket A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
SSL3 alert read:warning:close notify
ACCEPT
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL_accept:SSLv3 read client key exchange A
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write session ticket A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
ACCEPT



And finally, you can control the server ciphers and  ssl protocol type ( tls  vrs  ssl ). You might want to do this, if you restrict the server to a cipher specific listing and want to test functionality;

sh-3.2$ sudo openssl s_server -key www.key -cert webserver.crt -www  -port 443 -ssl3 -cipher RC4-MD5
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT


and



Okay to recap, the s_server allows us to test certificates and keys, and to validate the ssl function.

Son in a few of my past roles, we always run into that web-developer, or the security guy doing ssl-inspection, and when he/she has problems, they always either blame the network, server or certificate.

With s_server, you can validate the certificate/key, and dis-prove any function discrepancies with the certificate/key.

I also like doing the above, when customer give me an unknown  cert/key of an questionablebackground, and I have doubts or faith in the certificate/key combo.

But I will warn you, if you can read-in a certificate  &  from  the cmd line with openssl x509 -in "certificate name", than 9 out of 10 times, the cert is going to work. But that process alone,  does not validate the server  private-key.

Where I seen the biggest issues at,  was when I did ssl-inspections and clients gave me the wrong key for the certificate. And in some appliances, it's a bear or challenging to  remove improper cert/key combos. Openssl s_server can easily test and eliminate these problems before installation & setup.

This last examples, show 2 instance of the wrong key being used;  with  a certificate , and one  that challenges for the passpharses that was left in a key.

note: You probably don't want this, due to http-servers daemons, would not load the key until you  input the passphrase

So once again , the s_server can identifiy that issues , before it becomes an issues. :


i.e

sh-3.2$ sudo openssl s_server -key mykey.key -cert webserver.crt -www  -port 443
Password:
Using default temp DH parameters
Using default temp ECDH parameters
error setting private key
3344:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_cmp.c:406:



sh-3.2$ sudo openssl s_server -key server.key -cert webserver.crt -www  -port 443
Enter pass phrase for server.key:
Using default temp DH parameters
Using default temp ECDH parameters
error setting private key
3350:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_cmp.c:406:
sh-3.2$



So if you dealing with the real world, and some it ITshop gives you a cert/key and  it either;

  • doesn't work
  • give you a host of problems
  • or you have doubts


Test it with Openssl and with the  s_server option.

I hope this post has been helpful,  and entertaining

Ken Felix
Freelance Network/Security Engineer

kfelix a-t hyperfeed d-o-t com



No comments:

Post a Comment