OpenSSL

From Ye Ole Stash

Apache Settings for SSL

Whatever else you do, the very least you need to do is turn off SSLv2!!
  • Pretty decent settings for Apache/mod_ssl; the SSLProtocol line below drops everything and then re-enables only SSLv3 and TLSv1, so SSLv2 is gone. These cover most modern browsers. There are more secure options, but they might limit access.
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

SSL Cert Generation (Self Signed)

No CSR

  • Current browsers reject SHA-1-signed certificates, so use -sha256 in place of -sha1 for anything a browser will connect to.
openssl genrsa 2048 > $yourkey.key
openssl req -new -x509 -nodes -sha1 -days 3650 -key $yourkey.key > $yourcert.cert

Create PEM

cat $yourcert.cert $yourkey.key > $yourpem.pem

With CSR

View Cert

openssl x509 -noout -text -in $server.crt
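The "No CSR", "Create PEM" and "View Cert" steps above, as an added example that is not from the wiki page: the three commands wrapped in functions, plus a check that the certificate actually belongs to the key, which is the usual thing that goes wrong when files get copied around. It assumes the openssl CLI is installed; the directory and file names, and the -subj value, are our own choices.

```shell
#!/bin/sh
# Added example, not from the wiki: the "No CSR" / "Create PEM" / "View Cert"
# steps as functions, plus a check that the cert really belongs to the key.
# Assumes the openssl CLI is installed. Directory and file names are our own.

# make_selfsigned DIR NAME CN -> writes NAME.key, NAME.cert and NAME.pem into DIR
make_selfsigned() {
    dir=$1; name=$2; cn=$3
    mkdir -p "$dir" || return 1
    # 2048-bit RSA key; -out gives it the .key suffix the later commands expect
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null || return 1
    # Self-signed cert valid 10 years, no passphrase (-nodes). -sha256 instead of
    # the page's -sha1: SHA-1 signatures are rejected by current browsers.
    # -subj fills the subject so the command runs without prompts.
    openssl req -new -x509 -nodes -sha256 -days 3650 \
        -key "$dir/$name.key" -subj "/CN=$cn" -out "$dir/$name.cert" || return 1
    # PEM bundle in the page's order: certificate first, then key
    cat "$dir/$name.cert" "$dir/$name.key" > "$dir/$name.pem"
}

# cert_matches_key CERT KEY -> prints "match" when the public key inside the
# cert equals the public key derived from the private key, "MISMATCH" otherwise.
# Catches the classic "wrong key deployed with this cert" error before Apache does.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    if [ -n "$c" ] && [ "$c" = "$k" ]; then echo match; else echo MISMATCH; fi
}

# cert_subject_cn CERT -> prints just the CN (handles both the older
# "subject= /CN=x" and the newer "subject=CN = x" output formats)
cert_subject_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# view_cert CERT -> the full text dump the page shows under "View Cert"
view_cert() {
    openssl x509 -noout -text -in "$1"
}

# Stand-alone run ("sh thisfile.sh demo"): build a throwaway cert under a
# temp dir, check it against its key, show the top of the text dump
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_selfsigned "$d" server example.test && \
        echo "key/cert check: $(cert_matches_key "$d/server.cert" "$d/server.key")" && \
        view_cert "$d/server.cert" | head -n 12
    rm -rf "$d"
fi
```

The comparison works on the SubjectPublicKeyInfo PEM that both `x509 -pubkey` and `pkey -pubout` emit, so it is independent of key type and of how the cert was signed.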

CLI Tests/Checks

Web
  • openssl s_client -host $HOST -port 443 -[ssl3/ssl2]
This is a great way to check whether your web server is still running SSLv2, which is bad!
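The same s_client check, as an added example that is not from the wiki page: it loops over the protocol version flags and decides accepted/refused from what s_client prints instead of by reading the output by eye. It assumes the openssl CLI is installed; the probe itself needs network access, while the two parsing functions run offline on captured output, and the two SAMPLE_* strings are constructed, abridged s_client transcripts, not captures from a real host.

```shell
#!/bin/sh
# Added example, not from the wiki: wraps the s_client check in a loop over
# protocol versions and decides pass/fail from the s_client output rather
# than by eyeballing it. Needs the openssl CLI; the probe needs network
# access, the parsing functions work offline on captured output.

# handshake_ok OUTPUT -> exit 0 when s_client completed a handshake.
# A completed handshake prints "New, <proto>, Cipher is <name>"; a refused
# protocol prints "New, (NONE), Cipher is (NONE)" or no "New," line at all.
handshake_ok() {
    printf '%s\n' "$1" | grep -q '^New, [^(]'
}

# negotiated_protocol OUTPUT -> the "Protocol  : X" value from the SSL-Session block
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# probe_protocol HOST PORT FLAG -> one line: ACCEPTED or refused for that flag.
# Caveat: OpenSSL 1.1.0+ has no -ssl2 at all and most builds leave out -ssl3,
# so "unknown option" from openssl itself also lands in the refused branch;
# run `openssl s_client -help` to see which version flags your build has.
probe_protocol() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1)
    if handshake_ok "$out"; then
        echo "$1:$2 $3 ACCEPTED (negotiated $(negotiated_protocol "$out"))"
    else
        echo "$1:$2 $3 refused"
    fi
}

# scan_protocols HOST [PORT] -> probe every version flag; anything older than
# TLSv1.2 showing ACCEPTED is a finding to fix in SSLProtocol.
scan_protocols() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        probe_protocol "$1" "${2:-443}" "$flag"
    done
}

# Constructed, abridged s_client output for offline checks of the parsers
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

SAMPLE_REFUSED='CONNECTED(00000003)
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

# Stand-alone run: "sh thisfile.sh www.example.test [port]" scans that host
if [ -n "${1:-}" ]; then
    scan_protocols "$1" "${2:-443}"
fi
```

Because the decision key is the "New, ..." line, the script does not get fooled by the SSL-Session block, which still lists the requested protocol even when the handshake was refused.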
Related Scripts

  • If you go to your SSL directory and run this (assuming all your SSL config files are in there), it should add the SSLv3 setting on CentOS 4 boxes. SSLv3 is the default on RHEL/CentOS 5 boxes. Note that it inserts a line after every SSLCipherSuite it finds, each time it is run.
for i in *; do
  [ -f "$i" ] || continue
  sed -i '/SSLCipherSuite/ a\
SSLProtocol SSLv3' "$i"
done
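An added example, not from the wiki, that ties the "Apache Settings for SSL" section and the loop above together: it audits a directory of mod_ssl config files for whether SSLv2 ends up enabled, and inserts the page's recommended SSLProtocol line only where no SSLProtocol directive exists yet, so re-running it is safe. It assumes GNU sed (for -i) and a POSIX awk, ignores <VirtualHost> scoping (the last SSLProtocol line in a file wins), and deliberately treats "all" as including SSLv2, as the mod_ssl 2.0/2.2 documentation defines it.

```shell
#!/bin/sh
# Added example, not from the wiki: audits Apache/mod_ssl config files for the
# SSLv2 setting the page warns about, and applies the page's SSLProtocol line
# without duplicating it on re-runs. Assumes GNU sed (for -i) and a POSIX awk.
# Simplification: the last SSLProtocol line in a file wins; VirtualHost
# scoping is ignored.

# sslv2_status [FILE] -> "enabled", "disabled" or "default" (no SSLProtocol
# line, so the build default applies). Reads stdin when no file is given.
# Assumption, stated on purpose: "all" counts as including SSLv2, as the
# mod_ssl 2.0/2.2 docs define it, so an "SSLProtocol all" line is a finding.
sslv2_status() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        tolower($1) == "sslprotocol" {
            seen = 1; v2 = 0                      # a directive starts from an empty set
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all" || t == "+all" || t == "sslv2" || t == "+sslv2") v2 = 1
                else if (t == "-all" || t == "-sslv2") v2 = 0
            }
            last = v2
        }
        END { if (!seen) print "default"; else print (last ? "enabled" : "disabled") }
    ' "$@"
}

# ensure_protocol_line FILE -> inserts the page's recommended SSLProtocol line
# after SSLCipherSuite, but only if the file has no SSLProtocol directive yet.
# The page's loop appends a new line on every run; this one is idempotent.
ensure_protocol_line() {
    grep -qi '^[[:space:]]*SSLProtocol' "$1" && return 0
    sed -i '/SSLCipherSuite/ a\
SSLProtocol -ALL +SSLv3 +TLSv1' "$1"
}

# audit_dir DIR -> one line per regular file: status, then file name
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%-9s %s\n' "$(sslv2_status "$f")" "$f"
    done
}

# Stand-alone run ("sh thisfile.sh /etc/httpd/conf.d"): audit, fix, audit again
if [ -n "${1:-}" ]; then
    audit_dir "$1"
    for f in "$1"/*; do
        [ -f "$f" ] && ensure_protocol_line "$f"
    done
    audit_dir "$1"
fi
```

A file reported as "default" has no SSLProtocol line at all, which means whatever the installed mod_ssl build defaults to; on the CentOS 4 boxes the page is talking about, that is exactly the case the loop above is meant to fix.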