Wow! Our OpenSSL section sucks. Rewrite it because there is nothing
else to do at 4:00 in the morning. Ensure to cover: o How ports interact with base and port versions of OpenSSL; o Generating certificates; o Generating CA keys; o Add an example of using certificates with Sendmail. Needs severe beating for keeping me up: Brad Davis :-)
This commit is contained in:
Tom Rhodes
parent
222b6c71c2
commit
014520247e
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=22182
1 changed files with 196 additions and 27 deletions
|
|
@ -3636,44 +3636,213 @@ jdoe@example.org</screen>
|
|||
</sect1>
|
||||
|
||||
<sect1 id="openssl">
|
||||
<sect1info>
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
<surname>Rhodes</surname>
|
||||
<contrib>Written by: </contrib>
|
||||
</author>
|
||||
</authorgroup>
|
||||
</sect1info>
|
||||
<title>OpenSSL</title>
|
||||
<indexterm>
|
||||
<primary>security</primary>
|
||||
<secondary>OpenSSL</secondary>
|
||||
</indexterm>
|
||||
<indexterm><primary>OpenSSL</primary></indexterm>
|
||||
|
||||
<para>As of FreeBSD 4.0, the OpenSSL toolkit is a part of the base
|
||||
system. <ulink url="http://www.openssl.org/">OpenSSL</ulink>
|
||||
provides a general-purpose cryptography library, as well as the
|
||||
Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer
|
||||
Security v1 (TLSv1) network security protocols.</para>
|
||||
<para>One feature that many users overlook is the
|
||||
<application>OpenSSL</application> toolkit included
|
||||
in &os;. <application>OpenSSL</application> provides an
|
||||
encryption transport layer on top of the normal communications
|
||||
layer; thus allowing it to be intertwined with many network
|
||||
applications and services.</para>
|
||||
|
||||
<para>However, one of the algorithms (specifically IDEA)
|
||||
included in OpenSSL is protected by patents in the USA and
|
||||
elsewhere, and is not available for unrestricted use.
|
||||
IDEA is included in the OpenSSL sources in FreeBSD, but it is not
|
||||
built by default. If you wish to use it, and you comply with the
|
||||
license terms, enable the <makevar>MAKE_IDEA</makevar> switch in
|
||||
<filename>/etc/make.conf</filename> and
|
||||
rebuild your sources using <command>make world</command>.</para>
|
||||
<para>Some uses of <application>OpenSSL</application> may include
|
||||
encrypted authentication of mail clients, web based transactions
|
||||
such as credit card payments and more. Many ports such as
|
||||
<filename role="package">www/apache13-SSL</filename>, and
|
||||
<filename role="package">mail/sylpheed-claws</filename>
|
||||
will offer compilation support for building with
|
||||
<application>OpenSSL</application>.</para>
|
||||
|
||||
<para>Today, the RSA algorithm is free for use in USA and other
|
||||
countries. In the past it was protected by a patent.</para>
|
||||
<note>
|
||||
<para>In most cases the ports collection will attempt to build
|
||||
the <filename role="package">security/openssl</filename>
|
||||
unless the <makevar>WITH_OPENSSL_BASE</makevar> make variable
|
||||
is explicitly set to <quote>yes</quote>.</para>
|
||||
</note>
|
||||
|
||||
<indexterm>
|
||||
<primary>OpenSSL</primary>
|
||||
<secondary>install</secondary>
|
||||
</indexterm>
|
||||
<para>The version of <application>OpenSSL</application> included
|
||||
in &os; supports Secure Sockets Layer v2/v3 (SSLv2/SSLv3),
|
||||
Transport Layer Security v1 (TLSv1) network security protocols
|
||||
and can be used as a general cryptographic library for use
|
||||
with applications.</para>
|
||||
|
||||
<note>
|
||||
<para>While <application>OpenSSL</application> supports the
|
||||
<acronym>IDEA</acronym> algorithm, it is disabled by default
|
||||
due to United States patents. To use it, the license should
|
||||
be reviewed and, if the restrictions are acceptable, the
|
||||
<makevar>MAKE_IDEA</makevar> variable must be set in
|
||||
<filename>make.conf</filename>.</para>
|
||||
</note>
|
||||
|
||||
<para>Perhaps one of the most common uses of
|
||||
<application>OpenSSL</application> provide certificates for
|
||||
use with software applications. These certificates ensure
|
||||
that the credentials of the company or individual is valid
|
||||
and are not fraudulent. If the certificate in question has
|
||||
not been verified by one of the several Certificate Authorities,
|
||||
or <acronym>CA</acronym>s, a warning is usually produced. A
|
||||
Certificate Authority is a company, such as VeriSign, who will
|
||||
sign certificates in order to validate credentials of individuals
|
||||
or companies. This process has a cost associated with it and
|
||||
is definitely not a requirement for using certificates; however,
|
||||
it can put some of the more paranoid users at ease.</para>
|
||||
|
||||
<sect2>
|
||||
<title>Source Code Installations</title>
|
||||
|
||||
<para>OpenSSL is part of the <literal>src-crypto</literal> and
|
||||
<literal>src-secure</literal> <application>CVSup</application> collections. See the <link
|
||||
linkend="mirrors">Obtaining FreeBSD</link> section for more
|
||||
information about obtaining and updating FreeBSD source
|
||||
code.</para>
|
||||
<title>Generating Certificates</title>
|
||||
|
||||
<indexterm>
|
||||
<primary>OpenSSL</primary>
|
||||
<secondary>certificate generation</secondary>
|
||||
</indexterm>
|
||||
|
||||
<para>To generate a certificate, the following command is
|
||||
available:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput>
|
||||
Generating a 1024 bit RSA private key
|
||||
................++++++
|
||||
.......................................++++++
|
||||
writing new private key to 'cert.pem'
|
||||
-----
|
||||
You are about to be asked to enter information that will be incorporated
|
||||
into your certificate request.
|
||||
What you are about to enter is what is called a Distinguished Name or a DN.
|
||||
There are quite a few fields but you can leave some blank
|
||||
For some fields there will be a default value,
|
||||
If you enter '.', the field will be left blank.
|
||||
-----
|
||||
Country Name (2 letter code) [AU]:<userinput><replaceable>US</replaceable></userinput>
|
||||
State or Province Name (full name) [Some-State]:<userinput><replaceable>PA</replaceable></userinput>
|
||||
Locality Name (eg, city) []:<userinput><replaceable>Pittsburgh</replaceable></userinput>
|
||||
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<userinput><replaceable>My Company</replaceable></userinput>
|
||||
Organizational Unit Name (eg, section) []:<userinput><replaceable>Systems Administrator</replaceable></userinput>
|
||||
Common Name (eg, YOUR name) []:<userinput><replaceable>localhost.example.org</replaceable></userinput>
|
||||
Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></userinput>
|
||||
|
||||
Please enter the following 'extra' attributes
|
||||
to be sent with your certificate request
|
||||
A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput>
|
||||
An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen>
|
||||
|
||||
<para>Notice the response directly after the
|
||||
<quote>Common Name</quote> prompt shows a domain name.
|
||||
This prompt requires a server name to be entered for
|
||||
verification purposes; placing anything but a domain name
|
||||
would yield a useless certificate. Other options for
|
||||
instance expire time, alternate encryption algorithms, etc.
|
||||
are available. A complete list may be obtained by viewing
|
||||
the &man.openssl.1; manual page.</para>
|
||||
|
||||
<para>A file, <filename>cert.pem</filename> should now exist in
|
||||
the directory which the aforementioned command was issued. This
|
||||
is the certificate which may be sent to any one of the many
|
||||
<acronym>CA</acronym>s for signing.</para>
|
||||
|
||||
<para>In cases where a signature from a <acronym>CA</acronym> is
|
||||
not required, a self signed certificate can be created. First,
|
||||
generate the <acronym>CA</acronym> key:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>openssl gendsa -des3 -out \
|
||||
<filename>myca.key</filename> 1024</userinput></screen>
|
||||
|
||||
<para>Use this key to create the certificate:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key \
|
||||
<filename>myca.key</filename> -out <filename>new.crt</filename></userinput></screen>
|
||||
|
||||
<para>Two new files should appear in the directory: a certificate
|
||||
authority signature file, <filename>myca.key</filename> and the
|
||||
certificate itself, <filename>new.crt</filename>. These should
|
||||
be placed in a directory, preferably under
|
||||
<filename role="directory">/etc</filename>, which is readable
|
||||
only by root. Permissions of 0700 should be fine for this and
|
||||
they can be set with the <command>chmod</command>
|
||||
utility.</para>
|
||||
</sect2>
|
||||
|
||||
<sect2>
|
||||
<title>Using Certificates, an Example</title>
|
||||
|
||||
<para>So what can these files do? A good use would be to
|
||||
encrypt connections to the <application>Sendmail</application>
|
||||
<acronym>MTA</acronym>. This would dissolve the use of clear
|
||||
text authentication for users who send mail via the local
|
||||
<acronym>MTA</acronym>.</para>
|
||||
|
||||
<note>
|
||||
<para>This is not the best use in the world as some
|
||||
<acronym>MUA</acronym>s will present the user with an
|
||||
error if they have not installed the certificate locally.
|
||||
Refer to the documentation included with the software for
|
||||
more information on certificate installation.</para>
|
||||
</note>
|
||||
|
||||
<para>The following lines should be placed inside the
|
||||
local <filename>.mc</filename> file:</para>
|
||||
|
||||
<programlisting>dnl SSL Options
|
||||
define(`confCACERT_PATH',`/etc/certs')dnl
|
||||
define(`confCACERT',`/etc/certs/new.crt')dnl
|
||||
define(`confSERVER_CERT',`/etc/certs/new.crt')dnl
|
||||
define(`confSERVER_KEY',`/etc/certs/myca.key')dnl
|
||||
define(`confTLS_SRV_OPTIONS', `V')dnl</programlisting>
|
||||
|
||||
<para>Where <filename role="directory">/etc/certs/</filename>
|
||||
is the directory to be used for storing the certificate
|
||||
and key files locally. The last few requirements are a rebuild
|
||||
of the local <filename>.cf</filename> file. This is easily
|
||||
achieved by typing <command>make</command>
|
||||
<parameter>install</parameter> within the
|
||||
<filename role="directory">/etc/mail</filename>
|
||||
directory. Follow that up with <command>make</command>
|
||||
<parameter>restart</parameter> which should start the
|
||||
<application>Sendmail</application> daemon.</para>
|
||||
|
||||
<para>If all went well there will be no error messages in the
|
||||
<filename>/var/log/maillog</filename> file and
|
||||
<application>Sendmail</application> will show up in the process
|
||||
list.</para>
|
||||
|
||||
<para>For a simple test, simply connect to the mail server
|
||||
using the &man.telnet.1; utility:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>telnet <replaceable>example.com</replaceable> 25</userinput>
|
||||
Trying 192.0.34.166...
|
||||
Connected to <hostid role="fqdn">example.com</hostid>.
|
||||
Escape character is '^]'.
|
||||
220 <hostid role="fqdn">example.com</hostid> ESMTP Sendmail 8.12.10/8.12.10; Tue, 31 Aug 2004 03:41:22 -0400 (EDT)
|
||||
<userinput>ehlo <replaceable>example.com</replaceable></userinput>
|
||||
250-pittgoth.com Hello example.com [192.0.34.166], pleased to meet you
|
||||
250-ENHANCEDSTATUSCODES
|
||||
250-PIPELINING
|
||||
250-8BITMIME
|
||||
250-SIZE
|
||||
250-DSN
|
||||
250-ETRN
|
||||
250-AUTH LOGIN PLAIN
|
||||
250-STARTTLS
|
||||
250-DELIVERBY
|
||||
250 HELP
|
||||
<userinput>quit</userinput>
|
||||
221 2.0.0 <hostid role="fqdn">example.com</hostid> closing connection
|
||||
Connection closed by foreign host.</screen>
|
||||
|
||||
<para>If the <quote>STARTTLS</quote> line appears in the output
|
||||
then everything is working correctly.</para>
|
||||
</sect2>
|
||||
</sect1>
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue