Wow! Our OpenSSL section sucks. Rewrite it because there is nothing
else to do at 4:00 in the morning. Ensure to cover:

o How ports interact with base and port versions of OpenSSL;
o Generating certificates;
o Generating CA keys;
o Add an example of using certificates with Sendmail.

Needs severe beating for keeping me up: Brad Davis :-)
This commit is contained in:
parent
222b6c71c2
commit
014520247e
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=22182
1 changed files with 196 additions and 27 deletions
|
@ -3636,44 +3636,213 @@ jdoe@example.org</screen>
|
||||||
</sect1>
|
</sect1>
|
||||||
|
|
||||||
<sect1 id="openssl">
|
<sect1 id="openssl">
|
||||||
|
<sect1info>
|
||||||
|
<authorgroup>
|
||||||
|
<author>
|
||||||
|
<firstname>Tom</firstname>
|
||||||
|
<surname>Rhodes</surname>
|
||||||
|
<contrib>Written by: </contrib>
|
||||||
|
</author>
|
||||||
|
</authorgroup>
|
||||||
|
</sect1info>
|
||||||
<title>OpenSSL</title>
|
<title>OpenSSL</title>
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>security</primary>
|
<primary>security</primary>
|
||||||
<secondary>OpenSSL</secondary>
|
<secondary>OpenSSL</secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
<indexterm><primary>OpenSSL</primary></indexterm>
|
|
||||||
|
|
||||||
<para>As of FreeBSD 4.0, the OpenSSL toolkit is a part of the base
|
<para>One feature that many users overlook is the
|
||||||
system. <ulink url="http://www.openssl.org/">OpenSSL</ulink>
|
<application>OpenSSL</application> toolkit included
|
||||||
provides a general-purpose cryptography library, as well as the
|
in &os;. <application>OpenSSL</application> provides an
|
||||||
Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer
|
encryption transport layer on top of the normal communications
|
||||||
Security v1 (TLSv1) network security protocols.</para>
|
layer; thus allowing it to be intertwined with many network
|
||||||
|
applications and services.</para>
|
||||||
|
|
||||||
<para>However, one of the algorithms (specifically IDEA)
|
<para>Some uses of <application>OpenSSL</application> may include
|
||||||
included in OpenSSL is protected by patents in the USA and
|
encrypted authentication of mail clients, web based transactions
|
||||||
elsewhere, and is not available for unrestricted use.
|
such as credit card payments and more. Many ports such as
|
||||||
IDEA is included in the OpenSSL sources in FreeBSD, but it is not
|
<filename role="package">www/apache13-SSL</filename>, and
|
||||||
built by default. If you wish to use it, and you comply with the
|
<filename role="package">mail/sylpheed-claws</filename>
|
||||||
license terms, enable the <makevar>MAKE_IDEA</makevar> switch in
|
will offer compilation support for building with
|
||||||
<filename>/etc/make.conf</filename> and
|
<application>OpenSSL</application>.</para>
|
||||||
rebuild your sources using <command>make world</command>.</para>
|
|
||||||
|
|
||||||
<para>Today, the RSA algorithm is free for use in USA and other
|
<note>
|
||||||
countries. In the past it was protected by a patent.</para>
|
<para>In most cases the ports collection will attempt to build
|
||||||
|
the <filename role="package">security/openssl</filename>
|
||||||
|
unless the <makevar>WITH_OPENSSL_BASE</makevar> make variable
|
||||||
|
is explicitly set to <quote>yes</quote>.</para>
|
||||||
|
</note>
|
||||||
|
|
||||||
<indexterm>
|
<para>The version of <application>OpenSSL</application> included
|
||||||
<primary>OpenSSL</primary>
|
in &os; supports Secure Sockets Layer v2/v3 (SSLv2/SSLv3),
|
||||||
<secondary>install</secondary>
|
Transport Layer Security v1 (TLSv1) network security protocols
|
||||||
</indexterm>
|
and can be used as a general cryptographic library for use
|
||||||
|
with applications.</para>
|
||||||
|
|
||||||
|
<note>
|
||||||
|
<para>While <application>OpenSSL</application> supports the
|
||||||
|
<acronym>IDEA</acronym> algorithm, it is disabled by default
|
||||||
|
due to United States patents. To use it, the license should
|
||||||
|
be reviewed and, if the restrictions are acceptable, the
|
||||||
|
<makevar>MAKE_IDEA</makevar> variable must be set in
|
||||||
|
<filename>make.conf</filename>.</para>
|
||||||
|
</note>
|
||||||
|
|
||||||
|
<para>Perhaps one of the most common uses of
|
||||||
|
<application>OpenSSL</application> provide certificates for
|
||||||
|
use with software applications. These certificates ensure
|
||||||
|
that the credentials of the company or individual is valid
|
||||||
|
and are not fraudulent. If the certificate in question has
|
||||||
|
not been verified by one of the several Certificate Authorities,
|
||||||
|
or <acronym>CA</acronym>s, a warning is usually produced. A
|
||||||
|
Certificate Authority is a company, such as VeriSign, who will
|
||||||
|
sign certificates in order to validate credentials of individuals
|
||||||
|
or companies. This process has a cost associated with it and
|
||||||
|
is definitely not a requirement for using certificates; however,
|
||||||
|
it can put some of the more paranoid users at ease.</para>
|
||||||
|
|
||||||
<sect2>
|
<sect2>
|
||||||
<title>Source Code Installations</title>
|
<title>Generating Certificates</title>
|
||||||
|
|
||||||
<para>OpenSSL is part of the <literal>src-crypto</literal> and
|
<indexterm>
|
||||||
<literal>src-secure</literal> <application>CVSup</application> collections. See the <link
|
<primary>OpenSSL</primary>
|
||||||
linkend="mirrors">Obtaining FreeBSD</link> section for more
|
<secondary>certificate generation</secondary>
|
||||||
information about obtaining and updating FreeBSD source
|
</indexterm>
|
||||||
code.</para>
|
|
||||||
|
<para>To generate a certificate, the following command is
|
||||||
|
available:</para>
|
||||||
|
|
||||||
|
<screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput>
|
||||||
|
Generating a 1024 bit RSA private key
|
||||||
|
................++++++
|
||||||
|
.......................................++++++
|
||||||
|
writing new private key to 'cert.pem'
|
||||||
|
-----
|
||||||
|
You are about to be asked to enter information that will be incorporated
|
||||||
|
into your certificate request.
|
||||||
|
What you are about to enter is what is called a Distinguished Name or a DN.
|
||||||
|
There are quite a few fields but you can leave some blank
|
||||||
|
For some fields there will be a default value,
|
||||||
|
If you enter '.', the field will be left blank.
|
||||||
|
-----
|
||||||
|
Country Name (2 letter code) [AU]:<userinput><replaceable>US</replaceable></userinput>
|
||||||
|
State or Province Name (full name) [Some-State]:<userinput><replaceable>PA</replaceable></userinput>
|
||||||
|
Locality Name (eg, city) []:<userinput><replaceable>Pittsburgh</replaceable></userinput>
|
||||||
|
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<userinput><replaceable>My Company</replaceable></userinput>
|
||||||
|
Organizational Unit Name (eg, section) []:<userinput><replaceable>Systems Administrator</replaceable></userinput>
|
||||||
|
Common Name (eg, YOUR name) []:<userinput><replaceable>localhost.example.org</replaceable></userinput>
|
||||||
|
Email Address []:<userinput><replaceable>trhodes@FreeBSD.org</replaceable></userinput>
|
||||||
|
|
||||||
|
Please enter the following 'extra' attributes
|
||||||
|
to be sent with your certificate request
|
||||||
|
A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput>
|
||||||
|
An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen>
|
||||||
|
|
||||||
|
<para>Notice the response directly after the
|
||||||
|
<quote>Common Name</quote> prompt shows a domain name.
|
||||||
|
This prompt requires a server name to be entered for
|
||||||
|
verification purposes; placing anything but a domain name
|
||||||
|
would yield a useless certificate. Other options for
|
||||||
|
instance expire time, alternate encryption algorithms, etc.
|
||||||
|
are available. A complete list may be obtained by viewing
|
||||||
|
the &man.openssl.1; manual page.</para>
|
||||||
|
|
||||||
|
<para>A file, <filename>cert.pem</filename> should now exist in
|
||||||
|
the directory which the aforementioned command was issued. This
|
||||||
|
is the certificate which may be sent to any one of the many
|
||||||
|
<acronym>CA</acronym>s for signing.</para>
|
||||||
|
|
||||||
|
<para>In cases where a signature from a <acronym>CA</acronym> is
|
||||||
|
not required, a self signed certificate can be created. First,
|
||||||
|
generate the <acronym>CA</acronym> key:</para>
|
||||||
|
|
||||||
|
<screen>&prompt.root; <userinput>openssl gendsa -des3 -out \
|
||||||
|
<filename>myca.key</filename> 1024</userinput></screen>
|
||||||
|
|
||||||
|
<para>Use this key to create the certificate:</para>
|
||||||
|
|
||||||
|
<screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key \
|
||||||
|
<filename>myca.key</filename> -out <filename>new.crt</filename></userinput></screen>
|
||||||
|
|
||||||
|
<para>Two new files should appear in the directory: a certificate
|
||||||
|
authority signature file, <filename>myca.key</filename> and the
|
||||||
|
certificate itself, <filename>new.crt</filename>. These should
|
||||||
|
be placed in a directory, preferably under
|
||||||
|
<filename role="directory">/etc</filename>, which is readable
|
||||||
|
only by root. Permissions of 0700 should be fine for this and
|
||||||
|
they can be set with the <command>chmod</command>
|
||||||
|
utility.</para>
|
||||||
|
</sect2>
|
||||||
|
|
||||||
|
<sect2>
|
||||||
|
<title>Using Certificates, an Example</title>
|
||||||
|
|
||||||
|
<para>So what can these files do? A good use would be to
|
||||||
|
encrypt connections to the <application>Sendmail</application>
|
||||||
|
<acronym>MTA</acronym>. This would dissolve the use of clear
|
||||||
|
text authentication for users who send mail via the local
|
||||||
|
<acronym>MTA</acronym>.</para>
|
||||||
|
|
||||||
|
<note>
|
||||||
|
<para>This is not the best use in the world as some
|
||||||
|
<acronym>MUA</acronym>s will present the user with an
|
||||||
|
error if they have not installed the certificate locally.
|
||||||
|
Refer to the documentation included with the software for
|
||||||
|
more information on certificate installation.</para>
|
||||||
|
</note>
|
||||||
|
|
||||||
|
<para>The following lines should be placed inside the
|
||||||
|
local <filename>.mc</filename> file:</para>
|
||||||
|
|
||||||
|
<programlisting>dnl SSL Options
|
||||||
|
define(`confCACERT_PATH',`/etc/certs')dnl
|
||||||
|
define(`confCACERT',`/etc/certs/new.crt')dnl
|
||||||
|
define(`confSERVER_CERT',`/etc/certs/new.crt')dnl
|
||||||
|
define(`confSERVER_KEY',`/etc/certs/myca.key')dnl
|
||||||
|
define(`confTLS_SRV_OPTIONS', `V')dnl</programlisting>
|
||||||
|
|
||||||
|
<para>Where <filename role="directory">/etc/certs/</filename>
|
||||||
|
is the directory to be used for storing the certificate
|
||||||
|
and key files locally. The last few requirements are a rebuild
|
||||||
|
of the local <filename>.cf</filename> file. This is easily
|
||||||
|
achieved by typing <command>make</command>
|
||||||
|
<parameter>install</parameter> within the
|
||||||
|
<filename role="directory">/etc/mail</filename>
|
||||||
|
directory. Follow that up with <command>make</command>
|
||||||
|
<parameter>restart</parameter> which should start the
|
||||||
|
<application>Sendmail</application> daemon.</para>
|
||||||
|
|
||||||
|
<para>If all went well there will be no error messages in the
|
||||||
|
<filename>/var/log/maillog</filename> file and
|
||||||
|
<application>Sendmail</application> will show up in the process
|
||||||
|
list.</para>
|
||||||
|
|
||||||
|
<para>For a simple test, simply connect to the mail server
|
||||||
|
using the &man.telnet.1; utility:</para>
|
||||||
|
|
||||||
|
<screen>&prompt.root; <userinput>telnet <replaceable>example.com</replaceable> 25</userinput>
|
||||||
|
Trying 192.0.34.166...
|
||||||
|
Connected to <hostid role="fqdn">example.com</hostid>.
|
||||||
|
Escape character is '^]'.
|
||||||
|
220 <hostid role="fqdn">example.com</hostid> ESMTP Sendmail 8.12.10/8.12.10; Tue, 31 Aug 2004 03:41:22 -0400 (EDT)
|
||||||
|
<userinput>ehlo <replaceable>example.com</replaceable></userinput>
|
||||||
|
250-pittgoth.com Hello example.com [192.0.34.166], pleased to meet you
|
||||||
|
250-ENHANCEDSTATUSCODES
|
||||||
|
250-PIPELINING
|
||||||
|
250-8BITMIME
|
||||||
|
250-SIZE
|
||||||
|
250-DSN
|
||||||
|
250-ETRN
|
||||||
|
250-AUTH LOGIN PLAIN
|
||||||
|
250-STARTTLS
|
||||||
|
250-DELIVERBY
|
||||||
|
250 HELP
|
||||||
|
<userinput>quit</userinput>
|
||||||
|
221 2.0.0 <hostid role="fqdn">example.com</hostid> closing connection
|
||||||
|
Connection closed by foreign host.</screen>
|
||||||
|
|
||||||
|
<para>If the <quote>STARTTLS</quote> line appears in the output
|
||||||
|
then everything is working correctly.</para>
|
||||||
</sect2>
|
</sect2>
|
||||||
</sect1>
|
</sect1>
|
||||||
|
|
||||||
|
|
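Review bot: the paragraph that begins "A file, cert.pem should now exist" tells the reader to send cert.pem to a CA for signing, but in the openssl req command above it, -keyout cert.pem writes the private key to that file and -out req.pem writes the certificate request; the listing's own output says "writing new private key to 'cert.pem'". Followed as written, the text has the reader mail the private key (unencrypted, because of -nodes) to the CA. Suggest naming the outputs -out req.pem -keyout req.key and stating that req.pem is what goes to the CA while req.key never leaves the host. Further down, "openssl gendsa -des3 -out myca.key 1024" does not do what the text says: gendsa takes a DSA parameter file as its positional argument, so 1024 is read as a file name and the command fails; openssl genrsa -des3 -out myca.key 1024 matches the RSA key the first example generates, or run openssl dsaparam first. The -des3 passphrase also conflicts with the Sendmail section, which points confSERVER_KEY at myca.key: the daemon loads that key unattended and has no way to supply a passphrase, so for that use the key has to be stored unencrypted, which is exactly why the permission advice matters. On that advice, "Two new files should appear" is off by one (myca.key was written by the previous command, and it is a private key, not a "certificate authority signature file"), and 0700 sets an execute bit on a regular file; 0600 on the key is what Sendmail's own safety checks expect, while new.crt is public and is handed to every client anyway. In the Sendmail example, the claim that this "would dissolve the use of clear text authentication" is contradicted by the transcript, which shows 250-AUTH LOGIN PLAIN offered in the plaintext EHLO response: unless confAUTH_OPTIONS contains the p flag, clients may still send passwords before STARTTLS, so that define belongs in the .mc listing. The telnet test only proves that STARTTLS is advertised; "openssl s_client -starttls smtp -connect example.com:25" actually negotiates TLS and prints the certificate, which is the check a reader wants. Minor: the 250 greeting line says pittgoth.com while every other line of the transcript uses example.com.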