OpenSSL tricks – checking https ports
Checking whether or not your web server is running is pretty simple – telnet to port 80, issue a HEAD request, and make sure you get a valid response. What’s less well known is how to test an https session – in this post I’ll go through the nice tool the OpenSSL toolkit gives us.
People think of OpenSSL as a collection of libraries that enable us to build in SSL support to a variety of things – webservers, LDAP servers, etc. OpenSSL also happens to be a toolkit in binary form that’s built along with the libraries, and it’s a pretty powerful bit of kit.
First of all, we can use the s_client functionality to test an https connection:
bash-3.2$ openssl s_client -connect www.siliconbunny.com:443 CONNECTED(00000003) depth=0 /C=GB/ST=Berkshire/L=Crowthorne/O=Silicon [email protected].com verify error:num=18:self signed certificate verify return:1 depth=0 /C=GB/ST=Berkshire/L=Crowthorne/O=Silicon [email protected].com verify return:1 --- Certificate chain 0 s:/C=GB/ST=Berkshire/L=Crowthorne/O=Silicon [email protected].com i:/C=GB/ST=Berkshire/L=Crowthorne/O=Silicon [email protected].com --- Server certificate -----BEGIN CERTIFICATE----- MIIDpjCCAo4CAQAwDQYJKoZIhvcNAQEEBQAwgZgxCzAJBgNVBAYTAkdCMRIwEAYD VQQIEwlCZXJrc2hpcmUxEzARBgNVBAcTCkNyb3d0aG9ybmUxFjAUBgNVBAoTDVNp bGljb24gQnVubnkxHTAbBgNVBAMTFHd3dy5zaWxpY29uYnVubnkuY29tMSkwJwYJ KoZIhvcNAQkBFhp3ZWJtYXN0ZXJAc2lsaWNvbmJ1bm55LmNvbTAeFw0wNDA4MTcy MjExMTJaFw0xNDA4MTUyMjExMTJaMIGYMQswCQYDVQQGEwJHQjESMBAGA1UECBMJ QmVya3NoaXJlMRMwEQYDVQQHEwpDcm93dGhvcm5lMRYwFAYDVQQKEw1TaWxpY29u IEJ1bm55MR0wGwYDVQQDExR3d3cuc2lsaWNvbmJ1bm55LmNvbTEpMCcGCSqGSIb3 DQEJARYad2VibWFzdGVyQHNpbGljb25idW5ueS5jb20wggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQDfMrAWj1SU9IKclxLucFaptJZ3eehlV7VI+gNjeIV1 bLTaBvIR/k4e2dYArG05ZZwXu+N8zvqDQfzJaFV4z5a/1nGjzx63VexRM6ix79NX I1/hJ3m6qU+C0Iy0lbKIy60r8F3DS5N+URZDHyQTb0zV9c9+4WFPpc6J+zDeRP0r WfF2CDzSV16snTonLzSe7NAL0Br9+5sp26vERX0+Syg1pSG15c3YKMnaNbF8dquE UC1SAso8PPgKdw9Fle38ulWbX6Lr6gXEWvo1Vb61SEiTz+pcv4fPXtHix4knifIF kqs+rvELYCGuIWV0gTFuF3/opGazSRub8U2Af9QjjJvdAgMBAAEwDQYJKoZIhvcN AQEEBQADggEBANnYch3XCiteZRnzeVtmmmDjpn7OVfc/V9QzL8mVTVdopd/oVScI 4gyz2lDpLxiLeXA86WDpai2rys7aXGjwIBtSaHHt1O5bYG6kR+H3RLunklIaJhBr 0bj9Hffa15POEEctZdfMO3OJ/4nR8Bd6lJRllvF4qkDsbKnwEXd/IB33sVtvtNxM LUAgtq8BaeLysUMxVRbsFJ01J6uyv6Y6OtzY3QedkP+ig3+IkWqgPm1zTh1CflSH OUXeMQnPl8mN6s7deg1WBmiSgc6um3Tb5NoL1CmRPamJip5DqPffR+EboxReRiRJ fofgD0cIKKghQsHXxWL8OcqrfDQpC9BgUWw= -----END CERTIFICATE----- subject=/C=GB/ST=Berkshire/L=Crowthorne/O=Silicon [email protected].com issuer=/C=GB/ST=Berkshire/L=Crowthorne/O=Silicon [email protected].com --- No client certificate CA names sent --- SSL handshake has read 1630 bytes and written 316 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 80F355438981C329BEF0BB1CCA4936906EE0A0F71C0B7AD4A873629081E7452A Session-ID-ctx: Master-Key: BD04DC16B134FBB2B5F5833FEB72853245EC060536AD6F4A6FEBA7DFD47F607693795F9CE3B1F291593E489B685FAE70 Key-Arg : None Start Time: 1260328910 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) ---
This allows us to form a proper SSL connection to the web server – we can see the certificate, check it’s validity, and then run our HEAD request check as well. We’re not just doing a basic “are you listening?” check – openssl is forming the same https connection a client would, so this is very handy when checking out certificate mis-matches or bizarre client errors.
Within the same session we can then start talking http and check our server is doing the right thing:
HEAD / HTTP/1.0 HTTP/1.1 200 OK Date: Wed, 09 Dec 2009 02:02:43 GMT Server: Apache X-Pingback: http://grond.gaeltd.com/xmlrpc.php Cache-Control: max-age=0 Expires: Wed, 09 Dec 2009 02:02:43 GMT Vary: Accept-Encoding,User-Agent Connection: close Content-Type: text/html; charset=UTF-8 closed
Worst case you can do this testing direct on your web server, but pretty much most machines should have OpenSSL installed, and at a minimum you should look at adding it to your collection of tools on your laptop or memory stick.
Another interesting and lesser known use of OpenSSL is for file encryption.
This is an example using OpenSSL’s enc function to encrypt a text file using the Blowfish cipher:
bash-3.2$ openssl enc -e -a -salt -bf -in testfile.txt -out testfile.blowfish enter bf-cbc encryption password: Verifying password - enter bf-cbc encryption password:
You’re prompted twice to enter a password to be used, then OpenSSL will encrypt the file for you.
Decrypting a file is very similar – calling the enc function in decrypt mode (-d) and changing your input and output files:
bash-3.2$ openssl enc -d -a -bf -in testfile.blowfish -out tomcat-testfile.txt enter bf-cbc decryption password:
Using OpenSSL like this for file encryption gives you simple, easy access to quite strong encryption algorithms, but without the hassle of managing key files that you get with PGP – so can be an ideal solution for things like managing sensitive webserver log files.
The last OpenSSL trick to look at is hashing functions – specifically we want to calculate a message digest to check that a file hasn’t been tampered with.
Although outdated md5 is still the most commonly used hash function to check a file’s integrity – most often you’ll be looking at md5 checksums to verify a large file has been fully downloaded, or that it’s not been tampered with.
All we need to do is call OpenSSL with it’s digest function, specify the hash algorithm to use, and then give it a file to check. Classic case here – I want to verify that the checksum for the VPN software I’ve downloaded matches up:
bash-3.2$ openssl dgst -md5 -c Tunnelblick_3.0b22.dmg MD5(Tunnelblick_3.0b22.dmg)= 5b:d3:6d:2a:06:22:9f:58:00:01:f8:e1:15:48:7c:d9
Although md5 is the most common hash function in use, it’s considered outdated and has been deprecated in favour of stronger functions like SHA-1 – which are just as easy to use via OpenSSL:
bash-3.2$ openssl dgst -sha1 -c Tunnelblick_3.0b22.dmg SHA1(Tunnelblick_3.0b22.dmg)= 7f:56:1c:96:68:4a:fc:b3:f6:27:99:11:41:89:ed:7e:30:97:28:7f
Hopefully this has given you an idea of the power and flexibility of the OpenSSL tookit. A big advantage of utilising OpenSSL in this way is that it can easily be scripted, given you some very powerful tools for carrying out simple sanity checks on remote, publicly accessible servers.