Tuesday, September 05, 2006

Using Root Certificates with OpenSSL on FreeBSD

I'm reading a great book on Apache security.

One of the examples involves using the openssl client program to analyze a chain of certificates.

In the following example I use openssl to connect to www.thawte.com, but I do not provide a location to find root certificates.


orr:/home/richard$ openssl s_client -host www.thawte.com -port 443
CONNECTED(00000003)
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting (Pty) Ltd/OU=Security/CN=www.thawte.com
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting (Pty) Ltd/OU=Security/CN=www.thawte.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 2214 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: BF365536023EF272C68C3A9420364D68BF6363FB59461B1BF9BB9C36A6BA8FA9
Session-ID-ctx:
Master-Key: 9B6224C8083E007C2D4797B9D92317B213AD53FC6C5EF693FC17D8D3B3B9B918D7E03317C67BCE5699CF102ED707B5C6
Key-Arg : None
Start Time: 1157455445
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 05 Sep 2006 11:25:22 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 25062
Connection: close
Content-Type: text/html

closed

The return code

Verify return code: 20 (unable to get local issuer certificate)

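is the important item here. The server sent its own certificate and the Thawte SGC CA intermediate, but openssl had no local copy of that intermediate's issuer (the VeriSign Class 3 root), so it could not complete the chain.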

FreeBSD's base installation does not include the ca-root.crt file expected with other Unix-like systems. That file is available as the security/ca-roots port, however.

orr:/root# setenv PACKAGESITE ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/
orr:/root# pkg_add -vr ca-roots
looking up ftp2.freebsd.org
connecting to ftp2.freebsd.org:21
setting passive mode
opening data connection
initiating transfer
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/ca-roots.tbz...x +CONTENTS
x +COMMENT
x +DESC
x +MTREE_DIRS
x share/certs/ca-root.crt
tar command returns 0 status
Done.
extract: Package name is ca-roots-1.2
extract: CWD to /usr/local
extract: execute 'mkdir -p /usr/local/share/certs'
extract: /usr/local/share/certs/ca-root.crt
extract: execute 'ln -s /usr/local/share/certs/ca-root.crt /etc/ssl/cert.pem'
extract: CWD to .
Running mtree for ca-roots-1.2..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/ca-roots-1.2..
Package ca-roots-1.2 registered in /var/db/pkg/ca-roots-1.2

With these SSL Certificate Authority root certificates installed, I use openssl in this manner.

orr:/home/richard$ openssl s_client -host www.thawte.com -port 443 -CAfile /etc/ssl/cert.pem
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify return:1
depth=0 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting (Pty) Ltd/OU=Security/CN=www.thawte.com
verify return:1
---
Certificate chain
0 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting (Pty) Ltd/OU=Security/CN=www.thawte.com
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting (Pty) Ltd/OU=Security/CN=www.thawte.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 2214 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 3121A8A4A5DFE70DABA68C5354C2DE89996F622CE7A323F97EB3E87390594F6B
Session-ID-ctx:
Master-Key: E4C5A3B6B5DFF98BFAF2C9CCF8E86083B2D03EE06984707EF238F431531F00D9CEA3579E6386E9DB13C57EB84B3E2BAF
Key-Arg : None
Start Time: 1157455485
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 05 Sep 2006 11:26:02 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 25062
Connection: close
Content-Type: text/html

closed

Now we see

Verify return code: 0 (ok)

which means openssl verified the chain from the server's certificate up to a root in /etc/ssl/cert.pem, so the certificate presented by the Web server is legitimate.
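
In the first transcript s_client reported error 20 and still completed the session (the HEAD request got its 200 OK), so a script that relies on s_client has to read the verify code itself. The following is an added example, not part of the original post: shell functions that pull the verify return code, the failing depth and the missing issuer out of a transcript. The two transcripts are excerpts constructed from the output above, and the function names are hypothetical.

```shell
# Constructed excerpts of the two s_client transcripts shown in this post.
FAIL_TRANSCRIPT='depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
 0 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting (Pty) Ltd/OU=Security/CN=www.thawte.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    Verify return code: 20 (unable to get local issuer certificate)'
OK_TRANSCRIPT='depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify return:1
    Verify return code: 0 (ok)'

# Numeric code from the last "Verify return code:" line (empty if absent).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Depth of the first failure: s_client prints "depth=N <subject>" just
# before the matching "verify error" line.
failing_depth() {
    printf '%s\n' "$1" | awk '
        /^depth=/        { split($1, a, "="); d = a[2] }
        /^verify error:/ { print d; exit }'
}

# Issuer (i: line) of the last certificate the server sent. With error 20
# at the top of the chain this names the CA that has to be in the -CAfile bundle.
top_issuer() {
    printf '%s\n' "$1" | sed -n 's/^ *i://p' | tail -n 1
}

# True only when the chain verified. s_client carries on with the session
# after a failure, so a caller must test the code explicitly.
chain_trusted() {
    [ "$(verify_code "$1")" = "0" ]
}

report() {
    chain_trusted "$1" && { echo "chain verified"; return 0; }
    echo "code $(verify_code "$1") at depth $(failing_depth "$1"); missing issuer: $(top_issuer "$1")"
}

report "$FAIL_TRANSCRIPT"
report "$OK_TRANSCRIPT"
```

On current OpenSSL releases, the s_client option -verify_return_error makes the handshake fail on a verification error instead of continuing.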
