Using Root Certificates with OpenSSL on FreeBSD
I'm reading a great book on Apache security.
One of the examples involves using the openssl client program to analyze a chain of certificates.
In the following example I use openssl to connect to www.thawte.com, but I do not provide a location to find root certificates.
orr:/home/richard$ openssl s_client -host www.thawte.com -port 443
CONNECTED(00000003)
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting (Pty) Ltd/OU=Security/CN=www.thawte.com
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting (Pty) Ltd/OU=Security/CN=www.thawte.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 2214 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: BF365536023EF272C68C3A9420364D68BF6363FB59461B1BF9BB9C36A6BA8FA9
Session-ID-ctx:
Master-Key: 9B6224C8083E007C2D4797B9D92317B213AD53FC6C5EF693FC17D8D3B3B9B918D7E03317C67BCE5699CF102ED707B5C6
Key-Arg : None
Start Time: 1157455445
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 05 Sep 2006 11:25:22 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 25062
Connection: close
Content-Type: text/html
closed
The return code
Verify return code: 20 (unable to get local issuer certificate)
is the important item here.
FreeBSD's base installation does not include the ca-root.crt file expected with other Unix-like systems. That file is available as the security/ca-roots port, however.
orr:/root# setenv PACKAGESITE ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/
orr:/root# pkg_add -vr ca-roots
looking up ftp2.freebsd.org
connecting to ftp2.freebsd.org:21
setting passive mode
opening data connection
initiating transfer
Fetching ftp://ftp2.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/ca-roots.tbz...x +CONTENTS
x +COMMENT
x +DESC
x +MTREE_DIRS
x share/certs/ca-root.crt
tar command returns 0 status
Done.
extract: Package name is ca-roots-1.2
extract: CWD to /usr/local
extract: execute 'mkdir -p /usr/local/share/certs'
extract: /usr/local/share/certs/ca-root.crt
extract: execute 'ln -s /usr/local/share/certs/ca-root.crt /etc/ssl/cert.pem'
extract: CWD to .
Running mtree for ca-roots-1.2..
mtree -U -f +MTREE_DIRS -d -e -p /usr/local >/dev/null
Attempting to record package into /var/db/pkg/ca-roots-1.2..
Package ca-roots-1.2 registered in /var/db/pkg/ca-roots-1.2
With these SSL Certificate Authority root certificates installed, I use openssl in this manner.
orr:/home/richard$ openssl s_client -host www.thawte.com -port 443 -CAfile /etc/ssl/cert.pem
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify return:1
depth=0 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting (Pty) Ltd/OU=Security/CN=www.thawte.com
verify return:1
---
Certificate chain
0 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting (Pty) Ltd/OU=Security/CN=www.thawte.com
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting (Pty) Ltd/OU=Security/CN=www.thawte.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 2214 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 3121A8A4A5DFE70DABA68C5354C2DE89996F622CE7A323F97EB3E87390594F6B
Session-ID-ctx:
Master-Key: E4C5A3B6B5DFF98BFAF2C9CCF8E86083B2D03EE06984707EF238F431531F00D9CEA3579E6386E9DB13C57EB84B3E2BAF
Key-Arg : None
Start Time: 1157455485
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 05 Sep 2006 11:26:02 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 25062
Connection: close
Content-Type: text/html
closed
Now we see
Verify return code: 0 (ok)
which means the certificate presented by the Web server chains up to a trusted root and is legitimate.
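The difference between return code 20 and return code 0 above comes down to whether openssl can find the issuer of the top of the chain in a local trust store. The following script is an added example, not part of the original post: it builds a throwaway root CA, intermediate CA and server certificate in a temporary directory (all names and files are constructed), then runs openssl verify on the server certificate first with no trusted roots at all and then with the root supplied via -CAfile, reproducing the same two results offline.

```shell
#!/bin/sh
# Constructed example (not from the original post): build a throwaway
# root CA -> intermediate CA -> server certificate chain, then verify the
# server certificate with and without the root available via -CAfile.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a certificate: $1 = CSR, $2 = output cert, $3 = extension file,
# remaining args = signing options (-signkey for self-signed, -CA/-CAkey otherwise).
issue() {
  csr=$1; out=$2; ext=$3; shift 3
  openssl x509 -req -in "$csr" -out "$out" -days 2 -extfile "$ext" "$@" 2>/dev/null
}

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
  for name in root inter server; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
        -out "$WORK/$name.csr" -subj "/O=Example/CN=$name.example.test" 2>/dev/null
  done
  issue "$WORK/root.csr" "$WORK/root.crt" "$WORK/ca.ext" -signkey "$WORK/root.key"
  issue "$WORK/inter.csr" "$WORK/inter.crt" "$WORK/ca.ext" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial
  issue "$WORK/server.csr" "$WORK/server.crt" "$WORK/leaf.ext" \
        -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" -CAcreateserial
}

# Print openssl's numeric verify result for server.crt: 0 when the chain
# validates, otherwise the error number (20 = unable to get local issuer
# certificate). $1 is the trusted root file, or "" to supply no roots at all,
# which mirrors running s_client without -CAfile on a box with no ca-root.crt.
verify_rc() {
  if [ -n "$1" ]; then
    out=$(openssl verify -no-CAfile -no-CApath -CAfile "$1" \
              -untrusted "$WORK/inter.crt" "$WORK/server.crt" 2>&1) && { echo 0; return; }
  else
    out=$(openssl verify -no-CAfile -no-CApath \
              -untrusted "$WORK/inter.crt" "$WORK/server.crt" 2>&1) && { echo 0; return; }
  fi
  printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

build_chain
echo "without roots: verify error $(verify_rc "")"                 # 20
echo "with root.crt: verify error $(verify_rc "$WORK/root.crt")"   # 0
```

A return code of 0 only says the chain validates to a root you trust; whether the name in the certificate matches the host you connected to is a separate check (older s_client versions do not perform it at all, and newer ones need -verify_hostname).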