====== SSL, OpenSSL ======

===== About everything and nothing =====

  * [[http://www.madboa.com/geek/openssl/#cert-test|OpenSSL Command-Line HOWTO]]
  * [[https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO17482|SSL Certificate Installation for Nginx Server]]
  * [[http://blog.valqk.com/archives/RapidSSL-+-Intermediate-Certificates-+-Nginx-RapidSSL-unrecognized-issuer-problem.-48.html|RapidSSL + Intermediate Certificates + Nginx - RapidSSL unrecognized issuer problem]]
  * [[http://habrahabr.ru/company/tuthost/blog/150433/|Digital SSL certificates: the different kinds, and how to choose one]]
  * http://xgu.ru/wiki/OpenSSL
  * https://sslcertificate.ru/clients/knowledgebase.php?action=displayarticle&id=27
  * [[https://mozilla.github.io/server-side-tls/ssl-config-generator/|Mozilla's secure configuration generator]]
  * https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html#The_BEAST_attack_and_RC4

===== Vulnerabilities =====

POODLE (SSLv3 padding oracle)
  * http://poodlebleed.com/
  * https://www.tinfoilsecurity.com/poodle
  * https://entrust.ssllabs.com/index.html
  * https://www.ssllabs.com/ssltest/
  * https://pentest-tools.com/network-vulnerability-scanning/ssl-poodle-scanner

FREAK (export-grade RSA)
  * https://tools.keycdn.com/freak

Logjam (weak Diffie-Hellman)
  * https://weakdh.org/sysadmin.html

SHA-1 signatures
  * https://shachecker.com/
  * https://shaaaaaaaaaaaaa.com/

===== GlobalSign =====

https://support.globalsign.com/customer/portal/articles/1290470-install-certificate---nginx

Your GlobalSign SSL Certificate\\
↓\\
GlobalSign Intermediate Certificate\\
↓\\
GlobalSign Root Certificate

<code>
-----BEGIN CERTIFICATE-----
#Your GlobalSign SSL Certificate#
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
#GlobalSign Intermediate Certificate#
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
#GlobalSign Root Certificate#
-----END CERTIFICATE-----
</code>

The order matters: your own certificate first, then the intermediate that signed it. The root at the end is optional, since clients already have it in their trust store and sending it only adds bytes to every handshake.

===== SSL.com =====

  * [[https://www.ssl.com/article/ssl-com-root-certificates/|SSL.com Root Certificates]]
  * [[https://www.ssl.com/article/certificate-order-page-information/|Certificate Order Page Information]]
  * [[https://www.ssl.com/article/intermediate-certificate-download/|Intermediate Certificate Download]]
  * [[https://support.ssl.com/Knowledgebase/Article/View/14/0/certificate-installation-apache--mod_ssl--openssl|Installing your Certificate on Apache Mod_SSL / OpenSSL]]

===== HowTo =====

==== How to check that SSLv3 is not used on your server ====

<code>
$ openssl s_client -connect rtfm.wiki:443 -ssl3
CONNECTED(00000003)
23036:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64/src/ssl/s3_pkt.c:1145:SSL alert number 40
23036:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64/src/ssl/s3_pkt.c:566:
</code>

If you get **handshake failure**, everything is fine: the server refused to negotiate SSLv3. Note that OpenSSL 1.1.0 and later are built without SSLv3 by default, so on such a build ''-ssl3'' is rejected as an unknown option and proves nothing about the server; use a scanner (''nmap --script ssl-enum-ciphers'', testssl.sh, or the SSL Labs test above) instead.

==== Check that the key matches the certificate ====

<code>
openssl x509 -noout -modulus -in cert.crt | openssl md5
openssl rsa -noout -modulus -in cert.key | openssl md5
</code>

The two hashes must be identical. This compares the RSA modulus, so it only works for RSA keys; ''openssl rsa'' cannot read an EC key.

==== How to see whether a certificate is signed with SHA-1 or SHA-2 ====

  * [[http://stackoverflow.com/questions/26473076/how-do-i-check-if-my-ssl-certificate-is-sha1-or-sha2-on-the-commandline|How do I check if my SSL Certificate is SHA1 or SHA2 on the commandline]]
  * [[http://stackoverflow.com/questions/25810999/check-if-my-ssl-certificate-is-sha1-or-sha2|Check if my SSL Certificate is SHA1 or SHA2]]
  * [[https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1|Why Google is Hurrying the Web to Kill SHA-1]]

<code>
openssl s_client -connect www.yoursite.com:443 < /dev/null 2> /dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"
</code>

The line appears twice in the output (once in the signed part, once after the extensions); both show the algorithm the CA used to sign your certificate, e.g. ''sha256WithRSAEncryption''. Only your certificate and the intermediates matter: a SHA-1 self-signature on the root is harmless, because the root is trusted by identity, not by its signature.

===== Comodo RapidSSL =====

[[https://sslanalyzer.comodoca.com|Comodo's SSL checker]] reports ''Trusted by Mozilla? "No (unable to get local issuer certificate)"''. Most likely the certificates in the chain are in the wrong order, or an intermediate is missing altogether.
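An added example, not from the original page or from Comodo: a POSIX shell script that checks a PEM bundle the way a client walks it, verifying that each certificate's Issuer equals the Subject of the certificate that follows it. It builds its own throwaway root / intermediate / leaf PKI with the ''openssl'' CLI (the names Example Root CA, Example Intermediate CA and www.example.com and all file names are assumptions, constructed for the demonstration) and then checks a correct bundle, one with the intermediate and leaf swapped, and one where the intermediate was forgotten, which is the usual cause of "unable to get local issuer certificate".

```shell
#!/bin/sh
# Added example: check that a PEM bundle is ordered leaf -> intermediate(s) -> root.
# Requires the openssl CLI. Every certificate below is generated on the fly (constructed test data).

# Split a PEM bundle ($1) into $2/cert.1, $2/cert.2, ... in file order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert." n }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
}

# cert_dn subject|issuer FILE: print that DN without the "subject=" / "issuer=" prefix.
cert_dn() {
    openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# check_chain_order BUNDLE: return 0 and print OK when cert[i] is issued by cert[i+1] for every i,
# otherwise print where the chain breaks and return 1.
check_chain_order() {
    bundle=$1
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "$n" -lt 2 ]; then
        echo "BROKEN: only $n certificate(s) in $bundle, the intermediates are missing"
        return 1
    fi
    tmp=$(mktemp -d) || return 2
    split_bundle "$bundle" "$tmp"
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(cert_dn issuer "$tmp/cert.$i")
        subject=$(cert_dn subject "$tmp/cert.$((i + 1))")
        if [ "$issuer" != "$subject" ]; then
            echo "BROKEN at #$i: issuer '$issuer' is not the subject of #$((i + 1)) '$subject'"
            rm -rf "$tmp"
            return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "OK: $n certificates, each one signed by the next"
}

# Constructed test PKI: root -> intermediate -> leaf, throwaway RSA keys, valid for one day.
make_test_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/leaf.crt" 2>/dev/null
}

work=$(mktemp -d)
make_test_pki "$work"
cat "$work/leaf.crt" "$work/int.crt" "$work/root.crt" > "$work/good.crt"    # leaf, intermediate, root
cat "$work/int.crt" "$work/leaf.crt" "$work/root.crt" > "$work/swapped.crt" # intermediate before the leaf
cat "$work/leaf.crt" "$work/root.crt" > "$work/no-int.crt"                  # intermediate forgotten

check_chain_order "$work/good.crt"
check_chain_order "$work/swapped.crt" || true
check_chain_order "$work/no-int.crt" || true
# The final authority is still openssl verify, which needs the root as a trust anchor:
openssl verify -CAfile "$work/root.crt" -untrusted "$work/int.crt" "$work/leaf.crt"
```

Run it against a real bundle with ''check_chain_order ssl-bundle.crt''. The issuer/subject walk catches the two mistakes a checker reports as "unable to get local issuer certificate" (wrong order, missing intermediate) without needing the root in a trust store; ''openssl verify'' additionally checks signatures, validity dates and CA constraints.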
Build the bundle by appending the intermediates and the root to a file that already holds your own certificate (''>>'' appends; your certificate must come first):

<code>
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> bundle.crt
</code>

Example for Apache: https://www.namecheap.com/support/knowledgebase/article.aspx/9423/0/installing-a-ssl-certificate-on-apache

The files Comodo sends:
  * Root CA Certificate - AddTrustExternalCARoot.crt
  * Intermediate CA Certificate - COMODORSAAddTrustCA.crt
  * Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
  * Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)

<code>
cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
</code>

The order is: your certificate, then the intermediates starting with the one that signed it, the root last (the root may be left out). Note that the AddTrust External CA Root expired on 30 May 2020, so bundles built from these files need the newer Comodo/Sectigo chain.

  * [[https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO6252|Installation Instructions for Apache]]
  * [[https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=INFO1548|RapidSSL Intermediate CAs]]
  * [[https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO5292|How to remove a private key password using OpenSSL]]

===== VeriSign =====

  * Root certificate - [[https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=SO4785&actp=LIST&viewlocale=en_US|download]]
  * Intermediate certificate - [[https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=AR657&searchid=1361532303504|download]]
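An added example for the "Check that the key matches the certificate" HowTo above; it is not part of the original page. The modulus comparison shown there only works for RSA keys. Comparing the public key (SubjectPublicKeyInfo) extracted from the certificate with the one derived from the private key works for RSA and EC alike. The script generates its own throwaway keys and self-signed certificates with the ''openssl'' CLI (constructed test data; the names rsa.example and ec.example and the file names are assumptions) and checks a matching RSA pair, a matching EC pair, a deliberate mismatch and an unreadable file.

```shell
#!/bin/sh
# Added example: does a private key belong to a certificate? Works for RSA and EC keys.
# Requires the openssl CLI. All keys and certificates below are generated on the fly (constructed test data).

# pubkey_pem cert|key FILE: print the public key as PEM, taken from a certificate or derived from a private key.
pubkey_pem() {
    case "$1" in
        cert) openssl x509 -noout -pubkey -in "$2" 2>/dev/null ;;
        key)  openssl pkey -pubout -in "$2" 2>/dev/null ;;   # add -passin for an encrypted key
        *)    echo "usage: pubkey_pem cert|key FILE" >&2; return 2 ;;
    esac
}

# pubkey_fingerprint cert|key FILE: hex SHA-256 of the DER-encoded public key
# (the same digest HPKP and certificate pinning use, base64-encoded there). Fails if the file is unreadable.
pubkey_fingerprint() {
    pem=$(pubkey_pem "$1" "$2") && [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# key_matches_cert CERT KEY: 0 if the key's public half is the one in the certificate,
# 1 if it is not, 2 if either file cannot be read as a certificate / key.
key_matches_cert() {
    c=$(pubkey_fingerprint cert "$1") || return 2
    k=$(pubkey_fingerprint key "$2") || return 2
    [ "$c" = "$k" ]
}

# Constructed test data: an RSA pair, an EC pair and an unrelated RSA key.
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rsa.example" \
    -keyout "$work/rsa.key" -out "$work/rsa.crt" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$work/ec.key"
openssl req -x509 -new -key "$work/ec.key" -days 1 -subj "/CN=ec.example" -out "$work/ec.crt" 2>/dev/null
openssl genrsa -out "$work/other.key" 2048 2>/dev/null

# report CERT KEY: human-readable verdict for one pair.
report() {
    if key_matches_cert "$work/$1" "$work/$2"; then
        echo "$2 matches $1 (SPKI sha256 $(pubkey_fingerprint cert "$work/$1"))"
    else
        echo "$2 does NOT match $1"
    fi
}
report rsa.crt rsa.key
report ec.crt ec.key
report rsa.crt other.key
```

For a production check run ''key_matches_cert server.crt server.key'' and test the exit status; a return of 2 means the tool could not even read one of the files, which is worth telling apart from a genuine mismatch in a deployment script.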