SSL, OpenSSL

• OpenSSL Command-Line HOWTO
• SSL Certificate Installation for Nginx Server
• RapidSSL + Intermediate Certificates + Nginx - RapidSSL unrecognized issuer problem
• Цифровые SSL сертификаты. Разновидности, как выбрать?
• http://xgu.ru/wiki/OpenSSL
• https://sslcertificate.ru/clients/knowledgebase.php?action=displayarticle&id=27
• Генератор безопасного конфига от Mozilla
• https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html#The_BEAST_attack_and_RC4

Poodle

• http://poodlebleed.com/
• https://www.tinfoilsecurity.com/poodle
• https://entrust.ssllabs.com/index.html
• https://www.ssllabs.com/ssltest/
• https://pentest-tools.com/network-vulnerability-scanning/ssl-poodle-scanner

FREAK

• https://tools.keycdn.com/freak

LogJam

• https://weakdh.org/sysadmin.html

SHA1

• https://shachecker.com/
• https://shaaaaaaaaaaaaa.com/

https://support.globalsign.com/customer/portal/articles/1290470-install-certificate---nginx

Your GlobalSign SSL Certificate
↓
GlobalSign Intermediate Certificate
↓
GlobalSign Root Certificate

-----BEGIN CERTIFICATE-----
#Your GlobalSign SSL Certificate#
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
#GlobalSign Intermediate Certificate#
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
#GlobalSign Root Certificate#
-----END CERTIFICATE-----

• SSL.com Root Certificates
• Certificate Order Page Information
• Intermediate Certificate Download
• Installing your Certificate on Apache Mod_SSL / OpenSSL

$ openssl s_client -connect rtfm.wiki:443 -ssl3
CONNECTED(00000003)
23036:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64/src/ssl/s3_pkt.c:1145:SSL alert number 40
23036:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-64/src/ssl/s3_pkt.c:566:

Если handshake failure, то всё ОК.

openssl x509 -noout -modulus -in cert.crt | openssl md5
openssl rsa -noout -modulus -in cert.key | openssl md5

Значения должны совпадать.

• How do I check if my SSL Certificate is SHA1 or SHA2 on the commandline
• Check if my SSL Certificate is SHA1 or SHA2
• Why Google is Hurrying the Web to Kill SHA-1

openssl s_client -connect www.yoursite.com:443 < /dev/null 2> /dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"

SSL чекер от Comodo выдает сообщение Trusted by Mozilla? "No (unable to get local issuer certificate)". Скорее всего неправильный порядок сертификатов в цепочке.

Bundle делаем так

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> bundle.crt

Пример для Apache

https://www.namecheap.com/support/knowledgebase/article.aspx/9423/0/installing-a-ssl-certificate-on-apache

comodo

Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Certificate - www_example_com.crt (or the subdomain you gave them)

cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

• Installation Instructions for Apache
• RapidSSL Intermediate CAs
• How to remove a private key password using OpenSSL

• Корневой сертификат - скачать
• Промежуточный сертификат - скачать