Changes between Version 11 and Version 12 of SecurityInfo


Timestamp:
01/25/14 17:05:40 (3 years ago)
Author:
chris
Comment:

--

  • SecurityInfo

    v11 v12  
    11= Transition Network Security Information = 
    22 
    3 The Transition Network has a {{{*.transitionnetwork.org}}} SSL certificate from [https://gandi.net/ Gandi] which is used by web servers and mail servers. 
     3The three Transition Network servers, wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer all have a {{{*.transitionnetwork.org}}} SSL certificate from [https://gandi.net/ Gandi] which is used by web servers and mail servers. 
    44 
    55== Getting a new certificate == 
    66 
    7 See the steps followed in 2013 on ticket:475#comment:2 and 2014 on ticket:685#comment:2  
     7See the steps followed in 2013 on ticket:475#comment:2 and 2014 on ticket:685#comment:2.  
    88 
    99== Checking the HTTPS certificates == 
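Review bot: The new first sentence says that all three servers, wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer, carry the same {{{*.transitionnetwork.org}}} wildcard certificate, but it leaves the consequence unstated: the one private key is present on all three hosts, so a compromise of any of them exposes the certificate for every name under the wildcard, and a revocation or renewal (the "Getting a new certificate" section that follows) has to be rolled out to puffin, penguin and parrot together. One sentence here making that shared-key risk explicit would help whoever next follows this page.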
     
    1414 
    1515 * [https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org puffin] 
    16  * [https://www.ssllabs.com/ssltest/analyze.html?d=kiwi%2etransitionnetwork%2eorg&s=81%2e95%2e52%2e78 kiwi] 
     16 * [https://www.ssllabs.com/ssltest/analyze.html?d=penguin.transitionnetwork.org penguin] 
     17 * [https://www.ssllabs.com/ssltest/analyze.html?d=parrot.transitionnetwork.org parrot] 
    1718 
    1819See also ticket:409 on which some issues were resolved. 
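Review bot: The puffin entry still points SSL Labs at the bare domain ({{{?d=transitionnetwork.org}}}) while the added penguin and parrot entries use each host's own name ({{{?d=penguin.transitionnetwork.org}}} and {{{?d=parrot.transitionnetwork.org}}}), so a reader cannot tell which server the first report covers. If the apex name is served by puffin, say so; otherwise change the link to {{{?d=puffin.transitionnetwork.org}}} for consistency with the other two. The removed kiwi entry also pinned a specific server address with the {{{&s=}}} parameter; the new entries drop it, which is fine as long as each hostname resolves to a single address.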
     
    2526 
    2627{{{ 
    27 $ mkdir -p ~/.cert/www.transitionnetwork.org/ 
    28 $ cd ~/.cert/www.transitionnetwork.org/ 
     28mkdir -p ~/.cert/www.transitionnetwork.org/ 
     29cd ~/.cert/www.transitionnetwork.org/ 
    2930}}} 
    3031 
     
    3233 
    3334{{{ 
    34 $ openssl s_client -showcerts -connect www.transitionnetwork.org:443 
     35openssl s_client -showcerts -connect www.transitionnetwork.org:443 
    3536}}} 
    3637 
    37 Sample output: 
     38Look at the end of the output, you will have one of these: 
    3839 
    3940{{{ 
    40 CONNECTED(00000003) 
    41 depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org 
    42 verify error:num=20:unable to get local issuer certificate 
    43 verify return:1 
    44 depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org 
    45 verify error:num=27:certificate not trusted 
    46 verify return:1 
    47 depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org 
    48 verify error:num=21:unable to verify the first certificate 
    49 verify return:1 
    50 --- 
    51 Certificate chain 
    52  0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org 
    53    i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA 
    54 -----BEGIN CERTIFICATE----- 
    55 MIIE9zCCA9+gAwIBAgIRALwjak7zR7NnERA/olIDh34wDQYJKoZIhvcNAQEFBQAw 
    56 QTELMAkGA1UEBhMCRlIxEjAQBgNVBAoTCUdBTkRJIFNBUzEeMBwGA1UEAxMVR2Fu 
    57 ZGkgU3RhbmRhcmQgU1NMIENBMB4XDTEwMDIxMDAwMDAwMFoXDTExMDIxMDIzNTk1 
    58 OVowazEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMSQwIgYDVQQL 
    59 ExtHYW5kaSBTdGFuZGFyZCBXaWxkY2FyZCBTU0wxIDAeBgNVBAMUFyoudHJhbnNp 
    60 dGlvbm5ldHdvcmsub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA 
    61 s2ncTx3xMZdby9RhGMrGC3KN9Yr4NiyWYumj/9OROyaTpbsTRGy0N46cis1uY03p 
    62 84aWNns6o0TYIqn4XOXco+DWeGjMzMHQ19YKQ2cZ0k+YtjRPT9ss8lXjTJaLK1np 
    63 mbp5LaWgZLB+pUFzK9JZJOMCx6B6hJKUDOb3Fgakqujm74aT+bc3iAK7EKvZwUbq 
    64 E22Q1Yiae6g3Zd9gQ+yBI7MNg5Kygm8SE3LZ9dntnC+CzgO7t5GvAhnJdfVoHLuC 
    65 6IDtUlCx1Z7wmDl4tm7qcSaUdd4DGFocIqSpSRayqtAFNH9WnpwMxBROwyChsmFj 
    66 FRdHg7D6OYdS9NnpTx/LfwIDAQABo4IBvjCCAbowHwYDVR0jBBgwFoAUtqj/oqgv 
    67 0KbNS7Fo8+dQEDGneSEwHQYDVR0OBBYEFJM3Cz6AmNOWJySAjBgOd9a4nF36MA4G 
    68 A1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMB 
    69 BggrBgEFBQcDAjBWBgNVHSAETzBNMEsGCysGAQQBsjEBAgIaMDwwOgYIKwYBBQUH 
    70 AgEWLmh0dHA6Ly93d3cuZ2FuZGkubmV0L2NvbnRyYWN0cy9mci9zc2wvY3BzL3Bk 
    71 Zi8wPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5nYW5kaS5uZXQvR2FuZGlT 
    72 dGFuZGFyZFNTTENBLmNybDBqBggrBgEFBQcBAQReMFwwNwYIKwYBBQUHMAKGK2h0 
    73 dHA6Ly9jcnQuZ2FuZGkubmV0L0dhbmRpU3RhbmRhcmRTU0xDQS5jcnQwIQYIKwYB 
    74 BQUHMAGGFWh0dHA6Ly9vY3NwLmdhbmRpLm5ldDA5BgNVHREEMjAwghcqLnRyYW5z 
    75 aXRpb25uZXR3b3JrLm9yZ4IVdHJhbnNpdGlvbm5ldHdvcmsub3JnMA0GCSqGSIb3 
    76 DQEBBQUAA4IBAQCtxu5tBJAnP7xOL5QkUAFyKoSkbHV1i7kc3MqH5h/gbW16lJQa 
    77 ke+Ac5M6/AHGc2vK+lKJWvQlVUqynECFjlvfTdD/WQFDcZYEkXrs85aB0ilSHHpr 
    78 GCAO8182Y6p2jQSVtkP+cPUH0oOKW1KHBlDkWhU0iy+ooInJu7zy7yvPNxPC3mC+ 
    79 TxWmcshBcPLkW1E6NPXrVx1WK9NdYvAn78/kWg2oZxBg/BuDO2UdNhBU824rYvAp 
    80 P/Jd/eOoGzT7/JRtbF/xiO5Y10TPT2sjrFLpQodULgnN5TxsE1NcaOqzdDRxaUjb 
    81 kUoWZpr6aCIzXPYmtlvmwXVWy+UH8b5A+ZRj 
    82 -----END CERTIFICATE----- 
    83 --- 
    84 Server certificate 
    85 subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org 
    86 issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA 
    87 --- 
    88 No client certificate CA names sent 
    89 --- 
    90 SSL handshake has read 1967 bytes and written 319 bytes 
    91 --- 
    92 New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA 
    93 Server public key is 2048 bit 
    94 Secure Renegotiation IS NOT supported 
    95 Compression: NONE 
    96 Expansion: NONE 
    97 SSL-Session: 
    98     Protocol  : TLSv1 
    99     Cipher    : DHE-RSA-AES256-SHA 
    100     Session-ID: D4C55538C4247FF187A1A8C130EA58195580A2996BF8F5343A5512CD8BF38719 
    101     Session-ID-ctx:  
    102     Master-Key: 4C739F03DE2A480D751D7B18A0E7A397B2FD9E8C7763153A91EF6356797BA7653D50D210D22CDB6BC49F787C8399DCBD 
    103     Key-Arg   : None 
    104     Krb5 Principal: None 
    105     Start Time: 1289253341 
    106     Timeout   : 300 (sec) 
    10741    Verify return code: 21 (unable to verify the first certificate) 
    108 --- 
     42}}} 
     43 
     44{{{ 
     45    Verify return code: 19 (self signed certificate in certificate chain) 
    10946}}} 
    11047 
    11148Note the error at the end, '''"Verify return code: 21 (unable to verify the first certificate)"'''. 
    11249 
    113 Copy from the "-----BEGIN CERTIFICATE-----" to the "-----END CERTIFICATE-----" , and save it in your ~/.cert/www.transitionnetwork.org/ directory as www.transitionnetwork.org.pem. 
     50Copy from the {{{-----BEGIN CERTIFICATE-----}}} to the {{{-----END CERTIFICATE-----}}} which starts with {{{ 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org}}}, and save it in your {{{~/.cert/www.transitionnetwork.org/}}} directory as {{{www.transitionnetwork.org.pem}}}. 
    11451 
    11552This certificate was issued by Gandi, so you need to get the various certificates [http://wiki.gandi.net/en/ssl/intermediate?rev=1236084787 from gandi.net] and change them into pem format: 
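Review bot: The unchanged line "Note the error at the end, '''"Verify return code: 21 (unable to verify the first certificate)"'''." now contradicts the new wording "you will have one of these", because the second added block shows a different result, {{{Verify return code: 19 (self signed certificate in certificate chain)}}}. Update that note to cover both codes, for example "Note the error at the end, either "Verify return code: 21 (unable to verify the first certificate)" or "Verify return code: 19 (self signed certificate in certificate chain)"", and say which server produces which if that is known. It would also help to state what the two codes mean in terms of what the server sends: the sample shows a chain with only entry 0 (the leaf) and no Gandi intermediate, which is what yields code 21, while code 19 means the chain that was sent does include a self-signed root but that root is not in the local trust store. Finally, the sample output is dated ({{{Start Time: 1289253341}}} is from November 2010, the session negotiated TLSv1 and reports {{{Secure Renegotiation IS NOT supported}}}), so consider refreshing it once the 2014 certificate from ticket:685 is in place.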
     
    12764 
    12865{{{ 
    129 $ c_rehash ~/.cert/www.transitionnetwork.org/ 
     66c_rehash ~/.cert/www.transitionnetwork.org/ 
    13067}}} 
    13168 
     
    13370 
    13471{{{ 
    135 $ openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443 
     72openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443 
    13673}}} 
    13774
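Review bot: The final check gives no expected result, unlike the failing runs above, which spell out their {{{Verify return code}}} lines. Add the line a successful run ends with, {{{Verify return code: 0 (ok)}}}, after this block so the reader can confirm the intermediates were installed correctly; if it still reports 19 or 21, the files from the Gandi page were not converted to PEM or {{{c_rehash}}} was not re-run after they were added.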