Version 6 (modified by chris, 6 years ago)
Transition Network Security Information
HTTPS
There is a page for users on the main wiki; what follows is more technical information.
Check the SSL cert on the command line
The following is based on instructions from nixCraft; see also ticket:165.
Create directory to store certificate:
$ mkdir -p ~/.cert/www.transitionnetwork.org/
$ cd ~/.cert/www.transitionnetwork.org/
Retrieve the www.transitionnetwork.org certificate provided by the Transition Network web server:
$ openssl s_client -showcerts -connect www.transitionnetwork.org:443
Sample output:
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
-----BEGIN CERTIFICATE-----
MIIE9zCCA9+gAwIBAgIRALwjak7zR7NnERA/olIDh34wDQYJKoZIhvcNAQEFBQAw
QTELMAkGA1UEBhMCRlIxEjAQBgNVBAoTCUdBTkRJIFNBUzEeMBwGA1UEAxMVR2Fu
ZGkgU3RhbmRhcmQgU1NMIENBMB4XDTEwMDIxMDAwMDAwMFoXDTExMDIxMDIzNTk1
OVowazEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMSQwIgYDVQQL
ExtHYW5kaSBTdGFuZGFyZCBXaWxkY2FyZCBTU0wxIDAeBgNVBAMUFyoudHJhbnNp
dGlvbm5ldHdvcmsub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
s2ncTx3xMZdby9RhGMrGC3KN9Yr4NiyWYumj/9OROyaTpbsTRGy0N46cis1uY03p
84aWNns6o0TYIqn4XOXco+DWeGjMzMHQ19YKQ2cZ0k+YtjRPT9ss8lXjTJaLK1np
mbp5LaWgZLB+pUFzK9JZJOMCx6B6hJKUDOb3Fgakqujm74aT+bc3iAK7EKvZwUbq
E22Q1Yiae6g3Zd9gQ+yBI7MNg5Kygm8SE3LZ9dntnC+CzgO7t5GvAhnJdfVoHLuC
6IDtUlCx1Z7wmDl4tm7qcSaUdd4DGFocIqSpSRayqtAFNH9WnpwMxBROwyChsmFj
FRdHg7D6OYdS9NnpTx/LfwIDAQABo4IBvjCCAbowHwYDVR0jBBgwFoAUtqj/oqgv
0KbNS7Fo8+dQEDGneSEwHQYDVR0OBBYEFJM3Cz6AmNOWJySAjBgOd9a4nF36MA4G
A1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjBWBgNVHSAETzBNMEsGCysGAQQBsjEBAgIaMDwwOgYIKwYBBQUH
AgEWLmh0dHA6Ly93d3cuZ2FuZGkubmV0L2NvbnRyYWN0cy9mci9zc2wvY3BzL3Bk
Zi8wPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5nYW5kaS5uZXQvR2FuZGlT
dGFuZGFyZFNTTENBLmNybDBqBggrBgEFBQcBAQReMFwwNwYIKwYBBQUHMAKGK2h0
dHA6Ly9jcnQuZ2FuZGkubmV0L0dhbmRpU3RhbmRhcmRTU0xDQS5jcnQwIQYIKwYB
BQUHMAGGFWh0dHA6Ly9vY3NwLmdhbmRpLm5ldDA5BgNVHREEMjAwghcqLnRyYW5z
aXRpb25uZXR3b3JrLm9yZ4IVdHJhbnNpdGlvbm5ldHdvcmsub3JnMA0GCSqGSIb3
DQEBBQUAA4IBAQCtxu5tBJAnP7xOL5QkUAFyKoSkbHV1i7kc3MqH5h/gbW16lJQa
ke+Ac5M6/AHGc2vK+lKJWvQlVUqynECFjlvfTdD/WQFDcZYEkXrs85aB0ilSHHpr
GCAO8182Y6p2jQSVtkP+cPUH0oOKW1KHBlDkWhU0iy+ooInJu7zy7yvPNxPC3mC+
TxWmcshBcPLkW1E6NPXrVx1WK9NdYvAn78/kWg2oZxBg/BuDO2UdNhBU824rYvAp
P/Jd/eOoGzT7/JRtbF/xiO5Y10TPT2sjrFLpQodULgnN5TxsE1NcaOqzdDRxaUjb
kUoWZpr6aCIzXPYmtlvmwXVWy+UH8b5A+ZRj
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1967 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: D4C55538C4247FF187A1A8C130EA58195580A2996BF8F5343A5512CD8BF38719
    Session-ID-ctx:
    Master-Key: 4C739F03DE2A480D751D7B18A0E7A397B2FD9E8C7763153A91EF6356797BA7653D50D210D22CDB6BC49F787C8399DCBD
    Key-Arg : None
    Krb5 Principal: None
    Start Time: 1289253341
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
Note the error at the end, "Verify return code: 21 (unable to verify the first certificate)".
Copy everything from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" inclusive, and save it in your ~/.cert/www.transitionnetwork.org/ directory as www.transitionnetwork.org.pem.
This certificate was issued by Gandi, so you need to download the intermediate and root CA certificates that make up its chain (served from gandi.net and usertrust.com) and convert them from DER to PEM format:
$ wget http://crt.gandi.net/GandiStandardSSLCA.crt
$ wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt
$ wget http://crt.usertrust.com/AddTrustExternalCARoot.crt
$ openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
$ openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
$ openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem
Create the symbolic links named by the certificates' subject hashes, which is what OpenSSL looks up in a -CApath directory, using c_rehash:
$ c_rehash ~/.cert/www.transitionnetwork.org/
To confirm you have the correct and working certificates, enter:
$ openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443
You should now see output like the above, but ending with:
Verify return code: 0 (ok)
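As an added example (not part of this wiki page or of nixCraft's instructions), the steps above can be scripted so the check is repeatable, for instance from cron. The function names and the use of -servername are my own choices; the parsers are written so they can be exercised on a saved s_client transcript without network access.

```sh
#!/bin/sh
# Added example, not from the original page: automate the manual s_client
# check. Parsers read an s_client transcript on stdin, so they work offline.

# Print the first certificate in the transcript (the server's own cert) as PEM,
# i.e. the BEGIN..END block the page tells you to copy by hand.
extract_leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ && p { exit }'
}

# Print the numeric "Verify return code" (21 in the page's first run, 0 once
# the CA chain is in place). s_client itself exits 0 either way, so the code
# has to be parsed rather than taken from the exit status.
verify_return_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\) .*/\1/p' | tail -n 1
}

# Convert every DER .crt in a directory to PEM and build the hash links that
# -CApath needs (the wget/x509/c_rehash steps above, for an arbitrary directory).
build_capath() {
    dir=$1
    for crt in "$dir"/*.crt; do
        [ -f "$crt" ] || continue
        openssl x509 -inform DER -in "$crt" -out "${crt%.crt}.pem"
    done
    c_rehash "$dir" >/dev/null
}

# Live check against a host: save its leaf cert next to the CA files and return
# non-zero unless the chain verifies against that directory.
check_https_chain() {
    host=$1; capath=$2
    out=$(openssl s_client -CApath "$capath" -servername "$host" \
              -connect "$host:443" </dev/null 2>/dev/null)
    printf '%s\n' "$out" | extract_leaf_cert > "$capath/$host.pem"
    code=$(printf '%s\n' "$out" | verify_return_code)
    [ "$code" = "0" ]
}

# Usage (network required), e.g.:
#   build_capath ~/.cert/www.transitionnetwork.org
#   check_https_chain www.transitionnetwork.org ~/.cert/www.transitionnetwork.org \
#       && echo "chain ok" || echo "chain NOT verified"
```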