There is [https://wiki.transitionnetwork.org/Security a page for users on the main wiki]; what follows is some more technical information.

== Check the SSL cert on the command line ==

The following is based on [http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/ instructions from nixCraft].

Create a directory to store the certificate:

{{{
$ mkdir -p ~/.cert/www.transitionnetwork.org/
$ cd ~/.cert/www.transitionnetwork.org/
}}}

Retrieve the www.transitionnetwork.org certificate provided by the Transition Network web server (`-showcerts` prints every certificate the server sends; s_client stays connected until you close its standard input with Ctrl-D):

{{{
$ openssl s_client -showcerts -connect www.transitionnetwork.org:443
}}}

Sample output:
| 21 | |
{{{
CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
-----BEGIN CERTIFICATE-----
MIIE9zCCA9+gAwIBAgIRALwjak7zR7NnERA/olIDh34wDQYJKoZIhvcNAQEFBQAw
QTELMAkGA1UEBhMCRlIxEjAQBgNVBAoTCUdBTkRJIFNBUzEeMBwGA1UEAxMVR2Fu
ZGkgU3RhbmRhcmQgU1NMIENBMB4XDTEwMDIxMDAwMDAwMFoXDTExMDIxMDIzNTk1
OVowazEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMSQwIgYDVQQL
ExtHYW5kaSBTdGFuZGFyZCBXaWxkY2FyZCBTU0wxIDAeBgNVBAMUFyoudHJhbnNp
dGlvbm5ldHdvcmsub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
s2ncTx3xMZdby9RhGMrGC3KN9Yr4NiyWYumj/9OROyaTpbsTRGy0N46cis1uY03p
84aWNns6o0TYIqn4XOXco+DWeGjMzMHQ19YKQ2cZ0k+YtjRPT9ss8lXjTJaLK1np
mbp5LaWgZLB+pUFzK9JZJOMCx6B6hJKUDOb3Fgakqujm74aT+bc3iAK7EKvZwUbq
E22Q1Yiae6g3Zd9gQ+yBI7MNg5Kygm8SE3LZ9dntnC+CzgO7t5GvAhnJdfVoHLuC
6IDtUlCx1Z7wmDl4tm7qcSaUdd4DGFocIqSpSRayqtAFNH9WnpwMxBROwyChsmFj
FRdHg7D6OYdS9NnpTx/LfwIDAQABo4IBvjCCAbowHwYDVR0jBBgwFoAUtqj/oqgv
0KbNS7Fo8+dQEDGneSEwHQYDVR0OBBYEFJM3Cz6AmNOWJySAjBgOd9a4nF36MA4G
A1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjBWBgNVHSAETzBNMEsGCysGAQQBsjEBAgIaMDwwOgYIKwYBBQUH
AgEWLmh0dHA6Ly93d3cuZ2FuZGkubmV0L2NvbnRyYWN0cy9mci9zc2wvY3BzL3Bk
Zi8wPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5nYW5kaS5uZXQvR2FuZGlT
dGFuZGFyZFNTTENBLmNybDBqBggrBgEFBQcBAQReMFwwNwYIKwYBBQUHMAKGK2h0
dHA6Ly9jcnQuZ2FuZGkubmV0L0dhbmRpU3RhbmRhcmRTU0xDQS5jcnQwIQYIKwYB
BQUHMAGGFWh0dHA6Ly9vY3NwLmdhbmRpLm5ldDA5BgNVHREEMjAwghcqLnRyYW5z
aXRpb25uZXR3b3JrLm9yZ4IVdHJhbnNpdGlvbm5ldHdvcmsub3JnMA0GCSqGSIb3
DQEBBQUAA4IBAQCtxu5tBJAnP7xOL5QkUAFyKoSkbHV1i7kc3MqH5h/gbW16lJQa
ke+Ac5M6/AHGc2vK+lKJWvQlVUqynECFjlvfTdD/WQFDcZYEkXrs85aB0ilSHHpr
GCAO8182Y6p2jQSVtkP+cPUH0oOKW1KHBlDkWhU0iy+ooInJu7zy7yvPNxPC3mC+
TxWmcshBcPLkW1E6NPXrVx1WK9NdYvAn78/kWg2oZxBg/BuDO2UdNhBU824rYvAp
P/Jd/eOoGzT7/JRtbF/xiO5Y10TPT2sjrFLpQodULgnN5TxsE1NcaOqzdDRxaUjb
kUoWZpr6aCIzXPYmtlvmwXVWy+UH8b5A+ZRj
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1967 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: D4C55538C4247FF187A1A8C130EA58195580A2996BF8F5343A5512CD8BF38719
    Session-ID-ctx:
    Master-Key: 4C739F03DE2A480D751D7B18A0E7A397B2FD9E8C7763153A91EF6356797BA7653D50D210D22CDB6BC49F787C8399DCBD
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1289253341
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
}}}
| 93 | |
Copy everything from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" (both lines included) and save it in your ~/.cert/www.transitionnetwork.org/ directory as www.transitionnetwork.org.pem.

The verify errors in the output above (20, 27 and finally 21, "unable to verify the first certificate") mean openssl could not find the certificate that signed the server's certificate: the server sends only its own certificate, and the issuing CA is not in the local trust store. This certificate was issued by Gandi (the issuer line above reads `Gandi Standard SSL CA`), so you need to get that issuing CA's certificate, which nixCraft calls the "Certification Authority Root Certificate":

{{{
$ wget http://crt.gandi.net/GandiStandardSSLCA.crt -O ~/.cert/www.transitionnetwork.org/gandi.pem
}}}

openssl looks up certificates in a -CApath directory through symbolic links named after the hash of each certificate's subject, so create those links with c_rehash:

{{{
$ c_rehash ~/.cert/www.transitionnetwork.org/
}}}

To confirm you have the correct and working certificates, connect again using that directory as the CA path and check the "Verify return code" line at the end of the output:

{{{
$ openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443
}}}

If the check still reports that an issuer certificate cannot be found, the directory also needs the rest of the chain above Gandi's CA, up to a self-signed root: openssl expects the chain it builds to end at a root certificate present in the directory.
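The whole procedure above as one script. This is an added example, not code from the wiki page or from nixCraft; it assumes `openssl`, `awk` and `wget` are installed and takes the host name and the issuer-certificate URL as arguments (the usage comment uses the values from this page). Compared with the manual copy-and-paste it extracts every certificate block from the s_client output automatically, converts the downloaded CA file when it is DER rather than PEM (the rehash tools only index PEM files), falls back to `openssl rehash` where c_rehash is not installed, and keeps the server certificate in a separate directory from the hashed CA certificates so that the final `openssl verify` cannot trivially trust the very certificate it is checking.

```shell
#!/bin/sh
# Added example (not from the wiki page): the certificate check above as a script.
# Assumptions: openssl, awk and wget are installed; host and issuer URL come from $1/$2.

# Read "openssl s_client -showcerts" output on stdin and write each
# -----BEGIN/END CERTIFICATE----- block to $1/cert0.pem, $1/cert1.pem, ...
# Prints the number of blocks found (0 when the handshake produced no certificate).
extract_pem_blocks() {
    awk -v dir="$1" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; file = dir "/cert" n ".pem"; n++ }
        inblock { print > file }
        /-----END CERTIFICATE-----/ { inblock = 0; close(file) }
        END { print n }
    '
}

# True when the file is a PEM text certificate rather than binary DER.
is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# c_rehash / openssl rehash only index PEM files, so convert a DER download in place.
ensure_pem() {
    if ! is_pem "$1"; then
        openssl x509 -inform DER -in "$1" -out "$1.tmp" && mv "$1.tmp" "$1"
    fi
}

# Build the hash-named symlinks openssl uses to find CA certificates in a -CApath
# directory; newer OpenSSL ships "openssl rehash", older installs have c_rehash.
rehash_dir() {
    openssl rehash "$1" 2>/dev/null || c_rehash "$1"
}

# Verify the server certificate against the hashed CA directory.
# -partial_chain lets an intermediate CA in the directory act as the trust anchor;
# without it OpenSSL insists on finding a self-signed root there as well.
verify_leaf() {
    openssl verify -CApath "$1" -partial_chain "$2"
}

check_site() {
    host=$1
    issuer_url=$2
    base=$HOME/.cert/$host
    mkdir -p "$base/site" "$base/ca"
    # </dev/null closes stdin so s_client exits right after the handshake.
    found=$(openssl s_client -showcerts -connect "$host:443" </dev/null 2>/dev/null |
        extract_pem_blocks "$base/site")
    [ "$found" -gt 0 ] || { echo "no certificate received from $host" >&2; return 1; }
    wget -q "$issuer_url" -O "$base/ca/issuer.pem"
    ensure_pem "$base/ca/issuer.pem"
    rehash_dir "$base/ca"
    verify_leaf "$base/ca" "$base/site/cert0.pem"
}

# Runs only when called with arguments, e.g.:
#   sh check_cert.sh www.transitionnetwork.org http://crt.gandi.net/GandiStandardSSLCA.crt
if [ $# -ge 2 ]; then
    check_site "$1" "$2"
fi
```

`openssl verify` prints `cert0.pem: OK` on success and the same error codes as s_client otherwise; the script's exit status is that of the final verify, so it can be dropped into a cron job or monitoring check unchanged.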