wiki:SecurityInfo

Version 8 (modified by chris, 4 years ago) (diff)

--

Transition Network Security Information

The Transition Network has a *.transitionnetwork.org SSL certificate from Gandi which is used by web servers and mail servers.

Getting a new certificate

See the steps followed in 2013 on trac:ticket/475#comment:2

Checking the HTTPS certificates

There is a page for users on the main wiki, following is some more techie info.

You can check the servers here:

See also ticket:409 on which some issues were resolved.

Check the SSL cert on the command line

The following is based on instructions from nixCraft, see also ticket:165.

Create directory to store certificate:

$ mkdir -p ~/.cert/www.transitionnetwork.org/
$ cd ~/.cert/www.transitionnetwork.org/

Retrieve the www.transitionnetwork.org certificate provided by the Transition Network web server:

$ openssl s_client -showcerts -connect www.transitionnetwork.org:443

Sample output:

CONNECTED(00000003)
depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
-----BEGIN CERTIFICATE-----
MIIE9zCCA9+gAwIBAgIRALwjak7zR7NnERA/olIDh34wDQYJKoZIhvcNAQEFBQAw
QTELMAkGA1UEBhMCRlIxEjAQBgNVBAoTCUdBTkRJIFNBUzEeMBwGA1UEAxMVR2Fu
ZGkgU3RhbmRhcmQgU1NMIENBMB4XDTEwMDIxMDAwMDAwMFoXDTExMDIxMDIzNTk1
OVowazEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMSQwIgYDVQQL
ExtHYW5kaSBTdGFuZGFyZCBXaWxkY2FyZCBTU0wxIDAeBgNVBAMUFyoudHJhbnNp
dGlvbm5ldHdvcmsub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
s2ncTx3xMZdby9RhGMrGC3KN9Yr4NiyWYumj/9OROyaTpbsTRGy0N46cis1uY03p
84aWNns6o0TYIqn4XOXco+DWeGjMzMHQ19YKQ2cZ0k+YtjRPT9ss8lXjTJaLK1np
mbp5LaWgZLB+pUFzK9JZJOMCx6B6hJKUDOb3Fgakqujm74aT+bc3iAK7EKvZwUbq
E22Q1Yiae6g3Zd9gQ+yBI7MNg5Kygm8SE3LZ9dntnC+CzgO7t5GvAhnJdfVoHLuC
6IDtUlCx1Z7wmDl4tm7qcSaUdd4DGFocIqSpSRayqtAFNH9WnpwMxBROwyChsmFj
FRdHg7D6OYdS9NnpTx/LfwIDAQABo4IBvjCCAbowHwYDVR0jBBgwFoAUtqj/oqgv
0KbNS7Fo8+dQEDGneSEwHQYDVR0OBBYEFJM3Cz6AmNOWJySAjBgOd9a4nF36MA4G
A1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjBWBgNVHSAETzBNMEsGCysGAQQBsjEBAgIaMDwwOgYIKwYBBQUH
AgEWLmh0dHA6Ly93d3cuZ2FuZGkubmV0L2NvbnRyYWN0cy9mci9zc2wvY3BzL3Bk
Zi8wPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5nYW5kaS5uZXQvR2FuZGlT
dGFuZGFyZFNTTENBLmNybDBqBggrBgEFBQcBAQReMFwwNwYIKwYBBQUHMAKGK2h0
dHA6Ly9jcnQuZ2FuZGkubmV0L0dhbmRpU3RhbmRhcmRTU0xDQS5jcnQwIQYIKwYB
BQUHMAGGFWh0dHA6Ly9vY3NwLmdhbmRpLm5ldDA5BgNVHREEMjAwghcqLnRyYW5z
aXRpb25uZXR3b3JrLm9yZ4IVdHJhbnNpdGlvbm5ldHdvcmsub3JnMA0GCSqGSIb3
DQEBBQUAA4IBAQCtxu5tBJAnP7xOL5QkUAFyKoSkbHV1i7kc3MqH5h/gbW16lJQa
ke+Ac5M6/AHGc2vK+lKJWvQlVUqynECFjlvfTdD/WQFDcZYEkXrs85aB0ilSHHpr
GCAO8182Y6p2jQSVtkP+cPUH0oOKW1KHBlDkWhU0iy+ooInJu7zy7yvPNxPC3mC+
TxWmcshBcPLkW1E6NPXrVx1WK9NdYvAn78/kWg2oZxBg/BuDO2UdNhBU824rYvAp
P/Jd/eOoGzT7/JRtbF/xiO5Y10TPT2sjrFLpQodULgnN5TxsE1NcaOqzdDRxaUjb
kUoWZpr6aCIzXPYmtlvmwXVWy+UH8b5A+ZRj
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.transitionnetwork.org
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1967 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: D4C55538C4247FF187A1A8C130EA58195580A2996BF8F5343A5512CD8BF38719
    Session-ID-ctx: 
    Master-Key: 4C739F03DE2A480D751D7B18A0E7A397B2FD9E8C7763153A91EF6356797BA7653D50D210D22CDB6BC49F787C8399DCBD
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1289253341
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Note the error at the end, "Verify return code: 21 (unable to verify the first certificate)".

Copy from the "-----BEGIN CERTIFICATE-----" to the "-----END CERTIFICATE-----" , and save it in your ~/.cert/www.transitionnetwork.org/ directory as www.transitionnetwork.org.pem.

This certificate was issued by Gandi, so you need to get the various certificates from gandi.net and change them into pem format:

wget http://crt.gandi.net/GandiStandardSSLCA.crt
wget http://crt.usertrust.com/UTNAddTrustServer_CA.crt
wget http://crt.usertrust.com/AddTrustExternalCARoot.crt
openssl x509 -inform DER -in GandiStandardSSLCA.crt -out GandiStandardSSLCA.pem
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem
openssl x509 -inform DER -in UTNAddTrustServer_CA.crt -out UTNAddTrustServer_CA.pem

Create symbolic links to files named by the hash values using c_rehash, enter:

$ c_rehash ~/.cert/www.transitionnetwork.org/

To confirm you have the correct and working certificates, enter:

$ openssl s_client -CApath ~/.cert/www.transitionnetwork.org/ -connect www.transitionnetwork.org:443

And you should now output like above but with this at the end:

    Verify return code: 0 (ok)