sendmail dh key too small
Tue, 08/04/2015 - 21:17 — sandip
Logjam broke Sendmail?
Generate new DH keys file:
cd /etc/pki/tls/certs
openssl dhparam -out dhparams.pem 2048
Edit sendmail.mc:
define(`confDH_PARAMETERS', `/etc/pki/tls/certs/dhparams.pem')dnl
Update sendmail.cf and restart:
cd /etc/mail
make
service sendmail restart
Refer to https://weakdh.org/sysadmin.ht
md5 and sha1 digest with openssl
Thu, 08/30/2012 - 17:00 — sandip
md5 digest:
echo -n 'md5 digest of text' | openssl dgst -md5
841fc570f41fad1a64cc237b16127225
sha1 digest:
echo -n 'sha1 digest of text' | openssl dgst -sha1
80efdb4abbeb92c0ea15a4146d68c39adff5ad47
base64 encoding decoding with openssl
Thu, 08/30/2012 - 16:28 — sandip
Base64 encoding with openssl:
echo -n 'encode this with base64' | openssl enc -base64
ZW5jb2RlIHRoaXMgd2l0aCBiYXNlNjQ=
Base64 decoding with openssl:
echo 'ZW5jb2RlIHRoaXMgd2l0aCBiYXNlNjQ=' | openssl enc -base64 -d
encode this with base64
Shadow password hash explained
Sat, 07/11/2009 - 00:05 — sandip
You can programmatically generate a shadow password hash via:
$ openssl passwd -1 -salt G5cYam5w test.123
$1$G5cYam5w$z0NDUjMRX4xVBKw9Nb6YL0
-1 means md5
G5cYam5w is a random salt (minimum 8)
test.123 is the password
Here is the breakdown:
The first $1 means that it is an md5 hash.
The second $G5cYam5w is a random salt.
The third $z0NDUjMRX4xVBKw9Nb6YL0 is the md5 hash.
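The breakdown above as shell functions, added here as an example that is not part of the original post: they split a $1$ shadow entry into its fields and re-check a candidate password with openssl passwd. The names shadow_field and shadow_verify are hypothetical, and the password is fed on stdin with -stdin instead of as an argument so it stays out of the process list.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Sample entry as shown in the post above.
SAMPLE='$1$G5cYam5w$z0NDUjMRX4xVBKw9Nb6YL0'

# shadow_field HASH N: print the Nth $-separated field (1=id, 2=salt, 3=digest).
shadow_field() {
    # The entry starts with '$', so cut sees an empty first field: shift by one.
    printf '%s\n' "$1" | cut -d'$' -f"$(( $2 + 1 ))"
}

# shadow_verify PASSWORD HASH: 0 = match, 1 = mismatch, 2 = not a $1$ entry
# (locked markers such as '!' or '*', other schemes, or openssl failing).
shadow_verify() {
    case "$2" in
        '$1$'?*'$'?*) ;;
        *) return 2 ;;
    esac
    salt=$(shadow_field "$2" 2)
    # -stdin keeps the password out of the argument list (ps, shell history).
    candidate=$(printf '%s\n' "$1" | openssl passwd -1 -salt "$salt" -stdin) || return 2
    [ "$candidate" = "$2" ]
}

echo "id:     $(shadow_field "$SAMPLE" 1)"
echo "salt:   $(shadow_field "$SAMPLE" 2)"
echo "digest: $(shadow_field "$SAMPLE" 3)"
if shadow_verify 'test.123' "$SAMPLE"; then
    echo "password matches entry"
else
    echo "no match (status $?)"
fi
```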
Checking Ubuntu Servers for openssh and openssl vulnerable keys
Sun, 06/22/2008 - 21:33 — sandip
Update openssh and openssl packages
# apt-get update
# apt-get install openssh openssl
# apt-get install openssh-blacklist openssl-blacklist
# ssh-vulnkeys -a
# openssl-vulnkeys *.key *.pem
Note: Plesk specific ssl certs are stored at "/opt/psa/var/certificates/"
Static compile of openssl, apache, mod_ssl and php
Tue, 02/26/2008 - 16:47 — wizap
As of this writing, the latest versions were:
apache_1.3.41
php-4.4.8
openssl-0.9.8g
mod_ssl-2.8.31-1.3.41
Once the files are downloaded and extracted, configure, compile and install in the order below:
Install openssl:
$ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
$ make
# make install
$ ./configure \
--with-ssl=../openssl-0.9.8g \
--with-apache=../apache_1.3.41
$ ./configure
$ ./configure \
--with-gd \
--with-jpeg-dir \
--with-png-dir \
--with-zlib-dir \
--with-freetype \
--with-freetype-dir=/usr/lib \
--enable-gd-native-ttf \
--enable-memory-limit \
--with-ldap \
--with-mysql \
--with-apache=../apache_1.3.41
$ make
# make install
$ SSL_BASE=../openssl-0.9.8g \
./configure \
--prefix=/usr/local/apache \
--enable-module=rewrite \
--enable-module=so \
--activate-module=src/modules/php4/libphp4.a \
--enable-module=ssl
STARTTLS: CRLFile missing (RESOLVED)
Fri, 10/19/2007 - 10:20 — sandip
When starting sendmail, I would get the below message:
Oct 18 23:59:01 srv02 sendmail[20857]: alias database /etc/aliases rebuilt by root
Oct 18 23:59:01 srv02 sendmail[20857]: /etc/aliases: 79 aliases, longest 22 bytes, 860 bytes total
Oct 18 23:59:01 srv02 sendmail[20862]: starting daemon (8.13.1): SMTP+queueing@01:00:00
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS: CRLFile missing
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS=server, Diffie-Hellman init, key=512 bit (1)
Oct 18 23:59:01 srv02 sendmail[20862]: STARTTLS=server, init=1
Oct 18 23:59:01 srv02 sendmail[20862]: started as: /usr/sbin/sendmail -bd -q1h
Oct 18 23:59:01 srv02 sm-msp-queue[20872]: starting daemon (8.13.1): queueing@01:00:00
Sendmail would still run without the CRL file and just complain about it missing. A quick way to include it in the sendmail configuration is to download revoke.crl from cacert.org, add the option below to sendmail.mc and rebuild the sendmail configuration file as shown below.
Download revoke.crl:
# cd /usr/share/ssl/certs
# wget http://www.cacert.org/revoke.crl
Add the below line to "/etc/mail/sendmail.mc" just below the "confSERVER_KEY":
define(`confCRL', `/usr/share/ssl/certs/revoke.crl')
Rebuild sendmail conf by running make:
# cd /etc/mail
# make
Check sendmail.cf with the revoke.crl listed as below:
O CRLFile=/usr/share/ssl/certs/revoke.crl
Now restarting sendmail should not complain about the missing Certificate Revocation List (CRL) File.
Static compile and install of apache + mod_ssl + php on FC4
Tue, 05/22/2007 - 15:24 — sandip
Latest compile with pdo drivers for mysql along with mod_security.
NOTE:
Remove the MySQL-shared rpm else openssl will not work.
# rpm -e MySQL-shared-5.0.20a-0.glibc23