Wednesday, October 7, 2009

OpenSSL Usage tips

OpenSSL can be a complicated application, to be sure. This page intends to shed some light on how to accomplish some typical operations, such as viewing a certificate's details or creating an SSL (client) connection to an email server that supports STARTTLS.

View a certificate's details
openssl x509 -in filename.crt -noout -text

Where filename.crt is the X.509 certificate file, which typically ends in .crt, .cert or .pem. See also: man x509

Viewing the details of a certificate revocation list (CRL)
openssl crl -in filename -noout -text

Where filename is the CRL file, which typically ends in .crl or .pem. See also: man crl

DER to PEM conversion
Converts a DER-format certificate to PEM, which is more widely used in applications such as Apache.
openssl x509 -out exported-pem.crt -outform pem -text -in derfile.crt -inform der

See also: man x509

Generate the hash value from a certificate
Sometimes useful when you want to store multiple CA certificates as separate files in a directory configured into your application.
openssl x509 -hash -noout -in certfile.pem

See also: man x509

Testing STARTTLS
Connects to a mail server and starts a TLS session; with -showcerts it shows all the server certificates (the certificate chain).
openssl s_client -connect test.smtp.org:25 -starttls smtp -showcerts

Note: -starttls is only supported in newer versions of OpenSSL (check the man page for the -starttls option). See also: man s_client

Tuesday, October 6, 2009

What is UMASK?

UMASK is a Unix environment variable which automatically sets file permissions on newly created files.

The UMASK variable can be confusing to use, because it works as a mask: you set the permissions that you do NOT want in the UMASK.

To calculate permissions which will result from specific UMASK values, subtract the UMASK from 666 for files and from 777 for directories.

If you want all files created with permissions of 666, set your UMASK to 000. Alternatively, if you want all files created with permissions of 000, set your UMASK to 666.

A reasonable value for UMASK is 022, which will cause files to be created with permissions of 644 (rw-r--r--) and directories to be created with permissions of 755 (rwxr-xr-x).

A more secure value for UMASK is 066, which will cause files to be created with permissions of 600 (rw-------) and directories to be created with permissions of 700 (rwx------).

UMASK is normally defined in the .profile or .login user startup files.
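A small POSIX shell helper, added here as an example and not part of the original post, that predicts the permissions a new file or directory gets under a given umask. The kernel applies the mask bitwise (mode & ~umask), which gives the same result as the subtraction shortcut above for values like 022 and 077, and still works for a mask such as 027 where digit-wise subtraction would go negative.

```shell
#!/bin/sh
# Added example: predict the mode of a new file or directory under a umask.
# The kernel computes mode & ~umask, so every bit set in the mask is cleared
# and nothing is ever added. Base modes: 666 for files, 777 for directories.

# apply_umask UMASK BASE -> resulting mode as three octal digits
apply_umask() {
    # The leading 0 makes the shell read both arguments as octal numbers.
    printf '%03o\n' $(( 0$2 & ~0$1 ))
}

# mode_to_rwx MODE -> ls-style string, e.g. 644 -> rw-r--r--
mode_to_rwx() {
    m=$(( 0$1 ))
    out=""
    for pos in 6 3 0; do                 # owner, group, other triplets
        bits=$(( (m >> pos) & 7 ))
        r=-; w=-; x=-
        [ $(( bits & 4 )) -ne 0 ] && r=r
        [ $(( bits & 2 )) -ne 0 ] && w=w
        [ $(( bits & 1 )) -ne 0 ] && x=x
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# umask_for DESIRED_DIR_MODE -> the umask that produces it, e.g. 750 -> 027
umask_for() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# Walk the masks discussed in the post plus 027, a common group-readable choice.
for mask in 022 027 066 077; do
    f=$(apply_umask "$mask" 666)
    d=$(apply_umask "$mask" 777)
    printf 'umask %s: files %s (%s)  dirs %s (%s)\n' \
        "$mask" "$f" "$(mode_to_rwx "$f")" "$d" "$(mode_to_rwx "$d")"
done

# The umask builtin reports the running shell's mask; predict what touch and
# mkdir would create right now.
cur=$(umask)
printf 'current umask %s: new files %s, new dirs %s\n' \
    "$cur" "$(apply_umask "$cur" 666)" "$(apply_umask "$cur" 777)"
```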