Difference between revisions of "How to handle OpenSSL and not get hurt"

From PDP/Grid Wiki
 
(69 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== Stuff you wished to know before you every needed to touch the OpenSSL library ==
+
== Intro ==
  
On the web OpenSSL is poorly documented and even the book '''Network Security with OpenSSL''' doesn't touch the advanced inner workings of the library. There are more gems in the documentation of the OpenSSL source tarballs.
+
=== Stuff you wished to know before you every needed to touch the OpenSSL library ===
  
 +
This page is constructed as a personal '''braindump''' to be able to share some point of reference with those involved with OpenSSL. On the web OpenSSL is poorly documented and even the book '''Network Security with OpenSSL''' doesn't touch the advanced inner workings of the library. The library and its CLI tools are a part of our everyday Grid life and working with it, as intimately as developing callback functions and home-brew proxy certificate verification routines, has let me research how stuff works deeply from within the rabbit hole of the library itself.
  
Use the source! When you're looking for anything particular or specialized and you really wish to know how OpenSSL is handling this: '''Use the Source!'''
+
=== Use the source! ===
  
== What does that library call really do? ==
+
When in true doubt: Use the source! When you're '''looking for anything particular or specialized''' and you really wish to know how OpenSSL is handling this: '''Use the Source!'''. There are more gems in the documentation of the OpenSSL source tarballs and it's easily grep-able.
  
There exists '''X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)''' and '''X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)'''. The difference is that the '''X509_STORE_CTX_get_chain()''' will only return a reference to the certificate chain (type '''STACK_OF (X509) *''') from within the X509_STORE_CTX structure and the '''X509_STORE_CTX_get1_chain()''' will make a duplicate certificate chain that will need to be '''free()''''d.
+
== Down the rabbit hole... ==
  
 +
=== Background information ===
  
Freeing a '''STACK_OF (X509) *''' is not to be done with just '''free()'''. That will create a memory leak. Also a '''X509_free (X509) *''' and using a '''STACK_OF (X509) *''' as input will create a memory leak. The proper way to free a '''STACK_OF (X509) *''' is to use '''sk_X509_pop_free(st, free_func)''', where for '''free_func''' you should use '''X509_free'''. Example: '''sk_X509_pop_free(chain, X509_free)'''.
+
This section will have all kinds of background information regarding OpenSSL, Proxy certificates, CAs, formatting details and other (hopefully) useful tidbits.
Warning: do not get confused with '''sk_X509_free()''' which will accept the '''STACK_OF (<type>) *''', but does not ''pop'' the stack to free all the individual certificates of the chain (which will be equal to an instant memory leakage for any certificate chain longer then one certificate).
 
  
 +
Go to: [[How to handle OpenSSL and not get hurt background information]]
  
To get the '''issuer DN''' and '''subject DN''' you can use constructions like:
+
=== What does that library call really do? ===
char * cert_DN  = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
 
char * issuer_DN = X509_NAME_oneline (X509_get_issuer_name (cert), NULL, 0);
 
or
 
char cert_DN[255];
 
char issuer_DN[255];
 
X509_NAME_oneline (X509_get_subject_name (cert), cert_DN, 255);
 
X509_NAME_oneline (X509_get_issuer_name (cert), issuer_DN, 255);
 
  
In the first construction you'll need to free both the cert_DN and the issuer_DN. In the second example a static buffer is used and filled by the X509_NAME_oneline() routines.
+
So, how does that library call REALLY work and what am I expect to do? To free, or not to free, that is the question...
  
 +
Go to: [[How to handle OpenSSL and not get hurt and what does that library call really do?]]
  
== Interesting OpenSSL CLI need-to-knows ==
+
Also added some OCSP related information.
  
=== s_client foo ===
+
=== Interesting OpenSSL CLI need-to-knows ===
  
example: openssl s_client -connect 127.0.0.1:13050 -msg -nbio -ssl3 -CApath ~/dvl/ca/ -cert ~/dvl/ca/newcert.pem -key ~/dvl/ca/newkey.pem
+
This page hold all kinds of OpenSSL CLI tool tips and tricks.
  
 +
Go to: [[How to handle OpenSSL and not get hurt using the CLI]].
  
==== -CAfile vs. -CApath ====
+
== Contact and contribute ==
  
Using the -CAfile <specific CA file> will send this certificate over the wire to the server-side. This will typically fail the verification of the certificate chain at the server-side, because it is not allowed to transfer the self-signed certificates. The trust-anchors should be installed at the service, not transfered by the client (for obvious reasons). The -CAfile <file> will also be used for the verification of the server-side certificate, but it's safer to use the -CApath <path to one or more CA certificates> option.
+
I'd like to invite everybody who reads this to contribute tips, tricks, {code,wiki}-patches, need-to-knows, pitfalls, quirks, interesting routines, &c to this page directly or for external to Nikhef people through my email address.
  
 
+
You can contact me via email: okoeroo apestaartje nikhef punt nl.
==== How to calculate the hash used by CA files ====
 
 
 
OpenSSL CLI and the OpenSSL library functions will search in a default path and/or a given path to the needed (installed) CA files when it needs to verify a certificate chain. By convention a client (and server) will never provide the (final) CA certificate to the connected peer. The trust in the peer certificate (chain) has to be completed by adding the CA certificate(s) to the chain for it to verify completely.
 
 
 
This means that the OpenSSL CLI tool and/or library functions need to search one or more (stated) paths for the use CA files by the peers. OpenSSL will search in the -CApath directory by the hash of the used CA.
 
 
 
Run the following command:
 
openssl x509 -hash -noout -in cacert.pem
 
0e52ca4f
 
 
 
Copy or rename the cacert.pem file to '''0e52ca4f.0'''. The '''.0'''
 

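Review bot: this revision removes every substantive technical paragraph from the page (X509_STORE_CTX_get_chain vs X509_STORE_CTX_get1_chain, sk_X509_pop_free(chain, X509_free) vs sk_X509_free, the two X509_NAME_oneline forms and who frees the result, -CAfile vs -CApath, and the openssl x509 -hash naming of CA files) in favour of "Go to:" links, so confirm each item actually exists on the linked subpage before accepting, in particular the "How to calculate the hash used by CA files" section, whose last sentence is already cut off here ("The '''.0'''"). While moving that text, repair two defects it carries: the get1_chain sentence says the duplicated chain "will need to be '''free()''''d", while the next paragraph correctly states that plain free() leaks and that sk_X509_pop_free(chain, X509_free) is required, and "'''X509_free (X509) *'''" should read X509_free(). The heading typo "every needed" (for "ever needed") is carried unchanged into the new revision.
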
Latest revision as of 22:10, 23 November 2012

Intro

Stuff you wished to know before you ever needed to touch the OpenSSL library

This page is constructed as a personal braindump to be able to share some point of reference with those involved with OpenSSL. On the web OpenSSL is poorly documented and even the book Network Security with OpenSSL doesn't touch the advanced inner workings of the library. The library and its CLI tools are a part of our everyday Grid life and working with it, as intimately as developing callback functions and home-brew proxy certificate verification routines, has let me research how stuff works deeply from within the rabbit hole of the library itself.

Use the source!

When in true doubt: use the source! When you're looking for anything particular or specialized and you really wish to know how OpenSSL is handling it: Use the Source! There are more gems in the documentation of the OpenSSL source tarballs, and it's easily grep-able.

Down the rabbit hole...

Background information

This section will have all kinds of background information regarding OpenSSL, Proxy certificates, CAs, formatting details and other (hopefully) useful tidbits.

Go to: How to handle OpenSSL and not get hurt background information

What does that library call really do?

So, how does that library call REALLY work and what am I expected to do? To free, or not to free, that is the question...

Go to: How to handle OpenSSL and not get hurt and what does that library call really do?

Also added some OCSP-related information.

Interesting OpenSSL CLI need-to-knows

This page holds all kinds of OpenSSL CLI tool tips and tricks.

Go to: How to handle OpenSSL and not get hurt using the CLI.

Contact and contribute

I'd like to invite everybody who reads this to contribute tips, tricks, {code,wiki}-patches, need-to-knows, pitfalls, quirks, interesting routines, &c to this page directly or, for people external to Nikhef, through my email address.

You can contact me via email: okoeroo apestaartje nikhef punt nl.