OpenSSL
From Gentoo Linux Wiki
How to use OpenSSL in your programs. Example code can be found at http://www.rtfm.com/openssl-examples/.
You need valid certificates in order to run these examples. Here is how to generate them with CA.sh, the helper script that ships with the OpenSSL installation (on Gentoo Linux it is installed as /etc/ssl/misc/CA.sh). OpenSSL 1.1.0 and later no longer ship CA.sh; use the equivalent Perl script CA.pl instead, which accepts the same -newca, -newreq and -sign options.
First step
Inside the example code directory do
mkdir newca
cd newca
cp /etc/ssl/misc/CA.sh .
./CA.sh -newca
This creates a new CA under demoCA/. Remember the passphrase you choose for the CA key, as you will need it to sign certificates.
cp demoCA/cacert.pem ../root.pem
copies the CA certificate to root.pem, the file the example programs load as their list of trusted CAs.
Second step
./CA.sh -newreq
creates a new private key (newkey.pem) and a certificate signing request (newreq.pem); the certificate itself is produced in the next step. Set the key passphrase to 'password', as this is hard-coded in the examples' source code. It is important to set the Common Name to 'localhost', because the example client compares the Common Name of the server certificate with the host name it connected to.
Third step
./CA.sh -sign
signs the request from step two with your CA and writes the certificate to newcert.pem. Enter the CA passphrase you chose in step one.
Fourth step
cat newreq.pem newkey.pem newcert.pem > ../localhost.pem
cd ..
ln -s localhost.pem server.pem
ln -s localhost.pem client.pem
The examples load their private key and certificate from server.pem and client.pem, so both are symlinks to the same file. Maybe you also want to issue
openssl dhparam -2 -out dh1024.pem 1024
in order to regenerate the DH parameters (dh1024.pem) that the example server loads for ephemeral Diffie-Hellman. The number of bits goes last; newer OpenSSL releases do not accept it anywhere else. Note that 1024-bit DH groups are considered too weak for anything beyond local testing; use 2048 bits where you are not tied to the examples' file name.
The above setup will only work for local testing. If you want to use the examples between different hosts, you have two options. You can disable the Common Name / host name comparison in client.c so that the same certificate can be used on all hosts, but then any certificate signed by your CA is accepted for any host, and whoever holds one such certificate and its key can impersonate every server in the setup. The safe option is to repeat steps two and three for each server with its correct host name (the FQDN, fully qualified domain name, i.e. host name plus domain name) as the Common Name instead of 'localhost', and to have the client connect to it under exactly that name.
Final note: if SSL_get_verify_result() in client.c returns error code 10 (X509_V_ERR_CERT_HAS_EXPIRED, the certificate is outside its validity period), also check the expiration date of the CA's certificate (root.pem), not only the server's. In my case, I tried to set the expiration time 100 years in the future, which resulted in a point of time in the past, possibly due to a number overflow. A likely cause: on systems with a 32-bit time_t, dates after January 2038 wrap around, so a -days value that reaches past that year produces exactly this symptom.
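As an added example (not code from this page or from the rtfm.com examples), the four CA.sh steps above done with plain openssl commands, followed by the check the final note recommends: a function that looks at the expiry of both the CA certificate and the server certificate, so a server certificate that is still valid but hangs off an expired CA is reported as such. Assumed here and not taken from the page: openssl in PATH, the passphrase 'password' for the server key as the examples expect, a made-up CA passphrase 'capass' and CA subject 'Test CA', and the function names make_test_pki, cert_cn and check_chain, which are mine.

```shell
#!/bin/sh
# Added example, not from the original page: the CA.sh steps done with plain
# openssl commands, plus an expiry check that covers the CA as well as the leaf.
# Assumptions (mine): openssl in PATH; server key passphrase "password" as the
# rtfm.com examples expect; CA passphrase "capass" and CA subject "Test CA"
# are made up for this example.
set -eu

# Steps 1-4 in one go. Usage: make_test_pki DIR [COMMON_NAME] [CA_DAYS] [LEAF_DAYS]
# Produces DIR/root.pem (CA cert), DIR/newkey.pem, DIR/newreq.pem, DIR/newcert.pem,
# DIR/<CN>.pem (key + cert) and the server.pem / client.pem symlinks the examples load.
make_test_pki() {
    dir=$1; cn=${2:-localhost}; ca_days=${3:-3650}; leaf_days=${4:-365}
    mkdir -p "$dir"
    # Step 1: self-signed CA; the CA key is encrypted, as with CA.sh -newca.
    openssl req -x509 -newkey rsa:2048 -sha256 -days "$ca_days" \
        -subj "/CN=Test CA" -passout pass:capass \
        -keyout "$dir/cakey.pem" -out "$dir/root.pem" 2>/dev/null
    # Step 2: server key (encrypted with "password") and a CSR whose CN is $cn.
    openssl req -new -newkey rsa:2048 -sha256 -passout pass:password \
        -subj "/CN=$cn" -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    # Step 3: sign the CSR with the CA key.
    openssl x509 -req -days "$leaf_days" -sha256 -in "$dir/newreq.pem" \
        -CA "$dir/root.pem" -CAkey "$dir/cakey.pem" -passin pass:capass \
        -CAcreateserial -out "$dir/newcert.pem" 2>/dev/null
    # Step 4: one PEM file holding key and certificate, linked under both names.
    cat "$dir/newkey.pem" "$dir/newcert.pem" > "$dir/$cn.pem"
    ln -sf "$cn.pem" "$dir/server.pem"
    ln -sf "$cn.pem" "$dir/client.pem"
}

# Print the Common Name of a certificate (the field the example client compares).
# Handles both the "subject=CN = x" and the older "subject= /CN=x" output styles.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# The check from the final note. Usage: check_chain DIR [SECONDS_AHEAD]
# Prints "ca-expired", "leaf-expired" or "ok" and fails unless ok. SECONDS_AHEAD
# (default 0) asks "will anything in the chain be expired N seconds from now?",
# which is also a cheap way to exercise the expired branches without waiting.
check_chain() {
    dir=$1; ahead=${2:-0}
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$dir/root.pem" -noout -checkend "$ahead" >/dev/null; then
        echo ca-expired; return 1
    fi
    if ! openssl x509 -in "$dir/newcert.pem" -noout -checkend "$ahead" >/dev/null; then
        echo leaf-expired; return 1
    fi
    # Dates are fine; now verify the signature chain the way the client does.
    openssl verify -CAfile "$dir/root.pem" "$dir/newcert.pem" >/dev/null 2>&1 && echo ok
}

# Stand-alone run: a CA valid ten years and a localhost certificate valid one year.
if [ "${1:-}" = "run" ]; then
    make_test_pki "${2:-./testpki}"
    echo "CN: $(cert_cn "${2:-./testpki}/newcert.pem")"
    check_chain "${2:-./testpki}"
fi
```

Saved as a script and started with the argument run, it builds the test PKI in ./testpki (or the directory given as the second argument) and reports the chain state. Only the Common Name is set because that is what the rtfm.com client compares; modern TLS clients ignore the CN and require a subjectAltName, which this minimal chain does not carry.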
