cryptography
Differences

This shows you the differences between two versions of the page.


cryptography [2023/07/02 10:46] – [GT-AX6000 Broadcom] Jan Forman
Line 1: Line 1:
 +====== Generate CA + certificate ======
  
 +<code>
 +openssl genrsa -out rootCAKey.pem 2048
 +openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 7300 -out rootCACert.pem
 +openssl x509 -in rootCACert.pem -text
 +openssl x509 -outform der -in rootCACert.pem -out rootCACert.crt
 +
 +-- generate server cert
 +openssl genrsa -out ServerKey.pem 2048
 +openssl req -new -sha256 -nodes \
 +  -key ServerKey.pem -out ServerRequest.csr -reqexts san -config \
 +  <(echo "[req]"; 
 +    echo distinguished_name=req; 
 +    echo "[san]"; 
 +    echo "subjectAltName=DNS:example.com,DNS:www.example.net,IP:10.0.0.1"
 +    ) \
 +  -subj "/CN=example.com"
 +printf "[san]\nsubjectAltName = DNS:example.com,DNS:www.example.net,IP:10.0.0.1\n" >v3.ext
 +openssl x509 -req -sha256 -in ServerRequest.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out ServerCert.pem -days 3650 -extfile v3.ext -extensions san
 +openssl pkcs12 -export -out cert.pfx -inkey ServerKey.pem -in ServerCert.pem -certfile rootCACert.pem
 +</code>
 +
 +Show certificate request <code>openssl req -in ServerRequest.csr -noout -text</code>
 +
 +
 +====== Check TLS ======
 +<code>nmap --script ssl-enum-ciphers janforman.com -p 443</code>
 +
 +====== Prefer PolyChacha in TLS 1.3 ======
 +
 +add in /etc/ssl/openssl.conf or /etc/crypto-policies/back-ends/opensslcnf.config
 +<code>
 +openssl_conf = default_conf
 +
 +[default_conf]
 +ssl_conf = ssl_sect
 +
 +[ssl_sect]
 +system_default = system_default_sect
 +
 +[system_default_sect]
 +Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_256_GCM_SHA384
 +Options = ServerPreference
 +</code>
 +
 +====== PuTTY CAC ======
 +PuTTY CAC is a fork of the PuTTY, a popular Secure Shell (SSH) terminal. PuTTY CAC adds the ability to use the Windows Certificate API (CAPI) or a Public Key Cryptography Standards (PKCS) library to perform SSH public key authentication using a private key associated with a certificate that is stored on a hardware token.
 +
 +[[https://github.com/NoMoreFood/putty-cac/releases/|Download]]
 +
 +===== SSH generate key =====
 +<code>ssh-keygen -t ecdsa -b 384 -m PEM -C "Comment" -f ./key.pem</code>
 +
 +<code>openssl req -key ./key.pem -new -nodes -x509 -days 365 -out key_certificate.pem</code>
 +
 +<code>openssl pkcs12 -export -inkey key.pem -in key_certificate.pem -out key.p12</code>
 +
 +===== PuTTY Key Generator =====
 +
 +====== Cert Identity Search ======
 +https://crt.sh/
 +
 +====== OpenSSL conf ======
 +CentOS location
 +<code>/etc/pki/tls/openssl.conf</code>
 +
 +
 +====== PGP Keyserver ======
 +[[https://keyserver.pgp.com/vkd/GetWelcomeScreen.event]]
 +
 +===== Hardware Acceleration =====
 +Check if AES-NI is enabled
 +<code>grep -m1 -o aes /proc/cpuinfo</code>
 +
 +Check speed
 +<code>
 +openssl speed aes-128-cbc
 +openssl speed -evp aes-128-cbc
 +openssl speed -evp chacha20
 +
 +</code>
 +
 +===== Check OpenSSL throughput =====
 +<code>dd if=/dev/zero count=100 bs=1M | ssh -c aes128-cbc localhost "cat >/dev/null"</code>
 +
 +===== Performance remarks =====
 +^Decrypting a 1MB file on the Galaxy Nexus (OMAP 4460 chip)^^
 +| AES-128-GCM |        41.6ms |
 +| ChaCha20-Poly1305 |  13.2ms |
 +
 +AES128 vs AES256 1.38x faster\\
 +AES128 faster on desktop due to AES-NI HW Acceleration
 +AES-NI is between 4-8x the performance of AES\\
 +ChaCha20-Poly1305 faster on mobile phones or slower HW
 +
 +==== AWS Graviton2 performance ====
 +| AES 128bit GCM | 2482MB/s |
 +| AES 256bit GCM | 2014MB/s |
 +| ChaCha20-Poly1305 | 731MB/s |
 +==== GT-AX6000 Broadcom ====
 +| AES 128bit GCM | 783MB/s |
 +| AES 256bit GCM | 673MB/s |
 +| ChaCha20-Poly1305 | 297MB/s |
 +==== RaspberryPI 4 Broadcom ====
 +| AES 128bit GCM | 783MB/s |
 +| AES 256bit GCM | 673MB/s |
 +| ChaCha20-Poly1305 | 297MB/s |
 +
 +===== OpenSSL Cipher list =====
 +<code>
 +# openssl ciphers | sed 's/\:/\n/gi'
 +</code>
 +
 +===== OpenSSL Performance test =====
 +<code># openssl speed md5 sha1 sha256 sha512 des des-ede3 aes-128-cbc aes-192-cbc aes-256-cbc rsa2048 dsa2048</code>
 +
 +===== My preferred string for now =====
 +Functional with HTTP/2 protocol
 +<code>ssl_session_timeout 4h;
 +ssl_session_cache shared:SSL:40M;
 +ssl_protocols TLSv1.2 TLSv1.3;
 +ssl_prefer_server_ciphers on;
 +ssl_ciphers !aNULL:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
 +add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";</code>
 +
 +===== Test StartTLS =====
 +<code>
 +openssl s_client -connect ip:21 -starttls ftp -showcerts
 +openssl s_client -connect ip:25 -starttls smtp -showcerts
 +</code>
 +
 +===== Encrypt tar with password =====
 +
 +Compress and encrypt
 +<code>tar cvfz - * | openssl enc -e -aes128 -out secured.tar.gz</code>
 +
 +Decrypt and decompress
 +<code>openssl enc -d -aes128 -in secured.tar.gz | tar xvz -C test</code>
 +
 +===== Install additional CA in CentOS / Redhat =====
 +<code>
 +place CA here -> /etc/pki/tls/certs/cert.pem
 +yum install /usr/bin/c_rehash
 +c_rehash
 +</code>
 +
 +===== Self signed certificate + altname =====
 +<code>
 +set -e
 +
 +if [ -z "$1" ]; then
 +  hostname="$HOSTNAME"
 +else
 +  hostname="$1"
 +fi
 +
 +local_openssl_config="
 +[ req ]
 +prompt = no
 +distinguished_name = req_distinguished_name
 +x509_extensions = san_self_signed
 +[ req_distinguished_name ]
 +CN=$hostname
 +[ san_self_signed ]
 +subjectAltName = DNS:$hostname, DNS:localhost
 +subjectKeyIdentifier = hash
 +authorityKeyIdentifier = keyid:always,issuer
 +basicConstraints = CA:true
 +keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
 +extendedKeyUsage = serverAuth, clientAuth, timeStamping
 +"
 +
 +openssl req \
 +  -newkey rsa:2048 -nodes \
 +  -keyout "$hostname.key.pem" \
 +  -x509 -sha256 -days 3650 \
 +  -config <(echo "$local_openssl_config") \
 +  -out "$hostname.cert.pem"
 +openssl x509 -noout -text -in "$hostname.cert.pem"
 +</code>
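Review bot: In "Encrypt tar with password", both "openssl enc" commands take a password but pass neither -pbkdf2 nor -iter, so the key comes from OpenSSL's legacy single-pass derivation, and -aes128 (CBC) gives no integrity check when decrypting; suggest "openssl enc -e -aes-128-cbc -pbkdf2 -iter <count> -out secured.tar.gz" with the matching options on the decrypt line, or a tool that does authenticated encryption. In "Self signed certificate + altname" the one certificate carries "basicConstraints = CA:true", "keyCertSign" and "serverAuth" together, so a client that trusts it for a single host also accepts anything its key signs; a leaf with CA:false issued from the root CA built in "Generate CA + certificate" avoids that. Smaller points: "/etc/ssl/openssl.conf" and "/etc/pki/tls/openssl.conf" should read openssl.cnf; "-- generate server cert" inside the first code block is not a shell comment and will fail if pasted (use "#"); "place CA here -> ..." in the CentOS block is likewise an instruction, not a command; "Check OpenSSL throughput" actually measures an ssh cipher; and the "RaspberryPI 4 Broadcom" table repeats the GT-AX6000 figures line for line, which looks like a paste that was never updated.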
cryptography.txt · Last modified: 2023/07/02 10:48 by Jan Forman