Differences between revisions 10 and 16 (spanning 6 versions)
Revision 10 as of 2023-04-06 16:38:03
Size: 1700
Editor: DominicRicottone
Comment:
Revision 16 as of 2023-06-21 09:01:26
Size: 2146
Editor: DominicRicottone
Comment:
Deletions are marked like this. Additions are marked like this.
Line 6: Line 6:

----



== Installation ==

Most [[Linux]] and [[BSD]] distributions offer an `openssl` package.
Line 42: Line 50:
For details on how to use this configuration, see the following articles for [[NGINX/SSL|NGINX]]. For details on how to use this configuration, see the following articles for [[Nginx/Encryption|Nginx]].

----



== Encrypted Telnet ==

To test an encrypted connection as with [[Telnet#SMTP|telnet(1)]], try:

{{{
openssl s_client -starttls smtp -connect mail.example.com:587

openssl s_client -connect -connect mail.example.com:465
}}}
Line 56: Line 78:
[[Encryption/SSL|SSL]]

[[Encryption/TLS|TLS]]
Line 57: Line 83:

[[Encryption/Quictls|Quictls]]

OpenSSL

OpenSSL provides the cryptographic libraries libcrypto (crypto(7ssl)) and libssl (ssl(7ssl)), as well as the utility openssl(1ssl).

Contents

  1. OpenSSL
    1. Installation
    2. Certificates
      1. Usage
    3. Diffie-Hellman Parameters
    4. Encrypted Telnet
    5. See also

Installation

Most Linux and BSD distributions offer an openssl package.

Certificates

It is highly recommended to not use openssl(1ssl)-generated certificates for web encryption. Clients have no reason to trust a self-signed certificate unless you

  1. operate your own certificate authority (strongly not recommended)

  2. configure all client machines

Usage

To generate a certificate and private key simultaneously, try: 

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /path/to/domain-name.com/key.pem -out /path/to/domain-name.com/cert.pem

Diffie-Hellman Parameters

ssl(7ssl) defaults to 1024-bit keys, which lags behind the modern standard of 2048-bits. This is a particular problem for software that defer cryptographic decisions to ssl(7ssl) at runtime, such as nginx(8). One of the most common cryptographic decisions that is affected by this situation is the selection of parameters for Diffie-Hellman key exchanges.

To generate a stronger configuration, try: 

openssl dhparam -out /path/to/dhparam.pem 4096

For details on how to use this configuration, see the following articles for Nginx.

Encrypted Telnet

To test an encrypted connection as with telnet(1), try: 

openssl s_client -starttls smtp -connect mail.example.com:587

openssl s_client -connect -connect mail.example.com:465

See also

openssl(1ssl)

crypto(7ssl)

ssl(7ssl)

SSL

TLS

LibreSSL

Quictls

CategoryRicottone

Encryption/OpenSSL (last edited 2023-06-21 09:01:26 by DominicRicottone)