openssl.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>OpenSSL</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Security" href="security.html" />
<link rel="PREVIOUS" title="Firewalls" href="firewalls.html" />
<link rel="NEXT" title="VPN over IPsec" href="ipsec.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="firewalls.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 14 Security</td>
<td width="10%" align="right" valign="bottom"><a href="ipsec.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="OPENSSL" name="OPENSSL">14.10 OpenSSL</a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Written by:</span> Tom Rhodes.</i> 

<p>One feature that many users overlook is the <b class="APPLICATION">OpenSSL</b> toolkit
included in FreeBSD. <b class="APPLICATION">OpenSSL</b> provides an encryption transport
layer on top of the normal communications layer; thus allowing it to be intertwined with
many network applications and services.</p>

<p>Some uses of <b class="APPLICATION">OpenSSL</b> may include encrypted authentication
of mail clients, web based transactions such as credit card payments and more. Many ports
such as <a href="http://www.FreeBSD.org/cgi/url.cgi?ports/www/apache13-ssl/pkg-descr"><tt
class="FILENAME">www/apache13-ssl</tt></a>, and <a
href="http://www.FreeBSD.org/cgi/url.cgi?ports/mail/sylpheed-claws/pkg-descr"><tt
class="FILENAME">mail/sylpheed-claws</tt></a> will offer compilation support for building
with <b class="APPLICATION">OpenSSL</b>.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> In most cases the ports collection will attempt to build the <a
href="http://www.FreeBSD.org/cgi/url.cgi?ports/security/openssl/pkg-descr"><tt
class="FILENAME">security/openssl</tt></a> unless the <tt
class="MAKEVAR">WITH_OPENSSL_BASE</tt> make variable is explicitly set to ``yes''.</p>
</blockquote>
</div>

<p>The version of <b class="APPLICATION">OpenSSL</b> included in FreeBSD supports Secure
Sockets Layer v2/v3 (SSLv2/SSLv3), Transport Layer Security v1 (TLSv1) network security
protocols and can be used as a general cryptographic library for use with
applications.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> While <b class="APPLICATION">OpenSSL</b> supports the <acronym
class="ACRONYM">IDEA</acronym> algorithm, it is disabled by default due to United States
patents. To use it, the license should be reviewed and, if the restrictions are
acceptable, the <tt class="MAKEVAR">MAKE_IDEA</tt> variable must be set in <tt
class="FILENAME">make.conf</tt>.</p>
</blockquote>
</div>

<p>Perhaps one of the most common uses of <b class="APPLICATION">OpenSSL</b> provide
certificates for use with software applications. These certificates ensure that the
credentials of the company or individual is valid and are not fraudulent. If the
certificate in question has not been verified by one of the several Certificate
Authorities, or <acronym class="ACRONYM">CA</acronym>s, a warning is usually produced. A
Certificate Authority is a company, such as VeriSign, who will sign certificates in order
to validate credentials of individuals or companies. This process has a cost associated
with it and is definitely not a requirement for using certificates; however, it can put
some of the more paranoid users at ease.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN20850" name="AEN20850">14.10.1 Generating
Certificates</a></h2>

<p>To generate a certificate, the following command is available:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">openssl req -new -nodes -out req.pem -keyout cert.pem</kbd>
Generating a 1024 bit RSA private key
................++++++
.......................................++++++
writing new private key to 'cert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<kbd class="USERINPUT"><var
class="REPLACEABLE">US</var></kbd>
State or Province Name (full name) [Some-State]:<kbd class="USERINPUT"><var
class="REPLACEABLE">PA</var></kbd>
Locality Name (eg, city) []:<kbd class="USERINPUT"><var
class="REPLACEABLE">Pittsburgh</var></kbd>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<kbd class="USERINPUT"><var
class="REPLACEABLE">My Company</var></kbd>
Organizational Unit Name (eg, section) []:<kbd class="USERINPUT"><var
class="REPLACEABLE">Systems Administrator</var></kbd>
Common Name (eg, YOUR name) []:<kbd class="USERINPUT"><var
class="REPLACEABLE">localhost.example.org</var></kbd>
Email Address []:<kbd class="USERINPUT"><var
class="REPLACEABLE">trhodes@FreeBSD.org</var></kbd>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<kbd class="USERINPUT"><var
class="REPLACEABLE">SOME PASSWORD</var></kbd>
An optional company name []:<kbd class="USERINPUT"><var
class="REPLACEABLE">Another Name</var></kbd>
</pre>

<p>Notice the response directly after the ``Common Name'' prompt shows a domain name.
This prompt requires a server name to be entered for verification purposes; placing
anything but a domain name would yield a useless certificate. Other options for instance
expire time, alternate encryption algorithms, etc. are available. A complete list may be
obtained by viewing the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=openssl&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">openssl</span>(1)</span></a> manual
page.</p>

<p>A file, <tt class="FILENAME">cert.pem</tt> should now exist in the directory which the
aforementioned command was issued. This is the certificate which may be sent to any one
of the many <acronym class="ACRONYM">CA</acronym>s for signing.</p>

<p>In cases where a signature from a <acronym class="ACRONYM">CA</acronym> is not
required, a self signed certificate can be created. First, generate the <acronym
class="ACRONYM">CA</acronym> key:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">openssl gendsa -des3 -out \
<tt class="FILENAME">myca.key</tt> 1024</kbd>
</pre>

<p>Use this key to create the certificate:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">openssl req -new -x509 -days 365 -key \
<tt class="FILENAME">myca.key</tt> -out <tt class="FILENAME">new.crt</tt></kbd>
</pre>

<p>Two new files should appear in the directory: a certificate authority signature file,
<tt class="FILENAME">myca.key</tt> and the certificate itself, <tt
class="FILENAME">new.crt</tt>. These should be placed in a directory, preferably under
<tt class="FILENAME">/etc</tt>, which is readable only by <tt class="USERNAME">root</tt>.
Permissions of 0600 should be fine for this and they can be set with the <tt
class="COMMAND">chmod</tt> utility.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN20904" name="AEN20904">14.10.2 Using Certificates, an
Example</a></h2>

<p>So what can these files do? A good use would be to encrypt connections to the <b
class="APPLICATION">Sendmail</b> <acronym class="ACRONYM">MTA</acronym>. This would
dissolve the use of clear text authentication for users who send mail via the local
<acronym class="ACRONYM">MTA</acronym>.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> This is not the best use in the world as some <acronym
class="ACRONYM">MUA</acronym>s will present the user with an error if they have not
installed the certificate locally. Refer to the documentation included with the software
for more information on certificate installation.</p>
</blockquote>
</div>

<p>The following lines should be placed inside the local <tt class="FILENAME">.mc</tt>
file:</p>

<pre class="PROGRAMLISTING">
dnl SSL Options
define(`confCACERT_PATH',`/etc/certs')dnl
define(`confCACERT',`/etc/certs/new.crt')dnl
define(`confSERVER_CERT',`/etc/certs/new.crt')dnl
define(`confSERVER_KEY',`/etc/certs/myca.key')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl
</pre>

<p>Where <tt class="FILENAME">/etc/certs/</tt> is the directory to be used for storing
the certificate and key files locally. The last few requirements are a rebuild of the
local <tt class="FILENAME">.cf</tt> file. This is easily achieved by typing <tt
class="COMMAND">make</tt> <var class="PARAMETER">install</var> within the <tt
class="FILENAME">/etc/mail</tt> directory. Follow that up with <tt
class="COMMAND">make</tt> <var class="PARAMETER">restart</var> which should start the <b
class="APPLICATION">Sendmail</b> daemon.</p>

<p>If all went well there will be no error messages in the <tt
class="FILENAME">/var/log/maillog</tt> file and <b class="APPLICATION">Sendmail</b> will
show up in the process list.</p>

<p>For a simple test, simply connect to the mail server using the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=telnet&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">telnet</span>(1)</span></a> utility:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">telnet <var
class="REPLACEABLE">example.com</var> 25</kbd>
Trying 192.0.34.166...
Connected to <tt class="HOSTID">example.com</tt>.
Escape character is '^]'.
220 <tt
class="HOSTID">example.com</tt> ESMTP Sendmail 8.12.10/8.12.10; Tue, 31 Aug 2004 03:41:22 -0400 (EDT)
<kbd class="USERINPUT">ehlo <var class="REPLACEABLE">example.com</var></kbd>
250-example.com Hello example.com [192.0.34.166], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
<kbd class="USERINPUT">quit</kbd>
221 2.0.0 <tt class="HOSTID">example.com</tt> closing connection
Connection closed by foreign host.
</pre>

<p>If the ``STARTTLS'' line appears in the output then everything is working
correctly.</p>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="firewalls.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="ipsec.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Firewalls</td>
<td width="34%" align="center" valign="top"><a href="security.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">VPN over IPsec</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>