1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
|
\chapter{Included programs}
\section{The ``srptool'' program\index{srptool}}
\label{srptool}
The ``srptool'' is a very simple program that emulates the programs in the
\emph{Stanford SRP libraries}.
It is intended for use in places where you don't expect SRP
authentication to be the used for system users.
Traditionally \emph{libsrp} used two files. One called 'tpasswd' which holds usernames
and verifiers, and 'tpasswd.conf' which holds generators and primes.
\par
How to use srptool:
\begin{itemize}
\item To create tpasswd.conf which holds the g and n values for
SRP protocol (generator and a large prime), run:
\begin{verbatim}
$ srptool --create-conf /etc/tpasswd.conf
\end{verbatim}
\item This command will create /etc/tpasswd and will add user 'test' (you will also
be prompted for a password). Verifiers are stored by default in the
way libsrp expects.
\begin{verbatim}
$ srptool --passwd /etc/tpasswd \
--passwd-conf /etc/tpasswd.conf -u test
\end{verbatim}
\item This command will check against a password. If the password matches
the one in /etc/tpasswd you will get an ok.
\begin{verbatim}
$ srptool --passwd /etc/tpasswd \
--passwd-conf /etc/tpasswd.conf --verify -u test
\end{verbatim}
\end{itemize}
\section{The ``gnutls-cli-debug'' program\index{gnutls-cli-debug}}
This program was created to assist in debugging \gnutls{}, but it
might be useful to extract a \tls{} server's capabilities.
It's purpose is to connect onto a \tls{} server, perform
some tests and print the server's capabilities. An example output is:
\begin{verbatim}
crystal:/cvs/gnutls/src$ ./gnutls-cli-debug localhost -p 5556
Resolving 'localhost'...
Connecting to '127.0.0.1:5556'...
Checking for TLS 1.0 support... yes
Checking for SSL 3.0 support... yes
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
Checking whether we need to disable TLS 1.0... no
Checking whether the server ignores the RSA PMS version... no
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... yes
Checking for certificate information...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
# valid since: Sat Jul 7 13:18:00 EEST 2001
# expires at: Sun Jul 7 13:18:00 EEST 2002
# serial number: 01
# fingerprint: 43 ab a2 a7 d3 6a 28 02 60 73 b4 a5 c3 84 0a 3f
# version: #3
# public key algorithm: RSA
# Modulus: 1024 bits
# Subject's DN: C=GR,ST=Attiki,L=Athina,O=GNUTLS,OU=GNUTLS dev.,CN=localhost,EMAIL=root@localhost
# Issuer's DN: C=GR,ST=Attiki,L=Athina,O=GNUTLS,OU=GNUTLS dev.,CN=GNUTLS TEST CA,EMAIL=gnutls-dev@gnupg.org
Checking for trusted CAs...
- Server's trusted authorities:
[0]: C=GR,ST=Attiki,L=Athina,O=GNUTLS,OU=GNUTLS dev.,CN=GNUTLS TEST CA,EMAIL=gnutls-dev@gnupg.org
Checking whether the server understands TLS closure alerts... yes
Checking whether the server supports session resumption... no
Checking for export-grade ciphersuite support... no
Checking for ephemeral Diffie Hellman support... no
Checking for ephemeral Diffie Hellman prime size... N/A
Checking for AES cipher support... yes
Checking for 3DES cipher support... yes
Checking for ARCFOUR cipher support... yes
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
Checking for max record size (TLS extension)... yes
Checking for OpenPGP authentication support (TLS extension)... no
\end{verbatim}
\section{The ``certtool'' program\index{certtool}}
This is a program to generate X.509 certificates, certificate requests, CRLs and
private keys. The program can be used interactively or non interactively by
specifying the \emph{--template} command line option. See \emph{doc/certtool.cfg},
in the distribution, for an example of a template file.
How to use certtool interactively:
\begin{itemize}
\item To create a self signed certificate, use the command:
\begin{verbatim}
$ certtool --generate-privkey --outfile ca-key.pem
$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem
\end{verbatim}
Note that a self-signed certificate usually belongs to a certificate
authority, that signs other certificates.
\item To create a private key, run:
\begin{verbatim}
$ certtool --generate-privkey --outfile key.pem
\end{verbatim}
\item To create a certificate request, run:
\begin{verbatim}
$ certtool --generate-request --load-privkey key.pem --outfile request.pem
\end{verbatim}
\item To generate a certificate using the previous request, use the command:
\begin{verbatim}
$ certtool --generate-certificate --load-request request.pem --outfile cert.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
\end{verbatim}
\item To view the certificate information, use:
\begin{verbatim}
$ certtool --certificate-info --infile cert.pem
\end{verbatim}
\item To generate a PKCS \#12 structure using the previous key and certificate, use the command:
\begin{verbatim}
$ certtool --load-certificate cert.pem --load-privkey key.pem --to-p12 \
--outder --outfile key.p12
\end{verbatim}
\end{itemize}
\par
Certtool's template file format:
\begin{itemize}
\item Firstly create a file named 'cert.cfg' that contains the information
about the certificate. An example file is listed below.
\item Then execute
\begin{verbatim}
$ certtool --generate-certificate cert.pem --load-privkey key.pem \
--template cert.cfg \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
\end{verbatim}
\end{itemize}
\par
An example certtool template file:
\begin{verbatim}
# X.509 Certificate options
#
# DN options
# The organization of the subject.
organization = "Koko inc."
# The organizational unit of the subject.
unit = "sleeping dept."
# The locality of the subject.
# locality =
# The state of the certificate owner.
state = "Attiki"
# The country of the subject. Two letter code.
country = GR
# The common name of the certificate owner.
cn = "Cindy Lauper"
# A user id of the certificate owner.
#uid = "clauper"
# If the supported DN OIDs are not adequate you can set
# any OID here.
# For example set the X.520 Title and the X.520 Pseudonym
# by using OID and string pairs.
#dn_oid = "2.5.4.12" "Dr." "2.5.4.65" "jackal"
# This is deprecated and should not be used in new
# certificates.
# pkcs9_email = "none@none.org"
# The serial number of the certificate
serial = 007
# In how many days, counting from today, this certificate will expire.
expiration_days = 700
# X.509 v3 extensions
# A dnsname in case of a WWW server.
#dns_name = "www.none.org"
# An IP address in case of a server.
#ip_address = "192.168.1.1"
# An email in case of a person
email = "none@none.org"
# An URL that has CRLs (certificate revocation lists)
# available. Needed in CA certificates.
#crl_dist_points = "http://www.getcrl.crl/getcrl/"
# Whether this is a CA certificate or not
#ca
# Whether this certificate will be used for a TLS client
#tls_www_client
# Whether this certificate will be used for a TLS server
#tls_www_server
# Whether this certificate will be used to sign data (needed
# in TLS DHE ciphersuites).
signing_key
# Whether this certificate will be used to encrypt data (needed
# in TLS RSA ciphersuites). Note that it is prefered to use different
# keys for encryption and signing.
#encryption_key
# Whether this key will be used to sign other certificates.
#cert_signing_key
# Whether this key will be used to sign CRLs.
#crl_signing_key
# Whether this key will be used to sign code.
#code_signing_key
# Whether this key will be used to sign OCSP data.
#ocsp_signing_key
# Whether this key will be used for time stamping.
#time_stamping_key
\end{verbatim}
|