Comments on sysadvent: Day 3 - Debugging SSL/TLS With openssl(1)
Blog author: Jordan Sissel (http://www.blogger.com/profile/13694925032675599790)

Anonymous, 2012-06-19 10:42:
I've worked on a few servers that have had major issues with their SSL management; they should hire someone like you or employ SSL certificate consultants (https://www.ssl247.co.uk/ssl-certificates) to sort it out. The average qualified server engineer that I've come across doesn't have a clue about this stuff.

Unknown, 2012-04-06 13:53:
This was an awesomely written and thorough post which fixed my SSL issue for me. Thanks much, tell me if I can send you some beer money!

Phil P, 2011-01-12 02:58:
For non-HTTP SSL/TLS debugging, I often need to use STARTTLS, and for that I quite like "gnutls-cli" instead of OpenSSL.
Given the --starttls option, gnutls-cli will pass through text normally, like netcat, until you send EOF (Ctrl-D), at which point it starts TLS negotiation.

For most protocols, this helps:

    function starttls { gnutls-cli --x509cafile /etc/ssl/cert.pem --starttls --crlf "$@"; }

Downside is that it doesn't support a capath-style directory containing CA certs, so you need a bundle file.

Anonymous, 2010-12-05 17:38:
This one works remarkably well:

"Hosting multiple SSL vhosts on a single IP/Port/Certificate with Apache2"
http://blog.revolunet.com/index.php/reseau/administration/hosting-multiple-ssl-vhosts-on-a-single-ipportcertificate-with-apache2

We use it in combination with SimpleProxy forwarding HTTPS to the webserver(s), while ignoring the Apache reverse and caching proxy.

Brandon Bowman, 2010-12-03 22:59:
This is great, definitely cribbing for the work wiki :)

Unknown, 2010-12-03 16:12:
Regarding not being able to set up SSL on name-based vhosts: have you experimented with SNI (Server Name Indication)?

https://secure.wikimedia.org/wikipedia/en/wiki/Server_Name_Indication
http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Mark Carey, 2010-12-03 10:29:
I've found this site to have some great walkthroughs for certificates:
http://gagravarr.org/writing/openssl-certs/index.shtml

It was particularly helpful when I needed to know how to generate the hashed link to the cert for installing a self-signed CA into openssl.

Hinnerk, 2010-12-03 09:50:
There's another, better engineered way to get multiple ssl-vhosts on one IP: SNI

To find out more go to http://en.wikipedia.org/wiki/Server_Name_Indication#The_fix
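Two of the comments above touch the same practical problem: Mark Carey needed the hashed symlink name that lets openssl find a self-signed CA in a -CApath directory, and Phil P notes that gnutls-cli cannot use such a directory and wants a single bundle file instead. The script below is an added example (not code from the post or from any commenter) that does both by hand for a throwaway test CA: it generates the CA and a leaf certificate, installs the CA under the <subject_hash>.N name that openssl's directory lookup expects (the same thing c_rehash automates), builds the equivalent bundle file, and verifies the leaf against each. Every path, subject name and the temporary working directory are constructed for the demo and are not from the original page; it assumes an OpenSSL 1.1.0 or later binary on PATH (for the -no-CAfile / -no-CApath verify options).

```sh
#!/bin/sh
# Added example (not from the post or its commenters): build an OpenSSL
# -CApath directory from a self-signed CA by hand, using the <subject_hash>.N
# symlink name that openssl's directory lookup expects, and build the
# equivalent single bundle file that tools like gnutls-cli --x509cafile need.
# The CA, the leaf cert and all paths are constructed for the demo.
set -eu

# make_ca DIR: self-signed test CA (key + cert) written to DIR
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# make_leaf DIR: server key + CSR, signed by the CA in DIR -> DIR/leaf.pem
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=mail.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$1/leaf.pem" 2>/dev/null
}

# capath_link CERT DIR: install CERT into DIR as <subject_hash>.N, the name
# openssl -CApath looks up (this is what c_rehash does). N starts at 0 and is
# bumped when a cert with the same subject hash is already installed, because
# the lookup tries .0, .1, .2 ... in turn. Prints the link name created.
capath_link() {
    cert="$1"; dir="$2"
    mkdir -p "$dir"
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    abs="$(cd "$(dirname "$cert")" && pwd)/$(basename "$cert")"
    ln -s "$abs" "$dir/$hash.$n"
    printf '%s\n' "$hash.$n"
}

# make_bundle OUT CERT...: concatenate CA certs into one PEM bundle file,
# the form gnutls-cli --x509cafile (and openssl -CAfile) consumes
make_bundle() {
    out="$1"; shift
    cat "$@" > "$out"
}

# verify_with_capath LEAF DIR: exit 0 if LEAF chains to a CA found via the hash links
verify_with_capath() {
    openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1
}

# verify_with_bundle LEAF FILE: exit 0 if LEAF chains to a CA in the bundle file
verify_with_bundle() {
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d)
    make_ca "$work"
    make_leaf "$work"
    link=$(capath_link "$work/ca.pem" "$work/capath")
    echo "CA installed as $work/capath/$link"
    make_bundle "$work/bundle.pem" "$work/ca.pem"
    if verify_with_capath "$work/leaf.pem" "$work/capath"; then
        echo "verify via -CApath: OK"
    fi
    if verify_with_bundle "$work/leaf.pem" "$work/bundle.pem"; then
        echo "verify via -CAfile bundle: OK"
    fi
    # a directory with no hash link for the CA must fail: the link name is the lookup key
    mkdir -p "$work/empty"
    if ! verify_with_capath "$work/leaf.pem" "$work/empty"; then
        echo "verify via empty -CApath: fails as expected"
    fi
}

demo
```

The check with an empty directory is the one worth keeping in mind when a -CApath "mysteriously" does not work: openssl never scans the directory, it only opens files named by the subject hash, so a CA copied in under its original file name is invisible until the hash link exists. The same hash-then-suffix logic is what you repeat when two CAs share a subject hash, which is why the loop does not stop at .0.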