Thursday, September 5, 2024

mutual ssl client server

To test mutual SSL (two-way SSL)
authentication using curl, you need to set up a server that requires client certificates for access, and then use curl to make
requests to this server with the appropriate client certificate.

Here’s a step-by-step guide for setting up and
testing mutual SSL with curl:

1. Generate Certificates

If you haven’t already, you need to generate the necessary certificates. Here’s a brief overview:

    a. Create a CA (Certificate Authority):

    bash

    # Generate CA private key                                                 
        openssl genpkey -algorithm RSA -out ca.key                            
    # Generate CA certificate                                                 
       openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt
    b. Generate a server certificate:   

# Generate server private key                                                                                   
     openssl genpkey -algorithm RSA -out server.key                                                             
# Generate server CSR                                                                                           
    openssl req -new -key server.key -out server.csr                                                            
# Sign the server CSR with the CA certificate                                                                   
     openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256


c. Generate a client certificate:

bash                                                                                                      
# Generate client private key                                                                             
openssl genpkey -algorithm RSA -out client.key                                                            # Generate client CSR
openssl req -new -key client.key -out client.csr                                                          
# Sign the client CSR with the CA certificate                                                     
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256

2. Set Up the Server

For this example, let’s assume you’re using an Nginx server. Configure it to use mutual SSL:

Nginx configuration (e.g., /etc/nginx/nginx.conf or a server block configuration file):

nginx
 

bash
For this example, let’s assume you’re using an Nginx server. Configure it to use mutual SSL:

Nginx configuration (e.g., /etc/nginx/nginx.conf or a server block configuration file):
nginx                                                              
server {                                                           
     listen 443 ssl;                                               
    # Path to your server certificate and private key              
    ssl_certificate /etc/ssl/certs/server.crt;                     
     ssl_certificate_key /etc/ssl/private/server.key;              
   # Path to CA certificate for verifying client certificates      
    ssl_client_certificate /etc/ssl/certs/ca.crt;                  
    ssl_verify_client on;                                          
   location / {                                                    
     root /usr/share/nginx/html;                                   
     index index.html index.htm;                                   
    }                                                              
 }                                                                 
After updating the configuration, restart Nginx:

sudo systemctl restart nginx

Configure Apache

 a. Copy Certificates to Apache Directories:

Place your certificates and keys in a secure directory, for example:

bash

sudo cp server.crt /etc/ssl/certs/
sudo cp server.key /etc/ssl/private/
sudo cp ca.crt /etc/ssl/certs/
sudo cp client.crt /etc/ssl/certs/
sudo cp client.key /etc/ssl/private/

b. Edit Apache Configuration:

You need to configure Apache to use the server certificate and to request a client certificate. This is typically done in a virtual host configuration file or in the main Apache configuration file.

For Ubuntu/Debian, edit the file /etc/apache2/sites-available/000-default.conf. For RHEL/CentOS, edit /etc/httpd/conf.d/ssl.conf or a similar file.

Add or update the following directives:

apache

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html

    # Enable SSL
    SSLEngine on

    # Server Certificate
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # CA Certificate
    SSLCACertificateFile /etc/ssl/certs/ca.crt

    # Request a client certificate
    SSLVerifyClient require
    SSLVerifyDepth 1

    # Additional SSL settings
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    # DocumentRoot settings
    <Directory /var/www/html>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

c. Enable SSL Module and Site Configuration:

On Debian/Ubuntu:

bash

sudo a2enmod ssl
sudo a2ensite default-ssl

On RHEL/CentOS: You might already have SSL enabled; just ensure the configuration file is included and correctly set.

d. Restart Apache:

Apply the configuration changes by restarting Apache:

bash

sudo systemctl restart apache2  # For Debian/Ubuntu
sudo systemctl restart httpd    # For RHEL/CentOS


3. Test with curl
Use curl to make a request to the server with mutual SSL:

curl -v https://your-server-domain/ --cert client.crt --key client.key --cacert ca.crt


Explanation:


    --cert
         client.crt: Specifies the client certificate to use.
    --key
         client.key: Specifies the private key associated with the client
         certificate.
    --cacert
         ca.crt: Specifies the CA certificate used to verify the server's
        certificate.



Example output:

plaintext

*   Trying <server-ip>...

* TCP_NODELAY set

* Connected to your-server-domain (<server-ip>) port 443 (#0)

* schannel: SSL/TLS connection with your-server-domain port 443 (step 1/3)

* schannel: setting hostname via SNI

* schannel: SSL/TLS connection with your-server-domain port 443 (step 2/3)

* schannel: SSL/TLS connection with your-server-domain port 443 (step 3/3)

* Server certificate:

* subject:CN=your-server-domain

* start date:Sep  1 00:00:00 2024 GMT

* expire date: Sep  1 00:00:00 2025 GMT

* subjectAltName: host "your-server-domain" matched cert's "your-server-domain"

* issuer: CN=My CA

* SSL certificate verify ok.

> GET / HTTP/1.1

> Host: your-server-domain

> User-Agent: curl/7.64.1

> Accept: */*

>

< HTTP/1.1 200 OK

< Server: nginx/1.18.0
< Date: Mon, 02 Sep 2024 00:00:00 GMT

< Content-Type: text/html
< Content-Length: 612

< Last-Modified: Mon, 02 Sep 2024 00:00:00 GMT
< Connection: keep-alive

< ETag: "5f2e3b7d-264"
< Accept-Ranges: bytes

<


<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style> /* Add some basic styling here */</style></head>
<body>
    <h1>Welcome to nginx!</h1>
    <p>If you see this page, the nginx web server is successfully installed and working.</p>
</body>
</html>

* Connection #0 to host your-server-domain left intact If curl successfully connects and retrieves content, mutual SSL is working correctly. If there are issues, check both server and client logs for troubleshooting.
If curl successfully connects and retrieves content, mutual SSL is working correctly. If there are issues, check both server and client logs for troubleshooting.

Wednesday, September 4, 2024

What is DevOps

 

  • What is DevOps


DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enables organizations to better serve their customers and compete more effectively in the market.

What is DevOps?

Under a DevOps model, development and operations teams are no longer “siloed.” Sometimes, these two teams are merged into a single team where the engineers work across the entire application lifecycle, from development and test to deployment to operations, and develop a range of skills not limited to a single function.

In some DevOps models, quality assurance and security teams may also become more tightly integrated with development and operations and throughout the application lifecycle. When security is the focus of everyone on a DevOps team, this is sometimes referred to as DevSecOps.

These teams use practices to automate processes that historically have been manual and slow. They use a technology stack and tooling which help them operate and evolve applications quickly and reliably. These tools also help engineers independently accomplish tasks (for example, deploying code or provisioning infrastructure) that normally would have required help from other teams, and this further increases a team’s velocity.

  • What is Automation, Scaling, Infrastructure
  • Why DevOps is Important, etc

Wednesday, December 6, 2023

grep urls from bash script

 grep -rnE "script|link"  app/Views/ | awk '!/base_url/' | awk '!/site_url/' | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | sort -u |uniq >> url.txt

Friday, October 13, 2023

Windows tool for creating a self-signed certificate

 

Windows tool for creating a self-signed certificate.

https://sourceforge.net/projects/portecle/

kindly install portecle tool from above link. The steps for creating the certificate that we need are as given below :

1) Install the tool from above link.
2) Go to File -> New Keystore -> PKCS #12. Click on Okay.
3) Go to Tools -> Generate Key Pair. Select RSA. Enter 2048 and click on Okay.
4) Select SHA256 with RSA in the dropdown list. Enter roughly the details asked
in the form. Click on Okay.
5) Enter an Alias in the dialog box and click on Okay. Key Pair generation
successful message is displayed.
6) Now, right click on the keypair (identified by the alias) displayed and click
on export.

The other opensource tool is - openSSL.

Wednesday, October 4, 2023

How To Create PKCS #12 For Your Application

 This post is about creating PKCS #12 to serve e.g. your content via HTTPS in your application itself or in another web container (such a Tomcat or another application server).

The PKCS #12 format is a binary format for storing cryptography objects. It usually contains the server certificate, any intermediate certificates (i.e. chain of trust), and the private key, all of them in a single file. A PKCS #12 file may be encrypted and signed. PKCS #12 files are usually found with the extensions .pfx and .p12.

The PKCS #12 is similar to JKS format, but you can use it not only in Java but also in other libraries in C, C++ or C# etc, so I prefer this type of a keystore to be more general.

To use PKCS #12 inside your application, you have two way how to do it:

The first option is fast and simple, but not suitable for production environment. The second option is about creating CSR to be signed by any trusted Certificate Authority (CA).

When you need to create a new certificate as quickly as possible, run the following two commands:

openssl req -x509 -newkey rsa:4096 -keyout myPrivateKey.pem -out myCertificate.crt -days 3650 -nodes

openssl – the command for executing OpenSSL.

req – certificate request and certificate generating utility in OpenSSL.

-x509 – used to generate a self-signed certificate.

-newkey rsa:4096 - option to create a new certificate request and a new private key, rsa:4096 means generating an RSA key nbits in size.

-keyout myPrivateKey.pem – use the private key file myPrivateKey.pem as the private key to combining with the certificate.

-out myCertificate.crt – use myCertificate.crt as the output certificate name.

-days 3650 – specifies the number of days to certify the certificate for.

-nodes - a created private key will not be encrypted.

openssl pkcs12 -export -out keyStore.p12 -inkey myPrivateKey.pem -in myCertificate.crt

openssl – the command for executing OpenSSL.

pkcs12 – the PKCS #12 utility in OpenSSL.

-export - the option specifies that a PKCS #12 file will be created.

-out keyStore.p12 – specifies a filename to write the PKCS #12 file to.

-inkey myPrivateKey.pem – file to read private key from.

-in myCertificate.crt – the filename to read the certificate.

The wizard will prompt you for an export password. If filled, this password will be used as a key store password.

And that is all you need, use keyStore.p12 in your application.

openssl req -new -newkey rsa:4096 -out request.csr -keyout myPrivateKey.pem -nodes

openssl – the command for executing OpenSSL.

req – certificate request and certificate generating utility in OpenSSL.

-newkey rsa:4096 - option to create a new certificate request and a new private key, rsa:4096 means generating an RSA key nbits in size.

-keyout myPrivateKey.pem – use the private key file myPrivateKey.pem as the private key to combining with the certificate.

-out request.csr – use request.csr as the certificate signing request in the PKCS #10 format.

-nodes - a created private key will not be encrypted.

openssl req -new -key myPrivateKey.pem -out request.csr

openssl – the command for executing OpenSSL.

req – certificate request and certificate generating utility in OpenSSL.

-new - generates a new certificate request.

-key myPrivateKey.pem – specifies the file to read the private key from.

-out request.csr – use request.csr as the certificate signing request in the PKCS#10 format.

Now it is time to send request.csr as a result of the previous step to your CA (Certificate Authority) to be signed.

You are almost done. When you get a new certificate for your request.csr from your CA, use it together with a private key to create a PKCS#12 file:

openssl pkcs12 -export -out keyStore.p12 -inkey privateKey.pem -in certificate.crt -certfile CA.crt

openssl – the command for executing OpenSSL.

pkcs12 – the PKCS #12 utility in OpenSSL.

-export - the option specifies that a PKCS #12 file will be created.

-out keyStore.p12 – specifies a filename to write the PKCS #12 file to.

-inkey myPrivateKey.pem – file to read private key from.

-in myCertificate.crt – the filename to read the certificate.

-certfile CA.crt – optional parameter to read additional certificates from, useful to create a complete trust chain.

The output file keyStore.p12 is what you need to add to your application. When you filled an export password use it as a key store password in a configuration file.

Tuesday, August 29, 2023

MYSQLCHECK - TABLE MAINTENANCE PROGRAM

 

MYSQLCHECK - TABLE MAINTENANCE PROGRAM

HELP

mysqlcheck --help

RUN PROGRAM

mysqlcheck employees staff

mutual ssl client server

To test mutual SSL (two-way SSL) authentication using curl, you need to set up a server that requires client certificates for access, and th...