OpenSSL is an open source implementation of the SSL and TLS protocols. It provides an encryption transport layer on top of the normal communications layer, allowing it to be intertwined with many network applications and services.
The version of OpenSSL included in FreeBSD supports the Secure Sockets Layer 3.0 (SSLv3) and Transport Layer Security 1.0/1.1/1.2 (TLSv1/TLSv1.1/TLSv1.2) network security protocols and can be used as a general cryptographic library. In FreeBSD 12.0-RELEASE and above, OpenSSL also supports Transport Layer Security 1.3 (TLSv1.3).
OpenSSL is often used to encrypt
authentication of mail clients and to secure web based
transactions such as credit card payments. Some ports, such as
www/apache24 and
databases/postgresql11-server, include a
compile option for building with
OpenSSL. If selected, the port will
add support using OpenSSL from the
base system. To instead have the port compile against
OpenSSL from the
security/openssl port, add the following to
/etc/make.conf
:
DEFAULT_VERSIONS+= ssl=openssl
Another common use of OpenSSL is to provide certificates for use with software applications. Certificates can be used to verify the credentials of a company or individual. If a certificate has not been signed by an external Certificate Authority (CA), such as http://www.verisign.com, the application that uses the certificate will produce a warning. There is a cost associated with obtaining a signed certificate and using a signed certificate is not mandatory as certificates can be self-signed. However, using an external authority will prevent warnings and can put users at ease.
This section demonstrates how to create and use certificates on a FreeBSD system. Refer to Section 29.5.2, “Configuring an LDAP Server” for an example of how to create a CA for signing one's own certificates.
For more information about SSL, read the free OpenSSL Cookbook.
To generate a certificate that will be signed by an
external CA, issue the following command
and input the information requested at the prompts. This
input information will be written to the certificate. At the
Common Name
prompt, input the fully
qualified name for the system that will use the certificate.
If this name does not match the server, the application
verifying the certificate will issue a warning to the user,
rendering the verification provided by the certificate as
useless.
#
openssl req -new -nodes -out req.pem -keyout cert.key -sha256 -newkey rsa:2048
Generating a 2048 bit RSA private key ..................+++ .............................................................+++ writing new private key to 'cert.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:
US
Locality Name (eg, city) []:
PA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Pittsburgh
Organizational Unit Name (eg, section) []:
My Company
Common Name (eg, YOUR name) []:
Systems Administrator
Email Address []:
localhost.example.org
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
trhodes@FreeBSD.org
Another Name
Other options, such as the expire time and alternate encryption algorithms, are available when creating a certificate. A complete list of options is described in openssl(1).
This command will create two files in the current
directory. The certificate request,
req.pem
, can be sent to a
CA who will validate the entered
credentials, sign the request, and return the signed
certificate. The second file,
cert.key
, is the private key for the
certificate and should be stored in a secure location. If
this falls in the hands of others, it can be used to
impersonate the user or the server.
Alternately, if a signature from a CA is not required, a self-signed certificate can be created. First, generate the RSA key:
#
openssl genrsa -rand -genkey -out cert.key 2048
0 semi-random bytes loaded Generating RSA private key, 2048 bit long modulus .............................................+++ .................................................................................................................+++ e is 65537 (0x10001)
Use this key to create a self-signed certificate. Follow the usual prompts for creating a certificate:
#
openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:State or Province Name (full name) [Some-State]:
US
Locality Name (eg, city) []:
PA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Pittsburgh
Organizational Unit Name (eg, section) []:
My Company
Common Name (e.g. server FQDN or YOUR name) []:
Systems Administrator
Email Address []:
localhost.example.org
trhodes@FreeBSD.org
This will create two new files in the current directory: a
private key file
cert.key
, and the certificate itself,
cert.crt
. These should be placed in a
directory, preferably under /etc/ssl/
,
which is readable only by root
. Permissions of
0700
are appropriate for these files and
can be set using chmod
.
One use for a certificate is to encrypt connections to the Sendmail mail server in order to prevent the use of clear text authentication.
Some mail clients will display an error if the user has not installed a local copy of the certificate. Refer to the documentation included with the software for more information on certificate installation.
In FreeBSD 10.0-RELEASE and above, it is possible to create a
self-signed certificate for
Sendmail automatically. To enable
this, add the following lines to
/etc/rc.conf
:
sendmail_enable="YES"
sendmail_cert_create="YES"
sendmail_cert_cn="localhost.example.org
"
This will automatically create a self-signed certificate,
/etc/mail/certs/host.cert
, a signing key,
/etc/mail/certs/host.key
, and a
CA certificate,
/etc/mail/certs/cacert.pem
. The
certificate will use the Common Name
specified in sendmail_cert_cn
. After saving
the edits, restart Sendmail:
#
service sendmail restart
If all went well, there will be no error messages in
/var/log/maillog
. For a simple test,
connect to the mail server's listening port using
telnet
:
#
telnet
Trying 192.0.34.166... Connected to example.com. Escape character is '^]'. 220 example.com ESMTP Sendmail 8.14.7/8.14.7; Fri, 18 Apr 2014 11:50:32 -0400 (EDT)example.com
25ehlo
250-example.com Hello example.com [192.0.34.166], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-AUTH LOGIN PLAIN 250-STARTTLS 250-DELIVERBY 250 HELPexample.com
quit
221 2.0.0 example.com closing connection Connection closed by foreign host.
If the STARTTLS
line appears in the
output, everything is working correctly.
All FreeBSD documents are available for download at https://download.freebsd.org/ftp/doc/
Questions that are not answered by the
documentation may be
sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.