I-Space Research Labs


How to set up OCSP using OpenSSL

by on Feb.26, 2012, under Security, Tech Stuff

Like a lot of Open Source projects, while there are *tons* of documentation on OpenSSL, there is a dearth of useful documentation. It seems like everyone in the know assumes that everyone else is also in the know. I don’t know. But what I do know is how to set up OpenSSL to use OCSP. If you’re a good CA admin, you’re dutifully revoking certificates, regenerating your CRL, and making it available for your servers to download and enjoy. That’s the Old Way. The New Way is to use OCSP… in all reality, I doubt a lot of people are even revoking certs, much less needing to check if one that they issued has been revoked, but hey… it’s cool and you get to have bragging rights to all your geek friends.

Assuming that you already have an OpenSSL Certificate Authority set up, you will need to make a couple of changes to your openssl.cnf file. Add a new line to the usr_cert stanza

[ usr_cert ]
authorityInfoAccess = OCSP;URI:http://<uri to server>

create a new stanza

[ v3_OCSP ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = OCSPSigning

For this example, the OCSP server will be running on ca.isrlabs.net on port 8888, so the authorityInfoAccess line will look like:

authorityInfoAccess = OCSP;URI:http://ca.isrlabs.net:8888

This line will add a new attribute to issued certs that tells clients where the CA’s OCSP server is located so it can check the validity of the cert. The new v3 template assigns a neccesary attribute “OCSPSigning” to any certificate issued under this template. We will need to issue an OCSP signing certificate to the OCSP server with the OCSPSigning attribute, otherwise signature verification will fail when a cert is being checked. This is the first thing we will do:

openssl req -new -nodes -out ca.isrlabs.net.csr -keyout ca.isrlabs.net.key -extensions v3_OCSP

Sign the request with the CA signing key:

openssl ca -in auth.isrlabs.net.csr -out auth.isrlabs.net.crt -extensions v3_OCSP

OpenSSL should show the signing request, look for this in the X509v3 extensions:

X509v3 Extended Key Usage:
OCSP Signing

Sign and commit the request. Now, issue a throwaway cert and sign it

openssl req -new -nodes -out dummy.isrlabs.net.csr -keyout dummy.isrlabs.net.key

openssl ca -in dummy.isrlabs.net.csr -out dummy.isrlabs.net.crt

Next, start up the OCSP server.

openssl ocsp -index /etc/pki/CA/index.txt -port 8888 -rsigner ca.isrlabs.net.crt -rkey ca.isrlabs.net.key -CA /etc/pki/CA/cacert.pem -text -out log.txt

 Once the dummy cert has been been issued and the OCSP server started, we can test the cert using the “openssl ocsp” command. To verify a certificate with OpenSSL, the command syntax is:

openssl ocsp -CAfile <cafile pem> -issuer <issuing ca pem> -cert <certificate to check> -url <url to OCSP server> -resp_text

So to test our dummy file:

openssl ocsp -CAfile cacert.pem -issuer cacert.pem -cert dummy.isrlabs.net.crt -url http://ca.isrlabs.net:8888 -resp_text

There’s going to be a large block of text flooding the screen. Some of the more important text:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response

Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 922CD93C975EDC121DB25B1A55BA9B544E06F9B3
Issuer Key Hash: 322A8DBF79BE1A934543DC4F24FC69220A2803BA
Serial Number: 06
Cert Status: good

Response verify OK

dummy.isrlabs.net.crt: good
This Update: Feb 27 00:55:54 2012 GMT

Now revoke the cert, regenerate the CRL and restart the OCSP server (the server must be restarted every time a cert is issued or revoked). If the OCSP signing certificate was not issued with the OCSPSigning attribute, OpenSSL will gripe that the verification did not work properly. Reissue the signing cert with the OCSPSigning attribute for the server.

openssl ca -revoke /etc/pki/CA/newcerts/06.pem

openssl ca -gencrl -out /etc/pki/CA/crl.pem

Now we can verify the certificate again:

openssl ocsp -CAfile /etc/pki/CA/cacert.pem -issuer /etc/pki/CA/cacert.pem -cert dummy.isrlabs.net.crt -url http://ca.isrlabs.net:8888 -resp_text

OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response

Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 922CD93C975EDC121DB25B1A55BA9B544E06F9B3
Issuer Key Hash: 322A8DBF79BE1A934543DC4F24FC69220A2803BA
Serial Number: 06
Cert Status: revoked
Revocation Time: Feb 27 01:07:36 2012 GMT
This Update: Feb 27 01:12:08 2012 GMT

Response verify OK
dummy.isrlabs.net.crt: revoked
This Update: Feb 27 01:12:08 2012 GMT
Revocation Time: Feb 27 01:07:36 2012 GMT

 If you were to install this cert on a website, and the CA certificate was installed, any modern browser should refuse to connect to the site as the cert has been revoked.

Leave a Comment :, more...

VLAN hopping and now to defend against it

by on Feb.11, 2012, under Security

Back a while ago, I had this idea I came up with while studying for the CCNA exam. The book I was reading said that switchports on a Cisco switch, by default are an “dynamic desirable” trunking mode. Basically what this means is that if you plug another switch into a port set to this, the port will become a trunk, and will trunk down all the VLANs that it’s aware of.

So my first thought was “well cool, I could carry a 2950 with me on the next pen test”, but that’s sort of unwieldy. If there only was a way to do this with Linux! Well, yes, it turns out, there is a way, and it’s from a utility that I’ve heard of before, but never really played with. It’s called Yersinia, named after y pestis, better known as the Black Death.

Yersinia is focused a lot on network attacks, and lets you do all sorts of nasty things like set up DTP trunking, delete VLANs, mess with spanning tree, etc… and the devs are nice enough to include a GTK interface.

So let’s set up the situation: we’re on a penetration test, we’re inside the building. We plug in to an open jack but find that we’re on a VLAN that is fairly restricted. Oh darn. Well, maybe the network guy wasn’t as security conscious as he thought, and just dropped a few ports into a VLAN behind an ACL (probably, since he left a live port open!). If he didn’t reconfigure the switchport, it’s in dynamic desirable status, and we can access any VLAN that the switch knows about by telling the switch that we would like to set up our port as a trunk.

Fire up Yersinia and select “Launch Attack”, and select the DTP (Dynamic Trunking Protocol) tab. Select “Enable trunk” and hit OK. Or if you’re a CLI monkey yersinia dtp -attack 1 -i eth0. If everything goes right, once spanning-tree quits shitting itself, you will be sitting on a fresh, new trunk port. What can we do from here? Well, a lot… we can hop out of the confined VLAN we’re in and directly access any VLAN that the switch is trunking. Server VLAN? Sure. And we’re going to zip right on past any ACLs that may be in place because anything we do is going to be from within the same VLAN as the target. Maybe a little ARP poisoning for some good ol’MITM action? Yep. We can do that too, and Yersinia is set up to make it happen.

How do we prevent this from happening? A good start is shutting down any unused ports on your switches! For the live ports, you need to force your edge ports into access mode, or have then not negotiate trunking with whatever is plugged into it. This is done on a per-port basis:

switchport mode access – this will force the port into an “access only” mode, effectively disabling trunking

switchport nonegotiate – Prohibit the port from negotiating trunking

Is there a way to catch someone doing this? Well, it’s a pain in the ass, but basically (at least on a 2950), you have to enable trunk event logging on a per-port basis (logging event trunk-status). If you’re going to do this, you may as well just do it right and force your ports into access mode and be done with it. But you will see events like this:

%DTP-5-TRUNKPORTON: Port Fa0/24 has become dot1q trunk

Unfortunately, Cisco didn’t see fit to set up a logging event for when someone tries to trunk on an access port, so you’re not going to make any noise

Leave a Comment :, more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!

Visit our friends!

A few highly recommended friends...


All entries, chronologically...