Qualys Blog

www.qualys.com

OpenSSL Cookbook 2nd Edition Released

Today we’re releasing the second edition of OpenSSL Cookbook, a free OpenSSL book. This edition is a major update, with some improvements to the existing text and new content added. The new edition has about 95 pages, an increase of about 35 pages.

Here’s a brief overview of what’s new:

  • New chapter Testing with OpenSSL, which focuses on secure server assessment.
  • New section Recommended Configuration, which contains a list of recommended cipher suites. I now prefer to configure OpenSSL by explicitly listing all the suites I wish to enable.
  • New section Creating a Private Certification Authority, which contains a step-by-step guide to creating and deploying a private CA.
  • Updated SSL/TLS Deployment Best Practices to v1.4. Important changes in this version include SHA1 deprecation and SSL 3 weaknesses (POODLE).

Another important improvement is that I am switching from updating OpenSSL Cookbook once in a while (the previous edition was released in October 2013) to making small changes as the need arises. There still might be further editions, but only when and if new content is added.

OpenSSL Cookbook draws from the content written for my bigger work, Bulletproof SSL and TLS. If you’re looking for a complete guide to the world of SSL/TLS and Internet PKI, give the bigger book a try.

That said, the main goals of OpenSSL Cookbook are to be useful, short, and contain documentation for everything you might want to do with it as a user (i.e., no programming). If you’re looking for something and you can’t find it in this book, please get in touch to propose improvements.

2 responses to “OpenSSL Cookbook 2nd Edition Released”

  1. Hi Ivan & Co.,

    Thanks so much for your helpful book.
    I have a specific question about your coverage of OCSP-stapling (https://www.feistyduck.com/library/openssl%2dcookbook/online/ch-testing-with-openssl.html#testing-ocsp-stapling).

    In that short section, you show the stapled OCSP output resulting from

    “$ echo | openssl s_client -connect http://www.feistyduck.com:443 -status” (this command referred to below as )

    The resulting output printed in the book contains the line: “Cert Status: good”

    Following the output, there is only one line of OpenSLL-Cookbook explanation:

    “The certificate status good means that the certificate has not been revoked.” (this explanation referred to below as )

    It is natural to assume that implies that has performed a full signature verification of the stapled certificate and that the line of output “Cert Status: good” is output conditionally on the successful execution of .

    Yet, one would expect an explicit explanation, leaving room for doubt. The possibility that “Cert Status: good” is simply the content of the stapled OCSP response, regardless of signature verification. In that case, we assume that carries the implied meaning “… according to the stapled OCSP-response, which must have it’s signature separately verified.

    In contrast, for both of the other types of revocation checking:

    (1) CRL-revocation-list-checking
    [https://www.feistyduck.com/library/openssl%2dcookbook/online/ch-testing-with-openssl.html#checking-crl-revocation]
    (2) OCSP-request-response (find “submit OCSP request”)
    [https://www.feistyduck.com/library/openssl%2dcookbook/online/ch-testing-with-openssl.html#testing-ocsp-revocation]

    the “OpenSSL Cookbook” shows explicit methods (recipes) to go the extra distance and complete the verification manually using the information already yielded by openssl. It would be a very human to infer that reason “OpenSSL Cookbok” does not include a separate recipe for full validation of a stapled OCSP-reponse is because it is not necessary – i.e. already did it.

    It would be helpful if this section were less ambiguous and, if required, a recipe for verifying the signature of the stapled OCSP were included.

    This answer on “stackoverflow” strongly says separate steps apart from are required:
    https://security.stackexchange.com/questions/120311/openssl-certificate-revocation-check-in-client-program-using-ocsp-stapling-2/120312#120312

    Thank you for your time and helpfulness

    Craig Hicks

    • Hi Craig. Thank you for your detailed post. You’re right, that part in OpenSSL Cookbook could be done better.

      Checking of the security of an OCSP response is not done by default in OpenSSL. To enable it you need to have the correct certificates to check with and that requires a couple of additional steps that I don’t show in the book.

      I am going to add it to my TODO list to fix soon.

Leave a Reply