Transport Layer Security (TLS)

Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). OpenSSL is the best-known open source implementation.

OpenSSL

  • Base64 encode/decode:

    $ openssl enc -base64 -e -in test.txt -out test.b64
    $ openssl enc -base64 -d -in test.b64 -out test.txt
    $ openssl base64 -e -in test.txt -out test.b64
    $ openssl base64 -d -in test.b64 -out test.txt
  • Symmetric encryption/decryption:

    $ openssl enc -des -e -in test.txt -out test.des -pass pass:qwe123
    $ openssl enc -des -d -in test.des -out test.txt -pass pass:qwe123

    To send the encrypted file as an e-mail attachment, add the -a (or -base64) option so the output is base64-encoded text:

    $ openssl enc -des -a -e -in test.txt -out test.des -pass pass:qwe123
    $ openssl enc -des -a -d -in test.des -out test.txt -pass pass:qwe123
  • Message digest commands:

    $ openssl dgst -md5 test.txt
    MD5(test.txt)= ba1f2511fc30423bdbb183fe33f3dd0f
    $ openssl md5 test.txt
    MD5(test.txt)= ba1f2511fc30423bdbb183fe33f3dd0f
  • Pass phrase arguments from man 1 openssl:

    Several commands accept password arguments, typically using
    -passin and -passout for input and output passwords respectively.
    These allow the password to be obtained from a variety of
    sources. Both of these options take a single argument whose
    format is described below. If no password argument is given and
    a password is required then the user is prompted to enter one:
    this will typically be read from the current terminal with
    echoing turned off.

    pass:password
              the actual password is password. Since the password is
              visible to utilities (like 'ps' under Unix) this form
              should only be used where security is not important.

    env:var   obtain the password from the environment variable var.
              Since the environment of other processes is visible on
              certain platforms (e.g. ps under certain Unix OSes)
              this option should be used with caution.

    file:pathname
              the first line of pathname is the password. If the
              same pathname argument is supplied to -passin and
              -passout arguments then the first line will be used
              for the input password and the next line for the
              output password. pathname need not refer to a regular
              file: it could for example refer to a device or named
              pipe.

    fd:number read the password from the file descriptor number.
              This can be used to send the data via a pipe for
              example.

    stdin     read the password from standard input.
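The symmetric encryption and pass phrase sections above, worked through as an added example (not code from the original page): the file is encrypted and decrypted with the passphrase supplied over a file descriptor (-pass fd:3) rather than on the command line, so it does not show up in ps. It assumes openssl is on the PATH and is version 1.1.1 or later (for -pbkdf2), and it uses -aes-256-cbc in place of the page's -des, which is a 56-bit legacy cipher.

```shell
#!/bin/sh
# Added example, not from the original page. Combines the "symmetric
# encryption" and "pass phrase arguments" sections: the file is encrypted and
# decrypted with the passphrase supplied on a file descriptor (-pass fd:3)
# instead of on the command line (-pass pass:...), so it never appears in
# `ps` output. Assumes OpenSSL 1.1.1 or later for -pbkdf2; -aes-256-cbc is
# used instead of the page's -des, a 56-bit legacy cipher.

# roundtrip <plaintext> <passphrase-file> <workdir>
# Returns 0 only if decrypt(encrypt(plaintext)) is byte-identical to plaintext.
roundtrip() {
    plain="$1"; passfile="$2"; work="$3"
    # Encrypt. The key is derived with PBKDF2 from the passphrase plus a random
    # salt; fd 3 is attached to the passphrase file, and openssl reads its
    # first line, exactly like file:pathname would.
    openssl enc -aes-256-cbc -pbkdf2 -salt -e -in "$plain" \
        -out "$work/cipher.bin" -pass fd:3 3< "$passfile" || return 1
    # The salt is stored in the "Salted__" header, so decryption only needs
    # the same passphrase and cipher.
    openssl enc -aes-256-cbc -pbkdf2 -d -in "$work/cipher.bin" \
        -out "$work/plain.out" -pass fd:3 3< "$passfile" || return 1
    cmp -s "$plain" "$work/plain.out"
}

# wrong_key_check <plaintext> <workdir>
# Decrypting cipher.bin with another passphrase must not yield the plaintext:
# openssl normally fails with "bad decrypt" (PKCS#7 padding check); in the
# rare case the padding happens to verify, the output is still garbage.
wrong_key_check() {
    plain="$1"; work="$2"
    printf 'not the passphrase\n' > "$work/wrong.txt"
    if openssl enc -aes-256-cbc -pbkdf2 -d -in "$work/cipher.bin" \
         -out "$work/wrong.out" -pass fd:3 3< "$work/wrong.txt" 2>/dev/null; then
        ! cmp -s "$plain" "$work/wrong.out"
    fi
}

# demo: constructed sample plaintext and passphrase in a private temp dir.
demo() {
    work=$(mktemp -d) || return 1
    printf 'constructed sample plaintext\n' > "$work/plain.txt"
    (umask 077; printf 'correct horse battery staple\n' > "$work/pass.txt")
    roundtrip "$work/plain.txt" "$work/pass.txt" "$work" &&
        wrong_key_check "$work/plain.txt" "$work"
    rc=$?
    rm -rf "$work"
    return $rc
}
```

demo returns 0 when the round trip succeeds and a wrong passphrase does not recover the plaintext; the same fd:3 redirection works with a named pipe or a process substitution, which is the point of the fd: form.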

Stunnel

  • VNC server tunnel configuration, vnc-server-tunnel.cfg:

    [vnc-server-tunnel]
    cert = /etc/pki/tls/certs/certificate.pem
    key = /etc/pki/tls/certs/key.pem
    accept = 6900
    connect = 5900
  • VNC client tunnel configuration, vnc-client-tunnel.cfg:

    [vnc-client-tunnel]
    client = yes
    connect = example.com:6900
    accept = 5900

    Start the tunnel:

    # stunnel vnc-client-tunnel.cfg

    Then connect with vncviewer to the local end of the tunnel:

    $ vncviewer 5900

Misc

TLS certificates and keys are usually stored under /etc/pki/. See: https://fedoraproject.org/wiki/PackagingDrafts/Certificates

None: TLS (last edited 2010-09-02 21:57:55 by ZhigangWang)