nmz.me

How to check remote TLS settings

2020-10-16T20:00:00+00:00

Recently helping a friend that was facing problems using some government API between the test and production environment, I suspected that the issue was related to the SSL/TLS version that was enabled on both sites. Here are some handy scripts for checking that setting on remote sites.

nmap --script  ssl-enum-ciphers -p 443 nmz.me

And here’s the output

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-16 17:51 -03
Nmap scan report for nmz.me (104.27.148.109)
Host is up (0.28s latency).
Other addresses for nmz.me (not scanned): 172.67.199.116 104.27.149.109 2606:4700:3034::681b:956d 2606:4700:3036::681b:946d 2606:4700:3036::ac43:c774

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256-draft (ecdh_x25519) - A
|     compressors: 
|       NULL
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds

Here’s another handy script in case you don’t have nmap installed. (Found on StackOverflow)

#!/usr/bin/env bash

# OpenSSL requires the port number.
SERVER=$1
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo Obtaining cipher list from $(openssl version).

for cipher in ${ciphers[@]}
do
echo -n Testing $cipher...
result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
if [[ "$result" =~ ":error:" ]] ; then
  error=$(echo -n $result | cut -d':' -f6)
  echo NO \($error\)
else
  if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher    :" ]] ; then
    echo YES
  else
    echo UNKNOWN RESPONSE
    echo $result
  fi
fi
sleep $DELAY
done

And this is the sample output:

➜  scripts git:(master) ✗ ./show_ssl_ciphers.sh wsaahomo.afip.gov.ar:443
Obtaining cipher list from OpenSSL 1.1.1f 31 Mar 2020.
Testing TLS_AES_256_GCM_SHA384...NO (SSL_CTX_set_cipher_list)
Testing TLS_CHACHA20_POLY1305_SHA256...NO (SSL_CTX_set_cipher_list)
Testing TLS_AES_128_GCM_SHA256...NO (SSL_CTX_set_cipher_list)
Testing ECDHE-ECDSA-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-GCM-SHA384...YES
Testing DHE-DSS-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-GCM-SHA384...NO (141A318A)
Testing ECDHE-ECDSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-CCM8...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-CCM...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-CCM8...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES256-CCM...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-DSS-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-RSA-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ADH-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-GCM-SHA256...YES
Testing DHE-DSS-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-GCM-SHA256...NO (141A318A)
Testing ECDHE-ECDSA-AES128-CCM8...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-CCM...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-CCM8...NO (sslv3 alert handshake failure)
Testing DHE-RSA-AES128-CCM...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-DSS-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-SHA384...YES
Testing DHE-RSA-AES256-SHA256...NO (141A318A)
Testing DHE-DSS-AES256-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-DSS-CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-SHA256...YES
Testing DHE-RSA-AES128-SHA256...NO (141A318A)
Testing DHE-DSS-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-DSS-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA256...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES256-SHA...YES
Testing DHE-RSA-AES256-SHA...NO (141A318A)
Testing DHE-DSS-AES256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES256-SHA...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-AES128-SHA...YES
Testing DHE-RSA-AES128-SHA...NO (141A318A)
Testing DHE-DSS-AES128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-SEED-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-SEED-SHA...NO (sslv3 alert handshake failure)
Testing DHE-RSA-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing DHE-DSS-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-AES128-SHA...NO (sslv3 alert handshake failure)
Testing ADH-SEED-SHA...NO (sslv3 alert handshake failure)
Testing ADH-CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing DHE-PSK-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-CCM8...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-CCM...NO (sslv3 alert handshake failure)
Testing RSA-PSK-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing AES256-GCM-SHA384...YES
Testing AES256-CCM8...NO (sslv3 alert handshake failure)
Testing AES256-CCM...NO (sslv3 alert handshake failure)
Testing ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing PSK-AES256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing PSK-CHACHA20-POLY1305...NO (sslv3 alert handshake failure)
Testing PSK-AES256-CCM8...NO (sslv3 alert handshake failure)
Testing PSK-AES256-CCM...NO (sslv3 alert handshake failure)
Testing PSK-ARIA256-GCM-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-CCM8...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-CCM...NO (sslv3 alert handshake failure)
Testing RSA-PSK-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing AES128-GCM-SHA256...YES
Testing AES128-CCM8...NO (sslv3 alert handshake failure)
Testing AES128-CCM...NO (sslv3 alert handshake failure)
Testing ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing PSK-AES128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing PSK-AES128-CCM8...NO (sslv3 alert handshake failure)
Testing PSK-AES128-CCM...NO (sslv3 alert handshake failure)
Testing PSK-ARIA128-GCM-SHA256...NO (sslv3 alert handshake failure)
Testing AES256-SHA256...YES
Testing CAMELLIA256-SHA256...NO (sslv3 alert handshake failure)
Testing AES128-SHA256...YES
Testing CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-AES256-CBC-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-AES256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-DSS-AES-256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-RSA-AES-256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-AES-256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES256-CBC-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-CBC-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing AES256-SHA...YES
Testing CAMELLIA256-SHA...NO (sslv3 alert handshake failure)
Testing PSK-AES256-CBC-SHA384...NO (sslv3 alert handshake failure)
Testing PSK-AES256-CBC-SHA...NO (sslv3 alert handshake failure)
Testing PSK-CAMELLIA256-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-AES128-CBC-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-AES128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-DSS-AES-128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-RSA-AES-128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing SRP-AES-128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES128-CBC-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-CBC-SHA256...NO (sslv3 alert handshake failure)
Testing RSA-PSK-AES128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing DHE-PSK-AES128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing RSA-PSK-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing AES128-SHA...YES
Testing SEED-SHA...NO (sslv3 alert handshake failure)
Testing CAMELLIA128-SHA...NO (sslv3 alert handshake failure)
Testing PSK-AES128-CBC-SHA256...NO (sslv3 alert handshake failure)
Testing PSK-AES128-CBC-SHA...NO (sslv3 alert handshake failure)
Testing PSK-CAMELLIA128-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-ECDSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing ECDHE-RSA-NULL-SHA...NO (sslv3 alert handshake failure)
Testing AECDH-NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-NULL-SHA384...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-NULL-SHA256...NO (sslv3 alert handshake failure)
Testing ECDHE-PSK-NULL-SHA...NO (sslv3 alert handshake failure)
Testing RSA-PSK-NULL-SHA384...NO (sslv3 alert handshake failure)
Testing RSA-PSK-NULL-SHA256...NO (sslv3 alert handshake failure)
Testing DHE-PSK-NULL-SHA384...NO (sslv3 alert handshake failure)
Testing DHE-PSK-NULL-SHA256...NO (sslv3 alert handshake failure)
Testing RSA-PSK-NULL-SHA...NO (sslv3 alert handshake failure)
Testing DHE-PSK-NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-SHA...NO (sslv3 alert handshake failure)
Testing NULL-MD5...NO (sslv3 alert handshake failure)
Testing PSK-NULL-SHA384...NO (sslv3 alert handshake failure)
Testing PSK-NULL-SHA256...NO (sslv3 alert handshake failure)
Testing PSK-NULL-SHA...NO (sslv3 alert handshake failure)

Spring Boot Thymeleaf decorate layout issues

2020-10-01T01:00:00+00:00

If you’re having problems using spring-boot starter web with thymeleaf, and you are using decorate layout… you may be finding that by default it’s not working. To solve this issue, just add the following dependency to your project.

<dependency>
    <groupId>nz.net.ultraq.thymeleaf</groupId>
    <artifactId>thymeleaf-layout-dialect</artifactId>
</dependency>

CA for testing puposes

2019-08-04T13:50:00+00:00

Goals

The goal is to build a PKI scheme with a Root Certificate Authority and an Intermediate Certificate Authority.

I’ve gone through many projects where SSL / TLS Test Certificates, Code Signing, Mail Signatures or PDF Signatures were required.

Nowadays I’m looking for a test scenario with CRL / OCSP Working to get some PDF LTV enabled Signatures.

The whole solution is available at this GitHub repo

At least to try this, you need:

OpenSSL

RootCA

As the PKI chains starts with a Root Authority. Let’s go.

First of all, we must build our directory structure.

There will be:

a private directory to store “private” keys.
a db directory to store our CA Database.
a certs directory to store generated certificates

└── root-ca
    ├── certs
    ├── db
    └── private

Add the OpenSSL ROOT CA config file root-ca.conf

Create the private key of our Root Certificate Authority

openssl genrsa -aes256 -out root-ca/private/root-ca.key.pem 4096
chmod 400 root-ca/private/root-ca.key.pem

Create empty database files

touch ./root-ca/db/root-ca.db
touch ./root-ca/db/root-ca.db.attr
touch ./root-ca/db/root-ca.crt.srl
touch ./root-ca/db/root-ca.crl.srl
echo 00 > ./root-ca/db/root-ca.crt.srl
echo 00 > ./root-ca/db/root-ca.crl.srl

Important note: OpenSSL stores Serial Numbers as Hex (Blocks of two numbers).

Create the Certificate

openssl req -config root-ca.conf \
            -key root-ca/private/root-ca.key.pem \
            -new -x509 -days 7300 -sha256 -extensions root_ca_ext \
            -out root-ca/certs/root-ca.crt

Intermediate CA

Repeat directory structure for our Intermediate CA (int-ca) plus a directory for the Certificate Requests (csr)

├── root-ca
│   ├── certs
│   ├── db
│   └── private
└── int-ca
    ├── certs
    ├── csr
    ├── db
    └── private

Add the Intermediate CA configuration file int-ca.conf

Create the private key

openssl genrsa -aes256 -out int-ca/private/int-ca.key.pem 4096

Create the Certificate Request

openssl req -config ./int-ca.conf \
            -new -sha256 -key ./int-ca/private/int-ca.key.pem \
            -out ./int-ca/csr/int-ca.csr.pem

Sign the request to create the Intermiate Certificate (using root config file)

openssl ca -config root-ca.conf -extensions int_ca_ext \
        -days 7600 -notext -md sha256 \
        -in ./int-ca/csr/int-ca.csr.pem \
        -out ./int-ca/certs/int-ca.cert.pem

SSL/TLS Certificates

First of all, we must setup the TLS CSR config file

Sample bash script for CSR creation and certificate signature

#!/bin/bash
export SAN=DNS:$1
openssl req -new -config conf/TLS.conf -out int-ca/csr/$1.csr -keyout signing-ca/private/$1.key
openssl ca -config ./int-ca.conf -in ./int-ca/csr/$1.csr -out int-ca/certs/$1.crt -extensions server_ext

To call it just run

nicolas@sxm:~/dev/democa$ ./TLS.sh test.nmz.me

Output

nicolas@sxm:~/dev/democa$ ./TLS.sh test.nmz.me
Generating a RSA private key
...................................+++++
..............................................+++++
writing new private key to 'int-ca/private/test.nmz.me.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Domain Component         (eg, me)       []:me
2. Domain Component         (eg, nmz)   []:nmz
4. Organization Name        (eg, NMZ)   []:NMZ
5. Organizational Unit Name (eg, section)   []:test
6. Common Name              (eg, FQDN)      []:test.nmz.me
Using configuration from ./int-ca.conf
Enter pass phrase for ./int-ca/private/int-ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Aug 13 00:34:12 2019 GMT
            Not After : Aug 12 00:34:12 2021 GMT
        Subject:
            domainComponent           = me
            domainComponent           = nmz
            organizationName          = NMZ
            organizationalUnitName    = test
            commonName                = test.nmz.me
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                54:A2:35:D4:49:B9:67:2B:61:8F:16:08:85:B7:68:11:E4:21:A9:63
            X509v3 Authority Key Identifier: 
                keyid:6E:6B:78:7D:57:53:F0:86:CE:E8:C8:25:50:1A:ED:FB:2D:2D:60:6F

            X509v3 Subject Alternative Name: 
                DNS:test.nmz.me
Certificate is to be certified until Aug 12 00:34:12 2021 GMT (730 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

End User Certificates

This time, we must setup the EMAIL CSR config file

Sample bash script for CSR creation and certificate signature

#!/bin/bash
openssl req -new -config conf/EMAIL.conf -out int-ca/csr/$1.csr -keyout int-ca/private/$1.key
openssl ca -config ./int-ca.conf -in ./int-ca/csr/$1.csr -out int-ca/certs/$1.crt -extensions email_ext

To call it just run

nicolas@sxm:~/dev/democa$ ./EMAIL.sh email@adress.

Output

nicolas@sxm:~/dev/democa$ ./EMAIL.sh test@test.site
Generating a RSA private key
.....................................................+++++
........................................................................................+++++
writing new private key to 'int-ca/private/test@test.site.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Domain Component         (eg, com)       []:me  
2. Domain Component         (eg, company)   []:nmz
4. Organization Name        (eg, company)   []:NMZ
5. Organizational Unit Name (eg, section)   []:test
6. Common Name              (eg, full name) []:test
7. Email Address            (eg, name@fqdn) []:test@nmz.me
Using configuration from ./int-ca.conf
Enter pass phrase for ./int-ca/private/int-ca.key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 30 23:43:36 2019 GMT
            Not After : Sep 29 23:43:36 2021 GMT
        Subject:
            domainComponent           = me
            domainComponent           = nmz
            organizationName          = NMZ
            organizationalUnitName    = test
            commonName                = test
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                E-mail Protection, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                C9:E8:1E:6B:BB:B2:AA:AF:5F:88:49:9F:FD:3F:B4:CC:A0:20:83:C0
            X509v3 Authority Key Identifier: 
                keyid:6E:6B:78:7D:57:53:F0:86:CE:E8:C8:25:50:1A:ED:FB:2D:2D:60:6F

            X509v3 Subject Alternative Name: 
                email:test@nmz.me
Certificate is to be certified until Sep 29 23:43:36 2021 GMT (730 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

OpenData

2018-01-31T22:08:00+00:00

OpenData

Main Idea: Build a git repo with useful lists of values. Ej. ISO3166, etc.

link

Feel free to fork, extend, or fix. Ideas are welcome. Please contact by Twitter.

NPM - Notebook

2017-11-14T22:08:00+00:00

NPM - Notebook.

Fix owner permissions on npm global package installation. First check that npm prefix is set to /usr/local using “npm config get prefix”

sudo chown -R $(whoami) $(npm config get prefix)/{lib/node_modules,bin,share}

Keytool

2017-09-16T18:00:00+00:00

Keytool

Import CA certificate in TrustStore (Keystore with Trusted Authorities):

keytool -import -trustcacerts -alias myacalias -file ./myac.pem -keystore ./mytruststore.jks

This will add the PEM certificate contained in myac.pem into the keystore mytruststore.jks, and will be identified with mycaalias

OpenSSL

2017-09-16T13:50:00+00:00

OpenSSL

SSL

View server SSL certificate:

openssl s_client -connect www.google.com:443 -showcerts < /dev/null

In case something like this is shown:

CONNECTED(00000003)
140427920371416:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:

The simple explanation of this error is that your Certificate might be using SNI and it’s not supported by your OpenSSL version. This happens if you are using CloudFlare Flex SSL Certificates (As I am).
The workaround is to inform the expected servername. Sample Solution:

openssl s_client -servername nmz.me -connect nmz.me:443 -showcerts < /dev/null

X509 Certificates

Show CRL Contents

To view CRL contents, simply, download CRL File and:

openssl crl -inform DER -text -noout -in mycrl.crl

OCSP Validation

openssl ocsp -issuer ./ac.pem -CAfile ./ca_chain.pem -cert ./mycert.pem -url http://myocsp/ocsp/

To perform OCSP validation, you need:

Issuer Certificate (ac.pem)
Complete certificate chain. This is a single file with all the intermediates issuers certificates, and the root ac certificate appended.(ca_chain.pem)
Certificate you are validating (mycert.pem)
Ocsp responder URL.

Yarn global installed binaries out of path

2017-09-16T13:50:00+00:00

Yarn and JHipster.

After installing JHipster using yarn, the jhipster command was not found. In fact, all binaries installed globally by yarn are missing. It happens because the bin directory for yarn is not in path. Solution: Add the following lines to .profile file

export PATH="$PATH:~/.yarn/bin"

Hello World

2017-09-06T12:50:00+00:00

The one and only way to start. Hello World!