Verifying an SSL certificate and its chain

How to verify an HTTPS certificate together with its chain

Since Google is the best post-it note one can have, I am pasting here the command to verify the SSL certificate and the related chain of a given HTTPS server with SNI enabled:

echo | openssl s_client -showcerts -connect www.google.com:443 -servername www.google.com | more

The echo feeds an empty line and then EOF to s_client, so it exits right after the handshake instead of waiting for input. -servername puts the host name into the TLS ClientHello (SNI): a server hosting several certificates on one IP address answers with the one for that name, while without it you may be looking at its default certificate. -showcerts prints every certificate the server sent, leaf first, rather than only the leaf. The "Verify return code" line at the bottom is the verdict: 0 (ok) means openssl could build a chain from the leaf to a root in its local trust store, while "unable to get local issuer certificate" usually means the server omitted an intermediate or the root is not in the local store.
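As an added example (not part of the original post), the following shell functions take a capture of that command, split it into the individual certificates and verify the leaf against a trusted root bundle, using the captured intermediates as untrusted helpers the way a browser does, with an optional host name check. The function names are this example's own; it assumes only the openssl command line tool and awk.

```shell
#!/bin/sh
# Added example, not from the original post: offline verification of a chain
# captured with "openssl s_client -showcerts", which prints the leaf first and
# then whatever intermediates the server chose to send.

# Capture the chain for a host, with SNI set as in the post.  Not used by the
# offline checks below; stderr is dropped so only the PEM blocks and
# s_client's own report remain.
fetch_chain() { # $1 = host name, $2 = port (default 443)
    echo | openssl s_client -showcerts -connect "$1:${2:-443}" -servername "$1" 2>/dev/null
}

# Number of PEM certificates in a capture (leaf + intermediates).
count_certs() { # $1 = capture file
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split a capture into cert01.pem (leaf), cert02.pem, ... inside directory $2,
# ignoring the CONNECTED/"---"/"Verify return code" lines around the PEM blocks.
split_chain() { # $1 = capture file, $2 = output directory
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
}

# Verify the leaf against a trusted root bundle.  The captured intermediates go
# in as -untrusted: they help build the chain but are not trusted by themselves.
# $1 = capture file, $2 = PEM bundle of trusted roots, $3 = optional host name
# to match against the leaf's SAN/CN.  Returns the exit status of openssl verify.
verify_chain() {
    dir=$(mktemp -d) || return 1
    split_chain "$1" "$dir"
    leaf="$dir/cert01.pem"
    untrusted="$dir/untrusted.pem"
    : > "$untrusted"
    for f in "$dir"/cert*.pem; do
        [ "$f" = "$leaf" ] || cat "$f" >> "$untrusted"
    done
    if [ -n "$3" ]; then
        hostopt="-verify_hostname $3"
    else
        hostopt=""
    fi
    if [ -s "$untrusted" ]; then
        openssl verify -CAfile "$2" -untrusted "$untrusted" $hostopt "$leaf"
    else
        openssl verify -CAfile "$2" $hostopt "$leaf"
    fi
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Typical use is fetch_chain www.example.org > capture.txt followed by verify_chain capture.txt /path/to/ca-bundle.pem www.example.org (the bundle path is whatever your distribution ships; it is not assumed here). A capture holding only the leaf fails against the roots, which is precisely the "missing intermediate" case the s_client report points at.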

PHP Proc_Open and STDIN – STDOUT – STDERR

In gCloud Storage, our Storage-as-a-Service system, we developed some years ago a set of chain technologies that allow us to expand the features of the storage subsystem dynamically, letting it transform incoming or outgoing files.

Some time ago we developed a chain that allows our users to store a file securely by ciphering it when it enters the system and deciphering it when it is fetched, without our side ever saving the password.

After some thinking we decided to embrace existing technology for the purpose, and we chose to rely on openssl.

So we had to write some code able to interact with a spawned openssl process. We did some trial and error and, of course, our research on Google. After various attempts we found this code, which proved to be pretty reliable:

stdin, stdout, stderr with proc_open in PHP

We tried it first on our Mac OS machines, then on our FreeBSD server, and it worked flawlessly for a couple of years. Recently one of our customers asked for an on-premises installation of a stripped-down clone of gCloud Storage that had to run on Linux (CentOS, if that's relevant). We were pretty confident that everything would go smoothly, but that wasn't the case. When the system went live we found out that when deciphering files it would lose some trailing blocks.

Long story short, we found that on Linux a child process can finish while leaving data still in the stdout buffer, while apparently it can't on FreeBSD.
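As an added example, not the gCloud Storage code, here is the openssl filter that such a chain spawns, run from the shell with the passphrase handed over on a private file descriptor instead of on the command line (argv is readable by every local user through ps), plus a helper that reproduces what a reader which stops before the child has flushed everything leaves behind. The cipher, the KDF and the function names are assumptions of this example, not the post's choices.

```shell
#!/bin/sh
# Added example, not the gCloud Storage code: openssl as a stdin -> stdout
# filter, which is what a proc_open() wrapper drives through its pipes.

# Encrypt stdin to stdout.  $1 = file holding the passphrase (one line); it is
# read by openssl from fd 3, so it never appears in the process list.
# AES-256-CBC with PBKDF2 is this example's choice, not the post's.
enc_stream() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass fd:3 3< "$1"
}

# Inverse of enc_stream.  A ciphertext that lost its trailing blocks makes the
# CBC padding check fail, so openssl prints "bad decrypt" and exits non-zero.
# Note that this is only a padding check, not a MAC: openssl enc offers no
# integrity protection, so a truncated or tampered plaintext is not guaranteed
# to be noticed.
dec_stream() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass fd:3 3< "$1"
}

# Copy file $1 to stdout minus its last $2 bytes: the shape of output captured
# by a reader that bailed out before the child's pipe buffer was drained.
truncate_tail() {
    size=$(wc -c < "$1")
    head -c $(( size - $2 )) "$1"
}
```

The lesson for the wrapper is in the second function: if the bytes that go missing are ciphertext, decryption later fails loudly; if they are plaintext, the restored file is silently short. Either way the fix is on the reading side, draining stdout to EOF after the child has exited, as the corrected PHP below does.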

The code we adopted had a specific check to make sure it wasn't trying to interact with a dead process. Specifically:

if (!is_resource($process)) break;

was the guilty portion of the code. What was happening was that openssl was exiting, the code was detecting it and bailing out before fetching the whole of stdout/stderr.

So in the end we came up with this (note that $command is handed to /bin/sh, so any part of it derived from user input, such as a file name, must go through escapeshellarg()):

public function procOpenHandler($command = '', $stdin = '', $maxExecutionTime = 30) {

    $timeLimit = (time() + $maxExecutionTime);

    $descriptorSpec = array(
        0 => array('pipe', 'r'),   // child's stdin: we write to it
        1 => array('pipe', 'w'),   // child's stdout: we read from it
        2 => array('pipe', 'w')    // child's stderr: we read from it
    );

    $pipes = array();

    $response = new stdClass();
    $response->status = TRUE;
    $response->stdOut = '';
    $response->stdErr = '';
    $response->exitCode = '';

    // $command goes through /bin/sh: escapeshellarg() anything user-supplied
    $process = proc_open($command, $descriptorSpec, $pipes);
    if (!is_resource($process)) {
        // could not exec command
        $response->status = FALSE;
        return $response;
    }

    $txOff = 0;
    $txLen = strlen($stdin);
    $stdoutDone = FALSE;
    $stderrDone = FALSE;

    // Make stdin/stdout/stderr non-blocking
    stream_set_blocking($pipes[0], 0);
    stream_set_blocking($pipes[1], 0);
    stream_set_blocking($pipes[2], 0);

    if ($txLen == 0) {
        // nothing to feed: close stdin right away so the child sees EOF
        fclose($pipes[0]);
    }

    while (TRUE) {

        if (time() > $timeLimit) {
            // max execution time reached: kill the child first, otherwise
            // proc_close() blocks until it exits on its own
            @proc_terminate($process);
            @proc_close($process);
            $response->status = FALSE;
            return $response;
        }

        $rx = array(); // the child's stdout/stderr we still have to drain

        if (!$stdoutDone) {
            $rx[] = $pipes[1];
        }

        if (!$stderrDone) {
            $rx[] = $pipes[2];
        }

        $tx = array(); // the child's stdin, while there is input left to feed

        if ($txOff < $txLen) {
            $tx[] = $pipes[0];
        }
        $ex = NULL;

        // Block until something is readable/writable, but wake up every
        // second so the time limit above is actually enforced (a NULL
        // timeout would sit here forever on a child that hangs silently)
        $ready = @stream_select($rx, $tx, $ex, 1, 0);
        if ($ready === FALSE) {
            // interrupted by a signal: try again
            continue;
        }

        if (!empty($tx)) {
            $txRet = fwrite($pipes[0], substr($stdin, $txOff, 8192));
            if ($txRet !== FALSE) {
                $txOff += $txRet;
            }
            if ($txOff >= $txLen) {
                // all input delivered: close stdin so the child sees EOF
                fclose($pipes[0]);
            }
        }

        foreach ($rx as $r) {

            if ($r == $pipes[1]) {

                $response->stdOut .= fread($pipes[1], 8192);

                if (feof($pipes[1])) {
                    fclose($pipes[1]);
                    $stdoutDone = TRUE;
                }
            } else if ($r == $pipes[2]) {

                $response->stdErr .= fread($pipes[2], 8192);

                if (feof($pipes[2])) {
                    fclose($pipes[2]);
                    $stderrDone = TRUE;
                }
            }
        }

        // Kept from the original code: a proc handle stays a resource until
        // proc_close(), so this rarely fires; proc_get_status() below is the
        // real detection. Either way we only stop feeding stdin, we do NOT
        // break out: a child that has exited can still have output sitting
        // in the pipe buffers, and we keep reading until both hit EOF.
        if (!is_resource($process)) {
            $txOff = $txLen;
        }

        $processStatus = proc_get_status($process);
        if (array_key_exists('running', $processStatus) && !$processStatus['running']) {
            $txOff = $txLen;
            if ($response->exitCode === '') {
                // proc_get_status() reports the real exit code only the first
                // time it sees the child gone; keep it, because on some PHP
                // versions proc_close() then returns -1
                $response->exitCode = $processStatus['exitcode'];
            }
        }

        if ($txOff >= $txLen && $stdoutDone && $stderrDone) {
            break;
        }
    }

    // Ok - close process (if still running) and collect its exit code
    $closeCode = @proc_close($process);
    if ($closeCode !== -1) {
        $response->exitCode = $closeCode;
    }

    return $response;
}

Have Fun! 😉

P7M Viewer for Mac OS X

Recently I convinced my boss to switch from Windows-based clients to Mac OS X ones. Unfortunately one of the activities we dealt with required the ability to read P7M files, that is, files that have been digitally signed and encoded as PKCS#7 S/MIME.

I searched a lot but wasn't able to find a P7M viewer for Mac OS X... On Windows Acrobat Reader itself reads the P7M, while Acrobat for Mac doesn't, so I started investigating.

The command line to decode a P7M file is pretty easy:

openssl smime -decrypt -in file_in.pdf.p7m -inform DER -verify -noverify -out file_out.pdf

Note that openssl smime performs the last operation flag it is given, so with -decrypt followed by -verify the operation is signature verification, which is what a signed P7M needs. -noverify only skips checking the signer's certificate against a trusted CA: the command still checks the signature over the content, but against the certificate embedded in the file, so a successful run proves "signed by whoever holds that certificate", not "signed by a trusted party". Add -CAfile with the trusted roots to also validate the signer.

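As an added example (not the OpenP7M application), here is a shell function around the same openssl smime call, with the trusted-CA check as an option, and a second one that lists the certificates carried inside the file so you can see who signed it. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not the OpenP7M application: extracting the signed content
# of a DER-encoded PKCS#7 / S/MIME (.p7m) file with openssl.

# $1 = input .p7m, $2 = output file, $3 = optional PEM bundle of trusted CAs.
# With $3 the signer certificate must chain to that bundle; without it the
# signature is checked only against the certificate embedded in the file
# (-noverify), which is what the command in the post does.
# Exit status is that of openssl smime: non-zero means the content was NOT
# extracted, either because the signature is bad or the signer is untrusted.
p7m_extract() {
    if [ -n "$3" ]; then
        openssl smime -verify -in "$1" -inform DER -CAfile "$3" -out "$2"
    else
        openssl smime -verify -noverify -in "$1" -inform DER -out "$2"
    fi
}

# Print the certificate(s) carried in the file (subject/issuer lines followed
# by PEM), so the signer can be inspected before trusting -noverify output.
p7m_signers() { # $1 = input .p7m
    openssl pkcs7 -inform DER -in "$1" -print_certs
}
```

For the viewer use case, p7m_extract "$1" "$tmp" followed by open "$tmp" and a delete is the whole script; pass a CA bundle as the third argument when the documents are expected to come from a known signer.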
So the goal was to allow any user to view the files without having to deal with the Terminal.

Luckily, with great help from my friend Marco Balestra, we quickly hacked together an AppleScript application that can be used to decrypt the P7M, launch the viewer, and then delete the temporary file.

You will find it attached. Just unzip it, right-click on the P7M and select “Open with…”

Obviously it comes with no warranties of any kind 🙂

Ermh… I forgot the attachment, here it is: OpenP7M