Windows Notes: SSL, TLS, OpenSSL

  1. The information presented here is intended for educational use by qualified Windows technologists.
  2. The information presented here is provided free of charge, as-is, with no warranty of any kind.
Edit: 2023-11-11

Introduction

Introductory material can be found on my original OpenSSL web pages. Those pages include steps on how to use the command 'openssl s_client' to do end-to-end testing and debugging.

Installing OpenSSL on Windows

Download a kit from here:
Install OpenSSL for Windows in the root directory of the C: drive, then access the non-graphical CLI (Command Line Interpreter) like so:
 Action								Notes
---------------------------------------------------------	-------------------------------------
hold down the 'Windows' key while you hit the 'r' key		the RUN dialog will appear
type cmd then click the OK button				c:\WINDOWS\system32\cmd32.exe will open
type cd c:/ then hit the <enter> key				move to root of c drive
type cd openss* then hit the <enter> key			drop into a folder
type cd bin then hit the <enter> key				openssl.exe lives here
type openssl then hit the <enter> key

Client-Server scripts for Windows demo

The following examples show how to start a test server (you may need to create a certificate) and then start a test client ON THE SAME MACHINE for educational purposes.

DOS - Windows "Scripting Basics"

 sequence	description
-------------	-------------------------------------
::  remarks	beginning of remarks (to end of line)
rem remarks	beginning of remarks (to end of line)
%= remarks =%	embedded remarks
^		line continuation character
echo yada	display variable "yada"
echo ON		display commands as they are executed (script tracing)
echo OFF	disable script tracing

script: ssl-prep1.bat (optional)

Caveat: only execute this script (prep1) if the next script (prep2) fails with an error related to "can't find file openssl.cnf"
@echo ON
:: =============================================================
:: title   : ssl-prep1.bat
:: purpose : copy the OpenSSL template config to "openssl.cnf"
:: notes   : ONLY DO THIS if file "openssl.cnf" is missing
:: platform: DOS/Windows
:: author  : Neil Rieck
:: created : 2018-01-30
:: =============================================================
echo Copying the OpenSSL template file
:: copy the file and change the extension
copy c:\OpenSSL-Win32\bin\openssl.cfg openssl.cnf
echo Done

script: ssl-prep2 (one time only)

@echo ON
:: =============================================================
:: title   : ssl-prep2.bat
:: purpose : create a self-signed certificate for ssl-server.bat
:: platform: DOS/Windows
:: author  : Neil Rieck
:: created : 2018-01-30
::==============================================================
echo Creating Self-Signed Certificate
setlocal
IF EXIST c:\OpenSSL-Win32\bin SET PATH=%PATH%;c:\OpenSSL-Win32\bin
openssl	req		%= a circumflex continues the line =%			^
 -new										^
 -nodes										^
 -x509			%= x509 as a switch indicates "self signed" =%		^
 -config openssl.cnf								^
 -days 365		%= will expire in one year =%				^
 -set_serial 20180130	%= any big number (here I used ccyymmdd) =%		^
 -keyout hack123.key	%= new private key is written here, unencrypted because of -nodes =%	^
 -out hack123.crt	%= certificate data will be written here =%
echo Done
endlocal
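
A check worth running once ssl-prep2.bat has finished, as an added example that is not one of the author's scripts (the name ssl-check.bat and the temp file names are assumptions). It prints what the certificate claims, fails if it is expired or about to expire, and confirms that hack123.key really is the private key for hack123.crt:

```batch
@echo OFF
:: added example (hypothetical name: ssl-check.bat)
:: inspects hack123.crt and hack123.key as written by ssl-prep2.bat
setlocal
IF EXIST c:\OpenSSL-Win32\bin SET PATH=%PATH%;c:\OpenSSL-Win32\bin
IF NOT EXIST hack123.crt (echo hack123.crt not found, run ssl-prep2.bat first & exit /b 1)
IF NOT EXIST hack123.key (echo hack123.key not found, run ssl-prep2.bat first & exit /b 1)

:: 1. subject, issuer, serial, validity window and SHA-256 fingerprint
::    (for a self-signed certificate subject and issuer are identical)
openssl x509 -in hack123.crt -noout -subject -issuer -serial -dates -fingerprint -sha256
IF ERRORLEVEL 1 (echo FAIL: hack123.crt could not be parsed & exit /b 1)

:: 2. -checkend exits non-zero if the certificate expires within N seconds
openssl x509 -in hack123.crt -noout -checkend 86400
IF ERRORLEVEL 1 (echo FAIL: certificate is expired or expires within 24 hours & exit /b 1)

:: 3. the public key inside the certificate must equal the public key
::    derived from the private key file (works for any key algorithm)
openssl x509 -in hack123.crt -noout -pubkey > "%TEMP%\hack123-crt-pub.pem"
openssl pkey -in hack123.key -pubout > "%TEMP%\hack123-key-pub.pem"
fc "%TEMP%\hack123-crt-pub.pem" "%TEMP%\hack123-key-pub.pem" > nul
IF ERRORLEVEL 1 (echo FAIL: hack123.key does not belong to hack123.crt & exit /b 1)

:: only public keys were written to the temp files; remove them anyway
del "%TEMP%\hack123-crt-pub.pem" "%TEMP%\hack123-key-pub.pem"
echo OK: certificate is current and matches the key
endlocal
```

Because ssl-prep2.bat passes -nodes, hack123.key is stored without a passphrase, so step 3 runs without prompting; the same property means the file should be kept out of shared folders.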

script: ssl-server1.bat (serves up a fake file)

@echo ON
:: =====================================================
:: title  : ssl-server1.bat
:: purpose: ssl server demo for DOS/Windows
:: author : Neil Rieck
:: created: 2018-01-30
:: =====================================================
echo Starting OpenSSL Server1 (simple)
setlocal
IF EXIST c:\OpenSSL-Win32\bin SET PATH=%PATH%;c:\OpenSSL-Win32\bin
openssl s_server						^
 -accept 5000		%= listen on port 5000 =%		^
 -cert hack123.crt						^
 -key hack123.key						^
 -debug			%= this line is optional =%		^
 -www			%= reply to any request with a TLS status page =%
echo Done

script: ssl-server2.bat (returns the file you request)

@echo ON
:: =====================================================
:: title  : ssl-server2.bat
:: purpose: ssl server demo for DOS/Windows
:: author : Neil Rieck
:: created: 2018-01-30
:: =====================================================
echo Starting OpenSSL Server2 (file server)
setlocal
IF EXIST c:\OpenSSL-Win32\bin SET PATH=%PATH%;c:\OpenSSL-Win32\bin
openssl s_server						^
 -accept 5000		%= listen on port 5000 =%		^
 -cert hack123.crt						^
 -key hack123.key						^
 -debug			%= this line is optional =%		^
 -WWW			%= serve the requested file from the current directory =%
echo Done

script: ssl-client.bat

@echo ON
:: =====================================================
:: title  : ssl-client.bat
:: purpose: ssl client demo for DOS/Windows
:: author : Neil Rieck
:: created: 2018-01-30
:: =====================================================
echo Starting OpenSSL client on port 5000
setlocal
IF EXIST c:\OpenSSL-Win32\bin SET PATH=%PATH%;c:\OpenSSL-Win32\bin
openssl s_client						^
 -debug				%= this is optional =%		^
 -connect 127.0.0.1:5000 
echo Done
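
ssl-client.bat connects without checking who answered: s_client is a test tool and continues the handshake even when certificate verification fails. The variant below is an added example, not one of the author's scripts (the name ssl-client-verify.bat and the output file name are assumptions). It uses hack123.crt as the trust anchor and reports failure unless the server's certificate verifies against it:

```batch
@echo OFF
:: added example (hypothetical name: ssl-client-verify.bat)
:: start ssl-server1.bat or ssl-server2.bat in another window first
setlocal
IF EXIST c:\OpenSSL-Win32\bin SET PATH=%PATH%;c:\OpenSSL-Win32\bin
IF NOT EXIST hack123.crt (echo hack123.crt not found, run ssl-prep2.bat first & exit /b 1)
set OUT=%TEMP%\ssl-client-verify.txt

:: -CAfile hack123.crt   : use our self-signed certificate as the trust anchor
:: -verify_return_error  : abort the handshake when verification fails
:: stdin is redirected from nul so s_client finishes the handshake, prints
:: its session summary and exits instead of waiting for typed input
openssl s_client -connect 127.0.0.1:5000 -CAfile hack123.crt -verify_return_error < nul > "%OUT%" 2>&1

:: the session summary contains this exact line only on a clean verification
findstr /C:"Verify return code: 0 (ok)" "%OUT%" > nul
IF ERRORLEVEL 1 (
  echo FAIL: server certificate did not verify against hack123.crt
  type "%OUT%"
  exit /b 1
)
echo OK: server certificate verified against hack123.crt
endlocal
```

Pointing the server at a different certificate and re-running this script shows the failure path: the handshake is aborted and the captured s_client output is printed.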

fake web page

This fake web page (index.html) is required by ssl-server2.bat
<!DOCTYPE html>
<html>
<head>
<title>index.html</title>
</head>
<body>
<p>This is a test</p>
</body>
</html>

Example Sessions

Legend:
    <ur>	user response
    <sr>	system response
    <enter>	hit the enter key
 
session #1 (server)
    <sr> C:\Users\Neil>
    <ur> ssl-server1.bat <enter>
    <sr> bla...bla...bla...
    <sr> bla...bla...bla...
    <sr> bla...bla...bla...

session #2 (client)
    <sr> C:\Users\Neil>
    <ur> ssl-client.bat <enter>
    <sr> bla...bla...bla...
    <ur> GET / HTTP/1.0<enter>
    <sr> bla...bla...bla...

session #1 (server)
    <sr> C:\Users\Neil>
    <ur> ssl-server2.bat <enter>
    <sr> bla...bla...bla...
    <sr> bla...bla...bla...
    <sr> bla...bla...bla...

session #2 (client)
    <sr> C:\Users\Neil>
    <ur> ssl-client.bat <enter>
    <sr> bla...bla...bla...
    <ur> GET index.html HTTP/1.0<enter>
    <sr> bla...bla...bla...

 Neil Rieck
 Waterloo, Ontario, Canada.