Using OpenSSL to calculate Message Digest
The
md5sum command can be
used to calculate an
MD5 message
digest (MD5 is an abbreviation for "Message-Digest algorithm 5"), which is a
cryptographic hash function. The md5sum program is commonly found on
Linux systems and programs which the provide the same functionality are also
available for Microsoft Windows systems, e.g.
digestIT 2004. But, if such a program isn't present on a system, e.g. an
OS X system, but
OpenSSL is present, you
can use the
openssl command to obtain message digests, which
can allow you to verify that a file, such as an executable file, was not
changed since it was released by the originator.
If you issue the command openssl dgst filename,
openssl will, by default, provide the MD5 checksum for the file. You can
also use other cryptographic hash functions, such as
SHA,
SHA1,
MD2, or you
can specify MD5.
$ openssl dgst images.zip
MD5(images.zip)= 796faa884fb0125eda60cd5e8aa8daa1
$ openssl md5 images.zip
MD5(images.zip)= 796faa884fb0125eda60cd5e8aa8daa1
$ openssl sha1 images.zip
SHA1(images.zip)= 3070ac89b7a4327e217045b1cac790c1dc048d8f
$ openssl sha images.zip
SHA(images.zip)= 021e35f63c55e22355bea99f73df885659a46d15
$ openssl md2 images.zip
MD2(images.zip)= 47bd3f0cc33710997f2fe57b1f7cc2c5
The available message digest options include the following:
MESSAGE DIGEST COMMANDS
md2 MD2 Digest
md5 MD5 Digest
mdc2 MDC2 Digest
rmd160 RMD-160 Digest
sha SHA Digest
sha1 SHA-1 Digest
sha224 SHA-224 Digest
sha256 SHA-256 Digest
sha384 SHA-384 Digest
sha512 SHA-512 Digest
[/security/encryption/openssl]
permanent link
Troubleshooting with openssl
You can use the command
openssl s_client -connect xxx.xxx.xxx.xxx:yyyyy
command, where
xxx.xxx.xxx.xxx is the IP address of the
server and
yyyyy is the port number on the server used for
HTTPS. The port is usually
443, but does not have to be that port. You can, of course, also use
a
fully qualified domain name
(FQDN), such as paypal.com, instead of an IP address.
By using the command, one can determine if a system is responding
correctly using the HTTPS protocol. E.g. below is an example of a query
issued against paypal.com:
$ openssl s_client -connect paypal.com:443
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/CN=paypal.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/CN=paypal.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgIQPma+WJDWF71INO8b3EN2LDANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwHhcNMDkwNjEx
MDAwMDAwWhcNMTAwNjExMjM1OTU5WjB/MQswCQYDVQQGEwJVUzETMBEGA1UECBMK
Q2FsaWZvcm5pYTERMA8GA1UEBxQIU2FuIEpvc2UxFTATBgNVBAoUDFBheVBhbCwg
SW5jLjEcMBoGA1UECxQTSW5mb3JtYXRpb24gU3lzdGVtczETMBEGA1UEAxQKcGF5
cGFsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqCjJNlLuv02o0lG7
YPO3vreiUl5ptCTgbLD7TkYRrYivoZQUQZh0whOchbh3kabbPnqyVULcq4dGZeNx
eQLppc0n/YhxJnsPqoBoyg45/Xpc5HWKVuMsDMBRtTLwyjcfH7GVljUiDH/YoKL7
OCtpdJ+mgmLyqTWj+d8DpYWiDA0CAwEAAaOCAdEwggHNMAkGA1UdEwQCMAAwCwYD
VR0PBAQDAgWgMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzIt
Y3JsLnZlcmlzaWduLmNvbS9TVlJTZWN1cmVHMi5jcmwwRAYDVR0gBD0wOzA5Bgtg
hkgBhvhFAQcXAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5j
b20vcnBhMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAW
gBSl7wsRzsBBA6NKZZBIshzgVy19RzB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUH
MAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTBABggrBgEFBQcwAoY0aHR0cDov
L1NWUlNlY3VyZS1HMi1haWEudmVyaXNpZ24uY29tL1NWUlNlY3VyZUcyLmNlcjBu
BggrBgEFBQcBDARiMGChXqBcMFowWDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIa
BBRLa7kolgYMu9BSOJsprEsHiyEFGDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5j
b20vdnNsb2dvMS5naWYwDQYJKoZIhvcNAQEFBQADggEBAA9sBxK8/hfHF6iKghED
jNTMpTLHT3lx8rdHnHD1UN5/lA0H8oMbjt6uzQVp9h9Xv/pOop/ItNNitdffTOnW
fVds+nMb56WSuX1d0fPn5KGGQcTMzTpA5Uxn3qnWXQc92O47qGEZSZ/aEYZjaHn2
VX5MFf2JXX1FQOyL288vCalmGAPLggjo3Hn0tWgK4Dd69l8JPm51FtEyijor/svw
FoxF7cJ6g92mgmu3JC10xhIXYDHiIAiTIzA3KCdAZikM4waZU8quRjgAIGrS0rRa
ohw0aAvy7gUrMWaws7+de3H0y/zQxfEbAsVzZ0+QA2WrGsa6EVKjcwW+VCJSLNZq
NeU=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/CN=paypal.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 3029 bytes and written 308 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: E24FE41E08BCBB5246EE5EAC08E7E4ACBB4708F0CD0089E9EF602E4F3C435922
Session-ID-ctx:
Master-Key: FFF8BF97F79796457EE44860212C5F887FFE8F62F4A6FC908DB1A382489BE5C2963C2D5F84BC526911FA5EB096634603
Key-Arg : None
Krb5 Principal: None
Start Time: 1262641575
Timeout : 300 (sec)
Verify return code: 0 (ok)
---You can check the expiration date of an SSL certificate by first retrieving
the certificate using commands such as in the first line below. You can then
check the expiration date with a command such as the one on the next line,
which shows that the current certificate for
PayPal expires at midnight
Greenwich Mean Time (GMT) on
June 11, 2010.
$ echo "" | openssl s_client -connect paypal.com:443 > certificate
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
- G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Net
work
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/CN=paypal.com
verify return:1
DONE
$ openssl x509 -in certificate -noout -enddate
notAfter=Jun 11 23:59:59 2010 GMT
Another example below shows the results returned for a self-signed
certificate:
# echo "" | /usr/local/ssl/bin/openssl s_client -connect 10.10.0.108:443 > certi
ficate
depth=0 /C=EU/ST=SomeState/L=SomeCity/O=SomeOranization/OU=SomeOrganizationUnit/
CN=localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=EU/ST=SomeState/L=SomeCity/O=SomeOranization/OU=SomeOrganizationUnit/
CN=localhost
verify return:1
DONE
# /usr/local/ssl/bin/openssl x509 -in certificate -noout -enddate
notAfter=Feb 12 11:44:04 2018 GMT
References:
-
OpenSSL: Documents, s_client(1)
OpenSSL: The Open Source toolkit for SLS/TLS
-
When does my certificate expire?
barndonhutchinson.com --
Linux, Solaris, and general UNIX notes.
[/security/encryption/openssl]
permanent link
