H2S129: Open.SSL-lit,rev:


Hu: Open-SSL is open-source software that, among other things, generates a private | key and an SSL/TLS certificate (which carries the matching public | key), for the purpose of enabling the TLS protocol to transport data, via HTTPS, where S means secure, between a browser and a server in both directions. HTTP and HTTPS are served on separate ports (80 and 443 by default), so a server can listen on both at once, but any single connection is either plain HTTP or HTTPS, never both. This is not the only | purpose of Open-SSL, however; as Cyber Hashira demonstrates<a-r>, Open-SSL is a general-purpose cryptographic toolkit that can generate keypairs, digests, and random passwords for a diverse | range of functions, and it comes with a family of built-in subcommands<Open-SSL, a-r>

H3S1: Generated.key-certificate are handled by Apache.HTTP-server:

Hu: In the context of WAMP<WP.MIC-H2S34><H2S70><114><fbno><117>, the module that handles HTTP, and by proxy the HTTP/S transition<Turing>, is Apache | Web Server (its mod_ssl module supplies the TLS layer), and I learned this from the<a-r>tutorials. The private | key and certificate generated by Open-SSL will be stored in a key folder under the path # D:\wamp64\bin\apache\apache2.4.46\conf\key<infyom a-r> The config | files that need to be edited are located in D:\wamp64\bin\apache\apache2.4.46\conf\ and D:\wamp64\bin\apache\apache2.4.46\conf\extra\, indicating that Apache's web server will be handling and adapting to the changes in all of these files. Therefore, we can rely on additional | WAMP.less-docs, if these 4 WAMP.only-vids are not enough, adding an extra | magnitude of antifragility<Taleb, a-r>

H4S1: Creating a private key:

Hu: Assuming OpenSSL has already been installed<slproweb>, the first step, according to<infyom>, is to 1) open Command Prompt in admin mode and create a private | key by inputting commands, with a specified | syntax, in the command | line. Keep in mind here that we are not programming, because none of our inputs are stored as scripts; we are making function calls, using the command line as a user | interface, which means that our interaction with the program, at most, is ceilinged at user. Therefore, the standard of comprehension that I will hold myself to, in using Open-SSL, is analogously | limited; to an extent, I don't need this knowledge to be scalable, since I will not be building upon these inputs in the future, as long as I can complete the basic, 10-step task of having HTTPS established. HTTPS can also be established by a number of other means, and online there will be different | methods.

H5S1: Accessing Open-SSL:

Hu: Command-line is a general.purpose-interface, analogous to kb+mouse, but with the ability to access H6S1: un.clickable-actions H6S2: deep folders with a single | line H6S3: complex, multi-step actions with a single line. The Open.SSL-install came with folders and files but no desktop | interface of its own, and this is a valid way to write a program; all access is by command | line. The Open.SSL-docs and commands | library<a-r> instruct us in the syntax to input, but first:

cd C:\Program Files\OpenSSL-Win64\bin

<WebEncyclop, a-r>: cd, prefix, means "change-directory". Hu: In the language of general | command line, this single command, followed by enter, makes the folder containing openssl.exe the current directory, so that typing openssl in our subsequent | entries runs that executable (cmd looks in the current directory before searching the PATH; if the installer added the bin folder to the PATH, the cd is unnecessary). H6S4: Creating a 2048-bit private key, encrypted with AES-256<infyom>: Hu: According to Open.SSL-docs, the best | practice is to use a different name for the out-key, so I have edited infyom's code input a bit; I am adhering to this best practice because I don't think it changes his implementation, and it reduces quantum | error uncertainty<Turing> in this step.

openssl genrsa -aes256 -out private.key 2048
openssl rsa -in private.key -out privateout.key

H7S1: openssl-genrsa: Open-SSL has 2 sets of manual pages, /docs/man1.1.1 and /docs/manmaster<anthro>; the master pages steer users toward the newer genpkey command, while the 1.1.1 docs do not; infyom's tutorial uses genrsa and is <2 years old, so we will assume that this is a command that Open-SSL still answers (it does: genrsa is superseded by genpkey, not removed). If not, then we should receive a straightforward rejection rather than a latent error, so moving forward with this assumption is safe.

Open.SSL-docs: generate an RSA | private key. H7S2: AES-256: the -aes256 option encrypts the generated key file on disk under a pass phrase; it protects the key at rest and has nothing to do with which cipher the TLS connection later uses. <AWS-docs>: 256-bit Advanced Encryption Standard (AES-256), "one of the strongest block ciphers | available". <Wikipedia>: In the United States, AES was announced by NIST as U.S. FIPS PUB 197 (FIPS 197) on November 26, 2001. <NIST-gov>: The AES algorithm is capable of using cryptographic | keys of 128, 192, and 256 | bits to encrypt and decrypt data in blocks of 128 bits<common-denominator>.

Hu: It looks like they just DDOS themselves, to discourage others from association, and yet this is a min.natty-sec! H7S3: The output file will be named private.key, and 2048 is the size of the RSA modulus in bits, i.e. the key size. 2048 is not a TLS requirement: it is the minimum NIST recommends for RSA and the minimum public CAs will sign, so infyom's choice is the conventional floor rather than a personal one.

According to Wikipedia<a-r>: The National Security Agency (NSA) reviewed all the AES | finalists, including Rijndael, and stated that all of them were secure enough for U.S. Government non-classified data. In June 2003, the U.S. Government announced that AES could be used to protect classified information:

The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET | level. TOP SECRET | information will require use of either the 192 or 256 | key lengths. The implementation of AES in products intended to protect | national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.[14]

H7S4: The expected output # of these actions will be a private.key file, located in C:\Program Files\OpenSSL-Win64\bin #; this is a discrete | programming step, so knowing nothing else afterward, we can move forward #

H7S5: rsa:<Open-SSL>: The rsa command processes RSA keys. They can be converted between various forms and their components printed out.<Gordon, a-r 13:30>: RSA is an algorithm.

openssl rsa -in key.pem -out keyout.pem

Above, code provided by Open-SSL: “to remove the pass | phrase on an RSA private key“.

H8S1: -in filename: This specifies the input filename to read a key from or standard | input if this option is not specified. If the key is encrypted a pass phrase will be prompted for. H8S2: -out filename: This specifies the output filename to write a key to or standard output if this option is not specified. If any encryption options are set then a pass phrase will be prompted for. The output filename should not be the same as the input | filename. H9S1: Confusingly, our source, infyom, violates H8S2 of the Open-SSL docs, and this is corroborated by 3 other videos: WebEncyclop Tutorials, and "Logging stuff we learned". We will try running the commands in this format, for now; however, there is a fairly significant roadblock: H10S1<fbno>: at no point in these videos do we have much of an intermediate | verification step<Turing> that our idea is working; I try to establish such steps in<WP.MIC-H2S39><WP.MIC-H2S113>; here, however, I am working with someone.else's-code, this entity is a step below PHP-group's credibility, despite using a government.authorized-standard<AES256>, and I'm voluntarily jumping into this with less than a programmer's expertise<WP.MIC-H2S37>

The biggest risk in this project is that I reach the end having not succeeded in producing an HTTPS connection; even the way that, in these videos, the HTTPS connection is confirmed, by checking the browser's address bar, demonstrates that this whole operation, down to the HTTP-protocol<IETF> level, is shoddy at best; the field is only tangentially related, via the adoption of AES256, to something that also has governmental | approval; and I may not know where in the last 10 steps I made a mistake.

I will know, after step 1, for example, whether a file was generated, but I will not know whether this file, if it is generated, is valid, and that could be for one of at least 10, upwards of 30-100, or even infinite^10 reasons why I could have gone wrong. Without the ability to identify an error, I could be committing myself to a huge needle-in-the-haystack search<Turing>, much of it caused simply by the incompetence or negligence of a single | individual, to a degree that is unfathomable to me, as a savant, even at the start. Fortunately, I have, in addition to some minimal confidence in the tutorials, some fallback, in that I can also search for HTTPS-Apache without WAMP, and survey<anthro> more videos, so we'll see how far we can get.

H7S6:

Hu: The output I see, after typing and entering openssl genrsa -aes256 -out private.key 2048, immediately after the folder retrieval command. This is also the prompt that infyom reached, in the same step, with the exact | same params. Note that we did not reach a “permission-denied” error, since we ran Command-Prompt as admin.

The pass | phrase that I will use is ‘animals’; this shouldn’t matter, on a local | install. After typing in ‘animals’ and verifying, I can confirm that a private.key file, with the category ‘key-file’, was generated in C:\Program Files\OpenSSL-Win64\bin directory.

H7S7: According to Logging stuff we learned, the next command, openssl rsa -in private.key -out private.key, converts the KEY file into an RSA file, even though the first command we ran was already titled "genrsa" 🤷. I ran this command twice; the first time, I entered a wrong pass phrase, and the second, I entered 'animals', and was given authorization differentially, as expected.

H8S1: In our directory, private.key is updated, after successfully running rsa, but the file type didn’t change.

I will move forward with the assumption that a conversion to RSA was successful<80% 11/25/22>

Note that the size of the file is 2-kb, matching what infyom has. Also, according to WebEncyclop, the second rsa command, is supposed to remove the pass phrase from the priv-key.

H4S2: H6S5: Create an SSL-cert:

openssl req -new -x509 -nodes -sha1 -key private.key -out certificate.crt -days 36500

Code provided by infyom. Logging stuff we learned is in agreement with this code, exactly<anthro>, but WebEncyclop diverges by adding a -config flag, specifying a file path to C:\wamp64\bin\apache\apache2.4.51\conf\openssl.cnf<anthro>. He provides no deep explanation for why this config is added, aside from declaring that it's a path to openssl.cnf, circularly!?, and therefore we have a 2:1 vote, with a split diff, in an area where there is uncertainty about criticality; however, WebEncyclop stated, in his video, "make sure" that the config path is correct. Before proceeding, I'm going to check 5 other tutorials, with general Apache HTTPS conversion, for this line, get a larger sample | size, and check if there are tertiaries. I may also check the testing in the end, to make sure that the 3 videos I'm following are valid | votes, that HTTPS was actually converted | successfully<fin.11-25,22>

H7S1: Anthro-survey:

H8S1: <NetSecProf, a-r>, also uses Apache w/ SSL.

H8S2<Tutor-techie, a-r>: 2 options, to use 1 command to create both key and certificate, line 7, or 3 separate commands, 1/3/5.

H8S3:<Steve-Gordon, 16-min>: Q: Each of the cert-creation statements in H8S1-3 specify a key-file; do these match the name of the key that was created, in the previous | step? Hu: Certainly, in the previous openssl-genpkey command, Gordon specifies -out cakey.pem, which is the -key, that the cert intakes. According to Gordon<anthro>, this whole enterprise enables web browsers to connect to Apache via HTTPS. Web browsers will be willing to do this, when Apache has a valid | digital certificate.

Gordon<12:20>: I'm going to create my own authority on my server, and get that to sign the certificate from my web server; generating the authority, and then we'll create a certificate for the server, and get the authority to sign that.

H7S2: openssl-req:<Open-SSL, a-r>: The req command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example.

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out req.pem

Above is code recommended by Open-SSL docs: "Generate a self signed root certificate". Hu: here -newkey rsa:2048 generates a fresh 2048-bit RSA key, written to key.pem, and -x509 turns the request into a self-signed certificate, written to req.pem, in one step; with -key in place of -newkey, an existing private key is used instead.

 openssl genrsa -out key.pem 2048
 openssl req -new -key key.pem -out req.pem

Above is code recommended by Open.SSL-docs, and appears to be the local.max-red<anthro>: “create a private | key and then generate a certificate request from it“.

At this point, I feel confident enough to try writing my code, using Open-SSL, and Command-Prompt, simultaneously<calibration>

H8S1: -config filename<1/4>: This allows an alternative configuration file to be specified. Optional; for a description of the default value, see “COMMAND | SUMMARY” in openssl(1).

H8S2: -x509<3/4>:<Open-SSL>: This option outputs a self signed | certificate instead of a certificate request. This is typically | used to generate a test certificate or a self signed root CA. According to <Gordon 15:40>, x509 is a standard.

H8S3: -key filename<2/4>: This specifies the file to read the private | key from. It also accepts PKCS#8 format private keys for PEM format files.

H8S4: -nodes<1.5>: If this option is specified then if a private key is created it will not be encrypted. Hu: Not sure why infyom, our top source #, includes this param, because his code does not create a key<anthro>I’ll probably exclude this.

H8S5: -out filename: This specifies the output | filename to write to or standard | output by default.

H8S6: -days n: When the -x509 | option is being used this specifies the number of days to certify the certificate for, otherwise it is ignored. n should be a positive | integer. The default is 30 | days.

H8S7: It looks like more than 1 cert can be generated from a key, and that cert generation does not affect the key, which allows us to test this without reverse-engineering the previous step<Turing>

openssl req -new -x509 -key privateout.key -out https.crt

Hu: The code I’m going with: I cut -nodes, and -sha1, which are undocumented, or unnecessary; I renamed the cert to something I can remember<WP.MIC-H2S37>, and I wrote the private-key name to match the file I set in<H6S4>.

This code is largely coherent with<Steve-Gordon>and<Open-SSL>, but I do have the addition of -x509, due to my specific local-params.

Hu: [D.Top-1] The output after I entered the above code, which is consistent with what<Steve-Gordon>, infyom et al achieved. [D.Top-2] Here, it looks like you can enter at will. [D-3]: The output, to /bin.
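The following is an added example, not code from infyom, Gordon or the other tutorials on this page. It redoes the two steps above (the genrsa / rsa pair at H6S4 and the req command at H8S7) as a bash script with a check after each step, which is the intermediate verification the videos lack. Three changes from the page's commands are deliberate: the key is generated unencrypted, because Apache has to read it at startup, so the page's -aes256 followed by stripping the pass phrase is two steps for one result; the certificate is signed with SHA-256 instead of infyom's -sha1, which browsers no longer accept; and a subjectAltName listing localhost, flare and 127.0.0.1 is added, since Chrome and Firefox ignore the CN and treat a certificate without a SAN as a name mismatch, which is one reason the tutorials end with an "invalid certificate" warning (the other is that a self-signed certificate stays untrusted until it is imported into the OS or browser trust store; the SAN only fixes the name). Note also that the req command at H8S7 has no -days, so its certificate expires after the 30-day default. The hostname flare, the file names privateout.key and https.crt, the 365-day lifetime and the config section names are assumptions. The openssl invocations are identical in Windows Command Prompt; only the file-writing, mktemp and chmod lines are Unix shell.

```shell
#!/usr/bin/env bash
# Added example, not from the page's tutorials: key + self-signed cert with
# a check after every step. Names (flare, privateout.key, https.crt) and the
# 365-day lifetime are assumptions; adjust to your setup.
set -eu

# Minimal openssl config for the -x509 step: a constructed example, not the
# openssl.cnf shipped with WAMP. [alt_names] is what browsers match on.
write_san_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[dn]
CN = localhost

[v3_server]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = flare
IP.1  = 127.0.0.1
EOF
}

# Step 1: 2048-bit RSA key, unencrypted (Apache must read it unattended).
# genpkey is the current general-purpose form of genrsa. File permissions,
# not a pass phrase, protect it; -check verifies the key arithmetic.
make_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  chmod 600 "$1"
  openssl rsa -in "$1" -check -noout >/dev/null 2>&1
}

# Step 2: self-signed certificate from that key, SHA-256 signature, SAN from cfg.
make_cert() {
  local key=$1 crt=$2 cnf=$3 days=${4:-365}
  openssl req -new -x509 -sha256 -days "$days" -key "$key" -out "$crt" \
    -config "$cnf" -extensions v3_server
}

# Check 1: is the key file encrypted? Matches both the legacy
# "Proc-Type: 4,ENCRYPTED" header (1.1.1 genrsa -aes256) and the PKCS#8
# "ENCRYPTED PRIVATE KEY" label (3.x). Returns 0 if encrypted.
key_is_encrypted() {
  grep -qE 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Check 2: the SAN line the certificate actually carries (empty if none).
cert_sans() {
  openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Check 3: signature digest (the page's -sha1 would show up here).
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | grep -m1 'Signature Algorithm' | awk '{print $3}'
}

# Check 4: does this key belong to this certificate? Compare SHA-256 of the
# DER public key taken from each; identical means same modulus/exponent.
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1)
  [ "$k" = "$c" ]
}

demo() {
  local dir; dir=$(mktemp -d)
  write_san_config "$dir/san.cnf"
  make_key "$dir/privateout.key"
  make_cert "$dir/privateout.key" "$dir/https.crt" "$dir/san.cnf" 365
  echo "key encrypted: $(key_is_encrypted "$dir/privateout.key" && echo yes || echo no)"
  echo "SANs:          $(cert_sans "$dir/https.crt")"
  echo "signature:     $(cert_sig_alg "$dir/https.crt")"
  echo "key matches:   $(key_matches_cert "$dir/privateout.key" "$dir/https.crt" && echo yes || echo no)"
  echo "$dir"
}

demo
```

The script prints the temporary folder holding privateout.key and https.crt; those are the two files to copy into the \conf\ssl-key\ folder at H4S3. The four checks are the ones worth repeating against any key and certificate produced by the tutorials' own commands: an encrypted key will make Apache prompt for a pass phrase at startup, an empty SAN line or a sha1WithRSAEncryption signature will be rejected by the browser, and a key/cert fingerprint mismatch means the wrong file was referenced in httpd-ssl.conf.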

H4S3: Migrate the key.cert-pair # to Apache-files:

infyom: Open a directory D:\wamp64\bin\apache\apache2.4.46\conf (Based on where your wamp is installed) and create a key directory. Now, move both files to the key directory.

H5S1: Creating the directory: I created a folder named ssl-key, for my own 🧠, in the \conf of my Apache-ver, and moved https.cert and privateout.key there, from \bin of Open-SSL, as per infyom.

H4S4: Configuring C:\wamp64\bin\apache\apache2.4.51\conf\httpd.conf

<infyom>: and un-comment the following 3 lines one by one.

LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

Hu: Indeed, all 3 of these lines, are commented, with a #-prefix, in my default httpd.conf. I made a backup, a snapshot of the file, before any editing, and left it as httpd – backup 11-25.conf, in the same | folder<Turing>The instruction to uncomment these exact 3 lines is corroborated by<logging-stuff>, WebEncyclop, SSL FOR Localhost.

H4S5: Configuring D:\wamp64\bin\apache\apache2.4.46\conf\extra\httpd-ssl.conf:

Hu: It appears that # this file is what was included in the 2nd un-comment in H4S4.

Test: I resumed use of p-dash, which is under the domain of this | apache, and functionality is working after 30-s run, but HTTP has not switched yet.

H5S1: Create a backup in \apache-ver\conf\extra, httpd-ssl – backup 11-26.conf H5S2: Edits to DocumentRoot | ServerName | ServerAdmin: H6S1<anthro>: infyom:

DocumentRoot "${INSTALL_DIR}/www"
ServerName localhost:443
ServerAdmin admin@example.com

H6S2: SSL FOR LOCALHOST:

DocumentRoot "C:/wamp64/www"
ServerName localhost:443
ServerAdmin admin@example.com

H6S3: Logging stuff, aka “I have done this a million times”

DocumentRoot "C:/wamp64/www"
ServerName localhost:443
ServerAdmin admin@example.com

H6S4: Encyclop:

DocumentRoot "C:/wamp64/www"
ServerName localhost:443
ServerAdmin admin@example.com

H6S5: tutor techie: Overall, this guy is the most linear in this phase:

DocumentRoot "${SRVROOT}/htdocs"
ServerName 127.0.0.1:443
ServerAdmin admin@example.com

H5S3: Edits to SSLCertificateKeyFile | SSLCertificateFile: H6S1: infyom:

SSLCertificateKeyFile "${SRVROOT}/conf/key/private.key"
SSLCertificateFile "${SRVROOT}/conf/key/certificate.crt"

H6S2: Logging stuff:

SSLCertificateKeyFile "${SRVROOT}/conf/key/private.key" 
SSLCertificateFile "${SRVROOT}/conf/key/certificate.crt"

H6S3: WebEncyclop:

SSLCertificateKeyFile "C:/wamp/bin/apache/apache2.4.9/conf/key/private.key"
SSLCertificateFile "C:/wamp/bin/apache/apache2.4.9/conf/key/certificate.crt"

H6S4: Tutor techie:

SSLCertificateKeyFile "${SRVROOT}/conf/server.key" 
SSLCertificateFile "${SRVROOT}/conf/server.crt"


H5S4: My edits:

DocumentRoot "C:/wamp64/www"
ServerName localhost:443
ServerAdmin admin@example.com
SSLCertificateKeyFile "${SRVROOT}/conf/ssl-key/privateout.key" 
SSLCertificateFile "${SRVROOT}/conf/ssl-key/https.crt"

H6S1: Trying a debug-path from 7:07 in tutor-techie:

🤷

H6S2: Using this URL does not work yet, but http is not broken #: https://localhost/

H6S3: After restarting WAMP-server:

The invalid certificate error, as well as the fact that the connection still says "not secure", is consistent with Logging stuff and WebEncyclop<Firefox> for the most part, and with tutor techie, who does not reveal whether the certificate is invalid but whose URL bar says not secure, and Laravel.Package-Tutorial, same as tutor techie, both using Chrome.

H6S4: Critical error: https://flare/client-display.php leads to 404 Not Found error.

H5S5: Updating httpd-vhosts.conf, made a backup: httpd-vhosts – backup 11-26, following infyom step-8<fbno>

SSLEngine on
SSLCertificateFile "${SRVROOT}/conf/ssl-key/https.crt"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl-key/privateout.key"

H6S1: I updated this code, between</Directory>and</Virtualhost>according to infyom/Laravel.Package-Tutorial, and changed the port, for the ServerName flare, only, to 443. Now, going to https://flare/client-display.php displays the page properly, while http://flare, without the s, has been disabled, indicating a redirect has been made. personal-dash, and other domains on this server, are unaffected. While it would be optimal # for me to be able to # use both http and https for /flare, like /localhost, I will settle for this implementation, for now. Returning to<WP.MIC-H2S123,H3S4.H4S1-H5S5>
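Changing the flare vhost's port from 80 to 443 removes the port-80 listener for that name rather than redirecting it, which is why http://flare stopped answering. Below is an added example, not from infyom, Laravel.Package-Tutorial or the other videos, of the httpd-vhosts.conf layout that serves a name on both ports: one VirtualHost per port, with the :80 one either redirecting to HTTPS (as shown) or serving the site as before (drop the Redirect line). The certificate paths are the ones created earlier on this page; the DocumentRoot for flare is an assumption, since the page does not state it.

```apache
# Added example, not from the page's tutorials. Apache selects the VirtualHost by
# the port the request arrived on, so both http://flare and https://flare resolve.
# Assumption: the flare site lives in C:/wamp64/www/flare.

<VirtualHost *:80>
    ServerName flare
    DocumentRoot "C:/wamp64/www/flare"
    # Option A (shown): send every plain-HTTP request to the HTTPS site (mod_alias).
    # Option B: delete the Redirect line to keep serving the site on both ports.
    Redirect permanent "/" "https://flare/"
</VirtualHost>

<VirtualHost *:443>
    ServerName flare
    DocumentRoot "C:/wamp64/www/flare"

    SSLEngine on
    SSLCertificateFile    "${SRVROOT}/conf/ssl-key/https.crt"
    SSLCertificateKeyFile "${SRVROOT}/conf/ssl-key/privateout.key"

    # Baseline mod_ssl hygiene: no SSLv3 / TLS 1.0 / TLS 1.1, server picks the cipher.
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite      HIGH:!aNULL:!MD5:!3DES

    <Directory "C:/wamp64/www/flare">
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

After editing, run httpd -t from the Apache bin folder to syntax-check the configuration before restarting WAMP; a typo in a path or directive otherwise surfaces only as Apache failing to start.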

References:

^ https://infyom.com/blog/how-to-enable-localhost-https-ssl-on-wamp-server

Logging stuff we learned
WebEncyclop Tutorials
SSL for LocalHost

OpenSSL general info, playlist: https://www.youtube.com/playlist?list=PLgBMtP0_D_afzNG7Zs2jr8FSoyeU4yqhi by Cyber Hashira, India.

https://slproweb.com/products/Win32OpenSSL.html

https://www.openssl.org/support/

Commands: https://www.openssl.org/docs/manmaster/man1/

This is the OpenSSL | API for the SSL and Crypto | libraries: https://www.openssl.org/docs/manmaster/man3/

Antifragility is a concept of systems developed by Nassim Nicholas Taleb in which they increase in capability to thrive as a result of stressors, shocks, volatility, noise, mistakes, faults, attacks, or failures. https://en.wikipedia.org/wiki/Antifragile

The Dark Knight [2008]

https://www.openssl.org/docs/man1.1.1/man1/openssl-genrsa.html

https://www.openssl.org/docs/man1.1.1/man1/openssl-rsa.html

https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html

NIST. "Announcing the ADVANCED ENCRYPTION STANDARD (AES)." Federal Information Processing Standards Publication 197, 26 Nov. 2001.

https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Cryptographic Standards and Guidelines: https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines/archived-crypto-projects/aes-development

NetSecProf
tutor techie

https://www.openssl.org/docs/man1.1.1/man1/openssl-req.html

https://www.openssl.org/docs/man1.1.1/man1/x509.html

Steve Gordon: Associate Professor at Sirindhorn International Institute of Technology (SIIT), Thammasat University, Thailand. Edits to httpd-ssl.conf at 32:14

https://s3.amazonaws.com/smhelpcenter/smhelp941/classic/Content/security/concepts/what_are_pem_files.htm

HP Service Manager help (hosted on s3.amazonaws.com): Privacy Enhanced Mail (PEM) files are a type of Public Key Infrastructure (PKI) file used for keys and certificates. PEM, initially invented to make e-mail | secure, is now an Internet security standard. HP Service Manager uses OpenSSL libraries to encrypt and decrypt SOAP messages over HTTP and requires | certificates and keys in PEM format. The typical PEM files are:

  • key.pem contains the private encryption key
  • cert.pem contains certificate information
