Tag Archives: openssl

git send-email and SMTP with SSL

On Fedora 20, when using git send-email I always got this error:

Unable to initialize SMTP properly. Check config and use --smtp-debug. VALUES: server=my.server.com encryption=ssl hello=my.host.com port=465 at /usr/libexec/git-core/git-send-email line 1255.

Even using the suggested parameter --smtp-debug 1 did not help; I got exactly the same output with that parameter. In the end, it turned out that the self-signed certificate is not accepted right away (which of course is good) but leads to no specific error message (which is not so good). However, using the parameter --smtp-ssl-cert-path "" disables certificate verification, which already allowed me to send the e-mail.

However, one wants to install the certificate in a way that it is always accepted. git send-email relies on the OpenSSL certificate database. In order to add an additional CA certificate, one has to add it to /etc/pki/tls/certs and create a symlink to its hash.

$ curl http://url.to/root.crt -o myroot.crt
$ openssl x509 -noout -in myroot.crt -fingerprint

If you are paranoid, and you should be nowadays, verify your fingerprint at this point 🙂

# mv myroot.crt /etc/pki/tls/certs
# cd /etc/pki/tls/certs
# openssl x509 -in myroot.crt -out myroot.pem -outform PEM
# ln -s myroot.pem `openssl x509 -hash -noout -in myroot.pem`.0

Update:
This also works for Arch Linux; however, the OpenSSL certificates are located under /etc/ssl/certs/. Also, for SMTP with SSL to work, the following packages are needed:

pacman -S perl-net-smtp-ssl perl-authen-sasl

Heartbleed test for OpenVPN

OpenVPN is affected by Heartbleed too


I guess you would not have landed here if you hadn't read about Heartbleed. In case you really don't know what it's all about, catch up here. Since OpenVPN makes use of SSL/TLS (and most distributions use OpenSSL as the implementation of choice), OpenVPN is affected too (check the official page). Most test utilities out there can test HTTP and other protocols; however, I didn't find a test which validates that an OpenVPN installation is safe. So I created one.

You can find the Python script over at GitHub. My version is a heavily altered version of a script I found at Fox-IT, created by Jared Stafford and Yonathan Klijnsma.

Right now, the utility only supports UDP (which is used by default). The first argument needs to be the server to test, which will then be contacted and a TLS session initialized. The script then sends an invalid heartbeat request, which the server will respond to if it is vulnerable.

$ ./heartbleed_test_openvpn.py my.server.com
my.server.com|VULNERABLE

0000 18 03 01 10 13 02 10 00 48 65 61 72 74 62 6C 65 ........Heartble
0010 65 64 20 74 65 73 74 20 70 61 79 6C 6F 61 64 E2 ed test payload.
0020 0B 9E 38 34 EC 3D 66 2B 9C D5 63 00 00 68 C0 14 ..84.=f+..c..h..
0030 C0 0A 22 C0 C0 21 00 39 00 38 00 88 00 87 C0 0F ...".!.9.8......
0040 C0 05 00 35 00 84 C0 21 C4 08 1C 1C C0 1B 00 16 ...5............
0050 00 13 C0 0D C0 03 00 0A C0 13 C0 09 C0 1F C0 1E ................
0060 00 00 00 32                                     ...2
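
As an added example (not part of the author's script), the following Python decodes the start of the record in the dump above: the TLS record header (type 18, version 03 01, length 10 13) and the heartbeat header (type 02, payload length 10 00). It assumes the probe's real payload was the 23-byte string visible in the dump; the names classify_heartbeat, PROBE and SAMPLE are hypothetical.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 24  # TLS record content type "heartbeat" (RFC 6520)
HEARTBEAT_RESPONSE = 2       # HeartbeatMessageType heartbeat_response

# Assumption: the payload the tester actually sent is the text seen in the dump.
PROBE = b"Heartbleed test payload"

# First 32 bytes of the dump above; the full record is longer than this excerpt.
SAMPLE = bytes.fromhex(
    "18 03 01 10 13 02 10 00 48 65 61 72 74 62 6C 65 "
    "65 64 20 74 65 73 74 20 70 61 79 6C 6F 61 64 E2"
)


def classify_heartbeat(record: bytes, sent_payload: bytes) -> dict:
    """Decode a TLS heartbeat record and compare it with the payload we sent."""
    if len(record) < 8:
        raise ValueError("need 5-byte record header plus 3-byte heartbeat header")
    ctype, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != HEARTBEAT_CONTENT_TYPE:
        raise ValueError(f"content type {ctype} is not a heartbeat record")
    hb_type, claimed = struct.unpack("!BH", record[5:8])
    body = record[8:]
    sent = len(sent_payload)
    # RFC 6520: a response must carry an exact copy of the request payload.
    # A longer claimed length means the peer copied past the request buffer.
    over_read = hb_type == HEARTBEAT_RESPONSE and claimed > sent
    return {
        "tls_version": (major, minor),
        "record_length": rec_len,
        "padding_length": rec_len - 3 - claimed,
        "heartbeat_type": hb_type,
        "claimed_payload_length": claimed,
        "echo_matches": body[:sent] == sent_payload,
        "over_read": over_read,
        "excess_bytes_claimed": max(claimed - sent, 0),
        "excess_bytes_captured": len(body[sent:claimed]) if over_read else 0,
    }


if __name__ == "__main__":
    for key, value in classify_heartbeat(SAMPLE, PROBE).items():
        print(f"{key}: {value}")
```

Under that assumption, the record above claims a 4096-byte payload against 23 bytes sent, and everything after the echoed text (starting with the E2 byte at offset 0x1F) is data the server should not have returned.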
