ssl


How to retrieve the SSL cert expiration date from a PEM encoded certificate?

We use the following command to get the ending date of PEM encoded certificates that are generated using certbot and Let's Encrypt:

openssl x509 -enddate -noout -in fullchain.pem;

To get a list of all certificates and their expiration dates, we issue the following find command that executes the above snippet on each result while printing the name of the file first.

find ~/certificates/ -name "fullchain.pem" -print -exec openssl x509 -enddate -noout -in '{}' \;

In this example, the certificates are in our home folder under the name ‘certificates’. The results will look like the following sample:

/home/tux/certificates/example.com/fullchain.pem
notAfter=Aug 22 10:12:55 2021 GMT
/home/tux/certificates/site2.example.com/fullchain.pem
notAfter=Nov 22 03:22:44 2021 GMT
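
An added example (not part of the original post): a Python script that parses the find/openssl output shown above and lists certificates that are unreadable, already expired, or due to expire within a threshold. The function names, the 30-day default and the broken.example.com entry in the sample are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: the output shown above plus one path that is not
# followed by a notAfter line (e.g. openssl could not read that file).
SAMPLE = """\
/home/tux/certificates/example.com/fullchain.pem
notAfter=Aug 22 10:12:55 2021 GMT
/home/tux/certificates/broken.example.com/fullchain.pem
/home/tux/certificates/site2.example.com/fullchain.pem
notAfter=Nov 22 03:22:44 2021 GMT
"""

def parse_expirations(text):
    """Map each path printed by find to its notAfter time (UTC), or None."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("notAfter="):
            if current is not None:
                # openssl pads single-digit days with a space; normalize it.
                stamp = " ".join(line[len("notAfter="):].split())
                when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
                result[current] = when.replace(tzinfo=timezone.utc)
                current = None
        else:
            current = line
            result[current] = None  # stays None if no date follows
    return result

def expiring(text, now, warn_days=30):
    """Return (path, days_left) sorted soonest first; days_left is None for
    unreadable certificates and negative for expired ones."""
    rows = []
    for path, when in parse_expirations(text).items():
        days = None if when is None else (when - now).days
        if days is None or days <= warn_days:
            rows.append((path, days))
    return sorted(rows, key=lambda r: (r[1] is not None, r[1] or 0))

if __name__ == "__main__":
    for path, days in expiring(SAMPLE, datetime.now(timezone.utc)):
        print(path, "UNREADABLE" if days is None else f"{days} days left")
```

To run it against real data, pipe the output of the find command above into a file and pass its contents to expiring() in place of SAMPLE.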

Hikvision DVR sending email over GMail

Recently, we were trying to set up the email configuration of a Hikvision DVR. Even though it was updated to the latest firmware, we would get the message Testing Failed when trying to send an email over GMail.

In the GUI of the DVR there was an option to Enable SSL but no option to enable TLS/STARTTLS. So after consulting the GMail official documentation on how to configure an email client for GMail, we set the SMTP Port to 465 and enabled the SSL option. Then we created an application password for the DVR and tried to test the settings. To our disappointment we got the Testing Failed message.

The latest user manual of the DVR mentioned an option to Enable SSL/TLS but not Enable SSL, which got us curious. It raised the following question: “What if they enabled the TLS functionality but forgot to update the GUI to match it?” So we changed the port to 587 and hit Test again.

Guess what?

It worked!!

It appears that Hikvision enabled the TLS/STARTTLS functionality but forgot to make their GUI reflect the change!

Using the settings depicted in this photo, we were able to send test messages from our Hikvision DVR over GMail using TLS/STARTTLS on port 587 of smtp.gmail.com!
The confirmation of the successful email sending operation.
“TESTING SUCCEEDED.”

A very important note

In the password field, we did not use the password of the Gmail account! We used an Application Password! It is crucial that you activate 2-factor authentication and then create an application password, or else you will not succeed in logging in to your Gmail account through your Hikvision DVR/NVR.


Ignore SSL certificates for GIT

The background

Recently, a new firewall was installed. This firewall performs SSL/TLS decryption on all encrypted traffic…

In order for machines to continue operating normally, a custom certificate was issued and installed on each one. On certain machines though, the certificate was not installed and this caused verification problems.

The story

While trying to clone a git project from GitHub, we got the following output:


$ git clone https://github.com/ioi/translation.git
Cloning into 'translation'...
fatal: unable to access 'https://github.com/ioi/translation.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

The horrible solution

To mitigate the problem (not solve it), we directed git to ignore the SSL certificates and not verify them using the following call right before the clone command.


export GIT_SSL_NO_VERIFY=true

As expected, the execution went smoothly after this change:


$ git clone https://github.com/ioi/translation.git
Cloning into 'translation'...
remote: Counting objects: 297, done.
remote: Total 297 (delta 0), reused 0 (delta 0), pack-reused 297
Receiving objects: 100% (297/297), 4.40 MiB | 1.50 MiB/s, done.
Resolving deltas: 100% (39/39), done.
Checking connectivity... done.