Re: [AOLSERVER] nsssl - openssl ?
O.K, With a little Makefile and source hacking I got nsopenssl.so to build. (OPENSSL_free isn't in my version of OpenSSL, was it added later? [tclcmds.c]) Now my problem is that the module fails to load the certfile.pem. I created my own self-signed certificate using openssl, and from what I can tell it looks O.K. Has anyone tryed this before? I just think I'm missing something that my brain can't figure out. :-) P.S. The cert was generated from an unencrypted 3DES 1024-bit key if that helps any. Daniel P. Stasinski wrote: I was wondering if there was anything in the works to port nsssl from BSAFE to OpenSSL? It appears that getting your hands on BSAFE would be the first problem. Try nsopenssl at: http://scottg.net/webtools/opennsd/modules/nsopenssl/ Daniel P. Stasinski http://www.disabilities-r-us.com [EMAIL PROTECTED]
Re: [AOLSERVER] nsssl - openssl ?
Make sure your private key is not passphrase-protected; if it is, it'll fail to be loaded by the server. You can use openssl to take the passphrase off, but make sure you lock up this file so that only the server can read it (root will also be able to read it, obviously): openssl rsa -in key1.pem -out key2.pem The latest version is nsopenssl-1.1 and is available at http://scottg.net. You'll want to use this version, and it requires OpenSSL 0.9.6 or higher (though I haven't tested with 0.9.6a yet). /s. O.K, With a little Makefile and source hacking I got nsopenssl.so to build. (OPENSSL_free isn't in my version of OpenSSL, was it added later? [tclcmds.c]) Now my problem is that the module fails to load the certfile.pem. I created my own self-signed certificate using openssl, and from what I can tell it looks O.K. Has anyone tryed this before? I just think I'm missing something that my brain can't figure out. :-) P.S. The cert was generated from an unencrypted 3DES 1024-bit key if that helps any. Daniel P. Stasinski wrote: I was wondering if there was anything in the works to port nsssl from BSAFE to OpenSSL? It appears that getting your hands on BSAFE would be the first problem. Try nsopenssl at: http://scottg.net/webtools/opennsd/modules/nsopenssl/ Daniel P. Stasinski http://www.disabilities-r-us.com [EMAIL PROTECTED]
Re: [AOLSERVER] nsssl - openssl ?
I've always wondered why servers bother to encrypt the private key. The passphrase is right there in the server configuration so why bother? Kris -Original Message- From: AOLserver Discussion [mailto:[EMAIL PROTECTED]]On Behalf Of Scott Goodwin Sent: Mon, 05-14-01 02:40p To: [EMAIL PROTECTED] Subject: Re: [AOLSERVER] nsssl - openssl ? Make sure your private key is not passphrase-protected; if it is, it'll fail to be loaded by the server. You can use openssl to take the passphrase off, but make sure you lock up this file so that only the server can read it (root will also be able to read it, obviously): openssl rsa -in key1.pem -out key2.pem The latest version is nsopenssl-1.1 and is available at http://scottg.net. You'll want to use this version, and it requires OpenSSL 0.9.6 or higher (though I haven't tested with 0.9.6a yet). /s. O.K, With a little Makefile and source hacking I got nsopenssl.so to build. (OPENSSL_free isn't in my version of OpenSSL, was it added later? [tclcmds.c]) Now my problem is that the module fails to load the certfile.pem. I created my own self-signed certificate using openssl, and from what I can tell it looks O.K. Has anyone tryed this before? I just think I'm missing something that my brain can't figure out. :-) P.S. The cert was generated from an unencrypted 3DES 1024-bit key if that helps any. Daniel P. Stasinski wrote: I was wondering if there was anything in the works to port nsssl from BSAFE to OpenSSL? It appears that getting your hands on BSAFE would be the first problem. Try nsopenssl at: http://scottg.net/webtools/opennsd/modules/nsopenssl/ Daniel P. Stasinski http://www.disabilities-r-us.com [EMAIL PROTECTED]
Re: [AOLSERVER] nsssl - openssl ?
I've always wondered why servers bother to encrypt the private key. The passphrase is right there in the server configuration so why bother? I believe that if you use Apache/mod_ssl with an encrypted key, the server will pause at startup time and prompt you to enter the passphrase on the command line. The problems with this approach should be obvious...
Re: [AOLSERVER] nsssl - openssl ?
Rob Mayoff wrote: I believe that if you use Apache/mod_ssl with an encrypted key, the server will pause at startup time and prompt you to enter the passphrase on the command line. The problems with this approach should be obvious... Particularly when it's a remote server. That command-line prompt on the (nonexistent) console is not 100% useful. I discovered this security feature the hard way once.
Re: [AOLSERVER] nsssl - openssl ?
The keyfile was decrypted before I created the CSR. The server dies trying to load the signed (by me) certificate, even though: openssl x509 -noout -text -in certfile.pem Reguritates out the cert information O.K. I guess I failed to mention I'm using nsopenssl 1.1 I must have an older version of OpenSSL, since the OPENSSL_free stub isn't there. I'll try and upgrade OpenSSL and try again. Scott Goodwin wrote: Make sure your private key is not passphrase-protected; if it is, it'll fail to be loaded by the server. You can use openssl to take the passphrase off, but make sure you lock up this file so that only the server can read it (root will also be able to read it, obviously): openssl rsa -in key1.pem -out key2.pem The latest version is nsopenssl-1.1 and is available at http://scottg.net. You'll want to use this version, and it requires OpenSSL 0.9.6 or higher (though I haven't tested with 0.9.6a yet). /s. O.K, With a little Makefile and source hacking I got nsopenssl.so to build. (OPENSSL_free isn't in my version of OpenSSL, was it added later? [tclcmds.c]) Now my problem is that the module fails to load the certfile.pem. I created my own self-signed certificate using openssl, and from what I can tell it looks O.K. Has anyone tryed this before? I just think I'm missing something that my brain can't figure out. :-) P.S. The cert was generated from an unencrypted 3DES 1024-bit key if that helps any. Daniel P. Stasinski wrote: I was wondering if there was anything in the works to port nsssl from BSAFE to OpenSSL? It appears that getting your hands on BSAFE would be the first problem. Try nsopenssl at: http://scottg.net/webtools/opennsd/modules/nsopenssl/ Daniel P. Stasinski http://www.disabilities-r-us.com [EMAIL PROTECTED]
Re: [AOLSERVER] nsssl - openssl ?
I have test platform that contains everything necessary to compile and configure aolserver, nsopenssl, ssldump in a self-contained area to test in. If you can't get it working and you want to try out the test suite, I'll let you know how to download. /s. The keyfile was decrypted before I created the CSR. The server dies trying to load the signed (by me) certificate, even though: openssl x509 -noout -text -in certfile.pem Reguritates out the cert information O.K. I guess I failed to mention I'm using nsopenssl 1.1 I must have an older version of OpenSSL, since the OPENSSL_free stub isn't there. I'll try and upgrade OpenSSL and try again. Scott Goodwin wrote: Make sure your private key is not passphrase-protected; if it is, it'll fail to be loaded by the server. You can use openssl to take the passphrase off, but make sure you lock up this file so that only the server can read it (root will also be able to read it, obviously): openssl rsa -in key1.pem -out key2.pem The latest version is nsopenssl-1.1 and is available at http://scottg.net. You'll want to use this version, and it requires OpenSSL 0.9.6 or higher (though I haven't tested with 0.9.6a yet). /s. O.K, With a little Makefile and source hacking I got nsopenssl.so to build. (OPENSSL_free isn't in my version of OpenSSL, was it added later? [tclcmds.c]) Now my problem is that the module fails to load the certfile.pem. I created my own self-signed certificate using openssl, and from what I can tell it looks O.K. Has anyone tryed this before? I just think I'm missing something that my brain can't figure out. :-) P.S. The cert was generated from an unencrypted 3DES 1024-bit key if that helps any. Daniel P. Stasinski wrote: I was wondering if there was anything in the works to port nsssl from BSAFE to OpenSSL? It appears that getting your hands on BSAFE would be the first problem. Try nsopenssl at: http://scottg.net/webtools/opennsd/modules/nsopenssl/ Daniel P. Stasinski http://www.disabilities-r-us.com [EMAIL PROTECTED]