Re: [AOLSERVER] nsssl - openssl ?

2001-05-14 Thread Tony Wells

O.K,

With a little Makefile and source hacking I got nsopenssl.so to
build.  (OPENSSL_free isn't in my version of OpenSSL, was it added
later? [tclcmds.c])

Now my problem is that the module fails to load the certfile.pem.  I
created my own self-signed certificate using openssl, and from what I
can tell it looks O.K.  Has anyone tried this before?  I just think
I'm missing something that my brain can't figure out. :-)

P.S.
The cert was generated from an unencrypted 3DES 1024-bit key if that
helps any.

Daniel P. Stasinski wrote:

   I was wondering if there was anything in the works to port
   nsssl from BSAFE to OpenSSL?  It appears that getting
   your hands on BSAFE would be the first problem.

 Try nsopenssl at:

 http://scottg.net/webtools/opennsd/modules/nsopenssl/

 Daniel P. Stasinski
 http://www.disabilities-r-us.com
 [EMAIL PROTECTED]



Re: [AOLSERVER] nsssl - openssl ?

2001-05-14 Thread Scott Goodwin

Make sure your private key is not passphrase-protected; if it is, it'll
fail to be loaded by the server. You can use openssl to take the passphrase
off, but make sure you lock up this file so that only the server can read
it (root will also be able to read it, obviously):


openssl rsa -in key1.pem -out key2.pem


The latest version is nsopenssl-1.1 and is available at http://scottg.net.

You'll want to use this version, and it requires OpenSSL 0.9.6 or higher
(though I haven't tested with 0.9.6a yet).

/s.
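
Added example, not part of Scott Goodwin's message or of nsopenssl: one way to carry out the passphrase removal described above so that the clear key is created owner-only from the start and a wrong passphrase leaves no partial file behind. The function names, file names and sample passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example: strip a key passphrase without exposing the clear key.
# Function names, file names and the sample passphrase are constructed.

# True when the PEM file still holds an encrypted private key
# (traditional "Proc-Type: 4,ENCRYPTED" or PKCS#8 "ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Print the ls(1) mode string of a file, e.g. "-r--------".
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# strip_passphrase IN OUT PASSIN
# PASSIN is an openssl pass-phrase source such as file:/path or env:VAR,
# so the passphrase never shows up in the process list.
strip_passphrase() {
    (
        umask 077          # OUT is created owner-only, never world-readable
        rm -f "$2"         # a pre-existing file would keep its old mode
        openssl rsa -in "$1" -passin "$3" -out "$2" 2>/dev/null
    ) || { rm -f "$2"; return 1; }   # wrong passphrase: leave nothing behind
    chmod 400 "$2"         # read-only for the owner (the server account)
}

# Constructed demo: make a throwaway encrypted key, then strip it.
run_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'constructed-passphrase' > "$dir/pass.txt"
    openssl genrsa -aes128 -passout "file:$dir/pass.txt" \
        -out "$dir/key1.pem" 2048 2>/dev/null || return 1
    strip_passphrase "$dir/key1.pem" "$dir/key2.pem" "file:$dir/pass.txt" \
        || return 1
    key_is_encrypted "$dir/key1.pem" && echo "key1.pem: encrypted"
    key_is_encrypted "$dir/key2.pem" \
        || echo "key2.pem: clear, mode $(file_mode "$dir/key2.pem")"
    rm -rf "$dir"
}

run_demo
```

The clear key should be owned by the account the server runs as; as the message notes, root can read it regardless of mode.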







Re: [AOLSERVER] nsssl - openssl ?

2001-05-14 Thread Kris Rehberg

I've always wondered why servers bother to encrypt the private key.  The
passphrase is right there in the server configuration so why bother?

Kris


 
 




Re: [AOLSERVER] nsssl - openssl ?

2001-05-14 Thread Rob Mayoff

 I've always wondered why servers bother to encrypt the private key.  The
 passphrase is right there in the server configuration so why bother?

I believe that if you use Apache/mod_ssl with an encrypted key, the
server will pause at startup time and prompt you to enter the passphrase
on the command line.

The problems with this approach should be obvious...



Re: [AOLSERVER] nsssl - openssl ?

2001-05-14 Thread Michael Roberts

Rob Mayoff wrote:

 I believe that if you use Apache/mod_ssl with an encrypted key, the
 server will pause at startup time and prompt you to enter the passphrase
 on the command line.

 The problems with this approach should be obvious...

Particularly when it's a remote server.  That command-line prompt on the
(nonexistent) console is not 100% useful.  I discovered this security
feature the hard way once.



Re: [AOLSERVER] nsssl - openssl ?

2001-05-14 Thread Tony Wells

The keyfile was decrypted before I created the CSR.  The server dies
trying to load the signed (by me) certificate, even though:

openssl x509 -noout -text -in certfile.pem

Regurgitates out the cert information O.K.  I guess I failed to mention
I'm using nsopenssl 1.1

I must have an older version of OpenSSL, since the OPENSSL_free stub
isn't there.  I'll try and upgrade OpenSSL and try again.

 
 



Re: [AOLSERVER] nsssl - openssl ?

2001-05-14 Thread Scott Goodwin

I have a test platform that contains everything necessary to compile and
configure aolserver, nsopenssl, ssldump in a self-contained area to test
in. If you can't get it working and you want to try out the test suite,
I'll let you know how to download.

/s.
