Help needed with getting SSL installed
I have a Redhat Linux 6.2 server running Apache with mod-ssl. We were using SSH and Teraterm for connecting to the server remotely. Unfortunately that proved to be a security problem, so we are shopping for a solution. We would like to carry on with Teraterm since we have a large number of scripts written for it. The only other option appears to be Teraterm with SSL.

I have downloaded the openssl sources and installed them, then I downloaded the SSLtelnet sources from ftp.psych.psy.uq.oz.au and attempted to compile and install them. It would appear that they haven't been looked at since 1996 and as such no longer compile against the most current versions of mod_ssl. I'm running into compile errors, like too few parameters being passed, and it appears that mod_ssl has been modified from the time this version was released.

Does anyone have a working copy of SSL Telnetd for Linux, or know where a current working version of ssltelnet can be found? Any and all help would be appreciated. Is this the right way to go? Is anyone working on an SSH2 library for Teraterm?

Doug

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                        [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Re: Intermediate signing certs
On Mon, 10 Dec 2001, Bear Giles wrote:

> Would this be a hassle if you have a root CA with a lot of intermediate signers? That means that you have to store/locate all possible intermediate signers to evaluate a couple of end user certificates. This is why PKCS12 (iirc) provides a mechanism to provide intermediate certs with the final cert. The CA should have a suitable chain for its own certs, and it can return the extra certs with everything that it signs.

This likely applies to PKCS7 Signed structure.

> This doesn't help you when presented a naked cert by a stranger - you still have to locate those intermediate certs - but at that point you have more problems than just finding the intermediate certs. What does it mean to have a full cert chain if the root is a self-signed cert by Bob's Bait Shop and Certificate Authority?

Any parseable certificate presented by a stranger is good enough to use that public key to send email encrypted to *his* private key. At least if there's no chance for man-in-the-middle. Probably you are talking about verification that stranger is authorized by some big guy to pay.. it's completely different issue. Yes, one need (root) certificate of that big guy and intermed certs to verify the chain.

> You could decide to ignore any cert that's not from a major CA (which would make the stockholders of Verisign very happy), but that misses the point. An individual cert by Verisign really says very little about the person, a cert signed by a small college for its students for internal use may be rock solid.

One could care about CA certificates related to his business, either well-known or private ones used to verify access to local resources.

> On a related note, is there documentation on how to set up a well-behaved certs and PKCS12 bags? I couldn't find anything the last time I checked, but maybe something has come out since then.

Any problem with PKCS12 specifications published by RSA Labs? What is well-behaved?

-vf
PrivateKey.
Hello! I use this when initializing:

    SSL_CTX_use_PrivateKey_file(ssl_ctx, keyfile, SSL_FILETYPE_PEM)

What is the correct way of accessing this keyfile later? I.e. I would like to say:

    skey = ssl_ctx->private_key;

or similar.

/Douglas
RE: Help needed with getting SSL installed
-----Original Message-----
From: Doug Poulin [mailto:[EMAIL PROTECTED]]
Sent: 10 December 2001 22:51
To: [EMAIL PROTECTED]
Subject: Help needed with getting SSL installed

> I have a Redhat Linux 6.2 server running Apache with mod-ssl. We were using SSH and Teraterm for connecting to the server remotely. Unfortunately that proved to be a security problem, so we are shopping for a solution. We would like to carry on with Teraterm since we have a large number of scripts written for it. The only other option appears to be Teraterm with SSL.
>
> I have downloaded the openssl sources and installed them, then I downloaded the SSLtelnet sources from ftp.psych.psy.uq.oz.au and attempted to compile and install them. It would appear that they haven't been looked at since 1996 and as such no longer compile against the most current versions of mod_ssl. I'm running into compile errors, like too few parameters being passed, and it appears that mod_ssl has been modified from the time this version was released.
>
> Does anyone have a working copy of SSL Telnetd for Linux, or know where a current working version of ssltelnet can be found? Any and all help would be appreciated. Is this the right way to go? Is anyone working on an SSH2 library for Teraterm?
>
> Doug

If you look at http://www.openssh.org, you'll see that they have links to various clients for Windows, such as putty. They also have rpms for RedHat (although I can't find any for RedHat 6.2. I still have some copies around myself). You could also consider commercial software such as F-Secure SSH from Datafellows. We have a number of licenses for F-Secure SSH and it is fairly robust.

The maintainer of Teraterm SSH is Robert O'Callahan, contact details are at http://www-2.cs.cmu.edu/~roc/. He will be able to tell you if anyone is working on SSH2 support. Teraterm SSL's page is at http://www.infoscience.co.jp/eng/products/ssltterm/index.html, together with contact details. The change log there indicates the last change to Teraterm SSL was over three years ago. Not encouraging. All these pages are linked from the Teraterm Home Page at http://hp.vector.co.jp/authors/VA002416/teraterm.html.

Also, as it is only a matter of time before Red Hat drops support for version 6.2, you might consider upgrading to 7.2. This comes with openssh built in.

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299  Fax: +44 (0) 1733 370848  [EMAIL PROTECTED]

More people die each day of AIDS than died in the terrorist attacks on September 11th 2001.
Using certificates in IIS
Hi everyone,

I have generated my own certificate for testing (I'm just starting to learn about SSL) in my linux box using CA.pl:

    CA.pl -newca
    CA.pl -newreq
    CA.pl -signreq
    CA.pl -pkcs12 Test certificate

Those have been executed inside my Linux box with latest stable version of openssl... and then I try to move my cert to IIS (NT Option Pack 4.0)... when trying to import (newcert.pem as key file and newcert.p12 as certificate) at the key manager I have the following error:

    Error CAPI2 = 80093005

What am I doing incorrectly?

Thanks in advance and best regards...

Miguel Ángel Ripalda Marín
Siemens Elasa S.A. Technology, RD. System Software
Pol. Malpica, D-98 50016 Zaragoza, Spain
Phone (34)976 760 300 ext. 451  Fax (34)976 760 346
E-Mail [EMAIL PROTECTED]
RE: Intermediate signing certs
That's me told then, so to authenticate a certificate you need the whole chain of certs going from the cert to authenticate all the way to a trusted CA.

The application I am writing is presented with certs to authenticate from an external source, and the configuration has to hold a pool of trusted certs so you can check the certificates presented. It appears that this pool has to basically have every possible signer in it. I was kind of hoping that I could get away with only a couple of trusted CA's, and traverse the certificate hierarchy to these roots. Hold on, I can't do that because without the intermediate signer certs how can I figure out who signed them? Got it now.

Tat.

> > Would this be a hassle if you have a root CA with a lot of intermediate signers? That means that you have to store/locate all possible intermediate signers to evaluate a couple of end user certificates. This is why PKCS12 (iirc) provides a mechanism to provide intermediate certs with the final cert. The CA should have a suitable chain for its own certs, and it can return the extra certs with everything that it signs.
>
> This likely applies to PKCS7 Signed structure.
>
> > This doesn't help you when presented a naked cert by a stranger - you still have to locate those intermediate certs - but at that point you have more problems than just finding the intermediate certs. What does it mean to have a full cert chain if the root is a self-signed cert by Bob's Bait Shop and Certificate Authority?
>
> Any parseable certificate presented by a stranger is good enough to use that public key to send email encrypted to *his* private key. At least if there's no chance for man-in-the-middle. Probably you are talking about verification that stranger is authorized by some big guy to pay.. it's completely different issue. Yes, one need (root) certificate of that big guy and intermed certs to verify the chain.
>
> > You could decide to ignore any cert that's not from a major CA (which would make the stockholders of Verisign very happy), but that misses the point. An individual cert by Verisign really says very little about the person, a cert signed by a small college for its students for internal use may be rock solid.
>
> One could care about CA certificates related to his business, either well-known or private ones used to verify access to local resources.
>
> > On a related note, is there documentation on how to set up a well-behaved certs and PKCS12 bags? I couldn't find anything the last time I checked, but maybe something has come out since then.
>
> Any problem with PKCS12 specifications published by RSA Labs? What is well-behaved?
>
> -vf
OCSP_basic_verify
Hi,

I have been trying to figure out what the flags are for this function and have come up with the following, can someone verify?

    int OCSP_basic_verify(OCSP_BASICRESP *bs,    // the OCSP response
                          STACK_OF(X509) *certs, // intermediate signing certs
                          X509_STORE *st,        // trusted responder certs
                          unsigned long flags    // flags as defined in ocsp.h
                          );

Can someone tell me what the difference between certs and st is?

Tat.
RE: Intermediate signing certs
On Tue, 11 Dec 2001, Tat Sing Kong wrote:

> That's me told then, so to authenticate a certificate you need the whole chain of certs going from the cert to authenticate all the way to a trusted CA.

It's unlikely just authentication is of any practical use; authorization is and risk of failure to consider. In case of sending encrypted mail to a stranger: would one care authentication at all? One could just use public key from certificate presented and the message could be just lost in case of bad key. Yes, one should exclude man-in-the-middle and create message content to be useful by a stranger. One could also care whether exactly this stranger was here already. It's unlikely any CA could be useful here.

> The application I am writing is presented with certs to authenticate from an external source, and the configuration has to hold a pool of trusted certs so you can check the certificates presented. It appears that this pool has to basically have every possible signer in it. I was kind of hoping that I could get away with only a couple of trusted CA's, and traverse the certificate hierarchy to these roots. Hold on, I can't do that because without the intermediate signer certs how can I figure out who signed them? Got it now.
>
> Tat.
>
> > > Would this be a hassle if you have a root CA with a lot of intermediate signers? That means that you have to store/locate all possible intermediate signers to evaluate a couple of end user certificates. This is why PKCS12 (iirc) provides a mechanism to provide intermediate certs with the final cert. The CA should have a suitable chain for its own certs, and it can return the extra certs with everything that it signs.
> >
> > This likely applies to PKCS7 Signed structure.
> >
> > > This doesn't help you when presented a naked cert by a stranger - you still have to locate those intermediate certs - but at that point you have more problems than just finding the intermediate certs. What does it mean to have a full cert chain if the root is a self-signed cert by Bob's Bait Shop and Certificate Authority?
> >
> > Any parseable certificate presented by a stranger is good enough to use that public key to send email encrypted to *his* private key. At least if there's no chance for man-in-the-middle. Probably you are talking about verification that stranger is authorized by some big guy to pay.. it's completely different issue. Yes, one need (root) certificate of that big guy and intermed certs to verify the chain.
> >
> > > You could decide to ignore any cert that's not from a major CA (which would make the stockholders of Verisign very happy), but that misses the point. An individual cert by Verisign really says very little about the person, a cert signed by a small college for its students for internal use may be rock solid.
> >
> > One could care about CA certificates related to his business, either well-known or private ones used to verify access to local resources.
> >
> > > On a related note, is there documentation on how to set up a well-behaved certs and PKCS12 bags? I couldn't find anything the last time I checked, but maybe something has come out since then.
> >
> > Any problem with PKCS12 specifications published by RSA Labs? What is well-behaved?
> >
> > -vf
Re: Help needed with getting SSL installed
On Mon, Dec 10, 2001 at 02:50:46PM -0800, Doug Poulin wrote:
> Is this the right way to go? Is anyone working on an SSH2 library for Teraterm?

Check out putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/).

Best regards,
Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
Conversion problem
Hi

I could not convert my key-cert.pem into a pkcs7 format, even following all the steps in www.binarytool.com/docs/ssl-cert-HOWTO.html to make my cert. After following these steps I wrote in the terminal:

    openssl pkcs7 -in key-cert.pem -out key-cert.p7b

The resulting error was:

    unable to load PKCS7 object
    6671:error:0D081072:asn1 enconding routines:d2i_ASN1_OBJECT:expect.c:217
    6671:error:0D091004:asn1 enconding routines:d2i_PKCS7:nested asn1 ress=135529832 offset=4
    6671:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_l

I'm trying this because I could not include my cert in the PEM format to the Internet Explorer too. If anyone knows something about it please answer.

Thank you
Coronel
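An added example, not from the thread or the OpenSSL project, showing why the command above fails and what produces a .p7b: `openssl pkcs7` only reads an existing PKCS#7 structure, so a plain certificate (let alone a key+cert file) is rejected with "unable to load PKCS7 object", whereas `crl2pkcs7 -nocrl -certfile` wraps certificates into one. It needs the openssl CLI; the self-signed certificate, file names and subject are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): build a PKCS#7 certificate bag
# from a certificate file. Names and the throwaway certificate are constructed.
set -e

WORK="$(mktemp -d)"

# Minimal config so `req` works without a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = req_dn
prompt             = no

[req_dn]
CN = example-p7-test
EOF

# Throwaway self-signed certificate standing in for the cert part of key-cert.pem.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

# Wrap the certificate (the certificate only, never the private key) into a .p7b.
make_p7b() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/cert.pem" -out "$WORK/cert.p7b"
}

# Read the bag back with `openssl pkcs7` and count the certificates it carries;
# -print_certs lists one "subject=" line per certificate.
count_certs_in_p7b() {
    openssl pkcs7 -in "$WORK/cert.p7b" -print_certs -noout | grep -c '^subject'
}

make_p7b
echo "certificates in cert.p7b: $(count_certs_in_p7b)"
```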
[no subject]
Hi,

I want to generate a pkcs10 request with req command line tool but I don't know how to specify a particular key usage. I know I have to work in openssl.cnf line marked 'req_extension'... what kind of string has to be added in that line?

Thanks for any help.
Re:
[EMAIL PROTECTED] wrote:
> Hi,
>
> I want to generate a pkcs10 request with req command line tool but I don't know how to specify a particular key usage. I know I have to work in openssl.cnf line marked 'req_extension'... what kind of string has to be added in that line?

It's req_extensions and you have to add a section name. The syntax of that section is the same as other extensions, see doc/openssl.txt for detailed information. For example:

    req_extensions = ext_req
    ...
    [ext_req]
    keyUsage = critical, digitalSignature, nonRepudiation

A CA may ignore request extension information. OpenSSL's 'ca' command ignores request extensions except in the latest development snapshot where there is an option to copy them to the certificate.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
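The config Steve describes, driven end to end as an added example (not code from the thread or the OpenSSL project): a minimal openssl.cnf naming the ext_req section, `req` generating the PKCS#10 request from it, and the request decoded to confirm the keyUsage landed in it. It assumes the openssl CLI is installed; the file names and subject CN are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): req_extensions in practice.
# File names and the subject CN are constructed for this example.
set -e

WORK="$(mktemp -d)"

# [req] points at the extension section; [ext_req] holds the extensions themselves.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = req_dn
req_extensions     = ext_req
prompt             = no

[req_dn]
CN = example-signing-only

[ext_req]
keyUsage = critical, digitalSignature, nonRepudiation
EOF

# Generate a throwaway RSA key and the request in one step.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -keyout "$WORK/key.pem" -out "$WORK/req.pem" 2>/dev/null
}

# Decode the request and return the key usage it asks for. As Steve notes, this
# is only a request: whether the issued certificate carries it is up to the CA.
requested_key_usage() {
    openssl req -in "$WORK/req.pem" -noout -text \
        | grep -A1 'X509v3 Key Usage' | tail -n1 | sed 's/^ *//'
}

make_request
echo "requested keyUsage: $(requested_key_usage)"
```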
unable to load CA private key
Hello all!

First of all, since this problem seems not very difficult... where is the FAQ of this list?

Now, the problem:

    merry:/usr/local/ssl# bin/openssl ca -policy policy_anything -out newcert.pem -config openssl.cnf -infiles new.pem
    Using configuration from openssl.cnf
    unable to load CA private key

Of course, the file exists:

    merry:/usr/local/ssl# ls -l private/cakey.pem
    -rw-r--r--    1 root     staff         963 dic 11 13:44 private/cakey.pem

And openssl reads it, too. Any tip?

Thanks in advance,
Carlos.

Carlos Costa Portela
e-mail: [EMAIL PROTECTED] | home page: http://casa.ccp.servidores.net
"All grown-ups were children once, but few of them remember it."
Re: Intermediate signing certs
> > This doesn't help you when presented a naked cert by a stranger[...]
>
> Any parseable certificate presented by a stranger is good enough to use that public key to send email encrypted to *his* private key. At least if there's no chance for man-in-the-middle.

Not if the cert denies such use... and at most all it gives you is a secure channel back to the person who sent you a possibly fraudulent cert. If you aren't willing to blindly trust their cert, why would you blindly trust a cert chain and root cert (or pointer to same) they send?

> Probably you are talking about verification that stranger is authorized by some big guy to pay.. it's completely different issue.

Or authorized to use resources, access data, etc. At an extreme, it might only be used to log the identity of persons in open discussions. That might sound excessive, but the spammers and slanderers may force some forums to go to this extreme. Anyone who posts as [EMAIL PROTECTED] is exactly the type to create their own bogus certs.

> One could care about CA certificates related to his business, either well-known or private ones used to verify access to local resources.

Of course, but what about a case where you've never heard of them before? Your server asks for a cert, they hand over the only one they have, and you're suddenly wondering how much weight to give it. (See comments above.)

> > On a related note, is there documentation on how to set up a well-behaved certs and PKCS12 bags? I couldn't find anything the last time I checked, but maybe something has come out since then.
>
> Any problem with PKCS12 specifications published by RSA Labs? What is well-behaved?

It's hard to describe well-behaved because I rarely use Windows clients, and on Unix I tend to use the locally generated stuff with installers. But I've noticed that instead of loading several items separately, on PCs you often get everything in one package.

So the question isn't how to create these packages (I assume the library will handle that), but what to put into them. And as my earlier comment suggests, I'm not even sure if this is a PKCS7 or PKCS12 object - I've been working with X.509 certs (and requests) and PKCS8 keys exclusively.
Re: unable to load CA private key
Carlos Costa Portela wrote:
> merry:/usr/local/ssl# bin/openssl ca -policy policy_anything -out newcert.pem -config openssl.cnf -infiles new.pem
> Using configuration from openssl.cnf
> unable to load CA private key

It really means what it says -- the path to the private directory is based on the one set in openssl.cnf. In the case of the default file, it's looking for a 'demoCA/private' directory in the current directory.
SSL/SOAP: Error opening socket - only in 95/98...
Hi, my set up is as follows:

    Apache 1.3.22 with mod_ssl 2.61
    OPENSSL 0.9.5
    Tomcat 3.3
    SOAP 2.2
    JSSE 1.0.2

I have a SOAP client that works perfectly with and without SSL when running the client from Windows 2000 or XP. However when I try to test the client from 95/98 with SSL I get the following error:

    [SOAPException: faultCode=SOAP-ENV:Client; msg=Error opening socket: null; targetException=java.lang.IllegalArgumentException: Error opening socket:null]

I don't know if the problem is with SSL, when I run my client with the following option -Djavax.net.debug=SSL, I don't get any additional information... But none the less it works if I don't use SSL...

Thanks
Jeremy
verify certificate
Dear all,

I want to verify a certificate. I used the verify command but I realized that it does check if the certificate is revoked or not. I used this command:

    openssl verify -CApath /usr/local/ca -CAfile /usr/local/ca/cacert.pem /usr/local/ca/newcerts/new8.pem

I get the ok answer even if the new.pem is a revoked certificate. Bearing in mind that I already generated the crl for my ca and the revocation status of the certificate is included in the crl.

Please can anybody help me with this problem.

--
Thanking you
Hafida
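An added example, not from the thread or the OpenSSL project, reproducing the situation above with a throwaway CA: `openssl verify` ignores CRLs unless asked, so a revoked certificate verifies OK until -crl_check is given together with the CRL (-CRLfile, or a CRL placed in the -CApath directory). It assumes the openssl CLI; every path, name and the whole CA here are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): a scratch CA, one issued and
# then revoked certificate, a CRL, and verify with and without -crl_check.
# All names and paths are constructed for this example.
set -e

WORK="$(mktemp -d)"
CA="$WORK/ca"
mkdir -p "$CA/newcerts"
: > "$CA/index.txt"
echo 01 > "$CA/serial"

# Minimal openssl.cnf for the `ca` command; paths point into the scratch dir.
cat > "$WORK/ca.cnf" <<EOF
[ca]
default_ca = test_ca

[test_ca]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = \$dir/cacert.pem
private_key      = \$dir/cakey.pem
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = policy_any

[policy_any]
commonName = supplied

[req]
distinguished_name = req_dn
prompt             = no

[req_dn]
CN = placeholder

[v3_ca]
basicConstraints = critical, CA:true
keyUsage         = critical, keyCertSign, cRLSign
EOF

# 1. Self-signed CA certificate and key (-subj overrides the placeholder CN).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=test-ca \
    -extensions v3_ca -config "$WORK/ca.cnf" \
    -keyout "$CA/cakey.pem" -out "$CA/cacert.pem" 2>/dev/null

# 2. End-entity request, signed with `ca` so the issuance lands in index.txt.
openssl req -new -newkey rsa:2048 -nodes -subj /CN=test-leaf \
    -config "$WORK/ca.cnf" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl ca -batch -config "$WORK/ca.cnf" -in "$WORK/leaf.csr" \
    -out "$WORK/leaf.pem" >/dev/null 2>&1

# 3. Revoke the certificate and generate the CRL that records it.
openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.pem" >/dev/null 2>&1
openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1

# Returns 0 (": OK" in the output): the chain is valid and no CRL was consulted.
verify_without_crl_check() {
    openssl verify -CAfile "$CA/cacert.pem" "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Returns non-zero ("certificate revoked"): -crl_check makes the CRL part of it.
verify_with_crl_check() {
    openssl verify -crl_check -CAfile "$CA/cacert.pem" -CRLfile "$WORK/crl.pem" \
        "$WORK/leaf.pem" 2>&1 | grep -q ': OK$'
}

verify_without_crl_check && echo "without -crl_check: OK (revocation not consulted)"
verify_with_crl_check || echo "with -crl_check: rejected as revoked"
```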
Re: unable to load CA private key
On Tue, 11 Dec 2001, Michael Sierchio wrote:
> Carlos Costa Portela wrote:
> > merry:/usr/local/ssl# bin/openssl ca -policy policy_anything -out newcert.pem -config openssl.cnf -infiles new.pem
> > Using configuration from openssl.cnf
> > unable to load CA private key
>
> It really means what it says -- the path to the private directory is based on the one set in openssl.cnf. In the case of the default file, it's looking for a 'demoCA/private' directory in the current directory.

Unfortunately, this is not the problem. It finds the correct file (strace output):

    open("/usr/local/ssl/private/cakey.pem", O_RDONLY) = 3
    [...]
    read(3, "-----BEGIN RSA PRIVATE KEY-----\n"..., 4096) = 963
    [...]
    write(2, "unable to load CA private key\n", [...]

Another suggestion? Thanks, of course.

Carlos.

Carlos Costa Portela
e-mail: [EMAIL PROTECTED] | home page: http://casa.ccp.servidores.net
"All grown-ups were children once, but few of them remember it."