Re: [openssl-users] reading DER format public keys

2017-09-15 Thread Viktor Dukhovni 

> On Sep 15, 2017, at 6:24 PM, Michael Richardson  wrote:
> 
>> It is the DER analogue of PEM_read_bio_PUBKEY.  With few exceptions,
>> you can s/PEM_READ_bio/d2i/ to go from reading PEM to reading DER.
> 
> It would be great if there were cross-references...

I should note that the PEM_read_bio routines read data from a file,
while the d2i_PUBKEY() routine decodse data from memory.  The
corresponding "read a file" routines are:

d2i_PUBKEY_bio()
and d2i_PUBKEY_fp()

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] reading DER format public keys

2017-09-15 Thread Michael Richardson 

Viktor Dukhovni  wrote:
> On Fri, Sep 15, 2017 at 11:57:17AM -0400, Michael Richardson wrote:

>> pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, (void *)pass);

>> There must be a way to read DER format public keys.
>> I'm suspecting that maybe the magic is in the way the BIO is created?
>> (FAQ question PROG03, hints this for PKCS7 processing).

> The function you're looking for is d2i_PUBKEY(3).  See for example:

> https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L344

Once I realized what this does, I then realized that it wasn't about just
about doing something to setup the bio then I realized that the ruby
interface was in fact calling that.

*THEN* I realized I was feeding a certificate blob into a PK routine, and
that was really the problem.

> It is the DER analogue of PEM_read_bio_PUBKEY.  With few exceptions,
> you can s/PEM_READ_bio/d2i/ to go from reading PEM to reading DER.

It would be great if there were cross-references...

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[



signature.asc
Description: PGP signature
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Error in X509_check_private_key when using pkcs11 engine (OpenSSL 1.0.2j)

2017-09-15 Thread Dr. Stephen Henson 
On Fri, Sep 15, 2017, Anton Gerasimov wrote:

> So it turns out load_privkey() function of engine_pkcs11.so sets pub_key
> in the returned 'struct ec_key_st' to NULL. Is it a failure inside
> engine_pkcs11.so?
> 

Well sort of. OpenSSL requires that public key components are set for private
keys (except for a legacy RSA case).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Errors when running OpenSSL fipsalgtest.pl

2017-09-15 Thread security veteran 
Hi All:

I was using the fipsalgtest.pl utility for running tests with some input
vectors.

Somehow I ran into the following errors:

Any suggestions will be greatly appreciated.

Thanks.


*Running ECDSA2 tests*

DEBUG: KeyPair, Pass=240, Fail=0

ERROR: PKV mismatch:

"QX = Z87BV029A938A157D32I7662BFBC5252BB1016B9347F7J93" != "QX =
LKJHGB0E5B672ETD46D39D35E2797F8E25C3572D87A29653"

DEBUG: SigGen, Pass=600, Fail=0

ERROR:100E5092:lib=16,func=229,reason=146:file=ec_key.c:line=522

Error setting public key

Error running SigVer

WARNING: error executing test SigVer for command: ../test/fips_ecdsavs
SigVer "/TestVector/ECDSA/req/SigVer.req" "/TestVector/ECDSA/resp/SigVer.
tst"

*Running RSA tests*

FATAL parse error processing line 4

FATAL RSAVTEST file processing error

WARNING: error executing verify test SigGen15 ../test/fips_rsavtest
"/TestVector/RSA/resp/SigGen15_186-3.tst" "/TestVector/RSA/resp/SigGen15_
186-3.ver"
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Error in X509_check_private_key when using pkcs11 engine (OpenSSL 1.0.2j)

2017-09-15 Thread Anton Gerasimov 
So it turns out load_privkey() function of engine_pkcs11.so sets pub_key
in the returned 'struct ec_key_st' to NULL. Is it a failure inside
engine_pkcs11.so?

Thanks,
Anton Gerasimov
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] reading DER format public keys

2017-09-15 Thread Viktor Dukhovni 
On Fri, Sep 15, 2017 at 11:57:17AM -0400, Michael Richardson wrote:

> pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, (void *)pass);

> There must be a way to read DER format public keys.
> I'm suspecting that maybe the magic is in the way the BIO is created?
> (FAQ question PROG03, hints this for PKCS7 processing).

The function you're looking for is d2i_PUBKEY(3).  See for example:

https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L344

which parses public keys from "TLSA ? 1 0 " records, which
have a DER encoding of the X.509 SubjectPublicKeyInfo (SPKI) in
the associated-data (4th) RData field.

It is the DER analogue of PEM_read_bio_PUBKEY.  With few exceptions,
you can s/PEM_READ_bio/d2i/ to go from reading PEM to reading DER.

-- 
Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Compatibility of OpenSSL (Debian)

2017-09-15 Thread Joseph Southwell 
See: https://www.openssl.org/blog/blog/2016/08/24/sweet32
> On Sep 15, 2017, at 11:52 AM, Dave Serls  wrote:
> 
> 
> A file DES3 encrypted here by OpenSSL 1.0.1t  3 May 2016 (Debian 7 or earlier 
> version) is not accessible
> by OpenSSL 1.1.0f  25 May 2017 (Debian 9).  Is this expected behavior?
> 
> -- 
> 
> *   Dave Serls Littleton, CO, USA  *
> *   dashs.denver.co.us http://www.dashs.com*
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> 

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Compatibility of OpenSSL (Debian)

2017-09-15 Thread Salz, Rich via openssl-users 

 A file DES3 encrypted here by OpenSSL 1.0.1t  3 May 2016 (Debian 7 or 
earlier version) is not accessible
 by OpenSSL 1.1.0f  25 May 2017 (Debian 9).  Is this expected behavior?

https://www.openssl.org/docs/faq.html#USER3


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] reading DER format public keys

2017-09-15 Thread Robert Moskowitz 



On 09/15/2017 11:57 AM, Michael Richardson wrote:

The PEM_* routines, as documented at:
 https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_PUBKEY.html
do not claim to read DER format input. (Actually they don't say anything about 
DER).
Ruby's library uses:
 pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, (void *)pass);

It's documentation claims it read DER, which either it's wrong, or the
underlying ruby extension or SSL code has changed.

There must be a way to read DER format public keys.
I'm suspecting that maybe the magic is in the way the BIO is created?
(FAQ question PROG03, hints this for PKCS7 processing).


I had problems with DER using the command line options.  I can create, 
and display a DER keypair, a CSR, a self-signed cert.  I cannot use a 
CSR to make a cert where everything is DER.  So something is missing 
somewhere.  If you search back a bit, you will find my postings on this 
with the error messages I got.



Going to read the source code.


You are better man than I...

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] documentation for 1.1.0

2017-09-15 Thread Dave Serls 
On Fri, 15 Sep 2017 15:54:16 +
"Salz, Rich via openssl-users"  wrote:

> Links across versions don’t really work since we moved from “crypto” “ssl” to 
> man3, etc.
> Perhaps we should just take them down.

  One might suppose that it "failed" to a secure mode.  Older files will remain 
secure for eternity.
  The user, of course, must be alert to decrypting data prior to upgrade, or 
retaining a down-level 
  openssl environment somewhere close by.  For me, it is only a home-brew 
keyring that quickly got my
  attention.
> 
> 
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


-- 

*   Dave Serls Littleton, CO, USA  *
*   dashs.denver.co.us http://www.dashs.com*

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Compatibility of OpenSSL (Debian)

2017-09-15 Thread Dave Serls 

 A file DES3 encrypted here by OpenSSL 1.0.1t  3 May 2016 (Debian 7 or earlier 
version) is not accessible
 by OpenSSL 1.1.0f  25 May 2017 (Debian 9).  Is this expected behavior?

-- 

*   Dave Serls Littleton, CO, USA  *
*   dashs.denver.co.us http://www.dashs.com*

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] reading DER format public keys

2017-09-15 Thread Salz, Rich via openssl-users 
➢ pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, (void *)pass);

That only reads PEM files.  If docs say otherwise, they are wrong.

➢ There must be a way to read DER format public keys.

A raw public key?  Or a cert?  Or a pkcs object?  Anyhow, doc/man3/d2i_X509.pod 
in master.


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] reading DER format public keys

2017-09-15 Thread Michael Richardson 

The PEM_* routines, as documented at:
https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_PUBKEY.html
do not claim to read DER format input. (Actually they don't say anything about 
DER).
Ruby's library uses:
pkey = PEM_read_bio_PUBKEY(bio, NULL, ossl_pem_passwd_cb, (void *)pass);

It's documentation claims it read DER, which either it's wrong, or the
underlying ruby extension or SSL code has changed.

There must be a way to read DER format public keys.
I'm suspecting that maybe the magic is in the way the BIO is created?
(FAQ question PROG03, hints this for PKCS7 processing).

Going to read the source code.

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[



signature.asc
Description: PGP signature
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] documentation for 1.1.0

2017-09-15 Thread Salz, Rich via openssl-users 
Links across versions don’t really work since we moved from “crypto” “ssl” to 
man3, etc.
Perhaps we should just take them down.



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] documentation for 1.1.0

2017-09-15 Thread Michael Richardson 

Many pages like: 
https://www.openssl.org/docs/man1.0.2/crypto/PEM_read_bio_PUBKEY.html
will have a link on the right that says: "1.1.0" version, which I'd rather
read because I'm using 1.1.0+, but it links to:

 https://www.openssl.org/docs/man1.1.0/crypto/pem.html

which does not exist.  Nor does the "master' page at:
 https://www.openssl.org/docs/manmaster/crypto/pem.html

perhaps they are auto-generated, and the auto-generation is failing?

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works| network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[



signature.asc
Description: PGP signature
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Richard Olsen 
I created the CA, then created the key for a Server then created a
server.csr and generated the cert.


openssl genrsa -out HOME_Root_CA.key 2048openssl req -x509 -new -nodes
-key HOME_Root_CA.key -sha256 -days 3650 -out HOME_Root_CA.pemopenssl
x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Server
openssl genrsa -out HOME_Server.key 2048
openssl req -new -key HOME_Server.key -out HOME_Server.csr
openssl x509 -req -in HOME_Server.csr -CA HOME_Root_CA.pem -CAkey
HOME_Root_CA.key -CAcreateserial -out HOME_Server.pem -days 3650
-sha256

The httpd/conf.d/home.conf file has

SSLEngine on
SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem
SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key
SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem
#SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem

 What i need is for the browser to aknowledge the CA i created. Since
seeing responses to this saying i needed to import the CA into the
browser i have done that and I get an "SCC_ERROR_Untrusted_ISSUER with
that in place.



On Fri, Sep 15, 2017 at 10:06 AM, Wouter Verhelst
 wrote:
>
>
> On 15-09-17 15:58, Richard Olsen wrote:
>> I missed putting in the email  that i created all the certs as listed
>> below. SO i have the CA, Server and Client certs created. And tried to
>> do the pfx file for authentication with a "Soft cert" where i'll have to
>> configure later for a "hard cert" smartcard.
>
> Okay, so what are you trying to do, then?
>
> - If you're trying to do client-side authentication, then you need to
> place your CA certificate in a file that you point to with
> SSLCACertificateFile (see
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile
> for the apache 2.2 version of that configuration item). The Server
> certificate can be any (and should probably be a public-trust one).
> - If you're trying to authenticate your server against a private CA,
> then you should import the private CA certificate into your browser
> trust store. For firefox, you do that by going to Preferences ->
> Advanced -> View Certificates -> Authorities -> Import..., and then
> pointing to the .crt file.
>
> Note that while it is allowed, it is absolutely not necessary that your
> server certificate and client certificate are from the same CA.
>
> --
> Wouter Verhelst
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



-- 
Richard W. Olsen
Sr Security Engineer

6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699
Email: rol...@quotient-inc.com
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Error in X509_check_private_key when using pkcs11 engine (OpenSSL 1.0.2j)

2017-09-15 Thread Anton Gerasimov 
Greetings,

I'm trying to make OpenSSL (v. 1.0.2j) get client certificate/private
key from a virtual PKCS#11 device, namely SoftHSM. I've imported a
certificate and private key into SoftHSM, configured openssl as
following and run

    openssl s_client -engine pkcs11 -connect mydomain.com:443 -cert
'/path/to/client.pem' -certform PEM -key
'pkcs11:serial=41e0a668eb25afbc;id=%02' -keyform engine

(I've made it take the certificate from a file just to narrow down field
of possible error causes, it gives similar results reading certifivate
from the device as well).

openssl then asks for a PIN and after receiving it returns "error
setting private key" and the following error:

139798174321496:error:0B080075:x509 certificate
routines:X509_check_private_key:unknown key type:x509_cmp.c:368:

After some more debugging I've learned that X509_check_private_key()
fails because EVP_PKEY_cmp() fails which in turn fails because
eckey_pub_cmp() fails (yes, I use an EC key) which fails because "pb",
return value of EC_KEY_get0_public_key() on the second parameter is
NULL. It also looks like both compared keys have 'engine' set to NULL.

I don't quite confident with what's going on here, so I would be
grateful for any help from someone who is closer familiar with OpenSSL
codebase.

Thanks,
Anton Gerasimov


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Wouter Verhelst 


On 15-09-17 15:58, Richard Olsen wrote:
> I missed putting in the email  that i created all the certs as listed
> below. SO i have the CA, Server and Client certs created. And tried to
> do the pfx file for authentication with a "Soft cert" where i'll have to
> configure later for a "hard cert" smartcard.

Okay, so what are you trying to do, then?

- If you're trying to do client-side authentication, then you need to
place your CA certificate in a file that you point to with
SSLCACertificateFile (see
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile
for the apache 2.2 version of that configuration item). The Server
certificate can be any (and should probably be a public-trust one).
- If you're trying to authenticate your server against a private CA,
then you should import the private CA certificate into your browser
trust store. For firefox, you do that by going to Preferences ->
Advanced -> View Certificates -> Authorities -> Import..., and then
pointing to the .crt file.

Note that while it is allowed, it is absolutely not necessary that your
server certificate and client certificate are from the same CA.

-- 
Wouter Verhelst
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Richard Olsen 
I missed putting in the email  that i created all the certs as listed
below. SO i have the CA, Server and Client certs created. And tried to do
the pfx file for authentication with a "Soft cert" where i'll have to
configure later for a "hard cert" smartcard.


### Options fed into certs

## Country Name (2 letter code) [XX]:US

## State or Province Name (full name) []:STATE

## Locality Name (eg, city) [Default City]:City

## Organization Name (eg, company) [Default Company Ltd]:Company

## Organizational Unit Name (eg, section) []:Section

## Common Name (eg, your name or your server's hostname) []:host.local.com

## Email Address []:

# Create private key for CA

openssl genrsa -out HOME_Root_CA.key 2048

# Create CA certificate

openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out
HOME_Root_CA.pem

# Review ticket just created

openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Client

openssl genrsa -out HOME_Client.key 2048

# Create Certificate Signing Request (.csr)

openssl req -new -key HOME_Client.key -out HOME_Client.csr

# Generate client certficate based on CA

openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey
HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

# Create Personal Information Exchange (pfx) cert

openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out
HOME-client-cert.pfx

On Fri, Sep 15, 2017 at 9:31 AM, David H. Madden  wrote:

> On 15-Sep-2017 06:24, Richard Olsen wrote:
> > When i click on advanced i see
> >
> > "host.local.com uses and invalid security certificate. The certificate
> is
> > not trusted because the issuer certificate is unknown. The server might
> not
> > be sending the appropriate intermediate certficates. An addistional root
> > certificate may need to be imported.
>
> This is what you should expect to see.  Your browser is telling you that
> your self-signed server certificate isn't part of a chain, where the top
> of the chain is some CA that the browser trusts (because the top-level
> CA is in a configuration file somewhere).
>
> You may be able to import the self-signed server certificate into the
> browser as a trusted root, but the slightly-better option is to set up
> your own top-level CA (whose certificate you import into the browser),
> and then use that CA to create your server and client certificates.
>
> It's a bit more work, but also more useful if you ever want to issue
> certificates for a different server, different client, or issue a new
> certificate after one expires (and not have to update all the
> self-signed stuff.)
>
> Regards,
> --
> Mersenne Law ·  www.mersenne.com  · +1-503-679-1671
> Small Business, Startup & Intellectual Property Law
> 9600 S.W. Oak Street Suite 500 Tigard, Oregon 97223
>
>


-- 
Richard W. Olsen
Sr Security Engineer

6310 Hillside Court, Suite 101
Columbia, MD 21046 USA
Phone: 301-225-9699 <301.225.9699>
Email: rol...@quotient-inc.com
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Richard Olsen 
Sorry I left out half of my message. I created from CA down. As listed
below.


### Options fed into certs

## Country Name (2 letter code) [XX]:US

## State or Province Name (full name) []:STATE

## Locality Name (eg, city) [Default City]:City

## Organization Name (eg, company) [Default Company Ltd]:Company

## Organizational Unit Name (eg, section) []:Section

## Common Name (eg, your name or your server's hostname) []:host.local.com

## Email Address []:

# Create private key for CA

openssl genrsa -out HOME_Root_CA.key 2048

# Create CA certificate

openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out
HOME_Root_CA.pem

# Review ticket just created

openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Client

openssl genrsa -out HOME_Client.key 2048

# Create Certificate Signing Request (.csr)

openssl req -new -key HOME_Client.key -out HOME_Client.csr

# Generate client certficate based on CA

openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey
HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

# Create Personal Information Exchange (pfx) cert

openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out
HOME-client-cert.pfx

On Fri, Sep 15, 2017 at 9:24 AM, Richard Olsen 
wrote:

> I've run out of ideas on this and hope someone here can help me. I'm
> trying to set up SSL with self signed certificates. I'm on RHEL6 with httpd
> 2.2.15-60.el6.9_5 using firefox browser. I've created the certs with the
> following code:
>
> [CODE]
>
> ### Options fed into certs
>
> ## Country Name (2 letter code) [XX]:US
>
> ## State or Province Name (full name) []:STATE
>
> ## Locality Name (eg, city) [Default City]:City
>
> ## Organization Name (eg, company) [Default Company Ltd]:Company
>
> ## Organizational Unit Name (eg, section) []:Section
>
> ## Common Name (eg, your name or your server's hostname) []:host.local.com
>
> ## Email Address []:
>
> # Create private key for CA
>
> openssl genrsa -out HOME_Root_CA.key 2048
>
> # Create CA certificate
>
> openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650
> -out HOME_Root_CA.pem
>
> # Review ticket just created
>
> openssl x509 -in HOME_Root_CA.pem -noout -text
>
> # Create private key for Server
>
> openssl genrsa -out HOME_Server.key 2048
>
> # Create CA certificate
>
> openssl req -x509 -new -nodes -key HOME_Server.key -sha256 -days 3650 -out
> HOME_Server.pem
>
> # Review ticket just created
>
> openssl x509 -in HOME_Server.pem -noout -text
>
> # Create private key for Client
>
> openssl genrsa -out HOME_Client.key 2048
>
> # Create Certificate Signing Request (.csr)
>
> openssl req -new -key HOME_Client.key -out HOME_Client.csr
>
> # Generate client certficate based on CA
>
> openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey
> HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256
>
> [/CODE]
>
> Then I tried to create a client cert i can import in the browser and be
> authenticated.
>
> [CODE]
>
> # Create Personal Information Exchange (pfx) cert
>
> openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out
> HOME-client-cert.pfx
>
> [/CODE]
>
> My ssl config file in /etc/httpd/conf.d/home-test.conf
>
> [CODE]
>
> Listen 443
>
> LoadModule ssl_module modules/mod_ssl.so
>
> DocumentRoot "/var/www/html"
>
> 
>
> 
>
> 
>
> ErrorLog logs/ssl_error_log
>
> TransferLog logs/ssl_access_log
>
> #LogLevel warn
>
> LogLevel debug
>
> SSLEngine on
>
> SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem
>
> SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key
>
> SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem
>
> #SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem
>
> #SSLVerifyClient require
>
> SSLVerifyClient optional
>
> #DocumentRoot "/var/www/html"
>
> 
>
> [/CODE]
>
> So when i try to browse to [url]https://host.local.com[/url] i get the
> error
>
> "The owner of host.local.com has configured their website improperly. To
> protect your information from being stolen, Firefox has not connected to
> this website"
>
> When i click on advanced i see
>
> "host.local.com uses and invalid security certificate. The certificate is
> not trusted because the issuer certificate is unknown. The server might not
> be sending the appropriate intermediate certficates. An addistional root
> certificate may need to be imported.
>
> Error code"SEC_ERROR_UNKNOWN_ISSUER"
>
> I created a Combo.pem file with the CA pem, Server pem, and client pem and
> put it as the SSLCACertificateFile but that didn't work either.
>
> What am i missing, I've been through so many web pages and still can't see
> the problem.
>
>
> Also trying to set up a client/user pkcs12 cert/file to authenticate to
> the above listed webserver.  I have access to a set of certs for a
> different system and in the client.pfx file there are 2 certificates, but
> mine only has one
>



-- 
Richard W. Olsen
Sr Security Engineer

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread David H. Madden 
On 15-Sep-2017 06:24, Richard Olsen wrote:
> When i click on advanced i see
> 
> "host.local.com uses and invalid security certificate. The certificate is
> not trusted because the issuer certificate is unknown. The server might not
> be sending the appropriate intermediate certficates. An addistional root
> certificate may need to be imported.

This is what you should expect to see.  Your browser is telling you that
your self-signed server certificate isn't part of a chain, where the top
of the chain is some CA that the browser trusts (because the top-level
CA is in a configuration file somewhere).

You may be able to import the self-signed server certificate into the
browser as a trusted root, but the slightly-better option is to set up
your own top-level CA (whose certificate you import into the browser),
and then use that CA to create your server and client certificates.

It's a bit more work, but also more useful if you ever want to issue
certificates for a different server, different client, or issue a new
certificate after one expires (and not have to update all the
self-signed stuff.)

Regards,
-- 
Mersenne Law ·  www.mersenne.com  · +1-503-679-1671
Small Business, Startup & Intellectual Property Law
9600 S.W. Oak Street Suite 500 Tigard, Oregon 97223



smime.p7s
Description: S/MIME Cryptographic Signature
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Self signed cert issue

2017-09-15 Thread Wouter Verhelst 
On 15-09-17 15:24, Richard Olsen wrote:
> "host.local.com  uses and invalid security
> certificate. The certificate is not trusted because the issuer
> certificate is unknown. The server might not be sending the appropriate
> intermediate certficates. An addistional root certificate may need to be
> imported>
> Error code"SEC_ERROR_UNKNOWN_ISSUER"

This is the normal message you get from firefox when your certificate is
self-signed. It appears because firefox doesn't know the certificate
issuer (obviously), and is important so as to avoid an MITM attack.

You have three options:

- (preferred) use something like letsencrypt to get a public-trusted
certificate (although obviously that won't work if your site is not on
the public Internet)
- Create your own private CA that you then import as trusted into the
browsers on your network (rather a lot of work, but probably the better
option if this isn't just a home experiment)
- Tell Firefox to ignore the fact that it's a self-signed certificate by
clicking on the "Add exception..." button. In the dialog that appears,
make sure that the "Permanently store this exception" option is checked,
and hit "Confirm security exception". You will need to do this on every
machine that wants to connect to your server, for every certificate that
you create in this way, which may be a lot of work; if you don't want
that, see above.

-- 
Wouter Verhelst
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Self signed cert issue

2017-09-15 Thread Richard Olsen 
I've run out of ideas on this and hope someone here can help me. I'm trying
to set up SSL with self signed certificates. I'm on RHEL6 with httpd
2.2.15-60.el6.9_5 using firefox browser. I've created the certs with the
following code:

[CODE]

### Options fed into certs

## Country Name (2 letter code) [XX]:US

## State or Province Name (full name) []:STATE

## Locality Name (eg, city) [Default City]:City

## Organization Name (eg, company) [Default Company Ltd]:Company

## Organizational Unit Name (eg, section) []:Section

## Common Name (eg, your name or your server's hostname) []:host.local.com

## Email Address []:

# Create private key for CA

openssl genrsa -out HOME_Root_CA.key 2048

# Create CA certificate

openssl req -x509 -new -nodes -key HOME_Root_CA.key -sha256 -days 3650 -out
HOME_Root_CA.pem

# Review ticket just created

openssl x509 -in HOME_Root_CA.pem -noout -text

# Create private key for Server

openssl genrsa -out HOME_Server.key 2048

# Create CA certificate

openssl req -x509 -new -nodes -key HOME_Server.key -sha256 -days 3650 -out
HOME_Server.pem

# Review ticket just created

openssl x509 -in HOME_Server.pem -noout -text

# Create private key for Client

openssl genrsa -out HOME_Client.key 2048

# Create Certificate Signing Request (.csr)

openssl req -new -key HOME_Client.key -out HOME_Client.csr

# Generate client certficate based on CA

openssl x509 -req -in HOME_Client.csr -CA HOME_Root_CA.pem -CAkey
HOME_Root_CA.key -CAcreateserial -out HOME_Client.pem -days 3650 -sha256

[/CODE]

Then I tried to create a client cert i can import in the browser and be
authenticated.

[CODE]

# Create Personal Information Exchange (pfx) cert

openssl pkcs12 -export -in HOME_Client.pem -inkey HOME_Client.key -out
HOME-client-cert.pfx

[/CODE]

My ssl config file in /etc/httpd/conf.d/home-test.conf

[CODE]

Listen 443

LoadModule ssl_module modules/mod_ssl.so

DocumentRoot "/var/www/html"







ErrorLog logs/ssl_error_log

TransferLog logs/ssl_access_log

#LogLevel warn

LogLevel debug

SSLEngine on

SSLCertificateFile /var/tmp/HOME-test/HOME_Server.pem

SSLCertificateKeyFile /var/tmp/HOME-test/HOME_Server.key

SSLCACertificateFile /var/tmp/HOME-test/COMBO-test.pem

#SSLCACertificateFile /var/tmp/HOME-test/HOME_Root_CA.pem

#SSLVerifyClient require

SSLVerifyClient optional

#DocumentRoot "/var/www/html"



[/CODE]

So when i try to browse to [url]https://host.local.com[/url] i get the error

"The owner of host.local.com has configured their website improperly. To
protect your information from being stolen, Firefox has not connected to
this website"

When i click on advanced i see

"host.local.com uses and invalid security certificate. The certificate is
not trusted because the issuer certificate is unknown. The server might not
be sending the appropriate intermediate certficates. An addistional root
certificate may need to be imported.

Error code"SEC_ERROR_UNKNOWN_ISSUER"

I created a Combo.pem file with the CA pem, Server pem, and client pem and
put it as the SSLCACertificateFile but that didn't work either.

What am i missing, I've been through so many web pages and still can't see
the problem.


Also trying to set up a client/user pkcs12 cert/file to authenticate to the
above listed webserver.  I have access to a set of certs for a different
system and in the client.pfx file there are 2 certificates, but mine only
has one
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Why wasn't the fix for IP name restrictions included in 1.0.2 ?

2017-09-15 Thread Matt Caswell 


On 15/09/17 00:05, Salz, Rich via openssl-users wrote:
> 
> ➢ But the patch was put in git almost 10 months before 1.0.2 initial 
> release.
> 
> We weren’t using git back then.  So maybe it’s a bad/confusing import.  Maybe 
> matt can explain.
> 

Actually I think we were using git at that point. I calculate it at
about 8 months at the point of that commit before the 1.0.2 release.

IIRC 1.0.2 had a very long and protracted release period. It actually
went into beta at the end of February 2014. Shortly afterwards
heartbleed hit and we had our minds on other things for a bit, so it
didn't get released until January 2015. The 1.0.2 branch was in "feature
freeze" during that whole period - so that is almost certainly the
reason why this wasn't backported.

Perhaps if we had realised in May 2014 that we weren't going to release
1.0.2 for another 8 months then we might have made different decisions.

Matt
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users