Re: [openssl-users] Non-self-signed SSL certificates for private hosted DNS zones
Hi Viktor

Thanks for this confirmation. I think the correct approach would be to use our internal CA.

On Tue, Mar 7, 2017 at 7:16 PM, Viktor Dukhovni wrote:

> > On Mar 7, 2017, at 2:21 AM, Traiano Welcome wrote:
> >
> > I have a private DNS zone hosted on AWS route 53, only resolvable from
> > within some specific VPCs.
> > It appears some applications require an SSL certificate associated with
> > the private DNS zone, and this SSL certificate should come from a trusted,
> > external certificate provider (cannot be self-signed).
>
> The "trusted external" CA that issues the not-self-signed end-entity cert
> can almost certainly (with appropriate configuration of the client app)
> be a private CA that you create and provide to the SSL clients.
>
> In which case the question below is moot.
>
> > My questions are:
> >
> > a) Is this a known use-case? i.e. private DNS zones requiring non-self-signed
> > certificates?
>
> I usually use private CA certs for use on non-public networks.
>
> > b) Since the DNS zone is not resolvable on the public internet,
> > how would the certificate validation process occur for applications
> > communicating with systems in the private zone ?
>
> There is some prior history of public CAs issuing certificates for
> private namespaces, but IIRC this practice is discouraged and going
> away.
>
> > c) Do SSL certificate providers issue trusted SSL certificates for private
> > DNS zones?
>
> It is not really possible for them to know that the names in question
> are used in another "private" deployment elsewhere.
>
> --
> Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] error making Private RSA
> > My source can be viewed at: mt-umunhum-wireless.net/Sources/rsa/rsa.c

Gives a 403.

> > My main guess is that your allocation for the PEM buffer is too small
> > -- is key/key_len pointing to a static buffer?
>
> It points to a char string

Not sure what that means. Please post your code here. It should be something like

    char key[2048];
    int keylen = sizeof key;
Re: [openssl-users] error making Private RSA
> Not sure this is the proper way to use this mailing system?
>
> My source can be viewed at: mt-umunhum-wireless.net/Sources/rsa/rsa.c
>
> What version of openssl? I'm guessing 1.0.2.
>
> Put this line in your code
> ERR_load_ERR_strings();
> And you'll get a more informative message.

Did this and no improvement.

> I'm using: openssl version
> OpenSSL 1.0.1t 3 May 2016

openssl version
OpenSSL 1.0.2j-fips 26 Sep 2016

> > My main guess is that your allocation for the PEM buffer is too small --
> > is key/key_len pointing to a static buffer?

It points to a char string

--
William Estrada
Mt Umunhum, CA, USA, Earth
HTTP:// Mt-Umunhum-Wireless.net
Skype: MrUmunhum
Re: [openssl-users] undefined symbol fabs in file test/ct_test.o in openssl 1.1.0e on solaris
> From: markus.sondereg...@juliusbaer.com
> [mailto:markus.sondereg...@juliusbaer.com]
> Sent: Tuesday, March 07, 2017 10:49
> To: Michael Wojcik
> Subject: Re: undefined symbol fabs in file test/ct_test.o in openssl 1.1.0e on
> solaris

For threads that originated on openssl-users, please send messages to the list, rather than to me directly.

> >> For the record, we've always just changed the Solaris configuration we use
> >> in Configure to add -lm.
>
> I am not an experienced C developer so please can you tell me where in the
> Configure file I have to add -lm.

This has nothing to do with C development. The OpenSSL Configure process, while conceptually related to that used by some other packages, is an OpenSSL invention. And the use of -lm is an artifact of the toolchain (common to many toolchains for UNIX-like systems); it too has nothing to do with the C language.

Also, I've just looked at our Configure and apparently I misremembered; we do not add -lm for the Solaris builds. (We make a number of other changes for that platform, though.) It seems it's not needed for the version of OpenSSL we're currently building.

Where you would add -lm depends on what configuration you're using, which in turn depends on which system architecture and toolchain you're using. It also may depend on what version of OpenSSL you're building. I don't have that information, obviously.

In OpenSSL 1.0.2j's Configure (and generally for all the 1.0.2 releases, I believe), all the Solaris configure entries have -ldl in their library list. So you can search Configure for "solaris (with the double-quote) at the beginning of a line, then add -lm (with a space) after -ldl on each such line. For example, in vi:

    :%s/^"solaris.* -ldl/& -lm

Whether this also applies to OpenSSL 1.1.0 or whatever you're building, I can't say.

Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] Non-self-signed SSL certificates for private hosted DNS zones
> On Mar 7, 2017, at 2:21 AM, Traiano Welcome wrote:
>
> I have a private DNS zone hosted on AWS route 53, only resolvable from
> within some specific VPCs.
> It appears some applications require an SSL certificate associated with
> the private DNS zone, and this SSL certificate should come from a trusted,
> external certificate provider (cannot be self-signed).

The "trusted external" CA that issues the not-self-signed end-entity cert can almost certainly (with appropriate configuration of the client app) be a private CA that you create and provide to the SSL clients.

In which case the question below is moot.

> My questions are:
>
> a) Is this a known use-case? i.e. private DNS zones requiring non-self-signed
> certificates?

I usually use private CA certs for use on non-public networks.

> b) Since the DNS zone is not resolvable on the public internet,
> how would the certificate validation process occur for applications
> communicating with systems in the private zone ?

There is some prior history of public CAs issuing certificates for private namespaces, but IIRC this practice is discouraged and going away.

> c) Do SSL certificate providers issue trusted SSL certificates for private
> DNS zones?

It is not really possible for them to know that the names in question are used in another "private" deployment elsewhere.

--
Viktor.
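A minimal version of the private-CA approach described in this reply, as an added example (not code from the thread or from the poster): it stands up a private root, issues a non-self-signed certificate for a constructed private-zone name, and runs the two checks a client provisioned with that root performs, neither of which resolves the name. The CA name, host name and working directory are constructed placeholders; it assumes the openssl command is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: private CA -> host cert -> client checks.
# CA_NAME and HOST are constructed placeholders; WORK is a scratch directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_NAME="Example Internal CA"     # constructed
HOST="app.corp.internal"          # constructed name from a private zone

make_private_ca() {
  # Only the root is self-signed; this is the file distributed to clients.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$CA_NAME" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    >/dev/null 2>&1
}

issue_host_cert() {
  # CSR for the private host; the SAN carries the DNS name clients match on.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" \
    > "$WORK/host.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORK/host.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/host.ext" -out "$WORK/host.crt" >/dev/null 2>&1
}

verify_as_client() {
  # Chain validation against the private root plus a SAN match. No DNS lookup
  # happens here, so the zone being unresolvable publicly does not matter.
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/host.crt" >/dev/null 2>&1 \
    || return 1
  openssl x509 -in "$WORK/host.crt" -noout -text | grep -q "DNS:$HOST"
}

verify_without_private_ca() {
  # Against the default trust store the same cert is rejected, which is why
  # the private root has to be provisioned on every client. Returns 0 if rejected.
  ! openssl verify "$WORK/host.crt" >/dev/null 2>&1
}

main() {
  make_private_ca
  issue_host_cert
  verify_as_client && echo "chain and name OK with private CA"
  verify_without_private_ca && echo "rejected without private CA, as expected"
}
case "${1:-}" in run) main ;; esac
```

Run it as `sh script.sh run`; the artifacts land in `$WORK` so the root and host certificate can be inspected afterwards.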
Re: [openssl-users] How to compile the static binary version of openssl
> On Mar 7, 2017, at 5:28 AM, Yu Chen wrote:
>
> Currently I'm trying to get a static binary of openssl command via
> compiling the openssl-1.1.0e.

What do you mean by "static binary"? Is it enough for the "ssl" and "crypto" libraries to be statically linked into the "openssl" executable? Or do you also want the C-library to be statically linked?

You may need to disable support for dynamically loadable engines (the "no-engine" option) and dynamic loading of any kind (via the "no-dso" option) in order to get a completely static executable. Is that what you want?

> I've tried to configure with no-shared, but the bin/openssl is still
> dynamic linked.

But it should have static copies of the "ssl" and "crypto" libraries.

> Thus I added -static to the end of CFLAG, it just can not get compiled.
> Anyone know how to get a static openssl command? thanks in advance.

Perhaps "engine" and/or "dso" support requires a dynamic C-library.

--
Viktor.
[openssl-users] How to compile the static binary version of openssl
Hi,

Currently I'm trying to get a static binary of openssl command via compiling the openssl-1.1.0e.

I've tried to configure with no-shared, but the bin/openssl is still dynamic linked. Thus I added -static to the end of CFLAG, it just can not get compiled.

Anyone know how to get a static openssl command? thanks in advance.