Here's all the various outputs:
Log before attempting to connect via SSL
2 kept, 0 deleted.
[EMAIL PROTECTED]: ~]$ tail -f /var/opt/log/bincimap/current
@400000003f6db07f08d066ac 6288 1 [EMAIL PROTECTED]:] Client disconnected
@400000003f6db07f0935fe7c 6293 5 [EMAIL PROTECTED]:] Main server shutting down - bodies:0 statements:4
@400000003f6db07f093eb10c 6288 2 [EMAIL PROTECTED]:] Unprivileged stub shutting down - read:4961 bytes, wrote:243762 bytes.
@400000003f6db07f0942f2e4 6292 1 [EMAIL PROTECTED]:] Client disconnected
@400000003f6db07f0994a10c 6292 2 [EMAIL PROTECTED]:] Unprivileged stub shutting down - read:97 bytes, wrote:323 bytes.
@400000003f6db386394d2aa4 6901 0 [EMAIL PROTECTED]:] Client connected to Binc IMAP from 127.0.0.1
@400000003f6db38d37689bc4 6902 0 [EMAIL PROTECTED]:] User <archon> entered authenticated mode.
@400000003f6db43c0a4fd6d4 6902 1 [EMAIL PROTECTED]:INBOX]
@400000003f6db43c0a6212cc 6902 2 [EMAIL PROTECTED]:INBOX] Main server shutting down - bodies:0 statements:7
@400000003f6db43c0a8c0ce4 6901 1 [EMAIL PROTECTED]:] Unprivileged stub shutting down - read:148 bytes, wrote:1626 bytes.
Log AFTER attempting to connect via SSL
2 kept, 0 deleted.
[EMAIL PROTECTED]: ~]$ tail -f /var/opt/log/bincimap/current
@400000003f6db07f08d066ac 6288 1 [EMAIL PROTECTED]:] Client disconnected
@400000003f6db07f0935fe7c 6293 5 [EMAIL PROTECTED]:] Main server shutting down - bodies:0 statements:4
@400000003f6db07f093eb10c 6288 2 [EMAIL PROTECTED]:] Unprivileged stub shutting down - read:4961 bytes, wrote:243762 bytes.
@400000003f6db07f0942f2e4 6292 1 [EMAIL PROTECTED]:] Client disconnected
@400000003f6db07f0994a10c 6292 2 [EMAIL PROTECTED]:] Unprivileged stub shutting down - read:97 bytes, wrote:323 bytes.
@400000003f6db386394d2aa4 6901 0 [EMAIL PROTECTED]:] Client connected to Binc IMAP from 127.0.0.1
@400000003f6db38d37689bc4 6902 0 [EMAIL PROTECTED]:] User <archon> entered authenticated mode.
@400000003f6db43c0a4fd6d4 6902 1 [EMAIL PROTECTED]:INBOX]
@400000003f6db43c0a6212cc 6902 2 [EMAIL PROTECTED]:INBOX] Main server shutting down - bodies:0 statements:7
@400000003f6db43c0a8c0ce4 6901 1 [EMAIL PROTECTED]:] Unprivileged stub shutting down - read:148 bytes, wrote:1626 bytes.
No change. Again, openssl just hung.
Output of CA.pl:
arthur# CA.pl -newcert
Generating a 1024 bit RSA private key
..++++++
.++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Dublin, CA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Silvertree Communications
Organizational Unit Name (eg, section) []:Security Services
Common Name (eg, YOUR name) []:IMAP Certificate
Email Address []:
Certificate (and private key) is in newreq.pem
Config file:
//----------------------------------------------------------------------------
SSL {
    pem file = "/etc/ssl/newreq.pem",  /* private key and certificate chain PEM file name */
    ca file = "",                      /* file to use as certificate authority */
    cipher list = "!ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP",
    verify peer = "no"
}
Result of telnet to port 993:
Result of openssl s_client -connect localhost:993 -crlf
arthur# openssl s_client -connect localhost:993 -crlf
CONNECTED(00000003)
Contents of /etc/ssl/newreq.pem
arthur# vi /etc/ssl/newreq.pem
-----BEGIN RSA PRIVATE KEY-----
<<SNIP>>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<<SNIP>>
-----END CERTIFICATE-----
strace output (running openssl command as root in another window):
[pid 13140] break(0x80b6000) = 0
[pid 13140] break(0x80b7000) = 0
[pid 13140] break(0x80b8000) = 0
[pid 13140] open("/usr/local/openssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 13140] getpid() = 13140 (ppid 77566)
Why is it trying to find a cert here?
[pid 13140] getpid() = 13140 (ppid 77566)
[pid 13140] getpid() = 13140 (ppid 77566)
[pid 13140] getpid() = 13140 (ppid 77566)
[pid 13140] getpid() = 13140 (ppid 77566)
[pid 13140] getpid() = 13140 (ppid 77566)
[pid 13140] getpid() = 13140 (ppid 77566)
[pid 13140] open("/etc/ssl/newreq.pem", O_RDONLY) = 3
[pid 13140] fstat(3, {st_mode=S_IFREG|0644, st_size=2257, ...}) = 0
[pid 13140] break(0x80bc000) = 0
[pid 13140] read(3, "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,2E7685D7CD10FC40\n\n1i7SbZW6w8PB9XjJmFnH4+AO8OvTh82g"..., 16384) = 2257
[pid 13140] close(3) = 0
[pid 13140] open("/etc/ssl/newreq.pem", O_RDONLY) = 3
[pid 13140] fstat(3, {st_mode=S_IFREG|0644, st_size=2257, ...}) = 0
[pid 13140] read(3, "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,2E7685D7CD10FC40\n\n1i7SbZW6w8PB9XjJmFnH4+AO8OvTh82g"..., 16384) = 2257
[pid 13140] open("/dev/tty", O_RDONLY) = -1 ENXIO (Device not configured)
[pid 13140] open("/dev/tty", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENXIO (Device not configured)
[pid 13140] ioctl(0, TIOCGETA, 0x281d2840) = -1 EOPNOTSUPP (Operation not supported)
[pid 13140] getpid() = 13140 (ppid 77566)
[pid 13140] getpid() = 13140 (ppid 77566)
[pid 13140] getpid() = 13140 (ppid 77566)
[pid 13140] close(3) = 0
[pid 13140] getpid() = 13140 (ppid 77566)
[pid 13140] setitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={0, 0}}, {it_interval={0, 0}, it_value={0, 0}}) = 0
[pid 13140] write(2, "13140 0 [EMAIL PROTECTED]:] Error initializing Binc IMAP: SSL negotiation failed: SSL error: unable to use private key in P"..., 226
OK, these lines are vaguely troubling:
[pid 13140] open("/dev/tty", O_RDONLY) = -1 ENXIO (Device not configured)
[pid 13140] open("/dev/tty", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 ENXIO (Device not configured)
[pid 13140] ioctl(0, TIOCGETA, 0x281d2840) = -1 EOPNOTSUPP (Operation not supported)
[pid 13140] getpid() = 13140 (ppid 77566)
Any insight?
--
PGP Key: http://archon.silvertree.org/pgp.txt
"Compassion and retribution are two sides of the same coin. Necessity
dictates on what side the coin will fall."
"Firearms stand next in importance to the Constitution itself. They are the
American people's liberty teeth and keystone under independence."
-George Washington
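
The strace in the post shows newreq.pem beginning with "Proc-Type: 4,ENCRYPTED", two failed opens of /dev/tty, and then "unable to use private key"; OpenSSL opens /dev/tty to prompt for a key's pass phrase, which a daemon with no controlling terminal cannot do. As an added example (not part of the original post and not Binc IMAP code), this Python check flags a PEM file whose private key is pass-phrase protected or readable beyond its owner (the fstat shows mode 0644); the sample PEM text is constructed, and `audit_pem` and `audit_text` are hypothetical names.

```python
import os
import re
import stat
import tempfile

# BEGIN lines of PEM blocks that carry a private key (traditional and PKCS#8).
_BEGIN = re.compile(r"^-----BEGIN ((?:RSA |DSA |EC |ENCRYPTED )?PRIVATE KEY)-----\s*$")
# Constructed sample: same header layout as the read() in the strace, dummy body.
SAMPLE_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0000000000000000\n\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
)
SAMPLE_CLEAR = SAMPLE_ENCRYPTED.replace(
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0000000000000000\n\n", "")

def audit_pem(path):
    """Return findings for a PEM file that a daemon must load with no terminal."""
    findings, in_key, has_key = [], False, False
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            m = _BEGIN.match(line)
            if m:
                in_key = has_key = True
                if m.group(1) == "ENCRYPTED PRIVATE KEY":  # PKCS#8 form
                    findings.append("encrypted-key")
            elif line.startswith("-----END"):
                in_key = False
            elif in_key and line.startswith("Proc-Type:") and "ENCRYPTED" in line:
                findings.append("encrypted-key")  # traditional form
    if has_key and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("key-readable-beyond-owner")
    return findings

def audit_text(text, mode):
    """Write constructed PEM text to a temp file with `mode`, audit it, clean up."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit_pem(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(audit_text(SAMPLE_ENCRYPTED, 0o644), audit_text(SAMPLE_CLEAR, 0o600))
```
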