-----Original Message-----
From: Stefano Rivera [mailto:[EMAIL PROTECTED]
Sent: Sunday, September 21, 2003 08:37
To: Binc IMAP General
Subject: Re: [binc] SSL woes


Hi Scott (2003.09.21_17:19:43_+0200)
> Output of CA.pl:
> ...
> writing new private key to 'newreq.pem'
> ...
>>
>> That is only the certificate request. You still have to sign it with
>> your CA certificate... Read the SSL Howto on tldp.org for more details.
>>
>> SR
Sorry, didn't respond to the list:

On Sun, Sep 21, 2003 at 05:36:32PM +0200, Stefano Rivera
([EMAIL PROTECTED]) wrote:
> Hi Scott (2003.09.21_17:19:43_+0200)
>
> That is only the certificate request. You still have to sign it with
> your CA certificate... Read the SSL Howto on tldp.org for more details.
>
> SR
       -signcert
           this option is the same as -sign except it expects a self signed
           certificate to be present in the file "newreq.pem".
arthur# CA.pl -signcert
Getting request Private Key
Enter pass phrase for newreq.pem:
Generating certificate request
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Sep 21 15:42:30 2003 GMT
            Not After : Sep 20 15:42:30 2004 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            localityName              = Dublin, CA
            organizationName          = Silvertree Communications
            organizationalUnitName    = Security Services
            commonName                = IMAP Certificate
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            DA:E3:23:7C:1F:B0:83:C4:82:D2:35:38:B9:DF:13:57:94:F2:EF:E9
            X509v3 Authority Key Identifier:
                keyid:C7:3E:D7:4D:07:A8:04:3F:4D:70:1E:47:F6:DC:96:49:F5:C9:A8:AB
                DirName:/C=US/ST=CA/L=Dublin/O=Silvertree Communications/OU=Security/CN=Scott Schappell/[EMAIL PROTECTED]
                serial:00

Certificate is to be certified until Sep 20 15:42:30 2004 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
arthur# ls -la newcert.pem
-rw-r--r--  1 root  wheel  3733 Sep 21 08:42 newcert.pem

Config file change:

SSL {
    pem file = "/etc/ssl/newcert.pem",   /* private key and certificate chain PEM file name */

    ca file = "",                        /* file to use as certificate authority */

    cipher list = "!ADH:RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP",

    verify peer = "no"


arthur# !openssl
openssl s_client -connect arthur.silvertree.org:993 -crlf
CONNECTED(00000003)


And my oh so lovely strace output:

[pid 14575] break(0x80b5000)            = 0
[pid 14575] break(0x80b6000)            = 0
[pid 14575] break(0x80b7000)            = 0
[pid 14575] break(0x80b8000)            = 0
[pid 14575] open("/usr/local/openssl/cert.pem", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 14575] getpid()                    = 14575 (ppid 77566)
[pid 14575] getpid()                    = 14575 (ppid 77566)
[pid 14575] getpid()                    = 14575 (ppid 77566)
[pid 14575] getpid()                    = 14575 (ppid 77566)
[pid 14575] getpid()                    = 14575 (ppid 77566)
[pid 14575] getpid()                    = 14575 (ppid 77566)
[pid 14575] getpid()                    = 14575 (ppid 77566)
[pid 14575] open("/etc/ssl/newcert.pem", O_RDONLY) = 3
[pid 14575] fstat(3, {st_mode=S_IFREG|0644, st_size=3733, ...}) = 0
[pid 14575] break(0x80bc000)            = 0
[pid 14575] read(3, "Certificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number: 2 (0x2)\n        Signature Algorithm: md5WithRSAEncryption"..., 16384) = 3733
[pid 14575] close(3)                    = 0
[pid 14575] open("/etc/ssl/newcert.pem", O_RDONLY) = 3
[pid 14575] fstat(3, {st_mode=S_IFREG|0644, st_size=3733, ...}) = 0
[pid 14575] read(3, "Certificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number: 2 (0x2)\n        Signature Algorithm: md5WithRSAEncryption"..., 16384) = 3733
[pid 14575] read(3, "", 16384)          = 0
[pid 14575] getpid()                    = 14575 (ppid 77566)
[pid 14575] getpid()                    = 14575 (ppid 77566)
[pid 14575] getpid()                    = 14575 (ppid 77566)
[pid 14575] getpid()                    = 14575 (ppid 77566)
[pid 14575] close(3)                    = 0
[pid 14575] getpid()                    = 14575 (ppid 77566)
[pid 14575] setitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={0, 0}}, {it_interval={0, 0}, it_value={0, 0}}) = 0
[pid 14575] write(2, "14575 0 [EMAIL PROTECTED]:] Error initializing Binc IMAP: SSL negotiation failed: SSL error: unable to use private key in P"..., 215

Do I need to specify a CA file? Since it's self signed, the FAQ/readme says
"no", but...
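Added check, not from this thread or from Binc IMAP: a dependency-free Python script that inspects a PEM file the way a daemon's combined key-and-certificate setting needs it, reporting whether the file holds a certificate only (which is what CA.pl leaves in newcert.pem, the key staying in newreq.pem), a passphrase-protected key, or both objects in the clear. The sample PEM texts are constructed inline with toy DER bodies; the DEK-Info value is made up.

```python
import base64
import re

# One PEM block: label, optional "Name: value" headers, then the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def parse_pem(text):
    """Return (label, headers, der) per PEM block. Text outside the markers, such as
    the readable dump CA.pl writes ahead of the certificate, is skipped as OpenSSL skips it."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        headers, b64, in_headers = {}, [], True
        for line in body.splitlines():
            if in_headers and ":" in line:  # e.g. Proc-Type, DEK-Info
                name, value = line.split(":", 1)
                headers[name.strip()] = value.strip()
                continue
            in_headers = False
            b64.append(line.strip())
        der = base64.b64decode("".join(b64), validate=True)
        # Plaintext keys and certificates are DER SEQUENCEs (tag 0x30); an
        # encrypted legacy key body is ciphertext, so it is not checked.
        if headers.get("Proc-Type") != "4,ENCRYPTED" and (not der or der[0] != 0x30):
            raise ValueError(f"{label}: body is not a DER SEQUENCE")
        blocks.append((label, headers, der))
    return blocks

def diagnose(text):
    """Say whether a file is usable as a daemon's combined key-plus-certificate PEM file."""
    blocks = parse_pem(text)
    keys = [(lbl, hdr) for lbl, hdr, _ in blocks if lbl in KEY_LABELS]
    if not any(lbl == "CERTIFICATE" for lbl, _, _ in blocks):
        return "no certificate" if keys else "no PEM objects found"
    if not keys:
        return "certificate only: no private key"
    label, headers = keys[0]
    if label == "ENCRYPTED PRIVATE KEY" or headers.get("Proc-Type") == "4,ENCRYPTED":
        return "key and certificate present, but the key is passphrase-protected"
    return "ok: unencrypted private key and certificate present"

# Constructed samples: a 5-byte DER SEQUENCE (30 03 02 01 05) stands in for real
# key and certificate bodies; the DEK-Info IV is a made-up value.
TOY = "MAMCAQU="
CERT_ONLY = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
             "-----BEGIN CERTIFICATE-----\n" + TOY + "\n-----END CERTIFICATE-----\n")
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\n" + TOY + "\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n" + TOY +
                 "\n-----END RSA PRIVATE KEY-----\n")
```

Run `diagnose()` on the file named in `pem file` before starting the daemon; a "certificate only" or "passphrase-protected" result is what an unattended server cannot use.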