Hi again!
On Sat, Dec 13, 2003 at 04:57:49PM +0100, Paolo Nesti Poggi wrote:
> I thought I wanted to write this down now, when I'm still new to it.

Thanks a lot for your valuable feedback, I'm sure Andreas will update the web to reflect your suggestions (or at least I hope so :) - I think they are excellent improvements.

> I found out that the problem was that the certificate had the password
> inside and bincimap asked for it (the password) in an endless loop.
[..]
> I wonder how you get it to work without removing the password from the key.

Well, since Binc has to be able to start unattended (unless you want to sit by the console and type in the key passphrase every time someone connects) this isn't really possible. Sure, you could allow for a passphrase to be read from somewhere, but then an attacker gaining root access to your box would just have to read from that somewhere to get the passphrase first, before reading somewhere else to get the actual key - no real gain.. I don't know if Andreas has any thoughts on this, if so, please tell us..

From the security perspective it is of course desirable to have a passphrase on the key, however with the current design it isn't really possible..

> Inside openssl.conf i find the following note that can be related to that:
> # Passwords for private keys if not present they will be prompted for
> # input_password = secret
> # output_password = secret
>
> These lines are still commented out in my .cnf, do you know something about
> it?

I guess they are default passwords that the openssl tool tries to use if they're set, instead of first prompting the user like it does now.

> About the "bad certificate" error in the log file:
> Trying to connect with Netscape 7 or 4.7 makes no difference (well, although
> the text might be slightly different).
> I get the log below:
> @400000003fda4e0b0c83ba4c 3868 0 [EMAIL PROTECTED]:] Error initializing
> Binc IMAP: SSL negotiation failed: Internal SSL error:
> error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

This is strange.. Netscape 7 should work very well with the certificate. Put the CA certificate (WITHOUT the key!) on the web somewhere, make sure that the web server serves the cert file as the MIME type application/x-x509-ca-cert and just surf to that location with the web browser, you should get a box asking you to trust the new CA, check all appropriate boxes (at least web sites, but I trust it for everything) to add your own CA as a trusted CA in the browser. After that, Netscape should be able to talk to Binc just fine.

If you want to have a client certificate as well (verify peer = "yes") then you'll need to make a cert for the user as usual and then convert it to PKCS#12 format for importing to Netscape/Mozilla:

#- on client or trusted admin workstation:
- openssl req -newkey rsa:2048 -keyout user.key -out user.req
#- now copy user.req to CA system, then:
- openssl ca -in user.req -out user.cert
#- now copy user.cert back to client or trusted admin workstation, then:
- openssl pkcs12 -export -out user.p12 -in user.cert -inkey user.key

You'll be asked for a couple of different passphrases, the user key one, then the CA key passphrase, then the one for the user key again and finally an "export password" that is used to secure the .p12 file. Go to Netscape, Preferences, Security, Manage certificates, Your own, Import, pick user.p12 and then enter the export password you used earlier. That should be all that's necessary. (And I should probably put this on LWBI..)

> However I will test with other clients too and think that I can just fine
> tune the way the certificate is made (changing openssl.conf).
> I don't expect it to be a major problem now that the server run as expected
> (but I might be surprised :-)

Aha, you mean changing things like the policy and usr_flags, yes, that could be useful. You could also try the (pretty general) settings I use in the DIYCA example on LWBI, I haven't used them to create user certificates for import into Netscape, only for import to a smartcard, so would be nice to know if it works.

Whenever experimenting with certificates and/or SSL, openssl is a great tool. (Run openssl help to get a list of all of the commands supported, then openssl command -help to get a list of parameters for that command.) You've already used the s_client command, but there's also an s_server which should behave just like Binc, although you have complete control over what's going on with the s_server, so you can find things that may have to be changed with Binc or its configuration. Note that s_client and s_server don't like PKCS#12 chains however, so you'll want to use the .key and .cert files for experimenting, and when you find out what works just put it together in a .p12 file and import into Netscape.

> > openssl s_client -connect localhost:993 -CAfile CADIR/cacert.crt
>
> Thank you for that, lot of output!

Yes, it's somewhat verbose, but that's good. :)

Hope the rest of the weekend is good to you!

//Peter
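The client-certificate procedure Peter describes (key and request on the client, signing at the CA, bundling into PKCS#12 with an export password), written out as an added example script that is not from the mail, from Binc IMAP or from LWBI. It builds a throwaway CA in a temporary directory so it can run unattended: the CA name "Example-Test-CA", the user name "user" and the export password are constructed values, and the signing step uses `openssl x509 -req` instead of `openssl ca` so that no CA directory layout or openssl.cnf policy section is needed. The last function checks the point the mail makes about the export password: the .p12 opens with the right password and is rejected with a wrong one.

```sh
#!/bin/sh
# Added example (not from the original mail or from Binc): throwaway CA,
# CA-signed user certificate, PKCS#12 bundle, and chain verification.
set -eu

# Build the whole test PKI inside directory $1.
# -nodes leaves the CA and user keys unencrypted so the script runs without
# prompting; that is the same trade-off the mail discusses for a server key.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # 1. CA key and self-signed CA certificate. ca.crt is what you would
    #    publish for browsers to import; ca.key must never leave the CA box.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example-Test-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. User key and certificate request (the client-side step).
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=user" \
        -keyout "$dir/user.key" -out "$dir/user.req" 2>/dev/null
    # 3. Sign the request with the CA (stands in for "openssl ca").
    openssl x509 -req -days 1 -in "$dir/user.req" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/user.cert" 2>/dev/null
    # 4. Bundle certificate and key for import into a browser; the export
    #    password (constructed value) is what protects the .p12 file.
    openssl pkcs12 -export -in "$dir/user.cert" -inkey "$dir/user.key" \
        -out "$dir/user.p12" -passout pass:export-secret 2>/dev/null
}

# Check that user.cert chains to ca.crt; prints "<path>/user.cert: OK".
verify_user_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/user.cert"
}

# Returns 0 only if the bundle opens with the export password AND refuses
# a wrong password (the MAC check fails, so openssl exits non-zero).
check_p12_password() {
    openssl pkcs12 -in "$1/user.p12" -passin pass:export-secret \
        -nokeys -noout 2>/dev/null || return 1
    if openssl pkcs12 -in "$1/user.p12" -passin pass:wrong-secret \
        -nokeys -noout 2>/dev/null; then
        return 1
    fi
    return 0
}

# Stand-alone demo: build, verify, check the password, clean up.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
verify_user_cert "$demo_dir"
check_p12_password "$demo_dir" && echo "p12 export password enforced"
rm -rf "$demo_dir"
```

For experimenting the way the mail suggests, the unbundled user.key and user.cert in the temporary directory are the files to hand to `openssl s_client -cert`/`-key` against an `openssl s_server` started with the CA certificate; only after that works is it worth building the .p12 for the browser.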
