-----Original message-----
From: Jeffrey Altman [mailto:[EMAIL PROTECTED]]
Sent: Friday, 07 June 2002 14:57
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: RE: telnetd-ssl

Then it looks like Debian's telnet does not support client
certificates.  I don't know what "telnet-ssl" is or was.  If this was
Tim Hudson's old implementation using the TELNET AUTH SSL hack then it
should be abandoned in favor of one that supports the IETF TELNET
START_TLS option.  The code that Peter Runestig and I wrote supports
START_TLS as well as the TELNET FORWARD-X option for securing X
Windows sessions.  It also supports TLS session reuse for improved
performance.

I think so. I will tell this to the person responsible for this package on Debian. It is possible he does not know this.

It also provides several sample implementations of the

  X509_to_user()

function so you can specify how your client's certificates once
verified should be mapped to userid's.  You can find it at:

  http://www.runestig.com/osp.html

I have taken a look before. Zanx.

It comes with a client as well.  However, the best TLS Telnet client
for *nix is C-Kermit 8.0:

  http://www.kermit-project.org/ckermit.html

Security description at

  http://www.kermit-project.org/security.html


I will try it. Zanx, Jeff and all.


> -----Original message-----
> From: Jeffrey Altman [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 06 June 2002 19:58
> To: [EMAIL PROTECTED]
> CC: [EMAIL PROTECTED]
> Subject: Re: telnetd-ssl
>
>
> That depends on whose Telnetd you are using and how you want the
> clients to be authorized.
>
> -I'm on a Debian 2.4.6 with telnetd-ssl and telnet-ssl (0.17), openssl
> 0.9.6-c and their libs, latest libc6 and dependent libs. This is the testing
> version on Debian.
>
> -I've talked with the package maintainer and he said that the
> original sources are from telnetssl and he never tested client
> certificate authentication. I've tried to do this with this
> config:
>
> -CA root certificate installed and accessible.
> -Two verified x509 certs created with demoCA (signed by the CA root
> certificate):
>
> *telnetd cert subject and issuer
>
> subject=/C=ES/ST=Castellon/L=Castellon/O=IN3 S.A./OU=Telnet/CN=zidane.in3.es
> issuer =/C=ES/ST=Castellon/L=Castellon/O=IN3 Certificate Authority/OU=IN3 Certificate Authority/CN=IN3
>
> *newcert cert subject and issuer
>
> subject=/C=ES/ST=Castellon/L=Castellon/O=IN3 S.A./OU=staff/CN=<user name>, where user name is a valid system user
> issuer =/C=ES/ST=Castellon/L=Castellon/O=IN3 Certificate Authority/OU=IN3 Certificate Authority/CN=IN3
>
> -telnetd entry on inetd.conf:
>
> telnets         stream  tcp     nowait  telnetd.telnetd   /usr/sbin/tcpd /usr/sbin/in.telnetd -z cert=/etc/ssl/certs/telnetd.pem -z key=/etc/ssl/private/telnetd.key -z certrequired -z secure -z verify=1 -z certsok
>
> -command line from bash:
>
> telnet-ssl -z cert=newcert.pem -z debug -z verbose -z key=newcert.key -z verify=1 zidane.in3.es 992
>
> The output during execution of the client:
>
> [SSL - attempting to switch on SSL]
> [SSL - handshake starting]
> SSL_connect:UNKWN  before/connect initialization
> SSL_connect:23WCHA SSLv2/v3 write client hello A
> SSL_connect:3RSH_A SSLv3 read server hello A
> Certificate[0] subject=/C=ES/ST=Castellon/L=Castellon/O=IN3 S.A./OU=Telnet/CN=zidane.in3.es
> Certificate[0] issuer =/C=ES/ST=Castellon/L=Castellon/O=IN3 Certificate Authority/OU=IN3 Certificate Authority/CN=IN3 Certificate Authority
> SSL_connect:error in 3RSC_B SSLv3 read server certificate B
> SSL_connect:error in 3RSC_B SSLv3 read server certificate B
> [SSL - FAILED (-1)]
> telnet: Unable to ssl_connect to remote host: Success
> 3752:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:769:
> [SSL - SSL_accept error]
> Connection closed by foreign host.
>
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
>
 Jeffrey Altman * Sr.Software Designer     Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/            Secured with MIT Kerberos, SRP, and
 [EMAIL PROTECTED]               OpenSSL.
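The message above recommends providing an X509_to_user() function that decides how a verified client certificate is mapped to a local user id, and the quoted configuration shows the CA issuing both a server certificate (OU=Telnet) and staff certificates (OU=staff, CN=<user name>). The following is an added example, not code from the thread, from telnetd-ssl or from the Runestig/Altman patch: a deny-by-default mapping policy written against the DNs quoted in the thread, in OpenSSL's one-line "/C=ES/ST=..." form. It assumes the TLS layer has already verified the chain, uses a constructed allowlist in place of a getpwnam() lookup, and invents the user name "alice".

```python
"""
Added example: a deny-by-default policy for mapping a verified client
certificate to a local account, in the spirit of the X509_to_user() hook.
Assumes the TLS layer has already validated the certificate chain and hands
us subject and issuer as OpenSSL one-line DNs.
"""
import re
from typing import List, Optional, Tuple

# Constructed from the DNs quoted in the thread; the user name is made up.
CA_ISSUER = ("/C=ES/ST=Castellon/L=Castellon/O=IN3 Certificate Authority"
             "/OU=IN3 Certificate Authority/CN=IN3 Certificate Authority")
STAFF_SUBJECT = "/C=ES/ST=Castellon/L=Castellon/O=IN3 S.A./OU=staff/CN=alice"
SERVER_SUBJECT = "/C=ES/ST=Castellon/L=Castellon/O=IN3 S.A./OU=Telnet/CN=zidane.in3.es"

# Constructed stand-in for the system account database (getpwnam()).
LOCAL_ACCOUNTS = {"alice", "bob", "root", "daemon"}
# Accounts a certificate must never be mapped onto (uid 0 and system users).
NEVER_MAP = {"root", "daemon"}
# Conservative POSIX login-name syntax: rejects '/', '..', spaces, shell metacharacters.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL one-line DN into ordered (attribute, value) pairs.

    OpenSSL escapes a '/' inside a value as '\\/', so split only on
    unescaped slashes and unescape the values afterwards.
    """
    if not dn.startswith("/"):
        raise ValueError("expected one-line DN starting with '/'")
    rdns = []
    for part in re.split(r"(?<!\\)/", dn[1:]):
        attr, sep, value = part.partition("=")
        if not sep or not attr:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr, value.replace("\\/", "/")))
    return rdns


def x509_to_user(subject: str, issuer: str,
                 expected_issuer: str = CA_ISSUER,
                 accounts=LOCAL_ACCOUNTS) -> Optional[str]:
    """Return the local user a verified client certificate maps to, or None.

    Rules, all of which must hold:
      1. the issuer is exactly our CA, so a certificate that chains to some
         other root in the trust store cannot log in;
      2. OU is exactly 'staff': the server certificate (OU=Telnet) issued by
         the same CA is not a login credential;
      3. exactly one CN, with strict user-name syntax;
      4. the account exists and is not a protected system account.
    """
    try:
        subj = parse_dn(subject)
        if parse_dn(issuer) != parse_dn(expected_issuer):
            return None
    except ValueError:
        return None
    ous = [v for a, v in subj if a == "OU"]
    cns = [v for a, v in subj if a == "CN"]
    if ous != ["staff"] or len(cns) != 1:
        return None
    user = cns[0]
    if not USERNAME_RE.match(user):
        return None
    if user not in accounts or user in NEVER_MAP:
        return None
    return user


if __name__ == "__main__":
    print(x509_to_user(STAFF_SUBJECT, CA_ISSUER))   # alice
    print(x509_to_user(SERVER_SUBJECT, CA_ISSUER))  # None
```

The two points worth carrying into a real hook are that chain validity alone is not authorization (the server's own certificate validates perfectly and must still be refused), and that the CN is untrusted input until it has passed a syntax check and an account lookup.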
