Wanted: OpenBSD Help / Tutoring / Mentoring in Montreal or Toronto

2017-01-17 Thread Implausibility
Hi.

I'm not exactly new to OpenBSD, but there are a few things that I need some
help with, and fighting through learning them on my own isn't appealing.

I'm looking for some help with:

pf, OpenVPN, web hosting, building a robust mail server

... and would expect to pay you for your time.

Drop me an eMail off-list if you're interested, with your expectations for
your hourly rate.

I'm frequently near Atwater Market in Montréal, or King St. West in Toronto,
but we can meet anywhere near those locations.

-JD.



Re: OpenBSD help

2015-12-15 Thread Alessandro Baggi

On 15/12/2015 17:41, Jan Stary wrote:

On Dec 15 17:07:59, alessandro.ba...@gmail.com wrote:

Hi list,
I've a firewall on an apu1D running OpenBSD.
Today during a simple management, I've noticed that the system is up since 1
day and 23 hours. Running "cat authlog" I see that the last two logged
sessions are:

Dec 2 at 12 and today.
Running "last" I see:
myuser  (current session) (still logged in)
reboot ~Sun Dec 13 18:06

Maybe Hacked?
Can someone help me to find out what happened?


So your machine rebooted around Dec 13 18:06.
I would guess a power failure.




My machines are under a UPS, and on Sun 13 all machines were off and there was no
general blackout.

Maybe it is a cable, but I'm not sure. I will check at the next "false reboot".

>
> from last(1)
>   The pseudo-user ``reboot'' logs in at reboots of the system; thus
> last
>   reboot will give an indication of mean time between reboot.

I had read the last manual before posting on the ml, but thanks for the tips.



Re: OpenBSD help

2015-12-15 Thread Kapetanakis Giannis

On 15/12/15 18:07, Alessandro Baggi wrote:

Hi list,
I've a firewall on an apu1D running OpenBSD.
Today during a simple management, I've noticed that the system is up
since 1 day and 23 hours. Running "cat authlog" I see that the last
two logged sessions are:

Dec 2 at 12 and today.
Running "last" I see:
myuser  (current session) (still logged in)
reboot ~Sun Dec 13 18:06

In my configuration I don't give access from wan and dmz. Access is
only from LAN ssh key based (key is on a usbdrive) and from console
and the console machine has been off since installation.

Reading other logfiles (messages.X.gz, daemon.X.gz...) I can't find
anything useful.

I don't think that there is an automatic (magic) reboot and I've no
personal script or other configured.

Maybe Hacked?

Can someone help me to find out what happened?

Thanks in advance.



from last(1)
 The pseudo-user ``reboot'' logs in at reboots of the system; thus last
 reboot will give an indication of mean time between reboot.

G



OpenBSD help

2015-12-15 Thread Alessandro Baggi

Hi list,
I've a firewall on an apu1D running OpenBSD.
Today during a simple management, I've noticed that the system is up
since 1 day and 23 hours. Running "cat authlog" I see that the last two
logged sessions are:

Dec 2 at 12 and today.
Running "last" I see:
myuser  (current session) (still logged in)
reboot ~Sun Dec 13 18:06

In my configuration I don't give access from wan and dmz. Access is only
from LAN ssh key based (key is on a usbdrive) and from console and the
console machine has been off since installation.

Reading other logfiles (messages.X.gz, daemon.X.gz...) I can't find
anything useful.

I don't think that there is an automatic (magic) reboot and I've no
personal script or other configured.

Maybe Hacked?

Can someone help me to find out what happened?

Thanks in advance.



Re: OpenBSD help

2015-12-15 Thread Otto Moerbeek
On Tue, Dec 15, 2015 at 05:07:59PM +0100, Alessandro Baggi wrote:

> Hi list,
> I've a firewall on an apu1D running OpenBSD.
> Today during a simple management, I've noticed that the system is up since 1
> day and 23 hours. Running "cat authlog" I see that the last two logged
> sessions are:
> 
> Dec 2 at 12 and today.
> Running "last" I see:
> myuser  (current session) (still logged in)
> reboot ~Sun Dec 13 18:06
> 
> In my configuration I don't give access from wan and dmz. Access is only
> from LAN ssh key based (key is on a usbdrive) and from console and the
> console machine has been off since installation.
> 
> Reading other logfiles (messages.X.gz, daemon.X.gz...) I can't find anything
> useful.
> 
> I don't think that there is an automatic (magic) reboot and I've no
> personal script or other configured.
> 
> Maybe Hacked?
> 
> Can someone help me to find out what happened?
> 
> Thanks in advance.

reboot ~ is logged by init on system startup. One possible explanation
could be a power failure.

-Otto
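Following up the question above and the last(1) note about the reboot pseudo-user, here is an added shell example (not code from any message in this thread) that reads saved last(1) output, computes the mean time between reboot entries, and flags every reboot with no shutdown record before it. It assumes that reboot(8)/halt(8) write a "shutdown ~" wtmp line just before a clean restart, so a reboot without one in the preceding ten minutes is what a power cut or crash leaves behind, and that all entries fall in one calendar year, since last(1) prints none; the sample last output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads last(1) output (newest entry
# first, as last prints it) and reports the mean time between "reboot"
# entries plus every reboot that no "shutdown" record precedes.
# Assumptions: reboot(8)/halt(8) write a "shutdown ~" wtmp line just before
# a clean restart, so a reboot without one in the preceding ten minutes
# looks like a power cut or crash; all entries fall in one calendar year,
# since last(1) prints no year.

# reboot_stats < last-output: prints "unclean=<date>" per suspicious reboot
# and "mtbr_hours=<n>" when at least two reboots are present.
reboot_stats() {
    awk '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        split("31 28 31 30 31 30 31 31 30 31 30 31", dl, " ")
        cum[1] = 0
        for (i = 1; i <= 12; i++) { mon[m[i]] = i; if (i > 1) cum[i] = cum[i-1] + dl[i-1] }
    }
    # minutes since Jan 1 00:00 of the (assumed single) year
    function minutes(mo, d, hm,    t) {
        split(hm, t, ":")
        return ((cum[mon[mo]] + d - 1) * 24 + t[1]) * 60 + t[2]
    }
    $1 == "wtmp" { next }                 # trailer: "wtmp begins ..."
    {
        # locate "Mmm dd HH:MM"; the host column is absent for ~ pseudo-ttys
        for (i = 2; i < NF; i++)
            if (($i in mon) && $(i+2) ~ /^[0-9][0-9]:[0-9][0-9]$/) break
        if (i >= NF) next
        n++; user[n] = $1; when[n] = minutes($i, $(i+1), $(i+2))
        label[n] = $(i-1) " " $i " " $(i+1) " " $(i+2)
    }
    END {
        prev = -1; sum = 0; gaps = 0; lastdown = -1
        for (k = n; k >= 1; k--) {        # walk oldest -> newest
            if (user[k] == "shutdown") { lastdown = when[k]; continue }
            if (user[k] != "reboot") continue
            if (prev >= 0) { sum += when[k] - prev; gaps++ }
            prev = when[k]
            if (lastdown < 0 || when[k] - lastdown > 10) print "unclean=" label[k]
        }
        if (gaps) printf "mtbr_hours=%.2f\n", sum / gaps / 60
    }'
}

# Constructed sample in last(1) layout; the Dec 13 reboot has no shutdown
# record before it, like the one in the report above.
SAMPLE_LAST='myuser    ttyp0    192.168.1.20     Tue Dec 15 16:50   still logged in
reboot    ~                                   Sun Dec 13 18:06
myuser    ttyp0    192.168.1.20     Wed Dec  2 12:03 - 12:40  (00:37)
reboot    ~                                   Mon Nov 30 09:15
shutdown  ~                                   Mon Nov 30 09:14
reboot    ~                                   Thu Oct  1 07:00
shutdown  ~                                   Thu Oct  1 06:59

wtmp begins Thu Oct  1 06:58:12 2015'

# With a file argument, analyse a saved "last" dump; otherwise the sample.
if [ $# -ge 1 ]; then reboot_stats < "$1"; else printf '%s\n' "$SAMPLE_LAST" | reboot_stats; fi
```

On the firewall itself, `last | sh reboot_stats.sh /dev/stdin` or `last > dump; sh reboot_stats.sh dump` gives the same report for the real wtmp.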



Re: Got Certificate how to use it. WAS: Re: OpenSSL On Openbsd help

2008-06-16 Thread Khalid Schofield

Many thanks to all who gave information. It's been really useful.

So to help others here is a write up:

1) Generate your ssl key file
openssl genrsa -des3 -out server.key 4096

2) Protect your key file (not vital but you should take REAL care over the key
file)

chmod 400 server.key

3) Generate your certificate signing request that you're going to ask the ca of
your choice to sign for you and say you're the proper deal.

openssl req -new -nodes -key server.key -out server.csr

NOTE! This will require no password. If you want to encrypt your certificate
then you should use the below instead:

openssl req -new -des3 -key server.key -out server.csr

4) choose someone cheap (I used godaddy.com) to sign the certificate. Pay them
money and they send you your signed certificate.


You get back a certificate file.

The company that signed your certificate will have a certificate of their own. 
This is the CA Chain. You have to put this in httpd.conf too.


It is the ca-bundle.crt


Edit /var/www/conf/httpd.conf to look something like this and you're done.
Remember if you used a password on your certificate when you start httpd you
will be asked to enter the password.


One thing that I found kind of confusing is that you can use virtual hosts for
SSL but you can only use one! You have to use the default virtual host for ssl
unless you have different IPs for ip based virtual hosts. The trick is to use
the VirtualHost _default_:443 host for your SSL website. If you want more
than one website on SSL then you need more IPs. This is just because of how
SSL works and not because of apache's limitations.


Here is my test webserver's httpd.conf for apache 1.3 from openbsd 4.3. It's
not really tweaked; I just built the box for testing so ignore all but the ssl
bits.


Hope you've found this helpful.



#   $OpenBSD: httpd.conf,v 1.22 2008/01/25 09:59:57 sthen Exp $
#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See URL:http://www.apache.org/docs/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# After this file is processed, the server will look for and process
# /var/www/conf/srm.conf and then /var/www/conf/access.conf
# unless you have overridden these with ResourceConfig and/or
# AccessConfig directives here.
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
# whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
# which responds to requests that aren't handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with / (or drive:/ for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with /, the value of ServerRoot is prepended -- so logs/foo.log
# with ServerRoot set to /usr/local/apache will be interpreted by the
# server as /usr/local/apache/logs/foo.log.
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerType is either inetd, or standalone.  Inetd mode is only supported on
# Unix platforms.
#
ServerType standalone

#
# ServerTokens is either Full, OS, Minimal, or ProductOnly.
# The values define what version information is returned in the
# Server header in HTTP responses.
#
# ServerTokens ProductOnly

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at URL:http://www.apache.org/docs/mod/core.html#lockfile);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot /var/www

#
# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
# its default value. The main reason for changing it is if the logs
# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
# DISK. The PID of the main 

Re: OpenSSL On Openbsd help

2008-06-16 Thread Stuart Henderson
On 2008-06-15, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2008-06-14, General Delivery [EMAIL PROTECTED] wrote:
 If, as you've indicated, you're going to use the cert for e-commerce, then
 self-signed is NOT the way to go.

 FREE, no cost, non-testing, one-year SSLs are available from
 http://cert.startcom.org.  Startcom's root CA is recognized by the major
 browsers and should satisfy your needs.

 major browsers in the case of Startcom's free certificate means
 Firefox and Safari. Internet Explorer does not have their root key.

oops, s/key/cert/ (unless there's a really big problem ;-)



Got Certificate how to use it. WAS: Re: OpenSSL On Openbsd help

2008-06-15 Thread Khalid Schofield

Hi,
ok used godaddy in the end and decided to throw both suggestions and use a 
password with a 4096bit certificate.


So I've got my certificate signed back and the key on my box.

I've tried to integrate it into my system but had no luck.

Running openbsd 4.0 and apache 1.3. I've loads of virtual hosts on apache
and I'm now running apache from rc.conf.local with:

 httpd_flads -u -DSSL .

I know un-chrooting's nasty but I needed to, so don't get too sidetracked by
that. I'll fix my web-apps next week with the new server role.


I've put the certificates in /etc/ssl/server.crt and /etc/ssl/private/server.key

Now what? I only want server.crt to be used for one of my virtual hosts. 
I've tried all sorts but it doesn't seem to work when I try to connect to 
443.


Also apachectl restart doesn't ask for the certificate password. But a 
reboot does. apachectl startssl doesn't ask either.


I've decided to comment out the certificates for the time being. But if 
anyone can help.


My httpd.conf currently looks like this.

#   $OpenBSD: httpd.conf,v 1.19 2006/02/22 15:07:12 henning Exp $
#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See URL:http://www.apache.org/docs/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# After this file is processed, the server will look for and process
# /var/www/conf/srm.conf and then /var/www/conf/access.conf
# unless you have overridden these with ResourceConfig and/or
# AccessConfig directives here.
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
# whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
# which responds to requests that aren't handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with / (or drive:/ for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with /, the value of ServerRoot is prepended -- so logs/foo.log
# with ServerRoot set to /usr/local/apache will be interpreted by the
# server as /usr/local/apache/logs/foo.log.
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerType is either inetd, or standalone.  Inetd mode is only supported on
# Unix platforms.
#
ServerType standalone

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at URL:http://www.apache.org/docs/mod/core.html#lockfile);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot /var/www

#
# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
# its default value. The main reason for changing it is if the logs
# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
# DISK. The PID of the main server process is automatically appended to
# the filename.
#
#LockFile logs/accept.lock

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile logs/httpd.pid
#
# ScoreBoardFile: File used to store internal server process information.
# Not all architectures require this.  But if yours does (you'll know because
# this file will be  created when you run Apache) then you *must* ensure that
# no two invocations of Apache share the same scoreboard file.
#
ScoreBoardFile logs/apache_runtime_status

#
# In the standard configuration, the server will process httpd.conf,
# srm.conf, and access.conf in that order.  The latter two files are
# now deprecated and not installed any more, as it is recommended that
# all directives be kept in a single file for simplicity.
#
#ResourceConfig conf/srm.conf
#AccessConfig conf/access.conf

#
# Timeout: The number of seconds before receives and sends time out.
#

Re: Got Certificate how to use it. WAS: Re: OpenSSL On Openbsd help

2008-06-15 Thread Rogier Krieger
On Sun, Jun 15, 2008 at 9:37 AM, Khalid Schofield
[EMAIL PROTECTED] wrote:
 Running openbsd 4.0 and apache 1.3 . I've loads of virtual hosts on
 apache and I'm now running apache from rc.conf.local with:
  httpd_flads -u -DSSL .

That probably is a typo and in your rc.conf.local it would read
httpd_flags? Besides that, you would probably serve yourself with an
upgrade to the latest and greatest (4.3) and do so before you upgrade
your web apps.


 Now what? I only want server.crt to be used for one of my virtual hosts.

That will cost you a bunch of IP addresses, one for each distinct SSL
virtual host. You could start by not using the _default_:443 virtual
host.

If you want to make sure none of your other virtual hosts accidentally
get served via the https port, place each individual SSL'd virtual
host on a separate IP address. There is not really a way around that.
Virtual hosts work by the information from the Host: $virtual_host
header being available. For SSL connections, the crypto work needs to
be done before you get that information (which requires you to choose
your virtual host already to select keys, certificates, etc.).


 I've tried all sorts but it doesn't seem to work when I try to connect to 443.

Have you tried the usual batch of:
+ properly connected cables
+ apache error log upon startup
+ ps output listing the httpd processes
+ netstat output listing you have a listener to the https port
+ firewall rules (tcpdump and pflog0 can come in very handy)


 Also apachectl restart doesn't ask for the certificate password. But a
 reboot does. apachectl startssl doesn't ask either.

If you're switching to chrooted operation soon, you should probably
use stop/start and not restart just to get into the right habit. If
httpd does surprising things, you will want to read its error log.


 I've decided to comment out the certificates for the time being.

You don't really want to do that, given that the server will not
automagically load the certificates out of thin air. You'll want to
make sure that the server can open the files, etc. Again, such is
usually listed in your httpd's error log. If you see error numbers
that do not directly make sense to you, check with errno(2).

Hopefully this helps tracking down the problem,

Rogier

-- 
If you don't know where you're going, any road will get you there.



Re: Got Certificate how to use it. WAS: Re: OpenSSL On Openbsd help

2008-06-15 Thread Khalid Schofield

On Sun, 15 Jun 2008, Rogier Krieger wrote:


On Sun, Jun 15, 2008 at 9:37 AM, Khalid Schofield
[EMAIL PROTECTED] wrote:

Running openbsd 4.0 and apache 1.3 . I've loads of virtual hosts on
apache and I'm now running apache from rc.conf.local with:
 httpd_flads -u -DSSL .


That probably is a typo and in your rc.conf.local it would read
httpd_flags? Besides that, you would probably serve yourself with an
upgrade to the latest and greatest (4.3) and do so before you upgrade
your web apps.



Now what? I only want server.crt to be used for one of my virtual hosts.


That will cost you a bunch of IP addresses, one for each distinct SSL
virtual host. You could start by not using the _default_:443 virtual
host.

If you want to make sure none of your other virtual hosts accidentally
get served via the https port, place each individual SSL'd virtual
host on a separate IP address. There is not really a way around that.
Virtual hosts work by the information from the Host: $virtual_host
header being available. For SSL connections, the crypto work needs to
be done before you get that information (which requires you to choose
your virtual host already to select keys, certificates, etc.).


Ok, but I should be able to re-use the default host on the box though,
right? Make the default host the website URL?

I've tried all sorts but it doesn't seem to work when I try to connect to 443.


Have you tried the usual batch of:
+ properly connected cables


yes thanks... a hint of sarcasm?


+ apache error log upon startup
+ ps output listing the httpd processes


thanks


+ netstat output listing you have a listener to the https port
+ firewall rules (tcpdump and pflog0 can come in very handy)


or just having something on port 443 indeed which I've not.





Also apachectl restart doesn't ask for the certificate password. But a
reboot does. apachectl startssl doesn't ask either.


If you're switching to chrooted operation soon, you should probably
use stop/start and not restart just to get into the right habit. If
httpd does surprising things, you will want to read its error log.



I've decided to comment out the certificates for the time being.


You don't really want to do that, given that the server will not
automagically load the certificates out of thin air. You'll want to
make sure that the server can open the files, etc.


So nothing useful here.


Again, such is
usually listed in your httpd's error log. If you see error numbers
that do not directly make sense to you, check with errno(2).

Hopefully this helps tracking down the problem,

Rogier


Well, thanks for your words Rogier. Lots of text. Guessing the useful bit
to grep out is _default_:443.
Will go back to google. Enjoy your sunday, thanks for the test message.



--
If you don't know where you're going, any road will get you there.




Re: OpenSSL On Openbsd help

2008-06-14 Thread Damien Miller
On Sat, 14 Jun 2008, Khalid Schofield wrote:

 Hi,
 I need to get a proper signed ssl certificate for my ecommerce website
 hosted on my openbsd box. Getting confused as most websites describe
 how to do this in many different ways and most refer to self signed
 certificates. Wanted to ask the experts before I go and throw $100 at
 the task.

First, I'd recommend that you spend a little time reading up on X.509
certificates and how they relate to public key cryptography. There
are nasty consequences if you get things wrong that extend well past
wasting $100 on a certificate you can't use.

 So do I have to use pass phrases when generating the certificate? If
 I use a pass phrase why? How does it affect the certificate and its
 use?

Certificates don't have passphrases, private keys do. A key passphrase
gives some measure of protection should the file containing your key
fall into someone else's hands, e.g. by compromising your server. If
your private key is disclosed, an attacker could impersonate your server.

 Also if I use a pass phrase do I have to tell apache about it? Does it
 go in a config or do I have to enter it when reloading apache?

Putting it in a configuration file would defeat the purpose, no?
Yes, if you use a passphrase then you need to tell Apache about it every
time it is reloaded. For this reason, many web servers do not set
passphrases on their keys.

 Also what command do you use to do this? Please tell all :)

openssl req

OpenSSL is complex and patchily documented, it assumes that its users
are quite familiar with x.509 certificates and public key cryptography.
There are some frontends that make things more simple, and some good
guides on the net. Try typing openssl certificate into your favourite
search engine for a few.

 One last thing who would you recommend to sign my csr?

Go for the cheapest certification authority that is supported by Firefox
and Internet Explorer. Do not be fooled by any claims of premium
certification as the overwhelming majority of users do not check the
CA details.

 Thanks sorry for the stupid questions but I've never done this before
 and risked my actual money (only the companies).

Like I said, risking $100 on a dud cert is the least of your worries.

-d



Re: OpenSSL On Openbsd help

2008-06-14 Thread Dustin Lundquist
Khalid Schofield wrote:
 So do I have to use pass phrases when generating the certificate? If I
 use a pass phrase why? How does it affect the certificate and its use?
 
 Also if I use a pass phrase do I have to tell apache about it? Does it
 go in a config or do I have to enter it when reloading apache?
You do not need a pass phrase, in fact usually a pass phrase will
prevent apache from starting until you respond to the prompt to enter
the pass phrase. If your server is going to be somewhere where there
might be a power outage, or rebooted by someone who does not have the
pass phrase it's generally a big headache.

That being said, if there is a risk that someone could read your private
key off your webserver, either by physically stealing the server or an
untrusted admin, a pass phrase isn't a bad idea. But in this case you
have to consider what else would be compromised, and if it's easier just
to revoke that cert and get another one.

My recommendation would be to not use a pass phrase for SSL services,
but use a passphrase for a certificate that you use to sign other
certificates: i.e. VPN user authentication, authenticating SSL users by
issuing them each their own certificate, or similar.

The process of setting up a signed cert is as follows:
1. Generate your private key and secure the file permissions (you want to do
this in a secure fashion, i.e. on the box directly as root or a
private user). Guard this file: if it is compromised the security SSL
provides is compromised:
openssl genrsa -out secure.example.com.key 4096
chmod 400 secure.example.com.key

2. Generate your certificate signing request (CSR), you will be prompted
to answer a bunch of questions country, state, location, organization,
organization unit, common name and email address, answer these accurately
or else the certificate authority will not sign your key, there is one
of special note: Common Name (CN) needs to be the exact domain name of
your SSL site i.e. secure.example.com in this example:
openssl req -new -nodes -key secure.example.com.key -out secure.example.com.csr

3. Send the CSR (you can open the file and copy and paste the contents
into an email, or the certificate authority's website) to the
certificate authority along with whatever other documentation they
require (their job is to verify you are who you are requesting a
certificate for before signing the key, they usually require some proof
of domain ownership and everything else you entered in step 2).

4. You will then receive your signed certificate, you can either keep
the certificate in a separate file from your private key, or cat them
together to make a .pem file: cat secure.example.com.key
secure.example.com.cert > secure.example.com.pem; chmod 400
secure.example.com.pem
Configure apache to use your new cert and key:
SSLCertificateFile /etc/ssl/secure.example.com.cert
SSLCertificateKeyFile /etc/ssl/secure.example.com.key
 - or -
SSLCertificateFile /etc/ssl/secure.example.com.pem

Since apache is chrooted, you have to restart it to read the new key and
certificate.



Dustin Lundquist



Re: OpenSSL On Openbsd help

2008-06-14 Thread Khalid Schofield

On Sat, 14 Jun 2008, Chris Kuethe wrote:


On 6/14/08, Khalid Schofield [EMAIL PROTECTED] wrote:

 One last thing who would you recommend to sign my csr?


I got my cert through godaddy. ~$20. took about 4hrs, start to finish...


I started looking at godaddy and almost bought a 4 year certificate but 
the website seemed full of rubbish. Cluttered with adverts and you don't 
seem to just be able to order your certificate. You mess around creating 
an account, then entering your address and credit card which they store 
finally allowing you to buy the certificate after 10 minutes of faffing
around. They're cheap though so I'll probably buy through them.




i'm not sure i *recommend* godaddy - nothing about the transaction
made me say i'd never use anyone else or i'd never use them again,
but they did an adequate job at providing a cert that works with
firefox and IE.



Have you had problems with godaddy yet? Anything to say other than so so?




CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?




Re: OpenSSL On Openbsd help

2008-06-14 Thread Khalid Schofield
This is REALLY useful. Thanks. Gets right to the matter! Although this
will fix my issue the other people's replies are an interesting insight and
I shall follow advice and read about how x509 works.




On Sat, 14 Jun 2008, Dustin Lundquist wrote:


Khalid Schofield wrote:

So do I have to use pass phrases when generating the certificate? If I
use a pass phrase why? How does it affect the certificate and its use?

Also if I use a pass phrase do I have to tell apache about it? Does it
go in a config or do I have to enter it when reloading apache?

You do not need a pass phrase, in fact usually a pass phrase will
prevent apache from starting until you respond to the prompt to enter
the pass phrase. If your server is going to be somewhere where there
might be a power outage, or rebooted by someone who does not have the
pass phrase it's generally a big headache.

That being said, if there is a risk that someone could read your private
key off your webserver, either by physically stealing the server or an
untrusted admin, a pass phrase isn't a bad idea. But in this case you
have to consider what else would be compromised, and if it's easier just
to revoke that cert and get another one.

My recommendation would be to not use a pass phrase for SSL services,
but use a passphrase for a certificate that you use to sign other
certificates: i.e. VPN user authentication, authenticating SSL users by
issuing them each their own certificate, or similar.

The process of setting up a signed cert is as follows:
1. Generate your private key and secure the file permissions (you want to do
this in a secure fashion, i.e. on the box directly as root or a
private user). Guard this file: if it is compromised the security SSL
provides is compromised:
openssl genrsa -out secure.example.com.key 4096
chmod 400 secure.example.com.key

2. Generate your certificate signing request (CSR), you will be prompted
to answer a bunch of questions country, state, location, organization,
organization unit, common name and email address, answer these accurately
or else the certificate authority will not sign your key, there is one
of special note: Common Name (CN) needs to be the exact domain name of
your SSL site i.e. secure.example.com in this example:
openssl req -new -nodes -key secure.example.com.key -out secure.example.com.csr

3. Send the CSR (you can open the file and copy and paste the contents
into an email, or the certificate authority's website) to the
certificate authority along with whatever other documentation they
require (their job is to verify you are who you are requesting a
certificate for before signing the key, they usually require some proof
of domain ownership and everything else you entered in step 2).

4. You will then receive your signed certificate, you can either keep
the certificate in a separate file from your private key, or cat them
together to make a .pem file: cat secure.example.com.key
secure.example.com.cert > secure.example.com.pem; chmod 400
secure.example.com.pem
Configure apache to use your new cert and key:
SSLCertificateFile /etc/ssl/secure.example.com.cert
SSLCertificateKeyFile /etc/ssl/secure.example.com.key
- or -
SSLCertificateFile /etc/ssl/secure.example.com.pem

Since apache is chrooted, you have to restart it to read the new key and
certificate.



Dustin Lundquist




Re: OpenSSL On Openbsd help

2008-06-14 Thread Hannah Schroeter
Hi!

Even if I'm not the OP, this is a good guide... Cool.

On Sat, Jun 14, 2008 at 10:42:37AM -0700, Dustin Lundquist wrote:
[...]

The process of setting up a signed cert is as follows:
1. Generate your private key and secure the file permissions (you want to do
this in a secure fashion, i.e. on the box directly as root or a
private user). Guard this file: if it is compromised the security SSL
provides is compromised:
openssl genrsa -out secure.example.com.key 4096
chmod 400 secure.example.com.key

Before all that: umask 077, so there'll be no window of time when the
key will be group/world readable.

[...]

3. Send the CSR (you can open the file and copy and paste the contents
into an email, or the certificate authority's website) to the
certificate authority along with whatever other documentation they
require (their job is to verify you are who you are requesting a
certificate for before signing the key, they usually require some proof
of domain ownership and everything else you entered in step 2).

4. You will then receive your signed certificate, you can either keep
the certificate in a separate file from your private key, or cat them
together to make a .pem file: cat secure.example.com.key
secure.example.com.cert > secure.example.com.pem; chmod 400
secure.example.com.pem
Configure apache to use your new cert and key:
SSLCertificateFile /etc/ssl/secure.example.com.cert
SSLCertificateKeyFile /etc/ssl/secure.example.com.key
 - or -
SSLCertificateFile /etc/ssl/secure.example.com.pem

Again, before the cat, use umask 077, for the same reason.

> Since apache is chrooted, you have to restart it to read the new key and
> certificate.
>
> Dustin Lundquist

Again, thanks for the cool explanations and step-by-step kind of guide.
Will probably be helpful for more than the original poster.

Kind regards,

Hannah.
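The procedure quoted above (key, CSR, combined .pem) with Hannah's umask 077 refinement applied, as an added example that is not part of the original thread and not Dustin's or Hannah's code. It assumes openssl(1) is installed; secure.example.com and the $WORK directory are placeholders, and step 3 (a CA signing the CSR) is stood in for by a self-signed certificate so the script runs offline. It adds the three checks a practitioner wants before pointing Apache at the files: the CSR names the right host, nothing holding the key is group- or world-readable, and the certificate actually belongs to the key.

```shell
#!/bin/sh
# Added example, not from the thread: the key -> CSR -> combined .pem
# procedure with umask 077 applied before any file holding the key is
# written, plus checks to run before handing the files to Apache.
# Assumptions: openssl(1) is installed; secure.example.com and $WORK are
# placeholders; step 3 (a CA signing the CSR) is stood in for by a
# self-signed certificate so the script runs offline.

WORK="${WORK:-$(mktemp -d)}"
HOST="secure.example.com"

# Step 1: private key. umask 077 first, so the file is 0600 from its first
# byte; chmod 400 afterwards closes the owner's write bit as well.
gen_key() {
    rm -f "$WORK/$HOST.key"
    ( umask 077 && openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null ) || return 1
    chmod 400 "$WORK/$HOST.key"
}

# Step 2: certificate signing request with a non-interactive subject.
gen_csr() {
    openssl req -new -key "$WORK/$HOST.key" -out "$WORK/$HOST.csr" \
        -subj "/C=XX/ST=Example/L=Example/O=Example Inc/CN=$HOST" 2>/dev/null
}

# Stand-in for step 3: self-sign the CSR. A real deployment sends the CSR
# to the CA and receives the .cert file back instead.
sign_csr_locally() {
    openssl x509 -req -days 365 -in "$WORK/$HOST.csr" \
        -signkey "$WORK/$HOST.key" -out "$WORK/$HOST.cert" 2>/dev/null
}

# Step 4: combine key and certificate into one .pem, again under umask 077
# because the combined file carries the private key.
make_pem() {
    rm -f "$WORK/$HOST.pem"
    ( umask 077 && cat "$WORK/$HOST.key" "$WORK/$HOST.cert" > "$WORK/$HOST.pem" ) || return 1
    chmod 400 "$WORK/$HOST.pem"
}

# Check: the CSR carries the hostname the CA will verify (matches both the
# "CN = host" and "CN=host" subject formats of different OpenSSL versions).
csr_ok() {
    openssl req -in "$WORK/$HOST.csr" -noout -subject 2>/dev/null | grep -q "CN *= *$HOST"
}

# Check: no file holding the key is group- or world-readable.
perms_ok() {
    for f in "$WORK/$HOST.key" "$WORK/$HOST.pem"; do
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        case "$mode" in
            400|600) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Check: the certificate really belongs to this key (same public key).
# Apache would otherwise only tell you at startup, after the restart.
keys_match() {
    k=$(openssl pkey -in "$WORK/$HOST.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$WORK/$HOST.cert" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

run_all() {
    gen_key && gen_csr && csr_ok && sign_csr_locally && make_pem && perms_ok && keys_match
}

if run_all; then
    echo "key, CSR, cert and pem ready in $WORK"
else
    echo "setup or check failed" >&2
fi
```

Run it as `sh setup-cert.sh`; with a real CA, drop sign_csr_locally from run_all, submit $WORK/$HOST.csr, save the returned certificate as $WORK/$HOST.cert and then call make_pem, perms_ok and keys_match. The subshell around each umask keeps the stricter mask from leaking into the rest of the script, and the rm -f before each write is there so the script can be re-run after chmod 400.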



Re: OpenSSL On Openbsd help

2008-06-14 Thread General Delivery
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Khalid Schofield
Sent: Saturday, June 14, 2008 12:34
To: misc@openbsd.org
Subject: OpenSSL On Openbsd help

Hi,
I need to get a proper signed ssl certificate for my ecommerce website
hosted on my openbsd box. Getting confused as most websites describe how
to do this in many different ways and most refer to self signed
certificates. Wanted to ask the experts before I go and throw $100 at the
task.

So do I have to use pass phrases when generating the certificate? If I use
a pass phrase why? How does it affect the certificate and its use?

Also if I use a pass phrase do I have to tell apache about it? Does it go 
in a config or do I have to enter it when reloading apache?

Also what command do you use to do this? Please tell all :)


One last thing who would you recommend to sign my csr?


Thanks sorry for the stupid questions but I've never done this before and 
risked my actual money (only the companies).

For info. I'm integrating google checkout into my website to do payments. 
Not done this before but paypal is charging me an arm and a leg.


Khalid
==

If, as you've indicated, you're going to use the cert for e-commerce, then
self-signed is NOT the way to go.

FREE, no cost, non-testing, one-year SSLs are available from
http://cert.startcom.org.  StartCom's root CA is recognized by the major
browsers and should satisfy your needs.

There is a registration process -- StartCom must be convinced that you
control the domains and then sites that you're applying to get certs for.

This can take a bit of time and there are a few pre-requisites.

Also, if it matters to you, StartCom is not North American.

/S



Re: OpenSSL On Openbsd help

2008-06-14 Thread Calomel
Khalid,

A certificate bought from a trusted Certificate Authority simply means
a client can verify the certificate's validity through a third party.
This does not mean the web page data is securely encrypted, does not
mean the data on the site is valid and does not mean that the data can
not be compromised on the client or server machines.

A basic SSL certificate says that the person or persons who bought the
certificate are the same person or persons that own the domain.  This
is the simplest check done by the Certificate Authority when a
certificate request (purchase) is made. The more expensive certs
require that the company ordering the certificate verify their legal
credentials. This may mean they have to FAX proof of their physical
location, their business status (INC, CO, etc.) and contact
information to the Certificate Authority and comply with an
investigation. This extended verification (EV) process is expensive
and can take weeks to complete.

I agree that an expensive SSL cert is only worth the money if the name
of the certificate authority means anything to the clients contacting
your site. 99.9% of the people do not know or care what a CA is.

Hope this helps.

 Guide to SSL Certificates
 https://calomel.org/ssl_certs.html

--
  Calomel @ https://calomel.org
  Open Source Research and Reference


On Sun, Jun 15, 2008 at 03:02:48AM +1000, Damien Miller wrote:
On Sat, 14 Jun 2008, Khalid Schofield wrote:

 Hi,
 I need to get a proper signed ssl certificate for my ecommerce website
 hosted on my openbsd box. Getting confused as most websites describe
 how to do this in many different ways and most refer to self signed
 certificates. Wanted to ask the experts before I go and throw $100 at
 the task.

First, I'd recommend that you spend a little time reading up on X.509
certificates and how they relate to public key cryptography. There
are nasty consequences if you get things wrong that extend well past
wasting $100 on a certificate you can't use.

 So do I have to use pass phrases when generating the certificate? If
 I use a pass phrase why? How does it affect the certificate and its
 use?

Certificates don't have passphrases, private keys do. A key passphrase
gives some measure of protection should the file containing your key
fall into someone else's hands, e.g. by compromising your server. If
your private key is disclosed, an attacker could impersonate your server.

 Also if I use a pass phrase do I have to tell apache about it? Does it
 go in a config or do I have to enter it when reloading apache?

Putting it in a configuration file would defeat the purpose, no?
Yes, if you use a passphrase then you need to tell Apache about it every
time it is reloaded. For this reason, many web servers do not set
passphrases on their keys.

 Also what command do you use to do this? Please tell all :)

openssl req

OpenSSL is complex and patchily documented; it assumes that its users
are quite familiar with x.509 certificates and public key cryptography.
There are some frontends that make things more simple, and some good
guides on the net. Try typing "openssl certificate" into your favourite
search engine for a few.

 One last thing who would you recommend to sign my csr?

Go for the cheapest certification authority that is supported by Firefox
and Internet Explorer. Do not be fooled by any claims of premium
certification as the overwhelming majority of users do not check the
CA details.

 Thanks sorry for the stupid questions but I've never done this before
 and risked my actual money (only the companies).

Like I said, risking $100 on a dud cert is the least of your worries.

-d
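Damien's point that passphrases belong to private keys, not certificates, and that a passphrased key has to be unlocked every time Apache is reloaded, shown as an added example that is not part of the original thread and not Damien's code. It assumes openssl(1) is installed; the paths and the passphrase are constructed for the demo. It encrypts a key at rest, detects the encrypted form by its PEM header (the check a deploy script can run before a reload that would otherwise block at a prompt), and shows that the key loads only with its passphrase while the key pair itself is unchanged.

```shell
#!/bin/sh
# Added example, not from the thread: what a passphrase on a private key
# does and does not do. Assumptions: openssl(1) is installed; the paths
# and the passphrase below are constructed for the demo.

WORK="${WORK:-$(mktemp -d)}"
PLAIN="$WORK/server.key"              # unencrypted key, what most web servers run with
ENC="$WORK/server.key.enc"            # the same key, passphrase-protected at rest
PASS="correct horse battery staple"   # constructed demo passphrase

# Generate the key under umask 077 so it is never group/world readable.
gen_plain_key() {
    rm -f "$PLAIN"
    ( umask 077 && openssl genrsa -out "$PLAIN" 2048 2>/dev/null )
}

# Wrap the same key with a passphrase (PKCS#8, AES-256). The key material is
# unchanged; only the on-disk encoding is encrypted.
encrypt_key() {
    rm -f "$ENC"
    ( umask 077 && openssl pkey -in "$PLAIN" -aes256 -passout "pass:$PASS" -out "$ENC" 2>/dev/null )
}

# Detect a passphrase-protected PEM by its header (PKCS#8 or legacy form).
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Try to load a key with a passphrase ("" means none, which is all Apache
# has at reload time unless someone types it). stdin is /dev/null so a
# prompt fails instead of hanging. Returns 0 if the key loads.
key_loads() {
    if [ -n "$2" ]; then
        openssl pkey -in "$1" -passin "pass:$2" -noout </dev/null 2>/dev/null
    else
        openssl pkey -in "$1" -noout </dev/null 2>/dev/null
    fi
}

# The passphrase changes nothing about the key pair: both files yield the
# same public key, so a certificate issued for one works with the other.
same_public_key() {
    a=$(openssl pkey -in "$PLAIN" -pubout 2>/dev/null)
    b=$(openssl pkey -in "$ENC" -passin "pass:$PASS" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

demo() {
    gen_plain_key && encrypt_key || return 1
    key_is_encrypted "$ENC" || return 1
    if key_loads "$ENC" ""; then return 1; fi   # locked: no passphrase, no key
    key_loads "$ENC" "$PASS" || return 1        # unlocked with the passphrase
    same_public_key
}

if demo; then
    echo "passphrase demo ok: $ENC loads only with its passphrase"
else
    echo "demo failed" >&2
fi
```

The trade-off is exactly the one Damien describes: the encrypted file is useless to someone who copies it off the server, but a reload needs the passphrase, so mod_ssl's SSLPassPhraseDialog has to be answered (its builtin dialog prompts on the terminal; the exec: form runs a helper). A helper that reads the passphrase from a file on the same host gives an attacker with server access the same key the plain file would, which is why many sites leave the server key unencrypted and rely on file permissions instead.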



Re: OpenSSL On Openbsd help

2008-06-14 Thread Stuart Henderson
On 2008-06-14, General Delivery [EMAIL PROTECTED] wrote:
 If, as you've indicated, you're going to use the cert for e-commerce, then
 self-signed is NOT the way to go.

 FREE, no cost, non-testing, one-year SSLs are available from
 http://cert.startcom.org.  starcom's root CA is recognized by the major
 browsers and should satisfy your needs.

major browsers in the case of Startcom's free certificate means
Firefox and Safari. Internet Explorer does not have their root key.