Can I re-sign an existing CA cert without breaking anything?

2003-10-09 Thread Jason Haar
...a bit naive I know, but I'd rather be safe than regret it a week later ;-)

We have an existing internal CA designed around an OpenSSL 0.9.5 signed CA
(obviously we're using a newer release of OpenSSL now - but the CA cert was
created under 0.9.5).

It's all working well - until now. We have found that we cannot sign certs
created by Cisco IOS - well it can - but then the Cisco refuses to use it.
Upon talking to Cisco, they say it's because our CA has a Serial number of
0 - which is illegal(!?). They said this was a known bug in OpenSSL that
was fixed in a later release...

Anyway, if all that is true, I'd like to simply re-create the CA cert under
a newer OpenSSL release - using the existing private key and serial number 1
- which for some reason is actually available (the first signed cert starts
at 2 - don't know why!). 

If I do that (i.e. openssl req -key existing.key -x509 -new ...), will
it break the existing infrastructure? I've gone as far as creating the new
CA public key/root cert, and diff'ing it against the old signed cert just
shows different serial number, dates and some signature hexes look
different. I mean, the public key created from the private key looks
identical to the old public key, so existing (old) HTTPS web servers that
only accept connections from client certs signed by our (old) CA should
happily accept client certs signed by our (new) CA?  What about CRL? We make
extensive use of CRL to ensure only valid certs are accepted, so I'm worried
about that breaking. 

I'm pretty sure that is doable - I'm just worried there are known bugs/issues
around this that may sting me a week/month later...

Thanks!


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
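The re-issue described in the question, carried through as an added example that is not part of the original post: an old CA cert (serial 0) is rebuilt from the same private key with serial 1, and the script then checks the two things the question worries about, that certs issued under the old CA cert still verify against the new one and that the existing CRL does too. It assumes only the openssl CLI (1.1.1 or 3.x); every key, cert, CRL and config file is constructed in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI (1.1.1 or 3.x);
# every key, cert and CRL below is constructed in a scratch directory.
set -e
SUBJ="/O=Example/CN=Example Internal CA"   # the CA's subject must stay identical

build_demo_pki() {
  WORK=$(mktemp -d); cd "$WORK"
  # Minimal config: [req]/[v3ca] for the CA certs, [ca]/[x] for "openssl ca"
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3ca]\n' > demo.cnf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> demo.cnf
  printf '[ca]\ndefault_ca=x\n[x]\ndatabase=index.txt\ncertificate=ca-old.crt\n' >> demo.cnf
  printf 'private_key=ca.key\ndefault_md=sha256\ndefault_crl_days=30\n' >> demo.cnf
  openssl genrsa -out ca.key 2048 2>/dev/null
  # Old CA cert with serial 0, mimicking the 0.9.5-era certificate in the question
  openssl req -config demo.cnf -new -x509 -key ca.key -days 3650 -set_serial 0 \
    -subj "$SUBJ" -extensions v3ca -out ca-old.crt
  # A client cert issued under the old CA cert (serial 2, as in the thread)
  openssl genrsa -out client.key 2048 2>/dev/null
  openssl req -config demo.cnf -new -key client.key -subj "/O=Example/CN=client" -out client.csr
  openssl x509 -req -in client.csr -CA ca-old.crt -CAkey ca.key -set_serial 2 \
    -days 365 -out client.crt 2>/dev/null
  # Revoke it and issue a CRL, still signed under the old CA cert
  : > index.txt
  openssl ca -config demo.cnf -revoke client.crt >/dev/null 2>&1
  openssl ca -config demo.cnf -gencrl -out crl.pem 2>/dev/null
  # The step asked about: same key, same subject, serial 1, fresh validity dates
  openssl req -config demo.cnf -new -x509 -key ca.key -days 3650 -set_serial 1 \
    -subj "$SUBJ" -extensions v3ca -out ca-new.crt
}
# The public key inside the old and new CA certs must be byte-for-byte identical
same_ca_pubkey() {
  [ "$(openssl x509 -in ca-old.crt -pubkey -noout)" = "$(openssl x509 -in ca-new.crt -pubkey -noout)" ]
}
new_ca_serial() { openssl x509 -in ca-new.crt -serial -noout; }   # prints serial=01
# A cert signed under the old CA cert chains to the new one: same key, same issuer name
old_client_cert_verifies() { openssl verify -CAfile ca-new.crt client.crt >/dev/null 2>&1; }
# The old CRL is accepted under the new CA cert too, so the revoked cert is rejected
revoked_client_cert_rejected() {
  ! openssl verify -crl_check -CAfile ca-new.crt -CRLfile crl.pem client.crt >/dev/null 2>&1
}

build_demo_pki
same_ca_pubkey && echo "public key unchanged"
echo "new CA cert: $(new_ca_serial)"
old_client_cert_verifies && echo "old client cert verifies against the new CA cert"
revoked_client_cert_rejected && echo "old CRL still honoured: revoked client cert rejected"
```

The one thing the checks do not cover is clients that pin the CA cert itself (by fingerprint or by serial and issuer) rather than its key; those need the new cert distributed.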


Re: Webpage over SSL timing out?

2003-10-07 Thread Jason Haar
Bit of a me too here. Just today I noticed an issue whereby running a PHP
web page that does LDAP queries across our WAN was hanging forever (not an
SSL issue BTW - bad LDAP server). I hit the Stop button and tried
reloading to have another go - and the browser's swirly thing swirled away
forever - after ten minutes it was still going. A sniffer shows HTTPS
traffic between my workstation and the server - but the server never
attempted the second LDAP call - which makes me think the request never
happened (i.e. something got stuck in SSL land)

In the end the only fix was to either kill the browser, or restart the httpd
server.

That was Mozilla 1.5 under Redhat 8 talking to Apache 1.3.27/mod_ssl-2.8.12-2

Timeout 300
KeepAliveTimeout 15
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

 openssl s_client -connect HOST:PORT -reconnect

That appears to work fine here too - I get the reused line...

-- 
Cheers

Jason Haar


Is anyone successfully running OWA2K behind Apache/mod_ssl?

2002-11-07 Thread Jason Haar
We're using Apache/mod_ssl to provide a reverse-proxy to some backend Web
servers, and want to add OWA2K to the list (that's Outlook Web Access for
Microsoft Exchange 2000).

It works fine with OWA from Exchange 5.5 - which was basically just HTML
plus some javascript - but OWA2K (under IE5+) uses all sorts of whizzy M$
stuff, and doesn't work!

If you access OWA2K with a non-IE browser (e.g. Mozilla), OWA2K reverts to
the older format and works fine - it just doesn't work well from IE (ironic
isn't it :-)

It's pretty flakey. IE5.0 works pretty well, IE5.5 works 20% of the time and
IE6 just dies. It goes without saying that all these browsers work fine when
talking directly to the OWA2K server: it's only via the RP that they fail.

I've done packet sniffs and compares and can't see anything out of the
ordinary. I think it's an OWA issue, or an IE security-context issue, but
can't say for sure.

Anyone else got any stories about this?

Thanks

-- 
Cheers

Jason Haar



Re: Is anyone successfully running OWA2K behind Apache/mod_ssl?

2002-11-07 Thread Jason Haar
On Thu, Nov 07, 2002 at 06:57:36AM -0800, David Marshall wrote:
 The biggest drawbacks to this solution were.
 a. Every time you reboot/restart IIS on the System where OWA is installed, 
your security settings will be reset adding Windows Integrated Authentication 
back to the virtual directories. 

Strange. We've already done that and it does last through reboots.

 b. We had to add a virtual host for every OWA site on Apache that we needed to host.
In my environment we have 3 exchange servers and 2 routing groups. 
This meant that as we changed our Exchange Topology, that we would have
to re-work the Apache front-end proxy.

Ah. That sounds like you're doing this to backend servers - not an OWA
frontend server - sorry for not mentioning that - we're using frontend
servers - specifically to get around the issues of having multiple Exchange
servers.

 After reading the Microsoft Exchange Front-End/Backend documents
 http://www.microsoft.com/downloads/release.asp?releaseid=43997 , We decided
 to evaluate running a Front-End OWA server under SSL with HTTP disabled on a
 separate system from the other Exchange Servers. In the final analysis, we
 decided that this was the right answer for us.

That's alright. I think I've finally figured it out! The problem was that our
Apache reverse-proxy was called proxy.domain, whereas our OWA2K was called
owa.domain. Whenever a client asked for
https://proxy.domain/exchange/... that would pass through to owa.domain
with a Host: header of proxy.domain (as you would expect). However there
is a bug in either OWA or IE5+ that causes OWA2K to generate corrupt XML if
the IIS server doesn't recognise the Host: header as being itself.

So all we did was tell IIS that proxy.domain was a valid alias for itself,
and magically OWA2K started working via the reverse-proxy :-)

I feel like I've achieved something this week :-)

-- 
Cheers

Jason Haar



Re: SSL reverse proxy + Client Cert auth

2002-08-19 Thread Jason Haar

On Sun, Aug 18, 2002 at 11:40:13PM -0700, Anbuchezhian Chelliah wrote:
 Hi Danny,
I guess I understood your doubt. If not, please
 ignore this. There should be 'ca-bundle.crt' file in
 which you can put the third party's certificate and
 you could make a try.

Whoa! If you are running your own CA and only want your https server to
accept certs signed by that CA, then YOU MUST NOT USE THE ca-bundle.crt
FILE!!!

Replace it with your own cacert instead. Otherwise you are actually telling
your https server that *any* cert signed by *any* CA is valid - which may
not be what you want...

This is especially pertinent given the huge SSL hole found in IE/Konqueror
recently...

-- 
Cheers

Jason Haar
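The two settings the post contrasts, as an added illustration that is not from the post: the first block trusts every CA in the shipped bundle, the second trusts only the internal CA (and checks its CRL). Directives are mod_ssl 2.8's; the file paths and the "Example Ltd" organisation name are assumptions.

```apache
# Weak: ca-bundle.crt holds dozens of public CAs, so a client cert issued by
# ANY of them satisfies "require" (paths assumed, not from the post)
SSLVerifyClient      require
SSLVerifyDepth       1
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt

# Intended: trust only the internal CA, and honour its CRL as well
SSLVerifyClient      require
SSLVerifyDepth       1
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/internal-ca.crt
SSLCARevocationFile  /usr/local/apache/conf/ssl.crl/internal-ca.crl
# Belt and braces: refuse any client cert whose issuer is not the internal CA
# ("Example Ltd" is an assumed organisation name)
SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Ltd"
```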



Re: Expired and Revoked Certificates

2002-06-20 Thread Jason Haar

On Thu, Jun 20, 2002 at 10:04:40AM -0500, Mary Peterson wrote:
 I have two issues that I wondered if anyone could assist me with:
 
 When I test a revoked client certificate against the CRL I get a
 Security Alert Message that says 'The security certificate for this site
 has been revoked.  This site should not be trusted.'

It's a bug with Internet Explorer. I noticed it too.

If you used Mozilla - you'd see it report your certificate has expired -
i.e. a correct response.

 Also, when I test an expired client certificate it brings back a 'Page
 Cannot be Displayed' error message.  Does anyone know how I can get it
 to return a 'Your certificate has expired' error message in place of the
 'Page Cannot be Displayed' message?

Pretty hard. As your cert has expired, then there is no channel over which
to send you that HTML :-) Nope, I'm afraid nothing but the client can give
that information.

-- 
Cheers

Jason Haar



Re: 1 certificate for several sites using redirection ?

2002-06-18 Thread Jason Haar

On Wed, Jun 12, 2002 at 01:35:04PM +0100, Peter Viertel wrote:
 thats basically right.
 ...
 Wim Godden wrote:
 
 So there's no system which allows me to really proxy pages and 'modify' 
 them so
 that all future connections go through this 'proxy' as well ?
 

There is one way...

It can only work if the internal server has a hostname that can be
hijacked by the reverse proxy server.

i.e. if you are wanting to do:

client --- Internet --- https://www.mycompany.com/

...then you can do:

client --- Internet --- https://www.mycompany.com/ --- Internal ---
http://www.mycompany.com/


e.g. on the Internet www.mycompany.com is 1.2.3.4, whereas internally
www.mycompany.com is 10.1.2.3

Then you can set up your Apache reverse proxy so that it proxies / - i.e.
run www.mycompany.com as a full VirtualHost.

Done it - it works :-)


-- 
Cheers

Jason Haar



Details on how to run a CRL?

2002-06-04 Thread Jason Haar

We are looking at using Client Certs via an internal CA as a cheap way of
strong authentication (SecurID costs are killing us!)

Obviously we'll have to introduce processes by which leaving staff have
their certs revoked, and have quick turnaround on revoking certs when a user
reports them lost (yeah, right... :-/)

Anyway, I can't think of a way of getting the server to check revocations
other than uploading the crl.pem hourly/daily from the CA to each SSL
server. This is possible, but I wondered if there is a better way of doing
it, or is that how this is meant to be done? I mean, that doesn't look like
it'd scale very well...

If that is true, can I imply from this that revocation checks basically
aren't done on the Internet today? 


-- 
Cheers

Jason Haar




Workaround for bug with FakeBasicAuth

2002-05-29 Thread Jason Haar

I've been trying to get Client cert authentication to work with mod_ssl
2.8.4-8 and have everything working bar directory listings. Apparently this
is a bug that goes back over a year now?

Anyway, I think I have a workaround.

Instead of using FakeBasicAuth, I instead use SSLRequire, and change
CustomLog to fake the auth entry:

i.e.

LogFormat "%h %l %u %t \"%r\" ..." standard
LogFormat "%h %l SSL:%{SSL_CLIENT_S_DN_EMAIL}e %t \"%r\" ..." ssl-standard

CustomLog /log/access_log standard
# Override the CustomLog setting for valid SSL Client Certs
CustomLog /log/access_log ssl-standard env=SSL_CLIENT_S_DN_EMAIL

<Location ~ /secure>
 SSLRequireSSL
 SSLVerifyClient require
 SSLVerifyDepth  1
 SSLOptions +StrictRequire +ExportCertData +CompatEnvVars +StdEnvVars
 SSLBanCipher NULL-MD5 NULL-SHA
 SSLRequire   %{SSL_CLIENT_S_DN_OU} in {"our dep"}
 Options None Indexes FollowSymLinks SymLinksIfOwnerMatch
 AllowOverride None
 order allow,deny
 allow from all
</Location>

The only concern I have is that I had to set +StdEnvVars in order to get
SSL_CLIENT_S_DN_EMAIL into the environment. Can I access that some other
way, or is the extra load of adding the env vars not bad enough to be
concerned about?

Also, if anyone thinks that's not going to operate the way I think it should
(i.e. only allow OU=our dep access) please let me know :-)

Thanks

-- 
Cheers

Jason Haar
