Re: CA Key and Self-Signed Server Certificate Generation
> At the prompt, I did the following command:
>
> # sh sign.sh server.csr
> : command not found
> line: 6: 'usr/sbin/sign.sh: sign.sh: line 15: syntax error near unexpected token `in
> 'usr/sbin/sign.sh: sign.sh: line 15: `case $CSR in
>
> Now, what I don't understand is that I used the syntax as posted on the site. What puzzles me even more is that it should work, but it seems that there is something wrong in the code. Or do I need to specify the path in my env variables?

My guess is that the script code somehow got messed up when you copied it from the site, or maybe the script for some reason contains hidden characters. But if the CA.pl script works fine, then use CA.pl instead.

Best regards
Anders

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Newbie Question SSL Apache
Hello, I have a question regarding SSLCACertificateFile from SSL-Apache in the httpd.conf file. I have a server certificate which is issued by our Sub CA. My question: which certificate must I use, the Root CA or the Sub CA certificate? The Root CA certificate is issued by DFN-PCA in Hamburg/Germany, and the Sub CA is produced by ourselves.

TIA
R. Markham
Re: Newbie Question SSL Apache
R. Markham wrote:
> Hello, I have a question regarding SSLCACertificateFile from SSL-Apache in the httpd.conf file. I have a server certificate which is issued by our Sub CA. My question: which certificate must I use, the Root CA or the Sub CA certificate? The Root CA certificate is issued by DFN-PCA in Hamburg/Germany, and the Sub CA is produced by ourselves.

This is a question that should be best answered by the issuing CA... ;)

As far as I understand it, the file pointed at by SSLCACertificateFile must contain both certs, the Root CA's and the Sub CA's, since Apache sends the complete certificate chain to the browser.

Kind regards,
Ted
;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
AW: Newbie Question SSL Apache
Hi Ted,

I am rather confused which of the variables to use. It seems to me they are equal: SSLCACertificateFile and SSLCertificateChainFile. Have any idea?

Regards
Richard Markham
Re: CA Key and Self-Signed Server Certificate Generation - Follow-up
On Tue, Jan 11, 2005, Servie Platon wrote:
> Hello Dr. Henson,
>
> And thank you again for this advice.
>
> --- Dr. Stephen Henson wrote:
> > I suggest you ignore that script: and use the CA.pl script and the appropriate documentation instead.
>
> As suggested by you, I used the CA.pl script which works okay. On this issue, I would like to ask some follow-up questions:
>
> 1. Do I have to move server.key and ca.key to /etc/ssl/private and ca.crt to the /etc/ssl/certs directory respectively?

If you used CA.pl correctly there won't be a 'server.key' file initially. The private key will be in newreq.pem. You don't need to move ca.key at all. What you need to do is move newreq.pem to wherever the server private key needs to go (/etc/ssl/private/server.key) and the same with newcert.pem (the new certificate) and copy the CA certificate which is in demoCA/cacert.pem.

> 2. Since the command sign.sh server.csr does not work because the sign.sh script is kind of obsolete already, do I have to move newreq.pem to the directory /etc/ssl/certs if I issued the command /etc/ssl/misc/CA.pl -newcert to create a new certificate? And would it be okay if I remove server.csr from the /etc/ssl directory?
>
> 3. I would like to secure my keys and certificate by doing a chmod on the following:
>
> # chmod 750 /etc/ssl/private/
> # chmod 400 /etc/ssl/certs/ca.crt
> # chmod 400 /etc/ssl/certs/newreq.pem
> # chmod 400 /etc/ssl/private/ca.key
> # chmod 400 /etc/ssl/private/server.key
>
> Would this suffice as a security measure to protect the integrity of the certificate itself?

Yes, the 400 permissions are OK, though you only really need it on the private key.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
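As an added example (not from the thread) of the installation and permission steps Steve describes: it copies newreq.pem, newcert.pem and demoCA/cacert.pem into a destination tree laid out like /etc/ssl/{private,certs}, gives only the private key mode 0400, and audits the private directory for anything group- or world-accessible. The destination directory, the placeholder file contents and the demo() scratch run are the example's own assumptions.

```python
"""Install what CA.pl produced (newreq.pem = server key, newcert.pem = server
cert, demoCA/cacert.pem = CA cert) and lock down the private key, as advised
above. Added example, not from the thread; dest is a parameter, not /etc/ssl."""
import os
import shutil
import stat
import tempfile

# CA.pl output file -> (subdirectory under dest, installed name, mode).
# Only the private key needs 0400; the certificates are public.
LAYOUT = {
    "newreq.pem": ("private", "server.key", 0o400),
    "newcert.pem": ("certs", "server.crt", 0o444),
    os.path.join("demoCA", "cacert.pem"): ("certs", "ca.crt", 0o444),
}


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def install_ca_pl_output(src, dest):
    """Copy the files into dest/{private,certs}; returns {installed name: path}."""
    installed = {}
    old_umask = os.umask(0o077)   # the key is never world-readable, even briefly
    try:
        for name, (sub, target, mode) in LAYOUT.items():
            d = os.path.join(dest, sub)
            os.makedirs(d, exist_ok=True)
            os.chmod(d, 0o750 if sub == "private" else 0o755)
            path = os.path.join(d, target)
            if os.path.exists(path):
                os.remove(path)   # an earlier 0400 copy cannot be overwritten in place
            shutil.copyfile(os.path.join(src, name), path)
            os.chmod(path, mode)
            installed[target] = path
    finally:
        os.umask(old_umask)
    return installed


def audit_private_dir(dest):
    """Report anything under dest/private that group or others can reach."""
    private = os.path.join(dest, "private")
    findings = []
    if mode_of(private) & stat.S_IRWXO:
        findings.append(f"{private}: world-accessible directory")
    for name in sorted(os.listdir(private)):
        p = os.path.join(private, name)
        if mode_of(p) & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{p}: mode {oct(mode_of(p))}")
    return findings


def demo():
    """Scratch run: placeholder CA.pl output, install, audit, then loosen the key
    to show the audit catching it. Returns (installed paths, clean, after_644)."""
    base = tempfile.mkdtemp(prefix="capl-")
    src, dest = os.path.join(base, "work"), os.path.join(base, "ssl")
    os.makedirs(os.path.join(src, "demoCA"))
    for name in LAYOUT:   # constructed stand-ins for the real PEM files
        with open(os.path.join(src, name), "w") as f:
            f.write(f"PLACEHOLDER {name}\n")
    installed = install_ca_pl_output(src, dest)
    clean = audit_private_dir(dest)
    os.chmod(installed["server.key"], 0o644)
    return installed, clean, audit_private_dir(dest)
```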
Re: CA Key and Self-Signed Server Certificate Generation - Was
Hello Mr. Ringaby,

Thanks for the reply.

> My guess is that the script code somehow got messed up when you copied it from the site, or maybe the script for some reason contains hidden characters.

I think you are right, Sir, because I copied the script from the site on a Windows machine and placed it on my test Linux box.

> But if the CA.pl script works fine, then use CA.pl instead.

Definitely, I will use the CA.pl script from here on as suggested by Dr. Henson.

Thank you very much again for the help.

Sincerely,
Servie
micalg
Hello!

I found out that openssl smime puts micalg: sha1 whether the message is hashed with sha1 or any other algorithm. It is hardcoded into the current snapshot (20050112) of the 0.9.8 version (crypto/pkcs7/pk7_mime.c).

RFC 2633 (http://www.ietf.org/rfc/rfc2633.txt) says:
___
The micalg parameter allows for one-pass processing when the signature is being verified. The value of the micalg parameter is dependent on the message digest algorithm(s) used in the calculation of the Message Integrity Check. If multiple message digest algorithms are used they MUST be separated by commas per [MIME-SECURE]. The values to be placed in the micalg parameter SHOULD be from the following:

   Algorithm   Value used
   MD5         md5
   SHA-1       sha1
   Any other   unknown
---

So, is the hard-coded value a bug or a feature?

--
SY, Dmitry Belyavsky (ICQ UIN 6575)
Re: micalg
On Wed, Jan 12, 2005, Dmitry Belyavsky wrote:
> I found out that openssl smime puts micalg: sha1 whether the message is hashed with sha1 or any other algorithm. It is hardcoded into the current snapshot (20050112) of the 0.9.8 version (crypto/pkcs7/pk7_mime.c).
>
> So, is the hard-coded value a bug or a feature?

It's a missing feature :-)

I've never seen anything other than sha1 in there so this might not be a problem in practice.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
How to change/remove p12 file password
Hi,

I have a p12 file in which the private key is password protected. I want to remove the private key password. Is there any option in openssl to change/remove the p12's private key password?

Thanks
Re: question -- should SSL server send certs for all CAs?
Hi Jeffrey,

Thanks for your response. So, is it a standard that the SSL-enabled server app send the certificate chain, or just something that the app 'should' do? How can I test what certificates the server is actually sending back? I know that uw-imapd doesn't send the whole chain, and that Apache does.

Just to give yet another example -- our exim mail server allows TLS for incoming mail. The mail server uses the hash files to find the certificates for the CA, and has a certificate file which contains our own certificate (signed by an Intermediate CA). I thought that the exim server was sending out the Intermediate CA certificate because when I tried to send a message using a slightly older than new version of Linux Mozilla that did not know about the Intermediate CA, it worked. However, I then got complaints from our PC users using the same version of Mozilla that they were getting messages that the Intermediate CA was unknown! I added the Intermediate CA certificate to the end of the server certificate that I was sending back to the client, and now the PC users were happy. Either exim is sending the full chain out and there was a bug in the Windows version of Mozilla that I was running, or the Unix version of Mozilla I was running did not completely check the chain!

Is there a client program I can run on both the Unix and Windows side to test exactly what certificates are being sent from the server to the client?

Thanks,
Jason Keltz

On Mon, 10 Jan 2005, Jeffrey Altman wrote:
> The server should send all of the certs which make up the chain but not the root cert. If the root cert is sent, the client must ignore it for purposes of validation of the chain.
>
> Microsoft used to distribute Intermediate certs as part of Windows and this resulted in the expectation that clients should have the intermediate certs installed on their machines. Intermediate certs expire more frequently than root certs. The administrators of the servers have a relationship with the issuers of the intermediate certs; the clients do not. Therefore, the server administrators can more easily update the intermediate certs when needed. Inclusion of the intermediate certs on the client requires the administrator of the client to remove the old intermediate cert and replace it with the new one. In practice, this will never happen in most cases because most clients do not have administrators.
>
> Jeffrey Altman
>
> Jason Keltz wrote:
> > Hi. I have a question with respect to the SSL protocol. Is it part of the protocol that the SSL server send to the client the public keys for the CAs making up the certificate chain? Or is it acceptable to send just the server public key and expect the client to complete the chain on its own?
> >
> > I can demonstrate with two examples... assume a multi-level certificate chain -- Root CA - Intermediate CA - server.
> >
> > I have two programs -- Apache httpd, and uw-imapd, and both operate differently in this respect. In terms of uw-imapd, the client connecting (Thunderbird 0.8) knew about the Root CA and not the intermediate CA. Thunderbird 0.8 was unable to verify the chain, so an SSL connection could not be made. However, placing the public key of the Intermediate CA in the key file for the server made the problem go away.
> >
> > In terms of Apache and running say Opera as a web client -- if the web client doesn't know about the intermediate CA, the server sends the information, and the client trusts the information without a word to the user. If the Root CA certificate is deleted from the client, the server sends both the Root CA public key and the intermediate CA public key; Opera prompts the user letting them know that it doesn't know about any of the 3 components and asking the user if he would like to trust the CAs. The fact that the client even knows about the Root CA means that the server is sending the whole chain along.
> >
> > I'm not writing to ask about either of these programs (Apache/uw-imapd) because that is obviously discussion for a different list. What I'm wondering about is the protocol in general -- should the server send the whole path, or not? Is there a standard?
> >
> > Thanks for any information you can provide.
> > Jason Keltz
Re: Win32 OpenSSL feature request
At 05:17 PM 1/11/2005 +0100, Erlend writeth:
> Hi
>
> Would like to see a COM/ActiveX interface to OpenSSL, so I can use it from VB (and possibly other languages too)
>
> Best regards
> Erlend S. E.

Hello Erlend,

I agree that this would be a really nice feature for VB users - not having to manually load the DLL and define prototypes and all that complex stuff VB doesn't do very easily... just hooking into a type library and having immediate access to all the exposed interfaces would be fantastic.

However, the OpenSSL team would have to think about all of the implications of doing this in terms of what it means for OpenSSL in terms of overall system security - what would happen if someone made raw COM calls using an Internet Explorer script? Since OpenSSL has something called BIO for generic I/O, this could potentially open a security loophole in IE to write to any file on the user's system or create new ones - and since a BIO can represent a socket, this opens the door for installing spyware, desktop icons, and viruses without a user noticing and certainly without permission. Stuff like this will have to be addressed before a COM interface is created for increasing programmatic ease-of-use.

Thomas J. Hruska
Shining Light Productions
Home of the Nuclear Vision scripting language and ProtoNova web server.
http://www.slproweb.com/
Re: question -- should SSL server send certs for all CAs?
On Wed, Jan 12, 2005, Jason Keltz wrote:
> Hi Jeffrey,
>
> Thanks for your response. So, is it a standard that the SSL-enabled server app send the certificate chain, or just something that the app 'should' do?

It's part of the standard. OpenSSL doesn't currently enforce this but it may do at some point.

> How can I test what certificates the server is actually sending back?

The -showcerts option of s_client will do that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
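An added example (not from the thread) of checking what a server really sends, following Steve's pointer to s_client -showcerts: it parses the subject/issuer lines that option prints before each PEM block and reports whether the chain links, whether a self-signed root was included, and whether the chain reaches a root the client trusts (the uw-imapd, Apache and Opera situations Jason describes). The fetch helper, the sample subject names and the placeholder PEM bodies are the example's own constructions.

```python
"""Audit the certificate chain a server actually sends, from the output of
`openssl s_client -connect host:port -showcerts`. The "N s:<subject>" and
"   i:<issuer>" lines printed before each PEM block are all we need."""
import re
import subprocess

# The 0.9.x/1.0 form "s:/C=..." and the later "s:C = ..." form both match.
_SUBJ = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISS = re.compile(r"^\s*i:(.*)$")
_PEM = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fetch_showcerts(host, port=443):
    """Run s_client against a live server and return its output (needs network)."""
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}",
                           "-showcerts"], input=b"", capture_output=True, timeout=30)
    return proc.stdout.decode(errors="replace")


def parse_showcerts(text):
    """Return [{index, subject, issuer, pem}, ...] in the order the server sent them."""
    lines = text.splitlines()
    certs = []
    for n, line in enumerate(lines):
        m = _SUBJ.match(line)
        if not m:
            continue
        mi = _ISS.match(lines[n + 1]) if n + 1 < len(lines) else None
        certs.append({"index": int(m.group(1)), "subject": m.group(2).strip(),
                      "issuer": mi.group(1).strip() if mi else "", "pem": None})
    for cert, pem in zip(certs, _PEM.findall(text)):
        cert["pem"] = pem
    return certs


def audit_chain(certs, trusted_roots):
    """Findings about what was sent; trusted_roots = subjects in the client's store."""
    if not certs:
        return {"count": 0, "linked": False, "root_sent": False, "trusted": False}
    # Each certificate's issuer must be the subject of the next one sent.
    linked = all(certs[k]["issuer"] == certs[k + 1]["subject"]
                 for k in range(len(certs) - 1))
    last = certs[-1]
    root_sent = last["subject"] == last["issuer"]  # a self-signed root was included;
    # the client must ignore it for validation, so sending it only costs bytes.
    # The chain is usable only if it links and ends at, or directly below, a root
    # the client trusts: a lone leaf issued by an unsent intermediate fails here.
    trusted = linked and (last["subject"] in trusted_roots
                          or last["issuer"] in trusted_roots)
    return {"count": len(certs), "linked": linked, "root_sent": root_sent,
            "trusted": trusted}


def make_showcerts(entries):
    """Constructed s_client-style text from (subject, issuer) pairs with placeholder
    PEM bodies, so the parser can be exercised offline."""
    out = ["Certificate chain"]
    for n, (subj, iss) in enumerate(entries):
        out += [f" {n} s:{subj}", f"   i:{iss}", "-----BEGIN CERTIFICATE-----",
                f"PLACEHOLDER-{n}", "-----END CERTIFICATE-----"]
    return "\n".join(out + ["---"]) + "\n"


# Made-up names standing in for the chain discussed in the thread.
ROOT = "/C=CA/O=Example/CN=Example Root CA"
INTER = "/C=CA/O=Example/CN=Example Intermediate CA"
LEAF = "/C=CA/O=Example/CN=www.example.com"
TRUSTED = {ROOT}
APACHE_STYLE = make_showcerts([(LEAF, INTER), (INTER, ROOT)])  # leaf + intermediate
IMAPD_STYLE = make_showcerts([(LEAF, INTER)])                   # leaf only
WITH_ROOT = make_showcerts([(LEAF, INTER), (INTER, ROOT), (ROOT, ROOT)])
```

Against a live server, `audit_chain(parse_showcerts(fetch_showcerts("host")), trusted)` gives the same report for whatever that server sends.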
Re: How to change/remove p12 file password
On Wed, Jan 12, 2005, Jaleel P.A wrote:
> Hi,
>
> I have a p12 file in which the private key is password protected. I want to remove the private key password. Is there any option in openssl to change/remove the p12's private key password?

Currently you have to parse and recreate the PKCS#12 file. There is a function to change a PKCS#12 file password but it's not currently available from the command line utility.

As for removing the password, that can be done. The password however doesn't just belong to the private key; it can apply to certificates and an integrity check too using a MAC. There are three different ways to remove the password:

1. Keep encryption and MACs but have a NULL password.
2. Keep encryption and MACs but have a zero length password.
3. Don't encrypt anything and don't have a MAC.

The first two can be done with any version of OpenSSL, the last one only with 0.9.8-dev.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: Win32 OpenSSL feature request
The first thing is to make the DLLs stdcall friendly. :-) (at least that was the state of the art 3 years ago?)

Once upon a time I converted the DLLs to be directly usable by VB. The main problems are described below. I have not ported the changes beyond 0.9.6a, maybe I should retry. A boring point was the second one. Once you have that, then, well, it is still a pain to set SSL options, since most 'functions' are actually macros around the general ctrl interface etc.

> Hello Erlend,
>
> I agree that this would be a really nice feature for VB users - not having to manually load the DLL and define prototypes and all that complex stuff VB doesn't do very easily... just hooking into a type library and having immediate access to all the exposed interfaces would be fantastic.

From sylvest Mon Apr 23 17:46:44 2001
To: openssl-dev@openssl.org
Subject: Re: openSSL and Visual basic

> Hi
>
> I wanted to know if anyone has gotten openSSL to work with visual basic. If you have, can you please let me know. It would be greatly appreciated.
>
> Thanks

Since it happened that last week I was trying to do that for a project, here is the result of some rather qd hack with a goal to touch just a minimal number of routines in 0.9.6a:

- The basic approach is to compile the whole stuff with the /Gz option in order not to modify the 3000 exported function prototypes.
- All main routines need a __cdecl main: the #define for MAIN, all the *test.c modules, and openssl.c.
- The pwd_read routine needs some __cdecl in the declaration of signal and a pointer array.
- In apps/s_socket.c one call to signal needs an addition of __cdecl for socket_cleanup.
- mem.c needed some treatment with Malloc, Free, Realloc. The macro CRYPTO_malloc_init needs some fix; the easiest way was to call with all parms NULL and test that in mem.c. Goal: allow __stdcall type functions to be passed.
- There are 5 modules that call qsort and 2 that call bsearch. Instead of finding all the routines that call them, I copied qsort and bsearch into the source from mfc and made them __stdcall friendly. It seems possible to me to avoid that and replace all the _cmp functions of stack and set comparisons by __cdecl routines; it seems that they are not supposed to be called by applications anyway.
- The asm routines: all declarations either need a __cdecl or the asm routines to be modified. With the first option some routines are not callable from VB, so be it for the moment.

All ms\test routines passed.

I wonder whether one of the friendly developers would like to work on this for the 0.9.7 version in one way or another, at least to minimise the migration effort a bit.

Peter Sylvester
[no subject]
What do I need to do to use OpenSSL on a hosting account?
Re:
I am creating an e-commerce site and would like SSL certificates.

Michael Jackson wrote:
> What do I need to do to use OpenSSL on a hosting account?
SSL on a hosted site
Can I install this on a hosted site? How does this ensure protection for my customers? Besides the cost, is there a difference between these SSL certs and ones from Verisign or another company?

Mike
Re: SSL on a hosted site
Usually I lurk but I can offer some suggestions.

1) It will depend on the hosting company.
2) Certs are the same. The issue is that Windows knows about certs from companies like Verisign and does not know about anything you generate yourself - however technically they are the same.
3) Technically it should be possible to install your own root cert in a client computer. This would make sense if you are doing this in an intranet environment (i.e. say corporate or government). This totally defeats the premise of having a certification authority. However we all know there is no security in most client computers anyways. (ha!) Furthermore any felon in jail can have his lawyer register a company and then obtain a legit cert from pretty much any official certification authority.

On Wed, Jan 12, 2005 at 02:14:52PM -0800, Michael Jackson wrote:
> Can I install this on a hosted site? How does this ensure protection for my customers? Besides the cost, is there a difference between these SSL certs and ones from Verisign or another company?
>
> Mike
Re: SSL on a hosted site
Would openssl be a good choice for creating my own certs? The host for my service is not on an intranet. It is a separate entity such as godaddy.com. Is it still possible?
Re: SSL on a hosted site
Have a look at this http://www.schneier.com/paper-pki-ft.txt and some other papers on that site. I run my own CA because I neither trust nor can I afford Verisign. There's no technical difference in the certs.

best regards,
Lance
http://www.newparticles.com/