Re: CONF_load_bio:missing equal sign
Sigh. The diagnostic is clearly pointing at line 28 of the ssl.conf file - do you think you could post (some context around) line 28 of your ssl.conf file?

Harvey, Jody wrote:
> I am currently setting up OpenSSL on a Windows 2k system. I have followed instructions as closely as possible. My problem is when I use this command:
>
> C:\Program Files\GnuWin32\bin>openssl req -config ssl.conf -newkey rsa:1024 -key out keyreq\server.pf.key -out keyreq\req.pem
>
> I get this:
>
> error on line 28 of ssl.conf
> 1100:error:0E066065:configuration file routines:CONF_load_bio:missing equal sign:conf_def.c:366:line 28
>
> I have no clue what is wrong with the conf file. There seems to be nothing out of place. I have looked at the FAQs on the OpenSSL site...no help. Can someone explain or lead me in the right direction? What am I doing wrong?
>
> Jody Harvey
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]

--
An Internet-connected Windows machine is tantamount to a toddler carrying a baggie of $100 bills down a city street...
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: CONF_load_bio:missing equal sign
AH, that's the problem. Those are not commands for OpenSSL, those are commands for the Apache daemon and go in your Apache httpd.conf file.

Harvey, Jody wrote:
> Here is line 28 through 30 of my ssl.conf
>
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> #SSLRandomSeed startup file:/dev/random 512
>
> Is that right?
>
> Jody Harvey

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: CONF_load_bio:missing equal sign
From man req (which is available at www.openssl.org):

RANDFILE
    This specifies a filename in which random number seed information is placed and read from, or an EGD socket (see RAND_egd(3)). It is used for private key generation.

===

On Unix I've used something as simple as

    (date; du) > randomfile

...

    RANDFILE = randomfile

which just puts something that is always changing (date) and something that is very difficult to predict for past or future dates (the free space on the disk) into a file (this is outside the ssl.conf file tho) but perhaps you could name some Windows log file or something. We're way past this in Unix now because many Unix systems have the /dev/random or /dev/urandom devices - and if these are present OpenSSL doesn't need the RANDFILE.

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: CONF_load_bio:missing equal sign
It's not seeing your openssl.conf file - are you sure it is in the right place and that you are correctly pointing to it? The reason I ask is that it was finding it before, so what did you change to make it not find it now?

Harvey, Jody wrote:
> I used the file you sent. Now I am getting:
>
> INPUT
> C:\Program Files\GnuWin32\bin>openssl req -config openssl.conf -newkey rsa:1024 -keyout server.pf.key -out req.pem
>
> OUTPUT
> error on line -1 of openssl.conf
> 2352:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('openssl.conf','rb')
> 2352:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:107:
> 2352:error:0E064072:configuration file routines:CONF_load:no such file:conf_def.c:197:
>
> Jody Harvey, MCP
> AFMIC - Publishing
> BAE Systems
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAILLETTE Frédéric
> Sent: Wednesday, February 23, 2005 10:57 AM
> To: openssl-users@openssl.org
> Subject: Re: CONF_load_bio:missing equal sign
>
> (re)Hi,
>
> Did you have a valid configuration file? Try the default file provided by the OpenSSL attached to this mail. Be aware this file is named openssl.cnf ;-)
>
> Hope this helps
>
> Frédéric
>
> PS: Sorry for my bad English :-)
>
> Harvey, Jody wrote:
>> OK. I think I understand. So I did this:
>>
>> C:\Program Files\GnuWin32\bin>openssl req -config openssl.conf -newkey rsa:1024 -keyout server.pf.key -out req.pem
>>
>> And got:
>>
>> error on line -1 of openssl.conf
>> 3700:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('openssl.conf','rb')
>> 3700:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:107:
>> 3700:error:0E064072:configuration file routines:CONF_load:no such file:conf_def.c:197:
>>
>> I am doing this on a Win2K server (not by my own choice).
>>
>> Jody Harvey
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles B Cranston
>> Sent: Wednesday, February 23, 2005 10:11 AM
>> To: openssl-users@openssl.org
>> Subject: Re: CONF_load_bio:missing equal sign
>>
>> AH, that's the problem. Those are not commands for OpenSSL, those are commands for the Apache daemon and go in your Apache httpd.conf file.
>>
>> Harvey, Jody wrote:
>>> Here is line 28 through 30 of my ssl.conf
>>>
>>> SSLRandomSeed startup builtin
>>> SSLRandomSeed connect builtin
>>> #SSLRandomSeed startup file:/dev/random 512
>>>
>>> Is that right?
>>>
>>> Jody Harvey

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: CONF_load_bio:missing equal sign
So is the problem that she has an old distro, or that she is not asking for it correctly, or that she should not be asking at all (that is, those SSL directives should just be removed and nothing put in their place)? Sorry, I don't do any work with Windows so I don't know.

Bernhard Froehlich wrote:
> Charles B Cranston wrote:
>> [...] but perhaps you could name some Windows log file or something. We're way past this in Unix now because many Unix systems have the /dev/random or /dev/urandom devices - and if these are present OpenSSL doesn't need the RANDFILE.
>
> Not that I'm a real big fan of Bill, but for technical correctness I'd repeat myself that current versions of Windows (2000 and later Service Packs of NT4, and even CE 2.1, if you're lucky) also have an equivalent (? at least I guess so) source of random, and openssl even uses it! See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/cryptgenrandom.asp
>
> Ted ;)

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: RSA key length and size
Erik Norgaard wrote:
> pair (n,e) and the private key can be represented either as a pair (n,d) or in its Chinese Remainder Theorem form (CRT). The latter should be faster, but only applies for keys with more than two prime factors.

Oh, I see, you use CRT to designate the key with the added speedup data. Yes, the Chinese Remainder Theorem is the speedup. But I believe it IS used for keys with only two prime factors, which is the usual case? Am I misunderstanding your terminology?

The standard def for RSA is

    ( cleartext ^ E ) ^ D == cleartext mod p*q

where D x E is 1 mod phi(p*q). I see only two prime factors: p and q.

Over ten years ago I wrote an assembly language implementation of this (heavily cribbed from the RSAREF C) in which I used the CRT speedup. And I was getting a significant speedup from the CRT algorithm, and I only had two prime factors.

There is a paper "High-Speed RSA Implementation", TR 201 November 1994 (Acrobat .PDF, 497k) at http://www.rsasecurity.com/rsalabs/node.asp?id=2002 (last paper at bottom of page). In general the stuff at the RSA Labs site is pretty good quality.

I am interested in your opinion of my idea about securely implementing a session protocol (as you put it). It seems to me that one could use an arbitrary number of transactions to put the key and data into the device, as long as they are masked with a session key. Even if the device is removed prematurely, the adversary can gain no advantage from any information input up to the point of the last operation. The last operation would be a "do it now" code with the session key. It seems to me this is just about as secure as your idempotent one-transaction model?

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: RSA key length and size
You should factor in the RSA speedups in your space estimates. Typically a public exponent of 2^16+1 is used so you need not pass this separately for a public key. However, the speedup for the private key operation involves all those other fields in a private key, which expands the space requirements needed considerably. While it is possible to do the private key operation with nothing other than the modulus and private exponent you should try to estimate how long the processor on the Java card would take (years? days? hours?).

My gut feeling is that you will not be able to get both a private key and the data to be encrypted into 245 bytes.

Erik Norgaard wrote:
> Hi,
>
> Sorry, I haven't written to the list before, if you know of sources of information that will answer my question, please just give me a link.
>
> I am programming a JavaCard v2.1, to provide encryption and decryption using either stored private/public keys or keys passed to the input data buffer. The input data buffer is just 245 bytes, and I want to pass the key and the data to be de/encrypted in one go to avoid problems with transient objects and risk of leaving the card in an insecure state.
>
> So my question is, say I have an RSA 1024 bit key, how much space does it actually occupy? AFAIK 128 bytes + exponent which is? For signature I need to fit in 20 bytes for a SHA1 digest, leaving some 225 bytes for the key - is that possible. For encryption I need to fit in x bytes for a symmetric key to be encrypted - how long a symmetric key should I use? which algorithm? I could use a 768 bit key if that would make things possible.
>
> Given a certificate, how do I extract the modulus and exponent? Sorry, I am getting lost in all the different formats and encodings. But so far I only see a blob of data. Is there a standard way of packing modulus and exponent efficiently into a single blob?
>
> Thanks a lot, Erik

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: RSA key length and size
Here's a crazy idea: The computer talking to the Java card rolls a random session key. In the first operation transfer a private key into the device, encrypted by the session key. In the second operation transfer the data to be encrypted and the session key. The Java card can decrypt the private key and use it. Now, the insecure state that occurs between the first and second transfer operation is not a vulnerability, because the adversary would need to know the session key to get the card to actually do anything with the private key?

Erik Norgaard wrote:
> Hi,
>
> Sorry, I haven't written to the list before, if you know of sources of information that will answer my question, please just give me a link.
>
> I am programming a JavaCard v2.1, to provide encryption and decryption using either stored private/public keys or keys passed to the input data buffer. The input data buffer is just 245 bytes, and I want to pass the key and the data to be de/encrypted in one go to avoid problems with transient objects and risk of leaving the card in an insecure state.
>
> So my question is, say I have an RSA 1024 bit key, how much space does it actually occupy? AFAIK 128 bytes + exponent which is? For signature I need to fit in 20 bytes for a SHA1 digest, leaving some 225 bytes for the key - is that possible. For encryption I need to fit in x bytes for a symmetric key to be encrypted - how long a symmetric key should I use? which algorithm? I could use a 768 bit key if that would make things possible.
>
> Given a certificate, how do I extract the modulus and exponent? Sorry, I am getting lost in all the different formats and encodings. But so far I only see a blob of data. Is there a standard way of packing modulus and exponent efficiently into a single blob?
>
> Thanks a lot, Erik

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: RSA key length and size
Doing it the hard way requires roughly 1.5 times key length number of modular multiplies (assuming about half the bits are ones and half zeroes) so if the shortcutted public key operation takes 17 units of time the non-shortcutted private key operation takes about 1500 (assuming a 1000 bit key).

Each operation is a multiply followed by a reduction modulo the modulus, or roughly a division operation (followed by discard of the quotient and retention of the remainder). Since the data is as many bits as the modulus this usually requires a fairly sophisticated subroutine. The two schemes I've seen are to do it one bit at a time (which only requires one comparison to find out what to do) or the algorithm in the RSAREF package which extracts an entire word of the quotient at a time. Pretty neat.

Also consider: what happens in the future when you want to move to a 2048 or 4096 bit key? Do you have to wait for a more capable Java card to be marketed?

Watch out for elliptic curve because a message usually takes sending TWO group elements, instead of just one as for RSA. This makes the message length twice as long as you otherwise might imagine. If you're just coding a session key for the real data this increase is minimal, but for the kind of embedded computation you're thinking of this can be a real gotcha.

Erik Norgaard wrote:
> Charles B Cranston wrote:
>> You should factor in the RSA speedups in your space estimates. Typically a public exponent of 2^16+1 is used so you need not pass this separately for a public key. However, the speedup for the private key operation involves all those other fields in a private key, which expands the space requirements needed considerably. While it is possible to do the private key operation with nothing other than the modulus and private exponent you should try to estimate how long the processor on the Java card would take (years? days? hours?).
>>
>> My gut feeling is that you will not be able to get both a private key and the data to be encrypted into 245 bytes.
>
> Thanks, well, for normal operations the private key to be applied would be stored on the card. But from my experience, I have learnt not to implement restrictions of valid choices unless there is a very good reason. Elliptic Curves may be supported in future cards and solve the space problem.
>
> The amount of data that should be de-/encrypted is limited, for example a symmetric key that is used to encrypt the actual message, or a digest to create a signature. So, I guess this concludes that for practical purposes, there is room enough :-)
>
> Do you know any performance difference for the private key encryption with all components vs. only modulus and exponent?
>
> Cheers, Erik

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: RSA key length and size
Erik Norgaard wrote:
> Charles B Cranston wrote:
>> Doing it the hard way requires roughly 1.5 times key length number of modular multiplies (assuming about half the bits are ones and half zeroes) so if the shortcutted public key operation takes 17 units of time the non-shortcutted private key operation takes about 1500 (assuming a 1000 bit key).
>
> Does this also apply to the old style keys or only in case of CRT type keys? Because, then, in any case I will have that problem when using the public key.

Not sure what you mean by old style and/or CRT type keys. If you have a public key with an exponent other than 65537 the public key operation may take longer, but I don't think that is within PKIX standards (other than 3 which does not take longer).

>> Also consider: what happens in the future when you want to move to a 2048 or 4096 bit key? Do you have to wait for a more capable Java card to be marketed?
>
> The JavaCard supports RSA 2048 bits, and as of version 2.2 there is support of ECC up to 192 bits, but only for signature.

Yes, but I was considering your original problem of getting both the key and the data to be encrypted into the 245 byte buffer. As the key gets longer this problem becomes more stringent.

> I have a 2.1 card, but it is my intention not to predefine specific key types or lengths, these are chosen when the key is generated, such that newer cards will support the new algorithms. The main problem as I see it is that for things to work, the input buffer must grow as longer keys are used or I must support sessions.
>
>> Watch out for elliptic curve because a message usually takes sending TWO group elements, instead of just one as for RSA. This makes the message length twice as long as you otherwise might imagine. If you're just coding a session key for the real data this increase is minimal, but for the kind of embedded computation you're thinking of this can be a real gotcha.
>
> I have only been introduced to ECC, twice as long encrypted output is ok, the problem seems to be with decryption, then I might run out of space.
>
> Thanks for the info!

Actually this is more El Gamal vs RSA than the elliptic group vs the integer group, but it turns out that RSA on the elliptic group is not very much harder than on the integer group, so you DON'T get the same protection with a much shorter key. But if you use El Gamal you need to send two group elements, so the message size doubles compared to RSA in which only one group element needs to be sent.

Hope all this helps!

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Setting startdate + enddate for root certificates?
I've always used the -days option to set the end date, and never really needed to set the start date - if the start date is in the future you can sequester the certificate until that date arrives (modulo distribution issues). I think I use -days 400 for a one-year cert (one year, one month grace, plus a few days extra). I guess it all depends on how fine-grained control over dates that you need for your particular application.

I don't expect it would be TOO difficult to put the options into req, but I've had a policy here of trying not to modify the source code, which in 20/20 hindsight may or may not have been a Good Thing.

Olaf Gellert wrote:
> Hi,
>
> I was just searching for a way to create root certificates with specified startdate and enddate using openssl. The openssl ca tool supports the according arguments -startdate and -enddate, but obviously openssl req, which is used to generate root certificates, does not.
>
> Any other way to do this (besides changing the system time)?
>
> Olaf

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Smart cards and private keys
There are very good reasons NOT to allow extraction of a private key from a crypto device. Investigate the vendor's provisions for either backing up or cloning a device. It is possible that the device will export its private key under some kind of protection (like encryption with some master key that the vendor may or may not allow you to know).

However, for identity purposes a lost device can be dealt with by simply issuing a new key pair (that is, commanding the device to generate a totally new pair, then export the public key for signature into a new certificate). Thus, any particular vendor may choose not to export a private key under any circumstances.

HTH

Milan Tomic wrote:
> Hi,
>
> Is it possible to extract a private key from some (any) smart card? I'm using ActivCard equipment and it seems that it is not possible?
>
> Thank you in advance,
> Milan

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Certificate Intended Purpose
One could read in openssl.txt (in the doc directory of the OpenSSL source distribution):

===
Extended Key Usage.

This extension consists of a list of usages. These can either be object short names or the dotted numerical form of OIDs. While any OID can be used only certain values make sense. In particular the following PKIX, NS and MS values are meaningful:

Value            Meaning
-----            -------
serverAuth       SSL/TLS Web Server Authentication.
clientAuth       SSL/TLS Web Client Authentication.
codeSigning      Code signing.
emailProtection  E-mail Protection (S/MIME).
timeStamping     Trusted Timestamping
msCodeInd        Microsoft Individual Code Signing (authenticode)
msCodeCom        Microsoft Commercial Code Signing (authenticode)
msCTLSign        Microsoft Trust List Signing
msSGC            Microsoft Server Gated Crypto
msEFS            Microsoft Encrypted File System
nsSGC            Netscape Server Gated Crypto

For example, under IE5 a CA can be used for any purpose: by including a list of the above usages the CA can be restricted to only authorised uses.

Note: software packages may place additional interpretations on certificate use, in particular some usages may only work for selected CAs. Don't for example expect just including msSGC or nsSGC will automatically mean that a certificate can be used for SGC ("step up" encryption) otherwise anyone could use it.

Examples:

extendedKeyUsage=critical,codeSigning,1.2.3.4
extendedKeyUsage=nsSGC,msSGC
===

Sorry, I don't know enough about Windows to know how these map to the "Certificate Intended Purposes" thing.

Shaun Lipscombe wrote:
> * Shaun Lipscombe wrote:
>> How do you go about making a client certificate and making sure that it's used for client authentication ONLY. You know the thing you see as "Certificate Intended Purposes" part within certificate properties when using your browser.
>
> Which equates to: how does one set id-kp OBJECT IDENTIFIER to id-kp-serverAuth or id-kp-clientAuth et al, using openssl? Googling doesn't find much apart from the RFC (which I flicked through).
>
> Ta.

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
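Shaun's question, how the browser's "Intended Purposes" list maps onto the id-kp OBJECT IDENTIFIERs, comes down to the DER bytes of the extendedKeyUsage extension value: a SEQUENCE of OIDs. The Python below is an added example, not code from the thread or from OpenSSL: a minimal DER codec for that extension plus the check a relying party applies (extension absent means any purpose; otherwise the purpose must be listed, or anyExtendedKeyUsage present). The OIDs are the PKIX id-kp values and RFC 5280's anyExtendedKeyUsage; the function names and the `permitted` helper are mine.

```python
"""Encode/decode X.509 extendedKeyUsage (ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId)
with a minimal DER codec, and check a purpose the way a verifier does."""

# PKIX id-kp arc 1.3.6.1.5.5.7.3.* for the usages in openssl.txt, plus anyExtendedKeyUsage.
KEY_PURPOSE = {
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "codeSigning": "1.3.6.1.5.5.7.3.3",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
    "timeStamping": "1.3.6.1.5.5.7.3.8",
    "anyExtendedKeyUsage": "2.5.29.37.0",
}
SHORT_NAME = {oid: name for name, oid in KEY_PURPOSE.items()}


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(buf, i):
    """Return (length, index of first content octet) for the length field at buf[i]."""
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    nbytes = first & 0x7F
    return int.from_bytes(buf[i:i + nbytes], "big"), i + nbytes


def encode_oid(dotted):
    """OBJECT IDENTIFIER TLV: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return b"\x06" + _der_len(len(body)) + bytes(body)


def decode_oid(body):
    """Inverse of encode_oid, given only the content octets."""
    first_arc = min(body[0] // 40, 2)
    arcs = [first_arc, body[0] - 40 * first_arc]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def encode_eku(names):
    """Build the extension value for e.g. extendedKeyUsage = clientAuth,codeSigning."""
    inner = b"".join(encode_oid(KEY_PURPOSE.get(n, n)) for n in names)
    return b"\x30" + _der_len(len(inner)) + inner


def decode_eku(der):
    """Return the dotted OIDs inside an ExtKeyUsageSyntax SEQUENCE."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, i = _read_len(der, 1)
    end, oids = i + length, []
    while i < end:
        if der[i] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid_len, j = _read_len(der, i + 1)
        oids.append(decode_oid(der[j:j + oid_len]))
        i = j + oid_len
    return oids


def permitted(eku_der, purpose):
    """RFC 5280 4.2.1.12: no EKU extension -> any purpose; else purpose (or anyEKU) must be listed."""
    if eku_der is None:
        return True
    oids = decode_eku(eku_der)
    return KEY_PURPOSE["anyExtendedKeyUsage"] in oids or KEY_PURPOSE[purpose] in oids


if __name__ == "__main__":
    # A client-only certificate: the bytes a CA emits for "extendedKeyUsage = clientAuth".
    eku = encode_eku(["clientAuth"])
    print(eku.hex(), [SHORT_NAME.get(o, o) for o in decode_eku(eku)])
    print("clientAuth:", permitted(eku, "clientAuth"), "serverAuth:", permitted(eku, "serverAuth"))
```

The decoder is what you would point at the extension value pulled out of a certificate to confirm that a client certificate really carries only clientAuth; the encoder shows why `extendedKeyUsage = clientAuth` in openssl.cnf answers the id-kp question directly, since the short name is just a label for that OID.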
Re: The time of the openssl-ciphers is constant?
If I understand you correctly the time at the server only starts getting bigger proportional to the transfer size when the size of the transfer exceeds some critical value? This is indicative of a fixed portion and a variable portion of the observation, with the fixed portion dominating when the variable portion is small.

Are you measuring clock time or CPU time?

Tyler Durden wrote:
> Hello,
>
> I am trying to get the transferring time between a client and a server with different sizes of data because I want to know which ciphers are more efficient, and afterwards I can choose the cipher that is more efficient and secure, because I want to build a library to transfer data on mobile devices (PDA, ...).
>
> But I don't understand the results that I have got; the transfer time at the client is more or less proportional to the size of the data, but at the server this only happens with two of the different sizes of data that I try, exactly with the two heaviest sizes. The different sizes that I try are 1 kb, 10 kb, 100 kb, 1 Mb, 10 Mb.
>
> My question is: would the time of the transfer of data have to be proportional to the size of the data?
>
> Thank you very much!

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Server side of RSA takes longer
For example, the public key operation of RSA, which is done at the client (encoding the session key in the server's public key) is very highly optimized by using 0x10001 (1001) as the public exponent; this requires only 16 multiplies and one add. But the server must decrypt the session key with the server's private key, and even with the precomputed information in the certificate and the Chinese Remainder Theorem speedup this is a more expensive operation. This is an example of an expensive constant-time operation that is only done once, at the server, and could explain your observations.

If you really wanted that data, you should try starting the timer after the connection is opened but before sending data. This might require modification to the source code of the server.

Tyler Durden wrote:
> Hello,
>
> I am trying to get the transferring time between a client and a server with different sizes of data because I want to know which ciphers are more efficient, and afterwards I can choose the cipher that is more efficient and secure, because I want to build a library to transfer data on mobile devices (PDA, ...).
>
> But I don't understand the results that I have got; the transfer time at the client is more or less proportional to the size of the data, but at the server this only happens with two of the different sizes of data that I try, exactly with the two heaviest sizes. The different sizes that I try are 1 kb, 10 kb, 100 kb, 1 Mb, 10 Mb.
>
> My question is: would the time of the transfer of data have to be proportional to the size of the data?
>
> Thank you very much!

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Quantum Encryption no protection against man in the middle attack?
Strangely enough, there actually MIGHT be a good reason to use Quantum Encryption. It's a very subtle point, which I will try to explain succinctly below, but unless you're actually interested you might want to hit the delete key now.

1. Perfect Forward Security

I hate to invoke Perfect Forward Security because I don't really understand it, and when one pontificates about something that one does not really understand, one often falls into a pit. In fact, basic information theoretics argues that it cannot actually exist.

My thinking so far is that, from an information theoretic view, the communication is encrypted by a link key that has three parts: a random number thrown by A, the pre-existing shared secret (or shared key), and a random number thrown by B. Consider this schematic diagram of a man in the middle attack:

    A ----- X ----- B

If A and B do Diffie-Hellman key exchange, a passive X cannot eavesdrop, because in addition to the information passed on the link she would need either the random number thrown by A or the random number thrown by B to deduce the resulting link key. The way X defeats this is by an active attack: to B, X plays A, while to A, X plays B. Thus a different link key is generated on each side of the link:

    A ----- X ----- B
       AX       BX
      link     link
      key      key

This will become useful in the section on Mixing in the Key below.

A Perfect Forward Security system has the property that even if the shared key subsequently becomes known, it is still not possible to decrypt a prerecorded session. Even if the initial shared key were compromised, it would not be possible to decrypt the recorded conversation without knowing the random numbers thrown at A and B, which are now long gone. However, from an information theoretic point of view, with enough computer power one COULD try not only every possible bit pattern of the shared key, but ALSO every possible bit pattern of the two random numbers. This greatly raises the bar, since these numbers can be of arbitrary size. This also reduces the vulnerability: since different random numbers are thrown for each message, breaking one message by deducing the key and random numbers does not help that much with breaking a different prerecorded message, since only the key will be the same. Of course, once the key is known, FUTURE messages can be ACTIVELY attacked as described above.

2. Mixing the key into the protocol

Note that up to now I've been VERY careful to specify that the adversary not only has fully capable hardware but also full knowledge of the protocols in use. The reason I've done so is that one of the things A and B can do is to mix the link key information in with the data being sent, so in the above case the fact that one link is using an AX key and the other link is using a (different) BX key would soon be detected. But if the adversary knows that this checking is being done, she can carefully mix out the AX key information in a message from A and then mix in the BX key information before forwarding the message to B. This is similar to why passive mode is required for FTP from behind a NAT box. The active mode FTP control information contains network numbers from the inside of the NAT box, which are pretty useless on the outside.

3. QE and man in the middle

NOW we are in a position to see how the combination of QE and key mixing can actually buy us something! Consider the plight of the man in the middle when both are being used. She cannot passively eavesdrop and record for further analysis because of the nature of the quantum transmission. She cannot actively eavesdrop (by doing the above and recording the raw data for further analysis) because she does not currently have the shared key, so she cannot mix out and mix in the link key information as described above. Pretty subtle, eh?

Thanks for playing the other side of this one, Dave, I think we are a sum that is greater than its parts.

It's interesting that it is the only-one-listener nature of the quantum encryption process that forces the distinction between passive eavesdropping (just listening to the wire) and passive man-in-the-middle, which involves copying the data from A to B and from B to A without trying to understand what it all means until a later analysis time.

-- An Internet-connected Windows machine is tantamount to a toddler carrying a baggie of $100 bills down a city street... Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
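The two-link-key picture and the key-mixing check from the post above, as an added example that is not part of the original message: a toy Diffie-Hellman exchange in Python in which an active X substitutes her own public value on both links, after which each side binds the pre-existing shared secret to the link key it derived and to the public values it saw. The group (a 127-bit Mersenne prime with generator 5, far too small for real use), the HMAC construction of the mixing tag, and the function names are this example's own assumptions; the thread does not prescribe any of them.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (assumption of this example):
# a 127-bit Mersenne prime is nowhere near a safe size for real traffic.
P = 2**127 - 1
G = 5
NBYTES = 16  # every group element fits in 16 bytes


def keypair():
    """Throw a fresh random exponent (the post's 'random number') and publish G^x."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def link_key(priv, peer_pub):
    """Derive the link key from the DH result. A passive X sees both public
    values on the wire but neither exponent, so she cannot compute this."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(NBYTES, "big")).digest()


def mix_tag(psk, role, transcript, key):
    """'Key mixing': one MAC over the pre-existing shared secret, the public
    values seen on this link, and the derived link key."""
    return hmac.new(psk, role + transcript + key, hashlib.sha256).digest()


def run_session(psk, active_mitm=False, mitm_knows_psk=False):
    """Simulate A <-> B, optionally with X in the middle.

    psk is the shared secret A and B already hold; X learns it only when
    mitm_knows_psk is set. Returns whether A and B derived the same link key
    and whether each side accepted the other's mixing tag.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()

    if active_mitm:
        # X plays B toward A and A toward B, substituting her own public value.
        x_priv, x_pub = keypair()
        pub_seen_by_a, pub_seen_by_b = x_pub, x_pub
    else:
        pub_seen_by_a, pub_seen_by_b = b_pub, a_pub

    k_a = link_key(a_priv, pub_seen_by_a)  # the AB key, or the AX key under attack
    k_b = link_key(b_priv, pub_seen_by_b)  # the AB key, or the BX key under attack
    transcript_a = a_pub.to_bytes(NBYTES, "big") + pub_seen_by_a.to_bytes(NBYTES, "big")
    transcript_b = pub_seen_by_b.to_bytes(NBYTES, "big") + b_pub.to_bytes(NBYTES, "big")

    tag_from_a = mix_tag(psk, b"A", transcript_a, k_a)
    tag_from_b = mix_tag(psk, b"B", transcript_b, k_b)

    if active_mitm and mitm_knows_psk:
        # X already holds the shared key: she mixes out the AX information and
        # mixes in the BX information before forwarding, so both tags verify.
        k_ax = link_key(x_priv, a_pub)
        k_bx = link_key(x_priv, b_pub)
        if k_ax != k_a or k_bx != k_b:
            raise RuntimeError("DH arithmetic went wrong")
        tag_from_a = mix_tag(psk, b"A", transcript_b, k_bx)
        tag_from_b = mix_tag(psk, b"B", transcript_a, k_ax)

    # Each side recomputes the tag it expects from its own view of the link.
    a_accepts = hmac.compare_digest(tag_from_b, mix_tag(psk, b"B", transcript_a, k_a))
    b_accepts = hmac.compare_digest(tag_from_a, mix_tag(psk, b"A", transcript_b, k_b))
    return {"keys_match": k_a == k_b, "a_accepts": a_accepts, "b_accepts": b_accepts}


if __name__ == "__main__":
    psk = b"secret A and B agreed on beforehand"
    print("no X            ", run_session(psk))
    print("X without psk   ", run_session(psk, active_mitm=True))
    print("X holding psk   ", run_session(psk, active_mitm=True, mitm_knows_psk=True))
```

Run as a script it prints the three outcomes the post walks through: without X the keys match and both tags verify; an X who lacks the shared key leaves A and B holding different link keys and both sides reject the tags; an X who already holds the shared key re-mixes the tags and goes undetected, which is the "mix out ... mix in" case.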
Re: Quantum Encryption no protection against man in the middle attack?
David Schwartz wrote:

> Do you agree that:
>
> 1) If there exists a shared secret, quantum encryption can provide protection, now and in the future, against MITM attacks or passive interception.

I believe so, now that I've read your description.

> 2) Streams of entangled particles can generate shared secrets where none previously existed.

No, not really, since the scheme described on page 80 of the Jan 2005 Scientific American looks vulnerable to a man-in-the-middle attack. I'm *fairly* sure that wrt shared secrets, if none previously existed then there is NO way to prevent a man-in-the-middle attack, as there is no way to authenticate your correspondent; however, I am willing to listen to arguments.
Re: Quantum Encryption no protection against man in the middle attack?
David Schwartz wrote:

>>> 2) Streams of entangled particles can generate shared secrets where none previously existed.
>>
>> No, not really, since the scheme described on page 80 of the Jan 2005 Scientific American looks vulnerable to a man-in-the-middle attack.
>
> In that case, it generates two shared secrets. Either way, shared secrets are generated where none previously existed.

OK, fine, split hairs :-) there are two shared secrets, but there are no secrets shared by A and B. There is one shared by A and X and another shared by X and B.

>> I'm *fairly* sure that wrt shared secrets, if none previously existed then there is NO way to prevent a man-in-the-middle attack, as there is no way to authenticate your correspondent; however, I am willing to listen to arguments.
>
> In this case, it's not an attack. You have a secure channel to the MITM. All that I said is that a shared secret is generated, not that you know who you share that secret with. And, of course, either of the parties to a secret can share it if they want.

More hair splitting.

> You might wonder what good a shared secret is if you have no idea who it's with. The idea is that you authenticate the endpoint right after you establish the shared secret, before you send any sensitive information. The MITM cannot keep the shared secrets the same with both endpoints, so you simply confirm equivalence at the endpoints as the next step.

It seems to me that this all depends on an authenticated (but not necessarily secret) channel between the two parties. For example, in the Scientific American article, a man in the middle would have to be able to send back to A, in step 4, what looks to her like B's list of the (randomly generated) filter selections that had been used. Otherwise X still does a man in the middle attack: A tries to talk to B, but X plays B's part, randomly generating a set of detection filter choices and recording both the filter and measurement. X then sends back to A the list of measurements (just as B would have). When A sends X the list of agreed bits, the AX channel is complete. X then sends to B; the article doesn't say, but I assume both the choice of sending filters and the sent bits are randomly generated. When B replies with the list of filters he decided to use (thinking he was talking to A) then X completes the channel as if she were A. Now the XB channel is complete. Neither side can detect the man in the middle unless they can sneak some key mixing through X.

What this depends on is X being able to masquerade as B when returning the list of detection filter choices to A, and to be able to masquerade as A when sending the list of bits to be used on to B. SO, if you have an authenticated channel you can build a secured channel. No surprise here: if you have an authenticated channel from A to B you can generate a public/private key pair at A and send the public key to B, then have B generate a session key and send it back to A encrypted by the public key just exchanged. This should be somewhat obvious to the readers on the OpenSSL list (:-) since we are using a PKI as exactly this authenticated channel courtesy of the public key of the CA.

I wonder what the hardware boxes do. Do you think they display a number on a display, and that Alphonse has to make a phone call to Beauregard, saying "Hi Beau, how are the wife Betty and the two boys Barry and Billy? My box says FEED FACE DEAD BEEF. What does your box say??" If the boxes do steps 4 and 5 over the fiber I don't see any way (other than pre-built-in keys in the boxes) for preventing MIM.

> For an example not involving any quantum encryption, consider using anonymous DH to establish a connection. Then, over the connection, each end sends the shared secret encrypted with its public key. Each end then validates the signatures and that the shared secrets match. In other words, you do MITM detection as a separate step.

Hmm, I do not follow here. What good does it do to encrypt the shared secret with THIS side's public key, since the OTHER side would need THIS side's PRIVATE key to do anything useful with it? This makes no sense to me. Each side sends the other side the shared secret encrypted with THE OTHER SIDE'S public key? This allows the other side to decrypt with the other side's private key and check for identity (much like key mixing), but how do you get the other side's public key over here without vulnerability to impersonation? Each end sends the other side the shared secret encrypted with THIS SIDE's private key? Again, how is the other side to get, in an authenticated way, this side's public key? Are you assuming each side has the other side's certificate, signed by a trusted CA? I guess the fourth possibility is to send the shared secret encrypted with the other side's private key; again, the question is how do you get it? Do any permutations involving having the other side's private key make any real sense at all?

> The advantage over using ADH in this same application is the
Re: Quantum Encryption no protection against man in the middle attack?
Well, I think I agree with everything David said, and given his assumptions I believe he is correct. However, it appears that he did NOT carefully read what I had posted. He is assuming the existence of the key (see his first interjection) while my argument was in two parts:

If there is NO key then a man in the middle attack succeeds. No matter WHAT medium the transmission is on.

If there IS a key then quantum encryption provides no additional protection above and beyond conventional encryption using that key.

I can split the second case into two parts:

If there IS a key AND there are NO quantum computers then the key provides adequate protection.

If there IS a key AND there ARE quantum computers then there is no protection against a man in the middle attack (I guess other than making the key have more bits than the largest known quantum computer).

In NONE of these three cases does the addition of quantum encryption increase the security. In short, David did not understand my argument. I EXPLICITLY mentioned both the private key concept he assumes AND a PKI-based system, and acknowledged that in the case of the former there is a key transportation problem, while in the latter case you need to have a PKI in place.

David, perhaps you could explain to me what, in absence of any prearranged shared secret, the legitimate recipient could POSSIBLY do that an interceptor cannot do, given that they have the same level of functionality in their equipment and the same knowledge of the protocols in use. I think my argument is a little deeper than you first might have realized, and while I'd be glad to acknowledge that you are right if indeed you are right, I don't even have the basic glimmering of an idea how I might be mistaken???

===

David Schwartz wrote:

> Sorry for the late reply:
>
>> Quantum Cryptography vs the man-in-the-middle attack
>>
>> The recent availability of commercial products for quantum cryptography has generated much press attention; however, any putative value-add for these products escapes this author. Given the traditional man in the middle attack where Vladimir imposes a pair of transceivers between Alice and Bob:
>>
>>     +-------+   +----+   +------------+   +----+   +-----+
>>     | Alice +---+ XC +---+ Vladimir's +---+ XC +---+ Bob |
>>     +-------+   +----+   |   Laptop   |   +----+   +-----+
>>                          +------------+
>>
>> Quantum cryptography on these links does not seem to provide any additional protection.
>
> What?!
>
>> Under the customary and usual assumptions that Vladimir has access to fully functional transceiver equipment and has full knowledge of all communications protocols in use, it is just plain not possible for Alice to know she is talking to Bob (and not Vladimir) or for Bob to know he is talking to Alice.
>
> What?! How can Vladimir receive the signal if he doesn't know the key?
>
>> So, if we need either a shared secret or a Public Key Infrastructure to protect against man in the middle attacks anyway, what is the value add of using quantum encryption on the link?
>
> The value add is that quantum encryption protects against a man in the middle attack by using a shared secret. This protection is fundamental, in the sense that even if the man in the middle happens to guess the shared secret, he *still* cannot decrypt the signal (unless the correct answer is his one and only guess at the time the signal is sent, and if he guesses wrong, he is detected).
>
>> The theory is advanced that quantum encryption would provide some protection against the forthcoming quantum computers, but again, this author is not persuaded. Yes, a quantum computer could be used to attack either scheme described, but then we lose, because it is now possible to conduct a man in the middle attack, even though the links themselves are quantum encrypted.
>
> Huh? It seems to me to be very clear you have no idea what you're talking about. The problem is that future quantum computers may process information much faster than current ones, and thus may break keys that we consider safe today. However, no amount of computing power can break quantum encryption.
>
>> In summary, any putative value-add for the use of quantum encryption completely escapes this author, in either the absence or presence of the availability of quantum computers as attack tools.
>
> I think you just don't understand how quantum encryption works. The idea with quantum encryption is that you need the key to receive the signal at all, and only one recipient can possibly receive the signal. Thus, without the key at the time of transmission, a MITM cannot rebroadcast the transmission; thus it is impossible for both a MITM and the intended recipient to receive the transmission. This is a capability that no other form of encryption can provide today. It has the benefit that no conceivable future improvements in computing power can compromise today's communications. To help those not familiar wrap their brains around quantum
Re: Quantum Encryption no protection against man in the middle attack?
David Schwartz wrote:

>> I can split the second case into two parts:
>>
>> If there IS a key AND there are NO quantum computers then the key provides adequate protection.
>
> No, it doesn't; future advances in computation *will* make any given key insecure eventually. Your communications today *will* be known in the future.

Wait a second -- isn't this what Perfect Forward Security is all about???

OK, quantum computing protects against a passive eavesdropper man in the middle attack, where the adversary just copies input to output without knowing what is going by, but maintains a log of all the communication, to be used as input to some kind of brute force cracker. BUT, changing the key periodically provides the same protection, as long as you re-key before enough traffic has passed by to make this kind of cracking likely. This invokes the cost of out-of-band key distribution for the private key case, and requires a new certificate to be issued every so often (every year or two?) in the PKI case. Note that making the key (certificate) longer, 2048 instead of 1024 etc., makes the analysis task that much harder.
Re: x509 v4
Having much the same results on my googling -- there is some mention of a PKIPath extension, but I did see a reference to an X509_4thEditionDraftV7.pdf which contains dates roughly similar to the ones Richard quotes. There was a reference to RFC3281, which talks about attribute certificates, but the version code in those is 0 (version one). If v4 really means anything in itself, it would imply a version code in the certificate of 3...

Richard Levitte - VMS Whacker wrote:

> In message [EMAIL PROTECTED] on Wed, 22 Dec 2004 15:42:00 +0100 (CET), Martin Kouril [EMAIL PROTECTED] said:
>
> Kouril.Martin> Does somebody know how x509v4 certs differ from x509v3
> Kouril.Martin> certs?
>
> Until just now, I didn't know there was a v4 format. I'm not sure there is, either. All I can find when I search for X.509 v4 are discussions on some mailing lists back in '96 and '01. The '96 discussions indicate that the only difference would be in the notBefore and notAfter fields, to become generalizedTime instead of a CHOICE of different time formats.
>
> Cheers,
> Richard
>
> - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details.
Re: DER public key file structure
DER is short for ASN.1 Distinguished Encoding Rules. The actual format of certificates and things is standardized by X.500, but these documents are expensive, so the Internet RFC people have reprinted the information in a series of documents. Take a look at ftp://www.ietf.org/rfc/rfc3280.txt, particularly the examples in Appendix C, for the DER formats for certificates. As for keys, I think the standards documents are the PKCS documents, which can be found at http://www.rsasecurity.com/rsalabs -- look on the left for PKCS and get PKCS #1 RSA Cryptography Standard. Look in chapter 11 ASN.1 syntax, 11.1 Key representations, 11.1.1 Public-key syntax. I think this is right -- good luck!

Andrus wrote:

> I need to decrypt an RSA signature using an RSA public key. Thanks to Nils Larsch's reply I discovered that the following command can be used for this:
>
> openssl rsautl -verify -in sig.bin -inkey public.der -pubin -keyform DER -out signout.bin
>
> I have an RSA 1024-bit modulus and exponent 3. I need to create a public.der file (160 bytes) from this data to be passed to openssl, using not the C language. I looked into the openssl sources but haven't yet found a DER file structure description. Where can I find the DER public key file structure description which this command accepts?
>
> Andrus.
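To make the PKCS #1 and SubjectPublicKeyInfo structures concrete, an added Python example (not from the original post and not OpenSSL's code) that encodes and decodes an RSA public key in DER without any library. A 1024-bit modulus with exponent 3 is exactly 160 bytes in SubjectPublicKeyInfo form, which matches the size Andrus mentions and is the form `-pubin -keyform DER` reads; the bare PKCS #1 RSAPublicKey is 138 bytes. The modulus below is a constructed 1024-bit number, not a real key, and the function names are this example's own.

```python
# DER encoding of OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def der_length(n):
    """DER length octets: short form below 128, otherwise 0x80|count then big-endian count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value):
    """INTEGER is two's complement, so a leading 0x00 keeps a modulus with its top bit set positive."""
    if value < 0:
        raise ValueError("only non-negative integers occur in an RSA public key")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def rsa_public_key_der(n, e):
    """PKCS #1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return der_tlv(0x30, der_integer(n) + der_integer(e))


def rsa_spki_der(n, e):
    """X.509 SubjectPublicKeyInfo: AlgorithmIdentifier plus the PKCS #1 structure in a BIT STRING."""
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL parameters
    public_key = der_tlv(0x03, b"\x00" + rsa_public_key_der(n, e))  # 0x00 = no unused bits
    return der_tlv(0x30, algorithm + public_key)


def _read_tlv(buf, pos):
    """Return (tag, body, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """Inverse of rsa_spki_der: recover (n, e), rejecting anything that is not an rsaEncryption key."""
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, algorithm, pos = _read_tlv(outer, 0)
    if tag != 0x30 or not algorithm.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _read_tlv(outer, pos)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("expected BIT STRING with no unused bits")
    tag, rsa, _ = _read_tlv(bits, 1)
    tag_n, n_bytes, pos = _read_tlv(rsa, 0)
    tag_e, e_bytes, _ = _read_tlv(rsa, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


# Constructed 1024-bit sample modulus for the size check; it is NOT a real RSA key.
SAMPLE_N = (1 << 1023) | 0x10001
SAMPLE_E = 3

if __name__ == "__main__":
    der = rsa_spki_der(SAMPLE_N, SAMPLE_E)
    print(len(der), "bytes of SubjectPublicKeyInfo")
    with open("public.der", "wb") as f:
        f.write(der)
```

The file it writes can be checked with `openssl rsa -pubin -inform DER -in public.der -text -noout`, which prints the modulus and exponent back; a wrong wrapper (bare RSAPublicKey where SubjectPublicKeyInfo is expected, or a missing leading 0x00 on the modulus INTEGER) shows up there as a parse error or a negative modulus.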
Re: CRL question
CRLs are signed by the CA certificate whose subsidiary certificates are mentioned (or not) in the CRL. So a CRL is verified just like any other signed document. You need any certificates in the chain, which may or may not be supplied along with the CRL; see PKCS#7 format and/or the openssl crl2pkcs7 command at http://www.openssl.org/docs/apps/crl2pkcs7.html In addition you need an independently trusted copy of the root certificate, just like with verifying ANY certificate or signing.

PAILLETTE Frédéric wrote:

> Hi all! I don't understand how CRLs are verified; can someone explain it to me a little, please? The CRL is not included in the certificate, but a link to the CRL is included in the certificate by the issuer, no? If a certificate contains a link, how is the CRL it points to verified?

Bonne chance mon ami
Re: Certificate revocation REQUEST
One suggestion is to use a signed email (S/MIME) message to a known robot at the CA that would do whatever is needed.

Zerg wrote:

> Hi all. It is needed to send from client to server a request for revoking or holding the client's certificate. My chief wants this request for revocation to be signed with the client's certificate, and then it would be checked for signature and processed properly on the server's side. I know that there is no certificate revocation request in OpenSSL. Is there the possibility of using standard features such as CSR, CRL instead of the non-existent CRR? Any suggestions?
Quantum Encryption no protection against man in the middle attack?
Quantum Cryptography vs the man-in-the-middle attack

The recent availability of commercial products for quantum cryptography has generated much press attention; however, any putative value-add for these products escapes this author. Given the traditional man in the middle attack where Vladimir imposes a pair of transceivers between Alice and Bob:

    +-------+   +----+   +------------+   +----+   +-----+
    | Alice +---+ XC +---+ Vladimir's +---+ XC +---+ Bob |
    +-------+   +----+   |   Laptop   |   +----+   +-----+
                         +------------+

Quantum cryptography on these links does not seem to provide any additional protection. Under the customary and usual assumptions that Vladimir has access to fully functional transceiver equipment and has full knowledge of all communications protocols in use, it is just plain not possible for Alice to know she is talking to Bob (and not Vladimir) or for Bob to know he is talking to Alice.

The traditional method of defense against a man in the middle attack is for Alice and Bob to encrypt their communications traffic using a traditional (private key) encryption system such as DES, Blowfish, or AES. However, in this case Alice and Bob must share a secret key, so key transport becomes an issue.

A newer method of defense against such an attack is using a PKI (Public Key Infrastructure). Alice and Bob would exchange certificates, and with knowledge of the associated private keys would compute a shared secret which would then be used in a private key encryption. In order to fool Bob, Vladimir would have to either pass on Alice's certificate unchanged, and KNOW Alice's private key, or else substitute a counterfeit certificate generated with a private key known to him. So he would either have to penetrate Alice's security and steal the private key or he would have to fool a Certificate Authority that Bob trusts into issuing Vladimir a certificate under Alice's name. Key transport is not a problem in this scheme because Alice and Bob would generate key pairs, and send their public keys to Certificate Authorities to be signed into certificates, but their private keys would never leave their security perimeters.

So, if we need either a shared secret or a Public Key Infrastructure to protect against man in the middle attacks anyway, what is the value add of using quantum encryption on the link?

The theory is advanced that quantum encryption would provide some protection against the forthcoming quantum computers, but again, this author is not persuaded. Yes, a quantum computer could be used to attack either scheme described, but then we lose, because it is now possible to conduct a man in the middle attack, even though the links themselves are quantum encrypted.

In summary, any putative value-add for the use of quantum encryption completely escapes this author, in either the absence or presence of the availability of quantum computers as attack tools.
Re: data dependence with md5/64-bit RSA?
Jesse Hammons wrote:

> So to clarify: If I generate a 65-bit key, will I be able to use that 65-bit key to sign any 64-bit value?

Yes, but a 65 bit key won't be very secure AT ALL, it will be very easy to factor a modulus that small. Bottom line: asymmetrical (public-key) encryption has a fairly large minimum block size that actually increases as key size increases. This was the killer of an application I was working on some years ago. I tried to redo the design in Elliptic Curve encryption, which (as you probably know) achieves the same security with a somewhat smaller key size. HOWEVER. All the EC methods I studied required TWO group members to be sent in each message, which doubles the message size. If anybody knows an EC method where I can send just one object, you could resurrect my application :-)
Re: Comodo not getting subject from CSR cert
Suso Banderas wrote:

> Can anyone respond to this? At least to let me know that I am thinking along the right track? Is there any expectation that the CA should be using the subject from the CSR that the customer sends?

I think the standard model is that the CA rejects requests until the client sends one that is acceptable to it. Perhaps they are just optimizing this process. The bottom line is that the CA will sign the things it is willing to sign, and will not sign the things it is NOT willing to sign, and there is no way around this.
Re: data dependence with md5/64-bit RSA?
What you may be missing is the data padding stuff, which makes the encrypted payload somewhat longer than just what you pass off to the encoding routine. IIRC it throws an 8-sided die and prepends to the message either 01 02 02 03 03 03 ... 08 08 08 08 08 08 08 08; also there may be some length fields or something -- consider the fact that the message 0 will ALWAYS encrypt as 0 while the message 1 will ALWAYS encrypt as 1 (!) so you REALLY DO want to mix in some (at-end-ignorable) randomness. If nothing else, to prevent computing the ciphertext of all possible 64 bit messages into a decrypt dictionary. This is a brute force technique to be sure, but it is doable...

Jesse Hammons wrote:

>>> So to clarify: If I generate a 65-bit key, will I be able to use that 65-bit key to sign any 64-bit value?
>>
>> Yes, but
>
> Actually, I have found the answer to be no :-)
>
>> a 65 bit key won't be very secure AT ALL, it will be very easy to factor a modulus that small.
>
> Security is not my goal. This is more of a theoretical exercise that happens to have a practical application for me.
>
>> Bottom line: asymmetrical (public-key) encryption has a fairly large minimum block size that actually increases as key size increases.
>
> Indeed. I have found experimentally that:
>
> * The minimum signable data quantity in OpenSSL is 1 byte
> * The minimum size RSA key that can be used to sign 1 byte is 89 bits
> * A signature created using a 64-bit RSA key would create a number 64 bits long, BUT:
>   - This is not possible to do in OpenSSL because the maximum signable quantity for a 64 bit RSA key is only a few bits, and OpenSSL input/output is done on byte boundaries
>
> Do those numbers sound right?
>
> Thanks,
> -Jesse
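An added Python example, not from either poster, of the PKCS #1 v1.5 block format that OpenSSL's rsautl applies before the modular exponentiation (RFC 2313 section 8.1): 0x00, a block type byte, at least eight padding bytes, 0x00, then the message. The 11 bytes of fixed overhead account for Jesse's measurement: one message byte needs a 12-byte modulus, and the smallest 12-byte modulus has 89 bits. Block type 1 (signatures) pads with 0xFF; block type 2 (encryption) pads with random non-zero bytes, which is the "at-end-ignorable randomness" that defeats a precomputed dictionary of every possible 64-bit message. The function names are this example's own.

```python
import secrets


def pkcs1_v15_pad(message, k, block_type):
    """EM = 0x00 || BT || PS || 0x00 || M  (PKCS #1 v1.5, RFC 2313 section 8.1).

    k is the modulus length in bytes. PS is at least 8 bytes: 0xFF throughout
    for block type 1 (signatures), random non-zero bytes for block type 2
    (encryption), so the same message never pads to the same block twice.
    """
    if block_type not in (1, 2):
        raise ValueError("block type must be 1 or 2")
    if len(message) > k - 11:
        raise ValueError("message of %d bytes needs a modulus of at least %d bytes"
                         % (len(message), len(message) + 11))
    ps_len = k - len(message) - 3
    if block_type == 1:
        ps = b"\xff" * ps_len
    else:
        ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00" + bytes([block_type]) + ps + b"\x00" + message


def pkcs1_v15_unpad(em):
    """Strip the padding, checking the fixed structure on the way."""
    if len(em) < 11 or em[0] != 0 or em[1] not in (1, 2):
        raise ValueError("not a PKCS #1 v1.5 block")
    sep = em.index(b"\x00", 2)  # first zero after BT terminates PS
    if sep - 2 < 8:
        raise ValueError("padding string shorter than 8 bytes")
    if em[1] == 1 and any(b != 0xFF for b in em[2:sep]):
        raise ValueError("block type 1 padding must be all 0xFF")
    return em[sep + 1:]


def max_message_bytes(k):
    """Largest message a k-byte modulus can carry under this padding."""
    return k - 11


def min_modulus_bits(message_len):
    """Smallest modulus, in bits, that can carry message_len bytes: the block
    is message_len + 11 bytes, and the modulus must be that many bytes long."""
    k = message_len + 11
    return 8 * (k - 1) + 1


if __name__ == "__main__":
    print("1 byte needs at least", min_modulus_bits(1), "bits")   # 89, as Jesse found
    print("8 bytes need at least", min_modulus_bits(8), "bits")
    print(pkcs1_v15_pad(b"\x42", 12, 1).hex())
    print(pkcs1_v15_pad(b"\x42", 12, 2).hex())
    print(pkcs1_v15_pad(b"\x42", 12, 2).hex())  # different padding each time
```

The second and third lines printed differ on every run while unpadding to the same byte, which is the property that makes a dictionary of encryptions useless against block type 2; block type 1 is deterministic on purpose, since a verifier must be able to rebuild the exact block.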
Re: serializing certificates
Seems to me I saw an option to set the serial number from the command line appear in openssl req, but it might be recently added (e.g., check to see if the version you are using is too old to have it implemented!). I've been doing the write-even-number-of-hex-digits-to-file since I started, so I guess it could be that -set_serial n was recently added, or recently documented (:-), or that I just missed it first time around. See if -set_serial n works.

Michael Weiner wrote:

> Is there a way to force a serial number on a created certificate? I have written an automated job that creates a signing certificate every 7 days, but for some reason the serial number in the certificates is always 0. Any thoughts?
Re: Reverse engineering program protocol under ssl
You're quite welcome. I'm sure the journalling-DLL approach would work just as well. Just for information, if you have administrative access to the server and it is based on Windows, you might be able to save the certificate and key as a .pfx file, then use the OpenSSL pkcs12 command to extract the key. If you have the key, you could use a very simple man in the middle program that just passes the data through. It would not know what it is seeing, but later you could postprocess the dump with the known key and decrypt the traffic.

Under Unix a man in the middle program can be done one of three ways:

A1:
    forever {
        if nonblockingread(a) write(b)
        if nonblockingread(b) write(a)
    }

A2:
    forever {
        select(a,b)
        if (select(hastraffic,a) and select(canwrite,b)) { read(a) write(b) }
        if (select(hastraffic,b) and select(canwrite,a)) { read(b) write(a) }
    }

B:
    fork(another)
    forever { blockingread(a) write(b) }

    another:
        forever { blockingread(b) write(a) }

I believe the one I wrote followed pattern A2. If you just copy and journal bytes any of these would work fine. Now, if you want to actually do SSL on the links, so the man in the middle program is getting decrypted data, one of these might be easier given the restrictions of the OpenSSL read and write primitives. I believe there are some difficulties with nonblocking IO. Are there also some difficulties with select? For the fork case, I suspect using different processes is more safe than using different threads. Is the OpenSSL stuff thread-safe?

MacDermid, Kenny wrote:

> From: Charles B Cranston
>
>> MacDermid, Kenny wrote:
>>
>>> I'm looking to locally reverse engineer a network protocol that's encrypted using ssl.
>>
>> Another method would be to use a man-in-the-middle attack on a third machine, but that machine would need access to the private key of the certificate to be used. Somewhere around I have a generic man-in-the-middle Unix program that I wrote to try to debug some early IMAP problems on the Handspring Visor, but it doesn't have any SSL.
>
> I don't actually have access to the server, or the private key it is using. Also I'm guessing the client is smart enough to check the server certificate, so I'm guessing a generic man-in-the-middle is out.
>
> Thank you for the reply Charles,
> Kenny
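The select()-based pass-through (pattern A2 above) as an added, runnable Python example; it is not Charles's program and does no SSL itself. The relay journals every chunk before forwarding it, producing the raw dump that would later be post-processed with a recovered key. demo_relay wires it between a loopback echo server standing in for the real server and a client, using constructed test traffic; the function names are this example's own.

```python
import select
import socket
import threading


def relay(client, upstream, journal):
    """Copy bytes both ways between two connected sockets until both sides have
    closed, journalling every chunk as (direction, bytes) before forwarding it.
    Pattern A2 from the post: select() says which side has traffic, and the
    relay never interprets what passes through."""
    peer = {client: (upstream, "client->server"), upstream: (client, "server->client")}
    watched = [client, upstream]
    while watched:
        readable, _, _ = select.select(watched, [], [])
        for src in readable:
            dst, direction = peer[src]
            data = src.recv(4096)
            if not data:
                # EOF from src: pass the half-close on and stop watching src.
                try:
                    dst.shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                watched.remove(src)
                continue
            journal.append((direction, data))
            dst.sendall(data)
    return journal


def _echo_server_once(listener):
    """Stand-in for the real server: echoes one connection, then returns."""
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def demo_relay(payload):
    """Wire echo server <- relay <- client on loopback, push payload through,
    and return (what the client got back, the relay's journal)."""
    server = socket.socket()
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    threading.Thread(target=_echo_server_once, args=(server,), daemon=True).start()

    mitm = socket.socket()
    mitm.bind(("127.0.0.1", 0))
    mitm.listen(1)
    journal = []

    def proxy():
        client, _ = mitm.accept()
        upstream = socket.create_connection(server.getsockname())
        with client, upstream:
            relay(client, upstream, journal)

    proxy_thread = threading.Thread(target=proxy, daemon=True)
    proxy_thread.start()

    with socket.create_connection(mitm.getsockname()) as c:
        c.sendall(payload)
        echoed = b""
        while len(echoed) < len(payload):
            chunk = c.recv(4096)
            if not chunk:
                break
            echoed += chunk
    proxy_thread.join(5)
    server.close()
    mitm.close()
    return echoed, journal


def journal_bytes(journal, direction):
    """Reassemble one direction of the journal: the post-processing step where
    a recovered key would be applied to the recorded bytes."""
    return b"".join(data for d, data in journal if d == direction)


if __name__ == "__main__":
    echoed, journal = demo_relay(b"USER alice\r\n")  # constructed test traffic
    for direction, data in journal:
        print(direction, data)
```

Terminating SSL on each side instead of copying raw bytes would replace the two sockets with two SSL objects, and the same select loop would then have to handle SSL_read and SSL_write reporting SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE part-way through a record, which is the non-blocking difficulty the post alludes to.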
Re: Reverse engineering program protocol under ssl
MacDermid, Kenny wrote:

> I'm looking to locally reverse engineer a network protocol that's encrypted using ssl. The program runs under windows and is using ssl dll's. I'm currently trying to work out the easiest solution, and am looking for suggestions. I'm considering either trying to wrap the dll's to read data passed to/from ssl_read/ssl_write, or recompiling the dll's to print the key after the key exchange. Can anyone think of a better way to do this? I can't be the first person looking for this, but I looked through the archive, and online, to no avail. Any ideas?

Another method would be to use a man-in-the-middle attack on a third machine, but that machine would need access to the private key of the certificate to be used. Somewhere around I have a generic man-in-the-middle Unix program that I wrote to try to debug some early IMAP problems on the Handspring Visor, but it doesn't have any SSL.
Re: Issues creating Certificate Authority
It's possible from what you describe that it was a hanging alias, that is, a symbolic link pointing to a file that does not actually exist. This looks like a file initially but gets a "file does not exist" when you try to actually use it...

Dan O'Brien wrote:

> On Nov 22, 2004, at 1:41 PM, Dr. Stephen Henson wrote:
>
>> On Mon, Nov 22, 2004, Dan O'Brien wrote:
>>
>>> Searched for openssl.cnf and it is on the system:
>>>
>>> [EMAIL PROTECTED]:/etc/ssl# locate openssl.cnf
>>> /usr/lib/ssl/openssl.cnf
>>>
>>> Is this a clue to the problem?
>>
>> Might be :-) Depends what's in that file. Does it contain a line with: [distinguished_name] on it? Does it have world read permissions? What happens if you include the command line switch: -config /usr/lib/ssl/openssl.cnf to the req command that was failing before?
>
> Progress! It appears that although locate indicated the presence of the openssl.cnf file... (as in:
>
> [EMAIL PROTECTED]:~$ locate openssl.cnf
> /usr/lib/ssl/openssl.cnf
>
> ...when I vi'd it as root, the file was blank, and vi indicated that it was making a new file. Adding the -config /usr/lib/ssl/openssl.cnf switch yielded this:
>
> [EMAIL PROTECTED]:~# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 7000 -config /usr/lib/ssl/openssl.cnf
> Using configuration from /usr/lib/ssl/openssl.cnf
> error on line 1074095624 of /usr/lib/ssl/openssl.cnf
> 1708:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('/usr/lib/ssl/openssl.cnf','rb')
> 1708:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:106:
> 1708:error:0E064002:configuration file routines:CONF_load:system lib:conf_lib.c:91:
>
> Changing directories and listing showed this:
>
> [EMAIL PROTECTED]:/usr/lib/ssl# ls
> certs lib misc openssl.cnf private
>
> ...wherein openssl.cnf was displayed in red text set against a black selection rectangle -- what does this indicate? In any case, all signs pointed to a malfunctioning file, so I rm'd it. You previously suggested that I unpack one from another installation. Unless you have a better idea, I believe the next move will be to try to install 0.9.7e.
>
> - Dan O'Brien
Re: Doubt regarding cert-chain validation (fwd)
I agree -- a lot of the advanced architectures I'm studying have a trust root that is NOT self-signed, instead it is signed by another certificate somewhere else. In a different verification paradigm the certificate in question is NOT in fact a trust point but instead is signed by a chain that leads to ANOTHER trust point. Like this:

                        +---------------+
                        | National Root |  -- Off-campus
                        | (Self signed) |     Trust Point
                        +-------+-------+
                                |
                                V
    On-campus           +-------+-------+
    Trust Point   --    |  Campus Root  |
                        +-------+-------+
                                |
                                V
                        +---------------+
                        | End-User Cert |
                        +---------------+

In this case on-campus verifying parties need only construct the chain up to a trust point (which is NOT self-signed) while off-campus verifying parties continue construction of the chain. Yes, in this particular case, the on-campus verifying parties COULD just trust the National Root, though this situation might obtain while transitioning from a campus root to a national root.

It seems to me that it would be useful to be able to designate a set of certificates as trust points and for the process of chain construction to stop when such a point is reached. Have not thought through the issues of certificate permissions bits etc. Seems to me the whole idea of constructing the chains before examining the bits might already be broken, since the chain construction could conceivably depend on the desired final usage for the end-user certificate and the permissions bits on all the certificates. I think there was some discussion on this either in 3280 or the OpenSSL dox but cannot now remember.

Lucenius Jan wrote:
> On Tue, 16 Nov 2004, David Schwartz wrote:
>>> X509_verify_cert will construct the cert chain up to the ROOT CA and then validate the chain and finally verify the self-certificate. What I understand is that this function expects the ROOT CA to be self-signed and it MUST be present in the trusted list.
>> Right.
>>> 1. Is it a MUST that the Root CA be self-signed?
>> What else would sign the root CA? If something else signed it, it wouldn't be a root CA.
>>> The reason is that the trust anchor up to which the application MAY verify need not be the ROOT CA.
>> That is the definition of a root CA. It is the one that you trust.
> I have thought about that also, especially as there are so many CAs and even root CAs in the real world. In theory, if there are very few root CAs, they could cross-sign each other's certificates, i.e. Root CA A signs Root CA B's certificate and vice versa. This does perhaps not help much, only makes it a bit easier to trust, say, B if you know that A also trusts B (like banks trust each other or Dell trusts HP or vice versa :-). Well, in the case of banks this might prove that you are dealing with the real bank and not a fake one, unless both are fake). Would OpenSSL and other software support such cross signing or would they fail because the chain never ends?
> Jan
>>> Is there any standard that indicates that the chain MUST be verified up to the ROOT CA? Is there any way where I can tell the function to return success even if the chain is not complete (up to ROOT CA)?
>> You can replace the verify function with your own and declare a success under whatever conditions you want. If you want a quick, ugly way to make intermediate certificates act like root ones, just create your own temporary root and self-signed certificate, add that self-signed certificate to your list of trusted roots. Then, for any intermediate certificate you want to trust, just generate your own certificate signed with your temporary root, and add it to the list of certificates.
>> DS

-- 
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: smime certificates
I'm afraid that this is just the way it works. Starting from first principles, there's only a few ways a system COULD be coded to work:

1. decrypt all messages as they are received, so the encryption is only for when the message is actually being transmitted
2. decrypt all messages as they are received, and then re-encrypt them with your choice of symmetric or asymmetric algorithm
3. leave the messages encrypted and require the certificate store to contain the certificates needed to do the decryption, whether those certificates have expired or not
4. leave the messages encrypted and store with each encrypted message the certificate necessary to decrypt it

Seems like from what you are telling us (3) is what Outlook does. Note that the real problem here is that you are removing the expired certificates and expecting the old email to still be readable. If you just let the old certificates remain in the machine (which I suspect is the M$ model) it would still work.

Yes, there is a question of how to recover from a crashed or lost certificate store on the client machine. But note:

1. Losing a server certificate is no problem, you just generate a new one with a new key pair
2. Losing a personal identity (signature) certificate is no problem, you just generate a new one with a new key pair -- all the already existing signed objects will have a copy of the old certificate stored with them, so the signature can still be validated -- it's just that any new signing has to be done with the new signing certificate
3. Losing a code signing certificate is no problem, same argument
4. SO the **ONLY** case in which certificate escrow has any real meaning is **EXACTLY** the case of a personal privacy (encryption) certificate -- this is where all the argument in fact IS

Note: if you can regenerate the old certificate with the old private keys and the old serial number this is tantamount to maintaining an escrowed copy of the old certificate...

> I thought it was, interestingly. All the certificates are generated centrally and not in response to a certificate request from Outlook, so I am able to regenerate the certificate from the original keys and request. ... I have proven this by forcing the CA command to produce a new certificate from the original request and original keys with the same serial number. This works - but I was not sure if this is the only way. So I now have to decide: do I do the above and force renewals to have the same keys, serial number and details from the original req,

This is against the rules: certificates have to be unique to the issuer and serial number. You cannot just reissue certificates with different expiration dates and the same serial number. (this is true, isn't it?)

> or do I tell the end users that to open old mail they have to have the expired certificates on the system too.

With Outlook, yes. The other alternatives would seem to be difficult to achieve in the context of IMAP, for example, since it would require uploading stuff back into the server: (1) unencrypted message, (2) reencrypted message, or (4) copy of decryption certificate.

There is a certain trade-off between security and convenience, and you may very well have just run into it. I hope the conversations in this message help others to realize what is going on.

> All the best.
> DEREK

-- 
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: examples of -extfile file -extensions section
> Could someone be so kind as to post examples of their extfile or extensions section?

Here's an example of a shell script that generates an entire PKI: root, two intermediates, and one SSL (server) end user. This is one of about 35 of these I did trying to figure out why the IBM HTTP Server and the Novell eDirectory LDAP server didn't like my original PKI design for my campus.

#! /bin/sh
# Test17 with KeyUsage extension in server cert marked as critical (was hyp1)

OPENSSL=/usr/bin/openssl
CONFFILE=conf.$$
SNUMFILE=snum.$$
CAV=18

# Generate the Root certificate

cat >$CONFFILE <<@eof
oid_section = addoid

[addoid]        # our local object IDs
umCPS = 1.3.6.1.4.1.9.1.2.1

[req]           # openssl req params
prompt = no
distinguished_name = dn-param
x509_extensions = extend

[dn-param]      # DN fields
C = US
ST = Maryland
O = University of Maryland
OU = College Park Campus
CN = University of Maryland Root CA $CAV
1.DC = umd
2.DC = edu
emailAddress = [EMAIL PROTECTED]

[extend]        # openssl extensions
subjectAltName = DNS:umd.edu,email:[EMAIL PROTECTED]
issuerAltName = DNS:umd.edu,email:[EMAIL PROTECTED]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
nsCertType = sslCA,emailCA,objCA
nsComment = See http://cert.umd.edu/root for details.
certificatePolicies = ia5org,@policy

[policy]        # certificate policy extension data
policyIdentifier = umCPS
CPS = http://cert.umd.edu/certpolicy;
@eof

$OPENSSL req -config $CONFFILE -x509 -sha1 -newkey rsa:2048 -days 365 \
    -passout pass:a -keyout root.key.pem -out root.cert.pem

# Generate the Intermediate certificate
# sort of sneaky use same file for config and extensions

cat >$CONFFILE <<@eof
# openssl x509 extfile params
extensions = extend

[req]           # openssl req params
prompt = no
distinguished_name = dn-param

[dn-param]      # DN fields
C = US
ST = Maryland
O = University of Maryland
OU = College Park Campus
CN = University of Maryland Inter $CAV
1.DC = umd
2.DC = edu
emailAddress = [EMAIL PROTECTED]

[extend]        # openssl extensions
subjectAltName = DNS:umd.edu,email:[EMAIL PROTECTED]
issuerAltName = DNS:umd.edu,email:[EMAIL PROTECTED]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
nsCertType = sslCA,emailCA,objCA
nsComment = See http://cert.umd.edu/inter for details.
certificatePolicies = ia5org,@policy

[policy]        # certificate policy extension data
policyIdentifier = 1.3.6.1.4.1.9.1.2.1
CPS = http://cert.umd.edu/certpolicy;
@eof

echo 01 >$SNUMFILE

$OPENSSL req -config $CONFFILE \
    -newkey rsa:2048 -passout pass:b -keyout inter.key.pem |
$OPENSSL x509 -req -sha1 -extfile $CONFFILE \
    -CAserial $SNUMFILE -days 364 -passin pass:a \
    -CA root.cert.pem -CAkey root.key.pem -out inter.cert.pem

# Generate the server certificate signing certificate
# sort of sneaky use same file for config and extensions

cat >$CONFFILE <<@eof
# openssl x509 extfile params
extensions = extend

[req]           # openssl req params
prompt = no
distinguished_name = dn-param

[dn-param]      # DN fields
C = US
ST = Maryland
O = University of Maryland
OU = College Park Campus
CN = University of Maryland SSL Signing $CAV
1.DC = umd
2.DC = edu
emailAddress = [EMAIL PROTECTED]

[extend]        # openssl extensions
subjectAltName = DNS:umd.edu,email:[EMAIL PROTECTED]
issuerAltName = DNS:umd.edu,email:[EMAIL PROTECTED]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true
keyUsage = keyCertSign,cRLSign
extendedKeyUsage = clientAuth,serverAuth
nsCertType = sslCA
nsComment = See http://cert.umd.edu/ssign for details.
certificatePolicies = ia5org,@policy

[policy]        # certificate policy extension data
policyIdentifier = 1.3.6.1.4.1.9.1.2.1
CPS = http://cert.umd.edu/certpolicy;
@eof

echo 02 >$SNUMFILE

$OPENSSL req -config $CONFFILE \
    -newkey rsa:2048 -passout pass:c -keyout ssign.key.pem |
$OPENSSL x509 -req -sha1 -extfile $CONFFILE \
    -CAserial $SNUMFILE -days 363 -passin pass:b \
    -CA inter.cert.pem -CAkey inter.key.pem -out ssign.cert.pem

# Generate a server certificate from CSR in csr.pem

cat >$CONFFILE <<@eof
extensions = extend

[extend]        # openssl extensions
subjectAltName = email:[EMAIL PROTECTED]
issuerAltName = DNS:umd.edu,email:[EMAIL PROTECTED]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
keyUsage = critical,Key Encipherment
extendedKeyUsage = serverAuth, clientAuth
nsCertType = SSL Server
nsComment = See http://cert.umd.edu/server for details.
certificatePolicies = ia5org,@policy

[policy]        # certificate policy extension data
policyIdentifier = 1.3.6.1.4.1.4305.1.2.1
CPS = http://cert.umd.edu/certpolicy;
@eof

echo 13 >$SNUMFILE

$OPENSSL x509 -req -sha1 -extfile $CONFFILE -in csr.pem \
    -CAserial $SNUMFILE -days 362 -passin pass:c \
    -CA ssign.cert.pem -CAkey ssign.key.pem -out server.cert.pem

rm $CONFFILE $SNUMFILE
cat root.cert.pem inter.cert.pem
Re: 2 certs on one machine
I think the complication is that he's going to have to use the virtual hosts stuff so that the correct certificate can be returned to each connection, and that this means he's going to have to have two different IP addresses, since there will be no way to determine WHICH certificate to send. This is due to the chicken-and-egg problem of having to know which certificate to send WHEN THE CONNECTION IS OPENED, BEFORE ANY SUBMISSION HEADERS CAN BE READ.

So what he needs is:

Two different IP addresses.
Two different virtual hosts.

In Apache they would be identical except for the SSLCertificateFile directive.

Bernhard Froehlich wrote:
> David Smead wrote:
>> Greetings, I'm running Debian testing. I have a machine with two static IPs, presently on one NIC using a virtual interface. I'd like to make two self-signed certs, one per IP. Is this possible given that the machine only has one hostname? If it matters, the two IPs differ by just the last digit, but one IP is a .com, and the other is a .net. If necessary I can put in a second NIC so that there would be different MACs.
>> [...]
> I think you're on the wrong list. Using OpenSSL you can make as many certificates as you like. But I think your question is about using certificates in an application like SSHD or HTTPS, which would be more appropriate in that application's mailing lists. At least you should tell us which application you are talking about. ;)
> Ted ;)

-- 
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: 2 certs on one machine
I guess my comments were kind of conditioned on the certificate being for HTTPS, however, the underlying problem occurs in all SSL transfers: when multiple domain names resolve to the same IP address there is no way for a server to know which of the certificates to present, and since the negotiation of the secure channel happens before the channel opens there is no way to deduce which domain name was originally given from data given in the channel, since it is not yet open.

I guess TLS gets around this, since you could at least theoretically defer switching the channel into secure mode until AFTER enough information has been presented by the initiator for the responder to know which certificate the initiator is going to expect.

Charles B Cranston wrote:
> I think the complication is that he's going to have to use the virtual hosts stuff so that the correct certificate can be returned to each connection, and that this means he's going to have to have two different IP addresses, since there will be no way to determine WHICH certificate to send. This is due to the chicken-and-egg problem of having to know which certificate to send WHEN THE CONNECTION IS OPENED, BEFORE ANY SUBMISSION HEADERS CAN BE READ.
>
> So what he needs is:
>
> Two different IP addresses.
> Two different virtual hosts.
>
> In Apache they would be identical except for the SSLCertificateFile directive.
>
> Bernhard Froehlich wrote:
>> David Smead wrote:
>>> Greetings, I'm running Debian testing. I have a machine with two static IPs, presently on one NIC using a virtual interface. I'd like to make two self-signed certs, one per IP. Is this possible given that the machine only has one hostname? If it matters, the two IPs differ by just the last digit, but one IP is a .com, and the other is a .net. If necessary I can put in a second NIC so that there would be different MACs.
>>> [...]
>> I think you're on the wrong list. Using OpenSSL you can make as many certificates as you like. But I think your question is about using certificates in an application like SSHD or HTTPS, which would be more appropriate in that application's mailing lists. At least you should tell us which application you are talking about. ;)
>> Ted ;)

-- 
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
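What the post above hopes for is what the TLS server_name (SNI) extension now provides: the client names the host in its ClientHello, in the clear, before any key exchange, so the server can pick a certificate. The following Go program is an added example, not from the thread: it builds a minimal ClientHello (constructed sample input) and extracts that name the way a server does, reporting a hello that carries no name, which is the case where a server with two certificates on one address still cannot choose.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNoSNI: the client named no host, so a server holding several certificates
// for one address has nothing to choose by.
var ErrNoSNI = errors.New("ClientHello has no server_name extension")
var errTruncated = errors.New("truncated ClientHello")

type cursor struct { // reads big-endian, length-prefixed TLS fields, keeps the first error
	b   []byte
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err != nil || n > len(c.b) {
		c.err = errTruncated
		return nil
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}

func (c *cursor) num(width int) (n int) {
	for _, x := range c.take(width) { // nil on error, so n stays 0
		n = n<<8 | int(x)
	}
	return n
}

// sub returns a cursor over the next field (length in a width-byte prefix),
// inheriting any error so that a bad parent aborts the child as well.
func (c *cursor) sub(width int) *cursor {
	b := c.take(c.num(width))
	return &cursor{b: b, err: c.err}
}
func u16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// ExtractSNI returns the host_name from one TLS record holding a ClientHello. Everything
// it walks is plaintext: the name is readable before any key exchange, which is what
// lets a server pick a certificate per name (and lets anyone on the path read the name).
func ExtractSNI(record []byte) (string, error) {
	r := &cursor{b: record}
	hdr := r.take(3) // ContentType, record-layer version
	hs := r.sub(2)
	if hdr == nil || hdr[0] != 0x16 || hs.num(1) != 1 { // handshake record, client_hello
		return "", errors.New("not a TLS ClientHello record")
	}
	h := hs.sub(3)
	h.take(2 + 32) // client_version, random
	h.sub(1)       // session_id
	h.sub(2)       // cipher_suites
	h.sub(1)       // compression_methods
	if h.err != nil {
		return "", h.err
	}
	if len(h.b) == 0 { // the extensions block is optional (pre-SNI clients omit it)
		return "", ErrNoSNI
	}
	exts := h.sub(2)
	for exts.err == nil && len(exts.b) > 0 {
		extType := exts.num(2)
		ext := exts.sub(2)
		if extType != 0 { // 0 = server_name
			continue
		}
		names := ext.sub(2)
		for names.err == nil && len(names.b) > 0 {
			nameType, name := names.num(1), names.take(names.num(2))
			if names.err == nil && nameType == 0 { // 0 = host_name
				return string(name), nil
			}
		}
		exts.err = names.err // a truncated entry aborts the whole parse
	}
	if exts.err != nil {
		return "", exts.err
	}
	return "", ErrNoSNI
}

// BuildClientHello is constructed sample input: a minimal TLS 1.2 ClientHello record
// with a server_name extension for host (no extension at all when host is empty).
func BuildClientHello(host string) []byte {
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...)    // client_version, random
	body = append(body, 0, 0x00, 0x02, 0xc0, 0x2f, 0x01, 0x00) // no session_id, one suite, null compression
	var exts []byte
	if host != "" {
		entry := append(append([]byte{0}, u16(len(host))...), host...) // name_type host_name
		list := append(u16(len(entry)), entry...)
		exts = append(append([]byte{0, 0}, u16(len(list))...), list...) // extension type 0
	}
	body = append(append(body, u16(len(exts))...), exts...)
	hs := append([]byte{1, 0, byte(len(body) >> 8), byte(len(body))}, body...) // client_hello, 24-bit length
	return append(append([]byte{0x16, 0x03, 0x01}, u16(len(hs))...), hs...)
}

func main() {
	fmt.Println(ExtractSNI(BuildClientHello("www.example.net")))
}
```

A ClientHello split across several TLS records is not reassembled here; a real server feeds the record layer's output to the handshake parser.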
Re: Key Encryption
You are seriously lost. Private keys and public keys (certificates) are USED in performing RSA encryption, but they are not themselves encoded and/or transmitted under RSA encryption. Yes, keys for private-key encryption are sent under public key encryption, but a key for private key encryption is a very different animal than a private key used for public key encryption.

> I have some systems running standalone, and far from here. I want to control them using VNC and encrypting the traffic between me and the systems. Those systems are accessible also to other people, so if I install a certificate with unencrypted private key, encrypting is useless, since a third party has the private key too.

I'm assuming the other people have only read access, or else they could install any kind of spy software they wanted. But if they have read access there are no secrets on that machine, they could theoretically clone the machine, feed it the same information they wiretap off the wire, and get the decode. So there's not much hope for secrecy, though you could ENCODE the commands with a private key YOU hold and it would not then be possible for others to counterfeit commands.

AH! The other side generates a random symmetric key (let's use the terminology symmetric, private, and public). It encodes that key with your PUBLIC key and sends it on to you. You can then decode it with your closely-held PRIVATE key and use the random symmetric key to exchange information with the other side. This works as long as the temporary ephemeral random symmetric key can be protected from reading on the other side, like if it is kept only in memory and /dev/kmem and other ways to read the memory of an arbitrary process are deactivated.

[EMAIL PROTECTED] wrote:
> Bernhard Froehlich wrote:
>>> one silly question: if I generate a request with
>>> openssl req -new -keyout mykey.pem -out myreq.pem 265
>>> is the private key in mykey.pem encrypted or not?
>> Since my openssl asks me for a password when using openssl req -new -keyout mykey.pem -out myreq.pem, I'd think the key is encrypted. Maybe your openssl.conf can influence that. If you want to be sure the key is unencrypted use the option -nodes.
> Sure, but the story is a little bit more complicated. I have some systems running standalone, and far from here. I want to control them using VNC and encrypting the traffic between me and the systems. Those systems are accessible also to other people, so if I install a certificate with unencrypted private key, encrypting is useless, since a third party has the private key too.
> BTW, my doubt is: under pcAnywhere and apache I issue certificates with a private key that, AFAIK, should be RSA encrypted, and I supply a password for the pem I generate with openssl req. Therefore how do pcAnywhere and apache handle this situation, since they both DON'T ask me for any password?
> Ciao

-- 
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: activity
Ronan wrote:
> is this list just not that active or do the people on it honestly not know the answers??

Well, let's consider some OTHER hypotheses:

1. The question is so easy that everybody thinks someone else will answer it. That is, the old hands say "oh, not AGAIN!!!" and are just bone tired of answering the same questions over and over again, even though the answers are in the FAQ, while those of us who are relatively new to the list but DO know the answers sometimes jump in and, in a spirit of gratitude to the old hands who got us to where we are today, try to answer the question.

2. The question is so hard that the few who could really answer it have printed it out and taken it to lunch with them, so they can really analyze the situation without being interrupted by phone calls from pointy-haired bosses yada yada.

3. The question is incomprehensible due to being expressed in such a broken form of English that even a native speaker cannot quite puzzle out what is being asked. I say this as a person who has been struggling to learn a foreign language all my life (on and off) and I must say that I have the greatest sympathy for someone who is trying to learn English as a second language -- yes, it is a REALLY difficult language, but that doesn't help us understand your question any better. Is there any English speaker around there who can help you with making the question more understandable?

4. The question exposes some inherent flaw in the design and/or implementation of the software, and everybody who has invested ego in the software is somewhat embarrassed and hence reticent to reply.

There are probably more. But I suggest you review the recent exchanges I had with Bilal Shahid. On Nov 2 he posted some general questions about certificates and calling the openssl ca function to generate them. On Nov 2 I read this posting, and didn't understand why he framed the question in quite the way he did, so I tried to diagnose what information he didn't have that would cause a question to be asked in such a way, and I then responded with a list of what I thought might be documentation likely to supply that missing information. On Nov 3 he posted a description of two scenarios he titled Case 1 and Case 2. On Nov 3 I read the scenarios and replied with a fairly complete analysis of his Case 1 and why the failure he was seeing was most probably happening. I also answered some of his questions about how two certificate extensions interact, and explained how the command line arguments to openssl ca were causing the information on what extensions to add to the certificate to come from two different sections in probably two different configuration files.

This is hardly commensurate with your complaint. As it happens, I have done no actual programming with the OpenSSL library, though I've had extensive experience in using OpenSSL from the command line, and loosely linked to from Perl and C, so I don't personally have the knowledge to answer your question of 4:18 this morning, however, I don't think it is appropriate to post a complaint at 6:39 the same morning. I don't think you can expect free advice with a less than 3 hour turnover, especially when the US is asleep. (Guess I'm assuming Netscape has converted GMT to EST right... :-)

Who knows? Maybe somebody printed out your question and is reading it over his lunch, like I did with Bilal's second post...

-- 
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Some OpenSSL certificate and key questions
; xpserver_ext while generating the Server side certificate) while generating this script. The output of the command (openssl x509 -noout -text -in cert-clt.pem) is the following (again partial output only):

X509v3 extensions:
    X509v3 Extended Key Usage:
        TLS Web Client Authentication

As you can see from this output, the certificate only has the Extended Key Usage field included and no Key Usage field.

Case 2: The following script takes out the -extensions flag:

openssl req -new -keyout newreqkey.pem -out newreq.pem -days 730 -passin pass:whatever -passout pass:whatever
openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -infiles newreq.pem
openssl pkcs12 -export -in newcert.pem -inkey newreqkey.pem -out cert-clt.p12 -clcerts -passin pass:whatever -passout pass:whatever
openssl pkcs12 -in cert-clt.p12 -out cert-clt.pem -passin pass:whatever -passout pass:whatever
openssl x509 -inform PEM -outform DER -in cert-clt.pem -out cert-clt.der
openssl rsa -in newreqkey.pem -outform DER -out newreqkey.der

The output of the command (openssl x509 -noout -text -in cert-clt.pem) is the following (again partial output only):

X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment
    Netscape Comment:
        OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
        E7:6A:A2:3F:01:96:AB:D2:86:5E:F0:CB:33:A8:15:79:77:7E:BD:D6
    X509v3 Authority Key Identifier:
        keyid:A7:D4:69:D4:9C:9C:7E:25:C6:C8:B0:A6:BC:B6:5C:01:CC:15:E5:9A
        DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
        serial:00

Now this shows us various Key Usage extensions. So basically, I have two different sets of certificates. For Case 1, when the Server sends its certificate to the Client for verification, it fails in the following code:

ssl3_get_server_certificate()
  |
  -- verify_cert_chain()
       |
       --- check_chain_purpose()
             |
             --- X509_check_purpose()
                   |
                   --- ku_reject()

citing the error Invalid Purpose. For Case 2, no such error happens and the Client successfully verifies the Server certificate and in reply sends its own (which the Server is currently refusing to verify on the pretext of Bad Signature but that is another story).

From the comparison of these two cases of certificate generation it seems to me that Extended Key Usage cannot co-exist with the Key Usage field. Of course I am wrong according to the documentation but I haven't yet figured out a way out of this.

What I am trying to do is mutual authentication between a 802.1X Supplicant and the FreeRADIUS Server using EAP-TLS. Most of the HOW-TOs that I have read on the internet for carrying out this task mention that ClientAuth/ServerAuth Extended Key Usage MUST be enabled for this authentication to occur. I am not sure whether Case 1 is more appropriate for my task or Case 2. Please, do let me know of your comments and any way out of this situation.

Thanks,
Bilal

> From: Charles B Cranston [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Some OpenSSL certificate and key questions
> Date: Tue, 02 Nov 2004 09:10:22 -0500
>
> You should probably read chapter 4 of RFC 3280
> http://www.ietf.org/rfc/rfc3280
> particularly 4.2.1.3 Key Usage and 4.2.1.13 Extended Key Usage
>
> Also the text file openssl.txt in the doc directory of the openssl distribution.
>
> I don't use CA (I use x509 instead) so maybe that has something to do with the way you're framing the question, but your term "include extensions" as some sort of binary thing is difficult to understand.
>
> In general, the documentation supplies suggested defaults for dealing with a certificate that does not have the Key Usage or Extended Key Usage extensions (either from being an old-format cert without any extensions or from being a new format cert with either no actual extensions or with extensions of types other than Key Usage/Extended Key Usage). However, the verifying party software (in this case your client) does what its software has been programmed to do, and if this differs from the suggested default behaviour, your only recourse is to put the extensions in and hope that the software at least does the right thing when it has been told explicitly to do so.
>
> From rfc3279 Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile:
>
>    ...
>    2.3.1 RSA Keys
>    ...
>    If the keyUsage extension is present in an end entity certificate which conveys an RSA public key, any combination of the following values MAY be present: digitalSignature; nonRepudiation; keyEncipherment; and dataEncipherment.
>
>    If the keyUsage extension is present in a CA
Re: Some OpenSSL certificate and key questions
You should probably read chapter 4 of RFC 3280 http://www.ietf.org/rfc/rfc3280 particularly 4.2.1.3 Key Usage and 4.2.1.13 Extended Key Usage. Also the text file openssl.txt in the doc directory of the openssl distribution.

I don't use CA (I use x509 instead) so maybe that has something to do with the way you're framing the question, but your term "include extensions" as some sort of binary thing is difficult to understand.

In general, the documentation supplies suggested defaults for dealing with a certificate that does not have the Key Usage or Extended Key Usage extensions (either from being an old-format cert without any extensions or from being a new format cert with either no actual extensions or with extensions of types other than Key Usage/Extended Key Usage). However, the verifying party software (in this case your client) does what its software has been programmed to do, and if this differs from the suggested default behaviour, your only recourse is to put the extensions in and hope that the software at least does the right thing when it has been told explicitly to do so.

From rfc3279 Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile:

... 2.3.1 RSA Keys ... If the keyUsage extension is present in an end entity certificate which conveys an RSA public key, any combination of the following values MAY be present: digitalSignature; nonRepudiation; keyEncipherment; and dataEncipherment. If the keyUsage extension is present in a CA or CRL issuer certificate which conveys an RSA public key, any combination of the following values MAY be present: digitalSignature; nonRepudiation; keyEncipherment; dataEncipherment; keyCertSign; and cRLSign. However, this specification RECOMMENDS that if keyCertSign or cRLSign is present, both keyEncipherment and dataEncipherment SHOULD NOT be present. ...

From this I would suspect CA certificates should have keyCertSign and end-user certificates should have keyEncipherment, since what the certificate is being used for is to transfer a symmetric key from the client to the server for SSL usage. As for the extended key usage, I would suspect that clientAuth would be right for both CA and end-user certificates. As for the critical bit, I did have to back off the critical bit on Extended Key Usage but I do have it set for Basic Constraints and Key Usage. See paragraph 3 of http://cert.umd.edu/cadoc?ssign At the time I cared about Netscape 4x...

1- I noticed that the certificates generated with the extensions (extended key usage field) enabled, do not have other basic key usages like DigitalSignature, Key Repudiation and Key Encipherment. I mean to say that either the certificate can have an extended key usage OR it can have Digital Signature, Key Repudiation etc. Is this the correct behavior?

Again, I cannot understand your usage of "extensions enabled". Perhaps an openssl x509 -noout -text -in cert would shed some more light on what certificate is actually being generated?

2- Is the extended key usage field necessary when we are trying to authenticate a Client to a Server in the 802.1X environment? OR we can authenticate a client to the Server without this extension field as well.

As stated, the documentation suggests default behavior if the extension is not present, and for backwards-compatibility's sake the behaviour should be to succeed not fail. Thus, unless the Server is being persnickety about requiring the extension, or the extension is marked critical so the server has no choice, the server should honor the certificate without the extension. Your mileage may vary. Offer not valid in sector R or S.

Bilal Shahid wrote:

Hi, I am a newbie at using openssl and facing numerous problems right now. I am using OpenSSL, FreeRADIUS Server and a DOT1X Supplicant. Basically trying to get the Supplicant to authenticate to the FreeRADIUS Server using EAP-TLS. I used a script (CA.All) to generate the three certificates for root, server and the supplicant. Now here is the problem. If I include extensions (extended key usage field) in my certificates (Client Authentication/Server Authentication), my Client (Supplicant) always fails in the following call in the file s3_clnt.c:

ssl3_get_server_certificate()
  -- verify_cert_chain()
    --- check_chain_purpose()
      --- X509_check_purpose()
        --- ku_reject()

Basically, the error that is returned here is X509_V_ERR_INVALID_PURPOSE. I explored till the very lowest level and found out that field x->ex_xkusage is set 0x00 EVEN THOUGH the certificate does have the extension enabled in it. On the other hand when I generate all the certificates without the flag extension, I do not see this error. But then, when the Client does finally send
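To make the keyUsage / extendedKeyUsage discussion above concrete, here is an added example (not code from the thread and not OpenSSL's own code) that decodes the two extension values from their DER encoding and applies a purpose check shaped like the ku_reject()/xku_reject() logic named in the call chain: an absent extension never rejects (the backwards-compatible default), a present one must carry a value the purpose needs. The DER byte strings, the purpose table and the function names are this example's own constructions.

```python
"""Decode X.509 keyUsage / extendedKeyUsage values and run an
OpenSSL-style purpose check (the ku_reject / xku_reject logic named
in the thread).  Added example: not code from the thread or from
OpenSSL.  The DER byte strings are constructed by hand."""

# RFC 3280 4.2.1.3: KeyUsage bit numbers (bit 0 = MSB of the first byte)
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# RFC 3280 4.2.1.13: the ExtendedKeyUsage OIDs recognised here
EKU_OIDS = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
}


def read_tlv(data, pos=0):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_key_usage(der):
    """KeyUsage ::= BIT STRING -> set of the usage names whose bit is set."""
    tag, body, _ = read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = body[0], body[1:]
    nbits = 8 * len(bits) - unused
    return {KEY_USAGE_BITS[i] for i in range(min(nbits, len(KEY_USAGE_BITS)))
            if (bits[i // 8] >> (7 - i % 8)) & 1}


def decode_oid(body):
    """OBJECT IDENTIFIER contents (base-128 arcs) -> dotted string."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_ext_key_usage(der):
    """ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER -> list of names."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        dotted = decode_oid(v)
        oids.append(EKU_OIDS.get(dotted, dotted))
    return oids


# What each purpose needs when the extension IS present.  These sets are this
# example's reading of RFC 3280 and of OpenSSL's check_purpose_* functions.
PURPOSE_KU = {"sslclient": {"digitalSignature"},
              "sslserver": {"digitalSignature", "keyEncipherment"},
              "ca": {"keyCertSign"}}
PURPOSE_EKU = {"sslclient": {"clientAuth"}, "sslserver": {"serverAuth"}, "ca": None}


def check_purpose(purpose, key_usage=None, ext_key_usage=None):
    """True if a certificate carrying these decoded extensions may be used
    for `purpose`.  None means the extension is ABSENT, which never rejects
    (the backwards-compatible default the thread describes).  A PRESENT
    extension must contain at least one of the required values."""
    if key_usage is not None and not (key_usage & PURPOSE_KU[purpose]):
        return False              # ku_reject(): required key usage bit missing
    need = PURPOSE_EKU[purpose]
    if need and ext_key_usage is not None and not (set(ext_key_usage) & need):
        return False              # xku_reject(): EKU present but wrong purposes
    return True


if __name__ == "__main__":
    # Constructed sample extension values (the contents of extnValue)
    ku_end_entity = bytes.fromhex("030205a0")      # digitalSignature, keyEncipherment
    ku_ca = bytes.fromhex("03020106")              # keyCertSign, cRLSign
    eku_client = bytes.fromhex("300a06082b06010505070302")   # clientAuth only
    ku, eku = decode_key_usage(ku_end_entity), decode_ext_key_usage(eku_client)
    print("end entity:", sorted(ku), eku, "sslclient ok:", check_purpose("sslclient", ku, eku))
    print("CA:", sorted(decode_key_usage(ku_ca)), "ca ok:", check_purpose("ca", decode_key_usage(ku_ca)))
```

Run against a real certificate, the inputs would be the extnValue contents that `openssl x509 -noout -text` pretty-prints; the point of the check is that an end-user certificate with extendedKeyUsage = serverAuth but no clientAuth is rejected for the sslclient purpose even though its keyUsage bits are fine, which is exactly the X509_V_ERR_INVALID_PURPOSE outcome described above.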
Re: more CSR
Actually you might be confused a little. A CSR is nothing more than a public key bundled with an identity (name). If you already have a CSR you should not also need a public key. If you mean the key to be the private key to a signing CA and the CSR to be for an end-user certificate to be SIGNED by that CA, it would be a different story. However, this appears to be the solution to your immediate problem:

[zben-mac-ii:~] zben% man x509
X509(1)                           OpenSSL
NAME
    x509 - Certificate display and signing utility
SYNOPSIS
    openssl x509 [-inform DER|PEM|NET] [-outform DER|PEM|NET] [-keyform DER|PEM] [-CAform DER|PEM] [-CAkeyform DER|PEM] [-in filename] [-out ...
OPTIONS
    ...
SIGNING OPTIONS
    ...
    -req   by default a certificate is expected on input. With this option a certificate request is expected instead.

If you're giving it a CSR you should use the -req option otherwise it will be expecting a certificate, which is sorta what the error diagnostic was trying to tell you:

1530:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE

== Word to the wise: it would be a Good Idea to read all the man pages from cover to cover of the openssl keywords you're trying to use, plus the global one, plus the two on the configuration file format, plus the ASCII text files in the doc (docs?) directory of the source code distribution.

Ronan wrote:

openssl x509 -in ./demoCA/rtest.csr -CA ./demoCA/cacert.pem -CAkey ./demoCA/private/cakey.pem -CAserial ./demoCA/serial -out ./demoCA/rtest.pem

unable to load 'random state'
This means that the random number generator has not been seeded with much random data.
Consider setting the RANDFILE environment variable to point at a file that 'random' data can be kept in (the file will be overwritten).
unable to load certificate
1530:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE

This is the error I'm currently getting. I have generated rtest.key and rtest.csr. I have cat'd rtest.key into rtest.csr then run the above... I did this because it complains about needing a key. If I don't have to do this please tell me why. So it's looking for a trusted certificate, how do I do this... this is bugging me; I think I've read every document on openssl.org and am still stumped... Someone is bound to have done this before... ronan

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
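The "no start line ... Expecting: TRUSTED CERTIFICATE" diagnostic is worth understanding rather than just working around. The following is an added example (not from the thread, not OpenSSL's code) that lists the PEM blocks in a file and predicts what `openssl x509` will do with it, with and without -req. The alias table (which BEGIN labels satisfy which expected type) is this example's summary of OpenSSL's check_pem() behaviour, and the PEM text is constructed with dummy bodies: only the labels matter here.

```python
"""Find the PEM blocks in a file and predict what `openssl x509` will do
with it.  Added example, not from the thread.  The PEM text is constructed:
the base64 bodies are dummies, only the BEGIN/END labels matter here."""
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Labels accepted for each expected input type (this example's alias table,
# modelled on PEM_read_bio's check_pem()).
ACCEPTS = {
    "TRUSTED CERTIFICATE": {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"},
    "CERTIFICATE REQUEST": {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"},
}


def pem_labels(text):
    """Labels of every PEM block in the file, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def x509_input_check(text, req=False):
    """Simulate openssl x509's input read: without -req it wants a certificate
    (label 'TRUSTED CERTIFICATE'); with -req it wants a CSR.  PEM_read_bio
    skips blocks with other labels, so the read only fails when NO block in
    the file matches, and then reports 'no start line ... Expecting: <type>'.
    Returns (ok, diagnostic)."""
    expecting = "CERTIFICATE REQUEST" if req else "TRUSTED CERTIFICATE"
    labels = pem_labels(text)
    for label in labels:
        if label in ACCEPTS[expecting]:
            return True, "using %s block" % label
    msg = "PEM routines:PEM_read_bio:no start line: Expecting: %s" % expecting
    if not req and any(l in ACCEPTS["CERTIFICATE REQUEST"] for l in labels):
        msg += " (file holds a CSR: use openssl x509 -req)"
    elif labels:
        msg += " (file holds only: %s)" % ", ".join(labels)
    return False, msg


# Constructed input: a private key cat'd in front of a CSR, as in the thread
KEY_PLUS_CSR = """-----BEGIN RSA PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE REQUEST-----
"""

if __name__ == "__main__":
    print(pem_labels(KEY_PLUS_CSR))
    print(x509_input_check(KEY_PLUS_CSR))            # fails: expects a certificate
    print(x509_input_check(KEY_PLUS_CSR, req=True))  # ok: -req reads the CSR
```

Note what this shows about the thread's situation: concatenating the key in front of the CSR did no harm by itself (the key block is skipped), but it did nothing useful either; the failure is solely that no certificate block exists in a file being read as a certificate, which -req fixes.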
Re: what is the difference between get and post with ssl?
Richard Levitte - VMS Whacker wrote:

In message [EMAIL PROTECTED] on Thu, 28 Oct 2004 18:10:35 +0800, [EMAIL PROTECTED] said:

hzhijun i execute the test.html in internet explorer and it return a correct index1.html page. But if i change the method from 'get' to 'post', it return the message
hzhijun
hzhijun Method Not Allowed
hzhijun The requested method POST is not allowed for the URL /index1.html.
hzhijun
hzhijun why???

First of all, this has absolutely *nothing* to do with SSL (let alone OpenSSL). The POST method usually means you want to send data to a CGI script or something like that. An HTML page usually isn't a CGI script. However, I would think this is really a matter of Apache configuration that has nothing to do with SSL, so you should probably ask on the usual Apache lists to get an accurate answer.

Well, what is Apache supposed to do in this case? You have data arguments from the POST, but the URL is for a simple data file fetch. Ignore the arguments and just give you the data file? BTW using a CGI script on GET is one way to do dynamic data. But I can't think of any useful semantic for POST on something that is not a CGI script or other input data handler, so I agree that giving a diagnostic is reasonable in this case.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: AW: CSR signing
The more randomness you put into the random number generator, the better keys you will get. I've been known to use something as simple as (df; date) > RANDFILE, the theory being that it is hard to predict the exact amount of free file space on (random date in the past) and that the output of date is always changing, but clearly one could do better. You might also investigate the possibility of patches to your operating system to implement /dev/random which uses things like Ethernet packet arrival times to generate random numbers. I know there is a patch for Solaris, we are using it. Linux has it built in.

Ronan wrote:

I'd suggest you use the CA.pl script instead. That should make things much easier.

i have a csr (in pem format (by default)) and a key. I want to sign the csr with my domain's root CA. I want then to change it to pkcs12 format. Finally I want to install it onto an Active Directory (win 2000 advanced) machine so I can ssl to the AD.

using the CA.pl and my current key and csr: copy mycsr.csr to newreq.pem and run
# /home/local/ssl/misc/CA.pl -sign
Signed certificate is in newcert.pem
it's not, there is no newcert.pem

is this what I'm after?
/usr/local/ssl/bin/openssl x509 -req -in ./CSR.csr -CA ./cacert.pem -CAkey ./private/cakey.pem -CAserial ./serial -out ./signedcert.pem
well it does output signedcert.pem but it gives me this message
unable to load 'random state'
This means that the random number generator has not been seeded with much random data.
Consider setting the RANDFILE environment variable to point at a file that 'random' data can be kept in (the file will be overwritten).
Signature ok
I'm in csh atm. Is this a problem...?? help!

Steve.
-- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: Customer request
The Doctor wrote:

Does anyone here know of such package that uses open source?

- Forwarded message from Customer ---

1. Form Content Security. (FormmailEncoder/Decoder) As I understand it, on a secure website the content of a submitted form is protected by SSL from the submitter to the server. The purpose of this software is to protect the information while it travels as an e-mail from your server to the client's computer. There seems to be plenty of e-mail-to-email encryption software around, but this was the only *form*-to-Email package I could find. Anything you find that will achieve this goal is acceptable.

NO, it is not usually sent as email from the computer processing the form request to anywhere else. There are usually better ways than email to do this. If you are asking about email from the server BACK to the client (perhaps acking the form submission) then this would be an email to email package. I don't think form-to-email makes much sense, except in cases where the server wants to be very thin, so it turns around and immediately sends the form data as email to somewhere else.

OH. Client and submitter are two different people! Nonstandard use of the term client in our argot. OK, you want a thin server to conduct the form submission, then email the results securely to a third party (this is your client). What we would usually do is handle the form submission with a CGI (which can be written in C or Perl or pretty much any language), then have it pipe (Unix term) into a program that would send out the encrypted email. All you need here is a mail program that can do the encryption and can take an outgoing message on standard in. Sorry about the Unix specific nature. All of this is easy hacking under Open Source.

HOWEVER. Sometimes email gets lost, or a sending cannot go because of lack of scratch file space or something. How will you handle this? If you take the user's form then fail he will be angry because he did the work for nothing (remember IRS flushing tax forms in the 70s?). If you are going to log them on the server, why bother with email, just ftp the log file over nightly. Doing this with email is kind of a kluge, you should realize that...

2. Newsletter. (NewsLetterPro) We're looking for a high-end package here. The requirements are:
- double opt-in
- double-opt out
- browser-based administration (sending, viewing lists, etc.)
- built-in HTML editor for creating newsletters
- ability to import and export mailing lists
- supports text and HTML formats, lets user choose
- free tech support
- full user tracking and reporting (who opens them, who unsubscribes, etc.)
- bounce filters (removes from list after X bounces)
- ability to schedule deliveries
- can collect information (name etc) when the user subscribes, and use it to personalize emails
- database is fully secure
The only other package I found that could do all this was .asp...

All this is do-able but unless you can find an already existing package that does what you want, you're looking at hiring a competent and experienced programmer at industry rates. (PLEASE don't think you can hire a high-schooler to do this...)

If you can find alternatives that fully meet the objectives, great. I expect to use these elements (appropriately licensed, of course) on other sites in the future, so taking the time to get trouble-free packages now will enhance the experience for both your customers and mine.

OTOH if you have this done custom it will do what you want, to the extent that you can express what you want, that it is physically and logically do-able, and that what you want doesn't drift during the software development period. If you use asp there will also be a development (or at least a customization) phase, but there might be things that are doable in a vacuum but that you cannot do because the technical decisions when asp was developed preclude that particular approach.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: SSL without Key?
If by anonymous SSL connection you mean that the client does not need to have a certificate, you just cut the process short. Stop right before the server sends the client the list of CAs for which it is prepared to accept user certificates. In other words, the client authentication part of the SSL protocol can be seen as, in some sense, optional.

I admit I am nothing like an expert in this particular area and if anybody on the list feels they could do a better job of answering these questions please jump in.

David ARMOUR wrote:

Charles, Your answer makes things clearer to me. As my job is one of automating business processes I tend to always be working as a client. I am recently facing a job where I have to connect to an SMTP server using SSL. (Server does not allow insecure connections.) The mail server in this company is running ESMTP Mirapoint 3.4.4-GR. Up to now I have always faced insecure connections to SMTP servers but now I have to extend my C++ Email library to perform anonymous SSL connections. I purchased a book to learn about OpenSSL ('Network Security with OpenSSL' published by O'Reilly) but I am having some difficulties. There is no example or explanation given for anonymous SSL connections as far as I can see. (I have tested the secure connection using 'stunnel' and I can send all the emails I need from the SMTP server but I would not like to rely on stunnel to make my connection.) Can you advise me on the procedure I need to use to set up the anonymous SSL connection with OpenSSL or point me in the direction of some example code. Thanks, David

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charles B Cranston
Sent: Thursday, October 21, 2004 10:04 PM
To: [EMAIL PROTECTED]
Subject: Re: SSL without Key?

I don't think this is correct at all. I use OpenSSL to generate certificates that are used on Microsoft IIS servers and IBM HTTP servers and Novell eDirectory LDAP servers and IBM Directory Server LDAP servers and all sorts of servers. Now, the vendors may not make it EASY to use non-proprietary certs, and may SUGGEST in their documentation that it does not work (as well)[0,1] with them, and the salesmen certainly may SAY that it does not (really)[0,1] work (well)[0,1] but there is no particular reason you should believe them :-)

The answer to the original question is: Only one side needs to have a certificate, so if the server has a certificate, the client can make up a random key (called a session key) and encrypt it with the public key from the certificate, send it up the link to the server, then the server can DECRYPT it with its private (or secret) key. Now both sides know the random session key and can use it in a traditional (e.g., non-public) encryption like DES or AES1.

Peter O Sigurdson wrote:

Hi David. You install a certificate for Windows IIS by using the Keymanager key generation wizard, then generate a certificate key request and then have a CA sign the certificate and install it. Detailed instructions are available in the Windows help system. I'm guessing it is analogous for other Windows servers such as Outlook. In any event, Microsoft being proprietary probably has no ability to work with or use OpenSSL certificates. But then, OpenSSL can't work with Java Cryptography extension-generated KeyStores. So, your SSL artifacts (ie keys) will always be product-specific.

David ARMOUR [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 10/21/2004 09:31 AM Please respond to openssl-users To: [EMAIL PROTECTED] cc: Subject: SSL without Key?

Email clients such as Outlook can have a SSL connection to the server as an option. However when these options are selected, the user does not have to provide a key. How does such a system create an SSL connection? How could I use SSL to emulate such action? Regards.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: SSL without Key?
I don't think this is correct at all. I use OpenSSL to generate certificates that are used on Microsoft IIS servers and IBM HTTP servers and Novell eDirectory LDAP servers and IBM Directory Server LDAP servers and all sorts of servers. Now, the vendors may not make it EASY to use non-proprietary certs, and may SUGGEST in their documentation that it does not work (as well)[0,1] with them, and the salesmen certainly may SAY that it does not (really)[0,1] work (well)[0,1] but there is no particular reason you should believe them :-)

The answer to the original question is: Only one side needs to have a certificate, so if the server has a certificate, the client can make up a random key (called a session key) and encrypt it with the public key from the certificate, send it up the link to the server, then the server can DECRYPT it with its private (or secret) key. Now both sides know the random session key and can use it in a traditional (e.g., non-public) encryption like DES or AES1.

Peter O Sigurdson wrote:

Hi David. You install a certificate for Windows IIS by using the Keymanager key generation wizard, then generate a certificate key request and then have a CA sign the certificate and install it. Detailed instructions are available in the Windows help system. I'm guessing it is analogous for other Windows servers such as Outlook. In any event, Microsoft being proprietary probably has no ability to work with or use OpenSSL certificates. But then, OpenSSL can't work with Java Cryptography extension-generated KeyStores. So, your SSL artifacts (ie keys) will always be product-specific.

David ARMOUR [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 10/21/2004 09:31 AM Please respond to openssl-users To: [EMAIL PROTECTED] cc: Subject: SSL without Key?

Email clients such as Outlook can have a SSL connection to the server as an option. However when these options are selected, the user does not have to provide a key. How does such a system create an SSL connection? How could I use SSL to emulate such action? Regards.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: SSL without Key?
Peter O Sigurdson wrote:

This is great information. Can you point me to a HOWTO or other resource regarding importing SSL certs into IIS?

For the standard model, where you generate the CSR on the server (so the private key stays in the server the whole time) my standard reference is IIS Security (Marty Jost and Michael Cobb) McGraw Hill/Osborne 2002 but directions can be found at the web pages of all the commercial certificate vendors -- go prowl Thawte or VeriSign and pretend you just paid them $150 for a commercial certificate.

For the alternative model where both the certificate and private key are generated externally, I didn't even know if it could be done until this message was just posted on this list:

As others have mentioned, you can use OpenSSL to generate the request + key, and once you sign the request you'll then need to create a PKCS-12 file containing the certificate and key, then import that into IIS.

I've played with PKCS-12 files for installing USER certificates in clients, but have never played with using it to install SERVER certificates into a server. Take a look at the openssl pkcs12 command.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: Question about extension of a certificate
The .0, .1 etc suffix is from the way the Apache web server (I guess its SSL module) tries to find certificates in a directory. It hashes the subject name then looks for the certificate under hash.0 then hash.1 etc so the digit is used for collisions. I've never seen a .1 and we have a BIG directory. You can either rename the certificate file or keep the descriptive name and add a symbolic link from the hash to the real file name, which is what we do here: http://cert.umd.edu/spickdoc?apache

Elie Lalo wrote:

Hi, Thx for the reply. The software doesn't expect .0, but I read it somewhere and I wanted to make sure that it is not the case. Elie

At 02:27 PM 10/20/2004 -0400, you wrote:

No, you can use whatever extension you want. .pem and .cer are often used. Is there some piece of software expecting .0?

Hi All, Is it necessary to call a certificate with extension of .0? For example, if we have a certificate of type PEM, is it ok to name it certificate.pem or we have to name it certificatepem.0? I am using openssl-0.9.7d Thanks in advance for the help. Elie

Elie Lalo Senior Software Engineer Desktop Technologies Group 1414 Mass Avenue Boxborough, MA 01719 Cisco Systems, Inc. Tel : (978)936-1160 Fax: (978)936-2212 Url : www.cisco.com

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
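The hash.0 / hash.1 scheme described above is simple enough to reproduce. What follows is an added example (not the thread's or OpenSSL's code) that computes the legacy subject hash used by OpenSSL 0.9.x (the value `openssl x509 -subject_hash_old` prints in later releases: the first four bytes of MD5 over the DER-encoded subject name, read as a little-endian integer), and models a CApath directory in which the numeric suffix resolves both hash collisions and the common case of two certificates sharing one subject, such as a renewed CA. The DER subject names, the class and the method names are this example's constructions; OpenSSL 1.0.0 and later use a different (SHA-1, canonical-form) hash for the default lookup, so this matches only the old-style links.

```python
"""Legacy OpenSSL hashed certificate directory (the hash.0 / hash.1 scheme).
Added example, not the thread's or OpenSSL's code.  The hash is the pre-1.0.0
subject hash (what `openssl x509 -subject_hash_old` prints): the first four
bytes of MD5 over the DER-encoded subject name, read as a little-endian int.
The DER subjects below are constructed by hand."""
import hashlib

# Constructed DER Name: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), PrintableString } } }
CN_TEST_CA = bytes.fromhex("3012" "3110" "300e" "0603550403" "1307") + b"Test CA"
CN_OTHER_CA = bytes.fromhex("3013" "3111" "300f" "0603550403" "1308") + b"Other CA"


def subject_hash_old(der_name):
    """8 hex digits: low 32 bits of MD5(DER subject), little-endian byte order."""
    md = hashlib.md5(der_name).digest()
    return "%08x" % int.from_bytes(md[:4], "little")


class CertDir:
    """A CApath-style directory: link name -> (subject DER, descriptive name).
    Links are named hash.N; N resolves subject-hash collisions, and a second
    certificate with the SAME subject (e.g. a renewed CA) also gets the next N."""

    def __init__(self):
        self.files = {}

    def install(self, der_subject, real_name):
        """Link real_name under the next free hash.N; return that link name
        (the symbolic-link approach the post describes)."""
        h, n = subject_hash_old(der_subject), 0
        while "%s.%d" % (h, n) in self.files:
            n += 1
        link = "%s.%d" % (h, n)
        self.files[link] = (der_subject, real_name)
        return link

    def lookup(self, der_subject):
        """Probe hash.0, hash.1, ... until the first missing link; return the
        real names whose stored subject matches exactly.  A hash match alone
        is not enough: the subject itself must be compared."""
        h, n, found = subject_hash_old(der_subject), 0, []
        while "%s.%d" % (h, n) in self.files:
            stored, real = self.files["%s.%d" % (h, n)]
            if stored == der_subject:
                found.append(real)
            n += 1
        return found


if __name__ == "__main__":
    d = CertDir()
    print(d.install(CN_TEST_CA, "test-ca-2003.pem"))   # <hash>.0
    print(d.install(CN_TEST_CA, "test-ca-2004.pem"))   # <hash>.1, same subject
    print(d.lookup(CN_TEST_CA), d.lookup(CN_OTHER_CA))
```

The probing stops at the first gap, which is why renaming or deleting hash.0 while hash.1 exists makes hash.1 unreachable; the c_rehash script (and `openssl rehash` in newer releases) exists precisely to rebuild the links consistently rather than by hand.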
Re: Certificate check
NO! They are NOT the same. Look at the first few bytes:

From the public key:
Modulus (1024 bit): 00:cb:aa:35:d5:df:19:39:84:81:36:10:02:84:c3:
                       ^^ ^^ ^^

From the private key:
modulus: 00:a6:16:30:78:ca:2e:39:27:32:c9:36:c0:16:55:
            ^^ ^^ ^^

Nope, this key and cert do not match. Good luck tracking down the problem...

Warrick FtizGerald wrote:

Oh bother, it seems they are the same:

From the public key:
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
        Modulus (1024 bit):
            00:cb:aa:35:d5:df:19:39:84:81:36:10:02:84:c3:
            e1:43:e1:be:69:0d:e4:89:eb:9f:ca:45:b8:be:80:
            b7:e8:c1:ce:29:be:95:fb:20:d7:f3:da:67:b1:e1:
            c1:8a:fb:ec:ef:1a:2a:d8:e7:67:09:cf:b9:6b:55:
            f3:28:57:30:f7:fc:f9:23:ab:ea:aa:24:7f:3e:c8:
            e7:fb:f4:0b:62:03:68:32:23:d7:5d:8c:1d:4c:5d:
            8a:a2:b5:3a:ce:00:92:99:1c:fb:d7:a8:f0:a7:93:
            c5:c8:3c:84:a4:70:a0:02:50:d2:c2:6c:9e:a3:c3:
            40:f4:bc:07:59:ac:a1:61:51
        Exponent: 65537 (0x10001)

From the private key:
Private-Key: (1024 bit)
modulus:
    00:a6:16:30:78:ca:2e:39:27:32:c9:36:c0:16:55:
    11:49:8b:d7:d4:22:64:39:c5:c5:87:b0:a3:f0:8f:
    e8:44:e2:f9:e3:0d:7c:45:80:26:2b:6d:33:9d:26:
    a6:36:5c:d0:88:0f:28:7c:e8:65:a0:bc:2c:d1:34:
    63:56:c6:9b:b2:a7:30:4e:38:d1:9c:51:11:e2:2f:
    7b:43:25:56:a7:3c:09:e7:60:5e:d5:7d:6f:e2:39:
    7b:88:3f:69:23:ea:9b:f1:81:9d:44:2d:21:6b:f6:
    4e:7f:17:cf:0c:d6:7b:51:d0:f5:bb:4c:26:d7:9e:
    51:f4:92:5e:92:ba:25:fa:dd
publicExponent: 65537 (0x10001)

Is there any other test I can run that may help me figure out why this combination seems to fail?

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
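Comparing moduli by eye, as done above, works but is error-prone once the dumps are long. Here is an added example (not from the thread) that parses the colon-separated modulus out of `openssl x509 -noout -text` and `openssl rsa -noout -text` output and compares the two as integers. The two large dumps are the values quoted in the thread, laid out as the tools print them (15 bytes per line); the small matching pair at the end is constructed so a positive match can be seen too.

```python
"""Compare the RSA modulus from `openssl x509 -noout -text` with the one from
`openssl rsa -noout -text` to see whether a certificate and a private key
belong together.  Added example, not from the thread.  The big dumps are the
values quoted in the thread (they do not match); the small pair is constructed."""
import re

HEX_LINE = re.compile(r"(?:[0-9a-f]{2}:)*[0-9a-f]{2}:?")


def parse_modulus(dump):
    """Return the modulus from an openssl -text dump as an int.  It follows
    'Modulus (N bit):' (x509) or 'modulus:' (rsa) as colon-separated hex
    bytes, and ends at the next labelled line ('Exponent:' etc.)."""
    m = re.search(r"[Mm]odulus(?: \(\d+ bit\))?:", dump)
    if not m:
        raise ValueError("no modulus found in dump")
    hexdigits = []
    for line in dump[m.end():].splitlines():
        line = line.strip()
        if not line:
            continue
        if not HEX_LINE.fullmatch(line):
            break
        hexdigits.append(line.rstrip(":").replace(":", ""))
    return int("".join(hexdigits), 16)


def keys_match(cert_dump, key_dump):
    """True when the certificate's public key and the private key share a modulus."""
    return parse_modulus(cert_dump) == parse_modulus(key_dump)


# The thread's certificate dump (openssl x509 -noout -text excerpt)
CERT_DUMP = """\
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cb:aa:35:d5:df:19:39:84:81:36:10:02:84:c3:
                    e1:43:e1:be:69:0d:e4:89:eb:9f:ca:45:b8:be:80:
                    b7:e8:c1:ce:29:be:95:fb:20:d7:f3:da:67:b1:e1:
                    c1:8a:fb:ec:ef:1a:2a:d8:e7:67:09:cf:b9:6b:55:
                    f3:28:57:30:f7:fc:f9:23:ab:ea:aa:24:7f:3e:c8:
                    e7:fb:f4:0b:62:03:68:32:23:d7:5d:8c:1d:4c:5d:
                    8a:a2:b5:3a:ce:00:92:99:1c:fb:d7:a8:f0:a7:93:
                    c5:c8:3c:84:a4:70:a0:02:50:d2:c2:6c:9e:a3:c3:
                    40:f4:bc:07:59:ac:a1:61:51
                Exponent: 65537 (0x10001)
"""

# The thread's private key dump (openssl rsa -noout -text excerpt)
KEY_DUMP = """\
Private-Key: (1024 bit)
modulus:
    00:a6:16:30:78:ca:2e:39:27:32:c9:36:c0:16:55:
    11:49:8b:d7:d4:22:64:39:c5:c5:87:b0:a3:f0:8f:
    e8:44:e2:f9:e3:0d:7c:45:80:26:2b:6d:33:9d:26:
    a6:36:5c:d0:88:0f:28:7c:e8:65:a0:bc:2c:d1:34:
    63:56:c6:9b:b2:a7:30:4e:38:d1:9c:51:11:e2:2f:
    7b:43:25:56:a7:3c:09:e7:60:5e:d5:7d:6f:e2:39:
    7b:88:3f:69:23:ea:9b:f1:81:9d:44:2d:21:6b:f6:
    4e:7f:17:cf:0c:d6:7b:51:d0:f5:bb:4c:26:d7:9e:
    51:f4:92:5e:92:ba:25:fa:dd
publicExponent: 65537 (0x10001)
"""

# Constructed tiny matching pair (not a real key; only the layout matters)
SMALL_CERT_DUMP = "Modulus (16 bit):\n    00:c3:7f\nExponent: 65537 (0x10001)\n"
SMALL_KEY_DUMP = "modulus:\n    00:c3:7f\npublicExponent: 65537 (0x10001)\n"

if __name__ == "__main__":
    print("thread's cert/key match:", keys_match(CERT_DUMP, KEY_DUMP))
    print("constructed pair match:", keys_match(SMALL_CERT_DUMP, SMALL_KEY_DUMP))
```

The same comparison in one shell line is the usual `openssl x509 -noout -modulus -in cert.pem | openssl md5` against `openssl rsa -noout -modulus -in key.pem | openssl md5`; the parser above is the equivalent when all you have is the -text output someone pasted.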
Re: OT: Books on PKI and IPsec
Can people provide recommendations and other comments on which books to buy on PKI and IPsec

Some books I thought cost-effective, from easiest to hardest:

Applied Cryptography: Protocols, Algorithms, and Source Code in C by Bruce Schneier 2nd ed (Wiley 1996). 758 pages of extremely readable reference material on all kinds of symmetric and asymmetric cryptography. A bit dated at this point, for example, there are only a few paragraphs on Elliptic Curve. Look for 3rd edition.

Network Security with OpenSSL, John Viega, Matt Messier, and Pravir Chandra (O'Reilly 2002). The Seal book (pictures of seals on the cover). Practical info on OpenSSL plus other topics. I've almost always been impressed with O'Reilly books. I've said there may be a non-O'Reilly book that better addresses your particular concerns, but if you own TWO books on a subject, one should probably be the O'Reilly one. Especially the Nutshell books.

Implementing Elliptic Curve Cryptography by Michael Rosing (Manning 1999). There were a bunch of $100 books on Elliptic Curve. This one was about $80 IIRC and is very practical. The author answers his email and was very helpful. I'm still working on understanding optimal normal basis :-)

Topics in Algebra, I. N. Herstein 2nd ed (Wiley 1964). This is a college Math 400 level textbook on group theory and other mathematical topics. You can understand RSA at the number-theoretic level but you have to take Euler's theorem as a given. At the group-theoretic level you can prove it as a property of any group*. This book is not an easy read. I have spent more than ten years trying to understand Chapter 2... But I did find in Chapter 7 the existence and uniqueness properties of Galois fields, which really helped me understand the Elliptic Curve stuff, especially extension fields.

* Euler's Theorem: If n is a positive integer and a is relatively prime to n, then a ^ phi(n) = 1 mod n. This is a simple number-theory corollary of Lagrange's theorem: if G is a finite group and H is a subgroup of G then o(H) is a divisor of o(G); that is, the size of any subgroup of a group is a submultiple of the size of the original group, and you can then show the desired corollary: if G is a finite group and a belongs-to G then a ^ o(G) = e, by considering the subgroup of G generated by a. We pass from group theory to number theory by considering the reduced group Z*[n] which has phi(n) members and the identity (e in this notation) as 1 (one). This is the core of the RSA system where n = pq and phi(n) = (p-1)(q-1) and the decryption recovers the plain text by ending up multiplying it by one...

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
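Two of the posts on this page fit together here: the footnote above explains why RSA decryption "ends up multiplying the plaintext by one", and the "SSL without Key?" replies explain that only the server needs a key pair because the client invents the session key and wraps it with the server's public key. The following added example (not from either post) shows both with toy-sized RSA: p = 61, q = 53, so n = 3233 and phi(n) = 3120. The primes, the XOR "stream cipher" and all function names are this example's own choices and exist only to make the arithmetic visible; none of it is usable as real cryptography.

```python
"""Toy RSA with tiny primes to show two things from the posts on this page:
(1) Euler's theorem a^phi(n) = 1 (mod n) is what makes RSA decryption
    'multiply the plaintext by one', and
(2) only ONE side needs a key pair: the client invents a random session key,
    wraps it with the server's public key, and both sides then use it
    symmetrically (the 'SSL without key' answer).
Added example, not from the posts.  Primes are tiny and the symmetric step is
a toy XOR stream; this is for illustration only."""
import secrets
from math import gcd


def rsa_keygen(p, q, e=17):
    """n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # so e*d = 1 + k*phi(n) for some integer k
    return (n, e), (n, d, phi)


def euler_holds(a, n, phi):
    """Euler: gcd(a, n) = 1  =>  a^phi(n) = 1 mod n (a's order divides o(Z*[n]))."""
    return gcd(a, n) == 1 and pow(a, phi, n) == 1


def decrypt_explained(c, pub, priv):
    """Decrypt c = m^e and expose why it works: m^(ed) = m * (m^phi)^k.
    Returns (recovered m, the (m^phi)^k factor, which is 1 when gcd(m, n) = 1)."""
    n, e = pub
    _, d, phi = priv
    m = pow(c, d, n)
    k = (e * d - 1) // phi
    one = pow(pow(m, phi, n), k, n)
    return m, one


def toy_stream(key, data):
    """Toy symmetric step: XOR with the session key's bytes (NOT a real cipher)."""
    kb = key.to_bytes((key.bit_length() + 7) // 8 or 1, "big")
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data))


def client_hello(server_pub, message):
    """Client side, owning no certificate or key: pick a random session key
    below n, encrypt it with the server's public key, use it for the data."""
    n, e = server_pub
    session_key = secrets.randbelow(n - 2) + 2          # 2 .. n-1
    return pow(session_key, e, n), toy_stream(session_key, message)


def server_receive(server_priv, wrapped_key, ciphertext):
    """Server side: unwrap the session key with the private key, then decrypt."""
    n, d, _ = server_priv
    session_key = pow(wrapped_key, d, n)
    return toy_stream(session_key, ciphertext)


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)            # n = 3233, phi = 3120, d = 2753
    print("Euler holds for a=65:", euler_holds(65, pub[0], priv[2]))
    print("decrypt(65^e):", decrypt_explained(pow(65, pub[1], pub[0]), pub, priv))
    wrapped, ct = client_hello(pub, b"EHLO mail.example.test")
    print("server reads:", server_receive(priv, wrapped, ct))
```

Note that the round trip in the last three lines also succeeds when the random session key happens to share a factor with n, because n = pq is square-free; the "multiply by one" explanation via Euler only applies to plaintexts coprime to n, which is why decrypt_explained reports that factor separately.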
A more orthodox bridge certificate configuration
Well, since you didn't like my earlier bridge drawing, there's a more orthodox one below. As for notation: I tend to do a lot of diagrammatic reasoning myself, so I tend to invent notation as I go along. If there is a preferred notation [1] I'd be glad to redo these diagrams in that form. Since a certificate is essentially a public key signed by a private key, I used the notation: +---+ | (Private Key) | +---+ | Public Key | +---+ to denote a generic certificate. The signing private key is in parentheses because it is not actually IN the certificate. If the names in these diagrams are taken as the names of public keys, then (X) means signed with the private key corresponding to the public key X. Note that in the vast majority of cases the public key and private key will NOT match each other. Instead, it will be the private key of a superior CA signing the public key of either an inferior CA or an end user. A relying party may maintain a list of trusted certificates. When a certificate is trusted the signer is irrelevant. So sometimes I show a trusted certificate with a blank in the signer: +-+-+ |T| | +-+-+ | Public Key | +---+ and a flag [T] to show that the buck stops here. It is easy to follow the chain of trust with this notation: +-+-+ +---+ |T| | | (Superior CA) | +-+-+ +---+ ... until end user | Superior CA | | Inferior CA | +---+ +---+ I started representing a certificate as more than just an atomic object while trying to understand networks like this: +-+---+ +-+ |T| | | (B Root) | +-+---+ +-+ | Server Sign | | Server Sign | +--+--+ +--+--+ | | +++ | v +---+---+ | (Server Sign) | +---+ | SSL End User | +---+ in which more than one certificate can be said to have signed an inferior certificate. In this case, it should be obvious that both the trusted and untrusted certificates above should have equal claim on having signed the lower certificate. There is no distinguished signer [2]. Here is the updated bridge diagram. 
Note that there are a pair of cross-certifying certificates for each member of the bridge (this is what you were complaining about lack of, right?). +-+-+ +-+-+ |T| | |T| | +-+-+ +-+-+ | P Root +-+ +-+ Q Root | +-+-+ | | +-+-+ | v v | | +-+-+ +-+-+ | | +-+ (P Root) | | (Q Root) +-+ | | | +---+ +---+ | | | | | Bridge +--+--+ Bridge | | | | | +---+ | +---+ | | | | | | | | |+++| | | |v v| | | | +-+-+ +-+-+ | | | | | (Bridge) | | (Bridge) | | | | | +---+ +---+ | | | +--+ P Root | | Q Root +--+ | | +-+-+ +-+-+ | | | | | | +---+ +---+ | | | | | v v v v +--+---+--+ +--+---+--+ | (P Root) | | (Q Root) | +-+ +-+ | P End User | | Q End User | +-+ +-+ Unfortunately there are branched certificate chains here, so we just have to hope that the various relying party software modules get fixed up in time for us to actually DEPLOY something like this. So, when a P relying party tries to verify a Q End User certificate (we hope) it ends up with this certificate chain: +-+-+ |T| | +-+-+ Should be part of P's Trusted Certificates |P Root | +---+ +---+ Might be available from either the P LDAP | (P Root)| directory or the bridge LDAP directory +---+ Note: Q End User should NOT be expected to |Bridge | supply this since it is not a member of +---+ the P PKI +---+ Might be available from either the Q LDAP | (Bridge)
Certificate fetching for bridge CA configuration
So, this is perhaps the most simple bridge PKI arrangement: +-+---++-+---+ |T| ||T| | +-+---++-+---+ | P Root++ +---+ Q Root| +-+| | +-+ v v +--+--+ +--+--+ (1) | (P Root) | | (Q Root) | +-+ +-+ | Bridge+--+--+ Bridge| +-+ | +-+ | +-+-+ v v +--+--+ +--+--+ | (Bridge) | | (Bridge) | +-+ +-+ ++ P Sign| | Q Sign++ |+-+ +-+| v v +--+--+ +--+--+ | (P Sign) | | (Q Sign) | +-+ +-+ | P End User | | Q End User | +-+ +-+ Here P and Q are two separate PKIs bridged by the bridge Bridge. Let an email sender (or an SSL server) be the offerer, and let the email reader (or the SSL client) be the relying party (latter is standard usage). An offerer in the Q PKI interacts with a relying party in the P PKI. The P relying party needs this certificate chain: +-+---+ |T| | Presumably this is configured into the relying +-+---+ party software, or available from a server that | P Root| is secure and trusted by users of the P PKI +-+ +-+ | (P Root) | (1) This is the toughie -- could be configured into +-+ the P relying party or fetched from P LDAP but | Bridge| is NOT reasonable for Q offerer to supply... +-+ +-+ | (Bridge) | The Q offerer could supply this along with the +-+ End User certificate | Q Sign| +-+ +-+ | (Q Sign) | The Q offerer would supply this +-+ | Q End User | +-+ So, where would you suspect the (1) certificate would be obtained? It is unreasonable for Q End User to supply it, since she does not necessarily know client is from P and so would have to supply EVERY other PKI's bridge certificate. Perhaps it could be loaded from a source named by an Authority Information Access extension in (what? the end user certificate, or the signing certificate?) The only other alternative I can see is to load all the bridge certificates (1) into all the relying parties. -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
An epiphany (of sorts)
Just finished a cover-to-cover reading of Planning for PKI [1] and it sure cleared up some things for me. Thanks to Richard Levitte for recommending it.

It seems most of the cognitive dissonance I've been having with this PKI stuff is due to the PKI theoretics being based upon a pair of assumptions, neither of which obtains in the real world.

Assumption 1: There is a global X.500 repository, containing all the certificates, so no assumptions need be made on OBTAINING certificates; it suffices to prove that a valid chain of certificates EXISTS.

Assumption 2: Relying-party software is competent to find all valid certificate chains, so no assumptions need be made on SELECTING certs; it suffices to prove that a valid chain of certificates EXISTS.

As a simple example, I had been unable to discern any operational difference between a bridge CA and a simple hierarchy with the bridge CA at the top. After reading the book, I realize that in fact THERE IS NO DIFFERENCE until you consider REVOCATION.

Let L be the local root and B be the bridge root. Then when the bridge is the top of a simple hierarchy a local relying party uses the certificates (T marks a trust-list entry; (X) Y is a certificate for Y issued by X):

    T | L root        T | B root        Making the bridge simply one more entry
                                        in the trust list (schema from the book)

while for the bridge case it uses:

    T | L root        (L root) B root   In this case the L root can revoke the
                                        certificate that trusts the bridge

There is no difference here until we talk about revocation, since both configurations trust the same set of certificates, (the ones signed by L) union (the ones signed by B).

Given this, does anybody know any good references on how the various browsers can interact with a local LDAP directory, in terms of fetching certificates and CRLs when needed?

[1] Planning for PKI, Russ Housley and Tim Polk, Wiley, New York, 2001. http://www.amazon.co.uk/exec/obidos/ASIN/0471397024/qid=1095958618/sr=1-12/ref=sr_1_2_12/026-0124672-5623666

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: Question about openssl genrsa
Joppe Bos wrote:
> Hello everyone,
> I am fairly new with openssl and am trying to write a function which can make a public / private key pair with GMP (an open source big number library). I am doing this to compare the running time with openssl. I have a few questions regarding the openssl genrsa command:
> - What kind of random initialisation is being performed to be sure no-one can predict the output of the random generator?
> - Does openssl use normal primes of a certain number of bits or is it generating the so-called strong primes? And if it is generating strong primes, what kind of algorithm for this generating process is used (Gordon's algorithm or something else)?

I don't know if recent research has changed this, but last time I looked, there was no such thing as a 'strong prime' -- according to the paper on file in the tech library at rsalabs.com the idea of strong primes was with respect to a certain factoring algorithm, but newer factoring algorithms now make the idea of 'strong prime' technically obsolete.

You might take a look at the actual source code for openssl rsa -- I found it quite interesting, and this should answer your question.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: domain components in certificate dn?
Gerd Schering wrote:
> Richard Levitte - VMS Whacker wrote:
>> In message [EMAIL PROTECTED] on Fri, 24 Sep 2004 11:29:23 +0200, Gerd Schering [EMAIL PROTECTED] said:
>> Schering> is it possible to use domain name components - as in ldap - for the certificate dn, i.e. something like dc=mycompany,dc=com instead of the C=US,... staff?
>> Absolutely.
> Is it possible to do this with openssl?
> Gerd

Yes, you use dc.1 foo dc.2 bar etc -- however, beware that some LDAP software might have problems with DN field names that were not mentioned in the original LDAP RFC schema.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: signedandenveoped + encryption from commandline
Alok wrote:
> David C. Partridge wrote:
>> Once generated, it is encrypted using the public key of the recipient and included with the message.
> but then if i do something like DES(key=hispubkey(data=somerandom)) i can always decrypt if i know hispubkey.

NO! Look, Alok, it's painfully obvious that you don't really understand public key encryption -- that something encrypted by the public key CANNOT be decrypted by that public key. It can only be decrypted by the matching but different PRIVATE key. Also reflexive -- something encrypted with the private key CANNOT be decrypted with the private key -- it can only be decrypted with the private key. This is qualitatively different from traditional private key techniques, where the same key is used for encryption and decryption. You will not understand anything that is going on until you internalize this fact.

There have been a lot of newbie questions on this list recently. There is an FAQ which might answer some of the questions that are being asked over and over and over. Or do we need a newbie list??? (melting down due to getting over 200 spams a day...)

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
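The asymmetry the reply insists on, worked through on a toy scale. This is an added example, not code from the thread: textbook RSA with the constructed primes 61 and 53, applied the way S/MIME enveloping uses it (a symmetric content key is wrapped under the recipient's public key). The numbers are far too small for real use and real RSA also needs padding such as OAEP, which is omitted here; the point is only that what the public key wraps, the public key cannot unwrap.

```python
# Toy textbook RSA (constructed primes 61 and 53).  Added example, not from
# the thread and not how OpenSSL does it: no padding, tiny modulus.

def make_toy_keypair(p=61, q=53, e=17):
    """Return (public, private) as (exponent, modulus) tuples."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi); Python 3.8+
    return (e, n), (d, n)

def rsa_apply(key, x):
    """One modular exponentiation; the same primitive serves both directions."""
    exponent, n = key
    return pow(x, exponent, n)

def wrap_content_key(public, content_key):
    """What enveloping does: encrypt a symmetric content key (here just an
    integer below n) under the recipient's PUBLIC key."""
    return rsa_apply(public, content_key)

def unwrap_content_key(private, wrapped):
    """Only the matching PRIVATE key recovers the content key."""
    return rsa_apply(private, wrapped)

def demo(content_key=65):
    public, private = make_toy_keypair()
    wrapped = wrap_content_key(public, content_key)
    with_private = unwrap_content_key(private, wrapped)
    # Applying the public key again is not a decryption; it yields an
    # unrelated residue.  Knowing the public key does not recover the key.
    with_public = rsa_apply(public, wrapped)
    return wrapped, with_private, with_public
```

Running `demo()` wraps 65 to 2790, unwraps it back to 65 with the private key, and shows that a second application of the public key does not return 65.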
Re: PKI - CA Cross-Certificate with OpenSSL?
At the risk of seeming even more confused than usual...

There's a lot of theory out there about cross certification and bridges etc, but as far as I can tell it is really all theory, and will REMAIN theory until the various relying parties, that is, the standard web browsers, can properly process what are called branched certificate chains. It is my belief that we are not yet there, so trying to do anything more complicated than a simple linear certificate chain is asking for trouble.

Am I hopelessly rooted in the past, or is this a reasonable analysis?

Toxa wrote:
> Would you mind to clear it out for me... If any CA has been cross-certified with another one, all users of that CA have to import their CA's cross-certificate in order to trust users of another CA, but they still have to keep the old CA cert, right? What if a user imports the new cross-certificate only, without installing the old CA cert? I suppose it depends on the functionality of the cross-certificate...
> And the last one, imagine two cross-certified CAs which were, for example, self-signed, suddenly resign their root certs in order to be subordinated by a new Root CA (e.g. their new certificates signed by that root CA). What about the new certificate chain for users of those CAs, will it be based on the cross certificate, or based on the new root CA? e.g. CA1 and CA2 are cross-certified, both subordinated by CA0. For a user of CA1, picking the certificate of a user of CA2, the chain will be:
>     [CA1] -- [CA2]
> or
>     [CA1] -- [CA0] -- [CA2]

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: how do i use a CRL file to verify a certificate against?
Jon Bendtsen wrote:
> i can verify a certificate against a root certificate, with
>     openssl verify -CAfile root.ca rsacert.pem
> but how do i know that the certificate i try to verify has not been revoked?

At the risk of seeming to oversimplify a VERY complicated issue:

1. You have been downloading Certificate Revocation Lists (CRLs) from the CA that issued the certificate, so you have a current CRL, and the serial number of the certificate in question does NOT appear on that CRL (this is one reason serial numbers must be unique).

-or-

2. You conduct an Online Certificate Status Protocol (OCSP) transaction with the verification point listed in the certificate.

I suspect consulting the appropriate Internet RFC documents might be informative, although googling for OCSP and/or Certificate Revocation Lists would also bring in much info...

Note that this must be done by the verifying party, which in most cases on the Internet is a web browser like IE or Netscape, so we don't have access to the source code and we are at the mercy of the software vendors as to how and when this is done. My sense at this point is that there is not a whole lot of OCSP being done out there (comments?) nor do end-users really religiously download CRLs, so the issue of revocation is a bit of an embarrassment for the PKI community as a whole. Maybe this is one of the reasons why PKI is three years out, and has been for the past five years...

For our part, we are issuing fairly short-lived (1 year) end user certificates, knowing that if worst comes to worst, our losses are limited to one year's exposure. We hope that is good enough for a medium security PKI.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: Extended key usage field
Why questions are particularly difficult to answer. I guess the real answer is: because the programmer who wrote the software in question decided to program it that way.

The critical bit was intended to be an aid to software upgrade: Suppose you are trying to support a mix of old and new software, where the old software does not know about a particular extension but the new software does. Presumably the new software knows the proper way to deal with the extension. For the old software, the critical bit provides a hint of what to do. If the critical bit is not set, the software is free to ignore the extension. If the critical bit is set, the software should reject the certificate. But this is only for the old software, which does not know about the particular extension.

In the case you describe, the software DOES know about the Extended Key Usage extension, so the critical bit does not make any difference. Even though the text description could be read to support your interpretation, note the operant sentence: "Certificate using applications may nevertheless require that a particular purpose be indicated in order for the certificate to be acceptable to that application." This leaves the final decision up to the implementor, in this case OpenSSL.

The certificate in question is marked for the purpose of client-side authentication (I think this is right) which means it belongs to a person and can be used by that person to prove to a web server who he or she is, AFTER that server has used a Server Side certificate to prove who IT is.

Sorry, I don't know enough about MS CS W2K to advise you if it is difficult, easy, or impossible to add the additional purpose bits at the point the certificate is generated.

> According to RFC 2459:
>
>     If the Extended key usage field is flagged critical, the certificate MUST be used only for one of the purposes indicated.
>
>     If the extension is flagged non-critical, then it indicates the intended purpose or purposes of the key, and may be used in finding the correct key/certificate of an entity that has multiple keys/certificates. It is an advisory field and does not imply that usage of the key is restricted by the certification authority to the purpose indicated. Certificate using applications may nevertheless require that a particular purpose be indicated in order for the certificate to be acceptable to that application.
>
> I have a certificate (generated with MS Certificate Services W2K).
>
>     Certificate:
>         Data:
>             Version: 3 (0x2)
>             Serial Number:
>                 2c:fd:65:6e:00:00:00:00:01:79
>             Signature Algorithm: sha1WithRSAEncryption
>             ..bla-bla...
>             X509v3 extensions:
>                 X509v3 Key Usage: critical
>                     Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
>                 X509v3 Extended Key Usage:
>                     TLS Web Client Authentication
>
> Extended key usage is not flagged as critical. But I can't use them for smime encoding:
>
>     openssl verify -CAfile CA.cer -verbose -purpose smimesign text.cer
>     error 26 at 0 depth lookup:unsupported certificate purpose
>
> From man x509(1), CERTIFICATE EXTENSIONS:
>
>     The extended key usage extension places additional restrictions on the certificate uses. If this extension is present (whether critical or not) the key can only be used for the purposes specified.
>
> Why?

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
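The two readings of the Extended Key Usage extension that this thread turns on, side by side as a decision function. This is an added example, not code from the thread or from OpenSSL: the OID table is a small subset of the standard id-kp values, the purpose names mirror the ones `openssl verify -purpose` takes, and the real OpenSSL check additionally looks at the Key Usage bits, which are left out here. Under the "openssl" reading (the x509(1) text quoted above) any present EKU restricts; under the "advisory" reading of RFC 2459 a non-critical EKU is only a hint.

```python
# Extended Key Usage evaluation under two readings.  Added example, not from
# the thread or from OpenSSL; the OID table is a subset of RFC 2459/5280 id-kp.

EKU_OIDS = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}

# Which EKU name each verification purpose needs (openssl verify -purpose names).
PURPOSE_NEEDS = {
    "sslclient": "clientAuth",
    "sslserver": "serverAuth",
    "smimesign": "emailProtection",
    "smimeencrypt": "emailProtection",
}

def eku_allows(eku_oids, critical, purpose, reading="openssl"):
    """Return (accepted, reason).

    eku_oids: list of OIDs in the EKU extension, or None if the extension is absent.
    reading:  "openssl"  -> a present EKU always restricts (x509(1) man page text)
              "advisory" -> a non-critical EKU is a hint only (one reading of RFC 2459)
    """
    needed = PURPOSE_NEEDS[purpose]
    if eku_oids is None:
        return True, "no EKU extension: any purpose allowed"
    names = {EKU_OIDS.get(oid, oid) for oid in eku_oids}
    if needed in names or "anyExtendedKeyUsage" in names:
        return True, "EKU lists " + needed
    if critical:
        return False, "unsupported certificate purpose (EKU is critical)"
    if reading == "openssl":
        return False, "unsupported certificate purpose (EKU present, purpose not listed)"
    return True, "EKU non-critical; treated as advisory"

# The certificate from the thread: EKU = TLS Web Client Authentication, non-critical.
THREAD_CERT_EKU = ["1.3.6.1.5.5.7.3.2"]
```

For the thread's certificate, `eku_allows(THREAD_CERT_EKU, False, "smimesign")` rejects under the OpenSSL reading and accepts under the advisory one, which is exactly the disagreement between the RFC text and the man page.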
Re: Key generation question
Perhaps one way to think of the IV is that it is part of the key. That is, the IV and key are used to encrypt, and then the (same) IV and the (same) key can decrypt. It's just that if the IV is sent in clear text (included in the structure...) then it is not secret.

One popular algorithm is to use MD5 to make a 128 bit hash of a password string, then use 64 bits of it as an IV and the other 64 bits of it as a DES key. So the IV and the key are innately related. Of course you could use the first and second 64 bits of an SHA1 hash just as well. In these cases, the IV can be regenerated from the password string at decrypt time, as long as it is the same string :-)

IV is used in cipher block chaining, that is, the output from block N is used as part of the input for block N+1, and the IV is the initial shift in at the very beginning:

           clear        clear        clear
           block 1      block 2      block 3
             |            |            |
             v            v            v
          +--+--+      +--+--+      +--+--+
    IV -->| DES +--+-->| DES +--+-->| DES +--+-->
          +-----+  |   +-----+  |   +-----+  |
                   v            v            v
                 cipher       cipher       cipher
                 block 1      block 2      block 3

You can find a diagram like this in any good book on encryption. Look under Cipher Block Chaining. So, given that you are doing chaining, the IV supplies the startup value for the chain.

Steve Hay wrote:
> I then discovered that the encryption/decryption functions require an IV too, but still don't really know what an IV is...

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
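The chaining described above, run end to end. This is an added example, not code from the thread or from OpenSSL: `derive_key_iv` is the MD5-split scheme the reply describes (MD5 and DES are long obsolete; the point is the relationship between IV and key, not the primitives), and `toy_block_encrypt` is a constructed, invertible 8-byte function that stands in for DES so the chaining can be exercised without a cipher library. The CBC, padding and "wrong IV" logic is what the diagram shows: the IV enters only at block 1, so a wrong IV garbles the first block and nothing else.

```python
import hashlib

BLOCK = 8  # DES-sized blocks, as in the reply

def derive_key_iv(password: bytes):
    """The scheme described in the reply: MD5 of the password gives 128 bits;
    one 64-bit half is the key, the other half the IV."""
    digest = hashlib.md5(password).digest()
    return digest[:BLOCK], digest[BLOCK:]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for DES: an invertible 8-byte permutation.
    It is NOT a cipher; it only lets the chaining be exercised."""
    x = _xor(block, key)
    x = x[3:] + x[:3]                 # rotate bytes left by 3
    return _xor(x, key[::-1])

def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    x = _xor(block, key[::-1])
    x = x[-3:] + x[:-3]               # rotate bytes right by 3
    return _xor(x, key)

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK     # PKCS#5 style: always pad, 1..8 bytes
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    data = pad(plaintext)
    out, prev = [], iv                # the IV plays "previous ciphertext" for block 1
    for i in range(0, len(data), BLOCK):
        c = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(c)
        prev = c                      # chaining: output of block N feeds block N+1
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes, strip_padding=True) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    data = b"".join(out)
    return unpad(data) if strip_padding else data
```

With `key, iv = derive_key_iv(b"some passphrase")` a round trip through `cbc_encrypt` and `cbc_decrypt` returns the plaintext; three identical plaintext blocks come out as three different ciphertext blocks; and decrypting with a wrong IV (padding check off) corrupts only the first 8 bytes.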
Re: AW: How to create a certificate silently
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] on behalf of Charles B Cranston
Sent: Friday, 3 September 2004 21:00
To: [EMAIL PROTECTED]
Subject: Re: How to create a certificate silently

> If you're using Unix or another system that supports Environment variables, you can write a fixed openssl conf file that references appropriate variables in appropriate places. If you don't have Environment you can still write a custom openssl conf file for each instance of signing.
>
> Lule Chen wrote:
>> Hi, I use the openssl to create a self signed certificate, but it needs interactively input country name, province name, ... Common name. I am wondering if there is a way to do it silently, i.e. let it read those response from a configure file? Because I want to run the openssl command in a script and don't want user to input any thing. I badly need your help! Thanks, Louis
>
> -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: How to create a certificate silently
If you're using Unix or another system that supports Environment variables, you can write a fixed openssl conf file that references appropriate variables in appropriate places. If you don't have Environment you can still write a custom openssl conf file for each instance of signing.

Lule Chen wrote:
> Hi, I use the openssl to create a self signed certificate, but it needs interactively input country name, province name, ... Common name. I am wondering if there is a way to do it silently, i.e. let it read those response from a configure file? Because I want to run the openssl command in a script and don't want user to input any thing. I badly need your help! Thanks, Louis

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
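The environment-variable approach from the reply, as an added example (not from the thread): an openssl.cnf fragment. `$ENV::NAME` is OpenSSL's configuration syntax for reading an environment variable, and `prompt = no` makes the entries in `[req_distinguished_name]` literal values instead of prompt strings. The variable names CERT_C, CERT_O and CERT_CN and the section names are assumptions of this example.

```ini
# silent.cnf -- added example; CERT_C, CERT_O and CERT_CN are assumed variable names.
[ req ]
prompt             = no
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = v3_self_signed

[ req_distinguished_name ]
# With prompt = no these are the values themselves, not prompt text.
C  = $ENV::CERT_C
O  = $ENV::CERT_O
CN = $ENV::CERT_CN

[ v3_self_signed ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
```

Invoked from a script as `CERT_C=US CERT_O="Example Org" CERT_CN=www.example.test openssl req -new -x509 -days 365 -nodes -config silent.cnf -keyout key.pem -out cert.pem`, nothing is asked interactively. If one of the variables is unset, openssl stops with a configuration error rather than silently issuing a certificate with an empty field, which is the behaviour you want in an unattended job.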
Re: How to include multiple common names in a single SSL certificate?
Ralph wrote:
> Hello list members,
> I'm trying to set up an Apache 2 based web server for multiple name based virtual hosts. As it is not possible with mod_ssl to have a separate SSL certificate file for each virtual host...

Actually, you can, but they have to have separate IP addresses. (Requiring the server host to be multi-homed...)

This is because the software tries to put the link into secure mode BEFORE the client can tell the server WHICH virtual host it is looking for. Since the server doesn't know which virtual host is being requested, it cannot select the correct certificate to present. However, if each virtual host has a separate IP address, the server knows which one, so it can select the specific certificate for that particular virtual host.

So, our motto is, if you want a secure virtual host, you have to have your own IP address.

---

Even if you could make a certificate with multiple names in it, how do you convince Apache that it belongs to all those virtual hosts? Can you just put it into every configuration section and have it fall out? How does Apache even decide which configuration section to look in?

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: Scanning for Certificate Expiration
The code to understand the notAfter output is fairly simple. You can use either Date::Parse or a kluge using Date::Calc like this:

    use Date::Calc qw( Decode_Month Add_Delta_YMDHMS Date_to_Time Date_to_Text Timezone );

    # This is the output from -enddate, e.g. "notAfter=Sep 24 09:35:00 2004 GMT".
    chomp( $ed = <STDIN> );
    print "$ed\n";

    # openssl pads a one-digit day with a space ("Sep  4"), hence \s+ and \d{1,2}.
    if ( ($m,$d,$h,$n,$s,$y) =
         ($ed =~ /^notAfter=([A-Za-z]{3})\s+(\d{1,2})\s(\d\d):(\d\d):(\d\d)\s(\d{4})\sGMT$/) ) {
        $m = Decode_Month($m);
        printf "%s %02d:%02d:%02d GMT\n", Date_to_Text($y,$m,$d), $h, $n, $s;
        # Timezone() returns the local offset (Dy,Dm,Dd,Dh,Dm,Ds,dst) for that
        # instant; add the first six to convert GMT to local time.
        ($y,$m,$d,$h,$n,$s) = Add_Delta_YMDHMS( $y,$m,$d,$h,$n,$s,
                                  (Timezone(Date_to_Time($y,$m,$d,$h,$n,$s)))[0..5] );
        printf "%s %02d:%02d:%02d Local\n", Date_to_Text($y,$m,$d), $h, $n, $s;
    } else {
        print "nomatch\n";
    }

Olaf Gellert wrote:
> Patrick Heim wrote:
>> Does anyone know of a tool or a way to script OpenSSL to:
>> 1. Connect to an SSL enabled server
>> 2. Retrieve the server certificate
>> 3. Parse it for the certificate expiration date
>
> Well, you can use openssl s_client to connect to the server:
>
>     openssl s_client -connect www.servername.de:port -showcerts
>
> From the output you can extract the server certificate (choosing the certificate which has the according common name ( s:/C=[whatever]/CN=www.servername.de ). This certificate you can put into a file and run openssl x509 on it:
>
>     openssl x509 -noout -in .pem -enddate
>
> The output is like this:
>
>     notAfter=Sep 24 09:35:00 2004 GMT
>
> That's what you want, I guess... So a little bit of perl calling openssl twice (once with s_client, once with x509) and parsing the output should be sufficient.
>
> Cheers, Olaf

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
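The two checks from this thread and from the CRL thread above ("how do i use a CRL file to verify a certificate against?"), combined into one status function. This is an added example, not code from either thread: it parses the `-enddate` line exactly as openssl prints it (including the space-padded one-digit day), computes days remaining, and then consults a CRL. The CRL here is a constructed dictionary standing in for a parsed CRL (revoked serials plus its nextUpdate), not a real CRL parser; the serial numbers in the usage are constructed. The one point the thread does not spell out is handled explicitly: a CRL past its nextUpdate is stale, and the function reports "unknown" rather than trusting it.

```python
from datetime import datetime, timezone

def parse_enddate(line: str) -> datetime:
    """Parse one 'openssl x509 -enddate' line into an aware UTC datetime.
    openssl pads a one-digit day with a space ("Sep  4"); strptime treats a
    space in the format as any run of whitespace, so that case parses too."""
    prefix = "notAfter="
    if not line.startswith(prefix):
        raise ValueError("not a -enddate line: %r" % line)
    stamp = line[len(prefix):].strip()
    naive = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    return naive.replace(tzinfo=timezone.utc)

def days_remaining(not_after: datetime, now: datetime) -> int:
    """Whole days until expiry (negative once expired)."""
    return (not_after - now).days

def certificate_status(serial: str, not_after: datetime, crl, now: datetime) -> str:
    """Expiry first, then revocation.

    crl is a constructed stand-in for a parsed CRL:
        {"next_update": datetime, "revoked": {serial, ...}}
    or None when no CRL could be fetched.  A missing or stale CRL does not
    mean "not revoked"; it means the status is unknown."""
    if now >= not_after:
        return "expired"
    if crl is None or now > crl["next_update"]:
        return "revocation status unknown (no current CRL)"
    if serial.lower() in {s.lower() for s in crl["revoked"]}:
        return "revoked"
    return "ok"
```

Feeding the thread's own line, `parse_enddate("notAfter=Sep 24 09:35:00 2004 GMT")` gives 2004-09-24 09:35 UTC, and `days_remaining` against a clock of 1 September 2004 gives 23. In a monitoring script the three non-"ok" outcomes should all page somebody; only "ok" should be quiet.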
Re: RE : RSA encryption - to encrypt a c structure ??
One danger with casting a structure as a string is that zero bytes (which can happen due to slack bits in the structure) might be interpreted as an end-of-string that would prematurely terminate the data. If you're going to process binary data, look for an API where you specify both a pointer and a length. Or else encode the binary data in printable format (such as base 64 or hexadecimal) and then pass THAT string to an API that takes a C string.

And, technically, you CANNOT cast a structure as a string. What is being talked about is casting a (pointer to a structure) as a (pointer to a string). Casting does not actually change the data, only the way in which it is treated by the program.

Jayashree Kanchana wrote:
> Hi Marc,
> I am sorry, I am not sure how I can type cast the structure to string, should I do (char *) ? Once I encrypt I am not sure if the encrypted string has the same structure as the original structure. Can you please show me the syntax to type cast a structure to string.
> Thanks, Jayashree
>
> On Tue, 3 Aug 2004, Marc Gaudichet wrote:
>> Maybe you could cast the contents of your structure to a string, encrypt this string and then cast the string back to your structure type.
>> Marc.
>>
>> -----Original Message-----
>> From: Jayashree Kanchana [mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, 3 August 2004 16:00
>> To: [EMAIL PROTECTED]
>> Subject: RSA encryption - to encrypt a c structure ??
>>
>>> Hi, I am hoping that someone might have come across this problem and will be able to help me. I am trying to use openssl to encrypt a c structure instead of just a string, is there any function in openssl that I could use? I have a RSA key structure that is already created and I am able to encrypt and decrypt just a string using RSA_public_encrypt command and this RSA key pair.
>>> Thanks in advance, Jayashree

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
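The failure the reply warns about, made concrete. This is an added example, not code from the thread: a constructed record is serialised to bytes with an explicit, padding-free layout (so its length is known), then viewed the way a C-string API would view it (everything up to the first zero byte), and then carried through a text-only API safely via base64. The record layout, field names and values are constructed for the example.

```python
import base64
import struct

# Constructed record: user_id (4 bytes), flags (2 bytes), name (8 bytes).
# "<" fixes a little-endian layout with no padding, so the length is known
# and identical on every platform; a native C struct may add padding bytes.
RECORD = struct.Struct("<IH8s")

def pack_record(user_id: int, flags: int, name: bytes) -> bytes:
    """Serialise the record to bytes.  Zero bytes appear as soon as a field
    holds a small value or a short name; that is normal binary data."""
    return RECORD.pack(user_id, flags, name)

def unpack_record(raw: bytes):
    user_id, flags, name = RECORD.unpack(raw)
    return user_id, flags, name.rstrip(b"\0")

def c_string_view(raw: bytes) -> bytes:
    """What a strlen-based (char *) API would see: data up to the first NUL.
    Casting the pointer changes nothing about the bytes; this truncation is
    the consequence the reply describes."""
    end = raw.find(b"\0")
    return raw if end < 0 else raw[:end]

def to_text_safe(raw: bytes) -> str:
    """Encode for an API that insists on a C string: base64 output never
    contains a zero byte, so no length is lost."""
    return base64.b64encode(raw).decode("ascii")

def from_text_safe(text: str) -> bytes:
    return base64.b64decode(text, validate=True)
```

For `pack_record(1, 0, b"alice")` the 14 serialised bytes collapse to a single byte through `c_string_view`, while the base64 round trip returns all 14 and `unpack_record` recovers the original fields. The same length discipline applies to the ciphertext: RSA output is binary too, so it needs a pointer-plus-length API or an encoding on the way out as well.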
Re: What binary data format is used by openssl enc?
Technically this is true, as DER requires the determinate length encoding options and disallows the indeterminate length ones...

Alicia da Conceicao wrote:
> Hi Steve:
>> Its not ASN1 because the OpenSSL ASN1 code isn't fully streaming and to do so would be a massive undertaking which has so far not attracted any interest. The data following the salt is the raw encrypted data using standard block padding. This isn't conformant with any public standard.
>
> Thank you for clearing things up for me regarding openssl enc encoding format. :-)
>
> But now that you mentioned it, I would have to say that it would be more than a massive undertaking to use DER encoding for openssl enc streaming, it would be impossible, since DER encoding always puts an object's length before an object's contents. You would first need to dump the entire stream contents into a temporary location before you can obtain and DER encode the stream length, and to do so would not qualify as streaming since nothing comes out until everything is put in.
>
> Alicia.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
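The length rules the reply refers to, in code. This is an added example, not OpenSSL code: a DER definite-length encoder for an OCTET STRING (the whole payload must be in hand before the first byte goes out), the BER indefinite-length constructed form that a streaming writer could emit instead (length octet 0x80, segments, end-of-contents 00 00), and a length parser that reports whether what it saw is acceptable under DER, which rejects both the indefinite form and any non-minimal long form. Tags and rules are those of X.690; the sample payloads are constructed.

```python
# DER length encoding and why it cannot be streamed.  Added example, not
# OpenSSL code.  DER (X.690) permits only definite, minimal-length encodings;
# the indefinite form (length octet 0x80, terminated by 00 00) is BER only.

def der_length(n: int) -> bytes:
    """Definite-length octets: short form below 128, else minimal long form."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_octet_string(data: bytes) -> bytes:
    """Tag 0x04 + length + contents: the length comes first, so the whole
    payload must be known before anything can be written."""
    return b"\x04" + der_length(len(data)) + data

def ber_indefinite_octet_string(chunks):
    """Streamable BER: constructed OCTET STRING (tag 0x24), indefinite length,
    one primitive segment per chunk, end-of-contents 00 00.  Not valid DER."""
    yield b"\x24\x80"
    for chunk in chunks:
        yield der_octet_string(chunk)
    yield b"\x00\x00"

def parse_length(buf: bytes, pos: int):
    """Return (length, next_pos, der_ok).  length is None for the indefinite
    form.  der_ok is False for the indefinite form and for long forms that
    are not minimal (leading zero octet, or long form used below 128)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1, True
    count = first & 0x7F
    if count == 0:
        return None, pos + 1, False            # indefinite: BER only
    body = buf[pos + 1:pos + 1 + count]
    if len(body) != count:
        raise ValueError("truncated length")
    n = int.from_bytes(body, "big")
    minimal = body[0] != 0 and n >= 0x80
    return n, pos + 1 + count, minimal
```

A 300-byte payload gets the header `04 82 01 2c`; the streamed form of the same data starts `24 80` and its length parses as `None` with `der_ok` false. The minimality check matters for anything that hashes or compares encodings: `81 05` and `05` decode to the same length, but only the second is DER.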
Re: unique code
Well, I was confused about how you were confused. I guess you're saying the HMAC makes 32 printable characters, and this would be because it is being translated from binary into hex.

What I was trying to say is that if the hash makes k binary output bits, it is easy to fold them together with something like XOR to get k/2, k/4, k/8 bits, etc. But what I did not fully appreciate is that this needs to be done BEFORE the translation from binary to printable happens. If you cannot get the HMAC function to return the binary, you could always convert BACK from hex to binary, do the XOR, then convert the resulting shorter string forward to hex again.

Hope this makes some sense.

BTW all David's suggestions are good ones. The time stamp occurred to me after I initially answered you. I didn't think about the IP address, and I guess I assumed you weren't up to putting up a central server. I didn't think of the software serial number, but it now occurs to me that you could use a CPU serial number if it is available, or the burned-in hardware Ethernet MAC address of an Ethernet interface (if you have one) since those are also supposed to be globally unique.

Sorry, I don't trust the 512 bit random number approach, not because I doubt David's statistical maturity, but because I think generating a REALLY random number is a LOT more difficult than it sounds. You might be surprised at the success penetration workers have had by PREDICTING the next random number that the machine is going to base its security on...

Michal Hlavac wrote:
> Charles B Cranston wrote:
>> You could split into two 16-character pieces and then XOR the two pieces against each other.
>
> hmmm... but result of substr(hmac, 0, 16) ^ substr(hmac, 16, 16) is not human readable code... Do you think, that xor is right way??? for example hmac: 750c783e6ab0b503eaa86e310a5db738
>
>     $result = 750c783e6ab0b503 ^ eaa86e310a5db738;
>
> $result contains chr(0) characters...
> thanx...

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
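Both foldings side by side: the one the reply recommends (hex back to bytes, XOR, bytes forward to hex) and the one Michal tried (XOR on the hex characters). This is an added example, not code from the thread; the 32-character value is the one Michal posted, while the key and message used for the live HMAC are constructed.

```python
import hashlib
import hmac

def fold(raw: bytes, times: int = 1) -> bytes:
    """XOR the two halves together, `times` times: k bits -> k/2 -> k/4 ..."""
    for _ in range(times):
        half = len(raw) // 2
        raw = bytes(a ^ b for a, b in zip(raw[:half], raw[half:]))
    return raw

def fold_hex(hex_digest: str, times: int = 1) -> str:
    """Right way: hex -> bytes, fold, -> hex.  The result is always printable."""
    return fold(bytes.fromhex(hex_digest), times).hex()

def fold_hex_as_text(hex_digest: str) -> str:
    """Wrong way: XOR the hex *characters*.  Equal characters give chr(0) and
    the rest are arbitrary bytes, the unreadable result Michal saw."""
    half = len(hex_digest) // 2
    return "".join(chr(ord(a) ^ ord(b))
                   for a, b in zip(hex_digest[:half], hex_digest[half:]))

def short_code(key: bytes, message: bytes, out_bytes: int = 8) -> str:
    """HMAC-MD5 (16 bytes) folded down to out_bytes, returned as hex.
    Folding happens on the raw digest, before any hex conversion."""
    mac = hmac.new(key, message, hashlib.md5).digest()
    while len(mac) > out_bytes:
        mac = fold(mac)
    return mac.hex()
```

On Michal's value, `fold_hex("750c783e6ab0b503eaa86e310a5db738")` gives `9fa4160f60ed023b`, sixteen printable hex characters, whereas `fold_hex_as_text` on the same input contains a chr(0) at the position where both halves have the character "3". Folding is not the only way to shorten a MAC: RFC 2104 also allows simply truncating HMAC output to its leftmost bits, which is what most protocols do.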
Re: Self-Signed server cert failing verification in Postfix
I think I understand how I was wrong, most of the stuff I work with negotiates the secure connection immediately, such as web on 443 (https) and ldaps (667?). I see that if there was a required interaction before switching over into secure mode (which is TLS rather than SSL?) that it might not be so easy. Sorry for the incomplete info.

Lutz Jaenicke wrote:
> On Wed, Jun 23, 2004 at 07:47:35AM -0400, Charles Cranston wrote:
>> It's not hard at all to use openssl s_client to try to make a connection and to see the certificate that is being presented by the server. If you use the -showcerts option it will even show the entire certificate chain being presented by the server, instead of just the end-user cert. I have good luck copying the PEM cert text right off the terminal screen, then pasting into an openssl x509 -noout -text in another terminal window (thus pasting into its standard input). Then again, this is a Macintosh, and I think we had less luck doing the copy/paste thing on a Windows machine. Not sure if the problem is in the copy or the paste. Maybe pasting to a text editor in input mode?
>
> While your concept is correct, it did fail in this case. The mail server requires the STARTTLS protocol to be spoken after an enforced EHLO, but the s_client application does not implement enough of the ESMTP protocol.
>
> Best regards, Lutz

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: Please Don't Shoot....
You can generate your own certificates with OpenSSL, but you need to either get your root certificate into every piece of verifying software (browser), or else get all your users to manually accept each certificate, which greatly reduces security (because, with no way to know any better, they will just accept any counterfeit certificate without question, so your ADVERSARY can use OpenSSL to generate the counterfeits to attack you with).

The justification for the cost of commercial certificates is that the commercial CA has paid a significant fraction of a million US dollars to both Microsoft and Netscape in order to put their commercial root into the generally distributed binaries of IE and Navigator.

We buy our commercial certificates from Thawte. We have a web-based mechanism for downloading our local root into the various web browsers; after doing so, our locally generated certificates (generated by a web app that is a few thousand lines of Perl wrapped around OpenSSL) are just as good as the commercial ones.

Hope this helps!

Ryan Schefke wrote:
> Me for asking this question, I'm just not sure where to start but with the experts here.
> I'm moving my PHP and MySQL application to a hosting server. Currently, I'm looking at 1and1.com's dedicated servers on a Linux machine for $49/month (let me know if there are better choices). One problem though, the dedicated server, unlike a shared server, does not have a SSL certificate. So, I need one. Can anyone recommend a low cost (preferably free), and easy to install (since I have to do it myself) SSL Cert?
> Thanks, Ryan

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: How to log out from an SSL V3 session?
The web does not use continuous connections. Typically for a web app you do a POST request, passing in data items and getting back the next form in the process, but the SSL connection is closed at that point, and another, different, connection is opened the next time you push a button or otherwise interact with the web app.

[EMAIL PROTECTED] wrote:
> I have an application protected by client certificate authentication. I would like to let the user have a user-friendly way to change his authentication certificate, let's say he chooses to authenticate with certificate A, then a ssl handshake occurs and an ssl V3 session is set up.

This is where you lose me. I don't think a session is set up here; instead, the window stores whatever parameters are needed to reopen a new connection the next time the user interacts with the web app. Are you talking about a Java app that *could* keep a TCP/IP connection open between interactions? Are you talking about something OTHER than the customary and usual HTTP-mediated web app?

> What if the user changes his mind and wants to authenticate with certificate B? The working solution is to make him close all his open browser windows, restart his browser and reconnect to the page, then he will be asked again to present a certificate and will be able to present certificate B.

Well, this really has nothing to do with SSL, it's the behavior of the particular web browser you are talking about, that the act of quitting and restarting the browser loses that state information.

> Is there a simpler way for the user to ask him again to authenticate and to let him choose a different certificate? For a login/password type of authentication, you always have the choice to click on a Log out link that kills your session, and gives you a chance to authenticate again with a different login/pwd. Can we imagine with client certificate authentication a same kind of way to log out and to authenticate with a different user.

The idea of one-user one-PC was the standard in the early days of programming for microcomputers, so the idea of user is either not there at all or kluged in after the fact. The only systems I know that really have a hard idea of user are Linux and MacOSX. So it's not surprising that the idea of changing users was never implemented.

BTW, the implementation on MacOSX 10.3 (Panther) is really neat. I can have multiple persons logged onto my laptop at one time, then switch between them by giving the password each time one wants to switch, so it's like switching the same keyboard and display among multiple running shell processes. Anyway, it's really neat when you want to serially share the laptop between a set of users without having to log off and on again.

> On IE, there is a button in Tools / Internet Options / Content, called Clear SSL Cache, that does a similar action to a log out button. I haven't been able to find a similar button on Mozilla-like browsers... Do you know of any button of this kind on Mozilla? This would enable logging out from a client initiative.

Again, this reinforces the idea that it is the idiosyncratic behaviour of the browser that you are asking about, not anything in either mod_ssl nor the ssl protocol proper.

> From a server perspective: is it possible to send a signal to apache mod_ssl to tell it to close the SSL session, so that the client goes back to an unauthenticated session. If he wants to access a protected page again, he would have a choice of choosing a different certificate.

Again, the standard model does NOT use a continuously-open TCP/IP connection. You come in, exchange data for a new form, and then the connection is closed. So there's no question of any kind of closing the session. The session is already closed.

What you'd be looking for is some means of poisoning the saved data in the browser, so it would be rejected the next time it is used to try to open the connection (and hope that the browser does the sane thing, forgetting its saved information and going back to square one and trying from first principles).

Also, it's probably worth saying that the whole idea of Open Source is that you can not only read the source code for Mozilla but even write your own modifications, so you could MAKE a version of Mozilla that does what you believe the right thing to be. Although it's also probably worth saying that you need to learn a bit more about how the web stuff really works under the hood before taking on such a project.

I hope this gets the idea across that the reason you're running into such unfriendliness on the web is that you seem to be laboring under such a large set of misconceptions that nobody seems to know quite where to start in trying to straighten you out?

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: Securing a CA
Mark H. Wood wrote:

> Um, feel free to point me elsewhere, but I'm having trouble visualizing what's being discussed. I keep reading "branched certificate chain", but what I understood from the description is like this:
>
>     Before:                OurRoot --- Level1 --- EndUsers
>     After:    IdenTrust --- OurRoot --- Level1 --- EndUsers

What is the contents of the issuer field of the cert marked OurRoot?

    Before: our name
    After:  IdenTrust's name

So consider a browser that still has the OLD OurRoot sitting in its disk file, and then it gets ANOTHER DIFFERENT OurRoot in the chain shipped down from the server. Now, it starts building the chain with EndUsers, gets to Level1 OK, but when it wants to extend the next time, it has two choices, the OLD OurRoot still in its disk file, and the NEW OurRoot (which is not actually a root anymore) that came from the server.

I could draw you more complicated diagrams in the context of the problem I was trying to solve last year: transparent upgrade from an old local root to a new local root. The approach I was trying was various forms of "old root signed by new root" and "new root signed by old root" but as I said I cannot show you something that actually works because I didn't find one... :-)

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Securing a CA
Rich Salz wrote:

> At the risk of being immodest, you might find this column useful:
> http://webservices.xml.com/pub/a/ws/2003/12/09/salz.html

This is a verbatim quote from the text at that URL:

> The root will sign the Level 1 CA and then be taken offline. Anyone who wants to validate any identity within our organization only needs to have our root certificate. If the enterprise merges ... or joins a commercial PKI (such as Identrus), then we only need to get the root certificate signed by our new super root.

Now, I've seen this (kind of) quote over and over again from the theoreticians of PKI, but as a practical implementor I've never really understood how things could be quite this simple. Perhaps it would be edifying if somebody who's been in this stuff more than just a few years could straighten me out.

The example PKI from that article has only one intermediate certificate (called the Level 1 CA) so there would seem to be only two possible configurations for an SSL server operating under this example: either the server has a two-certificate chain (the L1 certificate and the end-user certificate for the server itself) or a three-certificate chain (above plus ROOT CA).

Now, what has to happen at EACH server in the enterprise when doing a transition from this local CA to a commercial PKI (such as Identrus)?

If (without loss of generality) Identrus signs the pre-existing root certificate, that produces a new root certificate, although it contains the same public key as the pre-existing root. In the two-certificate case above, nothing needs to be done to the server, since it never had the root in the first place. In the three-certificate case, the new root certificate (signed by Identrus instead of signed by itself (self-signed)) must be installed on every server. I understand this.

HOWEVER, what now happens at the client?

In the two-certificate case, the client lacks the critical link from L1 to the Identrus root it already has (came installed in the browser) so in this case we need to visit every server and convert it from the two-certificate to the three-certificate configuration to get the missing link available to the client?

In the three-certificate case do we need to replace the self-signed root in every server with the "missing link" certificate?

In any case, it seems like we must do something explicit at every server in the enterprise. Am I missing something here?

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Securing a CA
Follow up to previous posting:

I did try to do some experimentation in the context of trying to design a clean transition from the root we made in 1998 to the root I made in 2003. I did not have a great deal of success because the browsers I was working with at the time (Netscape 4.7x and IE 4 or 5) could not properly deal with what the PKI theoreticians call a "branched certificate chain", which was what was really needed to address that problem.

Could the PKI theoreticians acknowledge the fact that the real world certificate verifiers out there in fact cannot properly deal with a branched certificate chain, and that this deficiency severely limits the utility (e.g., truth :-) of statements such as

> If the enterprise merges or joins a commercial PKI (such as Identrus), then we only need to get the root certificate signed by our new super root?

Needed added text:

    AND arrange for the NEW CERTIFICATE formed by getting our root certificate signed by our new super root to be available to the certificate chain validation software out there in the clients, AND make sure that in none of the four transition cases* is there any ambiguity in forming the certificate chain to be verified (this is the "branch" question) since the browsers don't deal well with trying to deal with branched certificate chains?

Or am I living in the past, and up-to-date browsers have been fixed so this is no longer a problem???

N.B., the branched-certificate-chain case also occurs when you talk about so-called "bridged" PKIs. You have been warned.

*Four transition cases I was considering:

1. unmodified client and unmodified server
2. unmodified client and updated server
3. updated client and as-yet unmodified server
4. updated client and server

In all fairness my case was a bit harder since it was from one local root to another local root so it could not be assumed that the new local root was already in the client, while the present situation is that we can assume that the Identrus root is already present in the client, so the case of an unmodified client does not happen...

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Securing a CA
Actually, it might be as easy as changing the name of the root and issuing a new L1 certificate.

The branch happens when an unmodified client (which still has the local root installed) needs to decide who has signed the L1 certificate. Its two choices are

1. the local root
2. the "missing link" that the server gave it, which has the same name (e.g., Subject Key Identifier, which is a hash of the Subject DN information)

If you subtly change the Subject DN of the root (which in the new scheme of things becomes a first level down from the Identrus root), and then reinstall a L1 certificate in the server that has the new Issuer ID but the old Subject ID, then the end user certificate does not need to be redone (since its hash is based on the L1 name which was not modified), and when the verifying software is looking for the issuer of the L1 certificate, this hash HAS been modified, so the old root is no longer in contention...

I'll do some gedanken-thinking about this...

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Securing a CA
Rich Salz wrote:

> I was envisioning something much simpler. Existing applications that know about the root CA work without configuration changes. New applications that need to know about the new larger PKI just add the new root to their list of trust anchors. I suppose that's really a bridge-CA.

This is under some kind of assumption that the branched certificate chain does not totally confuse the verifier and cause it to crash or return "I dunno so fail!". It seems, with some further thought, that one might assume that if the chain will verify either way, it doesn't matter WHICH way the client chooses to go. However, this IS making an assumption about client software behaviour.

However, I must ask the question: Have you actually DONE this before? If anybody on the list actually has experience with moving from a locally created root to being under one of the well-known PKI vendors a short note on successes, failures, and/or pitfalls would I think be greatly appreciated by the readership.

Also, I guess I need to point out the vagueness of your reference above: "New applications that need to know .. just add the new root to their list of trust anchors." This is not talking about servers or clients and could imply that explicit action is required AT THE CLIENT which I think we have determined is actually not necessary, at least as long as the old root doesn't interfere with the new chain validation.

> I don't think branched cert chains need to get involved, so I don't think I need to qualify or disclaim what I wrote. Yes, I ignored the details of distributing the new root certificate; there's a limit on the column length, ya know. In retrospect, adding "(and get the new root distributed and used)" would probably have been worth adding.

Yes, I understand there is a limit on column length, and that your real purpose was to publicise XKMS :-) So the comment I seized on was just a throw-away platitude, and maybe it was not appropriate for me to have made such a mountain out of that particular molehill.

> At any rate, the key point is that if you anchor everything you do under a single root, then moving your tree underneath something else is a lot easier if only one root has to move, rather than everything.

This is quite true. One of the things we DID have to deal with during our old local root to new local root transition was people who decided to mark the end-user certificate as trusted in their browsers rather than take the risk of trusting our root. Of course that doesn't survive a transition at all... :-)

Best regards
-zben

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
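Added example, not from any message in this thread: a small Python model of the path-building step described in the posts above (at each step the Issuer DN must match a candidate's Subject DN and the signature must check under that candidate's key), run over the three situations the thread discusses. Certificate labels, DNs and key identifiers are constructed stand-ins; no real X.509 data is parsed and signatures are represented by comparing key identifiers. It shows that an unmodified client holding both the old self-signed OurRoot and the IdenTrust root finds two complete paths once the server also ships the cross-signed "missing link" (the branch), and that the rename trick (new Subject DN on the cross-signed cert, Level1 reissued to name it, same keys throughout) leaves exactly one.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cert:
    """Only the fields a path builder looks at. Signatures are modelled by
    comparing key identifiers instead of verifying real signatures."""
    label: str        # name used in the diagrams of this thread (constructed)
    subject: str      # Subject DN
    issuer: str       # Issuer DN
    key: str          # identifier of the public key carried in the cert
    signer_key: str   # identifier of the key that made the signature


def issued_by(child: Cert, parent: Cert) -> bool:
    """One chain-extension step: Issuer DN matches the candidate's Subject DN
    and the signature checks under the candidate's key."""
    return child.issuer == parent.subject and child.signer_key == parent.key


def build_paths(leaf: Cert, supplied: List[Cert], anchors: List[Cert]) -> List[List[str]]:
    """All complete paths from leaf to a trust anchor, as lists of labels.

    Candidates come from the client's own store (anchors) and from what the
    server sent (supplied). A verifier that takes the first matching issuer
    and never backtracks is at the mercy of candidate order whenever this
    returns more than one path: that is the "branched chain" of the thread.
    """
    anchor_labels = {a.label for a in anchors}
    pool = list(anchors) + list(supplied)
    paths: List[List[str]] = []

    def walk(cur: Cert, path: List[str]) -> None:
        if cur.label in anchor_labels:
            paths.append(path)
            return
        for cand in pool:
            if cand.label not in path and issued_by(cur, cand):
                walk(cand, path + [cand.label])

    walk(leaf, [leaf.label])
    return paths


def is_branched(paths: List[List[str]]) -> bool:
    return len(paths) > 1


# Constructed key identifiers and certificates (not real certificates).
K_ROOT, K_L1, K_EE, K_IDT = "key:ourroot", "key:level1", "key:enduser", "key:identrust"
OLD_ROOT = Cert("OurRoot(old)", "OurRoot", "OurRoot", K_ROOT, K_ROOT)       # self-signed
LEVEL1 = Cert("Level1", "Level1", "OurRoot", K_L1, K_ROOT)
END_USER = Cert("EndUser", "www.example.test", "Level1", K_EE, K_L1)
IDENTRUST = Cert("IdenTrust", "IdenTrust", "IdenTrust", K_IDT, K_IDT)      # shipped with the browser
# The "missing link": our root's key re-certified by IdenTrust. Same Subject, same key.
CROSS = Cert("OurRoot(cross)", "OurRoot", "IdenTrust", K_ROOT, K_IDT)


def before_transition() -> List[List[str]]:
    """Client trusts only our old root; server sends the two-cert chain."""
    return build_paths(END_USER, [LEVEL1], [OLD_ROOT])


def naive_transition() -> List[List[str]]:
    """Unmodified client (old root still installed, IdenTrust root present)
    meets a server that now also sends the missing link."""
    return build_paths(END_USER, [LEVEL1, CROSS], [OLD_ROOT, IDENTRUST])


def renamed_transition() -> List[List[str]]:
    """The rename trick: the cross-signed cert gets a new Subject DN and Level1
    is reissued naming that Issuer (same key, same Subject, so EndUser certs
    stay valid). The old root in the store no longer matches anything."""
    cross_v2 = Cert("OurRoot-v2(cross)", "OurRoot v2", "IdenTrust", K_ROOT, K_IDT)
    level1_v2 = Cert("Level1(reissued)", "Level1", "OurRoot v2", K_L1, K_ROOT)
    return build_paths(END_USER, [level1_v2, cross_v2], [OLD_ROOT, IDENTRUST])


if __name__ == "__main__":
    for name, fn in [("before", before_transition), ("naive", naive_transition),
                     ("renamed", renamed_transition)]:
        paths = fn()
        print(name, "branched" if is_branched(paths) else "single", paths)
```

The `cand.label not in path` guard is what keeps "old root signed by new root and new root signed by old root" experiments from looping forever; real verifiers impose a depth limit for the same reason.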
Re: Changing the pass phrase on a CA root key
Doing it via:

    openssl rsa -in inca.key.pem -des3 -out outca.key.pem

would be preferable since the -des3 would trigger output encryption, and you would be ASKED for the new pass phrase, while using stdin it just gapes at you with no prompt. I was (unsuccessfully) trying to remember the trigger for output encryption and I thought -passout rather than -des3.

David Gianndrea wrote:

> Ok so to recap I would do the following.
>
>     openssl rsa -in origca.key.pem -passout stdin -out newca.key.pem
>     openssl rsa -in newca.key.pem -des3 -out ca.key.pem

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Interoperability with Microsoft CA
Ron Croonenberg wrote:

> I tried to get a certificate to work on Windows 2000 with IIS too. I don't know if this is off topic, but how can I sign a certificate request, created on a windows2000 server. I want to sign the request and create a certificate on a linux machine running openssl then take the certificate and make it work on the windows machine again.

AFAIK when you create the certificate request on the Windows 2000 server it is already signed, with the private key that is left lurking on the server when the CSR is generated. This is how the CSR submitter proves to the issuing CA that it really does have possession of the private key, that the request itself can be verified with the public key THAT IS PART OF THE REQUEST ITSELF.

So what you are asking is the general case and is being done by many people at many places. I don't know of a specific document on this topic, but we certainly were able after reading the OpenSSL documentation and other stuff from the web to figure out how to do this.

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: compile problem in latest snap shot
We cannot find "explicit" as a reserved word in a (fairly old) ANSI C book. Is this the GNU compiler or a vendor compiler? Could this be a vendor-specific extension? Is there a compiler command line switch to remove vendor-specific extensions? Would the GNU compiler work better anyway?

> Just grabbed the latest snap shot of openssl
>
> Got a compile problem that probably needs to be addressed.
>
> In file x509_vfy.h the prototype for X509_policy_check() uses a reserved word "explicit"
>
>     int X509_policy_check(X509_POLICY_TREE **ptree, int *explicit,

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: compile problem in latest snap shot
OOPS, sorry, it is a C++ reserved word even though it is not a C reserved word, and I guess it would be a Good Idea for OpenSSL to be callable from C++ as it used to be...

Charles B Cranston wrote:

> We cannot find "explicit" as a reserved word in a (fairly old) ANSI C book. Is this the GNU compiler or a vendor compiler? Could this be a vendor-specific extension? Is there a compiler command line switch to remove vendor-specific extensions?

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: default encryption exponent in RSA
> What is the default encryption exponent used in RSA encryption by OpenSSL? Is it e = 2^16 + 1 = 65537? Anybody knows where can I find this default value in the source files?

It's actually the "Public Exponent" field in the certificate, so you would find it in the code that makes new certificates.

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 0 (0x0)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, ST=Maryland, O=University of Maryland, OU=College Park Campus, CN=UMD College Park Root v0
            Validity
                Not Before: Jun  6 17:15:39 2003 GMT
                Not After : Aug 15 17:15:39 2007 GMT
            Subject: C=US, ST=Maryland, O=University of Maryland, OU=College Park Campus, CN=UMD College Park Root v0
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        00:af:69:68:23:bf:46:9f:0c:d1:a1:20:c9:a1:2b:
                        0f:87:5c:6a:49:26:36:0a:f6:07:c9:76:0c:d0:73:
                        61:02:52:dd:10:13:75:d5:66:6e:ef:4b:2f:89:a1:
                        e1:7c:aa:1f:1c:b5:54:9c:b8:20:f8:df:62:a8:28:
                        28:00:dc:88:b4:5e:ab:2d:d0:93:77:f0:1c:3d:39:
                        9d:eb:f3:6a:31:ec:f9:a2:bb:75:8b:34:03:f1:e8:
                        d0:11:95:21:74:44:69:df:0b:a5:3f:b5:81:e4:11:
                        5f:2c:e3:cc:d6:84:c9:b6:e0:c0:77:34:27:0c:5b:
                        af:14:06:59:eb:36:4a:62:55:17:06:6f:78:94:49:
                        2d:55:00:97:ce:85:3d:5e:d9:14:63:4c:8e:0f:f0:
                        78:4e:0b:bd:de:c8:8d:76:1b:94:ec:a3:21:bd:4e:
                        fe:3d:2e:7b:72:8d:32:b7:e6:56:c8:2e:07:d5:97:
                        f3:eb:d2:0f:e9:0f:6a:3e:2f:7d:19:61:d1:3d:97:
                        a4:f6:21:8b:05:3b:f0:ec:69:ac:8d:80:9b:81:fa:
                        3e:79:ef:ad:ef:55:53:3a:7e:96:fb:89:3a:c3:ad:
                        2a:cb:a7:d6:ad:55:7c:5e:2c:ec:da:40:e4:3c:c5:
                        49:d6:99:5c:de:99:27:8f:8b:7d:03:d5:3f:1d:37:
                        e6:3d
                    Exponent: 65537 (0x10001)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^ Here is the public exponent
            X509v3 extensions:
                X509v3 Subject Alternative Name:
                    ...

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Recommended x509v3 Extensions
> With reference to Charles' comments, I still have the luxury of time before having to issue certs in anger.

With us it was not time, per se, if you notice the postings for our CA we had our first signing party in February of the year that our 5-year 1998 previous root expired in August. So that's 6 months of lead time. Our problems were:

* Lack of a software inventory. In a corporate environment one might have a definitive list of the software in use, to be used as a checklist when planning the testing. In the case of (our?) University no such inventory exists. There is just no telling who might be using what where.

* Inability to mandate testing. There is just no way to persuade overworked and harried system maintenance personnel to test our proposed upcoming system before you actually go live and it's a matter of it breaking for the user or not. In a corporate environment one could (at least theoretically) get a mandate from management for mission critical systems to be formally tested. In our environment, with a weak king and strong barons, this is just not possible.

* Every application is a mission-critical application. If anybody (assistant professor or better? :-) screams it is a disaster, regardless of the true importance or unimportance of the application to the institution. You cannot count on IT management having any sense of proportion or reasonableness.

Whew...

References for my previous posting:

    http://www.ietf.org/rfc/rfc3280
    Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

    http://middleware.internet2.edu/hepki-tag/pki-lite/pkilite-profile-current.html
    http://middleware.internet2.edu/hepki-tag/pki-lite/pkilite-root-profile-current.html

The root profile might be useful to you.

> W/R/T the matrix

The vendor with the problem with DC/EMAIL (Novell) actually patched the problem before our August deadline, though I decided to redo the root before I was aware they were able to do this.

I suppose you could make some statement about Netscape 4.7 not knowing about Extended Key Usage extension (anti-anti-missile-missile-missile? :-) and with some semantic knowledge of what the critical bit means* one could make some sense of things. I wonder about keeping it up to date, though -- might be a full-time job.

* Critical Bit:

    if (verifier-knows-about-this-extension) {
        just do the right thing
    } else if (critical-bit-in-cert-is-set) {
        FAIL VERIFICATION
    } else {
        verifier is free to utterly ignore the extension
    }

So, in terms of extensions that will be newly created over the next ten years, they can just be ignored. What you are really worried about is:

A. Setting critical on an extension that some verifier is too old to know about (e.g., Netscape 4.7)

B. Bug that causes software to crash in some situation.

There is no way to predict B or take B into account. This is why we must test mission critical applications.

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Hashed Directory format
> I hadn't come across a hashed directory before and, having read the relevant sections in the OpenSSL documentation (openssl -verify and x509 -hash), I must admit it still doesn't make an awful lot of sense to me. I am working on Windows so perhaps that is the cause of the problem (amongst many others!) but can anyone enlighten me as to what is a hashed directory and how to provide a hashed directory on Windows.

On a Unix system the usual practice is to make a symbolic link whose name is the hash value of the certificate Subject and that points to the actual certificate. Like this:

    # ls -l
    lrwxrwxrwx  1 root httpd   14 Mar 24 09:51 a0199d1b.0 -> inter.cert.pem
    lrwxrwxrwx  1 root httpd   14 Mar 24 09:51 bc3a0aa7.0 -> ssign.cert.pem
    -r--r-----  1 root httpd 1732 Mar 24 09:45 inter.cert.pem
    -r--r-----  1 root httpd 1720 Mar 17 15:43 root.cert.pem
    -r--r-----  1 root httpd 1789 Mar 24 09:45 ssign.cert.pem

That way, when constructing a certificate chain, the software can compute the hash of the Issuer of the lower certificate and then find the upper certificate by searching for that hash, as a file name. If Windows doesn't have links, I don't see any reason why you could not either duplicate the file or just rename the file as the hash (though you would lose readability).

The hash value can be computed by

    % openssl x509 -noout -hash -in inter.cert.pem
    a0199d1b

See also:

    http://cert.umd.edu/spickdoc?apache
    http://www.ssl.com/support/installation.jsp - (note right column links)
    http://www.apache.org
    http://www.openssl.org

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
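Added example (not part of the posting): Python code that computes the `x509 -hash` file name from a Subject DN and lays out a hashed directory, including the `.0`, `.1`, ... suffix that separates certificates whose subjects hash to the same value, plus the lookup the verifier does with an Issuer DN. It assumes the hash of the OpenSSL 0.9.x era: MD5 over the DER-encoded Name, first four bytes read as a little-endian integer, printed as eight hex digits (OpenSSL 1.0.0 and later default `-hash` to a SHA-1 based value and expose this one as `-subject_hash_old`). The small DER encoder covers only the attribute types listed and PrintableString/UTF8String/IA5String values, which is enough for subjects like the ones in this thread; the subjects and PEM placeholders used are constructed.

```python
import hashlib
import struct
from typing import Dict, Iterable, List, Sequence, Tuple

RDN = Sequence[Tuple[str, str]]   # e.g. [("C", "US"), ("O", "..."), ("CN", "...")]

# DER-encoded attribute-type OIDs for the subject fields this example supports.
_OIDS = {
    "C": bytes.fromhex("550406"), "ST": bytes.fromhex("550408"),
    "L": bytes.fromhex("550407"), "O": bytes.fromhex("55040a"),
    "OU": bytes.fromhex("55040b"), "CN": bytes.fromhex("550403"),
    "emailAddress": bytes.fromhex("2a864886f70d010901"),
}
PRINTABLE_STRING, UTF8_STRING, IA5_STRING = 0x13, 0x0C, 0x16


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with definite-length encoding."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def der_name(rdns: RDN, string_tag: int = PRINTABLE_STRING) -> bytes:
    """Encode a Name: SEQUENCE OF (SET OF (SEQUENCE { OID, string })).
    Each (attr, value) pair becomes its own single-attribute RDN, the way
    'openssl req' lays out /C=US/O=.../CN=... subjects. The string type
    matters: the same text encoded as UTF8String hashes differently."""
    rdn_bytes = b""
    for attr, value in rdns:
        tag = IA5_STRING if attr == "emailAddress" else string_tag
        encoding = "utf-8" if tag == UTF8_STRING else "ascii"
        atv = _tlv(0x06, _OIDS[attr]) + _tlv(tag, value.encode(encoding))
        rdn_bytes += _tlv(0x31, _tlv(0x30, atv))
    return _tlv(0x30, rdn_bytes)


def subject_hash_old(rdns: RDN, string_tag: int = PRINTABLE_STRING) -> str:
    """The 0.9.x 'openssl x509 -hash' value: MD5 over the DER Name, first four
    digest bytes taken little-endian, as eight lowercase hex digits."""
    digest = hashlib.md5(der_name(rdns, string_tag)).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]


def hashed_filenames(certs: Iterable[Tuple[RDN, str]]) -> Dict[str, str]:
    """File name -> certificate contents for a hashed directory. On Windows
    you would write each value to its key instead of making a symlink.
    Subjects hashing to the same value get successive suffixes .0, .1, ..."""
    out: Dict[str, str] = {}
    seen: Dict[str, int] = {}
    for subject, pem in certs:
        h = subject_hash_old(subject)
        n = seen.get(h, 0)
        seen[h] = n + 1
        out["%s.%d" % (h, n)] = pem
    return out


def lookup_candidates(filenames: Iterable[str], issuer: RDN) -> List[str]:
    """What a verifier does with the Issuer DN of the lower certificate: hash
    it and try <hash>.0, <hash>.1, ... until a file is missing. Each hit must
    still have its Subject compared with the Issuer, since hashes collide."""
    present = set(filenames)
    h = subject_hash_old(issuer)
    found, n = [], 0
    while "%s.%d" % (h, n) in present:
        found.append("%s.%d" % (h, n))
        n += 1
    return found


if __name__ == "__main__":
    # Constructed subjects; "PEM-..." stands in for the certificate file text.
    inter = [("C", "US"), ("ST", "Maryland"), ("O", "University of Maryland"), ("CN", "inter")]
    root = [("C", "US"), ("ST", "Maryland"), ("O", "University of Maryland"), ("CN", "root")]
    files = hashed_filenames([(inter, "PEM-inter"), (root, "PEM-root")])
    for name in sorted(files):
        print(name, "->", files[name])
    print("issuer 'inter' resolves to", lookup_candidates(files, inter))
```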
Re: Montgomery constants
Dr. Stephen Henson wrote:

> The [sic] look like the standard CRT components. So:
>
>     a = iqmp
>     c = dmp1
>     f = dmq1

And, in fact, if you look at the PNG's in the posting,

    iqmp    Inverse of Q mod P    a = Q^-1 mod P
    dmp1    D mod prime 1         c = Ks mod (P-1)
    dmp2    D mod prime 2         f = Ks mod (Q-1)

so it all makes sense, given that P and Q (which are the secret factors of M) are prime1 and prime2.

I've got a staff meeting in 10 minutes, so I don't have time to really work this out, but given private key format

    http://ospkibook.sourceforge.net/docs/OSPKI-2.4.6/OSPKI/sample-key-components.htm

you might be able to find a correspondence between the above and

    exponent1
    exponent2
    coefficient

failing that, I guess you'd have to compute a, c, f...

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
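Added example, not from the posting: the CRT values named above computed from a toy key in Python, with one decryption done the plain way (c^Ks mod M) and once via the CRT values, to show that a, c, f (iqmp, dmp1, dmq1, i.e. coefficient, exponent1, exponent2) are all derived from P, Q and Ks and give the same answer. The primes are textbook-sized stand-ins, not a real key.

```python
def crt_components(p: int, q: int, e: int) -> dict:
    """Derive the private exponent and the CRT values from the secret primes
    P and Q and the public exponent e. Keys are OpenSSL's names; the comments
    give the letters used in the thread."""
    n = p * q                          # M in the thread
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                # Ks, the private exponent (Python 3.8+)
    return {
        "n": n,
        "d": d,
        "dmp1": d % (p - 1),           # exponent1:   c = Ks mod (P-1)
        "dmq1": d % (q - 1),           # exponent2:   f = Ks mod (Q-1)
        "iqmp": pow(q, -1, p),         # coefficient: a = Q^-1 mod P
    }


def rsa_private_plain(c: int, d: int, n: int) -> int:
    """Textbook private operation: c^Ks mod M."""
    return pow(c, d, n)


def rsa_private_crt(c: int, p: int, q: int, dmp1: int, dmq1: int, iqmp: int) -> int:
    """Same result from the CRT values: two half-size exponentiations plus
    Garner's recombination. These are exactly the inputs a CRT (and
    Montgomery-based) private-key path consumes."""
    m1 = pow(c, dmp1, p)               # c^Ks mod P, using the reduced exponent
    m2 = pow(c, dmq1, q)               # c^Ks mod Q
    h = (iqmp * (m1 - m2)) % p         # lift the two residues to one mod P*Q
    return m2 + h * q


# Constructed toy key (textbook primes, far too small for real use).
P, Q, E = 61, 53, 17

if __name__ == "__main__":
    k = crt_components(P, Q, E)
    m = 65
    c = pow(m, E, k["n"])
    print(k)
    print(rsa_private_plain(c, k["d"], k["n"]),
          rsa_private_crt(c, P, Q, k["dmp1"], k["dmq1"], k["iqmp"]))
```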
Re: variable command line options
prefab wrote:

> I had the same question for
>
>     subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:(copy emailAddress)
>
> In Windows the environment variable replacement only works if you set the variable before calling openssl for signing the request:
>
>     set [EMAIL PROTECTED]
>     openssl x509 -req ...
>
> Does anyone know if there is a way to copy emailAddress like in
>
>     subjectAltName = email:copy

    % man config

    config(5)                                               OpenSSL config(5)

    NAME
           config - OpenSSL CONF library configuration files

    DESCRIPTION
           The OpenSSL CONF library can be used to read configuration files.
           It is used for the OpenSSL master configuration file openssl.cnf
           and in a few other places like SPKAC files and certificate
           extension files for the x509 utility.

           ...

           Each section in a configuration file consists of a number of name
           and value pairs of the form name=value                          <==

           The name string can contain any alphanumeric characters as well
           as a few punctuation symbols such as . , ; and _.

           The value string consists of the string following the = character
           until end of line with any leading and trailing white space
           removed.

           The value string undergoes variable expansion. This can be     <==
           done by including the form $var or ${var}: this will substitute
           the value of the named variable in the current section. It is
           also possible to substitute a value from another section using
           the syntax $section::name or ${section::name}. By using the form
           $ENV::name environment variables can be substituted. It is also
           possible to assign values to environment variables by using the
           name ENV::name, this will work if the program looks up environ-
           ment variables using the CONF library instead of calling         <==
           getenv() directly.

           It is possible to escape certain characters by using any kind of
           quote or the \ character. By making the last character of a line
           a \ a value string can be spread across multiple lines. In
           addition the sequences \n, \r, \b and \t are recognized.

My guess is that what you want to substitute in is in the value part of a pair, and so the variable substitution should work, but the only real way to find out is to try it... I'm sorry, I don't know how to call man under Windows :-)

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
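Added example (not from the posting and not OpenSSL's own CONF code): a small Python parser for the configuration syntax quoted above, implementing the expansion rules as the manual states them: `$var` and `${var}` from the current section, `$section::name`, `$ENV::name` (an `ENV::name = value` assignment in the file wins over the process environment), quoting, `\` escapes and backslash line continuation. A line without `=` is rejected, as the CONF library rejects it. The sample configuration and the EMAIL value are constructed; `(copy emailAddress)` is not one of the substitution forms the manual lists, so it is passed through literally, while `$ENV::EMAIL` in the same value position is expanded, which is the behaviour the question is after.

```python
import os
import re
from typing import Dict, Mapping, Optional

_ESCAPES = {"n": "\n", "r": "\r", "b": "\b", "t": "\t"}
_VAR = re.compile(r"\$(?:\{([^}]*)\}|([A-Za-z0-9_.]+(?:::[A-Za-z0-9_.]+)?))")


class ConfError(ValueError):
    pass


def _expand(value: str, section: str, conf: Dict[str, Dict[str, str]],
            env: Mapping[str, str]) -> str:
    """Apply the manual's value rules: quoted runs are copied literally,
    backslash escapes are honoured, '#' starts a comment, $... expands."""
    out, i, n = [], 0, len(value)
    while i < n:
        ch = value[i]
        if ch in "\"'":                            # quoted run, no expansion inside
            j = i + 1
            while j < n and value[j] != ch:
                if value[j] == "\\" and j + 1 < n:
                    j += 1
                out.append(value[j])
                j += 1
            i = j + 1
        elif ch == "\\" and i + 1 < n:             # \n \r \b \t, or a literal next char
            out.append(_ESCAPES.get(value[i + 1], value[i + 1]))
            i += 2
        elif ch == "#":                            # unquoted comment ends the value
            break
        elif ch == "$":
            m = _VAR.match(value, i)
            if not m:
                raise ConfError("bad variable reference in %r" % value)
            ref = m.group(1) if m.group(1) is not None else m.group(2)
            sec, _, key = ref.rpartition("::")
            sec = sec or section
            if sec == "ENV":                       # file-level ENV:: assignment first
                val: Optional[str] = conf.get("ENV", {}).get(key, env.get(key))
            else:
                val = conf.get(sec, {}).get(key)
            if val is None:
                raise ConfError("no value for %s::%s" % (sec, key))
            out.append(val)
            i = m.end()
        else:
            out.append(ch)
            i += 1
    return "".join(out).rstrip()


def parse_conf(text: str, env: Optional[Mapping[str, str]] = None) -> Dict[str, Dict[str, str]]:
    """Parse CONF text into {section: {name: expanded value}}. Expansion
    happens as lines are read, so a variable must be defined before use."""
    env = os.environ if env is None else env
    conf: Dict[str, Dict[str, str]] = {"default": {}}
    section = "default"
    logical, buf = [], ""
    for raw in text.splitlines():                  # join "\"-continued lines
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        logical.append(buf + raw)
        buf = ""
    if buf:
        logical.append(buf)
    for lineno, line in enumerate(logical, 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("["):
            if not s.endswith("]"):
                raise ConfError("line %d: unterminated section header" % lineno)
            section = s[1:-1].strip()
            conf.setdefault(section, {})
            continue
        if "=" not in s:
            raise ConfError("line %d: missing equal sign" % lineno)
        name, _, value = s.partition("=")
        name, value = name.strip(), value.strip()
        target, key = section, name
        if "::" in name:                           # e.g. ENV::FOO = bar
            target, _, key = name.partition("::")
            conf.setdefault(target, {})
        conf[target][key] = _expand(value, section, conf, env)
    return conf


# Constructed sample; EMAIL is supplied through the environment at parse time.
SAMPLE_CONF = r"""
EMAIL_DEFAULT = nobody@example.test

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Example CA

[ v3_req ]
# $ENV::EMAIL is taken from the process environment (set it before running openssl)
subjectAltName = email:$ENV::EMAIL, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$ENV::EMAIL
copy_form = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:(copy emailAddress)
label = "$ENV::EMAIL" stays literal inside quotes
fallback = ${default::EMAIL_DEFAULT}
multi = first \
second
ENV::FOO = bar
foo_ref = $ENV::FOO
"""

if __name__ == "__main__":
    for sec, pairs in parse_conf(SAMPLE_CONF, env={"EMAIL": "jody@example.test"}).items():
        print("[%s]" % sec, pairs)
```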
Re: Sign PIX certificate using OpenSSL CA
Sorry for my ignorance, could you post a reference to SCEP? What would it take to manhandle a standard certificate into this format? Or is it a lot more difficult than that?

Jon Barber wrote:

> [EMAIL PROTECTED] wrote:
>
> I'm assuming you mean a Pix Firewall version 6.3.x. I don't think there is a way to get a certificate onto a Pix, as the ca commands can only create certificates. The only way to get a cert is via SCEP. There are only a handful of CAs that support SCEP, and no open source ones that are ready for serious use, IMHO. If anyone knows different, *please* let me know. I spent 3 months trying out every CA I could get my hands on.
>
> Regards,
> Jon.

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Sign PIX certificate using OpenSSL CA
So, am I right that OpenSSL has the means to make these PKCS7 files and the only new code development would be a network program to open connections and send and receive the appropriate stuff? I wonder if some of the code could be cribbed from some of those projects. Are any of them open source :-) If somebody else is actively working on this, please warn me off...

Jon Barber wrote:

> Charles B Cranston wrote:
>
> > Sorry for my ignorance, could you post a reference to SCEP? What would it take to manhandle a standard certificate into this format? Or is it a lot more difficult than that?
>
> SCEP is a standard proposed by Cisco (Simple Certificate Enrollment Protocol) see http://www.cisco.com/warp/public/cc/pd/sqsw/tech/scep_wp.htm It basically uses PKCS7 to exchange requests, CRLs, certs etc between the CA / RA and an endpoint. You can't do it manually (at least not easily). There are quite a few examples on the Cisco site, just look at using IPSec VPN on PIX examples. The projects I looked at that have SCEP are openca, ejbca and openscep. I also looked at Sun Certificate Server (now discontinued) and ended up using Microsoft Certificate Services on Win2000. RSA Keon CA supports SCEP, but I'm not rich enough to buy it. Google is your friend.

Yeah, luckily SCEP got me to Simple Certificate Enrollment Protocol and that got me to the PDF version of the HTML file mentioned above, which I'm now going to fetch from the printer...

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Sign PIX certificate using OpenSSL CA
I dunno, I'm only about halfway through the Vesperman CVS book, but when I used google to find openca and tried to find the openca/openscep stuff I found that the HEAD version had been removed from the archive, and that the versions in .attic (:-) were merely half-page stubs. Maybe I was at the wrong version of the archives...

> Probably your best bet is OpenSCEP : http://openscep.othello.ch/
>
> Having said that, openca looks very promising and has SCEP support in the CVS tree at the moment. OpenSCEP is quite lightweight specific, whereas OpenCA is trying to be a full blown CA / RA etc.

--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Zero length certificates
Best I can tell from looking at the code, the failure is somewhere in this block (which I have edited a bit for readability):

    # Convert the signed cert to a pkcs12 certificate
    # so Netscape and IE can import. (and clean up some files)
    `rm -f ./temp/$input{'email'}.pem`;
    `cat ./temp/$input{'email'}.key ./temp/$input{'email'}.pem.signed > ./temp/$input{'email'}.temp`;
    sleep 3;
    my $command_conv;
    print "\r";
    $command_conv = Expect->spawn("/usr/local/ssl/bin/openssl pkcs12 -export -in ./temp/$input{'email'}.temp -out ./temp/$input{'email'}.p12 -name 'OWL Certificate for $input{'email'}' -certfile /usr/local/ssl/misc/owl03CA/cacert.pem");
    if ( $command_conv->expect(5, "pass phrase:")) {
        print $command_conv "$input{'passwd'}\r";
    }
    if ( $command_conv->expect(5, "Export Password:")) {
        print $command_conv "$input{'passwd'}\r";
    }
    if ( $command_conv->expect(5, "Export Password:")) {
        print $command_conv "$input{'passwd'}\r";
    }

I'm not an expect expert, but the OpenSSL programs sometimes make null-length files when an error occurs during their execution. My guess is that the pkcs12 command is failing and somehow the error is not detected. AFAICT the command would be:

    /usr/local/ssl/bin/openssl pkcs12 -export \
        -in ./temp/xxx.temp \
        -out ./temp/xxx.p12 \
        -name 'OWL Certificate for xxx' \
        -certfile /usr/local/ssl/misc/owl03CA/cacert.pem

Where xxx is $input{'email'} -- my suspicions might be that the cacert.pem file is not there in the new configuration or that somehow a change of shells screwed up that nested ' thing in the -name option or what else??? Why don't you try the command manually from the command line and see if it makes a good p12? All the pieces are just lying there???

BTW if this does turn out to be the problem it would be good to modify the expect stuff so if pkcs12 returns a nonzero error code SOMETHING gets printed or triggered or something...

Brandon wrote:

> Charles,
>
> Here is the complete file, there are two additional calls to openssl after the req is generated.
>
> Brandon
>
>     #!/usr/bin/perl
>     # This script takes html form data and generates a pem encoded certificate request.
>
>     MAIN:
>     {
>         require "cgi-lib.pl";
>         use Expect;
>
>         #read in all the variables set by the form
>         &ReadParse(*input);
>         $organization = "OWL";       # hard code the Org field
>         $organization_unit = "";     # changed below
>         $new_state = "";             # state in case country is different from US
>
>         # Check to see if all the right fields are filled in
>         # And if they have requested a cert in the past.
>         print &PrintHeader;
>         print "<html><head><title>Generating Certificate Request...</title>\n";
>         print "<script language=\"Javascript\">\n";
>         print "<!--\n";
>         print "function goHome()\n";
>         print "{\n";
>         print "window.location=\"http://www.owl.test\";\n";
>         print "}\n";
>         print "// -->\n";
>         print "</script>\n</head>\n<body>\n";
>
>         if ( -f "/var/www/cgi-bin/temp/$input{'email'}.p12") {
>             &CgiDie("Error: Certificate already in database\n",
>                     "It appears you have requested a certificate twice. This corrupted your previous certificate. Please send mail to bamundson\(at)bbn.com so he can correct the problem. He will then inform you to request a cert again.\n");
>         }
>
>         if ($input{'name'} ne "" &&
>             $input{'passwd'} ne "" &&
>             $input{'passwd2'} ne "" &&
>             ($input{'passwd'} eq $input{'passwd2'}) &&
>             $input{'email'} ne "" &&
>             ($input{'orgunit'} ne "" || $input{'orgunitother'} ne "") &&
>             $input{'city'} ne "" &&
>             (($input{'state'} ne "") || ($input{'country'} ne "US" && $input{'state'} eq "")) &&
>             $input{'country'} ne "") {
>             #
>             # Check which orgunit to use and fix state country conflicts
>             #
>             if ($input{'orgunit'} ne "") {
>                 $organization_unit = $input{'orgunit'};
>             } else {
>                 $organization_unit = $input{'orgunitother'};
>             }
>             if ($input{'country'} ne "US") {
>                 $new_state = "none";
>             } else {
>                 $new_state = $input{'state'};
>             }
>             #
>             # Create the certificate and private key, put that in email_address.cert
>             # while using expect to interact with openssl...
>             #
>             #print &PrintHeader;
>             print "<pre>\r";
>             #$temp = "/var/www/cgi-bin/temp";
>             $SSLEAY_CONFIG = "-config /usr/local/ssl/openssl.cnf";   #Define alternate .cnf file
>             my $command_req;
>             $command_req = Expect->spawn("/usr/local/ssl/bin/openssl req $SSLEAY_CONFIG -new -keyout ./temp/$input{'email'}.key -out ./temp/$input{'email'}.cert -days 1825");
>             if ( $command_req->expect(5, "phrase:")) {
>                 print $command_req "$input{'passwd'}\r";
>             }
>             if ( $command_req->expect(5, "phrase:")) {
>                 print $command_req "$input{'passwd'}\r";
>             }
>             if ( $command_req->expect(5, "\[US\]:") ) {
>                 print $command_req "$input{'country'}\r";
>             }
>             if ( $command_req->expect(5, "\[Some-State\]:")) {
>                 print $command_req "$input{'state'}\r";
>             }
>             if ( $command_req->expect(5, "city")) {
>                 print $command_req "$input{'city'}\r";
>             }
>             if ( $command_req->expect(5, "Ltd\]:")) {
>                 print $command_req "$organization\r";
>             }
>             if ( $command_req->expect(5, "section\) \[\]:"))
Re: Zero length certificates
Dr. Stephen Henson wrote:
> You should where possible use the command line switches rather than expect because the prompts of the various commands may change. You can generate requests via template configuration files and there are various ways to supply passphrases.

While I agree 100% with the thrust of what Stephen is saying, the sad reality is that there are real problems with OpenSSL in this area. For example, tell me how to specify a specific serial number on a C-language call like:

    execle(SSLBPATH,SSLBPATH,"x509","-req","-sha1",
           "-extfile",SPKICONF,
           "-CA","./ssign.cert.pem",
           "-CAkey","./ssign.key.pem",
           "-CAserial",snumbuff,
           "-days","365",
           /* "-passin","fd:fileno(KDR)", */
           "-passin","pass:a",
           0,env);

Well, OK, I can do

    int sn[2];
    pipe(sn);
    sprintf(snumbuff,"%lx",serial);
    write(sn[1],snumbuff,strlen(snumbuff));
    sprintf(snumbuff,"/dev/fd/%d",sn[0]);

(ignoring for the moment that it has to be an even number of hex bytes, the code is a *little* more complicated, see below) but this is currently failing because the /dev/fd directory on this machine does not exist, and I have to get back to the systems people to find out if this is a bug or a feature...

Likewise with the passphrase, I earlier found a bug with specifying both -passin fd:# and -passout fd:# on the same OpenSSL call (was rsa to change pass phrase I think, overlapping buffers or something :-) so when I take out the "a" above and make it

    int pp[2];
    pipe(pp);
    sprintf(passbuff,"/dev/fd/%d",pp[0]);
    /* arrange for passphrase to be written to pp[1] */

But this also relies on operating system support for /dev/fd/#.

(actual code considering length must be even:)

    pipe(sn);
    sprintf(snumbuff,"0%lx",serial);
    pid = strlen(snumbuff);
    if (1 & pid) {                      /* odd total length: hex part is already even, skip the leading 0 */
        write(sn[1],snumbuff+1,pid-1);
    } else {
        write(sn[1],snumbuff,pid);
    }
    sprintf(snumbuff,"/dev/fd/%d",sn[0]);
    close(sn[1]);

=====

The worst case I came up against required me to run a pipe of three different commands. There just seemed to be NO WAY to specify a passphrase for the CA command, so I ended up with an explicit call to OpenSSL rsa (second command in below pipe) just to get the private key decoded. Apologies if I missed something, but I did futz around for a good amount of time before doing it this way.

I don't recall why this code uses a temp file for the serial number instead of using another pipe. Maybe it didn't work at the time, or maybe I didn't think about it.

This work was with 0.9.6c or so, and it is possible some of these points have been addressed in the evolution to 0.9.7. If there is a better way, score some points on me by telling me about it...

    #
    # SPKCSIGN
    #
    # Call OpenSSL ca to sign a SPKAC or PKCS10
    # Because of various limitations in the OpenSSL code,
    # this routine runs a pipe of three processes.
    #  1. Vault program writes a passphrase to stdout (bound to pipe PW/PR)
    #  2. An instance of OpenSSL rsa
    #     * reads the passphrase from a -passin fd:fileno(PR)
    #     * reads the encrypted private key from a -in file argument
    #     * writes unencrypted private key to stdout (bound to pipe KW/KR).
    #  3. An instance of OpenSSL ca
    #     * reads unencrypted private key from
    #       a -privateKey /dev/fd/fileno(KR)
    #     * reads the SPKAC from a -spkac /dev/fd/fileno(SR)
    #     * writes the signed certificate to stdout (bound to pipe CW/CR).
    # Standard error from all three is bound to pipe EW/ER.
    #
    # This routine writes the SPKAC data to SW and reads the signed
    # certificate from CR, and any errors from ER.
    #
    #                                        SPKAC
    #                                     +---------+
    #                                  SR |         ^ SW
    #            PASS            KEY      v  CERT   |
    #   vault --------> OpenSSL rsa --------> OpenSSL ca --------> this routine
    #   EW |    PW PR     | EW  KW KR     | EW  CW CR              ^ ER
    #      v              v               v                        |
    #      +--------------+---------------+------------------------+
    sub spkcsign {
        my ($vault,$vkey,$openssl,$tmpdir,$serial,$req,$certlife,$certmail) = @_;
        my ($pid, $error, $cert);          # Proc ID, error, result strs (all three declared)

        # Make serial number as even-number-of-digits hex string and write file
        my $hex = sprintf("%lX",$serial);  # Convert serial to hex
        if ( length($hex) % 2 ) {
            $hex = '0'.$hex;               # Requires even num digits!
        }
        my $snf = "$tmpdir/pca.serial.$$"; # Serial num file in config file
        open SERIAL,">$snf";               # Open write to file
        print SERIAL $hex;                 # Write serial number to file
        close SERIAL;                      # Close file

        # Make empty initial database file
        my $dbf = "$tmpdir/pca.dbf.$$";    # Database file
        open DBF,">$dbf";                  # Write empty database file
        close DBF;                         # Close file

        # Copy passphrase from the vault into P pipe.
        pipe ER, EW;
Re: Zero length certificates
Peter Sylvester comments that a -set_serial option got added to x509 -- my systems people somehow think it optional to install man pages, but I did find it using the --help option of the program itself. It is documented in the man page at the openssl web site.

My memory is now that I had to use a file to pass the serial number to ca in that long Perl program because OpenSSL expected to increment and write it back, and was unhappy with not being able to write to the read end of the pipe or some such thing. Though I thought this OS had bidirectional pipes. Something else to investigate in my copious free time...

Charles B Cranston wrote:
> I don't recall why this code uses a temp file for the serial number instead of using another pipe.
>
>     # Make serial number as even-number-of-digits hex string and write file
>     my $hex = sprintf("%lX",$serial);  # Convert serial to hex
>     if ( length($hex) % 2 ) {
>         $hex = '0'.$hex;               # Requires even num digits!
>     }
>     my $snf = "$tmpdir/pca.serial.$$"; # Serial num file in config file
>     open SERIAL,">$snf";               # Open write to file
>     print SERIAL $hex;                 # Write serial number to file
>     close SERIAL;                      # Close file

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: Installing the cert
Well, it might be easier to answer this question if we knew what you were trying to install the certificate into. For the Apache server the certificate and private key are placed into filesystem files which are then named in the configuration files. The installation instructions vary for other products.

You might find these URLs informative:
http://www.ssl.com/support/installation.jsp (note right-column links)
http://httpd.apache.org/docs-2.0/ssl/
http://cert.umd.edu/spickdoc?apache

In general certificates are used to protect web servers and LDAP servers. We have successfully installed our local certificates on:
web servers: apache, IIS, IBM HTTP
LDAP servers: Novell eDirectory, IBM SecureWays, Netscape Suite Spot

What is your application, what have you done so far, and how has it failed?

Faulk, Brian, WHS/PSD wrote:
> Can anyone tell me once you receive the cert back how do you install it? I am using openssl version 0.9.7c on an HP-UX system. Sorry but I am new to using openssl and I can't seem to get the cert installed. Any and all help is appreciated.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: Certificate and key pair generation for SSL applications
Sreedhara M. Reddy wrote:
> Hi, Can someone guide me how to generate certificate and key pairs for client authentication in SSL applications.

First, are you really sure that this is what you want to do? The problem with client certificates is that they tie the client down to a specific workstation machine, which has the private key and certificate in its file system, unless the user carries her crypto material around in a USB key fob or a smart card. Unless you really need the highest level of security and people are going to carry multiple factor crypto material around with them, you're probably better off using a server certificate to secure the connection, then using something like a password to authenticate the actual user. It's just too damn easy to break into these cheap Windows machines and steal the crypto material, and passwords don't help when the adversary can steal the encrypted file and try password a, b, .. aa, ab .. aaa, aab for hours or days or whatever until she lucks onto the password.

For example, look at today's web commerce. The commerce server machines use purchased certificates to authenticate themselves to the user (and to secure the network channel) but then the *credit card number* is how the buyer authenticates herself to the vendor. Or the growing number of web mail services where the server is secured by a vendor purchased certificate and the user types a password into a secured page in order to access her email.

===

Assuming this is really what you want to do, you need to have one root certificate and a client certificate for each client that is signed by it. The root certificate goes into the internet server application. The client certificates and their associated private keys go into the user machines (or smart cards or USB keyfobs or Java Buttons or whatever). Most browsers will accept certificates that are downloaded with either x-something MIME types (Netscape/Mozilla) or specific filename extensions (Explorer).

A medium security system that is often used is to have a web page that issues the certificates and downloads them after a user has authenticated herself with a more traditional form of user authentication, like her campus password.

Hope this gets you sort-of oriented. There are people on this list who are actually doing this who can supply more technical detail on request.

===

For machine-to-machine connections it is a little easier. It still makes sense to have a root, and have it sign a certificate for each machine. Just how you set it up depends on the specific software. The problem is, again, how to secure the password for the private key, given that there is typically no human being there at startup to give a password, so the adversary can, in principle, steal the entire filesystem and trace a startup in order to steal the crypto material.

This is probably getting beyond appropriate for an orientation.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: Requesting Cert from Server - Store on Client
Best guess is that you are confusing a client cert, which is used (optionally) to identify yourself to the server, and a root cert, which you use to validate the cert that the server returns to you. Your group may be telling you that you don't need a client cert for them to accept a connection from you. But in all cases their server will be returning a (locally sign [sic]) certificate to you, and it looks like ldapsearch is failing to verify that certificate. It needs a local copy of some kind of root certificate to do so. If s_client -showcerts is showing the root certificate you could grab a copy and put it wherever ldapsearch expects to find the root certificate, and see if that helps...

Eric Buchman wrote:
> Hey Everyone,
>
> Summary Question: Is there a command I can issue (openssl) that will allow me to retrieve a cert I can store for my client intranet application to perform ldap w/ssl authorization?
>
> Situation: Forgive my newness to openssl. I have an Intranet Postnuke server that uses openldap for admin authorization. I've recompiled my openldap and php for openssl, the openssl was configured for client only (no slapd, slurpd). My pickle is that I've been told by the group controlling the authorizing server I do not need a cert for ssl connection to their server. Everywhere I compare my error the answers appear to be in having a local cert. Their authorization server is using a locally signed cert.
>
> At first I was running an ldapsearch -ZZ -d7 -x -h <authorization server> and I get the error:
> SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
>
> Then I ran ./openssl s_client -connect authserver:636 -showcerts -state which produces information of a locally signed certificate.
>
> I believe I will need a locally stored cert on the intranet server (client); the two authorization administrators of the server, who have been quite helpful actually, are out of the office this week. It would be nice to perform some validation while they're gone, thus the need for a command to retrieve a certificate I can store.
>
> 2.1x of openldap
> 0.9.7c of openssl
>
> Thank you for any help.
> Regards, Eric

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: SSL cert key generation on an appliance
Sorry if I am way off base, haven't looked at the thread carefully, but if you can get a self-signed certificate you might be able to pass it into openssl req and convert it to a CSR, then sign that with the higher level cert. The idea is that all you really need is the public key, and that is in the certificate (and can be moved to a CSR with req). My belief that this will work is strong enough that I'm going to risk being publicly embarrassed if it doesn't...

Mike Klein wrote:
> What you found is for self-signed certificates...not sure if this is what you want. Kind of too simplistic.
>
> What most faqs should steer users towards is not self-signed server certs, but a self-signed ca...from which all else derives. In my server setup for my home office/lab...I have a self-signed CA, which signs certificates for the principals in my network (servers and users). I think this is more what you want...a self-signed CA only.
>
> When doing ssl auth, or smime/etc. it's much easier to just have your users import your self-signed ca cert just once and then everything else is all good/accepted.
>
> Check out the numerous perl ssl routines on cpan. Here's a perl intf to openssl:
> http://search.cpan.org/~madwolf/OpenCA-OpenSSL-0.9.91/OpenSSL.pod
> The above states that it is merely a command-line intf to openssl (via perl of course). The apis look quite simple.
>
> cheers, mike
>
> Rob Patrick wrote:
>> Found a solution in the list archives from last month.
>> http://www.moser-willi.at/doc/howto/docs/AutoSSL/
>> That script works great!!! Thanks much.
>>
>> ----- Original Message -----
>> From: Waitman C. Gobble, II [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Sent: Wednesday, October 15, 2003 12:28 AM
>> Subject: RE: SSL cert key generation on an appliance
>>
>>> Hello, I am positive that there is a perl module, there just has to be. I haven't used it though.
>>>
>>> If you aren't exactly stuck on perl, you might have a look at the openssl functions in php:
>>> http://us3.php.net/manual/en/ref.openssl.php
>>>
>>> Take care,
>>> Waitman Gobble
>>> EMK Design
>>> Telephone (714) 522-2528 Toll Free (877) 290-2768
>>> http://emkdesign.com
>>> ...
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Patrick
>>> Sent: Tuesday, October 14, 2003 9:08 PM
>>> To: [EMAIL PROTECTED]
>>> Subject: SSL cert key generation on an appliance
>>>
>>>> Hello,
>>>>
>>>> We're looking to deploy Linux-based security appliances that only provide the end-user with a web front-end. We want the end-user to have the ability to generate new (self-signed) certificates and SSL keys to be used on the appliance under Apache mod_ssl once installed.
>>>>
>>>> I'm betting somebody else has already solved this... how do you generate certs and keys without access to the interactive command line? Essentially, I'm looking for a shell script, some Perl, or another method to perform cert and key generation in an automated fashion, driven by input submitted by a user via the web. From what I can gather with the cmd-line utilities provided by OpenSSL, interactive command-line access is required. If there's an easier way than wrapping the OpenSSL cmd-line utilities with Net::Telnet and IO::Pty, please tell me!
>>>>
>>>> Thanks,
>>>> -Rob Patrick

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
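Three passages on this page circle the same problem: the CGI script near the top drives openssl req through Expect, Charles Cranston's "Zero length certificates" messages wrestle with feeding a serial number and a passphrase through /dev/fd pipes, and Rob Patrick asks how to generate keys and certificates from web input with no interactive terminal. The following is an added example, not code from any poster or from the OpenSSL project, showing the approach Stephen Henson recommends: a template config file with prompt = no, -batch, -passout/-passin file:, and the -set_serial option Peter Sylvester pointed out. The function names (valid_field, write_req_config, csr_from_form, sign_csr, cert_serial), the character whitelist, the directory layout and the sample subject values are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not code from this thread or from OpenSSL): drive
# "openssl req" and "openssl x509" without prompts, using a template config
# file, -batch, -passout/-passin file: and -set_serial. Every function and
# field name here is this example's own.
set -e

# Form values end up inside a config file that openssl parses ($name is
# expanded there) and on a command line, so only a conservative character
# set is accepted; anything else is refused before openssl ever runs.
valid_field() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9@._ -]{1,64}$'
}

# write_req_config FILE C ST L O OU CN EMAIL
# prompt = no makes req take the subject from the file instead of asking.
# The v3_ca section is used only when this template self-signs a CA (-x509).
write_req_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
string_mask        = utf8only

[ req_dn ]
C            = $2
ST           = $3
L            = $4
O            = $5
OU           = $6
CN           = $7
emailAddress = $8

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# csr_from_form DIR EMAIL PASSFILE C ST L O OU CN
# Writes DIR/EMAIL.key (encrypted with the passphrase read from PASSFILE)
# and DIR/EMAIL.csr, named after the e-mail address like the CGI script
# above, with no prompt to script around.
csr_from_form() {
    dir=$1; email=$2; passfile=$3; c=$4; st=$5; l=$6; o=$7; ou=$8; cn=$9
    for v in "$email" "$st" "$l" "$o" "$ou" "$cn"; do
        valid_field "$v" || { echo "rejected form value: $v" >&2; return 1; }
    done
    printf '%s' "$c" | grep -Eq '^[A-Z]{2}$' || { echo "bad country: $c" >&2; return 1; }
    cfg="$dir/$email.cnf"
    write_req_config "$cfg" "$c" "$st" "$l" "$o" "$ou" "$cn" "$email"
    openssl req -new -newkey rsa:2048 -batch -config "$cfg" \
        -keyout "$dir/$email.key" -out "$dir/$email.csr" \
        -passout "file:$passfile"
}

# sign_csr CSR CACERT CAKEY CAPASSFILE SERIAL OUTCERT
# -set_serial takes the serial on the command line (decimal, or hex with a
# 0x prefix), so there is no serial file, no /dev/fd pipe and no even-digit
# padding to arrange; -passin file: reads the CA key passphrase from a file
# rather than from a prompt or from argv (where "pass:" would be visible).
sign_csr() {
    openssl x509 -req -days 365 -sha256 \
        -in "$1" -CA "$2" -CAkey "$3" -passin "file:$4" \
        -set_serial "$5" -out "$6"
}

# cert_serial CERT: the serial as recorded in the certificate
# (uppercase hex, even number of digits).
cert_serial() {
    openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'
}
```

A sample run is csr_from_form /tmp/reqs user@example.test pass.txt US Maryland 'College Park' OWL Research 'User Name', then sign_csr with the CA's certificate, key and passphrase file and the serial you assign. The validation step is the part the CGI script above lacks: there, $input{'email'} goes straight into the spawned command string, so a request field is also a command-line fragment. Keeping the passphrase in a file with restrictive permissions (or a pipe) rather than in the process arguments is what -passin/-passout file: buy you over pass:.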
Re: how to generate certs with a + in the dn
Dr. Stephen Henson wrote:
> These things are called multi-valued RDSs of AVAs and several less polite names. It's been reported that some software doesn't handle them properly.

Think AVAs might be Attribute Value Assertions but am not finding RDSs in much googling -- is this X.509 stuff that didn't make it into PKIX or what? Asking for edification.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: SSL Warning on Non-Standard Port
R Ayres wrote:
> I have 2 certificates: a self signed server certificate and a purchased domain specific certificate. When I connect to the domain with https://mydomain.com it works fine, but if I try to connect to another port (https://mydomain.com:2020), the self signed certificate is the one that is recognized, and I get a warning because the certificate is self generated.

Well, these symptoms could be explained quite easily if you were running two DIFFERENT servers, one on port 443 with the commercial certificate and another on port 2020 with the old self-signed one. You could use the openssl s_client tool to connect to each of the ports in turn, using the -showcerts option to really SEE which certificates each server is presenting.

Note: you could be running either two copies of the Apache server or one copy with Virtual Hosts enabled. If you're using the Apache stuff, the answers will be in the httpd.conf file in the conf directory. But you haven't really told us which server(s) you are using. If this is on a Wintel box somebody else will have to help you...

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
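Both the ldapsearch reply and the non-standard-port reply above send the reader to openssl s_client -showcerts to see what a server actually presents. As an added example, not code from either message, here is shell that takes saved -showcerts output, counts the chain, reports each entry's subject and issuer, and extracts the last certificate as the candidate trust anchor for ldapsearch (OpenLDAP reads it from TLS_CACERT in ldap.conf). The sample output is constructed and its PEM bodies are placeholders, not real certificates; all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: pick the issuing certificate out of
# "openssl s_client -connect host:636 -showcerts" output so it can be
# installed as a local trust anchor (for OpenLDAP: TLS_CACERT in ldap.conf).
# SAMPLE_SHOWCERTS is constructed; the base64 bodies are placeholders.
set -e

SAMPLE_SHOWCERTS='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=authserver.example.test
   i:/O=Example Org/CN=Example Local CA
-----BEGIN CERTIFICATE-----
MIICserverCERTconstructedPLACEHOLDER0000000000000000000000000000
-----END CERTIFICATE-----
 1 s:/O=Example Org/CN=Example Local CA
   i:/O=Example Org/CN=Example Local CA
-----BEGIN CERTIFICATE-----
MIICissuerCAconstructedPLACEHOLDER00000000000000000000000000000
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=authserver.example.test
issuer=/O=Example Org/CN=Example Local CA
---'

# chain_length TEXT: number of PEM certificates the server sent (0 if none).
chain_length() {
    printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# nth_cert N TEXT: the N-th (1-based) PEM block, BEGIN to END lines inclusive.
nth_cert() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ { if (n == want) exit }'
}

# subject_of N TEXT: the "s:" line s_client prints for chain entry N
# (1-based here; s_client itself numbers entries from 0).
subject_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == want - 1 && $2 ~ /^s:/ { sub(/^ *[0-9]+ s:/, ""); print; exit }'
}

# issuer_of N TEXT: the "i:" line that follows entry N's subject line.
issuer_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == want - 1 && $2 ~ /^s:/ { hit = 1; next }
        hit && /^ *i:/ { sub(/^ *i:/, ""); print; exit }'
}

# is_self_signed N TEXT: true when entry N names itself as issuer.
is_self_signed() {
    [ "$(subject_of "$1" "$2")" = "$(issuer_of "$1" "$2")" ]
}

# last_cert TEXT: the final certificate in the chain. When the server sends
# its full chain this is the issuer or root; when chain_length is 1 the
# server sent only its own certificate and this is the leaf, not a CA.
last_cert() {
    nth_cert "$(chain_length "$1")" "$1"
}

# fingerprint_of PEM: SHA-256 fingerprint to read back to the server's
# administrators out of band before the certificate goes into a trust store.
fingerprint_of() {
    printf '%s\n' "$1" | openssl x509 -noout -fingerprint -sha256
}
```

Typical use is openssl s_client -connect authserver:636 -showcerts </dev/null > chain.txt, then last_cert "$(cat chain.txt)" > local-ca.pem and TLS_CACERT pointing at that file. A certificate obtained this way is trust-on-first-use: nothing in the download proves it belongs to the group running the server, which is why fingerprint_of exists and why Eric's plan of confirming with the two administrators is the right one. Check is_self_signed on the last entry as well; a server that sends only its leaf certificate gives you nothing to anchor on.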
Re: diagram explaining encryption using openssl
Here are some diagrams in a document I wrote what seems like a century ago (before I started actually writing PKI code):
http://www.oit.umd.edu/middleware/pki.html

Have been somewhat distracted the last few days by a hurricane. Refugee house guests from the unempowered areas etc.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: Foundational questions
> In my setup, I installed openssl to /usr/local/ssl. In that dir there is a /certs directory which is empty. However, in my source dir /usr/local/src/openssl-0.9.7b/certs/ there are over 20 .pem files (and their associated hashes) which look to be the trusted root certificates. Should those be copied to /usr/local/ssl/certs, or remain where they are? Also, when applications such as Apache and Sendmail are compiled with openssl does the openssl library know to look in the original source area for those certs even though I've told those apps that the openssl libs are in /usr/local/ssl?

My experience is that programs have configuration files, and there is a line in the configuration file that says where the certificates are to be found. I have only used the command line tools (haven't done any programming) but I believe there is a subroutine that is passed the name of the certs directory and/or the name of a file of certs to be read, and that other than this the library knows nothing of standard system locations where things are to be found.

> I'm hesitant to start giving read access to all the applications' run-as users to the ssl directories. Consequently I'm wondering whether the openssl libs have root access even though Apache might be running as nobody? Or, do I duplicate all the certs in each app's respective directories? Or even, do I create a new user id for all of those apps to run as so that I can grant access to a common directory? How's this normally handled by yourself and others?

I do not at all believe that the SSL libraries have ANY access permissions above and beyond those of the process calling them.

IMHO giving somebody read access to a certificate is not a security exposure. Anybody can connect to a secure server's port and get a list of certificates at any time. Only the private keys should be sacred.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
Re: Foundational questions
Dann Daggett wrote:
> However, I still don't know about the empty /certs directory. Am I supposed to copy /usr/local/src/openssl-0.9.7b/certs/ to /usr/local/ssl/certs? It seems strange that the install script wouldn't have done that as well if it were needed.

Well, it depends on what you want to do. If you are just using OpenSSL with Apache then you might be giving the Apache http server a config file like:

    SSLEngine on
    SSLCertificateFile /usr/local/umcpca/www/certs/cert.cert.pem
    SSLCACertificatePath /usr/local/umcpca/www/certs

Then the contents of the /certs directory just doesn't matter, since the OpenSSL library is being explicitly told where the certificates are to be found. It all depends on what you want to do.

-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben