Re: My bank has an invalid cert

2011-08-26 Thread Crypto Sal


Use this openssl command to obtain the full hierarchy including the root 
CA. This should be what you need to import the certs into your version 
of Firefox.


openssl s_client -connect webbroker.tdwaterhouse.ca:443 -showcerts

If you wish to automate it, you do so via 'certutil' and using the 
directory that houses your 'cert8.db' file.



On 08/25/2011 05:26 PM, t...@terralogic.net wrote:

Web broker.

Also they seem to have broken their web site in other ways.

I just hate it when they figure they should reprogram my browser so I can't 
right click on a link and open in a new window.  I do run multiple monitors and 
it's nice to put a press release on one monitor and another press release on 
another monitor while having the main window on yet a 3rd monitor.

Their mind set seems to be like if you want to use our service then switch your 
machine to windows... toss out the extra monitors and set the display to 
800x600.

Well not quite that bad but close.

If I have much more trouble with them I'm going to close my accounts.


On Thu, Aug 25, 2011 at 05:08:40PM -0400, Crypto Sal wrote:

Do you log into 'Web Broker' or 'Easy Web'?


On 08/25/2011 04:50 PM, t...@terralogic.net wrote:

Sorry

http://www.tdwaterhouse.ca/

It's my old cert chain which is broken.  I just want to go to them and ask them 
to supply the root cert so I can install it and get rid of the error message 
which Firefox generates because I can't find the root cert.


On Thu, Aug 25, 2011 at 04:44:07PM -0400, Crypto Sal wrote:

Can you please *be* specific and provide us with an exact URL for those
of us that don't live in Canada or use TDWaterhouse? I see TD has
several sites and this is why we need you to be specific so we can tell
you which root to get.


On 08/25/2011 03:06 PM, t...@terralogic.net wrote:

TDWaterhouse  In Canada.  I'm in Calgary.  Those idjots tell me to reboot my 
computer when their Apache servers in TO send me a misconfiguration message.  I 
told them yesterday we build it and you break it.  Something is desperately 
wrong.


On Thu, Aug 25, 2011 at 02:10:11PM -0400, Crypto Sal wrote:

Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'.

If we had the bank URL, we would be able to better help you to resolve
this issue.


On 08/25/2011 01:45 PM, t...@terralogic.net wrote:

I know you are trying to help.  But it doesn't help me to defer to a package 
manager because I'm trying to fix what the last package managers screwed up.

On Thu, Aug 25, 2011 at 04:09:44AM -0500, Michael S. Zick wrote:

On Wed August 24 2011, t...@terralogic.net wrote:
Top posting to a hijacked thread is not the way to get
a quick and useful reply.
Next time, start your own. Mailing list threads are cheap.


I see my bank has an invalid cert.  Likely I have an old cert chain.  I'm 
running Debian Linux and firefox.


Use any one of the distribution-provided package managers to download and
install the most recently released package of certificates.


Can anyone tell me where to install a valid root cert?  Like what directory?
I would think the bank should be able to provide the root of the chain.
I'll need to know SPECIFICALLY what to ask them for.


Asking the operator of the site you wish to authenticate for the certificate
is similar to asking the Fox to guard your Chicken House.

Get the root certificate from an independent, trusted source.
Using your distribution's package management will take care of that concern.


I've created my own certs of course but just not recently.
Also I never tried to install the CA cert for firefox.


Your distribution's package manager already has that handled.
All you have to do is use it.

Mike
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org

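Added example, not code from the thread: a Python script doing what the post above describes. It splits the output of 'openssl s_client -connect HOST:443 -showcerts' into one PEM file per certificate and builds the NSS 'certutil -A' command that imports each CA certificate (depth 1 and up, never the depth-0 server certificate) into the Firefox profile directory that holds cert8.db. The s_client output embedded in the script is constructed with placeholder PEM bodies, the profile path is a placeholder, and the trust flags "C,," are my choice (trusted CA for server certificates only). Note that -showcerts usually stops at the last intermediate, so the root itself should still come from a trusted source such as the distribution's CA package, as Mike says further down.

```python
"""Split `openssl s_client -showcerts` output into PEM files and build
the certutil commands that import the CA certificates into a Firefox
profile.  Added example; the sample output below is constructed and
its PEM bodies are placeholders, not real certificates."""
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed sample of the relevant part of `s_client -showcerts` output:
# a depth-numbered chain, each entry followed by the certificate in PEM.
SAMPLE_SHOWCERTS = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=CA/O=Example Bank/CN=webbroker.example.test
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
TUlJQ0xFQUZQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
TUlJQ0lOVEVSTUVESUFURVBMQUNFSE9MREVS
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CA/O=Example Bank/CN=webbroker.example.test
issuer=/C=US/O=Example CA/CN=Example Intermediate CA
---
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
SUBJECT_RE = re.compile(r"^\s*(\d+) s:(.*)$", re.M)


def split_chain(output):
    """PEM blocks in the order the server sent them (depth 0 = server cert)."""
    return [m.group(0) + "\n" for m in PEM_RE.finditer(output)]


def chain_subjects(output):
    """[(depth, subject)] from the 'Certificate chain' listing."""
    return [(int(d), s.strip()) for d, s in SUBJECT_RE.findall(output)]


def nickname_for(subject):
    """certutil needs a nickname; the CN of the subject is a readable one."""
    m = re.search(r"CN=([^/,]+)", subject)
    return m.group(1).strip() if m else subject


def certutil_import_cmd(profile_dir, nickname, pem_path):
    """argv for `certutil -A`: add one CA cert to the NSS db in profile_dir.
    Trust flags "C,," = trusted CA for issuing server (SSL) certificates only."""
    return ["certutil", "-A", "-d", str(profile_dir), "-n", nickname,
            "-t", "C,,", "-i", str(pem_path)]


def import_commands(output, outdir, profile_dir):
    """Write depthN.pem for every cert in the output and return the certutil
    commands for the CA certs (depth >= 1).  Depth 0 is the server's own
    certificate and is not something to add as a trusted CA."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    subjects = dict(chain_subjects(output))
    cmds = []
    for depth, pem in enumerate(split_chain(output)):
        path = outdir / f"depth{depth}.pem"
        path.write_text(pem)
        if depth >= 1:
            nick = nickname_for(subjects.get(depth, f"depth{depth}"))
            cmds.append(certutil_import_cmd(profile_dir, nick, path))
    return cmds


def fetch_showcerts(host, port=443):
    """Run the command from the post for real (needs network; unused offline)."""
    res = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts"],
        input="", capture_output=True, text=True, check=False)
    return res.stdout


def demo(profile_dir="/home/user/.mozilla/firefox/xxxxxxxx.default"):
    """Offline run on the constructed sample; profile_dir is a placeholder."""
    return import_commands(SAMPLE_SHOWCERTS, tempfile.mkdtemp(), profile_dir)


if __name__ == "__main__":
    for cmd in demo():
        print(" ".join(cmd))
```

To use it against a real host, replace SAMPLE_SHOWCERTS with fetch_showcerts('host') and run the printed commands; on Debian, certutil is in the libnss3-tools package.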

Re: My bank has an invalid cert

2011-08-25 Thread Crypto Sal

Firefox has its own certificate store. It doesn't share '/etc/ssl/certs'.

If we had the bank URL, we would be able to better help you to resolve 
this issue.




Re: My bank has an invalid cert

2011-08-25 Thread Crypto Sal
Can you please *be* specific and provide us with an exact URL for those 
of us that don't live in Canada or use TDWaterhouse? I see TD has 
several sites and this is why we need you to be specific so we can tell 
you which root to get.





Re: My bank has an invalid cert

2011-08-25 Thread Crypto Sal

Do you log into 'Web Broker' or 'Easy Web'?




Re: My bank has an invalid cert

2011-08-25 Thread Crypto Sal
You typically import certs through the Firefox certificate manager found 
via Edit - Preferences - Adv. - Encryption - View Certificates. It 
should be self explanatory from here. The only other question that 
remains is which Root CA. That can only be done by reading the 
certificate hierarchy that is presented by the bank's server, which it 
should provide you upon making an s_client connection.




On 08/25/2011 05:15 PM, t...@terralogic.net wrote:

I know the theory.  I'm also a programmer.  I just never bothered to install a 
root cert before.  But I do know how to make them.

I'll dig around in FireFox and see where it is and how it's done.

As for the bank.  We build it and they break it.  Not my fault.


On Thu, Aug 25, 2011 at 01:51:01PM -0700, Craig White wrote:

the answer lies with the people who wrote the software for the certificate 
store since the whole point is trust.

If users could manipulate the root certificate store, then it would be 
impossible to trust anything.

Generally, you can add certificates by double clicking them and choosing the 
correct answer (where to store, how much to trust)

You can open 'keychain access' on a Macintosh or use Windows MMC to delete 
certificates.

Banks are entirely sensitive to the issue of SSL and Certificates - they have 
to be. If your computer doesn't automatically trust your bank's certificates, 
then you either need to fix your computer or get a new bank.

The real answer to your problem is this... If you can't trust the root 
certificates that are part of your OS, then copy everything off the hard drive 
and re-install a fresh copy of your OS. That is the only way you can trust that 
your root certificates do what they are supposed to do.

Craig

On Aug 25, 2011, at 1:28 PM, t...@terralogic.net wrote:


I already know it's my certificate store.  I only asked how to load in their 
new root cert

On Thu, Aug 25, 2011 at 01:09:20PM -0700, Craig White wrote:

Go to an entirely different computer and try accessing - you will know if it's 
your computer or their certificates.

If it's your computer, it's either your browser or your OS Certificate store 
(Windows and Macintosh use entirely different methods to accomplish).

Firefox uses its own certificates... if it's Firefox on your computer... 
uninstall it completely and re-install it.

If it's Chrome, Safari or Internet Explorer, it uses the OS certificate store 
and you will probably need to get the OS to update the Root Certificates.

This is all pretty much beyond what a user can manage but some users can manage 
them, but this is the wrong list... it would be an OS problem.

Craig


Re: issue with p12 creation and network solutions EV SSL

2011-04-23 Thread Crypto Sal

On 04/21/2011 06:51 PM, James Chase wrote:
I have done this multiple years in a row with the exact same process 
but now I get the following error when I try to create my SSL:


openssl pkcs12 -export -chain -CAfile cachain.crt -out 
my.domain.com.p12 -inkey my.domain.com.key -in MY.DOMAIN.COM.crt

Error unable to get local issuer certificate getting chain.

I concatenated all the intermediate files in the order they suggest, 
and according to the process I have documented that has worked the 
past few years. I also downloaded the pre-built chain file where they 
already concatenated the needed files together but I get the same 
error. I also tried the same chain file I used last year -- same 
results. Googling is not helping me understand this error. Anyone know 
what could be going on here with the EV SSL creation for Network 
Solutions?



--
Beware of all enterprises that require new clothes.
  --  Henry David Thoreau



James,

You don't need to include the '-chain' option since you are providing the 
chain with the '-CAfile' option. '-chain' is for when you want OpenSSL to 
build the chain for you.


--Crypto.Sal


Re: Cert chain verification failures

2011-03-30 Thread Crypto Sal

On 03/29/2011 01:16 PM, David Coulson wrote:

On 3/29/11 12:58 PM, Bruce Stephens wrote:

Add the -showcerts option to the s_client commands and you'll see the
first server returns a chain of certificates where the second offers
only the end server certificate.
Okay, I see that - Makes sense. When I hit the hostname w/ Firefox I'm 
able to see a complete certificate chain. Where does it get that 
information from?



David:

Firefox caches that information, so that it can use them later if you 
view a similar certificate hierarchy.


If you view the Firefox Certificate Manager you should see Software 
Security Device vs. that of Built in Object next to each of the 
certificates in question outside of the Entrust Root CA, which should 
say 'Built In...'.


Bruce:

You don't even need to use the '-showcerts' flag for 's_client', because 
one can see the certificate depth by looking at the digits in the right-most 
column. Depth 0 is always the end entity/device certificate and everything 
else may be a part of the hierarchy.





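Added example, not from the thread, serving both the "which Root CA" question in the Firefox certificate-manager post above and Sal's point here about the depth column: a Python script that reads the 'Certificate chain' section of s_client output (no -showcerts needed), takes depth 0 as the end-entity certificate, checks that each issuer matches the subject of the next certificate sent, and names the issuer of the last certificate, which is the CA the client must already trust. The two sample outputs are constructed with placeholder names; the second shows a server sending only its own certificate, which Firefox may still display as a full chain because it cached the intermediate on an earlier visit elsewhere.

```python
"""Read the 'Certificate chain' section of `openssl s_client` output and
report: the end-entity certificate (depth 0), whether the server sent
its intermediate(s), and which issuer the client must already trust.
Added example; both samples are constructed with placeholder names."""
import re
import sys

# Constructed: a server that sends its certificate plus the intermediate.
FULL_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=CA/O=Example Bank/CN=webbroker.example.test
   i:/C=US/O=Example CA/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
---
Server certificate
"""

# Constructed: a server that sends only its own certificate, the case
# Bruce describes above.  Firefox may still show a full chain for it
# because it cached the intermediate from an earlier visit elsewhere.
LEAF_ONLY = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=CA/O=Example Bank/CN=webbroker.example.test
   i:/C=US/O=Example CA/CN=Example Intermediate CA
---
Server certificate
"""

ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.M)


def parse_chain(output):
    """[(depth, subject, issuer)] in the order the server sent them."""
    if "Certificate chain" not in output:
        raise ValueError("no 'Certificate chain' section in s_client output")
    section = output.split("Certificate chain", 1)[1].split("---", 1)[0]
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY_RE.findall(section)]


def analyse(output):
    chain = parse_chain(output)
    if not chain or chain[0][0] != 0:
        raise ValueError("chain must start at depth 0 (the end-entity cert)")
    # A well-formed presentation links each cert to the next: issuer(k) == subject(k+1).
    broken = [k for k in range(len(chain) - 1) if chain[k][2] != chain[k + 1][1]]
    last_subject, last_issuer = chain[-1][1], chain[-1][2]
    return {
        "end_entity": chain[0][1],
        "sent": len(chain),
        "issuer_sent": len(chain) > 1 and chain[1][1] == chain[0][2],
        "links_ok": not broken,
        "root_sent": last_subject == last_issuer,  # self-signed last cert
        "trust_anchor_needed": last_issuer,        # must already be in the client store
    }


def report(output):
    """Summary in the spirit of 'read the chain section and forget the rest'."""
    r = analyse(output)
    lines = [
        f"end entity (depth 0): {r['end_entity']}",
        f"certificates sent:    {r['sent']}",
        "intermediate sent:    " + ("yes" if r["issuer_sent"]
                                    else "NO - client must already have or fetch it"),
        "links consistent:     " + ("yes" if r["links_ok"]
                                    else "NO - out-of-order or unrelated certs"),
        f"root CA to trust:     {r['trust_anchor_needed']}"
        + (" (server sent it too, but trust must come from the client's own store)"
           if r["root_sent"] else ""),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(sys.stdin.read()))
```

Pipe a live connection into it with: openssl s_client -connect HOST:443 </dev/null 2>/dev/null | python3 chaincheck.py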


Re: Client certificate chains

2011-03-21 Thread Crypto Sal

On 03/22/2011 12:09 AM, plot.lost wrote:



Or do you simply mean you looked manually at the x509 output
(probably -text) and it looks correct to you?


Yes, using -text to manually check the chain.


Have you confirmed this alert is in response to your cert?
You can use s_client with -debug, or run a network monitor
(I recommend www.wireshark.org on Windows) to see.
And are the server people actually looking at the error
they got on your attempt(s), or just guessing?
I think they are just using a pre-set response to any questions 
regarding connectivity problems; it's that same basic response that 
comes back each time.

Verifying you-the-client is indeed the job of the server.
And if it doesn't verify you, then it would better give a
more specific alert, like 'unknown CA' or 'invalid cert',
not 'internal error'. Do you know what kind of software
the server is running -- at the protocol level especially,
e.g. if it is 'Apache plus our-bus-app' you probably only
care about 'Apache', maybe 'Apache mod_ssl version N'.


Somehow I don't think I would get a meaningful answer to this question...


There are three common problems in this area but none
quite matches what you relay the server people said.

1. Intermediate CA(s). Some (smaller) CAs may issue 'user' certs
(client and/or server, and/or other kinds) directly under a root,
but most have a multi-level hierarchy: root signs level2, level2
signs user; or level2 signs level3 and level3 signs user, etc.
Each SSL system, such as this server, is configured with a set
of CA-certs it knows (and trusts), but that set may not go all
the way down. If that is the case, your client must supply the
remaining 'intermediate' cert(s) during handshake.

If you have the complete chain for your cert, or you get
it from the CA(s), you could try showing it (probably Issuer,
Serial, Subject, SubjectKeyID if any, AltName extensions if any,
and CRLDistPoint or AuthorityInfoAccess extensions if any)
to the server people and ask them to identify which cert(s)
they don't already know (if any). Then give that/those to
SSL_CTX_add_extra_chain_cert or SSL_CTX_use_certificate_chain_file.
Or at worst supply everything; the server should ignore
any it doesn't need, and it just takes a tiny bit longer.
However, the server must already trust the root, at least;
even if you supply the root, they can't trust that. See 3.

2. Ambiguous CA(s). A CA can have multiple (issuing) certs
for the same name. In this case a verifier, like this server,
needs to know which issuing cert (and hence key) to use.
The standard way of doing this is an extension AuthorityKeyID
abbreviated AKID in the user cert. If this is needed the CA
should have done it, and if the CA didn't you can't fix it.
x509 -text will show whether it is there, and if so help you
build (or verify) the chain as above.

3. Wrong CA. Possibly the server simply doesn't trust the CA
you used, although when you say 'required authority'
I assume you mean required *by the server people*.
s_client or monitor as above will show if the server is
specifying 'preferred' CA(s) in its CertRequest message.
If it is, and your cert is not under that or one of them
(possibly through intermediates as above), that may be
the problem. But note that OpenSSL for one configures
the 'preferred' CA(s) separately from the trusted CA(s),
so a mismatch with this field isn't definitive.


I've tried generating a pkcs12 file that contained the client 
certificate, ca, root and client key and sent this to them. They have 
confirmed that it is valid.


I hope you 'sent' it to them in a secure fashion or else at least 
consider that key/cert pair 'compromised'. ;)


The last response had it seems that our server could not trust the 
certificate and failed to open the output stream at your end to pass 
the data which does not make any sense to me. Again they say import 
all of the certificates to your certificate trust store


Me thinks they don't understand Client Authentication/Digital 
Certificates. The server doesn't typically need to verify up to the 
root, they provide a list of acceptable client CA names during the 
handshake.


I'm using a CAfile that has all of the certificates in - as far as I 
am aware that makes openssl trust these certificates.




Do you have them in reverse hierarchy (Intermediate(s) to Root) when 
using '-CAfile'? I have seen some systems/programs flip out because 
certificates were out of order.


For the cert option I've tried PEM encoded files that have just the 
client cert in, one that has client and ca, and one with client, ca 
and root.
I've also tried these by converting the pkcs12 back to pem, which 
added some extra bits before each certificate section, none of these 
have made any difference.


Can the pkcs12 file be used directly by s_client - the docs I have 
show that only PEM and DER are supported? Does it support having this 
chain of certificates in the client cert file?


As far as I am aware PKCS12 files cannot be used by 

Re: Intermediate root CA's -- lost and confused :( **SOLVED**

2010-09-13 Thread Crypto Sal



On 09/13/2010 10:12 PM, Paul B. Henson wrote:

On Mon, 13 Sep 2010, Tim Hudson wrote:


You need to correct your server configuration so that it correctly sends
out the chain.

Ok, I figured out what was wrong. I only had the SSLCertificateChainFile
configured in the specific ssl virtual host, but not the default ssl
virtual host. When I added the SSLCertificateChainFile to the default
virtual host config as well as the specific ssl virtual host the server
started sending the chain.

That was a very frustrating and confusing ordeal 8-/. It's weird that the
browsers started working when I added it just to the specific ssl virtual
host config, that led me to believe the server was configured correctly
when it wasn't.

Thanks much to everybody that helped!





Paul,

Browsers tend to cache certificates they receive from servers, which is why, 
once you visited the properly configured site, all your other sites were 
working in that browser on that machine. IE does some wacky things in terms 
of verifying the certificate chain, so don't always trust it in terms of 
certificates.


For verifying certificates, I love using OpenSSL's s_client utility. It 
is a god-send! (So long as you know what you should be seeing.) Run 
'openssl s_client -connect SITE:port' (in some cases you can use the 
protocol name for standard stuff: https, pop3s, etc.) and then read the 
certificate chain section and forget all the rest (provided you know 
what you should see).


One key thing to remember is that with OpenSSL you don't necessarily have a 
default certificate store. (The same can be said for wget and others.) I do 
believe OpenSSL packages on Debian and Red Hat based systems (maintainer 
releases) use the system SSL directory '/etc/ssl/certs/' for root CAs, 
but remember it is best practice that the server present the whole chain 
minus the root CA, as the client must already have access to the root.


SSLCACertificateFile works on older versions of Apache 1.x and early 
versions of Apache 2.0.x the same way that SSLCertificateChainFile works 
on Apache 2.x nowadays.



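Added example, not from the thread: a Python check for the misconfiguration Paul describes, an SSL virtual host (here the default one) with no SSLCertificateChainFile. It walks every <VirtualHost> block that has 'SSLEngine on' and lists those with neither SSLCertificateChainFile nor SSLCACertificateFile (the older equivalent Sal mentions). The httpd.conf text is constructed and the paths in it are placeholders.

```python
"""Find SSL virtual hosts in an Apache config that do not send a chain.
Added example; SAMPLE_CONF is constructed and its paths are placeholders."""
import re

SAMPLE_CONF = """\
<VirtualHost _default_:443>
    ServerName default.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/default.crt
    SSLCertificateKeyFile /etc/ssl/private/default.key
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/www.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.test
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
# Either directive supplies the intermediates; the second is the older form.
CHAIN_DIRECTIVES = ("SSLCertificateChainFile", "SSLCACertificateFile")


def directive(body, name):
    """First argument of a directive inside one vhost body, or None."""
    m = re.search(rf"^\s*{name}\s+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None


def ssl_vhosts(conf):
    """Return (address, ServerName, body) for every vhost with SSLEngine on."""
    found = []
    for addr, body in VHOST_RE.findall(conf):
        if (directive(body, "SSLEngine") or "").lower() == "on":
            found.append((addr.strip(), directive(body, "ServerName"), body))
    return found


def vhosts_missing_chain(conf):
    """(address, ServerName) of SSL vhosts that configure no chain file.
    The default vhost answers connections for any name not matched
    elsewhere, so a gap there shows up only for some clients."""
    missing = []
    for addr, name, body in ssl_vhosts(conf):
        if not any(directive(body, d) for d in CHAIN_DIRECTIVES):
            missing.append((addr, name))
    return missing


if __name__ == "__main__":
    for addr, name in vhosts_missing_chain(SAMPLE_CONF):
        print(f"no chain file: <VirtualHost {addr}> ServerName {name}")
```

Apache 2.4.8 and later also accept the intermediates appended to the SSLCertificateFile, so on such a version a hit from this check is confirmed with s_client rather than taken as final.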


Re: Adobe Acrobat Certificates?

2010-08-16 Thread Crypto Sal

 On 08/16/2010 10:52 AM, Jakob Bohm wrote:

On 16-08-2010 11:51, Steve Roylance wrote:

Ivo,

GlobalSign offers Adobe CDS based certificates to the market so we are very
familiar with Adobe Acrobat.   If you want to create a simple PKCS#12 self
signed certificate and you have Acrobat Pro, then go into the 'Advanced'
settings menu 'Security Settings' and simply click on 'Add ID' and a wizard
will guide you through the process to end up with a PKCS#12 or an exportable
certificate in your Windows PC cert store.  It's very easy.


Nice feature for test signatures, but I don't think that's what the
OP wanted (see below).


If you ever then need a real CDS (Recognizable by PDF reader worldwide)
certificate GlobalSign would be pleased to help get one for you.


Nice plug, but I guess the OP wanted to issue locally trusted 
certificates signed by an in-house enterprise CA that runs on a Linux
machine and is based on OpenSSL (such as tinyCA, or Red Hat CA).

So maybe you (based on your experience) can tell the rest of us
exactly what makes an Adobe PDF Cert different from a generic X.509
cert?



Jakob,

From my experiences: NOTHING. (So long as it has digital signing enabled)

From what I have seen and know, Adobe CDS partners [ 
http://www.adobe.com/security/partners_cds.html ], get an intermediate 
certificate from Adobe, which they then use to issue digital signing 
certificates to Organizations or Individuals. (Entity/their customers). 
The only real benefit is much like having a publicly trusted SSL 
certificate from a CA (Verisign/GeoTrust, Comodo, Entrust, GlobalSign, 
GoDaddy, etc.) vs. that of a self-signed certificate in a browser. (It 
helps get rid of the browser nag, because what end-user wants to 
actually THINK before they do something?)


I do like the fact that Adobe gives end-users the ability to trust who 
they want (much like the friendly browsers do these days), when they 
want and they don't have to rely on Adobe to certify CAs especially 
since Adobe hasn't decided not to partner with some of the more popular 
global CAs such as Comodo, StartSSL, GoDaddy, etc. (Even though: 
Mozilla, Opera and Microsoft DO)


Hope this sheds some more light on the issue.



However, we await Steve's response.

--Sal



Re: 1.0.0o no fallback to SSLv2?

2010-08-15 Thread Crypto Sal

 On 08/14/2010 09:11 PM, Stefan de Konink wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Steve,

Op 15-08-10 01:52, Dr. Stephen Henson schreef:

OpenSSL 1.0.0 doesn't include any SSLv2 ciphersuites by default and new logic
means it doesn't send out an SSLv2 compatible client hello if it will never
use SSLv2. That effectively disables SSLv2 by default. Try a cipher
string that explicitly enables some SSLv2 ciphers.

Could you elaborate why this did work out of the box in 0.9.8 and breaks
with 1.0.0. Basically I found out that this site only seems to accept
SSLv2. Of course I can specify what protocol to use manually, (I
actually hacked the httplib in Python for it already), but from
usability point of view: why did this break?

Is it possible to configure to use SSLv2 anyway?


Stefan




Stefan,

SSLv2 should no longer be used. It's old, weak and it has been 
deprecated. Anyone still using it needs a swift kick in the rear (Much 
like anyone using Windows ME and below). It's like guarding a million 
dollars with only a chain lock.



Re: Stunnel 4.29 released

2009-12-03 Thread Crypto Sal

Works fine for me on Windows 7 (IE 8 and FF 3.5.5)



On 12/03/2009 03:02 PM, Carter Browne wrote:

I think it is a problem with your website - the copy on the backup site
works properly.  The browsers think the .exe file is a directory not a
file.  I've had no problems with earlier versions (starting with 4.14).

Carter

Carter Browne
CBCS
cbro...@cbcs-usa.com
781-721-2890



Michal Trojnara wrote:

Carter Browne wrote:

The link to stunnel-4.29-installer.exe is broken in both Firefox (error
505) and IE8.  The other links I tried were ok.

I guess there is a policy on your Windows machine to disallow
downloading .exe files with a web browser.

You could try to use an FTP client instead of a web browser.

Mike


Re: how to merge multiple public domain certs into one file?

2009-11-16 Thread Crypto Sal

On 11/16/2009 03:46 AM, Hécber Córdova wrote:

Since 0.9.8f OpenSSL supports the SNI (server name indication) TLS
extension. Support for this extension in mod_ssl has been discussed on
httpd-...@apache.org for years, and even if it hasn't yet got into a
release, you can definitely find patches in the Apache bugzilla.

So, it is theoretically possible for Apache to know the name of the virtual
host at the stage of the TLS handshake. But only if the browser supports this
extension (it seems that all modern browsers do).
   

Hello,

I'll disagree with you on the "all modern browsers do" part. SNI is not 
supported on Windows XP (only Vista and up). This affects IE 6 through IE 
8, Safari and Google Chrome [or any client that relies on Windows 
Crypto] (which by all definitions IE8, Safari 3+ and Google Chrome ARE 
modern browsers). Firefox 2.x+ and Opera 8+ are unaffected because they 
are on their own.


Also, in 0.9.8f, SNI is not enabled by default. I do believe that it is 
enabled by default as of 0.9.8j.



Re: cURL, paypal, and .cer files

2009-08-23 Thread Crypto Sal

On 08/20/2009 10:25 PM, btate wrote:

I'm trying to integrate with paypal's payflow gateway via cURL.  I can't for
the life of me get their certificates right and neither paypal nor verisign
seem to have any idea how to do it.  So I'm going to ask here.

I basically have a bunch of .cer files that are necessary to connect to
payflow.paypal.com.  I'm on red hat 9 with apache 1.3.  What do I do with
those files?  I've tried passing them with cURL, and that doesn't seem to be
working.  How do I add them to apache's keystore?

I've been at this for days and nobody seems to know what to do.  I'm getting
pretty desperate.  I can use cURL to connect to any site except the gateway
and from what I'm told it's SSL cert related.  If anybody has any theories
I'd love to hear them.

Thanks,
Brandon
   



Hey Brandon,

What error messages are you getting back from cURL? Unknown CA?


Re: Howto create a certificate for multiple domains?

2009-08-12 Thread Crypto Sal

On 08/12/2009 09:50 AM, Goetz Babin-Ebell wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

deblarinteln schrieb:
| Hi,
|
| well I have to create a certificate for our main domain as well as for some
| subdomains.
|
| The structure will look pretty much like this:
|
| mydomain.tld
| mail.mydomain.tld
| owa.mydomain.tld

It is called subjectAltName extension.


Goetz



On 08/12/2009 03:15 AM, deblarinteln wrote:
 Hi,

 well I have to create a certificate for our main domain as well as for some
 subdomains.

 The structure will look pretty much like this:

 mydomain.tld
 mail.mydomain.tld
 owa.mydomain.tld

 ...



http://sandbox.rulemaker.net/ngps/m2/howto.ca.html -- To be your own CA.

http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_ -- What Goetz was getting at.


# all names go on one comma-separated subjectAltName line in the extension section
subjectAltName=DNS:mydomain.tld,DNS:mail.mydomain.tld,DNS:owa.mydomain.tld
...
So and so forth. (via OpenSSL)

I do believe that in Exchange 2007 you're able to use the 
New-ExchangeCertificate cmdlet to create a SAN self-signed certificate, 
if you want to go that route. Unless you're looking to be your own CA.


http://technet.microsoft.com/en-us/library/aa998327.aspx







 Has anyone of you an idea how to get that done, so that the cert can finally
 be imported/installed on the exchange 2007 server? What I have found so far
 is that the Exchange server has to get a .cer file.

 All your help is highly appreciated!

 Thanks in advance
 Niels


Exchange 2007 will accept either a PKCS7 (CER, usually) file -or- a PEM 
encoded CRT file.








__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Maximum RSA/DSA key length

2009-07-30 Thread Crypto Sal

On 07/30/2009 08:05 AM, Alexander Lamaison wrote:

I'm calling PEM_read_bio_RSAPrivateKey and PEM_read_bio_DSAPrivateKey
with private keys loaded from files on disk.  I read the file into a
string, put that into a BIO and then call the function.

At the moment, I'm reading the entire key file into memory but, of
course, this isn't very safe.  The user could accidentally specify a
huge file and this would try to read all of it into a string.  What is
the maximum size of the RSA/DSA key files that OpenSSL can read?  I
can just return an error if the file exceeds that.  I've tried to find
a specification for the key files but not had much success.

Many thanks.

Alex Lamaison
--
http://swish.sourceforge.net


Alex,

It would probably be a safe bet to stick with RSA between 1024 
(the US Govt will consider 1024 to be weak by the end of 2010) and 8192. As 
the key size goes up, the more horsepower you need. This is on my quad 
9850... (2.6GHz x 4)


               sign       verify     sign/s   verify/s
rsa 1024 bits  0.001958s  0.87s       510.8    11437.3
rsa 2048 bits  0.010719s  0.000276s    93.3     3617.8
rsa 4096 bits  0.066419s  0.000972s    15.1     1028.8

All done with: openssl speed rsaX, where X is 1024, 2048, 4096.

DSA
               sign       verify     sign/s   verify/s
dsa 1024 bits  0.000860s  0.001033s  1162.5      967.8
dsa 2048 bits  0.002696s  0.003171s   370.9      315.3


In my personal opinion, RSA 1024 and 2048 are the only key sizes you 
might want to accept for performance reasons right now... unless 
you can get ECC to work. :-P


Hope this helps...





Re: cannot create openssl master certificate on my Exchange2007 Server!Help needed!

2009-07-22 Thread Crypto Sal
Exchange 2007 will accept either a CER file (binary encoded PKCS7 file or 
straight up PEM encoded PKCS7 file) or a PEM (Base64) encoded crt file 
via the *Import-ExchangeCertificate* cmdlet. The same can be said for IIS 6 
and 7. Both default to the CER container format.


Exchange 2007 has a function to create its own self-signed certificate 
by using the *New-ExchangeCertificate* cmdlet. The TechNet docs cover 
this topic.


Are you looking to go through the IIS SSL how-to to become your own CA 
with its own chain of trust, or were you looking just for a way to use 
SSL/TLS on Exchange 2007 to secure the various services (AutoDiscover, 
ActiveSync, IMAP, POP, SMTP, OWA, etc.)? The only problem with becoming 
your own CA is you'd have to distribute the Root Certificate to *ALL* 
clients or else it will error out when they connect to it. It might be 
better to go with something more ubiquitous (something that's pretty 
much everywhere) than becoming your own CA.


You may want to take a look at the offerings of one of the companies 
that Microsoft recommends [ http://support.microsoft.com/kb/929395 ] for 
Exchange 2007 class certificates such as the ones offered by Comodo [ 
http://www.comodo.com/msexchange ] as these can be pretty headache free.


There's no technological difference between what an OpenSSL CA puts 
forth vs. what a commercial CA does. The only real difference is 
the ubiquity and the cost to your wallet (for which Comodo doesn't charge 
very much, as opposed to Greedysign [verisign]).


Hope this helps!



On 07/22/2009 04:55 AM, deblarinteln wrote:

Okay, that went fine! Thanks for your help. Now I tried to work through the
KB article but I don't get it, to be honest. As far as I understand what type
of certificate Exchange wants, I'd say that the Exchange 2007 server expects a
*.cer file. To get this I should somehow get a *.txt file and convert that
into a *.cer. Am I right? What do I have to do to get a *.txt file to be able
to convert that into a *.cer?
   




Re: creating a certificate chain

2009-06-06 Thread Crypto Sal

On 06/06/2009 05:35 PM, Jerry Wang wrote:

Hi,

Does OpenSSL already have a function for creating a certificate chain?

Thanks,
Jerry



Jerry,

It depends how you mean it. Do you want OpenSSL to create the Root and 
the Intermediates and then the Entity cert? Or are you looking for 
OpenSSL to concatenate a bunch of certs into one file?



Re: TLS w/LDAP

2009-05-30 Thread Crypto Sal

On 05/30/2009 12:52 AM, John Kane wrote:

Thanks for the response, Kyle.

I've pretty much deduced what the error is, but just cannot figure out where it is coming 
from.  It only happens when I turn on TLS for LDAP.  There are really no 'variables' 
defined in the LDAP configs; nothing using the '[ $blah = blahblah ]' 
syntax... that is why I turned to this list hoping to find what other file (non-ldap) 
might be read ONLY when I had 'ssl start_tls' set in my ldap config.

John


   

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
us...@openssl.org] On Behalf Of Kyle Hamilton
Sent: Friday, May 29, 2009 10:19 PM
To: openssl-users@openssl.org
Subject: Re: TLS w/LDAP

That's an error in the script you're launching at startup.  I don't
know what it is, but I'd bet there's an unquoted '[' character
somewhere that is only evaluated when TLS LDAP is enabled.  (see the
'-bash: ' at the beginning of the line?  That tells you that bash is
generating the error message.)

-Kyle H

On Fri, May 29, 2009 at 1:34 PM, John Kane
john.k...@prodeasystems.com  wrote:

I just turned on TLS on my LDAP (per instructions on
http://www.openldap.org/faq/data/cache/185.html).  Now all of my Linux
servers give the following error on login:

-bash: [: =: unary operator expected

The error goes away when I turn TLS back off.  I cannot determine what
is causing this error, or even which file contains the error.  I've gone
through my LDAP config file, cannot find an issue in any of these.

Other than my cacert.pem, and the LDAP config files, are there other
files that are read only when TLS is turned on?

Thanks,
John

 Here's my configs 

I turn on TLS by adding the following in my /etc/ldap.conf (pam/nss
file):

ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts/

and have the following in my /etc/openldap/ldap.conf (openldap file):

HOST 172.25.3.97
BASE dc=example,dc=net
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow

and my (self-signed) cacert:snip





John,

I feel that having TLS_CACERTFILE and TLS_CACERTDIR both defined is 
causing a problem. I suggest sticking with TLS_CACERTFILE and 
commenting out the other. On the OpenLDAP side [(openldap file)] ... 
make it TLS_CACERT and reference the cacert.pem file instead of using 
the TLS_CACERTDIR directive.


Hope this helps,

---Sal
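The "-bash: [: =: unary operator expected" message Kyle diagnoses above is what an unquoted, empty variable inside a '[' test produces. As an added example (not from this thread), here is the buggy form beside the quoted fix; TLS_FLAG is a made-up stand-in for whatever login-script variable ends up empty only when TLS is switched on.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why an unquoted variable in a
# '[' test produces "[: =: unary operator expected" and how quoting fixes it.
# TLS_FLAG is a made-up stand-in for the login-script variable that is empty
# only when TLS is enabled; start with it unset, as at a fresh login.
unset TLS_FLAG

# Buggy form. With TLS_FLAG empty the command becomes "[ = yes ]": the
# left operand is gone, test cannot parse it, and the shell prints the
# error seen at login (exit status 2, which the if then treats as false).
check_unquoted() {
    if [ $TLS_FLAG = yes ]; then echo on; else echo off; fi
}

# Fixed form. The quotes keep an empty string as an operand, so the command
# is [ "" = yes ], which is well-formed and simply false.
check_quoted() {
    if [ "$TLS_FLAG" = yes ]; then echo on; else echo off; fi
}

# Returns 0 when the unquoted test fails with a usage error (status 2)
# rather than a plain false (status 1); that status is the signature of
# the bug and the thing to grep a login script for.
unquoted_is_syntax_error() {
    if [ $TLS_FLAG = yes ] 2>/dev/null; then rc=0; else rc=$?; fi
    [ "$rc" -eq 2 ]
}

# Demo: the buggy check prints the error on stderr, the fixed one is silent.
echo "unquoted: $(check_unquoted)"
echo "quoted:   $(check_quoted)"
TLS_FLAG=yes
echo "quoted with TLS_FLAG=yes: $(check_quoted)"
unset TLS_FLAG
```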




Re: Passing parameters to openssl for CSR

2009-01-27 Thread Crypto Sal

On 01/27/2009 08:57 PM, Thor wrote:

Hi guys,

I'm wondering if it's possible to pass parameters to openssl when 
creating a CSR, specifically the country name, state name, locality 
name, organization name, common name etc?


The reason being, I ideally would like to automate the process of 
creating a CSR and have it not require user input (other variables 
would be passed to it by default from an outside source).


Something like...

openssl req -days 3650 -nodes -new -keyout user.key -out user.csr -config -countryname SE -commonname user ...


Any help would be appreciated,

Thanks.


Thor,

Have you checked out the man pages for the req program? It seems you'd 
want the -subj flag.


http://www.openssl.org/docs/apps/req.html


Here's a sample generation:

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr \
    -subj "/C=GB/ST=Yorks/L=York/O=MyCompany Ltd./OU=IT/CN=mysubdomain.mydomain.com"


Hope this helps


Re: One certificate for both hostname and IP

2009-01-26 Thread Crypto Sal

On 01/26/2009 08:40 PM, Marco De Vitis wrote:

Il giorno 26/gen/09, alle ore 05:14, Crypto Sal ha scritto:

Do any other clients (s_client, web browser, etc) exhibit the same 
behavior or an error message? If yes, what's the error response?


Well, I currently do not know how to apply that certificate to an HTTP 
server to test it with browsers. Both Firefox and IE refuse to connect 
on POPS port 995, of course.


Well, you should be able to set up Apache2 to use your certificate quite 
easily and the Apache docs are quite easy to follow. All you'd have to 
do is move the key and certificate over to an area that Apache has 
access to, modify the SSL-appropriate settings and things should be 
alright, and you'll see if browsers choke too or if it's just M$ products. I would 
also try Thunderbird and other email clients on the email server side of 
things.




For s_client see below.

When you use s_client to connect to your mail server does it pass 
verification through both ways, IP and DNS?


I never used s_client before. I tried it now, but it doesn't seem to 
care at all about the CN difference: as far as I can see, as long 
as I pass it the CA cert with the -CAfile option, it doesn't return 
any verification error, not even when I connect to the server with a 
totally different name from the ones stored in CN or subjectAltName!


It just outputs verify return:1 for both the server and CA 
certificates which build up the chain.


So, s_client seems a bit too relaxed to me, or am I missing anything?



That's because you're only verifying the chain of trust, you are not 
verifying host name. This is in the latest development version of 
OpenSSL. Sorry, you did mention you were on 0.9.8c. Very sorry about this.


Can you do an s_client and dump the cert to OpenSSL's x509 and read 
the cert? Do the SubjectAltNames appear in the X509v3 Subject 
Alternative Name section when doing so?


How can I dump the certificate using s_client? I can't see anything 
about this in its man page.


openssl s_client -connect HOST_NAME:PORT -starttls pop3 | openssl x509 -text -noout


Alternatively, openssl x509 -text -noout -in YOUR_CERT_HERE, and you can 
read the text output of the certificate instead of its hashed value.






What is the *exact* error you get with the Microsoft Products when 
you use this format? Hostname Mismatch? Untrusted Cert?


I'd say Hostname Mismatch. Both OE and Outlook just show a dialog 
containing no deep tech info, but they simply complain about the name 
of the server not being the same contained in the provided certificate.




Usually Outlook will display a box with a series of checks and red X's. 
I am pretty sure it has three areas and in most cases it is the last one 
that it fails on. I wish I had a screenshot for you. I just saw one the 
other day too.




Re: One certificate for both hostname and IP

2009-01-25 Thread Crypto Sal

On 01/25/2009 11:35 AM, Marco De Vitis wrote:

Il giorno 24/gen/09, alle ore 16:54, Dr. Stephen Henson ha scritto:


You don't say which give a warning. If you use the IP version in
subjectAltname do you get a warning for the hostname or the IP address?

If the hostname but not IP address try adding a second value, 
DNS:whatever.com


If I use:

subjectAltName = IP:192.168.1.5

...then both OE and Outlook show a warning when I set them up to use 
the IP address.

In other words, they behave as if the Alternative Name did not exist.

I do not understand if your suggestion was meant for this case, but I 
tried it anyway, using:


subjectAltName = IP:192.168.1.5,DNS:mail.foo.org

...where mail.foo.org is the same hostname as the main CN, but both 
mail clients show the same warning, nothing changed.


Any more ideas?
Thank you very much.




Marco,

Do any other clients (s_client, web browser, etc) exhibit the same 
behavior or an error message? If yes, what's the error response?


When you use s_client to connect to your mail server does it pass 
verification through both ways, IP and DNS?


Can you do an s_client and dump the cert to OpenSSL's x509 and read the 
cert?  Do the SubjectAltNames appear in the X509v3 Subject Alternative 
Name section when doing so?


What is the *exact* error you get with the Microsoft Products when you 
use this format? Hostname Mismatch? Untrusted Cert?


CN=mail.foo.org
subjectAltName = IP:192.168.1.5, DNS:mail.foo.org

--Sal
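Three of the threads above fit one script: the "certificate for multiple domains" thread (names in a subjectAltName extension), the "passing parameters for CSR" thread (a prompt-free -subj) and this hostname/IP thread (a chain that verifies is not the same as a name that matches). This is an added example, not code from any of the posts; it assumes the openssl CLI is on PATH (1.0.2 or later for -checkhost/-checkip) and every name and address in it is made up.

```shell
#!/bin/sh
# Added example, not code from any of these threads. It ties three of them
# together: a prompt-free request via -subj, extra hostnames carried in a
# subjectAltName extension read from a small -config file, and a check of
# which names or IP addresses the finished certificate really matches (the
# name check that 0.9.8c s_client did not do). Assumes the openssl CLI on
# PATH (1.0.2 or later for -checkhost/-checkip); every name is made up.

# Write a minimal req config to $1. A distinguished_name section must exist
# even though -subj supplies the subject; v3_req carries the SAN list.
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_req

[ req_dn ]
CN = placeholder-never-used-when-subj-is-given

[ v3_req ]
subjectAltName = IP:192.168.1.5,DNS:mail.foo.org,DNS:owa.foo.org
EOF
}

# Create key and self-signed cert in directory $1 without a single prompt.
make_cert() {
    write_req_config "$1/req.cnf"
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 \
        -keyout "$1/server.key" -out "$1/server.crt" -config "$1/req.cnf" \
        -subj "/C=GB/ST=Yorks/L=York/O=MyCompany Ltd./OU=IT/CN=mail.foo.org" \
        2>/dev/null
}

# Print the SAN entries of cert $1 on one line with spaces removed
# (openssl prints IP entries as "IP Address:").
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Exit 0 when DNS name $2 matches cert $1. openssl prints "does match" or
# "does NOT match" and exits 0 either way, so the text is what to inspect.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Same for IP literal $2; an address only matches an IP: entry, never a CN.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# Demo run: mail/owa match, www does not, the IP matches only as an IP.
work=$(mktemp -d)
make_cert "$work"
echo "SAN: $(cert_sans "$work/server.crt")"
for name in mail.foo.org owa.foo.org www.foo.org 192.168.1.5; do
    cert_matches_host "$work/server.crt" "$name" && echo "$name: host ok" || echo "$name: no host match"
done
```

The last loop iteration is the point of this thread: 192.168.1.5 fails the hostname check even though it is in the SAN, because an address only matches through cert_matches_ip.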
