from:"Tom Browder"

Test failures with compiled OpenSSL 3.0.3 on Debian 11, 64 bit

2022-05-27 Thread Tom Browder

I used the following config input for openssl 3.0.3 based on my
previous successes with 1.1.1m (and earlier versions) and Ivan
Ristic's latest configuration:

config \
--prefix=/opt/openssl-3.0.3   \
--openssldir=/opt/openssl-3.0.3   \
no-shared \
-DOPENSSL_TLS_SECURITY_LEVEL=2  \
no-ec2m \
no-rc5  \
no-idea \
enable-ec_nistp_64_gcc_128

After compiling successfully, I ran (as a normal user) "make test" and
got several failures:

Failed 1/3 subtests
#   Failed test 'Revoke certificate and generate CRL: notimes'
Failed 10/15 subtests
# ExpectedResult mismatch: expected Success, got ClientFail.
# ExpectedResult mismatch: expected Success, got ClientFail.
# ExpectedResult mismatch: expected Success, got
FirstHandshakeFailed.
# ExpectedResult mismatch: expected Success, got
FirstHandshakeFailed.
# ExpectedResult mismatch: expected Success, got ClientFail.
# ExpectedResult mismatch: expected Success, got ClientFail.
# ExpectedResult mismatch: expected Success, got
FirstHandshakeFailed.
# ExpectedResult mismatch: expected Success, got
FirstHandshakeFailed.
#   Failed test 'running ssl_test 12-ct.cnf'
Failed 1/30 subtests
Failed 6/27 subtests
#   Failed test 'running sslapitest'
Failed 1/1 subtests
60-test_x509_store.t (Wstat: 256 Tests: 3 Failed: 1)
  Failed test:  1
80-test_ca.t (Wstat: 256 Tests: 7 Failed: 2)
  Failed tests:  1, 7
80-test_ssl_new.t(Wstat: 256 Tests: 30 Failed: 1)
  Failed test:  12
80-test_tsa.t(Wstat: 256 Tests: 22 Failed: 1)
  Failed test:  1
90-test_sslapi.t (Wstat: 256 Tests: 1 Failed: 1)
  Failed test:  1

Note I also get similar failures with version 1.1.1o.

I will file a bug with the full config dump output along with the full
output of the test run if the above config input looks reasonable.

Best regards,

-Tom

Re: Need some help signing a certificate request

2021-08-21 Thread Tom Browder

On Sat, Aug 21, 2021 at 09:21  wrote
...

> When I type ‘openssl ca -config .\openssl.cnf -in ../server/req.pem -out
>
I don't do wndows, but your directory separators are not consistent--not
sure of the effect.

-Tom

Re: Compiling OpenSSL without compabitlity with for OpenSSL 1.0

2020-09-10 Thread Tom Browder

On Thu, Sep 10, 2020 at 06:58 Bjoern Bidar  wrote:

> It was version 1.1.1g.


What OS? I had to to some fiddling with packages and options for Debian 10
Buster to get a good compile.

I have documented my journey if you're interested.

Best regards,

-Tom

Re: Private CA client cert file for iPad for a website

2020-06-25 Thread Tom Browder

On Thu, Jun 25, 2020 at 10:18 Dirk-Willem van Gulik 
wrote:

> On 25 Jun 2020, at 17:14, Tom Browder  wrote

...

> > Can anyone tell me how to generate an acceptable client cert for an iPad?

...

> Have a play with https://interop.redwax.eu/rs/scep/

Thanks, Dw, that looks like exactly what I'm looking for for Apple devices!

-Tom

Private CA client cert file for iPad for a website

2020-06-25 Thread Tom Browder

Can anyone tell me how to generate an acceptable client cert for an iPad?

I have so far been unable to find out the file format needed.

I generated client cert files for my classmates over seven years ago in p12
format and they still work fine on Linux, Mac, and Windows devices but I
want to (1) update all certs to modern standards and (2) add usable certs
for iOS and android devices as well as the existing format.

I am currently running OpenSSL 1.1.1g on Debian Buster.

Any help would be appreciated.

Blessings,

-Tom

Re: [openssl-users] Personal CA: are cert serial numbers critical?

2017-08-16 Thread Tom Browder

On Wed, Aug 16, 2017 at 08:36 Salz, Rich via openssl-users <
openssl-users@openssl.org> wrote:

> ➢ So, in summary, do I need to ensure cert serial numbers are unique for
> my CA?
>
> Why would you not?  The specifications require it, but those
> specifications are for interoperability. If nobody is ever going to see
> your certs, then who cares what’s in them?

Well, I do like to abide by specs, and they will be used in various
browsers, so I think I will continue the unique serial numbering.

Thanks, Rich.

Best regards,

-Tom
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Personal CA: are cert serial numbers critical?

2017-08-16 Thread Tom Browder

On Wed, Aug 16, 2017 at 08:32 Michael Ströder <mich...@stroeder.com> wrote:

> Tom Browder wrote:

...

> > So, in summary, do I need to ensure cert serial numbers are unique for my
> > CA?
>
> Yes, serial numbers should be unique per issuer-DN because the 2-tuple
> (issuer-DN, cert serial no.) is expected to be unique in several protocols.


Okay, that's good enough reason for me,

Thanks, Michael.

Cheers!

-Tom
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Personal CA: are cert serial numbers critical?

2017-08-16 Thread Tom Browder

Many years ago I started a CA for one group I manage for a private website,
and now I want to update members' client certs for the stricter
requirements for browsers.

My original cert generation was entirely automated including the following:

+ CN for each is an e-mail address for the member

+ the passphrase for each member's cert is determined from a pre-generated
list by me, it will not change

I plan to tidy my automation before the issue of new certs, but I wonder
how critical it is to ensure unique certificate serial numbers given that
the certs are only used for us.  I'm not even sure I'll ever revoke any
cert (they were issued to expire sometime in 2030).

So, in summary, do I need to ensure cert serial numbers are unique for my
CA?

With warmest regards,

-Tom
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] OpenSSl functions ("apps"): Is arg order significant?

2017-08-06 Thread Tom Browder

On Sun, Aug 6, 2017 at 16:56 Salz, Rich via openssl-users <
openssl-users@openssl.org> wrote:

> > Looking at the man page for dsa it doesn't seem that the order of
> arguments is critical

...

> You mean flags and values, like "-foo" and "-bar asdf" ?  Yes, the order
> of flags does not matter, except in some special cases that are (hopefully)
> noted in the docs.


Thanks, Rich!

Best regards.

-Tom
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] OpenSSl functions ("apps"): Is arg order significant?

2017-08-05 Thread Tom Browder

Looking at the man page for dsa it doesn't seem that the order of arguments
is critical as long, of course, as each arg that takes a value has an
approriate entry.

If that is true for dsa, is it true for similar functions such as rsa,
x509, etc.?

Thanks.

Best regards,

-Tom
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] [ssllabs-discuss] Apache configuration

2017-07-20 Thread Tom Browder

On Thu, Jul 20, 2017 at 2:14 PM, Reindl Harald  wrote:
...
> before having the cluster 2015 in VMware EVC mathcing sandybridge i thought
> "well, the hardware is capable" but VMware filtered out AVX instrcutions and
> everything using openssl crashed with "illegal cpu instuction" which proved
> the compile flags worked but the binary where magnitudes slower with AES
> than the ordinary Fedora ones - hard to say but i guess something optimized
> the AES instructions from the runtime detection away

It sounds to my novice ears that at least some of the problem is in
the VM layer.  My system is a native-iron one so shouldn't I have a
better chance at success?

-Tom
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] [ssllabs-discuss] Apache configuration

2017-07-20 Thread Tom Browder

On Thu, Jul 20, 2017 at 1:57 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
>>> Am 20.07.2017 um 18:02 schrieb Tom Browder
>>>> On Thu, Jul 20, 2017 at 10:54 AM, Reindl Harald <h.rei...@thelounge.net>
>>>> wrote
...
>> P.S.  Of course the other part of my motivation in the past has been
>> to see if it can be made to work, regardless of need (due to my
>> butt-head gene from my father's side of the family)
>
...
> well, openssl is the straight to hell
>
> load something into your webserver built against 1.1 and have fun when a
> system library loads 1.0.x by watching the crash

Then what about Ivan's recommendation about installing openssl
alongside a system-wide one?  If that can't be done reliably, surely
there has been a bug report submitted. (I haven't looked at bugs in a
long time)?

-Tom
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FW: Website changing this weekend

2015-08-21 Thread Tom Browder

On Thu, Aug 20, 2015 at 4:54 PM, Salz, Rich rs...@akamai.com wrote:

 I'm curious why the new download page lists version 1.01p before version
 1.02d?
 Is it suggesting that users download the 1.01 branch instead of the later 
 one?

 They're listed in time-order, not alpha order.  Should perhaps  fix that.

The way you name versions doesn't help, but, IMHO, you should have two listings:

1. Something like Latest Version (latest version only of openssl and FIPS).

2. Then something like Other Versions (whatever else you want to
show on the page).

Much less confusing to me.

Best,

-Tom
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-21 Thread Tom Browder

On Sun, Jul 19, 2015 at 11:00 AM, Tom Browder tom.brow...@gmail.com wrote:
 On Thu, Jul 9, 2015 at 12:00 PM, Viktor Dukhovni
 That surely means that you're compiling some patched version or
 not even 1.0.2d.

 No, it's the correct version.

 But just now, after building gcc-5.2.0 and using it to rebuild
 openssl, all the warnings went away just as Matt said (although the
 jobserver doesn't work for some reason).

I lied.  After rebuilding gcc 5.2.0 and rechecking I get the following
warnings from building 1.0.2d:

ec_key.c: In function 'EC_KEY_set_public_key_affine_coordinates':
ec_key.c:369:26: warning: variable 'is_char_two' set but not used
[-Wunused-but-set-variable]
 int ok = 0, tmp_nid, is_char_two = 0;
  ^
d1_both.c: In function 'dtls1_retransmit_message':
d1_both.c:1261:9: warning: 'save_write_sequence' may be used
uninitialized in this function [-Wmaybe-uninitialized]
 memcpy(s-s3-write_sequence, save_write_sequence,
 ^

Best,

-Tom
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-19 Thread Tom Browder

On Thu, Jul 9, 2015 at 12:00 PM, Viktor Dukhovni
openssl-us...@dukhovni.org wrote:
 On Thu, Jul 09, 2015 at 11:50:25AM -0500, Tom Browder wrote:
 On Thu, Jul 9, 2015 at 10:22 AM, Viktor Dukhovni
 openssl-us...@dukhovni.org wrote:
  On Thu, Jul 09, 2015 at 09:47:00AM -0500, Tom Browder wrote:
 Yes, and you're right about the function--weird, but maybe Matt's
 e-mail points out the real problem.

 That surely means that you're compiling some patched version or
 not even 1.0.2d.

No, it's the correct version.

But just now, after building gcc-5.2.0 and using it to rebuild
openssl, all the warnings went away just as Matt said (although the
jobserver doesn't work for some reason).

Best regards,

-Tom
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-09 Thread Tom Browder

I get the following warnings from compiling the latest openssl with gcc 4.7.2:

ec_key.c: In function 'EC_KEY_set_public_key_affine_coordinates':
ec_key.c:369:26: warning: variable 'is_char_two' set but not used
[-Wunused-but-set-variable]

ecp_nistp224.c: In function 'batch_mul':
ecp_nistp224.c:1105:29: warning: array subscript is above array bounds
[-Warray-bounds]

ecp_nistp256.c: In function 'batch_mul':
ecp_nistp256.c:1631:28: warning: array subscript is above array bounds
[-Warray-bounds]

ecp_nistp521.c: In function 'batch_mul':
ecp_nistp521.c:1457:29: warning: array subscript is above array bounds
[-Warray-bounds]

I'm not real current with C so I'm not in a great position to
criticize, but can't those warnings (if there is truly no problem) be
eliminated (at least in gcc) with a pragma?

Thanks.

Best regards,

-Tom
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-09 Thread Tom Browder

On Thu, Jul 9, 2015 at 10:25 AM, Matt Caswell m...@openssl.org wrote:


 On 09/07/15 15:47, Tom Browder wrote:
 I get the following warnings from compiling the latest openssl with gcc 
 4.7.2:

 ec_key.c: In function 'EC_KEY_set_public_key_affine_coordinates':
 ec_key.c:369:26: warning: variable 'is_char_two' set but not used
 [-Wunused-but-set-variable]

 I don't get this by default, but can force it by compiling with no-ec2m.
 I assume that is what you are using? Its harmless but should be fixed.

Yes, you are correct.  I should have been more specific: I am using
openssl version 1.0.2d, and here is my configuration script:

$ cat openssl-config.sh
SSLDIR=/opt/openssl
./config \
no-ec2m \
no-rc5  \
no-idea \
threads \
zlib-dynamic\
shared  \
--prefix=${SSLDIR}  \
--openssldir=${SSLDIR}  \
enable-ec_nistp_64_gcc_128

 ecp_nistp521.c: In function 'batch_mul':
 ecp_nistp521.c:1457:29: warning: array subscript is above array bounds
 [-Warray-bounds]

 These only get compiled with enable-ec_nistp_64_gcc_128, but even with
 that I don't see these warnings. Perhaps a gcc issue fixed in later
 versions? I'm using gcc 4.9.2

Hm, I've been looking for an excuse to build the latest gcc, now I have.

But I haven't tried clang yet so here goes...

Thanks, Matt.

Best,

-Tom
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Warnings Compiling openssl 1.0.2d

2015-07-09 Thread Tom Browder

On Thu, Jul 9, 2015 at 10:22 AM, Viktor Dukhovni
openssl-us...@dukhovni.org wrote:
 On Thu, Jul 09, 2015 at 09:47:00AM -0500, Tom Browder wrote:
...
 ecp_nistp224.c: In function 'batch_mul':
 ecp_nistp224.c:1105:29: warning: array subscript is above array bounds
...
 In my copy of 1.0.2d, line 1105 of that file is in select_point(),
 not batch_mul().  Are you sure you're compiling the right code?

Yes, and you're right about the function--weird, but maybe Matt's
e-mail points out the real problem.

Thanks, Viktor.

-Tom
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Coverity Scan: Would/DId It Catch the Heartbleed Defect?

2014-04-16 Thread Tom Browder

Is OpenSSL participating in the Coverity free scanning program for
open source software?  If not, it might have caught the Heartbleed
bug.  If so, why did it miss it?

See this link for the latest report on open source statistics:

  http://softwareintegrity.coverity.com/register-for-scan-report-2013.html

Kind regards,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Coverity Scan: Would/DId It Catch the Heartbleed Defect?

2014-04-16 Thread Tom Browder

On Wed, Apr 16, 2014 at 5:38 AM, Hanno Böck ha...@hboeck.de wrote:
 On Wed, 16 Apr 2014 05:25:58 -0500
 Tom Browder tom.brow...@gmail.com wrote:

 Is OpenSSL participating in the Coverity free scanning program for
 open source software?
...

Thanks for the link, Hanno!

Regards,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Why doees an SSL client cert have a private/public key embedded?

2012-10-21 Thread Tom Browder

I have successfully generated SSL client certificates for my Apache
web site users, and we have successfully tested them using it to
access my restricted areas on my web site.

One thing I'm not sure of is why there is a private/public key pair in
the client certs.  Hopefully it's not the same private key used to
generate the CSR, or is it?

In any event, why is it needed?

All I am using the certs for is to allow access to my site which is
done by (as I understand it) Apache checking that (1) the client cert
hasn't been revoked and (2) it has been signed by me as the CA.

BTW, I currently have not put any restrictions in the client certs.
Would that make a difference?  I will test that while I await any
responses.

Thanks for any help.

Best regards,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Why doees an SSL client cert have a private/public key embedded?

2012-10-21 Thread Tom Browder

On Sun, Oct 21, 2012 at 2:34 PM, Martin v. Löwis mar...@v.loewis.de wrote:
 Am 21.10.12 19:25, schrieb Tom Browder:

 I have successfully generated SSL client certificates for my Apache
 web site users, and we have successfully tested them using it to
 access my restricted areas on my web site.

 One thing I'm not sure of is why there is a private/public key pair in
 the client certs.

 You must be misinterpreting what you are seeing. The certificate
 data structure isn't capable of storing private keys, so if you see
 the private key embedded somewhere, it's not a client cert it is
 embedded in.

Martin, you are correct--I got mixed up over some other thing and
thought I saw info on a private key in a client certificate.  However,
I just checked the cert. again in two browsers (Firefox and Chrome),
as well as with openssl, and see no reference to a private key.

Sorry for the false alarm.

Thanks, Martin.

Best regards,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Mac OS X and SSL Client Certitficates [UPDATE]

2012-10-14 Thread Tom Browder

On Fri, Oct 12, 2012 at 8:59 AM, Tom Browder tom.brow...@gmail.com wrote:
 I have successfully generated SSL client certs (generated with openssl
 1.0.1c) used by Safari, Firefox, and Chrome on Linux and Windows plus
 IE 9 on Windows, but I cannot get successful access with either Safari
 or Firefox on Mac OS X.

 When I try on Mac/Safari I get the error:

   The server did not accept the certificate. (NSURLErrorDomain:-1205)

 When I try on Mac/Firefox I get the error:

Firefox does work fine.  I had let the server CA cert that signed
client certs expire.

Chrome also works on mac OS X.

However, neither Safari nor Opera work--bug reports have been filed
with the developers.

Best,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Mac OS X and SSL Client Certitficates

2012-10-12 Thread Tom Browder

I have successfully generated SSL client certs (generated with openssl
1.0.1c) used by Safari, Firefox, and Chrome on Linux and Windows plus
IE 9 on Windows, but I cannot get successful access with either Safari
or Firefox on Mac OS X.

When I try on Mac/Safari I get the error:

  The server did not accept the certificate. (NSURLErrorDomain:-1205)

When I try on Mac/Firefox I get the error:

  SSL peer has rejected your certificate as expired.

  (Error code: ssl_error_expired_cert_alert)

When I view the cert on the Mac it clearly shows an expiration date
approximately one year from now.

Note that I have also added an identity preference in the Mac Key
Chain for the cert for the desired site.

Any help is appreciated.

Best regards,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Mac OS X and SSL Client Certitficates

2012-10-12 Thread Tom Browder

On Fri, Oct 12, 2012 at 9:10 AM, Graham Leggett minf...@sharp.fm wrote:
 On 12 Oct 2012, at 3:59 PM, Tom Browder tom.brow...@gmail.com wrote:

 I have successfully generated SSL client certs (generated with openssl
 1.0.1c) used by Safari, Firefox, and Chrome on Linux and Windows plus
 IE 9 on Windows, but I cannot get successful access with either Safari
 or Firefox on Mac OS X.

 When I try on Mac/Safari I get the error:

  The server did not accept the certificate. (NSURLErrorDomain:-1205)

 When I try on Mac/Firefox I get the error:

  SSL peer has rejected your certificate as expired.

  (Error code: ssl_error_expired_cert_alert)

 When I view the cert on the Mac it clearly shows an expiration date
 approximately one year from now.

 Is both the clock and the timezone on this machine correct? You may find the 
 certificate is not yet valid.

Yes, the time and timezone are correct, and the validity of the cert
started on 09/12/12 and expires 09/12/13.

Thanks, Graham.

Best regards,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Client cert, unverified in Firefox BUT trusted in Chrome

2012-07-30 Thread Tom Browder

On Mon, Jul 30, 2012 at 12:17 AM, Saurabh Pandya
er.saurabhpan...@gmail.com wrote:
 You need to Add Root CA of your client certificate to BOTH, Chrome
 anf Firefox

Saurabh, thanks.

The strange thing is, both browsers do have the Root CA.

I am still trying to fiddle with details of the CSR and signing of the
certs.  Perhaps that is making a difference.

Best regards,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Client cert, unverified in Firefox BUT trusted in Chrome

2012-07-28 Thread Tom Browder

I have almost succeeded in creating a client SSL factory with a local
CA starting with a StartSSL free server certificate.

I just created a client cert. and imported it into my Chrome and
Firefox browsers.

Chrome shows the cert. as trusted (implied because it doesn't show it
as untrusted as it does for other certs. in its database). But Firefox
shows it as unverified for unknown reasons.

Does anyone have any suggestions on how to proceed to determine the
Firefox problem?

Thanks.

Best regards,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSl v1.0.1c and Apache httpd v2.2.22

2012-07-28 Thread Tom Browder

On Fri, Jul 27, 2012 at 3:03 PM, Ruiyuan Jiang rji...@fnpc.com wrote:
 Hi,

 I am trying to use openssl v1.0.1c or 1openssl v1.0.1c.0.0j with Apache 
 v.2.2.22 but failed. I can use v1.0.0g no problem. It

I get a good configure with openssl v1.0.1c and apache v2.4.2.  I have
not tried 2.2.

Any reason not to use 2.4.2?

Best regards,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Configuration files always required?

2012-07-27 Thread Tom Browder

I am working on a Perl programmatic solution (i.e., no user responses
needed) to a local CA and wonder if I need any configuration files at
all?  So far, all the man pages I've looked at seem to have command
args to handle almost everything that seems important (i.e.,
required).

The one exception I've found so far may be the [ req ] section that has:

  prompt  = no

Thanks.

Best regards,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: how to setup my now CA and where to find an easy to understand guide about PKI (was Re: empty subject)

2012-07-26 Thread Tom Browder

On Thu, Jul 26, 2012 at 3:45 AM, Marco Molteni (mmolteni)
mmolt...@cisco.com wrote:
 Hi,

 there are two open source CA systems I am aware of, although I haven't tried 
 them out.

 I think they can be a good starting point instead of doing everything from 
 scratch :-)

 http://pki.fedoraproject.org/wiki/PKI_Main_Page
 http://openca.org/projects.shtml

I've taken a look and I'm not impressed.

-Tom

P.S.  Top posting is very noisy.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: how to setup my now CA and where to find an easy to understand guide about PKI (was Re: empty subject)

2012-07-26 Thread Tom Browder

On Thu, Jul 26, 2012 at 5:57 AM, Tom Browder tom.brow...@gmail.com wrote:
 On Thu, Jul 26, 2012 at 3:45 AM, Marco Molteni (mmolteni)
 mmolt...@cisco.com wrote:
 Hi,

 there are two open source CA systems I am aware of, although I haven't tried 
 them out.

 I think they can be a good starting point instead of doing everything from 
 scratch :-)

 http://pki.fedoraproject.org/wiki/PKI_Main_Page
 http://openca.org/projects.shtml

 I've taken a look and I'm not impressed.

I apologize for the snide remark.  I should have said that I have
taken a look and they do not meet my needs as I described.

Cheers!

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: how to setup my now CA and where to find an easy to understand guide about PKI (was Re: empty subject)

2012-07-26 Thread Tom Browder

On Thu, Jul 26, 2012 at 6:20 AM, Florian Rüchel
florian.ruec...@ruhr-uni-bochum.de wrote:
...
 Also make sure to check out OpenXPKI (http://www.openxpki.org/)

Now that looks much better!

Best regards,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: how to setup my now CA and where to find an easy to understand guide about PKI (was Re: empty subject)

2012-07-26 Thread Tom Browder

On Thu, Jul 26, 2012 at 7:56 AM, Ted Byers r.ted.by...@gmail.com wrote:
 On Thu, Jul 26, 2012 at 7:20 AM, Florian Rüchel 
 florian.ruec...@ruhr-uni-bochum.de wrote:

 Also make sure to check out OpenXPKI (http://www.openxpki.org/)

And I just found

  http://www.cs.auckland.ac.nz/~pgut001/cryptlib/

which looks very promising.  It is well documented and has Perl and
C++ interfaces (as well as others).

Best,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Error generating a self-signed CA certificate with openssl-1.0.1c

2012-07-25 Thread Tom Browder

I am using the following command inside a Perl program:

$ /opt/openssl/bin/openssl req  -passout stdin  /tmp/6I0ZLcltuD \
  -config CA-default.org/ca-ssl.conf -out CA-default.org/certs/cacert.pem \
  -outform PEM -newkey rsa -x509 -batch -verbose

and get the following response, quote:

Using configuration from CA-default.org/ca-ssl.conf
Generating a 4096 bit RSA private key
++
++
writing new private key to 'CA-default.org/private/cakey.pem'
-
error, no objects specified in config file
problems making Certificate Request

end quote.

The CA private key is created but all other requested files are non-existent.

Next I added this line in the req section of the conf file:

  prompt = no

The same command line as above then produced this error, quote

problems making Certificate Request
140233213818536:error:0D06407A:asn1 encoding
routines:a2d_ASN1_OBJECT:first num too large:a_object.c:109:
140233213818536:error:0B083077:x509 certificate
routines:X509_NAME_ENTRY_create_by_txt:invalid field
name:x509name.c:285:name=countryName_min

end quote.

After several such iterations I eventually had to remove the following
lines in the req section (they were all suggested by several books and
online references):

  countryName_min = 2
  countryName_max= 2
  commonName_max  = 64
  emailAddress_max= 64

i ran the same command again and got a good command completion.

I looked at the source code and it looks like I should be able to rely
in the following file to define all valid object names for a Linux
system:

  ./include/

Can I rely on that file to be the single definitive source for valid
conf file object names?

Thanks.

Best regards,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: (no subject): SSL Configuration

2012-07-25 Thread Tom Browder

On Wed, Jul 25, 2012 at 12:49 PM, Ted Byers r.ted.by...@gmail.com wrote:
 Hi All

Hi, Ted.  I, too, have been looking for something like you have.  I am
in the process of creating a Perl program that may be able to help you
(for at least part of your requirements), but I first can point you to
one of the most current references I can find for openssl
configuration:

  http://www.phildev.net/ssl/

It's a little outdated in that the following openssl conf object names
are no longer valid (at least as of the latest stable release:
openssl-1.0.1c):

#     challengePassword_max
#     challengePassword_min
#     commonName_max
#     countryName_max
#     countryName_min
#     emailAddress_max

I plan to release my program on git-hub when I have it working.  It is
designed for my work flow:

+ multiple virtual hosts on a single Apache server

+ one private CA for each vhost

+ all users requiring access to the private area for a vhost must have
an SSL client certificate generated and signed by that vhost's CA (and
I control the entire CA process as well as the server)

I will provide the user passwords for the client certs. to my
intermediate helpers via the USPO and the individual client
certificates via e-mail.  The users have to get their passwords from
the helpers via telephone.  The passwords are similar to Microsoft
client keys but are case sensitive.

I will use known email addresses as user names and require the users
to enter it when logging onto the site.  Apache will reject them if
their ssl cert and email don't match.

I will rely on my web of trust through my intermediate helpers (all of
whom I know) to verify their assigned users (whom they know) and their
emails.

Best regards,

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: (no subject): SSL Configuration

2012-07-25 Thread Tom Browder

On Wed, Jul 25, 2012 at 3:40 PM, Ted Byers r.ted.by...@gmail.com wrote:
...
 On Wed, Jul 25, 2012 at 4:03 PM, Tom Browder tom.brow...@gmail.com wrote:
...
 I will provide the user passwords for the client certs. to my
 intermediate helpers via the USPO and the individual client
 certificates via e-mail.  The users have to get their passwords from
 the helpers via telephone.  The passwords are similar to Microsoft
 client keys but are case sensitive.

 USPO?  You mean the postal service inthe US?

Yes, that's my plan.  I didn't say so, but I will e-mail the certs. to
my helpers also.  So the users have to call their assigned helper for
the certificate to be e-mailed to them and the password to be read to
them.

 Doesn't distribution of certificates via email create a vulnerability?  I
 would have expected that using email, a) gives a bad guy a chance to
 steal/copy the certificate, and b) requires the use of yet another server to
 secure.

Well, for my purposes I'm assuming that risk (the data to be protected
is contact data, not financial).

 From what I have been reading, distribution of the keys is always one of the
 biggest headaches in the design of a secure system.

I agree, but I'm trying to do the best I can given my users (and my
own lack of knowledge or a better idea).

 I was thinking of something more like giving your helpers login credentials
 (with cryptographically sercur random user IDs and passwords) that can be
 used only once.  They connect over the strongest SSL/TLS connection Apache
 supports, from whatever machine they will be using, so that the certificate
 can be created, signed, and installed over an encrypted channel in
 'effectively' an instant.  Making these things easy and intuitive for the
 end user, without compromising security, is a top criterion for me.

My user client certificates will be protected with long, random
passwords and 2048-bit keys.  I keep their private keys which they
don't have access to and which will not be distributed.

 Thanks.  Let me know when I can take a look at yor script.  I'd also like to
 hear about how you harden your servers.

Roger--I plan to put all that on my blog later.  I've been relying
heavily on several books, which I'll mention after I get home to my
bookshelf (Apache Security is one of them).

Cheers!

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: (no subject): SSL Configuration

2012-07-25 Thread Tom Browder

On Wed, Jul 25, 2012 at 4:15 PM, Tom Browder tom.brow...@gmail.com wrote:
 On Wed, Jul 25, 2012 at 3:40 PM, Ted Byers r.ted.by...@gmail.com wrote:
 On Wed, Jul 25, 2012 at 4:03 PM, Tom Browder tom.brow...@gmail.com wrote:
...
 Thanks.  Let me know when I can take a look at yor script.  I'd also like to
 hear about how you harden your servers.

 Roger--I plan to put all that on my blog later.  I've been relying
 heavily on several books, which I'll mention after I get home to my
 bookshelf (Apache Security is one of them).

The book Apache Security is by Ivan Ristic, published in March 2005.
 The other one I have is Preventing Web Attacks With Apache by Ryan
C. Barnett, published in 2006.  Both books have been very helpful,
along with the Apache 2.4 site docs for SSL.

Another great source is this link:

  https://www.ssllabs.com/

where they have several interesting projects including a program to
rate a site's security, and some good papers including one on SSL/TLS
Deployment Best Practices and one entitled SSL Server Rating Guide.

Best regards.

-Tom
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

37 matches

Mail list logo