Re: Cancel of mailing list

2020-06-09 Thread warron.french
I believe you need to refer to this link:
https://mta.openssl.org/pipermail/openssl-users/2016-July/003979.html
There are two options there with which you can remove yourself, Paul.

Good luck,
--
Warron French



On Tue, Jun 9, 2020 at 10:18 AM Paul  wrote:

> Can you please remove my email from mailing list?
>


[openssl-users] Testing ports through firewall

2017-12-21 Thread warron.french
Hello Community, and Merry Christmas/Happy Season's Greetings.
Anyway, I need some help with understanding an openssl feature:
*s_server*.

I executed the following command:  openssl s_server -accept 21937 -www &
And immediately got the following output:
[1] 3286
[sysadm@wfrench-rhel6c-cit ~]$ Error opening server certificate private key
file server.pem
140679739017032:error:02001002:system library:fopen:No such file or
directory:bss_file.c:398:fopen('server.pem','r')
140679739017032:error:20074002:BIO routines:FILE_CTRL:system
lib:bss_file.c:400:
unable to load server certificate private key file

In order to test ports that are not encrypted with SSL/TLS do I still have
to generate a certificate and private key file (each)?

I would like to test ports from one machine using openssl s_client against
a remote machine on an opposing network, running a "listener", using
openssl s_server.

Perhaps I am way off?  Am I not allowed to use openssl for this sort of
thing?
Any guidance would be greatly appreciated because I want to expand my
understanding of the openssl suite of commands and its offerings.


Have a nice day,
--
Warron French
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Help with making a SHA >1 certificate

2017-11-07 Thread warron.french
Charles, thanks for clarifying.  I was on the correct track, but for some
reason couldn't confirm it.  (I chalk it up to being tired.  That's my
story and I'm sticking to it.  lol).



--
Warron French


On Tue, Nov 7, 2017 at 9:37 AM, Charles Mills <charl...@mcn.org> wrote:

> The CA’s certificate validity is
>
>
>
> Not After : Nov 18 17:39:38 2024 GMT
>
>
>
> *Charles*
>
>
>
> *From:* openssl-users [mailto:openssl-users-boun...@openssl.org] *On
> Behalf Of *warron.french
> *Sent:* Monday, November 6, 2017 4:02 PM
> *To:* openssl-users@openssl.org
> *Subject:* Re: [openssl-users] Help with making a SHA >1 certificate
>
>
>
> Charles, I am no expert either - sorry.
>
>
>
> However, about the question of why your signed certificate is not getting
> to be over 1 year in "length": what is the duration of the CA's
> certificate?
>
>
>


Re: [openssl-users] Help with making a SHA >1 certificate

2017-11-06 Thread warron.french
Charles, I am no expert either - sorry.

However, about the question of why your signed certificate is not getting
to be over 1 year in "length": what is the duration of the CA's
certificate?

--
Warron French


On Mon, Nov 6, 2017 at 5:04 PM, Charles Mills  wrote:

> Please forgive my ignorance here. I’m really not a certificate expert. I’m
> a software developer trying to make certificates to use in a testing
> situation.
>
>
>
> I’ve got some scripts that I have been using for years. I’ve just upgraded
> to 1.10f (but there are no upgrade issues that I know of – that’s not the
> problem).
>
>
>
> My last test certificate expired. So I am trying to make another one. All
> I seem to be able to make are SHA-1 signed certificates, but I’m trying to
> load them into a FIPS-140 (non-OpenSSL) key repository and it is failing, I
> think because of the SHA-1. Here is how I am making the certificate. What
> do I have to do differently to make a SHA-512 (or at least some SHA > 1)
> certificate?
>
>
>
> C:\OpenSSL-Win32-110f\bin\openssl.exe req -newkey rsa:2048 -sha512
> -keyout %1.key.pem -out %1.req.pem -config openssl_edited_win32_default.cfg
> -extensions usr_cert -reqexts usr_cert -nodes -days 3650
>
> C:\OpenSSL-Win32-110f\bin\openssl req -text -in %1.req.pem -sha512
>
> C:\OpenSSL-Win32-110f\bin\openssl.exe ca -in %1.req.pem -config
> CMC_root_config.cnf -out %1.pem -verbose -cert CMC_root.pem -keyfile
> CMC_root.key.pem -passin pass:password
>
>
>
> Here is what I end up with:
>
>
>
> Signature Algorithm: sha1WithRSAEncryption
>
> Issuer: CN=Charles Mills Consulting, LLC, ST=California,
> C=US/emailAddress=charl...@mcn.org, O=Charles Mills Consulting, LLC
>
> Validity
>
> Not Before: Nov  6 19:13:09 2017 GMT
>
> Not After : Nov  6 19:13:09 2018 GMT
>
> Subject: CN=Charles Mills Consulting, LLC, ST=California,
> C=US/emailAddress=charl...@mcn.org, O=CZAGENT_Nov2017
>
> Subject Public Key Info:
>
> Public Key Algorithm: rsaEncryption
>
> Public-Key: (2048 bit)
>
>
>
> While we’re at it, why doesn’t my –days 3650 seem to have any effect?
>
>
>
> Thanks!
>
>
>
> *Charles *
>
>
>
>
>


Re: [openssl-users] How do I connect to this server

2017-04-22 Thread warron.french
I know that this is a TLS-related question; however, do you know how you
can diagnose straight HTTP using:

*telnet server1 portnumber*
and then provide the HTTP/1.1 etc.?

Is it possible to do the same thing with: *openssl s_client
server1:portnumber* and then do the HTTP/1.1 etc., etc.?

Is that a possible technique?  I am interested in learning too.

--
Warron French


On Fri, Apr 21, 2017 at 6:29 PM, Salz, Rich via openssl-users <
openssl-users@openssl.org> wrote:

> > https://username:passw...@server.com
> > How do I specify this username and password when using SSL_connect()?
>
> You don't.  That stuff is at the protocol level about TLS/SSL.
>
>


[openssl-users] Properly manage CA-signed certificates that have expired

2016-03-31 Thread warron.french
Hello, I had to build a Certificate Authority (CA) server for an isolated
network (I know, it seems silly).

Anyway, I figured out how to create the CA service with a self-signed
certificate that will expire in 9 years, because it was a 10-year
certificate of which 9 years remain available.

I then created separate TLS keys and CSRs and had them signed by the CA
server.

The 2 certificates for the "servers" (it's actually all the same 1 server
with different DNS-A-Record resolvable names) worked perfectly for the past
1 year, but I was kept busy working on other tasks, so this isolated
network got neglected.  The two (2) certificates for the servers expired
last month.

I documented how to build the CA, how to create the CSRs and get them
signed; but I didn't know how to write the documentation for maintaining
any certificates once they expired.

I want to properly, and gracefully, manage the CA server to do whatever is
appropriate.

I believe, but do not know for sure, that what I want to do is:
1.  Revoke the expired certificates (maybe that is not necessary or
appropriate?)
2.  Clean up the CA database (with the openssl ca -updatedb command?)
3.  Then create new server certificates for the 2 servers again.

I don't want to use the same 1 certificate for 2 services, because I have
one for TLS-securing the LDAP service making it an ldapS:// url, and the
other is for TLS-securing the AdminConsole of the same 389-ds
implementation.

Please help, I don't know what terminology I am looking for to properly
pursue what a Professional CA (like Verisign, or wherever) would do.



Thanks,
--
Warron French