RE: Firefox unhappy with my self signed Cert
From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole
Sent: Friday, 12 October, 2012 11:51

> As some additional info, I am suspecting this may be an issue with my config file. I am using the same config file I used to set up my certificate authority, which has under [ req ] a couple of values plugged in - for one, prompt=no, because I didn't want it to prompt me for values. It also has a value filled in for distinguished_name which points to a section called [ ca_distinguished_name ] that has the values for commonName, etc, that seem to be getting put into my CSR.

You didn't say before that you used the same config file for CA and entity, but as I answered Friday, if you have prompt=no in the config it uses the DN in the config and is NOT overridden by -subj on the commandline. Thus if you have prompt=no and the name for the CA in the config, to do the CA cert with req -new -x509, and use the same config for the entity CSR, the entity CSR will have the CA name, which is wrong.

> Could this be the issue? Do I need to have a separate config file for generating my CSRs than I used for generating my CA cert?

If you want to use prompt=no, yes you need a different config. If you have prompt=yes and use -subj on *both* commandlines, with the correct (different) value in each, that should work. And if you omit -subj it will prompt you and you can enter correct (different) values.

> On Fri, Oct 12, 2012 at 11:22 AM, Derek Cole derek.c...@gmail.com wrote:
> ...
> openssl req -new -nodes -subj /CN=www.myserver.com -out /tmp/file.csr -keyout /tmp/privkey.csr -config /my/openssl.cnf
> ...
> openssl req -noout -text -in /tmp/file.csr -config /my/openssl.cnf
> ...
> It seems like the file is getting created with the common name in the config file instead of the one I pass it. Does it not override the config file?

snip: Firefox complained about wrong hostname in cert

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Firefox unhappy with my self signed Cert
As some additional info, I am suspecting this may be an issue with my config file. I am using the same config file I used to set up my certificate authority, which has under [ req ] a couple of values plugged in - for one, prompt=no, because I didn't want it to prompt me for values. It also has a value filled in for distinguished_name which points to a section called [ ca_distinguished_name ] that has the values for commonName, etc, that seem to be getting put into my CSR.

Could this be the issue? Do I need to have a separate config file for generating my CSRs than I used for generating my CA cert?

Thanks

On Fri, Oct 12, 2012 at 11:22 AM, Derek Cole derek.c...@gmail.com wrote:
> [snip: the 11:22 message and Dave Thompson's reply of Thu 11 Oct 19:55, quoted in full]
RE: Firefox unhappy with my self signed Cert
From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole
Sent: Friday, 12 October, 2012 17:06

> Interesting. While I was playing around with this, I actually noticed that if I use the -subj option on the CSR, I am not able to do this. I was able to get it working by adding the common name on the actual cert generation from that CSR. The config file was modified so that for my priority_match, which had some match fields, was changed to priority_any which only had a common name required, firefox was happy. Just thought I'd post this workaround in case anyone else stumbles across it.

I think you mixed up two or maybe three things here, and you meant policy not priority.

Generating a CSR with req -new -subj works if the config file has prompt specified or defaulted yes. I tested that. You can generate a CSR with only CommonName by either -subj, prompted, or unprompted. I (now) tested all of those. The distro config file prompts all and defaults some DN fields, so you must enter dots to get CN only. OTOH you can specify more than CN with -subj.

*Issuing* a cert using 'ca' from a CSR containing only CommonName, however the CSR was created, is a different issue. *That* depends on the policy in the config file, and distro policy_match won't allow it. You can either edit config or use -policy sect. You can override the subject in the CSR with ca -subj, but policy still applies. If you specify -subj with only CN it will work only if the configured policy or -policy sect allows that -- and in that case, CSR with only CN works just as well.

snip previous
Re: Firefox unhappy with my self signed Cert
So I think you were right. I used a command to view the CSR that I generated with the following:

openssl req -new -nodes -subj /CN=www.myserver.com -out /tmp/file.csr -keyout /tmp/privkey.csr -config /my/openssl.cnf

when I do this though, I noticed that my subject line, which I view with

openssl req -noout -text -in /tmp/file.csr -config /my/openssl.cnf

It seems like the file is getting created with the common name in the config file instead of the one I pass it. Does it not override the config file?

Thanks

On Thu, Oct 11, 2012 at 7:55 PM, Dave Thompson dthomp...@prinpay.com wrote:
> [snip: Dave Thompson's reply of Thu 11 Oct 19:55, quoted in full]
RE: Firefox unhappy with my self signed Cert
From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole
Sent: Friday, 12 October, 2012 11:22

> So I think you were right. I used a command to view the CSR that I generated with the following:
> openssl req -new -nodes -subj /CN=www.myserver.com -out /tmp/file.csr -keyout /tmp/privkey.csr -config /my/openssl.cnf
> when I do this though, I noticed that my subject line, which I view with
> openssl req -noout -text -in /tmp/file.csr -config /my/openssl.cnf

Aside: you don't need a config file to view an existing request, although since 1.0.0 it gives a spurious warning.

> It seems like the file is getting created with the common name in the config file instead of the one I pass it. Does it not override the config file?

req -new has two ways of getting the subject DistinguishedName, prompted from the terminal and unprompted from the config file. Apparently -subj substitutes only for prompted; to make it effective, specify or default prompt=yes in the config file. (And if that config file will or might be used in actual prompting mode, make sure you have DNpart = promptstring not DNpart = actualvalue as you should for prompt=no.)

In 0.9.8 if you specify all parameters needed for req -new on the commandline you don't need a config file for that. Since 1.0.0 -new demands a config file even if not needed.

> On Thu, Oct 11, 2012 at 7:55 PM, Dave Thompson dthomp...@prinpay.com wrote:

snip: name(s) in cert must match host desired by client like Firefox
Re: Firefox unhappy with my self signed Cert
Interesting. While I was playing around with this, I actually noticed that if I use the -subj option on the CSR, I am not able to do this. I was able to get it working by adding the common name on the actual cert generation from that CSR. The config file was modified so that for my priority_match, which had some match fields, was changed to priority_any which only had a common name required, firefox was happy. Just thought I'd post this workaround in case anyone else stumbles across it.

On Fri, Oct 12, 2012 at 4:42 PM, Dave Thompson dthomp...@prinpay.com wrote:
> [snip: Dave Thompson's 4:42 PM message, quoted in full]
Firefox unhappy with my self signed Cert
Hello,

I sort of posted about this earlier, but I think this is a more concise question (as the previous replies were helpful for me to start debugging the problem).

I have a server that is running a custom app that can accept an SSL connection. I generate a cert on each server, that is signed by my own CA. I tested whether this worked or not by using the openssl s_client and s_server commands, and it actually worked to connect to the server using those commands. I started the server with a PEM file that contained the signed cert request, as well as the private key for that cert request. This allowed me to start the server with

openssl s_server -accept 443 -cert myfile.cert

and on the client side

openssl s_client -connect myserver:443 -CAfile my_server_cert.pem

This gave me a verify code of zero, so I thought I was good to go.

I installed my_server_cert.pem as a trusted authority in firefox, however, it still prompts that it is an Untrusted Connection and has the button to add security exception. When I click this button, I noticed that under Certificate Status it says Wrong Site and This site attempts to identify itself with invalid information

I'd prefer my clients to not have this pop-up when they are connecting to my servers.

From the server side, when I debug the app, I see I get the sslv3 alert bad certificate error at first, and then the next connections are SSL_accepted() as the client requests cert status and such, until I'm finally done adding the security exception, and my final SSL_accept() finally gets a return of 1 which I was hoping for.

Is this just a firefox bug or what? I have noticed too, that I am able to launch my custom app, and use openssl s_client -connect to connect to that same server, same certs, and it gives me verify code zero.

Thanks for any insight.
RE: Firefox unhappy with my self signed Cert
How do you specify the name (URL) of the Web site in Firefox? Do you use exactly the same name as you use with the test client (and the name in the certificate)?

Firefox is saying the certificate is for myserver but you are specifying a different name when you open the site. The name has to be exactly the same as one of the names (including alternates) in the certificate. (You can wildcard the last node in the alternate names.)

myserver is not the same as myserver.com

Charles

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Derek Cole
Sent: Thursday, October 11, 2012 4:03 PM
To: openssl-users@openssl.org
Subject: Firefox unhappy with my self signed Cert

> [snip: the original message, quoted in full]
Re: Firefox unhappy with my self signed Cert
On 12 Oct 2012, at 1:03 AM, Derek Cole derek.c...@gmail.com wrote:

> I installed my_server_cert.pem as a trusted authority in firefox, however, it still prompts that it is an Untrusted Connection and has the button to add security exception. When I click this button, I noticed that under Certificate Status it says Wrong Site and This site attempts to identify itself with invalid information

What DNS name did you insert into the certificate, and does this DNS name match the name of the site you're connecting to exactly?

One of the key purposes of an SSL cert in an https connection is to verify that you are actually connecting to the site you think you're connecting to. If the DNS names don't match, the connection will fail, as it should.

Regards,
Graham
Re: Firefox unhappy with my self signed Cert
On 12 Oct 2012, at 1:40 AM, Charles Mills charl...@mcn.org wrote:

> How do you specify the name (URL) of the Web site in Firefox? Do you use exactly the same name as you use with the test client (and the name in the certificate)?
>
> Firefox is saying the certificate is for myserver but you are specifying a different name when you open the site. The name has to be exactly the same as one of the names (including alternates) in the certificate. (You can wildcard the last node in the alternate names.)
>
> myserver is not the same as myserver.com

If you see "http://mysite.somewhere" in your browser, then the name mysite.somewhere needs to be embedded in the certificate, and this needs to be precise. You can't arbitrarily leave parts of the names out, or insert some kind of approximation (with the exception of a wildcard entry in a cert, subject to specific rules).

What URL are you typing into Firefox? What DNS name have you embedded into the cert, and how have you done it?

Regards,
Graham
RE: Firefox unhappy with my self signed Cert
From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole
Sent: Thursday, 11 October, 2012 19:03

> I have a server that is running a custom app that can accept an SSL connection. I generate a cert on each server, that is signed by my own CA. I tested whether this worked or not by using the openssl s_client and s_server commands, and it actually worked to connect to the server using those commands. I started the server with a PEM file that contained the signed cert request,

Nit: it contains the cert, and privatekey. A cert is NOT a signed CSR.

> as well as the private key for that cert request. This allowed me to start the server with
> openssl s_server -accept 443 -cert myfile.cert

Note that will support connection at the SSL level, but not give an HTTP response unless you type it by hand (which is hard to do). Add -www to support minimal requests from browsers.

> and on the client side

snip: s_client okay

> I installed my_server_cert.pem as a trusted authority in firefox, however, it still prompts that it is an Untrusted Connection and has the button to add security exception. [which] says Wrong Site and This site attempts to identify itself with invalid information

Most SSL clients including Firefox, unlike s_client, check that the name in the server cert matches the name of the server they want, almost always as a domain name. The traditional and simple way is the CommonName in the server cert's Subject field is the FQDN. Most clients, I'd expect including Firefox but didn't take time to test, also support (1-level) wildcard, or the SubjectAlternativeName extension which can have multiple domain names or wildcards or some other options that are rarely used. Public CAs often call this multi-domain, or Unified Communications which was Microsoft's jargon for it. If you're doing these certs yourself and can issue whatever you want free anytime, I'd go with simple, but openssl ca (or x509 -req) can do SAN if you set-up the config file(s).
RE: Firefox unhappy with my self signed Cert
From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
Sent: Thursday, 11 October, 2012 19:40

Some minor points:

> How do you specify the name (URL) of the Web site in Firefox? Do you use exactly the same name as you use with the test client (and the name in the certificate)?

OP's test client was openssl s_client, which does NOT check hostname, so that one doesn't matter. URL in Firefox/etc and name in cert do.

> Firefox is saying the certificate is for myserver but you are specifying a different name when you open the site. The name has to be exactly the same as one of the names (including alternates) in the certificate. (You can wildcard the last node in the alternate names.)
> myserver is not the same as myserver.com

You can use wildcard in either Subject or SubjectAlternativeNames. The wildcard is the lowest-level component of a DNS name, which is at the left as written; in abstract that might be considered last but I think most people wouldn't call it that.

snip earlier
RE: Firefox unhappy with my self signed Cert
> The wildcard is the lowest-level component of a DNS name, which is at the left as written; in

You're right (left?) of course. I was somehow picturing it incorrectly in my mind. I quickly went and looked at my wildcard comparison code and it is correct (whew!). In my other thread about checking client IP addresses I was picturing a lowest-level/RIGHTmost wildcard on the IP address: e.g. 192.168.1.* That's lowest level conceptually but I guess not what the standard or convention provides for.

BTW, a good quick discussion of wildcard certificate names: http://support.godaddy.com/help/article/567/what-is-a-wildcard-ssl-certificate (They'd love to sell you one; this is not an endorsement.)

Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Thursday, October 11, 2012 5:13 PM
To: openssl-users@openssl.org
Subject: RE: Firefox unhappy with my self signed Cert

> [snip: Dave Thompson's 5:13 PM message, quoted in full]
Re: Firefox unhappy with my self signed Cert
Thanks to everyone for the information. I can't recall right now how I set up the name - I was thinking for sure it was with the FQDN, but I'll double check. I will do that reading and check tomorrow when I am back at work and see if I can figure out what is going wrong there.

Thanks

On Thu, Oct 11, 2012 at 8:41 PM, Charles Mills charl...@mcn.org wrote:
> [snip: Charles Mills's 8:41 PM message and the earlier exchange, quoted in full]
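The whole set-up the thread circles around, as one added shell example that is not code from the thread or from the OpenSSL project. It covers Dave Thompson's points about prompt=no versus -subj, the policy_match versus CN-only issuing policy behind Derek's "priority" workaround, SubjectAlternativeName with a one-label wildcard, and the difference between the chain check that gave s_client a verify code of zero and the hostname check Firefox performs. It builds a throwaway CA whose config has prompt=no (as Derek's did), generates the entity CSR with -subj from a separate config so the CA's DN cannot leak into it (the thread found -subj ignored under prompt=no, so the script does not rely on that ordering either way), has 'openssl ca' reject the CN-only CSR under a policy_match-style section and accept it under a CN-only section, then runs 'openssl verify' with and without -verify_hostname against a matching name, a wildcard match, the bare name "myserver", and a two-label name that the wildcard must not cover. Caveat: -verify_hostname arrived in OpenSSL 1.0.2, after the releases discussed in the thread; everything else runs on 1.0.x through 3.x. All names and paths (www.myserver.com, Example Corp, a mktemp directory) are assumptions made for the example.

```shell
#!/bin/sh
# Added example; not code from the thread or from the OpenSSL project.
# Names (www.myserver.com, Example Corp, ...) are assumptions.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; nothing to demonstrate" >&2
    exit 0
fi

# make_ca DIR: CA config with prompt=no (DN comes from the file, as in the
# thread), the 'ca' database files, and a self-signed CA certificate.
make_ca() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 1000 > "$1/serial"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database      = $1/index.txt
new_certs_dir = $1/newcerts
serial        = $1/serial
certificate   = $1/ca.pem
private_key   = $1/ca.key
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
countryName      = match
organizationName = match
commonName       = supplied
[ policy_cn_only ]
commonName       = supplied
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = v3_ca
[ ca_dn ]
C  = US
O  = Example Corp
CN = Example Corp Test CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.pem" -days 365 -sha256 2>/dev/null
}

# make_csr DIR FQDN: a separate entity config with no prompt=no, so the DN
# comes from -subj. Reusing the CA config here is what put the CA's name
# into the CSR in the thread.
make_csr() {
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\ncommonName = Server FQDN\n' \
        > "$1/req.cnf"
    openssl req -new -config "$1/req.cnf" -subj "/CN=$2" -newkey rsa:2048 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" -sha256 2>/dev/null
}

# csr_subject DIR: the subject that actually went into the CSR.
csr_subject() { openssl req -noout -subject -in "$1/server.csr"; }

# issue_cert DIR POLICY SAN: sign the CSR with 'openssl ca' under the named
# policy section, adding server extensions and the given subjectAltName.
# Exit status is non-zero when the policy rejects the request; the CA's
# messages are kept in DIR/ca.log.
issue_cert() {
    printf '[ v3_server ]\nbasicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = %s\n' "$3" \
        > "$1/ext.cnf"
    openssl ca -batch -config "$1/ca.cnf" -policy "$2" -extfile "$1/ext.cnf" \
        -extensions v3_server -notext -in "$1/server.csr" -out "$1/server.pem" \
        >/dev/null 2>"$1/ca.log"
}

# chain_ok DIR: chain validation only, which is all that 's_client -CAfile'
# checked when it reported a verify return code of 0 in the thread.
chain_ok() { openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1; }

# name_ok DIR HOST: chain validation plus the hostname comparison a browser
# does (needs OpenSSL 1.0.2 or later for -verify_hostname).
name_ok() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}

SAN='DNS:www.myserver.com, DNS:*.myserver.com'
pki=$(mktemp -d)
make_ca "$pki"
make_csr "$pki" www.myserver.com
echo "CSR subject: $(csr_subject "$pki")"
if issue_cert "$pki" policy_match "$SAN"; then
    echo "policy_match accepted a CN-only CSR (unexpected)"
else
    echo "policy_match rejected the CN-only CSR: $(sed -n '$p' "$pki/ca.log")"
fi
issue_cert "$pki" policy_cn_only "$SAN"
echo "policy_cn_only issued the certificate"
if chain_ok "$pki"; then echo "chain: OK (what s_client reported)"; fi
for host in www.myserver.com app.myserver.com myserver a.b.myserver.com; do
    if name_ok "$pki" "$host"; then echo "$host: name matches"; else echo "$host: Wrong Site"; fi
done
rm -rf "$pki"
```

Run it as-is; it needs only the openssl binary and a writable temp directory. The CSR subject line shows CN=www.myserver.com and not the CA's name, the first 'openssl ca' call fails with the "needed to be supplied and match" message because the CSR has no C or O, the second succeeds, the chain check passes for every name, and -verify_hostname passes only for www.myserver.com and app.myserver.com: "myserver" is not "myserver.com", and the single-label wildcard does not reach a.b.myserver.com.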