Re: One certificate for both hostname and IP

2009-01-27 Thread Marco De Vitis

On 27 Jan 2009, at 06:01, Crypto Sal wrote:

settings and things should be alright and you'll see if browsers  
choke too or its M$ products. I would also try Thunderbird and other  
email clients on the email server side of things.


Indeed, I now tried with Thunderbird and it happily accepts both  
hostname and IP.
My problem is that I cannot avoid the use of Outlook and OE by users.  
But maybe this is the proof that what I need cannot be done, because  
M$ mail clients do not support subjectAltName? Can this really be true?  
I thought SSL support was nowadays (sort of) standardized... sigh.


Can you do an s_client and dump the cert to OpenSSL's x509 and  
read the cert? Do the SubjectAltNames appear in the X509v3  
Subject Alternative Name section when doing so?


How can I dump the certificate using s_client? I can't see anything  
about this in its man page.
openssl s_client -connect HOST_NAME:PORT -starttls pop3 | openssl x509 -text -noout


Alternatively, openssl x509 -text -noout -in YOUR_CERT_HERE, and you  
can read the text output of the certificate instead of its hashed  
value.


Oh yes, I often used the second one, and yes, the subjectAltName value  
always appears in the right place.


Usually Outlook will display a box with a series of checks and red  
X's. I am pretty sure it has three areas and in most cases it is the  
last one that it fails on. I wish I had a screenshot for you. I just  
saw one the other day too.


No checks or X's here. Here is the warning I get from Outlook 2007  
(Italian):

http://www.mdv.eu/temp/outlook_ssl.png
Translating literally, it just says that the main destination name  
is wrong.


--
Ciao,
  Marco.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: One certificate for both hostname and IP

2009-01-26 Thread Marco De Vitis

On 26 Jan 2009, at 05:14, Crypto Sal wrote:

Do any other clients (s_client, web browser, etc) exhibit the same  
behavior or an error message? If yes, what's the error response?


Well, I currently do not know how to apply that certificate to an HTTP  
server to test it with browsers. Both Firefox and IE refuse to connect  
on POPS port 995, of course.

For s_client see below.

When you use s_client to connect to your mail server does it pass  
verification through both ways, IP and DNS?


I never used s_client before, I tried it now, but it doesn't seem to  
care at all about the CN difference: as far as I can see, and as long  
as I pass it the CA cert with the -CAfile option, it doesn't return  
any verification error, not even when I connect to the server with a  
totally different name from the ones stored in CN or subjectAltName!


It just outputs verify return:1 for both the server and CA  
certificates which build up the chain.


So, s_client seems a bit too relaxed to me, or am I missing anything?

Can you do an s_client and dump the cert to OpenSSL's x509 and read  
the cert?  Do the SubjectAltNames appear in the X509v3 Subject  
Alternative Name section when doing so?


How can I dump the certificate using s_client? I can't see anything  
about this in its man page.


What is the *exact* error you get with the Microsoft Products when  
you use this format? Hostname Mismatch? Untrusted Cert?


I'd say Hostname Mismatch. Both OE and Outlook just show a dialog  
containing no deep tech info, but they simply complain about the name  
of the server not being the same as the one contained in the provided certificate.


Thanks.

--
Ciao,
  Marco.




Re: One certificate for both hostname and IP

2009-01-26 Thread Crypto Sal

On 01/26/2009 08:40 PM, Marco De Vitis wrote:

On 26 Jan 2009, at 05:14, Crypto Sal wrote:

Do any other clients (s_client, web browser, etc) exhibit the same 
behavior or an error message? If yes, what's the error response?


Well, I currently do not know how to apply that certificate to an HTTP 
server to test it with browsers. Both Firefox and IE refuse to connect 
on POPS port 995, of course.


Well, you should be able to set up Apache2 to use your certificate quite 
easily and the Apache Docs are quite easy to follow. All you'd have to 
do is move the key and certificate over to an area that Apache has 
access to, modify the SSL appropriate settings and things should be 
alright and you'll see if browsers choke too or if it's M$ products. I would 
also try Thunderbird and other email clients on the email server side of 
things.




For s_client see below.

When you use s_client to connect to your mail server does it pass 
verification through both ways, IP and DNS?


I never used s_client before, I tried it now, but it doesn't seem to 
care at all about the CN difference: as far as I can see, and as long 
as I pass it the CA cert with the -CAfile option, it doesn't return 
any verification error, not even when I connect to the server with a 
totally different name from the ones stored in CN or subjectAltName!


It just outputs verify return:1 for both the server and CA 
certificates which build up the chain.


So, s_client seems a bit too relaxed to me, or am I missing anything?



That's because you're only verifying the chain of trust, you are not 
verifying host name. This is in the latest development version of 
OpenSSL. Sorry, you did mention you were on 0.9.8c. Very sorry about this.


Can you do an s_client and dump the cert to OpenSSL's x509 and read 
the cert? Do the SubjectAltNames appear in the X509v3 Subject 
Alternative Name section when doing so?


How can I dump the certificate using s_client? I can't see anything 
about this in its man page.
openssl s_client -connect HOST_NAME:PORT -starttls pop3 | openssl x509 -text -noout


Alternatively, openssl x509 -text -noout -in YOUR_CERT_HERE, and you can 
read the text output of the certificate instead of its hashed value.






What is the *exact* error you get with the Microsoft Products when 
you use this format? Hostname Mismatch? Untrusted Cert?


I'd say Hostname Mismatch. Both OE and Outlook just show a dialog 
containing no deep tech info, but they simply complain about the name 
of the server not being the same as the one contained in the provided certificate.




Usually Outlook will display a box with a series of checks and red X's. 
I am pretty sure it has three areas and in most cases it is the last one 
that it fails on. I wish I had a screenshot for you. I just saw one the 
other day too.




Re: One certificate for both hostname and IP

2009-01-25 Thread Marco De Vitis

On 24 Jan 2009, at 16:54, Dr. Stephen Henson wrote:


You don't say which give a warning. If you use the IP version in
subjectAltname do you get a warning for the hostname or the IP  
address?


If the hostname but not IP address try adding a second value,  
DNS:whatever.com


If I use:

subjectAltName = IP:192.168.1.5

...then both OE and Outlook show a warning when I set them up to use  
the IP address.

In other words, they behave as if the Alternative Name did not exist.

I do not understand if your suggestion was meant for this case, but I  
tried it anyway, using:


subjectAltName = IP:192.168.1.5,DNS:mail.foo.org

...where mail.foo.org is the same hostname as the main CN, but both  
mail clients show the same warning, nothing changed.


Any more ideas?
Thank you very much.

--
Ciao,
  Marco.




Re: One certificate for both hostname and IP

2009-01-25 Thread Crypto Sal

On 01/25/2009 11:35 AM, Marco De Vitis wrote:

On 24 Jan 2009, at 16:54, Dr. Stephen Henson wrote:


You don't say which give a warning. If you use the IP version in
subjectAltname do you get a warning for the hostname or the IP address?

If the hostname but not IP address try adding a second value, 
DNS:whatever.com


If I use:

subjectAltName = IP:192.168.1.5

...then both OE and Outlook show a warning when I set them up to use 
the IP address.

In other words, they behave as if the Alternative Name did not exist.

I do not understand if your suggestion was meant for this case, but I 
tried it anyway, using:


subjectAltName = IP:192.168.1.5,DNS:mail.foo.org

...where mail.foo.org is the same hostname as the main CN, but both 
mail clients show the same warning, nothing changed.


Any more ideas?
Thank you very much.




Marco,

Do any other clients (s_client, web browser, etc) exhibit the same 
behavior or an error message? If yes, what's the error response?


When you use s_client to connect to your mail server does it pass 
verification through both ways, IP and DNS?


Can you do an s_client and dump the cert to OpenSSL's x509 and read the 
cert?  Do the SubjectAltNames appear in the X509v3 Subject Alternative 
Name section when doing so?


What is the *exact* error you get with the Microsoft Products when you 
use this format? Hostname Mismatch? Untrusted Cert?


CN=mail.foo.org
subjectAltName = IP:192.168.1.5, DNS:mail.foo.org

--Sal



One certificate for both hostname and IP

2009-01-24 Thread Marco De Vitis

Hi,
running my own CA on a Debian Etch machine (openssl 0.9.8c) I need to  
create a certificate for a private mailserver, which must be reachable  
both using its hostname and its IP address. So the certificate needs  
to contain both, to prevent warnings at the client side. The mail  
clients used will be, among others, Outlook Express and Outlook 2007  
(I cannot avoid this).


I tried various solutions, to no avail.

I first generated a certificate containing two Common Names, and it  
was ok for Outlook Express, but not for Outlook, which shows a security  
warning when using the second name.


I then tried various subjectAltName configurations, but none of these  
seems to be supported by either OE or Outlook, they both always show a  
security warning for one of the names. Here are some configurations I  
tried:


subjectAltName = IP:IP address

subjectAltName = otherName:1.2.3.4;UTF8:IP address

subjectAltName = dirName:dir_sect
[dir_sect]
C = IT
O = bla bla
OU = bla bla
CN = IP address

subjectAltName = @alt_names
[alt_names]
IP.1 = IP address

All other needed parameters in openssl.cnf are correctly in place,  
AFAICT, because the subjectAltName values are correctly visible in the  
generated certificate.

I can post the full openssl.cnf if needed.

Any clues?
Thanks.

--
Ciao,
  Marco.



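Two points in this thread can be checked end to end on the command line: the subjectAltName configurations listed in the message above, and Crypto Sal's remark (in his 2009-01-26 reply) that s_client on 0.9.8 only verifies the chain of trust and never the name. The script below is an added example, not code from the thread or from the OpenSSL project. It issues a throwaway CA and two one-day test certificates, one with CN only and one with the `IP:192.168.1.5,DNS:mail.foo.org` SAN that Marco tried, dumps the SAN with `openssl x509 -text -noout` as suggested in the thread, and then asks OpenSSL's own name matcher whether each certificate is valid for the hostname and for the IP. The matcher is exposed as `-verify_hostname` and `-verify_ip` on `openssl verify` (and on `openssl s_client`) from OpenSSL 1.0.2 onward, so it is not available on the 0.9.8c the thread runs on. The hostname and IP come from the thread; the CA, the file names (`san.cnf`, `ca.crt`, `cnonly.crt`, `both.crt`) and the section names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a CN-only certificate next to one
# whose subjectAltName carries both DNS:mail.foo.org and IP:192.168.1.5,
# each checked with OpenSSL's own name matcher (openssl verify
# -verify_hostname / -verify_ip, OpenSSL >= 1.0.2). File and section names
# are this example's assumptions.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# openssl.cnf fragment: [alt_names] is the IP + DNS form from the thread;
# [v3_ca] is a minimal section for the throwaway test CA.
cat > san.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
CN = mail.foo.org

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = mail.foo.org
IP.1 = 192.168.1.5
EOF

# Throwaway CA: 1-day self-signed certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 1 -subj "/CN=Test CA" -config san.cnf -extensions v3_ca >/dev/null 2>&1

# issue_cert BASENAME [EXT_SECTION]: CSR plus CA signature. Without a
# section the certificate gets no SAN at all (CN only), the starting
# point of the thread.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -config san.cnf >/dev/null 2>&1
    if [ "$#" -gt 1 ]; then
        openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 1 -extfile san.cnf -extensions "$2" -out "$1.crt" >/dev/null 2>&1
    else
        openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 1 -out "$1.crt" >/dev/null 2>&1
    fi
}

issue_cert cnonly
issue_cert both v3_server

# san_of BASENAME: the value printed under "X509v3 Subject Alternative
# Name" by openssl x509 -text (empty when the certificate has no SAN).
san_of() {
    openssl x509 -in "$1.crt" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# host_ok BASENAME HOSTNAME / ip_ok BASENAME IP: chain check plus the name
# check that s_client on 0.9.8 never performed. Exit status is the verdict.
host_ok() { openssl verify -CAfile ca.crt -verify_hostname "$2" "$1.crt" >/dev/null 2>&1; }
ip_ok()   { openssl verify -CAfile ca.crt -verify_ip "$2" "$1.crt" >/dev/null 2>&1; }

# report CHECK ARGS...: one line per verdict for a human reader.
report() {
    if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi
}

echo "SAN of cnonly.crt: '$(san_of cnonly)'"
echo "SAN of both.crt:   $(san_of both)"
report host_ok cnonly mail.foo.org   # no dNSName SAN: OpenSSL falls back to the CN
report ip_ok   cnonly 192.168.1.5    # an IP is never matched against the CN
report host_ok both   mail.foo.org
report ip_ok   both   192.168.1.5
report host_ok both   other.foo.org  # name not in the SAN
report ip_ok   both   192.168.1.6    # address not in the SAN
```

The two FAIL lines for `cnonly` and the wrong names are the point: with only a CN, the IP has nothing to match against, and once a SAN is present only the names inside it count. That is the matching rule a conforming client applies; whether a particular mail client applies it is what the thread is trying to establish, and the script cannot answer that part.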

Re: One certificate for both hostname and IP

2009-01-24 Thread Dr. Stephen Henson
On Sat, Jan 24, 2009, Marco De Vitis wrote:

 Hi,
 running my own CA on a Debian Etch machine (openssl 0.9.8c) I need to 
 create a certificate for a private mailserver, which must be reachable both 
 using its hostname and its IP address. So the certificate needs to contain 
 both, to prevent warnings at the client side. The mail clients used will 
 be, among others, Outlook Express and Outlook 2007 (I cannot avoid this).

 I tried various solutions, to no avail.

 I first generated a certificate containing two Common Names, and it was ok 
 for Outlook Express, but not for Outlook, which shows a security warning 
 when using the second name.

 I then tried various subjectAltName configurations, but none of these seems 
 to be supported by either OE or Outlook, they both always show a security 
 warning for one of the names. Here are some configurations I tried:

 subjectAltName = IP:IP address

 subjectAltName = otherName:1.2.3.4;UTF8:IP address

 subjectAltName = dirName:dir_sect
 [dir_sect]
 C = IT
 O = bla bla
 OU = bla bla
 CN = IP address

 subjectAltName = @alt_names
 [alt_names]
 IP.1 = IP address

 All other needed parameters in openssl.cnf are correctly in place, AFAICT, 
 because the subjectAltName values are correctly visible in the generated 
 certificate.
 I can post the full openssl.cnf if needed.

 Any clues?
 Thanks.


You don't say which give a warning. If you use the IP version in
subjectAltname do you get a warning for the hostname or the IP address?

If the hostname but not IP address try adding a second value, DNS:whatever.com

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk