Re: Generating keys to be used in a specific implementation
Ok... I created the certificates and private keys for server and client... At server side I'm using the certificate and the private key in the same file and Calling SSL_CTX_use_PrivateKey_file() and SSL_CTX_use_certificate_chain_file() to this file. At client side I'm using the openssl s_client command to teste the server with parameters -key client.pem -cert client.crt. Until here all works fine But when I set SSL_CTX_set_verify(context,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0); the server does not accept the session saying 5208:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:.\ssl\s3_srvr.c:2525:. I tried to copy the client certificate to same file server.pem, but it's still not working. Which private keys and certificates I need to put at server.pem and/or client.pem/.crt to authentication work properly?? At this time I use a CA. Thanks, Renato A. Ferreira - Original Message - From: David Schwartz [EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Wednesday, June 25, 2008 12:09 AM Subject: RE: Generating keys to be used in a specific implementation I have an desktop/server agent that listen for TCP connections to process some information. And now i´m trying to implement privacy and authentication to this application, to unsure that only my trusted application interact with these TCP agents. Another problem is that I'm not sure if It really needs a self-signed certificate to authenticate the clients in a scenario that is already implemented a method with fixed pair of private keys. Someone could help me in this objective? Examples, articles and documentations will be apreciated. Since you have complete control over both ends (right?) then you can just generate keys and certificates following any web page and then hard code each side to check for the key it's expecting from the other side. You can generate a key with 'openssl genrsa -out key.pem 1024'. You can generate a self-signed certificate by following the instructions: http://www.akadia.com/services/ssh_test_certificate.html http://sial.org/howto/openssl/self-signed/ If you are 100% sure both ends will always be trusted, you can simply include the server certificate, client certificate, and client key in the client. You include the client certificate, client key, and server certificate in the server. Then just confirm that the other side is using the proper certificate. Note that this means compromising one client compromises them all. It's more complex, but arguably, the right approach is to create your own CA. Issue a client to the server with a common name the clients check for. Issue each client its own certificate for a different key with a different common name. This will mean that compromising one client doesn't compromise them all and will also allow the server to securely determine what client it's talking to. This will also require less specialized coding, since you can simply hard code the CA's certificate in the client and server, and then they don't need any special code to recognize the clients -- just tell OpenSSL that our CA certificate is the only CA. If you choose to go that way: http://www.octaldream.com/~scottm/talks/ssl/opensslca.html http://sial.org/howto/openssl/ca/ DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Generating keys to be used in a specific implementation
Sorry, I mean that at this time I CAN'T use a CA. - Original Message - From: Renato Araújo Ferreira [EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Friday, June 27, 2008 7:24 PM Subject: Re: Generating keys to be used in a specific implementation Ok... I created the certificates and private keys for server and client... At server side I'm using the certificate and the private key in the same file and Calling SSL_CTX_use_PrivateKey_file() and SSL_CTX_use_certificate_chain_file() to this file. At client side I'm using the openssl s_client command to teste the server with parameters -key client.pem -cert client.crt. Until here all works fine But when I set SSL_CTX_set_verify(context,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0); the server does not accept the session saying 5208:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:.\ssl\s3_srvr.c:2525:. I tried to copy the client certificate to same file server.pem, but it's still not working. Which private keys and certificates I need to put at server.pem and/or client.pem/.crt to authentication work properly?? At this time I use a CA. Thanks, Renato A. Ferreira - Original Message - From: David Schwartz [EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Wednesday, June 25, 2008 12:09 AM Subject: RE: Generating keys to be used in a specific implementation I have an desktop/server agent that listen for TCP connections to process some information. And now i´m trying to implement privacy and authentication to this application, to unsure that only my trusted application interact with these TCP agents. Another problem is that I'm not sure if It really needs a self-signed certificate to authenticate the clients in a scenario that is already implemented a method with fixed pair of private keys. Someone could help me in this objective? Examples, articles and documentations will be apreciated. Since you have complete control over both ends (right?) then you can just generate keys and certificates following any web page and then hard code each side to check for the key it's expecting from the other side. You can generate a key with 'openssl genrsa -out key.pem 1024'. You can generate a self-signed certificate by following the instructions: http://www.akadia.com/services/ssh_test_certificate.html http://sial.org/howto/openssl/self-signed/ If you are 100% sure both ends will always be trusted, you can simply include the server certificate, client certificate, and client key in the client. You include the client certificate, client key, and server certificate in the server. Then just confirm that the other side is using the proper certificate. Note that this means compromising one client compromises them all. It's more complex, but arguably, the right approach is to create your own CA. Issue a client to the server with a common name the clients check for. Issue each client its own certificate for a different key with a different common name. This will mean that compromising one client doesn't compromise them all and will also allow the server to securely determine what client it's talking to. This will also require less specialized coding, since you can simply hard code the CA's certificate in the client and server, and then they don't need any special code to recognize the clients -- just tell OpenSSL that our CA certificate is the only CA. If you choose to go that way: http://www.octaldream.com/~scottm/talks/ssl/opensslca.html http://sial.org/howto/openssl/ca/ DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Generating keys to be used in a specific implementation
I have an desktop/server agent that listen for TCP connections to process some information. And now i´m trying to implement privacy and authentication to this application, to unsure that only my trusted application interact with these TCP agents. Another problem is that I'm not sure if It really needs a self-signed certificate to authenticate the clients in a scenario that is already implemented a method with fixed pair of private keys. Someone could help me in this objective? Examples, articles and documentations will be apreciated. Since you have complete control over both ends (right?) then you can just generate keys and certificates following any web page and then hard code each side to check for the key it's expecting from the other side. You can generate a key with 'openssl genrsa -out key.pem 1024'. You can generate a self-signed certificate by following the instructions: http://www.akadia.com/services/ssh_test_certificate.html http://sial.org/howto/openssl/self-signed/ If you are 100% sure both ends will always be trusted, you can simply include the server certificate, client certificate, and client key in the client. You include the client certificate, client key, and server certificate in the server. Then just confirm that the other side is using the proper certificate. Note that this means compromising one client compromises them all. It's more complex, but arguably, the right approach is to create your own CA. Issue a client to the server with a common name the clients check for. Issue each client its own certificate for a different key with a different common name. This will mean that compromising one client doesn't compromise them all and will also allow the server to securely determine what client it's talking to. This will also require less specialized coding, since you can simply hard code the CA's certificate in the client and server, and then they don't need any special code to recognize the clients -- just tell OpenSSL that our CA certificate is the only CA. If you choose to go that way: http://www.octaldream.com/~scottm/talks/ssl/opensslca.html http://sial.org/howto/openssl/ca/ DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]