Re: create opensll, ssldump keyfile

2002-05-14 Thread Eric Rescorla

Davidson, Stuart [EMAIL PROTECTED] writes:
 The following ssldump trace records the following 'su' sequence and shows that
 an su from a non privileged account does not work.
 
 # su - dav
 $ id
 uid=4001 gid=401 +++ su from root to dav works OK +++
 $ su - dav
 Password:
 su: Sorry +++ su from dav to dav does NOT work +++
 $
 
 Questions:
 
 1. any idea why the su from a non privileged account is not working?
This is a Solaris question. My guess, offhand, would be that DAV has
a '*'-ed out password field so you can't su to it if you're not
root.

 2. how do I invoke ssldump to decrypt the complete dialog?
(e.g. all Handshakes and application data)
You need to ensure that it has the server's private key, using the 
-k and -p arguments.

 3. how do I convert the certificates exported from Microsoft Enterprise
Certificate Authority to a format which can be read by ssldump?
I'm not sure what you're trying to do here. There seem to be two
ways to read this message:
(1) You want ssldump to decode the certificates when it parses
the transaction. This is a simple matter of giving it the -N
flag to tell it to parse the ASN.1. (Assuming, of course, ssldump
was linked with OpenSSL when you built it.)

(2) You want ssldump to read the server's private key (not certificate).
There's no need to read the server's certificate. All you need to do for
this is convert it into an OpenSSL keyfile. It's not clear what
kind of keyfile you're starting with here...

-Ekr

-- 
[Eric Rescorla   [EMAIL PROTECTED]]
http://www.rtfm.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
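Eric's answer to question 3 is to convert the export into an OpenSSL keyfile. The script below is an added example (not code from the thread, from ssldump or from OpenSSL) of doing that and checking the result before handing it to `ssldump -k`; it assumes the server cert and key were exported as a PKCS#12 (.pfx/.p12) file, which the thread never states, and that the `openssl` command-line tool is installed. Function names are the example's own.

```shell
#!/bin/sh
# Added example: build the PEM keyfile `ssldump -k` reads from a PKCS#12
# export and check it before use.  Assumptions: the export is PKCS#12
# (what a Microsoft CA / Windows certificate store export produces) and
# the openssl CLI is present.  An iPlanet key3.db/cert7.db would first
# have to be exported to PKCS#12 (NSS's pk12util does that), then continue here.

# p12_to_ssldump_key PFX EXPORTPASS OUTPEM
# Extracts only the private key, unencrypted, as PEM; ssldump reads it
# with -k alone.  Drop -nodes to keep it encrypted, then add -p PASS.
# The passphrase is passed via the environment, not argv, so it does not
# show up in the process list.
p12_to_ssldump_key() {
    umask 077   # the output file holds the server's private key
    P12PASS=$2 openssl pkcs12 -in "$1" -passin env:P12PASS \
        -nocerts -nodes -out "$3" 2>/dev/null
}

# key_matches_cert PEMKEY PEMCERT
# 0 when the public key derived from the private key equals the one in the
# certificate, i.e. this really is the key the server handshakes with.
# A key ssldump cannot parse fails at load time ("Problem loading private
# key"); a parseable but wrong key loads fine and simply decrypts nothing.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# needs_ssldump_password PEMKEY
# 0 if the PEM key is still encrypted, so ssldump needs -p as well as -k.
needs_ssldump_password() {
    grep -q -e 'ENCRYPTED PRIVATE KEY' -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# ssldump_cmd PEMKEY PCAP [PASS]
# Prints the ssldump command line for decrypting a saved capture: -r the
# capture, -k keyfile, -p passphrase, -d decrypted application data,
# -A all record fields, -n no DNS lookups.  ssldump can only decrypt
# sessions that used RSA key exchange; with DHE suites the server key
# never encrypts the session secret, so nothing here will help.
ssldump_cmd() {
    if [ -n "$3" ]; then
        printf 'ssldump -r %s -k %s -p %s -d -A -n\n' "$2" "$1" "$3"
    else
        printf 'ssldump -r %s -k %s -d -A -n\n' "$2" "$1"
    fi
}
```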



RE: create opensll, ssldump keyfile

2002-05-14 Thread Davidson, Stuart

2. when I try using the -k and -p arguments using the iPlanet cert7.db, ssldump gives 
the error:

Problem loading private key
Error: Couldn't create network handler

3. I think I need option (2) but I don't know how to convert the existing iPlanet 
key3.db, cert7.db or Microsoft Enterprise Certificate Authority Server certificates 
to a format which can be read by ssldump.

The ssldump man page specifies an OpenSSL format keyfile but how do I create one? Step 
by step instructions would be great.

Last but not least, any idea why the failed su coincides with 81 byte application_data 
and 20 byte Handshake?

Thanks,
Stuart
 
-Original Message-
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 6:51 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: create opensll, ssldump keyfile