RE: ssl-cert-HOWTO.txt for review
If openssl can generate random data and spit it out in a file then why use a file to begin with? Can't openssl ( tool ) just generate its random data internally and use that? I think that's a lot safer than spitting it out to a file and prevents less problems with the random data getting deleted/viewed.

- Andrew

Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485

-----Original Message-----
From: Marcus Redivo [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 01, 2001 7:14 PM
To: [EMAIL PROTECTED]
Subject: RE: ssl-cert-HOWTO.txt for review

Hello Fiel,

Thanks for the comments.

At 10:45 AM 12/1/01 -0800, Fiel Cabral wrote:
> My suggestion is to include info about the RANDFILE variable. I set
> RANDFILE=$HOME/.rnd in my environment and in the configuration file (the
> default value: $ENV::HOME/.rnd). If .rnd doesn't exist, I just copy a file
> to it (usually a binary file or a random-looking log file).

I did not mention the RANDFILE, and in fact left it out of the example configuration, because I was under the impression that if I had /dev/*random I did not need it. If this is not true, could someone please correct me? Thanks.

Now, the RANDFILE candidate. Using a binary or a log is nowhere near random enough. Fortunately, openssl has a command to create a better random file:

    # openssl rand -out $HOME/.rnd 1024

(Don't send the output to your console unless you add the -base64 switch, unless you like abstract art... ;) )

BTW, I'm on the list now.

Marcus Redivo
The Binary Tool Foundry
PO Box 2087 Stn Main
Sidney BC Canada
mailto:[EMAIL PROTECTED]
http://www.binarytool.com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
RE: ssl-cert-HOWTO.txt for review
Andrew,

openssl is rather a mixer than a generator of random data. No deterministic (ok, stable) program can make something random. To make a random secret one needs some input unavailable to the attacker. /dev/random is internal enough and could be quite a good one.

regards,
Vadim

On Mon, 3 Dec 2001, Andrew Finnell wrote:
> If openssl can generate random data and spit it out in a file then why use
> a file to begin with? Can't openssl ( tool ) just generate its random data
> internally and use that? I think that's a lot safer than spitting it out to
> a file and prevents less problems with the random data getting
> deleted/viewed.
>
> - Andrew
>
> Andrew T. Finnell
> Software Engineer
> eSecurity Inc
> (321) 394-2485
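The seed-file discussion in the two messages above (Fiel copying a binary or a log into $HOME/.rnd, Marcus replacing that with `openssl rand -out $HOME/.rnd 1024`, Andrew's worry about the file being viewed, and Vadim's point that the input must be unavailable to the attacker) can be turned into a small defender's check. The Python script below is an added example, not code from the thread or from OpenSSL; its function names, the 1024-byte and 7.5 bits/byte thresholds, and the log-file sample are this example's own assumptions.

```python
# Added example (not part of the thread): sanity-check a candidate RANDFILE
# seed such as $HOME/.rnd for the two problems raised above: seed material
# copied from a binary or a log file is nowhere near random, and a seed file
# readable by other users leaks the material OpenSSL mixes in. Function names,
# thresholds and the sample inputs are assumptions of this example, not OpenSSL's.
import math
import os
import stat
import tempfile
from collections import Counter


def shannon_entropy_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution, 0.0 .. 8.0 bits/byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_seed_bytes(data: bytes, min_len: int = 1024, min_entropy: float = 7.5) -> list:
    """Return the problems found in seed material (an empty list means it looks fine).

    Defaults are assumptions for this example: at least the 1024 bytes that the
    'openssl rand -out $HOME/.rnd 1024' command above writes, and a byte
    distribution close to uniform. A high score is necessary, not sufficient:
    a compressed binary the attacker can also obtain scores well yet is useless
    as a seed, which is Vadim's point about input unavailable to the attacker.
    """
    problems = []
    if len(data) < min_len:
        problems.append("too short: %d bytes, want at least %d" % (len(data), min_len))
    h = shannon_entropy_bits_per_byte(data)
    if h < min_entropy:
        problems.append("low entropy: %.2f bits/byte, want at least %.2f" % (h, min_entropy))
    return problems


def assess_seed_file(path: str) -> list:
    """Check a seed file's permission bits as well as its contents."""
    problems = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o allows group/other access; chmod 600 it" % stat.S_IMODE(mode))
    with open(path, "rb") as f:
        problems.extend(assess_seed_bytes(f.read()))
    return problems


# Constructed sample of the "random-looking log file" a user might copy to .rnd.
CONSTRUCTED_LOG_SEED = b"".join(
    b"Dec  1 19:14:%02d host sshd[%d]: Accepted publickey for marcus from 10.0.0.%d port 5%04d\n"
    % (i % 60, 2000 + i, i % 254 + 1, i)
    for i in range(40)
)


def demo_on_temp_files() -> dict:
    """Write three candidate seed files and assess each; returns {name: problems}."""
    results = {}
    samples = {
        "log_copied_to_rnd": CONSTRUCTED_LOG_SEED,      # text log, low entropy
        "urandom_world_readable": os.urandom(1024),     # good bytes, bad mode
        "urandom_private": os.urandom(1024),            # good bytes, mode 0600
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, 0o644 if name == "urandom_world_readable" else 0o600)
            results[name] = assess_seed_file(path)
    return results


if __name__ == "__main__":
    for name, problems in demo_on_temp_files().items():
        print(name, "->", problems or ["ok"])
```

Running it reports the log-derived seed as low entropy, the world-readable file as a permissions problem, and the private urandom-filled file as clean. The entropy estimate is a coarse filter for the "copy a log into .rnd" mistake, not a proof of unpredictability; the seed still has to come from a source the attacker cannot read, such as /dev/random, as the reply above says.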
RE: ssl-cert-HOWTO.txt for review
Hello Franck,

I read through your document a couple of times. It looks like you did some research, and the results are good. Your document is much broader in scope than mine. Fortunately, there is not much overlap; you could take the meat of mine and incorporate it into a section of yours. You are welcome to do so.

I will be updating mine over the next couple of weeks to incorporate feedback I have received, so you may want to hold off for the moment. I will advise the list when the revisions are complete.

Regards,
Marcus

-----Original Message-----
From: Franck Martin [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 10:40 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: ssl-cert-HOWTO.txt for review

I have written a certificate HOW-TO that I will submit very soon to LDP. You can find it in the archives of this list. Look for a HOWTO in the subject. There is a PDF attachment to the message.

I requested some comments a few weeks ago and I have received a few that I'm incorporating right now.

I think your work could be included in the HOW-TO I wrote and it will come as a good complement.

Could you please look into the matter and let me know what should be updated.

Thanks.

[EMAIL PROTECTED]
RE: ssl-cert-HOWTO.txt for review
I think this is fine. I just wanted to make sure you agree to the GNU documentation licence. I will hold it for a while until I get results from linuxdoc, then I will submit an update including your text.

Cheers.

On Sun, 2001-12-02 at 13:34, Marcus Redivo wrote:
> Hello Franck,
>
> I read through your document a couple of times. It looks like you did some
> research, and the results are good. Your document is much broader in scope
> than mine. Fortunately, there is not much overlap; you could take the meat
> of mine and incorporate it into a section of yours. You are welcome to do so.
>
> I will be updating mine over the next couple of weeks to incorporate
> feedback I have received, so you may want to hold off for the moment. I
> will advise the list when the revisions are complete.
>
> Regards,
> Marcus
ssl-cert-HOWTO.txt for review
OpenSSL users and developers,

I have struggled with getting certificates in order on my servers, and I have seen others struggle with this too. It became necessary to do a proper job, so I decided I should write up what I had to learn as a HOWTO. I would like to contribute this for posting on www.openssl.org.

But first, I think someone who actually _knows_ what they are doing should review my document; preferably, several people. (Yesterday I couldn't spell SSL...)

So here it is:

    http://www.binarytool.com/ssl-cert-HOWTO.txt

Please, if you have the time, take a look through this and make sure I'm not telling lies or leading people into danger. Send me mail at the address below, as I'm not on the list.

One specific thing I would like to be able to control on the non-CA certificates is the "Any Purpose CA : Yes" attribute; what do I put in the config file to change this to No?

Thanks very much in advance for your input.

Marcus Redivo
The Binary Tool Foundry
http://www.binarytool.com
mailto:[EMAIL PROTECTED]