Re: [9fans] Encoding private RSA key to PEM with p9p
Ok thanks for the help.

I'm trying to use it with 9vx + latest 9front rootfs that already has this patch applied.

I put my client private key into factotum like this:

    % cat client.key.plan9 > /mnt/factotum/ctl

Then I'm trying to dial with tlsclient:

    % tlsclient -D -c client.crt.pem -t ca.crt.pem tcp!127.0.0.1!5640

As you told me, if there is no certificate chain verification, I may better provide the server certificate instead of the CA's:

    % tlsclient -D -c client.crt.pem -t server.crt.pem tcp!127.0.0.1!5640

Is it the right thing to do? I read the man page but I don't get what tlsclient does that allows me to finally mount the fs.

For now, I get the error message "could not negociate acceptable security parameters". I tried disabling client authentication on the server side. Same error message.

Maybe it is because I use the cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA which might not be supported...

2013/12/19 David du Colombier 0in...@gmail.com

> > I think I also need to add the server's CA's certificate, so factotum can check the server identity. Right?
>
> Factotum is meant to store the private keys.
>
> The CA certificate would probably have its place in /sys/lib/tls (in PEM format). However, this is not needed, since the current X.509 implementation in Plan 9 doesn't verify certificate chain.
>
> Also, TLS client authentication isn't currently supported in Plan 9, but you could try Christian Kellermann's implementation.
>
> http://plan9.bell-labs.com/sources/patch/maybe/tls-client-auth/
>
>     hget http://www.9legacy.org/9legacy/patch/tls-client-auth.diff | ape/patch -p0
>
> --
> David du Colombier

--
Jean-André Santoni
Re: [9fans] Encoding private RSA key to PEM with p9p
Thanks, I managed to convert the key this way and added it to factotum.

I think I also need to add the server's CA's certificate, so factotum can check the server identity. Right?

I converted the CA crt to DER like this:

    openssl x509 -in ca.crt.pem -inform PEM -out ca.crt.der -outform DER

Now I'm trying to convert this DER to the factotum format:

    asn12rsa -t 'proto=rsa service=tls owner=*' ca.crt.der > ca.crt.plan9

but asn12rsa complains:

    asn12rsa: couldn't parse asn1 key

2013/12/17 David du Colombier 0in...@gmail.com

> > I tried to do the opposite: generating keys as PEM using linux's openssl, then convert them to plan9 format using pemdecode without success.
>
> You have to convert the key from PEM to DER with OpenSSL, then convert it to the Factotum format using auth/asn12rsa:
>
>     openssl rsa -in key.pem -inform PEM -out key.der -outform DER
>     auth/asn12rsa -t 'proto=rsa service=tls owner=*' key.der > key
>
> --
> David du Colombier

--
Jean-André Santoni
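Why the CA certificate in the message above is rejected while the key converts, as an added Go example that is not part of the thread: it names the ASN.1 structure inside a PEM file, so a certificate or a PKCS#8-wrapped key is caught before it reaches the conversion step. The names `classify` and `sample` are hypothetical, and it is an assumption here that asn12rsa reads the PKCS#1 RSAPrivateKey layout.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// classify names the structure inside the first PEM block of data.
// Assumption: only "rsa-private-key" (PKCS#1) is what asn12rsa can parse.
func classify(data []byte) string {
	block, _ := pem.Decode(data)
	if block == nil {
		return "not PEM"
	}
	if _, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
		return "rsa-private-key"
	}
	if _, err := x509.ParsePKCS8PrivateKey(block.Bytes); err == nil {
		return "pkcs8-private-key"
	}
	if _, err := x509.ParseCertificate(block.Bytes); err == nil {
		return "certificate"
	}
	return "unknown"
}

// sample builds a constructed RSA key and self-signed certificate as PEM.
func sample() (keyPEM, certPEM []byte) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	keyPEM, certPEM := sample()
	fmt.Println("key:", classify(keyPEM), "cert:", classify(certPEM))
}
```

A certificate carries only the public half of the key pair, so there is no private key in it to load into factotum.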
[9fans] Encoding private RSA key to PEM with p9p
Hi,

I'm using golang to code a 9p filesystem on linux. I wish to use srv + factotum + 9pfuse from p9p as client to test the fs.

The server uses TLS with client authentication. Golang tls lib needs keys in PEM format (I think). On the client side, factotum needs the keys in plan9 format.

I have no problem converting the public keys to PEM, using rsa2x509 | pemencode. However, no man page explains how to encode a private key to PEM.

I tried to do the opposite: generating keys as PEM using linux's openssl, then convert them to plan9 format using pemdecode without success.

Any idea?

--
Jean-André Santoni