Re: RSA decrypt problems

2000-05-07 Thread Steve Price

On Sat, 6 May 2000, Kris Kennaway wrote:

# I'm strongly suspecting something wrong with the encoding of the
# certificate. Can you grab dumpasn1.c and dumpasn1.cfg from

[snip]

# Then:
# 
# dumpasn1 file.der

root@bonsai(/usr/local/etc/apache/ssl.key)# dumpasn1 server.key
   0 2D   45: Unknown (Reserved) {
   2 2D   45:   Unknown (Reserved) {
   4 2D   66: Unknown (Reserved) {
   6 45   71:   [APPLICATION 5]
: 'IN RSA PRIVATE KEY-.MIICXgIBAAKBgQC554Ro+VH0'
: 'dJONqljPBW+C72MDNGNy9eX'
Error: Inconsistent object length, 7 bytes difference.
:   }
Error: Inconsistent object length, 30 bytes difference.
: }
Error: Inconsistent object length, 32 bytes difference.
:   }

0 warnings, 3 errors.

I get similar errors with server.crt.

-steve



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: RSA decrypt problems

2000-05-07 Thread Doug Barton

Steve Price wrote:
 
> On Fri, 5 May 2000, Kris Kennaway wrote:
>
> # I'm suspecting it might be something missing in the ASN.1 encoding of the
> # certificate, which netscape requires but IE permits. This would be
> # consistent with a missing openssl.cnf file at the time of certificate
> # generation. Could one of you try copying the openssl.cnf file from
> # crypto/openssl/apps/ to /etc/ssl (editing as appropriate) and see if that
> # fixes it (i.e. make a new certificate and test it in the same way)?
>
> It didn't help here.  I rebuilt the port and re-installed from
> a clean WRKDIR and I get the same error message.  If I do a
> 'make certificate', copy those files over, and try to start
> apache it just hangs indefinitely until I ^C it.  After I kill
> it I see this in the apache error logs.
>
> [error] mod_ssl: Init: Private key not found (OpenSSL library
>  error follows)
> [error] OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:
> header too long
>
> Methinks it has something to do with key generation as well, but
> I'll be darned if I know what.

Ok, here are some silly questions. Did you create a private key for
this server, did you encrypt your cert with it, and is that .key file
pointed to in your httpd.conf config file? SSLCertificateKeyFile is what
you're looking for. http://www.modssl.org/related/ has some really good
resources for this, and their FAQ has step by step instructions for
creating and testing keys and certs that may help you track down where
in the process it's getting lost. 

Also, did you install the openssl port, or are you using the openssl
that is part of the base in 4.0+? I vaguely remember you saying that you
were using the port. If so, cd to /usr/local/openssl and cp
openssl.cnf.sample to openssl.cnf. 

I'm currently hip deep in certificate generation problems myself, so I
sympathize with your plight there Steve. Kris, I was going to let you
know about the openssl.cnf problem, but I wanted to wait till I had more
data. But, since the cat's out of the bag here, yes, we do need an
openssl.cnf file in /etc/ssl for the system version. I attached a patch
(not that you couldn't have done it yourself...). The only problem with
this is that from the mergemaster standpoint, there is no $FreeBSD/$Id
tag in that file. mm will still work (doing a complete comparison with
diff) but it speeds things up and hides local mods if there is a CVS
tag. 

HTH,

Doug
-- 
"Live free or die"
- State motto of my ancestral homeland, New Hampshire

Do YOU Yahoo!?

Index: Makefile
===
RCS file: /usr/ncvs/src/etc/Makefile,v
retrieving revision 1.221
diff -u -r1.221 Makefile
--- Makefile2000/04/15 16:48:41 1.221
+++ Makefile2000/05/07 19:20:41
@@ -26,6 +26,10 @@
${.CURDIR}/../crypto/openssh/sshd_config
 .endif
 
+.if exists(${.CURDIR}/../crypto)  !defined(NO_OPENSSL)
+SSL=   ${.CURDIR}/../crypto/openssl/apps/openssl.cnf
+.endif
+
 # -rwxr-xr-x root.wheel, for the new cron root.wheel
 BIN2=  netstart pccard_ether rc.suspend rc.resume
 
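Review bot: the guard on the new SSL= assignment only tests exists(${.CURDIR}/../crypto), while the variable points at ../crypto/openssl/apps/openssl.cnf. A source tree that has crypto/ but not the openssl subtree would still define SSL with a path that is not there, and the install step under the same condition would then fail. Testing for the file itself, for example exists(${.CURDIR}/../crypto/openssl/apps/openssl.cnf), ties the condition to what actually gets installed. The covering message notes that this file has no $FreeBSD/$Id tag; a comment next to SSL= recording that would help whoever later wonders why mergemaster falls back to a full diff for it.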
@@ -76,6 +80,10 @@
 .if exists(${.CURDIR}/../crypto)  !defined(NO_OPENSSH)
(cd ${.CURDIR}; ${INSTALL} -c -o ${BINOWN} -g ${BINGRP} -m 644 ${SSH} \
${DESTDIR}/etc/ssh )
+.endif
+.if exists(${.CURDIR}/../crypto)  !defined(NO_OPENSSL)
+   (cd ${.CURDIR}; ${INSTALL} -c -o ${BINOWN} -g ${BINGRP} -m 644 ${SSL} \
+   ${DESTDIR}/etc/ssl )
 .endif
 .if !defined(NO_MAKEDEV)
(cd ${DESTDIR}/dev; sh MAKEDEV all)
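Review bot: the added install line targets ${DESTDIR}/etc/ssl, and nothing in this hunk makes sure that directory exists. If it is missing, install -c writes a regular file named ssl rather than placing openssl.cnf inside a directory. Please confirm that /etc/ssl is created before this step runs (the /etc/ssh line above makes the same assumption), or create it here before the copy.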



Re: RSA decrypt problems

2000-05-07 Thread Steve Price

On Sun, 7 May 2000, Doug Barton wrote:

#   Ok, here are some silly questions. Did you create a private key for
# this server, did you encrypt your cert with it, and is that .key file
# pointed to in your httpd.conf config file? SSLCertificateKeyFile is what
# you're looking for. http://www.modssl.org/related/ has some really good
# resources for this, and their FAQ has step by step instructions for
# creating and testing keys and certs that may help you track down where
# in the process it's getting lost. 

I did create a key for my server with the following command

ssh-keygen -f /etc/ssh/ssh_host_key

I didn't encrypt a cert with it.  This is on a test box and
up until a few days ago the only steps I ever had to take
were to install one of the apache13-*ssl ports, crank up apache,
and it just worked.  Of course this could be where I've gone
astray, as it appears this no longer works. :)  I've been using
the 'Snake Oil' certs that come with these ports up until now,
since the box is behind a firewall and not in production yet.

#   Also, did you install the openssl port, or are you using the openssl
# that is part of the base in 4.0+? I vaguely remember you saying that you
# were using the port. If so, cd to /usr/local/openssl and cp
# openssl.cnf.sample to openssl.cnf. 

I'm not using the port.  I'm using the bits that come with
-current (and 4.0 on another box).  At Kris' suggestion I
did copy over an /etc/ssl/openssl.cnf file but that didn't
seem to help with the problem I'm having. :(

Thanks.

-steve






Re: RSA decrypt problems

2000-05-07 Thread Kris Kennaway

On Sun, 7 May 2000, Steve Price wrote:

> # Then:
> #
> # dumpasn1 file.der
>
> root@bonsai(/usr/local/etc/apache/ssl.key)# dumpasn1 server.key

Nope, this is the .pem-encoded version. You need to decode it to .der
using:

openssl asn1parse -in server.key -out server.der

before running dumpasn1 on it.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]
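
The dumpasn1 output earlier in the thread can be reproduced by reading the PEM armor bytes as if they were DER headers. The following is an added example, not code from the thread or from dumpasn1: the sample key is a constructed 9-byte structure, and the function names are hypothetical.

```python
import base64
from collections import namedtuple

# Constructed sample, not a real key: a 9-byte DER SEQUENCE of two INTEGERs,
# wrapped in PEM armor the way an unencrypted server.key sits on disk.
SAMPLE_DER = bytes.fromhex("3007020100020200c3")
SAMPLE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END RSA PRIVATE KEY-----\n")

Header = namedtuple("Header", "offset tag cls constructed number length fits")
CLASSES = ("UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE")


def read_header(buf, off):
    """Decode one identifier octet and length at `off`: (tag, length, header_len)."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is not handled here")
    if first < 0x80:                  # short form: the byte is the length
        return tag, first, 2
    n = first & 0x7F                  # long form: the next n bytes are the length
    if n == 0 or off + 2 + n > len(buf):
        raise ValueError("indefinite or truncated length")
    return tag, int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n


def walk_headers(buf, limit=8):
    """Follow TLV headers from offset 0, descending into constructed objects
    as an ASN.1 dumper does, until a primitive object or `limit` headers."""
    out, off, end = [], 0, len(buf)
    while off < len(buf) and len(out) < limit:
        tag, length, hlen = read_header(buf, off)
        obj_end = off + hlen + length
        constructed = bool(tag & 0x20)
        # fits: does this object end inside the innermost enclosing object?
        out.append(Header(off, tag, CLASSES[tag >> 6], constructed,
                          tag & 0x1F, length, obj_end <= end))
        if not constructed:
            break
        off, end = off + hlen, min(end, obj_end)
    return out


def pem_to_der(pem):
    """Strip the armor lines and base64-decode the body (unencrypted PEM only)."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith(b"-----")]
    return base64.b64decode(b"".join(body), validate=True)


if __name__ == "__main__":
    for label, data in (("PEM read as DER", SAMPLE_PEM),
                        ("decoded DER", pem_to_der(SAMPLE_PEM))):
        print(label)
        for h in walk_headers(data):
            brace = " {" if h.constructed else ""
            note = "" if h.fits else "   <- overruns its parent"
            print(f"  {h.offset:3d} {h.tag:02X} {h.length:4d}: "
                  f"{h.cls} {h.number}{brace}{note}")
```

The first four headers of the PEM walk are the '-' (0x2D), 'B', 'E' and 'G' bytes of the armor line, which is where the `2D 45`, `2D 66` and `[APPLICATION 5]` entries in the dumpasn1 output come from.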






Re: RSA decrypt problems

2000-05-07 Thread Doug Barton

Steve Price wrote:
 
> On Sun, 7 May 2000, Doug Barton wrote:
>
> #   Ok, here are some silly questions. Did you create a private key for
> # this server, did you encrypt your cert with it, and is that .key file
> # pointed to in your httpd.conf config file? SSLCertificateKeyFile is what
> # you're looking for. http://www.modssl.org/related/ has some really good
> # resources for this, and their FAQ has step by step instructions for
> # creating and testing keys and certs that may help you track down where
> # in the process it's getting lost.
>
> I did create a key for my server with the following command
>
> ssh-keygen -f /etc/ssh/ssh_host_key

Errr... that's for ssh only.

> I didn't encrypt a cert with it.  This is on a test box and
> up until a few days ago the only steps I ever had to take
> were to install one of the apache13-*ssl ports, crank up apache,
> and it just worked.  Of course this could be where I've gone
> astray, as it appears this no longer works. :)

I'm not familiar with those ports, so I can't speak intelligently about
them, however I've looked over the mod_ssl stuff, and they have
pre-configured a whole certificate authority chain with the snake oil
stuff so that you can test your installation of the binary(ies).
However, that does you a disservice down the road when you have to do it
for real.

> #   Also, did you install the openssl port, or are you using the openssl
> # that is part of the base in 4.0+? I vaguely remember you saying that you
> # were using the port. If so, cd to /usr/local/openssl and cp
> # openssl.cnf.sample to openssl.cnf.
>
> I'm not using the port.  I'm using the bits that come with
> -current (and 4.0 on another box).  At Kris' suggestion I
> did copy over an /etc/ssl/openssl.cnf file but that didn't
> seem to help with the problem I'm having. :(

Well, it'll help, but you have to get down the road a bit before you
notice how it helps you. :) Take a look at
http://www.modssl.org/docs/2.6/ssl_faq.html#ToC28 which describes the
process of creating real certificates. If this is to be a "real" secure
server that will be visible on the internet, you'll want to follow those
instructions pretty much to the letter (assuming you're using mod_ssl,
or one of its ports). 

The way x509 works for secure servers is that you first create a "key"
that is your server's unique signature. This is similar to the identity
files created with ssh-keygen. Then you create a certificate that
contains what is essentially your public key (actually a combination of
your certificate's public key and your identity key's public part). You
sign this certificate with your server's identity key, then send it to a
certificate authority (read, "Verisign") which signs the certificate
with its public key. Then you install the doubly signed certificate. The
client browser is able to use the information in your certificate to A)
confirm with the CA that your certificate really came from you, B)
encrypt an offer of a session key/cipher for that session, and C)
decrypt your acceptance of that offer. I'm oversimplifying this a bit,
hopefully you get the idea. There is more info on the web pages I sent
in my previous e-mail. 

HTH,

Doug
-- 
"Live free or die"
- State motto of my ancestral homeland, New Hampshire




Re: RSA decrypt problems

2000-05-06 Thread Kris Kennaway

On Sat, 6 May 2000, Louis A. Mamakos wrote:

> Just curious, but is there any documentation installed that describes
> what the contents of the file look like?  I went on a hunt for this
> recently, and found precious little documentation on openssl provided
> with the system.

The sample file is in /usr/src/crypto/openssl/apps/openssl.cnf - that's
about all there is in the way of documentation about that file.

As I noted in another response, OpenSSL manpages exist in
crypto/openssl/docs/{crypto,ssl} but we don't install them yet because
they conflict with system manpages and I'm waiting for the OpenSSL team to
fix them.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: RSA decrypt problems

2000-05-06 Thread Steve Price

On Sat, 6 May 2000, Garrett Wollman wrote:

# I've had this problem with recent values of OpenSSL since last
# November.  I haven't gotten around to playing with permutations of the
# openssl.cnf file yet.  I tried my site certificate on various versions
# of Netscape and Exploder, and all of them failed in a similar manner,
# but `openssl s_client' worked just fine, and all the other clients
# failed identically against `openssl s_server'.  I sent a note about
# this to the OpenSSL mailing-list, and did not receive a single
# relevant response.

So what do you use as a workaround?  The openssl port?  The old
SSLeay port?  Would using DSA instead of RSA make matters better?

-steve






Re: RSA decrypt problems

2000-05-06 Thread Kris Kennaway

On Sat, 6 May 2000, Garrett Wollman wrote:

> I've had this problem with recent values of OpenSSL since last
> November.  I haven't gotten around to playing with permutations of the

I'm strongly suspecting something wrong with the encoding of the
certificate. Can you grab dumpasn1.c and dumpasn1.cfg from

http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
and http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.cfg

and run it on the old and new certificates to see if anything is
different?

To convert the Cert to DER:

openssl asn1parse -in file.pem -out file.der

Then:

dumpasn1 file.der

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]








Re: RSA decrypt problems

2000-05-06 Thread Kris Kennaway

On Sat, 6 May 2000, Kris Kennaway wrote:

> http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c
> and http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.cfg

I've made these into a port, so you can just install the
converters/dumpasn1 port and save the minor trouble of editing the stupid
^Z out of the .c file and compiling it :-)

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: RSA decrypt problems

2000-05-05 Thread Kris Kennaway

On Fri, 5 May 2000, Steve Price wrote:

> [Fri May 5 20:46:19 2000] [error] OpenSSL: error:1E06D401:RSAref
> routines:func(109) :reason(1025)

You can interpret these error codes by looking up the defines in
openssl/rsaref.h - for example, these two are:

#define RSAREF_F_RSA_REF_PRIVATE_DECRYPT 109
#define RSAREF_R_DATA 0x0401

which doesn't tell you much in itself. However:

> Doing 2048 bit private rsa's for 10s: RSA private encrypt failure
> 14674:error:1E065406:RSAref routines:func(101) :reason(1030):/usr/src/secure/lib/librsausa/../../../crypto/openssl/crypto/../rsaref/rsaref.c:125:
> 14674:error:1E065406:RSAref routines:func(101) :reason(1030):/usr/src/secure/lib/librsausa/../../../crypto/openssl/crypto/../rsaref/rsaref.c:125:
> 1 2048 bit private RSA's in 0.00s

#define RSAREF_F_RSAREF_BN2BIN   101
#define RSAREF_R_LEN 0x0406

RSARef can't handle keys > 1024 bits long. This is a design limitation
which the license forbids us from fixing.

Does your webserver use a long key?

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]
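
The lookup described in this message can be done mechanically from the eight hex digits of each error line. The following is an added example, not code from the thread or from OpenSSL: it assumes the 8-bit library / 12-bit function / 12-bit reason packing used by OpenSSL releases of that period, and the function name `decode_line` is hypothetical.

```python
import re

# Names copied from the openssl/rsaref.h defines quoted in the thread; codes
# that are not quoted there are reported with the text from the log line.
RSAREF_FUNCS = {109: "RSAREF_F_RSA_REF_PRIVATE_DECRYPT",
                101: "RSAREF_F_RSAREF_BN2BIN"}
RSAREF_REASONS = {0x0401: "RSAREF_R_DATA", 0x0406: "RSAREF_R_LEN"}

# Error lines from the messages in this thread, with wrapped lines rejoined.
SAMPLE_LINES = [
    "[Fri May 5 20:46:19 2000] [error] OpenSSL: error:1E06D401:RSAref "
    "routines:func(109) :reason(1025)",
    "14674:error:1E065406:RSAref routines:func(101) :reason(1030):"
    "/usr/src/secure/lib/librsausa/../../../crypto/openssl/crypto/"
    "../rsaref/rsaref.c:125:",
    "[error] OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:"
    " header too long",
]

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")
NUM_RE = re.compile(r"\s*(?:func|reason)\((\d+)\)")


def decode_line(line):
    """Split the packed 32-bit code of one OpenSSL error line into its fields.

    Assumed layout (OpenSSL releases of that period): 8-bit library, 12-bit
    function, 12-bit reason. OpenSSL 3.0 and later pack the code differently.
    """
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    func_txt, reason_txt = m.group(3).strip(), m.group(4).strip()
    f_num, r_num = NUM_RE.match(func_txt), NUM_RE.match(reason_txt)
    # When the error strings are not loaded, the text carries func(N) and
    # reason(N); check them against the hex code rather than trusting either.
    consistent = None
    if f_num and r_num:
        consistent = (int(f_num.group(1)), int(r_num.group(1))) == (func, reason)
    is_rsaref = "rsaref" in m.group(2).lower()
    return {
        "lib": lib, "func": func, "reason": reason,
        "lib_text": m.group(2).strip(),
        "func_name": RSAREF_FUNCS.get(func, func_txt) if is_rsaref else func_txt,
        "reason_name": (RSAREF_REASONS.get(reason, reason_txt)
                        if is_rsaref else reason_txt),
        "consistent": consistent,
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = decode_line(line)
        print(f"lib=0x{d['lib']:02X} func={d['func']} reason=0x{d['reason']:04X}"
              f"  {d['func_name']} / {d['reason_name']}")
```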






Re: RSA decrypt problems

2000-05-05 Thread Forrest Aldrich

FWIW, I've had a weird (perhaps related) problem, only in the
reverse.   After creating a certificate (ie: 'make certificate' in
apache), I was unable to connect to the server from a Netscape
4.72 browser.  It only told me there was a decryption error in the
apache logs.


?


On Fri, May 05, 2000 at 08:10:27PM -0700, Kris Kennaway wrote:
> On Fri, 5 May 2000, Steve Price wrote:
>
> > [Fri May 5 20:46:19 2000] [error] OpenSSL: error:1E06D401:RSAref
> > routines:func(109) :reason(1025)
>
> You can interpret these error codes by looking up the defines in
> openssl/rsaref.h - for example, these two are:
>
> #define RSAREF_F_RSA_REF_PRIVATE_DECRYPT 109
> #define RSAREF_R_DATA 0x0401
>
> which doesn't tell you much in itself. However:
>
> > Doing 2048 bit private rsa's for 10s: RSA private encrypt failure
> > 14674:error:1E065406:RSAref routines:func(101) :reason(1030):/usr/src/secure/lib/librsausa/../../../crypto/openssl/crypto/../rsaref/rsaref.c:125:
> > 14674:error:1E065406:RSAref routines:func(101) :reason(1030):/usr/src/secure/lib/librsausa/../../../crypto/openssl/crypto/../rsaref/rsaref.c:125:
> > 1 2048 bit private RSA's in 0.00s
>
> #define RSAREF_F_RSAREF_BN2BIN   101
> #define RSAREF_R_LEN 0x0406
>
> RSARef can't handle keys > 1024 bits long. This is a design limitation
> which the license forbids us from fixing.
>
> Does your webserver use a long key?
>
> Kris
>
>
> In God we Trust -- all others must submit an X.509 certificate.
> -- Charles Forsythe [EMAIL PROTECTED]
 
 
 



Re: RSA decrypt problems

2000-05-05 Thread Forrest Aldrich

I understand, from private correspondence, that OpenSSH will have
SSH2 protocol support, thus allowing people to not use RSA.  Can
someone confirm as it applies to use on FreeBSD. 

I personally find the RSARef licensing to be a sham, in the light
of everything else on the internet, and would rather not have to
use it.  But SSH1 requires it in the protocol.

_F






Re: RSA decrypt problems

2000-05-05 Thread Kris Kennaway

On Fri, 5 May 2000, Forrest Aldrich wrote:

> I understand, from private correspondence, that OpenSSH will have
> SSH2 protocol support, thus allowing people to not use RSA.  Can
> someone confirm as it applies to use on FreeBSD.

It's being developed in the current version of OpenSSH. I'll probably
update to a more recent snapshot soon - I got a message from Markus Friedl
confirming it should be stable enough to update to.

> I personally find the RSARef licensing to be a sham, in the light
> of everything else on the internet, and would rather not have to
> use it.  But SSH1 requires it in the protocol.

Roll on September 20! :-)

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]







Re: RSA decrypt problems

2000-05-05 Thread Steve Price

On Fri, 5 May 2000, Kris Kennaway wrote:

# #define RSAREF_F_RSAREF_BN2BIN   101
# #define RSAREF_R_LEN 0x0406
# 
# RSARef can't handle keys > 1024 bits long. This is a design limitation
# which the license forbids us from fixing.
# 
# Does your webserver use a long key?

Nope.  I generated the key with 'make certificate' on the
apache13-php4 port.  Here's what openssl says about the key.

% openssl rsa -noout -text -in server.key | grep bit
Private-Key: (1024 bit)
% 

I'm beginning to wonder if it isn't something that has changed
in the ports.  My problems started when I pkg_delete'd the
apache13-modssl port to install the apache13-php4 port with modssl
support so that I could play around with php4.  It worked before
I did this.  Even now if I go back to the port without php4
support it doesn't work. :(

-steve






Re: RSA decrypt problems

2000-05-05 Thread Steve Price

On Fri, 5 May 2000, Forrest Aldrich wrote:

# FWIW, I've had a weird (perhaps related) problem, only in the
# reverse.   After creating a certificate (ie: 'make certificate' in
# apache), I was unable to connect to the server from a Netscape
# 4.72 browser.  It only told me there was a decryption error in the
# apache logs.

I see the same thing in my apache error logs so it probably
is related.  Did you by chance try another browser and did
it work?

-steve






Re: RSA decrypt problems

2000-05-05 Thread Kris Kennaway

On Fri, 5 May 2000, Steve Price wrote:

> Nope.  I generated the key with 'make certificate' on the
> apache13-php4 port.  Here's what openssl says about the key.
>
> % openssl rsa -noout -text -in server.key | grep bit
> Private-Key: (1024 bit)
> %

It sounds like something is broken with the certificate generation. I
wonder if it could have to do with the fact that we currently don't
install an openssl.cnf (my oversight, pointed out by rwatson yesterday),
since that's where openssl looks for parameters when generating keys.

> I'm beginning to wonder if it isn't something that has changed
> in the ports.  My problems started when I pkg_delete'd the
> apache13-modssl port to install the apache13-php4 port with modssl
> support so that I could play around with php4.  It worked before
> I did this.  Even now if I go back to the port without php4
> support it doesn't work. :(

How long ago was the previous port built? Do you still have the openssl
port installed, if it was built against that?

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: RSA decrypt problems

2000-05-05 Thread Forrest Aldrich

Duh :)  It didn't occur to me to try another browser:

Okay, I just did, using MS Explorer 5 and it worked with no problems.
So, this is related to Netscape-4.72.  But is it a bug on their part,
or something else?


Forrest

On Fri, May 05, 2000 at 10:49:04PM -0500, Steve Price wrote:
> On Fri, 5 May 2000, Forrest Aldrich wrote:
>
> # FWIW, I've had a weird (perhaps related) problem, only in the
> # reverse.   After creating a certificate (ie: 'make certificate' in
> # apache), I was unable to connect to the server from a Netscape
> # 4.72 browser.  It only told me there was a decryption error in the
> # apache logs.
>
> I see the same thing in my apache error logs so it probably
> is related.  Did you by chance try another browser and did
> it work?
>
> -steve
 





Re: RSA decrypt problems

2000-05-05 Thread Kris Kennaway

On Fri, 5 May 2000, Forrest Aldrich wrote:

> Okay, I just did, using MS Explorer 5 and it worked with no problems.
> So, this is related to Netscape-4.72.  But is it a bug on their part,
> or something else?

I'm suspecting it might be something missing in the ASN.1 encoding of the
certificate, which netscape requires but IE permits. This would be
consistent with a missing openssl.cnf file at the time of certificate
generation. Could one of you try copying the openssl.cnf file from
crypto/openssl/apps/ to /etc/ssl (editing as appropriate) and see if that
fixes it (i.e. make a new certificate and test it in the same way)?

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: RSA decrypt problems

2000-05-05 Thread Steve Price

On Fri, 5 May 2000, Kris Kennaway wrote:

# I'm suspecting it might be something missing in the ASN.1 encoding of the
# certificate, which netscape requires but IE permits. This would be
# consistent with a missing openssl.cnf file at the time of certificate
# generation. Could one of you try copying the openssl.cnf file from
# crypto/openssl/apps/ to /etc/ssl (editing as appropriate) and see if that
# fixes it (i.e. make a new certificate and test it in the same way)?

It didn't help here.  I rebuilt the port and re-installed from
a clean WRKDIR and I get the same error message.  If I do a
'make certificate', copy those files over, and try to start
apache it just hangs indefinitely until I ^C it.  After I kill
it I see this in the apache error logs.

[error] mod_ssl: Init: Private key not found (OpenSSL library
 error follows)
[error] OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:
header too long

Methinks it has something to do with key generation as well, but
I'll be darned if I know what.

-steve






Re: RSA decrypt problems

2000-05-05 Thread Steve Price

On Fri, 5 May 2000, Kris Kennaway wrote:

# How long ago was the previous port built?

From the best I can remember it was sometime early to middle of
March.

# Do you still have the openssl
# port installed, if it was built against that?

Nope.

-steve






Re: RSA decrypt problems

2000-05-05 Thread Kris Kennaway

On Fri, 5 May 2000, Steve Price wrote:

> It didn't help here.  I rebuilt the port and re-installed from
> a clean WRKDIR and I get the same error message.  If I do a
> 'make certificate', copy those files over, and try to start
> apache it just hangs indefinitely until I ^C it.  After I kill
> it I see this in the apache error logs.

It's not clear that you installed the openssl.cnf file before making the
cert - can you confirm?

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: RSA decrypt problems

2000-05-05 Thread Steve Price

On Fri, 5 May 2000, Kris Kennaway wrote:

# It's not clear that you installed the openssl.cnf file before making the
# cert - can you confirm?

Yes I did.  I put it in /etc/ssl as you suggested.

-steve


