how to merge multiple public domain certs into one file?
Hi... I've been struggling with how to concatenate multiple public domain certs into one .crt file. Basically, I have 5 SSL virtual host domains running on 1 Apache httpd server, and each host has a separate GeoTrust domain certificate. Instead of having 5 individual public *.crt files, is there any way to merge them together into 1 file? Any information would be much appreciated.

Thanks in advance,
Michael
Re: how to merge multiple public domain certs into one file?
I didn't think it possible to serve multiple virtual SSL domains from one Apache instance (on the same IP, at least). I suppose if you use different IP numbers this constraint goes away. Has something changed about Apache in this regard?

Then, you have the matter of: if each virtual SSL domain setup must reference its own cert(s), how would this be accomplished if all your certs, for all domains, were consolidated into one big file?

Lou Picciano

----- Original Message -----
From: M C migua...@gmail.com
To: openssl-users@openssl.org
Sent: Saturday, November 14, 2009 12:56:09 PM GMT -05:00 US/Canada Eastern
Subject: how to merge multiple public domain certs into one file?

> [Michael's original message, quoted in full; see the first message above.]
Re: About Crypto Library usage and...
Hi,

OpenSSL can definitely be used to implement a port of Crypto API under Linux, but I advise you to take a look at Winelib from the Wine project (http://www.winehq.org/winelib). They have implemented, among other things, the whole set of Crypto API functions along with MS CSPs. Although it's not based on OpenSSL (they use LibTomCrypt and GnuTLS), it's very stable and easy to use in order to port existing Crypto API code.

In order to show this, I have written a CryptAPI sample that performs RSA key generation, hashing and signature computation, along with the Linux makefile that lets you compile it using Winelib. You can get it from the following link: http://www.idrix.fr/Root/Samples/capi_wine.tar.gz (just type make after decompressing).

Under Debian, you get Winelib by typing apt-get install libwine-dev, and under Ubuntu you have to type apt-get install wine-dev.

I hope this will help.

Cheers
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

Gaurav Kumar wrote:
> Hi,
> I want to port a few MS Crypto APIs to Linux. Here are the APIs which I want to port:
> CryptSetKeyParam
> CryptDecrypt
> CryptEncrypt
> CryptGetKeyParam
> CryptHashData
> CryptCreateHash
> I want to use the same parameters used for encryption and decryption on Windows. For e.g. CryptDecrypt uses parameters:
> hkey --- key to use for the decryption.
> hHash --- hash handle, MD5 or SHA1.
> dwFlag --- for padding.
> pbData --- data to decrypt.
> pdwDatalength --- size of data to decrypt.
> Can this be possible using the Crypto Library? Which Crypto APIs in Linux use a key, MD5 or SHA1 and padding to decrypt and encrypt the data?
> Thanks,
> Gaurav

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: how to merge multiple public domain certs into one file?
Hi,

Unless I'm misunderstanding things, you *can*, by using ServerName inside each of the VirtualHost sections:

http://httpd.apache.org/docs/2.0/vhosts/name-based.html

Jim

Lou Picciano loupicci...@comcast.net wrote:
> [Lou's reply and Michael's original message, quoted in full; see above.]
Re: Accessing PBKDF2 from command line
On Sun, 15 Nov 2009 21:44:55 -0500 Victor Duchovni victor.ducho...@morganstanley.com wrote:
|
| Subject: Re: Encapsulation of AES_KEY
| Date: 2009-11-11 18:49:38
|
| The problem is the openssl command does not make this function available
| either directly as a password to key+IV converter, or as part of its
| file encryption method, for use from the CLI.
|
| The enc(1) command uses EVP_BytesToKey(), which would have been good
| enough in most applications, if the iteration count were high enough,
| or configurable.
|
| Thus, unless I'm misreading the code, the solution is to use a strong
| pass-phrase, or code up your own tool that uses PBKDF2, with as high
| an iteration count as is practical within your latency and CPU cost bounds.

Which I did. :-)

| Breaking backwards compatibility with already encrypted files is not
| a good option, so any new key-derivation mode for enc(1) would have
| to be switched on via new, non-default flags.

But didn't enc(1) break that compatibility!

At one point the default for 'enc' was to use '-nosalt', which does not have any file 'magic' included. At least that was what the manpages say is the default!!! But when I started to work with it I found the default is to use '-salt'. That is, the file format is

 * 'Salted__' magic string
 * 8 bytes of random salt
 * encrypted data

Similarly, I found many other references to the change in the openssl encrypted file generation.

The iteration count (ic) defaults to 1, with no options from the command line to change this count. Nor does it seem to store the count in the file, something that would be necessary.

So I decided to do my own pass-phrase to key stage. But I found the openssl command deficient here too. You can specify alternative sources for the password, but a user-derived key and IV for direct data encryption can only be given on the command line (VERY bad for security). These should at least be able to be read from file descriptors, like pass-phrases can.

Salt and counts don't need this as they are public data. But Key and IV are not, and alternative input methods other than hex digit arguments are a must.

In summary, the openssl command is deficient.

 * You can't create an encrypted file that includes an ic.
 * You can't even specify the ic for the encryption (it is just 1).
 * You can't pass Key and IV other than as command line arguments!
   (making them visible in process listings!)
 * You can't even use the openssl command to just do the basic conversion of
     pass-phrase + salt + count  --TO-  key + IV
   perhaps with options for base64 or base16 (hexadecimal) output,
   for either PBKDF 1.5 using EVP_BytesToKey() or for PBKDF 2 using
   PKCS5_PBKDF2_HMAC_SHA1().

This was my finding during my last phase of development as an application programmer.

  Anthony Thyssen ( System Programmer )    a.thys...@griffith.edu.au
 --
   Out testing new time machine. Be back yesterday!
 --
     Anthony's Home is his Castle     http://www.cit.gu.edu.au/~anthony/
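The two derivations Anthony and Victor compare, written out as an added example that is not part of the thread or of OpenSSL's code: EVP_BytesToKey() as enc(1) uses it (MD5, iteration count 1, the "Salted__" + 8-byte-salt layout with no place to store a count), and PKCS5_PBKDF2_HMAC_SHA1() with a configurable count. Everything here is Python standard library; the password, salt and ciphertext values are constructed, and the function names, the 32/16-byte aes-256-cbc sizes and the timing helper are this example's own choices, not an enc(1) interface.

```python
# Added example (not from the thread): the two password-to-key+IV derivations
# the messages compare, plus the "Salted__" file layout that enc(1) writes.
# Standard library only; the salts, passwords and ciphertext are constructed.
import hashlib
import time

SALT_MAGIC = b"Salted__"          # 8-byte magic that enc(1) writes with -salt
AES256_KEY_LEN = 32               # aes-256-cbc key size in bytes
CBC_IV_LEN = 16                   # AES block size = CBC IV size


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md: str = "md5", count: int = 1):
    """Re-implementation of OpenSSL's EVP_BytesToKey() (PKCS#5 v1.5 style).

    D_1 = H^count(password || salt), D_i = H^count(D_{i-1} || password || salt);
    the concatenation D_1 || D_2 || ... is cut into key and IV.  enc(1) calls
    this with md5 and count=1, so one guess costs a handful of MD5 blocks.
    """
    if salt and len(salt) != 8:
        raise ValueError("EVP_BytesToKey salt must be empty or exactly 8 bytes")
    material = b""
    prev = b""
    while len(material) < key_len + iv_len:
        block = prev + password + salt
        for _ in range(count):          # `count` hash rounds in total; enc(1) uses 1
            block = hashlib.new(md, block).digest()
        material += block
        prev = block
    return material[:key_len], material[key_len:key_len + iv_len]


def pbkdf2_key_iv(password: bytes, salt: bytes, key_len: int, iv_len: int,
                  iterations: int):
    """PKCS5_PBKDF2_HMAC_SHA1() equivalent: one derivation yields key || IV."""
    material = hashlib.pbkdf2_hmac("sha1", password, salt, iterations,
                                   dklen=key_len + iv_len)
    return material[:key_len], material[key_len:key_len + iv_len]


def split_salted_file(blob: bytes):
    """Parse the enc(1) -salt layout: 'Salted__' | 8-byte salt | ciphertext.

    There is no field for an iteration count, which is the compatibility
    problem the thread discusses: a reader cannot tell how the key was derived.
    """
    if len(blob) < 16 or not blob.startswith(SALT_MAGIC):
        raise ValueError("not an OpenSSL 'Salted__' file")
    return blob[8:16], blob[16:]


def build_salted_file(salt: bytes, ciphertext: bytes) -> bytes:
    if len(salt) != 8:
        raise ValueError("salt must be exactly 8 bytes")
    return SALT_MAGIC + salt + ciphertext


def legacy_key_iv_for_file(password: bytes, blob: bytes):
    """Key/IV that enc(1) derives for an aes-256-cbc file (md5, count 1)."""
    salt, body = split_salted_file(blob)
    key, iv = evp_bytes_to_key(password, salt, AES256_KEY_LEN, CBC_IV_LEN)
    return key, iv, body


def iterations_for_budget(password: bytes, salt: bytes, seconds: float,
                          probe: int = 20000) -> int:
    """Pick a PBKDF2 count whose cost is about `seconds` on this machine
    (Victor's 'as high as is practical within your latency bounds')."""
    start = time.perf_counter()
    pbkdf2_key_iv(password, salt, AES256_KEY_LEN, CBC_IV_LEN, probe)
    elapsed = time.perf_counter() - start
    return max(probe, int(probe * seconds / max(elapsed, 1e-9)))


if __name__ == "__main__":
    salt = bytes(range(8))          # constructed salt; real code uses os.urandom(8)
    k1, iv1 = evp_bytes_to_key(b"correct horse", salt, AES256_KEY_LEN, CBC_IV_LEN)
    k2, iv2 = pbkdf2_key_iv(b"correct horse", salt, AES256_KEY_LEN, CBC_IV_LEN, 100000)
    print("EVP_BytesToKey (md5, count=1) key:", k1.hex())
    print("PBKDF2-HMAC-SHA1 (100000 it.) key:", k2.hex())
    print("iterations for ~0.1 s on this host:", iterations_for_budget(b"x", salt, 0.1))
```

Running the script shows the two key derivations side by side; the point of `split_salted_file` is that the on-disk header carries the salt but nothing else, so any tool that raises the count has to signal it some other way, exactly the compatibility problem Victor raises.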
Re: Accessing PBKDF2 from command line
On Mon, Nov 16, 2009 at 01:45:07PM +1000, Anthony Thyssen wrote:

> In summary, the openssl command is deficient.
> [ various limitations of enc(1) ]

At the end of the day, OpenSSL is a *library*, not an end-user product, and enc(1) and friends are developer utilities and demo tools. When you need a *product*, you build something useful with the library.

Yes, enc(1) should be better, but it is likely not a priority relative to improving the library.

--
	Viktor.
RE: how to merge multiple public domain certs into one file?
Hi *,

Certainly you can configure Apache to use virtualHosts based on domain names, and this works perfectly with HTTP (1.1). However, this cannot be achieved using SSL, and the answer is simple: the SSL connection is established using the server IP, and during the SSL negotiation (handshake) there is no mention of the servername/domain. The server certificate/private keys are used during the negotiation, and Apache needs to know which certificate it is going to use (and the virtual host must choose the certificate before it even knows which virtualhost name the client is referring to). After the SSL negotiation, the client will send the HTTP request with the Host header (the host contains the domain name of the server), but the certificate has already been used in the negotiation.

In a few words: first the SSL is negotiated and then the virtualhost is selected. With this in mind, the only options for running multiple virtual hosts with SSL are assigning multiple IPs to the server or running each instance on a different port.

Regards,
Hecber

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of oh...@cox.net
Sent: Monday, November 16, 2009 9:00 AM
To: openssl-users@openssl.org
Cc: Lou Picciano
Subject: Re: how to merge multiple public domain certs into one file?

> [Jim's reply, Lou's reply and Michael's original message, quoted in full; see above.]
Re: Accessing PBKDF2 from command line
On Mon, Nov 16, 2009 at 11:52:26AM +1000, Anthony Thyssen wrote:

> I was reading the openssl-users mail list (I am not on that list)
> where you mentioned the PBKDF2 openssl library function.

You should join, at least long enough to ask the question that interests you. Further follow-up will be on-list only.

> Subject: Re: Encapsulation of AES_KEY
> Date: 2009-11-11 18:49:38
>
> The problem is the openssl command does not make this function available
> either directly as a password to key+IV converter, or as part of its
> file encryption method, for use from the CLI.
>
> The enc(1) command uses EVP_BytesToKey(), which would have been good
> enough in most applications, if the iteration count were high enough,
> or configurable.
>
> Thus, unless I'm misreading the code, the solution is to use a strong
> pass-phrase, or code up your own tool that uses PBKDF2, with as high
> an iteration count as is practical within your latency and CPU cost bounds.
>
> Breaking backwards compatibility with already encrypted files is not
> a good option, so any new key-derivation mode for enc(1) would have
> to be switched on via new, non-default flags.

--
	Viktor.
RE: how to merge multiple public domain certs into one file?
Hécber and Lou,

Oops. I missed the part in the original post about this being for SSL-enabled VirtualHosts :(... Sorry for any confusion...

Jim

Hécber Córdova hcord...@smartmatic.com wrote:
> [Hécber's reply and the earlier messages it quotes, in full; see above.]
RE: how to merge multiple public domain certs into one file?
Hi,

Ok, mod_ssl assumes only one server certificate per file (with the exception of the cacert file), and this is because Apache doesn't have any way to select the best certificate for a particular virtual host; only one certificate is assigned to a particular virtual host.

Regards,
Hecber

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of oh...@cox.net
Sent: Monday, November 16, 2009 1:54 PM
To: openssl-users@openssl.org
Subject: RE: how to merge multiple public domain certs into one file?

> [Jim's reply and the earlier messages it quotes, in full; see above.]
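Since mod_ssl, as Hécber says, wants one server certificate per file, the practical operation is the reverse of the merge Michael asked about: take a concatenated PEM bundle and split it back into one file per virtual host. The following is an added example, not code from the thread, Apache or OpenSSL; it is standard-library Python, the bundle is constructed (its base64 bodies are placeholders, not real certificates), and the function names and the `<name>.crt` naming are this example's own. It also refuses a "public" bundle that carries a PRIVATE KEY block, a mistake that concatenating `cat *.pem` style tends to produce.

```python
# Added example (not from the thread): a small PEM-bundle parser that splits
# a merged .crt back into the one-certificate-per-file layout mod_ssl expects.
# The bundle is constructed; its base64 bodies are placeholders, not real certs.
import os
import re

SAMPLE_BUNDLE = b"""\
# constructed: two vhost certs that were concatenated, plus a stray key
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgY2VydCAx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgY2VydCAy
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIga2V5
-----END RSA PRIVATE KEY-----
"""

# One PEM block: BEGIN/END labels must match (\1); body is whatever lies between.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def split_pem_bundle(bundle: bytes):
    """Return [(label, pem_bytes), ...] in file order, ignoring text outside blocks
    (comments, `openssl x509 -text` dumps and the like)."""
    return [(m.group(1).decode("ascii"), m.group(0) + b"\n")
            for m in PEM_BLOCK.finditer(bundle)]


def certificates_only(bundle: bytes):
    return [pem for label, pem in split_pem_bundle(bundle) if label == "CERTIFICATE"]


def check_public_bundle(bundle: bytes) -> int:
    """Refuse a 'public' .crt bundle that also carries private key material;
    returns the number of certificates when it is clean."""
    leaked = [label for label, _ in split_pem_bundle(bundle) if "PRIVATE KEY" in label]
    if leaked:
        raise ValueError(f"bundle contains private key block(s): {leaked}")
    return len(certificates_only(bundle))


def write_one_cert_per_file(bundle: bytes, directory: str, names):
    """Write each certificate to <directory>/<name>.crt, in bundle order."""
    certs = certificates_only(bundle)
    if len(certs) != len(names):
        raise ValueError(f"{len(certs)} certificates but {len(names)} names given")
    paths = []
    for name, pem in zip(names, certs):
        path = os.path.join(directory, f"{name}.crt")
        with open(path, "wb") as fh:
            fh.write(pem)
        paths.append(path)
    return paths


if __name__ == "__main__":
    import tempfile
    try:
        check_public_bundle(SAMPLE_BUNDLE)
    except ValueError as err:
        print("refused:", err)
    certs_only = b"".join(certificates_only(SAMPLE_BUNDLE))
    with tempfile.TemporaryDirectory() as tmp:
        for p in write_one_cert_per_file(certs_only, tmp,
                                         ["www.example.com", "shop.example.com"]):
            print("wrote", p)
```

The order of the names list has to match the order of the certificates in the bundle, which is exactly the information a merged file loses; that, more than any parsing difficulty, is why keeping one file per SSLCertificateFile is the simpler arrangement.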
Re: openssl and hardware tokens
On 2009.11.13 at 04:44:02 -0800, Mansour Dagher wrote:

> Hi all,
> if certificates and associated keys are stored on HW (Sun crypto card for example), is there a way in openssl to specify the card as the location of these certificates/keys? It appears from the methods below that OpenSSL only takes filesystem directory paths and file names as input for certificate/key locations:
> X509_STORE_load_locations()
> SSL_CTX_use_certificate_chain_file()
> SSL_CTX_use_PrivateKey_file()
> Any suggestions/thoughts?

There is SSL_CTX_use_PrivateKey, which allows you to use a private key already loaded into memory as an EVP_PKEY structure. There is the ENGINE_load_private_key function, which allows you to create the EVP_PKEY structure in an engine-specific way. An engine is a module which handles interaction with some crypto hardware. Really this EVP_PKEY can contain just a reference to a key stored in the hardware. If the engine-initialization code sets up an RSA/DSA/other PKEY method which knows how to hand off the crypto operation to the hardware, you can use a key stored on the token (which never actually leaves it) for all operations - either PKCS7/CMS/SMIME or SSL/TLS.

If you store trusted CA certificates on the token as well, the engine module can also provide an X509_STORE method, which can be used for certificate verification. I don't remember in which version of OpenSSL support for an engine-provided X509_STORE method appeared.

Things are somewhat worse for the certificates for your private key. There was no ENGINE API to load certificates from a token in the 0.9.8 version. In 1.0.0 the function ENGINE_load_ssl_client_cert appeared, which allows you to load a certificate/private key pair given a list of CA names acceptable to the server. This function seems to be designed for use from the SSL client certificate callback. But there is still no API for loading an SSL server certificate/key pair or for loading an SMIME certificate/key pair, not to mention loading a certificate with an arbitrary extendedKeyUsage.

But the main problem is that when one wants to use a hardware token with OpenSSL, it typically means that one wants to use the token with existing OpenSSL applications, such as Apache, Lynx, OpenVPN etc. OpenVPN has some support for PKCS#11 modules, but I've never tried it. Other applications cannot make use of the OpenSSL engine API without modifications. I'm not sure that they can work with an X509_STORE method provided by an engine, even if this method is set as default. Some client applications such as lynx and wget are happy with X509_STORE_set_default_locations, but most server applications want greater control over the trusted CA store.

A few years ago I submitted a patch for PostgreSQL which allows using keys loaded via ENGINE_load_private_keys to connect to a PostgreSQL database, and this patch got into the PostgreSQL 8.3 version. But at that time there was no API to load certificates. Now that we have ENGINE_load_ssl_client_cert and PostgreSQL 8.4 has certificate authentication support, maybe it is time for a new patch.

Thank you in advance.
Re: RE: how to merge multiple public domain certs into one file?
On 2009.11.15 at 21:01:13 -0500, Hécber Córdova wrote:

> Hi *,
> Certainly you can configure Apache to use virtualHosts based on domain names, and this works perfectly with HTTP (1.1). However, this cannot be achieved using SSL, and the answer is simple: the SSL connection is established using the server IP, and during the SSL negotiation (handshake) there is no mention of the servername/domain. The server certificate/private keys are used during the negotiation, and Apache needs to know which certificate it is going to use (and

Since 0.9.8f OpenSSL supports the SNI (server name indication) TLS extension. Support of this extension in mod_ssl has been discussed on httpd-...@apache.org for years, and even if it hasn't yet got into a release, you can definitely find patches in the Apache bugzilla.

So, it is theoretically possible for Apache to know the name of the virtual host at the stage of the TLS handshake. But only if the browser supports this extension (it seems that all modern browsers do).