Re: Creating client certificates ?
[EMAIL PROTECTED] wrote:
>
> Hello modssl users !
>
> I managed to set up an ssl aware web server.
> Although I searched the web and also the list
> archive I haven't been able to create a client
> certificate which is signed by my own CA for
> client authentication.
>
> Could someone describe the process of creating
> such a certificate in detail ?

I assume you are working as root with bourne-shell and with the openssl
bin directory in your path. Also, many of the commands below have many
options; check the docs and change to suit.

Proceed as follows (assume you are working as root with bourne-shell):

STAGE 1: Prepare your CA

- First you need a source of random data (skip this if you have
  /dev/urandom or something):

  # cp /var/cron/olog temp
  # gzip temp
  # mv temp.gz random_data
  # RANDFILE=/home/apached/ssl/certs/random_data
  # export RANDFILE

- Create a RSA private key (ca.key) for your Certificate Authority and
  choose a password for your CA (e.g. "CA_PASSWORD").

  # openssl genrsa -des3 -out ca.key 1024

- Now make the certificate (ca.crt) using the private key.

  # openssl req -new -x509 -days 365 -key ca.key -out ca.crt

  It is here you define the details of the certificate authority, e.g.

  Country Name (2 letter code) [AU]:UK
  State or Province Name (full name) [Some-State]:.
  Locality Name (eg, city) []:London
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME Inc.
  Organizational Unit Name (eg, section) []:ACME Internet (Unofficial CA)
  Common Name (eg, YOUR name) []:www.acme.com
  Email Address []:[EMAIL PROTECTED]

STAGE 2: MAKE A CERT FOR YOUR SITE

- Make a private key for www.banana.com

  # openssl genrsa -des3 -out banana.key 1024

- You will be prompted for a password. If you later use the certificate,
  the server will not start until you enter the password. If you want to
  avoid having a password, you have to write out the key and save it
  again.

  # openssl rsa -in banana.key -out temp_key
  # mv temp_key banana.key

- Now banana.key is unencrypted.

- Next, make a certificate signing request:

  # openssl req -new -key banana.key -out banana.csr

  It is here you define the details of the website, e.g.

  Country Name (2 letter code) [AU]:UK
  State or Province Name (full name) [Some-State]:.
  Locality Name (eg, city) []:London
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:Banana Inc.
  Organizational Unit Name (eg, section) []:Banana Internet
  Common Name (eg, YOUR name) []:www.banana.com
  Email Address []:[EMAIL PROTECTED]

- Finally, sign the CSR using the CA certificate:

  # ./sign.sh banana.csr

- You need to enter the CA password to sign it.

You finish up with banana.crt and banana.key which you move to the server
and refer to with SSLCertificateFile and SSLCertificateKeyFile. You can
remove banana.csr.

Rgds,

Owen Boyle.

PS: Regarding removing the passphrase on the certificate - it is up to you
whether to do this or not. If you want certificates that no-one can steal
but don't mind typing in a password every time you start the server,
leave it on. If you prefer to have an automated server start but are
willing to risk certificate theft, remove it.

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
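The steps above stop at a server certificate and leave the signing step to a sign.sh that is not shown. The script below is an added example, not Owen's text or mod_ssl's sign.sh: it carries the same procedure through for a *client* certificate, which is what the original question asked for, doing the sign.sh step with "openssl x509 -req", marking the CA certificate with basicConstraints CA:TRUE, bundling key and certificate as PKCS#12 for import into a browser, and checking the result with "openssl verify" before anything is handed out. Everything in it is constructed: the working directory, the subjects, the export password, and the choice to leave the keys unencrypted (so it runs unattended; the PS above about passphrases applies to ca.key when you do this for real). It assumes openssl 1.0.2 or later is in PATH.

```shell
#!/bin/sh
# Added example (not from the list posting or from mod_ssl's sign.sh): issue a
# browser *client* certificate from a private CA and check it before use.
# Assumes openssl 1.0.2 or later in PATH. File names, subjects and the
# PKCS#12 export password are constructed for this example only.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; keep ca.key off the web server in real use
CA_SUBJ="/C=UK/L=London/O=ACME Inc./OU=ACME Internet (Unofficial CA)/CN=ACME Unofficial CA"
CLIENT_SUBJ="/C=UK/L=London/O=Banana Inc./CN=Alice Example"
P12_PASS="changeit"            # constructed password for the exported bundle

# STAGE 1: the CA. -subj replaces the interactive prompts and the key is
# left unencrypted only so the script runs unattended. The v3_ca extensions
# mark ca.crt as a certificate that may sign other certificates; without
# basicConstraints CA:TRUE a modern verifier rejects the whole chain.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" -subj "$CA_SUBJ" \
        -config "$WORK/ca.cnf" -out "$WORK/ca.crt"
}

# STAGE 2: the client. Key, CSR, then the step sign.sh performs: the CA signs
# the request. The extensions restrict the result to TLS client use, so the
# same certificate cannot be presented as a server or used to sign others.
issue_client_cert() {
    openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/client.key" -subj "$CLIENT_SUBJ" \
        -config "$WORK/ca.cnf" -out "$WORK/client.csr"
    printf '%s\n' 'basicConstraints = CA:FALSE' \
                  'keyUsage = critical, digitalSignature, keyEncipherment' \
                  'extendedKeyUsage = clientAuth' > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null
    # Browsers import key and certificate as one PKCS#12 file; ca.crt rides
    # along so the user can install the issuer at the same time.
    openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -certfile "$WORK/ca.crt" -name "Alice Example" -passout "pass:$P12_PASS" \
        -out "$WORK/client.p12"
}

# The check a server configured with SSLVerifyClient will make: the chain
# ends at ca.crt, the dates are valid, and the cert is usable as a TLS client.
verify_client_cert() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/client.crt" 2>&1 \
        | grep -q ': OK$'
}

# Subject of the certificate inside the bundle, for a last look before handing it out.
p12_subject() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

main() {
    make_ca
    issue_client_cert
    verify_client_cert && echo "client.crt verifies against ca.crt"
    p12_subject
    echo "hand $WORK/client.p12 to the user; ca.crt goes in SSLCACertificateFile on the server"
}
main
```

Run it as "sh issue-client-cert.sh"; it prints where the bundle landed. On the server side the same ca.crt is what SSLCACertificateFile points at, and the verify step is exactly the check mod_ssl performs when the browser presents client.crt, so a certificate that fails it here will fail there too.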
Re: ca cert questions (was Re: Dumb SSL question)
On 2 Apr 2002, jon schatz wrote:

> we had not chosen to trust). geotrust had me install a CA cert on the
> server and use 'SSLCACertificateFile' to point to it. magically, ie then
> trusted the certificate. so why does this work? i mean, why can't i
> start forging ssl certificates that are trusted by my own ca files that
> i host locally? do browsers do any verification of ca files served up by
> remote machines? feel free to point me to documentation on this one...

The difference is that the CA certificate they would have had you install
(a) is signed by a CA that the browser *does* trust and (b) contains a
flag saying "this certificate may be used to sign other certificates."
SSLCertificateChainFile (and SSLCACertificateFile in this case) is all
about establishing a chain of trust back to some entity (a root CA) that
the browser does trust.

Take a look at the CA certificate they gave you... it will have been
signed by some root CA (is Thawte the only one that actually provides
this service? Maybe Verisign does, I don't know.), and you'll see the
special capabilities flags in there as well.

--Cliff

--
   Cliff Woolley
   [EMAIL PROTECTED]
   Apache HTTP Server Project
Creating client certificates ?
Hello modssl users !

I managed to set up an ssl aware web server.
Although I searched the web and also the list
archive I haven't been able to create a client
certificate which is signed by my own CA for
client authentication.

Could someone describe the process of creating
such a certificate in detail ?

I know it is possible with openssl but as I said
before I wasn't able to figure out how.

Please help !
RE: SSL cache issue
Make sure that the "JSPs" in question are resolving their URLs with the
right protocol (HTTPS/HTTP) when appropriate. The JSPs may be trying to
GET/POST with HTTP when they need to use HTTPS.

Since you are using Apache and RESIN, I would assume that you are using
the mod_caucho plug-in for Apache.

David Marshall

-----Original Message-----
From: Shiraz Esat [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 1:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: SSL cache issue

Terry,

If anyone passes you a solution, can you please pass it on to me as well,
as I have the same problem :(

[Only difference, though, is that I'm using PHP generated pages]

Thanks in advance
Shiraz

-----Original Message-----
From: Terry Ziemniak [SMTP:[EMAIL PROTECTED]]
Sent: Friday, March 29, 2002 9:31 PM
To: '[EMAIL PROTECTED]'
Subject: SSL cache issue

I am getting 'page not found errors' the first time I access certain JSP
pages (though there are others that always work). If I refresh, the page
displays correctly.

Notes:
1. This only happens over HTTPS, never over HTTP
2. Netscape (v 4.2) displayed the error "Data Missing. This document
   resulted from a POST operation and has expired from the cache. If you
   wish you can repost the form data to create the document by pressing
   the reload button."
3. Apache's access.log seems to validate point 2. The last line before an
   error is a POST. The retry shows a POST followed shortly by another GET
   and POST of the same JSP.
4. I have not yet been able to exactly describe 'First time'. General rule
   of thumb: if I repeat the process within 15 minutes it seems OK. If I
   wait an hour it should fail. Though quantifying that has not been my
   highest priority.
5. I am running Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32 and
   Resin 1.2.8.

Any help would be appreciated.

Terry Ziemniak
Re: Dumb SSL question.
"Ladner, Eric (Eric.Ladner)" <[EMAIL PROTECTED]> writes:
> Oops.. I finally found this info in the mailing list.
>
> I still have a question though..
>
> What mechanism is it that will allow an encrypted communication (a
> connection to the https side of the web server) without popping up
> the View/Accept/Whatever dialog for the certificate?
>
> Is there a validation done between on the client to the issuer of
> the certificate and it's just accepted if the certificate is validated?
> (i.e. the cert is validated with verisign, or whoever, and is just
> accepted if everything checks out ok).

Believe it or not, this is how things are SUPPOSED to work. If the
certificate is a valid certificate (descends from a trusted root, not on
a CRL, etc.) and has the correct name then you get connected without any
dialog (or maybe a "you are about to enter a secure connection" dialog).
It's only if something is wrong that you get a pop-up.

It's a sad testament to how often things are wrong that people consider
the pop-up the normal state of affairs.

-Ekr

--
[Eric Rescorla                                   [EMAIL PROTECTED]]
                http://www.rtfm.com/
ca cert questions (was Re: Dumb SSL question)
On Tue, 2002-04-02 at 13:50, Ladner, Eric (Eric.Ladner) wrote:
> What mechanism is it that will allow an encrypted communication (a
> connection to the https side of the web server) without popping up
> the View/Accept/Whatever dialog for the certificate?

All that's required is a valid cert (valid date, correct servername)
signed by a valid CA (installed on your web browser or on the remote
server).

Which brings me to my question: my company purchased a cert from
geotrust. initially, we couldn't make the cert work (we got an ie dialog
saying that the cert was from a company we had not chosen to trust).
geotrust had me install a CA cert on the server and use
'SSLCACertificateFile' to point to it. magically, ie then trusted the
certificate. so why does this work? i mean, why can't i start forging ssl
certificates that are trusted by my own ca files that i host locally? do
browsers do any verification of ca files served up by remote machines?
feel free to point me to documentation on this one...

-jon

--
[EMAIL PROTECTED] || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
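Cliff's answer ("signed by a CA the browser does trust" plus the "may sign other certificates" flag), Eric Rescorla's list of what a valid certificate means (trusted root, correct name, valid dates) and Jon's question about a locally hosted CA file all come down to the same verification the browser performs. The script below is an added example, not from any of the three messages, that reproduces that verification with "openssl verify": a root certificate stands in for the browser's trust store, an intermediate plays the part of the CA certificate the vendor hands you for SSLCertificateChainFile, and a leaf is the server certificate. It then shows the checks failing for a name mismatch, for an expired certificate, for an issuer that is not flagged CA:TRUE, and for a chain that ends at a self-made CA the trust store never contained, which is why a CA file served from the web server on its own convinces nobody. All names, subjects and the working directory are constructed; it assumes openssl 1.0.2 or later in PATH.

```shell
#!/bin/sh
# Added example (not from any list posting): the checks a relying party makes,
# reproduced with `openssl verify`. root.crt stands in for the browser's trust
# store, inter.crt for the CA certificate a vendor supplies for
# SSLCertificateChainFile, leaf.crt for the server certificate.
# Assumes openssl 1.0.2 or later in PATH; all names and subjects are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"
HOST="www.banana.com"     # server name used elsewhere in the thread
CA_EXT='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT="basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:$HOST"

# mkcert NAME SUBJECT EXTENSIONS [ISSUER]: key + CSR, then either self-signed
# (no issuer) or signed by ISSUER's key, with EXTENSIONS applied to the result.
mkcert() {
    n=$1; issuer=${4:-}
    printf '%b\n' "$3" > "$WORK/$n.ext"
    openssl genrsa -out "$WORK/$n.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$n.key" -subj "$2" -config "$WORK/req.cnf" -out "$WORK/$n.csr"
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$n.csr" -signkey "$WORK/$n.key" -days 365 \
            -extfile "$WORK/$n.ext" -out "$WORK/$n.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$n.csr" -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" \
            -CAcreateserial -days 365 -extfile "$WORK/$n.ext" -out "$WORK/$n.crt" 2>/dev/null
    fi
}

build_pki() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = set-by-subj\n' > "$WORK/req.cnf"
    mkcert root       "/O=Example Root CA/CN=Example Root"  "$CA_EXT"          # what the browser ships with
    mkcert inter      "/O=Example CA/CN=Example Issuing CA" "$CA_EXT"   root   # vendor CA cert: root-signed, CA:TRUE
    mkcert leaf       "/O=Banana Inc./CN=$HOST"             "$LEAF_EXT" inter  # the server certificate
    mkcert notca      "/O=Example CA/CN=End Entity"         "$LEAF_EXT" root   # root-signed but NOT flagged CA:TRUE
    mkcert leaf_notca "/O=Banana Inc./CN=$HOST"             "$LEAF_EXT" notca
    mkcert local      "/O=My Own CA/CN=Local CA"            "$CA_EXT"          # self-made CA the store never held
    mkcert leaf_local "/O=Banana Inc./CN=$HOST"             "$LEAF_EXT" local
}

# chain_ok LEAF ISSUER [verify options]: true only if openssl verify says OK,
# trusting root.crt alone and taking ISSUER from the server-supplied chain.
chain_ok() {
    leaf=$1; issuer=$2; shift 2
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$issuer.crt" "$@" \
        "$WORK/$leaf.crt" 2>&1 | grep -q ': OK$'
}

show() {  # show EXPECTED LABEL COMMAND...: print the outcome beside the expectation
    expect=$1; label=$2; shift 2
    if "$@"; then got=OK; else got=FAIL; fi
    printf '%-4s (expected %-4s) %s\n' "$got" "$expect" "$label"
}

main() {
    build_pki
    show OK   "leaf -> inter -> root, no name check"       chain_ok leaf inter
    show OK   "same, name matches"                          chain_ok leaf inter -verify_hostname "$HOST"
    show FAIL "name does not match"                         chain_ok leaf inter -verify_hostname www.acme.com
    show FAIL "evaluated after expiry (2100-01-01)"         chain_ok leaf inter -attime 4102444800
    show FAIL "issuer is root-signed but lacks CA:TRUE"     chain_ok leaf_notca notca
    show FAIL "chain ends at a CA the trust store never held" chain_ok leaf_local local
}
main
```

The "local" case is Jon's scenario seen from the browser's side: the server can hand over any CA certificate it likes in the chain file, but "-untrusted" is all that file ever is, and the chain still has to terminate in "-CAfile", which the server does not control. The "notca" case is Cliff's flag: a certificate that was legitimately signed by the root still cannot act as an issuer without basicConstraints CA:TRUE.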
RE: Dumb SSL question.
Oops.. I finally found this info in the mailing list.

I still have a question though..

What mechanism is it that will allow an encrypted communication (a
connection to the https side of the web server) without popping up
the View/Accept/Whatever dialog for the certificate?

Is there a validation done between on the client to the issuer of
the certificate and it's just accepted if the certificate is validated?
(i.e. the cert is validated with verisign, or whoever, and is just
accepted if everything checks out ok).

Thanks,
Eric "I should search the archives better" Ladner

-----Original Message-----
From: Ladner, Eric (Eric.Ladner) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 2:23 PM
To: '[EMAIL PROTECTED]'
Subject: Dumb SSL question.

How can I enable mod_ssl and apache to use SSL encryption for browser to
server communication without having to have the user accept a
certificate? I've noticed several sites do this on the web without
asking for you to accept or reject a certificate.

Basically, I want to use encryption, but not have the user intervene to
enable/disable it.

Thanks,
Eric Ladner
Re: Dumb SSL question.
Eric Ladner wrote RE:
>> Basically, I want to use encryption, but not have the user intervene
>> to enable/disable it.
--
In IE 5.5: Tools, Internet Options, Security, Custom Level... Enable
"Don't prompt for Client Certificate..." (or is it "Disable" -- it's a
double negative and I always had trouble with those... :-)

Don't know if this will help but it SEEMS like it could address your
question from the client side.

Good luck!

Andrew Lietzow
The ACL Group, Inc.
AW: Dumb SSL question.
Hi Eric,

For example you can buy a certificate from Thawte (www.thawte.com) or
Verisign (www.verisign.com)

I hope this was helpful.

Rgds,
Peter Stoehr
GAYNET.AT

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ladner, Eric (Eric.Ladner)
Sent: Tuesday, 02 April 2002 22:23
To: '[EMAIL PROTECTED]'
Subject: Dumb SSL question.

How can I enable mod_ssl and apache to use SSL encryption for browser to
server communication without having to have the user accept a
certificate? I've noticed several sites do this on the web without
asking for you to accept or reject a certificate.

Basically, I want to use encryption, but not have the user intervene to
enable/disable it.

Thanks,
Eric Ladner
Dumb SSL question.
How can I enable mod_ssl and apache to use SSL encryption for browser to
server communication without having to have the user accept a
certificate? I've noticed several sites do this on the web without
asking for you to accept or reject a certificate.

Basically, I want to use encryption, but not have the user intervene to
enable/disable it.

Thanks,
Eric Ladner
RE: SSL cache issue
Actually I've had this problem. I may have the solution for you if you
can tell me what OS you're running the client from and what browser.

Jeremy Walton
DICE Corporation

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Shiraz Esat
Sent: Tuesday, April 02, 2002 4:10 AM
To: '[EMAIL PROTECTED]'
Subject: RE: SSL cache issue

Terry,

If anyone passes you a solution, can you please pass it on to me as well,
as I have the same problem :(

[Only difference, though, is that I'm using PHP generated pages]

Thanks in advance
Shiraz

-----Original Message-----
From: Terry Ziemniak [SMTP:[EMAIL PROTECTED]]
Sent: Friday, March 29, 2002 9:31 PM
To: '[EMAIL PROTECTED]'
Subject: SSL cache issue

I am getting 'page not found errors' the first time I access certain JSP
pages (though there are others that always work). If I refresh, the page
displays correctly.

Notes:
1. This only happens over HTTPS, never over HTTP
2. Netscape (v 4.2) displayed the error "Data Missing. This document
   resulted from a POST operation and has expired from the cache. If you
   wish you can repost the form data to create the document by pressing
   the reload button."
3. Apache's access.log seems to validate point 2. The last line before an
   error is a POST. The retry shows a POST followed shortly by another GET
   and POST of the same JSP.
4. I have not yet been able to exactly describe 'First time'. General rule
   of thumb: if I repeat the process within 15 minutes it seems OK. If I
   wait an hour it should fail. Though quantifying that has not been my
   highest priority.
5. I am running Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32 and
   Resin 1.2.8.

Any help would be appreciated.

Terry Ziemniak
RE: SSL cache issue
This is related, and might be worth noting:

With modSSL 3.x in apache 2.x land, I have found that it cannot
renegotiate during a POST. However, hitting the refresh button seems to
do the handshake and then do the POST correctly.

--Ed

>From: Shiraz Esat <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>Subject: RE: SSL cache issue
>Date: Tue, 2 Apr 2002 10:10:15 +0100
>
>Terry,
>
>If anyone passes you a solution, can you please pass it on to me as well,
>as I have the same problem :(
>
>[Only difference, though, is that I'm using PHP generated pages]
>
>Thanks in advance
>Shiraz
>
>-----Original Message-----
>From: Terry Ziemniak [SMTP:[EMAIL PROTECTED]]
>Sent: Friday, March 29, 2002 9:31 PM
>To: '[EMAIL PROTECTED]'
>Subject: SSL cache issue
>
>I am getting 'page not found errors' the first time I access certain JSP
>pages (though there are others that always work). If I refresh, the page
>displays correctly.
>
>Notes:
>1. This only happens over HTTPS, never over HTTP
>2. Netscape (v 4.2) displayed the error "Data Missing. This document
>   resulted from a POST operation and has expired from the cache. If you
>   wish you can repost the form data to create the document by pressing
>   the reload button."
>3. Apache's access.log seems to validate point 2. The last line before
>   an error is a POST. The retry shows a POST followed shortly by another
>   GET and POST of the same JSP.
>4. I have not yet been able to exactly describe 'First time'. General
>   rule of thumb: if I repeat the process within 15 minutes it seems OK.
>   If I wait an hour it should fail. Though quantifying that has not been
>   my highest priority.
>5. I am running Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32 and
>   Resin 1.2.8.
>
>Any help would be appreciated.
>
>Terry Ziemniak
RE: SSL cache issue
Terry,

If anyone passes you a solution, can you please pass it on to me as well,
as I have the same problem :(

[Only difference, though, is that I'm using PHP generated pages]

Thanks in advance
Shiraz

-----Original Message-----
From: Terry Ziemniak [SMTP:[EMAIL PROTECTED]]
Sent: Friday, March 29, 2002 9:31 PM
To: '[EMAIL PROTECTED]'
Subject: SSL cache issue

I am getting 'page not found errors' the first time I access certain JSP
pages (though there are others that always work). If I refresh, the page
displays correctly.

Notes:
1. This only happens over HTTPS, never over HTTP
2. Netscape (v 4.2) displayed the error "Data Missing. This document
   resulted from a POST operation and has expired from the cache. If you
   wish you can repost the form data to create the document by pressing
   the reload button."
3. Apache's access.log seems to validate point 2. The last line before an
   error is a POST. The retry shows a POST followed shortly by another GET
   and POST of the same JSP.
4. I have not yet been able to exactly describe 'First time'. General rule
   of thumb: if I repeat the process within 15 minutes it seems OK. If I
   wait an hour it should fail. Though quantifying that has not been my
   highest priority.
5. I am running Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32 and
   Resin 1.2.8.

Any help would be appreciated.

Terry Ziemniak
Bug appear after an upgrade...
Dear list,

I've an apache server with mod_ssl and today I've done a "regular"
upgrade to my web, installing the latest apache (1.3.24) with the
relative mod_ssl with openssl 0.9.6c/mm 1.1.3.

After the restart of the server, almost all the things are fine except
for the client authentication with certificate, but only if I request a
directory listing or a directory index. In effect if I request

  1) https://myweb.com/pages/index.html

I receive the correct page, but if I request

  2) https://myweb.com/pages/

I receive a "403 / Access forbidden".

Note that I've in effect an .htaccess that restricts the access for the
whole directory, and removing the .htaccess, I can see the index.html
also with the second request, so it seems not the DirectoryIndex
directive in error, nor the Indexes in the Directory item.

If I use a simple basic authentication (login/password) as usual, I can
see all without problems, and both login:passwd and
certificate:"password" live in the same dbm file.

Any hints ???

Pls. reply also to my address, as I'm not in this list... thanks.

--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Italy)
Member of the Internet Society
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
http redirects to https
Hi All,

I need some help with the mod_rewrite module. I need to redirect all
http calls to https for a specific hostname only.

The httpd.conf file is something like:

  DocumentRoot /docs/A
  ...
  DocumentRoot /docs/B
  ...
  DocumentRoot /docs/C
  ...
  AllowOverride None
  AuthName "D.com"
  AuthType Basic
  AuthLDAPAuthoritative on
  AuthLDAPBindDN [EMAIL PROTECTED]
  AuthLDAPBindPassword SS0-query
  Order deny,allow
  deny from all
  allow from all
  Satisfy all

  ServerName D.com
  Redirect / https://D.com/

  ServerName D.com
  DocumentRoot /docs/D
  SSL stuff
  EOF

The above works fine for redirecting

  http://D.com/docs/D ---> https://D.com/docs/D

I want to extend it so: I want to allow some directories such as /docs/A,
/docs/B, /docs/C simple http access. These are enabled by the
VirtualHosts A.com, B.com, C.com. All other directories I want to be made
available only via https.

  Original call              Redirected call
  http://D.com/docs/D   ---> https://D.com/docs/D
  http://D.com/ZZZ      ---> https://D.com/ZZZ
  http://A.com/docs/D   ---> rejected

Any help appreciated.

Thanks.
Farooq Khan