RE: ssl-cert-HOWTO.txt for review
If openssl can generate random data and spit it out in a file then why use a file to begin with? Can't openssl (tool) just generate its random data internally and use that? I think that's a lot safer than spitting it out to a file and prevents problems with the random data getting deleted/viewed.

- Andrew

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485

-----Original Message-----
From: Marcus Redivo [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 01, 2001 7:14 PM
To: [EMAIL PROTECTED]
Subject: RE: ssl-cert-HOWTO.txt for review

Hello Fiel,

Thanks for the comments.

At 10:45 AM 12/1/01 -0800, Fiel Cabral wrote:
> My suggestion is to include info about the RANDFILE variable. I set
> RANDFILE=$HOME/.rnd in my environment and in the configuration file
> (the default value: $ENV::HOME/.rnd). If .rnd doesn't exist, I just
> copy a file to it (usually a binary file or a random-looking log file).

I did not mention the RANDFILE, and in fact left it out of the example configuration, because I was under the impression that if I had /dev/*random I did not need it. If this is not true, could someone please correct me? Thanks.

Now, the RANDFILE candidate. Using a binary or a log is nowhere near random enough. Fortunately, openssl has a command to create a better random file:

    # openssl rand -out $HOME/.rnd 1024

(Don't send the output to your console unless you add the -base64 switch, unless you like abstract art... ;) )

BTW, I'm on the list now.

Marcus Redivo
The Binary Tool Foundry
PO Box 2087 Stn Main
Sidney BC Canada
mailto:[EMAIL PROTECTED]
http://www.binarytool.com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
RE: ssl-cert-HOWTO.txt for review
Andrew,

openssl is rather a mixer than a generator of random data. No deterministic (ok, stable) program can make something random. To make a random secret one needs some input unavailable to the attacker. /dev/random is internal enough and could be quite a good one.

regards,
Vadim

On Mon, 3 Dec 2001, Andrew Finnell wrote:

> If openssl can generate random data and spit it out in a file then why
> use a file to begin with? Can't openssl (tool) just generate its random
> data internally and use that? I think that's a lot safer than spitting
> it out to a file and prevents problems with the random data getting
> deleted/viewed.
>
> - Andrew
>
> -
> Andrew T. Finnell
> Software Engineer
> eSecurity Inc
> (321) 394-2485
>
> -----Original Message-----
> From: Marcus Redivo [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, December 01, 2001 7:14 PM
> To: [EMAIL PROTECTED]
> Subject: RE: ssl-cert-HOWTO.txt for review
>
> Hello Fiel,
>
> Thanks for the comments.
>
> At 10:45 AM 12/1/01 -0800, Fiel Cabral wrote:
> > My suggestion is to include info about the RANDFILE variable. I set
> > RANDFILE=$HOME/.rnd in my environment and in the configuration file
> > (the default value: $ENV::HOME/.rnd). If .rnd doesn't exist, I just
> > copy a file to it (usually a binary file or a random-looking log file).
>
> I did not mention the RANDFILE, and in fact left it out of the example
> configuration, because I was under the impression that if I had
> /dev/*random I did not need it. If this is not true, could someone
> please correct me? Thanks.
>
> Now, the RANDFILE candidate. Using a binary or a log is nowhere near
> random enough. Fortunately, openssl has a command to create a better
> random file:
>
>     # openssl rand -out $HOME/.rnd 1024
>
> (Don't send the output to your console unless you add the -base64
> switch, unless you like abstract art... ;) )
>
> BTW, I'm on the list now.
>
> Marcus Redivo
> The Binary Tool Foundry
> PO Box 2087 Stn Main
> Sidney BC Canada
> mailto:[EMAIL PROTECTED]
> http://www.binarytool.com
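The three points raised above (Marcus: seed the RANDFILE from `openssl rand`, not from a copied log or binary; Andrew: a seed file on disk can be viewed or deleted; Vadim: the seed must be input the attacker does not have) can be illustrated with a small script. This is an added example, not code from the thread or from the OpenSSL project. It assumes a POSIX host, uses the OS CSPRNG (`os.urandom`) in place of `openssl rand`, and the log text and file names are constructed for the demo. The byte-frequency entropy estimate it computes is only a rough sanity check; it detects an obviously skewed candidate such as a log file, but a high score does not by itself prove unpredictability.

```python
"""Added example (not from the thread): create a RANDFILE-style seed file from
the OS entropy source with owner-only permissions, and compare a byte-frequency
entropy estimate of that file against a copied log file."""
import math
import os
import stat
import tempfile
from collections import Counter

# Constructed stand-in for the "random-looking log file" suggested in the thread.
SAMPLE_LOG = (
    "Dec  1 19:14:02 host sshd[1234]: Accepted publickey for marcus from 192.0.2.10\n"
    "Dec  1 19:14:05 host httpd: GET /ssl-cert-HOWTO.txt 200\n"
) * 40


def shannon_entropy_bits_per_byte(data: bytes) -> float:
    """Plug-in estimate of entropy per byte; 8.0 is the maximum for byte data.
    This measures only byte-frequency skew, a necessary but not sufficient test."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def write_seed_file(path: str, nbytes: int = 1024) -> str:
    """Write nbytes from the OS CSPRNG to path, the equivalent of
    `openssl rand -out path nbytes` for a RANDFILE seed.
    O_EXCL refuses to overwrite an existing file, and mode 0600 (enforced with
    fchmod in case of a permissive umask) keeps the seed readable by the owner only,
    which addresses the concern about the file being viewed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, os.urandom(nbytes))
    finally:
        os.close(fd)
    return path


def seed_file_mode_ok(path: str) -> bool:
    """True if the seed file is owner read/write only (0600)."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def compare_candidates(nbytes: int = 1024) -> dict:
    """Return entropy estimates for a copied-log candidate and a CSPRNG-seeded file,
    plus the length and permission check of the seeded file."""
    with tempfile.TemporaryDirectory() as d:  # constructed, throwaway location
        seed = write_seed_file(os.path.join(d, ".rnd"), nbytes)
        with open(seed, "rb") as f:
            seed_bytes = f.read()
        return {
            "log_entropy": shannon_entropy_bits_per_byte(SAMPLE_LOG.encode()),
            "seed_entropy": shannon_entropy_bits_per_byte(seed_bytes),
            "seed_len": len(seed_bytes),
            "seed_mode_ok": seed_file_mode_ok(seed),
        }


if __name__ == "__main__":
    for key, value in compare_candidates().items():
        print(f"{key}: {value}")
```

Running it shows the log candidate scoring well under 6 bits per byte while the CSPRNG-seeded file scores close to 8. The estimate cannot tell a well-seeded file from one an attacker already has a copy of, which is Vadim's point: what matters is that the input was unavailable to the attacker, so the file's permissions and origin are the real control, not the score.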
RE: ssl-cert-HOWTO.txt for review
Hello Franck,

I read through your document a couple of times. It looks like you did some research, and the results are good. Your document is much broader in scope than mine. Fortunately, there is not much overlap; you could take the meat of mine and incorporate it into a section of yours. You are welcome to do so.

I will be updating mine over the next couple of weeks to incorporate feedback I have received, so you may want to hold off for the moment. I will advise the list when the revisions are complete.

Regards,
Marcus

-----Original Message-----
From: Franck Martin [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 30, 2001 10:40 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: ssl-cert-HOWTO.txt for review

I have written a certificate HOW-TO that I will submit very soon to LDP. You can find it in the archives of this list. Look for a HOWTO in the subject. There is a PDF attachment to the message.

I requested some comments a few weeks ago and I have received a few that I'm incorporating right now. I think your work could be included in the HOW-TO I wrote and it will come as a good complement. Could you please look into the matter and let me know what should be updated.

Thanks.

[EMAIL PROTECTED]

On Sat, 2001-12-01 at 00:18, Marcus Redivo wrote:
> OpenSSL users and developers,
>
> I have struggled with getting certificates in order on my servers, and I
> have seen others struggle with this too. It became necessary to do a
> proper job, so I decided I should write up what I had to learn as a HOWTO.
> I would like to contribute this for posting on www.openssl.org. But
> first, I think someone who actually _knows_ what they are doing should
> review my document; preferably, several people. (Yesterday I couldn't
> spell SSL...)
>
> So here it is: http://www.binarytool.com/ssl-cert-HOWTO.txt
RE: ssl-cert-HOWTO.txt for review
I think this is fine. I just wanted to make sure you agree to the GNU documentation licence. I will hold it for a while until I get results from linuxdoc, then I will submit an update including your text.

Cheers.

On Sun, 2001-12-02 at 13:34, Marcus Redivo wrote:
> Hello Franck,
>
> I read through your document a couple of times. It looks like you did
> some research, and the results are good. Your document is much broader
> in scope than mine. Fortunately, there is not much overlap; you could
> take the meat of mine and incorporate it into a section of yours. You
> are welcome to do so.
>
> I will be updating mine over the next couple of weeks to incorporate
> feedback I have received, so you may want to hold off for the moment. I
> will advise the list when the revisions are complete.
>
> Regards,
> Marcus
>
> So here it is: http://www.binarytool.com/ssl-cert-HOWTO.txt