Re: [9fans] How do I get a CSR CA's like?

2015-05-26 Thread lucio
 If it's just as simple, this might be the right place/time to use sha256
 for this sort of thing.

Again, I did not look into this in detail, but CSRs I generated
recently with openssl seem to use SHA1 with RSA encryption for the
signature:

Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=ZA, L=Kestell, ST=Free State, O=Proxima Research  
Development, OU=Public Internet Services, 
CN=serendipity.proxima.alt.za/emailAddress=ad...@proxima.alt.za
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
xx:xx:xx:xx:xx:xx:xx:xx:xx
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha1WithRSAEncryption
 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
 xx:xx

That was what I thought would take some effort to get right in x509.c

Lucio.




Re: [9fans] Plumb(er) + Acme + MacOS X - don't work

2015-05-26 Thread erik quanstrom
On Mon May 25 16:05:22 PDT 2015, uldericofi...@gmail.com wrote:
 It seems I solved my own problem by accident. In the end I am using this 
 script:
 
 #!/bin/bash
 /usr/local/plan9/bin/plumber
 cat /usr/local/plan9/plumb/fileaddr /usr/local/plan9/plumb/basic
 $HOME/lib/plumbing | 9p write plumb/rules
 export tabstop=8; /usr/local/plan9/bin/acme -a -l ~/acme.dump 

if you simply include basic as the last step of your $HOME/lib/plumbing,
you won't need the cat.

- erik



Re: [9fans] How do I get a CSR CA's like?

2015-05-26 Thread Brantley Coile
UPDATE:

I now have reason to believe that they just removed MD5 from known signing 
algorithms, and that a SHA1 will work.  Anyone know anything about this?

Thanks,
bwc

 On May 25, 2015, at 3:06 PM, Brantley Coile brantleyco...@me.com wrote:
 
 Turns out the CSR wasn’t acceptable because of the MD5 signature. It seems 
 that they should be signed as RSA and not MD5.  MD5 is not deemed secure 
 enough.  The plan 9 code is signing everything with MD5. Who owns this code? 
 Has anyone fixed this yet?
 
 On May 24, 2015, at 11:10 AM, Skip Tavakkolian 9...@9netics.com wrote:
 
 going by my notes from the last time i used plan9 tools to generate a
 CSR, the only differences i see are quoting the O attribute to handle
 spaces in organization name and dropping the word SIGNING from
 PEM header/footer.
 
 Thanks all.  It goes through sslshopper fine, but the CA still doesn’t like 
 it. I’ll call them tomorrow.  Thanks for all the help.
 
 bwc
 
 On May 23, 2015, at 1:08 PM, lu...@proxima.alt.za wrote:
 
 I then pasted the contents of ‘csr’ into the page and get “This CSR
 has an invalid signature!”
 
 It's worth playing with openssl to check the output from auth/rsa2csr.
 The diagnostics are bound to be a bit less vague.  Trying your
 instructions, the PEM encoded csr includes the seemingly unwanted word
 SIGNING in the headers.  When I remove it (and a space) openssl req
 reports a valid certificate request.
 
 Lucio.
 
 
 
 
 
 




Re: [9fans] How do I get a CSR CA's like?

2015-05-26 Thread lucio
 I now have reason to believe that they just removed MD5 from known
 signing algorithms, and that a SHA1 will work.  Anyone know anything
 about this?

There's an exploit for the MD5 version.  It looks pretty serious and
deserves to be fixed by disabling the MD5 signing algorithm.

www.phreedom.org/research/rogue-ca/

What exactly did you change in /sys/src/libsec/port/x509.c?  I had a
quick look this morning, but I didn't have the opportunity to dig deep
enough.

Lucio.




Re: [9fans] How do I get a CSR CA's like?

2015-05-26 Thread Brantley Coile
I just changed “md5(…)” to “sha1(…)” and added an object id to the table.  
Once I figured out I didn’t have to use RSA to *sign* the CSR, but had to have 
something other than md5, it was easy.

 On May 26, 2015, at 2:00 PM, lu...@proxima.alt.za wrote:
 
 I now have reason to believe that they just removed MD5 from known
 signing algorithms, and that a SHA1 will work.  Anyone know anything
 about this?
 
 There's an exploit for the MD5 version.  It looks pretty serious and
 deserves to be fixed by disabling the MD5 signing algorithm.
 
   www.phreedom.org/research/rogue-ca/
 
 What exactly did you change in /sys/src/libsec/port/x509.c?  I had a
 quick look this morning, but I didn't have the opportunity to dig deep
 enough.
 
 Lucio.
 
 




Re: [9fans] How do I get a CSR CA's like?

2015-05-26 Thread Joe Bowers
If it's just as simple, this might be the right place/time to use sha256
for this sort of thing.

On Tue, May 26, 2015 at 12:35 PM, Brantley Coile brantleyco...@me.com
wrote:

 I just changed “md5(…)” to “sha1(…)” and added an object id to the
 table.  Once I figured out I didn’t have to use RSA to *sign* the CSR, but
 had to have something other than md5, it was easy.

  On May 26, 2015, at 2:00 PM, lu...@proxima.alt.za wrote:
 
  I now have reason to believe that they just removed MD5 from known
  signing algorithms, and that a SHA1 will work.  Anyone know anything
  about this?
 
  There's an exploit for the MD5 version.  It looks pretty serious and
  deserves to be fixed by disabling the MD5 signing algorithm.
 
www.phreedom.org/research/rogue-ca/
 
  What exactly did you change in /sys/src/libsec/port/x509.c?  I had a
  quick look this morning, but I didn't have the opportunity to dig deep
  enough.
 
  Lucio.
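
An added example, not part of any message in this thread and not code from Plan 9's x509.c: a small C checker that reads the signatureAlgorithm object id out of a DER-encoded PKCS#10 request and reports whether it is the MD5, SHA1 or SHA256 RSA signature, which is the field the CA objected to. The names csr_sig_alg, tlv and sample_csr are hypothetical, the input is assumed to be DER (PEM armour already removed), and the sample bytes are a constructed skeleton rather than a real request.

```c
#include <string.h>

enum { SIG_ERROR = -1, SIG_UNKNOWN, SIG_MD5, SIG_SHA1, SIG_SHA256 };

/* Constructed skeleton, not a real CSR: emptied request info, dummy signature. */
unsigned char sample_csr[] = {
    0x30, 0x15,                         /* CertificationRequest SEQUENCE */
    0x30, 0x00,                         /* certificationRequestInfo (emptied) */
    0x30, 0x0D,                         /* signatureAlgorithm */
    0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x04, /* 1.2.840.113549.1.1.4 */
    0x05, 0x00,                         /* NULL parameters */
    0x03, 0x02, 0x00, 0x00              /* signature BIT STRING (dummy) */
};

/* Check one DER header with the given tag; return its value and set *len, NULL if malformed. */
static const unsigned char *tlv(const unsigned char *p, const unsigned char *end,
                                unsigned char tag, size_t *len)
{
    if (end - p < 2 || p[0] != tag) return NULL;
    size_t n = p[1];
    p += 2;
    if (n & 0x80) {                     /* long form: low 7 bits count the length bytes */
        size_t k = n & 0x7F;
        if (k == 0 || k > sizeof n || (size_t)(end - p) < k) return NULL;
        for (n = 0; k > 0; k--) n = (n << 8) | *p++;
    }
    if ((size_t)(end - p) < n) return NULL;
    *len = n;
    return p;
}

/* Classify the signatureAlgorithm OID of a DER-encoded PKCS#10 request. */
int csr_sig_alg(const unsigned char *der, size_t derlen)
{
    static const unsigned char pkcs1[8] = {0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01};
    size_t len;
    const unsigned char *p = tlv(der, der + derlen, 0x30, &len);
    if (!p) return SIG_ERROR;
    const unsigned char *end = p + len;
    if (!(p = tlv(p, end, 0x30, &len))) return SIG_ERROR;        /* skip request info */
    if (!(p = tlv(p + len, end, 0x30, &len))) return SIG_ERROR;  /* AlgorithmIdentifier */
    if (!(p = tlv(p, p + len, 0x06, &len))) return SIG_ERROR;    /* algorithm OID */
    if (len != 9 || memcmp(p, pkcs1, 8) != 0) return SIG_UNKNOWN;
    return p[8] == 0x04 ? SIG_MD5 : p[8] == 0x05 ? SIG_SHA1 :
           p[8] == 0x0B ? SIG_SHA256 : SIG_UNKNOWN;
}

int main(void) { return csr_sig_alg(sample_csr, sizeof sample_csr) == SIG_MD5 ? 0 : 1; }
```

The last byte of the object id is what distinguishes the three: 4 is md5WithRSAEncryption, 5 is the sha1WithRSAEncryption shown in the openssl output earlier in the thread, and 11 is sha256WithRSAEncryption.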
 
 





Re: [9fans] How do I get a CSR CA's like?

2015-05-26 Thread Brantley Coile
(Ducking smelling connection!) Use sha1.

 On May 26, 2015, at 10:44 AM, Brantley Coile brantleyco...@me.com wrote:
 
 Fixed.  Use shall instead of md5 and everyone is happy.
 
 On May 26, 2015, at 9:27 AM, Brantley Coile brantleyco...@me.com wrote:
 
 UPDATE:
 
 I now have reason to believe that they just removed MD5 from known signing 
 algorithms, and that a SHA1 will work.  Anyone know anything about this?
 
 Thanks,
 bwc
 
 On May 25, 2015, at 3:06 PM, Brantley Coile brantleyco...@me.com wrote:
 
 Turns out the CSR wasn’t acceptable because of the MD5 signature. It seems 
 that they should be signed as RSA and not MD5.  MD5 is not deemed 
 secure enough.  The plan 9 code is signing everything with MD5. Who owns 
 this code? Has anyone fixed this yet?
 
 On May 24, 2015, at 11:10 AM, Skip Tavakkolian 9...@9netics.com wrote:
 
 going by my notes from the last time i used plan9 tools to generate a
 CSR, the only differences i see are quoting the O attribute to handle
 spaces in organization name and dropping the word SIGNING from
 PEM header/footer.
 
 Thanks all.  It goes through sslshopper fine, but the CA still doesn’t 
 like it. I’ll call them tomorrow.  Thanks for all the help.
 
 bwc
 
 On May 23, 2015, at 1:08 PM, lu...@proxima.alt.za wrote:
 
 I then pasted the contents of ‘csr’ into the page and get “This CSR
 has an invalid signature!”
 
 It's worth playing with openssl to check the output from auth/rsa2csr.
 The diagnostics are bound to be a bit less vague.  Trying your
 instructions, the PEM encoded csr includes the seemingly unwanted word
 SIGNING in the headers.  When I remove it (and a space) openssl req
 reports a valid certificate request.
 
 Lucio.
 
 
 
 
 
 
 
 
 




Re: [9fans] Plumb(er) + Acme + MacOS X - don't work

2015-05-26 Thread C Cirello
Thanks - it worked.
- CC


2015-05-26 15:15 GMT+02:00 erik quanstrom quans...@quanstro.net:
 On Mon May 25 16:05:22 PDT 2015, uldericofi...@gmail.com wrote:
 It seems I solved my own problem by accident. In the end I am using this 
 script:

 #!/bin/bash
 /usr/local/plan9/bin/plumber
 cat /usr/local/plan9/plumb/fileaddr /usr/local/plan9/plumb/basic
 $HOME/lib/plumbing | 9p write plumb/rules
 export tabstop=8; /usr/local/plan9/bin/acme -a -l ~/acme.dump 

 if you simply include basic as the last step of your $HOME/lib/plumbing,
 you won't need the cat.

 - erik