Re: Cyrus21 does not work correctly with SSL

On Tue, 15.02.2005, 00:25, Bernd Eckenfels wrote:
> In article [EMAIL PROTECTED] you wrote:
>> 'Toto Root CA' seems to be a self-signed certificate instead of an independent certificate as your root certificate. You don't have to self-sign a root certificate.
>
> You need a signature on all certificates, so root certificates are self-signed.
>
> Bernd

Sorry, you're absolutely right: No signing - no cert, also for root.
Perhaps it was too late for me last night. ;)

Nicolas: How have you created your certs? The commands with arguments and the versions of openssl and libssl would be interesting. Perhaps the lines with tls_... within your imapd.conf, too.

Christian

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Cyrus21 does not work correctly with SSL

On Tue, Feb 15, 2005 at 11:38:43AM +0100, Christian Storch wrote:

I use this config with cyrus because it's simple with many clients to use SSL.

> Sorry, you're absolutely right: No signing - no cert, also for root.
> Perhaps it was too late for me last night. ;)

My certificates work perfectly with apache. My CA was generated with the attached script, and my cyrus cert with the do script.

> Nicolas: How have you created your certs? The commands with arguments and the versions of openssl and libssl would be interesting. Perhaps the lines with tls_... within your imapd.conf, too.

tls_cert_file: /etc/cyrus/imap.winch.my.crt
tls_key_file: /etc/cyrus/imap.winch.my.key
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 0
tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

largo:~# cat /etc/cyrus/imap.winch.my.crt
-----BEGIN CERTIFICATE-----
fqsdfqsdf[...]qsfqsdf
-----END CERTIFICATE-----
largo:~# cat /etc/cyrus/imap.winch.my.key
-----BEGIN RSA PRIVATE KEY-----
sdfgsdfg[...]qszedsf
-----END RSA PRIVATE KEY-----
largo:~# ls /etc/ssl/certs/
0481cb65.0  052e396b.0  06d75f4b.0  [...]  signet_rootca_pem.pem  signet_tsa1_pem.pem  spi-ca.pem  winch-ca.pem
largo:~# cat /etc/ssl/certs/winch-ca.pem
-----BEGIN CERTIFICATE-----
jhzertkjzert[...]tahlkhjdf
-----END CERTIFICATE-----

Thanks.

--
Nicolas Ledez

Attachment: new-root-ca.sh (Description: Bourne shell script)

#!/bin/sh
host=imap.winch.my

# Generate the server key once.
if [ ! -f $host.key ]; then
    openssl genrsa -out $host.key 1024
fi

# Build the certificate request from $host.conf (its [req] section).
if [ ! -f $host.csr ]; then
    openssl req -new -config $host.conf -key $host.key -out $host.csr
fi

if [ ! -f $host.crt ]; then
    # First issue: sign with the CA defined in the [ca] section of $host.conf.
    openssl ca -config $host.conf -in $host.csr -out $host.crt
    if [ $? != 0 ]; then
        echo Error in :
        echo openssl ca -config $host.conf -in $host.csr -out $host.crt
        exit 1
    fi
else
    # Re-issue: keep the old cert and sign the request directly with ../ca.crt.
    mv $host.crt $host.crt.0
    openssl x509 -req -in $host.csr -CA ../ca.crt -days 365 -CAkey ../ca.key \
        -CAserial ../ca.db.serial -out $host.crt -extfile $host.conf -extensions v3_req
    if [ $? != 0 ]; then
        echo Error in :
        echo openssl x509 -req -in $host.csr -CA ../ca.crt -days 365 -CAkey ../ca.key \
            -CAserial ../ca.db.serial -out $host.crt -extfile $host.conf -extensions v3_req
        exit 1
    fi
fi

# Combined key+cert PEM for services that want a single file.
if [ -f $host.pem ]; then
    mv $host.pem $host.pem.0
fi
cat $host.key $host.crt > $host.pem   # needs the > redirect
chmod 400 $host.csr $host.crt $host.key $host.pem
openssl x509 -noout -text -in $host.crt

The openssl config the script reads as $host.conf:

[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
string_mask = nombstr
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
C = MY
ST = France
L = Chateaubourg
O = Winch
OU = Secure Imap Server
CN = imap.winch.my
emailAddress = [EMAIL PROTECTED]

[ v3_req ]
nsCertType = server
basicConstraints = critical,CA:false

[ ca ]
default_ca = default_CA

[ default_CA ]
dir = ..
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
x509_extensions = server_cert
policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Re: Cyrus21 does not work correctly with SSL

On Tue, 15.02.2005, 13:20, Nicolas Ledez wrote:
> On Tue, Feb 15, 2005 at 11:38:43AM +0100, Christian Storch wrote:
> ...
> My CA was generated with the attached script, and my cyrus cert with the do script.
>
>> Nicolas: How have you created your certs? The commands with arguments and the versions of openssl and libssl would be interesting. Perhaps the lines with tls_... within your imapd.conf, too.
>
> tls_cert_file: /etc/cyrus/imap.winch.my.crt
> tls_key_file: /etc/cyrus/imap.winch.my.key
> tls_ca_path: /etc/ssl/certs
> tls_session_timeout: 0
> tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

I've tried your scripts for creating root and server certs. Testing with s_client on two different servers I got no errors, but nearly the same output you've posted!

woody:
ii  cyrus21-common  2.1.15-0woody.1.0         Cyrus mail system (common files)
ii  cyrus21-imapd   2.1.15-0woody.1.0         Cyrus mail system (IMAP support)
ii  libssl0.9.7     0.9.7d-0.backports.org.1  SSL shared libraries

sid:
ii  cyrus21-common  2.1.17-3  Cyrus mail system (common files)
ii  cyrus21-imapd   2.1.17-3  Cyrus mail system (IMAP support)
ii  libssl0.9.7     0.9.7c-5  SSL shared libraries

What versions are you using? - It's the only idea I have at the moment.

Christian
Re: Cyrus21 does not work correctly with SSL

On Tue, Feb 15, 2005 at 06:47:53PM +0100, Christian Storch wrote:
> I've tried your scripts for creating root and server certs. Testing with s_client on two different servers I got no errors, but nearly the same output you've posted!

I try to find more information for my certificate. With

    openssl verify -CApath /etc/ssl/certs/ -issuer_checks imap.winch.my.crt

I have "error 29 at 0 depth lookup:subject issuer mismatch" errors. I think it's normal. What command can I use to test the certificate?

> woody:
> ii  cyrus21-common  2.1.15-0woody.1.0         Cyrus mail system (common files)
> ii  cyrus21-imapd   2.1.15-0woody.1.0         Cyrus mail system (IMAP support)
> ii  libssl0.9.7     0.9.7d-0.backports.org.1  SSL shared libraries
>
> sid:
> ii  cyrus21-common  2.1.17-3  Cyrus mail system (common files)
> ii  cyrus21-imapd   2.1.17-3  Cyrus mail system (IMAP support)
> ii  libssl0.9.7     0.9.7c-5  SSL shared libraries
>
> What versions are you using? - It's the only idea I have at the moment.

largo:~# dpkg -l cyrus\*|grep '^ii'
ii  cyrus21-admin   2.1.17-3  Cyrus mail system (administration tool)
ii  cyrus21-client  2.1.17-3  Cyrus mail system (test clients)
ii  cyrus21-common  2.1.17-3  Cyrus mail system (common files)
ii  cyrus21-doc     2.1.17-3  Cyrus mail system (documentation files)
ii  cyrus21-imapd   2.1.17-3  Cyrus mail system (IMAP support)
ii  cyrus21-pop3d   2.1.17-3  Cyrus mail system (POP3 support)
largo:~# dpkg -l libssl\*|grep '^ii'
ii  libssl0.9.6  0.9.6m-1        SSL shared libraries (old version)
ii  libssl0.9.7  0.9.7e-2        SSL shared libraries
ii  libssl09     0.9.4-6.woody.  SSL shared libraries (old version)

I tried with tls_ca_file, tls_ca_path. Nothing...

Thanks.

--
Nicolas Ledez
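As an added example that is not from the thread, here are the checks behind Nicolas's question in POSIX shell with the openssl CLI: does the server cert's issuer match the CA's subject and verify against it, and is the CA reachable through a <hash>.0 name, which is how a tls_ca_path directory (and openssl verify -CApath) is searched; a winch-ca.pem sitting beside the hashed files is worth checking for exactly that. The "Demo Root CA", imap.example.test and the temp-dir layout are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI; the CA and
# server names below are constructed for the demo.

# 1. Is LEAF really issued by CA? Compare issuer to subject, then verify.
check_server_cert() { # $1 = server cert, $2 = CA cert
    leaf_issuer=$(openssl x509 -noout -issuer -in "$1")
    ca_subject=$(openssl x509 -noout -subject -in "$2")
    [ "${leaf_issuer#issuer=}" = "${ca_subject#subject=}" ] || return 1
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 2. A CApath directory (tls_ca_path, openssl verify -CApath) is searched by
#    <subject-hash>.0 names like 0481cb65.0, never by a name like winch-ca.pem.
#    OpenSSL 1.0 changed the hash, so a directory hashed by 0.9.x needs rehashing.
ca_hash_present() { # $1 = CA cert, $2 = directory
    [ -e "$2/$(openssl x509 -noout -hash -in "$1").0" ]
}
install_hash_link() { # $1 = CA cert already placed in directory $2
    ln -s "$(basename "$1")" "$2/$(openssl x509 -noout -hash -in "$1").0"
}
verify_via_capath() { # $1 = server cert, $2 = directory
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Constructed fixture: a throwaway root CA, a server cert it signs, an
# unrelated CA, and a certs/ directory holding the CA as winch-ca.pem only.
DEMO_DIR=""
setup_demo() {
    DEMO_DIR=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.test" \
        -keyout "$DEMO_DIR/imap.key" -out "$DEMO_DIR/imap.csr" 2>/dev/null
    openssl x509 -req -in "$DEMO_DIR/imap.csr" -CA "$DEMO_DIR/ca.crt" \
        -CAkey "$DEMO_DIR/ca.key" -CAcreateserial -days 1 \
        -out "$DEMO_DIR/imap.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other CA" \
        -keyout "$DEMO_DIR/other.key" -out "$DEMO_DIR/other.crt" 2>/dev/null
    mkdir "$DEMO_DIR/certs" && cp "$DEMO_DIR/ca.crt" "$DEMO_DIR/certs/winch-ca.pem"
}
```

Call setup_demo, then verify_via_capath against $DEMO_DIR/certs before and after install_hash_link: the same CA file fails until the hash link exists.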
Re: Compromised system - still ok?

On Monday 07 February 2005 14:43, Alvin Oga [EMAIL PROTECTED] wrote:
>> No, you make an image, reinstall, and if you have time (ie. you normally don't) then you can start the forensics.
>
> yes about making an image ... i assume you mean
> - take the box down,
> - i hate taking the box down, as you can lose valuable info in its memory

Unless you have special hardware installed it's impossible to take a memory image of a running machine. There are PCI cards available which use bus-mastering to copy the memory of a live machine for forensics, but they are expensive and would have to be installed before the machine was cracked. Inspecting the memory of a running machine that has been properly cracked is a problem as it may be obscured by a kernel module.

Most people recommend abruptly cutting the power to a machine that may have been compromised. That prevents unlinking files that have no links but which were in use at the time. A shutdown process will give a consistent file system (losing data from temporary files) and may also lose other data.

> - i'd re-install into a new disk and leave the cracked one alone ( disks are super cheap )
> - i would not reinstall on the cracked disk as it can have hidden filesystems

How would hidden filesystems work?

Some name-brand machines (particularly laptops) have a BIOS extension stored on an IDE hard disk which apparently has some reserved disk space. It seems that my Thinkpad had something like this, but now that I'm running 2.6.10 Linux sees all the disk space, which would allow me to increase my Linux use by 3.4G which would overwrite the Thinkpad stuff. Once Linux is using all the space there's nowhere to hide.

Assuming that you use all your disk space then hidden file systems shouldn't be an issue. However it may be good to keep the disk anyway for evidence purposes. Data on the original disk may be better regarded than data on a DVD if the case ever comes to court.

> - for forensics.. use a good cd or build a custom disk with a lot of fun forensics on it and fiddle till one finds all the answers :-0

Make sure that you don't do forensics on the original image. Investigating the situation may require running fsck etc which changes things.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Re: Compromised system - still ok?

In article [EMAIL PROTECTED] you wrote:
>> - for forensics.. use a good cd or build a custom disk with a lot of fun forensics on it and fiddle till one finds all the answers :-0
>
> Make sure that you don't do forensics on the original image. Investigating the situation may require running fsck etc which changes things.

And talking about forensics: use script(1) to generate a complete typescript of your forensics session.

Greetings
Bernd
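Added example, not from the thread, of the evidence handling Russell and Bernd describe, in POSIX shell: image the source, record both hashes in an evidence log, work only on a further throwaway copy, and re-check the hashes after each step so an fsck or read-write mount that hit the wrong copy is caught; the last function wraps a step in script(1) for the typescript. It assumes dd, sha256sum, awk, mktemp and util-linux script(1); the 1 MiB random "disk" in demo is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes dd, sha256sum, awk, mktemp
# and (for record_session only) util-linux script(1).

# Hash a file, append "<sha256>  <path>" to the evidence log, print the hash.
log_hash() { # $1 = file, $2 = evidence log
    sha256sum "$1" | tee -a "$2" | cut -d' ' -f1
}

# Image SRC (device or file) to IMG, then hash both into the log.
# Succeeds only if the image hashes identically to its source.
acquire_image() { # $1 = source, $2 = image, $3 = evidence log
    dd if="$1" of="$2" bs=4096 2>/dev/null || return 1
    [ "$(log_hash "$1" "$3")" = "$(log_hash "$2" "$3")" ]
}

# Does FILE still match the hash first recorded for it? Run this on the
# source and on the image after every step. Files never logged fail.
unchanged() { # $1 = file, $2 = evidence log
    recorded=$(awk -v f="$1" '$2 == f { print $1; exit }' "$2")
    [ -n "$recorded" ] && [ "$recorded" = "$(sha256sum "$1" | cut -d' ' -f1)" ]
}

# The copy the investigation is allowed to alter.
working_copy() { # $1 = image, $2 = copy
    cp "$1" "$2"
}

# Run one step under script(1) so the whole session becomes a typescript.
record_session() { # $1 = typescript file, $2... = command and arguments
    ts=$1; shift
    script -q -c "$*" "$ts"
}

# Constructed demo: a 1 MiB random "disk". Returns 0 when source and image
# stay verified, the scribbled-on working copy is not in the log, and a
# scribbled-on image is detected.
demo() {
    d=$(mktemp -d); ev="$d/evidence.log"
    head -c 1048576 /dev/urandom > "$d/disk.raw"
    acquire_image "$d/disk.raw" "$d/disk.img" "$ev" || return 1
    working_copy "$d/disk.img" "$d/work.img"
    printf 'fsck was here' | dd of="$d/work.img" conv=notrunc 2>/dev/null
    unchanged "$d/disk.raw" "$ev" && unchanged "$d/disk.img" "$ev" || return 1
    unchanged "$d/work.img" "$ev" && return 1
    printf 'fsck was here' | dd of="$d/disk.img" conv=notrunc 2>/dev/null
    unchanged "$d/disk.img" "$ev" && return 1
    rm -rf "$d"
}
```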