Re: Eliminate warning message from Netscape?

2002-10-19 Thread Rick Widmer
At 12:19 AM 10/19/02 -0700, Brian Lavender wrote:

Is there a way to eliminate the warning message from Netscape
when you sign keys with your own CA?


For your browser, you should be able to stop the warning by
accepting the certificate forever.  Each customer will have
to be convinced to do the same.
I am still getting the warning message when I connect to my
Apache modssl server using Netscape after creating a server
key and signing it with my own CA.
The warning should be that the certificate is not signed by a
CA that is in the list of known certificates that come with
Netscape.  The only way to eliminate it for everyone without
trying to convince each individual hitting the site to accept
your certificate is to buy a certificate from a CA that is in
the list.

Rick

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: Using subjectAltName

2002-10-19 Thread camccuk
Joe Orton <[EMAIL PROTECTED]> wrote:

>Hi - you might be better off asking these questions on the openssl-users
>list.
>
>On Thu, Oct 10, 2002 at 10:18:48AM -0400, [EMAIL PROTECTED] wrote:
>..
>> x509_extensions                                 = usr_cert
>
>This looks like a simple typo, the above requires a section called
>'usr_cert', yet you've actually named the section "user_cert".

Ouch. Cleaned it up for posting - I can confirm that even when correctly spelled, this 
fails to insert the field into the certificate. A cert is generated but when examined 
doesn't appear to have any extra fields.

Point taken that this might be slightly OT and I shall try openssl lists.

Thanks for the reply,

cam
-
[EMAIL PROTECTED]



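Both threads above turn on the same two points: a client (a browser, or `openssl verify`) rejects a certificate whose issuing CA is not in its trust store until that CA is added, and OpenSSL only writes extensions such as subjectAltName into a certificate from a section it was explicitly told to use (`x509 -req` ignores `x509_extensions` in the config and needs `-extfile`/`-extensions`). The script below is an added example, not code from either post; it assumes the openssl CLI is on PATH and uses constructed names (a throw-away private CA and the host www.example.test).

```shell
#!/bin/sh
# Added example, not code from either list post. Assumes the openssl CLI
# is on PATH; www.example.test and the CA name are constructed values.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# [req] is what `req -x509` reads; the extension sections are passed by
# name, because `x509 -req` ignores x509_extensions from the config and
# only applies what -extfile/-extensions point at.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:www.example.test, DNS:example.test
EOF

# Private CA (self-signed), as in the Netscape thread.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Example Private CA" -config "$WORK/ext.cnf" \
  -extensions ca_ext -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Server key + CSR, then sign it with the CA, attaching the usr_cert section.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -config "$WORK/ext.cnf" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ext.cnf" -extensions usr_cert \
  -out "$WORK/srv.crt" 2>/dev/null

# Did subjectAltName actually land in the issued certificate?
has_san() { openssl x509 -in "$WORK/srv.crt" -noout -text | grep -q 'DNS:www.example.test'; }

# A verifier that does not know the private CA rejects the chain (the
# browser warning); one given the CA as a trust anchor accepts it.
verify_default() { openssl verify "$WORK/srv.crt" >/dev/null 2>&1; }
verify_with_ca() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/srv.crt" >/dev/null 2>&1; }

has_san && echo "subjectAltName present in srv.crt"
verify_default || echo "rejected: CA not in the default trust store"
verify_with_ca && echo "accepted once the CA is supplied as a trust anchor"
```

Adding the CA certificate to each client's trust store is the per-client fix the first thread describes; a CA already shipped in the client's list avoids that step entirely.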


distributing encryption software (fwd)

2002-10-19 Thread Cliff Woolley

Because so many of you have asked, here is the answer.

--Cliff


-- Forwarded message --
Date: Sat, 19 Oct 2002 02:56:40 -0700
From: Roy T. Fielding <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: distributing encryption software

Ryan asked for a clarification about whether or not we have the ability
to redistribute SSL binaries for win32.

Last year, the board hired a lawyer to give us an opinion on whether
we can distribute encryption software, or hooks to such software.
The exact opinion we got back is, unfortunately, not online, but it
is essentially the same (with less detail) as the one given to Debian
and visible at .  Basically,
we have the right to distribute encryption software in source or
executable form if we also distribute that same software as open
source for free to the public, provided we first notify the U.S.
authorities once per new encryption-enabled product.

This is sufficient for Debian because they distribute the source code
to everything in Debian within a single repository.  Note, however,
that we do not do the same for OpenSSL.  Not only is OpenSSL not in
our CVS, but it isn't normally distributed by us at all, and the
authors of OpenSSL aren't likely to want us to distribute it because
doing so pollutes the recipients' rights with U.S. crypto controls
whereas they could simply grab the same distribution from the origin
and not be polluted.

I think that Bill Rowe at one point requested that we seek out a
lawyer's opinion on this specific matter, but that was not followed
through by the board because we already know the legal aspects.
The issue isn't legal -- it is social.  We can download a released
version of OpenSSL, compile it, and make both available from our
website provided we first notify the BXA as described in the Debian
opinion above.  However, it is still preferable for our users to
get the DLL themselves, from a distribution outside the U.S., and
avoid having to maintain our distribution of OpenSSL up-to-date.

I think a reasonable and defensible compromise would be to make
it part of the win32 installation script -- to select no SSL or,
if SSL is selected, to guide/automate the user in downloading an
appropriate DLL from some other site.  Besides, that would allow
the user to pick some other SSL library, such as one of the
optimized ones available commercially that may already be
installed on their system.  There is such a thing as being too
concerned about "ease of installation."

Finally, it should also be noted that the exception for Apache ONLY
applies to non-commercial distributions.  Any commercial distribution,
even if it is simply Apache slapped onto a CD and sold for a buck,
remains subject to the old US export controls that everyone hates,
and must be approved via a separate process.

Roy

