RE: Help with using SSL certificate with IMAP?..
I have that config working on rh7.2, but I didn't need the openssl s_client bit. As long as the cert+priv. key file's in the right place, it all worked (although I think I removed some of the read access on the directories as they seemed too lax). I can't remember where they should be at the moment, but they do need to have the right name too (imapd.pem, or similar). I do have problems at the other end on Windows XP, but they're more pain in the bum than fatal.

tc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Victor Danilchenko
Sent: 15 August 2002 14:26
To: [EMAIL PROTECTED]
Subject: Re: Help with using SSL certificate with IMAP?..

A followup:

First of all, I forgot to mention the IMAP server type. It's UW IMAP 2001.

Secondly, some time after I posted the message, I realized that I made a stupid error: of course both the private and the public keys are needed! But I originally was confused about the key generation process. Anyway, so I re-did the steps, generating the server private key, then the certificate request, then signing the request with my CA key and certificate. Then I concatenated the server private key and the certificate, emplacing the result as imapd.pem -- and nothing happens. Or rather, the IMAPD server does start up (instead of just refusing to run), but it does so rather uselessly: it doesn't actually *do* anything, not even establish the SSL connection:

    [root ssl.crt]# openssl s_client -connect somesystem:993
    CONNECTED(0003)

and that's where it freezes, sitting in place uselessly. The /var/log/messages contained nothing relating to the bad connections, and I could find no way to enable some sort of verbose or debug logging in UW imapd.

Out of curiosity, I used the same .cnf file to generate a self-signed certificate; and that one worked like a charm, even including various extensions (cert type, x509 basic constraints, revocation URLs, etc.), so the problem doesn't seem to lie in a bad .cnf file.
I am missing something obvious here, I suspect, and I don't know what it is. For reference, here is the full sequence of steps I took to generate the CA and the server certificate -- the one that doesn't work:

1) Generate CA private key (I tried both RSA and DSA, with the same lack of result):
    openssl genrsa -des3 -out ca.key 1024
2) Generate self-signed CA certificate:
    openssl req -new -x509 -days 400 -key ca.key -config ca.cnf -out ca.pem
3) Generate server private key:
    openssl genrsa -des3 -out cscf.key 1024
4) Generate certificate request:
    openssl req -new -key cscf.key -config cscf.cnf -out cscf.csr
5) Sign certificate request with our self-signed CA:
    openssl ca -cert ca.pem -keyfile ca.key -config cscf.cnf -in cscf.csr -out cscf.pem

And when I cat together the resulting cscf.key and cscf.pem into imapd.pem, nothing happens -- the IMAPD server with this imapd.pem cert accepts connections, but doesn't do any SSL negotiations.

Can anyone help?.. Please?

On Wed, 14 Aug 2002, Victor Danilchenko wrote:

A newbie here... Some help is much needed. We are trying to set up our own CA; so I muddled through private key generation (DSA), CA generation, certificate request, and finally the leaf certificate signing. Now I am trying to test the setup: got Mozilla to accept the CA certificate, and I tried to configure IMAPS with the generated client cert -- and it doesn't work. IMAPS runs with the old self-signed certificate, but I obviously don't want to include the private key in the .pem file; and when I include only the certificate itself, IMAP simply refuses to run (I did trim the verbose info out of the .pem file, leaving only the certificate section -- it didn't help). The certificate in question is configured as a non-CA cert with 'Server,email' type.

Does anyone have any idea about what is going on? Could the matter be helped by including various data from the configuration files or the certificates? (I generated them all verbose, with the '-text' option.)
I include below the relevant info from the final .pem file; let me know if something else would help. Many thanks in advance.

P.S. Is there a problem with not including the CN field in the self-signed CA certificate? I figured that CN makes no sense for a CA certificate, but I don't know much about SSL anyway...

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
        Signature Algorithm: dsaWithSHA1
        Issuer: C=US, ST=Massachusetts, L=Amherst, O=University of Massachusetts/Amherst, OU=Department of Computer Science
        Validity
            Not Before: Aug 14 16:58:25 2002 GMT
            Not After : Aug 14 16:58:25 2003 GMT
        Subject: C=US,
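The following is an added example, not part of this thread and not UW IMAP's or OpenSSL's own code. It builds an imapd.pem the way the steps above describe (server private key followed by its CA-signed certificate) and runs the checks worth making before blaming the server: the key and the certificate in the combined file must share an RSA modulus, the certificate must verify against the CA, and the key must be readable without a passphrase. That last check matters for the recipe above, because openssl genrsa -des3 writes a passphrase-protected key, and a daemon started unattended has nothing to decrypt it with. The example signs with openssl x509 -req instead of openssl ca so that no CA database is needed, generates unencrypted keys with -nodes, and uses made-up names (the CA name, imap.example.test, the work directory).

```shell
#!/bin/sh
# Added example (not from the thread or from UW IMAP): build imapd.pem as the
# thread describes (server private key followed by its CA-signed certificate)
# and check the things that commonly break such a setup. All names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal config so 'openssl req' does not depend on the system openssl.cnf.
write_req_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Self-signed test CA. -nodes leaves the key unencrypted so this runs unattended.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 400 -config "$WORK/req.cnf" \
    -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Server key + CSR, signed by the CA. 'x509 -req' needs no CA database,
# unlike the 'openssl ca' step in the thread.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=imap.example.test" -keyout "$WORK/cscf.key" -out "$WORK/cscf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/cscf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/cscf.pem" 2>/dev/null
  # What the IMAP server loads: private key first, then the certificate.
  cat "$WORK/cscf.key" "$WORK/cscf.pem" > "$WORK/imapd.pem"
}

# Succeeds if the PEM key is passphrase-protected (what 'genrsa -des3' produces).
key_is_encrypted() {
  grep -q 'ENCRYPTED' "$1"
}

# Succeeds if the private key and certificate in one PEM file share a modulus.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds if the certificate chains to the test CA.
cert_verifies() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Build everything and print a short report.
build_and_report() {
  write_req_config
  make_ca
  make_server_cert
  if key_is_encrypted "$WORK/imapd.pem"; then
    echo "imapd.pem: key is passphrase-protected; an unattended daemon cannot use it"
  fi
  if key_matches_cert "$WORK/imapd.pem" && cert_verifies "$WORK/cscf.pem"; then
    echo "imapd.pem: key matches certificate and certificate verifies against ca.pem"
  else
    echo "imapd.pem: key/certificate mismatch or chain failure"
  fi
}

build_and_report
```

The same three functions can be pointed at an existing imapd.pem and CA file: a modulus mismatch means the wrong key was concatenated, a verify failure means the certificate was not issued by the CA the clients trust, and an ENCRYPTED header means the server will block or fail when it tries to load the key.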
How do I input ldap urls of the crlDistributionPoints URI value in openssl.cnf ?
Hello,

I use the OpenSSL 0.97 library. I read the openssl.txt file and am trying to use the crlDistributionPoints extension option. But I met some problem using a CRL repository point in LDAP URL format. The below shows the error messages.

    Error Loading extension section usr_cert
    1704:error:0E06D06C:configuration file routines:NCONF_get_string:no value:P:\OpenSSL\openssl-0.9.7-beta2\crypto\conf\conf_lib.c:329:group=CA_default name=email_in_dn
    1704:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME:missing value:P:\OpenSSL\openssl-0.9.7-beta2\crypto\x509v3\v3_alt.c:391:
    1704:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:P:\OpenSSL\openssl-0.9.7-beta2\crypto\x509v3\v3_conf.c:92:name=crlDistributionPoints, value=URI: ldap://203.233.91.35:389/ou=dp2p1140,ou=LicensedCA,o=yessign,c=kr?certificateRevocationList

I surveyed the errors. I found the reason: the LDAP URL format is like this,

    ldap://203.233.91.35:389/ou=dp2p1140,ou=LicensedCA,o=yessign,c=kr?certificateRevocationList

and this string has the characters , and ?. I also see the URI name/value pairs are delimited by , in the openssl.cnf file. So the OpenSSL library reads the , in the LDAP URL as a URI delimiter and fails to parse the string.

I need some help to input the correct LDAP URL in openssl.cnf. Anyone knows how to input the LDAP URL in openssl.cnf?

Thanks.
J. H. cha

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Diffie-Hellman question
Hello!

Please help me. I need to run OpenSSL as a server from the command line (Win32 platform), and need it to support ciphers like DH_DSS_WITH_DES_CBC_SHA, DH_RSA_WITH_DES_CBC_SHA or DH_anon_WITH_DES_CBC_SHA. When I try to connect with only one of the ciphers noted above, the server says "No shared ciphers" directly after the client hello is received. If anybody knows how to make OpenSSL support these ciphers, please tell me. Possibly I need to create a Diffie-Hellman certificate? How may it be created?

Thank you very much,
Innokentiy Ivanov.
Where can i get OpenSSL 0.9.5a
Hello!

Please advise me: where can I download the win32 version of OpenSSL 0.9.5a?

Thank you,
Innokentiy Ivanov
RE: How do I input ldap urls of the crlDistributionPoints URI value in openssl.cnf ?
Hello,

You have to use / instead of the , inside the LDAP URI, because the , delimits the URIs. The ? does not do any harm; you can use it without change.

(Besides, some time ago I read in a comment that OpenSSL would not support LDAP URIs because of the commas inside the LDAP URI. When you create text output from a certificate with

    openssl x509 -in certificate.pem -text

you see that the LDAP entry for the subject uses slashes! Just did the same; it worked.)

Best regards,
Michael

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jung-Ho Cha
Sent: Friday, 16 August 2002 10:52
To: [EMAIL PROTECTED]
Subject: How do I input ldap urls of the crlDistributionPoints URI value in openssl.cnf ?

Hello,

I use the OpenSSL 0.97 library. I read the openssl.txt file and am trying to use the crlDistributionPoints extension option. But I met some problem using a CRL repository point in LDAP URL format. The below shows the error messages.

    Error Loading extension section usr_cert
    1704:error:0E06D06C:configuration file routines:NCONF_get_string:no value:P:\OpenSSL\openssl-0.9.7-beta2\crypto\conf\conf_lib.c:329:group=CA_default name=email_in_dn
    1704:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME:missing value:P:\OpenSSL\openssl-0.9.7-beta2\crypto\x509v3\v3_alt.c:391:
    1704:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:P:\OpenSSL\openssl-0.9.7-beta2\crypto\x509v3\v3_conf.c:92:name=crlDistributionPoints, value=URI: ldap://203.233.91.35:389/ou=dp2p1140,ou=LicensedCA,o=yessign,c=kr?certificateRevocationList

I surveyed the errors. I found the reason: the LDAP URL format is like this,

    ldap://203.233.91.35:389/ou=dp2p1140,ou=LicensedCA,o=yessign,c=kr?certificateRevocationList

and this string has the characters , and ?. I also see the URI name/value pairs are delimited by , in the openssl.cnf file. So the OpenSSL library reads the , in the LDAP URL as a URI delimiter and fails to parse the string.

I need some help to input the correct LDAP URL in openssl.cnf. Anyone knows how to input the LDAP URL in openssl.cnf?

Thanks.
J. H. cha
ASN1_TIME manipulation
Is there a function of some sort that enables me to add a certain amount of days to a date stored inside an ASN1_TIME structure?

Example: Suppose I want to set the expiration date for a new certificate as the expiration date of another certificate PLUS a year... So, what I have is:

    X509_set_notBefore(newCert, X509_get_notBefore(oldCert));

My problem is: How can I add the 365 days to the result of X509_get_notBefore(oldCert)?

--
Arthur Wongtschowski
SCOPUS Tecnologia S.A.
Systems Security
Which Ciphers are being used?
Hello all, the cipher used for a particular session is:

    CIPHER is: EDH-RSA-DES-CBC3-SHA

Can someone provide me with a breakdown of what ciphers are actually being used for what operations? I am particularly interested in what cipher is being used for the actual encryption / decryption of data transferred after the handshaking phase (i.e. data transferred via SSL_read and SSL_write).

Thanks!
Austin
Re: Which Ciphers are being used?
Hello all, the cipher used for a particular session is:

    CIPHER is: EDH-RSA-DES-CBC3-SHA

Can someone provide me with a breakdown of what ciphers are actually being used for what operations? I am particularly interested in what cipher is being used for the actual encryption / decryption of data transferred after the handshaking phase (i.e. data transferred via SSL_read and SSL_write).

EDH (ephemeral Diffie-Hellman): key exchange. That is used to establish a read/write key pair for client and server.
RSA: signing Diffie-Hellman's key.
DES-CBC3: triple DES for all data encryption.
SHA: creating the MAC for data records.

Thanks!
Austin
Compiling openssl-0.9.6g on Solaris 2.x
Hi All.

I have no trouble compiling openssl-0.9.6g on Solaris 2.6 or 2.8 with the default makefile, but if I either perform a

    ./Configure solaris-sparcv9-gcc --prefix=DIR

or if I modify the INSTALL_PREFIX= in the Makefile and then do a make; make install, it fails to install to my destination directory. I get stuff like this:

    installing ssl...
    make[1]: Entering directory `/depot/openssh/openssl-0.9.6g/ssl'
    cp: cannot create live/include/openssl/ssl.h: No such file or directory
    chmod: WARNING: can't access live/include/openssl/ssl.h
    cp: cannot create live/include/openssl/ssl2.h: No such file or directory
    chmod: WARNING: can't access live/include/openssl/ssl2.h
    cp: cannot create live/include/openssl/ssl3.h: No such file or directory
    chmod: WARNING: can't access live/include/openssl/ssl3.h
    cp: cannot create live/include/openssl/ssl23.h: No such file or directory
    chmod: WARNING: can't access live/include/openssl/ssl23.h
    cp: cannot create live/include/openssl/tls1.h: No such file or directory
    chmod: WARNING: can't access live/include/openssl/tls1.h
    make[1]: *** [install] Error 1
    make[1]: Leaving directory `/depot/openssh/openssl-0.9.6g/ssl'

etc., and then it dies. Any idea how to get it to install to another destination instead of off of / ?

Thanks
Jeff
Does SSL have No encryption option?
Had an internal request to provide https connectivity without encryption. Is this a valid option? Will OpenSSL allow the negotiation of this if client or server requests it?
Re: How do I input ldap urls of the crlDistributionPoints URI value in openssl.cnf ?
On Fri, Aug 16, 2002, Karl-Michael Werzowa wrote:

Hello,

You have to use / instead of the , inside the LDAP URI, because the , delimits the URIs. The ? does not do any harm; you can use it without change.

(Besides, some time ago I read in a comment that OpenSSL would not support LDAP URIs because of the commas inside the LDAP URI. When you create text output from a certificate with

    openssl x509 -in certificate.pem -text

you see that the LDAP entry for the subject uses slashes! Just did the same; it worked.)

Using the alternative @section syntax commas can be included (see doc/openssl.txt).

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
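As an added example (not from the thread, and not OpenSSL project code), here is the @section form Steve refers to, with the LDAP URL from the question, next to the inline form that fails on it. A self-signed certificate is generated from each configuration with openssl req, and the distribution point is read back from the resulting certificate to confirm that the commas and the ? survived. The config file names, the CN and the work directory are made up for the example; the inline form is kept only to show the failure.

```shell
#!/bin/sh
# Added example (not from the thread): crlDistributionPoints with an LDAP URL.
# The inline 'URI:...' form is split on commas, which breaks a DN; the
# '@section' form reads each value whole. File names and CN are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# The LDAP URL from the question (as written in the thread, re-joined).
LDAP_CRL_URL='ldap://203.233.91.35:389/ou=dp2p1140,ou=LicensedCA,o=yessign,c=kr?certificateRevocationList'

# Write a self-contained req config; $2 is the body of the extension section.
write_cnf() {
  cat > "$WORK/$1" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ext
[dn]
CN = crldp-demo
[v3_ext]
$2
EOF
}

# Generate a self-signed certificate from config $1 into $2; fails if the
# extension cannot be parsed.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2" 2>/dev/null
}

# Print the first CRL distribution point URI recorded in certificate $1.
crl_uri_in_cert() {
  openssl x509 -in "$WORK/$1" -noout -text | sed -n 's/^ *URI://p' | head -n 1
}

# Inline form: the commas inside the DN are taken as field separators.
write_cnf inline.cnf "crlDistributionPoints=URI:$LDAP_CRL_URL"
if make_cert inline.cnf inline.pem; then
  echo "inline form: accepted, recorded URI: $(crl_uri_in_cert inline.pem)"
else
  echo "inline form: rejected by openssl req (value split at the commas)"
fi

# Section form: 'URI.1' is read whole, commas and '?' included.
write_cnf section.cnf "crlDistributionPoints=@crl_section
[crl_section]
URI.1=$LDAP_CRL_URL"
make_cert section.cnf section.pem
echo "section form: recorded URI: $(crl_uri_in_cert section.pem)"
```

Reading the value back with openssl x509 -text is the check that matters: a client that fetches the CRL will use exactly the string recorded in the certificate, so a URL with its DN components turned into separate fields, or with commas replaced, points nowhere.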
Re: Does SSL have No encryption option?
On Fri, Aug 16, 2002, Denslow, Gregory E (Greg) wrote:

Had an internal request to provide https connectivity without encryption. Is this a valid option? Will OpenSSL allow the negotiation of this if client or server requests it?

Yes this is supported but the relevant ciphersuites have to be specifically enabled. See the ciphers manual page.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
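An added example, not from the thread, showing how to check a cipher string for the NULL-encryption suites Steve says must be explicitly enabled. openssl ciphers -v prints one suite per line with an Enc= field, and Enc=None marks a suite that authenticates and MACs but does not encrypt; the example counts and lists those for a few cipher strings (the strings are chosen for the demonstration). The same check, run against the cipher string a server is actually configured with, confirms that no such suite was enabled by accident.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenSSL cipher string for
# NULL-encryption suites. 'openssl ciphers -v' prints one suite per line with
# an Enc= field; Enc=None marks suites that authenticate but do not encrypt.
# The cipher strings below are chosen for the demonstration.
set -eu

# Number of suites in cipher string $1 that use no encryption.
count_null_suites() {
  openssl ciphers -v "$1" 2>/dev/null | awk '/Enc=None/ { n++ } END { print n + 0 }'
}

# Names of those suites, one per line, for a review or a config diff.
list_null_suites() {
  openssl ciphers -v "$1" 2>/dev/null | awk '/Enc=None/ { print $1 }'
}

# DEFAULT and a typical hardened string exclude eNULL; a string that names
# eNULL (the explicit enablement the thread talks about) brings them back.
for cs in 'DEFAULT' 'HIGH:!aNULL:!eNULL' 'ALL:eNULL'; do
  printf '%-20s NULL-encryption suites: %s\n' "$cs" "$(count_null_suites "$cs")"
done
echo "suites enabled by 'eNULL':"
list_null_suites 'eNULL'
```

A server that was meant to offer authentication only, as the follow-up in this thread suggests, would show a non-zero count here; everything else should show zero.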
Re: Which Ciphers are being used?
A little reading of the correct documents and all falls into place. The OpenSSL command to run is:

    openssl ciphers -v
    EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1

Various phases of the session are: Key Exchange (Kx), Authentication (Au), Encryption (Enc), and Message Authentication Codes (Mac).

----- Original Message -----
From: Austin Krauss
To: [EMAIL PROTECTED]
Sent: Friday, August 16, 2002 10:15 AM
Subject: Which Ciphers are being used?

Hello all, the cipher used for a particular session is:

    CIPHER is: EDH-RSA-DES-CBC3-SHA

Can someone provide me with a breakdown of what ciphers are actually being used for what operations? I am particularly interested in what cipher is being used for the actual encryption / decryption of data transferred after the handshaking phase (i.e. data transferred via SSL_read and SSL_write).

Thanks!
Austin
how to sign cert for IE SSL proof of concept?
I'm trying to duplicate the recent IE SSL issues, but all I have is an exported server key from an IIS server to sign with. Given the 3 formats you can do this in:

    DER encoded x.509
    Base-64 encoded x.509
    PKCS #7

How could I then use these formats to sign a CSR and illustrate the flaw? Yes, these are my keys, and yes I'm RTFM'ing, but the info doesn't seem readily available.

Thanks
-Mike
NET::SSLeay
I am having problems installing NET::SSLeay on my machine... here is all the pertinent information. If there is anything else that can help in my fixing this problem let me know... Thanks
~joel

    rpm -q openssl
    openssl-0.9.5a-2
    rpm -q openssl-devel
    openssl-devel-0.9.5a-2

Redhat based on 6.2

    uname -a
    2.2.14-VA.2.1 #1 Mon Jul 31 21:58:22 PDT 2000 i686 unknown

    rpm -ba /usr/src/redhat/SPECS/perl-Net_SSLeay.spec

error

    + umask 022
    + cd /usr/src/redhat/BUILD
    + rm -rf /var/tmp/perl-Net_SSLeay-1.05-5-root
    + cd /usr/src/redhat/BUILD
    + rm -rf Net_SSLeay-1.05
    + /usr/bin/bzip2 -dc /usr/src/redhat/SOURCES/Net_SSLeay-1.05.tar.bz2
    + tar -xf -
    + STATUS=0
    + [ 0 -ne 0 ]
    + cd Net_SSLeay-1.05
    ++ /usr/bin/id -u
    + [ 0 = 0 ]
    + /bin/chown -Rhf root .
    ++ /usr/bin/id -u
    + [ 0 = 0 ]
    + /bin/chgrp -Rhf root .
    + /bin/chmod -Rf a+rX,g-w,o-w .
    + exit 0
    + umask 022
    + cd /usr/src/redhat/BUILD
    + cd Net_SSLeay-1.05
    + rm -rf /var/tmp/perl-Net_SSLeay-1.05-5-root
    + /usr/bin/perl Makefile.PL /usr
    That's is newer than what this module was tested with (0.9.3a).
    You should consider checking if there is a newer release of this module available.
    Everything will probably work OK, though.
    + make OPTIMIZE=-O2 -m486 -fno-strength-reduce PREFIX=/usr
    In file included from /usr/include/openssl/pem.h:66,
                     from /usr/include/openssl/ssl.h:147,
                     from SSLeay.xs:55:
    /usr/include/openssl/evp.h:97: openssl/idea.h: No such file or directory
    make: *** [SSLeay.o] Error 1
    Bad exit status from /var/tmp/rpm-tmp.17811 (%build)
first installation - apache uses other httpd.conf-path
I successfully installed openssl and mod_ssl as described in the docs. Running https:// works fine, but I noticed that Apache now uses the httpd.conf located in /usr/local/apache/conf and not, as before installing SSL, the one in /etc/httpd. How can I force make certificate to store the keys and certs under /etc/httpd, and make Apache use all .conf files in /etc/httpd?

--
Jochen Kaechelin
what domain when generating a test cert
I run an Apache on my local Valhalla box on the domain redhat.amsjk.home (192.168.0.1). What domain do I have to enter when generating a test cert?

--
Jochen Kaechelin
RE: Does SSL have No encryption option?
The easiest way would be to move HTTP from port 80 to your HTTPS port. SSL without encryption wouldn't be SSL. Unless you just want the key authentication and leave the data unencrypted?

-----Original Message-----
From: Denslow, Gregory E (Greg) [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 16, 2002 12:11 PM
To: [EMAIL PROTECTED]
Subject: Does SSL have No encryption option?

Had an internal request to provide https connectivity without encryption. Is this a valid option? Will OpenSSL allow the negotiation of this if client or server requests it?