mod_authz_ldap configuration

2002-10-16 Thread Glynn S. Condez

Has anyone successfully configured mod_authz_ldap based on the
http://authzldap.othello.ch/ examples or howto?


--- Glynn ---


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: CSR / CA Issued Certificate

2002-10-16 Thread Jose Correia (J)

Hi Kevin

Here is the part of a document I created where I describe the creation
of the CA, server and client certificates.


Creation of Certificates

I first started by using Openssl (and Perl) to create my own
Certificate Authority (CA) from the Linux Box. Below are the steps
used for that:
1.  Create a directory to keep all CA work in one clearly defined place:
    mkdir /CA
2.  Copy /openssl-0.9.6g/apps/CA.pl and /openssl-0.9.6g/apps/openssl.cnf into /CA.
3.  Create the new CA:
    perl CA.pl -newca

Fill in the CA certificate details (all of them), something like:
Country Name (2 letter code) [AU]:ZA
State or Province Name (full name) [Some-State]:WP
Locality Name (eg, city) []:Cape Town
Organization Name (eg, company) [Internet Widgits Pty Ltd]:telkom
Organizational Unit Name (eg, section) []:Isis
Common Name (eg, YOUR name) []:Root
Email Address []:[EMAIL PROTECTED]

Now /CA/demoCA/cacert.pem contains the certificate for the new
personal certificate authority.
Then create the server certificate:
1.  Generate a certificate request:
    perl CA.pl -newreq

Fill in the server certificate details (all of them), something like:
Country Name (2 letter code) [AU]:ZA
State or Province Name (full name) [Some-State]:WP
Locality Name (eg, city) []:Cape Town
Organization Name (eg, company) [Internet Widgits Pty Ltd]:telkom
Organizational Unit Name (eg, section) []:server unit
Common Name (eg, YOUR name) []:111.111.11.11
Email Address []:[EMAIL PROTECTED]

2.  Sign that request. This is what a Trusted Authority does for you:
    perl CA.pl -sign

Had we wanted a third party to sign our certificate, we would send the
certificate request to them, they would sign it, and send it back to
us. We would then use that certificate.

3.  Then extract the private key into a separate file (the redirection
    characters were lost in the archive; newreq.pem holds both the request
    and the encrypted key, and openssl rsa writes just the key):
    openssl rsa < newreq.pem > newkey.pem
4.  For ease of use, rename these to more meaningful file names:
    mv newcert.pem server.crt
    mv newreq.pem server.req
    mv newkey.pem server.key

Place these in the apache httpd.conf accordingly.

To create a client certificate, we have two choices:

1.  If the certificate is going to be used in a B2B manner using
SUN's JSSE implementation then the client certificate gets created by
first generating a public key using Java's keytool command and then
signing using our CA above. Here are the steps:

·   Create our new public key in a new keystore:
    keytool -keystore jsseclientcerts -genkey -alias client1

    When prompted, enter the passphrase to use as the password for this
    keystore with the Java B2B application.

·   Export the client's public key:
    keytool -keystore jsseclientcerts -certreq -alias client1 -file client1.crs

·   Copy it through to the Linux box's /CA directory mentioned above.
·   Sign the client's key with our CA key:
    openssl ca -config openssl.cnf -in client1.crs -out client1.crs.pem -keyfile demoCA/private/ca.key

    At this point, you should have a file called client1.crs.pem, which is
    the signed public key. It needs to be converted to a format suitable for
    the JDK's keytool command, and then imported into the jsseclientcerts
    keystore.

·   Convert to DER format:
    openssl x509 -in client1.crs.pem -out client1.crs.der -outform DER

·   Now copy the CA certificate (/CA/demoCA/cacert.pem) and this client
    certificate back into the Windows machine.

·   First import the CA certificate into the client's key store:
    keytool -keystore jsseclientcerts -alias root -import -file cacert.pem

·   Import the signed key into the client's key store:
    keytool -keystore jsseclientcerts -alias client1 -import -file client1.crs.der

    The second last step must be completed so that the keytool command
    agrees to import the signed key.

    We also have to create our truststore, which will simply contain our CA
    certificate (unless you want all the Verisign, etc. certificates before
    it - then include -trustcacerts in the command below):

·   keytool -keystore jssecacerts -alias root -import -file cacert.pem

    The above truststore has to be placed under
    C:\Program Files\JavaSoft\JRE\1.3.1\lib\security. I also place our client
    keystore there for convenience.

These two keystores (jsseclientcerts and jssecacerts) are then used as
needed inside the Java program. The initial steps could be something like:

java.security.Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
System.setProperty("javax.net.ssl.keyStorePassword", "testte");
System.setProperty("javax.net.ssl.trustStorePassword", "testte");

System.setProperty("javax.net.ssl.trustStore", "C:\\Program Files\\Javasoft\\jre\\1.3.1\\lib\\security\\jssecacerts");
System.setProperty("javax.net.ssl.keyStore", "C:\\Program

Time use in CRL

2002-10-16 Thread Sorot Panichprecha



Hi,
 I'm using Openssl 0.9.6g on Linux. After I've revoked a certificate and
generated a CRL, I was wondering what time source Openssl used to stamp the
CRL. After I generated the CRL, I used "asn1parse" to dump the CRL into ASN1;
in the CRL time section, openssl used my system time + the time zone, while
the system time it got is already plus the time zone.

For example:
my system time is:
$ date
Wed Oct 16 13:00:00 GMT+7 2002

but the time obtained from asn1parse of the CRL is
UTCTIME 02101620Z

which is my 
system time + 7 (time zone). It should be 13:00:00 only.

When I put that CRL in M$ Windows2K and 98 it shows the CRL time as:
Thu Oct 17 2002 03:00:00
which is the time of the CRL + 7 (time zone). Then 
the time of the CRL that will be used on M$ will be 14 hrs later than the real 
time.
So I tried changing the Timezone in M$ back to GMT-7 and the CRL shows the
right time (the same as on Linux).

So how does Openssl get the time source for stamping the CRL? And to get
the right time (the current time), how should I set the system time?


Thanks,
Sorot P.
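
As an added example (not code from either post above), the CA -> server certificate flow that Jose's walkthrough drives through CA.pl, done with plain openssl commands (openssl 1.0 or later), followed by the checks worth running before the files go into httpd.conf. The last step prints the certificate's notBefore next to `date -u`: OpenSSL stamps validity and CRL times from the system's UTC clock and prints them as GMT, which is the comparison that answers Sorot's question. All paths and subject values are constructed for the example.

```shell
# Added example, not from the original posts. Assumes an openssl CLI on PATH;
# the directory, subject names and lifetimes below are constructed values.
make_ca_and_server_cert() {
    dir="$1"   # working directory, the post's /CA equivalent
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    mkdir -p "$dir" || return 1

    # 1. The CA: self-signed certificate plus private key (what CA.pl -newca does).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/C=ZA/ST=WP/L=Cape Town/O=telkom/OU=Isis/CN=Root" \
        2>/dev/null || return 1

    # 2. Server key and CSR (CA.pl -newreq). The key lands in its own file,
    #    so the post's "openssl rsa < newreq.pem > newkey.pem" step is not needed.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.req" \
        -subj "/C=ZA/ST=WP/L=Cape Town/O=telkom/OU=server unit/CN=server.example" \
        2>/dev/null || return 1

    # 3. Sign the CSR with the CA (CA.pl -sign); -CAcreateserial starts a serial file.
    openssl x509 -req -days 365 -in "$dir/server.req" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null || return 1

    # 4. Checks before the files go into httpd.conf: the certificate chains to
    #    the CA, and server.key really is the private key of server.crt.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/server.crt" >/dev/null || return 1
    cert_pub=$(openssl x509 -noout -pubkey -in "$dir/server.crt") || return 1
    key_pub=$(openssl pkey -pubout -in "$dir/server.key") || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "server.key does not match server.crt" >&2; return 1; }

    # 5. Validity is stamped from the system's UTC clock and printed as GMT.
    #    Compare it with date -u, not with the local wall clock.
    echo "certificate: $(openssl x509 -noout -startdate -in "$dir/server.crt")"
    echo "system now : $(date -u '+%b %e %H:%M:%S %Y GMT')"
}
```

A CRL produced by the same CA is stamped from the same UTC clock, so `openssl crl -noout -lastupdate` can be compared with `date -u` in the same way.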


RE: REPOST AS REQUESTED: openssl 9.6g Redhat 7.3 Seg Fault ADDITIONAL INFO

2002-10-16 Thread DARCY,MATTHEW (HP-UnitedKingdom,ex2)

I have just built another redhat 7.3 machine (default out of the box) using
the same kernel / GCC / openssl etc the same configure options, the only
difference is more memory and a faster CPU in the newer machine

I get the same problem.

make all works, make tests seg faults exactly the same. I am agreeing this
is most likely a gcc problem, however I would welcome any feedback from more
experienced ssl users.

thanks,

Matt.


-Original Message-
From: DARCY,MATTHEW (HP-UnitedKingdom,ex2) [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 5:27 PM
To: '[EMAIL PROTECTED]'
Subject: REPOST AS REQUESTED: openssl 9.6g Redhat 7.3 Seg Fault




  -Original Message-
 From: DARCY,MATTHEW (HP-UnitedKingdom,ex2)  
 Sent: Thursday, October 10, 2002 1:45 PM
 To:   '[EMAIL PROTECTED]'
 Subject:   openssl 9.6g Redhat 7.3 Seg Fault
 
 Hi,
 
 I have a redhat 7.3 server which came with an openssl-9.6b rpm
 pre-installed.
 
 I removed this package with rpm -e --nodeps as 1.) this version of openssl
 had bugs/security issues in it 2.) I am not a fan of rpm packages.
 
 I downloaded the source for openssl-9.6g
 
 I ran a ./config --prefix=/usr --openssldir=/usr/local/ssl -shared
 which ran ok.
 I then ran a make 
 this ran ok
 I then ran a make test
 this errored with the line
 
 testing...
 make[1]: Entering directory `/usr/local/src/openssl-0.9.6g/test'
 make[2]: Entering directory `/usr/local/src/openssl-0.9.6g/apps'
 make[2]: Nothing to be done for `all'.
 make[2]: Leaving directory `/usr/local/src/openssl-0.9.6g/apps'
 ./destest
 make[1]: *** [test_des] Segmentation fault
 make[1]: Leaving directory `/usr/local/src/openssl-0.9.6g/test'
 make: *** [tests] Error 2
 
 (I have also attached the file containing the make report)
 
 I have searched through google and the openssl archives and found 2
 references to similar problems
 
 1.) was the same problem with openssl-9.6g although I don't know what OS /
 compiler was being used. (message 12907)
 2.) was the same problem with openssl-9.4 this was put down to reload1.c
 and reload.c having a small bug in it.
 
 I am using 
 
 Redhat 7.3
 2.4.18 kernel
 openssl-9.6g
 gcc-g77-2.96-110
 gcc-c++-2.96-110
 gcc-2.96-110
 
 I am open to suggestions on the cause and how to fix it.
 
 thanks,
 
 Matt.
 
  testlog 



PKCS12_parse problem

2002-10-16 Thread Francesco Dal Bello


Greetings.

I recently re-compiled my application with OpenSSL 0.9.6g (it was
previously linked with 0.9.6c).

I have a problem with the ''PKCS12_parse'' function that I didn't have
before (platform is Solaris 8).

If my application calls ''PKCS12_parse'' more than once (at different
moments, even distant in time) on the same PKCS#12, ONLY THE FIRST CALL
SUCCEEDS.
Calls after the first return 0.

Since I'm only interested in extracting the private key, my call is
like:

if (!PKCS12_parse(p12, passphrase, &prkey, NULL, NULL))
    /* error handling */

This problem didn't happen with 0.9.6c.

I'm quite sure that the p12 argument is a valid pointer to a PKCS#12
structure because every time I:

open the key file (abort if it fails),

read the pkcs12 by means of d2i_PKCS12_fp (close file and abort if it
fails)

close the key file

call the PKCS12_parse


Any hint, FAQ or known problem?

Thanks in advance
Francesco



client-side session reuse

2002-10-16 Thread Jonathan Hersch

Hi,

I'm trying to add session caching to a multi-threaded
SSL client.  I've run into a crash when my client,
with caching enabled, is talking to an SSL server
which has caching DISabled.

What I see in the debugger is that if more than one
client connection is coming up, and both are using the
same session from the cache, then when the server's
certificate in the session is updated
(session->sess_cert) by the second connection, the
first connection is left holding an invalid pointer to
the public key in the cert.  The crash occurs when
that public key is used for encrypting a secret to
send to the server.

What's confusing me, and I feel like I'm missing
something basic here, is that the code doesn't look
like it should ever work with reused sessions because
the only field in the session which is modified under
lock is the reference count. SSL_set_session() doesn't
copy the session, it reuses the pointer and increments
the ref count. Other code changes fields in the
session at will.

When my client is caching and talking to a server
which is also caching then everything works great.

What am I missing here?

Thanks,

-- Jonathan






Compiling on Solaris8

2002-10-16 Thread Mark

I am using Forte cc for my compiler and get this error.  It seems to just
go wacky inside the ifdefs for DEVRANDOM, which I defined since I have
patched the system to include /dev/random:

making all in crypto/rand...
cc -I.. -I../.. -I../../include -KPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN
-DHAVE_
DLFCN_H -DDEVRANDOM=/dev/random -xtarget=ultra -xarch=v8plus -xO5
-xstrconst -xd
epend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM  -c  rand_win.c
rand_win.c, line 705: syntax error before or at: /
rand_win.c, line 711: undefined symbol: n
rand_win.c, line 711: undefined symbol: tmpbuf
rand_win.c, line 713: warning: improper pointer/integer combination: arg
#1
rand_win.c, line 714: warning: improper pointer/integer combination: arg
#1
rand_win.c, line 719: warning: old-style declaration or incorrect type
for: l
rand_win.c, line 719: undefined symbol: curr_pid
rand_win.c, line 719: non-constant initializer: op NAME
rand_win.c, line 720: syntax error before or at: 
rand_win.c, line 720: warning: undefined or missing type for: sizeof
rand_win.c, line 720: warning: old-style declaration or incorrect type
for: RA
ND_add
rand_win.c, line 720: identifier redeclared: RAND_add
current : function() returning int
previous: function(pointer to const void, int, double) returning
void :
../../include/openssl/rand.h, line 89
rand_win.c, line 720: warning: syntax error:  empty declaration
rand_win.c, line 721: warning: old-style declaration or incorrect type
for: l
rand_win.c, line 721: identifier redefined: l
current : int
previous: int : rand_win.c, line 719
rand_win.c, line 721: non-constant initializer: op UCALL
rand_win.c, line 722: syntax error before or at: 
rand_win.c, line 722: warning: undefined or missing type for: sizeof
rand_win.c, line 722: warning: old-style declaration or incorrect type
for: RA
ND_add
rand_win.c, line 722: warning: syntax error:  empty declaration
rand_win.c, line 724: warning: old-style declaration or incorrect type
for: l
rand_win.c, line 724: identifier redefined: l
current : int
previous: int : rand_win.c, line 721
rand_win.c, line 724: non-constant initializer: op CALL
rand_win.c, line 725: syntax error before or at: 
rand_win.c, line 725: warning: undefined or missing type for: sizeof
rand_win.c, line 725: warning: old-style declaration or incorrect type
for: RA
ND_add
rand_win.c, line 725: warning: syntax error:  empty declaration
rand_win.c, line 728: warning: syntax error:  empty declaration
cc: acomp failed for rand_win.c
*** Error code 2





RE: Compiling on Solaris8

2002-10-16 Thread Boyle Owen

My only advice would be to use gcc. I can confirm that gcc 3.2 will
compile openssl on Solaris 8 with no problem. Alternatively, if you
don't mind an out-of-the-box openssl, get the package from
www.sunfreeware.com.
