Re: Proxy'ing client certs
Hi Chandrasekhar,

On Wed, Jan 22, 2003 at 11:20:58AM +0530, Chandrasekhar R S wrote:
> Hi Vadim
>
> I am sorry for portraying the problem vaguely. I will make an attempt to clarify the problem -
>
> The entire scenario -
>
> Client -- Proxy Server - Proxy Client -- Backend Server
>
> Proxy Server and Proxy Client are on the same M/C and hence no SSL communication between them. Data transfer through IPC.
>
> Localized Scenario : Client -- Proxy Server
>
> 1. Client has CA signed certificate, call it CLIENT CERT.
> 2. Client's Public Key is tightly coupled with CLIENT CERT

You likely mean private key here

> 3. This public key will be used in establishing SSL connection with the Proxy Server.

To establish an SSL connection with the proxy, an SSL server certificate and private key are required. It is not required to do the Connect method of HTTP.

> 4. Proxy Server could extract the CLIENT CERT, say to a file. The file would be available for the Proxy Client (since both would be on the same m/c).

I should say it again: yes, the SSL client certificate is available for the Proxy Client at this point. One could print it or something. However, it needs the corresponding private key to run the SSL protocol pretending to be the client.

> Localized Scenario : Proxy Client -- Backend Server
>
> 5. The requirement is, Proxy Client should be presenting CLIENT CERT to the backend server.

Yes, it can present it somehow

> My doubt is, as a certificate is tightly coupled with a Public Key, how could the Proxy Client use CLIENT CERT (that has client's public key) in its communication with the backend server (using SSL).

Please remember SSL had well-defined protocol design goals, including handling man-in-the-middle

> I referred to Stronghold HTTP server as, in their website they offer two options,
> 1. to tunnel the CLIENT CERT to the backend server
> 2. to present a PROXY CLIENT CERT for proxy client -- backend server scenario.

I'd prefer to keep talking about well-known protocols and business requirements. Would the Connect method of HTTP deliver the functions wanted?

> My requirement is to develop this functionality not for a particular protocol, but generically.

Any chance to tune mod_ssl or apache-ssl to do the job?

> Sorry for the confusion. I hope I had been clearer than earlier.
>
> with thanks and regards,
> rsr.

best wishes,
Vadim Fedukovich
consulting and software development

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vadim Fedukovich
> Sent: Monday, January 20, 2003 2:13 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Proxy'ing client certs
>
> On Mon, Jan 20, 2003 at 12:20:43PM +0530, Chandrasekhar R S wrote:
> > I have already posted the following on the lists under Proxy'ing client certs thread. Could not see the posting, hence re-posting.
> >
> > My understanding had been the following :
> >
> >     Client          Proxy Server      Proxy Client        Server
> >     produces a      consumes          presents a          Can only recv
> >     CA signed       the               ProxyClient Cert    ProxyClient Cert
> >     Client Cert     Client Cert
> >
> > ProxyClient Cert is not the same as Client Cert. Though the Proxy Server is in receipt of the Client Cert, it cannot represent the same in the SSL connection between ProxyClient - Server. The requirement is to make the Proxy faithfully forward the Client Cert to the Server.
>
> It's hard for me to see how this could fit SSL and HTTP protocols, sorry. Someone else might be lucky here.
>
> "consume certificate" probably means engage in a protocol to prove the name certified. It's still an open question what protocol both does the job and is implemented by popular browsers.
>
> Hope you could hit your target with other tools like password-based proxy access or maybe proxy access controlled by IPSec
>
> > Vadim suggested that the CONNECT method of HTTP can be used to set up TCP connections first and run SSL next. Proxy could forward SSL traffic. It had been difficult to understand the solution. It seems to me that we need to set up a TCP connection via the proxy server first and add SSL to it later. I am not aware of how to do this.
>
> There was a document by Ari Luotonen; just found it at (single line!)
> http://www.web-cache.com/Writings/Internet-Drafts/draft-luotonen-web-proxy-tunneling-01.txt
>
> It describes the method how a proxy could handle HTTPS requests
>
> Please note HTTP details might be off-topic for this list
>
> hope this helps,
> Vadim Fedukovich
> consulting and software development
>
> > Could one help me further.
> >
> > Namaste,
> > R S Chandrasekhar
> > [EMAIL PROTECTED]
> > ISD : 091-080-2051166
> > Telnet : 847-1166
> > Phone : 2052427
RE: Proxy'ing client certs
Hello Vadim,

> > Localized Scenario : Proxy Client -- Backend Server
> > 5. The requirement is, Proxy Client should be presenting CLIENT CERT to the backend server.
>
> Yes, it can present it somehow

RSR : I am in search of this somehow. Could it be this way - If it is possible to separate public key from certificate, then it should be possible for registering CLIENT CERT with Proxy Client in its communication with Backend Server.

with thanks
rsr.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Re: Proxy'ing client certs
On Wed, Jan 22, 2003 at 02:36:16PM +0530, Chandrasekhar R S wrote:
> Hello Vadim,
>
> > > Localized Scenario : Proxy Client -- Backend Server
> > > 5. The requirement is, Proxy Client should be presenting CLIENT CERT to the backend server.
> >
> > Yes, it can present it somehow
>
> RSR : I am in search of this somehow. Could it be this way - If it is possible to separate public key from certificate,

yes, one could get the public key from the certificate

> then it should be possible for registering CLIENT CERT with Proxy Client in its communication with Backend Server.

yes, one could register it somehow

Please note another key, the private one, is required to run the SSL protocol using that certificate

> with thanks
> rsr.

best wishes,
Vadim
TLS in multithreaded server
hi,

i have a multithreaded server that manages TLS connections to the clients.

to enable TLS on an unencrypted tcp stream i use:

    SSL_load_error_strings();
    SSL_library_init();
    ctx = SSL_CTX_new(SSLv23_server_method());
    ...
    ssl = SSL_new(ctx);
    ...

to shutdown and cleanup a connection i use:

    int rval = SSL_shutdown(ssl);
    if (rval == 0) {
        /* first call only sent our close_notify; call again to receive the peer's */
        SSL_shutdown(ssl);
    }
    SSL_free(ssl);
    SSL_CTX_free(ctx);

is that right or is there a smaller solution?

is it necessary to init the library for every connection or is there a possibility to init the library only once (when starting the server application)?

greetings,
Alex
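An added example, not from either thread, written against Python's ssl module (a wrapper over the same OpenSSL objects): can_use_cert_with_key shows the point of the proxy-cert thread above, that a certificate loads only alongside its own private key, and the remaining functions show the lifecycle Alex asks about, with one server context (the SSL_CTX) built once and shared by every thread while each connection gets its own SSL object, handshake and bidirectional close_notify. The throwaway certificates are constructed with the openssl command-line tool, which is assumed to be installed, and the handshake is driven through MemoryBIO so no network is needed.

```python
import os, ssl, subprocess, tempfile, threading

def make_self_signed(name):  # constructed test material via the openssl CLI, which is assumed to be installed
    d = tempfile.mkdtemp()
    cert, key = os.path.join(d, name + ".crt"), os.path.join(d, name + ".key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1", "-subj",
                    "/CN=" + name, "-keyout", key, "-out", cert], check=True, capture_output=True)
    return cert, key

def can_use_cert_with_key(cert, key):  # the proxy thread's point: a cert is usable only with its own key
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert, key)  # includes SSL_CTX_check_private_key
        return True
    except ssl.SSLError:  # OpenSSL reports "key values mismatch"
        return False

def build_server_context(cert, key):  # once per process: the SSL_CTX analogue, shared by all threads
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    return ctx

def build_client_context(trusted_cert):  # test peer; verifies the chain, hostname check off (no SAN)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_REQUIRED
    ctx.load_verify_locations(trusted_cert)
    return ctx

def one_connection(server_ctx, client_ctx, payload):  # per connection: SSL objects, handshake, data, shutdown
    to_server, to_client = ssl.MemoryBIO(), ssl.MemoryBIO()
    srv = server_ctx.wrap_bio(to_server, to_client, server_side=True)  # the SSL_new analogue
    cli = client_ctx.wrap_bio(to_client, to_server)
    pending = [srv, cli]
    while pending:  # drive both ends until each side's handshake completes
        for obj in list(pending):
            try:
                obj.do_handshake(); pending.remove(obj)
            except ssl.SSLWantReadError:
                pass  # waiting on bytes the peer has not produced yet
    cli.write(payload)
    got = srv.read()
    for obj in (cli, srv, cli):  # close_notify each way, the "call SSL_shutdown() twice" idiom
        try:
            obj.unwrap()
        except ssl.SSLWantReadError:
            pass  # our alert is out; the peer's has not arrived yet
    return got

def serve_many(server_ctx, client_ctx, n):  # n concurrent connections through the one shared context
    results = []
    def worker(i):
        results.append(one_connection(server_ctx, client_ctx, b"req-%d" % i))
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    return sorted(results)
```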
Re: Problem creating strong encryption certificates
On Wed, Jan 22, 2003, Peter Hendriks wrote:
> Thanks for your answer.
>
> According to the infobox of Outlook Express 6.0 SP1 (completely updated), it says something like 128 bits coding strength (I have a Dutch version). I can access something like mailvault, which requires 128 bit SSL. The Windows homepage tells me that the strong encryption pack is only available for MSIE 6.0, which has this package included. Therefore I can't install this strong encryption pack. https://www.fortify.net/sslcheck.html says I can use RC4, 128 bit coding strength. To my best knowledge Outlook Express and Internet Explorer use the same coding system.
>
> What I have done is create 3 certs (1 root, and 2 users) on my pc. I import all keys with the certificate manager, then create a public key (with the certificate manager) from the other user. This public key is stored in the addressbook of the other user. I'm composing a message in Outlook Express from me to the other user. When I click on send it gives a warning (like only 40 bit encryption is used). The message wasn't really sent, it just sits in the outbox. The certs do work. As far as I can see, the problem must be either in Outlook Express, Windows 98SE, or OpenSSL.

It may be that when you just install a certificate for the 'other user' it has no way of knowing what encryption the other user can handle so it defaults to 40 bit RC2. Try sending signed mail from the 'other user' to Outlook. It should then get the necessary info that it supports strong encryption.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
Re: Stunnel 4.04 released
> Michal Trojnara wrote:
> > Version 4.04, 2003.01.12
> > ...
>
> Downloaded stunnel-4.04.exe to a Win 2K system. Tried to run it as stunnel -help. Got nothing. Furthermore, looking at the source, as far as I can tell, when compiling for WIN32, no main procedure is compiled.

Did you use old openssl-0.9.6[a-g] libraries or 0.9.7? The version of stunnel-4.04.exe compiled by Mike requires 0.9.7. (New dlls available at both stunnel.mirt.net and stunnel.org)

Followups should probably go to the Stunnel mailing list instead of OpenSSL.

--
Brian Hatch                   Of course I don't
 Systems and                  look busy.
 Security Engineer            I did it right
 http://www.ifokr.org/bri/    the first time.

Every message PGP signed
openssl using asp
Hi

I am working on Microsoft Platform. I develop web sites using asp and IIS 5.0. I would like to know how openssl can be implemented in an asp environment. I have checked up other sites and forums, but have only come across openssl implementation in perl / php. Kindly let me know what is to be done for implementing openssl in asp. This is extremely urgent.

Thanks
Best Regards
Sudhir Rau
---
B. Sudhir Rau
Brahmaputra Infotech
95, National Park
New Delhi
India
Phone : 91-11-26443933
private key creation and checking
When the private keys are created, are there checks performed to determine the quality/primality of the keys? If so, is there documentation on how the keys are checked? Thanks, Rick Robinson [EMAIL PROTECTED]
Re: obtaining expiry dates
: I'm trying to write an automated script to check for pending expiry dates in
: SSL certs.

Depending on your end-goal, this may or may not help you -- but if you're just looking for something to poll your servers and flag pending cert expirations, you may want to check out Recon: http://www.brandxdev.net

-qm
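As an added example (not from the thread), a small checker of the kind the question describes: it parses the `notAfter=...` line that `openssl x509 -noout -enddate` prints (and the `Not After :` line from `-text` output, as in the `openssl ca` transcript further down this page), flags certificates that are expired or inside a warning window, and can poll a live server through the openssl command-line tool, which is assumed to be installed. The host names and dates in SAMPLE are constructed.

```python
import math, subprocess
from datetime import datetime, timezone

def parse_openssl_date(text):
    """Parse the date openssl prints: 'notAfter=Jan 15 14:26:18 2004 GMT' (from
    `openssl x509 -enddate`) or 'Not After : Jan 15 14:26:18 2004 GMT' (from -text).
    Single-digit days carry a double space ('Jan  5 ...'), so fields are split on whitespace."""
    sep = "=" if "=" in text else ":"
    fields = text.split(sep, 1)[1].split()
    if len(fields) != 5 or fields[4] != "GMT":
        raise ValueError("unrecognised openssl date: %r" % text)
    stamp = datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def classify(not_after, now, warn_days=30):
    """Return (status, whole days left): EXPIRED, EXPIRING (inside the warning window) or OK."""
    days = math.floor((not_after - now).total_seconds() / 86400)
    if days < 0:
        return "EXPIRED", days
    return ("EXPIRING" if days <= warn_days else "OK"), days

def report(records, now=None, warn_days=30):
    """records: {name: enddate line}; now: aware datetime or ISO-8601 string (default: current UTC).
    Returns {name: (status, days)} ordered most urgent first."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    out = {name: classify(parse_openssl_date(line), now, warn_days) for name, line in records.items()}
    return dict(sorted(out.items(), key=lambda kv: kv[1][1]))

def enddate_of_server(host, port=443):
    """Poll a live server with the openssl CLI (assumed installed); returns its 'notAfter=...' line."""
    probe = subprocess.run(["openssl", "s_client", "-connect", "%s:%d" % (host, port), "-servername", host],
                           input=b"", capture_output=True)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                          input=probe.stdout, capture_output=True, check=True)
    return x509.stdout.decode().strip()

# Constructed sample input; the first date is the one printed by the openssl ca run shown on this page
SAMPLE = {
    "www.example.test": "notAfter=Jan 15 14:26:18 2004 GMT",
    "mail.example.test": "Not After : Feb  1 00:00:00 2004 GMT",
    "vpn.example.test": "notAfter=Dec 31 23:59:59 2003 GMT",
}

if __name__ == "__main__":
    for name, (status, days) in report(SAMPLE, "2004-01-01T00:00:00+00:00").items():
        print("%-20s %-9s %5d days" % (name, status, days))
```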
openssl segmentation fault
Hi

I wonder if you can help. I am trying to generate certificates in order to have a FreeRadius server running on my RedHat 7.3 and to authenticate a WinXP client. So far I have used openssl (/usr/local/ssl) version 0.9.6h ([engine] 5 Dec 2002), with which I can generate CA for root (CA.root), server (CA.svr) and client (CA.clt) without any problem. This release doesn't support WinXP, so I got version 0.9.7 and installed it as per your instruction (/usr/local/openss-certgen). Now, with this version I can generate root certificates, but an attempt to generate the server one results in the following log information:

    Generating a 1024 bit RSA private key
    ++ ++
    writing new private key to 'newreq.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [UK]:
    State or Province Name (full name) [Wales]:
    Locality Name (eg, city) [Ebbw Vale]:
    Organization Name (eg, company) [Technology Concepts Ltd]:
    Organizational Unit Name (eg, section) [Technical Support]:
    Common Name (eg, YOUR name) [mansour]:
    Email Address [[EMAIL PROTECTED]]:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password [test123]:
    An optional company name []:
    Using configuration from /usr/local/openssl-certgen/ssl/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 4 (0x4)
            Validity
                Not Before: Jan 15 14:26:18 2003 GMT
                Not After : Jan 15 14:26:18 2004 GMT
            Subject:
                countryName               = UK
                stateOrProvinceName       = Wales
                localityName              = Ebbw Vale
                organizationName          = Technology Concepts Ltd
                organizationalUnitName    = john
                commonName                = mansour
                emailAddress              = [EMAIL PROTECTED]
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    D0:BB:EA:85:0A:F6:AC:78:A6:48:00:73:FF:14:55:C4:F4:9E:23:10
                X509v3 Authority Key Identifier:
                    keyid:73:EC:32:B6:8F:57:69:7A:C5:5F:C2:52:D5:5E:ED:28:37:DB:28:A8
                    DirName:/C=UK/ST=Wales/L=Ebbw Vale/O=Technology Concepts Ltd/OU=Technical [EMAIL PROTECTED]
                    serial:00

    Certificate is to be certified until Jan 15 14:26:18 2004 GMT (365 days)
    Sign the certificate? [y/n]:
    1 out of 1 certificate requests certified, commit? [y/n]CERTIFICATION CANCELED
    ./CAsvr: line 23:  1851 Segmentation fault      openssl ca -policy policy_anything -out newcert.pem -passin pass:test123 -key test123 -infiles newreq.pem
    No certificate matches private key
    1853:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:138:
    unable to load certificate
    1854:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

I get Segmentation fault!!. My kernel ID is 2.4.18-3.

Can you please let me know if you are aware of this problem and how to go about solving it.

Thanks.

Kind regards
R Mansour
Tel: +44 (0)870 8705088
Fax: +44 (0)870 8705089
WEB: http://www.TheTCL.com
Re: Problem creating strong encryption certificates
Tried your suggestion. Doesn't work. Mailed between 2 e-mail addresses, both addresses had secret and public keys available. The sender's certificate is / stays RC2 40 bits in the outbox. After exchanging e-mails with reply it still remains RC2 40 bits. Public key is 1024 bit md5RSA, private key also. Also strange is that pub key has V1, while CA root cert is V3.

Peter.

----- Original Message -----
From: Dr. Stephen Henson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, January 22, 2003 2:46 PM
Subject: Re: Problem creating strong encryption certificates

> On Wed, Jan 22, 2003, Peter Hendriks wrote:
> > Thanks for your answer.
> >
> > According to the infobox of Outlook Express 6.0 SP1 (completely updated), it says something like 128 bits coding strength (I have a Dutch version). I can access something like mailvault, which requires 128 bit SSL. The Windows homepage tells me that the strong encryption pack is only available for MSIE 6.0, which has this package included. Therefore I can't install this strong encryption pack. https://www.fortify.net/sslcheck.html says I can use RC4, 128 bit coding strength. To my best knowledge Outlook Express and Internet Explorer use the same coding system.
> >
> > What I have done is create 3 certs (1 root, and 2 users) on my pc. I import all keys with the certificate manager, then create a public key (with the certificate manager) from the other user. This public key is stored in the addressbook of the other user. I'm composing a message in Outlook Express from me to the other user. When I click on send it gives a warning (like only 40 bit encryption is used). The message wasn't really sent, it just sits in the outbox. The certs do work. As far as I can see, the problem must be either in Outlook Express, Windows 98SE, or OpenSSL.
>
> It may be that when you just install a certificate for the 'other user' it has no way of knowing what encryption the other user can handle so it defaults to 40 bit RC2. Try sending signed mail from the 'other user' to Outlook. It should then get the necessary info that it supports strong encryption.
>
> Steve.
Re: Problem creating strong encryption certificates
On Wed, Jan 22, 2003, Peter Hendriks wrote:
> Tried your suggestion. Doesn't work. Mailed between 2 e-mail addresses, both addresses had secret and public keys available. The sender's certificate is / stays RC2 40 bits in the outbox. After exchanging e-mails with reply it still remains RC2 40 bits. Public key is 1024 bit md5RSA, private key also. Also strange is that pub key has V1, while CA root cert is V3.

Hmmm. Did you try deleting the other certificate from the store first and seeing if it gets added again when the signed message is received?

You shouldn't use V1 certificates; they have various problems associated with them. Either use the 'ca' utility for signing requests or add:

    -extfile /path/to/openssl.cnf -extensions usr_cert

to the 'x509' utility command line.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
Rainbow Cryptoswift Support
Hello all,

Does anyone here use the Rainbow Cryptoswift PCI card? What is the extent of OpenSSL's support for this card? Does OpenSSL require kernel-level support for this card to work?

Thanks,
Scott Johnson
Re: Rainbow Cryptoswift Support
In message [EMAIL PROTECTED] on Wed, 22 Jan 2003 13:12:03 -0600, Scott Johnson [EMAIL PROTECTED] said:

scottj> Does anyone here use the Rainbow Cryptoswift PCI card?

I do, occasionally.

scottj> What is the extent of OpenSSL's support for this card?

Supported algorithms:

- RSA
- DSA
- DH
- RAND (randomness)

scottj> Does OpenSSL require kernel-level support for this card to work?

I've no idea. All it requires is the presence of libswift.so.

--
Richard Levitte    \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                     \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Queries on ERR_print_errors
    ERR_print_errors(BIO*)

If I need the errors in a string, how do I get it from the BIO?

thanks,