Re: Newbie question - Signing CSR's
On Tue, Aug 19, 2003, Rohan Pinto wrote: This is the part that i would need help on. I have created a root certificate, I've imported that into all my web browsers and also on the webserver. I have also crested a cSR from the webserver. I dont know how to sign the CSR If I could get some advise on jow to sign a CSR i would at leats get an understanding of the flow. From what i have understood so far... I used the rootCA private key while signing the CSR. The webservers public key is sittign somewhere on the webserver. i would need to use that key to sign the CSR. The question is. how do i get that key?. Also I am confused as i believed that the webservers key would be embedded in the CSR. This normally involves using the 'ca' utility, before you do that a certain directory structure needs to be set up. This is documented in the ca manual page. However its easier to use the CA.pl script this can create the root CA and directory structure and sign the request among other things. Something like: CA.pl -newca move server request to newreq.pem CA.pl -sign new cert is then in newcert.pem Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL denial of service
Shawn, Thanks for the response. It's a lovely thought, but it's not as simple as sticking in a firewall I am afraid .. that leaves me open to attacks that can't be blocked by the firewall .. such as attacks from inside the firewall, or attacks from outside that use the correct port and appear to come from a valid IP address (unless I block tcp connections from the internet zone, which I cannot do). I was just wondering if anyone did anything to reduce the impact of high volume brute force attacks against the listening socket, that cannot be blocked in any trivial way (such as the firewall). I take it the answer's no then. - Original Message - From: Shawn P. Stanley [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, August 18, 2003 9:38 PM Subject: Re: OpenSSL denial of service I use a firewall, myself. On 8/18/03 3:08 PM, Neil Humphreys [EMAIL PROTECTED] wrote: Hi Has anyone got any good examples / advice / tricks for reducing the impact of denial-of-service attacks on an SSL listening socket? cheers Neil __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's
Rohan Pinto wrote: I wrote What you need to do is: 1. create a root certificate 2. install that root certificate into all your web browsers 3. create a CSR on the server 4. use the root to sign that CSR into a server certificate This is the part that i would need help on. I have created a root certificate, I've imported that into all my web browsers and also on the webserver. I have also crested a cSR from the webserver. I dont know how to sign the CSR If I could get some advise on jow to sign a CSR i would at leats get an understanding of the flow. From what i have understood so far... I used the rootCA private key while signing the CSR. The webservers public key is sittign somewhere on the webserver. i would need to use that key to sign the CSR. The question is. how do i get that key?. Also I am confused as i believed that the webservers key would be embedded in the CSR. You are doing fine until you get to signing the CSR with the webserver's public key which is sitting somewhere on the webserver. Important theoretical points 1. The CSR IS the webserver's public key, plus some ID info 2. The CSR is made INTO the Certificate by signing with the root's private key (not any server key nor any public key) 3. The webserver's PRIVATE key is the one sitting somewhere on the webserver 4. The Certificate IS the webserver's public key (as obtained from the CSR) and is SIGNED using the root's private key. Why? So the root's public key, which EVERYBODY has access to, can be used to VERIFY that the certificate has not been forged. So, take the CSR from the webserver machine to the machine where you are running OpenSSL. Sign the CSR into a certificate using the private key from the root certificate. This can be done with either the ca tool (or something like CA.PL which calls it) or with the x509 tool. Take the certificate back and install it into the webserver. The way to do this varies from webserver to webserver but go to http://www.ssl.com/support/installation.jsp and look at the menu over on the right hand side. Find your webserver software and see if they have good installation documentation. This is a VERY well done web site. 5. install the server certificate on the server Wish i could get some pointers on the the steps to sign a CSR thats generated from a webserver (which resides on abcd.com domain) using openssl that resides on (xyz.com) on xyz.com: ftp abcd.com get server.csr.pem quit openssl x509 -req -in server.csr.pem \ -CA root.cert.pem -CAkey root.key.pem more options \ -out server.cert.pem ftp abcd.com put server.cert.pem Under more options there is -CAserial to set a serial number, maybe -sha1 to use SHA instead of MD5 as a hash, -days to set the certificate lifetime, etc. Some of these things can be set in the OpenSSL configuration file. I'd look at man x509. Alternatively, signing can be done with the ca tool, but I'm not so familiar with it. It requires an infrastructure of a data file and a serial number file and directories of various things etc and since I based our database on Oracle it seemed too high-level and high-maintenance to use. Unfortunately it seems I need to use it for my personal identity and privacy PKIs since x509 doesn't seem to know how to process a SPKIX file. Sorry about my somewhat fuzzy (and in some places WRONG) answer before. I should REALLY learn not to type anything in before noon. -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: OpenSSL denial of service
Depends on the attack itself? are you worried about syn flood type attacks, on the tcp port itself? or are you worried about ssl attacks that go through with ssl negotiation and simply strive to consume processing resources? the former has several solutions, including firewalls. the later is not as easy to protect yourself against. using honking big h/w accelerators is one solution. I don't know of any s/w solutions. -lee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Neil Humphreys Sent: Tuesday, August 19, 2003 2:24 PM To: [EMAIL PROTECTED] Subject: Re: OpenSSL denial of service Shawn, Thanks for the response. It's a lovely thought, but it's not as simple as sticking in a firewall I am afraid .. that leaves me open to attacks that can't be blocked by the firewall .. such as attacks from inside the firewall, or attacks from outside that use the correct port and appear to come from a valid IP address (unless I block tcp connections from the internet zone, which I cannot do). I was just wondering if anyone did anything to reduce the impact of high volume brute force attacks against the listening socket, that cannot be blocked in any trivial way (such as the firewall). I take it the answer's no then. - Original Message - From: Shawn P. Stanley [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, August 18, 2003 9:38 PM Subject: Re: OpenSSL denial of service I use a firewall, myself. On 8/18/03 3:08 PM, Neil Humphreys [EMAIL PROTECTED] wrote: Hi Has anyone got any good examples / advice / tricks for reducing the impact of denial-of-service attacks on an SSL listening socket? cheers Neil __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's (picture enclosed)
Sometimes a picture is worth a thousand words: The Standard Model of Certificate generation: On the server machine: Generate CSR operation +-+ +-+ | Private Key | | Certificate Signing Request | +--+--+ | | v | ++| | | Public Key || | ++| | | |Distinguished Name | | | Note: hash is signed | ++| by private key above | |Hash|| | ++| +--+--+ | | Sent to CA for signing v +-+ CA can use public key | Certificate | from CSR to check | | signature on hash to| ++| prevent alteration of | | Public Key || CSR by adversary| ++| | | | Issuer Distinguished Name | | | | Subject DistinguishedName | | | Note: hash is signed| ++| by private key of root | |Hash|| | ++| +--+--+ | | Returned to server v In secure site operation: Server presents certificate to client Client uses public key of root (obtained from preconfigured root certificate) to check hash to ensure certificate has not been forged. Client rolls a random number and encrypts it with the public key from the server certificate, then returns it to the server. Server decrypts this with server private key and both sides use it as a symmetric key for conventional (e.g., DES) cryptography. Eavesdropper does not have access to private key so cannot decrypt. Man-in-the-middle attacker does not have access to private key so cannot decrypt. -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: openssl is not recognized as an internal or external command
Title: RE: openssl is not recognized as an internal or external command Thanks steve, If you've done a standard Windows build you'd have various DLLs and executables in the out32dll directory. They should be copied somewhere on your PATH. copy out32dll\libeay32.dll c:\windows\system copy out32dll\ssleay32.dll c:\windows\system md c:\openssl md c:\openssl\bin md c:\openssl\lib md c:\openssl\include md c:\openssl\include\openssl copy /b inc32\openssl\* c:\openssl\include\openssl copy /b out32dll\ssleay32.lib c:\openssl\lib copy /b out32dll\libeay32.lib c:\openssl\lib copy /b out32dll\ssleay32.dll c:\openssl\bin copy /b out32dll\libeay32.dll c:\openssl\bin copy /b out32dll\openssl.exe c:\openssl\bin Now while still in the DOS prompt I cd back to c:\ and from here I enter: OPENSSL_CONF=c:/openssl/openssl.cnf I get the error message that OPENSSL_CONF is not recognized as an internal or external command, operable program or batch file. I have tried the online documents at http://www.openssl.org/docs/ but I cant find a solution. Any ideas? To answer the next problem in advance, you also need to copy openssl.cnf somewhere and point he OPENSSL_CONF environment variable at it or the CA.pl commands wont work. See FAQ and manual pages for more info.
RE: openssl is not recognized as an internal or external command
Title: RE: openssl is not recognized as an internal or external command Since that last mail I think I have finally created my certificate (once I figure this all out I think I might right a how to guide for newbies). Anyway, now I have my certificate I want to setup a page on my localhost that is secure. E.g. https://localhost/default.htm Does anyone have any info on how to do this? Thanks. -Original Message- From: Mark Radford Sent: Wednesday, 20 August 2003 9:13 AM To: [EMAIL PROTECTED] Subject: RE: openssl is not recognized as an internal or external command Thanks steve, If you've done a standard Windows build you'd have various DLLs and executables in the out32dll directory. They should be copied somewhere on your PATH. copy out32dll\libeay32.dll c:\windows\system copy out32dll\ssleay32.dll c:\windows\system md c:\openssl md c:\openssl\bin md c:\openssl\lib md c:\openssl\include md c:\openssl\include\openssl copy /b inc32\openssl\* c:\openssl\include\openssl copy /b out32dll\ssleay32.lib c:\openssl\lib copy /b out32dll\libeay32.lib c:\openssl\lib copy /b out32dll\ssleay32.dll c:\openssl\bin copy /b out32dll\libeay32.dll c:\openssl\bin copy /b out32dll\openssl.exe c:\openssl\bin Now while still in the DOS prompt I cd back to c:\ and from here I enter: OPENSSL_CONF=c:/openssl/openssl.cnf I get the error message that OPENSSL_CONF is not recognized as an internal or external command, operable program or batch file. I have tried the online documents at http://www.openssl.org/docs/ but I cant find a solution. Any ideas? To answer the next problem in advance, you also need to copy openssl.cnf somewhere and point he OPENSSL_CONF environment variable at it or the CA.pl commands wont work. See FAQ and manual pages for more info.
Re: OpenSSL denial of service
If someone has implemented software protection (that isn't already in place), I sure hope they share it with the rest of us. That's really the only level where we as SSL programmers have reasonable control, but only after making sure we have a good firewall and a solid TCP/IP stack in place. On 8/19/03 1:24 PM, Neil Humphreys [EMAIL PROTECTED] wrote: Shawn, Thanks for the response. It's a lovely thought, but it's not as simple as sticking in a firewall I am afraid .. that leaves me open to attacks that can't be blocked by the firewall .. such as attacks from inside the firewall, or attacks from outside that use the correct port and appear to come from a valid IP address (unless I block tcp connections from the internet zone, which I cannot do). I was just wondering if anyone did anything to reduce the impact of high volume brute force attacks against the listening socket, that cannot be blocked in any trivial way (such as the firewall). I take it the answer's no then. - Original Message - From: Shawn P. Stanley [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, August 18, 2003 9:38 PM Subject: Re: OpenSSL denial of service I use a firewall, myself. On 8/18/03 3:08 PM, Neil Humphreys [EMAIL PROTECTED] wrote: Hi Has anyone got any good examples / advice / tricks for reducing the impact of denial-of-service attacks on an SSL listening socket? cheers Neil __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Compile Hint +z for OpenSSL on HP-UX 10.20
On Mon, Aug 18, 2003 at 08:19:39PM -0700, Josh Chamas wrote: Hi, I recently ran into a problem building Crypt::SSLeay against perl 5.6.1 and openssl 0.9.7b on HP-UX 10.20. The problem was that for the standard cc compiler on that platform, the +z CC_FLAG needed to be added to the Makefile for the build of openssl so that it could build the shared library correctly for perl, which was also compiling modules with the +z flag. This seems to be a widespread complaint against the HP-UX CC compiler when building various cross project modules. It might be good to have that be a standard option when compiling openssl on HP-UX 10.2x. I cannot speak towards whether this problem exists on HP-UX 11. BTW, the original error message when building Crypt::SSLeay looked like: ld: Invalid loader fixup for symbol $0034001C. and perl was trying to compile Crypt::SSLeay like this: cc -c -I/usr/local/ssl/include -D_HPUX_SOURCE -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -Ae -O -DVERSION=\0.51\ -DXS_VERSION=\0.51\ +z -I/opt/perl5/lib/5.6.1/PA-RISC1.1/CORE SSLeay.c Your observation is technically correct. However: the problem you describe only appears if Crypt:SSLeay is linked against a static libcrypto.a/libssl.a. By adding +z (or +Z), all modules inside libcrypto.a/libssl.a become relocatable and can be linked into a very large perl module. I would rather recommend to build shared libraries (HP-UX 10.20 is supported: I am using it myself :-) Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]