Re: Does a root CA need two certificates?
Joel wrote:

> Had another newbie type question --
>
> When reading about how to set up a self-signed web server, the docs I read indicate there is a need for two certificates -- one being a self-signed certificate for the entity certifying the server, and the other being the certificate the web server gives out (certified by the self-signed certificate).
>
> Reading the RFCs and the docs, it seems like CAs would similarly have the certificate(s?) they operate under and the certificate they give out. And it looks like a root CA does not give out its self-signed certificate. (Or does it? I'm not sure where in RFC 3280 I got this idea. The paragraph I'm reading now about pathLenConstraint makes it look like the root CA does give out his self-signed certificate when he gives one out -- talking about the count of non-self-signed certificates.)
>
> Does setting up a root CA require generating a self-signed certificate, and then generating an operating certificate signed under the self-signed certificate, or am I thinking too hard and as confused as usual?

I think it may be possible to use a self-signed (or root) certificate for a web server but it does not make much sense. If you want to build up a CA (for Inhouse use in a company for example) you should use the CA's key ONLY to sign certificates. If you just want to play around with SSL it's better to simulate the usual approach, especially since this only costs you the call of another script.

Using a self-signed CA in an Internet-environment is almost senseless since this leaves you open to man-in-the-middle attacks. And most people who can listen to the wire can also redirect requests.

Hope it helps,
Ted ;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
Re: linking ssleay32.dll statically inside the app?
Hi,

I am using RSA encryption and decryption in my projects. If I do encryption continuously in loop I am not getting the desired results. Should there be any delay between calling RSA_public_encrypt?

Thanks in advance
S.Suresh

----- Original Message -----
From: Serge [EMAIL PROTECTED]
Date: Monday, January 10, 2005 6:59 pm
Subject: linking ssleay32.dll statically inside the app?

> Hi,
>
> is it possible to link statically the ssleay32.dll along my application so I won't need to provide the dll to my customers? I use windows xp and msvc++ 6.0.
>
> thank you.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
AW: Does a root CA need two certificates?
Hi Ted,

using a self signed certificate doesn't mean your connection is less secure. It is only people are going to use your web pages because they get a warning that the certificate is not certified by a CA. But with openssl you can use the same routine to generate your certificate like a CA.

Regards
Richard

----- Original Message -----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Bernhard Froehlich
Sent: Wednesday, 19 January 2005 09:23
To: openssl-users@openssl.org
Subject: Re: Does a root CA need two certificates?

[...]
Re: Does a root CA need two certificates?
But how do you guarantee that the web server is who he says he is? In theory, an ISP could hack up a DNS to point to my local server. What verifies that the machine I am connecting to is indeed that machine which it claims to be?

----- Original Message -----
From: R. Markham [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Wednesday, January 19, 2005 1:54 AM
Subject: AW: Does a root CA need two certificates?

[...]
Re: AW: Does a root CA need two certificates?
R. Markham wrote:

> Hi Ted,
>
> using a self signed certificate doesn't mean your connection is less secure. It is only people are going to use your web pages because they get a warning that the certificate is not certified by a CA. But with openssl you can use the same routine to generate your certificate like a CA.
>
> Regards
> Richard

Yes, I do think (no, this time I'm really sure) it is less secure! If you use a self signed CA in an internet setting (that is, you do not know your users and your users typically don't know you) there is no way for the user to be sure that s/he is talking with your website and not with a Man-In-The-Middle proxy, since everyone can generate a self signed certificate with the name of your site in it. And someone who can listen to the wire (like an internet provider) usually can hijack or redirect a connection to his own site.

It's a completely different story if your users know you and can check the CA's fingerprint using another channel, like personal contact, papermail or a secure Website using a trusted certificate.

You are right in the one aspect that the encryption itself is equally strong, regardless of what certificate you use. But the best encryption does not help you if you send its key to an untrusted target.

Using self signed certificates to make a typical internet user believe his communication is more secure is a classical case of selling snake oil.

Ted ;)
rsa enc-dec problem
Hi,

I am using RSA encryption and decryption in my projects. If I do encryption continuously in loop I am not getting the desired results. Should there be any delay between calling RSA_public_encrypt?

Thanks in advance
S.Suresh
AW: Does a root CA need two certificates?
> The data is no less secure true.. but the authentication is much easier for someone to fake since the certificate chain doesn't go through a trusted third party (Root CA) the person says "This is me. End of story" and you choose whether you believe it or not.

Hi Shaun,

I don't understand why is a root CA which everybody can download from the internet is more secure than if I use my own CA.

I want to make it clear I am not against using Certificates from an official CA. But in some cases you can save your money as a expenses for the certificate if you use your self signed certificate. If you want that only authenticated user can have access, then you can use SSLVerifyClient in Apache.

Regards
Richard
Re: Does a root CA need two certificates?
Hi Richard,

How else do you authenticate the originator of the certificate?

I don't know if you really want to read it up but I found the concept in: http://theory.lcs.mit.edu/~cis/pubs/rivest/rsapaper.ps an explanation to the same. It tells you why an asymmetric keypair like RSA is used/needed to sign the certificates. One of the keys is probably what the browser has and the other is the key used to sign the webserver's digital cert generated from the csr.

-hth
Alok

----- Original Message -----
From: R. Markham [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Wednesday, January 19, 2005 3:28 AM
Subject: AW: Does a root CA need two certificates?

[...]
Re: Does a root CA need two certificates?
* R. Markham wrote:

> I don't understand why is a root CA which everybody can download from the internet is more secure than if I use my own CA. I want to make it clear I am not against using Certificates from an official CA. But in some cases you can save your money as a expenses for the certificate if you use your self signed certificate. If you want that only authenticated user can have access, then you can use SSLVerifyClient in Apache.

I made the same mistake as this. Assuming that an authenticated client is authorised. This gave me a headache since I couldn't work out why it's secure since anyone could obtain a signed client certificate from a root CA and if that root CA is in the list of CA's on my webserver they can get access.

However now I understand it. The root CA doesn't grant a certificate saying this person is allowed access to your website but this person is WHO THEY SAY THEY ARE. This means it's still up to you to decide what they should be allowed to access (their authorization). You've just used a different way of identifying them.. a certificate instead of a username password.

SSLCheckClientDN and SSLFakeBasicAuth allow for authenticated access in Apache NOT SSLVerifyClient. SSLVerifyClient just makes sure they have a valid client certificate.
Re: Writing to a mem BIO instead of using SSL_Write
I did it:

--------------------------------------------------
//
// the connection is already established (with ssl_accept);
// ssl, sd and szBuffer are set up earlier, and the recv/send part
// below runs inside the connection loop
//
BIO *internal_bio, *network_bio, *ssl_bio;
int iDataLen;

//
// let's create a new bio pair and the ssl bio
// the internal_bio is not directly used.
//
BIO_new_bio_pair(&internal_bio, 0, &network_bio, 0);
ssl_bio = BIO_new(BIO_f_ssl());
SSL_set_bio(ssl, internal_bio, internal_bio);
BIO_set_ssl(ssl_bio, ssl, BIO_NOCLOSE);

//
// recv'ing
//
iDataLen = recv(sd, szBuffer, sizeof(szBuffer), 0);
if(iDataLen == 0 || iDataLen == SOCKET_ERROR)
    break;

//
// decrypting: ciphertext goes into network_bio, plaintext comes out of ssl_bio
//
BIO_write(network_bio, szBuffer, iDataLen);
BIO_flush(network_bio);
iDataLen = BIO_read(ssl_bio, szBuffer, sizeof(szBuffer));  // plaintext length
if(iDataLen <= 0)
    continue;   // no complete SSL record yet

// :-)
if(iDataLen >= 4 && memcmp(szBuffer, "exit", 4) == 0)
    break;

//
// crypting the buffer: plaintext goes into ssl_bio, ciphertext comes out of network_bio
//
BIO_write(ssl_bio, szBuffer, iDataLen);
BIO_flush(ssl_bio);
// the ciphertext is longer than the plaintext, so bound the read by the buffer size
iDataLen = BIO_read(network_bio, szBuffer, sizeof(szBuffer));

//
// send'ing
//
iDataLen = send(sd, szBuffer, iDataLen, 0);
--------------------------------------------------

Thank you all,
Strauss

On Mon, 17 Jan 2005 10:36:02 -0700, Trent Harmon [EMAIL PROTECTED] wrote:

> BIO pairs are, by design, completely detached from the socket when they are created. Here's how it works:
>
> 1. You establish a communication channel (independent of OpenSSL). This could be just another socket. But, the point is that you establish it without any OpenSSL involvement.
> 2. You create a BIO pair.
> 3. You read data from the socket (the read is done in whatever manner you choose, independent of OpenSSL). After reading the data, you pass the data into the BIO pair.
> 4. You retrieve data from one-half of the BIO pair (it comes out decrypted). Then you do whatever you want with the decrypted data.
> 5. You pass clear data into one-half of the BIO pair.
> 6. Then, you can retrieve the encrypted data from the other half of the BIO pair. Once retrieved, you can write it to your socket.
>
> The point is that the BIO pair takes care of the entire SSL process without actually caring about the communications interface (i.e. socket). Note that the BIO pair is manipulating SSL records just as they would normally have been done with the socket-style OpenSSL interface.
>
> Have you found the example, ssltest.c, in your OpenSSL distribution? If not, it's online:
> http://www.opensource.apple.com/darwinsource/10.3/OpenSSL096-2/openssl/ssl/ssltest.c
>
> Hopefully that file will make this clearer. The book I recommended is a good guide too. Don't expect to have it running in an hour or two. Give yourself a couple days to prototype and understand.
>
> -trent
>
> Rodrigo Strauss wrote:
>
>> I need to follow these steps:
>>
>> - Make the socket connection, keeping the socket in synchronous mode
>> - Call SSL_Accept to initialize the SSL session
>> - Detach the SSL from the socket
>> - Now the socket will be controlled by a network I/O thread (the app already does this and I can't change this behavior). And all data will be sent from another thread.
>> - All the data going to this socket needs to be encrypted IN A BUFFER and sent to the thread using a queue (so all the buffer will be sent ordered). The network I/O thread will just read the buffer from the queue and send it. The buffer needs to be already encrypted
>>
>> I'm having some problems understanding how bio pairs work. If someone could help
>>
>> Thanks,
>> Strauss
>>
>> On Mon, 17 Jan 2005 07:56:42 -0700, Trent Harmon [EMAIL PROTECTED] wrote:
>>
>>> Hi,
>>>
>>> I didn't copy the openssl alias since I don't consider myself an expert. You'll likely get other, perhaps better, suggestions from there. But, in the meantime, I think what you're wanting is a BIO Pair. This assumes that you're wanting more than just encryption, but that you're also wanting the SSL negotiation between the two endpoints.
>>>
>>> A BIO pair allows you to choose how to send/receive the SSL records. You can find an example in .../ssl/ssltest.c. It can be a little tricky (especially when you account for flow control) so be prepared to take some time and lots of testing to make sure it's working right.
>>>
>>> The book, Network Security with OpenSSL by John Viega, Matt Messier, and Pravir Chandra (ISBN 0-596-00270-X) has a small section devoted to BIO Pairs on page 94.
>>>
>>> Hope this helps.
>>>
>>> -trent
>>>
>>> P.S. No mem BIO is needed for this. Just char buffers.
>>>
>>> Rodrigo Strauss wrote:
>>>
>>>> Hi.
>>>>
>>>> I'm trying (with no success) to detach SSL from a socket, and use it to crypt/decrypt using a mem BIO. Instead of using SSL_write, I want to write the encrypted data to a mem BIO (or just a buffer) and send it by myself (and do the reverse operation on receive). I will do this just after the initial negotiation. All the information will be encrypted, I just need to do the send/recv by myself.
>>>>
>>>> I need to change an existing application to use SSL. I'll need to put the already encrypted buffer in a queue, to be
Re: Does a root CA need two certificates?
Sorry, I wasn't clear in my question. (I'm confused, I know.)

(And thanks for trying to help a confused newb. ;-)

On Wed, 19 Jan 2005 16:27:10 +0900
Joel [EMAIL PROTECTED] mumbled unintelligibly:

> Had another newbie type question --
>
> When reading about how to set up a self-signed web server, the docs I read indicate there is a need for two certificates -- one being a self-signed certificate for the entity certifying the server, and the other being the certificate the web server gives out (certified by the self-signed certificate).

That was from when I was playing with mod_ssl and apache. Got it working, more or less, and, no, I did not use the self-signed certificate for mod_ssl, I used the certificate signed with the self-signed certificate.

> Reading the RFCs and the docs, it seems like CAs would similarly have the certificate(s?) they operate under and the certificate they give out. And it looks like a root CA does not give out its self-signed certificate. (Or does it? I'm not sure where in RFC 3280 I got this idea. The paragraph I'm reading now about pathLenConstraint makes it look like the root CA does give out his self-signed certificate when he gives one out -- talking about the count of non-self-signed certificates.)
>
> Does setting up a root CA require generating a self-signed certificate, and then generating an operating certificate signed under the self-signed certificate, or am I thinking too hard and as confused as usual?

This is for an internal application, in which it really doesn't make sense to have an externally trusted entity sign the CA certificate. We aren't asking our customers to trust our self-signed certificate, we are just trying to make sure the person who handed us the floppy with the certificate is on the other end of the line, so to speak.

(You could say our man in the middle is always "known" to be a "trusted" employee, in the sense that PKI allows us to talk about mechanized trust. 8-/ )

What I'm trying to ask, if I can get it right this time, is whether a root CA will be passing its own self-signed certificate out.

I think I've figured it out, by the way. In the case of the web server, the self-signed certificate is not intended for certifying the web site, but for certifying the certificate(s) of (a) web site(s), which is why two are necessary.

But in the case of a CA, the certificate is for signing certificates for other CAs and won't be given out otherwise. But it would be given out with the signed certificates for the subordinate CAs.

But if the root CA machine is also signing server certificates (which it should not, but that's another story), it should have a separate certificate for signing certificates for servers. Should also have a separate piece of the directory tree to do it in.

Am I getting warm?

--
Joel Rees [EMAIL PROTECTED]
digitcom, inc.
Re: AW: Does a root CA need two certificates?
R. Markham wrote:

>> The data is no less secure true.. but the authentication is much easier for someone to fake since the certificate chain doesn't go through a trusted third party (Root CA) the person says "This is me. End of story" and you choose whether you believe it or not.
>
> Hi Shaun,
>
> I don't understand why is a root CA which everybody can download from the internet is more secure than if I use my own CA.

The trick is not that everyone can download it, the trick is that (hopefully) no evil one can modify it. So Bill Gates certifies (by including the CA-certs on his distribution CDs or digitally signing the new Certs for distribution via Windows Update) that those CA-certs are good CA-certs (I personally disagree sometimes, but that's another story). If you download a CA-bundle from somewhere else you should make sure that the source is trustworthy and no one has modified it, typically by checking a digital signature or using a secure download.

Of course there are several possibilities to get your fingers in between in this procedure, but if you just give me a certificate and say this is mine I have no assurance that I'm receiving what you sent.

> I want to make it clear I am not against using Certificates from an official CA. But in some cases you can save your money as a expenses for the certificate if you use your self signed certificate. If you want that only authenticated user can have access, then you can use SSLVerifyClient in Apache.

You are completely right. There are lots of cases where you can use a self signed CA even more secure than those official ones. But internet applications (in the sense of my clients have nothing else to do with me) usually are not among them. It always depends on having a secure (or a bit more secure than unauthenticated internet) channel to distribute the CA-certificates. And of course the trust in the CAs themselves.

> Regards
> Richard

[...]

BTW, there is no offense intended by my side, I'm just trying to clarify this. ;)

Ted
Re: AW: Does a root CA need two certificates?
From a newb who has way too much theory and too little practical --

>> The data is no less secure true.. but the authentication is much easier for someone to fake since the certificate chain doesn't go through a trusted third party (Root CA) the person says "This is me. End of story" and you choose whether you believe it or not.
>
> Hi Shaun,
>
> I don't understand why is a root CA which everybody can download from the internet is more secure than if I use my own CA.

Well, the way I understand it is, verisign, the company (for example), has not come out and said, "NO! Don't trust our certificates!!!", and neither have a lot of other people. So we can assume their certificates are theirs, even though we can't assume they are who they publicly claim to be.

The trust on the second question is an induced trust in our heads. Since nobody is standing up to claim that the management of any of these companies are fraudulent in the claims they make as to who they say they are, the induced trust takes more effect. But that sort of trust is outside of PKI.

> I want to make it clear I am not against using Certificates from an official CA. But in some cases you can save your money as a expenses for the certificate if you use your self signed certificate. If you want that only authenticated user can have access, then you can use SSLVerifyClient in Apache.

Well, yeah, if your head of engineering stands up in the morning meeting and claims he signed the company's internal root CA certificate himself, that is actually better than if he sent it off to one of the commercial (or open) CAs, because the external chain of trust is more direct.

Also, that group in Australia that's doing peer-to-peer certification has an approach that I think is theoretically valid in a different way and in a different context, because it's a chain of face-to-face trust. I haven't got a certificate from them yet, but I want to see how well they implement things.

First I have to make sure I really understand what's going on with openssl and the more hierarchical approach.

--
Joel Rees [EMAIL PROTECTED]
digitcom, inc.
Re: Does a root CA need two certificates?
Joel wrote:

> Sorry, I wasn't clear in my question. (I'm confused, I know.)
>
> (And thanks for trying to help a confused newb. ;-)
>
> [...]
>
> What I'm trying to ask, if I can get it right this time, is whether a root CA will be passing its own self-signed certificate out.

Ahh, now I think we get nearer to the mark. ;)

Yes, the root CA has to distribute its self signed certificate (NOT its private key, just the cert. There seem to be misunderstandings about that elsewhere) to those who have to trust it. For example if your employees have to make sure they are on a company website you have to give them a disk (this is the secure channel here) containing the CA's certificate and they have to import it into their browsers.

N.B.: Just make sure that your CA certificate is not used to sign fake certificates, since if your employees trust your CA this also implies (at least with current browser implementations) that they trust every certificate signed by your CA, even if you hand out certificates for www.bigbank.com or www.ebay.com...

> I think I've figured it out, by the way. In the case of the web server, the self-signed certificate is not intended for certifying the web site, but for certifying the certificate(s) of (a) web site(s), which is why two are necessary.

Yes, that sounds correct.

> But in the case of a CA, the certificate is for signing certificates for other CAs and won't be given out otherwise. But it would be given out with the signed certificates for the subordinate CAs.
>
> But if the root CA machine is also signing server certificates (which it should not, but that's another story), it should have a separate certificate for signing certificates for servers. Should also have a separate piece of the directory tree to do it in.

Though a CA can sign other CAs and thereby build longer CA-chains it is more common in Inhouse-CAs to directly sign end-user (or end-server) certificates. And as explained above the self signed certificate of the root CA has to be distributed.

The approach described by you is a more secure but less practical way. You typically do this if you are Thawte or Verisign and your root certificate has to have a very late expiry date, like 25 years from now. Then it is better to keep the root CA's private(!) keys very very secure in a bank vault and only use it once a year to sign certificates for some sub-CAs, which expire in a year or so and are then used to sign end-user certificates. Now if one of the sub-CAs compromises its private key, only the certificates signed by this particular sub-CA are void, and not possibly those of ten or twenty years of work.

But still the root CA's certificate (which apart from management information primarily contains its signed public(!) key part) has to be distributed, in the case of Thawte etc. to Bill, the Mozilla project and people like that.

> Am I getting warm?

I think you are already rather close.

Ted ;)
Re: Does a root CA need two certificates?
Joel, you seem to be a bit confused about PKI matters, and among others what's considered private and what's considered public.

Let me start with the private vs. public part: private keys are designed to be kept private by the owner. Certificates (which contain the public key) are designed to be public and to be given out to anyone who needs it or is interested.

Also, a small detail: CA certificates aren't used to sign with, the private keys are. You use CA certificates to validate a signature in any certificate issued by that CA (this puts it simply, since there are other data that are checked between certificates, but the signature check is still the most important thing).

Now, the way things work with an X.509/PKIX flavor of PKI, you validate a certificate (any kind of certificate, be it a user certificate, a server certificate or whatever kind of certificate we're able to invent) by checking it against an issuing certificate (a CA certificate), among others by checking that the signature in the current certificate can be verified using the public key in the issuing certificate. This is done all the way to the top (the root certificate).

To be able to do a proper certificate validation, you therefore need all the certificates in the chain, from the certificate you want to validate to the root certificate that starts (or ends, depending on your point of view) the chain. This holds true for anyone who needs to validate your server certificate as well as any certificate your server needs to validate.

So, to directly answer your questions:

rees> What I'm trying to ask, if I can get it right this time, is
rees> whether a root CA will be passing its own self-signed
rees> certificate out.

Yes, in one form or another.

rees> I think I've figured it out, by the way. In the case of the web
rees> server, the self-signed certificate is not intended for
rees> certifying the web site, but for certifying the certificate(s)
rees> of (a) web site(s), which is why two are necessary.

That's correct. Those aren't two CA certificates, though. The root certificate is the CA certificate, while the server certificate is an EE (End Entity) certificate. You confused the matter for yourself earlier by talking about two CA certificates.

rees> But in the case of a CA, the certificate is for signing
rees> certificates for other CAs and won't be given out otherwise. But
rees> it would be given out with the signed certificates for the
rees> subordinate CAs.

This is confusing. Either you're publishing a certificate or you aren't. It doesn't matter if it's bundled with subordinate certificates or not. And either way, if you want others to be able to validate a certificate issued by the subordinate CAs, you need to publish the root CA certificate as well.

rees> But if the root CA machine is also signing server certificates
rees> (which it should not, but that's another story), it should have
rees> a separate certificate for signing certificates for servers.
rees> Should also have a separate piece of the directory tree to do it
rees> in.

You are confusing the matter. It seems like you're saying the CA should split in two, one that signs subordinate CAs and one that signs your server certificate. Now, the question is, when you split that CA in two, are you actually creating an entirely different CA that uses the same key, or are you in fact creating another subordinate CA (using the same key?)?

You might want to draw a tree that shows how the root CA, subordinate CAs and other entities are related to each other. A picture does say more than a thousand words, and I've already spent a few hundred of them :-).

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up.
-- C.S. Lewis
Re: Even CA's make mistakes..
A bit off the thread... Ever wondered if one can break PKI given that the 1st request to a server is mostly GET / in https? Any ideas?

----- Original Message -----
From: Shaun Lipscombe [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Wednesday, January 19, 2005 4:57 AM
Subject: Even CA's make mistakes..

In continuing the thread on can you trust a CA.. you have to remember that there's a human process involved and if someone can perform identity fraud in the REAL world then they can also perform it in the virtual world. PKI only tries to tie these two realms together.

Please see..
http://www.cert.org/advisories/CA-2001-04.html
http://support.microsoft.com/kb/293818/EN-US/

The day someone managed to obtain a valid certificate claiming for the identity Microsoft Corp

Shaun
Re: Does a root CA need two certificates?
In message [EMAIL PROTECTED] on Wed, 19 Jan 2005 11:47:25 +, Shaun Lipscombe [EMAIL PROTECTED] said:

shaun.lipscombe> At least with SSL you have a single entity at the top,
shaun.lipscombe> in OpenPGP etc you have a web of trust and key
shaun.lipscombe> signing parties and lots of other stuff which really
shaun.lipscombe> makes key validity a touch n go subject and people
shaun.lipscombe> being who they say they are gets a bit of an iffy
shaun.lipscombe> subject.

OK, time to call bullshit when I see it :-)

OpenPGP has a different trust model than X.509/PKIX, it's entirely true. Making that something inherently bad is what I call BS.

The trust model for OpenPGP is direct, personal validation of identity. I won't sign another person's PGP key unless I either know this person personally, or can validate his/her identity through some kind of identity paper, for example a passport together with a business card where his/her email address is clearly shown together with the same name as on the passport. The validation chain is a chain of such checkups, basically, coupled with trust settings (they can be viewed as policy settings are viewed in the X.509/PKIX world).

The trust model for X.509/PKIX is to trust a higher authority, but can also be set up as a personal web of trust if you set up your own CA and use policy extensions properly.

shaun.lipscombe> Just search any keyserver for Superman and I'm sure
shaun.lipscombe> you'll find someone that claims to be Superman for
shaun.lipscombe> example.

Claims it in what way? You mean as part of the real name or as part of the email address? Either way, what stops anyone claiming the same in the X.509/PKIX world? That's not the point either way, the point is if you trust the claim, or if you trust someone who would trust that claim. That kind of trust can be handled, both in the OpenPGP world and the X.509/PKIX one.

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Re: Does a root CA need two certificates?
Thanks, Ted and Richard, especially for going to the effort of deciphering my English.

(One of these days I'll learn how to type fast and be lucid at the same time.)

On the question of using certificates to sign vs. using keys to sign, could I ask for one more clarification --

If, for the sake of argument, I made a key for CA use, signed certificates for servers with it, and then made the CA's certificate, are the certificates signed when only the key existed going to be valid? And are they going to be identical to certificates signed afterwards, other than entropy?

I don't want to do this, it's just the quickest way I can think of to ask about the mechanical interdependencies.

--
Joel Rees [EMAIL PROTECTED]
digitcom, inc.
Re: Even CA's make mistakes..
> * Alok wrote:
>> A bit off the thread... Ever wondered if one can break PKI given that the 1st request to a server is mostly GET / in https?
>
> The GET /HTTP/1.0 is done using a symmetric cipher like RC2 or RC4 etc. The PKI is only used to transfer the symmetric key between hosts. Using a suitable keylength (1024) it's a tough job to break. Longer than the lifetime of the universe or some silly number like that.

yup the PKI part may be a problem

lets take PKI out for a moment and talk simple block encryption, given that you know
a. the message or the 1st few bits in it
b. the set of possible block algorithms used to encrypt

Can you determine session key?
Re: Even CA's make mistakes..
Alok wrote:
> [...]
> lets take PKI out for a moment and talk simple block encryption, given that you know
> a. the message or the 1st few bits in it
> b. the set of possible block algorithms used to encrypt
>
> Can you determine session key?

If it would be known to be possible this would not be an algorithm in wide use. This kind of attack is well known as known plaintext attack.

Ted ;)
A bug in OBJECT management?
Hello!

It seems to me I've found a bug in openssl req command.

I use a 2005-01-17 snapshot of 0.9.8 branch. openssl is configured with libefence in debug mode with ./config -d shared.

In my script I load fake engine looking like simplified rsaref demo, but registering its own cipher algorithm via OBJ_create EVP_add_cipher inside the engine.

I export LD_LIBRARY_PATH with values pointing to snapshot dir and engine dir and use openssl in interactive mode.

I load my engine with command

engine - dynamic -pre SO_PATH:../minimum/obj_mid.lnx/eng_min.so -pre LIST_ADD:1 -pre LOAD

and create rsa certificate request with command

req -newkey rsa:512 -keyout rsakey.pem -nodes -out rsareq.pem

After that I exit from app, getting a SEGFAULT.

It seems to me it is caused by double free() on cleanup, because commenting out OBJ_cleanup at apps/req.c saves from SEGFAULT, and nothing happens without libefence.

Engine source code is attached.

Please, tell me where is my mistake.

Thank you.

--
SY, Dmitry Belyavsky (ICQ UIN 6575)

#include <stdio.h>	/* printf() */
#include <string.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/bn.h>
#include <openssl/engine.h>
#include <openssl/objects.h>

static int NID_minimum_cipher_GOST = NID_undef;

#define OID_gost89 "1.2.643.2.9.1.1.1"
#define SN_gost89 "gost89"
#define LN_gost89 "GOST 28147-89 symmetric cipher"

/* Register the cipher's OID at run time and remember the NID it was given */
int register_minimum_NID (void)
{
	NID_minimum_cipher_GOST = OBJ_create(OID_gost89, SN_gost89, LN_gost89);
	if (NID_minimum_cipher_GOST == NID_undef) {goto err;}
	return 1;
err:
	NID_minimum_cipher_GOST = NID_undef;
	return 0;
}

/* Fake crypt functions */
int cce_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
	const unsigned char *iv, int enc){return 1;}
int cce_cipher_do(EVP_CIPHER_CTX *ctx, unsigned char *out,
	const unsigned char *in, unsigned int inl){return 1;}
int cce_cipher_cleanup(EVP_CIPHER_CTX *ctx){return 1;}

#define minimum_LIB_NAME "minimum GOST engine"
static const char *engine_minimum_id = "minimum";
static const char *engine_minimum_name = "minimum GOST engine";

static int cce_destroy(ENGINE *e);
static int cce_init(ENGINE *e);
static int cce_finish(ENGINE *e);

/* Engine commands */
static const ENGINE_CMD_DEFN cce_cmd_defns[] =
{
	{0, NULL, NULL, 0}
};

/* Symmetric cipher and digest function registrar */
static int cce_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
	const int **nids, int nid);

static int cce_cipher_nids[]= {NID_undef,0};

/* Statically allocated cipher description (0.9.8-era public EVP_CIPHER layout) */
static EVP_CIPHER cipher_gost =
{
	NID_undef,
	1,/*block_size*/
	32,/*key_size*/
	8,/* iv_len */
	EVP_CIPH_CFB_MODE|EVP_CIPH_CUSTOM_IV|EVP_CIPH_NO_PADDING,
	cce_cipher_init,
	cce_cipher_do,
	cce_cipher_cleanup,
	0,/* ctx_size */
	NULL,
	NULL,
	NULL,
	NULL,
};

static int cce_init(ENGINE *e)
{
	return 1;
}

static int cce_finish(ENGINE *e)
{
	return 1;
}

static int cce_destroy(ENGINE *e)
{
	return 1;
}

static int bind_cce (ENGINE *e,const char *id)
{
	if (id && strcmp(id, engine_minimum_id)) return 0;

	if (!ENGINE_set_id(e, engine_minimum_id))
	{
		printf("ENGINE_set_id failed\n");
		return 0;
	}
	if (!ENGINE_set_name(e, engine_minimum_name))
	{
		printf("ENGINE_set_name failed\n");
		return 0;
	}

	if (!register_minimum_NID()) return 0;

	/* set up NIDs */
	cipher_gost.nid = NID_minimum_cipher_GOST;
	/* end set up NIDs */

	if (! ENGINE_set_ciphers(e, cce_ciphers))
	{
		printf("ENGINE_set_ciphers failed\n");
		return 0;
	}

	if ( ! ENGINE_set_destroy_function(e, cce_destroy)
		|| ! ENGINE_set_init_function(e,cce_init)
		|| ! ENGINE_set_finish_function(e,cce_finish)) return 0;

	/* Adds a pointer to this module's static EVP_CIPHER to the global table */
	if (!EVP_add_cipher(&cipher_gost)) return 0;
	return 1;
}

#ifdef _WIN32
extern __declspec( dllexport )
#endif
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
IMPLEMENT_DYNAMIC_BIND_FN(bind_cce);
IMPLEMENT_DYNAMIC_CHECK_FN();
#else
static ENGINE *engine_cce(void)
{
	ENGINE *ret = ENGINE_new();
	if(!ret)
		return NULL;
	if(!bind_cce(ret, engine_minimum_id))
	{
		ENGINE_free(ret);
		return NULL;
	}
	return ret;
}

void ENGINE_load_cce(void)
{
	/* Copied from eng_[openssl|dyn].c */
	ENGINE *toadd = engine_cce();
	if(!toadd) return;
	ENGINE_add(toadd);
	ENGINE_free(toadd);
	ERR_clear_error();
}
#endif /* OPENSSL_NO_DYNAMIC_ENGINE */

static int cce_ciphers (ENGINE *e,const EVP_CIPHER **cipher,
	const int **nids, int nid)
{
	int ok = 1;
	if (!cipher)
	{
		/* return list of supported nids */
		if (cce_cipher_nids[0] == NID_undef)
		{
			cce_cipher_nids[0] = NID_minimum_cipher_GOST;
		}
		*nids = cce_cipher_nids;
		return 1; /* Only one cipher supported */
	}

	if(nid == NID_minimum_cipher_GOST)
	{
		*cipher = &cipher_gost;
	}
	else
	{
		ok = 0;
	}
	return ok;
}
Re: Does a root CA need two certificates?
In message [EMAIL PROTECTED] on Wed, 19 Jan 2005 22:35:46 +0900, Joel [EMAIL PROTECTED] said:

rees> On the question of using certificates to sign vs. using keys to
rees> sign, could I ask for one more clarification --
rees>
rees> If, for the sake of argument, I made a key for CA use, signed
rees> certificates for servers with it, and then made the CA's
rees> certificate, are the certificates signed when only the key
rees> existed going to be valid? And are they going to be identical to
rees> certificates signed afterwards, other than entropy?

It's really a matter of interpretation for those doing the validation, and as long as things look OK at the time you publish any certificate, there should really be no problems. There are a few things to keep track of, though:

- it would look quite suspicious if the notValidBefore field of the CA certificate is later than the notValidBefore field of any certificate it has issued.
- there are extensions that get data from the issuing certificate, so creating certificates using only a key may not be very productive.
- the openssl utility won't allow it, because it will need the issuer certificate to be able to fill in the issuer field, at the very least.

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
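Added example (not part of the thread, and not code from any of the posters or from the OpenSSL project): a shell sketch of the chain validation described earlier in this thread and of the key-versus-certificate question answered above. It shows that the CA key signs, that a CA certificate validates, and that a root certificate made later from the same key still validates an earlier server certificate while a same-named root with a different key does not. All names, file names and keys are constructed throwaway values.

```shell
#!/bin/sh
# Constructed demo: throwaway keys and example names, nothing from the thread.
set -eu

# Create a root CA (key + self-signed certificate) and one server certificate.
build_pki() {
    dir=$1
    # CA private key: this is what actually produces signatures.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    # Self-signed root certificate: carries the CA's public key and name and
    # is the part that gets published so others can validate.
    openssl req -new -x509 -key "$dir/ca.key" -subj "/CN=Example Root CA" \
        -days 30 -out "$dir/ca.pem" 2>/dev/null
    # End-entity (server) key and certificate request.
    openssl genrsa -out "$dir/srv.key" 2048 2>/dev/null
    openssl req -new -key "$dir/srv.key" -subj "/CN=www.example.test" \
        -out "$dir/srv.csr" 2>/dev/null
    # Issue the server certificate: -CAkey signs, -CA supplies the issuer name.
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -set_serial 1 -days 30 \
        -out "$dir/srv.pem" 2>/dev/null
    # A second root certificate made afterwards from the SAME key and name.
    openssl req -new -x509 -key "$dir/ca.key" -subj "/CN=Example Root CA" \
        -days 30 -out "$dir/ca_reissued.pem" 2>/dev/null
    # A look-alike root: same name, DIFFERENT key.
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/other.key" -subj "/CN=Example Root CA" \
        -days 30 -out "$dir/ca_other.pem" 2>/dev/null
}

# Succeeds only if certificate $2 chains to the trusted root in $1.
# The output is checked because old openssl releases exit 0 on failure too.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Print the issuer or subject name of a certificate in one canonical form.
cert_name() {   # $1 = issuer|subject, $2 = certificate file
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT
build_pki "$PKI_DIR"

echo "issuer of srv.pem: $(cert_name issuer "$PKI_DIR/srv.pem")"
for root in ca.pem ca_reissued.pem ca_other.pem; do
    if chain_ok "$PKI_DIR/$root" "$PKI_DIR/srv.pem"; then r=valid; else r=REJECTED; fi
    echo "srv.pem checked against $root: $r"
done
```

The issuer name in srv.pem is copied from the CA certificate given with -CA, which is the dependency the reply above points out; the signature itself depends only on the CA key.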
Re: Does a root CA need two certificates?
On Wed, 19 Jan 2005, Richard Levitte - VMS Whacker wrote:

> In message [EMAIL PROTECTED] on Wed, 19 Jan 2005 11:47:25 +, Shaun Lipscombe [EMAIL PROTECTED] said:
> [snip]
> shaun.lipscombe> Just search any keyserver for Superman and I'm sure
> shaun.lipscombe> you'll find someone that claims to be Superman for
> shaun.lipscombe> example.
>
> Claims it in what way? You mean as part of the real name or as part of the email address? Either way, what stops anyone claiming the same in the X.509/PKIX world? That's not the point either way, the point is if you trust the claim, or if you trust someone who would trust that claim. That kind of trust can be handled, both in the OpenPGP world and the X.509/PKIX one.

"Claims it in what way?" is in fact an extremely important question. I have little doubt that someone could find a judge willing to allow him to change his legal name to Superman. After that it would say Superman on his business cards, bank accounts, utility bills, etc. and it would be reasonable to say "that person's name is Superman", or, "here, let me give you a copy of Superman's email certificate".

None of that says anything about whether the individual in question is the comic-book hero, able to fly, crush charcoal into diamonds in his hand, reflect bullets with his unprotected flesh, a native of Krypton, etc. It's necessary to think about what "his name is Superman" means, and whether that meaning is of any use in determining the kind of identity you want to prove.

The same is true of X.509 or OpenPGP certificates, or really any other identifier. It's always necessary to decide what it is you want to know, before accepting something as identification.

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Open-source executable: $0.00. Source: $0.00 Control: priceless!
linking 64-bit apps against 32-bit openssl libs
Can I link a 64-bit app with a 32-bit openssl lib?

More specifically, the environment would be

OS = FreeBSD 5.2.1
CC = gcc 3.3.3
Linker = ld 2.13.2
32-bit Lib = OpenSSL

I personally don't think that is possible. However, my peer has managed to compile a 64-bit app with the 32-bit SSL lib and claims it even runs. In fact ld should've stopped it before even linking it.

Some clarification would be appreciated...

Thanks
Re: What is that CA directory in the template directory layout?
Any takers on this?

I'm still thinking that ${OPENSSL_HOME}/CA/ is for the certificate one signs as a CA and ${OPENSSL_HOME}/CA/private/ for the key for that certificate, but a coworker here insists that the root certificate belongs in ${OPENSSL_HOME}/ and the key for it in ${OPENSSL_HOME}/private/, where they'll get in the way of other keys, and other files in general.

Again, anyone care to hit me with a clue stick?

--
Joel Rees [EMAIL PROTECTED]
digitcom, inc.