Re: Does a root CA need two certificates?

2005-01-19 Thread Bernhard Froehlich
Joel wrote:

Had another newbie type question --
  

When reading about how to set up a self-signed web server, the docs I
read indicate there is a need for two certificates -- one being a
self-signed certificate for the entity certifying the server, and the
other being the certificate the web server gives out (certified by the
self-signed certificate).

Reading the RFCs and the docs, it seems like CAs would similarly have
the certificate(s?) they operate under and the certificate they give out.
And it looks like a root CA does not give out its self-signed
certificate. (Or does it? I'm not sure where in RFC 3280 I got this idea.
The paragraph I'm reading now about pathLenConstraint makes it look like
the root CA does give out his self-signed certificate when he gives one
out -- talking about the count of non-self-signed certificates.)

Does setting up a root CA require generating a self-signed certificate,
and then generating an operating certificate signed under the
self-signed certificate, or am I thinking too hard and as confused as
usual?
  

I think it may be possible to use a self-signed (or root) certificate
for a web server but it does not make much sense.
If you want to build up a CA (for Inhouse use in a company for example)
you should use the CA's key ONLY to sign certificates.
If you just want to play around with SSL it's better to simulate the
usual approach, especially since this only costs you the call of another
script.
Using a self-signed CA in an Internet-environment is almost senseless
since this leaves you open to man-in-the-middle attacks. And most people
who can listen to the wire can also redirect requests.

Hope it helps,
Ted
;)

-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26





Re: linking ssleay32.dll statically inside the app?

2005-01-19 Thread suresh . kumar
Hi,
I am using RSA encryption and decryption in my projects. If I do encryption 
continuously in loop I am not getting the desired results. Should there be any 
delay between calling RSA_public_encrypt.

Thanks in advance
S.Suresh

- Original Message -
From: Serge [EMAIL PROTECTED]
Date: Monday, January 10, 2005 6:59 pm
Subject: linking ssleay32.dll statically inside the app?

 Hi,
 
 is it possible to link statically the ssleay32.dll along my 
 application so I won't need to provide the dll to my customers?
 
 I use windows xp and msvc++ 6.0.
 
 thank you.
 
   
 

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


AW: Does a root CA need two certificates?

2005-01-19 Thread R. Markham
Hi Ted,

using a self signed certificate doesn't mean your connection is less secure.
It is only people are going to use your web pages because they get a warning
that the certificate is not certified by a CA. But with openssl you can use
the same routine to generate your certificate like a CA.

Regards

Richard 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Bernhard Froehlich
Sent: Wednesday, 19 January 2005 09:23
To: openssl-users@openssl.org
Subject: Re: Does a root CA need two certificates?

Joel wrote:

Had another newbie type question --
  

When reading about how to set up a self-signed web server, the docs I
read indicate there is a need for two certificates -- one being a
self-signed certificate for the entity certifying the server, and the
other being the certificate the web server gives out (certified by the
self-signed certificate).

Reading the RFCs and the docs, it seems like CAs would similarly have
the certificate(s?) they operate under and the certificate they give out.
And it looks like a root CA does not give out its self-signed
certificate. (Or does it? I'm not sure where in RFC 3280 I got this idea.
The paragraph I'm reading now about pathLenConstraint makes it look like
the root CA does give out his self-signed certificate when he gives one
out -- talking about the count of non-self-signed certificates.)

Does setting up a root CA require generating a self-signed certificate,
and then generating an operating certificate signed under the
self-signed certificate, or am I thinking too hard and as confused as
usual?
  

I think it may be possible to use a self-signed (or root) certificate
for a web server but it does not make much sense.
If you want to build up a CA (for Inhouse use in a company for example)
you should use the CA's key ONLY to sign certificates.
If you just want to play around with SSL it's better to simulate the
usual approach, especially since this only costs you the call of another
script.
Using a self-signed CA in an Internet-environment is almost senseless
since this leaves you open to man-in-the-middle attacks. And most people
who can listen to the wire can also redirect requests.

Hope it helps,
Ted
;)

-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26




Re: Does a root CA need two certificates?

2005-01-19 Thread Alok
But how do you guarantee that the web server is who he says he is?
In theory, an ISP could hack up a DNS to point to my local server. What
verifies that the machine I am connecting to is indeed that machine which it
claims to be?

- Original Message - 
From: R. Markham [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Wednesday, January 19, 2005 1:54 AM
Subject: AW: Does a root CA need two certificates?


Hi Ted,

using a self signed certificate doesn't mean your connection is less secure.
It is only people are going to use your web pages because they get a warning
that the certificate is not certified by a CA. But with openssl you can use
the same routine to generate your certificate like a CA.

Regards

Richard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of Bernhard Froehlich
Sent: Wednesday, 19 January 2005 09:23
To: openssl-users@openssl.org
Subject: Re: Does a root CA need two certificates?

Joel wrote:

Had another newbie type question --


When reading about how to set up a self-signed web server, the docs I
read indicate there is a need for two certificates -- one being a
self-signed certificate for the entity certifying the server, and the
other being the certificate the web server gives out (certified by the
self-signed certificate).

Reading the RFCs and the docs, it seems like CAs would similarly have
the certificate(s?) they operate under and the certificate they give out.
And it looks like a root CA does not give out its self-signed
certificate. (Or does it? I'm not sure where in RFC 3280 I got this idea.
The paragraph I'm reading now about pathLenConstraint makes it look like
the root CA does give out his self-signed certificate when he gives one
out -- talking about the count of non-self-signed certificates.)

Does setting up a root CA require generating a self-signed certificate,
and then generating an operating certificate signed under the
self-signed certificate, or am I thinking too hard and as confused as
usual?


I think it may be possible to use a self-signed (or root) certificate
for a web server but it does not make much sense.
If you want to build up a CA (for Inhouse use in a company for example)
you should use the CA's key ONLY to sign certificates.
If you just want to play around with SSL it's better to simulate the
usual approach, especially since this only costs you the call of another
script.
Using a self-signed CA in an Internet-environment is almost senseless
since this leaves you open to man-in-the-middle attacks. And most people
who can listen to the wire can also redirect requests.

Hope it helps,
Ted
;)

-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26




Re: AW: Does a root CA need two certificates?

2005-01-19 Thread Bernhard Froehlich
R. Markham wrote:
Hi Ted,
using a self signed certificate doesn't mean your connection is less secure.
It is only people are going to use your web pages because they get a warning
that the certificate is not certified by a CA. But with openssl you can use
the same routine to generate your certificate like a CA.
Regards
Richard 
 

Yes, I do think (no, this time I'm really sure) it is less secure! If 
you use a self signed CA in an internet setting (that is, you do not 
know your users and your users typically don't know you) there is no way 
for the user to be sure that s/he is talking with your website and not 
with a Man-In-The-Middle proxy, since everyone can generate a self 
signed certificate with the name of your site in it. And someone who can 
listen to the wire (like an internet provider) usually can hijack or 
redirect a connection to his own site.

It's a completely different story if your users know you and can check 
the CA's fingerprint using another channel, like personal contact, 
papermail or a secure Website using a trusted certificate.

You are right in the one aspect that the encryption itself is equally 
strong, regardless of what certificate you use. But the best encryption 
does not help you if you send its key to an untrusted target.
Using self signed certificates to make a typical internet user believe 
his communication is more secure is a classical case of selling snake oil.

Ted
;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26





rsa enc-dec problem

2005-01-19 Thread suresh . kumar
Hi,
I am using RSA encryption and decryption in my projects. If I do encryption 
continuously in loop I am not getting the desired results. Should there be any 
delay between calling RSA_public_encrypt.

Thanks in advance
S.Suresh





AW: Does a root CA need two certificates?

2005-01-19 Thread R. Markham


The data is no less secure true.. but the authentication is much easier
for someone to fake since the certificate chain doesn't go through a
trusted third party (Root CA) the person says This is me. End of story
and you choose whether you believe it or not.

Hi Shaun,

I don't understand why is a root CA which everybody can download from the
internet is more secure than if I use my own CA. I want to make it clear I
am not against using Certificates from an official CA. But in some cases you
can save your money as a expenses for the certificate if you use your self
signed certificate. If you want that only authenticated user can have
access, then you can use SSLVerifyClient in Apache.


Regards

Richard








Re: Does a root CA need two certificates?

2005-01-19 Thread Alok
Hi Richard,

How else do you authenticate the originator of the certificate?

I don't know if you really want to read it up but I found the concept in:
http://theory.lcs.mit.edu/~cis/pubs/rivest/rsapaper.ps

an explanation to the same.
It tells you why an asymmetric keypair like RSA is used/needed to sign the
certificates.
One of the keys is probably what the browser has and the other is the key
used to sign the webserver's digital cert generated from the csr.


-hth
Alok


- Original Message - 
From: R. Markham [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Wednesday, January 19, 2005 3:28 AM
Subject: AW: Does a root CA need two certificates?




 The data is no less secure true.. but the authentication is much easier
 for someone to fake since the certificate chain doesn't go through a
 trusted third party (Root CA) the person says This is me. End of story
 and you choose whether you believe it or not.

 Hi Shaun,

 I don't understand why is a root CA which everybody can download from the
 internet is more secure than if I use my own CA. I want to make it clear I
 am not against using Certificates from an official CA. But in some cases
you
 can save your money as a expenses for the certificate if you use your self
 signed certificate. If you want that only authenticated user can have
 access, than you can use SSLVerifyClient in Apache.


 Regards

 Richard








Re: Does a root CA need two certificates?

2005-01-19 Thread Shaun Lipscombe
* R. Markham wrote:

 I don't understand why is a root CA which everybody can download from the
 internet is more secure than if I use my own CA. I want to make it clear I
 am not against using Certificates from an official CA. But in some cases you
 can save your money as a expenses for the certificate if you use your self
 signed certificate. If you want that only authenticated user can have
 access, than you can use SSLVerifyClient in Apache.

I made the same mistake as this. Assuming that an authenticated client
is authorised.  This gave me a headache since I couldn't work out why
it's secure since anyone could obtain a signed client certificate from
a root CA and if that root CA is in the list of CA's on my webserver
they can get access. However now I understand it.  The root CA doesn't
grant a certificate saying this person is allowed access to your
website but this person is WHO THEY SAY THEY ARE.  This means it's
still up to you to decide what they should be allowed to access (their
authorization).  You've just used a different way of identifying them..
a certificate instead of a username & password.

SSLCheckClientDN and SSLFakeBasicAuth allow for authenticated access in
Apache NOT SSLVerifyClient. SSLVerifyClient just makes sure they have a
valid client certificate.


Re: Writing to a mem BIO instead of using SSL_Write

2005-01-19 Thread Rodrigo Strauss
I did it:
--
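//
// the connection is already established (with SSL_accept);
// ssl, sd and szBuffer are declared by the surrounding code
//
BIO *internal_bio, *network_bio, *ssl_bio;
int iDataLen;

//
// let's create a new bio pair and the ssl bio
// the internal_bio is not directly used.
//
BIO_new_bio_pair(&internal_bio, 0, &network_bio, 0);
ssl_bio = BIO_new(BIO_f_ssl());

SSL_set_bio(ssl, internal_bio, internal_bio);
BIO_set_ssl(ssl_bio, ssl, BIO_NOCLOSE);

for(;;)
{
  //
  // recv'ing
  //
  iDataLen = recv(sd, szBuffer, sizeof(szBuffer), 0);

  if(iDataLen == 0 || iDataLen == SOCKET_ERROR)
    break;

  //
  // decrypting: the received SSL records go into the network side
  //
  BIO_write(network_bio, szBuffer, iDataLen);
  BIO_flush(network_bio);

  // the pending count is only an upper bound; the plaintext length
  // is what BIO_read returns, and it must fit into szBuffer
  iDataLen = BIO_ctrl_pending(ssl_bio);
  if(iDataLen > (int)sizeof(szBuffer))
    iDataLen = sizeof(szBuffer);
  iDataLen = BIO_read(ssl_bio, szBuffer, iDataLen);
  if(iDataLen <= 0)
    continue; // no complete record decrypted yet

  // :-)
  if(iDataLen >= 4 && memcmp(szBuffer, "exit", 4) == 0)
    break;

  //
  // crypting the buffer
  //
  BIO_write(ssl_bio, szBuffer, iDataLen);
  BIO_flush(ssl_bio);

  iDataLen = BIO_ctrl_pending(network_bio);
  if(iDataLen > (int)sizeof(szBuffer))
    iDataLen = sizeof(szBuffer);
  iDataLen = BIO_read(network_bio, szBuffer, iDataLen);
  if(iDataLen <= 0)
    continue; // nothing to send yet

  //
  // send'ing
  //
  iDataLen = send(sd, szBuffer, iDataLen, 0);
}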

-

Thank you all,

Strauss

On Mon, 17 Jan 2005 10:36:02 -0700, Trent Harmon
[EMAIL PROTECTED] wrote:
 BIO pairs are, by design, completely detached from the socket
 when they are created.  Here's how it works:
 
1. You establish a communication channel (independent of OpenSSL).
   This could be just another socket.  But, the point is that you
   establish it without any OpenSSL involvement.
 
2. You create a BIO pair.
 
3. You read data from the socket (the read is done in whatever
   manner you choose, independent of OpenSSL).  After reading
   the data, you pass the data into the BIO pair.
 
4. You retrieve data from one-half of the BIO pair (it comes out
   decrypted).  Then you do whatever you want with the decrypted data.
 
5. You pass clear data into one-half of the BIO pair.
 
6. Then, you can retrieve the encrypted data from the other half
   of the BIO pair.  Once retrieved, you can write it to your socket.
 
 The point is that the BIO pair takes care of the entire SSL process
 without actually caring about the communications interface (i.e.
 socket).  Note that the BIO pair is manipulating SSL
 records just as they would normally have been done with the socket-style
 OpenSSL interface.
 
 Have you found the example, ssltest.c, in your OpenSSL distribution?
 If not, it's online:
 http://www.opensource.apple.com/darwinsource/10.3/OpenSSL096-2/openssl/ssl/ssltest.c
 
 Hopefully that file will make this clearer.
 
 The book I recommended is a good guide too.  Don't expect to have it
 running in an hour or two.  Give yourself a couple days to prototype
 and understand.
 
 -trent
 
 Rodrigo Strauss wrote:
 
  I need to follow these steps:
 
  - Make the socket connection, keeping the socket in synchronous mode
  - Call SSL_Accept to initialize the SSL session
  - Detach the SSL from the socket
  - Now the socket will be controlled by a network I/O thread (the app
  already do this and I can't change this behavior). And all data will
  be sent from another thread.
  - All the data going to this socket need to be encrypted IN A BUFFER
  and sent to the thread using a queue (so all the buffer will be sent
  ordered). The network I/O thread will just read the buffer from the
  queue and send it. The buffer need to be already encrypted
 
  I'm having some problems understanding how bio pairs work. If someone
  could help
 
  Thanks,
 
  Strauss
 
 
 
  On Mon, 17 Jan 2005 07:56:42 -0700, Trent Harmon
  [EMAIL PROTECTED] wrote:
 
 Hi,
 
 I didn't copy the openssl alias since I don't consider myself
 an expert.  You'll likely get other, perhaps better, suggestions
 from there.
 
 But, in the meantime, I think what you're wanting is a BIO Pair.
 This assumes that you're wanting more than just encryption, but that
 you're also wanting the SSL negotiation between the two endpoints.
 A BIO pair allows you to choose how to send/receive the SSL records.
 
 You can find an example in .../ssl/ssltest.c.
 
 It can be a little tricky (especially when you account for flow
 control) so be prepared to take some time and lots of testing to
 make sure it's working right.
 
 The book, Network Security with OpenSSL by John Viega,
 Matt Messier, and Pravir Chandra (ISBN 0-596-00270-X) has a small
 section devoted to BIO Pairs on page 94.
 
 Hope this helps.
 
 -trent
 
 P.S. No mem BIO is needed for this.  Just char buffers.
 
 Rodrigo Strauss wrote:
 
 
 Hi.
 
 I'm trying (with no success) to detach SSL from a socket, and use it
 to crypt/decrypt using a mem BIO. Instead of using SSL_write, I want
 to write the encrypted data to a mem BIO (or just a buffer) and send
 it by myself (and do the reverse operation on receive). I will do this
 just after the initial negotiation.
 
 All the information will be encrypted, I just need to do the send/recv
 by myself. I need to change an existing application to use SSL. I'll
 need to put the already encrypted buffer in a queue, to be 

Re: Does a root CA need two certificates?

2005-01-19 Thread Joel
Sorry, I wasn't clear in my question. (I'm confused, I know.)

(And thanks for trying to help a confused newb. ;-)

On Wed, 19 Jan 2005 16:27:10 +0900
Joel [EMAIL PROTECTED] mumbled unintelligibly:

 Had another newbie type question --
 
 When reading about how to set up a self-signed web server, the docs I
 read indicate there is a need for two certificates -- one being a
 self-signed certificate for the entity certifying the server, and the
 other being the certificate the web server gives out (certified by the
 self-signed certificate).

That was from when I was playing with mod_ssl and apache. Got it working,
more or less, and, no, I did not use the self-signed certificate for
mod_ssl, I used the certificate signed with the self-signed certificate.

 Reading the RFCs and the docs, it seems like CAs would similarly have
 the certificate(s?) they operate under and the certificate they give out.
 And it looks like a root CA does not give out its self-signed
 certificate. (Or does it? I'm not sure where in RFC 3280 I got this idea.
 The paragraph I'm reading now about pathLenConstraint makes it look like
 the root CA does give out his self-signed certificate when he gives one
 out -- talking about the count of non-self-signed certificates.)
 
 Does setting up a root CA require generating a self-signed certificate,
 and then generating an operating certificate signed under the
 self-signed certificate, or am I thinking too hard and as confused as
 usual?

This is for an internal application, in which it really doesn't make
sense to have an externally trusted entity sign the CA certificate. We
aren't asking our customers to trust our self-signed certificate, we are
just trying to make sure the person who handed us the floppy with the
certificate is on the other end of the line, so to speak. 

(You could say our man in the middle is always "known" to be a "trusted"
employee, in the sense that PKI allows us to talk about mechanized trust.
8-/ )

What I'm trying to ask, if I can get it right this time, is whether a
root CA will be passing its own self-signed certificate out. 

I think I've figured it out, by the way. In the case of the web server,
the self-signed certificate is not intended for certifying the web site,
but for certifying the certificate(s) of (a) web site(s), which is why
two are necessary. 

But in the case of a CA, the certificate is for signing certificates for
other CAs and won't be given out otherwise. But it would be given out
with the signed certificates for the subordinate CAs.

But if the root CA machine is also signing server certificates (which it
should not, but that's another story), it should have a separate
certificate for signing certificates for servers. Should also have a
separate piece of the directory tree to do it in.

Am I getting warm?

--
Joel Rees   [EMAIL PROTECTED]
digitcom, inc.

Re: AW: Does a root CA need two certificates?

2005-01-19 Thread Bernhard Froehlich
R. Markham wrote:
 

The data is no less secure true.. but the authentication is much easier
for someone to fake since the certificate chain doesn't go through a
trusted third party (Root CA) the person says This is me. End of story
and you choose whether you believe it or not.
   

Hi Shaun,
I don't understand why is a root CA which everybody can download from the
internet is more secure than if I use my own CA. 

The trick is not that everyone can download it, the trick is that 
(hopefully) no evil one can modify it. So Bill Gates certifies (by 
including the CA-certs on his distribution CDs or digitally signing the 
new Certs for distribution via Windows Update) that those CA-certs are 
good CA-certs (I personally disagree sometimes, but that's another story).
If you download a CA-bundle from somewhere else you should make sure 
that the source is trustworthy and no one has modified it, typically by 
checking a digital signature or using a secure download.
Of course there are several possibilities to get your fingers in between 
in this procedure, but if you just give me a certificate and say this 
is mine I have no assurance that I'm receiving what you sent.

I want to make it clear I am not against using Certificates from an official CA. But in some cases you
can save your money as a expenses for the certificate if you use your self
signed certificate. If you want that only authenticated user can have
access, than you can use SSLVerifyClient in Apache.
 

You are completely right. There are lots of cases where you can use a 
self signed CA even more secure than those official ones. But internet 
applications (in the sense of my clients have nothing else to do with 
me) usually are not among them.
It always depends on having a secure (or a bit more secure than 
unauthenticated internet) channel to distribute the CA-certificates. 
And of course the trust in the CAs themselves.

Regards
Richard
[...]
 

BTW, there is no offense intended by my side, I'm just trying to clarify 
this. ;)
Ted

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26




Re: AW: Does a root CA need two certificates?

2005-01-19 Thread Joel
From a newb who has way too much theory and too little practical --

 The data is no less secure true.. but the authentication is much easier
 for someone to fake since the certificate chain doesn't go through a
 trusted third party (Root CA) the person says "This is me. End of story"
 and you choose whether you believe it or not.
 
 Hi Shaun,
 
 I don't understand why is a root CA which everybody can download from the
 internet is more secure than if I use my own CA.

Well, the way I understand it is, verisign, the company (for example),
has not come out and said, "NO! Don't trust our certificates!!!", and
neither have a lot of other people. So we can assume their certificates
are theirs, even though we can't assume they are who they publicly
claim to be.

The trust on the second question is an induced trust in our heads. Since
nobody is standing up to claim that the management of any of these
companies are fraudulent in the claims they make as to who they say they
are, the induced trust takes more effect. But that sort of trust is
outside of PKI.

 I want to make it clear I
 am not against using Certificates from an official CA. But in some cases you
 can save your money as a expenses for the certificate if you use your self
 signed certificate. If you want that only authenticated user can have
 access, than you can use SSLVerifyClient in Apache.

Well, yeah, if your head of engineering stands up in the morning meeting
and claims he signed the company's internal root CA certificate himself,
that is actually better than if he sent it off to one of the commercial
(or open) CAs, because the external chain of trust is more direct.

Also, that group in Australia that's doing peer-to-peer certification
has an approach that I think is theoretically valid in a different way
and in a different context, because it's a chain of face-to-face trust.
I haven't got a certificate from them yet, but I want to see how well
they implement things. 

First I have to make sure I really understand what's going on with
openssl and the more hierarchical approach.

--
Joel Rees   [EMAIL PROTECTED]
digitcom, inc.

Re: Does a root CA need two certificates?

2005-01-19 Thread Bernhard Froehlich
Joel wrote:

Sorry, I wasn't clear in my question. (I'm confused, I know.)

(And thanks for trying to help a confused newb. ;-)
[...]
  

What I'm trying to ask, if I can get it right this time, is whether a
root CA will be passing its own self-signed certificate out. 
  

Ahh, now I think we get nearer to the mark. ;)
Yes, the root CA has to distribute its self signed certificate (NOT its
private key, just the cert. There seem to be misunderstandings about
that elsewhere) to those who have to trust it. For example if your
employees have to make sure they are on a company website you have to
give them a disk (this is the secure channel here) containing the CA's
certificate and they have to import it into their browsers.

N.B.: Just make sure that your CA certificate is not used to sign fake
certificates, since if your employees trust your CA this also implies
(at least with current browser implementations) that they trust every
certificate signed by your CA, even if you hand out certificates for
www.bigbank.com or www.ebay.com...

I think I've figured it out, by the way. In the case of the web server,
the self-signed certificate is not intended for certifying the web site,
but for certifying the certificate(s) of (a) web site(s), which is why
two are necessary. 
  

Yes, that sounds correct.

But in the case of a CA, the certificate is for signing certificates for
other CAs and won't be given out otherwise. But it would be given out
with the signed certificates for the subordinate CAs.
  


But if the root CA machine is also signing server certificates (which it
should not, but that's another story), it should have a separate
certificate for signing certificates for servers. Should also have a
separate piece of the directory tree to do it in.
  

Though a CA can sign other CAs and thereby build longer CA-chains it is
more common in Inhouse-CAs to directly sign end-user (or end-server)
certificates. And as explained above the self signed certificate of the
root CA has to be distributed.

The approach described by you is a more secure but less practical way.
You typically do this if you are Thawte or Verisign and your root
certificate has to have a very late expiry date, like 25 years from
now. Then it is better to keep the root CA's private(!) keys very very
secure in a bank vault and only use it once a year to sign certificates
for some sub-CAs, which expire in a year or so and are then used to sign
end-user certificates. Now if one of the sub-CAs compromises its private
key, only the certificates signed by this particular sub-CA are void,
and not possibly those of ten or twenty years of work.
But still the root CA's certificate (which apart from management
information primarily contains its signed public(!) key part) has to be
distributed, in the case of Thawte etc. to Bill, the Mozilla project and
people like that.

Am I getting warm?
  

I think you are already rather close.

Ted
;)

-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
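
The hierarchy discussed in this thread (a self-signed root whose key only signs CAs, a shorter-lived issuing CA, and a server certificate), as an added example that is not from any of the posters. All subject names, file names and lifetimes are constructed; the script checks that the server certificate validates only against the distributed root with the full chain present, and prints the root fingerprint that would be confirmed over a separate channel.

```shell
#!/bin/sh
# Constructed lab PKI: root CA -> issuing (sub) CA -> server certificate.
# Every name below (Example Root CA, www.example.internal, file names) is made up.

make_pki() {   # make_pki DIR : build the hierarchy inside DIR
    (
    cd "$1" || exit 1
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[sub_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Root CA: the only self-signed certificate; its key signs CAs and nothing else.
    openssl req -new -x509 -config pki.cnf -extensions root_ca -newkey rsa:2048 \
        -nodes -keyout root.key -out root.crt -days 3650 \
        -subj "/CN=Example Root CA" || exit 1
    # Issuing CA: signed by the root key; pathlen:0 forbids CAs below it.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout sub.key -out sub.csr -subj "/CN=Example Issuing CA" || exit 1
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -set_serial 1 \
        -extfile pki.cnf -extensions sub_ca -days 365 -out sub.crt || exit 1
    # Server (end-entity) certificate: signed by the issuing CA, CA:FALSE.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout server.key -out server.csr -subj "/CN=www.example.internal" || exit 1
    openssl x509 -req -in server.csr -CA sub.crt -CAkey sub.key -set_serial 2 \
        -extfile pki.cnf -extensions server -days 90 -out server.crt || exit 1
    # An unrelated self-signed certificate that merely carries the root's name.
    openssl req -new -x509 -config pki.cnf -extensions root_ca -newkey rsa:2048 \
        -nodes -keyout other.key -out other.crt -days 3650 \
        -subj "/CN=Example Root CA" || exit 1
    ) >/dev/null 2>&1
}

# chain_ok DIR ANCHOR [INTERMEDIATE]
# Succeeds only if DIR/server.crt validates up to the trust anchor DIR/ANCHOR,
# optionally with DIR/INTERMEDIATE supplied as an untrusted chain certificate.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1/$2" -untrusted "$1/$3" "$1/server.crt"
    else
        openssl verify -CAfile "$1/$2" "$1/server.crt"
    fi >/dev/null 2>&1
}

# is_ca CERT : does the certificate assert basicConstraints CA:TRUE?
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# fingerprint CERT : SHA-256 fingerprint, the value compared out of band
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

PKI=$(mktemp -d) && make_pki "$PKI" || exit 1

chain_ok "$PKI" root.crt sub.crt  && echo "OK:   server.crt chains to the distributed root"
chain_ok "$PKI" root.crt          || echo "FAIL: intermediate missing, chain cannot be built"
chain_ok "$PKI" other.crt sub.crt || echo "FAIL: same-name self-signed cert is not the issuer"
echo "Root fingerprint to confirm over a separate channel:"
fingerprint "$PKI/root.crt"
```

Only `root.crt` is handed to relying parties; `root.key` and `sub.key` never leave the CA.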





Re: Does a root CA need two certificates?

2005-01-19 Thread Richard Levitte - VMS Whacker
Joel,

you seem to be a bit confused about PKI matters, and among others
what's considered private and what's considered public.

Let me start with the private vs. public part:  private keys are
designed to be kept private by the owner.  Certificates (which contain
the public key) are designed to be public and to be given out to
anyone who needs it or is interested.

Also, a small detail: CA certificates aren't used to sign with, the
private keys are.  You use CA certificates to validate a signature in
any certificate issued by that CA (this puts it simply, since there
are other data that are checked between certificates, but the
signature check is still the most important thing).

Now, the way things work with an X.509/PKIX flavor of PKI, you validate
a certificate (any kind of certificate, be it a user certificate, a
server certificate or whatever kind of certificate we're able to
invent) by checking it against an issuing certificate (a CA
certificate), among others by checking that the signature in the
current certificate can be verified using the public key in the
issuing certificate.  This is done all the way to the top (the root
certificate).

To be able to do a proper certificate validation, you therefore need
all the certificates in the chain, from the certificate you want to
validate to the root certificate that starts (or ends, depending on
your point of view) the chain.  This holds true for anyone who needs
to validate your server certificate as well as any certificate your
server needs to validate.

So, to directly answer your questions:

rees What I'm trying to ask, if I can get it right this time, is
rees whether a root CA will be passing its own self-signed
rees certificate out.

Yes, in one form or another.

rees I think I've figured it out, by the way. In the case of the web
rees server, the self-signed certificate is not intended for
rees certifying the web site, but for certifying the certificate(s)
rees of (a) web site(s), which is why two are necessary.

That's correct.  Those aren't two CA certificates, though.  The root
certificate is the CA certificate, while the server certificate is an
EE (End Entity) certificate.  You confused the matter for yourself
earlier by talking about two CA certificates.

rees But in the case of a CA, the certificate is for signing
rees certificates for other CAs and won't be given out otherwise. But
rees it would be given out with the signed certificates for the
rees subordinate CAs.

This is confusing.  Either you're publishing a certificate or you
aren't.  It doesn't matter if it's bundled with subordinate
certificates or not.  And either way, if you want others to be able to
validate a certificate issued by the subordinate CAs, you need to
publish the root CA certificate as well.

rees But if the root CA machine is also signing server certificates
rees (which it should not, but that's another story), it should have
rees a separate certificate for signing certificates for servers.
rees Should also have a separate piece of the directory tree to do it
rees in.

You are confusing the matter.  It seems like you're saying the CA
should split in two, one that signs subordinate CAs and one that signs
your server certificate.  Now, the question is, when you split that CA
in two, are you actually creating an entirely different CA that uses
the same key, or are you in fact creating another subordinate CA
(using the same key?)?

You might want to draw a tree that shows how the root CA, subordinate
CAs and other entities are related to each other.  A picture does say
more than a thousand words, and I've already spent a few hundred of
them :-).

Cheers,
Richard

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up.
-- C.S. Lewis
__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        openssl-users@openssl.org
Automated List Manager           [EMAIL PROTECTED]


Re: Even CA's make mistakes..

2005-01-19 Thread Alok
A bit off the thread...
Ever wondered if one can break PKI given that the 1st request to a server is
mostly GET /  in https?
Any ideas?
- Original Message - 
From: Shaun Lipscombe [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Wednesday, January 19, 2005 4:57 AM
Subject: Even CA's make mistakes..


 In continuing the thread on can you trust a CA.. you have to remember
 that there's a human process involved and if someone can perform
 identity fraud in the REAL world then they can also perform it in the
 virtual world. PKI only tries to tie these two realms together.

 Please see..

 http://www.cert.org/advisories/CA-2001-04.html
 http://support.microsoft.com/kb/293818/EN-US/

 The day someone managed to obtain a valid certificate claiming for the
 identity Microsoft Corp

 Shaun


Re: Does a root CA need two certificates?

2005-01-19 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Wed, 19 Jan 2005 11:47:25 +, Shaun 
Lipscombe [EMAIL PROTECTED] said:

shaun.lipscombe At least with SSL you have a single entity at the top,
shaun.lipscombe in OpenPGP etc you have a web of trust and key
shaun.lipscombe signing parties and lots of other stuff which really
shaun.lipscombe makes key validity a touch n go subject and people
shaun.lipscombe being who they say they are gets a bit of an iffy
shaun.lipscombe subject.

OK, time to call bullshit when I see it :-)

OpenPGP has a different trust model than X.509/PKIX, it's entirely
true.  Making that something inherently bad is what I call BS.

The trust model for OpenPGP is direct, personal validation of
identity.  I won't sign another person's PGP key unless I either know
this person personally, or can validate his/her identity through some
kind of identity paper, for example a passport together with a
business card where his/her email address is clearly shown together
with the same name as on the passport.  The validation chain is a
chain of such checkups, basically, coupled with trust settings (they
can be viewed as policy settings are viewed in the X.509/PKIX world).

The trust model for X.509/PKIX is to trust a higher authority, but can
also be set up as a personal web of trust if you set up your own CA
and use policy extensions properly.

shaun.lipscombe Just search any keyserver for Superman and I'm sure
shaun.lipscombe you'll find someone that claims to be Superman for
shaun.lipscombe example.

Claims it in what way?  You mean as part of the real name or as part
of the email address?  Either way, what stops anyone claiming the same
in the X.509/PKIX world?  That's not the point either way, the point
is if you trust the claim, or if you trust someone who would trust
that claim.  That kind of trust can be handled, both in the OpenPGP
world and the X.509/PKIX one.

Cheers,
Richard

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up.
-- C.S. Lewis


Re: Does a root CA need two certificates?

2005-01-19 Thread Joel
Thanks, Ted and Richard, especially for going to the effort of
deciphering my English.

(One of these days I'll learn how to type fast and be lucid at the same
time.)

On the question of using certificates to sign vs. using keys to sign,
could I ask for one more clarification -- 

If, for the sake of argument, I made a key for CA use, signed
certificates for servers with it, and then made the CA's certificate,
are the certificates signed when only the key existed going to be valid?
And are they going to be identical to certificates signed afterwards,
other than entropy?

I don't want to do this, it's just the quickest way I can think of to
ask about the mechanical interdependencies.

--
Joel Rees   [EMAIL PROTECTED]
digitcom, inc.

Re: Even CA's make mistakes..

2005-01-19 Thread Alok


 * Alok wrote:

  A bit off the thread...
  Ever wondered if one can break PKI given that the 1st request to a
server is
  mostly GET /  in https?

 The GET /HTTP/1.0 is done using a symmetric cipher like RC2 or RC4 etc.
 The PKI is only used to transfer the symmetric key between hosts.  Using
 a suitable keylength (1024) it's a tough job to break.  Longer than the
 lifetime of the universe or some silly number like that.

yup the PKI part may be a problem

let's take PKI out for a moment and talk simple block encryption,

given that you know
a. the message or the 1st few bits in it
b. the set of possible block algorithms used to encrypt

Can you determine session key?




Re: Even CA's make mistakes..

2005-01-19 Thread Bernhard Froehlich
Alok wrote:
[...]
lets take PKI out for a moment and talk simple block encryption,
given that you know
a. the message or the 1st few bits in it
b. the set of possible block algorithms used to encrypt
Can you determine session key?
 

If it would be known to be possible this would not be an algorithm in 
wide use. This kind of attack is well known as a known plaintext attack.

Ted
;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26




A bug in OBJECT management?

2005-01-19 Thread Dmitry Belyavsky
Hello!

It seems to me I've found a bug in openssl req command.
I use a 2005-01-17 snapshot of 0.9.8 branch.
openssl is configured with libefence in debug mode with

./config -d shared.

In my script I load fake engine looking like simplified rsaref demo, but
registering its own cipher algorithm via OBJ_create & EVP_add_cipher
inside the engine.

I export LD_LIBRARY_PATH with values pointing to snapshot dir and engine
dir and use openssl in interactive mode.

I load my engine with command

engine - dynamic -pre SO_PATH:../minimum/obj_mid.lnx/eng_min.so -pre 
LIST_ADD:1  -pre LOAD

and create rsa certificate request with command

req -newkey rsa:512 -keyout rsakey.pem -nodes -out rsareq.pem

After that I exit from app, getting a SEGFAULT. It seems to me it is
caused by double free() on cleanup, because commenting out OBJ_cleanup
at apps/req.c saves from SEGFAULT, and nothing happens without
libefence.

Engine source code is attached.

Please, tell me where is my mistake. Thank you.

-- 
SY, Dmitry Belyavsky (ICQ UIN 6575)
#include <stdio.h>
#include <string.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/bn.h>
#include <openssl/engine.h>
#include <openssl/objects.h>

static int NID_minimum_cipher_GOST = NID_undef;

#define OID_gost89 "1.2.643.2.9.1.1.1"
#define SN_gost89 "gost89"
#define LN_gost89 "GOST 28147-89 symmetric cipher"

int register_minimum_NID (void)
{
	NID_minimum_cipher_GOST = OBJ_create(OID_gost89, SN_gost89, LN_gost89);
	if (NID_minimum_cipher_GOST == NID_undef) {goto err;}
	return 1;
	
err:
	 NID_minimum_cipher_GOST = NID_undef;
	return 0;
}

/* Fake crypt functions */
int cce_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
		const unsigned char *iv, int enc){return 1;}

int	cce_cipher_do(EVP_CIPHER_CTX *ctx, unsigned char *out,
		const unsigned char *in, unsigned int inl){return 1;}

int cce_cipher_cleanup(EVP_CIPHER_CTX *ctx){return 1;}

#define minimum_LIB_NAME "minimum GOST engine"

static const char *engine_minimum_id = "minimum";
static const char *engine_minimum_name = "minimum GOST engine";

static int cce_destroy(ENGINE *e);
static int cce_init(ENGINE *e);
static int cce_finish(ENGINE *e);

/* Engine commands */
static const ENGINE_CMD_DEFN cce_cmd_defns[] = {
		{0, NULL, NULL, 0}
	};

/* Symmetric cipher and digest function registrar */

static int cce_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
		 const int **nids, int nid);

static int cce_cipher_nids[]=
{NID_undef,0};

static EVP_CIPHER cipher_gost = 
	{
	  NID_undef,
	  1,/*block_size*/
	  32,/*key_size*/
	  8,
	  EVP_CIPH_CFB_MODE|EVP_CIPH_CUSTOM_IV|EVP_CIPH_NO_PADDING,
	  cce_cipher_init,
	  cce_cipher_do,
	  cce_cipher_cleanup,
	  0,/* ctx_size */
	  NULL,
	  NULL,
	  NULL,
	  NULL,
	};

static int cce_init(ENGINE *e) { 
	return 1;
}
static int cce_finish(ENGINE *e) { 
	return 1;
}

static int cce_destroy(ENGINE *e) {
	return 1;
}

static int bind_cce (ENGINE *e,const char *id) {
	if (id && strcmp(id, engine_minimum_id)) return 0;
	if (!ENGINE_set_id(e, engine_minimum_id)) {
		printf("ENGINE_set_id failed\n");
		return 0;
	}
	if (!ENGINE_set_name(e, engine_minimum_name)) {
		printf("ENGINE_set_name failed\n");
		return 0;
	}	
	if (!register_minimum_NID()) return 0;
	/*  set up NIDs */
	cipher_gost.nid = NID_minimum_cipher_GOST;
	/*  end set up NIDs */
	if (!ENGINE_set_ciphers(e, cce_ciphers)) {
		printf("ENGINE_set_ciphers failed\n");
		return 0;
	}	
	if ( ! ENGINE_set_destroy_function(e, cce_destroy)
		|| ! ENGINE_set_init_function(e,cce_init)
		|| ! ENGINE_set_finish_function(e,cce_finish)) return 0;
	if (!EVP_add_cipher(&cipher_gost)) return 0;
	return 1;
}	

#ifdef _WIN32
extern __declspec( dllexport ) 
#endif
	
#ifndef OPENSSL_NO_DYNAMIC_ENGINE
IMPLEMENT_DYNAMIC_BIND_FN(bind_cce);
IMPLEMENT_DYNAMIC_CHECK_FN();
#else
static ENGINE *engine_cce(void)
	{
	ENGINE *ret = ENGINE_new();
	if(!ret)
		return NULL;
	if(!bind_cce(ret, engine_minimum_id))
		{
		ENGINE_free(ret);
		return NULL;
		}
	return ret;
	}

void ENGINE_load_cce(void)
	{
	/* Copied from eng_[openssl|dyn].c */
	ENGINE *toadd = engine_cce();
	if(!toadd) return;
	ENGINE_add(toadd);
	ENGINE_free(toadd);
	ERR_clear_error();
	}
#endif /* OPENSSL_NO_DYNAMIC_ENGINE */

static int cce_ciphers (ENGINE *e,const EVP_CIPHER **cipher,
		const int **nids, int nid) {
	int ok = 1;
	if (!cipher) {
		/* return list of supported nids */
		if (cce_cipher_nids[0] == NID_undef) {
			cce_cipher_nids[0] = NID_minimum_cipher_GOST;
		}
		*nids = cce_cipher_nids;
		return 1; /* Only one cipher supported */
	}

	if(nid == NID_minimum_cipher_GOST) {
		*cipher = &cipher_gost;
	} else {
		ok = 0;
	}
	return ok;
}	



Re: Does a root CA need two certificates?

2005-01-19 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Wed, 19 Jan 2005 22:35:46 +0900, Joel [EMAIL 
PROTECTED] said:

rees On the question of using certificates to sign vs. using keys to
rees sign, could I ask for one more clarification -- 
rees 
rees If, for the sake of argument, I made a key for CA use, signed
rees certificates for servers with it, and then made the CA's
rees certificate, are the certificates signed when only the key
rees existed going to be valid? And are they going to be identical to
rees certificates signed afterwards, other than entropy?

It's really a matter of interpretation for those doing the validation,
and as long as things look OK at the time you publish any certificate,
there should really be no problems.

There are a few things to keep track of, though:

 - it would look quite suspicious if the notValidBefore field of the
   CA certificate is later than the notValidBefore field of any
   certificate it has issued.
 - there are extensions that get data from the issuing certificate, so
   creating certificates using only a key may not be very productive.
 - the openssl utility won't allow it, because it will need the issuer
   certificate to be able to fill in the issuer field, at the very
   least.

Cheers,
Richard

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up.
-- C.S. Lewis
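
The mechanics discussed in the two replies above (the CA's private key signs, the CA's certificate is what validators check against, and the whole chain up to the root is needed), as an added example that is not part of the thread. It assumes the openssl command-line tool is on PATH; every name and file in it is constructed, and it goes one step further than the thread by also testing a root certificate that carries the same name but a different key.

```shell
#!/bin/sh
# Added example. All names (Demo Root CA, Demo Sub CA, www.example.test) are constructed.

selfsign() {   # $1 = output cert name, $2 = key name, $3 = serial number
  openssl req -new -x509 -config "$d/pki.cnf" -extensions ca_ext -key "$d/$2.key" \
    -subj "/CN=Demo Root CA" -set_serial "$3" -days 3650 -sha256 -out "$d/$1.pem"
}

issue() {      # $1 = new name, $2 = subject CN, $3 = issuer name, $4 = extension section, $5 = serial
  openssl genrsa -out "$d/$1.key" 2048 2>/dev/null
  openssl req -new -config "$d/pki.cnf" -key "$d/$1.key" -subj "/CN=$2" -out "$d/$1.csr"
  # The issuer's PRIVATE KEY signs; the issuer's CERTIFICATE supplies the issuer name.
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" -set_serial "$5" \
    -extfile "$d/pki.cnf" -extensions "$4" -days 365 -sha256 -out "$d/$1.pem" 2>/dev/null
}

build_pki() {  # $1 = empty working directory
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ee_ext]
basicConstraints = CA:FALSE
EOF
  openssl genrsa -out "$d/root.key" 2048 2>/dev/null
  selfsign root root 1                          # root CA certificate (self-signed)
  issue sub "Demo Sub CA" root ca_ext 2         # subordinate CA, signed with the root key
  issue server "www.example.test" sub ee_ext 3  # EE certificate, signed with the sub-CA key
  selfsign root2 root 4    # root certificate made AFTER issuing: same key, same subject
  openssl genrsa -out "$d/fake.key" 2048 2>/dev/null
  selfsign fake fake 5     # same subject name, unrelated key
}

chain_ok() {   # $1 = trusted root, $2 = certificate to validate, $3 = optional intermediate
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
  fi
}

demo() {
  w=$(mktemp -d) && build_pki "$w" || return 1
  for c in "root sub" "root" "root2 sub" "fake sub"; do
    set -- $c
    if chain_ok "$w/$1.pem" "$w/server.pem" "${2:+$w/$2.pem}"; then r=valid; else r=REJECTED; fi
    echo "anchor=$1 intermediate=${2:-none}: $r"
  done
  rm -rf "$w"
}
demo
```

The root2 case validates because the signature on the sub-CA certificate depends only on the root key and the issuer name; the date and extension caveats listed in the reply above still apply to a real deployment.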


Re: Does a root CA need two certificates?

2005-01-19 Thread Mark H. Wood

On Wed, 19 Jan 2005, Richard Levitte - VMS Whacker wrote:
 In message [EMAIL PROTECTED] on Wed, 19 Jan 2005 11:47:25 +, Shaun 
 Lipscombe [EMAIL PROTECTED] said:
[snip]
 shaun.lipscombe Just search any keyserver for Superman and I'm sure
 shaun.lipscombe you'll find someone that claims to be Superman for
 shaun.lipscombe example.

 Claims it in what way?  You mean as part of the real name or as part
 of the email address?  Either way, what stops anyone claiming the same
 in the X.509/PKIX world?  That's not the point either way, the point
 is if you trust the claim, or if you trust someone who would trust
 that claim.  That kind of trust can be handled, both in the OpenPGP
 world and the X.509/PKIX one.

"Claims it in what way?" is in fact an extremely important question.  I
have little doubt that someone could find a judge willing to allow him to
change his legal name to Superman.  After that it would say Superman
on his business cards, bank accounts, utility bills, etc. and it would be
reasonable to say that that person's name is Superman, or, here, let me
give you a copy of Superman's email certificate.

None of that says anything about whether the individual in question is the
comic-book hero, able to fly, crush charcoal into diamonds in his hand,
reflect bullets with his unprotected flesh, a native of Krypton, etc.
It's necessary to think about what "his name is Superman" means, and
whether that meaning is of any use in determining the kind of identity you
want to prove.  The same is true of X.509 or OpenPGP certificates, or
really any other identifier.  It's always necessary to decide what it is
you want to know, before accepting something as identification.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Open-source executable:  $0.00.  Source:  $0.00  Control:  priceless!



linking 64-bit apps against 32-bit openssl libs

2005-01-19 Thread Medi Montaseri
Can I link a 64-bit app with a 32-bit openssl lib ?
More specifically, the environment would be
OS = FreeBSD 5.2.1
CC = gcc 3.3.3
Linker = ld 2.13.2
32-bit Lib = OpenSSL
I personally don't think that is possible. However, my peer has managed 
to compile a 64-bit
app with the 32-bit SSL lib and claims it even runs. In fact ld 
should've stopped it before even linking it.

Some clarification would be appreciated...
Thanks


Re: What is that CA directory in the template directory layout?

2005-01-19 Thread Joel
Any takers on this?

I'm still thinking that ${OPENSSL_HOME}/CA/ is for the certificate one
signs as a CA and ${OPENSSL_HOME}/CA/private/ for the key for that
certificate, but a coworker here insists that the root certificate
belongs in ${OPENSSL_HOME}/ and the key for it in
${OPENSSL_HOME}/private/, where they'll get in the way of other keys,
and other files in general.

Again, anyone care to hit me with a clue stick?

--
Joel Rees   [EMAIL PROTECTED]
digitcom, inc.