Re: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.

2009-05-31 Thread David Woodhouse
On Tue, 2009-05-26 at 11:21 -0400, Victor Duchovni wrote:
 The server is unhappy with the client certificate chain, and drops the
 connection if the client certificate trust chain does not verify. The
 same server is willing to accept clients with no certificates at all.
 
 The server is lame. Don't use it with client certificates that don't
 have a complete trust chain.

That makes a certain amount of sense; thanks. Forgive my ignorance -- is
there a way to ensure that the full trust chain is included in the
certificate itself, rather than having to provide the -CAfile option to
openssl(1) separately? I naïvely tried just appending the contents of a
working cafile to the certificate.pem file but that's not sufficient.

I found another strange behaviour that I didn't expect -- the _order_ of
the certificates in the cafile seems to be important. My original
scripts which interact with the company's internal PKI infrastructure
would download a bunch of certificates separately and I would shove them
all in a single file with a command line like:
   for a in *.crt ; do cat "$a" ; echo ; done > company-certchain.crt

The resulting file would work, and allow me to connect to the server.

So I modified the scripts to create one big file just the same... except
that they'd be stored in the order that they were downloaded, instead of
alphabetical order by filename as the above shell command gave me. And
_that_ cafile doesn't work; I still get summarily disconnected.

Does ordering in trustchain files matter? If so, how do I ensure I get
the right order?

-- 
dwmw2

__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: TLS w/LDAP

2009-05-31 Thread Dave Stoddard
If you add set -x to the top of your script, you can see
the script execute line by line to locate the source of the
error.

Dave

-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of John Kane
Sent: Saturday, May 30, 2009 12:53 AM
To: openssl-users@openssl.org
Subject: RE: TLS w/LDAP

Thanks for the response, Kyle.

I've pretty much deduced what the error is, but just cannot figure out where it 
is coming from.  It only happens when I turn on TLS for LDAP.  There are really 
no 'variables' defined in the LDAP configs; nothing using the '[ $blah = blahblah ]'
syntax... that is why I turned to this list hoping to find what 
other file (non-ldap) might be read ONLY when I had the 'ssl start_tls' set in 
my ldap config.

John


 -Original Message-
 From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
 us...@openssl.org] On Behalf Of Kyle Hamilton
 Sent: Friday, May 29, 2009 10:19 PM
 To: openssl-users@openssl.org
 Subject: Re: TLS w/LDAP
 
 That's an error in the script you're launching at startup.  I don't
 know what it is, but I'd bet there's an unquoted '[' character
 somewhere that is only evaluated when TLS LDAP is enabled.  (see the
 '-bash: ' at the beginning of the line?  That tells you that bash is
 generating the error message.)
 
 -Kyle H
 
 On Fri, May 29, 2009 at 1:34 PM, John Kane
 john.k...@prodeasystems.com wrote:
  I just turned on TLS on my LDAP (per instructions on
  http://www.openldap.org/faq/data/cache/185.html).  Now all of my
 Linux
  servers give the following error on login:
 
  -bash: [: =: unary operator expected
 
  The error goes away when I turn TLS back off.  I cannot determine
 what
  is causing this error, or even which file contains the error.  I've
 gone
  through my LDAP config file, cannot find an issue in any of these.
 
  Other than my cacert.pem, and the LDAP config files, are there other
  files that are read only when TLS is turned on?
 
  Thanks,
  John
 
   Here's my configs 
 
  I turn on TLS by adding the following in my /etc/ldap.conf (pam/nss
  file):
 
 ssl start_tls
 tls_checkpeer yes
 tls_cacertfile /etc/openldap/cacerts/cacert.pem
 tls_cacertdir /etc/openldap/cacerts/
 
 
  and have the following in my /etc/openldap/ldap.conf (openldap file):
 
 HOST 172.25.3.97
 BASE dc=example,dc=net
 TLS_CACERTDIR /etc/openldap/cacerts/
 TLS_REQCERT allow
 
  and my (self-signed) cacert:
 
  [r...@serverx cacerts]# openssl x509 -text -in
  /etc/openldap/cacerts/cacert.pem
  Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 0 (0x0)
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: C=US, ST=Utah, O=Bigtime CA, OU=Signers,
 CN=Integration
  Root CA/emailaddress=john.sm...@myco.com
 Validity
 Not Before: May 28 04:37:13 2009 GMT
 Not After : May 27 04:37:13 2012 GMT
 Subject: C=US, ST=Utah, O=Bigtime CA, OU=Signers,
 CN=Integration
  Root CA/emailaddress=john.sm...@myco.com
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (1024 bit)
 Modulus (1024 bit):
 00:b3:bf:f0:18:5d:7e:57:0a:ce:15:3c:28:2a:81:
 6d:e6:c5:31:98:7e:cc:09:03:d2:28:f2:33:3e:88:
 11:5f:7d:e1:18:33:38:7d:f5:fa:9d:89:a8:95:16:
 08:00:81:08:29:ac:37:b3:b1:2b:f3:20:52:15:d7:
 19:44:92:9c:45:e7:2e:58:fe:7e:07:d4:1f:5a:ad:
 59:91:37:84:14:a8:4e:df:54:a2:62:66:38:9b:f0:
 cf:48:01:68:0d:3a:7c:93:83:02:48:e0:76:a1:5c:
 f9:05:3b:49:1e:03:9a:fd:ea:ee:79:f7:87:66:96:
 b0:69:39:e1:e6:1a:bd:9e:0d
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 
  0B:FB:7D:0B:0D:17:A3:CD:79:02:A3:A3:92:57:15:6F:DE:38:07:3C
 X509v3 Authority Key Identifier:
 
  keyid:0B:FB:7D:0B:0D:17:A3:CD:79:02:A3:A3:92:57:15:6F:DE:38:07:3C
 
 Signature Algorithm: sha1WithRSAEncryption
 28:52:3d:9c:90:d1:89:00:d7:9d:3b:06:a6:32:28:e8:c0:8d:
 9d:5a:0b:79:bb:1a:c9:1a:8d:c6:3a:a5:ec:5d:4c:9f:20:4c:
 c6:1e:41:df:7d:d5:fc:45:09:2b:4b:7c:ff:38:aa:ea:33:a0:
 4a:be:7c:84:7c:58:e8:98:9b:c9:0e:4b:5b:11:c6:28:84:b1:
 3f:bb:30:03:f6:38:40:9f:2d:32:bc:3a:97:b8:6f:fd:aa:9f:
 67:a6:27:07:53:b2:40:41:86:b7:02:f2:6b:07:6f:1b:74:87:
 63:3b:1b:89:13:08:cb:32:f0:3c:3b:5e:d6:df:e3:91:19:86:
 7a:d4
  -----BEGIN CERTIFICATE-----
  MIIDDzCCAnigAwIBAgIBADANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UERhMCVVMx
  DjAMBgNVBAgTBVRleGFzMRMwEQYDVQQKEwpCaWd0aW1lIENBMRAwDgYDVQQLEwdT
  

Re: Basic Question

2009-05-31 Thread Bob Bell
Thanks to all for the information that was exchanged. It did help me
understand.

Bob Bell

On Thu, May 28, 2009 at 2:05 PM, Bob Bell rt.bob.b...@gmail.com wrote:

 Folks -

 I have a basic question relative to the FIPS openSSL lib and US export
 control law. As I understand it, in order for the openSSL lib to run as a
 FIPS certified module, it must be configured to be loaded as a dynamically
 linked library. If that is so, how do you get an export classification of
 less than RESTRICTED since the library contains strong crypto, and the lib
 could be used to encrypt user data at rates which exceed the positive list
 restrictions?

 Bob Bell



Re: TLS w/LDAP - SOLVED

2009-05-31 Thread Michael S. Zick
On Sun May 31 2009, John Kane wrote:
 After painstakingly commenting everything out of all startup files, then
 adding them back in, I found the cause of the
 
 -bash: [: =: unary operator expected
 
 error that has been occurring on all Linux servers since turning on LDAP
 TLS on INT.
 
 In the file:
 
 /etc/profile.d/krb5-workstation.sh
 
 The following is causing the issue:
 
 if ! echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then
 if [ `/usr/bin/id -u` = 0 ] ; then
 PATH=/usr/kerberos/sbin:${PATH}
 fi
 fi
 
 
 If I add "" around the backticked command, the bash error goes away.
 Not sure who I need to open a ticket against :-)


A more general solution would be:

# Am I running as user 0 (root)?
uid=$(/usr/bin/id -u 2>/dev/null)
if [ "$uid" == 0 ] ; then

Note the use of white space and the change from
an assignment to a test for equality.

Usually, such problems get reported to the
distribution producer - they know who wrote
the script.

Mike
 Thanks,
 John
 


Re: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.

2009-05-31 Thread David Woodhouse
On Sun, 2009-05-31 at 10:13 +0100, David Woodhouse wrote:
 On Tue, 2009-05-26 at 11:21 -0400, Victor Duchovni wrote:
  The server is unhappy with the client certificate chain, and drops the
  connection if the client certificate trust chain does not verify. The
  same server is willing to accept clients with no certificates at all.
  
  The server is lame. Don't use it with client certificates that don't
  have a complete trust chain.
 
 That makes a certain amount of sense; thanks. Forgive my ignorance -- is
 there a way to ensure that the full trust chain is included in the
 certificate itself, rather than having to provide the -CAfile option to
 openssl(1) separately? I naïvely tried just appending the contents of a
 working cafile to the certificate.pem file but that's not sufficient.
 
 I found another strange behaviour that I didn't expect -- the _order_ of
 the certificates in the cafile seems to be important. My original
 scripts which interact with the company's internal PKI infrastructure
 would download a bunch of certificates separately and I would shove them
 all in a single file with a command line like:
    for a in *.crt ; do cat "$a" ; echo ; done > company-certchain.crt
 
 The resulting file would work, and allow me to connect to the server.
 
 So I modified the scripts to create one big file just the same... except
 that they'd be stored in the order that they were downloaded, instead of
 alphabetical order by filename as the above shell command gave me. And
 _that_ cafile doesn't work; I still get summarily disconnected.
 
 Does ordering in trustchain files matter? If so, how do I ensure I get
 the right order?

I implemented PKCS#12 support in the OpenConnect VPN client¹, and
created a PKCS#12 version of my certificate including the required trust
chain -- by appending the full trust chain file to my certificate.pem
file and then running: 
openssl pkcs12 -export -out cert.p12 -in cert.pem -inkey priv-key.pem

It only works if I reverse the order of the certificates it contains,
with a patch like the following:

diff --git a/ssl.c b/ssl.c
index 6f47568..3a8170c 100644
--- a/ssl.c
+++ b/ssl.c
@@ -163,7 +163,12 @@ static int load_pkcs12_certificate(struct openconnect_info 
}
 
if (ca) {
+   STACK_OF(X509) *ca2 = sk_X509_new_null();
+   
while ((cert = sk_X509_pop(ca))) {
+   sk_X509_push(ca2, cert);
+   }
+   while ((cert = sk_X509_pop(ca2))) {
char buf[200];
X509_NAME_oneline(X509_get_subject_name(cert), buf,
   sizeof(buf));
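Review bot: ca2 is allocated with sk_X509_new_null() but never freed once the second while loop has drained it, and a NULL return from that allocation is not handled before the first sk_X509_push; add an sk_X509_free(ca2) after the loop and bail out on allocation failure. The temporary stack is also avoidable: walking ca by index from sk_X509_num(ca) - 1 down to 0 with sk_X509_value() yields the same reversed order without the pop/push round trip and leaves ca intact for its owner to free. Minor: the line added directly after the sk_X509_new_null() call is whitespace only.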

I tried sk_X509_sort(ca) but that just segfaults...

-- 
dwmw2

¹ http://git.infradead.org/users/dwmw2/openconnect.git


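Both of David's messages above come down to the same question, which certificate goes where in the chain file, so here is one added example that is not code from the posts or from OpenConnect: it derives the order from the certificates themselves instead of from download or filename order, by following issuer-to-subject links from the client certificate up to a self-signed root and checking each link's signature on the way. It then prints the chain leaf first, verifies it the way a strict server would (last certificate as trust anchor, the rest as untrusted intermediates), and builds a PKCS#12 bundle from the ordered file. Function names, the pool directory of downloaded CA certificates and the password are assumptions made for the example; it needs openssl(1) 1.0.2 or newer for verify -partial_chain. The signature check is what makes file order stop mattering: when two CA certificates carry the same subject name (a re-keyed CA, for instance), a by-name lookup simply takes the first one it finds, whereas the check keeps only the certificate that actually signed the one below it.

```shell
#!/bin/sh
# Added example (not from the posts or from OpenConnect): order a bag of PEM
# certificates into a chain, leaf first, by following issuer -> subject links,
# verify the result as a strict server would, and bundle it as PKCS#12.
# Needs openssl(1) 1.0.2 or newer (verify -partial_chain). Function names,
# file names and the password are assumptions made for this example.

# Subject / issuer of the first certificate in a PEM file, without the label.
cert_subject() { openssl x509 -noout -subject -in "$1" 2>/dev/null | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -noout -issuer  -in "$1" 2>/dev/null | sed 's/^issuer= *//'; }

# Did CA certificate $2 really sign $1? A subject-name match is not enough when
# several CA certs carry the same name (a re-keyed CA), so check the signature.
signed_by() { openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1; }

# build_chain <leaf.pem> <dir>: print the leaf, then each issuer found among
# the certificates in <dir>, up to a self-signed root. Fails on a missing link.
build_chain() {
    cur=$1; dir=$2; depth=0
    while [ "$depth" -lt 10 ]; do
        openssl x509 -in "$cur" 2>/dev/null || return 1      # re-emit as clean PEM
        [ "$(cert_issuer "$cur")" = "$(cert_subject "$cur")" ] && return 0  # root reached
        next=
        for cand in "$dir"/*; do
            [ "$(cert_subject "$cand")" = "$(cert_issuer "$cur")" ] || continue
            signed_by "$cur" "$cand" || continue
            next=$cand; break
        done
        [ -n "$next" ] || { echo "build_chain: no issuer for $(cert_subject "$cur")" >&2; return 1; }
        cur=$next; depth=$((depth + 1))
    done
    echo "build_chain: chain longer than 10 certificates" >&2; return 1
}

# split_chain <chain.pem> <dir>: write the i-th certificate to <dir>/i.pem
# (1-based, file order) and print the number of certificates found.
split_chain() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n > 0 { print > (d "/" n ".pem") }' "$1"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# chain_subjects <chain.pem>: one subject per line, in file order, to eyeball
# whether a file really runs leaf -> intermediates -> root.
chain_subjects() {
    work=$(mktemp -d); count=$(split_chain "$1" "$work"); i=1
    while [ "$i" -le "$count" ]; do cert_subject "$work/$i.pem"; i=$((i + 1)); done
    rm -rf "$work"
}

# verify_chain <chain.pem>: the check a strict server applies to a client chain.
# Last cert = trust anchor, middle certs = untrusted intermediates, first = leaf.
verify_chain() {
    work=$(mktemp -d); count=$(split_chain "$1" "$work"); rc=1
    if [ "$count" -gt 2 ]; then
        i=2; while [ "$i" -lt "$count" ]; do cat "$work/$i.pem"; i=$((i + 1)); done > "$work/untrusted.pem"
        if openssl verify -CAfile "$work/$count.pem" -untrusted "$work/untrusted.pem" "$work/1.pem"; then rc=0; fi
    elif [ "$count" -ge 1 ]; then
        if openssl verify -CAfile "$work/$count.pem" "$work/1.pem"; then rc=0; fi
    fi
    rm -rf "$work"; return "$rc"
}

# make_pkcs12 <key.pem> <chain.pem> <out.p12> <password>: pkcs12(1) takes the
# certificate that matches the key as the user certificate and stores every
# other certificate in the file as a CA certificate, so the bundle carries the
# whole chain and the consumer needs no separate CAfile.
make_pkcs12() {
    openssl pkcs12 -export -in "$2" -inkey "$1" -out "$3" -passout "pass:$4"
}

# p12_cert_count <file.p12> <password>: how many certificates the bundle holds.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----'
}
```

Run build_chain client.pem downloaded-ca-certs/ > chain.pem, then verify_chain chain.pem before pointing s_client or OpenConnect at the result; chain_subjects chain.pem shows at a glance whether a file runs leaf, intermediate(s), root. A file that fails verify_chain because the certificates are in the wrong order fails in exactly the way a server that insists on a complete chain would reject the connection.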


Client Puzzle during SSL handshake

2009-05-31 Thread neha gupta
Hello, I want to implement SSL with a client puzzle (after the client hello
and server hello, the server will send a puzzle request, and the further steps will take
place only if the server gets a correct puzzle reply from the client).
Till now I have directly used the ssl_connect function, but now I need to support
the client puzzle. But I am not getting how the ssl_connect code is
implemented (I didn't find its code) and how to introduce the puzzle steps in it.
So, any suggestion on how to do this?


RE: TLS w/LDAP

2009-05-31 Thread John Kane
Thanks for the help, all;

The (handy) 'set -x' in the /etc/profile did show the culprit:

+ for i in '/etc/profile.d/*.sh'
+ '[' -r /etc/profile.d/krb5-workstation.sh ']'
+ . /etc/profile.d/krb5-workstation.sh
++ echo /usr/local/bin:/bin:/usr/bin
++ /bin/grep -q /usr/kerberos/bin
++ PATH=/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin
++ echo /usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin
++ /bin/grep -q /usr/kerberos/sbin
++ '[' = 0 ']'
-bash: [: =: unary operator expected


Thanks,
John



 -Original Message-
 From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
 us...@openssl.org] On Behalf Of Dave Stoddard
 Sent: Saturday, May 30, 2009 10:12 AM
 To: openssl-users@openssl.org
 Subject: RE: TLS w/LDAP
 
 If you add set -x to the top of your script, you can see
 the script execute line by line to locate the source of the
 error.
 
 Dave
 
 -Original Message-
 From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
 us...@openssl.org] On Behalf Of John Kane
 Sent: Saturday, May 30, 2009 12:53 AM
 To: openssl-users@openssl.org
 Subject: RE: TLS w/LDAP
 
 Thanks for the response, Kyle.
 
 I've pretty much deduced what the error is, but just cannot figure out
 where it is coming from.  It only happens when I turn on TLS for LDAP.
 There are really no 'variables' defined in the LDAP configs; nothing
 using the '[ $blah = blahblah ]' syntax... that is why I turned to
 this list hoping to find what other file (non-ldap) might be read ONLY
 when I had the 'ssl start_tls' set in my ldap config.
 
 John
 
 
  -Original Message-
  From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
  us...@openssl.org] On Behalf Of Kyle Hamilton
  Sent: Friday, May 29, 2009 10:19 PM
  To: openssl-users@openssl.org
  Subject: Re: TLS w/LDAP
 
  That's an error in the script you're launching at startup.  I don't
  know what it is, but I'd bet there's an unquoted '[' character
  somewhere that is only evaluated when TLS LDAP is enabled.  (see the
  '-bash: ' at the beginning of the line?  That tells you that bash is
  generating the error message.)
 
  -Kyle H
 
  On Fri, May 29, 2009 at 1:34 PM, John Kane
  john.k...@prodeasystems.com wrote:
   I just turned on TLS on my LDAP (per instructions on
   http://www.openldap.org/faq/data/cache/185.html).  Now all of my
  Linux
   servers give the following error on login:
  
   -bash: [: =: unary operator expected
  
   The error goes away when I turn TLS back off.  I cannot determine
  what
   is causing this error, or even which file contains the error.  I've
  gone
   through my LDAP config file, cannot find an issue in any of these.
  
   Other than my cacert.pem, and the LDAP config files, are there
 other
   files that are read only when TLS is turned on?
  
   Thanks,
   John
  
    Here's my configs 
  
   I turn on TLS by adding the following in my /etc/ldap.conf (pam/nss
   file):
  
  ssl start_tls
  tls_checkpeer yes
  tls_cacertfile /etc/openldap/cacerts/cacert.pem
  tls_cacertdir /etc/openldap/cacerts/
  
  
   and have the following in my /etc/openldap/ldap.conf (openldap
 file):
  
  HOST 172.25.3.97
  BASE dc=example,dc=net
  TLS_CACERTDIR /etc/openldap/cacerts/
  TLS_REQCERT allow
  
   and my (self-signed) cacert:
  
   [r...@serverx cacerts]# openssl x509 -text -in
   /etc/openldap/cacerts/cacert.pem
   Certificate:
  Data:
  Version: 3 (0x2)
  Serial Number: 0 (0x0)
  Signature Algorithm: sha1WithRSAEncryption
  Issuer: C=US, ST=Utah, O=Bigtime CA, OU=Signers,
  CN=Integration
   Root CA/emailaddress=john.sm...@myco.com
  Validity
  Not Before: May 28 04:37:13 2009 GMT
  Not After : May 27 04:37:13 2012 GMT
  Subject: C=US, ST=Utah, O=Bigtime CA, OU=Signers,
  CN=Integration
   Root CA/emailaddress=john.sm...@myco.com
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  RSA Public Key: (1024 bit)
  Modulus (1024 bit):
  00:b3:bf:f0:18:5d:7e:57:0a:ce:15:3c:28:2a:81:
  6d:e6:c5:31:98:7e:cc:09:03:d2:28:f2:33:3e:88:
  11:5f:7d:e1:18:33:38:7d:f5:fa:9d:89:a8:95:16:
  08:00:81:08:29:ac:37:b3:b1:2b:f3:20:52:15:d7:
  19:44:92:9c:45:e7:2e:58:fe:7e:07:d4:1f:5a:ad:
  59:91:37:84:14:a8:4e:df:54:a2:62:66:38:9b:f0:
  cf:48:01:68:0d:3a:7c:93:83:02:48:e0:76:a1:5c:
  f9:05:3b:49:1e:03:9a:fd:ea:ee:79:f7:87:66:96:
  b0:69:39:e1:e6:1a:bd:9e:0d
  Exponent: 65537 (0x10001)
  X509v3 extensions:
  X509v3 Basic Constraints:
  CA:FALSE
  Netscape Comment:
  OpenSSL Generated Certificate
  X509v3 Subject Key Identifier:
  
   

Re: TLS w/LDAP - SOLVED

2009-05-31 Thread Kyle Hamilton
They could also use $EUID == $UID == 0 to check the user ID, rather
than relying on an external utility.

($EUID is the effective user ID, $UID is the real uid.  Please see the
bash man page for more info.)

-Kyle H

On Sun, May 31, 2009 at 6:05 AM, Michael S. Zick open...@morethan.org wrote:
 On Sun May 31 2009, John Kane wrote:
 After painstakingly commenting everything out of all startup files, then
 adding them back in, I found the cause of the

 -bash: [: =: unary operator expected

 error that has been occurring on all Linux servers since turning on LDAP
 TLS on INT.

 In the file:

 /etc/profile.d/krb5-workstation.sh

 The following is causing the issue:

 if ! echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then
         if [ `/usr/bin/id -u` = 0 ] ; then
                 PATH=/usr/kerberos/sbin:${PATH}
         fi
 fi


 If I add "" around the backticked command, the bash error goes away.
 Not sure who I need to open a ticket against :-)


 A more general solution would be:

    # Am I running as user 0 (root)?
    uid=$(/usr/bin/id -u 2>/dev/null)
    if [ "$uid" == 0 ] ; then

 Note the use of white space and the change from
 an assignment to a test for equality.

 Usually, such problems get reported to the
 distribution producer - they know who wrote
 the script.

 Mike
 Thanks,
 John



Re: Basic Question

2009-05-31 Thread Kyle Hamilton
OpenSSL is publicly available code and thus has an export exemption.
Things linked with it, however, may not be, depending on their
configuration.

-Kyle H

On Thu, May 28, 2009 at 1:05 PM, Bob Bell rt.bob.b...@gmail.com wrote:
 Folks -

 I have a basic question relative to the FIPS openSSL lib and US export
 control law. As I understand it, in order for the openSSL lib to run as a
 FIPS certified module, it must be configured to be loaded as a dynamically
 linked library. If that is so, how do you get an export classification of
 less than RESTRICTED since the library contains strong crypto, and the lib
 could be used to encrypt user data at rates which exceed the positive list
 restrictions?

 Bob Bell



Re: TLS w/LDAP - SOLVED

2009-05-31 Thread Michael S. Zick
On Sun May 31 2009, Kyle Hamilton wrote:
 They could also use $EUID == $UID == 0 to check the user ID, rather
 than relying on an external utility.
 
 ($EUID is the effective user ID, $UID is the real uid.  Please see the
 bash man page for more info.)
 

I didn't want to re-design it. Just point out the
difference between an assignment and an equality
test.

Mike
 -Kyle H
 
 On Sun, May 31, 2009 at 6:05 AM, Michael S. Zick open...@morethan.org wrote:
  On Sun May 31 2009, John Kane wrote:
  After painstakingly commenting everything out of all startup files, then
  adding them back in, I found the cause of the
 
  -bash: [: =: unary operator expected
 
  error that has been occurring on all Linux servers since turning on LDAP
  TLS on INT.
 
  In the file:
 
  /etc/profile.d/krb5-workstation.sh
 
  The following is causing the issue:
 
  if ! echo ${PATH} | /bin/grep -q /usr/kerberos/sbin ; then
          if [ `/usr/bin/id -u` = 0 ] ; then
                  PATH=/usr/kerberos/sbin:${PATH}
          fi
  fi
 
 
  If I add "" around the backticked command, the bash error goes away.
  Not sure who I need to open a ticket against :-)
 
 
  A more general solution would be:
 
     # Am I running as user 0 (root)?
     uid=$(/usr/bin/id -u 2>/dev/null)
     if [ "$uid" == 0 ] ; then
 
  Note the use of white space and the change from
  an assignment to a test for equality.
 
  Usually, such problems get reported to the
  distribution producer - they know who wrote
  the script.
 
  Mike
  Thanks,
  John
 
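The fix discussed in the replies above has three separate parts (quoting the substitution, the comparison itself, and where the uid comes from), so here is one added example that reproduces the failing test(1) call with a controlled input and shows a replacement fragment. It is not code from any of the posters, and the function names are its own. John's set -x trace is the key: the line '[' = 0 ']' shows that id -u printed nothing at all, and once word splitting has discarded the empty substitution, test(1) is left with two arguments and reports the unary-operator error. Why id(1) went silent only with TLS enabled is a separate question; the fragment below at least stops a silent id(1) from breaking every login, and it stays within POSIX sh because /etc/profile.d fragments are sourced by whatever login shell a user has, and a shell other than bash does not set $EUID.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "[: =: unary operator
# expected" failure from /etc/profile.d/krb5-workstation.sh and show a fix
# that works in plain sh as well as bash. Each check takes the text that
# `id -u` would have printed, so the behaviour can be exercised for any
# value without changing users. Each returns test(1)'s exit status:
# 0 = root, 1 = not root, 2 = usage error (the "unary operator" message).

# The original pattern. Unquoted, an empty result disappears during word
# splitting and test(1) is left with `[ = 0 ]`, which it cannot parse.
is_root_unquoted() {
    [ $1 = 0 ] 2>/dev/null
}

# Quoted, an empty result is still an (empty) operand: `[ "" = 0 ]` is
# plainly false, so the script simply takes the non-root path.
is_root_quoted() {
    [ "$1" = 0 ] 2>/dev/null
}

# A numeric comparison does not rescue the unquoted form: -eq insists on an
# integer on both sides and also errors out on an empty string.
is_root_numeric() {
    [ "$1" -eq 0 ] 2>/dev/null
}

# Replacement for the profile.d fragment. POSIX sh only (no $EUID, which a
# non-bash login shell sourcing the fragment would not set), quoted test,
# and a failed or silent id(1) is treated as "not root" rather than as an
# error. Takes the current PATH and prints the adjusted one, so the caller
# decides whether to export it. (The fragment on the page calls /usr/bin/id
# by full path; plain id is used here so the example runs anywhere.)
kerberos_path() {
    path=$1
    uid=$(id -u 2>/dev/null) || uid=
    case ":$path:" in
        *:/usr/kerberos/sbin:*) ;;                   # already present, leave alone
        *) if [ "$uid" = 0 ]; then path=/usr/kerberos/sbin:$path; fi ;;
    esac
    printf '%s\n' "$path"
}
```

A quick way to see the difference on any machine is to call is_root_unquoted "" and is_root_quoted "" and compare $? afterwards: the first gives 2 and prints the error that was appearing at every login, the second gives a plain 1.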


Anyone know if ettercap will be further developed (or know where the authors NaGa and Alor are nowadays?)

2009-05-31 Thread Miguel Ghobangieno
Anyone know if ettercap will be further developed (or know where the authors 
NaGa and Alor are nowadays?)

I remember when it was in active development (ending in 2005). Each release 
brought new things. I remember using it, and watching my ssh login go by in 
plaintext made me configure ssh to only allow SSHv2.

The developers are:

Alberto Ornaghi (ALoR)

He works as a Security Consultant in an Italian professional services company 
active in Information and Communication Technology (ICT)
 Age: 30-06-17
 e-mail: a...@users.sourceforge.net

Marco Valleri (NaGA)

Works as a Security Engineer for another IT security company (we are competitors) 
:)
 Age: 30-08-02
 e-mail: n...@antifork.org

But they don't answer email nor is anything developed for the app anymore.
It would be a shame to see it wither and die in the face of new technologies.
Or become unusable in the face of linux kernel changes.