Re: How to sign new certificates
Hi Ariel,

You can't achieve what you want because the certificate you bought is not a CA one: if you look at its extensions, you will find that the value of the Certificate Basic Constraints extension is End Entity and that it is set as Critical.

If the contrary were possible, then it would have been a big security hole: you could issue valid certificates for domains without authorization (like paypal.com) and it would enable you to mount sophisticated man-in-the-middle attacks.

To authenticate users on your website, create your own CA, issue certificates for them and then configure your webserver to accept only client certificates issued by your CA.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 10/12/2010 5:41 AM, Ariel wrote:
> Hi again,
>
> I could enable my site to use SSL with a wildcard certificate bought from GoDaddy by concatenating the "mysite.com.crt" and the "gd_bundle.crt" into a combined one, "mysite.com.combined.crt" (explained in a previous email).
>
> Now I want to enable SSL client certificates, creating new keypair files, new certificate signing requests (CSRs) and signing them using my combined cert file as the CA.
>
> Is that possible? How can I achieve this goal using the command line tool?
>
> Thanks,

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
How to sign new certificates
Hi again,

I could enable my site to use SSL with a wildcard certificate bought from GoDaddy by concatenating the "mysite.com.crt" and the "gd_bundle.crt" into a combined one, "mysite.com.combined.crt" (explained in a previous email).

Now I want to enable SSL client certificates, creating new keypair files, new certificate signing requests (CSRs) and signing them using my combined cert file as the CA.

Is that possible? How can I achieve this goal using the command line tool?

Thanks,
--
Ariel Diaz Bermejo
http://www.linkedin.com/in/adiazbermejo
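A worked version of Mounir's advice, added here and not part of the original thread: it creates a private CA, issues one client certificate from it, and exposes two shell checks, `is_ca_cert` (looks for CA:TRUE in the Basic Constraints extension, the property the purchased certificate lacks) and `verify_with_ca` (the same chain check s_client performs when given -CAfile). Everything it generates is throwaway and the names (Example Client CA, alice, ext.cnf) are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build a private client-auth CA as Mounir
# suggests, then show that the Basic Constraints extension is what separates a
# CA certificate from an end-entity one. Names and paths below are made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles: v3_ca marks a CA, v3_ee marks a plain (end-entity) cert,
# which is what a purchased server certificate carries (CA:FALSE, critical).
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example Client CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_ee ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# 1. Self-signed CA (our own, so the web server can restrict client certs to it).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
  -config ext.cnf -keyout ca.key -out ca.crt 2>/dev/null

# 2. A client key + CSR, signed by the CA with the end-entity profile.
openssl req -new -newkey rsa:2048 -nodes -config ext.cnf -subj "/CN=alice" \
  -keyout alice.key -out alice.csr 2>/dev/null
openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -extfile ext.cnf -extensions v3_ee -out alice.crt 2>/dev/null

# Is the certificate allowed to act as a CA? (the Basic Constraints check Mounir describes)
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Does a certificate chain to the given trust anchor? (what s_client -CAfile does)
verify_with_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

if is_ca_cert alice.crt; then echo "alice.crt is a CA"; else echo "alice.crt is end-entity only"; fi
if verify_with_ca alice.crt ca.crt; then echo "alice.crt chains to ca.crt"; fi
```

Run the same `is_ca_cert` check against a purchased server certificate to confirm it reports end-entity only, which is why it cannot be used as the CA for client certificates.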
Re: Issue with SSL certificate chain
On Mon, Oct 11, 2010 at 11:41 PM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Ariel
>> Sent: Monday, 11 October, 2010 20:05
>
>> I have a site (Rails app) that I'm trying to setup with SSL
>> and SSL Client Certificate (using nginx).
>> I bought a wildcard one-domain certificate at GoDaddy in order
>> to support multiple subdomains to my site: *.mysite.com
>
>> I downloaded the cert file and the bundle file; combined them into
>> one single cert and setup my nginx SSL directives to use it as suggested here [1].
>
>> Then I try to verify my setup using the openssl command line tool and I got this:
>
>> $ openssl s_client -connect mysite.com:443 -showcerts
>> CONNECTED(0003)
>> depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailaddress=i...@valicert.com
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> ---
>> Certificate chain
>
> Looks right, but you have to give s_client the root(s) to verify against.
> It does NOT automatically default, at least not in the standard distro.
>
> Get your desired root cert -- ValiCert Class 2 Policy Validation Authority --
> in a file in PEM format and give s_client -CAfile filename .
> (There are other ways to do this, but that's simplest.)
>
> Or test from a browser that comes with 'mainstream' CAs builtin.
> Even if your app doesn't talk HTTP, the browser should complete
> the SSL connection successfully before it gets an HTTP error.
> The two I have to hand, IE7 and FF3.6, do appear to include this CA.
> That is a good place to get the file you use for s_client above.

Thanks, it worked. Tested using the command line tool with the "-CAfile" option and also with a browser.

--
Ariel Diaz Bermejo
http://www.linkedin.com/in/adiazbermejo
RE: Issue with SSL certificate chain
> From: owner-openssl-us...@openssl.org On Behalf Of Ariel
> Sent: Monday, 11 October, 2010 20:05

> I have a site (Rails app) that I'm trying to setup with SSL
> and SSL Client Certificate (using nginx).
> I bought a wildcard one-domain certificate at GoDaddy in order
> to support multiple subdomains to my site: *.mysite.com

> I downloaded the cert file and the bundle file; combined them into
> one single cert and setup my nginx SSL directives to use it as suggested here [1].

> Then I try to verify my setup using the openssl command line tool and I got this:

> $ openssl s_client -connect mysite.com:443 -showcerts
> CONNECTED(0003)
> depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailaddress=i...@valicert.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain

Looks right, but you have to give s_client the root(s) to verify against.
It does NOT automatically default, at least not in the standard distro.

Get your desired root cert -- ValiCert Class 2 Policy Validation Authority --
in a file in PEM format and give s_client -CAfile filename .
(There are other ways to do this, but that's simplest.)

Or test from a browser that comes with 'mainstream' CAs builtin.
Even if your app doesn't talk HTTP, the browser should complete
the SSL connection successfully before it gets an HTTP error.
The two I have to hand, IE7 and FF3.6, do appear to include this CA.
That is a good place to get the file you use for s_client above.
Issue with SSL certificate chain
Hi,

I'm new to the list and I hope you can give some light into the following:

I have a site (Rails app) that I'm trying to setup with SSL and SSL Client Certificate (using nginx).
I bought a wildcard one-domain certificate at GoDaddy in order to support multiple subdomains to my site: *.mysite.com

I downloaded the cert file and the bundle file; combined them into one single cert and setup my nginx SSL directives to use it as suggested here [1]. So now I have something like this:

...
ssl_certificate /var/www/rails/mysite/ssl/mysite.com.combined.crt;
ssl_certificate_key /var/www/rails/mysite/ssl/mysite.com.key;
...

Then I try to verify my setup using the openssl command line tool and I got this:

$ openssl s_client -connect mysite.com:443 -showcerts
CONNECTED(0003)
depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailaddress=i...@valicert.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/O=*.mysite.com/OU=Domain Control Validated/CN=*.mysite.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
-----BEGIN CERTIFICATE-----
MIIFVzCCBD+gAwIBAgIHTyWPQS3tOjANBgkqhkiG9w0BAQUFADCByjELMAkGA1UE
.more...
mz61HEG2Bn/pe4dsaHFPgY3KjlDe+KaH/HuD
-----END CERTIFICATE-----
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIE3jCCA8agAwIBAgICAwEwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMx
.more...
qDTMBqLdElrRhjZkAzVvb3du6/KFUJheqwNTrZEjYx8WnM25sgVjOuH0aBsXBTWV
U+4=
-----END CERTIFICATE-----
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailaddress=i...@valicert.com
-----BEGIN CERTIFICATE-----
MIIE+zCCBGSgAwIBAgICAQ0wDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1Zh
.more...
SxOaFIqII6hR8INMqzW/Rn453HWkrugp++85j09VZw==
-----END CERTIFICATE-----
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailaddress=i...@valicert.com
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailaddress=i...@valicert.com
-----BEGIN CERTIFICATE-----
MIIC5zCCAlACAQEwDQYJKoZIhvcNAQEFBQAwgbsxJDAiBgNVBAcTG1ZhbGlDZXJ0
.more...
W/POuZ6lcg5Ktz885hZo+L7tdEy8W9ViH0Pd
-----END CERTIFICATE-----
---
Server certificate
subject=/O=*.mysite.com/OU=Domain Control Validated/CN=*.mysite.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 5355 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: BBC2FD59A062A4FC48C1384842895C3BCA559F37E23F4890AD518D2EA32FB54F
    Session-ID-ctx:
    Master-Key: 9B51A344FB76A9606E69179849A40B0E23CD897094D5A4BFD8C31752E64181F481930348B785754234BB93C6822293F7
    Key-Arg   : None
    Start Time: 1286841464
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

How can I solve this issue?? Any hints?

Thanks,

[1] http://nginx.groups.wuyasea.com/articles/how-to-setup-godaddy-ssl-certificate-on-nginx/2

--
Ariel Diaz Bermejo
http://www.linkedin.com/in/adiazbermejo
Problem: secure traffic with Perl lib MIME::Lite
Hello guys and hello girls and professor, hello my friends.

I work on the Perl lib MIME::Lite and am having problems related to secure traffic. I do not know how to discuss the subject except by proposing a pastebin: http://pastebin.com/hsr2ctMU

I do not understand why it does not work; my code from MIME::Lite is good.

--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7

signature.asc
Description: This is a digitally signed message part
Re: Crosscompiling openssl-fips-1.2 for arm-linux - still FIPS compliant?
On Mon, Oct 11, 2010, Ronald Wahl wrote:
> Hi,
>
> I'm currently trying to cross compile openssl-fips-1.2 for arm-linux on an
> x86 host. This aborts at a certain point. The problem has already been
> reported and solutions are provided. See here:
>
> http://www.mail-archive.com/openssl-users@openssl.org/msg59904.html
>
> I have not tried the solutions yet but my question is: if I do so, is the
> resulting module still FIPS compliant? The corresponding SecurityPolicy
> document contains the statement:
>
> "Note that failure to use one of the specified commands sets exactly
>  as shown will result in a module that cannot be considered compliant
>  with FIPS 140-2."
>
> So my current assumption is that we probably could build the module but you
> can't actually call it FIPS compliant anymore, which makes it rather
> useless. Is this correct?
>

The result *is* FIPS compliant: a change letter specifically supports cross compilation as long as you use the specified commands. You should be able to use them unmodified (using incore or a copying script) though you may need to change the environment variables to match the target system.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Crosscompiling openssl-fips-1.2 for arm-linux - still FIPS compliant?
Hi,

I'm currently trying to cross compile openssl-fips-1.2 for arm-linux on an x86 host. This aborts at a certain point. The problem has already been reported and solutions are provided. See here:

http://www.mail-archive.com/openssl-users@openssl.org/msg59904.html

I have not tried the solutions yet but my question is: if I do so, is the resulting module still FIPS compliant? The corresponding SecurityPolicy document contains the statement:

"Note that failure to use one of the specified commands sets exactly as shown will result in a module that cannot be considered compliant with FIPS 140-2."

So my current assumption is that we probably could build the module but you can't actually call it FIPS compliant anymore, which makes it rather useless. Is this correct?

greets,
ron

--
Ronald Wahl - ronald.w...@raritan.com - Phone +49 375271349-0 Fax -99
Raritan Deutschland GmbH, Kornmarkt 7, 08056 Zwickau, Germany
WEEE-Reg-Nr. DE28850302, USt-IdNr. DE813094160, Steuer-Nr. 226/117/02950
Amtsgericht Chemnitz HRB 23605
Geschäftsführung: Gerard W. J. Heuvel, Burkhard Wessler
RE: Getting detailed ssl-handshake debug output
I received the answer in a direct email and just wanted to share it here too:

- command line: openssl s_client -state -debug -connect host:port
- programmatic: one can look at the callback mechanism used in the above, specifically in apps/s_cb.c