RE: Becoming a CA for group of internal servers?
Many thanks! - I now see the S-A-N in the signed cert :)

Next challenge is I'd like to create a pkcs12 file as below ...

    openssl pkcs12 -export -in server.crt -inkey server.key -name tomcat -passout pass:changeit -out serverkeystore.pfx

However when I view with ...

    openssl pkcs12 -in serverkeystore.pfx -info

I can't see S-A-N within the .pfx?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: 01 September 2011 23:16
To: openssl-users@openssl.org
Subject: RE: Becoming a CA for group of internal servers?

> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> Sent: Thursday, 01 September, 2011 17:43
>
> > Many thanks again, okay a little progress now... after creating the request by running;
> >
> >     openssl req -new -key server.key -out server.csr -config customopenssl.cnf
> >
> > then viewing with;
> >
> >     openssl req -in server.csr -text -noout
> >
> > I can see the S-A-N. However when I then sign with;
> >
> >     openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
> >
> > And then view with;
> >
> >     openssl x509 -in server.crt -text -noout
> >
> > I do not see the S-A-N?
>
> As I said, 'x509 -req' does NOT use the extensions in the CSR. You need to use -extfile and possibly -extensions (not -extsect as I mistyped in the other message) *on 'x509 -req'*.
>
> Specifically, if you have subjectAltName=@something in [v3_req], as you normally would for 'req -new', just add
>
>     -extfile customopenssl.cnf -extensions v3_req
>
> Or you can put extensions=v3_req in the default section (which I notate [] but actually has no [x] line at all), or put the subjectAltName=@something directly in default, and use just
>
>     -extfile customopenssl.cnf
>
> Or you could use 'ca' instead, but I think you're closer this way.
>
> > I assume I should expect to see this in the signed .crt?
>
> Once you get it right, yes.
>
> > When I created my ca.crt I did not have an updated customopenssl.cnf do I need to re-create my ca.crt?
>
> No change in the CA cert (or key) is needed. The items/sections you've been changing in your .cnf are for the child CSRs certs.
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
> Sent: 01 September 2011 20:51
> To: openssl-users@openssl.org
> Subject: RE: Becoming a CA for group of internal servers?
>
> > From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> > Sent: Wednesday, 31 August, 2011 21:32
> >
> > > I tested with below, all looks good. After running I am converting to .der files and generating a keystore with ImportKey.java - could this be removing what is needed?
> >
> > looks good means 'x509 -text -noout' DOES show S-A-N?
> >
> > If it's in the cert at all, it's within the signed part, so nothing that processes the cert can remove or modify it without invalidating the signature, which should cause (hopefully obvious) errors whenever it is used for anything.
> >
> > > From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
> > >
> > > > Before using the cert, test it with the command:
> > > >
> > > >     openssl x509 -in yourcert.cer -noout -text
> > > >
> > > > If the parameters were in the right place, you should see all the extra names as SubjectAlternativeName attributes in the cert.
> > > >
> > > > On 8/31/2011 11:52 PM, Hopkins, Nathan wrote:
> > > > > snip
> > > > > I have also observed when viewing the certificates I am unable to see any references to the alt_names added, I have double checked the CA certificate created with below steps has been successfully added to Authorities and for the CN it works as expected.
> >
> > 'viewing the certificates' where and how? If it's in a java keystore, keytool -list -v should show all extensions including S-A-N.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
pkcs7 signature with timestamp
Hi there

I'm trying to create a pkcs7 signature with timestamp for a pdf-signature.

With

    openssl smime -sign -in tmp.pdf -inkey s.key -signer s.cer -outform der -binary

I get a der-encoded pkcs7-signature. With

    openssl ts -query -data tmp.pdf -out req.tsq

and

    openssl ts -reply -config openssl.conf -queryfile req.tsq -out response.tsr

I get a der-encoded pkcs7-timestamp.

How can I merge them to create a single pkcs7-signature which is recognized by standard pdf-readers...

Thanks for your help

Greetz
Re: pkcs7 signature with timestamp
The data for the timestamp is done on the signature, not the file. So the TS command should reflect that.

As far as merging, I would take a look at the actual PDF format.

-Eduardo

-----Original Message-----
From: q0...@cuba.ionum.ch
Sent: Friday, September 02, 2011 6:42 AM
To: openssl-users@openssl.org
Subject: pkcs7 signature with timestamp

> Hi there
>
> I'm trying to create a pkcs7 signature with timestamp for a pdf-signature.
>
> With
>
>     openssl smime -sign -in tmp.pdf -inkey s.key -signer s.cer -outform der -binary
>
> I get a der-encoded pkcs7-signature. With
>
>     openssl ts -query -data tmp.pdf -out req.tsq
>
> and
>
>     openssl ts -reply -config openssl.conf -queryfile req.tsq -out response.tsr
>
> I get a der-encoded pkcs7-timestamp.
>
> How can I merge them to create a single pkcs7-signature which is recognized by standard pdf-readers...
>
> Thanks for your help
>
> Greetz
REMOVE my address from your mailing list, please
-- Mayra
Disabling SSLv2
Hello,

Is there a way to disable SSLv2 system-wide (assuming non-static linking)?

I am trying to get a CentOS 5.6 system to pass a PCI credit card processing certification and the scanning company blindly flags SSLv2 as non-compliant. Rather than try to disable SSLv2 in each application (postfix, Apache, Dovecot, etc), I was hoping there was a low-level directive that would block SSLv2 (but not SSLv3 or TLSv1).

Is there any such directive to torpedo SSLv2 specifically?

Mike
Re: Disabling SSLv2
On Fri, Sep 02, 2011, Michael B Allen wrote:

> Hello,
>
> Is there a way to disable SSLv2 system-wide (assuming non-static linking)?
>
> I am trying to get a CentOS 5.6 system to pass a PCI credit card processing certification and the scanning company blindly flags SSLv2 as non-compliant. Rather than try to disable SSLv2 in each application (postfix, Apache, Dovecot, etc), I was hoping there was a low-level directive that would block SSLv2 (but not SSLv3 or TLSv1).
>
> Is there any such directive to torpedo SSLv2 specifically?

Which version of OpenSSL are you using?

In OpenSSL 1.0.0 and later the cipher string determines whether SSLv2 support is advertised or accepted and the default cipher string includes no SSLv2 ciphers.

Alternatively try no-ssl2 on the command line but that hasn't been tested for a while. If you use that you will get linker errors in applications that reference SSLv2 directly.

Third option. At the end SSL_CTX_new in ssl/ssl_lib.c the options flag has some settings added. Add something to disable SSLv2:

    ret->options |= SSL_OP_NO_SSLv2;

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Disabling SSLv2
On Fri, Sep 2, 2011 at 2:09 PM, Dr. Stephen Henson st...@openssl.org wrote:
> On Fri, Sep 02, 2011, Michael B Allen wrote:
>
> > Hello,
> >
> > Is there a way to disable SSLv2 system-wide (assuming non-static linking)?
> >
> > I am trying to get a CentOS 5.6 system to pass a PCI credit card processing certification and the scanning company blindly flags SSLv2 as non-compliant. Rather than try to disable SSLv2 in each application (postfix, Apache, Dovecot, etc), I was hoping there was a low-level directive that would block SSLv2 (but not SSLv3 or TLSv1).
> >
> > Is there any such directive to torpedo SSLv2 specifically?
>
> Which version of OpenSSL are you using?
>
> In OpenSSL 1.0.0 and later the cipher string determines whether SSLv2 support is advertised or accepted and the default cipher string includes no SSLv2 ciphers.
>
> Alternatively try no-ssl2 on the command line but that hasn't been tested for a while. If you use that you will get linker errors in applications that reference SSLv2 directly.
>
> Third option. At the end SSL_CTX_new in ssl/ssl_lib.c the options flag has some settings added. Add something to disable SSLv2:
>
>     ret->options |= SSL_OP_NO_SSLv2;

Hi Steve,

Well I was hoping there was some kind of global configuration file directive that would affect the behavior of the openssl library and at least everything dynamically linked with it. But based on your answer it's fairly clear that there is no such option.

Thanks,
Mike
Re: Disabling SSLv2
> Well I was hoping there was some kind of global configuration file directive that would affect the behavior of the openssl library and at least everything dynamically linked with it. But based on your answer it's fairly clear that there is no such option.

He said that for OpenSSL 1.0.0 that the cipher list controls it. You can configure the cipher list from openssl.cnf.

/s/ Adam
RE: Becoming a CA for group of internal servers?
> From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> Sent: Friday, 02 September, 2011 04:00
>
> Many thanks! - I now see the S-A-N in the signed cert :)
>
> Next challenge is I'd like to create a pkcs12 file as below ...
>
>     openssl pkcs12 -export -in server.crt -inkey server.key -name tomcat -passout pass:changeit -out serverkeystore.pfx
>
> However when I view with ...
>
>     openssl pkcs12 -in serverkeystore.pfx -info
>
> I can't see S-A-N within the .pfx?

'openssl pkcs12' doesn't display details of the cert(s), or key(s), within the pkcs12 file. It just inserts or extracts them as complete units. You can use

    openssl pkcs12 -in $file -nokeys -out tempcert
    # -clcerts would be needed if you put chain
    # or CA certs in but in this case you didn't

to get the certificate (back) out, and then look at it, or just compare it to the known-good one you put in. You can combine these steps with a pipe:

    openssl pkcs12 -in $file -nokeys | openssl x509 -text -noout

Perhaps better for you, Java can display directly:

    keytool -list -v -keystore $file -storetype pkcs12
Re: Disabling SSLv2
On Fri September 2 2011, Michael B Allen wrote:
> On Fri, Sep 2, 2011 at 2:09 PM, Dr. Stephen Henson st...@openssl.org wrote:
> > On Fri, Sep 02, 2011, Michael B Allen wrote:
> >
> > > Hello,
> > >
> > > Is there a way to disable SSLv2 system-wide (assuming non-static linking)?
> > >
> > > I am trying to get a CentOS 5.6 system to pass a PCI credit card processing certification and the scanning company blindly flags SSLv2 as non-compliant. Rather than try to disable SSLv2 in each application (postfix, Apache, Dovecot, etc), I was hoping there was a low-level directive that would block SSLv2 (but not SSLv3 or TLSv1).
> > >
> > > Is there any such directive to torpedo SSLv2 specifically?
> >
> > Which version of OpenSSL are you using?
> >
> > In OpenSSL 1.0.0 and later the cipher string determines whether SSLv2 support is advertised or accepted and the default cipher string includes no SSLv2 ciphers.
> >
> > Alternatively try no-ssl2 on the command line but that hasn't been tested for a while. If you use that you will get linker errors in applications that reference SSLv2 directly.
> >
> > Third option. At the end SSL_CTX_new in ssl/ssl_lib.c the options flag has some settings added. Add something to disable SSLv2:
> >
> >     ret->options |= SSL_OP_NO_SSLv2;
>
> Hi Steve,
>
> Well I was hoping there was some kind of global configuration file directive that would affect the behavior of the openssl library and at least everything dynamically linked with it.

But if you did it that way, wouldn't the entire PCI credit card processing certification depend on that configuration file being used, un-altered, from that point onwards? That sounds sort of long-term fragile to me.

The better sounding answer to me is Steve's third suggestion, disable SSLv2 in the source and re-build. __AND__ be sure that the controls of the CentOS package manager (Yum?) are set so it will not blindly update either the custom built package or the special-purposed configuration file. As appropriate to whichever route you decide to take.

> Mike
>
> But based on your answer it's fairly clear that there is no such option.
>
> Thanks,
> Mike
Re: Becoming a CA for group of internal servers?
Many thanks for all your help, everything is working as expected.

----- Original Message -----
From: owner-openssl-us...@openssl.org <owner-openssl-us...@openssl.org>
To: openssl-users@openssl.org <openssl-users@openssl.org>
Sent: Fri Sep 02 20:55:15 2011
Subject: RE: Becoming a CA for group of internal servers?

> > From: owner-openssl-us...@openssl.org On Behalf Of Hopkins, Nathan
> > Sent: Friday, 02 September, 2011 04:00
> >
> > Many thanks! - I now see the S-A-N in the signed cert :)
> >
> > Next challenge is I'd like to create a pkcs12 file as below ...
> >
> >     openssl pkcs12 -export -in server.crt -inkey server.key -name tomcat -passout pass:changeit -out serverkeystore.pfx
> >
> > However when I view with ...
> >
> >     openssl pkcs12 -in serverkeystore.pfx -info
> >
> > I can't see S-A-N within the .pfx?
>
> 'openssl pkcs12' doesn't display details of the cert(s), or key(s), within the pkcs12 file. It just inserts or extracts them as complete units. You can use
>
>     openssl pkcs12 -in $file -nokeys -out tempcert
>     # -clcerts would be needed if you put chain
>     # or CA certs in but in this case you didn't
>
> to get the certificate (back) out, and then look at it, or just compare it to the known-good one you put in. You can combine these steps with a pipe:
>
>     openssl pkcs12 -in $file -nokeys | openssl x509 -text -noout
>
> Perhaps better for you, Java can display directly:
>
>     keytool -list -v -keystore $file -storetype pkcs12
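The whole procedure this thread converges on, as an added shell example that is not part of the thread or of OpenSSL's own documentation: a CSR that carries a SAN from customopenssl.cnf, signed with 'x509 -req' once without and once with -extfile/-extensions v3_req (so the difference is visible), then exported to PKCS#12 and read back through the pkcs12-to-x509 pipe Dave describes. The working directory, the CA and server subjects, the alt_names entries and the v3_ca section are constructed for the example; -passin is supplied so the pipe does not stop to prompt for the import password.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed: the temp directory, the
# subjects, the alt_names entries and the v3_ca section. Section names v3_req
# and alt_names follow the customopenssl.cnf layout discussed in the thread.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/customopenssl.cnf"
P12PASS=changeit

# req_extensions puts the SAN into the CSR; 'x509 -req' does not copy it from
# there, so the same [v3_req] section is handed to it again via -extfile.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
x509_extensions    = v3_ca
prompt             = no

[ req_distinguished_name ]
CN = server.example.internal

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = server.example.internal
DNS.2 = server

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# CA key and self-signed CA cert; nothing here changes when leaf certs get SANs.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/ca.key" -config "$CNF" \
        -subj "/CN=Internal Test CA" -days 365 -out "$WORK/ca.crt"
}

# Server key and CSR; the CSR carries the SAN as a requested extension.
make_csr() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -config "$CNF" -out "$WORK/server.csr"
}

# Same 'x509 -req' as in the thread, without the extension arguments ...
sign_without_extfile() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/plain.crt" 2>/dev/null
}
# ... and with them, which is what makes the SAN appear in the signed cert.
sign_with_extfile() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/server.crt" \
        -extfile "$CNF" -extensions v3_req 2>/dev/null
}

# Print the SAN value line of the PEM certificate on stdin (empty if none).
san_of() {
    openssl x509 -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Export to PKCS#12 with the thread's options, then pull the cert back out
# through a pipe and inspect it; 'pkcs12 -info' alone never shows extensions.
export_p12() {
    openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
        -name tomcat -passout "pass:$P12PASS" -out "$WORK/serverkeystore.pfx"
}
p12_san() {
    openssl pkcs12 -in "$WORK/serverkeystore.pfx" -nokeys -passin "pass:$P12PASS" 2>/dev/null | san_of
}

demo() {
    write_config; make_ca; make_csr
    sign_without_extfile; sign_with_extfile; export_p12
    echo "x509 -req without -extfile : SAN='$(san_of < "$WORK/plain.crt")'"
    echo "x509 -req with -extfile    : SAN='$(san_of < "$WORK/server.crt")'"
    echo "cert pulled out of the .pfx: SAN='$(p12_san)'"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found in PATH; nothing run" >&2
fi
```

The second and third lines of output carry the same "DNS:server.example.internal, DNS:server" value, which is the point: the PKCS#12 container stores the certificate unchanged, so whatever 'x509 -text' showed before export is what keytool -list -v -keystore ... -storetype pkcs12 will show on the Java side.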
Re: Disabling SSLv2
On Fri, Sep 02, 2011, Coda Highland wrote:

> > Well I was hoping there was some kind of global configuration file directive that would affect the behavior of the openssl library and at least everything dynamically linked with it. But based on your answer it's fairly clear that there is no such option.
>
> He said that for OpenSSL 1.0.0 that the cipher list controls it. You can configure the cipher list from openssl.cnf.

Actually you can't. Applications generally have their own way of setting the cipherlist or just rely on the default value and don't allow it to be changed at all.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Disabling SSLv2
On Fri, Sep 2, 2011 at 4:07 PM, Dr. Stephen Henson st...@openssl.org wrote:
> On Fri, Sep 02, 2011, Coda Highland wrote:
>
> > > Well I was hoping there was some kind of global configuration file directive that would affect the behavior of the openssl library and at least everything dynamically linked with it. But based on your answer it's fairly clear that there is no such option.
> >
> > He said that for OpenSSL 1.0.0 that the cipher list controls it. You can configure the cipher list from openssl.cnf.
>
> Actually you can't. Applications generally have their own way of setting the cipherlist or just rely on the default value and don't allow it to be changed at all.

It would be very nice if there was a cipher list option that applications could not override so that you can absolutely block SSLv2 on the whole machine by only editing one file (openssl.cnf and not httpd/conf.d/ssl.conf, postfix/main.cf, dovecot.conf, etc).

I do not want to build anything from source anymore. Then I would have to watch for updates and rebuild all the time. I would much rather just rely on the distribution's package repository to keep me up-to-date.

I'm currently using openssl 0.9.8e from CentOS 5.6. But CentOS 6 has openssl 1.0 and it also has Postfix 2.6 which supports the smtpd_tls_protocols = !SSLv2 directive which is required to disable SSLv2 in Postfix at the app-level. So it sounds like I will need to migrate to CentOS 6.

Mike
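Since the thread ends with SSLv2 having to be switched off in each application, here is an added shell example (not from the thread) that audits the two settings the thread names: Apache mod_ssl's SSLProtocol directive in ssl.conf and Postfix's smtpd_tls_protocols in main.cf, each checked on a weak and a corrected sample. The config fragments are constructed for the example, and Dovecot is left out because the thread gives no directive for it.

```shell
#!/bin/sh
# Added example, not from the thread: a per-application SSLv2 audit, since
# OpenSSL has no openssl.cnf switch that applications cannot override.
# All config fragments below are constructed samples, not real system files.
set -eu

SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Apache mod_ssl: SSLv2 is off when the last SSLProtocol line removes it
# ("all -SSLv2") or lists only other protocols ("TLSv1"). No directive means
# the mod_ssl default "all", which on an SSLv2-capable OpenSSL includes SSLv2.
# Exit status: 0 = disabled, 1 = still enabled.
apache_sslv2_disabled() {
    awk '
        tolower($1) == "sslprotocol" { value = ""; for (i = 2; i <= NF; i++) value = value " " $i }
        END {
            if (value == "") value = "all"
            n = split(value, tok, " ")
            enabled = 0; minus = 0
            for (i = 1; i <= n; i++) {
                t = tolower(tok[i])
                if (t == "all" || t == "sslv2" || t == "+sslv2") enabled = 1
                if (t == "-sslv2") minus = 1
            }
            if (minus) enabled = 0          # an explicit -SSLv2 always wins
            exit enabled
        }' "$1"
}

# Postfix main.cf (2.6+): smtpd_tls_protocols is either an exclusion list
# ("!SSLv2, !SSLv3") or an inclusion list ("TLSv1"); unset means everything.
# Exit status: 0 = disabled, 1 = still enabled.
postfix_sslv2_disabled() {
    awk -F= '
        $1 ~ /^[ \t]*smtpd_tls_protocols[ \t]*$/ { value = $2 }
        END {
            gsub(/[ \t]/, "", value); gsub(/:/, ",", value)
            if (value == "") exit 1
            n = split(value, tok, ",")
            if (value ~ /!/) {
                for (i = 1; i <= n; i++) if (tok[i] == "!SSLv2") exit 0
                exit 1
            }
            for (i = 1; i <= n; i++) if (tok[i] == "SSLv2") exit 1
            exit 0
        }' "$1"
}

# Constructed samples: one weak and one corrected file per application.
write_samples() {
    cat > "$SAMPLES/ssl-weak.conf" <<'EOF'
# constructed sample: SSLv2 still negotiable
SSLEngine on
SSLProtocol all
EOF
    cat > "$SAMPLES/ssl-fixed.conf" <<'EOF'
# constructed sample: SSLv2 removed, SSLv3/TLSv1 untouched
SSLEngine on
SSLProtocol all -SSLv2
EOF
    cat > "$SAMPLES/main-weak.cf" <<'EOF'
# constructed sample: TLS on, protocol list left at the default
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/server.crt
EOF
    cat > "$SAMPLES/main-fixed.cf" <<'EOF'
# constructed sample: the directive the thread names
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/server.crt
smtpd_tls_protocols = !SSLv2
EOF
}

report() {   # $1 = label, $2 = checker function, $3 = file
    if "$2" "$3"; then echo "$1: SSLv2 disabled      ($3)"
    else               echo "$1: SSLv2 STILL ENABLED ($3)"; fi
}

audit() {
    write_samples
    report apache  apache_sslv2_disabled  "$SAMPLES/ssl-weak.conf"
    report apache  apache_sslv2_disabled  "$SAMPLES/ssl-fixed.conf"
    report postfix postfix_sslv2_disabled "$SAMPLES/main-weak.cf"
    report postfix postfix_sslv2_disabled "$SAMPLES/main-fixed.cf"
}

audit
```

Point the two checker functions at the real httpd/conf.d/ssl.conf and postfix/main.cf to turn this into a quick pre-scan check; both return a plain exit status, so they drop into a cron job or a configuration-management test without any parsing of their output.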