RE: create opensll, ssldump keyfile
2. when I try using the -k and -p arguments using the iPlanet cert7.db, ssldump gives the error: Problem loading private key Error: Couldn't create network handler 3. I think I need option (2) but I don't know how to convert the existing iPlanet key3.db, cert7.db or Microsoft Enterprise Certtificate Authority Server certificates to a format which can be read by ssldump. The ssldump man page specifies an OpenSSL format keyfile but how do I create one? Step by step instructions would be great. Last but not least, any idea why the failed su coincides with 81 byte application_data and 20 byte Handshake? Thanks, Stuart -Original Message- From: Eric Rescorla [mailto:[EMAIL PROTECTED]] Sent: Tuesday, May 14, 2002 6:51 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: create opensll, ssldump keyfile Davidson, Stuart [EMAIL PROTECTED] writes: The following ssldump trace records the following 'su' sequence and shows that an su from a non privileged account does not work. # su - dav $ id uid=4001 gid=401 +++ su from root to dav works OK +++ $ su - dav Password: su: Sorry +++ su from dav to dav does NOT work +++ $ Questions: 1. any idea why the su from a non privileged account is not working? This is a Solaris question. My guess, offhand, would be that DAV has a '*'-ed out password field so you can't su to it if you're not root. 2. how do I invoke ssldump to decrypt the complete dialog? (e.g. all Handshakes and application data) You need to ensure that it has the server's private key, using the -k and -p arguments. 3. how do I convert the certificates exported from Microsoft Enterprise Certificate Authority to a format which can be read by ssldump? I'm not sure what yu're trying to do here. There seem to be two ways to read this message: (1) You want ssldump to decode the certificates when it parses the transaction. This is a simple matter of giving it the -N flag to tell it to parse the ASN.1. (Assuming, of course, ssldump was linked with OpenSSL when you built it.) (2) You want ssldump to read the server's private key (not certificate). There's no need to read the server's certificate. All you need to do for this is convert it into an OpenSSL keyfile. It's not clear what kind of keyfile you're starting with here... -Ekr -- [Eric Rescorla [EMAIL PROTECTED]] http://www.rtfm.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
create opensll, ssldump keyfile
The following ssldump trace records the following 'su' sequence and shows that an su from a non privileged account does not work. # su - dav $ id uid=4001 gid=401 +++ su from root to dav works OK +++ $ su - dav Password: su: Sorry +++ su from dav to dav does NOT work +++ $ Questions: 1. any idea why the su from a non privileged account is not working? 2. how do I invoke ssldump to decrypt the complete dialog? (e.g. all Handshakes and application data) 3. how do I convert the certificates exported from Microsoft Enterprise Certificate Authority to a format which can be read by ssldump? Thanks, Stuart Note: I have tried various openssl commands to convert the Microsoft Enterprise Certificates to a formate suitable for ssldump but without success. The server certificate exported from Microsoft Enterprise Certificate Authority have been added to the Netscape/iPlanet format cert7.db using keyutil and certutil. This allows passwords stored in Active Directory to be changed from Solaris proving, I think, that the certificates are OK. Overall objective is to integrate Solaris with Active Directory so that user accounts are served from AD. Environment: Solaris 8, PAM ldap built with iPlanet ldapcsdk5[1].08, Windows 2000 Service Pack 2, Active Directory, Microsoft Enterprise Certificate Authority ssldump follows, comments prefixed with +++ # ssldump -i hme0 -AdX New TCP connection #1: sun6.reo.cpqcorp.net(32829) - cpqtestdc1.cpqunix.net(636) 1 1 0.0026 (0.0026) CS SSLv2 compatible client hello Version 3.1 cipher suites TLS_DHE_DSS_WITH_RC4_128_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 Unknown value 0xfeff TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xfefe TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 1 2 0.0041 (0.0014) SCV3.1(3977) Handshake ServerHello Version 3.1 random[32]= 73 9e a3 ec 7b 3c 59 cb 82 43 dd 8b 87 03 8e e5 c8 c6 98 06 96 25 18 16 69 33 74 e8 aa 2e 9d 5d session_id[32]= fa 0b 00 00 a6 73 5b 52 9e f4 3d 99 dd b8 c7 98 68 26 ac 42 c7 3a 7f 9f fd 0f 18 4d c8 29 6e be cipherSuite TLS_RSA_WITH_RC4_128_MD5 compressionMethod NULL Certificate CertificateRequest certificate_types rsa_sign certificate_authority 30 81 c1 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 17 30 15 06 03 55 04 0a 13 0e 56 65 72 69 53 69 67 6e 2c 20 49 6e 63 2e 31 3c 30 3a 06 03 55 04 0b 13 33 43 6c 61 73 73 20 31 20 50 75 62 6c 69 63 20 50 72 69 6d 61 72 79 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 20 2d 20 47 32 31 3a 30 38 06 03 55 04 0b 13 31 28 63 29 20 31 39 39 38 20 56 65 72 69 53 69 67 6e 2c 20 49 6e 63 2e 20 2d 20 46 6f 72 20 61 75 74 68 6f 72 69 7a 65 64 20 75 73 65 20 6f 6e 6c 79 31 1f 30 1d 06 03 55 04 0b 13 16 56 65 72 69 53 69 67 6e 20 54 72 75 73 74 20 4e 65 74 77 6f 72 6b certificate_authority 30 81 c1 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 17 30 15 06 03 55 04 0a 13 0e 56 65 72 69 53 69 67 6e 2c 20 49 6e 63 2e 31 3c 30 3a 06 03 55 04 0b 13 33 43 6c 61 73 73 20 34 20 50 75 62 6c 69 63 20 50 72 69 6d 61 72 79 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 20 2d 20 47 32 31 3a 30 38 06 03 55 04 0b 13 31 28 63 29 20 31 39 39 38 20 56 65 72 69 53 69 67 6e 2c 20 49 6e 63 2e 20 2d 20 46 6f 72 20 61 75 74 68 6f 72 69 7a 65 64 20 75 73 65 20 6f 6e 6c 79 31 1f 30 1d 06 03 55 04 0b 13 16 56 65 72 69 53 69 67 6e 20 54 72 75 73 74 20 4e 65 74 77 6f 72 6b certificate_authority 30 81 d1 31 0b 30 09 06 03 55 04 06 13 02 5a 41 31 15 30 13 06 03 55 04 08 13 0c 57 65 73 74 65 72 6e 20 43 61 70 65 31 12 30 10 06 03 55 04 07 13 09 43 61 70 65 20 54 6f 77 6e 31 1a 30 18 06 03 55 04 0a 13 11 54 68 61 77 74 65 20 43 6f 6e 73 75 6c 74 69 6e 67 31 28 30 26 06 03 55 04 0b 13 1f 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 53 65 72 76 69 63 65 73 20 44 69 76 69 73 69 6f 6e 31 24 30 22 06 03 55 04 03 13 1b 54 68 61 77 74 65 20 50 65 72 73 6f 6e 61 6c 20 46 72 65 65 6d 61 69 6c 20 43 41 31 2b 30 29 06 09 2a 86 48 86 f7 0d 01 09 01 16 1c 70 65 72 73 6f 6e 61 6c 2d 66 72 65 65 6d 61 69 6c 40 74 68 61 77 74 65 2e 63 6f 6d certificate_authority 30 75 31 0b
LDAP, SSL, Active Directory, Microsoft Enterprise Certificate Authority
Trying to change passwords on UNIX accounts stored in Win2K Active Directory... we have extracted the Solaris 2.6 passwd binary and replaced 2.8 binary. However, still get the following error: # passwd dav Permission denied The following is logged in /var/adm/messages Mar 25 20:09:18 sun6.CPQUNIX.NET passwd[11637]: [ID 280705 user.error] pam_ldap: ldap_simple_bind Can't contact LDAP server Using truss on passwd appears to show a dialog with the Win2K system running Active Directory, Enterprise Certificate Authority via SSL, port 636. The reply from Win2K is read on fd 5 and possibly compared with the local client database read on fd 4. However, this leads to ldap_simple_bind failing. We have exported the Microsoft Enterprise Certificate Authority certificate from the Win2k system in base-64, DER and PKCS #7 format. The certificates have been copied to the Solaris system. The certutil executable has been copied from another Solaris system. However, attempts to add the Certificates to the database on Solaris fail as follows: # ./certutil -d /etc/ssl/certs -A -n CPQ UNIX ENTERPRISE CA -t C,C,C -i cpqunix_der.cer certutil: failure authenticating to key database. : Security I/O error Questions 1. how do we update the certifcate database on Solaris to include the Win2K Enterprise CA? 2. what else do we need to do to get this working? Although this is not OpenSSL it does appear to be an SSL issue, so any help appreciated. Thanks, Stuart Environment: Solaris 8, LDAP, SSL, Active Directory, Microsft SFU (Services For Unix) schema in Active Directory, PADL nss_ldap.so, pam_ldap.so on Solaris, Microsoft Enterprise Certificate Authority The truss trace follows: truss -f -u libpam,libldap,libldapssl40 -v connect /usr/bin/passwd dav 11557: stat(/etc/ssl/certs/cert7.db, 0xFFBEE408) = 0 # # open local certificate database cert7.db on fd 4 # 11557: open(/etc/ssl/certs/cert7.db, O_RDONLY) = 4 11557: fcntl(4, F_SETFD, 0x0001) = 0 11557: read(4, \00615 a\0\0\002\0\010E1.., 260) = 260 11557: brk(0x0003FDB8) = 0 11557: brk(0x00041DB8) = 0 11557: lseek(4, 73728, SEEK_SET) = 73728 11557: read(4, \0 $1FF71FF41F821D1F1D03.., 8192) = 8192 11557: brk(0x00041DB8) = 0 11557: brk(0x00043DB8) = 0 11557: lseek(4, 98304, SEEK_SET) = 98304 11557: read(4, \0181F9E1EEE1E v1DC11D N.., 8192) = 8192 11557: stat(/etc/ssl/certs/secmod.db, 0xFFBEE398)= 0 11557: open(/etc/ssl/certs/secmod.db, O_RDONLY) = 5 11557: fcntl(5, F_SETFD, 0x0001) = 0 11557: read(5, \00615 a\0\0\002\0\010E1.., 260) = 260 11557: brk(0x00043DB8) = 0 11557: brk(0x00045DB8) = 0 11557: lseek(5, 8192, SEEK_SET)= 8192 11557: read(5, \0021FDF1F881F ~1F88\0\0.., 8192) = 8192 11557: brk(0x00045DB8) = 0 11557: brk(0x00047DB8) = 0 11557: lseek(5, 16384, SEEK_SET) = 16384 11557: read(5, \0\0\0\0\0\0\0\0\0\0\0\0.., 8192) = 8192 11557: close(5)= 0 11557/1: - libldapssl40:ldapssl_client_init() = 0 11557/1: - libldapssl40:ldapssl_init(0x385a0, 0x27c, 0x1, 0x391d0) 11557/1: - libldapssl40:ldapssl_init() = 0x3e4c0 11557/1: - libldapssl40:ldap_set_option(0x3e4c0, 0x11, 0x39224, 0x391d0) 11557/1: - libldapssl40:ldap_set_option() = 0 11557/1: - libldapssl40:ldap_set_rebind_proc(0x3e4c0, 0xff1e3400, 0x38588, 0xff05e7c0) 11557/1: - libldapssl40:ldap_set_rebind_proc() = 0x3e4c0 11557/1: - libldapssl40:ldap_set_option(0x3e4c0, 0x2, 0x391e8, 0x3e4c0) 11557/1: - libldapssl40:ldap_set_option() = 0 11557/1: - libldapssl40:ldap_set_option(0x3e4c0, 0x4, 0x39228, 0xff05e7c0) 11557/1: - libldapssl40:ldap_set_option() = 0 11557/1: - libldapssl40:ldap_set_option(0x3e4c0, 0x8, 0x0, 0xff05e7c0) 11557/1: - libldapssl40:ldap_set_option() = 0 11557/1: - libldapssl40:ldap_set_option(0x3e4c0, 0x9, 0x1, 0xff05e7c0) 11557/1: - libldapssl40:ldap_set_option() = 0 11557: getuid()= 0 [0] 11557/1: - libldapssl40:ldap_simple_bind(0x3e4c0, 0x392a0, 0x38600, 0x0) 11557: so_socket(2, 2, 0, , 1) = 5 11557: fcntl(5, F_GETFL, 0x) = 2 11557: fstat64(5, 0xFFBEDA98) = 0 11557: getsockopt(5, 65535, 8192, 0xFFBEDB98, 0xFFBEDB90, 229005) = 0 11557: fstat64(5, 0xFFBEDA98) = 0 11557: getsockopt(5, 65535, 8192, 0xFFBEDB98, 0xFFBEDB94, 229005) = 0 11557: setsockopt(5, 65535, 8192, 0xFFBEDB98, 4, 229005) = 0 11557: fcntl(5,