from:"Davidson, Stuart"

RE: create opensll, ssldump keyfile

2002-05-14 Thread Davidson, Stuart


2. when I try using the -k and -p arguments using the iPlanet cert7.db, ssldump gives 
the error:

Problem loading private key
Error: Couldn't create network handler

3. I think I need option (2) but I don't know how to convert the existing iPlanet 
key3.db, cert7.db or Microsoft Enterprise Certtificate Authority Server certificates 
to a format which can be read by ssldump.

The ssldump man page specifies an OpenSSL format keyfile but how do I create one? Step 
by step instructions would be great.

Last but not least, any idea why the failed su coincides with 81 byte application_data 
and 20 byte Handshake?

Thanks,
Stuart
 
-Original Message-
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 6:51 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: create opensll, ssldump keyfile


Davidson, Stuart [EMAIL PROTECTED] writes:
 The following ssldump trace records the following 'su' sequence and shows that
 an su from a non privileged account does not work.
 
 # su - dav
 $ id
 uid=4001 gid=401 +++ su from root to dav works OK +++
 $ su - dav
 Password:
 su: Sorry +++ su from dav to dav does NOT work +++
 $
 
 Questions:
 
 1. any idea why the su from a non privileged account is not working?
This is a Solaris question. My guess, offhand, would be that DAV has
a '*'-ed out password field so you can't su to it if you're not
root.

 2. how do I invoke ssldump to decrypt the complete dialog?
(e.g. all Handshakes and application data)
You need to ensure that it has the server's private key, using the 
-k and -p arguments.

 3. how do I convert the certificates exported from Microsoft Enterprise
Certificate Authority to a format which can be read by ssldump?
I'm not sure what yu're trying to do here. There seem to be two
ways to read this message:
(1) You want ssldump to decode the certificates when it parses
the transaction. This is a simple matter of giving it the -N
flag to tell it to parse the ASN.1. (Assuming, of course, ssldump
was linked with OpenSSL when you built it.)

(2) You want ssldump to read the server's private key (not certificate).
There's no need to read the server's certificate. All you need to do for
this is convert it into an OpenSSL keyfile. It's not clear what
kind of keyfile you're starting with here...

-Ekr

-- 
[Eric Rescorla   [EMAIL PROTECTED]]
http://www.rtfm.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

create opensll, ssldump keyfile

2002-05-14 Thread Davidson, Stuart


The following ssldump trace records the following 'su' sequence and shows that
an su from a non privileged account does not work.

# su - dav
$ id
uid=4001 gid=401 +++ su from root to dav works OK +++
$ su - dav
Password:
su: Sorry +++ su from dav to dav does NOT work +++
$

Questions:

1. any idea why the su from a non privileged account is not working?
2. how do I invoke ssldump to decrypt the complete dialog?
   (e.g. all Handshakes and application data)
3. how do I convert the certificates exported from Microsoft Enterprise
   Certificate Authority to a format which can be read by ssldump?

Thanks,
Stuart
  
Note:

I have tried various openssl commands to convert the Microsoft Enterprise
Certificates to a formate suitable for ssldump but without success.

The server certificate exported from Microsoft Enterprise Certificate
Authority have been added to the Netscape/iPlanet format cert7.db using
keyutil and certutil. This allows passwords stored in Active Directory to
be changed from Solaris proving, I think, that the certificates are OK.

Overall objective is to integrate Solaris with Active Directory so that user
accounts are served from AD.

Environment:

Solaris 8, PAM ldap built with iPlanet ldapcsdk5[1].08, Windows 2000 Service
Pack 2, Active Directory, Microsoft Enterprise Certificate Authority

ssldump follows, comments prefixed with +++

# ssldump -i hme0 -AdX
New TCP connection #1: sun6.reo.cpqcorp.net(32829) - cpqtestdc1.cpqunix.net(636)
1 1  0.0026 (0.0026)  CS SSLv2 compatible client hello
  Version 3.1 
  cipher suites
  TLS_DHE_DSS_WITH_RC4_128_SHA  
  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA  
  TLS_RSA_WITH_RC4_128_MD5  
  Unknown value 0xfeff  
  TLS_RSA_WITH_3DES_EDE_CBC_SHA  
  Unknown value 0xfefe  
  TLS_DHE_RSA_WITH_DES_CBC_SHA  
  TLS_DHE_DSS_WITH_DES_CBC_SHA  
  TLS_RSA_WITH_DES_CBC_SHA  
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA  
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA  
  TLS_RSA_EXPORT_WITH_RC4_40_MD5  
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5  
1 2  0.0041 (0.0014)  SCV3.1(3977)  Handshake
  ServerHello
Version 3.1 
random[32]=
  73 9e a3 ec 7b 3c 59 cb 82 43 dd 8b 87 03 8e e5 
  c8 c6 98 06 96 25 18 16 69 33 74 e8 aa 2e 9d 5d 
session_id[32]=
  fa 0b 00 00 a6 73 5b 52 9e f4 3d 99 dd b8 c7 98 
  68 26 ac 42 c7 3a 7f 9f fd 0f 18 4d c8 29 6e be 
cipherSuite TLS_RSA_WITH_RC4_128_MD5
compressionMethod   NULL
  Certificate
  CertificateRequest
certificate_types   rsa_sign
certificate_authority
  30 81 c1 31 0b 30 09 06 03 55 04 06 13 02 55 53 
  31 17 30 15 06 03 55 04 0a 13 0e 56 65 72 69 53 
  69 67 6e 2c 20 49 6e 63 2e 31 3c 30 3a 06 03 55 
  04 0b 13 33 43 6c 61 73 73 20 31 20 50 75 62 6c 
  69 63 20 50 72 69 6d 61 72 79 20 43 65 72 74 69 
  66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 
  74 79 20 2d 20 47 32 31 3a 30 38 06 03 55 04 0b 
  13 31 28 63 29 20 31 39 39 38 20 56 65 72 69 53 
  69 67 6e 2c 20 49 6e 63 2e 20 2d 20 46 6f 72 20 
  61 75 74 68 6f 72 69 7a 65 64 20 75 73 65 20 6f 
  6e 6c 79 31 1f 30 1d 06 03 55 04 0b 13 16 56 65 
  72 69 53 69 67 6e 20 54 72 75 73 74 20 4e 65 74 
  77 6f 72 6b 
certificate_authority
  30 81 c1 31 0b 30 09 06 03 55 04 06 13 02 55 53 
  31 17 30 15 06 03 55 04 0a 13 0e 56 65 72 69 53 
  69 67 6e 2c 20 49 6e 63 2e 31 3c 30 3a 06 03 55 
  04 0b 13 33 43 6c 61 73 73 20 34 20 50 75 62 6c 
  69 63 20 50 72 69 6d 61 72 79 20 43 65 72 74 69 
  66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 
  74 79 20 2d 20 47 32 31 3a 30 38 06 03 55 04 0b 
  13 31 28 63 29 20 31 39 39 38 20 56 65 72 69 53 
  69 67 6e 2c 20 49 6e 63 2e 20 2d 20 46 6f 72 20 
  61 75 74 68 6f 72 69 7a 65 64 20 75 73 65 20 6f 
  6e 6c 79 31 1f 30 1d 06 03 55 04 0b 13 16 56 65 
  72 69 53 69 67 6e 20 54 72 75 73 74 20 4e 65 74 
  77 6f 72 6b 
certificate_authority
  30 81 d1 31 0b 30 09 06 03 55 04 06 13 02 5a 41 
  31 15 30 13 06 03 55 04 08 13 0c 57 65 73 74 65 
  72 6e 20 43 61 70 65 31 12 30 10 06 03 55 04 07 
  13 09 43 61 70 65 20 54 6f 77 6e 31 1a 30 18 06 
  03 55 04 0a 13 11 54 68 61 77 74 65 20 43 6f 6e 
  73 75 6c 74 69 6e 67 31 28 30 26 06 03 55 04 0b 
  13 1f 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 
  53 65 72 76 69 63 65 73 20 44 69 76 69 73 69 6f 
  6e 31 24 30 22 06 03 55 04 03 13 1b 54 68 61 77 
  74 65 20 50 65 72 73 6f 6e 61 6c 20 46 72 65 65 
  6d 61 69 6c 20 43 41 31 2b 30 29 06 09 2a 86 48 
  86 f7 0d 01 09 01 16 1c 70 65 72 73 6f 6e 61 6c 
  2d 66 72 65 65 6d 61 69 6c 40 74 68 61 77 74 65 
  2e 63 6f 6d 
certificate_authority
  30 75 31 0b

LDAP, SSL, Active Directory, Microsoft Enterprise Certificate Authority

2002-03-25 Thread Davidson, Stuart


Trying to change passwords on UNIX accounts stored in Win2K Active Directory... we 
have extracted the Solaris 2.6 passwd binary and replaced 2.8 binary. However, still 
get the following error:

# passwd dav
Permission denied

The following is logged in /var/adm/messages

Mar 25 20:09:18 sun6.CPQUNIX.NET passwd[11637]: [ID 280705 user.error] pam_ldap: 
ldap_simple_bind Can't contact LDAP server

Using truss on passwd appears to show a dialog with the Win2K system running Active 
Directory, Enterprise Certificate Authority via SSL, port 636. The reply from Win2K is 
read on fd 5 and possibly compared with the local client database read on fd 4. 
However, this leads to ldap_simple_bind failing.

We have exported the Microsoft Enterprise Certificate Authority certificate from the 
Win2k system in base-64, DER and PKCS #7 format. The certificates have been copied to 
the Solaris system. The certutil executable has been copied from another Solaris 
system. However, attempts to add the Certificates to the database on Solaris fail as 
follows:

# ./certutil -d /etc/ssl/certs -A -n CPQ UNIX ENTERPRISE CA -t C,C,C -i 
cpqunix_der.cer
certutil: failure authenticating to key database.
: Security I/O error

Questions

1. how do we update the certifcate database on Solaris to include the Win2K Enterprise 
CA?
2. what else do we need to do to get this working?

Although this is not OpenSSL it does appear to be an SSL issue, so any help 
appreciated.

Thanks,
Stuart

Environment: Solaris 8, LDAP, SSL, Active Directory, Microsft SFU (Services For Unix) 
schema in Active Directory, PADL nss_ldap.so, pam_ldap.so on Solaris, Microsoft 
Enterprise Certificate Authority

The truss trace follows:

truss -f -u libpam,libldap,libldapssl40 -v connect /usr/bin/passwd dav

11557:  stat(/etc/ssl/certs/cert7.db, 0xFFBEE408) = 0
#
# open local certificate database cert7.db on fd 4
#
11557:  open(/etc/ssl/certs/cert7.db, O_RDONLY)   = 4
11557:  fcntl(4, F_SETFD, 0x0001)   = 0
11557:  read(4, \00615 a\0\0\002\0\010E1.., 260)  = 260
11557:  brk(0x0003FDB8) = 0
11557:  brk(0x00041DB8) = 0
11557:  lseek(4, 73728, SEEK_SET)   = 73728
11557:  read(4, \0 $1FF71FF41F821D1F1D03.., 8192) = 8192
11557:  brk(0x00041DB8) = 0
11557:  brk(0x00043DB8) = 0
11557:  lseek(4, 98304, SEEK_SET)   = 98304
11557:  read(4, \0181F9E1EEE1E v1DC11D N.., 8192) = 8192
11557:  stat(/etc/ssl/certs/secmod.db, 0xFFBEE398)= 0
11557:  open(/etc/ssl/certs/secmod.db, O_RDONLY)  = 5
11557:  fcntl(5, F_SETFD, 0x0001)   = 0
11557:  read(5, \00615 a\0\0\002\0\010E1.., 260)  = 260
11557:  brk(0x00043DB8) = 0
11557:  brk(0x00045DB8) = 0
11557:  lseek(5, 8192, SEEK_SET)= 8192
11557:  read(5, \0021FDF1F881F ~1F88\0\0.., 8192) = 8192
11557:  brk(0x00045DB8) = 0
11557:  brk(0x00047DB8) = 0
11557:  lseek(5, 16384, SEEK_SET)   = 16384
11557:  read(5, \0\0\0\0\0\0\0\0\0\0\0\0.., 8192) = 8192
11557:  close(5)= 0
11557/1:  - libldapssl40:ldapssl_client_init() = 0
11557/1:  - libldapssl40:ldapssl_init(0x385a0, 0x27c, 0x1, 0x391d0)
11557/1:  - libldapssl40:ldapssl_init() = 0x3e4c0
11557/1:  - libldapssl40:ldap_set_option(0x3e4c0, 0x11, 0x39224, 0x391d0)
11557/1:  - libldapssl40:ldap_set_option() = 0
11557/1:  - libldapssl40:ldap_set_rebind_proc(0x3e4c0, 0xff1e3400, 0x38588, 
0xff05e7c0)
11557/1:  - libldapssl40:ldap_set_rebind_proc() = 0x3e4c0
11557/1:  - libldapssl40:ldap_set_option(0x3e4c0, 0x2, 0x391e8, 0x3e4c0)
11557/1:  - libldapssl40:ldap_set_option() = 0
11557/1:  - libldapssl40:ldap_set_option(0x3e4c0, 0x4, 0x39228, 0xff05e7c0)
11557/1:  - libldapssl40:ldap_set_option() = 0
11557/1:  - libldapssl40:ldap_set_option(0x3e4c0, 0x8, 0x0, 0xff05e7c0)
11557/1:  - libldapssl40:ldap_set_option() = 0
11557/1:  - libldapssl40:ldap_set_option(0x3e4c0, 0x9, 0x1, 0xff05e7c0)
11557/1:  - libldapssl40:ldap_set_option() = 0
11557:  getuid()= 0 [0]
11557/1:  - libldapssl40:ldap_simple_bind(0x3e4c0, 0x392a0, 0x38600, 0x0)
11557:  so_socket(2, 2, 0, , 1)   = 5
11557:  fcntl(5, F_GETFL, 0x)   = 2
11557:  fstat64(5, 0xFFBEDA98)  = 0
11557:  getsockopt(5, 65535, 8192, 0xFFBEDB98, 0xFFBEDB90, 229005) = 0
11557:  fstat64(5, 0xFFBEDA98)  = 0
11557:  getsockopt(5, 65535, 8192, 0xFFBEDB98, 0xFFBEDB94, 229005) = 0
11557:  setsockopt(5, 65535, 8192, 0xFFBEDB98, 4, 229005) = 0
11557:  fcntl(5,

RE: create opensll, ssldump keyfile

create opensll, ssldump keyfile

LDAP, SSL, Active Directory, Microsoft Enterprise Certificate Authority

3 matches

Site Navigation

Mail list logo

Footer information