Re: NAT + mod_ssl

2001-02-22 Thread Leland V. Lammert

At 11:01 AM 2/22/01 +0530, you wrote:
Forgive my possible ignorance, but the common name of the certificate would
have to match the NATed apparent address (A entry to the router's public IP)
of the server, right ?

Regards,

Sandipan

The CN is typically the site name, not IP, .. as such, as long as there is 
an on-net IP to establish the session and the IP agrees with the DNS entry 
the session can be established.

The major sticking point is that the NAT box must be setup to:

1) Handle an 'inside' server.
2) Proxy SSL requests on port 443.

As someone else responded, many of the NAT boxes will do this, .. but I 
have seen some that will not.

 Lee


Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Apologies

2001-02-21 Thread Leland V. Lammert

Sorry folks, I meant to direct the previous message directly to the 
miscreant that does not know how to use a mailing list.

 Lee




Re: REMOVE

2001-02-21 Thread Leland V. Lammert

At 06:24 PM 2/21/01 +0600, you wrote:
REMOVE

Hey dufus,

THIS IS SPAM! It is NOT polite, .. nor is it appreciated by the rest of us. 
There are a lot of folks out here that see enough email at the present 
time, .. please do NOT bother us with YOUR problems. There is ABSOLUTELY NO 
BENEFIT to trashing the list in this way, to you or anyone else. ONLY YOU 
can unsubscribe, as YOU MUST acknowledge the request.

If YOU did not bother to save the instructions when YOU joined the list, 
here they are again:

=

Welcome to the openssl-users mailing list!

Please save this message for future reference.  Thank you.

If you ever want to remove yourself from this mailing list,
you can send mail to [EMAIL PROTECTED] with the following
command in the body of your email message:

 unsubscribe openssl-users

or from another account, besides your email:

 unsubscribe openssl-users your email

If you ever need to get in contact with the owner of the list,
(if you have trouble unsubscribing, or have questions about the
list itself) send email to [EMAIL PROTECTED] .
This is the general rule for most mailing lists when you need
to contact a human.

  Here's the general information for the list you've subscribed to,
  in case you don't already have it:

This open mailing list is used for discussions between
the OpenSSL users. Everyone can post.

OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]




Re: Expired CA certificate

2001-01-10 Thread Leland V. Lammert

At 01:02 PM 1/10/01 -0500, you wrote:

I generated a local CA for my company.  However, when I generated it, the
CA certificate only had like a month-long validity, and it expired today.
Is there any way to "renew" this CA certificate, or am I going to have to
generate a new CA?

Thanks,
Wade

When you generate the cert, specify '-days 365' for a year.

 Lee
    Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net





Re: Expired CA certificate

2001-01-10 Thread Leland V. Lammert

At 03:53 PM 1/10/01 -0500, you wrote:

Is there any way to fix the already-generated CA certificate, or do I need
to make a new one?

--Wade

To my knowledge, once you create a certificate there is no way to change it 
- that would provide a very BIG security hole <g>!

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net


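An added example for the two "Expired CA certificate" replies above (not code from the posts): the validity window is inside the signed data, so an expired CA certificate cannot be edited in place, but a replacement CA certificate can be issued from the same key with the `-days 365` Lee suggests, and server certificates already issued under the old CA cert still verify against the new one because chain building matches on issuer name and key. Assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH; all names, subjects and paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the list posts. Assumes the openssl CLI is on
# PATH; every name, subject and path below is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The CA key is generated once; every CA certificate below is issued from it.
openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null

# issue_ca_cert DAYS OUTFILE: self-signed CA certificate for ca.key, valid DAYS days.
issue_ca_cert() {
    openssl req -x509 -new -batch -key "$WORK/ca.key" -sha256 -days "$1" \
        -subj "/O=Example Corp/CN=Example Corp Internal CA" \
        -out "$WORK/$2" 2>/dev/null
}

# expires_within CERT DAYS: exit 0 if CERT will have expired DAYS days from now.
# openssl's -checkend exits 0 when the certificate is still valid at that time,
# so the sense is inverted here to read naturally.
expires_within() {
    if openssl x509 -in "$WORK/$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# not_after CERT: print the notAfter date as openssl reports it.
not_after() {
    openssl x509 -in "$WORK/$1" -noout -enddate | sed 's/^notAfter=//'
}

# fingerprint CERT: SHA-256 fingerprint, which changes with every re-signing.
fingerprint() {
    openssl x509 -in "$WORK/$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# issue_server_cert CACERT OUTFILE: sign a 30-day server certificate under CACERT.
issue_server_cert() {
    openssl req -new -batch -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -subj "/O=Example Corp/CN=www.example.com" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha256 -days 30 -out "$WORK/$2" 2>/dev/null
}

# verifies CERT CACERT: exit 0 if CERT chains to CACERT.
verifies() {
    openssl verify -CAfile "$WORK/$2" "$WORK/$1" >/dev/null 2>&1
}

# 1. The situation in the thread: a CA certificate created with one month of validity,
#    and a server certificate already issued under it.
issue_ca_cert 30 ca-30.pem
issue_server_cert ca-30.pem server.pem

# 2. The fix from the thread, applied to a replacement CA certificate: -days 365.
#    The old file is untouched; a new certificate is issued from the same key.
issue_ca_cert 365 ca-365.pem

echo "30-day CA notAfter:  $(not_after ca-30.pem)"
echo "365-day CA notAfter: $(not_after ca-365.pem)"
echo "fingerprints differ: $(fingerprint ca-30.pem) / $(fingerprint ca-365.pem)"
if verifies server.pem ca-365.pem; then
    echo "server cert issued under the 30-day CA still verifies against the 365-day CA"
fi
```

Clients that trust the old CA file need the replacement file distributed to them; only the key and subject carry over, not the trust already installed.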



RE: Certs: where to get them?

2001-01-02 Thread Leland V. Lammert

At 10:28 PM 12/30/00 -0800, you wrote:
The only difference between purchasing a certificate and issuing your own
certificate is that when I come across your web site and I see your "snake
oil" certificate, how do I know you're not some 'fly by night' web site
trying to steal my credit card number of use any 'confidential' information
I submit to you for your own personal gain?

Hi Ray,

I had to respond to this one - what, for heavens sake, would prevent me 
from opening a sham corporation, purchasing a cert, and making away with 
YOUR credit card number? NOTHING! Having a certificate from a commercial 
authority does nothing except prevent the user from seeing the 'Do you 
trust this site'? dialog.

The ONLY way to trust the person to whom you are giving your credit card is 
to trust the business being represented. Do you give your credit card 
number to porn sites?? What makes them any better than one of your 'snake 
oil' sites? The fact that they purchased their certificates from a 
commercial company says NOTHING about the business they are representing.

Second, the 'snake oil'
certificate doesn't accurately identify your company name. Therefore, where
will I go for information on your company? There won't be any "snake oil"
company listed with any US online database of Incorporated Companies, there
won't be any "snake oil" company listed with any state's "Better Business
Bureau".

Nope. When you create a certificate, you supply the organization name *and* 
location (city/state or eq). If you do not provide one, that's your 
choice, but if you complete the cert properly, the company name and 
location is included. Yes, purchasing a commercial cert would *require* an 
ON (I have not tried to create a cert with a blank name, but I *think* you 
can), .. but to what advantage? What user cares? What user even LOOKS at 
the organization name?

The bottom line is a commercial cert only prevents the user from getting the 
'Do you trust this site' dialog, .. it does nothing to validate the 
business represented. The user, and *only* the user, is responsible for 
that validation and trust.

Certainly, a naive user might trust a site more if it does not put up the 
'Do you trust this site' dialog, .. but is that trust properly placed? If a 
user gives his/her credit card number to any site on the internet just 
because the lock symbol is present on their browser he/she has a much 
BIGGER problem dealing with ecommerce in general than one a certificate is 
capable of solving!

I, for one, *use* 'snake oil' certificates because I wish to *remind* the 
user that they must trust the issuer of the certificate (displayed in the 
dialog box), .. paying $125 (or even $400) a year is not the proper way to 
earn that trust.

I guess that makes 6 cents!

 Lee
Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net





Re: Always ask password when start Apache httpsd?

2000-11-15 Thread Leland V. Lammert

At 08:46 PM 11/14/00 -0500, you wrote:

However each time I start the httpsd daemon, it always asks me for the 
private key. Is there any command option to save the private key?

In scanning the posts, .. I am not sure anyone gave you the correct answer 
- if you need auto-start (which we always do here, .. I, for one, would not 
wish to schlep down to the NOC in case the UPS ran out!), you need to 
remove the passphrase from the key.

IIRC, the procedure is in the FAQ.

Thank you in advance!

You're welcome.

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net





Re: Error Message : IP address does not match the server name

2000-10-30 Thread Leland V. Lammert

At 11:17 AM 10/29/00 +0800, you wrote:

When I try to send mail or receive mail using the SSL connection using 
Outlook 98, the following error message occurs: "IP address does not match 
the server name".

So, I am wondering if this is due to a DNS error?

That would mean that the Reverse DNS does not match your name - which is 
not an SSL problem. The most likely cause is the RDNS configuration on your 
DNS server - make sure that the server IP you are using correctly resolves 
to your CN.

 Lee




Re: changing of passphrase

2000-09-25 Thread Leland V. Lammert

At 05:53 PM 9/25/00 -0700, you wrote:
Hi, can someone help me? I'm trying to change the
passphrase that is use to start the ssl-apache. Thanks.

Buy a new Cert.

 Lee




Re: Changing the information in certificate request

2000-09-05 Thread Leland V. Lammert

At 02:14 PM 9/5/00 +0200, you wrote:
Hello,

Suppose that a user generates a certificate request, but enrolls partially
incorrect information in it (let's say (s)he filled the OU in other format
than how I'd like it to be; for example "Dept. 870" instead of just "870").

Ivan,

I do not think you can change the information once submitted to the request 
generator, ..

That's why I'm trying to write a script for certificate signing, that would
allow me to change the information (DN, OU, O, L, ...) contained in
certificate request.

but it would be easy to do as a script - just keep each element as a local 
variable, and allow the user to edit the information as required. Only 
submit and build the certificate request upon acceptance (i.e. submit ALL 
data at once).

 Lee

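An added example of the signing-helper approach Lee describes above (not code from the post): every DN element lives in a variable, the operator corrects any of them (here an OU typed as "Dept. 870" is normalised to the policy form "870"), and the request is built only once all values are accepted, so nothing ever has to be edited inside a CSR. Assumes the `openssl` CLI is on PATH; the DN values and the OU rule are constructed.

```shell
#!/bin/sh
# Added example, not code from the list posts. Assumes the openssl CLI is on
# PATH; the DN values and the "Dept. 870" -> "870" rule are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# normalize_ou VALUE: site policy from the thread, a bare department number.
normalize_ou() {
    printf '%s\n' "$1" | sed -e 's/^[Dd]ept\.\{0,1\}[ ]*//'
}

# dn_escape VALUE: backslash-escape the characters openssl's -subj parser treats
# specially, so a value such as "R&D/Networks" survives intact.
dn_escape() {
    printf '%s' "$1" | sed -e 's#[/+\\]#\\&#g'
}

# build_subj C O OU CN: assemble the -subj argument from the accepted values.
build_subj() {
    printf '/C=%s/O=%s/OU=%s/CN=%s' \
        "$(dn_escape "$1")" "$(dn_escape "$2")" "$(dn_escape "$3")" "$(dn_escape "$4")"
}

# make_csr SUBJ KEYOUT CSROUT: generate a key and a request with that subject.
make_csr() {
    openssl req -new -batch -newkey rsa:2048 -nodes -sha256 \
        -keyout "$2" -subj "$1" -out "$3" 2>/dev/null
}

# csr_subject CSR: the subject as stored in the request, RFC 2253 form
# (most-specific RDN first), for checking what was actually submitted.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# --- the workflow ---------------------------------------------------------
# 1. Values as the user typed them into the enrolment form.
C="US"; O="Example Corp"; OU="Dept. 870"; CN="www.example.com"

# 2. Review/correct step. In an interactive helper this is where the operator
#    edits a field; the policy fix for OU is applied automatically.
OU=$(normalize_ou "$OU")

# 3. Build the request only now, with all elements submitted at once.
SUBJ=$(build_subj "$C" "$O" "$OU" "$CN")
make_csr "$SUBJ" "$WORK/server.key" "$WORK/server.csr"

echo "subject argument: $SUBJ"
echo "subject in CSR:   $(csr_subject "$WORK/server.csr")"
```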



Re: OpenCA.org

2000-08-30 Thread Leland V. Lammert

At 10:39 PM 8/30/00 +0200, you wrote:
On Wed, Aug 30, 2000 at 09:58:21PM +0200, Arne Borkowski (borko.net) wrote:
  Hi,
 
  someone mentioned the URL http://www.openca.org/
 
  However, I cannot establish a link with my browser to it. Is the URL wrong?
  Is the site down? Could somebody please "make me see" ???
 
The url is correct - and the site is up.

Mads Toftum

Mads (& Arne),

Just to let Arne know that openca is *not* a phantom <g>, .. openca *has* 
had a number of up/down problems in the past few months, .. last time I 
tried to load it about a month ago the DNS was not resolving.

Hopefully, it will be more stable in the future.

 Lee




Re: AW: OpenCA.org

2000-08-30 Thread Leland V. Lammert

At 01:21 AM 8/31/00 +0200, you wrote:
Hi,

somewhere with *.interbusiness.it the tracert dies.

But still I cannot access the site from here. However, I do not want to
bother the whole list with that problem. I'll keep on trying without
complainig here :-)

10  mi5-ny2-1.seabone.net (195.22.192.198)  142.428 ms  143.738 ms  142.531 ms
11  ibs-9-it-mi5.seabone.net (195.22.196.42)  145.052 ms  143.608 ms  143.370 ms
12  r-mi46-fa5.interbusiness.it (151.99.75.3)  142.662 ms  143.124 ms  142.582 ms
13  r-com-modena.interbusiness.it (195.31.113.190)  158.545 ms  159.060 ms  158.305 ms
14  s0-TIR-i

Non-authoritative answer:
Name:albert.openca.org
Address:  195.223.135.22
Aliases:  www.openca.org

Site comes up from here, .. but it has been down in the past.





Re: transferring digital cert.

2000-08-28 Thread Leland V. Lammert

At 10:37 AM 8/28/00 -0500, you wrote:
Quick question.

We are getting ready to do some major upgrades on our network, thus
moving everything off the old.  How would I go about transfering our
digital certificates, ect. from one server to another?

The reason I ask is that we use Verisign and I've heard from
"unreliable" sources that we would have purchase another certificate?


-William Scates

As long as the server name is the same, .. you should be OK. Of course 
Verisign wants you to purchase a new certificate!

The certificate itself is just a file, put it in the proper directory on 
the new server and point your config to it.

 Lee

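An added example (not code from the posts) of the checks to run after copying a certificate and key to a replacement server, as in the "transferring digital cert." question above, including the point from the "NAT + mod_ssl" reply that the certificate is bound to the DNS name it was issued for and not to the IP address a client reaches. Assumes the `openssl` CLI (1.1.1 or newer) is on PATH; the certificate, keys and host names are constructed.

```shell
#!/bin/sh
# Added example, not code from the list posts. Assumes the openssl CLI (1.1.1
# or newer) is on PATH. The certificate, keys and host names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for the files copied off the old server: a self-signed
# server certificate with its key, plus an unrelated key for the mismatch case.
openssl req -x509 -new -batch -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/server.key" -subj "/O=Example Corp/CN=www.example.com" \
    -addext "subjectAltName=DNS:www.example.com" \
    -out "$WORK/server.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# cert_matches_key CERT KEY: exit 0 if the public key in CERT belongs to KEY.
# Comparing the RSA modulus is the classic check for "did I copy the right key".
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ "$c" = "$k" ]
}

# cert_cn CERT: the CN the certificate was issued for (RFC 2253 order puts it first).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# cert_covers_host CERT HOST: exit 0 if CERT was issued for HOST. Modern clients
# only look at subjectAltName; the CN fallback is what 2000-era clients checked.
cert_covers_host() {
    sans=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null || true)
    if printf '%s\n' "$sans" | grep -q 'DNS:'; then
        printf '%s\n' "$sans" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
    else
        [ "$(cert_cn "$1")" = "$2" ]
    fi
}

# not_expiring CERT DAYS: exit 0 if CERT is still valid DAYS days from now.
not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# migration_check CERT KEY HOST: run all three checks, report each, exit 0 only
# if every one passed.
migration_check() {
    rc=0
    if cert_matches_key "$1" "$2"; then echo "ok: key matches certificate"
    else echo "FAIL: key does not match certificate"; rc=1; fi
    if cert_covers_host "$1" "$3"; then echo "ok: certificate covers $3"
    else echo "FAIL: certificate was not issued for $3"; rc=1; fi
    if not_expiring "$1" 30; then echo "ok: valid for at least 30 more days"
    else echo "FAIL: certificate expires within 30 days"; rc=1; fi
    return $rc
}

echo "== correct key, checked by the DNS name =="
migration_check "$WORK/server.crt" "$WORK/server.key" www.example.com || true
echo "== wrong key, checked by the NAT address instead of the name =="
migration_check "$WORK/server.crt" "$WORK/other.key" 203.0.113.10 || true
```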



Re: Specifying seprate Document roots for SSL VirtualHosts

2000-07-27 Thread Leland V. Lammert

Tom,

The virtual hosts you have configured will not work. You must have a unique IP/Port 
combination for EACH SSL server. Use a separate IP for your hosts [or port] and 
everything will be copasetic.

Lee

At 01:03 PM 7/27/00, you wrote:
I can be more specific:

Here's how I have it set for several virtual hosts:

<VirtualHost 10.10.10.10:443>
SSLEnable
SSLCertificateFile /usr/local/apache/certificate_location server1.pem
</VirtualHost>

<VirtualHost 10.10.10.10:443>
SSLEnable
SSLCertificateFile /usr/local/apache/certificate_location server2.pem
</VirtualHost>

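An added check for the mistake in the configuration quoted above (not code from the post): without TLS Server Name Indication, which was only standardised in RFC 3546 in 2003, the server must pick a certificate before it sees any host name, so two SSL virtual hosts on one IP:port both get the first certificate, which is why Lee's rule of one IP/port per SSL host was absolute then and still applies to anything serving pre-SNI clients. The sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not code from the list posts. The configuration below is
# constructed; it reproduces the two hosts from the thread on one address.
set -eu

# find_duplicate_ssl_vhosts CONF: print each address:port used by more than one
# SSL-enabled <VirtualHost> (SSLEnable is Apache-SSL, "SSLEngine on" is mod_ssl).
find_duplicate_ssl_vhosts() {
    awk '
        /^[ \t]*<VirtualHost[ \t]/ { addr = $2; sub(/>.*$/, "", addr); ssl = 0 }
        /^[ \t]*SSLEnable[ \t]*$/           { ssl = 1 }
        /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/    { ssl = 1 }
        /^[ \t]*<\/VirtualHost>/            { if (ssl) seen[addr]++ }
        END { for (a in seen) if (seen[a] > 1) print a }
    ' "$1" | sort
}

CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT

# Constructed: the two hosts from the thread on one address, plus a correct
# third host on its own IP and a plain-HTTP host that must not be counted.
cat > "$CONF" <<'EOF'
<VirtualHost 10.10.10.10:443>
    SSLEnable
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server1.pem
</VirtualHost>

<VirtualHost 10.10.10.10:443>
    SSLEnable
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server2.pem
</VirtualHost>

<VirtualHost 10.10.10.11:443>
    SSLEnable
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server3.pem
</VirtualHost>

<VirtualHost 10.10.10.10:80>
    ServerName plain.example.com
</VirtualHost>
EOF

dups=$(find_duplicate_ssl_vhosts "$CONF")
if [ -n "$dups" ]; then
    echo "SSL virtual hosts sharing an IP:port (give each its own IP or port):"
    echo "$dups"
fi
```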



Re: Certificates

2000-07-24 Thread Leland V. Lammert

At 07:11 AM 7/24/00, you wrote:
1. Are there free certificates somewhere?

Yes. You can build your own (see the OpenSSL docs for creating a CSRT), .. the only 
difference is that you will not have traceability to a root cert, and any users will 
get the dialog box(es) 'do you really trust this site'.

2. Does higher price mean a better certificate?

No.  The encryption is the same [for the selected encryption technology] once the user 
and server have agreed on the CERT.

Or why are the prices sometimes so high?

Because companies like to make money. Prime example - RSA.

Can anyone give me some advice about this?

You can also check out EquiFax - they have a standard CERT for $45, last time I 
checked.

Lee

   Leland V. Lammert[EMAIL PROTECTED]
  Chief Scientist Omnitec Corporation
  Network/Internet Consultants  www.omnitec.net





Re: Certificates

2000-07-24 Thread Leland V. Lammert

At 04:06 AM 7/24/00, you wrote:
You can get a trial one (e.g. at Verisign), or build your own CA

You don't need to build your own CA for a single cert, .. a CA is only required (IIUC) 
to manage *client certs*.

I think a good certificate is made of two things, trust (in the CA), and
availability of your cert for other people to contact you.

Sorry, .. but *anybody* can get a CERT, from *any* vendor. All you need is the 
appearance of a business (i.e. telephone, mailing address, minimal credit report, ...) 
- trust is not an issue.


Lee

   Leland V. Lammert[EMAIL PROTECTED]
  Chief Scientist Omnitec Corporation
  Network/Internet Consultants  www.omnitec.net





Re: Free CA

2000-06-13 Thread Leland V. Lammert

At 03:09 PM 6/12/00, you wrote:
Interesting...  I don't quite understand what the preloaded root certs
have as extra value.

The ONLY reason for e-commerce folks to sign up with a Root Cert CA (like Verisign or 
Thawte) is to prevent the nasty messages when a user initiates an SSL connection. 
Other than that, I, for one, will continue to use our self-generated certs <g>.

Lee

   Leland V. Lammert[EMAIL PROTECTED]
  Chief Scientist Omnitec Corporation
  Network/Internet Consultants  www.omnitec.net





Re: certificate

2000-04-28 Thread Leland V. Lammert

At 03:10 PM 4/27/00, you wrote:
So how to set this certificate, and do I write in httpsd.conf correctly, or maybe 
it is possible to turn off cache and no problem.

The best FAQ right now is on www.apache-ssl.org. Your settings for cache should work 
with the default httpsd.conf, .. so you might wish to revert back to the original 
again.

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net





Re: Certi

2000-04-26 Thread Leland V. Lammert

At 12:53 PM 4/26/00, you wrote:

Of course, nothing is as secure as a human being typing the passphrase in
at startup, but we've established that that is too much like hard work :).

Sorry, .. but you missed the point. If you are rebooting a server:

1) In many cases the person doing the rebooting does not have root access, .. much 
less knowledge OF the pass phrase!

2) In many other cases, the reboot is done remotely.

3) In both cases above, the server would HANG on reboot awaiting a passphrase.

4) In 95% of the other cases, nobody is going to the trouble to write a C program just 
to enter the passphrase.

5) A passphrase on a server doesn't really matter anyway, .. since if the machine is 
setup correctly only the SysAdmin has access to the directory with the key.

In reality, passphrases are only applicable on user-level machines.

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net


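An added example (not code from the posts) for the "Always ask password when start Apache httpsd?" reply further up and for point 5 above: the passphrase is stripped from the server key so httpd can start unattended, and the protection then rests on the key file being readable by the administrator only. Assumes the `openssl` CLI is on PATH and a POSIX `ls`; the key, passphrase and paths are constructed.

```shell
#!/bin/sh
# Added example, not code from the list posts. Assumes the openssl CLI is on
# PATH and a POSIX ls. The key, passphrase and paths are constructed.
set -eu
umask 077                        # everything created below starts owner-only

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The starting point: an AES-encrypted key, which is why httpsd prompts on start.
openssl genrsa -aes256 -passout pass:correct-horse -out "$WORK/server.key.enc" 2048 2>/dev/null

# is_encrypted KEYFILE: exit 0 if the PEM key is passphrase-protected, in either
# the PKCS#8 form OpenSSL 3 writes or the traditional form OpenSSL 1.x writes.
is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# strip_passphrase IN OUT PASS: write an unencrypted copy of IN to OUT and lock
# its permissions down. IN is left encrypted as the offline copy.
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
    chmod 600 "$2"
}

# modulus KEYFILE [PASS]: the RSA modulus, to prove both files hold the same key.
modulus() {
    openssl rsa -in "$1" -passin "pass:${2:-}" -noout -modulus 2>/dev/null
}

# owner_only FILE: exit 0 if group and others have no permission bits at all
# (columns 5-10 of ls -l are the group and other rwx triplets).
owner_only() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

strip_passphrase "$WORK/server.key.enc" "$WORK/server.key" correct-horse

# With server.key in place, SSLCertificateKeyFile can point at it and the daemon
# starts without a prompt; the protection now rests entirely on file permissions.
for f in server.key.enc server.key; do
    if is_encrypted "$WORK/$f"; then enc=encrypted; else enc=plaintext; fi
    if owner_only "$WORK/$f"; then perm=owner-only; else perm=READABLE-BY-OTHERS; fi
    echo "$f: $enc, $perm"
done
if [ "$(modulus "$WORK/server.key.enc" correct-horse)" = "$(modulus "$WORK/server.key")" ]; then
    echo "both files contain the same RSA key"
fi
```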



Re: [Re: ssh login, urgent help needed]

2000-04-20 Thread Leland V. Lammert

At 04:58 PM 4/19/00 , you wrote:
On Wed, 19 Apr 2000, Leland V. Lammert wrote:

SSH has never had a GPL version, ssh-1.2.16 and previous were under
a free license but later versions were under successively more 
restrictive licenses.

Use OpenSSH :)

*BUT* OpenSSH is still v1. How can OpenSSH talk to a v2 commercial product?

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: Verisign -- Want some free certificate over the Internet?

2000-03-31 Thread Leland V. Lammert

At 11:28 AM 3/30/00 , you wrote:
This site distributes a free software called SecureAge which 
is working on Windows 95/98/NT. It will give the user a free
certificate issued by that company, that certfiticate will enable 
the user to
  - send signed/encrypted email
  - exchange secure document over the Internet
  - chat securely with friends 

OK, .. but what root cert do they use? There is no listing in either IE or NN for 
SecureAge.

Without a cert from a CA that has their root cert in the tree of NN or IE, it is no 
better than generating a cert with OpenSSL (self certifying). 

 Thanks,

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: Verisign -- Want some free certificate over the Internet?

2000-03-28 Thread Leland V. Lammert

At 08:04 PM 3/28/00 , you wrote:
Want some free certificate from the Internet?
Try www.secureage.com

What does this have to do with certs? The site is about a security application, .. not 
certs - have I missed something?

Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: Commercial SSL in the US

2000-03-11 Thread Leland V. Lammert

At 05:15 PM 3/10/00 , you wrote:

Your post is rife with errors of fact and reasoning.  The first
is reference to BSAFE.  You of course mean RSAREF  --  and it is not
now, nor has it ever been, nor is it likely ever to be "in the public domain."
The RSA algorithm is still patented in the US (until September 20, 2000).  
RSAREF contains copyrighted code,  and that doesn't expire when the
patent does.  

Micheal,

I am not sure if you read the reply you sent - you should reread the original post 
before accusing someone of 'errors of fact and reasoning'.

---

  1.   RSAREF is free for personal or corporate use under the
   following conditions:

Those conditions are *EXACTLY* what this post is about! The issue was securing an 
internal server, .. not selling or deploying an SSL application. Those selling SSL 
applications, certainly, have reason to be cautious of RSAREF and patent issues, .. 
however your confirmation above about corporate use is exactly what we do, and I have 
been recommending for five years.

 Lee
    Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: Commercial SSL in the US

2000-03-10 Thread Leland V. Lammert

At 07:27 AM 3/10/00 , you wrote:
   Hiya,
 You could wait 'till Sept 20th this year when the RSA patents expire .
. . .
 G.

Or not, .. RSA *STILL* has the BSafe toolkit in the public domain, .. and its license 
specifies that you can use it for any 'internal' use. *OUR* legal beagles tell me that 
'internal use' includes anything for which we do not charge a fee, .. including using 
OpenSSL to secure our own servers. To *SELL* anything including or using the RSA 
toolkit, we would have to pay RSA a license.

Some of the folks here happily mix the two, taking the 'trod upon' viewpoint, .. but I 
would recommend checking with your own lawyers to make a decision.

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: Commercial SSL in the US

2000-03-09 Thread Leland V. Lammert

At 05:10 AM 3/9/00 , you wrote:
  Wow.  I'm at a loss here.  Does anyone know of any
way that my (tiny) company can legally use SSL for
commercial purposes in the US without paying an obscene
amount of money to RSA or buying an obscenely expensive
web server system from a vendor?

Yes. It's called OpenSSL. Export regulations were relaxed this January, .. and while 
there are many issues to be resolved, it essentially means that WE can IMPORT anything 
in the public domain without a problem.

   We were going to use
an Apache web server with its OpenSSL interface, but
the Apache documentation indicates that this is not allowed
for commercial purposes in the US.  Any help you can give
would be appreciated.

Commercial use as defined by the Feds is *SELLING* the software. Using it for YOUR 
website is not commercial use. Some have argued the point, but who cares? As a small 
company, we can download OpenSSL, OpenBSD (my next project), SSH, and on and on as 
long as we grab international versions. Nobody cares what we do, as long as WE do not 
EXPORT crypto software.

Now before all of the experts chime in, realize that I am just speaking from the 
'small fry' viewpoint <g>! It will take years before the regs work their way through 
the courts and are interpreted, .. but at this point there is nobody saying that you 
cannot use OpenSSL or any of its related works.

The restrictions occur when US companies export encryption, .. but as long as we use 
international code there are no restrictions.

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: Building a Corporate CA

2000-01-25 Thread Leland V. Lammert

At 05:00 AM 1/24/00 , you wrote:
I've been quite unsuccessful in finding documentation about setting up a
corporate CA.

Does anyone have some pointers for me?

Thanks,

A.

www.openca.org (and mirrors)

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: pine + ssl?

2000-01-21 Thread Leland V. Lammert

At 09:01 PM 1/21/00 , you wrote:
Hello *!

I'm actually searching for patches, in order to force the good old pine
to talk ssl.
Does anybody know where I can get these patches as a non-american human
being?

Thank you very much.

Mark,

I would think it far easier to run over an SSH connection, would it not?

Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




New Export Restrictions

2000-01-13 Thread Leland V. Lammert

Stephen (et al),

I checked the previous posting about the announcement from the Department of Commerce 
on 12 January, .. and it would seem that my recount from Tuesday was correct:

(http://204.193.246.62/public.nsf/docs/60D6B47456BB389F852568640078B6C0)

Global Exports of Unrestricted Encryption Source Code 

Encryption source code which is available to the public and which is not subject to 
an express agreement for the payment of a licensing fee or royalty for commercial 
production or sale of any product developed with the source code may be exported 
under a license exception without a technical review.

Since we are not the exporter, does this not free anyone in the US to assist with 
openssl?

The exporter must submit to the Bureau of Export Administration a copy of the source 
code, or a written notification of its Internet location, by the time of export. 
Foreign products made with the unrestricted source code do not require review and 
classification by the U.S. Government for reexport. 

Contributors [us] are not exporters, .. so this means we have no reporting or risk. 
The 'exporter', if international, does not seem to be at any risk at all - does this 
not mean that they are addressing your previous concern? Based internationally, there 
IS no export action to report/control from the US.

This license exception should apply to exports of most "open source" software. 

Maybe we can now pitch in without risk in the US to help clean up the openssl docs?

 Lee

    Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: Question

2000-01-08 Thread Leland V. Lammert

At 04:14 PM 1/8/00 , you wrote:
Hi everyone,

My name is Jaime.  I recently installed apache-mod_ssl 1.3.9.4.9-0.6.0
and openssl 9.4.1.  I have read on the openssl documentation that it is illegal
to run ssl here in the US.  Well, can anyone shed more light into this issue?

-Jaime

Jaime,

It is not *illegal* (criminal) to run openssl in the US, but a violation of the RSA 
patents - which is a civil issue. If you use openssl (or one of the other public 
domain products), RSA has the right to ask you to cease and desist based on their 
patent. If you continue to use it after being asked to cease and desist, RSA may also 
be able to win a court case for damages.

If you are worried about that, you can purchase one of the commercial flavors - 
Stronghold or RedHat Secure Server.

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: How to install openssl after download the tar file ?

2000-01-06 Thread Leland V. Lammert

At 02:44 PM 1/5/00 , you wrote:
Does anyone have idea ?
After I download the tar file, how to install openssl into NT machine ?

Jason
Jason,

The first thing you have to do is download the correct file - tar files are for UNIX 
machines.

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: How to install openssl after download the tar file ?

2000-01-06 Thread Leland V. Lammert

At 02:08 PM 1/6/00 , you wrote:

- You must unpack the tar file (which is like a zip file) using
something like PkZip or WinZip (or tar -xvf filename in Cygwin bash).

Andrew

Andrew,

I would assume that if someone downloads a tar file, .. they would have downloaded, 
perhaps, a UNIX file?? In any case, a tarball is typically source code, .. which is a 
REAL pain to compile on Win32.

A far better approach would be to acquire one of the pre-built binaries.

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: Seeking officers for Free-software-friendly CA

2000-01-04 Thread Leland V. Lammert

At 01:22 PM 1/4/00 , you wrote:
One solution to the fact that the new CA is not embed in IE nor Netscape is
to:

  snipped for brevity

Nicolas Roumiantzeff.

Nicolas,

One problem with this scenario - the user is still essentially trusting YOUR server 
instead of the CA. By trusting your server to install the proper CERT you are no worse 
(to the user) than using a self-signed CERT (which we do).

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: client cert is rejected - y2k?

2000-01-03 Thread Leland V. Lammert

At 12:01 PM 1/3/00 , you wrote:
hi,

i have an apache with mod ssl installed in november and i was using
self-signed openssl generated client certificate issued in december
expiring in december 2000. this morning i tried to connect over ssl to
my server and failed due to "expired certificate" :-(.  i just issued
myself another client certificate and it failed too. i'm going to
reissue the server certificate next. has anyone experienced this
problem?

--
Aaron Stromas
Oracle Corp.

I just tested ours (we also use self-certs), .. no problem; ours was recreated 
on December 21.

I would expect:

1) You only generated a cert with 30 days expiration (created in November).

2) When you generated the second one, you might have accidentally changed the file 
name or not restarted Apache, so the server did not see it.

 HTH,

Lee
    Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: New Server Certificate

1999-12-28 Thread Leland V. Lammert

At 05:48 PM 12/27/99 , you wrote:
Hi I have downloaded and installed openssl-0.9.4.  It created its own server 
certificate to test with which worked fine.  I have now purchased a new digital ID 
and certificate from Verisign, but I cannot figure out how to install the new 
certificate.  I am using Apache 1.3.9.  Can someone help me install my new 
certificate? 

Thanks in advance for all of your help! 
Darrin. 
[EMAIL PROTECTED] 

Darrin,

You must start with an SSL-enabled version OF Apache (i.e. www.modssl.org or 
www.apachessl.org). You then specify the location of the CERT in the httpsd.conf file.

BTW - Verisign SHOULD have FAQs and docs for this process, .. you might want to 
contact them also.

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net

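The two messages above (a client certificate that suddenly reads as expired, and a newly purchased certificate that has to be installed into Apache) both come down to checking a certificate before the server is trusted with it. The script below is an added example written for this page, not code from the list or from the OpenSSL project. It checks that a certificate still has a given number of days of validity left, and that it actually belongs to the private key sitting next to it, which is the pair that Apache's SSLCertificateFile and SSLCertificateKeyFile directives must agree on. The certificates it generates are throwaway self-signed test material; the names and file names are placeholders, and it assumes a modern openssl command (1.1.1 or later) on the path.

```shell
#!/bin/sh
# Added example for this page, not code from the list or from OpenSSL.
# Pre-install checks for a server certificate and its private key.
# Assumes: openssl 1.1.1+ on PATH; all file names below are placeholders.
set -eu

# cert_valid_for CERT SECONDS
# Exit 0 if CERT is still valid SECONDS from now, 1 if it will have expired.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_matches_key CERT KEY
# Exit 0 if the public key embedded in CERT equals the public half of KEY.
# Comparing the whole SubjectPublicKeyInfo works for RSA and EC keys alike.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_for_install CERT KEY MIN_DAYS
# Combined gate for a new certificate: 0 only if the pair matches and the
# certificate stays valid for at least MIN_DAYS more days.
check_for_install() {
  cert_matches_key "$1" "$2" ||
    { echo "$1: public key does not match $2" >&2; return 1; }
  cert_valid_for "$1" $(( $3 * 86400 )) ||
    { echo "$1: expires within $3 days" >&2; return 1; }
  openssl x509 -in "$1" -noout -subject -dates
}

# --- constructed test material: throwaway self-signed certificates ---------
make_selfsigned() {   # make_selfsigned NAME DAYS  ->  NAME.key and NAME.pem
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
    -days "$2" -subj "/CN=$1.example" >/dev/null 2>&1
}
WORK=$(mktemp -d)
cd "$WORK"
make_selfsigned short 30      # a 30-day cert, as suspected in the thread
make_selfsigned long 365

check_for_install long.pem long.key 60   # prints subject and dates, exit 0
```

The 30-day certificate passes a one-day check and fails a 31-day one, which is exactly the symptom in the thread; the 365-day certificate passes the combined gate. Run the same two functions against a purchased certificate and the server's key before restarting Apache, and after the restart confirm with `openssl s_client -connect host:443` that the certificate being served is the new one rather than the old test certificate.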



Re: Is it legal?

1999-12-27 Thread Leland V. Lammert

At 08:14 AM 12/26/99 , you wrote:
At 05:15 AM 12/26/99 +0100, Roberto Micarelli wrote:

That's a good question, stay with us in fighting against sw patents.

I *HAVE* to take exception to this.  As a patent holder myself (I hold 4
of them), what's wrong with somebody being able to safeguard their own
personal inventions?  You seem to believe that nobody has a right to do that.
Sorry, pal, but you are just plain WRONG!  And I think it's highly inappropriate
that you openly push that agenda in a forum like this.

Dan,

I also believe in SW patents, .. but the current farce with RSA, even you have to 
admit, is stupid! Why cannot developers purchase a license (I do not call $100,000 a 
license fee for ANYONE)? Why has RSA abandoned RSAREF?

I think even you would have to agree that this is a SW patent gone WAY off track.

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: configuration

1999-12-22 Thread Leland V. Lammert

At 04:55 AM 12/22/99 , you wrote:
Hello all,
  
I try to learn more about openssl
  
The installation is ok !!
But I try to configure it and I can manage it !
  
Can someone help me?
Thanks in advance,
Fabrice 

Fabrice,

The documentation is on the web site - 

http://www.openssl.org/docs/openssl.html

Another source is the system you are integrating openssl *with* (e.g. Apache).

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: Seeking officers for Free-software-friendly CA

1999-12-22 Thread Leland V. Lammert

At 12:40 PM 12/22/99 , you wrote:
I think a free CA would be great. I really wish there was an academic
institution initiative. A big limitation as far as I can
see would be getting certs pre-installed into web browsers.
The chance of either MS or netscape doing this would be close to none.
If my experience is anything to go by, asking the average user to import a
CA can be problematic.

It IS going to be a pain - Thawte was the only agency willing to issue a CERT for 
user-compiled code. The only solution that I see is for vendors to self-certify. 
What's the difference between self-certification and a Verisign cert anyway?? In the 
first case, the user gets the 'do you trust this site' messages (four in NN), but once 
they accept the cert no problem. In the second case, the user must trust the CA 
(Verisign only in the current marketplace), of which they are not aware in most cases.

I created our own cert two years ago, and just renewed it (recreated for another 365 
days) for the second time. Nobody has complained to date!

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: Another RSApkc Primer

1999-12-01 Thread Leland V. Lammert

At 11:00 PM 11/30/99 , you wrote:
Hi --

Terrell Larson wrote:

  Here's another couple options:
 
  1)  www.thwaite.com

I believe that's www.thawte.com -- their certificates cost about 1/2
what Verisign charges.

Linda,

That was my first assumption, .. but I am unsure what Thawte (a certificate vendor) 
has to do with Apache and SSL products. (Thawte being an issuer of reasonable cost 
certificates.)

Has anyone else here seen this announcement from Spyrus:

http://www.spyrus.com/content/pressroom/releases/1999/pr_ssl_pricing.html

and what is your opinion?

Interesting, .. reasonable price ($95) for an SSL toolkit. No help with the RSA 
license issue however, .. they also pass through the 2% fee.

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: ca/cert key gen?

1999-12-01 Thread Leland V. Lammert

At 05:23 AM 12/1/99 , you wrote:
Skye Poier wrote:
[...]
  Also, what files do I need to generate for the server and client
  (certificates? CA? private/public keys?) for those ciphers and what
  are the steps for doing that?  I think I can be my own CA, also neither
  the client nor the server are checking certificates, we're just using
  the encryption for now.

Check out openca.org - we have not used their system, but it is supposed to be a 
standard CA implementation.

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: Another RSApkc Primer

1999-11-30 Thread Leland V. Lammert

At 01:08 PM 11/30/99 , you wrote:
"Leland V. Lammert" [EMAIL PROTECTED] writes:
  1) Purchase an Apache like Stronghold (at $1K+ not an option for a small company). 
Completely legal in the US?
Frankly, I find this baffling. I work for a small company (two people)
and we bought well over 3K in computers and software last year. If
you can afford computers, Internet service, and a web site, you
should be able to fork over $1K for a web server.

Sorry, .. but the economics just don't work - even using your example, $3K of hardware 
can host 50-100 sites, .. at, say, a net profit of $25/ea makes the payback about a 
year. Spending $1K on an SSL server just doesn't make sense, .. unless you had a 
specific project with requisite revenues.

Besides, .. for the past three years our hardware budget has been exactly $0 (we have 
used recycled machines quite successfully to build servers for quite some time - one 
of the main advantages with Unix; the only problem has been that power supply fan 
bearings only last about five years of 24/7 <g>!).

  Since it is not practical for a small company to deal directly with
  RSA (or the like), our only option at the time seemed to be #2, as
  the server was initially a 'test site'. We need to rebuild the
  server in the near future, .. and I would be very interested in pros
  and cons.
You've missed at least one interesting option: use IIS on Windows. You
get SSL with RSA for free.

That is not consistent with my information - when we priced IIS three years ago, MS 
required a purchase of SITE SERVER (at $1K+) to get SSL capability. Have they changed 
the terms? It is not my understanding that you could run SSL in plain IIS.

Lee
====
    Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: Another RSApkc Primer

1999-11-29 Thread Leland V. Lammert

At 03:54 AM 11/24/99 , you wrote:

Didn't mean for this to run on so, but it's now the wee hours of
a holiday eve.   I beg your pardon for any pedantic airs that crept in;
summary histories seem to foster them.

Vin,

Thank you for the excellent SSL history! Though there might be inaccuracies (of which 
someone else may point out), I, for one, would be most interested if you can comment 
on (or add to) the following options as I see them for a US based company that wishes 
to build an SSL-based web server:

1) Purchase an Apache like Stronghold (at $1K+ not an option for a small company). 
Completely legal in the US?

2) Build Apache with OpenSSL (or, as we did three years ago, with SSLeay). Legal for 
non-commercial purposes in the US and questionable for e-commerce?

3) Purchase the RedHat Secure Server (as I commented earlier), .. though I did not 
think to phrase that I was advocating using the RH SSL binaries and linking to a 
standard Apache (which I have been told is completely legal). Legal, but may be 
problematic merging standard Apache and RH implementations?

4) Install OpenBSD (though we have not used it, it appears to have the SSL libraries 
built-in). Legal status unknown?

Since it is not practical for a small company to deal directly with RSA (or the like), 
our only option at the time seemed to be #2, as the server was initially a 'test 
site'. We need to rebuild the server in the near future, .. and I would be very 
interested in pros and cons.

 TIA,

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: OpenSSL usage liability, RHSWS, and toothbrushes

1999-11-22 Thread Leland V. Lammert

Jeeze, boobie! Lighten UP!! There have been no court cases on the issue (are you a 
lawyer or a judge??), .. and your analogy to piece parts is invalid. Quit giving bogus 
legal advice!

 Lee

At 09:39 AM 11/18/99 , you wrote:
-Original Message-
From: Leland V. Lammert [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, November 18, 1999 1:55 AM
Subject: Re: OpenSSL usage liability.


 At 05:59 PM 11/17/99 , you wrote:
snip
 
Another option - purchase the RedHat secure server for $149, and throw it
away (retaining the license, of course). That way, you WOULD be legal with
openssl.
 
  Lee

Look at it this way: Manufacturer A patents a new bristle technology for
toothbrushes.  Manufacturer B makes a toothbrush using the same technology.
Does buying a toothbrush from Manufacturer A give you a right to use
Manufacturer B's toothbrush?  US PATENT LAW SAYS NO!  The only time you have
a right to use Manufacturer B's toothbrush is if Manufacturer B licenses the
patent from Manufacturer A.  This is entirely independent of any
relationship between the end customer and Manufacturer A.

I have seen this idea tossed around on this list and on the mod_ssl list,
that somehow licensing RHSWS or Raven allows one to use *any* implementation
of RSA.  I personally don't see any factual or legal evidence to support
this conclusion.  It seems that with all of these products, (and with their
crypto toolkits, too), RSA is licensing you "software", not rights to an
algorithm.  That software that they are licensing you happens to use their
patented algorithm (which is certainly lawful, since they own the patent,
and the software).  You have a right to use the algorithm ONLY because you
have a right to use the *software* that you licensed from them.

The license that comes with RHSWS 2.0 states at the top that the software
"[is] protected by copyright *and other laws*. Title to these programs ...
shall at all times remain with the aforementioned ..." (emphasis mine).  The
aforementioned the clause refers to are Red Hat Software and RSA Data
Security, Inc. (now just RSA Security, Inc.).

Subsequently in the RSA portion of the license agreement, it states:

 "The Software Programs include software licensed from RSA Data Security,
Inc. ("RSA Software").  You may not modify, translate, reverse engineer,
decompile, or disassemble the RSA Software or any part thereof, or otherwise
attempt to derive the source code therefrom, and you shall not authorize any
third party to do any of the foregoing.  *Nothing in this Agreement grants
you any rights, license, or interest with respect to the source code for the
RSA Software*..."

Again, the emphasis is mine.  Now, granted, this agreement does not
specifically address the patent issue by name.  However, I would say that
the language of the agreement certainly expresses RSA's intent to limit the
licensee's rights to use the "Software".  Add that to the fact that, AFAIK,
RSA has *never* licensed anyone to use their own implementation of RSA in
the US (one must always license BSAFE), and I'd say even a lawyer (one of
which I am not) would have a hard time arguing that buying RHSWS in any way
grants you rights to use any other implementation of RSA's patented
algorithms.

I actually had a conversation (via email) with Preston Brown of Red Hat, and
he told me that the reason that they distribute RHSWS as a statically-linked
binary only, with source just for the apache part (rather than with the
crypto part as a binary DSO, so that the server could be recompiled, as some
vendors do), is that their license with RSA prohibited it; it seems RSA
wasn't keen on the idea that the user might have some discrete crypto lib
lying around on their system that they could try to put to arbitrary uses.

I feel I must repeat, "I AM NOT A LAWYER."  However, I'd suggest anyone
adhering to the idea that licensing a particular RSA implementation gives
them any rights to the algorithm itself go get one, because they may end up
needing his/her service in court.  September 2000 can't come soon enough.

Dave Neuer
Software Engineer
Futuristics Labs, Inc.
www.futuristics.net


====
Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net


Re: Internal CA Generating my own Certificates

1999-11-22 Thread Leland V. Lammert

At 08:29 AM 11/22/99 , Adam Sherman wrote:
I want to setup an Internal CA and generate my own server  client
certificates. However, I haven't found any documentation on what is
involved or the exact syntax needed.

Please send any information on the above,

Thank You,

A.


www.openca.org

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: Problems with Outlook Express 5 (SMTP) and stunnel

1999-10-06 Thread Leland V. Lammert

At 01:56 AM 10/6/99 , Roman Borovits wrote:
Hi!

I'm sorry but I don't have an answer for you, but maybe you would be so kind
and help me. How can I make my sendmail 8.9 server under Linux being a SSL
server. I guess this would be a long answer, just tell me the highlights,
please, or where I can find some documentation about it.

Roman,

Sendmail is a Mail Transfer Agent (MTA). An SSL server (assuming the web 
variety) requires a web server.

You need OpenSSL (here), .. Apache (www.apache.org) + mod_ssl, .. OR 
ApacheSSL (www.apachessl.org).

If this is beyond your capabilities, you might look for an ISP that offers 
secure web hosting.

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: U.S. To Allow Export Of Encryption Products

1999-09-17 Thread Leland V. Lammert

At 02:29 AM 9/17/99 , Mark J Cox wrote:
  I read that as saying every program using strong encryption must
  still go through the approval process

Right; it doesn't help us allow US people to get involved in the
development.  It also means that browser manufacturers won't be able to
make full-strength versions their default download (because they have a
limit on countries allowed).  Even within the US right now there is a
large percentage of browsers being used that are export-crippled.

Another issue is that MOST people are behind a firewall and cannot even 
download 128-bit encryption products!

 Lee

Leland V. Lammert[EMAIL PROTECTED]
   Chief Scientist Omnitec Corporation
   Network/Internet Consultants  www.omnitec.net




Re: CA and Certificates

1999-08-20 Thread Leland V. Lammert

At 04:39 AM 8/19/99 -0400, Patrick Brewer wrote:

  If I get a certificate from a CA can I then become a CA and create
certificates for machines in my domain?  Or for virtual hosted domains?

The certificate you receive is 'branded' to the site name in the request, and
can only be used on the named site. This establishes your traceability for a
'trust' relationship between your server and SSL enabled browsers that ALSO
trust YOUR certificate origin.

Becoming a CA is a different matter, .. involving YOUR issuance of
certificates. IMLK, being a CA has nothing to do WITH getting a certificate
FROM a CA. (What we do is described above.) If you are a CA issuing
certificates, the certificates you issue are installed on the client machines,
and you both have a trust relationship (i.e. the client trusts you, and you
know the client's identity via the certificate you have issued them.)

Each method is completely independent, .. the first involves *MUTUAL* trust of
a public CA, .. the second involves a bi-directional trust between YOUR CA and
identity-proven clients.

If so how can I create a certificate at other than compile time?  I gather
that it is possible to create a certificate using openssl (the command), but I
can't find it documented anywhere.  (I'm running from a binary RPM, from
Mandrake.)  I would hate to have to compile a new copy of apache, each time I
wanted a new certificate.

Compile time has nothing to do with it. A self-created certificate is usable in
either case above, though for the first case the client will get a few screens
(four in NN) asking if they trust the issuer of the cert (i.e. you). If so, SSL
is permitted.

When I get a real certificate from a CA, can I just copy it over the old
dummy certificate currently being used by my apache server?

Yes, assuming the names match.

Lee

   Leland V. Lammert[EMAIL PROTECTED]
  Chief Scientist Omnitec Corporation
  Network/Internet Consultants  www.omnitec.net




Re: Build-your-own Certificate Authority

1999-07-28 Thread Leland V. Lammert

At 01:09 PM 7/28/99 -0400, Steven J Sobol wrote:
I would like to set up a CA certificate that I will use to sign website
certificates with. These website certificates will be used on a temporary
basis until my client gets a real certificate from a real CA.

Am I correct in thinking that all I have to do is generate a separate
certificate and use it to sign the site certificates?

Steven,

Check out www.openca.org - I have seen it mentioned in threads here, .. though I
have not checked it out myself.

Lee

   Leland V. Lammert[EMAIL PROTECTED]
  Chief Scientist Omnitec Corporation
  Network/Internet Consultants  www.omnitec.net




Re: OT: Hardware proxy?

1999-07-22 Thread Leland V. Lammert

At 02:47 PM 7/21/99 -0700, Harry Whitehouse wrote:

Is there an industrial-strength proxy available commerically which only
permits 443 traffic?  I know I could get something like MS Proxy Server
software and run it on an NT, but the stream of security patches I get from
MS regarding NT isn't particularly calming to me -- suppose someone hacks my
proxy NT?

So is there something more basic -- perhaps a dedicated hardware device --
which would do this job?

Harry,

It *sounds* like you are describing a 'network appliance firewall'. We sell and
have had excellent experience with the Firebox II, from WatchGuard
(www.watchguard.com). Moderate cost ($5K), stand-alone bright red box - no OS
troubles (though it is Linux based), no separate hardware, *really*
straightforward management from your admin console, realtime security updates
(daily).

Lee

   Leland V. Lammert[EMAIL PROTECTED]
  Chief Scientist Omnitec Corporation
  Network/Internet Consultants  www.omnitec.net




Re: Secure Telnet

1999-03-19 Thread Leland V. Lammert

At 01:17 PM 3/18/99 +0100, you wrote:
Hello,

Why SSH would not be appropriate ?

Hi Cedric,

The only problem with SSH is that it normally requires a separate client
software, .. and the cost/complexity is on the order of a VPN solution. One of
our goals in pursuing this approach is to explore a standard client
configuration, which can be supported by anybody (local or remote), vs. a
custom client that has to be supported from the home office.

Since I posted the original message, another chap came back with an SSH JAVA
client that can be downloaded directly to a browser - that *seems* like the
best option for this choice.

Thanks again, .. SSH might be the solution after all, but NOT (most likely)
with the standard client program.

   Lee


===
   Leland V. Lammert, PhDChief Scientist
   Omnitec Corporation  Network Consulting
   [EMAIL PROTECTED]  www.omnitec.net   
===



RE: Secure Telnet

1999-03-19 Thread Leland V. Lammert

At 11:41 AM 3/18/99 -0600, you wrote:
J. River's ICE.PPN might be just what you need.
http://www.jriver.com/

Thanks! Someone else had mentioned jriver, .. but I did not notice that ICE.PPN
product!

Lee

===
   Leland V. Lammert, PhDChief Scientist
   Omnitec Corporation  Network Consulting
   [EMAIL PROTECTED]  www.omnitec.net   
===