Re: I can't believe how much this sucks
It’s interesting that this article shows that LACK OF GOOD DOCUMENTATION and POOR API DESIGN are at the heart of this problem.

I have noticed over the years that much of our society has changed its very idea of what a good application is. It used to be that if something could not be easily understood or behaved badly or unexpectedly, people would see this as a bug in need of fixing. With the rise in software complexity, requirements for budgets and schedules, we have now evolved to a society of hoop jumpers who see software as good enough if they can find a path to make it do what they want. Developers have followed suit, practically forced to do so, and we now have massive amounts of broken code on broken code on broken code.

Ownership of code (i.e. really taking responsibility for it) is unheard of because the onerous burden of being responsible for your work is simply an open door to a lawyer that wants to steal the fruit of your labor. It is no wonder under these circumstances that “security by obscurity” has become the de facto standard of the day. The true bug here is our justice system unfortunately.

I think it is high time for a v2 of openssl, a rewrite almost from scratch, removing support for older protocols and ciphers and simplifying it down with full TDD from start to finish to really correct this problem. And of course, probably not gonna happen. But thanks for listening.

Sandy

-----Original Message-----
From: Marco Molteni (mmolteni)
Sent: Thursday, November 15, 2012 4:42 AM
To: openssl-users@openssl.org
Subject: Re: I can't believe how much this sucks

Another amen. I am a professional programmer. I am grateful for OpenSSL. At the same time, each time I have to use it directly (as opposed to use a few of the good C++ wrappers) I know I will be going down to hell and fight for my life, and when I will come back, my hairs will be grayer :-)

Lack of good documentation is a problem for any software library, but in this case lack of documentation can also cause security vulnerabilities because the user of the API misunderstood it.

As Charles, I propose as food for thought the very recent, very good paper on the security risks of (among other things) wrong APIs and wrong documentation: The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software, available at http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

marco.m

On 13.11.2012 19:49 , Charles Mills charl...@mcn.org wrote:

AMEN! Why is it easier to answer dumb question after dumb question here rather than to document the darned product once? (Never mind the cumulative labor of all the programmers trying to figure out and debug the same problems again and again and again, all over the world.)

Consider http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf. Doesn’t *some* of the responsibility for these (severe and scary!) problems fall on the lack of clear documentation?

It’s a GREAT product and I love it and am grateful but why after years and years do the man pages still say “under construction”?

Charles
Re: I can't believe how much this sucks
In the case of openssl, a big gain would be to simply document the command line interface better and create a doc centric forum for people to add their lessons learned filed around the particular feature area of openssl. WORKING EXAMPLES would be REAL cool.

Does anyone on this alias want to let me or others know how we can update the docs somehow?

-----Original Message-----
From: Carlo Wood
Sent: Thursday, November 15, 2012 8:31 AM
To: openssl-users@openssl.org
Subject: Re: I can't believe how much this sucks

On Tue, 13 Nov 2012 14:11:17 -0700 t...@terralogic.net wrote:

This is just a NORMAL way for a programmer to work IMHO. I HATE coming into undocumented code years after it's been written and IMHO it's a big booby trap because it's very easy to miss something and that creates hard to find bugs. Really cryptic error messages don't help this. I've looked in the OOS community and there are attempts to put together systems and one I looked at was OXYGEN.

I concur.

When I was 12, I wrote compact code with only single character variables and no documentation. For some reason I was able to have thousands of code lines all in my head at once and I had no idea why I'd need to add documentation.

When I got older, I started to use more descriptive variable and function names, mostly for the purpose of being able to 'grep' (reg.exp) them in large code. At some point I completely did away with abbreviations and only used complete English words, discovering that code is incredibly better to understand when the variable names express exactly what they mean (to the point that it avoids bugs). I still didn't see the point in documentation however: the code explained itself as if it was English.

Only when my memory started to get worse and I couldn't remember Megabytes of code anymore, especially when my code became so complex that I had to use Object Orientation because it was impossible to keep an overview, I started to document code. The funny thing is: I did this mostly because I knew that a year later I wouldn't be able to understand it myself anymore if I didn't; not because I thought that anyone else might need it.

Now, after more than 30 years of coding experience I have reached the same conclusion as terra wrote: Code is only as useful as its documentation. Don't bother to write code without good COMPLETE documentation as it's worthless: only you, the developer (with a good memory on top of that) will think it's trivial and usable. Everyone else will not be able to use it.

http://www.stack.nl/~dimitri/doxygen/

I have no idea at this time how useful this would be. Perhaps the best we might be able to do on the user side is a wiki and perhaps one exists. I did a google search on this.

https://help.ubuntu.com/community/OpenSSL

^ I did find this and I did not look very hard. Maybe there is something better. If there is then it doesn't come up in the 1st hits google finds. So I think we can do much better.

Just my 2 cents.

--
Carlo Wood ca...@alinoe.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
I can't believe how much this sucks
I have been struggling with openssl for a few months now writing batch scripts on windows trying to make a .net web client with a client certificate work with 2-way ssl against an apache web server.

Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere. (see this link for one of the 900k+ hits on a google search of “openssl+docs+suck” for how much hell you guys are putting people through trying to figure out this tool)

openssl is used all over the world by tons of people (so I feel dumb having problems here – but I know from Google I am not alone.) but it is just unbelievable to me that the docs remain so terse and useless for so many years.

I have sent email to this alias previously asking how I can help with this. It seems to me there should be an openssl docs forum where content from this eventually finds its way into the online docs themselves. A tool is only as good as people are able to use it.

So let me get specific here – one simple specific question (of many that I have) that has me clueless:

The command of:

    openssl s_client -connect www.pawnmasterpro.com:443 -CApath ssl\certs -cert ssl\certs\client_1.crt -key ssl\keys\client_1.key -pass file:ssl\keys\Client_1_pwd.txt

results in output containing:

    No client certificate CA names sent

from the docs for the s_client command, -cert option says:

    -cert certname
    The certificate to use, if one is requested by the server. The default is not to use a certificate.

My guess from this is that this command is referring to the CLIENT SSL certificate - no? If my assumption is correct, then why am I getting this error? Or is this a notification of something normal and I should be looking elsewhere?

I have checked the Apache httpd-ssl.cnf file I am using and verified that all the certificate related parts are filled in and I have verified the integrity of all the certificates referenced by it. I have been able to do straight one-way SSL with the server as well with both IE and Chrome browsers. Two-way SSL fails with the server logs indicating that the client “refused” the connection.

I am using a self-signed CA which was used to sign the server certificate. The client certificate is also signed by the same CA self-signed certificate.

Apache error logs give me this:

    [Tue Nov 13 12:38:56 2012] [error] [client 127.0.0.1] Invalid method in request

Which is about as useful as the openssl docs are.

I am also seeing this in openssl’s s_client output:

    verify error:num=19:self signed certificate in certificate chain

From what I think I understand, this should not be a showstopper problem as all root CA certs would naturally be self-signed no?

Full output of this operation with the -showcerts command is attached for reference.

I have read through many forum examples of how to do this and it seems simple enough but then when it doesn’t work, figuring out what things MEAN and how to address what is wrong proves to be very difficult indeed.
httpd-ssl.conf
Description: Binary data

    CONNECTED(0190)
    ---
    Certificate chain
     0 s:/C=KY/ST=Grand Cayman/O=CashWiz/OU=Development/CN=www.pawnmasterpro.com
       i:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
     1 s:/C=KY/ST=Grand Cayman/O=CashWiz/OU=Development/CN=www.pawnmasterpro.com
       i:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
Re: I can't believe how much this sucks
Couldn’t agree more Ted. I think the bar on open-source product documentation has been going way up over time. If I were these guys, I’d get it right so I wouldn’t have to keep bothering to answer so many questions over and over.

From: Ted Byers
Sent: Tuesday, November 13, 2012 2:49 PM
To: openssl-users@openssl.org
Subject: Re: I can't believe how much this sucks

On Tue, Nov 13, 2012 at 2:02 PM, Lee Fisher blib...@gmail.com wrote:

For things that the peer support forum and the existing documentation don't cover, you have the source code, which is definitive. Additionally, there are professional OpenSSL consultants you can use for help. It would be more productive to submit bugs and patches, instead of a litany :-)

Even so, some of those closely involved in the project ought to be doing a better job of documenting the product. Telling people to hire consultants is even worse than telling people to read the code.

I develop software for a living, and I would be ashamed of any attempt to release even one of my products without a proper reference manual, complete design documentation, including a reasonable suite of UML documents (in the case of an open source product since good coders benefit from good design documentation - which, admittedly, I have not produced) and a thorough tutorial. I have had feedback on some of my products that the end users found my interface so intuitive that they did not look at the documentation I'd provided even once, but I do not see that as an excuse for not producing proper documentation.

In my view, the documentation for a product is as much a part of the product as the code in the product. The product is not ready for release until the documentation is as complete and polished as is the code.

Peer support is hardly a good, or cost effective, substitute for good documentation; and contrary to what some coders I have met, and worked with, have claimed, the source code is often not adequate documentation. Yes, you see what the code is doing, but tracing execution paths through it can be a tedious nightmare; especially if the coder that produced it wrote the code as a candidate for an obfuscated coding contest (something, BTW, I would regard as grounds for dismissal if obfuscation is the only justification the code can offer for it).

In my own coding, the only libraries I use often are those that are well documented. Life is just too short to waste on libraries that are poorly documented (unless someone wants to pay me to do so - but they'd be paying a significant premium for such a tedious, and usually frustrating, task).

I am not criticising the documentation for openssl, and will not; but I would encourage those who are responsible for maintaining and improving openssl to not neglect the documentation. It would be a mistake to leave that for someone else to do, for when that happens, it is certain that the documentation will suffer.

just my $0.02, as a coder with decades of coding experience.

Cheers
Ted
Re: I can't believe how much this sucks
You miss the fact that I VOLUNTEER TO HELP FIX IT if someone will tell me where to start. There are lots of open source projects out there with WAY better docs. Take JQuery for one example. I think the reason openssl docs suck is because the authors don’t really care about docs and they don’t even seem to want someone who does to help.

From: Magosányi, Árpád
Sent: Tuesday, November 13, 2012 1:51 PM
To: openssl-users@openssl.org
Subject: Re: I can't believe how much this sucks

On 11/13/2012 07:34 PM, Sanford Staab wrote:

Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere.

You might have overlooked the fact that openssl is an open source project. Feel free to contribute the needed documentation or finance the creation thereof if your knowledge is lacking to do so.

(Yes, the documentation is lacking, and I (r=1 user of openssl) also find this a sad state of affairs. But I find whining about a problem in an open source project in this tone disturbing. Rule of thumb: the more you contribute you have more right to whine. You and me have right to point out a bug, or respectfully ask for a feature.
Re: error while generating Certificate Signing Request
It looks like you're missing the openssl.cnf file or maybe the my_key.key file. Double check your config file and command line parameters.

From: PRIYARANJAN NAYAK
Sent: Tuesday, October 23, 2012 3:03 AM
To: openssl-users@openssl.org
Subject: error while generating Certificate Signing Request

Hi ALL,
--
First I generate private key i.e. my_key.key, then I am trying to Generate a Certificate Signing Request: while generating .csr file I faced this error.

    C:\C:\tmp_open_ssl\bin\openssl.exe req -new -key my_key.key -out my_request.csr -config C:\tmp_open_ssl\ssl\openssl.cnf
    WARNING: can't open config file: c:/tmp_open_ssl;/ssl/openssl.cnf
    Error opening Private Key my_key.key
    3464:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\bss_file.c:398:fopen('my_key.key','rb')
    3464:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:400:
    unable to load Private Key

Can any one help me about this error

Thanks
Priyaranjan
Re: client server management of client SSL certificates
Good questions and similar to what is on my mind. Please let me know if you get any good answers to these questions.

From: Ted Byers
Sent: Saturday, July 28, 2012 12:15 PM
To: openssl-users@openssl.org
Subject: client server management of client SSL certificates

I am familiar with basic usage of openssl to make certificates, but what I am unclear about is how one has a CA (certificate authority) on a server, for a given organization, and an RA (registration authority) using a different server in that organization, and then supports creating client certificates on a given user's machine once that user has logged into a secure website and passed a series of challenges and responses established between the RA and the user. And perhaps, someone can shed a little light on whether there is anything more between an RA and CA than simply a message from the RA that a given person, who gives the right responses to these challenge questions, ought to receive a certificate.

How does one do that in a manner that is user friendly (i.e. without requiring the user to install openssl on his personal computer or mobile device, or having the user's private key transmitted over the web)? I would suppose that the key would remain confidential once the user has established a SSL connection with the server, so it could be made using a cgi script that in turn uses openssl to make the csr and then send the private key and certificate to the user. But then, the user would have to figure out how and where to install the key and certificate, and there is the question of whether or not the client's private key ought to ever be on the server.

I know people who are 'technically challenged' (you could almost describe them as Luddites, except that they are addicted to their smart phones and other assorted mobile devices - to the point they deserve the tickets they'd get while using them when driving) who could benefit from use of a combination of server and client certificates, if somehow I could establish a web server that makes it as easy for them to get their client certificates as it is for them to browse amazon.com to buy a book. Anything beyond that and their eyes would start to glaze over when you start giving them instructions on how to proceed. And we really want to avoid the glazed eye phenomenon! And we also want to avoid having a company's MIS or his designated assistant, having to create and install these certificates on every mobile device (smart phone, laptop, etc.) the company's staff have, or having to go to each of their homes to install the keys and certificates on their home computers.

Is there a JavaScript solution that handles creating the private key and CSR in the client's browser, and transmits the CSR to the server so it can create and sign the certificate which then sends it back to the browser so a different JavaScript function can handle installing both the key and certificate in the right places, and back up both to a 'safe' place? If so, is there a variant which is certain to work in all browsers and that can install the certificates in all the browsers installed on the client's machine as well as in all the email clients installed on the client's machine (so the user can encrypt or sign, or both, any document, and check signatures and decrypt documents, regardless of whether transmitted via email or the web)?

Any information that can be provided would be greatly appreciated.

Thanks
Ted
Re: Certificate and Certificate request (Using API)
It really looks to me like the openssl documentation needs improvement as well as a better tool besides CA.pl to help people use openssl in common scenarios. I suspect there is a strong demand for creative private CA support and we should have a friendly script or cookbook for this available somewhere. Fixing this will relieve you guys of answering all these inquiries via email.

If any of the devs on openssl would like some help on writing up or coding up some docs/tools to help this process I would be happy to help where I can. I am a windows guy and have very little experience with Unix systems so that is where I would be of more help.

I too am new to openssl and am trying to do these same kinds of things and have not yet been comfortable with my knowledge to embark on extensive coding. Let me know if and how I can help.

Sandy

-----Original Message-----
From: Saurabh Pandya
Sent: Friday, July 27, 2012 7:20 AM
To: openssl-users@openssl.org
Subject: Re: Certificate and Certificate request (Using API)

On 7/27/12, Saurabh Pandya er.saurabhpan...@gmail.com wrote:

Do roughly the same thing apps/ca.c does, except you probably don't need all its options but may want some other options: Create an X509 and set all needed X509_CINF fields in that X509 to values that you either extract from the X509_REQ and approve, or choose by your own logic (serial at least). Then sign the X509.

Using My self-signed CA's private key, isn't it ??

I am asking this as I have the basic question about certificate signing

- I have my self-signed CA A and CA key file B
- I create another RSA key pair EVP_PKEY *pkey to be used for child leaf certificates
- I create a certificate X509 *x (that supposed to be child of my CA)

I am setting public key by, that will set public key part of rsa key pkey, to my certificate x

    X509_set_pubkey(x,pkey)

And I am signing certificate with my private key

    x509_sign(x,pkey)

Then How can I make my normal server certificate x as a child of my CA certificate A, do I need to sign it with B. I am confused which keys to set in X509_set_pubkey() and X509_sign when I want a certificate appeared to be issued by my CA.

Thanks all.
Saurabh
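
The signing question above, worked through with the openssl command line as an added example (it is not part of the original thread and not OpenSSL project code): the leaf certificate carries the leaf public key and is signed with the CA private key, and the same CSR signed with the leaf's own key is shown failing verification. All file and subject names are constructed; the last function reproduces the "verify error 19" quoted earlier on this page by presenting a valid chain whose root is not a trust anchor.

```sh
#!/bin/sh
# Added example. File names and subject names are constructed placeholders.
# API calls mentioned in comments are the ones named in the question above.

make_pki() {  # $1 = empty working directory
    # CA key pair ("B") and self-signed CA certificate ("A").
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1

    # Leaf key pair and CSR. The CSR carries the leaf PUBLIC key, which is
    # what X509_set_pubkey() places into the new certificate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=server.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1

    # Issued by the CA: issuer name comes from ca.crt, signature is made
    # with ca.key. In API terms, the key given to X509_sign() is the CA key B.
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -set_serial 2 -days 30 -sha256 \
        -out "$1/leaf_ca_signed.crt" 2>/dev/null || return 1

    # Signed with the leaf's own key, as in the question: the result is a
    # self-signed certificate with no relationship to the CA.
    openssl x509 -req -in "$1/leaf.csr" -signkey "$1/leaf.key" \
        -days 30 -sha256 -out "$1/leaf_self_signed.crt" 2>/dev/null || return 1
}

# Print the issuer DN of a certificate file.
issuer_of() {
    openssl x509 -noout -issuer -nameopt RFC2253 -in "$1"
}

# Exit status 0 only if the certificate chains to the CA used as trust anchor.
verify_with_ca() {  # $1 = directory, $2 = certificate file name
    openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

# Same valid chain, but the root is only supplied as an untrusted helper and
# is absent from the default trust store: print the first verify error number.
untrusted_root_error() {  # $1 = directory
    openssl verify -untrusted "$1/ca.crt" "$1/leaf_ca_signed.crt" 2>&1 |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

workdir=$(mktemp -d)
if make_pki "$workdir"; then
    issuer_of "$workdir/leaf_ca_signed.crt"
    issuer_of "$workdir/leaf_self_signed.crt"
    verify_with_ca "$workdir" leaf_ca_signed.crt && echo "CA-signed leaf: verifies"
    verify_with_ca "$workdir" leaf_self_signed.crt || echo "self-signed leaf: rejected"
    echo "root not trusted: verify error $(untrusted_root_error "$workdir")"
fi
rm -rf "$workdir"
```

The error 19 case goes away once the root is given as a trust anchor (here `-CAfile ca.crt`), which is why the first `verify_with_ca` call succeeds on the same certificate.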