RE: Signing certificates on Windows
> -----Original Message-----
> From: Charles B Cranston [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 8 January 2003 21:53
> To: [EMAIL PROTECTED]
> Subject: Re: Signing certificates on Windows
>
>> Franck Martin wrote:
>> You can't use virtual hosts on apache with https.
>> Each host must have its own IP address, that's what I learnt from the doc...
>> May be it is fixed somehow...
>
> The reason is that the security is negotiated before even one byte
> is sent down the channel, and the server has no way of knowing
> WHICH of the various virtual hosts you want to talk to until it has
> read the incoming HTTP header, which it cannot do until the
> security has been negotiated.
>
> One might think the server would have a single certificate that it
> uses before trying to find out the desired virtual host name.
> However, it turns out it has to know WHICH virtual host name is
> wanted to select WHICH certificate to use! Chicken and egg.
>
> There might be a solution with a single certificate that has all
> the virtual host names as subjectAltNames but I'm too much in
> alligator mode to look at such swamps...

The important thing is that SSL is as much about authentication as it is about encryption. If all we were concerned about was encryption, then you would just have a certificate bound to the server's IP address, and the SSL channel could be established without bothering about which VH to use. Then, NBVH would work with encryption-only SSL.

However, it is also vital to *authenticate* the server. That is, the URL the user types into the browser must match the Common Name in the certificate (remember that in a real certificate, the Common Name is guaranteed to belong to the server by the certificate signing authority - not just anyone can get a certificate for www.amazon.com, for instance). This is why the certificate must be defined at a VH level and not server-wide.

Encryption is like sending your money to the bank in an armoured car. Authentication is making sure that the armoured car really does go to the bank.

Rgds,

Owen Boyle

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Re: Signing certificates on Windows
> Franck Martin wrote:
> You can't use virtual hosts on apache with https.
> Each host must have its own IP address, that's what I learnt from the doc...
> May be it is fixed somehow...

The reason is that the security is negotiated before even one byte is sent down the channel, and the server has no way of knowing WHICH of the various virtual hosts you want to talk to until it has read the incoming HTTP header, which it cannot do until the security has been negotiated.

One might think the server would have a single certificate that it uses before trying to find out the desired virtual host name. However, it turns out it has to know WHICH virtual host name is wanted to select WHICH certificate to use! Chicken and egg.

There might be a solution with a single certificate that has all the virtual host names as subjectAltNames but I'm too much in alligator mode to look at such swamps...

--
Charles B. (Ben) Cranston
mailto:[EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
RE: Signing certificates on Windows
I ported the cert.sh to work on win32 (Windows 95, 98, ME, 2k, XP). Isn't that great! Just use that. Here is the location for the script:

http://members.fortunecity.net/adityald/ssh-scripts

Does anyone know how I submit them to the openssl contrib list at openssl.org?

-aditya
my email address

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Theodor.Isporidi-at-gmx.net (Theodor Isporidi) |OpenSSL/1.0-Allow|
> Sent: Tuesday, January 07, 2003 10:12 PM
> To: X
> Subject: Signing certificates on Windows
>
> Hi !
>
> My first try at posting to the list probably didn't work, so I'm
> posting again. In case this shows up twice please disregard this mail
> and accept my apology.
>
> I am just trying to get the latest Apache running with SSL support.
> Well, in fact it is already compiled and running but to use SSL I
> need to generate a certificate and sign it.
>
> I have already generated a certificate but since sign.sh is a unix
> shell script it is useless on Windows systems. Has nobody ever tried
> to sign certificates on Windows and can tell me how to do it?
>
> Thanks a lot.
>
> Bye !
Re: Signing certificates on Windows
On Wed, Jan 08, 2003 at 11:46:50PM +1200, Franck Martin wrote:
> You can't use virtual hosts on apache with https.
>
> Each host must have its own IP address, that's what I learnt from the
> doc... May be it is fixed somehow...

It can be fixed by implementing the "Upgrade" HTTP request, both by servers and browsers. I can't see how it could be done by sending HTTP headers after SSL connection setup.

> So assign multiple IP addresses to your network card. It is quite easy
> under Linux...
>
> Please feel free to contribute to the HOWTO.
>
> Cheers.
> Franck
>
> On Wed, 2003-01-08 at 17:19, Theodor Isporidi wrote:
>> I know, but my search didn't turn up anything useful. I probably used
>> the wrong keywords.
>>
>>> http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/pdf/SSL-Certificates-HOWTO.pdf
>>
>> Thanks a lot, that document was just what I needed! I have my
>> certificates now.
>>
>> But Apache is still giving me some headaches. Perhaps you could give me
>> a hand here too?
>>
>> Localhost, localhost2, localhost3 and localhost4 point to 127.0.0.1
>> (done with the hosts file).
>>
>> What I think this should do is serve localhost, localhost2 and
>> localhost3 only via http and localhost4 only via https. But that
>> doesn't work. I can access all 4 via http and https on Netscape 4.79.
>> With IE 6.0 SP1 I can access all 4 via http but none at all via https.
>> What is wrong there?
>>
>> Bye !
Re: Signing certificates on Windows
You can't use virtual hosts on apache with https.

Each host must have its own IP address, that's what I learnt from the doc... May be it is fixed somehow...

So assign multiple IP addresses to your network card. It is quite easy under Linux...

Please feel free to contribute to the HOWTO.

Cheers.
Franck

On Wed, 2003-01-08 at 17:19, Theodor Isporidi wrote:
> I know, but my search didn't turn up anything useful. I probably used the wrong keywords.
>
>> http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/pdf/SSL-Certificates-HOWTO.pdf
>
> Thanks a lot, that document was just what I needed! I have my certificates now.
>
> But Apache is still giving me some headaches. Perhaps you could give me a hand here too?
>
> Localhost, localhost2, localhost3 and localhost4 point to 127.0.0.1 (done with the hosts file).
>
> What I think this should do is serve localhost, localhost2 and localhost3 only via http and localhost4 only via https. But that doesn't work. I can access all 4 via http and https on Netscape 4.79. With IE 6.0 SP1 I can access all 4 via http but none at all via https. What is wrong there?
>
> Bye !
Re: Signing certificates on Windows
Hi,

I am developing an IPSec stack for the ixp1200 platform. I have successfully completed IKE Phase I and Phase II and got the keying materials for ESP traffic. I sent a ping request from an IPSec client (Safenet SoftRemote client) and I am seeing that the authentication data is only 12 bytes (96 bits). I am negotiating the SHA1 authentication algorithm. I verified the data authenticity depending on IP header length and it's correct. When I get the Ping Request packet, I extract the payload and do SHA1 authentication and 3DES decryption. My authentication is failing but encryption is successful. So I sent the packet to the IP stack and I got the ping reply in plain text. Now I encrypt that packet and authenticate it, add an IP header and send it to the client. But on the client side it's not getting the reply.

Can anyone tell me what's going wrong here? Is there any method to trace the ESP processing on the client side? Or does any other Windows client give ESP packet processing details?

Any help will be greatly appreciated.

Thanks & Best Regards,
BPaul

> From: [EMAIL PROTECTED] (Theodor Isporidi)
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED] ()
> Subject: Re: Signing certificates on Windows
> Date: Wed, 8 Jan 2003 06:19:12 +0100
>
> Hi !
>
>> Why not use the 'openssl' directly, in a step-by-step manner?
>
> Easier said than done if the openssl docs are almost nonexistent and the mod_ssl docs state explicitly
>
>     Prepare a script for signing which is needed because the ``openssl ca'' command has some strange requirements and the default OpenSSL config doesn't allow one easily to use ``openssl ca'' directly. So a script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.
>
> without even giving a hint about how to do it manually.
>
>> If not, there should be something at the Linux Documentation Project
>> Lets, see..."google is your friend":
>
> I know, but my search didn't turn up anything useful. I probably used the wrong keywords.
>
>> http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/pdf/SSL-Certificates-HOWTO.pdf
>
> Thanks a lot, that document was just what I needed! I have my certificates now.
>
> But Apache is still giving me some headaches. Perhaps you could give me a hand here too?
>
> I'm starting Apache with -D SSL to have ssl.conf included and uncommented the line
>
>     LoadModule ssl_module modules/mod_ssl.so
>
> in httpd.conf to load mod_ssl. So far so good. I want to have several virtual hosts for local testing of several webpages. Some should only be served via http, others only via https. My config looks like this:
>
>     NameVirtualHost 127.0.0.1:80
>
>     <VirtualHost 127.0.0.1:80>
>         ServerAdmin [EMAIL PROTECTED]
>         DocumentRoot /page1
>         ServerName localhost
>     </VirtualHost>
>
>     <VirtualHost 127.0.0.1:80>
>         ServerAdmin [EMAIL PROTECTED]
>         DocumentRoot /page2
>         ServerName localhost2
>     </VirtualHost>
>
>     <VirtualHost 127.0.0.1:80>
>         ServerAdmin [EMAIL PROTECTED]
>         DocumentRoot /page3
>         ServerName localhost3
>     </VirtualHost>
>
> and there is another VirtualHost in ssl.conf:
>
>     NameVirtualHost 127.0.0.1:443
>
>     <VirtualHost 127.0.0.1:443>
>         ServerAdmin [EMAIL PROTECTED]
>         DocumentRoot /page4
>         ServerName localhost4
>         SSLEngine on
>         SSLProtocol all
>         SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>         # The rest are default settings except for paths to certificates
>     </VirtualHost>
>
> Localhost, localhost2, localhost3 and localhost4 point to 127.0.0.1 (done with the hosts file).
>
> What I think this should do is serve localhost, localhost2 and localhost3 only via http and localhost4 only via https. But that doesn't work. I can access all 4 via http and https on Netscape 4.79. With IE 6.0 SP1 I can access all 4 via http but none at all via https. What is wrong there?
>
> Bye !
Re: Signing certificates on Windows
Hi !

> Why not use the 'openssl' directly, in a step-by-step manner?

Easier said than done if the openssl docs are almost nonexistent and the mod_ssl docs state explicitly

    Prepare a script for signing which is needed because the ``openssl ca'' command has some strange requirements and the default OpenSSL config doesn't allow one easily to use ``openssl ca'' directly. So a script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing.

without even giving a hint about how to do it manually.

> If not, there should be something at the Linux Documentation Project
> Lets, see..."google is your friend":

I know, but my search didn't turn up anything useful. I probably used the wrong keywords.

> http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/pdf/SSL-Certificates-HOWTO.pdf

Thanks a lot, that document was just what I needed! I have my certificates now.

But Apache is still giving me some headaches. Perhaps you could give me a hand here too?

I'm starting Apache with -D SSL to have ssl.conf included and uncommented the line

    LoadModule ssl_module modules/mod_ssl.so

in httpd.conf to load mod_ssl. So far so good. I want to have several virtual hosts for local testing of several webpages. Some should only be served via http, others only via https. My config looks like this:

    NameVirtualHost 127.0.0.1:80

    <VirtualHost 127.0.0.1:80>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /page1
        ServerName localhost
    </VirtualHost>

    <VirtualHost 127.0.0.1:80>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /page2
        ServerName localhost2
    </VirtualHost>

    <VirtualHost 127.0.0.1:80>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /page3
        ServerName localhost3
    </VirtualHost>

and there is another VirtualHost in ssl.conf:

    NameVirtualHost 127.0.0.1:443

    <VirtualHost 127.0.0.1:443>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /page4
        ServerName localhost4
        SSLEngine on
        SSLProtocol all
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        # The rest are default settings except for paths to certificates
    </VirtualHost>

Localhost, localhost2, localhost3 and localhost4 point to 127.0.0.1 (done with the hosts file).

What I think this should do is serve localhost, localhost2 and localhost3 only via http and localhost4 only via https. But that doesn't work. I can access all 4 via http and https on Netscape 4.79. With IE 6.0 SP1 I can access all 4 via http but none at all via https. What is wrong there?

Bye !
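Three things in this thread ask for the same demonstration: Theodor's question of how to sign a certificate "directly, in a step-by-step manner" without mod_ssl's sign.sh, Cranston's suggestion of a single certificate carrying all the virtual host names as subjectAltNames, and Owen Boyle's point that the host in the URL has to match the name in the certificate. The script below is an added example written for this page; it is not code from the thread, from mod_ssl or from the OpenSSL project. It builds a throw-away test CA, signs a CSR with plain `openssl` commands (using `openssl x509 -req`, which needs none of the index.txt/serial/config setup that made sign.sh necessary for `openssl ca`), once with only `CN=localhost4` like the ssl.conf vhost above and once with the four test names as subjectAltNames, and then runs OpenSSL's own host-name check against each name, which is the comparison a browser makes. It assumes an openssl command line of 1.0.2 or later on PATH (for `x509 -checkhost`) with its normal openssl.cnf installed; the CA subject, the work directory and the file names are constructed for the demo, the host names are the thread's own. The thread predates TLS Server Name Indication, which lets the client send the host name in the ClientHello and is how name-based HTTPS virtual hosts are selected today; a multi-name subjectAltName certificate remains the way one certificate covers several of them. Separately, note that `+EXP:+eNULL` in the SSLCipherSuite line above admits export-grade and null-encryption ciphers, which gives up the encryption half of Owen's armoured car.

```shell
#!/bin/sh
# Added example, not from the thread or from mod_ssl/OpenSSL. Signs server
# certificates with plain "openssl" commands instead of mod_ssl's sign.sh,
# then checks which URL host names each certificate authenticates.
# Assumes: openssl CLI (1.0.2+) on PATH with its usual openssl.cnf. The CA
# subject, WORK dir and file names are constructed for the demo; the host
# names are the thread's own test names.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not on PATH" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"

# 1. A throw-away test CA: key pair plus a self-signed certificate that is
#    explicitly marked as a CA (otherwise "openssl verify" rejects the chain).
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
    printf '%s\n' "basicConstraints=critical,CA:TRUE" \
                  "keyUsage=critical,keyCertSign,cRLSign" > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Issue a server certificate: CSR for $1, then sign it with the CA.
#    This is the step sign.sh wraps; "x509 -req" instead of "openssl ca"
#    avoids the index.txt/serial/config setup that made the script necessary.
#    $2 (optional) is a subjectAltName list such as "DNS:a,DNS:b".
issue_cert() {
    name="$1"; san="${2:-}"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    # extensions for the issued cert: a server cert must never be a CA
    printf '%s\n' "basicConstraints=critical,CA:FALSE" \
                  "extendedKeyUsage=serverAuth" > "$WORK/$name.ext"
    if [ -n "$san" ]; then
        echo "subjectAltName=$san" >> "$WORK/$name.ext"
    fi
    # -CAcreateserial keeps ca.srl so two certs never share a serial number
    openssl x509 -req -in "$WORK/$name.csr" -days 90 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# 3. Chain check: does certificate $1 chain to our CA? (exit 0 = yes)
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# 4. Name check: does certificate $1 authenticate host name $2? This is the
#    comparison a browser makes between the URL host and the certificate's
#    subjectAltName (or, only if it has no SAN, its CN). Exit 0 = match.
checks_host() {
    result=$(openssl x509 -in "$WORK/$1.crt" -noout -checkhost "$2")
    case "$result" in
        *"does match"*) return 0 ;;
        *)              return 1 ;;
    esac
}

demo() {
    make_ca
    # like the ssl.conf vhost in the thread: one name in the CN, no SAN
    issue_cert localhost4
    # Cranston's alternative: one certificate naming every virtual host
    issue_cert allhosts "DNS:localhost,DNS:localhost2,DNS:localhost3,DNS:localhost4"
    for cert in localhost4 allhosts; do
        if verify_chain "$cert"; then
            echo "$cert.crt: chains to ca.crt"
        fi
        for host in localhost localhost2 localhost3 localhost4; do
            if checks_host "$cert" "$host"; then
                echo "  https://$host/ is authenticated by $cert.crt"
            else
                echo "  https://$host/ is NOT authenticated by $cert.crt"
            fi
        done
    done
}

demo
```

Run it as `sh demo.sh`; the files land in the temporary directory named in WORK. The localhost4 certificate authenticates only https://localhost4/, which is exactly why a name-based vhost that answers https://localhost/ with that certificate fails the browser's check, while the allhosts certificate authenticates all four names. Replace the test CA with a real one (or a CSR submitted to one) and the serverAuth extfile with the names you actually serve; the `x509 -req` step is the same.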