Yes, I do understand the deal with the Browser Certificate; I did install
one from StartSSL, the free one. My guess is that this one should have
worked, whereas the self-signed one may not, as you pointed out. I will defer
this question until I get another public server up and install a real
certificate for it, but I still need to know which one to get.
I think installing this on a local machine may be problematic at best,
but what I would like to see in the README.md is detailed instructions
on how to do this properly, so there is no need to ask questions about
this like I am doing now; I am sure others ran into this problem as
well.
The thing that is throwing me is the error: Error (asio):
use_tmp_dh_file: no start line. I get it from the command line or Qt
Creator. I am using the command line:
./SslClientAuth --docroot . --http-address 0.0.0.0 --http-port 8080 \
  --https-address=0.0.0.0 --https-port=4430 \
  --ssl-certificate=/etc/ssl/certs/www_wittywizard_org_ssl.crt \
  --ssl-private-key=/etc/ssl/private/www_wittywizard_org_nk_ssl.key \
  --ssl-tmp-dh=/etc/ssl/certs/www_wittywizard_org_ssl.pem --ssl-enable-v3 \
  --ssl-client-verification=required --ssl-verify-depth=15 \
  --ssl-ca-certificates=/etc/ssl/certs/www_wittywizard_org_ssl.crt
I am using the free StartSSL certificate with the Browser Certificate
installed; the only deviation I took was making a decrypted private key,
but I used their tools to do it. Then I created the pem file like this:
cat /etc/ssl/private/www_wittywizard_org_nk_ssl.key \
    /etc/ssl/certs/www_wittywizard_org_ssl.crt \
    > /etc/ssl/certs/www_wittywizard_org_ssl.pem
I cat'd the no-key private key with the crt.
Things I need to clear up:
ssl-ca-certificates=/etc/ssl/certs/www.wittywizard.org.crt and
ssl-certificate=/etc/ssl/certs/www_wittywizard_org.crt: I have them
being the same file, but this makes no sense. The ones I downloaded
from StartSSL are mostly pem files; the only crt file is the one you
have to make manually.
The error is the pem file. My understanding about it is that it's a
combination of certificates, but even using the ca-bundle.pem that came
with StartSSL gets the same error.
If I use the private key from StartSSL I get prompted for a password,
then I get the same error after that.
Does StartSSL's free certificate work with this example would be my next
question; I did try every pem file I downloaded, and there are 10 of
them. And if I purchase one, does their certificate for $59
or
https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx
PositiveSSL Multi-Domain for $29.88
work?
I am going for the Multi-Domain, because this will be a CMS with
multiple domains, which brings up a good question as to how that will
work, since I don't want a cert for one site working for another; but
this should not be the case, since it's URL specific. And I will still
want to authenticate using the local users' root user, which I still
don't know if your Auth will handle.
At this point I just need to know what to do to get this example
working, since I plan to use it in the Witty Wizard CMS, but I also need
to find the easiest and cheapest way to do this for all the users.
The idea is to use this for a CMS with multiple domains, but only use it
to get into the admin section so you can log in with the local user
account, so it's a double security measure, because in this CMS I want
to run root-level commands to control the server or local machine,
depending on where it's installed.
Are you saying a self-signed certificate will not work?
Thanks
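Two things this thread turns on, shown as an added example that is not code from the thread or from Wt: the files that wthttp's --ssl-certificate, --ssl-private-key, --ssl-tmp-dh and --ssl-ca-certificates options expect, produced by Wim's own-CA procedure with openssl, and checks that explain the "use_tmp_dh_file: no start line" error (the file passed as --ssl-tmp-dh above is a key+cert bundle, so it has no DH PARAMETERS block, which is the BEGIN line OpenSSL's PEM reader is looking for). Hostnames, file names and the PKCS#12 password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Wt: Wim's own-CA procedure in
# openssl, producing the files wthttp's --ssl-* options expect, plus checks that
# explain "use_tmp_dh_file: no start line". All names and paths are constructed.
set -eu

# Comma-separated PEM block labels in a file, e.g. "CERTIFICATE,PRIVATE KEY".
pem_labels() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sort -u | paste -sd, -; }

# --ssl-tmp-dh must name DH parameters. A key+cert bundle has no such block, so
# OpenSSL's PEM reader finds no matching BEGIN line and reports "no start line".
check_tmp_dh() { grep -q '^-----BEGIN DH PARAMETERS-----' "$1"; }

# --ssl-private-key must be unencrypted, or wthttp stops to ask for a passphrase.
key_is_encrypted() {
  grep -qE '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# build_pki DIR HOST [DHBITS]: root CA, CA-signed server cert with a SAN (browsers
# reject name-only server certs), CA-signed user cert exported as PKCS#12 for the
# browser, and real DH parameters. Only the root CA is self-signed.
build_pki() (
  set -e
  mkdir -p "$1"; d=$(cd "$1" && pwd); host=$2; dhbits=${3:-2048}; cd "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Root CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout server.key -out server.csr 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > san.ext
  openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile san.ext -out server.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=admin" \
    -keyout user.key -out user.csr 2>/dev/null
  openssl x509 -req -days 365 -in user.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out user.crt 2>/dev/null
  # The browser imports key and certificate together; the password is a placeholder.
  openssl pkcs12 -export -inkey user.key -in user.crt -certfile ca.crt \
    -passout pass:changeit -out user.p12
  openssl dhparam -out dh.pem "$dhbits" 2>/dev/null
  # Both leaf certs must chain to the file handed to --ssl-ca-certificates.
  openssl verify -CAfile ca.crt server.crt user.crt >/dev/null
  echo "--ssl-certificate=$d/server.crt --ssl-private-key=$d/server.key" \
       "--ssl-tmp-dh=$d/dh.pem --ssl-ca-certificates=$d/ca.crt"
)

# Usage: sh pki.sh ./pki www.example.test   (then import ./pki/user.p12 in the browser)
if [ $# -ge 2 ]; then build_pki "$1" "$2" "${3:-2048}"; fi
```

The browser trusts ca.crt and imports user.p12, while the server gets ca.crt as --ssl-ca-certificates and server.crt as --ssl-certificate, which is why those two options should not point at the same file.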
On Wed, 2014-02-12 at 10:14 +0100, Wim Dumon wrote:
> Hello Jeffrey,
>
> Are you aware that client and server certificates are two very
> different things? The example you're trying expects client
> certificates, but in your command descriptions you only talk about the
> server certificates, not about what you do with the browser. This
> cannot work. Client certificates are installed in the browser (or on a
> smartcard connected to the browser).
>
> The client example can e.g. be used to authenticate a user based on
> his ID card (in Belgium, all ID cards are smart cards that have a
> government-signed authentication certificate on them).
>
> Is that what you plan to do?
>
> From the top of my head, the procedure is about this (assuming you
> want to be your own CA):
>
> - generate a root CA
> - generate an authentication certificate for a user
> - generate a signing request for the authentication certificate
> - sign the authentication certificate with the root CA private key
> - install the root CA public key as a trusted root CA in the browser or the
>   operating system
> - copy the root CA public key also to the server; make wt aware of it
>   using option ssl-ca-certificates
> - install the private key of the authentication certificate in your
>   browser
> - generate a proper SSL certificate for your server. Self-signed
>   certificates will not work, but you have a root CA now that you can
>   use.
>
> The whole procedure is quite tricky. In my experience, the browser
> will not successfully authenticate itself unless you get the trust
> chain of each piece of this puzzle right.
>
> BR,
> Wim.
>
> Best regards,
> Wim.
>
> 2014-02-11 Jeffrey Scott Flesher Gmail
> <[email protected]>:
>
> Q: How did you create your client certificate?
> A: I used this script to create the cert:
>
> chmod 755 /etc/ssl/private/www_wittywizard_org_ssl.key
> chmod 755 /etc/ssl/private/www_wittywizard_org_nk_ssl.key
> openssl req -new -newkey rsa:2048 -nodes -out www_wittywizard_org_ssl.csr \
>   -keyout www_wittywizard_org_ssl.key \
>   -subj "/C=US/ST=Oregon/L=Terrebonne/O=Witty Wizard/CN=www.wittywizard.org"
> openssl x509 -req -days 365 -in www_wittywizard_org_ssl.csr \
>   -signkey www_wittywizard_org_ssl.key -out www_wittywizard_org_ssl.crt
> cp -f www_wittywizard_org_ssl.crt /etc/ssl/certs/www_wittywizard_org_ssl.crt
> cp -f www_wittywizard_org_ssl.key /etc/ssl/private/www_wittywizard_org_ssl.key
> cp -f www_wittywizard_org_ssl.key /etc/ssl/private/www_wittywizard_org_nk_ssl.key
> cat www_wittywizard_org_ssl.key www_wittywizard_org_ssl.crt \
>   > /etc/ssl/certs/www_wittywizard_org_ssl.pem
> chmod 400 /etc/ssl/private/www_wittywizard_org_ssl.key
> chmod 400 /etc/ssl/private/www_wittywizard_org_nk_ssl.key
>
> Note: www_wittywizard_org_nk_ssl.key was used when I signed it
> with a password; otherwise it and www_wittywizard_org_ssl.key are the
> same.
> I did this to use the certs I created at StartSSL.com, so I
> created a signed key, then decrypted it, then I cat'd them as
> above, so I did not get the message to enter a password.
>
> Q: How did you add it to your browser?
> A: I am running it from Qt Creator so I add it to the run
> arguments:
> --docroot . --http-address 0.0.0.0 --http-port 8080 \
> --https-address=0.0.0.0 --https-port=4430 \
> --ssl-certificate=/etc/ssl/certs/www_wittywizard_org_ssl.crt \
> --ssl-private-key=/etc/ssl/private/www_wittywizard_org_nk_ssl.key \
> --ssl-tmp-dh=/etc/ssl/certs/www_wittywizard_org_ssl.pem --ssl-enable-v3 \
> --ssl-client-verification=required --ssl-verify-depth=15 \
> --ssl-ca-certificates=/etc/ssl/certs/www_wittywizard_org_ssl.crt
>
> then I did an https://localhost:4430, but I get the below
> error, so the service is never started.
>
> Q: Did you also add your CA root certificate to the browser?
> A: Yes and no.
> I did with the ones I created at StartSSL.com, but I did
> not for the self-signed, since I cannot get the browser to
> start up; I get an error:
> (asio) use_tmp_dh_file: no start line
>
> Notes:
> --ssl-ca-certificates and --ssl-certificate are the same; are
> they supposed to be?
>
> There should be detailed instructions on how to do this in the
> readme file; do not assume everyone knows how to do this
> right the first time.
>
> On Mon, 2014-02-10 at 11:51 +0100, Wim Dumon wrote:
>
> > Hi Jeffrey,
> >
> > Client SSL certificates for authentication do not require
> > apache.
> >
> > How did you create your client certificate, and how did you
> > add it to your browser? Did you also add your CA root
> > certificate to the browser?
> >
> > Best regards,
> > Wim.
> >
> > 2014-02-01 Jeffrey Scott Flesher Gmail
> > <[email protected]>:
> >
> > Do you need to have Apache set up on the machine if
> > you are only using wt-httpd in the methods in your
> > example SSLClientAuth?
> >
> > I have set up a self-signed cert; I am using
> > QtCreator with the run command:
> > --docroot . --http-address 0.0.0.0 --http-port 8080 \
> > --ssl-certificate /etc/httpd/conf/server.crt \
> > --ssl-private-key /etc/httpd/conf/server.key \
> > --ssl-tmp-dh=projects/ssl/dh512.pem --ssl-enable-v3 \
> > --ssl-client-verification=required \
> > --ssl-verify-depth=15 \
> > --ssl-ca-certificates=/etc/httpd/conf/server.crt
> >
> > Note: I do not have ssl-tmp-dh, nor do I know if it's
> > required, but same results without it; in fact, same
> > with just --docroot . --http-address 0.0.0.0 --http-port 8080,
> > which makes me wonder if I am doing this right.
> >
> > I used this script to create the cert:
> > cd /etc/httpd/conf/
> > sudo openssl genrsa -out server.key 4096
> > sudo chmod 600 server.key
> > sudo openssl req -new -key server.key -out server.csr
> > sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
> > and it checked out ok, so the paths to the cert are
> > there and verified.
> >
> > I hit the code message:
> > Not an SSL session, or no client certificate
> > available. Please read the readme file in
> > examples/feature/client-ssl-auth for more info.
> >
> > Then I tried to get more info by doing this:
> > Wt::WValidator::Result results = sslInfo->clientVerificationResult();
> > new Wt::WText("Not an SSL session, or no client certificate available. "
> >               "Please read the readme file in examples/feature/client-ssl-auth for more info."
> >               + results.message(), root());
> > This didn't work, or it's not the right way to do it;
> > any clue which one?
> >
> > After a long recovery from being hit in the head by
> > a micro meteorite, I am back to working on the Witty
> > Wizard CMS.
> > I do not want to have Apache installed, for security
> > reasons.
> > I want to require a public/private cert, but do not
> > want it to bomb if it's not there;
> > but if it is, give the user a button to log in using
> > the server's users,
> > so I can log in as root and run root commands from
> > the web page,
> > like Virtualmin or cPanel,
> > so I can maintain the server from the CMS.
> > So I was wondering if you have a function to
> > authenticate using local users on the server it's run
> > from?
> >
> > If this requires Apache, is there a workaround to
> > make something like this work without it?
> >
> > What I need is the most secure way to log in as root
> > and run root commands.
> >
> > Thanks
>
_______________________________________________
witty-interest mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/witty-interest