Hello,
I'm on the way to change some TCP/IP client server application to use
Openssl to cipher the traffic. To get understanding of Openssl I started
with the openssl-examples-20020110 some weeks ago. After
struggling some time with the way of creating the CA and certificate
(because the ones included in the tar archive have been expired), I
found the way as described below to re-generate them. The resulting
*.pem files are:
$ ls -l *.pem
lrwxr-xr-x 1 guru wheel 13 1 ago 10:59 client.pem -> localhost.pem
-rw-r--r-- 1 guru wheel 245 1 ago 11:00 dh1024.pem
-rw-r--r-- 1 guru wheel 4834 1 ago 10:58 localhost.pem
-rw-r--r-- 1 guru wheel 2963 1 ago 10:53 root.pem
lrwxr-xr-x 1 guru wheel 13 1 ago 10:59 server.pem -> localhost.pem
The openssl-examples-20020110 software builds fine on my system and I
can start the "wserver" as:
$ cd openssl-examples-20020110
$ ./wserver
and con connect with the "wclient" while standing in the same dir:
$ ./wclient -h localhost -p 4433
This connects to the "wserver" which sends over the SSL socket the dummy
message:
HTTP/1.0 200 OK
Server: EKRServer
Server test page
and all works as it should. I watched with truss(1) what the "./wclient"
is using of the above *.pem files to make the connection to the
"wserver", it uses (i.e. reads):
client.pem
root.pem
which makes sense when I look into the source of wclient.c, because the
name of the keyfile "client.pem" is passed as an argument to
SSL_CTX_use_PrivateKey_file()
I tested now the running "wserver" with the standard openssl client from
another host by running:
$ openssl s_client -connect hein.sisis.de:4433
and was a bit surprised that the connection went fine and the "wserver"
accepts the SSL connection and responds fine with its dummy message. The
openssl client does not need any key files to connect...
The output of the openssl client about the connection is attached below
as "nohup.out".
Why is this? Could some kind soul bring a bit light into this? Thanks in
advance.
matthias
--
Matthias Apitz | /"\ ASCII Ribbon Campaign: www.asciiribbon.org
E-mail: g...@unixarea.de | \ / - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ | X - No proprietary attachments
phone: +49-170-4527211 | / \ - Respect for open standards
$Id: openssl-examples-20020110.txt,v 1.1 2012/07/22 15:36:56 guru Exp $
configure and compile the source using openssl from the ports:
$ tar xzf openssl-examples-20020110.tar.gz
$ cd openssl-examples-20020110
$ ./configure --with-openssl=/usr/local/openssl \
--with-openssl-inc=/usr/local/include \
--with-openssl-lib=/usr/local/lib
$ make
generate new certs and keys as described here:
http://www.gentoo-wiki.info/OpenSSL
i.e. do:
First step
Inside the example code directory openssl-examples-20020110 do
PATH=/usr/local/bin:$PATH
(to use 'openssl' from the ports in /usr/local/bin)
$ mkdir newca
$ cd newca
( orig: $ cp /etc/ssl/misc/CA.sh . )
for FreeBSD port of openssl use:
$ cp /usr/local/openssl/misc/CA.sh .
$ ./CA.sh -newca
will create a new CA. Remember the passphrase as you will need
it to sign certificates.
$ cp demoCA/cacert.pem ../root.pem
Second step
$ ./CA.sh -newreq
will create a certificate and a certification request.
Set the passphrase to 'password' as this is hard-coded in
the examples' source code. It is important to set the
[Common Name] to 'localhost'.
Third step
$ ./CA.sh -sign
will sign your newly created certificate. Enter the password for
your CA which you have defined in step 1.
Fourth step
$ cat newreq.pem newkey.pem newcert.pem > ../localhost.pem
$ cd ..
$ ln -s localhost.pem server.pem
$ ln -s localhost.pem client.pem
Maybe you also want to issue
$ openssl dhparam 1024 -2 -out dh1024.pem -outform PEM
in order to update the DH parameters.
The above setup will only work for local testing. If you want to
use OpenSSL to connect between different hosts, you either have
to disable the common name and host name comparison in client.c
in order to be able to use the same certificate on all hosts
which may pose a security problem, or repeat steps two and three
above with the correct host names (FQDN - fully qualified domain name,
ie. host name plus domain name) instead of 'localhost'.
Final note: if the SSL_get_verify_result() method in client.c
returns the error code 10 (outdated certificate), also check
the CA's certificate (root.pem) expiration date! In my case,
I tried to set the expiration time 100 years in the future -- which
resulted in a point of time in the past possibly due to a number overflow.
$ openssl s_client -connect hein.sisis.de:4433
depth=1 /C=DE/ST=Germany/O=xxxxxxxxxxxxxxx GmbH/OU=SolarTech/CN=Matthias
verify error:num=19:self signed certificate in certificate chain
verify return:0
CONNECTED(00000004)
---
Certificate chain
0 s:/C=DE/ST=Germany/L=Munich/O=xxxxxxxxxxxxxxx GmbH/OU=SolarTech/CN=localhost
i:/C=DE/ST=Germany/O=xxxxxxxxxxxxxxx GmbH/OU=SolarTech/CN=Matthias
1 s:/C=DE/ST=Germany/O=xxxxxxxxxxxxxxx GmbH/OU=SolarTech/CN=Matthias
i:/C=DE/ST=Germany/O=xxxxxxxxxxxxxxx GmbH/OU=SolarTech/CN=Matthias
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICwzCCAiygAwIBAgIJAKf8ZVz72wlIMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNV
BAYTAkRFMRAwDgYDVQQIDAdHZXJtYW55MRIwEAYDVQQKDAlPQ0xDIEdtYkgxFDAS
BgNVBAsMC1N1blJpc2VUZWNoMREwDwYDVQQDDAhNYXR0aGlhczAeFw0xMjA4MDEw
ODU4MThaFw0xMzA4MDEwODU4MThaMG4xCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdH
ZXJtYW55MQ8wDQYDVQQHDAZNdW5pY2gxEjAQBgNVBAoMCU9DTEMgR21iSDEUMBIG
A1UECwwLU3VuUmlzZVRlY2gxEjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAsFBB6ONMV4iE26yTzuJzvWMxUhrxDBcIY6/78qqt
jYyaK4gtnF6b1ODFSnzHpENIm/hIRV/xvM4vs4qXWN+GLh78vLn125V884zpDzvn
KLXXHE9xwe80CKaPdz2sonru8sE/MmTZK/RdIAF9jyP94obJsmJdJ/dghd0xQEow
Bs8CAwEAAaN7MHkwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBH
ZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFHe2+XnoLHlmji5hY5yAejIt
Ac+5MB8GA1UdIwQYMBaAFIfagnrVok6+fUS7D8dx1qzPzl0IMA0GCSqGSIb3DQEB
BQUAA4GBACRUcTMRAg7sxJY+ttjT0c/eQSsYzZakcJ/IKhFxtc5HPjlkgBMAJrVT
SK2DNpLZ6z3+om0jUd78yUAphdL9mcF4sotsuWdG+IDHzZ8rOFd/z2IGfDJZPM/p
WPND2XvIIQG2M2X3ycOoYYER+eA/XELUlMLRRZOedjwAFbqs7EsH
-----END CERTIFICATE-----
subject=/C=DE/ST=Germany/L=Munich/O=xxxxxxxxxxxxxxx
GmbH/OU=SolarTech/CN=localhost
issuer=/C=DE/ST=Germany/O=xxxxxxxxxxxxxxx GmbH/OU=SolarTech/CN=Matthias
---
No client certificate CA names sent
---
SSL handshake has read 1935 bytes and written 337 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: AF5D74783EE77B7FB8AA8CD043C8E86B46D795E43C9035D78A01F2C4169708D8
Session-ID-ctx:
Master-Key:
CA334EF3A12FE612A4A06F338CFD733E6010C3BD10EAE4F3C2A549B95E20537D2D30C0F66A8194EAB2EF1D95892E09B8
Key-Arg : None
Start Time: 1348640119
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
HTTP/1.0 200 OK
Server: EKRServer
Server test page
closed
