Re: Proxy'ing client certs

2003-01-22 Thread Vadim Fedukovich
Hi Chandrasekhar,

On Wed, Jan 22, 2003 at 11:20:58AM +0530, Chandrasekhar R S wrote:
> Hi Vadim
>   I am sorry for portraying the problem vaguely.
> 
>   I will make an attempt to clarify the problem -
> 
>   The entire scenario -
> 
>   Client -- Proxy Server - Proxy Client -- Backend Server
> 
>   Proxy Server and Proxy Client are on the same M/C and hence no SSL
> communication between them.  Data transfer through IPC.
> 
> Localized Scenario : Client -- Proxy Server
> 1. Client has CA signed certificate, call it "CLIENT CERT".
> 2. Client's Public Key is tightly coupled with "CLIENT CERT"

You likely mean private key here

> 3. This public key will be used in establishing SSL connection
>with the Proxy Server.

To establish an SSL connection with the proxy, an SSL server certificate
and private key are required. It is not required to do the Connect method
of HTTP.

> 4. Proxy Server could extract the "CLIENT CERT", say to a file.
>The file would be available for the Proxy Client (since both
>would be on the same m/c).

I should say it again: yes, SSL client certificate is available for
"Proxy Client" at this point. One could print it or something.
However, it needs the corresponding private key to run SSL protocol
pretending to be the client.

> Localized Scenario : Proxy Client -- Backend Server
> 5. The requirement is, Proxy Client should be presenting
>"CLIENT CERT" to the backend server.

Yes, it can "present" it somehow

>  My doubt is, as a certificate is tightly coupled with a Public Key, how
> could the Proxy Client use "CLIENT CERT" (that has client's public key) in
> its communication with the backend server (using SSL).

Please remember SSL had well-defined protocol design goals,
including handling man-in-the-middle

>  I referred to Stronghold HTTP server as, in their website they offer
> two options, 1. to tunnel the "CLIENT CERT" to the backend server
>  2. to present a "PROXY CLIENT CERT" for proxy client -- backend
> server scenario.

I'd prefer to keep talking about well-known protocols and 
business requirements.

Would Connect method of HTTP deliver functions wanted?

>  My requirement is to develop this functionality not for a particular
> protocol, but generically.

Any chance to tune mod_ssl or apache-ssl to do the job?

>  Sorry for the confusion.  I hope, I had been clearer than earlier.
> 
> with thanks and regards,
> rsr.

best wishes,
Vadim Fedukovich
consulting and software development

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Vadim Fedukovich
> Sent: Monday, January 20, 2003 2:13 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Proxy'ing client certs
> 
> 
> On Mon, Jan 20, 2003 at 12:20:43PM +0530, Chandrasekhar R S wrote:
> > I have already posted the following on the lists under "Proxy'ing client
> > certs" thread.
> > Could not see the posting, hence re-posting.
> > -
> > My understanding had been the following :
> >
> > Client         Proxy Server     Proxy Client       Server
> > produces a     consumes         presents a         Can only recv
> > CA signed      the              ProxyClient Cert   ProxyClient Cert
> > Client Cert    Client Cert
> >
> > "ProxyClient Cert" is not the same as "Client Cert".
> >
> > Though the Proxy Server is in receipt of the "Client Cert", it
> > cannot represent the same in the SSL connection between
> > "ProxyClient - Server".  The requirement is to make the Proxy
> > faithfully forward the "Client Cert" to the "Server".
> 
> It's hard for me to see how this could fit SSL and HTTP protocols, sorry.
> Someone else might be lucky here
> 
> "consume certificate" probably means "engage in a protocol to prove
> the name certified". It's still open question what protocol both do the job
> and is implemented by popular browsers.
> 
> Hope you could hit your target with other tools like password-based
> proxy access or maybe proxy access controlled by IPSec
> 
> > Vadim, suggested that "CONNECT method of HTTP can be
> > used to setup TCP connections first and run SSL next.  Proxy
> > could forward SSL traffic".
> >
> > It had been difficult to understand the solution.  It seems to me that
> > we need to set up a TCP connection via the proxy server first and add
> > SSL to it later.  I am not aware of how to do this.
> 
> There was a document by Ari Luotonen; just found it at (single line!)
> http://www.web-cache.com/Writings/Internet-Drafts/draft-luotonen-web-proxy-tunneling-01.txt
> It describes the method how a proxy could handle HTTPS requests
> 
> Please note HTTP details might be off-topic for this list
> 
> hope this helps,
> Vadim Fedukovich
> consulting and software development
> 
> >
> >
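The CONNECT tunnel that Vadim points to, as an added example that is not part of this thread or of the draft-luotonen document: a minimal proxy in Python that parses only the CONNECT request, opens a TCP connection to the named backend, answers 200 and from then on copies bytes in both directions without looking at them. The TLS handshake, including the client's certificate and its CertificateVerify signature, runs end to end inside the tunnel, which is why the proxy never needs the client's private key. ALLOWED_PORTS, MAX_HEAD and the port numbers are assumptions of this example; the port allow-list is there so the proxy is not an open relay to arbitrary services.

```python
import socket
import threading

# Added example: HTTP CONNECT tunnel (draft-luotonen style), not the thread's code.
# The proxy reads one request head, connects to host:port from the CONNECT line,
# replies "200 Connection established", then pipes bytes blindly in both directions.

ALLOWED_PORTS = (443,)   # assumption: only tunnel to HTTPS; refuse everything else
MAX_HEAD = 8192          # assumption: cap on the request head we are willing to buffer


def parse_connect(request_line):
    """Return (host, port) from b'CONNECT host:port HTTP/1.x', else None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit():
        return None
    return host.decode("ascii"), int(port)


def read_request_head(conn):
    """Read the request head; return (head, bytes the client already sent after it)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk or len(buf) + len(chunk) > MAX_HEAD:
            return buf, b""
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest


def pipe(src, dst):
    """Copy bytes from src to dst until src closes; the bytes are never inspected."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # propagate EOF to the other side
        except OSError:
            pass


def handle_client(conn, allowed_ports=ALLOWED_PORTS):
    head, early = read_request_head(conn)
    target = parse_connect(head.split(b"\r\n", 1)[0])
    if target is None or target[1] not in allowed_ports:
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        conn.close()
        return
    try:
        backend = socket.create_connection(target, timeout=5)
    except OSError:
        conn.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
        conn.close()
        return
    backend.settimeout(None)
    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    if early:                      # a client that started its ClientHello early
        backend.sendall(early)
    back = threading.Thread(target=pipe, args=(backend, conn), daemon=True)
    back.start()
    pipe(conn, backend)            # client -> backend in this thread
    back.join()
    conn.close()
    backend.close()


def serve(host="127.0.0.1", port=0, allowed_ports=ALLOWED_PORTS):
    """Start the proxy in a background thread; return (bound port, listening socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listening socket closed: stop
                return
            threading.Thread(target=handle_client, args=(conn, allowed_ports),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], srv


if __name__ == "__main__":
    bound, _ = serve(port=8080)
    print("CONNECT proxy listening on 127.0.0.1:%d" % bound)
    threading.Event().wait()
```

Because nothing after the 200 reply is parsed, the proxy can neither read nor alter the TLS handshake; the price is that it also cannot apply any per-request policy to the tunnelled traffic, only to the CONNECT target, which is why the port allow-list matters.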

RE: Proxy'ing client certs

2003-01-22 Thread Chandrasekhar R S
Hello Vadim,

> Localized Scenario : Proxy Client -- Backend Server
> 5. The requirement is, Proxy Client should be presenting
>"CLIENT CERT" to the backend server.

Yes, it can "present" it somehow

RSR : I am in search of this "somehow".

Could it be this way - If it is possible to separate public key from
certificate, then it should be possible for registering "CLIENT CERT" with
Proxy Client in its communication with Backend Server.

with thanks
rsr.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Proxy'ing client certs

2003-01-22 Thread Vadim Fedukovich
On Wed, Jan 22, 2003 at 02:36:16PM +0530, Chandrasekhar R S wrote:
> Hello Vadim,
> 
> > Localized Scenario : Proxy Client -- Backend Server
> > 5. The requirement is, Proxy Client should be presenting
> >"CLIENT CERT" to the backend server.
> 
> Yes, it can "present" it somehow
> 
> RSR : I am in search of this "somehow".
> 
>   Could it be this way - If it is possible to separate public key from
> certificate,

yes, one could get public key from the certificate

> then it should be possible for registering "CLIENT CERT" with
> Proxy Client in its communication with Backend Server.

yes one could "register" it somehow

Please note another key, the private one is required to run SSL protocol
using that certificate

> 
> with thanks
> rsr.

best wishes,
Vadim

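Vadim's point that the certificate gives the proxy the public key but not the private key, worked through as an added example that is not part of this thread. It uses a toy, unpadded RSA with constructed Mersenne primes (not for real use), and a stand-in transcript hash in place of the TLS handshake hash that CertificateVerify signs; the nonces, subject name and the transcript construction are assumptions of this example. It shows three things: the real client's signature verifies under the certificate's public key; replaying that captured signature on the proxy-to-backend leg fails because the backend's own nonce changes the transcript; and the only exponent the certificate hands the proxy, E, produces nothing the backend accepts.

```python
import hashlib

# Added example, not from the thread: toy RSA (Mersenne primes, no padding) to show
# which key does what in client authentication. Not for real use.

P = 2**127 - 1                     # constructed primes
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)

CLIENT_PRIVATE_KEY = D             # never leaves the client
CLIENT_CERT = {"subject": "CN=client", "public_key": (N, E)}  # what the proxy can see


def extract_public_key(cert):
    """A certificate carries the public key in the clear; reading it needs no secret."""
    return cert["public_key"]


def transcript_hash(client_random, server_random, cert):
    """Stand-in for the handshake hash: both peers' nonces plus the certificate."""
    n, e = cert["public_key"]
    h = hashlib.sha256(client_random + server_random + cert["subject"].encode()
                       + n.to_bytes(32, "big") + e.to_bytes(4, "big"))
    return int.from_bytes(h.digest(), "big") % N


def certificate_verify(handshake_hash, private_key):
    """The client's CertificateVerify: only the holder of D can compute this."""
    return pow(handshake_hash, private_key, N)


def check_certificate_verify(handshake_hash, signature, cert):
    """What the backend does with whatever certificate it was presented."""
    n, e = extract_public_key(cert)
    return pow(signature, e, n) == handshake_hash


def client_leg(client_random, proxy_random):
    """Client <-> proxy handshake: the client signs the transcript of this leg."""
    h = transcript_hash(client_random, proxy_random, CLIENT_CERT)
    return h, certificate_verify(h, CLIENT_PRIVATE_KEY)


def proxy_replays(client_random, backend_random, captured_signature):
    """Proxy <-> backend: present CLIENT_CERT and replay the captured signature.
    The backend's own nonce changes the transcript, so the signature does not fit."""
    h = transcript_hash(client_random, backend_random, CLIENT_CERT)
    return check_certificate_verify(h, captured_signature, CLIENT_CERT)


def proxy_forges(client_random, backend_random):
    """Proxy <-> backend: 'sign' with the only exponent the certificate gives, E."""
    h = transcript_hash(client_random, backend_random, CLIENT_CERT)
    n, e = extract_public_key(CLIENT_CERT)
    return check_certificate_verify(h, pow(h, e, n), CLIENT_CERT)


def demo():
    client_random = b"\x01" * 32       # constructed nonces
    proxy_random = b"\x02" * 32        # proxy acting as TLS server towards the client
    backend_random = b"\x03" * 32      # the real backend's ServerHello random
    h, sig = client_leg(client_random, proxy_random)
    return {
        "client_signature_valid": check_certificate_verify(h, sig, CLIENT_CERT),
        "proxy_replay_accepted": proxy_replays(client_random, backend_random, sig),
        "proxy_forgery_accepted": proxy_forges(client_random, backend_random),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The transcript binding is the part worth noticing: even a proxy that terminates the client's TLS session and records everything cannot reuse the client's signature towards the backend, because that signature covers nonces the backend never chose.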



TLS in multithreaded server

2003-01-22 Thread Alexander Biehl
hi,

i have a multithreaded server that manages TLS connections to the
clients.

to enable TLS on an unencrypted tcp stream I use:

SSL_load_error_strings();
SSL_library_init();
ctx = SSL_CTX_new(SSLv23_server_method());
...

ssl = SSL_new(ctx);
...

to shutdown and cleanup a connection I use:

int rval = SSL_shutdown(ssl);   /* first call sends our close_notify */
if (rval == 0) {
  SSL_shutdown(ssl);            /* second call waits for the peer's close_notify */
}
SSL_free(ssl);
SSL_CTX_free(ctx);


is that right, or is there a smaller solution?
is it necessary to init the library for every connection,
or is there a possibility to init the library only once (when starting
the server application)?


greetings, Alex




Re: Problem creating strong encryption certificates

2003-01-22 Thread Dr. Stephen Henson
On Wed, Jan 22, 2003, Peter Hendriks wrote:

> Thanks for your answer.
> 
> According to the infobox of Outlook Express 6.0 SP1 (completely updated), it
> says something like 128 bits coding strength (I have a Dutch version). I can
> access something like mailvault, which requires 128 bit SSL.
> 
> The windows homepage tells me that the "strong encryption pack" is only
> available for MSIE < 6.0 which has this package included. Therefore I can't
> install this "strong encryption pack".
> 
> https://www.fortify.net/sslcheck.html says I can use RC4, 128 bit coding
> strength.
> 
> To my best knowledge Outlook Express and Internet Explorer use the same
> coding system.
> 
> What I have done is create 3 certs (1 root, and 2 users) on my pc. I import
> all keys with the certificate manager, then create a public key (with the
> certificate manager) from "the other user". This public key is stored in the
> addressbook of "the other user". I'm composing a message in Outlook Express
> from "me" to the "other" user. When I click on "send" it gives a warning
> (like "only 40 bit encryption is used"). The message wasn't really sent, it
> just sits in the outbox. The certs do work.
> 
> As far as I can see, the problem must be either in Outlook Express, Windows
> 98SE, or OpenSSL.
> 

It may be that when you just install a certificate for the 'other user' it has
no way of knowing what encryption the other user can handle so it defaults to
40 bit RC2.

Try sending signed mail from the 'other user' to Outlook. It should then get
the necessary info that it supports strong encryption.

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/



Re: Stunnel 4.04 released

2003-01-22 Thread Brian Hatch


> Michal Trojnara wrote:
> > 
> > Version 4.04, 2003.01.12
> ...
> 
> Downloaded stunnel-4.04.exe to a Win 2K system.
> 
> Tried to run it as "stunnel -help". Got nothing.
> 
> Furthermore, looking at the source, as far as I can tell,
> when compiling for WIN32, no main procedure is compiled.

Did you use old openssl-0.9.6[a-g] libraries or
0.9.7?  The version of stunnel-4.04.exe compiled
by Mike requires 0.9.7.  (New dlls available
at both stunnel.mirt.net and stunnel.org)


Followups should probably go to the Stunnel mailing
list instead of OpenSSL.

--
Brian Hatch                        Of course I don't
  Systems and                      look busy.
  Security Engineer                I did it right
http://www.ifokr.org/bri/          the first time.

Every message PGP signed





openssl using asp

2003-01-22 Thread Sudhir Rau
Hi,

I am working on the Microsoft platform. I develop web sites using ASP and
IIS 5.0. I would like to know how openssl can be implemented in an ASP
environment. I have checked other sites and forums, but have only come
across openssl implementations in perl / php. Kindly let me know what is
to be done for implementing openssl in ASP. This is extremely urgent.

Thanks

Best Regards

Sudhir Rau

---
B. Sudhir Rau
Brahmaputra Infotech
95, National Park
New Delhi
India
Phone : 91-11-26443933
 
 


private key creation and checking

2003-01-22 Thread Robinson, Richard L (Rick)
When the private keys are created, are there checks performed to determine
the quality/primality of the keys? If so, is there documentation on how the
keys are checked?

Thanks,
Rick Robinson
[EMAIL PROTECTED]


Re: obtaining expiry dates

2003-01-22 Thread qm180
: I'm trying to write an automated script to check for pending expiry dates in
: SSL certs.

Depending on your end-goal, this may or may not help you -- but if
you're just looking for something to poll your servers and flag
pending cert expirations, you may want to check out Recon:

http://www.brandxdev.net

-qm
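For the poll-and-flag script the question describes, here is an added example that is not part of the thread and not Recon: it reads certificate end dates in the form `openssl x509 -noout -enddate` prints ("notAfter=Jan 15 14:26:18 2004 GMT", the same date format as the openssl ca output quoted elsewhere on this page), classifies each as OK, EXPIRING or EXPIRED against a warning window, and includes a live variant that fetches the leaf certificate from a server with chain verification on. The inventory, host names and the 30-day window are constructed for this example.

```python
import datetime as dt
import socket
import ssl

# Added example, not from the thread: flag certificates close to their notAfter date.

WARN_DAYS = 30   # assumption: page on anything expiring within a month


def parse_not_after(line):
    """Turn a 'notAfter=<date> GMT' line into an aware UTC datetime."""
    key, sep, value = line.strip().partition("=")
    if not sep or key != "notAfter":
        raise ValueError("not a notAfter line: %r" % line)
    seconds = ssl.cert_time_to_seconds(value)   # stdlib parser for this date format
    return dt.datetime.fromtimestamp(seconds, tz=dt.timezone.utc)


def classify(name, line, now, warn_days=WARN_DAYS):
    """Return (name, status, whole days remaining); negative means already expired."""
    remaining = (parse_not_after(line) - now).total_seconds() / 86400
    if remaining < 0:
        status = "EXPIRED"
    elif remaining <= warn_days:
        status = "EXPIRING"
    else:
        status = "OK"
    return name, status, int(remaining)


def report(inventory, now, warn_days=WARN_DAYS):
    """Classify every entry; callers alert on anything that is not OK."""
    return [classify(name, line, now, warn_days) for name, line in inventory.items()]


def fetch_not_after(host, port=443, timeout=5):
    """Live variant: verify the server's chain and return its leaf notAfter line."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()          # populated only after verification
    return "notAfter=" + cert["notAfter"]


# Constructed inventory; in practice collect lines with
#   openssl x509 -noout -enddate -in <cert.pem>   or   fetch_not_after(host)
INVENTORY = {
    "svr.example": "notAfter=Jan 15 14:26:18 2004 GMT",
    "ca.example": "notAfter=Feb 10 00:00:00 2003 GMT",
    "old.example": "notAfter=Dec 31 23:59:59 2002 GMT",
}

if __name__ == "__main__":
    for name, status, days in report(INVENTORY, dt.datetime.now(dt.timezone.utc)):
        print("%-14s %-9s %d days" % (name, status, days))
```

Keep the clock in UTC throughout; comparing a GMT notAfter against local wall-clock time is the usual way such scripts drift by a day at the boundaries. The live variant deliberately leaves verification on: a script that disables it to "just read the date" will happily report the expiry of whatever certificate an interposed host chooses to present.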



openssl segmentation fault

2003-01-22 Thread Rahim Mansour
Hi 

I wonder if you can help. I am trying to generate certificates in order
to have a FreeRadius server running on my RedHat 7.3 and to authenticate
a WinXP client. 
So far I have used openssl (/usr/local/ssl) version 0.9.6h ([engine] 5
Dec 2002) with which I can generate CA for root (CA.root), server
(CA.svr) and client (CA.clt) without any problem. This release doesn't
support WinXP, so I got version 0.9.7 and installed it as per your
instruction (/usr/local/openssl-certgen). Now, with this version I can
generate root certificates but attempt to generate the server one
results in the following log information:

Generating a 1024 bit RSA private key
++
++
writing new private key to 'newreq.pem'
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [UK]:
State or Province Name (full name) [Wales]:
Locality Name (eg, city) [Ebbw Vale]:
Organization Name (eg, company) [Technology Concepts Ltd]:
Organizational Unit Name (eg, section) [Technical Support]:
Common Name (eg, YOUR name) [mansour]:
Email Address [[EMAIL PROTECTED]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password [test123]:
An optional company name []:
Using configuration from /usr/local/openssl-certgen/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4 (0x4)
Validity
Not Before: Jan 15 14:26:18 2003 GMT
Not After : Jan 15 14:26:18 2004 GMT
Subject:
countryName   = UK
stateOrProvinceName   = Wales
localityName  = Ebbw Vale
organizationName  = Technology Concepts Ltd
organizationalUnitName= john
commonName= mansour
emailAddress  = [EMAIL PROTECTED]
X509v3 extensions:
X509v3 Basic Constraints: 
CA:FALSE
Netscape Comment: 
OpenSSL Generated Certificate
X509v3 Subject Key Identifier: 
D0:BB:EA:85:0A:F6:AC:78:A6:48:00:73:FF:14:55:C4:F4:9E:23:10
X509v3 Authority Key Identifier: 
keyid:73:EC:32:B6:8F:57:69:7A:C5:5F:C2:52:D5:5E:ED:28:37:DB:
28:A8
DirName:/C=UK/ST=Wales/L=Ebbw Vale/O=Technology Concepts
Ltd/OU=Technical [EMAIL PROTECTED]
serial:00

Certificate is to be certified until Jan 15 14:26:18 2004 GMT (365 days)
Sign the certificate? [y/n]:

1 out of 1 certificate requests certified, commit? [y/n]CERTIFICATION CANCELED
./CAsvr: line 23:  1851 Segmentation fault  openssl ca -policy policy_anything -out newcert.pem -passin pass:test123 -key test123 -infiles newreq.pem
No certificate matches private key
1853:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:138:
unable to load certificate
1854:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

I get Segmentation fault!!. 
My kernel ID is 2.4.18-3. Can you please let me know if you are aware of
this problem and how to go about solving it.
Thanks.

Kind regards

R Mansour
Tel: +44 (0)870 8705088
Fax: +44 (0)870 8705089
WEB: http://www.TheTCL.com



Re: Problem creating strong encryption certificates

2003-01-22 Thread Peter Hendriks
Tried your suggestion. Doesn't work. Mailed between 2 e-mail addresses, both
addresses had secret and public keys available. The senders certificate is /
stays RC2 40 bits in the outbox. After exchanging e-mails with reply it
still remains RC2 40 bits.

Public key is 1024 bit md5RSA, private key also.

Also strange is that pub key has V1, while CA root cert is V3.

Peter.

- Original Message -
From: "Dr. Stephen Henson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 22, 2003 2:46 PM
Subject: Re: Problem creating strong encryption certificates


> On Wed, Jan 22, 2003, Peter Hendriks wrote:
>
> > Thanks for your answer.
> >
> > According to the infobox of Outlook Express 6.0 SP1 (completely updated), it
> > says something like 128 bits coding strength (I have a Dutch version). I can
> > access something like mailvault, which requires 128 bit SSL.
> >
> > The windows homepage tells me that the "strong encryption pack" is only
> > available for MSIE < 6.0 which has this package included. Therefore I can't
> > install this "strong encryption pack".
> >
> > https://www.fortify.net/sslcheck.html says I can use RC4, 128 bit coding
> > strength.
> >
> > To my best knowledge Outlook Express and Internet Explorer use the same
> > coding system.
> >
> > What I have done is create 3 certs (1 root, and 2 users) on my pc. I import
> > all keys with the certificate manager, then create a public key (with the
> > certificate manager) from "the other user". This public key is stored in the
> > addressbook of "the other user". I'm composing a message in Outlook Express
> > from "me" to the "other" user. When I click on "send" it gives a warning
> > (like "only 40 bit encryption is used"). The message wasn't really sent, it
> > just sits in the outbox. The certs do work.
> >
> > As far as I can see, the problem must be either in Outlook Express, Windows
> > 98SE, or OpenSSL.
> >
>
> It may be that when you just install a certificate for the 'other user' it has
> no way of knowing what encryption the other user can handle so it defaults to
> 40 bit RC2.
>
> Try sending signed mail from the 'other user' to Outlook. It should then get
> the necessary info that it supports strong encryption.
>
> Steve.




Re: Problem creating strong encryption certificates

2003-01-22 Thread Dr. Stephen Henson
On Wed, Jan 22, 2003, Peter Hendriks wrote:

> Tried your suggestion. Doesn't work. Mailed between 2 e-mail addresses, both
> addresses had secret and public keys available. The senders certificate is /
> stays RC2 40 bits in the outbox. After exchanging e-mails with reply it
> still remains RC2 40 bits.
> 
> Public key is 1024 bit md5RSA, private key also.
> 
> Also strange is that pub key has V1, while CA root cert is V3.
> 

Hmmm. Did you try deleting the other certificate from the store first and
seeing if it gets added again when the signed message is received?

You shouldn't use V1 certificates; they have various problems associated with
them. Either use the 'ca' utility for signing requests or add:

-extfile /path/to/openssl.cnf -extensions usr_cert

to the 'x509' utility command line.

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/



Rainbow Cryptoswift Support

2003-01-22 Thread Scott Johnson
Hello all,

Does anyone here use the Rainbow Cryptoswift PCI card?  What is the extent 
of OpenSSL's support for this card?  Does OpenSSL require kernel-level 
support for this card to work?

Thanks,
Scott Johnson



Re: Rainbow Cryptoswift Support

2003-01-22 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Wed, 22 Jan 2003 
13:12:03 -0600, Scott Johnson <[EMAIL PROTECTED]> said:

scottj> Does anyone here use the Rainbow Cryptoswift PCI card?

I do, occasionally.


scottj> What is the extent of OpenSSL's support for this card?

Supported algorithms:

 - RSA
 - DSA
 - DH
 - RAND (randomness)

scottj> Does OpenSSL require kernel-level support for this card to work?

I've no idea.  All it requires is the presence of libswift.so.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



Queries on ERR_print_errors

2003-01-22 Thread Sunitha Kumar
ERR_print_errors(BIO*)
If i need the errors in a string, how do I get it from BIO?
thanks,






Re: Rainbow Cryptoswift Support

2003-01-22 Thread lynng
On 22 Jan 2003, at 20:42, Richard Levitte - VMS Whacker wrote:

> In message <[EMAIL PROTECTED]> on Wed, 22 Jan 2003 
>13:12:03 -0600, Scott Johnson <[EMAIL PROTECTED]> said:
> 
> scottj> Does anyone here use the Rainbow Cryptoswift PCI card?
> 
> I do, occasionally.
> 
> 
> scottj> What is the extent of OpenSSL's support for this card?
> 
> Supported algorithms:
> 
>  - RSA
>  - DSA
>  - DH
>  - RAND (randomness)
> 
> scottj> Does OpenSSL require kernel-level support for this card to work?
> 
> I've no idea.  All it requires is the presence of libswift.so.
> 

OpenSSL communicates with libswift.so, and libswift.so 
communicates with a platform-specific driver for the CryptoSwift 
PCI card.  Both libswift.so and the driver would be part of the 
installation of the software that you would get from Rainbow with 
the card.

Lynn Gazis
