Mailing List Archive: Certificates (again)

Hi,

Can anyone give a simple example on how to use certificates please?
Basically what I did is:

1) run make inside of /usr/share/ssl/certs
after adding the root certificate
2) run conserver with the following command line element:
-c /opt/conserver/certs/conserver.pem
3) conserver starts fine, but I am unable to connect without using
my certificate, which should be ok:
| $ console -vx
| console: interface address 127.0.0.1 (lo)
| console: interface address w.x.y.z (eth1)
| console: SSLVerifyCallback(): error with certificate at depth: 0
| console: SSLVerifyCallback(): issuer = /C=FR/O=WXYZ/CN=ABCD
| console: SSLVerifyCallback(): subject = /C=FR/O=WXYZ/OU=USR6402/CN=conserver.my.domain/emailAddress=email@my.domain
| console: SSLVerifyCallback(): error #20: unable to get local issuer certificate
| console: SSL negotiation failed
| 21520:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
| verify failed:s3_clnt.c:843:

3) using a certificate, it doesn't work either:
| $ console -vxc /var/tmp/my-user-cert.crt
| console: interface address 127.0.0.1 (lo)
| console: interface address w.x.y.z (eth1)
| Enter PEM pass phrase:
| console: Could not SSL private key from '/var/tmp/my-user-cert.crt'

It may just be a trivial "wrong format" issue of my x509 certificate, but as
the documentation on these issues is quite lacking I am posting to the list.

What's unclear to me for instance is how do you handle permissions? Where
does one define whose cert can have access, and whose can't?

Thanks for help

_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users

well, it seems close enough. i'm thinking the wrong files are being
used. which ones are the right ones? well, i'm not 100% sure, but
perhaps the example that i got to work will help you figure that out.

On Fri, Nov 10, 2006 at 03:27:05PM +0100, Fabien Wernli wrote:
> 1) run make inside of /usr/share/ssl/certs
> after adding the root certificate

i used contrib/maketestcerts to create a bunch of self-signed certs.
check that script to see what was done to make all these things. file
list sorted by time...

-rw-r--r-- 1 bryan stansell 676 Nov 10 21:39 rootreq.pem
-rw-r--r-- 1 bryan stansell 963 Nov 10 21:39 rootkey.pem
-rw-r--r-- 1 bryan stansell 899 Nov 10 21:39 rootcert.pem
-rw-r--r-- 1 bryan stansell 1862 Nov 10 21:39 root.pem
-rw-r--r-- 1 bryan stansell 668 Nov 10 21:39 serverreq.pem
-rw-r--r-- 1 bryan stansell 963 Nov 10 21:39 serverkey.pem
-rw-r--r-- 1 bryan stansell 891 Nov 10 21:39 servercert.pem
-rw-r--r-- 1 bryan stansell 2753 Nov 10 21:39 server.pem
-rw-r--r-- 1 bryan stansell 660 Nov 10 21:39 clientreq.pem
-rw-r--r-- 1 bryan stansell 963 Nov 10 21:39 clientkey.pem
-rw-r--r-- 1 bryan stansell 883 Nov 10 21:39 clientcert.pem
-rw-r--r-- 1 bryan stansell 2745 Nov 10 21:39 client.pem

i copied the rootcert.pem to my ssl/certs directory and ran c_rehash
(which is probably what the makefile does). did you put the right root
pem file there?

> 2) run conserver with the following command line element:
> -c /opt/conserver/certs/conserver.pem

yep...that should be all you need (assuming your conserver.pem is the
equivalent of my server.pem).

> 3) conserver starts fine, but I am unable to connect without using
> my certificate, which should be ok:
> | $ console -vx
> | console: interface address 127.0.0.1 (lo)
> | console: interface address w.x.y.z (eth1)
> | console: SSLVerifyCallback(): error with certificate at depth: 0
> | console: SSLVerifyCallback(): issuer = /C=FR/O=WXYZ/CN=ABCD
> | console: SSLVerifyCallback(): subject = /C=FR/O=WXYZ/OU=USR6402/CN=conserver.my.domain/emailAddress=email@my.domain
> | console: SSLVerifyCallback(): error #20: unable to get local issuer certificate
> | console: SSL negotiation failed
> | 21520:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> | verify failed:s3_clnt.c:843:

to make things fail, i removed the rootcert.pem file and got the
following:

console: SSLVerifyCallback(): error with certificate at depth: 1
console: SSLVerifyCallback(): issuer = /C=US/ST=California/L=Folsom/O=conserver.com/OU=Conserver CA/CN=conserver.com
console: SSLVerifyCallback(): subject = /C=US/ST=California/L=Folsom/O=conserver.com/OU=Conserver CA/CN=conserver.com
console: SSLVerifyCallback(): error #19: self signed certificate in certificate chain
console: SSL negotiation failed
18491:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:844:

notice i got error #19 and you got error #20. that makes me think
you've got one of the other root cert files in ssl/certs...but it's just
a guess.

> It may just be a trivial "wrong format" issue of my x509 certificate, but as
> the documentation on these issues is quite lacking I am posting to the list.

yeah, it is lacking. if you're creating your own certs, you should be
able to modify the maketestcerts script...(and if anyone knows how to
make it work without passphrases, please let me know).

> What's unclear to me for instance is how do you handle permissions? Where
> does one define whose cert can have access, and whose can't?

there is no restriction in conserver for checking certs. they're only
used to make sure the ssl channel is not being hijacked. clients need
to validate the cert before they are allowed to send any data and the
server will validate the client's cert (if it prevents one - doesn't
happen unless -c is used and isn't required). if those conditions are
met, then you're back to your standard restrictions (tcp_wrappers,
passwords, ro/rw lists, etc).

hopefully that gives you at least something to try...

Bryan
_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users