
Re: Certificates (again)

Bryan Stansell bryan@conserver.com
Fri, 10 Nov 2006 22:02:47 -0800 (PST)

well, it seems close enough.  i'm thinking the wrong files are being
used.  which ones are the right ones?  well, i'm not 100% sure, but
perhaps the example that i got to work will help you figure that out.

On Fri, Nov 10, 2006 at 03:27:05PM +0100, Fabien Wernli wrote:
> 1) run make inside of /usr/share/ssl/certs
>    after adding the root certificate

i used contrib/maketestcerts to create a bunch of self-signed certs.
check that script to see what was done to make all these things.  file
list sorted by time...

-rw-r--r--   1 bryan    stansell     676 Nov 10 21:39 rootreq.pem
-rw-r--r--   1 bryan    stansell     963 Nov 10 21:39 rootkey.pem
-rw-r--r--   1 bryan    stansell     899 Nov 10 21:39 rootcert.pem
-rw-r--r--   1 bryan    stansell    1862 Nov 10 21:39 root.pem
-rw-r--r--   1 bryan    stansell     668 Nov 10 21:39 serverreq.pem
-rw-r--r--   1 bryan    stansell     963 Nov 10 21:39 serverkey.pem
-rw-r--r--   1 bryan    stansell     891 Nov 10 21:39 servercert.pem
-rw-r--r--   1 bryan    stansell    2753 Nov 10 21:39 server.pem
-rw-r--r--   1 bryan    stansell     660 Nov 10 21:39 clientreq.pem
-rw-r--r--   1 bryan    stansell     963 Nov 10 21:39 clientkey.pem
-rw-r--r--   1 bryan    stansell     883 Nov 10 21:39 clientcert.pem
-rw-r--r--   1 bryan    stansell    2745 Nov 10 21:39 client.pem

i copied the rootcert.pem to my ssl/certs directory and ran c_rehash
(which is probably what the makefile does).  did you put the right root
pem file there?

> 2) run conserver with the following command line element:
>    -c /opt/conserver/certs/conserver.pem

yep...that should be all you need (assuming your conserver.pem is the
equivalent of my server.pem).

> 3) conserver starts fine, but I am unable to connect without using
>    my certificate, which should be ok:
> |   $ console -vx
> |   console: interface address (lo)
> |   console: interface address w.x.y.z (eth1)
> |   console: SSLVerifyCallback(): error with certificate at depth: 0
> |   console: SSLVerifyCallback():  issuer  = /C=FR/O=WXYZ/CN=ABCD
> |   console: SSLVerifyCallback():  subject = /C=FR/O=WXYZ/OU=USR6402/CN=conserver.my.domain/emailAddress=email@my.domain
> |   console: SSLVerifyCallback():  error #20: unable to get local issuer certificate
> |   console: SSL negotiation failed
> |   21520:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> |   verify failed:s3_clnt.c:843:

to make things fail, i removed the rootcert.pem file and got the

console: SSLVerifyCallback(): error with certificate at depth: 1
console: SSLVerifyCallback():  issuer  = /C=US/ST=California/L=Folsom/O=conserver.com/OU=Conserver CA/CN=conserver.com
console: SSLVerifyCallback():  subject = /C=US/ST=California/L=Folsom/O=conserver.com/OU=Conserver CA/CN=conserver.com
console: SSLVerifyCallback():  error #19: self signed certificate in certificate chain
console: SSL negotiation failed
18491:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:844:

notice i got error #19 and you got error #20.  that makes me think
you've got one of the other root cert files in ssl/certs...but it's just
a guess.

> It may just be a trivial "wrong format" issue of my x509 certificate, but as
> the documentation on these issues is quite lacking I am posting to the list.

yeah, it is lacking.  if you're creating your own certs, you should be
able to modify the maketestcerts script...(and if anyone knows how to
make it work without passphrases, please let me know).

> What's unclear to me for instance is how do you handle permissions? Where
> does one define whose cert can have access, and whose can't?

there is no restriction in conserver for checking certs.  they're only
used to make sure the ssl channel is not being hijacked.  clients need
to validate the cert before they are allowed to send any data and the
server will validate the client's cert (if it presents one - doesn't
happen unless -c is used and isn't required).  if those conditions are
met, then you're back to your standard restrictions (tcp_wrappers,
passwords, ro/rw lists, etc).

hopefully that gives you at least something to try...
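The error-number distinction Bryan draws above (#19 "self signed certificate in certificate chain" at depth 1 when the root is sent in the chain but not trusted, versus #20 "unable to get local issuer certificate" at depth 0 when the client simply cannot find an issuer for the server cert) can be reproduced with `openssl verify` alone, without running conserver. The script below is an added example, not part of the thread and not conserver's contrib/maketestcerts: it builds a throwaway root CA and a server certificate, installs the root into a hashed CApath directory the way c_rehash does (one file named `<subject-hash>.0`), and then checks the server cert three ways. The CA and host names (Example Test Root, conserver.example) are made up. The bundle it writes as server.pem is cert + key + root in that order; the byte counts in the listing above add up exactly that way (891 + 963 + 899 = 2753), but the ordering is an inference from those sizes, not something the message states.

```shell
#!/bin/sh
# Reproduce the two OpenSSL verify failures from the thread (error 20 vs
# error 19) with a throwaway CA, and show the c_rehash-style CApath layout.
# Added example; not from the thread and not conserver's contrib/maketestcerts.
# All names (Example Test Root, conserver.example, ...) are constructed.
set -eu

# Build a self-signed root, a server cert signed by it, a hashed CApath
# directory, an empty CApath directory, and a conserver-style bundle under $1.
make_demo_certs() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/empty"

    # Root CA key and self-signed certificate (constructed test CA only).
    # CA:TRUE is set explicitly so the root is usable as an issuer regardless
    # of what the local openssl.cnf defaults to.
    openssl genrsa -out "$dir/rootkey.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/rootkey.pem" -subj "/O=Example/CN=Example Test Root" \
        -out "$dir/rootreq.pem" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -in "$dir/rootreq.pem" -signkey "$dir/rootkey.pem" -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/rootcert.pem" 2>/dev/null

    # Server key, CSR, and certificate issued by the root.
    openssl genrsa -out "$dir/serverkey.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/serverkey.pem" -subj "/O=Example/CN=conserver.example" \
        -out "$dir/serverreq.pem" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:conserver.example\n' \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/serverreq.pem" -CA "$dir/rootcert.pem" -CAkey "$dir/rootkey.pem" \
        -CAcreateserial -days 30 -extfile "$dir/server.ext" -out "$dir/servercert.pem" 2>/dev/null

    # What c_rehash does for one file: store the CA cert under <subject-hash>.0
    # so OpenSSL's hashed-directory lookup can find it by issuer name.
    h=$(openssl x509 -noout -hash -in "$dir/rootcert.pem")
    cp "$dir/rootcert.pem" "$dir/certs/$h.0"

    # Bundle in the order the byte counts in the thread suggest: cert, key, CA.
    cat "$dir/servercert.pem" "$dir/serverkey.pem" "$dir/rootcert.pem" > "$dir/server.pem"
}

# Verify $2 against the hashed directory $1, optionally with $3 as an
# untrusted chain file (what a TLS client sees when the server sends the root
# along with its own cert). Prints 0 on success, otherwise the numeric
# X509_V_ERR_* code from openssl's "error N at D depth lookup" line, which is
# the same number console prints as "error #N".
verify_code() {
    capath=$1
    cert=$2
    untrusted=${3:-}
    if [ -n "$untrusted" ]; then
        out=$(openssl verify -CApath "$capath" -untrusted "$untrusted" "$cert" 2>&1) || true
    else
        out=$(openssl verify -CApath "$capath" "$cert" 2>&1) || true
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        case $out in
            *": OK"*) code=0 ;;
            *) code=unknown ;;
        esac
    fi
    printf '%s\n' "$code"
}

workdir=$(mktemp -d)
make_demo_certs "$workdir"
echo "root rehashed into CApath:          $(verify_code "$workdir/certs" "$workdir/servercert.pem")"
echo "CApath without root, leaf only:     $(verify_code "$workdir/empty" "$workdir/servercert.pem")"
echo "CApath without root, root in chain: $(verify_code "$workdir/empty" "$workdir/servercert.pem" "$workdir/rootcert.pem")"
rm -rf "$workdir"
```

The three lines print 0, 20 and 19 respectively. The third case is Bryan's situation (root removed from ssl/certs, but the server still sends it in the chain); the second is the shape of Fabien's failure, where the chain stops at the leaf and no file under the CApath hashes to the issuer name, which is what happens when the wrong root file, or one with a different subject, was rehashed there.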