Bryan Stansell bryan@conserver.com
Fri, 10 Nov 2006 22:02:47 -0800 (PST)
well, it seems close enough. i'm thinking the wrong files are being used. which ones are the right ones? well, i'm not 100% sure, but perhaps the example that i got to work will help you figure that out.

On Fri, Nov 10, 2006 at 03:27:05PM +0100, Fabien Wernli wrote:
> 1) run make inside of /usr/share/ssl/certs
> after adding the root certificate

i used contrib/maketestcerts to create a bunch of self-signed certs. check that script to see what was done to make all these things. file list sorted by time...

-rw-r--r-- 1 bryan stansell  676 Nov 10 21:39 rootreq.pem
-rw-r--r-- 1 bryan stansell  963 Nov 10 21:39 rootkey.pem
-rw-r--r-- 1 bryan stansell  899 Nov 10 21:39 rootcert.pem
-rw-r--r-- 1 bryan stansell 1862 Nov 10 21:39 root.pem
-rw-r--r-- 1 bryan stansell  668 Nov 10 21:39 serverreq.pem
-rw-r--r-- 1 bryan stansell  963 Nov 10 21:39 serverkey.pem
-rw-r--r-- 1 bryan stansell  891 Nov 10 21:39 servercert.pem
-rw-r--r-- 1 bryan stansell 2753 Nov 10 21:39 server.pem
-rw-r--r-- 1 bryan stansell  660 Nov 10 21:39 clientreq.pem
-rw-r--r-- 1 bryan stansell  963 Nov 10 21:39 clientkey.pem
-rw-r--r-- 1 bryan stansell  883 Nov 10 21:39 clientcert.pem
-rw-r--r-- 1 bryan stansell 2745 Nov 10 21:39 client.pem

i copied the rootcert.pem to my ssl/certs directory and ran c_rehash (which is probably what the makefile does). did you put the right root pem file there?

> 2) run conserver with the following command line element:
> -c /opt/conserver/certs/conserver.pem

yep...that should be all you need (assuming your conserver.pem is the equivalent of my server.pem).

> 3) conserver starts fine, but I am unable to connect without using
> my certificate, which should be ok:
> | $ console -vx
> | console: interface address 127.0.0.1 (lo)
> | console: interface address w.x.y.z (eth1)
> | console: SSLVerifyCallback(): error with certificate at depth: 0
> | console: SSLVerifyCallback(): issuer = /C=FR/O=WXYZ/CN=ABCD
> | console: SSLVerifyCallback(): subject = /C=FR/O=WXYZ/OU=USR6402/CN=conserver.my.domain/emailAddress=email@my.domain
> | console: SSLVerifyCallback(): error #20: unable to get local issuer certificate
> | console: SSL negotiation failed
> | 21520:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> | verify failed:s3_clnt.c:843:

to make things fail, i removed the rootcert.pem file and got the following:

console: SSLVerifyCallback(): error with certificate at depth: 1
console: SSLVerifyCallback(): issuer = /C=US/ST=California/L=Folsom/O=conserver.com/OU=Conserver CA/CN=conserver.com
console: SSLVerifyCallback(): subject = /C=US/ST=California/L=Folsom/O=conserver.com/OU=Conserver CA/CN=conserver.com
console: SSLVerifyCallback(): error #19: self signed certificate in certificate chain
console: SSL negotiation failed
18491:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:844:

notice i got error #19 and you got error #20. that makes me think you've got one of the other root cert files in ssl/certs...but it's just a guess.

> It may just be a trivial "wrong format" issue of my x509 certificate, but as
> the documentation on these issues is quite lacking I am posting to the list.

yeah, it is lacking. if you're creating your own certs, you should be able to modify the maketestcerts script...(and if anyone knows how to make it work without passphrases, please let me know).

> What's unclear to me for instance is how do you handle permissions? Where
> does one define whose cert can have access, and whose can't?

there is no restriction in conserver for checking certs. they're only used to make sure the ssl channel is not being hijacked. clients need to validate the cert before they are allowed to send any data and the server will validate the client's cert (if it presents one - doesn't happen unless -c is used and isn't required). if those conditions are met, then you're back to your standard restrictions (tcp_wrappers, passwords, ro/rw lists, etc).

hopefully that gives you at least something to try...

Bryan
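The error #20 vs. error #19 distinction Bryan draws can be reproduced outside conserver with the openssl CLI alone. This is an added example, not part of the thread or of conserver's contrib/maketestcerts; it assumes an `openssl` binary on PATH, and every subject name and file name is constructed for the test.

```shell
#!/bin/sh
# Added example: build a throwaway self-signed root and a server cert it
# signs, then run "openssl verify" three ways to see OK, error 20 and
# error 19. All names below are constructed; nothing here touches conserver.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-ins for rootcert.pem/rootkey.pem and servercert.pem from the thread.
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Test CA/CN=test-root" \
        -keyout "$WORK/rootkey.pem" -out "$WORK/rootcert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=console.example.test" \
        -keyout "$WORK/serverkey.pem" -out "$WORK/serverreq.pem" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/serverreq.pem" \
        -CA "$WORK/rootcert.pem" -CAkey "$WORK/rootkey.pem" -CAcreateserial \
        -out "$WORK/servercert.pem" 2>/dev/null
}

# Verify the server cert with the given extra openssl options and print the
# X509 verify error number (20 or 19), or OK when the chain validates.
# Output is parsed rather than the exit status, which older openssl
# releases did not set on verification failure.
verify_result() {
    out=$(openssl verify "$@" "$WORK/servercert.pem" 2>&1 || true)
    case $out in
        *": OK"*)        echo OK ;;
        *"error 20 at"*) echo 20 ;;   # issuer not found anywhere
        *"error 19 at"*) echo 19 ;;   # chain complete, but root not trusted
        *)               echo "other: $out" ;;
    esac
}

make_test_certs
# Root in the trust store: what a correctly populated ssl/certs gives you.
verify_result -CAfile "$WORK/rootcert.pem"
# Root absent from the trust store and the chain: Fabien's error #20.
verify_result
# Root supplied in the chain but not trusted: Bryan's error #19.
verify_result -untrusted "$WORK/rootcert.pem"
```

The third case mirrors what a conserver client sees when the server sends its full chain but the client's ssl/certs lacks the root, while the second matches a server that sends only its leaf and a client that cannot find the issuer at all.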