http://www.sirfsup.com/
Permalink: ssl.htm

ssl

  1. introduction
  2. make
  3. file/key placement
  4. generation of keys at the command line using the ssl binary
  5. seed
  6. ssh-keygen
  7. code

introduction

do you need to have secure e-mail?
do you need a secure web server?
or is this just mod_ssl?
do you want to use stunnel to make virtually anything insecure secure?

if you answered yes to any of the above, get and install the openssl library, as it will generate your keys, sign your certificates, and offer encryption libraries you can link against and use over and over again.

make

  2. Build OpenSSL by running:

       $ make

     This will build the OpenSSL libraries (libcrypto.a and libssl.a) and the
     OpenSSL binary ("openssl"). The libraries will be built in the top-level
     directory, and the binary will be in the "apps" directory.

file placement

individual servers
  1. sendmail
  2. apache

for the impatient, /etc/ssl/ is the directory you are looking for. does anybody know the environment setting? there isn't one: the certificate location is not an environment variable, although perhaps it should be. NB: the rpm default installation uses /usr/share/ssl rather than /etc/ssl, so all paths below are relative to that ...

sendmail

"USING SSL/TLS WITH SENDMAIL

By default, sendmail(8) expects both the keys and certificates to reside
in /etc/mail/certs, not in the /etc/ssl directory.  The default paths may
be overridden in the sendmail.cf file.  See starttls(8) for information
on configuring sendmail(8) to use SSL/TLS."


apache

Compile and Optimize
... apache_1.3.12 \ --with-crt=/etc/ssl/certs/server.crt \ --with-key=/etc/ssl ... must already
be installed on your server, and your public and private keys ...

others

CA
private
certs
    Makefile : generates keys without needing to study the generation below
    ca-bundle.crt : certificate request
    imapd.pem
    ipop3d.pem
    make-dummy-cert
    stunnel.pem
lib
misc
private

*.pem usually specifies a private key. the ssl page linked here tells you to execute openssl req -new -days 365 -nodes -config stunnel.cnf -out certreq.pem -keyout stunnel.pem . the output from this command is an error:

[joe@www joe]$ openssl req -new -days 365 -nodes -config stunnel.cnf -out certreq.pem -keyout stunnel.pem
Using configuration from stunnel.cnf
error on line 4 of stunnel.cnf
28955:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('stunnel.cnf','rb')
28955:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:106:
28955:error:0E064002:configuration file routines:CONF_load:system lib:conf_lib.c:91:
[joe@www joe]$ sudo locate stunnel.cnf

command-line syntax used to generate public and private keys, certs

wrong way to generate a private key:

openssl genrsa -out KEY.pem 1024
openssl rsa -in KEY.pem -out private.pem
openssl rsa -in KEY.pem -pubout -out public.pem

the correct way to do it (you don't need the separate openssl rsa -in KEY.pem -out private.pem step, because genrsa already generates the private key):

openssl genrsa -out private.pem 1024
openssl rsa -in private.pem -pubout -out public.pem

generating an RSA key whose private key file is encrypted with des3 (you will be prompted for a passphrase):

openssl genrsa -des3 -out ca.key 1024

RSA is used in SSH and apache. who uses DES? nobody here: -des3 only encrypts the private key file with triple DES under a passphrase, and the key inside is still RSA.

creates a certificate store, that is, a CA which can issue certificates:

/usr/bin/openssl req -new -key some-key.key -x509 -days 365 -out name_of.crt

using that store, create a server certificate:

  1. openssl genrsa -des3 -out server.key

errors concerning the seed value

you don't have the random number generator utility that OpenSSL uses to get its seed. look at this link; you can find one here.

ssh-keygen

code

  1. reading a public key

reading a public key

what is wrong with trying to read the public.pem the following way?
#include <stdio.h>
#include <stdlib.h>
#include <openssl/rsa.h>
#include <openssl/pem.h>
#include <openssl/err.h>

int main(void)
{
    RSA *x;
    FILE *fp;

    ERR_load_crypto_strings();
    if ((fp = fopen("public.pem", "r")) == NULL) {
        perror("ERROR: public.pem");   /* name the file actually opened */
        exit(1);                       /* failure, not a clean exit */
    }

    /* the call this question is about */
    if ((x = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL)) != NULL)
        RSA_free(x);                   /* an RSA object is released with RSA_free, not free() */
    else
        ERR_print_errors_fp(stderr);
    fclose(fp);
    return 0;
}
    
answer:

that's because there are two ways to read public keys. a public key can
be rsa, dsa and dh (may be more in openssl, i don't remember now). with
the function PEM_read_RSAPublicKey OpenSSL is expecting a concrete RSA
public key which will have in the header of the PEM file

-----BEGIN RSA PUBLIC KEY-----

instead of

-----BEGIN PUBLIC KEY-----

if you'd like to load an RSA key with the "BEGIN PUBLIC KEY" header,
you should use the PEM_read_RSA_PUBKEY function instead of the one you use.

this header will be common for dsa, rsa and dh keys.
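An added example (not from this page or from OpenSSL) that makes the answer above concrete: it sniffs the PEM label of a key or certificate file and names the PEM_read_* routine that accepts it, and it also flags the "Proc-Type: 4,ENCRYPTED" header that genrsa -des3 (section 4 above) writes, so you know a passphrase callback will be needed. It parses only the ASCII armour, so it builds without libcrypto; the sample PEM bodies are constructed placeholders, not real keys.

```c
/* pem_sniff.c: classify the PEM armour of a key or certificate file and name
 * the OpenSSL PEM_read_* routine that accepts it. Added example, not from the
 * original page: it parses only the PEM header, so it needs no libcrypto. */
#include <stdio.h>
#include <string.h>

typedef enum {
    KIND_UNKNOWN = 0,
    KIND_RSA_PUBLIC_PKCS1,   /* "RSA PUBLIC KEY"  : PKCS#1, what PEM_read_RSAPublicKey wants */
    KIND_PUBLIC_SPKI,        /* "PUBLIC KEY"      : SubjectPublicKeyInfo, what rsa -pubout writes */
    KIND_RSA_PRIVATE_PKCS1,  /* "RSA PRIVATE KEY" : traditional format, what genrsa writes */
    KIND_PRIVATE_PKCS8,      /* "PRIVATE KEY" or "ENCRYPTED PRIVATE KEY" : PKCS#8 */
    KIND_CERTIFICATE,        /* "CERTIFICATE" */
    KIND_CSR                 /* "CERTIFICATE REQUEST" */
} pem_kind;

typedef struct {
    pem_kind kind;
    int encrypted;           /* 1 when loading will need a passphrase callback */
} pem_info;

/* Length of the line starting at p, without its \n or \r\n terminator. */
static size_t line_len(const char *p) {
    const char *eol = strchr(p, '\n');
    size_t len = eol ? (size_t)(eol - p) : strlen(p);
    if (len > 0 && p[len - 1] == '\r') len--;
    return len;
}

/* Start of the line after p, or the terminating NUL. */
static const char *next_line(const char *p) {
    const char *eol = strchr(p, '\n');
    return eol ? eol + 1 : p + strlen(p);
}

pem_info pem_classify(const char *text) {
    pem_info info = { KIND_UNKNOWN, 0 };
    const char *p = text;
    char label[64] = "";

    /* 1. Find "-----BEGIN <label>-----" and copy out the label. */
    for (; *p; p = next_line(p)) {
        size_t len = line_len(p);
        if (len > 16 && strncmp(p, "-----BEGIN ", 11) == 0 &&
            strncmp(p + len - 5, "-----", 5) == 0) {
            size_t lab = len - 16;
            if (lab >= sizeof label) lab = sizeof label - 1;
            memcpy(label, p + 11, lab);
            label[lab] = '\0';
            p = next_line(p);
            break;
        }
    }
    if (label[0] == '\0') return info;          /* no PEM armour at all */

    if      (strcmp(label, "RSA PUBLIC KEY") == 0)  info.kind = KIND_RSA_PUBLIC_PKCS1;
    else if (strcmp(label, "PUBLIC KEY") == 0)      info.kind = KIND_PUBLIC_SPKI;
    else if (strcmp(label, "RSA PRIVATE KEY") == 0) info.kind = KIND_RSA_PRIVATE_PKCS1;
    else if (strcmp(label, "PRIVATE KEY") == 0)     info.kind = KIND_PRIVATE_PKCS8;
    else if (strcmp(label, "ENCRYPTED PRIVATE KEY") == 0) {
        info.kind = KIND_PRIVATE_PKCS8; info.encrypted = 1;
    }
    else if (strcmp(label, "CERTIFICATE") == 0)         info.kind = KIND_CERTIFICATE;
    else if (strcmp(label, "CERTIFICATE REQUEST") == 0) info.kind = KIND_CSR;

    /* 2. Traditional-format keys written by "genrsa -des3" carry RFC 1421
     *    "Proc-Type: 4,ENCRYPTED" / "DEK-Info: ..." header lines, then a
     *    blank line, then the base64 body. Base64 never contains ':'. */
    for (; *p; p = next_line(p)) {
        size_t len = line_len(p);
        if (len == 0 || memchr(p, ':', len) == NULL) break;
        if (strncmp(p, "Proc-Type: 4,ENCRYPTED", 22) == 0) info.encrypted = 1;
    }
    return info;
}

/* The OpenSSL routine that parses this kind of PEM object. */
const char *pem_loader_name(pem_info info) {
    switch (info.kind) {
    case KIND_RSA_PUBLIC_PKCS1:  return "PEM_read_RSAPublicKey";
    case KIND_PUBLIC_SPKI:       return "PEM_read_RSA_PUBKEY";  /* PEM_read_PUBKEY for any algorithm */
    case KIND_RSA_PRIVATE_PKCS1: return "PEM_read_RSAPrivateKey";
    case KIND_PRIVATE_PKCS8:     return "PEM_read_PrivateKey";
    case KIND_CERTIFICATE:       return "PEM_read_X509";
    case KIND_CSR:               return "PEM_read_X509_REQ";
    default:                     return "(not a PEM object)";
    }
}

/* Constructed samples: the base64 bodies are placeholders, not real key material. */
const char SAMPLE_SPKI[] =
    "-----BEGIN PUBLIC KEY-----\nPLACEHOLDERBASE64\n-----END PUBLIC KEY-----\n";
const char SAMPLE_PKCS1_PUB[] =
    "-----BEGIN RSA PUBLIC KEY-----\nPLACEHOLDERBASE64\n-----END RSA PUBLIC KEY-----\n";
const char SAMPLE_DES3_PRIV[] =            /* CRLF line endings, as a file copied from Windows might have */
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    "Proc-Type: 4,ENCRYPTED\r\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\r\n"
    "\r\n"
    "PLACEHOLDERBASE64\r\n"
    "-----END RSA PRIVATE KEY-----\r\n";

int main(void) {
    const char *samples[] = { SAMPLE_SPKI, SAMPLE_PKCS1_PUB, SAMPLE_DES3_PRIV };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        pem_info info = pem_classify(samples[i]);
        printf("%-24s needs_passphrase=%d\n", pem_loader_name(info), info.encrypted);
    }
    return 0;
}
```

Run against public.pem as produced by openssl rsa -pubout above, it reports PEM_read_RSA_PUBKEY, which is exactly why the PEM_read_RSAPublicKey call in the question fails; run against ca.key from genrsa -des3, it reports PEM_read_RSAPrivateKey with needs_passphrase=1.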
    
