LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-28-2003, 10:23 AM   #1
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Rep: Reputation: 30
Quick OpenSSL how to


Okay Ive seen several people posting here about problems with OpenSSL, so I just thought Id post a quick 3 step process that can be followed through by all when thier creating a self-signed Certificate: -

==============================================
1. Creating RSA Private Key using random bit pattern (-des3 adds a tripled des encrypted password of your choice to protect private key).

#openssl genrsa –des3 -rand /dev/urandom -out private.key

2. Creating a Certificate Signing Request (csr), if you want you can send this to a CA to get it signed or move to step 3 and sign it yourself.

#openssl req -new -key private.key -out public.csr

Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: wherever
Locality Name (eg, city) []:Sesame street
Organization Name (eg, company) [Internet Widgits Pty Ltd]: company name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: whatever.com (Must match the DNS name of Web server to avoid problems)
Email Address []: somebody@somewhere.com

3. Creating a self signed x509 Certificate based on Private Key and csr
#openssl x509 -req -days 1095 -in public.csr -signkey private.key -out public.cert
==============================================

I know this is a relatively quick explanation but it should help anyone who wants to use OpenSSL to create an RSA based public/private Key pair.

Please let me know if there are any errors, or if its of assistance to you.

Dai

Last edited by dai; 07-28-2003 at 10:24 AM.
 
Old 07-28-2003, 03:56 PM   #2
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
I followed this exactly.

Set my sendmail.mc to

define(`confCACERT_PATH',`/usr/share/ssl/mycert')
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/usr/share/ssl/mycert/mycert.cert')
define(`confSERVER_KEY',`/usr/share/ssl/mycert/mycert.key')
define(`confCLIENT_CERT',`/usr/share/ssl/mycert/mycert.cert')
define(`confCLIENT_KEY',`/usr/share/ssl/mycert/mycert.key')

And when I check my mail with Eudora 5.1 I get
Server does not support SSL.

Where do I start to fix this? I am going to look at the logs now to see if I notice anything since that is what everyone says to do... but I am not sure what I am looking for.

Thanks
 
Old 07-28-2003, 04:04 PM   #3
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
Firstly, as youre using the certificates I am assuming that the process outlined worked for you????

With regards to the SSL not supported poblem Im not sure really what to say as Ive not tried to use SSL with a mail server. As you said the best thing to do is check the logs etc...

It seems from the error your providing that the certificate and Private Key are working fine but theres a problem with the setup of the Sendmail server, Im just guessing here so bear wih me (Never really worked with Sendmail yet). Is it possible that you need to carry out further configuration to support SSL??????

For example with Apache 1.3 you need mod_ssl to communicate with OpenSSL. Is it possible that you need something similar for Sendmail???? Also I dont think you need to specify a server certificate only a client certificate. Also only the server needs to know where the private key is not the client.

Again sorry I cant be anymore help but Ive not really worked with Sendmail.

Hope to have helped (some what)

Dai

Last edited by dai; 07-28-2003 at 04:11 PM.
 
Old 07-28-2003, 04:26 PM   #4
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
Yes once I let go and just followed you steps without fear the instructions worked fine.

Actually that much I had managed but using the MAKE that comes with Redhat in openssl.

I am not sure about the additional configs for sendmail but I will look. I will try cutting out the server side config and see if that helps.

Thanks for trying...
 
Old 07-28-2003, 04:28 PM   #5
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
no problem, if it still doesent work just post back perhaps I can help by offerring a different perspective, or perhaps some other kind person who knows more about Sendmail than me could help
 
Old 07-28-2003, 04:37 PM   #6
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
Well I found the line in sendmail...

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

but now I get:
Error reading from network Cause: Connection closed by foreign host. (0)

Back to the log I guess.

nothing in 'messages' and nothing in 'maillog'

Last edited by markstevens; 07-28-2003 at 04:44 PM.
 
Old 07-28-2003, 04:41 PM   #7
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
Well at least youre getting some where

WHy dont you try googling for some information on how to setup Sendmail using SSL that may help with the configuration problems youre getting.

Post back with how the problem is progressing, hopefully you will be able to use the SSL connection soon.

Dai
 
Old 07-28-2003, 04:45 PM   #8
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
Try this, it might help get the SSL connection working

http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml
 
Old 07-29-2003, 08:45 AM   #9
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
Thanks for the link. I am working that angle right now. Would be nice to have a test server. Phone keeps ringing everytime I try a new config.

I'll keep posting results. I seem to be the worst case scenerio so if I can get it going anyone can.
 
Old 07-29-2003, 08:58 AM   #10
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
Glad to be able to help

I can help with the phone aswell, try taking it off the hook
 
Old 07-29-2003, 10:10 AM   #11
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
How can I tell if my version of sendmail is complied with SSL support? I am using the out of the box redhat 9 professional build of sendmail only making changes to the sendmail.mc file.

For some reason I am still getting the error. It is driving me nuts.

I have tried time and again creating new certs and keys over and over again. Nothing seems to work...
 
Old 07-29-2003, 10:14 AM   #12
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
All I can suggest is get a sorce code copy of sendmail and compile it yourself with support for SSL then try it again.

From the error youre getting (Server does not Support SSL) it would indicate SSL support is not included in the pre-built copy you are using.

Last edited by dai; 07-29-2003 at 10:15 AM.
 
Old 07-29-2003, 11:35 AM   #13
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
working on doing it all one more time by scratch....

but when I do:

openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem

while in /etc/mail/certs/CA and etc/mail/certs/CA/private/cakey.pem does exist

I get:
Error opening CA private key ./CA/private/cakey.pem

In the openssl.cnf file it lists the directory for everything as ./CA

What does the ./ do?

Anyway... I think if I can get past this glitch I can get this to work...
 
Old 07-29-2003, 11:43 AM   #14
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
it just means from the directory that is specified as the default location of the certificate e.g. /ssl/key that ./CA/keyname.Pem is not found or full path /ssl/key/CA/keyname.key isnt found.

Possibly got the wrong path of where key is stored
 
Old 07-29-2003, 12:13 PM   #15
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
pwd reveals /etc/mail/certs/CA/private
ls reveals cakey.pem

so /etc/mail/certs/CA/private/cakey.pem

in /etc/mail/certs/CA/openssl.cnf

----snip----
[ CA_default ]
dir = ./CA #where everything is kept
----snip----
private_key = $dir/private/cakey.pem #The private key
----snip----


grrr.... what am I missing... must be something so simple...


Here is the whole [ CA_default ]

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extentions to add to the cert
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenSSL and its wonder Swakoo Linux - Newbie 9 03-22-2006 07:41 AM
Openssl velan Programming 1 05-16-2005 12:28 AM
OpenSSL Chiel Linux - Newbie 1 09-03-2004 04:52 PM
openssl abdullahgee Linux - Security 2 06-04-2004 01:36 PM
OpenSSL 0.9.6k kojiroh Solaris / OpenSolaris 2 10-09-2003 10:51 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:23 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration