
Weblog entry #3 for alfadir

SSL Hell?
Posted by alfadir on Mon 17 Jan 2011 at 11:37
Lately I have tried to upgrade a server and its services.
It was already running with OpenSSL certificates from a CA I set
up a few years ago, using this guide:
http://www.debian-administration.org/articles/284
I have had several services running happily with passphrased certificate
keys.

Now, first, the trouble started with OpenLDAP not wanting an OpenSSL certificate.
GnuTLS is the new standard and OpenSSL support is not compiled in.
But GnuTLS does not support OpenSSL-encrypted keys.
Also, if you convert them to PKCS #8, they have a limited passphrase length (50 bytes?).
Still, OpenLDAP with GnuTLS does not support encrypted keys. So, a loss for security.
0-1.

Installing the new calendarserver got me into the same trouble. The
calendar server uses an Apple script to read the passphrase, which is not
included. Returning the key using echo in a script did not help either.
Another loss, and another removal of the passphrase made it work.
0-2.

So before digging any further into the OpenSSL/GnuTLS jungle to find out
which services support which combination of secure certificates, I wanted to ask what you use.

I have used OpenSSL + scripts to run my CA; is there a better tool?
http://en.wikipedia.org/wiki/Certificate_authority
lists a few open source ones. What do you use?
(EJBCA is not packaged?)

I am not interested in a fast snakeoil cert but in a real, structured CA with
certificates for many virtual hosts and different services
(in OpenSSL, adding each host to the same certificate; SNI would be better, though).

How do you add the CA correctly to /etc/ssl/certs?
Is there some special script?
(git happened to look there for certs, I think, or I have another SSL problem.)

Also, if anyone has a link to a website describing how to add a CA to each of the common web browsers, I would be thankful. Depending on which browser version and OS the user has, adding the CA.pem to the browser varies a lot.

So, I guess I am done with my SSL questions for now, and I look forward to
good *secure* tips.
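A worked example of the kind of small OpenSSL-only CA the entry describes, added here as an illustration and not code from the original post or from any of the services it names: it creates a CA, issues one certificate whose subjectAltName covers several virtual hosts, re-exports the service key as encrypted PKCS#8, and derives an unencrypted copy for a daemon that cannot prompt for a passphrase. The directory layout, the *.example.test hostnames, the passphrases and the validity periods are made-up assumptions; only the openssl command-line tool is needed.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal OpenSSL-only CA.
# Everything below (paths, *.example.test names, passphrases, validity
# periods) is an assumption for illustration; only the openssl CLI is needed.
set -eu

# build_ca DIR -- create the CA, one SAN service certificate and both key forms under DIR.
build_ca() {
    dir="$1"
    ca_pass="ca-secret"     # assumption: CA key passphrase
    svc_pass="svc-secret"   # assumption: service key passphrase
    mkdir -p "$dir"
    umask 077               # every file below is created 0600

    # 1. Encrypted CA key and a self-signed CA certificate with CA:TRUE and keyCertSign.
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$dir/ca.key" 2048 2>/dev/null
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -days 3650 -config "$dir/ca.cnf" \
        -key "$dir/ca.key" -passin "pass:$ca_pass" -out "$dir/ca.crt"

    # 2. Encrypted service key and a CSR (the same config file is reused only so the
    #    run does not depend on the system openssl.cnf; -subj overrides its DN).
    openssl genrsa -aes256 -passout "pass:$svc_pass" -out "$dir/svc.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=www.example.test" \
        -key "$dir/svc.key" -passin "pass:$svc_pass" -out "$dir/svc.csr"

    # 3. Sign it. The SAN list carries every vhost/service name this one cert serves;
    #    CA:FALSE and a restricted keyUsage keep the leaf from acting as a CA.
    cat > "$dir/svc.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test, DNS:ldap.example.test, DNS:mail.example.test
EOF
    openssl x509 -req -days 825 -in "$dir/svc.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$ca_pass" -CAcreateserial \
        -extfile "$dir/svc.ext" -out "$dir/svc.crt" 2>/dev/null

    # 4. Re-export the key as encrypted PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY"), the
    #    container most non-OpenSSL stacks read; older openssl writes the legacy
    #    "BEGIN RSA PRIVATE KEY" form by default.
    openssl pkcs8 -topk8 -in "$dir/svc.key" -passin "pass:$svc_pass" \
        -passout "pass:$svc_pass" -out "$dir/svc.p8"

    # 5. Unencrypted copy for a daemon that cannot prompt: the passphrase is traded for
    #    file permissions, so it stays 0600 and owned by the service user only.
    openssl pkcs8 -topk8 -nocrypt -in "$dir/svc.key" -passin "pass:$svc_pass" \
        -out "$dir/svc.plain.key"
    chmod 0600 "$dir/svc.plain.key"
}

# cert_verifies DIR -- succeeds if svc.crt chains to ca.crt
cert_verifies() {
    openssl verify -CAfile "$1/ca.crt" "$1/svc.crt" >/dev/null 2>&1
}

# key_matches DIR -- succeeds if the unencrypted key's public half equals the cert's
key_matches() {
    cert_pub=$(openssl x509 -in "$1/svc.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/svc.plain.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# san_count DIR -- number of DNS names in svc.crt
san_count() {
    openssl x509 -in "$1/svc.crt" -noout -text | grep -o 'DNS:' | wc -l | tr -d ' '
}

# Usage: sh ca-example.sh /path/to/ca-dir
if [ -n "${1:-}" ]; then
    build_ca "$1"
    cert_verifies "$1" && echo "svc.crt verifies against ca.crt; $(san_count "$1") SAN entries"
fi
```

The SAN list and SNI are complementary rather than alternatives: one certificate listing several names lets one service answer for all of them, while SNI lets a server pick a different certificate per virtual host at handshake time. Whichever is used, the unencrypted key should live in a directory readable only by the service account, since the file mode is now the only thing protecting it.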

Comments on this Entry

Posted by Anonymous (79.198.xx.xx) on Mon 17 Jan 2011 at 15:45
If you created the CA's certificates with the Debian openssl binary, which had a now-famous bug, your certificates could be rejected by a patched openssl. Check the CA's .pem file with "openssl-vulnkey file.pem".

From README.Debian: The CA certificates contained in this package are installed into “/usr/share/ca-certificates” ... “dpkg-reconfigure ca-certificates” ... “update-ca-certificates” will then update “/etc/ssl/certs”

Looking into /usr/sbin/update-ca-certificates, there is a HOOKSDIR=/etc/ca-certificates/update.d line where you could put a script which modifies /etc/ssl/certs to your needs, e.g. adding your CA's .crt to /etc/ssl/certs/ca-certificates.crt.

Peter

Posted by alfadir (129.69.xx.xx) on Tue 18 Jan 2011 at 08:02
Sorry, I sure should have found the ca-certificates README.
I understand it as: no extra script is needed:

"If you want to install local certificate authorities to be implicitly
trusted, please put the certificate files as single files ending with
.crt into /usr/local/share/ca-certificates and re-run
update-ca-certificates."

And that should put your certificate in the right place.

Sure, I know all about DSA-1571, and regenerated the certs right away.
With the CA set up, it was easy, and all the services just continued to
work. Now I find that the change to gnutls for some services makes it
harder to use openssl as a basis for my CA, and it is here I need advice
and ideas.

The main services I am running right now are:
openldap, apache2, calendarserver, exim4, dovecot, mailman, silc, and ssh.
git and subversion run under apache2.
All controlled by openldap, more or less.
(mailman does not have a ldap MemberAdaptor that suits my needs yet,
and caldav still needs configuring)

I have had one cert per service with encrypted key based on my own CA.
This is probably overkill, but it makes things easier to have a real CA
instead of copying a snakeoil cert around.

I used OpenSSL as a "standard"; now I guess I have to figure out what the real
standard is, what encryption/hashing is the strongest, and what services are supported.

Started to play with http://wiki.ejbca.org/livecd in a VirtualBox, so if someone
has hints about it please join in.

Posted by alfadir (129.69.xx.xx) on Thu 20 Jan 2011 at 08:46
Even if I add the CA system-wide properly as described above,
Chromium ignores it.
It has to be installed in the NSS Shared DB.
http://code.google.com/p/chromium/wiki/LinuxCertManagement
Easy as 1,2,3.14159265
Would have been nice if the browser could trust /etc/ssl/certs/ca-certificates.crt

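The steps from the README.Debian quote and from the Chromium NSS note above, as one added example that is not code from the original thread, from Debian or from Chromium: it refuses to install anything that is not a CA certificate, drops the file as *.crt into /usr/local/share/ca-certificates, runs update-ca-certificates and checks the resulting /etc/ssl/certs/<hash>.0 link, then adds the same CA to the NSS shared DB with certutil (Debian package libnss3-tools). The default paths come from the thread; the nickname "Example Private CA", the optional staging-directory parameter and the use of `certutil -N --empty-password` to create a fresh database are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): put a private CA into the Debian
# system trust store, and separately into the NSS shared DB that Chromium reads.
# Default paths follow the README.Debian and Chromium wiki quoted in the thread;
# the certificate nickname is an assumption. Privileged steps run only as root.
set -eu

# is_ca_cert FILE -- succeeds if FILE is a PEM certificate carrying CA:TRUE
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# ca_hash FILE -- the subject hash update-ca-certificates uses to name the
# /etc/ssl/certs/<hash>.0 symlink that OpenSSL-based clients look up
ca_hash() {
    openssl x509 -in "$1" -noout -hash
}

# install_system_ca FILE [DESTDIR] -- copy FILE as a .crt into the local CA
# directory and rebuild /etc/ssl/certs. A non-default DESTDIR only stages the
# file (useful for testing); the rebuild needs root and the real directory.
install_system_ca() {
    src="$1"
    dest="${2:-/usr/local/share/ca-certificates}"
    is_ca_cert "$src" || { echo "refusing: $src is not a CA certificate" >&2; return 1; }
    name=$(basename "$src" | sed 's/\.[^.]*$//').crt   # update-ca-certificates only picks up *.crt
    mkdir -p "$dest"
    cp "$src" "$dest/$name"
    chmod 0644 "$dest/$name"                            # public material, but not writable by others
    if [ "$dest" = /usr/local/share/ca-certificates ] && [ "$(id -u)" -eq 0 ] \
        && command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates
        # post-install check: the hash symlink exists and the bundle accepts the CA
        [ -e "/etc/ssl/certs/$(ca_hash "$src").0" ] \
            && openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt "$src" >/dev/null
    fi
}

# install_nss_ca FILE [DBDIR] [NICKNAME] -- add FILE to the NSS shared DB as a
# trusted TLS root ("C,," trust flags); returns 2 when certutil is missing
install_nss_ca() {
    src="$1"
    db="${2:-$HOME/.pki/nssdb}"
    nick="${3:-Example Private CA}"
    command -v certutil >/dev/null 2>&1 \
        || { echo "certutil not found (Debian package libnss3-tools)" >&2; return 2; }
    is_ca_cert "$src" || return 1
    mkdir -p "$db"
    [ -e "$db/cert9.db" ] || certutil -d "sql:$db" -N --empty-password
    certutil -d "sql:$db" -A -t "C,," -n "$nick" -i "$src"
    certutil -d "sql:$db" -L | grep -q "$nick"          # check it is listed
}

# Usage: sh trust-ca.sh /path/to/ca.pem   (run as root for the system store)
if [ -n "${1:-}" ]; then
    install_system_ca "$1"
    install_nss_ca "$1" || echo "NSS step skipped"
fi
```

Run it as root for the system store. The NSS database is per user, so the certutil step has to be repeated for each account that runs Chromium; Firefox keeps its own per-profile store and is not covered by either step.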
Posted by dkg (216.254.xx.xx) on Wed 9 Feb 2011 at 15:25
alfadir wrote:
Would have been nice if the browser could trust /etc/ssl/certs/ca-certificates.crt
I recommend filing a bug against the chromium package with this feature request. I agree that this would be good behavior.
