Date: Sun, 22 Jul 2012 15:29:22 +0200
From: Matthias Apitz <guru@unixarea.de>
To: freebsd-questions@freebsd.org
Subject: Re: setting up an openssl client/server
Message-ID: <20120722132922.GA7524@tinyCurrent>
In-Reply-To: <500BAD93.5080007@infracaninophile.co.uk>
References: <20120721155922.GA4774@tinyCurrent> <E2209559-2902-48F4-93C1-224CDA680041@mac.com> <20120722063818.GA2445@tinyCurrent> <500BAD93.5080007@infracaninophile.co.uk>
On Sunday, July 22, 2012 at 08:36:51AM +0100, Matthew Seaman wrote:

> On 22/07/2012 07:38, Matthias Apitz wrote:
> > What it is missing, as well in the pages of www.openssl.org and
> > www.freebsd.org, is a complete step by step guide to make certificates
> > and keys to SSL a simple client/server communication, or at least I can't
> > see them.
>
> I've found TinyCA (ports: security/tinyca) to be simple and easy to use
> for setting up a personal certification authority. Just remember not to
> fill in the e-mail field when creating a HTTPS server cert if you want
> the filename of the cert to be based on the site URL.

Thanks for the hint, but this did not help, it (perl) dumps core; and as
well it does not help to dig into the details. With Google I found out how
to build new certificates for the example code (works now) and I'm still
trying to understand all the details. Here is, for the record, how one can
get it working:

	matthias

Configure and compile the source using openssl from the ports:

$ tar xzf openssl-examples-20020110.tar.gz
$ cd openssl-examples-20020110
$ ./configure --with-openssl=/usr/local/openssl \
    --with-openssl-inc=/usr/local/include \
    --with-openssl-lib=/usr/local/lib
$ make

Generate new certs and keys as described here:
http://www.gentoo-wiki.info/OpenSSL
(the text below is from the above web site with some changes for FreeBSD)

First step

Inside the example code directory openssl-examples-20020110 do
(for FreeBSD use 'openssl' from /usr/local/bin):

$ PATH=/usr/local/bin:$PATH
$ mkdir newca
$ cd newca
(orig: $ cp /etc/ssl/misc/CA.sh .)
for the FreeBSD port of openssl use:
$ cp /usr/local/openssl/misc/CA.sh .
$ ./CA.sh -newca

will create a new CA. Remember the passphrase as you will need it to sign
certificates.

$ cp demoCA/cacert.pem ../root.pem

Second step

$ ./CA.sh -newreq

will create a certificate and a certification request. Set the passphrase
to 'password' as this is hard-coded in the examples' source code.
It is important to set the [Common Name] to 'localhost'.

Third step

$ ./CA.sh -sign

will sign your newly created certificate. Enter the password for your CA
which you have defined in step 1.

Fourth step

$ cat newreq.pem newkey.pem newcert.pem > ../localhost.pem
$ cd ..
$ ln -s localhost.pem server.pem
$ ln -s localhost.pem client.pem

Maybe you also want to issue

$ openssl dhparam 1024 -2 -out dh1024.pem -outform PEM

in order to update the DH parameters.

The above setup will only work for local testing. If you want to use
OpenSSL to connect between different hosts, you either have to disable the
common name and host name comparison in client.c in order to be able to
use the same certificate on all hosts, which may pose a security problem,
or repeat steps two and three above with the correct host names (FQDN -
fully qualified domain name, i.e. host name plus domain name) instead of
'localhost'.

Final note: if the SSL_get_verify_result() method in client.c returns the
error code 10 (outdated certificate), also check the CA's certificate
(root.pem) expiration date! In my case, I tried to set the expiration time
100 years in the future -- which resulted in a point of time in the past
possibly due to a number overflow.

-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <guru@unixarea.de> - w http://www.unixarea.de/
UNIX since V7 on PDP-11 | UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2 | FreeBSD since 2.2.5
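A scripted version of the four steps in the mail above, added here as an example and not part of the original message or of the openssl-examples package. It replaces the interactive CA.sh prompts with plain openssl commands (assumptions: an OpenSSL 1.1.1 or newer `openssl` in PATH, unencrypted keys, a subjectAltName carrying the host name, and a scratch directory in `$WORK`), then runs the two checks the mail ends with: the chain and host-name verification the client performs, and the CA certificate's own expiry.

```shell
#!/bin/sh
# Added example, not from the original mail. Scripts the CA -> request -> sign ->
# concatenate steps and the verification checks. Assumes openssl >= 1.1.1.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)

# Step 1: self-signed CA; CA.sh would prompt for a passphrase, here the key is
# left unencrypted so the script can run unattended.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/root.pem" 2>/dev/null
}

# Steps 2 and 3: request with CN=<host>, signed by the CA. The subjectAltName is
# added because current clients match the host name against the SAN, not the CN.
# Step 4: key and certificate concatenated into one PEM file as the examples expect.
make_host_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
  cat "$WORK/$host.key" "$WORK/$host.crt" > "$WORK/$host.pem"
}

# Chain check against root.pem, i.e. what SSL_get_verify_result() decides on.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/$1.crt" >/dev/null 2>&1
}

# The host-name comparison from client.c: cert for $1, client connecting to $2.
# Fails (exit 2) when the certificate does not name the host, which is the
# cross-host situation the mail warns about.
cert_matches_host() {
  openssl verify -CAfile "$WORK/root.pem" -verify_hostname "$2" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# The final note in the mail: an expired (or overflowed) CA certificate makes
# every certificate it signed fail with error 10, so check root.pem itself.
ca_not_expired() {
  openssl x509 -in "$WORK/root.pem" -noout -checkend 0 >/dev/null 2>&1
}
```

Run `make_ca && make_host_cert localhost && verify_chain localhost && ca_not_expired` to reproduce the mail's working state; `cert_matches_host localhost some.other.host` then fails, which is the check that must not be disabled in client.c.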