From: Matthias Apitz <guru@unixarea.de>
To: freebsd-questions@freebsd.org
Date: Sun, 22 Jul 2012 15:29:22 +0200
Subject: Re: setting up an openssl client/server
Message-ID: <20120722132922.GA7524@tinyCurrent>
In-Reply-To: <500BAD93.5080007@infracaninophile.co.uk>
X-Operating-System: FreeBSD 9.0-CURRENT r214444 (i386)
User-Agent: Mutt/1.5.21 (2010-09-15)

On Sunday, July 22, 2012 at 08:36:51AM +0100, Matthew Seaman wrote:
> On 22/07/2012 07:38, Matthias Apitz wrote:
> > What it is missing, as well in the pages of www.openssl.org and
> > www.freebsd.org, is a complete step by step guide to make certificates
> > and keys to SSL a simple client/server communication, or at least I can't
> > see them.
>
> I've found TinyCA (ports: security/tinyca) to be simple and easy to use
> for setting up a personal certification authority. Just remember not to
> fill in the e-mail field when creating a HTTPS server cert if you want
> the filename of the cert to be based on the site URL.

Thanks for the hint, but this did not help: it (perl) dumps core, and it also does not help to dig into the details. With Google I found out how to build new certificates for the example code (works now), and I'm still trying to understand all the details. Here is, for the record, how one can get it working;

	matthias

Configure and compile the source using openssl from the ports:

$ tar xzf openssl-examples-20020110.tar.gz
$ cd openssl-examples-20020110
$ ./configure --with-openssl=/usr/local/openssl \
    --with-openssl-inc=/usr/local/include \
    --with-openssl-lib=/usr/local/lib
$ make

Generate new certs and keys as described here:

http://www.gentoo-wiki.info/OpenSSL

(the text below is from the above web site, with some changes for FreeBSD)

First step

Inside the example code directory openssl-examples-20020110 do (for FreeBSD use 'openssl' from /usr/local/bin):

$ PATH=/usr/local/bin:$PATH
$ mkdir newca
$ cd newca

(orig: $ cp /etc/ssl/misc/CA.sh .) For the FreeBSD port of openssl use:

$ cp /usr/local/openssl/misc/CA.sh .
$ ./CA.sh -newca

will create a new CA. Remember the passphrase, as you will need it to sign certificates.
$ cp demoCA/cacert.pem ../root.pem

Second step

$ ./CA.sh -newreq

will create a certificate and a certification request. Set the passphrase to 'password', as this is hard-coded in the examples' source code. It is important to set the [Common Name] to 'localhost'.

Third step

$ ./CA.sh -sign

will sign your newly created certificate. Enter the password for your CA which you defined in step 1.

Fourth step

$ cat newreq.pem newkey.pem newcert.pem > ../localhost.pem
$ cd ..
$ ln -s localhost.pem server.pem
$ ln -s localhost.pem client.pem

Maybe you also want to issue

$ openssl dhparam 1024 -2 -out dh1024.pem -outform PEM

in order to update the DH parameters.

The above setup will only work for local testing. If you want to use OpenSSL to connect between different hosts, you either have to disable the common name and host name comparison in client.c in order to be able to use the same certificate on all hosts, which may pose a security problem, or repeat steps two and three above with the correct host names (FQDN, fully qualified domain name, i.e. host name plus domain name) instead of 'localhost'.

Final note: if the SSL_get_verify_result() method in client.c returns the error code 10 (outdated certificate), also check the CA's certificate (root.pem) expiration date! In my case, I tried to set the expiration time 100 years in the future, which resulted in a point of time in the past, possibly due to a number overflow.

-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <guru@unixarea.de> - w http://www.unixarea.de/
UNIX since V7 on PDP-11 | UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2 | FreeBSD since 2.2.5
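The CA.sh procedure above, redone with plain openssl(1) subcommands so that the three points the mail raises can actually be checked from the command line: whether the server certificate chains to root.pem and matches the host name the client connected to (the comparison the mail says client.c would otherwise have to skip), whether either certificate has expired (the condition behind SSL_get_verify_result() returning 10, which is X509_V_ERR_CERT_HAS_EXPIRED), and what happens to a "100 years" validity when days*86400 is held in a 32-bit signed long, as it is on the author's i386 build. This is an added example and not code from the mail, from CA.sh or from the openssl-examples package. It assumes an openssl(1) of version 1.0.2 or later on PATH (for -verify_hostname and -checkend); all file and function names are mine, and it goes beyond the mail by also putting the host name into a subjectAltName, which is what current clients match on. Whether the author's CA.sh run hit exactly the days*86400 overflow emulated here is not shown by the mail; the function only reproduces the arithmetic.

```shell
#!/bin/sh
# Added example (not from the original mail): a throwaway test CA plus the
# checks a client should make, using openssl(1) subcommands instead of CA.sh.
# Assumptions: openssl 1.0.2+ on PATH; all file and function names are mine.

# --- 32-bit emulation for the "100 years in the future ends up in the past" note ---
# On an i386 build, C 'long' is 32 bits.  If a tool computes the notAfter
# offset as days*24*60*60 in a long, 36500 days (100 years) overflows and the
# certificate ends up with a notAfter decades in the past.  That this is the
# exact path CA.sh took is an assumption; only the arithmetic is emulated here.
wrap32() {
    # Reduce a (64-bit) shell integer to its two's-complement 32-bit value.
    v=$(( ($1 + 2147483648) % 4294967296 ))
    [ "$v" -lt 0 ] && v=$(( v + 4294967296 ))
    echo $(( v - 2147483648 ))
}

notafter_offset_days_32bit() {
    # Days actually added to notAfter when days*86400 is stored in a 32-bit long.
    echo $(( $(wrap32 $(( $1 * 86400 ))) / 86400 ))
}

max_days_32bit() {
    # Largest -days value whose second count still fits in a signed 32-bit long.
    echo $(( 2147483647 / 86400 ))
}

# --- Test PKI: a CA and a server certificate whose name must match the host ---
make_test_pki() {
    # $1 = work dir, $2 = server host name (used as CN and as DNS SAN).
    # Writes root.pem (the CA), server.pem, and a key+cert bundle named after
    # the host, the one-file-per-peer layout the mail uses.
    dir=$1; host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/root.pem" \
        >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    # Current clients match the host name against subjectAltName, not only CN.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/server.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.pem" >/dev/null 2>&1 || return 1
    cat "$dir/server.key" "$dir/server.pem" > "$dir/$host.pem"
}

check_server_cert() {
    # $1 = CA cert, $2 = server cert, $3 = host name the client connected to.
    # Exit 0 only if the chain verifies AND the name matches.  Disabling the
    # name comparison, as the mail mentions for client.c, would let any
    # certificate signed by the CA pose as any host.
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

cert_valid_for() {
    # $1 = cert, $2 = seconds; exit 0 if the cert is still valid that far ahead.
    # Run this on root.pem as well as the leaf, as the mail's final note advises.
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Demonstration when run directly.
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    if make_test_pki "$work" localhost; then
        check_server_cert "$work/root.pem" "$work/server.pem" localhost \
            && echo "localhost: chain and host name OK"
        check_server_cert "$work/root.pem" "$work/server.pem" other.example \
            || echo "other.example: host name mismatch rejected"
        cert_valid_for "$work/root.pem" 0 && echo "root.pem: not expired"
        cert_valid_for "$work/server.pem" $(( 60 * 86400 )) \
            || echo "server.pem: expires within 60 days"
    fi
    rm -rf "$work"
fi
echo "36500 days in a 32-bit long become $(notafter_offset_days_32bit 36500) days; max is $(max_days_32bit)"
```

With a 32-bit long, 36500 days become -13210 days, i.e. a notAfter about 36 years before the signing time, which is why verification then reports error 10; anything above 24855 days wraps. The same ends-in-the-past symptom will be reported for an expired root.pem, so check_server_cert and cert_valid_for should be run against both files before blaming client.c.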