setting up an openssl client/server
guru at unixarea.de
Sun Jul 22 13:29:26 UTC 2012
On Sunday, July 22, 2012 at 08:36:51AM +0100, Matthew Seaman wrote:
> On 22/07/2012 07:38, Matthias Apitz wrote:
> > What it is missing, as well in the pages of www.openssl.org and
> > www.freebsd.org, is a complete step by step guide to make certificates
> > and keys to SSL a simple client/server communication, or at least I can't
> > see them.
> I've found TinyCA (ports: security/tinyca) to be simple and easy to use
> for setting up a personal certification authority. Just remember not to
> fill in the e-mail field when creating a HTTPS server cert if you want
> the filename of the cert to be based on the site URL.
Thanks for the hint, but this did not help: it (perl) dumps core, and as
well it does not help to dig into the details. With Google I found out
how to build new certificates for the example code (works now) and I'm
still trying to understand all the details. Here is, for the record, how
one can get it working:
configure and compile the source using openssl from the ports:
$ tar xzf openssl-examples-20020110.tar.gz
$ cd openssl-examples-20020110
$ ./configure --with-openssl=/usr/local/openssl\
generate new certs and keys as described here:
(the text below is from the above web site with some changes for
Inside the example code directory openssl-examples-20020110 do
( for FreeBSD use 'openssl' from /usr/local/bin )
$ mkdir newca
$ cd newca
( orig: $ cp /etc/ssl/misc/CA.sh . )
for FreeBSD port of openssl use:
$ cp /usr/local/openssl/misc/CA.sh .
$ ./CA.sh -newca
will create a new CA. Remember the passphrase as you will need
it to sign certificates.
$ cp demoCA/cacert.pem ../root.pem
$ ./CA.sh -newreq
will create a certificate and a certification request.
Set the passphrase to 'password' as this is hard-coded in
the examples' source code. It is important to set the
[Common Name] to 'localhost'.
$ ./CA.sh -sign
will sign your newly created certificate. Enter the password for
your CA which you have defined in step 1.
$ cat newreq.pem newkey.pem newcert.pem > ../localhost.pem
$ cd ..
$ ln -s localhost.pem server.pem
$ ln -s localhost.pem client.pem
Maybe you also want to issue
$ openssl dhparam -2 -out dh1024.pem -outform PEM 1024
in order to update the DH parameters.
The above setup will only work for local testing. If you want to
use OpenSSL to connect between different hosts, you either have
to disable the common name and host name comparison in client.c
in order to be able to use the same certificate on all hosts,
which may pose a security problem, or repeat steps two and three
above with the correct host names (FQDN, fully qualified domain name,
i.e. host name plus domain name) instead of 'localhost'.
Final note: if the SSL_get_verify_result() method in client.c
returns the error code 10 (outdated certificate), also check
the CA's certificate (root.pem) expiration date! In my case,
I tried to set the expiration time 100 years in the future -- which
resulted in a point of time in the past possibly due to a number overflow.
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <guru at unixarea.de> - w http://www.unixarea.de/
UNIX since V7 on PDP-11 | UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2 | FreeBSD since 2.2.5
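The CA.sh -newca / -newreq / -sign sequence from the steps above, plus the expiry and host-name checks the final note calls for, as an added example in plain openssl(1) commands (not from the mail, CA.sh or the openssl-examples tarball); it assumes openssl on PATH, and the work directory, file names and CA subject are chosen here, not taken from the mail.

```shell
#!/bin/sh
# Added example, not code from the mail or from openssl-examples: the same
# CA -> request -> sign sequence that CA.sh -newca/-newreq/-sign performs,
# run non-interactively, followed by the checks worth doing before wiring
# the files into client.c/server.c. Assumes openssl(1) on PATH; work dir,
# file names and the CA subject are chosen here, not taken from the mail.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Step 1 (CA.sh -newca): self-signed CA valid for $1 days. -nodes leaves the
# CA key unencrypted so the script needs no passphrase (test setups only).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/root.pem" 2>/dev/null
}

# Steps 2 and 3 (-newreq, -sign): request for host $1, then the CA signs it.
# Like the mail, key and cert are concatenated into one file for the examples.
make_host_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/newkey.pem" -out "$WORK/newreq.pem" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/newreq.pem" -CA "$WORK/root.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -out "$WORK/newcert.pem" 2>/dev/null
    cat "$WORK/newkey.pem" "$WORK/newcert.pem" > "$WORK/$1.pem"
}

# Check 1: the chain check SSL_get_verify_result() reports, done with the CLI.
verify_chain() { openssl verify -CAfile "$WORK/root.pem" "$WORK/newcert.pem" >/dev/null 2>&1; }

# Check 2: the trap from the final note. A notAfter that overflowed into the
# past fails -checkend 0, which exits 0 only while the cert is still valid.
ca_not_expired() { openssl x509 -in "$WORK/root.pem" -noout -checkend 0 >/dev/null; }

# Check 3: the common-name/host-name comparison client.c makes, for host $1.
hostname_matches() {
    openssl x509 -in "$WORK/newcert.pem" -noout -checkhost "$1" | grep -q 'does match'
}

# Stand-alone run: build the 'localhost' set and report each check.
demo() {
    make_ca 3650 && make_host_cert localhost
    for c in verify_chain ca_not_expired "hostname_matches localhost"; do
        if $c; then echo "$c: ok"; else echo "$c: FAILED"; fi
    done
    echo "files in $WORK: root.pem localhost.pem"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh thisfile.sh demo`; the -checkend and -checkhost checks also apply unchanged to certificates produced by CA.sh itself.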