Archive for the ‘SSL’ Category

Just to summarize why Firefox does not trust the https://www.clevery.co.jp/ online shop.

Apparently the server at https://www.clevery.co.jp/ sends only its own certificate when I open their page. What most sites do is send not only their own certificate, but also the certificate of their issuer, the certificate of that issuer, and so on up to the root certificate (the root itself is left out). What is happening with the clevery server is that its certificate instead contains an extension that points to the location of the issuing certificate, as shown by OpenSSL:
  Authority Information Access:
    OCSP - URI:http://ocsp.verisign.com
    CA Issuers - URI:http://SVR1024Secure-aia.verisign.com/SVR1024Secure2007-aia.cer

So, apparently Firefox doesn't follow that path, and that path seems to be a recognized standard. A quick Google search found this article by someone who ran into the same problem and who had already checked the status of that extension.

I’ll have to look more into it myself, but I am not in the mood right now.

Logwatch was good enough to show me that I had my logs filled with messages like these… repeating themselves over and over ad infinitum:
(Continued in the post ‘OpenVPN connectivity issues’.)

I am running netqmail patched with TLS support under sslserver from the ucspi-ssl package.

However, every time a connection is closed, the sslserver process segfaults. On the Opteron it also causes messages like "sslserver[13106] general protection rip:2ab6c23cf687 rsp:7fffe89e9308 error:0" to appear in my system log.

Currently tracing the problem, but it seems that the process dedicated to handling the encryption assumes that it has to start an encrypted connection even though it has not been requested to do so. I’ll have to dig around a bit more.

Update: I also have a very trivial patch that fixes the issue. I've been running with it for over a year now, and there have been no issues, so it should be safe.
Here is the file:
ucspi-ssl-070-fixsegfault.patch

Here is a short summary of how I am managing my SSL certificates:

  • Edit /etc/ssl/openssl.cnf and add a section for each separate certificate authority, e.g. CA_servers, CA_clients, CA_vpn
  • Use a safe umask: umask 077
  • Generate a private key:
    • an unencrypted key (no password needed): openssl genrsa -out key.pem 2048
    • an encrypted key (protected by a password): openssl genrsa -aes256 -out key.pem 2048
  • Create a certificate request: openssl req -new -key key.pem -out req.pem
  • Sign the certificate: openssl ca -name CA_vpn -in req.pem -out cert.pem
  • Optionally add specific extensions to the signed certificate:
    • Prepare a section in /etc/ssl/openssl.cnf like this:
      [ext_server]
      nsCertType = server, client
    • Modify the signing command like this:
      openssl ca -name CA_vpn -in req.pem -out cert.pem -extensions ext_server
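As an added example (not code from the original posts), here is a script that runs the procedure above end to end with the same tools, one openssl.cnf section per CA, umask 077, and genrsa / req / ca with -name and -extensions, and then ties it back to the clevery post at the top of the page: it builds a throwaway root -> CA_vpn -> server chain, stamps the server certificate with an Authority Information Access "CA Issuers" pointer, and runs openssl verify both with and without the intermediate, which is the difference between a server that sends its full chain and one that sends only its own certificate to a client that does not follow that pointer. Everything in it is constructed for the demo: the CA names, the host name vpn.example.invalid, and the AIA URL http://ca.example.invalid/CA_vpn.cer.

```shell
#!/bin/sh
# Added example, not the original posts' code. Builds a root -> CA_vpn ->
# server chain with the openssl.cnf-section-per-CA procedure from the post,
# then checks the server certificate the way a client that does not fetch the
# AIA "CA Issuers" URI does. All names, paths and the AIA URL are constructed.
set -u; umask 077   # new private keys are unreadable by other users

ca_section() {   # $1 = section name, $2 = that CA's directory; one per CA
    cat <<EOF
[ $1 ]
dir = $2
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cert.pem
private_key = \$dir/key.pem
default_md = sha256
default_days = 365
policy = policy_anything

EOF
}

write_config() {   # $1 = work dir; writes $1/openssl.cnf
    { ca_section CA_root "$1/root"; ca_section CA_vpn "$1/vpn"; cat <<'EOF'
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ext_root
[ req_dn ]
commonName = Common Name
[ ext_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ext_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ext_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
subjectAltName = DNS:vpn.example.invalid
# where a client could fetch the issuer if the server leaves it out of the chain
authorityInfoAccess = caIssuers;URI:http://ca.example.invalid/CA_vpn.cer
EOF
    } > "$1/openssl.cnf"
}

init_ca_dir() {   # $1 = CA directory: the layout "openssl ca" expects
    mkdir -p "$1/newcerts" && : > "$1/index.txt" && echo 01 > "$1/serial"
}

build_demo_pki() {   # $1 = work dir (created); root -> CA_vpn -> server cert
    mkdir -p "$1" && write_config "$1" &&
    init_ca_dir "$1/root" && init_ca_dir "$1/vpn" || return 1
    # root: unencrypted key plus a self-signed certificate (ext_root)
    openssl genrsa -out "$1/root/key.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/root/key.pem" \
        -subj "/CN=Demo Root CA" -days 365 -out "$1/root/cert.pem" || return 1
    # intermediate CA_vpn: request, signed by "openssl ca -name CA_root"
    openssl genrsa -out "$1/vpn/key.pem" 2048 2>/dev/null &&
    openssl req -new -config "$1/openssl.cnf" -key "$1/vpn/key.pem" \
        -subj "/CN=Demo VPN CA" -out "$1/vpn/req.pem" &&
    openssl ca -batch -notext -config "$1/openssl.cnf" -name CA_root \
        -extensions ext_intermediate -in "$1/vpn/req.pem" \
        -out "$1/vpn/cert.pem" 2>/dev/null || return 1
    # server: request, signed by CA_vpn with the post's "-extensions ext_server"
    openssl genrsa -out "$1/server-key.pem" 2048 2>/dev/null &&
    openssl req -new -config "$1/openssl.cnf" -key "$1/server-key.pem" \
        -subj "/CN=vpn.example.invalid" -out "$1/server-req.pem" &&
    openssl ca -batch -notext -config "$1/openssl.cnf" -name CA_vpn \
        -extensions ext_server -in "$1/server-req.pem" \
        -out "$1/server-cert.pem" 2>/dev/null
}

# Chain check as a client that trusts only the root and does not chase AIA:
# it can use only what the server sent. $2 = leaf-only | with-intermediate
verify_server_cert() {   # $1 = work dir
    extra=""; [ "$2" = with-intermediate ] && extra="-untrusted $1/vpn/cert.pem"
    openssl verify -CAfile "$1/root/cert.pem" $extra "$1/server-cert.pem" >/dev/null 2>&1
}

ca_issuers_uri() {   # $1 = work dir; the AIA "CA Issuers" URI in the server cert
    openssl x509 -in "$1/server-cert.pem" -noout -text |
        sed -n 's/.*CA Issuers - URI:\([^[:space:]]*\).*/\1/p'
}

main() {   # stand-alone run: build in a temporary directory, show both outcomes
    d=$(mktemp -d) || return 1
    build_demo_pki "$d" || { rm -rf "$d"; echo "PKI build failed" >&2; return 1; }
    echo "AIA CA Issuers: $(ca_issuers_uri "$d")"
    verify_server_cert "$d" leaf-only || echo "leaf only: no local issuer (what Firefox hit)"
    verify_server_cert "$d" with-intermediate && echo "with intermediate: OK"
    rm -rf "$d"
}
main
```

Run it as sh demo-pki.sh; it works in a temporary directory and removes it afterwards. The ext_server section keeps the post's nsCertType but also sets keyUsage, extendedKeyUsage and a subjectAltName, which is what current clients actually check; the leaf-only verification failing while the with-intermediate one succeeds is exactly the gap between "the server sends its chain" and "the server relies on the client following the AIA pointer".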