From owner-freebsd-current Sun May 7 15:47:44 2000
Delivered-To: freebsd-current@freebsd.org
Received: from dt051n0b.san.rr.com (dt051n0b.san.rr.com [204.210.32.11]) by hub.freebsd.org (Postfix) with ESMTP id B7B8D37BB14; Sun, 7 May 2000 15:47:38 -0700 (PDT) (envelope-from DougB@gorean.org)
Received: from gorean.org (doug@master [10.0.0.2]) by dt051n0b.san.rr.com (8.9.3/8.9.3) with ESMTP id PAA60510; Sun, 7 May 2000 15:47:34 -0700 (PDT) (envelope-from DougB@gorean.org)
Message-ID: <3915F286.6DD0067@gorean.org>
Date: Sun, 07 May 2000 15:47:34 -0700
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.72 [en] (X11; U; FreeBSD 5.0-CURRENT-0422 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Steve Price
Cc: Kris Kennaway, Forrest Aldrich, current@FreeBSD.org
Subject: Re: RSA decrypt problems
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Steve Price wrote:
>
> On Sun, 7 May 2000, Doug Barton wrote:
>
> # Ok, here are some silly questions. Did you create a private key for
> # this server, did you encrypt your cert with it, and is that .key file
> # pointed to in your httpd.conf config file? SSLCertificateKeyFile is what
> # you're looking for. http://www.modssl.org/related/ has some really good
> # resources for this, and their FAQ has step by step instructions for
> # creating and testing keys and certs that may help you track down where
> # in the process it's getting lost.
>
> I did create a key for my server with the following command
>
> ssh-keygen -f /etc/ssh/ssh_host_key

ERrr... that's for ssh only.

> I didn't encrypt a cert with it. This is on a test box and
> up until a few days ago the only steps I ever had to take
> were to install one of the apache13-*ssl ports, crank up apache,
> and it just worked. Of course this could be where I've gone
> astray, as it appears this no longer works.

:) I'm not familiar with those ports, so I can't speak intelligently about them, however I've looked over the mod_ssl stuff, and they have pre-configured a whole certificate authority chain with the snake oil stuff so that you can test your installation of the binary(ies). However, that does you a disservice down the road when you have to do it for real.

> # Also, did you install the openssl port, or are you using the openssl
> # that is part of the base in 4.0+? I vaguely remember you saying that you
> # were using the port. If so, cd to /usr/local/openssl and cp
> # openssl.cnf.sample to openssl.cnf.
>
> I'm not using the port. I'm using the bits that come with
> -current (and 4.0 on another box). At Kris' suggestion I
> did copy over an /etc/ssl/openssl.cnf file but that didn't
> seem to help with the problem I'm having. :(

Well, it'll help, but you have to get down the road a bit before you notice how it helps you. :)

Take a look at http://www.modssl.org/docs/2.6/ssl_faq.html#ToC28 which describes the process of creating real certificates. If this is to be a "real" secure server that will be visible on the internet, you'll want to follow those instructions pretty much to the letter (assuming you're using mod_ssl, or one of its ports).

The way x509 works for secure servers is that you first create a "key" that is your server's unique signature. This is similar to the identity files created with ssh-keygen. Then you create a certificate that contains what is essentially your public key (actually a combination of your certificate's public key and your identity key's public part). You sign this certificate with your server's identity key, then send it to a certificate authority (read, "Verisign") which signs the certificate with its public key. Then you install the doubly signed certificate.
The client browser is able to use the information in your certificate to A) confirm with the CA that your certificate really came from you, B) encrypt an offer of a session key/cipher for that session, and C) decrypt your acceptance of that offer. I'm oversimplifying this a bit, hopefully you get the idea. There is more info on the web pages I sent in my previous e-mail.

HTH,

Doug

-- 
"Live free or die" - State motto of my ancestral homeland, New Hampshire

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
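The key / certificate request / CA signature sequence Doug describes, followed by the two checks that catch the problem behind most "decrypt" errors at Apache start-up (a certificate that does not chain to its CA, or a key that does not belong to the certificate named by SSLCertificateKeyFile). This is an added example, not code from the mail or from mod_ssl; it stands up a throwaway test CA in place of a commercial one, and the directory, file names and subject names are constructed for the example only.

```shell
#!/bin/sh
# Added example (not from the original mail): build a server key, have a
# self-signed test CA issue a certificate for it, then check that the pair
# is usable before pointing SSLCertificateFile/SSLCertificateKeyFile at it.
set -eu

# Assumption: a scratch directory, not a real deployment path.
WORK="${WORK:-$(mktemp -d)}"

# Step 1: the server's identity key (the "key" in the mail). Left
# unencrypted so Apache can start without a passphrase prompt.
make_server_key() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
}

# Step 2: a certificate signing request: the server's public key and
# name, signed with the server's own private key.
make_csr() {
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=www.example.test/O=Example Test" 2>/dev/null
}

# Stand-in for the certificate authority: a self-signed CA certificate,
# good only for local testing (the equivalent of mod_ssl's snake-oil CA).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Test CA" 2>/dev/null
}

# Step 3: the CA signs the request with its private key, which yields the
# server certificate to install.
sign_csr() {
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -out "$WORK/server.crt" 2>/dev/null
}

# Check 1: the certificate chains to the CA, which is what a browser
# verifies before trusting the server.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Check 2: the private key and the certificate share one RSA modulus.
# If they do not, Apache has been handed a key/cert pair that cannot
# decrypt what clients encrypt to the certificate's public key.
# Usage: key_matches_cert /path/to/server.key /path/to/server.crt
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Run the whole procedure; succeeds only if every step and check passes.
build_and_check() {
    make_server_key && make_csr && make_test_ca && sign_csr \
        && verify_chain && key_matches_cert "$WORK/server.key" "$WORK/server.crt"
}

build_and_check && echo "server.key and server.crt are a valid, matching pair in $WORK"
```

The modulus comparison is the quickest thing to run when Apache refuses to start with an RSA or key-mismatch error: if the two hashes differ, the httpd.conf entries point at files from different key generations, and no amount of openssl.cnf tuning will fix it.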