From owner-freebsd-security@FreeBSD.ORG Sun May 14 12:57:08 2006
From: "Pietro Cerutti"
To: "Colin Percival", "freebsd security"
Date: Sun, 14 May 2006 14:57:06 +0200
Subject: Re: Freebsd-update and 6.1-RELEASE
In-Reply-To: <44640C13.2010409@freebsd.org>
References: <4461EC0F.2070809@freebsd.org> <44640C13.2010409@freebsd.org>

On 5/12/06, Colin Percival wrote:
> I wrote:
> > FreeBSD Update will work on FreeBSD 6.1 before the first security
> > advisory affecting 6.1 is released.
>
> I think I have everything in place for FreeBSD Update to run on
> FreeBSD 6.1. Please test and let me know if I forgot anything.

Hi Colin,
yes, everything works as expected...

# freebsd-update -v fetch
Fetching updates signature...
Fetching hash list signature...
Examining local system...
No updates available
#

This is the best output one can dream of!

> Colin Percival

Tnx for your work,
regards

-- 
Pietro Cerutti

From owner-freebsd-security@FreeBSD.ORG Mon May 15 22:53:45 2006
From: James O'Gorman
To: FreeBSD Security List
Date: Mon, 15 May 2006 23:53:03 +0100
Message-ID: <4469064F.50102@netinertia.co.uk>
Subject: Slightly OT: SSL certs - best practice?
Hi all,

This question may be slightly OT for this list, but it does concern
securing services on my FreeBSD servers :-)

At the moment I have some existing (self-signed) SSL certs for Dovecot,
Exim and Apache. It's mostly only me that uses them for now, but I'm
planning on expanding that, so want to try and do things "right".

My real question is, should I have a separate SSL certificate for each
service, or can I just use one for all of them?

Also, at the moment, the Dovecot cert is for "*.netinertia.co.uk", but it
can be accessed as either mail.netinertia.co.uk, imap.netinertia.co.uk or
pop.netinertia.co.uk. Is this right, or should I just pick one (probably
mail) to be the "official" name? (Similarly, Exim has its certificate set
to mail.netinertia.co.uk, but can be accessed as smtp.netinertia.co.uk.)

I was thinking of just creating one wildcard certificate and using it for
all the above services, but I don't know if this is actually the proper
way of doing things!

Cheers,
James

PS - Once I've worked out how exactly I'm supposed to be doing this, I'll
probably get some "officially" signed certs. I hear CACert are a good,
free way of doing this. Anyone got any comments on that?
From owner-freebsd-security@FreeBSD.ORG Tue May 16 00:15:26 2006
From: Clemens Renner
To: James O'Gorman
Date: Tue, 16 May 2006 02:14:58 +0200
Message-ID: <44691982.3070400@rinux.net>
In-Reply-To: <4469064F.50102@netinertia.co.uk>
References: <4469064F.50102@netinertia.co.uk>
Cc: FreeBSD Security List
Subject: Re: Slightly OT: SSL certs - best practice?

Hi James,

I would advise against using wildcard certificates. There certainly are
situations where this might be adequate but I'm in favor of a single
server certificate for each service that uses a different (virtual)
host. Thus, I have created several certificates for Apache SSL hosts
plus certificates for mail serving, etc.

One point might be: If someone manages to set up a host in the namespace
of the wildcard certificate and presents the cert once the host is
accessed, it looks like you have accredited that specific host since you
probably signed that wildcard cert.

Whether you use single certs for pop.netinertia.co.uk,
imap.netinertia.co.uk etc. or one generic name for all services related
to your mail -- that's a matter of taste, I guess. In any case, I
wouldn't stick with wildcards.

> PS - Once I've worked out how exactly I'm supposed to be doing this,
> I'll probably get some "officially" signed certs. I hear CACert are a
> good, free way of doing this. Anyone got any comments on that?

The problem with self-signed certs is just that they usually aren't
trustworthy, as you may have noticed. I'd say the same thing applies to
certificates signed by a CA that does not do a "real" verification of
the requesting person by which I mean that you probably don't need to go
somewhere and show some official ID to prove that you are in fact you.

The problem with fraud is misplaced trust. And people (read: those who
decide which CA certs to include in a product by default) tend to put
stronger trust in something that requires money for someone to vouch for
you.
On the other hand, I haven't had any bad experience with the following
approach: I created my own CA and have used it to sign my certs. I've
instructed all of my users how to import and trust that CA cert and we're
done. You only need to do this once to get any cert signed by that CA
accepted from that point on.

Clemens

From owner-freebsd-security@FreeBSD.ORG Tue May 16 08:55:02 2006
From: Ian G
Organization: http://iang.org/
Date: Tue, 16 May 2006 10:51:51 +0200
Message-ID: <446992A7.6010807@iang.org>
To: Clemens Renner, James O'Gorman
Cc: FreeBSD Security List
Subject: Re: Slightly OT: SSL certs - best practice?
In-Reply-To: <44691982.3070400@rinux.net>
References: <4469064F.50102@netinertia.co.uk> <44691982.3070400@rinux.net>

Hi all,

Clemens Renner wrote:
> Hi James,
>
> I would advise against using wildcard certificates. There certainly are
> situations where this might be adequate but I'm in favor of a single
> server certificate for each service that uses a different (virtual)
> host. Thus, I have created several certificates for Apache SSL hosts
> plus certificates for mail serving, etc.

An alternative to wildcard certificates is the SAN or SubjectAltName
method documented here:

    http://wiki.cacert.org/wiki/VhostTaskForce

It seems to work, I've used it (note that the primary CN should be
duplicated in the SAN list).

>> PS - Once I've worked out how exactly I'm supposed to be doing this,
>> I'll probably get some "officially" signed certs. I hear CACert are a
>> good, free way of doing this. Anyone got any comments on that?
...
> I'd say the same thing applies to
> certificates signed by a CA that does not do a "real" verification of
> the requesting person by which I mean that you probably don't need to go
> somewhere and show some official ID to prove that you are in fact you.

OK, just to clarify here - CAcert's system of verification includes (in
general) checking of identity documents in a person-to-person process.
Once people have been verified to their standard - they call it their
assurance process - the assured user can issue certs with names in them,
using a "class 3" root; before that, users can only issue unnamed certs
using an anon "class 1" root. (Whether this works for you, all depends.)

iang

PS: I gather that the "class 3" and "class 1" convention comes from
verisign.

From owner-freebsd-security@FreeBSD.ORG Tue May 16 09:15:34 2006
From: Peter Jeremy
To: "James O'Gorman"
Date: Tue, 16 May 2006 19:15:12 +1000
Message-ID: <20060516091512.GE714@turion.vk2pj.dyndns.org>
References: <4469064F.50102@netinertia.co.uk>
In-Reply-To: <4469064F.50102@netinertia.co.uk>
X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc
Cc: FreeBSD Security List
Subject: Re: Slightly OT: SSL certs - best practice?

On Mon, 2006-May-15 23:53:03 +0100, James O'Gorman wrote:
>PS - Once I've worked out how exactly I'm supposed to be doing this,
>I'll probably get some "officially" signed certs. I hear CACert are a
>good, free way of doing this. Anyone got any comments on that?

I've gone through the CAcert assurance process and it seems to work,
though a lot depends on your access to other assurers.

Note that the CAcert certificates are now part of ports/security/ca-roots
though the issue of bootstrapping remains (how do you know that your
roots file is genuine).

-- 
Peter Jeremy
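The three technical points raised in this thread, worked through as one added example that is not part of the thread and not code posted by any of its participants: Clemens's approach of running a private CA whose certificate users import once, Ian's SubjectAltName alternative to a wildcard (with the CN repeated in the SAN list), and Peter's bootstrapping caveat, which the script addresses by exposing the CA certificate's SHA-256 fingerprint for out-of-band comparison before anyone imports it. It also issues the wildcard certificate James asked about from the same CA so the name-matching difference Clemens warns about is visible: the wildcard is accepted for any single-label host under the domain, whether or not such a host exists, while the SAN certificate is accepted only for the names it lists. The script assumes a POSIX shell and the openssl command line tool; the domain example.test, the host names, the temporary file layout and every function name are constructed for the demo, and extensions are fed through -extfile rather than "req -addext" so it also runs on OpenSSL releases older than 1.1.1.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a private CA, issues a
# SAN certificate and a wildcard certificate from it, and checks which host
# names each certificate is accepted for. Domain, host names, paths and
# function names are all constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/pki-demo.$$"   # left in place afterwards for inspection
DOMAIN="example.test"                # placeholder domain, constructed for the demo
mkdir -p "$WORK"

# Step 1: a self-signed CA. Clients import ca.crt once; every certificate it
# signs is accepted from then on (the one-time step Clemens describes).
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -days 3650 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# The value users compare out of band (phone, in person, signed mail) before
# importing ca.crt; this is the bootstrapping step Peter points at.
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$WORK/ca.crt" | sed 's/^.*=//'
}

# Step 2: issue a server certificate signed by the CA.
#   $1 = file stem, $2 = CN, $3 = subjectAltName value (DNS:...,DNS:...)
# Prints the path of the issued certificate.
issue_cert() {
    stem="$WORK/$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$stem.key" -out "$stem.csr" 2>/dev/null
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$3" > "$stem.ext"
    openssl x509 -req -in "$stem.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$stem.ext" \
        -out "$stem.crt" 2>/dev/null
    echo "$stem.crt"
}

# Step 3: the check a client performs: does certificate $1 chain to our CA
# and is it valid for host name $2? Prints "yes" or "no".
accepted_for() {
    if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" \
        >/dev/null 2>&1
    then echo yes; else echo no; fi
}

make_ca
echo "CA fingerprint to publish out of band: $(ca_fingerprint)"

# Ian's method: every service name listed explicitly, CN repeated in the SAN.
SAN_CERT=$(issue_cert mail "mail.$DOMAIN" \
    "DNS:mail.$DOMAIN,DNS:imap.$DOMAIN,DNS:pop.$DOMAIN,DNS:smtp.$DOMAIN")
# The wildcard James asked about, signed by the same CA for comparison.
WILD_CERT=$(issue_cert wildcard "*.$DOMAIN" "DNS:*.$DOMAIN")

for host in "mail.$DOMAIN" "imap.$DOMAIN" "www.$DOMAIN" \
            "anything-at-all.$DOMAIN" "deep.sub.$DOMAIN" "$DOMAIN"; do
    printf '%-28s SAN cert: %-3s wildcard cert: %s\n' "$host" \
        "$(accepted_for "$SAN_CERT" "$host")" \
        "$(accepted_for "$WILD_CERT" "$host")"
done
```

The table the loop prints is the point: www and anything-at-all were never issued a certificate, yet the wildcard is accepted for both, which is exactly the "looks like you have accredited that specific host" situation Clemens describes; the SAN certificate is accepted only for mail and imap (and pop and smtp, which it also lists). Neither certificate matches the bare domain or a two-level name, because a wildcard covers a single label. Adding a service later means reissuing the SAN certificate with the new name, which is the price of the explicit list.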