|
geeklog 2005/09/30 13:25 |
geeklog 2008/10/03 08:25 current |
| - | ====== September, 30th ======= | + | =====EasySSL ? A high level library to OpenSSL===== |
| | | | |
| - | =====About AIX===== | + | I'm actually working with OpenSSL C API, to be able to add |
| | + | OCSP support to software like freeradius, maybe postfix, etc.. |
| | + | While I'm writing more and more code to send an OCSP request (~400 lines) |
| | + | I'm thinking to start a high level library to OpenSSL (the name easyssl |
| | + | is just my first thought) to help developers to doesn't care really |
| | + | about the complex usage of OpenSSL. |
| | | | |
| - | Now I have a "good" a SNMP, I want that all my server are SNMP aware, and for all interesting MIB, | + | For example, I recently check |
| - | like HOST-RESOURCES, which allow me to check CPU and memory utilization, etc.. That's why I tried | + | a well know software which can use certificates to authenticate users. After taking a look |
| - | to configure the AIX snmp agent correctly. After spent few minutes to read snmpd.conf and mib.defs, | + | in code, I noticed the check was sometimes only done on the DN certificate, it's a very poor test, it's may be even a serious security flaw. That's why I think it could be nice to provide developers an easy to use library, features fill (OCSP support is not often available) for SSL functions. |
| - | I was able to query the host-resources MIB OID (take a look in [[docs:aix]]). **But**, there is //funny// | + | |
| - | bug in the AIX version I use for my server, just look : | + | |
| | | | |
| - | <code> | + | Here the code of main function to check a certificate by OCSP (I removed |
| - | % snmpwalk -v1 -c public 192.168.1.48 .1.3.6.1.2.1.25.3.3.1.2 | + | checks code) |
| - | HOST-RESOURCES-MIB::hrProcessorLoad.1 = INTEGER: -2147483648 | + | |
| - | HOST-RESOURCES-MIB::hrProcessorLoad.2 = INTEGER: -2147483648 | + | |
| - | </code> | + | |
| | | | |
| - | Very funny, isn't it ? Funny, but annoying too. So, I look for why I had such values : it's a bug. | + | <code c> |
| - | Well, I really can't understand why such things like snmp can be bugged. Seem we are only few | + | /* Create a new EasySSL configuration and initialize it */ |
| - | system administrator who use SNMP... Anyway, it's a good way to learn more about AIX (I'm a noob | + | config = malloc (sizeof (ssl_config)); |
| - | with this OS), specially about patch management. | + | init_ssl_config(config); |
| | | | |
| - | [[geeklog:comments:20050930]] | + | /* Add a certificate to the CA store */ |
| | | | |
| - | ====== September, 28th ======= | + | /* char *cacert : path of CA certificate file to load */ |
| | + | add_cert_to_CAstore(config, cacert)) |
| | | | |
| - | =====Cisco and multicast===== | + | /* Load certificate to check from a file, since a file |
| | + | * may contains more than one certificates, we need to |
| | + | * use a STACK_OF(X509), check its size, and pop the uniq element */ |
| | | | |
| - | Since I create few VLAN at work, the servers and (NOC) workstations are no longer in the same | + | /* char *xfile: path of final certificate file to load */ |
| - | IP subnet (I don't even understand how the previous sys/net admin can leave servers | + | certificates = x509_load_certificates_from_file(xfile); |
| - | and workstations in the same LAN). So, a java admin ask me why he can't setup a weblogic | + | { |
| - | cluster with one node in our LAN (the NOC one), and one node in the LAN server. I just told him | + | X509 *certificate = NULL; |
| - | ";hold on few mintes";. Well, ok, few hours after, it still doesn't working... But It's now ok, | + | int response = -1; |
| - | I use the following config : | + | |
| | | | |
| - | <code> | + | if (sk_num(certificates) != 1) |
| - | ! | + | goto error; |
| - | interface Vlan1 | + | |
| - | ip address 192.168.1.4 255.255.255.0 | + | |
| - | ip pim dense-mode | + | |
| - | ip igmp join-group 232.168.34.65 | + | |
| - | ip igmp join-group 237.0.0.9 | + | |
| - | ntp multicast key 1 | + | |
| - | end | + | |
| - | ! | + | |
| - | interface Vlan34 | + | |
| - | ip address 192.168.34.1 255.255.255.0 | + | |
| - | ip helper-address 192.168.1.6 | + | |
| - | ip pim dense-mode | + | |
| - | ip igmp join-group 232.168.34.65 | + | |
| - | ip igmp join-group 237.0.0.9 | + | |
| - | ntp multicast key 1 | + | |
| - | end | + | |
| - | ! | + | |
| - | ip multicasting-routing | + | |
| - | ! | + | |
| - | </code>; | + | |
| | | | |
| - | But **the more important point is the TTL** which is set by the multicast application. IT **MUST BE GREATER** | + | /* Pop the certificate from stack of X509 */ |
| - | than one (1) if you want forwarding multicast. | + | certificate = (X509 *) sk_pop(certificates); |
| | | | |
| - | Example : | + | /* |
| | + | * ssl_config *config: pointer to EasySSL configuration |
| | + | * char *url: URL to use to join the OCSP responder, (eg http://pki.asyd.net/ejbca/publicweb/status/ocsp) |
| | + | * X509 *certificate: certificate to check |
| | + | * Return: |
| | + | * < 0: Internal error |
| | + | * 0: The certificate is valid |
| | + | * > 0: The certificate is revoked, the return value stand for the reason |
| | + | */ |
| | + | response = ocsp_check_certificate(config, url, certificate) |
| | | | |
| - | <code> | + | /* Display status */ |
| - | % sudo udp-sender --file docs/CompilingBinaryFilesUsingACompiler.pdf --mcast-all-addr 232.168.34.65 --ttl 64 | + | printf(" certificate DN: %s\n", |
| - | Udp-sender 2004-05-31 | + | certificate->name); |
| - | Using mcast address 232.168.34.65 | + | |
| - | UDP sender for docs/CompilingBinaryFilesUsingACompiler.pdf at 192.168.34.65 on eth0 | + | printf(" status: "); |
| - | Broadcasting control to 232.168.34.65 | + | |
| - | New connection from 192.168.1.50 (#0) 00000019 | + | if (response < 0) |
| - | Ready. Press any key to start sending data. | + | printf("Internal error\n"); |
| - | Starting transfer: 00000019 | + | else if (response == 0) |
| - | bytes= 67 278 re-xmits=000000 ( 0.0%) slice=0202 67 278 - 0 | + | printf("OK\n"); |
| - | Transfer complete. | + | else if (response > 0) |
| - | Disconnecting #0 (192.168.1.50) | + | { |
| | + | printf("revoked\n"); |
| | + | printf(" reason: %s\n", OCSP_crl_reason_str(response)); |
| | + | } |
| | + | } |
| | </code> | | </code> |
| | | | |
| | <code> | | <code> |
| - | % sudo udp-receiver --ttl 64 --mcast-all-addr 232.168.34.65 --file /tmp/output | + | % ./ocsp certs/cacert.pem certs/test00.pem |
| - | Udp-receiver 2004-05-31 | + | certificate DN: /CN=Bruno Bonfils (test00)/O=asyd dot net/C=FR |
| - | UDP receiver for /tmp/output at 192.168.1.50 on eth0 | + | status: OK |
| - | received message, cap=00000019 | + | |
| - | Connected as #0 to 192.168.34.65 | + | % ./ocsp certs/cacert.pem certs/test01.pem |
| - | Listening to multicast on 232.168.34.65 | + | certificate DN: /CN=Bruno Bonfils (test01)/O=asyd dot net/C=FR |
| - | Press any key to start receiving data! | + | status: revoked |
| - | Sending go signal 1 Success 0 | + | reason: certificateHold |
| - | bytes= 67 278 ( 1.05 Mbps) 67 278 | + | |
| - | Transfer complete. | + | |
| | </code> | | </code> |
| | | | |
| - | As you can notice, I use udp-receiver / udp-sender - available [[http://alain.knaff.lu/udpcast/|here]], or maybe with your distrib (Debian | + | As you can see, it's **very simple**. I hope I'll have enough time to code the same |
| - | include it) - to test the multicast. | + | simple function as SSL sockets frontend, but in a first time I'll add the validity |
| | + | check. |
| | + | |
| | + | |
| | + | //[[geeklog:2006:12:28:easyssl|Permanent link and discussions]]// |
| | + | |
| | + | |
| | + | ===== Interview ===== |
| | + | |
| | + | |
| | + | //[[geeklog:2006/12/04:interview|Permanent link and discussions]] // |
| | + | |
| | + | |
| | + | ===== Logicial if solaris ===== |
| | + | |
| | + | |
| | + | //[[geeklog:2006/10/25:logicial_if_solaris|Permanent link and discussions]] // |
| | + | |
| | + | |
| | + | ===== Solaris zsh ===== |
| | + | |
| | + | |
| | + | //[[geeklog:2006/09/07:solaris_zsh|Permanent link and discussions]] // |
| | + | |
| | + | |
| | + | ===== Pkgsrc pgsql ===== |
| | + | |
| | + | |
| | + | //[[geeklog:2006/09/06:pkgsrc_pgsql|Permanent link and discussions]] // |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | | | |
| - | I just wondering why it doesn't work if the Cisco is not a member of the group, I probably need to check docs again and again. | |
| | | | |
| | | | |
| - | ===== OpenLDAP ===== | |
| | | | |
| - | Well, by mischance, I need to use OpenLDAP.. So I begin to put all my notes about this | |
| - | (crappy) software. Their will available [[docs:ldap:openldap|here]]. | |
| | | | |
| - | [[geeklog:comments:20050928|Comments]] | |
| | | | |
| - | ====== September, 19th ======= | |
| | | | |
| - | =====Small useful applications====== | |
| | | | |
| - | * [[http://freshmeat.net/redir/brack/55828/url_homepage/programs|Brack]] is a small php application which help to manage rack, it have interesting features (like a Service tag field for Dell hardware), and can be easily hack. | |
| - | * [[http://www.redferni.uklinux.net/dia/|Colour Cisco's shapes for Dia]] (I don't understand why this package is not include in the upstream) | |
| | | | |
| - | Here a little patch to Brack's CSS to ensure all racks have the same size : (replace td.space with the following one) | |
| - | <code> | |
| - | td.space { | |
| - | font-size: small; | |
| - | font-family: sans-serif; | |
| - | padding: 0 5px; | |
| - | background-color: white; | |
| - | border-style: solid none none none; border-width: thin | |
| - | } | |
| - | </code> | |
| - | (Very thanks to Cesar for his help) | |
| | | | |
| | | | |
| - | [[geeklog:comments:20050919|Comments]] | |
