
asyd.net

Welcome to Bruno Bonfils's (aka asyd) homepage.

Differences

This shows you the differences between the selected revision and the current version of the page.

geeklog 2005/10/19 10:33 (selected revision) vs. geeklog 2008/10/03 08:25 (current)
Line 1: Line 1:
-====== October, 18th ======+=====EasySSL ? A high level library to OpenSSL=====
-=====Certificates=====+I'm actually working with OpenSSL C API, to be able to add 
 +OCSP support to software like freeradius, maybe postfix, etc..  
 +While I'm writing more and more code to send an OCSP request (~400 lines) 
 +I'm thinking to start a high level library to OpenSSL (the name easyssl 
 +is just my first thought) to help developers to doesn't care really 
 +about the complex usage of OpenSSL.
-Now I found a **very** good PKI free software, I try to use it everywhere I need certificates. My first //difficult// task +For example, I recently check 
-was with IOS. You can find here some notes.+a well know software which can use certificates to authenticate users. After taking a look 
 +in code, I noticed the check was sometimes only done on the DN certificate, it's a very poor test, it's may be even a serious security flaw. That's why I think it could be nice to provide developers an easy to use library, features fill (OCSP support is not often available) for SSL functions.
-====EJBCA and IOS====+Here the code of main function to check a certificate by OCSP (I removed  
 +checks code)
-Here my IOS config related to my CA :+<code c> 
 +  /* Create a new EasySSL configuration and initialize it */ 
 +  config = malloc (sizeof (ssl_config)); 
 +  init_ssl_config(config);
-<code> +  /* Add a certificate to the CA store */
-+
-crypto ca trustpoint FMSCA +
- enrollment url http://pki.intranet.fimasys.fr:8080/ejbca/publicweb/apply/scep +
- serial-number +
- source interface Ethernet0 +
- auto-enroll regenerate +
-+
-</code>+
-Description / Notes +  /* char *cacert : path of CA certificate file to load */ 
 +  add_cert_to_CAstore(config, cacert))
-  * The enrollment line tell how (the method, here an url -> http) to contact the PKI software. Note: you **must** omit the pkiclient.exe filename at the end which is automagically add by IOS. +  /* Load certificate to check from a file, since a file  
-  * serial-number tell to IOS to include the serial number  +  * may contains more than one certificates, we need to  
-  * The name of the trustpoint you use **MUST MATCH** exactly the shortname of your CA in ejbca+  * use a STACK_OF(X509), check its size, and pop the uniq element */
-One you have that, use the command :+  /* char *xfile: path of final certificate file to load */ 
 +  certificates = x509_load_certificates_from_file(xfile); 
 +  { 
 +    X509 *certificate = NULL; 
 +    int response = -1;
-<code> +    if (sk_num(certificates) != 1) 
-# crypto ca authenticate FMSCA +         goto error;
-</code>;+
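Review bot: the trustpoint block (`crypto ca trustpoint FMSCA` through `auto-enroll regenerate`) enrolls against `http://pki.intranet.fimasys.fr:8080/ejbca/publicweb/apply/scep`, and the notes that follow explain the URL form and the trustpoint/CA name requirement, but say nothing about verifying what `crypto ca authenticate FMSCA` fetches. SCEP's GetCACert runs over cleartext HTTP by design, so the only thing binding this router to the right CA is the operator comparing the certificate fingerprint that IOS prints at `crypto ca authenticate` time against the fingerprint published out-of-band by EJBCA; that step should be stated in the notes, because `auto-enroll regenerate` will afterwards renew the key pair and certificate unattended against whatever CA was accepted at that first authentication.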
-to fetch the CA certificate. Then, set the password enrollment with the command :+    /* Pop the certificate from stack of X509 */ 
 +    certificate  = (X509 *) sk_pop(certificates); 
 + 
 +    /*  
 +      * ssl_config *config: pointer to EasySSL configuration 
 +      * char *url: URL to use to join the OCSP responder, (eg http://pki.asyd.net/ejbca/publicweb/status/ocsp) 
 +      * X509 *certificate: certificate to check 
 +      * Return: 
 +      *    < 0: Internal error  
 +      *      0: The certificate is valid 
 +      *    > 0: The certificate is revoked, the return value stand for the reason 
 +      */ 
 +    response = ocsp_check_certificate(config, url, certificate) 
 + 
 +      /* Display status */ 
 +    printf("  certificate DN: %s\n", 
 +      certificate->name); 
 + 
 +    printf("  status: "); 
 + 
 +    if (response < 0) 
 +      printf("Internal error\n"); 
 +    else if (response == 0) 
 +      printf("OK\n"); 
 +    else if (response > 0) 
 +      { 
 + printf("revoked\n"); 
 + printf("  reason: %s\n", OCSP_crl_reason_str(response)); 
 +      } 
 +  } 
 +</code>
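Review bot: the return contract documented above `ocsp_check_certificate` (`0` means valid, `> 0` means revoked with the value standing for the reason) collides with the CRL reason enumeration that `OCSP_crl_reason_str(response)` decodes, in which `unspecified` is `0`: a certificate revoked with the `unspecified` reason would come back as `0` and be printed as `OK`. Either return a distinct status code and pass the reason out through a separate parameter, or map `unspecified` to a non-zero value; the comment should also say how an OCSP `unknown` status, and a response whose signature cannot be verified against the store filled by `add_cert_to_CAstore`, are reported, since the three listed outcomes leave both undefined and a caller testing `response <= 0` would accept them. Smaller points in the same listing: `add_cert_to_CAstore(config, cacert))` has an unbalanced parenthesis and no semicolon, and the `response = ocsp_check_certificate(config, url, certificate)` line also lacks one, so the excerpt does not compile as shown; `sk_num` and `(X509 *) sk_pop` are the untyped stack functions, and `sk_X509_num()` / `sk_X509_pop()` on a `STACK_OF(X509)` make the cast unnecessary and let the compiler catch a wrong stack type; `certificate->name` reads a cached field inside the `X509` structure, whereas `X509_NAME_oneline(X509_get_subject_name(certificate), NULL, 0)` yields the same `/CN=...` string through the public API; and after the pop, neither the emptied stack nor the popped `X509` is freed within the excerpt (`sk_X509_free` / `X509_free`), nor is the `malloc` for `config` checked for failure.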
<code> <code>
-# crypto ca enroll FMSCA+% ./ocsp certs/cacert.pem certs/test00.pem 
 +  certificate DN: /CN=Bruno Bonfils (test00)/O=asyd dot net/C=FR 
 +  status: OK 
 + 
 +% ./ocsp certs/cacert.pem certs/test01.pem 
 +  certificate DN: /CN=Bruno Bonfils (test01)/O=asyd dot net/C=FR 
 +  status: revoked 
 +  reason: certificateHold
</code> </code>
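Review bot: `reason: certificateHold` in the second run is the one revocation reason a CA may later lift, so anything consuming this `ocsp` tool's output must not cache a hold as a permanent revocation. For the `status: OK` run, the tool prints nothing about the response's `thisUpdate` / `nextUpdate` window, which is what distinguishes a fresh answer from a replayed old "good" one; since the responder URL given in the listing is plain `http://`, replay rather than eavesdropping is the attack to design against, and the "validity check" the closing paragraph promises to add next should cover exactly that window (and the nonce, if the responder supports it).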
 +
 +As you can see, it's **very simple**. I hope I'll have enough time to code the same
 +simple function as SSL sockets frontend, but in a first time I'll add the validity
 +check.
 +
 +
 +//[[geeklog:2006:12:28:easyssl|Permanent link and discussions]]//
 +
 +
 +===== Interview =====
 +
 +
 +//[[geeklog:2006/12/04:interview|Permanent link and discussions]] //
 +
 +
 +===== Logicial if solaris =====
 +
 +
 +//[[geeklog:2006/10/25:logicial_if_solaris|Permanent link and discussions]] //
 +
 +
 +===== Solaris zsh =====
 +
 +
 +//[[geeklog:2006/09/07:solaris_zsh|Permanent link and discussions]] //
 +
 +
 +===== Pkgsrc pgsql =====
 +
 +
 +//[[geeklog:2006/09/06:pkgsrc_pgsql|Permanent link and discussions]] //
 +
-====== September, 30th ======= 
-=====About AIX===== 
-Now I have a "good" a SNMP, I want that all my server are SNMP aware, and for all interesting MIB, 
-like HOST-RESOURCES, which allow me to check CPU and memory utilization, etc.. That's why I tried 
-to configure the AIX snmp agent correctly. After spent few minutes to read snmpd.conf and mib.defs,  
-I was able to query the host-resources MIB OID (take a look in [[docs:aix]]). **But**, there is //funny// 
-bug in the AIX version I use for my server, just look : 
-<code> 
-% snmpwalk -v1 -c public 192.168.1.48 .1.3.6.1.2.1.25.3.3.1.2 
-HOST-RESOURCES-MIB::hrProcessorLoad.1 = INTEGER: -2147483648 
-HOST-RESOURCES-MIB::hrProcessorLoad.2 = INTEGER: -2147483648 
-</code> 
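Review bot: `snmpwalk -v1 -c public 192.168.1.48 ...` queries the agent with SNMPv1 and the default `public` community; on a server agent being opened up for HOST-RESOURCES (per-host CPU and memory, as `hrProcessorLoad` shows), the community should be changed from the default and, where the AIX agent allows it, read access restricted to the monitoring host's address, since a read-only agent answering `public` is enumerable by anything on the subnet. Separately, the `-2147483648` returned for `hrProcessorLoad.1` and `.2` is `INT32_MIN`, a sentinel or uninitialised value from the agent rather than a load; `hrProcessorLoad` is defined as `INTEGER (0..100)`, so the monitoring side should reject out-of-range values as "no data" instead of alerting on negative load.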
-Very funny, isn't it ? Funny, but annoying too. So, I look for why I had such values : it's a bug. 
-Well, I really can't understand why such things like snmp can be bugged. Seem we are only few 
-system administrator who use SNMP... Anyway, it's a good way to learn more about AIX (I'm a noob 
-with this OS), specially about patch management. 
-[[geeklog:comments:20050930]] 
-====== September, 28th ======= 
-=====Cisco and multicast===== 
-Since I create few VLAN at work, the servers and (NOC) workstations are no longer in the same  
-IP subnet (I don't even understand how the previous sys/net admin can leave servers 
-and workstations in the same LAN). So, a java admin ask me why he can't setup a weblogic 
-cluster with one node in our LAN (the NOC one), and one node in the LAN server. I just told him 
-"hold on few mintes". Well, ok, few hours after, it still doesn't working... But It's now ok, 
-I use the following config : 
-<code> 
-! 
-interface Vlan1 
- ip address 192.168.1.4 255.255.255.0 
- ip pim dense-mode 
- ip igmp join-group 232.168.34.65 
- ip igmp join-group 237.0.0.9 
- ntp multicast key 1 
-end 
-! 
-interface Vlan34 
- ip address 192.168.34.1 255.255.255.0 
- ip helper-address 192.168.1.6 
- ip pim dense-mode 
- ip igmp join-group 232.168.34.65 
- ip igmp join-group 237.0.0.9 
- ntp multicast key 1 
-end 
-! 
-ip multicasting-routing 
-! 
-</code> 
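Review bot: `ip multicasting-routing` is not an IOS command (`ip multicast-routing` is), so the config as pasted would be rejected at that line. Both `interface Vlan` blocks also carry `ip igmp join-group 232.168.34.65` and `ip igmp join-group 237.0.0.9`, which make the switch itself a receiver of every packet sent to those groups and punt them to its CPU, a load path any host on either VLAN can trigger; the later remark that forwarding "doesn't work if the Cisco is not a member of the group" suggests the join-group statements are being used as a substitute for real receivers, whereas with `ip pim dense-mode` on both SVIs and multicast routing enabled, flood-and-prune delivery should not require the router to join (the usual cause of that symptom is the sender's TTL, which the post identifies just below). `ip helper-address 192.168.1.6` on Vlan34 relays broadcasts to that host and is unrelated to the multicast problem, and `ntp multicast key 1` on both SVIs presumes an `ntp authentication-key 1 ...` / `ntp trusted-key 1` pair that is not shown.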
-But **the more important point is the TTL** which is set by the multicast application. IT **MUST BE GREATER** 
-than one (1) if you want forwarding multicast. 
-Example : 
-<code> 
-% sudo udp-sender  --file docs/CompilingBinaryFilesUsingACompiler.pdf --mcast-all-addr 232.168.34.65 --ttl 64 
-Udp-sender 2004-05-31 
-Using mcast address 232.168.34.65 
-UDP sender for docs/CompilingBinaryFilesUsingACompiler.pdf at 192.168.34.65 on eth0 
-Broadcasting control to 232.168.34.65 
-New connection from 192.168.1.50  (#0) 00000019 
-Ready. Press any key to start sending data. 
-Starting transfer: 00000019 
-bytes=        67 278 re-xmits=000000 (  0.0%) slice=0202          67 278 -  0 
-Transfer complete. 
-Disconnecting #0 (192.168.1.50) 
-</code> 
-<code> 
-% sudo udp-receiver --ttl 64 --mcast-all-addr 232.168.34.65 --file /tmp/output 
-Udp-receiver 2004-05-31 
-UDP receiver for /tmp/output at 192.168.1.50 on eth0 
-received message, cap=00000019 
-Connected as #0 to 192.168.34.65 
-Listening to multicast on 232.168.34.65 
-Press any key to start receiving data! 
-Sending go signal 1 Success 0 
-bytes=        67 278  (  1.05 Mbps)        67 278 
-Transfer complete. 
-</code> 
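Review bot: `--ttl 64` is passed to both `udp-sender` and `udp-receiver`, but the requirement stated above ("MUST BE GREATER than one") applies to the packets that have to cross the router, which are the sender's data packets to 232.168.34.65; the receiver's `--ttl` only governs packets the receiver itself originates. A TTL of 64 is far more than the single hop between Vlan34 (192.168.34.65) and Vlan1 (192.168.1.50), and with dense-mode PIM flooding, a group packet that leaks past the next router still has 63 hops in which to be forwarded; set the TTL to the actual diameter of the multicast domain (2 for this one-router path) rather than a generic 64.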
-As you can notice, I use udp-receiver / udp-sender - available [[http://alain.knaff.lu/udpcast/|here]], or maybe with your distrib (Debian  
-include it) - to test the multicast. 
-I just wondering why it doesn't work if the Cisco is not a member of the group, I probably need to check docs again and again. 
-===== OpenLDAP ===== 
-Well, by mischance, I need to use OpenLDAP.. So I begin to put all my notes about this 
-(crappy) software. Their will available [[docs:ldap:openldap|here]]. 
-[[geeklog:comments:20050928|Comments]] 
-====== September, 19th ======= 
-=====Small useful applications====== 
-  * [[http://freshmeat.net/redir/brack/55828/url_homepage/programs|Brack]] is a small php application which help to manage rack, it have interesting features (like a Service tag field for Dell hardware), and can be easily hack. 
-  * [[http://www.redferni.uklinux.net/dia/|Colour Cisco's shapes for Dia]] (I don't understand why this package is not include in the upstream) 
-Here a little patch to Brack's CSS to ensure all racks have the same size : (replace td.space with the following one) 
-<code> 
-td.space { 
-  font-size: small; 
-  font-family: sans-serif; 
-  padding: 0 5px; 
-  background-color: white; 
-  border-style: solid none none none; border-width: thin 
-} 
-</code> 
-(Very thanks to Cesar for his help) 
-[[geeklog:comments:20050919|Comments]]