cancel
Showing results for 
Search instead for 
Did you mean: 

SSl matters

Willem Grooters
Honored Contributor

SSl matters

I have installed latest SSL (1.1, on VMS 7.3-1), had to de a few copies (overwrite current files with the templates supplied). Created an RANDFILE ($ SH SYS /FULL/OUT=, according Alan Winston's book about the nonstop webserver).
However, it seems impossible to create a self-signed certificate. The key-file is created but no certificate file. No error message - until you ask to view the certificate: it simply doesn;t exist. Nowhere within the SSL-strcutures!
Creating a CA server doesn't succeed either. No certificates created!
Creating a certificate request fails to get past country name. Whatever I enter, it always gives me "invalid input". So I cannot get any further.
The documentation doesn't state anything either, or I've read over it.

Any hint of where I got wrong is appreciated...

Willem
Willem Grooters
OpenVMS Developer & System Manager
7 REPLIES
Willem Grooters
Honored Contributor

Re: SSl matters

OOPS.

removed product SSL
removed directory (was installed on VMS$COMMON:SSL, so i removed this SSL.DIR and all below)
removed SYS$STARTUP:SSL$*.COM (startup and shutdown)

installed SSL again, to VMS$COMMON:[SSL] - the default location.
Creation of self-signed certificate Ok
Creation of CA certificate Ok
Creation of certificate request failes on country. Whatever i do, it tells me "Invalid input".

(I want to create my own CA on my webserver so I can control who gets access. These need a certificate as well. the manuals don't tell me how to achieve this...So I just have to try :-( )

Willem
Willem Grooters
OpenVMS Developer & System Manager
Martin P.J. Zinser
Honored Contributor

Re: SSl matters

Hello Willen,

can you please report the exact commands you use and errors you receive (Obviously after obscuring any confidential information). I do have SSL up (for my OSU webserver) and would like to try and reproduce your problem.

Greetings, Martin
Willem Grooters
Honored Contributor

Re: SSl matters

Martin.

I used SSL$CERT_TOOL.COM - and by that, the different underlaying procedures, as supplied with the kit. I would expect them to work. I haven't tried the plain openssl executable - yet.
I also think the documentation is not very clear: how do I create my machine to be a certificate server? My assumption was the CA certificate, but now I doubt that's true....
Willem Grooters
OpenVMS Developer & System Manager
Martin P.J. Zinser
Honored Contributor

Re: SSl matters

Hello Willem,

well this "tool" is not part of OpenSSL. Since it is made and supported by hp it might be a good idea to pick up the phone and bug them about it. Else you could try to find out what they do in the DCL. Once you got the command they try to execute I will be more than happy to test against a real OpenSSL installation.

Greetings, Martin

P.S. I really try to avoid my "hp has no clue about open source SW" soapbox here :-(
Willem Grooters
Honored Contributor

Re: SSl matters

Martin, you must be joking:


Since it is made and supported by hp it might be a good idea to pick up the phone and bug them about it.


Small user, no support contract (because far above budget) so they won't help.
GKW

I'll dig into the procedures then. No alternative, alas...

(I don't like soapbox here either)
Willem Grooters
OpenVMS Developer & System Manager
Willem Grooters
Honored Contributor

Re: SSl matters

********************************

PROBLEM SOLVED

********************************

Problem is in SSL$RQST_CERT.COM where size of input is compared with data kept in configuration file. THIS FILE IS WRONG.
As far as I could find, in any configuration file, _countryname_upd is either "Y" of "N".
Where countryname_max is set this should be set to 2.
I changed that - and the problem was solved:

$ sea ssl$conf:ssl$cert.cnf;* _max

******************************
SSL$ROOT:[DEMOCA.CONF]SSL$CERT.CNF;2

countryName_max = 2
commonName_max = 64
emailAddress_max = 40

******************************
SSL$ROOT:[DEMOCA.CONF]SSL$CERT.CNF;1

countryName_max = '_countryName_upd'
commonName_max = 64
emailAddress_max = 40
$ sea ssl$conf:ssl$cert.cnf;* _upd

******************************
SSL$ROOT:[DEMOCA.CONF]SSL$CERT.CNF;1

countryName_max = '_countryName_upd'
$

With this change, I was able to create and sign a request. Well, now look how I can get it implemented and what's needed on the browser side.

Willem Grooters
OpenVMS Developer & System Manager
Martin P.J. Zinser
Honored Contributor

Re: SSl matters

Hello Willem,

if you feel generous, please send mail to
OpenVMSSecurity@hp.com detailing your problem and the bug you have fixed. Maybe it will make it into the next hp SSL version.

Greetings, Martin