
Re: SSL matters

 
Willem Grooters
Honored Contributor

SSL matters

I have installed the latest SSL (1.1, on VMS 7.3-1), had to do a few copies (overwrite current files with the templates supplied). Created a RANDFILE ($ SH SYS /FULL/OUT=, according to Alan Winston's book about the nonstop webserver).
However, it seems impossible to create a self-signed certificate. The key-file is created but no certificate file. No error message - until you ask to view the certificate: it simply doesn't exist. Nowhere within the SSL structures!
Creating a CA server doesn't succeed either. No certificates created!
Creating a certificate request fails to get past country name. Whatever I enter, it always gives me "invalid input". So I cannot get any further.
The documentation doesn't state anything either, or I've read over it.

Any hint of where I went wrong is appreciated...

Willem
Willem Grooters
OpenVMS Developer & System Manager
Willem Grooters
Honored Contributor

Re: SSL matters

OOPS.

removed product SSL
removed directory (was installed on VMS$COMMON:SSL, so I removed this SSL.DIR and all below)
removed SYS$STARTUP:SSL$*.COM (startup and shutdown)

installed SSL again, to VMS$COMMON:[SSL] - the default location.
Creation of self-signed certificate Ok
Creation of CA certificate Ok
Creation of certificate request fails on country. Whatever I do, it tells me "Invalid input".

(I want to create my own CA on my webserver so I can control who gets access. These need a certificate as well. The manuals don't tell me how to achieve this...So I just have to try :-( )

Willem
Willem Grooters
OpenVMS Developer & System Manager
Martin P.J. Zinser
Honored Contributor

Re: SSL matters

Hello Willem,

can you please report the exact commands you use and errors you receive (Obviously after obscuring any confidential information). I do have SSL up (for my OSU webserver) and would like to try and reproduce your problem.

Greetings, Martin
Willem Grooters
Honored Contributor

Re: SSL matters

Martin.

I used SSL$CERT_TOOL.COM - and by that, the different underlying procedures, as supplied with the kit. I would expect them to work. I haven't tried the plain openssl executable - yet.
I also think the documentation is not very clear: how do I create my machine to be a certificate server? My assumption was the CA certificate, but now I doubt that's true....
Willem Grooters
OpenVMS Developer & System Manager
Martin P.J. Zinser
Honored Contributor

Re: SSL matters

Hello Willem,

well this "tool" is not part of OpenSSL. Since it is made and supported by hp it might be a good idea to pick up the phone and bug them about it. Else you could try to find out what they do in the DCL. Once you got the command they try to execute I will be more than happy to test against a real OpenSSL installation.

Greetings, Martin

P.S. I really try to avoid my "hp has no clue about open source SW" soapbox here :-(
Willem Grooters
Honored Contributor

Re: SSL matters

Martin, you must be joking:


Since it is made and supported by hp it might be a good idea to pick up the phone and bug them about it.


Small user, no support contract (because far above budget) so they won't help.
GKW

I'll dig into the procedures then. No alternative, alas...

(I don't like soapbox here either)
Willem Grooters
OpenVMS Developer & System Manager
Willem Grooters
Honored Contributor

Re: SSL matters

********************************

PROBLEM SOLVED

********************************

Problem is in SSL$RQST_CERT.COM where size of input is compared with data kept in configuration file. THIS FILE IS WRONG.
As far as I could find, in any configuration file, _countryname_upd is either "Y" or "N".
Where countryname_max is set this should be set to 2.
I changed that - and the problem was solved:

$ sea ssl$conf:ssl$cert.cnf;* _max

******************************
SSL$ROOT:[DEMOCA.CONF]SSL$CERT.CNF;2

countryName_max = 2
commonName_max = 64
emailAddress_max = 40

******************************
SSL$ROOT:[DEMOCA.CONF]SSL$CERT.CNF;1

countryName_max = '_countryName_upd'
commonName_max = 64
emailAddress_max = 40
$ sea ssl$conf:ssl$cert.cnf;* _upd

******************************
SSL$ROOT:[DEMOCA.CONF]SSL$CERT.CNF;1

countryName_max = '_countryName_upd'
$

With this change, I was able to create and sign a request. Well, now look how I can get it implemented and what's needed on the browser side.

Willem Grooters
OpenVMS Developer & System Manager
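
The fault found in the post above (a `_max` entry left holding the literal `'_countryName_upd'` instead of a number) can be checked for mechanically. The following is an added example, not part of the thread or of the HP SSL kit; the sample text reuses the three lines shown in the post, while the section header, the function name `check_limits` and the min/max consistency check are assumptions.

```python
import re

# Constructed sample: the three *_max lines the post shows for SSL$CERT.CNF;1.
# The section header is an assumption; the post does not show it.
BROKEN_CNF = """\
[ req_distinguished_name ]
countryName_max = '_countryName_upd'
commonName_max = 64
emailAddress_max = 40
"""
# Version ;2 from the post, with the placeholder replaced by 2.
FIXED_CNF = BROKEN_CNF.replace("'_countryName_upd'", "2")

SECTION = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]")
LIMIT = re.compile(r"^\s*(\w+?)_(min|max)\s*=\s*(.*?)\s*(?:#.*)?$")


def check_limits(text):
    """Return (line_no, key, value, reason) for every unusable *_min/*_max entry."""
    findings, limits, section = [], {}, None
    for no, line in enumerate(text.splitlines(), 1):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = LIMIT.match(line)
        if not m:
            continue
        field, bound, value = m.groups()
        if not re.fullmatch(r"[0-9]+", value):
            # e.g. a template placeholder that was never substituted
            findings.append((no, f"{field}_{bound}", value, "not an integer"))
            continue
        limits.setdefault((section, field), {})[bound] = (no, int(value))
    # Hypothetical extra check: a minimum above the maximum rejects every input too.
    for (_, field), b in limits.items():
        if "min" in b and "max" in b and b["min"][1] > b["max"][1]:
            no, value = b["max"]
            findings.append((no, f"{field}_max", str(value), f"below {field}_min"))
    return findings


if __name__ == "__main__":
    for name, text in (("SSL$CERT.CNF;1", BROKEN_CNF), ("SSL$CERT.CNF;2", FIXED_CNF)):
        print(name, check_limits(text) or "ok")
```

Run against a copy of each configuration file after installing or upgrading the kit, it reports the line that needs a numeric value before any certificate request is attempted.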
Martin P.J. Zinser
Honored Contributor

Re: SSL matters

Hello Willem,

if you feel generous, please send mail to
OpenVMSSecurity@hp.com detailing your problem and the bug you have fixed. Maybe it will make it into the next hp SSL version.

Greetings, Martin