[no subject]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

[root@ur1 _data]# docker exec -i -t ur1 /bin/bash
6b70de8c74e9:/ # cd /data
6b70de8c74e9:/data # cd config
6b70de8c74e9:/data/config # certutil -L -d .

Certificate Nickname                                         Trust Attrib=
utes
                                                             SSL,S/MIME,J=
AR/XPI

Self-Signed-CA                                               CT,,=20
/data/tls/ca/XXXXXXROOTCA2015.crt                            C,, =20
/data/tls/ca/XXXXXXServerCA2015.crt                          C,, =20
Server-Cert                                                  u,u,u
6b70de8c74e9:/data/config # certutil -K -d . -f pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private K=
ey and Certificate Services"
< 0> rsa      f6112f5e250e3b84034fa1272e43354d6715a3e5   (orphan)
< 1> rsa      6cc26b19c14150f6cb27aa3dee09795ed48cd8db   Server-Cer=
t
6b70de8c74e9:/data/config #=20


Looks like the ssca directory and some self-signed CA and cert
get always installed, even if a complete CA chain and a server cert
is provided.

openssl s_client -connect ur1.XXXXXXX.de:3636=20
CONNECTED(00000003)
depth=3D2 C =3D DE, ST =3D XXXXXXXX, O =3D XXXXXXX, CN =3D XXXXXXX ROOT C=
A 2015, emailAddress =3D <a class=3D"moz-txt-link-abbreviated" href=3D"ma=
ilto:security@xxxxxxxxxx">security@xxxxxxxxxx</a>
verify error:num=3D19:self signed certificate in certificate chain

An orphan key doesn't look nice, but I am more worried about the unnecess=
ary
stuff in the databases
</pre>
      </blockquote>
      <pre class=3D"moz-quote-pre" wrap=3D"">
So the orphan key is the "original" server-cert key that was orphaned sin=
ce you loaded your own key. It's honestly harmless. Everything else appea=
rs to have imported correctly which is excellent!=20
</pre>
    </blockquote>
    <br>
    OK, agreed. It is harmless, but also not needed. Usually, I choose
    to use only one private key in my key3.db or key4.db.<br>
    My assumption was, that if I provide certificates in the tls
    subdirectory, the ssca directory is not even used at all,<br>
    since the key and cert that are effectively used are stored in the
    config directory and its databases. <br>
    <blockquote type=3D"cite"
      cite=3D"mid:1BC865A2-4F40-4509-B148-B329DD6E7B42@xxxxxxxx">
      <pre class=3D"moz-quote-pre" wrap=3D"">
</pre>
      <blockquote type=3D"cite">
        <pre class=3D"moz-quote-pre" wrap=3D"">and the failing openssl ce=
rtificate validation.
</pre>
      </blockquote>
      <pre class=3D"moz-quote-pre" wrap=3D"">
We'll need to see the output of 'openssl -_client -connect url1.XXXXXX.de=
:3636 -showcerts' to see what is or isn't self signed in the chain. It co=
uld just simply be that your ROOTCA/ServerCA aren't trusted by your opens=
sl install of the host. </pre>
    </blockquote>
    <br>
    Due to NDA I can't provide more details. But the problem is not
    related to self-signed-certs as indicated by <br>
    openssl's error messages, it's really that I didn't properly specify
    rootCA/ServerCA.<br>
    <br>
    It works now with:<br>
    <br>
    cat XXXXXXROOTCA2015.crt &gt; ./chain.crt<br>
    cat XXXXXXServerCA2015.crt &gt;&gt; ./chain.crt<br>
    openssl s_client -connect ur1.sedevsso.XXXXXX.de:3636 -CAfile
    &lt;path&gt;/ca/chain.crt :<br>
    <br>
    ...<br>
    ...<br>
    SSL handshake has read 4776 bytes and written 427 bytes<br>
    ---<br>
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256<br>
    Server public key is 2048 bit<br>
    Secure Renegotiation IS supported<br>
    Compression: NONE<br>
    Expansion: NONE<br>
    No ALPN negotiated<br>
    SSL-Session:<br>
    =C2=A0=C2=A0=C2=A0 Protocol=C2=A0 : TLSv1.2<br>
    =C2=A0=C2=A0=C2=A0 Cipher=C2=A0=C2=A0=C2=A0 : ECDHE-RSA-AES128-GCM-SH=
A256<br>
    =C2=A0=C2=A0=C2=A0 Session-ID:
    003BB677D15FC7C0490D3E795F193AB103D1E579D2F554086B63853DA9916525<br>
    =C2=A0=C2=A0=C2=A0 Session-ID-ctx: <br>
    =C2=A0=C2=A0=C2=A0 Master-Key:
D050F13AD8343F825E4602F57BFFDB7BFBF38438E9ED497C9626F973C7772EC0D52C92B68=
E4BE087AF49C1DE4C2FB06A<br>
    =C2=A0=C2=A0=C2=A0 Key-Arg=C2=A0=C2=A0 : None<br>
    =C2=A0=C2=A0=C2=A0 Krb5 Principal: None<br>
    =C2=A0=C2=A0=C2=A0 PSK identity: None<br>
    =C2=A0=C2=A0=C2=A0 PSK identity hint: None<br>
    =C2=A0=C2=A0=C2=A0 Start Time: 1647338825<br>
    =C2=A0=C2=A0=C2=A0 Timeout=C2=A0=C2=A0 : 300 (sec)<br>
    =C2=A0=C2=A0=C2=A0 Verify return code: 0 (ok)<br>
    ---<br>
    <br>
    <br>
    <blockquote type=3D"cite"
      cite=3D"mid:1BC865A2-4F40-4509-B148-B329DD6E7B42@xxxxxxxx">
      <pre class=3D"moz-quote-pre" wrap=3D"">



--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- <a class=3D"moz-txt-link-abbreviated" href=3D"m=
ailto:389-users@xxxxxxxxxxxxxxxxxxxxxxx">389-users@xxxxxxxxxxxxxxxxxxxxxx=
g</a>
To unsubscribe send an email to <a class=3D"moz-txt-link-abbreviated" hre=
f=3D"mailto:389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx";>389-users-leave@list=
s.fedoraproject.org</a>
Fedora Code of Conduct: <a class=3D"moz-txt-link-freetext" href=3D"https:=
//docs.fedoraproject.org/en-US/project/code-of-conduct/">https://docs.fed=
oraproject.org/en-US/project/code-of-conduct/</a>
List Guidelines: <a class=3D"moz-txt-link-freetext" href=3D"https://fedor=
aproject.org/wiki/Mailing_list_guidelines">https://fedoraproject.org/wiki=
/Mailing_list_guidelines</a>
List Archives: <a class=3D"moz-txt-link-freetext" href=3D"https://lists.f=
edoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx">https:/=
/lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx<=
/a>
Do not reply to spam on the list, report it: <a class=3D"moz-txt-link-fre=
etext" href=3D"https://pagure.io/fedora-infrastructure";>https://pagure.io=
/fedora-infrastructure</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>
--===============7005154562945863694==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KMzg5LXVzZXJz
IG1haWxpbmcgbGlzdCAtLSAzODktdXNlcnNAbGlzdHMuZmVkb3JhcHJvamVjdC5vcmcKVG8gdW5z
dWJzY3JpYmUgc2VuZCBhbiBlbWFpbCB0byAzODktdXNlcnMtbGVhdmVAbGlzdHMuZmVkb3JhcHJv
amVjdC5vcmcKRmVkb3JhIENvZGUgb2YgQ29uZHVjdDogaHR0cHM6Ly9kb2NzLmZlZG9yYXByb2pl
Y3Qub3JnL2VuLVVTL3Byb2plY3QvY29kZS1vZi1jb25kdWN0LwpMaXN0IEd1aWRlbGluZXM6IGh0
dHBzOi8vZmVkb3JhcHJvamVjdC5vcmcvd2lraS9NYWlsaW5nX2xpc3RfZ3VpZGVsaW5lcwpMaXN0
IEFyY2hpdmVzOiBodHRwczovL2xpc3RzLmZlZG9yYXByb2plY3Qub3JnL2FyY2hpdmVzL2xpc3Qv
Mzg5LXVzZXJzQGxpc3RzLmZlZG9yYXByb2plY3Qub3JnCkRvIG5vdCByZXBseSB0byBzcGFtIG9u
IHRoZSBsaXN0LCByZXBvcnQgaXQ6IGh0dHBzOi8vcGFndXJlLmlvL2ZlZG9yYS1pbmZyYXN0cnVj
dHVyZQo=

--===============7005154562945863694==--
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux