
asyd.net

Welcome to Bruno Bonfils's (aka asyd) homepage.

Differences

This shows you the differences between the selected revision and the current version of the page.

Selected revision: geeklog 2005/09/28 07:29
Current version: geeklog 2008/10/03 08:25

----

**Selected revision (geeklog, 2005/09/28 07:29)**

====== September, 28th ======
===== Cisco and multicast =====

Since I created a few VLANs at work, the servers and the (NOC) workstations are no longer in the same IP subnet (I don't even understand how the previous sys/net admin could leave servers and workstations in the same LAN). So a Java admin asked me why he can't set up a WebLogic cluster with one node in our LAN (the NOC one) and one node in the server LAN. I just told him "hold on a few minutes". Well, ok, a few hours later it still didn't work... But it's now ok, I use the following config:
<code>
interface Vlan1
 ip address 192.168.1.4 255.255.255.0
 ip pim dense-mode
 ip igmp join-group 232.168.34.65
 ip igmp join-group 237.0.0.9
 ntp multicast key 1
end

interface Vlan34
 ip address 192.168.34.1 255.255.255.0
 ip helper-address 192.168.1.6
 ip pim dense-mode
 ip igmp join-group 232.168.34.65
 ip igmp join-group 237.0.0.9
 ntp multicast key 1
end

ip multicast-routing
</code>
But **the more important point is the TTL**, which is set by the multicast application. It **MUST BE GREATER** than one (1) if you want multicast forwarding: a router does not forward a multicast datagram sent with TTL 1 beyond the local subnet.

Example:
<code>
% sudo udp-sender --file docs/CompilingBinaryFilesUsingACompiler.pdf --mcast-all-addr 232.168.34.65 --ttl 64
Udp-sender 2004-05-31
Using mcast address 232.168.34.65
UDP sender for docs/CompilingBinaryFilesUsingACompiler.pdf at 192.168.34.65 on eth0
Broadcasting control to 232.168.34.65
New connection from 192.168.1.50 (#0) 00000019
Ready. Press any key to start sending data
Starting transfer: 00000019
bytes=         67 278 re-xmits=000000 ( 0.0%) slice=0202          67 278 -
Transfer complete.
Disconnecting #0 (192.168.1.50)
</code>
<code>
% sudo udp-receiver --ttl 64 --mcast-all-addr 232.168.34.65 --file /tmp/output
Udp-receiver 2004-05-31
UDP receiver for /tmp/output at 192.168.1.50 on eth0
received message, cap=00000019
Connected as #0 to 192.168.34.65
Listening to multicast on 232.168.34.65
Press any key to start receiving data!
Sending go signal 1 Success 0
bytes=         67 278  ( 1.05 Mbps)         67 278
Transfer complete.
</code>
As you can see, I use udp-sender / udp-receiver from [[http://alain.knaff.lu/udpcast/|udpcast]] (your distribution may package it; Debian does) to test multicast.

I'm still wondering why it doesn't work if the Cisco is not a member of the group; I probably need to check the docs again and again.
[[geeklog:comments:20050928|Comments]]

====== September, 19th ======
===== Small useful applications =====
  * [[http://freshmeat.net/redir/brack/55828/url_homepage/programs|Brack]] is a small PHP application which helps to manage racks; it has interesting features (like a Service Tag field for Dell hardware) and can be easily hacked on.
  * [[http://www.redferni.uklinux.net/dia/|Colour Cisco shapes for Dia]] (I don't understand why this package is not included upstream)
Here is a little patch to Brack's CSS to ensure all racks have the same size (replace td.space with the following one):
<code css>
td.space {
  font-size: small;
  font-family: sans-serif;
  padding: 0 5px;
  background-color: white;
  border-style: solid none none none;
  border-width: thin;
}
</code>
(Many thanks to Cesar for his help)
[[geeklog:comments:20050919|Comments]]

----

**Current version (geeklog, 2008/10/03 08:25)**

===== EasySSL? A high-level library on top of OpenSSL =====

I'm currently working with the OpenSSL C API, to add OCSP support to software like FreeRADIUS, maybe Postfix, etc. While I'm writing more and more code just to send an OCSP request (~400 lines), I'm thinking of starting a high-level library on top of OpenSSL (the name easyssl is just my first thought) so that developers don't really have to care about the complex usage of OpenSSL.

For example, I recently checked a well-known piece of software which can use certificates to authenticate users. After taking a look at the code, I noticed the check was sometimes done only on the certificate's DN. That is a very poor test (a subject DN proves nothing unless the certificate's signature chains to a trusted CA and the certificate has not been revoked), and it may even be a serious security flaw. That's why I think it would be nice to provide developers an easy-to-use, feature-full library (OCSP support is not often available) for SSL functions.

Here is the code of the main function to check a certificate by OCSP (I removed the error-checking code):
<code c>
  /*
   * Excerpt of main(): config (ssl_config *), certificates (STACK_OF(X509) *),
   * cacert, xfile and url (char *) and the error: label are assumed to be
   * declared in the part of main() omitted from this excerpt.
   */

  /* Create a new EasySSL configuration and initialize it */
  config = malloc(sizeof(ssl_config));
  init_ssl_config(config);

  /* Add a certificate to the CA store */
  /* char *cacert: path of the CA certificate file to load */
  add_cert_to_CAstore(config, cacert);

  /* Load the certificate to check from a file. Since a file
   * may contain more than one certificate, we need to
   * use a STACK_OF(X509), check its size, and pop the unique element */

  /* char *xfile: path of the end-entity certificate file to load */
  certificates = x509_load_certificates_from_file(xfile);
  {
    X509 *certificate = NULL;
    int response = -1;

    if (sk_num(certificates) != 1)
      goto error;

    /* Pop the certificate from the stack of X509 */
    certificate = (X509 *) sk_pop(certificates);

    /*
     * ssl_config *config: pointer to the EasySSL configuration
     * char *url: URL of the OCSP responder (e.g. http://pki.asyd.net/ejbca/publicweb/status/ocsp)
     * X509 *certificate: certificate to check
     * Return:
     *    < 0: internal error
     *      0: the certificate is valid
     *    > 0: the certificate is revoked; the return value is the CRL reason code
     */
    response = ocsp_check_certificate(config, url, certificate);

    /* Display status */
    printf("  certificate DN: %s\n", certificate->name);
    printf("  status: ");

    if (response < 0)
      printf("Internal error\n");
    else if (response == 0)
      printf("OK\n");
    else if (response > 0)
      {
        printf("revoked\n");
        printf("  reason: %s\n", OCSP_crl_reason_str(response));
      }
  }
</code>
<code>
% ./ocsp certs/cacert.pem certs/test00.pem
  certificate DN: /CN=Bruno Bonfils (test00)/O=asyd dot net/C=FR
  status: OK

% ./ocsp certs/cacert.pem certs/test01.pem
  certificate DN: /CN=Bruno Bonfils (test01)/O=asyd dot net/C=FR
  status: revoked
  reason: certificateHold
</code>
As you can see, it's **very simple**. I hope I'll have enough time to code an equally simple SSL sockets frontend, but first I'll add the validity check.

//[[geeklog:2006:12:28:easyssl|Permanent link and discussions]]//

===== Interview =====

//[[geeklog:2006/12/04:interview|Permanent link and discussions]]//

===== Logicial if solaris =====

//[[geeklog:2006/10/25:logicial_if_solaris|Permanent link and discussions]]//

===== Solaris zsh =====

//[[geeklog:2006/09/07:solaris_zsh|Permanent link and discussions]]//

===== Pkgsrc pgsql =====

//[[geeklog:2006/09/06:pkgsrc_pgsql|Permanent link and discussions]]//
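The OCSP check the EasySSL post describes, as an added example written for this page rather than EasySSL's own code. It uses the Python `cryptography` package (assumed to be installed) instead of the OpenSSL C API; the CA, the end-entity certificates and the OCSP responses are all constructed locally (the "Test CA", "Rogue CA" and the subject DNs echoing the post's sample run are made-up test material), so nothing is fetched from a responder. The function and variable names (`make_cert`, `sign_ocsp_response`, `ocsp_check_certificate`, `demo`) are this example's own. It goes a little beyond the post's excerpt: besides reading the status out of the response, it performs the checks a DN-only test skips and a correct client needs (the certificate really is signed by the trusted CA, the response is signed by a key we trust, it concerns this serial number, and it is not past its nextUpdate).

```python
"""Added example (not EasySSL's code): an OCSP check in the spirit of the post's
ocsp_check_certificate(), using the Python `cryptography` package (assumed installed).
CA, certificates and OCSP responses are constructed locally, so it runs offline."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
# RFC 5280 CRLReason names, camel-cased from the library enum (certificate_hold ->
# "certificateHold", the reason string in the post's sample run).
REASON_NAME = {r: r.name.split("_")[0] + "".join(w.title() for w in r.name.split("_")[1:])
               for r in x509.ReasonFlags}

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, "asyd dot net")])

def _rsa_verify(signer_cert, signature, data, hash_alg):
    try:  # True if `signature` over `data` was made with the key in `signer_cert`
        signer_cert.public_key().verify(signature, data, padding.PKCS1v15(), hash_alg)
        return True
    except InvalidSignature:
        return False

def make_cert(cn, issuer=None):
    """Constructed test certificate: a self-signed CA when `issuer` is None, else an
    end-entity certificate signed by issuer = (issuer_key, issuer_cert)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(UTC)
    b = (x509.CertificateBuilder().subject_name(_name(cn)).public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=1)))
    if issuer is None:
        b = b.issuer_name(_name(cn)).add_extension(
            x509.BasicConstraints(ca=True, path_length=None), critical=True)
        return key, b.sign(key, hashes.SHA256())
    issuer_key, issuer_cert = issuer
    return key, b.issuer_name(issuer_cert.subject).sign(issuer_key, hashes.SHA256())

def sign_ocsp_response(ca_key, ca_cert, cert, status, reason=None):
    """Constructed responder: the CA key signs directly (real responders usually use a
    delegated OCSP signing certificate).  Returns the DER-encoded OCSPResponse."""
    now = datetime.datetime.now(UTC)
    revoked = status == ocsp.OCSPCertStatus.REVOKED
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=ca_cert, algorithm=hashes.SHA256(), cert_status=status,
        this_update=now, next_update=now + datetime.timedelta(hours=1),
        revocation_time=now if revoked else None, revocation_reason=reason,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def ocsp_check_certificate(ca_cert, certificate, response_der):
    """("error", why) | ("good", None) | ("revoked", reason_name).  Names, not the
    post's ints: CRLReason unspecified is 0 and would collide with "0 = valid"."""
    # A matching subject DN proves nothing: the certificate must be signed by the
    # trusted CA (full path validation would also check dates and constraints).
    if not _rsa_verify(ca_cert, certificate.signature, certificate.tbs_certificate_bytes,
                       certificate.signature_hash_algorithm):
        return ("error", "certificate not issued by the trusted CA")
    try:
        resp = ocsp.load_der_ocsp_response(response_der)
    except ValueError:
        return ("error", "malformed OCSP response")
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return ("error", "responder status %s" % resp.response_status.name)
    # An unsigned or wrongly signed answer would let anyone on the path say "good".
    if not _rsa_verify(ca_cert, resp.signature, resp.tbs_response_bytes,
                       resp.signature_hash_algorithm):
        return ("error", "OCSP response signature invalid")
    if resp.serial_number != certificate.serial_number:  # answer about another cert
        return ("error", "OCSP response is for a different serial number")
    # Reject expired answers: a stale "good" could be replayed after a revocation
    # (next_update_utc is the recent accessor; older releases expose naive next_update).
    next_update = getattr(resp, "next_update_utc", None) or resp.next_update.replace(tzinfo=UTC)
    if next_update < datetime.datetime.now(UTC):
        return ("error", "OCSP response is stale")
    if resp.certificate_status == ocsp.OCSPCertStatus.GOOD:
        return ("good", None)
    if resp.certificate_status == ocsp.OCSPCertStatus.REVOKED:
        return ("revoked", REASON_NAME.get(resp.revocation_reason, "unspecified"))
    return ("error", "responder does not know this certificate")  # status UNKNOWN

def demo():
    """The post's two sample runs, plus two cases a DN-only check would accept."""
    ca_key, ca_cert = make_cert("Test CA")
    _, test00 = make_cert("Bruno Bonfils (test00)", (ca_key, ca_cert))
    _, test01 = make_cert("Bruno Bonfils (test01)", (ca_key, ca_cert))
    good_resp = sign_ocsp_response(ca_key, ca_cert, test00, ocsp.OCSPCertStatus.GOOD)
    held_resp = sign_ocsp_response(ca_key, ca_cert, test01, ocsp.OCSPCertStatus.REVOKED,
                                   x509.ReasonFlags.certificate_hold)
    rogue = make_cert("Rogue CA")  # an untrusted CA issuing the same DN as test00
    _, impostor = make_cert("Bruno Bonfils (test00)", rogue)
    return {"test00": ocsp_check_certificate(ca_cert, test00, good_resp),
            "test01": ocsp_check_certificate(ca_cert, test01, held_resp),
            "impostor": ocsp_check_certificate(ca_cert, impostor, good_resp),
            "swapped": ocsp_check_certificate(ca_cert, test00, held_resp)}
```

Calling `demo()` reproduces the post's two runs (test00 good, test01 revoked with reason certificateHold) and adds two cases that a check on the DN alone would wave through: a certificate with the very same subject DN issued by an untrusted CA, and a genuine "good" answer presented for a different certificate. The result is a (state, detail) pair rather than the post's integer because CRLReason unspecified is encoded as 0, which the "< 0 / 0 / > 0" contract cannot distinguish from a valid certificate. A production client would additionally do full path validation of the certificate, accept a delegated responder certificate carrying the OCSP signing extended key usage, and bind the answer to its request with a nonce or a tight freshness window.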