IMAP over SSL (part 2)
2006-01-22-1 / Category: [meadow][SSL][imap][wanderlust] / [permlink]

It's old, but this continues [2005-07-05-1].
Has the path of ssl.el changed? I fetched stable/wl-2.12.2.tar.gz from the official site, copied utils/ssl.el to C:\Meadow\packages\lisp\wl\ssl.el, and ran byte-compile-file on it.

Then, connecting over imaps still gives
Cannot open: elmo-network-initialize-session
so I captured the packets.
Why on earth didn't I do that before ^^;

And sure enough, it's the certificate.
Alert (Level: Fatal, Description: Unknown CA)
it says.

However, while a self-signed certificate is no good, it seems that access works as long as the certificate carries a signature, even one from my own private CA.

Sakura's imaps (and pops) use a self-signed certificate, so that failed. Connecting with openssl gives:
$ openssl s_client -connect example.sakura.ne.jp:993
:
SSL-Session:
:
    Start Time: 1137938883
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
(IMAP session follows)
Something like this.
By the way, on my home server, whose certificate is signed by my own CA, the same part reads
    Verify return code: 21 (unable to verify the first certificate)
instead.
That one can be accessed over imaps.

Hmm...
So does that mean wl can connect even when it cannot trace the chain back to a root CA??

The ssl.el source contains an entry like
(defcustom ssl-certificate-directory "~/.w3/certs/"
  "*Directory to store CA certificates in"
  :group 'ssl
  :type 'directory)
but I don't quite understand what it does.

(usage notes)
To access imap(s) temporarily without writing anything into .wl (or .folders), press g and enter
%inbox:username[/method]@imap.example.org[:port]
or
%inbox.sent:username[/method]@imap.example.org:993!
The trailing ! means connect over SSL.
If /method is omitted, the one set in .wl, e.g.
(setq wl-smtp-authenticate-type "cram-md5")
or clear or login, is used.

http://www.gohome.org/wl/doc/wl-euc_19.html#SEC19


(Addendum)
Current environment
Setup.exe version 2.10.8
GNU Emacs 21.4.1 (i386-mingw-nt5.1.2600) of 2005-08-28 on CUBE
Wanderlust/2.12.2 (99 Luftballons) (from package 2.12.2-1)

courier-imap-ssl with a private-CA server certificate too
2005-08-28-2 / Category: [linux][debian][imap][SSL] / [permlink]

The certificate file used in the courier-imap-ssl configuration is a single file made by concatenating with cat the following from the CA certificate and server certificate created in [2005-08-28-1]:
# cat server.key server.crt ca.csr > courier.pem

Then /etc/courier/imap-ssl gets the following setting:
TLS_CERTFILE=/etc/ssl/servkey/courier.pem

On the mailer side, import ca.crt just as for the browser. Though if you use Firefox and Thunderbird, you have to import the same thing into each of them separately, which is a hassle...
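As an added example, not from the original post, here is a small shell script that builds the combined PEM file courier-imap-ssl reads from TLS_CERTFILE and checks, before the file is installed, that the private key actually belongs to the server certificate and that both the server and CA certificates are present. It assumes the file names server.key, server.crt and ca.crt from [2005-08-28-1]; note that it concatenates the CA certificate (ca.crt), which is what a client needs to build the chain, whereas the post's command names ca.csr, the signing request. The demo at the bottom uses constructed throw-away keys.

```shell
#!/bin/sh
# Added example (not from the original post): build courier.pem for
# courier-imap-ssl's TLS_CERTFILE and sanity-check it first.
# Assumed inputs: server.key, server.crt and ca.crt (the CA certificate;
# a CSR such as ca.csr carries nothing a client can verify).

# Concatenate private key, server certificate and CA certificate, in that order.
# Usage: build_courier_pem server.key server.crt ca.crt courier.pem
build_courier_pem() {
    key=$1 crt=$2 ca=$3 out=$4
    cat "$key" "$crt" "$ca" > "$out" || return 1
    chmod 600 "$out"        # the file contains the private key
}

# Return 0 if the public key inside the certificate equals the public key
# derived from the private key, 1 otherwise (the classic mismatched-key error).
# Usage: key_matches_cert server.key server.crt
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$from_key" = "$from_crt" ]
}

# Number of CERTIFICATE blocks in a PEM file (expect 2: server + CA).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Stand-alone demo with constructed throw-away keys (no real CA involved).
demo_courier_pem() {
    d=$(mktemp -d)
    # constructed server key/cert and a separate constructed "CA" cert
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/server.key" -out "$d/server.crt" \
        -subj "/CN=imap.example.org" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj "/CN=Example Home CA" >/dev/null 2>&1
    build_courier_pem "$d/server.key" "$d/server.crt" "$d/ca.crt" "$d/courier.pem"
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "server.key matches server.crt"
    echo "certificates in courier.pem: $(count_certs "$d/courier.pem")"
    rm -rf "$d"
}
command -v openssl >/dev/null 2>&1 && demo_courier_pem
```

Run it as sh courier-pem.sh to see the demo, or source it and call build_courier_pem with the real files; a failing key_matches_cert is the thing to look for when courier starts but every TLS handshake aborts.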

Creating a private CA and server certificate for apache-ssl, and installing them into apache-ssl
2005-08-28-1 / Category: [linux][debian][Apache][SSL] / [permlink]

When the apache-ssl package is installed with apt, a self-signed certificate valid for one month is created and installed at install time only.
So create a separate server certificate signed by a private CA.
The commands are exactly as in @IT's "Using SSL with Apache" article, with no problems.

Create a working directory
# mkdir /etc/ssl/servkey
# cd /etc/ssl/servkey
Well, anywhere that is easy to manage is fine.

Create the CA's private key
# openssl genrsa -rand /var/log/syslog -out ca.key 1024

Create the CA's CSR
# openssl req -new -key ca.key -out ca.csr
Enter the country name, names and so on.

Issue the CA certificate
# openssl x509 -req -in ca.csr -signkey ca.key -days 730 -out ca.crt
Without -days it was one month, so I specified two years.

Then,
the server certificate's private key
# openssl genrsa -rand /var/log/syslog -out server.key 1024

Create the server certificate's CSR
# openssl req -new -key server.key -out server.csr
Enter the country name etc. as for the CA. For Common Name, enter "the domain name used when accessing from the browser".

Create the serial number file
# echo 01 > ca.srl

Issue the certificate
# openssl x509 -req -days 730 -CA ca.crt -CAkey ca.key -in server.csr -out server.crt

The contents of the created certificate can be checked with the following command
# openssl x509 -in server.crt -text

Then, on the browser side (client PC), copy ca.crt over (by some secure means), import or install the certificate, and set "trust this certificate" or whatever the option is called.

On the server (apache-ssl) side, set the following in /etc/apache-ssl/httpd.conf. (The paths are the working directory.)
SSLCACertificateFile /etc/ssl/servkey/ca.crt
SSLCertificateFile /etc/ssl/servkey/server.crt
SSLCertificateKeyFile /etc/ssl/servkey/server.key
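The following script is an added example (my own, not from the post or the @IT article) that runs the procedure above non-interactively and adds the verification step a practitioner wants: does server.crt chain to ca.crt, and does it match the host name? It also makes the distinction from the IMAP over SSL (part 2) entry concrete: with ca.crt supplied, verification succeeds, and with no trust anchor at all it fails, which is the situation the mailer is in until ca.crt has been imported. Choices that differ from the post, all mine: 2048-bit keys instead of 1024, -subj instead of the interactive prompts, no -rand /var/log/syslog (current OpenSSL seeds itself), basicConstraints CA:TRUE on the CA certificate via -extfile, a subjectAltName on the server certificate (current clients ignore the CN), and -CAcreateserial instead of echo 01 > ca.srl. The directory and host name are arguments; www.example.org in the demo is a placeholder.

```shell
#!/bin/sh
# Added example, not the post's own commands: create a private CA and a
# CA-signed server certificate non-interactively, then verify the result.
# Assumed arguments: $1 = working directory, $2 = server host name.

# Create ca.key, ca.crt, server.key, server.csr and server.crt under $1 for host $2.
make_self_ca() {
    dir=$1 host=$2
    mkdir -p "$dir" || return 1

    # CA private key (2048 bits; the post used 1024) and a CSR for the CA itself
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/C=JP/O=home/CN=Home CA" 2>/dev/null || return 1

    # Self-sign the CA CSR for 2 years; the extfile marks it as a CA certificate
    # so clients accept it as an issuer (a bare 'x509 -req -signkey' produces a
    # v1 certificate with no such marker).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 730 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null || return 1

    # Server private key and CSR; the CN is the host name, as the post says
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=JP/O=home/CN=$host" 2>/dev/null || return 1

    # End-entity extensions: not a CA, server use only, and the SAN that
    # current browsers and mailers actually match the host name against.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"

    # Sign the server CSR with the CA (-CAcreateserial replaces 'echo 01 > ca.srl')
    openssl x509 -req -days 730 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/server.csr" -out "$dir/server.crt" -extfile "$dir/server.ext" 2>/dev/null
}

# Return 0 when server.crt chains to ca.crt AND matches host name $2.
# This is exactly the check a client performs after importing ca.crt.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# Return 0 when server.crt verifies with no trust anchor configured at all
# (it must not: this is the state before ca.crt is imported).
verify_without_ca() {
    openssl verify -no-CAfile -no-CApath "$1/server.crt" >/dev/null 2>&1
}

# Stand-alone demo in a temporary directory with a placeholder host name.
demo_self_ca() {
    d=$(mktemp -d)
    make_self_ca "$d" www.example.org || { echo "certificate creation failed"; return 1; }
    if verify_chain "$d" www.example.org; then
        echo "server.crt: OK (chains to ca.crt, name matches www.example.org)"
    fi
    if ! verify_without_ca "$d"; then
        echo "server.crt: not trusted without ca.crt, as expected"
    fi
    openssl x509 -in "$d/server.crt" -noout -subject -issuer
    rm -rf "$d"
}
command -v openssl >/dev/null 2>&1 && demo_self_ca
```

Source the file and call make_self_ca /etc/ssl/servkey www.example.org to produce the files the httpd.conf directives above point at; verify_chain is the same test a browser or mailer runs once ca.crt has been imported, which is why the "Unknown CA" alert goes away only after that import.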

Related: mod_ssl (src) [2005-08-09-1], mod-ssl (deb) [2005-03-25-1]
Referrer (Inside): [2008-02-22-1] [2005-08-28-2]

Digging a hole with stone (from)
2005-08-25-1 / Category: [debian][network][SSL] / [permlink]

http://wiki.spc.gr.jp/tunnel/?DigByStone (Digging a hole with stone)

Wow. A friend from school told me about this (quite a while ago), and I tried it in an environment of
(A) PC (winXP)

(B) proxy server for external access (can also reach some internal servers)

(C) internal server
and, treating (C) as if it were an external server, ssh from (A) to (C) worked perfectly...
Oh, (A)'s network cannot reach outside at all (no name resolution either); it can only reach the Internet over http (80, 8080) and https (443) with (B) as proxy. And (A), (B) and (C) are all on different networks.

By the way, (C) is debian sarge, and
# aptitude install stone
gets everything needed.

The Windows stone for (A) is from http://www.gcd.org/sengoku/stone/Welcome.ja.html.
Download the "stone version 2.2e for Win32 OpenSSL edition package", extract it into a suitable directory, and run it from the command prompt.

Well, since the networks are different, I don't know whether it can actually get out to the outside.



05/08/29 addendum
It got out :p

Apache (1.x), https with mod_ssl
2005-08-09-1 / Category: [unix][SSL][Apache] / [permlink]

Generate a new CA and server key, complete with a self-signed CA.
Reference: Installing and configuring Apache + mod_SSL
Working as non-root (oops)

$ mkdir -p ~/local/src/apache
$ cd ~/local/src/apache
$ wget http://www.modssl.org/source/mod_ssl-2.8.23-1.3.33.tar.gz
$ wget http://www.meisei-u.ac.jp/mirror/apache/dist/httpd/apache_1.3.33.tar.gz
$ gzip -dc mod_ssl-2.8.23-1.3.33.tar.gz | tar xvf -
$ gzip -dc apache_1.3.33.tar.gz | tar xvf -

Actually, the mod_ssl INSTALL file has the installation procedure, so just follow it as is.

(↓ The --prefix is specified incorrectly here. See below.)
$ cd mod_ssl-2.8.23-1.3.33
$ ./configure --with-apache=../apache_1.3.33 --with-ssl=/usr/local/ssl --prefix=~/local/apache-ssl
Configuring mod_ssl/2.8.23 for Apache/1.3.33
 + Apache location: ../apache_1.3.33 (Version 1.3.33)
 + OpenSSL location: /usr/local/ssl
 + Auxiliary patch tool: ./etc/patch/patch (local)
 + Applying packages to Apache source tree:
   o Extended API (EAPI)
   o Distribution Documents
   o SSL Module Source
   o SSL Support
   o SSL Configuration Additions
   o SSL Module Documentation
   o Addons
Done: source extension and patches successfully applied.

Configuring for Apache, Version 1.3.33
 + using installation path layout: Apache (config.layout)
Creating Makefile
Creating Configuration.apaci in src
Creating Makefile in src
 + configured for Solaris 280 platform
 + setting C compiler to gcc
 + setting C pre-processor to gcc -E
 + using "tr [a-z] [A-Z]" to uppercase
 + checking for system header files
 + adding selected modules
    o ssl_module uses ConfigStart/End
      + SSL interface: mod_ssl/2.8.23
      + SSL interface build type: OBJ
      + SSL interface compatibility: enabled
      + SSL interface experimental code: disabled
      + SSL interface conservative code: disabled
      + SSL interface vendor extensions: disabled
      + SSL interface plugin: Vendor DBM (libc)
      + SSL library path: /opt/usr/local/ssl
      + SSL library version: OpenSSL 0.9.7b 10 Apr 2003
      + SSL library type: installed package (stand-alone)
 + enabling Extended API (EAPI)
 + using system Expat
 + checking sizeof various data types
 + doing sanity check on compiler and options
Creating Makefile in src/support
Creating Makefile in src/os/unix
Creating Makefile in src/ap
Creating Makefile in src/main
Creating Makefile in src/modules/standard
Creating Makefile in src/modules/ssl

Now proceed with the following commands:
 $ cd ../apache_1.3.33
 $ make
 $ make certificate
 $ make install


$ cd ../apache_1.3.33
$ make
:
(compiling)
:

With TYPE=custom, the CA and server key are created as a set (the generated server certificate is signed by the CA)
$ make certificate TYPE=custom
make[1]: Entering directory `/export/home/miyazaki/local/src/apache/apache_1.3.33/src'
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

Generating custom certificate signed by own CA [CUSTOM]
______________________________________________________________________

STEP 0: Decide the signature algorithm used for certificates
The generated X.509 certificates can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:
______________________________________________________________________

STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
1578372 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.....................++++++
...++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:JP
2. State or Province Name   (full name)     [Snake Desert]:Kanagawa
3. Locality Name            (eg, city)      [Snake Town]:Yokohama
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:home
5. Organizational Unit Name (eg, section)   [Certificate Authority]:admin
6. Common Name              (eg, CA name)   [Snake Oil CA]:foo
7. Email Address            (eg, name@FQDN) [ca@snakeoil.dom]:www@www.example.org
8. Certificate Validity     (days)          [365]:
______________________________________________________________________

STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=JP/ST=Kanagawa/L=Yokohama/O=home/OU=admin/CN=foo/emailAddress=www@www.example.org
Getting Private key
Verify: matching certificate & key modulus
Verify: matching certificate signature
../conf/ssl.crt/ca.crt: /C=JP/ST=Kanagawa/L=Yokohama/O=home/OU=admin/CN=foo/emailAddress=www@www.example.org
error 18 at 0 depth lookup:self signed certificate
OK
______________________________________________________________________

STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
1578471 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..............++++++
...............................++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:JP
2. State or Province Name   (full name)     [Snake Desert]:Kanagawa
3. Locality Name            (eg, city)      [Snake Town]:Yokohama
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:home
5. Organizational Unit Name (eg, section)   [Webserver Team]:foo
6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:www.example.org
7. Email Address            (eg, name@fqdn) [www@snakeoil.dom]:www@www.example.org
8. Certificate Validity     (days)          [365]:
______________________________________________________________________

STEP 6: Generating X.509 certificate signed by own CA [server.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=JP/ST=Kanagawa/L=Yokohama/O=home/OU=foo/CN=www.example.org/emailAddress=www@www.example.org
Getting CA Private Key
Verify: matching certificate & key modulus
Verify: matching certificate signature
../conf/ssl.crt/server.crt: OK
______________________________________________________________________

STEP 7: Enrypting RSA private key of CA with a pass phrase for security [ca.key]
The contents of the ca.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________

STEP 8: Enrypting RSA private key of SERVER with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted RSA private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________

RESULT: CA and Server Certification Files

o  conf/ssl.key/ca.key
   The PEM-encoded RSA private key file of the CA which you can
   use to sign other servers or clients. KEEP THIS FILE PRIVATE!

o  conf/ssl.crt/ca.crt
   The PEM-encoded X.509 certificate file of the CA which you use to
   sign other servers or clients. When you sign clients with it (for
   SSL client authentication) you can configure this file with the
   'SSLCACertificateFile' directive.

o  conf/ssl.key/server.key
   The PEM-encoded RSA private key file of the server which you configure
   with the 'SSLCertificateKeyFile' directive (automatically done
   when you install via APACI). KEEP THIS FILE PRIVATE!

o  conf/ssl.crt/server.crt
   The PEM-encoded X.509 certificate file of the server which you configure
   with the 'SSLCertificateFile' directive (automatically done
   when you install via APACI).

o  conf/ssl.csr/server.csr
   The PEM-encoded X.509 certificate signing request of the server file which
   you can send to an official Certificate Authority (CA) in order
   to request a real server certificate (signed by this CA instead
   of our own CA) which later can replace the conf/ssl.crt/server.crt
   file.

Congratulations that you establish your server with real certificates.

make[1]: Leaving directory `/export/home/miyazaki/local/src/apache/apache_1.3.33/src'

Install
$ make install

...It looked like it had worked, but there is no ~/local/apache-ssl.
Looking around, a directory literally named '~' had been created directly under the working directory... orz

So, give --prefix an absolute directory and it's OK.
Then import conf/ssl.crt/ca.crt from under the install directory (~/local/apache-ssl) into the client (browser), and it's OK.

Much like the apache + mod-ssl install on Debian [2005-03-25-1], I suppose.
Referrer (Inside): [2005-08-28-1]

apache + mod-ssl install
2005-03-25-1 / Category: [linux][debian][Apache][SSL] / [permlink]

http://lists.debian.or.jp/debian-users/200112/msg00163.html
# apt-get install apache
(omitted)
# apt-get install libapache-mod-ssl
(no debconf questions)
・Create a test certificate
# mod-ssl-makecert
/etc/apache/ssl.crt/server.crt: already present
/etc/apache/ssl.csr/server.csr: already present
/etc/apache/ssl.key/server.key: already present

Do you really want to overwrite the existing certificate ? [y/N]:  <- y

What type of certificate do you want to create ?

1. dummy    (dummy self-signed Snake Oil cert)
2. test     (test cert signed by Snake Oil CA)
3. custom   (custom cert signed by own CA)
4. existing (existing cert)
:
> 2 (for external use, 3 seems to be the one)

STEP 2 Generating X.509 certificate signing request [server.csr]
1. Country Name             (2 letter code) [XY]:JP
2. State or Province Name   (full name)     [Snake Desert]:Kanagawa
3. Locality Name            (eg, city)      [Snake Town]:Yokohama
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:home
5. Organizational Unit Name (eg, section)   [Webserver Team]:Administrator
6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:localhost
7. Email Address            (eg, name@FQDN) [www@snakeoil.dom]:webmaster@localhost
8. Certificate Validity     (days)          [365]:

STEP 3 Generating X.509 certificate signed by Snake Oil CA [server.crt]
Certificate Version (1 or 3) [3]:

STEP 4: Enrypting RSA private key with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]:      <- n

RESULT: Server Certification Files

o  conf/ssl.key/server.key
   The PEM-encoded RSA private key file which you configure
   with the 'SSLCertificateKeyFile' directive (automatically done
   when you install via APACI). KEEP THIS FILE PRIVATE!

o  conf/ssl.crt/server.crt
   The PEM-encoded X.509 certificate file which you configure
   with the 'SSLCertificateFile' directive (automatically done
   when you install via APACI).

o  conf/ssl.csr/server.csr
   The PEM-encoded X.509 certificate signing request file which
   you can send to an official Certificate Authority (CA) in order
   to request a real server certificate (signed by this CA instead
   of our demonstration-only Snake Oil CA) which later can replace
   the conf/ssl.crt/server.crt file.

httpd.conf configuration
On sarge there are example configuration files, mod-ssl.conf and
vhost.conf.gz, under /usr/share/doc/libapache-mod-ssl/, but woody has none...
Add
<IfModule mod_ssl.c>
  〜

<VirtualHost>
〜
blocks like these.
Referrer (Inside): [2005-08-28-1] [2005-08-09-1]

IMAP over SSL with wanderlust
2005-01-11-3 / Category: [linux][wanderlust][imap][SSL] / [permlink]

(setq elmo-imap4-default-port 993)
(setq elmo-imap4-default-stream-type 'ssl)   ; use SSL
Add the above.
993 is the imaps port.
With stream-type 'ssl, SSL is used by default.
Referrer (Inside): [2005-07-05-1]

Compiling Apache2 with mod-ssl included
2004-09-14-1 / Category: [Apache][SSL] / [permlink]

http://mm.apache.or.jp/pipermail/apache-users/2004-September/004683.html
Following this, everything went fine:
$ ./configure --prefix=/export/home/miyazaki/local/apache2-ssl --disable-ipv6
--enable-ssl --with-ssl=/usr/local/ssl --enable-so

File encryption with openssl (symmetric-key encryption)
2004-06-28-1 / Category: [linux][command][SSL][crypto] / [permlink]

Encrypt
$ openssl des3 -e -in file.txt [-out encrypt.txt]
Decrypt
$ openssl des3 -d -in encrypt.txt [-out file.txt]

Without -in/-out, input and output are stdin/stdout.
Category: SSL
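As an added example (not from the post), the same round trip with a current cipher: des3 with openssl's default key derivation (a single MD5 pass over the passphrase, no iteration) is weak by today's standards, so this uses aes-256-cbc with -pbkdf2 and reads the passphrase from an environment variable rather than the command line, where ps could show it. The variable name FILE_PASS and the demo passphrase are my own choices; the plaintext is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): openssl symmetric file
# encryption with AES-256-CBC and a PBKDF2-derived key instead of des3.
# Assumed: the passphrase is in the environment variable FILE_PASS.

# Encrypt $1 into $2. -salt makes equal plaintexts give different ciphertexts;
# -pbkdf2/-iter replace the single-MD5 derivation that 'openssl des3' used.
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:FILE_PASS
}

# Decrypt $1 into $2; exits non-zero on a wrong passphrase or a damaged file.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:FILE_PASS 2>/dev/null
}

# Return 0 if the ciphertext $2 decrypts to a file identical to plaintext $1.
roundtrip_ok() {
    tmp=$(mktemp)
    decrypt_file "$2" "$tmp" && cmp -s "$1" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone demo on a constructed plaintext.
demo_enc() {
    d=$(mktemp -d)
    printf 'constructed secret note\n' > "$d/file.txt"
    FILE_PASS='correct horse battery staple'; export FILE_PASS   # demo passphrase only
    encrypt_file "$d/file.txt" "$d/encrypt.bin"
    roundtrip_ok "$d/file.txt" "$d/encrypt.bin" && echo "round trip OK"
    head -c 8 "$d/encrypt.bin"; echo     # prints the "Salted__" header
    rm -rf "$d"
}
command -v openssl >/dev/null 2>&1 && demo_enc
```

The -pbkdf2 and -iter flags need OpenSSL 1.1.1 or later; on older builds the same commands without them fall back to the legacy derivation, so check the version before relying on this.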

Last updated: 2013-05-02 16:12