svn commit: r44604 - head/en_US.ISO8859-1/books/handbook/security
Dru Lavigne
dru at FreeBSD.org
Fri Apr 18 16:10:46 UTC 2014
Author: dru
Date: Fri Apr 18 16:10:46 2014
New Revision: 44604
URL: http://svnweb.freebsd.org/changeset/doc/44604
Log:
Finish editorial review of OpenSSL chapter.
Update instructions and examples.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Apr 18 14:47:22 2014 (r44603)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Apr 18 16:10:46 2014 (r44604)
@@ -1781,17 +1781,6 @@ kadmind5_server_enable="YES"</programlis
and Transport Layer Security v1 (TLSv1) network security
protocols and can be used as a general cryptographic
library.</para>
-<!--
-This patent expired in 2012, is the note still needed?
- <note>
- <para>While <application>OpenSSL</application> supports the
- <acronym>IDEA</acronym> algorithm, it is disabled by default
- due to United States patents. To use it, the license should
- be reviewed and, if the restrictions are acceptable, the
- <varname>MAKE_IDEA</varname> variable must be set in
- <filename>/etc/make.conf</filename>.</para>
- </note>
- -->
<para><application>OpenSSL</application> is often used to encrypt
authentication of mail clients and to secure web based
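Review bot: the removed span sits entirely inside an XML comment, so rendered output does not change; since the commit log only says "editorial review", it is worth recording there that the stale IDEA/MAKE_IDEA patent note was dropped deliberately, so a later editor does not reinstate it.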
@@ -1833,8 +1822,15 @@ This patent expired in 2012, is the note
<secondary>certificate generation</secondary>
</indexterm>
- <para>To generate a certificate, the following command is
- available:</para>
+ <para>To generate a certificate that will be signed by an
+ external <acronym>CA</acronym>, issue the following command and
+ input the information requested at the prompts. This input
+ information will be written to the certificate. At the
+ <literal>Common Name</literal> prompt, input the fully
+ qualified name for the system that will use the certificate.
+ If this name does not match the server, the application verifying the
+ certificate will issue a warning to the user, rendering the
+ verification provided by the certificate as useless.</para>
<screen>&prompt.root; <userinput>openssl req -new -nodes -out req.pem -keyout cert.pem</userinput>
Generating a 1024 bit RSA private key
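Review bot: the new paragraph tells the reader the private key must be protected, but the command it introduces still uses `-nodes` (the key is written unencrypted) and generates a 1024-bit RSA key, which is below current recommendations; consider `openssl req -new -newkey rsa:2048 -out req.pem -keyout key.pem` and a sentence noting that `-nodes` leaves the key without a passphrase. Naming the private key file `cert.pem` also invites confusion with the certificate that comes back from the CA.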
@@ -1861,100 +1857,120 @@ Please enter the following 'extra' attri
to be sent with your certificate request
A challenge password []:<userinput><replaceable>SOME PASSWORD</replaceable></userinput>
An optional company name []:<userinput><replaceable>Another Name</replaceable></userinput></screen>
-
- <para>Notice the response directly after the <quote>Common
- Name</quote> prompt shows a domain name. This prompt
- requires a server name to be entered for verification
- purposes and placing anything but a domain name yields a
- useless certificate. Other options, such as the expire
- time and alternate encryption algorithms, are available. A
+
+ <para>Other options, such as the expire
+ time and alternate encryption algorithms, are available when
+ creating a certificate. A
complete list of options is described in
&man.openssl.1;.</para>
- <para>Two files should now exist in the directory in which this
- command was issued. The certificate request,
- <filename>req.pem</filename>, may be sent to a
+ <para>This command will create two files in the current directory.
+ The certificate request,
+ <filename>req.pem</filename>, can be sent to a
<acronym>CA</acronym> who will validate the entered
credentials, sign the request, and return the signed
- certificate. The second file is named
- <filename>cert.pem</filename> and is the private key for the
- certificate and should be protected at all costs. If this
- falls in the hands of others it can be used to impersonate
+ certificate. The second file,
+ <filename>cert.pem</filename>, is the private key for the
+ certificate and should be stored in a secure location. If this
+ falls in the hands of others, it can be used to impersonate
the user or the server.</para>
- <para>In cases where a signature from a <acronym>CA</acronym>
- is not required, a self signed certificate can be created.
+ <para>Alternately, if a signature from a <acronym>CA</acronym>
+ is not required, a self-signed certificate can be created.
First, generate the <acronym>RSA</acronym> key:</para>
- <screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput></screen>
-
- <para>Next, generate the <acronym>CA</acronym> key:</para>
-
- <screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput></screen>
+ <screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out myRSA.key 1024</userinput>
+0 semi-random bytes loaded
+Generating DSA parameters, 1024 bit long prime
+This could take some time
+.............+........+...........+...+....+........+.....+++++++++++++++++++++++++++++++++++++++++++++++++++*
+..........+.+...........+....+........+.................+.+++++++++++++++++++++++++++++++++++++++++++++++++++*</screen>
+
+ <para>Next, generate the <acronym>CA</acronym> key. When
+ prompted, enter a passphrase between 4 to 1023 characters.
+ Remember this passphrase as it is needed whenever the key is
+ used to sign a certificate.</para>
+
+ <screen>&prompt.root; <userinput>openssl gendsa -des3 -out myca.key myRSA.key</userinput>
+Generating DSA key, 1024 bits
+Enter PEM pass phrase:
+Verifying - Enter PEM pass phrase:</screen>
+
+ <para>Use this key to create a self-signed certificate. When
+ prompted, enter the passphrase. Then follow the usual prompts
+ for creating a certificate:</para>
- <para>Use this key to create the certificate:</para>
-
- <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput></screen>
+ <screen>&prompt.root; <userinput>openssl req -new -x509 -days 365 -key myca.key -out new.crt</userinput>
+Enter pass phrase for myca.key:
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:<userinput><replaceable>US</replaceable></userinput>
+State or Province Name (full name) [Some-State]:<userinput><replaceable>PA</replaceable></userinput>
+Locality Name (eg, city) []:<userinput><replaceable>Pittsburgh</replaceable></userinput>
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:<userinput><replaceable>My Company</replaceable></userinput>
+Organizational Unit Name (eg, section) []:<userinput><replaceable>Systems Administrator</replaceable></userinput>
+Common Name (e.g. server FQDN or YOUR name) []:<userinput><replaceable>localhost.example.org</replaceable></userinput>
+Email Address []:<userinput><replaceable>trhodes at FreeBSD.org</replaceable></userinput></screen>
- <para>Two new files should appear in the directory: a
+ <para>This will create two new files in the current directory: a
certificate authority signature file,
- <filename>myca.key</filename> and the certificate itself,
+ <filename>myca.key</filename>, and the certificate itself,
<filename>new.crt</filename>. These should be placed in a
directory, preferably under <filename>/etc</filename>, which
is readable only by <systemitem
- class="username">root</systemitem>. Permissions of 0700 are
- appropriate and can be set using &man.chmod.1;.</para>
+ class="username">root</systemitem>. Permissions of <literal>0700</literal> are
+ appropriate for these files and can be set using <command>chmod</command>.</para>
</sect2>
<sect2>
<title>Using Certificates</title>
<para>One use for a certificate is to encrypt connections to the
- <application>Sendmail</application> <acronym>MTA</acronym>.
- This prevents the use of clear text authentication for users
- who send mail via the local <acronym>MTA</acronym>.</para>
+ <application>Sendmail</application> mail server in order to
+ prevent the use of clear text authentication.</para>
<note>
- <para>Some <acronym>MUA</acronym>s will display error if the
- user has not installed the certificate locally. Refer to
+ <para>Some mail clients will display an error if the
+ user has not installed a local copy of the certificate. Refer to
the documentation included with the software for more
information on certificate installation.</para>
</note>
- <para>To configure <application>Sendmail</application>, the
- following lines should be placed in the local
- <filename>.mc</filename> file:</para>
-
- <programlisting>dnl SSL Options
-define(`confCACERT_PATH',`/etc/certs')dnl
-define(`confCACERT',`/etc/certs/new.crt')dnl
-define(`confSERVER_CERT',`/etc/certs/new.crt')dnl
-define(`confSERVER_KEY',`/etc/certs/myca.key')dnl
-define(`confTLS_SRV_OPTIONS', `V')dnl</programlisting>
-
- <para>In this example, <filename>/etc/certs/</filename>
- stores the certificate and key files locally. After saving
- the edits, rebuild the local <filename>.cf</filename> file by
- typing
- <command>make install</command>
- within <filename>/etc/mail</filename>.
- Follow that up with <command>make
- restart</command> which should
- start the <application>Sendmail</application> daemon.</para>
+ <para>To configure <application>Sendmail</application>, add the
+ following lines to
+ <filename>/etc/rc.conf</filename>:</para>
+
+ <programlisting>sendmail_enable="YES"
+sendmail_cert_create="YES"
+sendmail_cert_cn="<replaceable>localhost.example.org</replaceable>"</programlisting>
+
+ <para>This will automatically create a self-signed certificate,
+ <filename>/etc/mail/certs/host.cert</filename>, a signing key,
+ <filename>/etc/mail/certs/host.key</filename>, and a
+ <acronym>CA</acronym> certificate,
+ <filename>/etc/mail/certs/cacert.pem</filename>. The
+ certificate will use the <literal>Common Name</literal>
+ specified in <option>sendmail_cert_cn</option>.
+ After saving
+ the edits, restart <application>Sendmail</application>:</para>
- <para>If all went well, there will be no error messages in
- <filename>/var/log/maillog</filename> and
- <application>Sendmail</application> will show up in the
- process list.</para>
+ <screen>&prompt.root; <userinput>service sendmail restart</userinput></screen>
- <para>For a simple test, connect to the mail server using
- &man.telnet.1;:</para>
+ <para>If all went well, there will be no error messages in
+ <filename>/var/log/maillog</filename>. For a simple test,
+ connect to the mail server's listening port using
+ <command>telnet</command>:</para>
<screen>&prompt.root; <userinput>telnet <replaceable>example.com</replaceable> 25</userinput>
Trying 192.0.34.166...
-Connected to <systemitem class="fqdomainname">example.com</systemitem>.
+Connected to example.com.
Escape character is '^]'.
-220 <systemitem class="fqdomainname">example.com</systemitem> ESMTP Sendmail 8.12.10/8.12.10; Tue, 31 Aug 2004 03:41:22 -0400 (EDT)
+220 example.com ESMTP Sendmail 8.14.7/8.14.7; Fri, 18 Apr 2014 11:50:32 -0400 (EDT)
<userinput>ehlo <replaceable>example.com</replaceable></userinput>
250-example.com Hello example.com [192.0.34.166], pleased to meet you
250-ENHANCEDSTATUSCODES
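Review bot: the text says "generate the RSA key" but the command is `openssl dsaparam ... -genkey`, and the captured output confirms it produces DSA parameters; either the prose or the command should change. The "0 semi-random bytes loaded" line is a second symptom: `-rand` takes a file list, so `-rand -genkey` consumes `-genkey` as its argument, meaning no key is generated until the following `gendsa` step; dropping `-rand` fixes both the warning and the intent. Further down, `myca.key` is described as a "certificate authority signature file" when it is the private key, and `0700` is a directory mode; for the key and certificate files themselves `0600` is what "readable only by root" calls for. Finally, the rewritten Sendmail section now relies on `sendmail_cert_create` generating its own `host.cert`/`host.key`, so nothing in "Using Certificates" uses the `new.crt` and `myca.key` the reader just created; a sentence saying these rc.conf settings replace the manual certificate, or how to point Sendmail at the existing files, would close that gap.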
@@ -1968,10 +1984,10 @@ Escape character is '^]'.
250-DELIVERBY
250 HELP
<userinput>quit</userinput>
-221 2.0.0 <systemitem class="fqdomainname">example.com</systemitem> closing connection
+221 2.0.0 example.com closing connection
Connection closed by foreign host.</screen>
- <para>If the <quote>STARTTLS</quote> line appears in the
+ <para>If the <literal>STARTTLS</literal> line appears in the
output, everything is working correctly.</para>
</sect2>
</sect1>
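Review bot: seeing `STARTTLS` in the EHLO response only shows that Sendmail advertises the extension, not that the handshake or the certificate works; the closing paragraph could suggest `openssl s_client -starttls smtp -connect example.com:25` as the check that actually exercises TLS and shows the presented certificate.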