lynx-dev

Re: LYNX-DEV SSL on Lynx 2.7.1 (Linux) - Intro to Certs and CAs (fwd)


From: tzeruch
Subject: Re: LYNX-DEV SSL on Lynx 2.7.1 (Linux) - Intro to Certs and CAs (fwd)
Date: Sat, 12 Jul 1997 22:26:12 -0400

On Thu, 10 Jul 1997, Laura Eaves wrote:

> I tried eassl a while back and never was able to get it to work
> unless I turned off all the cert verify stuff -- i.e., returned 1
> regardless of the cert string.
> Then I was able to connect to https sites with no problem.
> 
> Anyway, since I don't understand exactly what eassl / edssl are trying to do
> in the first place, I deleted all that and am just using Tom's "super simple"
> lxprox.c.  It hasn't failed yet.
> (I never got Fote's stuff to work either.)
> 
> I don't see why it is necessary to have your own cert (or whatever it's called)
> in order to connect to an https/snews site.  (And I don't like running
> something unless I have at least an inkling of what it's doing.)
> All I wanted to do was place orders online at my favorite shopping sites,
> which are all switching to secure transactions.
> Are there sites that actually require a user to supply a cert?
> If so, how do they know which certs are valid?
> --le

You need to run c_rehash in /usr/local/ssl/certs (or the equivalent on
your machine), or see below about /usr/local/ssl/cert.pem.

You don't really need your own cert unless you want to connect to a site
that wants to use user certs.  You can copy any cert to be presented, but
you will be rejected if it is not the right type (site vs. user) or if it
doesn't recognize you.  No one uses these yet beyond experiments, so I
have just included the function.  MIT is filling in the details, so should
have this fully supported.

The certs (in e*ssl) have a validation mechanism so you can "trust" that
damark.com is really damark.com, and this is using CA (certifying
authority) certificates.  Damark has its certificate signed by a
certifying authority, e.g. RSA.  So e*ssl when it sees the damark.com cert
has "RSA"  as the issuer and so reads /usr/local/ssl/certs/0fc98611.0
which is symlinked to rsa-ssca.pem and can verify the signature.  0fc98611
is a "hash value" derived from information in damark's cert.  Because RSA
signed it, and there is an RSA CA cert (selfsigned by RSA which would be a
problem if it was not a CA cert), it indicates that damark.com is who they
say they are. 

Otherwise I could open up daymarque.com with a self-signed daymarque.com
cert anywhere on the internet and you would connect with a secure
connection, but not to where you think you were going.  I could even
intercept your packets if I could access your NSP and route damark.com to
my computer.  But with signed certs, I would not be able to pretend I
was damark because I couldn't get a signed cert saying I was.

The CA mechanism is for authentication (How do I know I am talking to
damark and not someone pretending to be damark), and not strictly privacy
(so someone can't get your credit card number by monitoring the
communication stream), but since both require encryption technology, it
was easier to do both. 

You can also copy all the CA cert files into /usr/local/ssl/cert.pem
(e.g. cat /usr/local/ssl/certs/*.pem >/usr/local/ssl/cert.pem).  If SSLeay
(and by extension e*ssl) can't find the CA cert, it will reject the
connection unless it is overridden, which is what it is supposed to do.

Damark has the following info (from the connection):

subject=/C=US/ST=Minnesota/O=Damark International, Inc./CN=www1.damark.com
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority

And the RSA CA cert (from the ssl/certs/rsa-ssca.pem file):

Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
Subject: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority

The whole subject of CA chains is available from the SSL spec area of
Netscape.com and other providers, if you want to explore it in further
detail, or ask on ssl-talk or ssl-users.

--- reply to tzeruch - at - ceddec - dot - com ---
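
The hash-named CA lookup and the signed versus self-signed check described in the message above, as an added example that is not part of the original post. It assumes the `openssl` command-line tool (the successor to SSLeay) is installed; every certificate, name and path in it is constructed for the demo.

```shell
#!/bin/sh
# Added example. Every key, name and certificate here is generated locally (constructed).

# make_demo DIR: throwaway CA in DIR/certs, a site cert it signs, and a self-signed look-alike.
make_demo() {
    mkdir -p "$1/certs" || return 1
    # Self-signed CA cert (issuer == subject), the role rsa-ssca.pem plays in the mail.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/C=US/O=Constructed Demo CA/OU=Test Certification Authority" \
        -keyout "$1/ca.key" -out "$1/certs/demo-ca.pem" 2>/dev/null || return 1
    # Site key and request, then the CA signs the request.
    openssl req -newkey rsa:2048 -nodes -subj "/C=US/O=Shop/CN=www.shop.example" \
        -keyout "$1/site.key" -out "$1/site.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/site.csr" -days 2 -set_serial 1 \
        -CA "$1/certs/demo-ca.pem" -CAkey "$1/ca.key" -out "$1/site.pem" 2>/dev/null || return 1
    # Look-alike site that signed its own cert instead of going to the CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/C=US/O=Shoppe/CN=www.shoppe.example" \
        -keyout "$1/fake.key" -out "$1/fake.pem" 2>/dev/null
}

# rehash_dir CERTDIR: the core of c_rehash: link <subject-hash>.0 to each CA file.
# (The real c_rehash also handles hash collisions with .1, .2, ...; this does not.)
rehash_dir() {
    for f in "$1"/*.pem; do
        h=$(openssl x509 -noout -hash -in "$f") || return 1
        ln -sf "$(basename "$f")" "$1/$h.0" || return 1
    done
}

subject_hash() { openssl x509 -noout -hash -in "$1"; }        # name of the CA's link
issuer_hash()  { openssl x509 -noout -issuer_hash -in "$1"; } # key looked up for a cert

# check_cert CERTDIR CERT: succeeds only if CERT chains to a CA found in CERTDIR.
check_cert() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }

d=$(mktemp -d) && make_demo "$d" || exit 1
check_cert "$d/certs" "$d/site.pem" || echo "before rehash: site.pem rejected"
rehash_dir "$d/certs" || exit 1
echo "CA subject hash $(subject_hash "$d/certs/demo-ca.pem")," \
     "site issuer hash $(issuer_hash "$d/site.pem")"
check_cert "$d/certs" "$d/site.pem" && echo "after rehash: site.pem accepted"
check_cert "$d/certs" "$d/fake.pem" || echo "fake.pem (self-signed): rejected"
rm -rf "$d"
```

Before the links exist the CA file is present in the directory but is never found, which is why the message starts with c_rehash.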

