1 Using and Abusing SSL Security
2 OR
3 It must be secure, it's so bloody hard to use
4
5 (With apologies to Eric A. Young and the OpenSSL developers)
6
7 Patrick Powell
8 Thu Jul 18 10:20:58 PDT 2002
9
10Executive Summary
11 SSL Encryption and authentication is supported using the OpenSSL
12library. The following changes have been made to LPRng:
13
14 lprng_certs - a certificate creation/management tool
15 lpd.perms -
16 AUTHFROM set to the 'subject' value of sender CERT
17 AUTHCA set to the 'issuer' value of sender CERT and
18 the hierarchy of 'issuer' values of CERT signers.
19 ${HOME}/.lpr/client.crt, ${HOME}/.lpr/client.pwd -
20 user or client certificate locations
21
22 /etc/lpd/ssl.ca, /etc/lpd/ssl.server
23 - locations of certificates and server certificates
24
25Introduction
26 Why add SSL security to LPRng?
27 a) It's there.
28 b) Everybody and their dog is using it.
29 c) It is needed to support IPP
30
31So I got hold of the SSL and TLS book by Eric Rescorla (he may
32regret this shameless plug, but be it on his head), and started
33reading it. After two weeks and a VERY large bottle of 'Super Strong
34No Doze Wakeup Pills' I figured out what needed to be done:
35 a) Set up some certs (i.e. - X509 Authentication Certificates).
36 b) Get some code from some other places and the examples.
37 c) Read the code, figure out what it was doing, and then
38 reverse engineer the SSL stuff.
39 d) File off serial numbers, recode, etc., where necessary to
40 1) avoid the GNU license curse
41 2) make it LPRng specific
42
43My references were:
44
45Mod_ssl from the Apache project.
46 http://www.apache.org
47 Follow links to Mod_SSL OR get apache2 which has mod_ssl in it.
48 Stole the organization for certs, as well
49 as looking at how the Makefile created and installed the various
50 certificates.
51
52fetchmail
53 ftp://ftp.ccil.org/pub/esr/fetchmail
54 http://www.tuxedo.org/~esr/fetchmail
55 Ummm... this was happenstance, I use fetchmail and it
56 has the SSL authentication in it.
57
58curl
59 http://download.sourceforge.net/curl/
60 Again, I use curl and it has SSL.
61
62The articles by Eric Rescorla:
63 An Introduction to OpenSSL Programming
64 http://www.rtfm.com/openssl-examples/
65 wserver, wclient, sclient
66 And the book: SSL and TLS - Designing and Building Secure Systems
67
68And, of course, the OpenSSL code, the examples in the code,
69 the utilities, etc. etc. etc. About 260,000 lines of etc.
70 Sigh...
71
72WHAT I DID
73
74 a) Started with the Eric Rescorla articles, and the
75 examples for wserver, wclient.
76 b) Added various things to handle getting authentication.
77 - printing the Subject and Issuer information
78 - adding directory information for Certificate locations
79 c) Created new certificates using what I thought would work...
80 d) Read 260,000 lines of OpenSSL code and heartily cursed
81 the OpenSSL developers, the OpenSSL coders, and just about
82 anybody who is associated with the project for NOT putting
83 in some trace statements OR better error message reporting.
84 But that is over now, and I have recalled the guys with the
85 baseball bats.
86 e) Documented this so that other people can figure out what I did.
87
88HERE IS WHAT YOU NEED TO KNOW
89
90The idea behind SSL is that you create some files (Certificates)
91that have various private/public key information in them.
92A checksum is calculated over the information, and then the checksum
93is 'encrypted' using a private key of some 'signer'. This is attached
94to the certificate file... and the whole thing is encoded in the most
95obnoxious manner... ASN.1 to be exact. This is then EXPANDED into a text
96format called PEM, and forms the 'certificate file'.
97
98 <aside> Ignore the SSL experts who are frothing over this
99 cavalier description of the details.
100 Details, smetails. You listen to them, you be on the No Doze,
101 big time, pretty quick. Boring stuff, the SSL details</aside>
102
103Now let's see what we do to validate that a certificate is correct
104or from the 'Subject' who is identified in the Certificate. We get
105the X509 certificate for the 'signer' (or 'Issuer' in X509 jargon).
106Since the public key of the signer is included in the 'signer'
107certificate, we can use this to check that the information in the
108suspect certificate is valid by using it to decrypt the checksum
109information encoded with the private key. If this matches, we have
110validated the certificate. (Well, not quite. There are a couple
111more gotchas.)
112
113Now we must validate the signer's certificate, which was
114in turn signed by another signer, and so we go up the food chain,
115I mean 'authentication chain', until we reach Nirvana:
116
117 a certificate which is signed by itself (i.e. - root certificate)
118
119or more exactly, a certificate where the 'subject' or the person
120identified by the CERT and the 'issuer' or the person who signed the
121CERT are the same.
122
123Now let's see how we use this for printing.
124
125Each user and/or print spooler is given a certificate with a corresponding
126set of private and public keys. When a client sends a request to the lpd
127server, he signs it using his private key; the lpd spooler gets the request,
128and then decodes/checks it using the public key in the user's certificate.
129
130The SSL protocol provides a way to:
131
132 a) set up an encrypted connection (not our problem)
133 b) exchange certificate information
134 (Hmm... need to tell OpenSSL what certs to exchange)
135 c) validate the certificates (strictly speaking, this is X509
136 stuff, but what the hey...) and hence, authenticate the
137 end users.
138 (Need to tell OpenSSL where the certs are).
139 d) set up and perform encrypted data exchange. (not our problem).
140
141So all we really need to do is set up the CERTIFICATES, tell the
142OpenSSL library where they are, and it should do the work for us.
143(Ho ho ho... it sounds so simple...)
144
145There are two components to a certificate:
146 a) the certificate file (name.crt file) itself
147 b) the private key corresponding to the public key in
148 the certificate file (name.key file).
149
150Now clearly if the private key was obtained by somebody
151then they could impersonate a user. So there are two possibilities:
152 a) make the private key file readable only by the people that
153 need it (more on this later).
154 b) encrypt the private key and then when you need to use it
155 to sign something, provide a decryption password/key.
156
157So, we have 3 components: the certificate (name.crt), the encrypted
158private key (name.key, but encrypted) and a password that we use
159to decrypt the private key. But since the private key is encrypted,
160we do not need to keep it hidden away, and we can put the private key
161and certificate in the same file:
162
163 -----BEGIN RSA PRIVATE KEY-----
164 Proc-Type: 4,ENCRYPTED
165 DEK-Info: DES-EDE3-CBC,3EAD3ED0FA436761
166
167 Vi5K0olpFfe2ltDpY/7gPM4iW74gYqtO1yEFm1DOhp7Kd8hB5Is6TVuVX78zkTaP
168 ...
169 j6Z5TX61x4YCHKleFa9nXFC5god/MCYzIHKKep0f4TKWCZcJLR5AyQ==
170 -----END RSA PRIVATE KEY-----
171 -----BEGIN CERTIFICATE-----
172 MIIDGzCCAoSgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBkzELMAkGA1UEBhMCVVMx
173 ...
174 3VapletoUPtYPvUAAgAg4w28pKWvlVW3tU/CsoHDEw==
175 -----END CERTIFICATE-----
176
177Which is the convention we adopted for LPRng.
178
179Now let's deal with the problem of certificates. There are
180FOUR types of certificates that we need:
181
182 CERTS/files
183 root (/etc/lpd/ssl.ca/ca.crt)
184 - signer1 (/etc/lpd/ssl.ca/signer1.crt - signed by ca)
185 - print spoolers (/etc/lpd/ssl.server/h121.crt - signed by signer1 )
186 - users (${HOME}/.lpr/user1.crt - signed by signer1 )
187 - signer2 (/etc/lpd/ssl.ca/signer2.crt - signed by ca)
188 - print spoolers (/etc/lpd/ssl.server/h121.crt - signed by signer2)
189 - users (${HOME}/.lpr/user2.crt - signed by signer2)
190
191The ROOT cert signs the signer certs, which in turn
192can sign print spooler certs and user certs. If you feel
193lucky, you can also use the root cert to sign print spoolers
194or user certs.
195
196Now, what happens if and when somebody gets hold of the
197private key for the root cert or a signing cert? If it is
198for the root cert, you are doomed. Reissue all the CERTS.
199Start from square 0.
200
201If it is a signing cert, then you can REVOKE it. How do you do this?
202You put it into a 'revocation' directory, and then tell OpenSSL
203to do its magic and update the CERT information so that it is revoked.
204(More on this later).
205
206Finally, how does the certificate information get transferred?
207
208This is a little complicated, and there are a zillion ways to do
209this. I have opted to implement and use a very simple method based
210on the Apache mod_perl SSL setup.
211
212a) A directory (/etc/lpd/ssl.ca/) containing
213 all of the signing certificates, including the root certificate
214 (ca.crt). These will be used by both servers and clients.
215 Note: due to the OpenSSL implementation, it may be necessary
216 to copy files to this directory.
217
218 OpenSSL also supports putting all of the certificates in a single
219 file. The certificates should be put in root to leaf order, i.e.
220 - a breadth first walk of the certificate tree.
221
222 For individual signing/certificate files:
223 printcap/configure option: ssl_ca_path=DIR
224 default=/etc/lpd/ssl.ca/ssl.ca
225 For single signing/certificate files:
226 printcap/configure option: ssl_ca_file=FILE
227 default= NONE
228
229 configure:
230 --with-ssl_ca_path=DIR
231 default ${sysconfdir}/lpd/ssl.crt/
232 --with-ssl_ca_file=FILE
233 default - none
234
235 Note: See the SSL_CTX_load_verify_locations(
236 SSL_CTX *ctx, const char *CAfile, const char *CApath);
237 documentation for the details.
238
239b) The LPRng lpd server certificate file and the password
240 for using the certificate:
241
242 A file (/etc/lpd/server.crt/server.crt) containing
243 the cert that is used by the server. It should also contain
244 the private key for the server.
245
246 printcap/configure option: ssl_server_cert=FILE
247 default ${sysconfdir}/lpd/server.crt/server.crt
248 configure:
249 --with-ssl_server_cert=PATH
250 default ${sysconfdir}/lpd/server.crt/server.crt
251
252 Note: See SSL_CTX_use_certificate_chain_file(
253 SSL_CTX *ctx, const char *file);
254 SSL_use_PrivateKey_file(SSL *ssl, char *file,
255 int type);
256 documentation for details. Note that this file can
257 contain multiple certs, but these must be sorted in top
258 (root CA) to bottom (server) order.
259 i.e. -
260 private_key, server cert (additional certs
261 specified by ssl_ca_path or ssl_ca_file)
262 OR
263 root CA cert, signer1 cert, ..., server cert
264
265 Note: the private key can be in any position.
266
267 The password file contains the password for the private
268 key in the server cert file. This file should be mode 600, owned
269 by the LPD server user.
270
271 printcap/configure option: ssl_server_passwd=FILE
272 default ${sysconfdir}/lpd/server.crt/server.crt
273 configure:
274 --with-ssl_server_passwd=PATH
275
276 Note: See the SSL_CTX_set_default_passwd_cb for details.
277 The password is read from the file.
278
279c) For user authentication to the server, users will need to
280 specify a certificate and password. This can be done by using
281 values in default files or environment variables:
282
283 ${HOME}/.lpr/ssl.ca/ - signing/root certificates
284 (if not present, then ${sysconfdir}/lpd/ssl.ca/ is used)
285 Environment variable: LPR_CA_PATH
286 ${HOME}/.lpr/client.crt - client cert and key
287 Environment variable: LPR_SSL_CERT
288 ${HOME}/.lpr/client.pwd - file containing client password
289 Environment variable: LPR_SSL_PASSWORD
290
291CERTIFICATE FIELDS:
292
293 There are several fields that need to be set in a certificate:
294 C = country [US]
295 ST = state [California]
296 L = city [San Diego]
297 OU = Organization Unit [OU=Certificate Authority for root cert]
298 [OU=Server for server cert]
299 [OU=User for user cert]
300 CN = Common Name [CN=Orgname for root cert]
301 [CN=ServerID (h110.astart) for server cert]
302 [CN=papowell for user cert]
303 Email = email address [Email=hostmaster@astart.com for root cert]
304 [Email=hostmaster@h110.astart for server cert]
305 [Email=papowell@astart.com for user cert]
306
307 You can set default values for these fields.
308
309SETTING UP CERTIFICATE AUTHORITY
310
311There are several types of certificate files:
312 - CA root (self signed)
313 - signing certs (signed by CA or by signing cert)
314 - server certs (used by lpd server AND by lpd server when
315 forwarding to a remote queue)
316 - user certs (used to identify users programs)
317
318The certificates are arranged as follows:
319
3201. signing certs are in a directory (or a single file)
321 default: /etc/lpd/ssl.ca/*
322
3232. server certs are in a directory
324 default: /etc/lpd/ssl.server/*
325
3263. user certificates are kept in a subdirectory of the
327 user home directory, say:
328 ${HOME}/.lpr/client.crt - cert
329 ${HOME}/.lpr/client.pwd - password to use cert
330 private key for authentication
331
3324. certificates are created in a working directory and are
333 then copied (if necessary) to the correct directory.
334
335 default: /etc/lpd/ssl.certs
336
337PRINTCAP INFORMATION:
338 the following entries are added to the printcap or lpd.conf file:
339
340 lp:
341 :auth=ssl # ssl authentication
342 :ssl_id=lp # id value
343 :ssl_ca_file=/etc/lpd/ssl.ca/ca.crt # certs for signing
344 :ssl_crl_file=/etc/lpd/ssl.crl/ssl.crl # revocation certs
345 :ssl_server_cert=/etc/lpd/ssl.server/server.crt # server cert
346 :ssl_server_password_file=/etc/lpd/ssl.server/server.pwd # password
347
348CREATING CERTS
349
350The lprng_certs script provides a way to create ROOT certs,
351signer certs, server (lpd) certs, and user certs. You may need
352to copy the certificate files to the appropriate locations.
353
354usage: lprng_certs option
355 init - make directory structure
356 newca - make new root CA and defaults
357 defaults - set new default values
358 encrypt keyfile - set or change password on private key file
359 gen - generate user, server, or signing cert
360 verify cert* - verify certs
361 certs can be path or user-XX.csr values
362
363STEP 1: CREATE DIRECTORY STRUCTURE
364
365 Use: lprng_certs [--TEMP=/dir] init
366 - creates directories for lpd server
367 TEMP=/dir sets the directory; by default, TEMP=/etc/lpd
368 ${TEMP}/ssl.ca/ - ca root and/or signer certs
369 default location for creation
370 ${TEMP}/ssl.server/ - server cert
371 (usually server.crt and server.pwd files)
372 ${TEMP}/ssl.certs/ - server and/or user certs
373 default location for creation
374 You use this to set up the directories for certificates
375 on a non-master system.
376
377STEP 2: CREATE CA ROOT CERT AND SET CERTIFICATE DEFAULTS
378
379 Use: lprng_certs [--TEMP=/dir] newca
380
381 You use this when you want to set up a totally new CA on a master system.
382
383 Example of use:
384
385 #> lprng_certs newca
386
387 lprng_certs -- LPRng SSL Certificate Management
388 Copyright (c) 2002 Patrick Powell
389 Based on CCA by Ralf S. Engelschall
390 (Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)
391
392 WARNING: /etc/lpd/ssl.ca/ca.crt already exists! Do you want to overwrite it? [N/y] Y
393
394 INITIALIZATION - SET DEFAULTS
395
396 There are several fields that need to be set in a certificate/
397 C = country [US]
398 ST = state [California]
399 L = city [San Diego]
400 OU = Organization Unit [OU=Certificate Authority for root cert]
401 [OU=Server for server cert]
402 [OU=User for user cert]
403 CN = Common Name [CN=Orgname for root cert]
404 [CN=ServerID (h110.astart) for server cert]
405 [CN=papowell for user cert]
406 Email = email address [Email=hostmaster@astart.com for root cert]
407 [Email=hostmaster@h110.astart for server cert]
408 [Email=papowell@astart.com for user cert]
409
410 You can set default values for these fields.
411
412 110: {90} % lprng_certs --TEMP=/tmp newca
413 lprng_certs -- LPRng SSL Certificate Management
414 Copyright (c) 2002 Patrick Powell
415 Based on CCA by Ralf S. Engelschall
416 (Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)
417
418 INITIALIZATION - SET DEFAULTS in /tmp/ssl.ca/ca.defaults
419
420 *** you can change the defaults as shown ***
421
422 1. Country Name (2 letter code, C) [default 'XY'] US
423 2. State or Province Name (full name, ST) [default 'Snake Desert'] California
424 3. Locality Name (eg, city, L) [default 'Snake Town'] San Diego
425 4. Organization Name (eg, company, O) [default 'Snake Oil, Ltd'] Astart Technologies
426 5. Organizational Unit Name for CA (eg, section, OU) [default 'CA']
427 6. Organizational Unit Name for Signer (eg, section, OU) [default 'Signer']
428 7. Organizational Unit Name for Server (eg, section, OU) [default 'Server']
429 8. Organizational Unit Name for User (eg, section, OU) [default 'User']
430 9. Common Name for CA (eg, CA name, CN) [default 'Snake Oil CA'] Astart CA
431 10. Common Name for Signer (eg, signer name, CN) [default 'Signer Name']
432 11. Common Name for Server (eg, server name, CN) [default 'PrintServer Name']
433 12. Common Name for User (eg, user name, CN) [default 'John Q. User']
434 13. Email Address (eg, name@FQDN, Email) [default 'name@snakeoil.dom'] name@astart.com
435 14. CA Certificate Validity in days [default '365']
436 15. Signer Certificate Validity in days [default '365']
437 16. Server Certificate Validity in days [default '365']
438 17. User Certificate Validity in days [default '365']
439 18. Signer Certificate Path (blank indicates CA signs) [default '']
440 19. Signer Private Key File (blank indicates key in cert file) [default '']
441 20. Created Certificates Directory (blank indicates default /tmp/ssl.certs) [default '']
442 21. Revoked Certificates File (blank indicates default /tmp/certs.crl) [default '']
443
444 **** this shows what the new default value will be *****
445 C_val US
446 ST_val California
447 L_val San Diego
448 O_val Astart Technologies
449 OU_ca_val CA
450 OU_signer_val Signer
451 OU_server_val Server
452 OU_user_val User
453 CN_ca_val Astart CA
454 CN_signer_val Signer Name
455 CN_server_val PrintServer Name
456 CN_user_val John Q. User
457 Email_val name@astart.com
458 Validity_ca_val 365
459 Validity_signer_val 365
460 Validity_server_val 365
461 Validity_user_val 365
462 Signer_cert_path
463 Signer_key_path
464 Cert_dir
465 Revoke_file
466
467 ...
468 ______________________________________________________________________
469
470 STEP 1: Generating RSA private key for CA (1024 bit)
471 49279 semi-random bytes loaded
472 Generating RSA private key, 1024 bit long modulus
473 .........................................++++++
474 .................++++++
475 e is 65537 (0x10001)
476 ______________________________________________________________________
477
478 STEP 2: Generating X.509 certificate signing request for CA
479 You are about to be asked to enter information that will be incorporated
480 into your certificate request.
481 What you are about to enter is what is called a Distinguished Name or a DN.
482 There are quite a few fields but you can leave some blank
483 For some fields there will be a default value,
484 If you enter '.', the field will be left blank.
485
486 *** change any of the field names ***
487 -----
488 1. Country Name (2 letter code, C) [US]:
489 2. State or Province Name (full name, ST) [California]:
490 3. Locality Name (eg, city, L) [San Diego]:
491 4. Organization Name (eg, company, 0) [Astart Technologies]:
492 5. Organizational Unit Name (eg, section, OU) [CA]:
493 6. Common Name (eg, ca name, CN) [Astart CA]:
494 7. Email Address (eg, name@FQDN, Email) [name@astart.com]:root@astart.com
495 ______________________________________________________________________
496
497 STEP 3: Generating X.509 certificate for CA signed by itself
498 Signature ok
499 subject=/C=US/ST=California/L=San Diego/O=Astart Technologies/OU=CA/CN=Astart CA/emailAddress=root@astart.com
500 Getting Private key
501 ______________________________________________________________________
502
503 RESULT:
504 /tmp/ssl.ca/ca.crt: /C=US/ST=California/L=San Diego/O=Astart Technologies/OU=CA/CN=Astart CA/emailAddress=root@astart.com
505 error 18 at 0 depth lookup:self signed certificate
506 OK
507 ______________________________________________________________________
508
509 STEP 4. Enrypting RSA private key /tmp/ssl.ca/ca.key with a pass phrase for security
510
511 The contents of the certificate key file (the generated private key)
512 should be echo kept secret, especially so if it is used to sign
513 Certificates or for User authentication.
514 SSL experts strongly recommend you to encrypt the key file with
515 a Triple-DES cipher and a Pass Phrase. When using LPRng, you provide
516 the password via a file specified by the LPR_SSL_PASSWORD
517 environent variable, or in the /home/papowell/.lpr/client.pwd file.
518 The LPD server uses the ssl_server_password_file option to specify
519 the location of a file containing the password.
520
521 Encrypt the private key now? [Y/n]:
522 writing RSA key
523 Enter PEM pass phrase:
524 Verifying - Enter PEM pass phrase:
525 Fine, you're using an encrypted private key to sign CERTS.
526 ______________________________________________________________________
527
528 STEP 5: Combine CERT and KEY file
529 Generate single CERT and KEY file? [N/y]
530
531 Indexing /tmp/ssl.ca
532 ca.crt ... cbd552ae.0
533
534 Use the following commands to examine the CERT and KEY files:
535 openssl x509 -text -in /tmp/ssl.ca/ca.crt
536 openssl rsa -text -in /tmp/ssl.ca/ca.key
537
538STEP 3: CREATE SERVER CERTS AND INSTALL ON SERVERS
539
540 Creates a certificate with the appropriate entries for use
541 as a server (lpd) certificate.
542
543Example:
544
545 #> lprng_certs gen
546 lprng_certs -- LPRng SSL Certificate Management
547 Copyright (c) 2002 Patrick Powell
548 Based on CCA by Ralf S. Engelschall
549 (Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)
550
551 CERTIFICATE GENERATION
552 What type of certificate? User/Server/Signing Authority/Help? [u/s/a/H] s
553 Create in '/etc/lpd/ssl.certs' [return for yes, or specify directory] y
554 CERT name 'server-01'? [return for yes, or specify name] h110
555 CERT name 'h110'? [return for yes, or specify name]
556 Creating h110 in /etc/lpd/ssl.certs
557 Sign with Certificate '/etc/lpd/ssl.ca/ca.crt' [return for yes, or specify cert file]
558 Private key in /etc/lpd/ssl.ca/ca.crt
559
560 Generating user Certificate [h110]
561 ______________________________________________________________________
562
563 STEP 1: Generating RSA private key for user (1024 bit)
564 ______________________________________________________________________
565
566 STEP 2: Generating X.509 certificate signing request for user
567 User Certificate Validity in days [default 365]
568 ______________________________________________________________________
569
570 STEP 3: Generating X.509 certificate signed by own CA
571 ______________________________________________________________________
572
573 RESULT:
574 /etc/lpd/ssl.certs/h110.crt: OK
575 ______________________________________________________________________
576
577 STEP 4. Enrypting RSA private key with a pass phrase for security
578 The contents of the certificate key file (the generated private key)
579 should be echo kept secret, especially so if it is used to sign
580 Certificates or for User authentication.
581 SSL experts strongly recommend you to encrypt the key file with
582 a Triple-DES cipher and a Pass Phrase. When using LPRng, you provide
583 the password via a file or file descriptor specified by an environent
584 variable, i.e. - SSL_PASSWORD_FILE or SSL_PASSWORD_FD, or in the
585 ${HOME}/.ssl_password file.
586 The LPD server uses the ssl_server_password_file option to specify
587 the location of a file containing the password.
588 See the LPRng Refernce Manual for details, or the printcap(5) man page.
589
590 key file is /etc/lpd/ssl.certs/h110.key
591 Encrypt the private key now? [Y/n]: y
592 Fine, you're using an encrypted private key to sign CERTS.
593 ______________________________________________________________________
594
595 STEP 5: Combine CERT and KEY file
596 Generate single CERT and KEY file? [Y/n] y
597
598 Use the following commands to examine the CERT and KEY files:
599 openssl x509 -text -in /etc/lpd/ssl.certs/h110.crt
600 openssl rsa -text -in /etc/lpd/ssl.certs/h110.crt
601
602
603 ----------
604
605 You must now copy the h110.crt certificate to the lpd server certificate
606 file location:
607 cp /etc/lpd/ssl.certs/h110.crt /etc/lpd/server.crt/server.crt
608 (umask 077; echo 'password' >/etc/lpd/server.crt/server.pwd)
609 chown lpd /etc/lpd/server.crt/server.pwd
610 chmod 600 /etc/lpd/server.crt/server.pwd
611 (Note: lpd is the user that the LPD server will run as. This value is set
612 by the configuration in the lpd.conf file.)
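
A check for the installed files, as an added example that is not part of LPRng or lprng_certs: it parses the combined key-and-certificate layout described earlier, confirms the private key is stored encrypted, and checks the password file against the mode 600 requirement. The PEM bodies, the passphrase and the helper names (pem_blocks, audit, write_sample) are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Constructed sample in the combined layout used by LPRng; the base64 bodies
# are placeholders ("CONSTRUCTED"), not real key or certificate material.
ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0000000000000000\n"
    "\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PLAIN_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, encrypted)] in file order; encrypted is None for non-key blocks."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        encrypted = None
        if label.endswith("PRIVATE KEY"):
            # Traditional keys carry a Proc-Type header when encrypted;
            # PKCS#8 keys say so in the label itself.
            encrypted = (label == "ENCRYPTED PRIVATE KEY"
                         or "Proc-Type: 4,ENCRYPTED" in body)
        blocks.append((label, encrypted))
    return blocks


def audit(cert_path, pwd_path):
    """Return a list of findings for a combined key+cert file and its password file."""
    findings = []
    with open(cert_path) as fh:
        blocks = pem_blocks(fh.read())
    key_states = [enc for _, enc in blocks if enc is not None]
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        findings.append("no certificate in " + cert_path)
    if not key_states:
        findings.append("no private key in " + cert_path)
    if False in key_states:
        findings.append("private key is not encrypted in " + cert_path)
    cert_mode = stat.S_IMODE(os.stat(cert_path).st_mode)
    if cert_mode & 0o022:
        findings.append("%s is group/other writable (mode %o)" % (cert_path, cert_mode))
    pwd_mode = stat.S_IMODE(os.stat(pwd_path).st_mode)
    if pwd_mode & 0o177:  # anything beyond owner read/write
        findings.append("%s has mode %o, expected 600" % (pwd_path, pwd_mode))
    return findings


def write_sample(directory, key_pem, pwd_mode):
    """Write a constructed server.crt/server.pwd pair and return their paths."""
    cert_path = os.path.join(directory, "server.crt")
    pwd_path = os.path.join(directory, "server.pwd")
    with open(cert_path, "w") as fh:
        fh.write(key_pem + CERT)
    os.chmod(cert_path, 0o644)
    with open(pwd_path, "w") as fh:
        fh.write("constructed-passphrase\n")
    os.chmod(pwd_path, pwd_mode)
    return cert_path, pwd_path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for key_pem, mode in ((ENCRYPTED_KEY, 0o600), (PLAIN_KEY, 0o644)):
            print(audit(*write_sample(d, key_pem, mode)) or "OK")
```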
613
614STEP 4: CREATE AND INSTALL USER CERTS
615
616 Creates a certificate with the appropriate entries for use
617 as a user (client) certificate.
618
619Example:
620
621 #> lprng_certs gen
622 lprng_certs -- LPRng SSL Certificate Management
623 Copyright (c) 2002 Patrick Powell
624 Based on CCA by Ralf S. Engelschall
625 (Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)
626
627 CERTIFICATE GENERATION
628 What type of certificate? User/Server/Signing Authority/Help? [u/s/a/H] u
629 Create in '/etc/lpd/ssl.certs' [return for yes, or specify directory] y
630 CERT name 'user-01'? [return for yes, or specify name] papowell
631 CERT name 'papowell'? [return for yes, or specify name]
632 Creating h110 in /etc/lpd/ssl.certs
633 Sign with Certificate '/etc/lpd/ssl.ca/ca.crt' [return for yes, or specify cert file]
634 Private key in /etc/lpd/ssl.ca/ca.crt
635
636 ...
637 Use the following commands to examine the CERT and KEY files:
638 openssl x509 -text -in /etc/lpd/ssl.certs/papowell.crt
639 openssl rsa -text -in /etc/lpd/ssl.certs/papowell.crt
640
641
642 ----------
643
644 You must now copy the papowell.crt certificate to the user .lpr directory
645 and then set the password.
646
647 cp /etc/lpd/ssl.certs/papowell.crt ~papowell/.lpr/client.crt
648 (umask 077; echo 'password' >~papowell/.lpr/client.pwd)
649 chown papowell ~papowell/.lpr/client.pwd
650 chmod 600 ~papowell/.lpr/client.pwd
651
652
653CREATE A SIGNING CERT
654
655 You will need to do this if you want to create a certificate that
656 you can use to sign other certificates - i.e. - delegate signing
657 authority. This is done by creating a signing certificate. The
658 private key file for this certificate should be treated in the same
659 way as for the root certificate - it should not be stored in the
660 same file as the certificate, or if it is, the password for the
661 key should be very long and resistant to a dictionary attack.
662 I do not recommend storing the private key and certificate in the
663 same file.
664
665 lprng_certs -- LPRng SSL Certificate Management
666 Copyright (c) 2002 Patrick Powell
667 Based on CCA by Ralf S. Engelschall
668 (Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.)
669
670 CERTIFICATE GENERATION
671 What type of certificate? User/Server/Signing Authority/Help? [u/s/a/H] a
672 Create in '/etc/lpd/ssl.ca' [return for yes, or specify directory]
673 CERT name 'signer-02'? [return for yes, or specify name]
674 Creating signer-02 in /etc/lpd/ssl.ca
675 Sign with Certificate '/etc/lpd/ssl.ca/ca.crt' [return for yes, or specify cert file]
676 Private key in /etc/lpd/ssl.ca/ca.crt
677
678 Generating signer Certificate [signer-02]
679 ______________________________________________________________________
680
681 STEP 1: Generating RSA private key for signer (1024 bit)
682 ______________________________________________________________________
683
684 STEP 2: Generating X.509 certificate signing request for signer
685 User Certificate Validity in days [default 365]
686 ______________________________________________________________________
687
688 STEP 3: Generating X.509 certificate signed by own CA
689 ______________________________________________________________________
690
691 RESULT:
692 /etc/lpd/ssl.ca/signer-02.crt: OK
693 ______________________________________________________________________
694
695 STEP 4. Enrypting RSA private key with a pass phrase for security
696 The contents of the certificate key file (the generated private key)
697 should be echo kept secret, especially so if it is used to sign
698 Certificates or for User authentication.
699 SSL experts strongly recommend you to encrypt the key file with
700 a Triple-DES cipher and a Pass Phrase. When using LPRng, you provide
701 the password via a file or file descriptor specified by an environent
702 variable, i.e. - SSL_PASSWORD_FILE or SSL_PASSWORD_FD, or in the
703 ${HOME}/.ssl_password file.
704 The LPD server uses the ssl_server_password_file option to specify
705 the location of a file containing the password.
706 See the LPRng Refernce Manual for details, or the printcap(5) man page.
707
708 key file is /etc/lpd/ssl.ca/signer-02.key
709 Encrypt the private key now? [Y/n]:
710 Fine, you're using an encrypted private key to sign CERTS.
711 ______________________________________________________________________
712
713 STEP 5: Combine CERT and KEY file
714 Generate single CERT and KEY file? [Y/n]
715
716 Use the following commands to examine the CERT and KEY files:
717 openssl x509 -text -in /etc/lpd/ssl.ca/signer-02.crt
718 openssl rsa -text -in /etc/lpd/ssl.ca/signer-02.crt
719
720 - creates a certificate with the appropriate entries for use
721 as a signing, server (lpd), or client (user) certificate.
722
723
724TESTING SSL AUTHENTICATION
725
726Set up a printcap entry:
727 ssl:
728 :auth=ssl
729 :ssl_id=lp
730 :ssl_ca_file=/etc/lpd/ssl.ca/ca.crt
731 :ssl_crl_file=/etc/lpd/ssl.crl/ssl.crl
732 :ssl_server_cert=/etc/lpd/ssl.server/server.crt
733 :ssl_server_password_file=/etc/lpd/ssl.server/server.pwd
734 :sd=/var/spool/lpd/%P
735 :lp=/dev/null
736 # for debugging only!
737 :db=2
738
739Create the spool queue by using:
740 checkpc -f
741
742Use the lprng_certs script described above to create the ssl certs and install
743them as required.
744
745Now restart LPD in debug mode, so you can kill it:
746 lpd -F -D1
747
748Use the 'lpq' command to connect to the server:
749 lpq -Pssl -D1 |&tee /tmp/log
750
751If this fails, examine the /var/spool/lpd/ssl/log file for
752reasons that the server failed. Examine the /tmp/log
753file for reasons that the client failed.
754
755CERTIFICATE REVOCATION AND PERMISSIONS CHECKING
756
757The current implementation does not support
758the X509 Certificate Revocation List or files. Instead,
759we use the lpd.perms facilities and reject users and/or signers
760based on the information in their 'subject' or 'issuer' information.
761The AUTHFROM and AUTHCA contain the subject and issuer information
762for the user certificate received by the LPD server. Actually,
763the AUTHCA information contains the hierarchy of certificate signers,
764so you can reject a request based on the presence or absence
765of a certificate signer.
766
767For example:
768h110: {230} % openssl x509 -issuer -subject -noout -in ${HOME}/.lpr/client.crt
769issuer= /C=US/ST=California/L=San Diego/O=Astart/\
770 OU=CertificateAuthority/CN=AstartCA/Email=ca@astart.com
771subject= /C=US/ST=California/L=San Diego/O=Astart/\
772 OU=Server/CN=papowell/Email=papowell@astart.com
773
774You can now use:
775
776# /etc/lpd.perms
777REJECT NOT AUTHTYPE=ssl
778REJECT NOT AUTHCA=*/CN=AstartCA/*
779REJECT AUTHFROM=*/CN=papowell/*
780
781You can also put this in a file, say /etc/lpd/signers.auth
782 */CN=AstartCA/*
783and, say /etc/lpd/reject.users
784 */CN=papowell/*
785
786Now you can use:
787REJECT NOT AUTHCA=</etc/lpd/signers.auth
788REJECT AUTHFROM=</etc/lpd/reject.users
789