9fans - fans of the OS Plan 9 from Bell Labs
* Re: [9fans] https
@ 2003-07-11 20:24 David Presotto
  0 siblings, 0 replies; 7+ messages in thread
From: David Presotto @ 2003-07-11 20:24 UTC (permalink / raw)
  To: sah, 9fans

[-- Attachment #1: Type: text/plain, Size: 94 bytes --]

Add an 'owner=*' field to the key that you dump into factotum.  See if your
old key has that.

[-- Attachment #2: Type: message/rfc822, Size: 2397 bytes --]

From: Sam <sah@softcardsystems.com>
To: <9fans@cse.psu.edu>
Subject: [9fans] https
Date: Fri, 11 Jul 2003 12:57:23 -0400 (EDT)
Message-ID: <Pine.LNX.4.30.0307111235560.16824-100000@athena>

I recently have had cause to regenerate our certificate
to indicate our more recent domain name.  I've followed
the instructions in rsa(8) for key/cert generation.

Restarting httpd with the new cert causes https auths to fail
with ``no key matches.''  Given my penchant for boobism, I've
very carefully made certain the right key was in factotum and
even pulled the httpd binary from sources, just in case.

If I switch back to the old key/cert pair, authentication
works as expected.

Can anyone else see this or am I having local issues?

Thanks,

Sam


* [9fans] https
@ 2003-07-11 16:57 Sam
  0 siblings, 0 replies; 7+ messages in thread
From: Sam @ 2003-07-11 16:57 UTC (permalink / raw)
  To: 9fans

I recently have had cause to regenerate our certificate
to indicate our more recent domain name.  I've followed
the instructions in rsa(8) for key/cert generation.

Restarting httpd with the new cert causes https auths to fail
with ``no key matches.''  Given my penchant for boobism, I've
very carefully made certain the right key was in factotum and
even pulled the httpd binary from sources, just in case.

If I switch back to the old key/cert pair, authentication
works as expected.

Can anyone else see this or am I having local issues?

Thanks,

Sam




* Re: [9fans] https
  2003-05-19 16:50     ` Dan Cross
@ 2003-05-19 18:19       ` Russ Cox
  0 siblings, 0 replies; 7+ messages in thread
From: Russ Cox @ 2003-05-19 18:19 UTC (permalink / raw)
  To: 9fans

Notice that if you haven't pulled in a while, you might have
an old ip/httpd/httpd binary, which will still be looking for
proto=sshrsa keys.

Also you need to recompile your kernel in order to link in
a new factotum that knows about proto=rsa.

Russ
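
A simplified model of the attribute matching behind the ``no key matches'' error discussed in this thread, added here as an example (Python; not factotum's or httpd's own code). The sample key line, the constructed new query, the function names, and the treatment of role as a parameter that is not compared against keys are assumptions.

```python
# Simplified model of factotum key matching; an illustration only.
# Assumptions: attribute values contain no quoted whitespace, and
# 'role' is a protocol parameter that is not compared against keys.
IGNORED_IN_QUERY = {"role"}

def parse_attrs(line):
    """Parse 'key proto=rsa !dk=...' into {name: value}.

    A leading '!' marks a secret attribute; 'attr?' in a query means
    "present with any value" and is stored as None.
    """
    attrs = {}
    for tok in line.split():
        if tok == "key":
            continue
        name, sep, value = tok.partition("=")
        name = name.lstrip("!")
        if not sep and name.endswith("?"):
            attrs[name[:-1]] = None
        else:
            attrs[name] = value
    return attrs

def matches(query, key):
    """True if the key satisfies every attribute the query asks for."""
    k = parse_attrs(key)
    for name, want in parse_attrs(query).items():
        if name in IGNORED_IN_QUERY:
            continue
        if name not in k or (want is not None and k[name] != want):
            return False
    return True

def lint_tls_key(key):
    """Return the attributes recommended in this thread that the key lacks."""
    k = parse_attrs(key)
    missing = []
    if k.get("proto") != "rsa":
        missing.append("proto=rsa")
    if k.get("service") != "tls":
        missing.append("service=tls")
    if "owner" not in k:
        missing.append("owner")
    return missing

# Constructed key line; the secret value is a placeholder.
NEW_KEY = "key proto=rsa service=tls owner=* size=1024 !dk=PLACEHOLDER"
OLD_QUERY = "proto=sshrsa role=client"           # query quoted in the httpd log
NEW_QUERY = "proto=rsa service=tls role=client"  # constructed
```

Calling matches(OLD_QUERY, NEW_KEY) shows why a stale binary that still asks for proto=sshrsa cannot find a proto=rsa key, and lint_tls_key flags a key line that lacks the attributes named in the replies.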




* Re: [9fans] https
  2003-05-19 14:42   ` Sam
@ 2003-05-19 16:50     ` Dan Cross
  2003-05-19 18:19       ` Russ Cox
  0 siblings, 1 reply; 7+ messages in thread
From: Dan Cross @ 2003-05-19 16:50 UTC (permalink / raw)
  To: 9fans

Sam <sah@softcardsystems.com> writes:
>
> > Shouldn't that be, ``proto=rsa'' ?
>
> Yeah, it probably *should* be, but it's not.
> Therein lies my confusion.

Okay, I'll be definitive.  It should be, ``proto=rsa service=tls'';
that's what I'm using on my web server.  The documentation is probably
out of date.  There was a note to 9fans from Russ about it, but it was
a while back.  Make that change, and you'll be good to go.  Make sure
you have, ``owner=none'' in there, too, but I think you mentioned
that earlier and are already good to go with it.

	- Dan C.




* Re: [9fans] https
  2003-05-19 14:24 Sam
@ 2003-05-19 15:35 ` Dan Cross
  2003-05-19 14:42   ` Sam
  0 siblings, 1 reply; 7+ messages in thread
From: Dan Cross @ 2003-05-19 15:35 UTC (permalink / raw)
  To: 9fans

Shouldn't that be, ``proto=rsa'' ?

	- Dan C.




* Re: [9fans] https
  2003-05-19 15:35 ` Dan Cross
@ 2003-05-19 14:42   ` Sam
  2003-05-19 16:50     ` Dan Cross
  0 siblings, 1 reply; 7+ messages in thread
From: Sam @ 2003-05-19 14:42 UTC (permalink / raw)
  To: 9fans

> Shouldn't that be, ``proto=rsa'' ?

Yeah, it probably *should* be, but it's not.
Therein lies my confusion.

Sam





* [9fans] https
@ 2003-05-19 14:24 Sam
  2003-05-19 15:35 ` Dan Cross
  0 siblings, 1 reply; 7+ messages in thread
From: Sam @ 2003-05-19 14:24 UTC (permalink / raw)
  To: 9fans

Having followed the directions in rsa(8),
I'm still not able to make secure connections.

The following is in the logfile for httpd:

  can't open /net/tcp/25/data: tls: local
    factotum_rsa_open: no key matches
    proto=sshrsa role=client

% lookman sshrsa
man 4 factotum # factotum(4)
% man 4 factotum | grep sshrsa
%

tips?

Sam



