2008-04-06 11:17:41 hobbitlaunch starting
2008-04-06 11:17:41 Loading tasklist configuration from /home/hobbit/server/etc/hobbitlaunch.cfg
2008-04-06 11:17:41 Loading hostnames
2008-04-06 11:17:41 Loading saved state
2008-04-06 11:17:42 Setting up network listener on 0.0.0.0:1984
2008-04-06 11:17:42 Setting up local listener
2008-04-06 11:17:43 Cannot load SSL certificate
18193:error:02001002:system library:fopen:No such file or directory:bss_file.c:349:fopen('/home/hobbit/server/etc/hobbitserver.cert','r')
18193:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:351:
18193:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:720:
Regards Lars Ebeling
http://leopg9.no-ip.org Hobbithobbyist
"I am not young enough to know everything." -- Oscar Wilde
On Sun, Apr 06, 2008 at 11:39:15AM +0200, Lars Ebeling wrote:
2008-04-06 11:17:41 hobbitlaunch starting
2008-04-06 11:17:41 Loading tasklist configuration from /home/hobbit/server/etc/hobbitlaunch.cfg
2008-04-06 11:17:41 Loading hostnames
2008-04-06 11:17:41 Loading saved state
2008-04-06 11:17:42 Setting up network listener on 0.0.0.0:1984
2008-04-06 11:17:42 Setting up local listener
2008-04-06 11:17:43 Cannot load SSL certificate
18193:error:02001002:system library:fopen:No such file or directory:bss_file.c:349:fopen('/home/hobbit/server/etc/hobbitserver.cert','r')
Yep, working on adding support for SSL-encrypted connections to the Hobbit server. Server-side is done, client-side needs some re-writing of a module.
There's a decent tutorial on creating your own SSL certificates at http://www.akadia.com/services/ssh_test_certificate.html
Although you obviously cannot use it until I get the client-side code finished.
Regards, Henrik
----- Original Message -----
From: "Henrik Stoerner" <henrik at hswn.dk>
To: <hobbit at hswn.dk>
Sent: Monday, April 07, 2008 7:31 AM
Subject: Re: [hobbit] Todays snapshot 20080406
Yep, working on adding support for SSL-encrypted connections to the Hobbit server. Server-side is done, client-side needs some re-writing of a module.
There's a decent tutorial on creating your own SSL certificates at http://www.akadia.com/services/ssh_test_certificate.html
I restored yesterday's snapshot from backup, and followed the tutorial mentioned above. Now yesterday's snapshot works.
But does it have any impact on today's snapshot?
-- Regards Lars Ebeling
http://leopg9.no-ip.org Hobbithobbyist
"I am not young enough to know everything." -- Oscar Wilde
----- Original Message -----
From: "Lars Ebeling" <lars.ebeling at leopg9.no-ip.org>
To: <hobbit at hswn.dk>
Sent: Monday, April 07, 2008 8:29 AM
Subject: Re: [hobbit] Todays snapshot 20080406
I restored yesterday's snapshot from backup, and followed the tutorial mentioned above. Now yesterday's snapshot works.
I was too fast ;)
All built-in tests went purple except hobbitd
-- Regards Lars Ebeling
http://leopg9.no-ip.org Hobbithobbyist
"I am not young enough to know everything." -- Oscar Wilde
On Mon, Apr 07, 2008 at 08:52:31AM +0200, Lars Ebeling wrote:
I restored yesterday's snapshot from backup, and followed the tutorial mentioned above. Now yesterday's snapshot works. I was too fast ;)
All built-in tests went purple except hobbitd
Should work better with this patch on top of the snapshot.
Henrik
----- Original Message -----
From: "Henrik Stoerner" <henrik at hswn.dk>
To: <hobbit at hswn.dk>
Sent: Monday, April 07, 2008 12:52 PM
Subject: Re: [hobbit] Todays snapshot 20080406
Should work better with this patch on top of the snapshot.
Yes, hope I wasn't too fast this time.
Btw. Today the golf course opened for the season. The weather is nice and I played 9 holes.
-- Regards Lars Ebeling
http://leopg9.no-ip.org Hobbithobbyist
"I am not young enough to know everything." -- Oscar Wilde
On Monday 07 April 2008 07:31:57 Henrik Stoerner wrote:
On Sun, Apr 06, 2008 at 11:39:15AM +0200, Lars Ebeling wrote:
2008-04-06 11:17:41 hobbitlaunch starting
2008-04-06 11:17:41 Loading tasklist configuration from /home/hobbit/server/etc/hobbitlaunch.cfg
2008-04-06 11:17:41 Loading hostnames
2008-04-06 11:17:41 Loading saved state
2008-04-06 11:17:42 Setting up network listener on 0.0.0.0:1984
2008-04-06 11:17:42 Setting up local listener
2008-04-06 11:17:43 Cannot load SSL certificate
18193:error:02001002:system library:fopen:No such file or directory:bss_file.c:349:fopen('/home/hobbit/server/etc/hobbitserver.cert','r')
Yep, working on adding support for SSL-encrypted connections to the Hobbit server. Server-side is done, client-side needs some re-writing of a module.
There's a decent tutorial on creating your own SSL certificates at http://www.akadia.com/services/ssh_test_certificate.html
Note that this says nothing about certificate validation. Will requiring certificate validation be possible with Hobbit (both client and server-side)?
Although you obviously cannot use it until I get the client-side code finished.
I'll note that on larger deployments, it may be better to generate an internal CA certificate. We use OpenCA (although OpenXPKI is worth a look) for certificates for OpenVPN, Cisco VPN routers and clients, our LDAP servers, our audited shell server and clients etc. It supports enrolment via SCEP (Cisco routers, Cisco VPN client, autosscep or sscep for generic Unix machines).
Regards, Buchan
On Mon, Apr 07, 2008 at 09:54:22AM +0200, Buchan Milne wrote:
On Monday 07 April 2008 07:31:57 Henrik Stoerner wrote:
49:fopen('/home/hobbit/server/etc/hobbitserver.cert','r')
Yep, working on adding support for SSL-encrypted connections to the Hobbit server. Server-side is done, client-side needs some re-writing of a module.
Note that this says nothing about certificate validation. Will requiring certificate validation be possible with Hobbit (both client and server-side)?
Not implemented yet - I want the basic stuff working first. But yes, you will be able to require clients to provide a valid client certificate, and clients to require a valid certificate from the Hobbit server.
There's a decent tutorial on creating your own SSL certificates at http://www.akadia.com/services/ssh_test_certificate.html
I'll note that on larger deployments, it may be better to generate an internal CA certificate. We use OpenCA (although OpenXPKI is worth a look) for certificates for OpenVPN, Cisco VPN routers and clients, our LDAP servers, our audited shell server and clients etc. It supports enrolment via SCEP (Cisco routers, Cisco VPN client, autosscep or sscep for generic Unix machines).
You can use whatever suits you best for generating the certificates. OpenCA is nice - I've only used it with OpenVPN, but it seems OK. Doing it with a couple of shell scripts is also possible once you get the hang of it.
Regards, Henrik
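
The internal-CA approach and certificate validation discussed in this thread, as an added example that is not part of any poster's message and is not Hobbit code: a shell sketch that creates a CA, issues one server and one client certificate, and checks that each chains to the CA. The subject names, file names and scratch directory are made up for illustration and are not Hobbit defaults.

```shell
#!/bin/sh
# Added example: internal CA plus leaf certificates with the openssl CLI.
# All names below (Example Internal CA, *.example.internal, ca.crt, ...)
# are assumptions chosen for this illustration.

# make_pki DIR: create a CA in DIR and issue one server and one client cert.
make_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    # 1. CA key and self-signed CA certificate (the trust anchor).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. For each endpoint: key + CSR, then sign the CSR with the CA key.
    serial=1
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes \
            -subj "/CN=$name.example.internal" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$name.csr" -days 365 \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial "$serial" \
            -out "$dir/$name.crt" 2>/dev/null || return 1
        serial=$((serial + 1))
    done
    # Private keys must not be readable by other accounts.
    chmod 600 "$dir"/*.key
}

# cert_trusted CAFILE CERT: succeed only if CERT chains to CAFILE.
# This is the check a peer performs when certificate validation is required.
cert_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: build the PKI in a scratch directory and check both leaf certs.
demo_dir=$(mktemp -d)
make_pki "$demo_dir" &&
for c in server client; do
    cert_trusted "$demo_dir/ca.crt" "$demo_dir/$c.crt" &&
        echo "$c.crt: chains to ca.crt"
done
rm -rf "$demo_dir"
```

A standalone self-signed certificate, like the one the linked tutorial produces, does not pass `cert_trusted` against this CA, which is why a shared CA makes requiring validation on both sides manageable as the number of hosts grows.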