Hi all,
I understand that in order for Stunnel to find a certificate, it has to be renamed to something like xxxxxx.0 (where xxxxxx is obtained by using the "openssl x509" command on the certificate).
Why is this the case? I read somewhere that this helps Stunnel find the certificate quicker (i.e. Stunnel does not need to look at every certificate file before it knows which one it wants).
Can someone provide me a better explanation please?
Is there any way around this? Renaming the certificate file in such a manner causes confusion when searching for the certificate of a particular client...
Cheers. Paul
On Mon, Jul 04, 2005 at 10:49:06AM +1000, Paul Jones wrote:
> Hi all,
> I understand that in order for Stunnel to find a certificate, it has to be renamed to something like xxxxxx.0 (where xxxxxx is obtained by using the "openssl x509" command on the certificate).
> Why is this the case? I read somewhere that this helps Stunnel find the certificate quicker (i.e. Stunnel does not need to look at every certificate file before it knows which one it wants).
> Can someone provide me a better explanation please?
> Is there any way around this? Renaming the certificate file in such a manner causes confusion when searching for the certificate of a particular client...
This is more related to openssl than stunnel. You can use openssl's c_rehash tool to create the proper symbolic links to all certificates in a directory.
Will c_rehash work on Windows?
Also, if anyone can give me a detailed explanation (or a website that does) of this process, and why it is necessary, I would be very grateful.
Cheers. Paul
From: Vasil Dimov vd@datamax.bg
Reply-To: vd@datamax.bg
To: Paul Jones jonesy_boy10@hotmail.com
CC: stunnel-users@mirt.net
Subject: Re: [stunnel-users] Certificate renaming
Date: Mon, 4 Jul 2005 08:48:55 +0300
> On Mon, Jul 04, 2005 at 10:49:06AM +1000, Paul Jones wrote:
> > Hi all,
> > I understand that in order for Stunnel to find a certificate, it has to be renamed to something like xxxxxx.0 (where xxxxxx is obtained by using the "openssl x509" command on the certificate).
> > Why is this the case? I read somewhere that this helps Stunnel find the certificate quicker (i.e. Stunnel does not need to look at every certificate file before it knows which one it wants).
> > Can someone provide me a better explanation please?
> > Is there any way around this? Renaming the certificate file in such a manner causes confusion when searching for the certificate of a particular client...
> This is more related to openssl than stunnel. You can use openssl's c_rehash tool to create the proper symbolic links to all certificates in a directory.
Hi,
> Will c_rehash work on Windows?
I think it will work, but that it will make copies of the certificates instead of symbolic links. However, it might as well do nothing. (Depends on how it will handle creation of symbolic links which don't exist on Windows)
> Also, if anyone can give me a detailed explanation (or a website that does) of this process, and why it is necessary, I would be very grateful.

It is an optimization to find the certificate quicker. If the SSL library is presented with a certificate it will need to find the matching file to verify the certificate. If there is no hashing done, it will need to open every file and read its contents until it finds the right one. If you hash the filenames with the certificate the library can find the right file using the directory entry and only needs to open one file. With only a couple of files, this doesn't make much of a difference, but if you have thousands of certificates, it will make a huge speed difference.

There are other hashing schemes that could have been implemented and that might be more friendly to the administrator. For example some other libraries use the hostnames as hash values and sort in directories. My certificate for sokrates.vanenckevort.net would then be stored under net/vanenckevort/sokrates.pem. However the OpenSSL authors have chosen to use a flat structure that is quicker with up to a few thousand certificates, but it does have the disadvantage you mentioned that it is harder to maintain, especially on systems that do not support symbolic links.
Ciao, David
"Paul Jones" jonesy_boy10@hotmail.com wrote:
> Will c_rehash work on Windows?
No, it won't.
> Also, if anyone can give me a detailed explanation (or a website that does) of this process, and why it is necessary, I would be very grateful.
The easiest option is to use CAfile instead of CApath.
Alternative solution:
1. Determine the hash of the certificate:
   C:\stunnel\capath>openssl x509 -hash -noout -in some_certificate.pem
   a4644b49
2. Copy your certificate to the new name derived from the hash value:
   C:\stunnel\capath>copy some_certificate.pem a4644b49.0
Best regards, Mike
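The following script is an added example, not code from the thread and not OpenSSL's own c_rehash. It generalises Mike's two manual steps to a whole directory and makes David's point about lookup concrete: each certificate is installed under HASH.N, where HASH is the output of "openssl x509 -hash" and N is the first free suffix, so two certificates whose subjects hash to the same value (a renewed CA certificate, for instance) end up as HASH.0 and HASH.1 and the library only opens those candidates rather than every file. The "copy" mode does what Mike describes for systems without symbolic links; "link" mode does what c_rehash does. It assumes the openssl command is on the PATH and that certificate files end in .pem; the function names are mine. One caveat worth knowing: OpenSSL 1.0.0 changed the subject-hash algorithm, so a CApath built with an older release has to be rehashed after an upgrade (the old value is still available as -subject_hash_old).

```shell
#!/bin/sh
# Added example: a portable stand-in for c_rehash (assumed: openssl on PATH).
# Installs every *.pem in DIR as HASH.N, where N is the first free suffix,
# either as a symbolic link ("link") or a plain copy ("copy").

# Print the subject hash of a certificate file, e.g. a4644b49.
cert_hash() {
    openssl x509 -hash -noout -in "$1"
}

# If some HASH.N in DIR already holds FILE's content, print that name.
existing_entry() {
    dir=$1; file=$2; hsh=$3; n=0
    while [ -e "$dir/$hsh.$n" ]; do
        if cmp -s "$dir/$hsh.$n" "$file"; then
            echo "$hsh.$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Install one certificate under its hash name and print the name used.
rehash_cert() {
    dir=$1; file=$2; mode=${3:-link}
    hsh=$(cert_hash "$file") || return 1
    # Idempotent: a second run must not create a duplicate entry.
    if name=$(existing_entry "$dir" "$file" "$hsh"); then
        echo "$name"
        return 0
    fi
    # Colliding subjects get .1, .2, ... instead of overwriting .0.
    n=0
    while [ -e "$dir/$hsh.$n" ]; do n=$((n + 1)); done
    if [ "$mode" = copy ]; then
        cp "$file" "$dir/$hsh.$n"
    else
        ln -s "$(basename "$file")" "$dir/$hsh.$n"
    fi
    echo "$hsh.$n"
}

# Rehash every *.pem in DIR; prints one "HASH.N <- file" line per cert.
rehash_dir() {
    dir=$1; mode=${2:-link}
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        name=$(rehash_cert "$dir" "$f" "$mode") || return 1
        echo "$name <- $(basename "$f")"
    done
}

# Lookup side of the scheme: the only files a verifier needs to open for
# a given subject hash are HASH.0, HASH.1, ... until the first gap.
candidates() {
    dir=$1; hsh=$2; n=0
    while [ -e "$dir/$hsh.$n" ]; do
        echo "$dir/$hsh.$n"
        n=$((n + 1))
    done
}
```

Usage is `rehash_dir /path/to/capath copy` (or `link`); afterwards `openssl verify -CApath /path/to/capath client.pem` finds the issuer through the hashed name, and `candidates /path/to/capath a4644b49` shows which files that lookup would touch.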