EDSSL - Security enhancement daemon

Version 0.8.3 is designed to work with SSLeay 0.8.1 and provide
support for Mozilla!

Simply add the following two lines to ~/.netscape/preferences.js

user_pref("network.proxy.ssl", "localhost");
user_pref("network.proxy.ssl_port", 5010);

Define ALLOWILD to allow matching wildcards in X509 Common Names.

READ THE SAMPLE CONFIG FILE FOR DETAILS ON CONFIGURABLE OPTIONS

This is a daemon that is designed to listen on port X for SSL
connections and connect normally to port Y (optionally on another
machine), or the reverse (listen and create an SSL), or to go SSL both
ways as a proxy.

In the first usage, it adds https support to any httpd server, and
snews support to any nntp news server.  It can also proxy telnet so
that a normal telnetd will establish an SSL connection with the telnet
application from SSLeay.

It can be optionally set to ask for user certs, and (with grab) save
them in a file.  It also has a debug option that prints information
about the certs and about each connection as it is made.  If verify is
specified, the connection is only allowed if the oneline value matches
an entry in /etc/ssl.users.

When running, it writes its pid to /var/log/edssl.pid.

Check the sample edssl.conf for example usage (place in /etc to use
after editing).  Many options are settable including the files
mentioned below.

Upon connecting, it will create a file in /var/run named edssl.<pid>.
It will contain one line with several entries.  The first four are of
the form ip_address:port (ip_address in dotted decimal, port in
decimal).  A CGI program can identify its connection by looking
through the entries.  The last entry is the oneline user cert string.

The same line will be written to /var/log/edssl with the time
prepended, but if an error occurs a message will also be appended.
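As an added example (not EDSSL's own code), here is a C routine a CGI program could use to parse one /var/run/edssl.<pid> record (the same line that goes to /var/log/edssl) and then apply the /etc/ssl.users style check that verify performs.  It assumes entries are separated by single spaces and that everything after the fourth ip:port entry is the oneline cert string; the daemon's real separator and any intervening entries are not documented here, and the sample record in the test is constructed.

```c
/* Added example, not EDSSL's own code: parse one /var/run/edssl.<pid>
 * record as a CGI program might, then check the oneline cert string the
 * way "verify" does against a /etc/ssl.users style list.
 * ASSUMPTIONS: entries are separated by single spaces, and everything
 * after the fourth ip:port entry is the oneline cert string. */
#include <stdio.h>
#include <string.h>

struct endpoint { char ip[16]; int port; };
struct edssl_rec { struct endpoint ep[4]; char cert[256]; };

/* Parse "a.b.c.d:port" of exactly n bytes; 1 on success, 0 if malformed. */
static int parse_endpoint(const char *tok, size_t n, struct endpoint *ep)
{
    int used = 0;
    if (sscanf(tok, "%15[0-9.]:%d%n", ep->ip, &ep->port, &used) != 2
        || (size_t)used != n)
        return 0;
    return ep->port >= 0 && ep->port <= 65535;
}

/* Parse a whole record line; return 1 on success, 0 if malformed. */
int parse_edssl_record(const char *line, struct edssl_rec *rec)
{
    const char *p = line;
    int i;
    for (i = 0; i < 4; i++) {
        const char *sp = strchr(p, ' ');
        if (!sp || !parse_endpoint(p, (size_t)(sp - p), &rec->ep[i]))
            return 0;
        p = sp + 1;                      /* advance to the next entry */
    }
    if (strlen(p) >= sizeof rec->cert) return 0;
    strcpy(rec->cert, p);
    rec->cert[strcspn(rec->cert, "\r\n")] = '\0';   /* drop the newline */
    return rec->cert[0] != '\0';
}

/* The "verify" rule: the connection is allowed only if the oneline
 * string exactly matches an entry (in-memory stand-in for /etc/ssl.users). */
int cert_is_listed(const char *oneline, const char *const *users, int n)
{
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(oneline, users[i]) == 0) return 1;
    return 0;
}
```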

If a parameter is specified, it will be the name of the config file
instead of /etc/edssl.conf.

Like most daemons, SIGHUP causes it to reread the config file.  This
will not kill child processes, and won't be recognized until a
connection is in progress.

(It doesn't put itself into the background automatically.  Add a
daemon(0,0) call near the beginning or use & in the invocation).

Each cert line will present that certificate for any connections in
the lines which follow.

NOTE: in most cases, hostnames can be used instead of addresses, so
localhost can replace 127.0.0.1, but the DNS or /etc/hosts or NIS or
other lookup methods must be working, and should be made secure.



AUTOMATICALLY SELECTING SSL or NON-SSL on the same port

use ssl instead of secure, i.e.

ssl 8023 localhost 23

will allow either ssl or non-ssl to connect to 8023, whereas

secure 8023 localhost 23

requires an SSL session.



SSL WRAPPER FOR LYNX:

(EASSL implements just this function, but with all the cert functions.
LXP is only the ssl layer and doesn't send or heavily verify certs)

Add the following to the /usr/(local/)lib/lynx.cfg file (this assumes
it is running on the localhost; if it is on a firewall, replace
localhost with the name or address of the firewall):

https_proxy:http://localhost:4443/
snews_proxy:nntp://localhost:4443/

or set the environment before running lynx:

setenv https_proxy "http://localhost:4443/"
setenv snews_proxy "nntp://localhost:4443/"

Add the following to /etc/edssl.conf (4443 is the port number above,
and 0.0.0.0 means listen on all interfaces.  Note that if it is
running on the local machine, 127.0.0.1 (or "localhost") would be more
secure):

4443 0.0.0.0 0 lynxproxy



TO MANAGE SSL FOR NETSCAPE:

Enter the ip address where nsed is into Netscape's Options... Network
Preferences... Proxies... (Manual) View... Security Proxy: box, and
the port in the Port: box to the right.  Most of these will be set in
the nsed.conf file, but the IP address can be either a local or
external (or any) interface.  For best security, the localhost
address, 127.0.0.1 should be used.

This is an example entry for the edssl.conf file:

8443 127.0.0.1 0 netscape

So 127.0.0.1 and 8443 would be put into the security proxy box.  If
the program is on a firewall, replace 127.0.0.1 with the address of
the port where it should listen, or 0.0.0.0 for all interfaces.

Now, when netscape wants to initiate an SSL connection, it will
contact the proxy that will get the forwarding information and use
SSLeay to establish a secure connection to the outside.  Once this
connection is made, it will establish a second secure connection
between the proxy and Netscape.  It will then pass packets between the
two systems.

You will need to generate a universal certificate.  You will need to
have a local CA authority, and its certificate in Netscape's list (or
you will get a dialog box for each session).  With the local CA, create
a certificate for the local domain with "Common Name" as a single
asterisk - * - which will match all names.  Save this as
/usr/local/ssl/certs/universal.pem (or alter the entry in the
nsed.conf file to where it will be located).  If user certs are to be
requested, ensure the proper entry in the conf file is set, otherwise
point it to any cert.

Also note that any remotely generated certs will be added to
Netscape's database and not to the proxy, which is not where they
belong.  I have a program to generate the spkac structure (included in
upget - my command line browser), but something equivalent should be
in the next (0.6.5) SSLeay, and another, independent browser should be
used to upload it and grab the certs (read the SSLeay docs for details
on genrsa):

genrsa -out mykeys.pem
spkac mykeys.pem "challenge string"

Place this string into the <KEYGEN...> value of the form.

Verisign.com returns an application/x-x509-user-cert as a pkcs7
structure.  Use "pkcs7 -inform DER -print_certs" to extract the certs
as PEM.  The first one is the user cert, the rest are CA certs.



NOTES for reverse connections (reverse, lynxproxy and netscape)

If the hostname does not match the CN of the cert, the connection will
not be forwarded.  Any bad cert will generate a message so that the
Subject Cert Oneline can be copied to /etc/goodcerts (or where the
.conf file points to) to override the error.  Shell expression
expansion is still experimental, so something might not work.
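As an added example (not EDSSL's own code), the hostname-against-CN check described above, written in C with and without the wildcard matching that ALLOWILD enables.  It assumes '*' matches any run of characters, so a CN of a lone asterisk (the universal certificate described earlier) matches every name; EDSSL's actual wildcard semantics may differ.

```c
/* Added example, not EDSSL's own code: decide whether a reverse
 * connection may be forwarded by comparing the peer hostname with the
 * certificate's Common Name.  allow_wild mirrors building with
 * ALLOWILD defined.  ASSUMPTION: '*' matches any run of characters;
 * comparison is case-insensitive because DNS names are. */
#include <ctype.h>
#include <string.h>

/* Case-insensitive match of s against pat, where '*' in pat matches
 * any run of characters (including none). */
static int glob_match(const char *pat, const char *s)
{
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*') pat++;       /* collapse runs of '*' */
            if (!*pat) return 1;             /* trailing '*' matches rest */
            for (; *s; s++)                  /* try every suffix of s */
                if (glob_match(pat, s)) return 1;
            return 0;
        }
        if (!*s || tolower((unsigned char)*pat) != tolower((unsigned char)*s))
            return 0;
        pat++;
        s++;
    }
    return *s == '\0';
}

/* Return 1 if the connection to host may be forwarded under cert CN cn. */
int cn_allows_host(const char *cn, const char *host, int allow_wild)
{
    if (!allow_wild && strchr(cn, '*'))
        return 0;      /* without ALLOWILD a '*' is literal; no hostname has one */
    return glob_match(cn, host);
}
```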

edssl can be socksified if necessary (the security proxy entry will
override the socks proxy entry in netscape).


INSTANT SSL CLIENTS USING LYNX PROXY, such as telnet.

To proxy to a Tim Hudson SSL telnet server, configure the lynx proxy,
and use "telnet proxyhost proxyport" using the same values as the
proxy settings, e.g. "telnet localhost 4443" in the above lynx
example.  Upon connecting, type "GET snews://remote.host:port/"
followed by two returns.  The snews:// proxy simply establishes an SSL
connection to the given port on remote.host (yes, it checks the cert).
(You can omit the "GET", but it does need a space).
