query on files under /etc/raddb/certs


query on files under /etc/raddb/certs

SIMON BABY
Hello,

I see the files below are generated under /etc/raddb/certs directory. Can
someone explain to me the usage of these files? Our system is very secure
and we did not want to create certs and keys dynamically.
-rw-r--r-- 1 root 0 4393 Nov  5 18:47 01.pem
-rw-r--r-- 1 root 0 4370 Nov  5 18:47 02.pem
-rw-r----- 1 root 0 6155 Nov  5 18:42 Makefile
-rw-r----- 1 root 0 8714 Nov  5 18:42 README
-rwxr-x--- 1 root 0 2706 Nov  5 18:47 bootstrap
-rw-r----- 1 root 0 1432 Nov  5 18:42 ca.cnf
-rw-r--r-- 1 root 0 1256 Nov  5 18:47 ca.der
-rw-r--r-- 1 root 0 1751 Nov  5 18:47 ca.key
-rw-r--r-- 1 root 0 1757 Nov  5 18:47 ca.pem
-rw-r----- 1 root 0 1103 Nov  5 18:42 client.cnf
-rw-r--r-- 1 root 0 4370 Nov  5 18:47 client.crt
-rw-r--r-- 1 root 0 1045 Nov  5 18:47 client.csr
-rw-r--r-- 1 root 0 1743 Nov  5 18:47 client.key
-rw-r--r-- 1 root 0 2581 Nov  5 18:47 client.p12
-rw-r--r-- 1 root 0 3545 Nov  5 18:47 client.pem
-rw-r--r-- 1 root 0  424 Nov  5 18:47 dh
-rw-r--r-- 1 root 0  229 Nov  5 18:47 index.txt
-rw-r--r-- 1 root 0   21 Nov  5 18:47 index.txt.attr
-rw-r--r-- 1 root 0   21 Nov  5 18:47 index.txt.attr.old
-rw-r--r-- 1 root 0  120 Nov  5 18:47 index.txt.old
-rw-r----- 1 root 0 1131 Nov  5 18:42 inner-server.cnf
-rw-r--r-- 1 root 0  166 Nov  5 18:42 passwords.mk
-rw-r--r-- 1 root 0    3 Nov  5 18:47 serial
-rw-r--r-- 1 root 0    3 Nov  5 18:47 serial.old
-rw-r----- 1 root 0 1125 Nov  5 18:42 server.cnf
-rw-r--r-- 1 root 0 4393 Nov  5 18:47 server.crt
-rw-r--r-- 1 root 0 1062 Nov  5 18:47 server.csr
-rw-r--r-- 1 root 0 1751 Nov  5 18:47 server.key
-rw-r--r-- 1 root 0 2589 Nov  5 18:47 server.p12
-rw-r--r-- 1 root 0 3576 Nov  5 18:47 server.pem
-rw-r--r-- 1 root 0 3545 Nov  5 18:47 [hidden email]
-rw-r----- 1 root 0  708 Nov  5 18:42 xpextensions

Regards
Simon
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: query on files under /etc/raddb/certs

Alan DeKok-2


> On Nov 12, 2020, at 1:43 PM, SIMON BABY <[hidden email]> wrote:
>
> Hello,
>
> I see the files below are generated under /etc/raddb/certs directory. Can
> someone explain to me the usage of these files? Our system is very secure
> and did not want to create certs and keys dynamically.

  There's a README in that directory which explains how to create certificates.  It also explains what the various files are for.

> -rw-r--r-- 1 root 0 4393 Nov  5 18:47 01.pem
> -rw-r--r-- 1 root 0 4370 Nov  5 18:47 02.pem
> -rw-r----- 1 root 0 6155 Nov  5 18:42 Makefile
> -rw-r----- 1 root 0 8714 Nov  5 18:42 README

  Oh look, a "README".  Perhaps it should be read?

  As for your "do not want to create certs and keys dynamically", well, the server doesn't randomly create certificates and keys.  It only does so when you tell it to.

  So.... if you don't want to create certs and keys, then don't create the certs and keys.  It's that simple.

  Alan DeKok.



Re: query on files under /etc/raddb/certs

SIMON BABY
Hi Alan,

Thank you for replying to me. So if I don't need to create certs and keys,
can I delete all those files (to make them more secure by not creating any
cert and key by someone who can hack)? I have some static certs and key
files.

Regards
Simon

On Thu, Nov 12, 2020 at 11:01 AM Alan DeKok <[hidden email]>
wrote:

>
>
> > On Nov 12, 2020, at 1:43 PM, SIMON BABY <[hidden email]> wrote:
> >
> > Hello,
> >
> > I see the files below are generated under /etc/raddb/certs directory. Can
> > someone explain to me the usage of these files? Our system is very
> secure
> > and did not want to create certs and keys dynamically.
>
>   There's a README in that directory which explains how to create
> certificates.  It also explains what the various files are for.
>
> > -rw-r--r-- 1 root 0 4393 Nov  5 18:47 01.pem
> > -rw-r--r-- 1 root 0 4370 Nov  5 18:47 02.pem
> > -rw-r----- 1 root 0 6155 Nov  5 18:42 Makefile
> > -rw-r----- 1 root 0 8714 Nov  5 18:42 README
>
>   Oh look, a "README".  Perhaps it should be read?
>
>   As for your "do not want to create certs and keys dynamically", well, the
> server doesn't randomly create certificates and keys.  It only does so when
> you tell it to.
>
>   So.... if you don't want to create certs and keys, then don't create the
> certs and keys.  It's that simple.
>
>   Alan DeKok.
>
>

Re: query on files under /etc/raddb/certs

Alan DeKok-2
> On Nov 12, 2020, at 2:44 PM, SIMON BABY <[hidden email]> wrote:
>
> Thank you for replying to me. So if, I don't need to create certs and keys
> Can I delete all those files

  If you're not using them, yes.

> (To make them more secure by not creating any
> cert and key by someone who can hack).

  That doesn't make sense.  If you're not using them, it doesn't matter if someone else reads them.  They don't mean anything, and they don't contain any useful information.

> I have some static certs and key
> files.

  You can *look* at those files to see what they are.  There's a Makefile in raddb/certs  which includes targets to print out the contents of the files.  Or, you can use OpenSSL.  These files aren't specific to FreeRADIUS.  They're created with OpenSSL.  So they can be read by OpenSSL.

  If you look at the files, odds are that they will be for "example.com" or "example.org".  Which are web sites *not* owned by you.  So the certs are entirely meaningless, and leaking the contents of these files does nothing.

  I am extremely wary of security theatre.  If you want to delete files you don't use, that's one thing.  But doing so does not make your systems any more secure.

  Alan DeKok.



Re: query on files under /etc/raddb/certs

SIMON BABY
Hi Alan,
When I read the file README it says below content:

This directory contains scripts to create the server certificates.
To make a set of default (i.e. test) certificates, simply type:

$ ./bootstrap

  The "openssl" command will be run against the sample configuration
files included here, and will make a self-signed certificate authority
(i.e. root CA), and a server certificate.  This "root CA" should be
installed on any client machine needing to do EAP-TLS, PEAP, or
EAP-TTLS.

So can someone create a false certificate and key and create a session?
If we delete all these scripts, is it also not possible to create any
certificate, and do we get complete control of where it gets the
certificates and keys?

Regards
Simon

On Thu, Nov 12, 2020 at 1:48 PM Alan DeKok <[hidden email]>
wrote:

> On Nov 12, 2020, at 2:44 PM, SIMON BABY <[hidden email]> wrote:
> >
> > Thank you for replying to me. So if, I don't need to create certs and
> keys
> > Can I delete all those files
>
>   If you're not using them, yes.
>
> > (To make them more secure by not creating any
> > cert and key by someone who can hack).
>
>   That doesn't make sense.  If you're not using them, it doesn't matter if
> someone else reads them.  They don't mean anything, and they don't contain
> any useful information.
>
> > I have some static certs and key
> > files.
>
>   You can *look* at those files to see what they are.  There's a Makefile
> in raddb/certs  which includes targets to print out the contents of the
> files.  Or, you can use OpenSSL.  These files aren't specific to
> FreeRADIUS.  They're created with OpenSSL.  So they can be read by OpenSSL.
>
>   If you look at the files, odds are that they will be for "example.com"
> or "example.org".  Which are web sites *not* owned by you.  So the certs
> are entirely meaningless, and leaking the contents of these files does
> nothing.
>
>   I am extremely wary of security theatre.  If you want to delete files
> you don't use, that's one thing.  But doing so does not make your systems
> any more secure.
>
>   Alan DeKok.
>
>
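Alan's advice above is to *look* at the files with OpenSSL rather than guess what they are, and the README Simon quotes says that `bootstrap` runs `openssl` against the sample `.cnf` files to build a self-signed root CA plus a server certificate, which clients must trust for EAP-TLS/PEAP/TTLS. The script below is an added example, not code from this thread or from FreeRADIUS. Because the real `/etc/raddb/certs` files are not available here, it first constructs its own throwaway CA and server certificate (the names "Constructed Test CA", "radius.example.test" and "Unrelated CA" are made up for the example) and then runs the checks worth doing on any cert/key set: what a file says about itself, whether it chains to the CA you actually distribute to clients, whether a private key belongs to a certificate, and whether it has expired. It assumes only the `openssl` command line tool on PATH; to use it on a real directory, point the helper functions at those files instead.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRADIUS): inspect certificate
# and key files with plain OpenSSL instead of guessing what they are.
set -eu

# --- Helpers: each exits 0 on success so it can be used in an `if` ----------

# Print what a certificate says about itself: who it is for, who issued it,
# and when it is valid.
cert_summary() {
    openssl x509 -noout -subject -issuer -startdate -enddate -in "$1"
}

# Succeed if the subject or issuer contains PATTERN (e.g. "example.com", the
# placeholder names the bootstrap certs usually carry).
cert_name_matches() {
    openssl x509 -noout -subject -issuer -in "$1" | grep -q -- "$2"
}

# Succeed only if CERT chains to the CA in CAFILE.  This is the check a
# supplicant performs on the server certificate, so a certificate signed by a
# CA that clients do not trust gets rejected no matter who produced it.
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if the private key in KEY belongs to CERT, by comparing the
# public key extracted from each.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeed only if CERT remains valid for at least SECONDS more.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# --- Constructed sample PKI, standing in for /etc/raddb/certs ---------------
# Builds a throwaway self-signed CA and a server certificate signed by it,
# which is what the README describes ./bootstrap doing with the sample *.cnf
# files.  All names here are made up for this example.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=radius.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 1 \
        -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -out "$dir/server.crt" 2>/dev/null
    # An unrelated CA, i.e. the "false certificate" Simon asks about: clients
    # configured with ca.pem reject anything it signs.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
}

PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT
make_test_pki "$PKI_DIR"

# Report, the way you would over a real raddb/certs directory.
for f in "$PKI_DIR"/*.pem "$PKI_DIR"/*.crt; do
    echo "== $f"
    cert_summary "$f"
    if cert_signed_by "$PKI_DIR/ca.pem" "$f"; then
        echo "   chains to ca.pem"
    else
        echo "   does NOT chain to ca.pem"
    fi
done
if key_matches_cert "$PKI_DIR/server.key" "$PKI_DIR/server.crt"; then
    echo "server.key belongs to server.crt"
fi
```

The point the checks make concrete is Alan's: a certificate only matters if it chains to a CA that your clients trust and sits next to the private key the server actually loads. A file signed by some other CA, or a leftover key that matches no configured certificate, fails these checks and carries no access to anything.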

Re: query on files under /etc/raddb/certs

Alan DeKok-2
> On Nov 12, 2020, at 5:00 PM, SIMON BABY <[hidden email]> wrote:
>
> When I read the file README it says below content:

  Yes, please post that to the list.  Because we haven't seen it before.

> So can someone create a false certificate and key and create a session?

  I think you didn't read my previous message.

  If someone breaks into your system, then having them read these certificate files is the LEAST of your worries.  Stop worrying about useless things.

  If you want to know how the server uses these files, read the documentation and then the default configuration files.

> If we delete all these scripts also it is not possible to create any
> certificate and we get complete control of where it gets the
> certificates and keys ?

  Yes, because the scripts aren't available anywhere else on the Internet.

  Oh, wait...

  A secure system is *not* created by worrying about random things.  A secure system is created by *understanding* things.

  Right now, you're asking very detailed questions, and not paying attention to the bigger picture.  This is entirely the wrong approach.

  Your questions are irrelevant because they're based on a false understanding of how things work.

  Alan DeKok.



Re: query on files under /etc/raddb/certs

Dan Swartzendruber
Alan is on a roll, here!

On November 12, 2020, at 7:14 PM, Alan DeKok <[hidden email]> wrote:

> On Nov 12, 2020, at 5:00 PM, SIMON BABY <[hidden email]> wrote:
> >
> > When I read the file README it says below content:
>
>   Yes, please post that to the list.  Because we haven't seen it before.
>
> > So can someone create a false certificate and key and create a session?
>
>   I think you didn't read my previous message.
>
>   If someone breaks into your system, then having them read these certificate files is the LEAST of your worries.  Stop worrying about useless things.
>
>   If you want to know how the server uses these files, read the documentation and then the default configuration files.
>
> > If we delete all these scripts also it is not possible to create any
> > certificate and we get complete control of where it gets the
> > certificates and keys ?
>
>   Yes, because the scripts aren't available anywhere else on the Internet.
>
>   Oh, wait...
>
>   A secure system is *not* created by worrying about random things.  A secure system is created by *understanding* things.
>
>   Right now, you're asking very detailed questions, and not paying attention to the bigger picture.  This is entirely the wrong approach.
>
>   Your questions are irrelevant because they're based on a false understanding of how things work.
>
>   Alan DeKok.

