XMLRPC and OpenSSL switch to aes encryption

21 views
Skip to first unread message

Mitchell Carroll

unread,
Feb 21, 2019, 3:02:12 PM2/21/19
to emulab-admins
I have a user that needs to use XMLRPC with our emulab installation.  They've tried to use the web interface to generate their certificate, but it appears to be using des encryption instead of aes, which isn't supported by what they need it for.  Is there a way for me to change the way this works through the web interface, or would I need to generate a key manually on boss?

Thanks,
Mitchell

Leigh Stoller

unread,
Feb 21, 2019, 3:27:15 PM2/21/19
to emulab...@googlegroups.com

> I have a user that needs to use XMLRPC with our emulab installation. They've tried to use the web interface to generate their certificate, but it appears to be using des encryption instead of aes, which isn't supported by what they need it for. Is there a way for me to change the way this works through the web interface, or would I need to generate a key manually on boss?

Looking in account/mkusercert.in, there are several places where we
specify -des3 … you can change this, although that will make it hard
to reuse existing encrypted keys.

Leigh

Mitchell Carroll

unread,
Feb 21, 2019, 4:23:53 PM2/21/19
to emulab-admins
To make this change I would have to edit the file in /usr/testbed/src/testbed, then run configure in the obj directory the same way as in the installation, correct?  Would I only need to do this on boss, or will it complain if it's not the same on ops?

Mitchell

Leigh Stoller

unread,
Feb 21, 2019, 6:16:29 PM2/21/19
to emulab...@googlegroups.com
>
> To make this change I would have to edit the file in /usr/testbed/src/testbed, then run configure in the obj directory the same way as in the installation, correct? Would I only need to do this on boss, or will it complain if it's not the same on ops?

Hi. After you edit the file:

boss> cd /usr/testbed/obj/testbed/account
boss> gmake
boss> sudo gmake install

Thats it.

Leigh













Mitchell Carroll

unread,
Feb 25, 2019, 1:12:31 PM2/25/19
to emulab-admins
I put in the changes but now when we try to generate a new certificate it gives an empty error text and doesn't work, I'm not sure how to find out what's going wrong with it now.

Thanks,

Mitch

Leigh Stoller

unread,
Feb 25, 2019, 1:17:11 PM2/25/19
to emulab...@googlegroups.com
at 10:12 AM, Mitchell Carroll <mitchell....@gmail.com> wrote:

> I put in the changes but now when we try to generate a new certificate it gives an empty error text and doesn't work, I'm not sure how to find out what's going wrong with it now.

You can try this:

boss> wap mkusercert -d -p xxxyyy someuser

and see what it complains about.

Leigh

Mitchell Carroll

unread,
Feb 25, 2019, 2:04:45 PM2/25/19
to emulab-admins
Thanks, that worked!  The output for that was the usage information for the genrsa command, from which I learned I was using the wrong option for aes ( I had '-aes-256-cbc' and the correct form was '-aes256'), I replaced them all and the user was able to generate a new certificate.

Mitch
Reply all
Reply to author
Forward
0 new messages