START_TLS and FORWARD_X patch for GNU inetutils-1.3.2 together with OpenSSL >= 0.9.4 (c) Peter 'Luna' Runestig 1999 - 2002 Interoperability testing by Jeffrey Altman The verify_crl() function by Ralf S. Engelschall This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) This product includes cryptographic software written by Eric Young (eay@cryptsoft.com) START_TLS spec: http://www.ietf.org/internet-drafts/draft-ietf-tn3270e-telnet-tls-04.txt FORWARD_X spec: http://www.ietf.org/internet-drafts/draft-altman-telnet-fwdx-02.txt Patching: $ tar xzf inetutils-1.3.2.tar.gz $ cd inetutils-1.3.2 $ patch -p1 < ../start_tls-telnet.current.patch Or just download and untar the pre-patched tarball. Configuring: Before compiling, the software package must be configured by running the "configure" shell script in the root of the source tree: $ ./configure [--with-openssl-dir=DIR] If your host system doesn't have the 127.0.0.1 ip loop back address, you want to do: $ ./configure --disable-fwdx_loopback If your host system supports unix domain sockets, and it's X client libraries also support it, you might want to do: $ ./configure --enable-fwdx_unix_sock If you don't want the FORWARD_X support at all: $ ./configure --disable-forward_x To see all of the available "configure" options: $ ./configure --help Building: $ make Install: $ make install X509 client authentication in telnetd ------------------------------------- Support for user authentication is possible through the custom function int x509_to_user(X509 *peer_cert, char *userid, int len) in the file src/x509_to_user.c, and by a .tlslogin file in the user's home directory. o tls_userid_from_client_cert() is called and returns a user id or NULL. tls_userid_from_client_cert() calls the site specific function x509_to_user(). o If the environment variable $USER (set by the telnet client by the means of standard telnet options) is _not_ set or equals the user id mapped from the client cert, the user $USER is logged right in. o If $USER is set and differ from the user id mapped from the client cert the function tls_is_user_valid() is called to check $USER's ~/.tlslogin file. That file, if it exist, contains one or more X509 certificates in PEM for- mat. If the client cert is present in the file, the user $USER is logged right in. o If tls_userid_from_client_cert() can't map a user id from the client cert, but the $USER env var is set, tls_is_user_valid() is called to check $USER's ~/.tlslogin file. If the client cert is present in the file, the user $USER is logged right in. o In all other cases, a standard login prompt is presented. The telnetd server tries to use these files by default: telnetd-rsa.pem RSA certificate, may include private key telnetd-rsa-key.pem RSA private key telnetd-dsa.pem DSA certificate, may include private key telnetd-dsa-key.pem DSA private key telnetd-crl.pem Certificate Revokation List telnetd-dhparam.pem DH Parameters (a set of DH params is compiled in) These files is searched for in the following directorys (in this order): * Current working directory of the process. * Specified by the `X509_get_default_cert_dir_env()` environment variable (usually $SSL_CERT_DIR). * `X509_get_default_cert_dir()`, usually (openssl-dir)/certs. * `X509_get_default_private_dir()`, usually (openssl-dir/private. Default CRL directory for the telnetd server is (openssl-dir)/crl. If you don't have any "proper" certificate files (sign by some CA), you might create a self-signed one for testing purposes: $ openssl req -new -x509 -days 365 -nodes -out telnetd-rsa.pem -keyout \ telnetd-rsa-key.pem This creates a cert which is valid 365 days, you might want to adjust that. Hash symlinks for certs: ln -s cert.pem `openssl x509 -hash -noout -in cert.pem`.0 Hash symlinks for CRLs: ln -s crl.pem `openssl crl -hash -noout -in crl.pem`.r0 How to put together a 'cipher list string': Key Exchange Algorithms: "kRSA" RSA key exchange "kDHr" Diffie-Hellman key exchange (key from RSA cert) "kDHd" Diffie-Hellman key exchange (key from DSA cert) "kEDH' Ephemeral Diffie-Hellman key exchange (temporary key) Authentication Algorithm: "aNULL" No authentication "aRSA" RSA authentication "aDSS" DSS authentication "aDH" Diffie-Hellman authentication Cipher Encoding Algorithm: "eNULL" No encodiing "DES" DES encoding "3DES" Triple DES encoding "RC4" RC4 encoding "RC2" RC2 encoding "IDEA" IDEA encoding MAC Digest Algorithm: "MD5" MD5 hash function "SHA1" SHA1 hash function "SHA" SHA hash function (should not be used) Aliases: "ALL" all ciphers "SSLv2" all SSL version 2.0 ciphers (should not be used) "SSLv3" all SSL version 3.0 ciphers "EXP" all export ciphers (40-bit) "EXPORT56" all export ciphers (56-bit) "LOW" all low strength ciphers (no export) "MEDIUM" all ciphers with 128-bit encryption "HIGH" all ciphers using greater than 128-bit encryption "RSA" all ciphers using RSA key exchange "DH" all ciphers using Diffie-Hellman key exchange "EDH" all ciphers using Ephemeral Diffie-Hellman key exchange "ADH" all ciphers using Anonymous Diffie-Hellman key exchange "DSS" all ciphers using DSS authentication "NULL" all ciphers using no encryption Each item in the list may include a prefix modifier: "+" move cipher(s) to the current location in the list "-" remove cipher(s) from the list (may be added again by a subsequent list entry) "!" kill cipher from the list (it may not be added again by a subsequent list entry) If no modifier is specified the entry is added to the list at the current position. "+" may also be used to combine tags to specify entries such as "RSA+RC4" describes all ciphers that use both RSA and RC4. For example, all available ciphers not including ADH key exchange: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP All algorithms including ADH and export but excluding patented algorithms: HIGH:MEDIUM:LOW:EXPORT56:EXP:ADH:!kRSA:!aRSA:!RC4:!RC2:!IDEA The OpenSSL command openssl ciphers -v may be used to list all of the ciphers and the order described by a specific .