How to sign an email with Mail

Alert! Attention: this article/tutorial is more than 45 days old, so the information it contains may now be out of date. Please read all of the information it contains to make sure this article will work on your system.

FYI Mac OS X 10.3 and up-to-date Mozilla [Firefox] or Safari 1.2.4 or greater are required for this tutorial.
This tutorial updated on 20th October 2005

Digitally signing email is a way to guarantee not only that email is most definitively from you, but also guards against possible spamming claims. Add to this the ability to encrypt messages and it’s clear to see the advantages of signing your email. This tutorial shows how to start signing your email with OS X Mail.

The first part of this tutorial is to request your actual digital certificate. Thanks to the people at Thawte, this is free for everyone, and it is as simple as filling out an online form.

Go to http://www.thawte.com/secure-email/personal-email-certificates/index.html in your browser.

Click the “Join” button at the top right of the page

You will be brought through a fairly standard enrolment process where Thawte take some information about you – state ID number, Passport Number, etc. It should be noted that this is secure and Thawte are trustworthy.

Once you have completed your signup and confirmed your email, you will be asked to login using the email and password you supplied in the enrolment stage.

Once logged in, click “Certificates” in the left menu, on the resulting page click “Request a Certificate” and following that click the button in the main area to request an X.509 format certificate.

In the resulting pop-up window, select “Netscape Communicator or Messenger” and then click Request. Click Next. Choose your email address (one only, if there is more than one) and click Next. Once again click Next, followed by Accept.

Under the Public Key heading be sure to choose 2048 (High Grade) and once again click next. Confirm that everything is correct and click “Finish”.

The next part of this tutorial is actually acquiring your certificate. In the main account area, click “View Certificate Status”. You should see your requested certificate with a status of either pending or issued. If it has been issued, click on it. View the details of the certificate and then click Fetch.

If you are using Mozilla Firefox:
Once Mozilla has received the certificate, go to the Mozilla application menu and click preferences. Choose “Certificates” under the advanced tab and click the button to “Manage Certificates”. You should see your new certificate from Thawte in the list. Select it and click “Backup”. Save this file to your desktop. You can now quit Mozilla.

If you are using Safari:
The file should download to the desktop, or your download folder.

The final part of this tutorial demonstrates how to actually add this new certificate to your keychain so it can be used by Mail. In typical Apple style this is probably the easiest stage. Simply go to your desktop, to where you saved the file from Mozilla, and double click it. Keychain Access will open and ask you which keychain to add it to. Personally I added it to my login one, and for most people this will be perfect – however, if you have advanced keychains feel free to add it where you wish. Quit Keychain Access.

That is basically it. From now on when you compose mail with your address you will see a small tick in the top right. If this is selected the email will be signed. If you have received a signed email off someone, you will be able to reply with an encrypted email. If available you will also see a padlock beside the tick.

From now on, people will receive a “Security: Signed” header when viewing emails from you.

Enabling SSL on Mac OS X 10.1.5


FYI This article was taken from the Apple Developer Connection (ADC) and credit is due entirely to that site.

One script, sign.sh, needs to be downloaded for this process.

Configuring SSL
The first thing you need to do is generate the keys and certifications for the server. This requires using the Terminal. For sanity’s sake, create a directory (Folder) on the desktop called KeyGen.
Start by generating some random data to seed the PRNG (Pseudo Random Number Generator), which is used to generate the keys.
Using the following commands, you will generate a file containing random data:

cd /
openssl md5 * > ~/Desktop/KeyGen/rand.dat

You can view the contents of this new file you’ve created by typing:

less ~/Desktop/KeyGen/rand.dat

You should see something like this:

MD5(Applications)= d41d8cd98f00b204e9800998ecf8427e
MD5(Desktop DB)= 978c9f12cac7a8985d6e9832a48264a4
MD5(Desktop DF)= ff3a2de40b6e6c53d882337bd551d271
MD5(Desktop Folder)= d41d8cd98f00b204e9800998ecf8427e
MD5(Developer)= d41d8cd98f00b204e9800998ecf8427e
MD5(Library)= d41d8cd98f00b204e9800998ecf8427e
MD5(Network)= d41d8cd98f00b204e9800998ecf8427e
MD5(System)= d41d8cd98f00b204e9800998ecf8427e
MD5(TheFindByContentFolder)= d41d8cd98f00b204e9800998ecf8427e
MD5(TheVolumeSettingsFolder)= d41d8cd98f00b204e9800998ecf8427e
MD5(Trash)= d41d8cd98f00b204e9800998ecf8427e
MD5(Users)= d41d8cd98f00b204e9800998ecf8427e
MD5(Volumes)= d41d8cd98f00b204e9800998ecf8427e
MD5(bin)= d41d8cd98f00b204e9800998ecf8427e
MD5(cores)= d41d8cd98f00b204e9800998ecf8427e
MD5(dev)= d41d8cd98f00b204e9800998ecf8427e
MD5(etc)= d41d8cd98f00b204e9800998ecf8427e
MD5(mach)= 1d04c74bca1afc36bddb405b5c61d43e
MD5(mach.sym)= 1d04c74bca1afc36bddb405b5c61d43e
MD5(mach_kernel)= 04b63e48cad1ef442929e3f5f3185b9e
MD5(private)= d41d8cd98f00b204e9800998ecf8427e
MD5(sbin)= d41d8cd98f00b204e9800998ecf8427e
MD5(tmp)= d41d8cd98f00b204e9800998ecf8427e
MD5(usr)= d41d8cd98f00b204e9800998ecf8427e
MD5(var)= d41d8cd98f00b204e9800998ecf8427e

Now, move to the KeyGen directory for the rest of this work.

cd ~/Desktop/KeyGen

Keep in mind that the more you have in a given directory, the longer the rand.dat will be. Feel free to create this file from whatever directory you feel would suit your needs.

Using this random data, you can now create an RSA private key and a CSR (Certificate Signing Request) for your server. An important part of public key cryptography is making sure that the parties involved in a transaction are who they say they are. This is accomplished through a third party — a trusted Certificate Authority (CA). The CA issues cryptographically signed certificates that identify the parties and confirm that the keys belong to them. Generating the CSR is the cryptographic equivalent of filling out a passport application. The CA returns the certificate (like a passport), which is then used for identification and authentication.

You’re going to be self-signing the keys, so you’ll also be creating a CA key for the signature. The keys and certificates you create are purely for testing purposes. If you need to set up a production server, you should send your CSR to a proper CA, such as Verisign, for signing.

To create the RSA private key, issue the following command:

openssl genrsa -des3 -out server.key -rand rand.dat 1024

You will be asked for a passphrase in the creation of this key. Do not forget this passphrase! You’ll have to do this all over if you forget the passphrase. You will need this passphrase later on in the process.

You have just created the “SSLCertificateKeyFile”, as it is called in the httpd.conf — a 1024 bit RSA key encrypted with Triple-DES in PEM format. You’ll be plugging this into the configuration file for Apache soon.

Now you’re ready to create a CSR (Certificate Signing Request), which is what you would normally send to a CA for signing. You’re going to sign it yourself.

openssl req -new -key server.key -out server.csr

You’ll be asked for some information when you start this. Most of it is pretty self explanatory, but one item, in particular, is not. Here’s what you’ll be asked for:

Country Name (2 letter code) [AU]: (enter your country code here)
State or Province Name (full name) [Some-State]: (Enter your state here)
Locality Name (eg, city) []: (enter your city here)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: (enter something here)
Organizational Unit Name (eg, section) []: (enter something here)
Common Name (eg, YOUR name) []: (this is the important one)
Email Address []: (your e-mail address)

The entry for “Common Name” is the one that seems like it should be one thing, but is, in fact, another. For this entry, you want to enter your “Server Name” as it appears in your httpd.conf (which you’ll be modifying soon). As this is just a development environment, you can enter 127.0.0.1, which is the default IP for “localhost”. Now, keep in mind that using 127.0.0.1 is not the same as using “localhost”. The strings either match, or they don’t — Unix is like that.

Looking at your KeyGen directory, you should have this:

[localhost:~/Desktop/KeyGen] bob% ls -la
total 12
drwxr-xr-x   5 bob  staff   126 Sep 14 17:01 .
drwx------  38 bob  staff  1248 Sep 14 16:57 ..
-rw-r--r--   1 bob  staff   970 Sep 14 16:58 rand.dat
-rw-r--r--   1 bob  staff   729 Sep 14 17:01 server.csr
-rw-r--r--   1 bob  staff   963 Sep 14 16:59 server.key

Now you need to create a CA for signing the key. The process is similar to what you’ve just done, but there are some differences.

The first thing you need to do is create a key for your CA. It’s just like your server.key – a Triple-DES encrypted, 1024 bit RSA key.

openssl genrsa -des3 -out ca.key -rand rand.dat 1024

Again, you’ll be asked for a passphrase, which, again, you should not forget.
Now you will create a self-signed CA Certificate using the RSA key you just made.

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

You’ll be asked for the passphrase for the key you just made, and, again, you’ll be asked to enter information about yourself. The main difference is that here, when you are asked for your “Common Name”, you want to enter your name — not the server name or IP address. This certificate is not associated with your server — it’s associated with you. It should look something like this:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:TX
Locality Name (eg, city) []:San Antonio
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bogus CA
Organizational Unit Name (eg, section) []:Bogus CA for Dev
Common Name (eg, YOUR name) []:Bob Davis
Email Address []:bobdavis@mac.com

Now you have 5 files in your directory — a CA key and certificate, a server key and certificate signing request, and the random data collected at the very beginning.

The next step is the important one. This is where you sign the server.key with your ca.crt. This will provide the security assurance that browsers need to establish a secure connection. It provides the identification and verification part of the public key encryption system where the keys themselves provide the mechanism for the encryption and decryption.

The easiest way to do this is to use the sign.sh script contained either in the mod_ssl source you downloaded (it’s in the pkg.contrib sub-directory) or wherever you put it after downloading it by itself.

Copy the script to your working directory and issue the following command:

./sign.sh server.csr

You should get something like this, but with the information you entered for the server.csr:

CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'TX'
localityName          :PRINTABLE:'San Antonio'
organizationName      :PRINTABLE:'Testing'
organizationalUnitName:PRINTABLE:'Testing'
commonName            :PRINTABLE:'127.0.0.1'
emailAddress          :IA5STRING:'bobdavis@mac.com'
Certificate is to be certified until Sep 14 23:09:20 2002 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK

For the questions “Sign the certificate?” and “1 out of 1 certificate requests certified, commit?”, you just need to type “y” (without quotes) and hit enter/return.

Looking at your working directory now, you’ll see that you have a number of new files and directories in KeyGen.

[localhost:~/Desktop/KeyGen] bob% ls -la
total 36
drwxr-xr-x  12 bob  staff   364 Sep 14 18:16 .
drwx------  38 bob  staff  1248 Sep 14 18:12 ..
-rw-r--r--   1 bob  staff  1298 Sep 14 17:55 ca.crt
drwxr-xr-x   3 bob  staff    58 Sep 14 18:09 ca.db.certs
-rw-r--r--   1 bob  staff   111 Sep 14 18:09 ca.db.index
-rw-r--r--   1 bob  staff     3 Sep 14 18:09 ca.db.serial
-rw-r--r--   1 bob  staff   963 Sep 14 17:52 ca.key
-rw-r--r--   1 bob  staff   970 Sep 14 16:58 rand.dat
-rw-r--r--   1 bob  staff  2679 Sep 14 18:09 server.crt
-rw-r--r--   1 bob  staff   729 Sep 14 17:01 server.csr
-rw-r--r--   1 bob  staff   963 Sep 14 16:59 server.key
-rwxr-xr-x   1 bob  staff  1784 Sep 14 17:59 sign.sh

Now, make a directory in your /etc/httpd called ssl.key:

sudo mkdir /etc/httpd/ssl.key

You’ll be prompted for your login password (you have to be in the admin group to use sudo), and the directory will be created.

Move all of the contents of your working directory to the ssl.key directory you just made. In a production system, it would be a very, very bad idea to keep your CA key, certificates and so on on the server. If the security of the server is compromised, the CA key (ca.key, together with ca.crt) could be used to sign certificate signing requests on any machine. In other words, it gives anyone the power to impersonate you on the internet. Since you’re just using this for testing, and the certificates have bogus information in them, it’s not so terribly important. It is worth noting that this practice would be considered irresponsible on a server accessible to the outside world.

sudo cp -r * /etc/httpd/ssl.key/

From now on we will be working in the /etc/httpd directory, so change to that directory:

cd /etc/httpd

One more step — and it’s another step that would not have a place in a production environment, but definitely makes life with your development system better: you’re going to remove the passphrase requirement from the server key by removing its encryption.

As things stand, when you start Apache, you will be prompted for a passphrase to read the private key. While this is fine for those who start and stop Apache manually from the command line every time, it does create some problems for those of us who have Apache (a.k.a. Web Sharing) start up automatically every time the system reboots. The system will hang on startup, patiently waiting for a passphrase that will never come — because there’s no way to enter the passphrase you’ve given the key! You’ll have to either boot into Mac OS 9 or boot into verbose mode to clear this problem if you forget.

Removing the pass phrase requirement is dangerous in a production environment, but acceptable for testing (especially if you enter information in your certificate request that makes it clear that this is a testing certificate, and not for production use).

Enter the following:

cd ssl.key
sudo cp server.key server.key.original
sudo openssl rsa -in server.key.original -out server.key
cd ..

You’ll be asked for your passphrase for both the sudo command (your system passphrase) and the RSA command (the passphrase for the key). Comparing the two files server.key and server.key.original will show that they are now very different and that server.key.original contains a line stating, “Proc-Type: 4,ENCRYPTED”, that the decrypted file lacks.
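The whole KeyGen sequence, from the CA key through to the passphrase-free server key, can be run without any interactive prompts. The script below is an added example and is not part of the ADC article: it reproduces the steps above in a scratch directory, replaces the sign.sh step (which is not reproduced on this page) with the equivalent openssl x509 -req call, and adds the checks a practitioner wants before copying anything into /etc/httpd/ssl.key: that the server certificate verifies against ca.crt, that its Common Name is the ServerName, and that the key really has been decrypted. The key size (2048 rather than the article’s 1024), the subject fields and the passphrase are assumptions chosen for the demo, and it lets openssl seed itself rather than passing -rand rand.dat, since a rand.dat built from directory hashes as above consists almost entirely of the same constant value, as the listing earlier shows.

```shell
#!/bin/sh
# Added example, not part of the ADC article: the KeyGen steps run
# non-interactively, with the signing step the article hands to sign.sh done
# with "openssl x509 -req" instead, plus verification checks. Key size,
# subject fields and the passphrase are assumptions chosen for the demo.
set -eu

# Build ca.key/ca.crt and server.key/server.csr/server.crt under $1,
# encrypting both private keys with passphrase $2 as the article does.
gen_test_pki() {
    dir="$1"; pass="$2"
    mkdir -p "$dir"
    (
        cd "$dir"
        # CA: Triple-DES encrypted RSA key and a self-signed certificate whose
        # Common Name is a person, not a host (the article's "Bogus CA").
        openssl genrsa -des3 -passout "pass:$pass" -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -days 365 -key ca.key -passin "pass:$pass" \
            -out ca.crt \
            -subj "/C=US/ST=TX/L=San Antonio/O=Bogus CA/OU=Bogus CA for Dev/CN=Bob Davis"
        # Server: encrypted key and a CSR whose Common Name must equal the
        # Apache ServerName exactly (127.0.0.1 here, as in the article).
        openssl genrsa -des3 -passout "pass:$pass" -out server.key 2048 2>/dev/null
        openssl req -new -key server.key -passin "pass:$pass" -out server.csr \
            -subj "/C=US/ST=TX/L=San Antonio/O=Testing/OU=Testing/CN=127.0.0.1"
        # What sign.sh does for you: issue server.crt from the CSR, signed by the CA.
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
            -passin "pass:$pass" -CAcreateserial -days 365 -out server.crt 2>/dev/null
    )
}

# The check sign.sh reports as "server.crt: OK": does the chain verify?
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Subject Common Name of a PEM certificate (what must match ServerName).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# True when a PEM private key still carries a passphrase. The article looks
# for "Proc-Type: 4,ENCRYPTED"; newer OpenSSL writes "BEGIN ENCRYPTED PRIVATE
# KEY" instead, and the word ENCRYPTED appears in both forms.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# The article's last step: keep the encrypted original and write a plaintext
# server.key so Apache can start without a passphrase prompt.
strip_passphrase() {
    dir="$1"; pass="$2"
    cp "$dir/server.key" "$dir/server.key.original"
    openssl rsa -in "$dir/server.key.original" -passin "pass:$pass" \
        -out "$dir/server.key" 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    gen_test_pki "$work" demo-passphrase
    echo "server.crt CN: $(cert_cn "$work/server.crt")"
    verify_server_cert "$work"
    echo "server.crt verifies against ca.crt"
    strip_passphrase "$work" demo-passphrase
    key_is_encrypted "$work/server.key" || echo "server.key is now unencrypted"
    rm -rf "$work"
fi
```

Run it as a normal user; nothing touches /etc/httpd. The verify step is the one worth keeping around: if server.crt does not verify against ca.crt, browsers will not be able to build the chain either, however the certificate was produced.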

Now, you have all of the files you need to make mod_ssl work with Apache. But you still need to configure the Apache server to use mod_ssl. Apple’s engineers have thoughtfully provided Apache compiled with EAPI, which allows modules to be included in Apache without recompiling the server. It makes it a lot easier to enable various modules as you need them.

Stop your web server if you haven’t already, either by using the Sharing control panel or through the command line using:

sudo apachectl stop

The file you want to edit is /etc/httpd/httpd.conf. The first thing you want to do is make a backup of the file. Keeping in mind that this directory is owned by root, you will have to use sudo for all of these commands. So, change directories to /etc/httpd and then make a copy of your httpd.conf.

sudo cp httpd.conf httpd.conf.backup

Now edit your httpd.conf file using the editor of your choice. I use emacs, so the instructions here are for emacs.

sudo emacs httpd.conf

You will need to add the following just below where the Listen directive is. If you have any personal Listen directives, comment them out by placing a # in front of the line:

## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##

<IfModule mod_ssl.c>
Listen 443
Listen 80
</IfModule>

Adding these lines tells the server to be aware of traffic on port 80 (the standard HTTP port) and port 443 (the HTTPS port). This allows your SSL aware Apache installation to serve non-secure documents on port 80, while it is serving secure documents on 443.

When you have added the previous directive you need to find the lines that read:

#LoadModule ssl_module libexec/httpd/libssl.so

and a little further down:

#AddModule mod_ssl.c

You need to remove the comments (#) to activate these lines. You can quickly search for these lines by using CMD + s (in emacs) and typing “ssl”.
The two lines should now look like this:

LoadModule ssl_module libexec/httpd/libssl.so

AddModule mod_ssl.c

Now find the “ServerName” directive and make sure it has 127.0.0.1 for its entry.

ServerName 127.0.0.1

Finally, just below the last line of the current httpd.conf, enter the following information which covers some of the global SSL directives and the specific directives for the port based virtual hosts.

<IfModule mod_ssl.c>
# Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# initial Directives for SSL

SSLProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/ssl_mutex
SSLRandomSeed startup builtin
SSLLog /var/log/httpd/ssl_engine_log
SSLLogLevel info
##
## SSL Virtual Host Context
##
<VirtualHost 127.0.0.1:80>
# Just to keep things sane...
DocumentRoot "/Library/WebServer/Documents"
ServerName 127.0.0.1
ServerAdmin bobdavis@mac.com
SSLEngine off
</VirtualHost>
<VirtualHost 127.0.0.1:443>
# General setup for the virtual host
DocumentRoot "/Library/WebServer/Documents"
# ServerName has to match the server you entered into the CSR
ServerName 127.0.0.1
ServerAdmin bobdavis@mac.com
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Path to your certificates and private key
SSLCertificateFile /etc/httpd/ssl.key/server.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/Library/WebServer/CGI-Executables">
SSLOptions +StdEnvVars
</Directory>
# correction for browsers that don't always handle SSL connections well
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/httpd/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfModule>
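The SSLCipherSuite string above is the one the ADC article shipped with, and it is worth reading closely: after ALL it explicitly re-admits +LOW, +SSLv2, +EXP and +eNULL, so the server will negotiate export-grade, low-strength and even NULL (unencrypted) cipher suites with any client that asks. The fragment below is an added example, not part of the article, showing the 443 virtual host with only those two directives tightened for a current Apache 2.4 mod_ssl; it assumes an OpenSSL build that knows TLSv1.2 and TLSv1.3, and leaves the paths, ServerName and everything else as the article has them.

```apache
# Added example, not part of the ADC article: the 443 virtual host with the
# protocol and cipher directives tightened for a current Apache 2.4 mod_ssl.
# Assumes an OpenSSL that supports TLSv1.2 and TLSv1.3.
<VirtualHost 127.0.0.1:443>
    DocumentRoot "/Library/WebServer/Documents"
    ServerName 127.0.0.1
    SSLEngine on

    # As in the article: "ALL" plus "+LOW:+SSLv2:+EXP:+eNULL" explicitly
    # re-admits export-grade, low-strength and NULL (unencrypted) ciphers.
    #SSLProtocol all -SSLv3
    #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # Hardened: TLS 1.2/1.3 only; no anonymous, NULL, export, low/medium,
    # RC4, 3DES or MD5-based suites; the server's preference order wins.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!RC4:!3DES:!MD5
    SSLHonorCipherOrder on

    SSLCertificateFile /etc/httpd/ssl.key/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
</VirtualHost>
```

After any change to httpd.conf, run sudo apachectl configtest before restarting so a typo in a directive does not leave you with a server that will not start.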

At this point, save your document (CTRL-x CTRL-s) and close emacs (CTRL-x CTRL-c).

There are many directives you can add to the SSL configuration for your machine, including extended logging, restrictions on ciphers used, encryption levels, etc. Full documentation is included in the Apache documents provided with Mac OS X (/Library/Documentation/Services/apache_mod_ssl/index.html) or on-line at http://www.modssl.org/.

Now it’s time to start your SSL enabled web server. You have the option of using either the command line or the Sharing control panel to start your web server. Since you have removed the passphrase requirement from your server key, it’s very simple. Either start Web Sharing from the control panel, or type either of the following lines into the command line:

sudo httpd -D SSL
sudo apachectl start

You will be asked for your system password, and you’ll get the output of Apache starting. It’s that simple. If you have Web Sharing set to start at startup it will start normally (this is why we removed the passphrase requirement).

Now test your installation using the browser of your choice. Mozilla provides more information and allows you to accept unknown Certificate Authorities very easily. MicroSuck’s Internet Explorer 5 still has issues with unknown certificate issuers — and will fail authentication.

Using Mozilla, you’ll see the little open lock in the right corner has become a closed, illuminated lock. Success! You have enabled mod_ssl in your MacOS-X development environment.

Top 5 things to do with the Terminal


I have compiled a list of the top 5 things you as a user can do with the terminal in OS X.

Please Note: These commands have been tested and work under OS X 10.1.

5. Who am I?

At number 5 is the who am i function. This is a nice function in case you forget who you are… it’s surprising how many times it really happens.

[localhost:~] jamesnp% who am i
jamesnp ttyp1 Oct 19 18:21

 

4. Instant Calendar

One of my personal favourites of the terminal is the ability to get an accurate calendar of any month/year you choose with the cal function.

[localhost:~] jamesnp% cal
    October 2001
 S  M Tu  W Th  F  S
    1  2  3  4  5  6
 7  8  9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31

 

3. Word Count

Opening a simple text file in AppleWorks or Word is time consuming. Instead you can simply open up your terminal and type wc filename. It returns the number of lines, words and characters in the file.

For example take the following extract from a poem:

I shall be telling this with a sigh
Somewhere ages and ages hence:
Two roads diverged in a yellow wood, and I –
I took the one less travelled by,
And that has made all the difference.

Save the file as poem.

[localhost:~] jamesnp% wc poem
5 37 184 poem

5 lines, 37 words, and 184 characters.

2. Wall

Wouldn’t it be great to send everyone logged on to your computer a little message saying whatever you want? Well… yes, you guessed it; with UNIX you can!

Assume root access. This can be done with su.

Type wall, then type your message. Press Ctrl-D and everyone logged into your machine will get the message!

[localhost:/Users/jamesnp] root# wall

this is a wall message

And everyone logged on gets:

Broadcast Message from jamesnp@localhost
        (/dev/ttyp1) at 18:46 ...

this is a wall message

 

1. kill

Any application ever stopped working in OS X? Not showing up in the Force Quit dialogue, but you know it’s running?

With kill you can kill any application running on the entire system!

First find out what you want to kill, type ps aux. Choose what you want to kill and take note of its PID.

Now type sudo kill 000 where 000 is your PID.

If it still doesn’t quit, add -9, i.e. sudo kill -9 000 where 000 is the PID.