Full download ebooks at https://ebookmeta.

com

OpenSSL Cookbook The Definitive Guide to the

Most Useful Command Line Features 3rd edition
Ivan Risti■

For dowload this book click link below

https://ebookmeta.com/product/openssl-cookbook-the-
definitive-guide-to-the-most-useful-command-line-
features-3rd-edition-ivan-ristic/

OR CLICK BUTTON

DOWLOAD NOW
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

OpenSSL Cookbook 3rd Edition Ivan Risti■

https://ebookmeta.com/product/openssl-cookbook-3rd-edition-ivan-
ristic/

Efficient Linux at the Command Line: Boost Your

Command-Line Skills 1st Edition Daniel J. Barrett

https://ebookmeta.com/product/efficient-linux-at-the-command-
line-boost-your-command-line-skills-1st-edition-daniel-j-barrett/

Take Control of the Mac Command Line with Terminal 3rd

Edition Joe Kissell

https://ebookmeta.com/product/take-control-of-the-mac-command-
line-with-terminal-3rd-edition-joe-kissell/

Spice Mix Cookbook: The Definitive Guide to Every Spice

Mix (2nd Edition) Booksumo Press

https://ebookmeta.com/product/spice-mix-cookbook-the-definitive-
guide-to-every-spice-mix-2nd-edition-booksumo-press/
JavaScript JSON Cookbook Over 80 recipes to make the
most of JSON in your desktop server web and mobile
applications 1st Edition Ray Rischpater

https://ebookmeta.com/product/javascript-json-cookbook-
over-80-recipes-to-make-the-most-of-json-in-your-desktop-server-
web-and-mobile-applications-1st-edition-ray-rischpater/

The Linux Command Line A Complete Introduction 2nd

Edition William Shotts

https://ebookmeta.com/product/the-linux-command-line-a-complete-
introduction-2nd-edition-william-shotts/

The Linux Command Line A Complete Introduction Second

Edition William Shotts

https://ebookmeta.com/product/the-linux-command-line-a-complete-
introduction-second-edition-william-shotts/

Command-Line Rust 1st Edition Ken Youens-Clark

https://ebookmeta.com/product/command-line-rust-1st-edition-ken-
youens-clark/

The Linux Command Line A Complete Introduction 2d

edition William E. Shotts

https://ebookmeta.com/product/the-linux-command-line-a-complete-
introduction-2d-edition-william-e-shotts/
 THIRD
EDITION

OPENSSL
COOKBOOK
The Definitive Guide to the Most
Useful Command Line Features

Ivan Ristić
Last update: Thu Feb 17 04:24:43 GMT 2022 (build 766)
OpenSSL Cookbook
Ivan Ristić
OpenSSL Cookbook
by Ivan Ristić
Third edition (build 766). Published in February 2022.
Copyright © 2022 Feisty Duck Limited. All rights reserved.

First edition published in May 2013.

Feisty Duck Limited

www.feistyduck.com
[email protected]

Technical reviewer: Matt Caswell

Production editor: Jelena Girić-Ristić
Copyeditors: Melinda Rankin, Nancy Wolfe Kotary

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or
by any means, without the prior permission in writing of the publisher.
The author and publisher have taken care in preparation of this book, but make no expressed or implied warranty of any kind and
assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection
with or arising out of the use of the information or programs contained herein.
Table of Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Feedback v
Acknowledgments vi
About Bulletproof TLS and PKI vi
About the Author vii
1. OpenSSL Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Getting Started 1
Determine OpenSSL Version and Configuration 2
Building OpenSSL 3
Examine Available Commands 5
Building a Trust Store 7
Key and Certificate Management 8
Key Generation 8
Creating Certificate Signing Requests 12
Creating CSRs from Existing Certificates 14
Unattended CSR Generation 14
Signing Your Own Certificates 15
Creating Certificates Valid for Multiple Hostnames 15
Examining Certificates 16
Examining Public Certificates 17
Key and Certificate Conversion 20
Configuration 23
Obtaining Supported Suites 24
Understanding Security Levels 25
Configuring TLS 1.3 26
Configuring OpenSSL Defaults 28
Recommended Suite Configuration 29
Generating DH Parameters 31
Legacy Suite Configuration 31

iii
 Performance 36
Creating a Private Certification Authority 39
Features and Limitations 40
Creating a Root CA 40
Creating a Subordinate CA 47
2. Testing TLS with OpenSSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Custom-Compile OpenSSL for Testing 51
Connecting to TLS Services 52
Certificate Verification 56
Testing Protocols That Upgrade to TLS 57
Extracting Remote Certificates 57
Testing Protocol Support 58
Testing Cipher Suite Configuration 59
Testing Cipher Suite Preference 61
Testing Named Groups 62
Testing DANE 64
Testing Session Resumption 65
Keeping Session State across Connections 66
Checking OCSP Revocation 67
Testing OCSP Stapling 69
Checking CRL Revocation 70
Testing Renegotiation 72
Testing for Heartbleed 74
Determining the Strength of Diffie-Hellman Parameters 77

iv
Preface
For all its warts, OpenSSL is one of the most successful and most important open source
projects. It’s successful because it’s so widely used; it’s important because the security of large
parts of the Internet infrastructure relies on it. The project consists of a high-performance
implementation of key cryptographic algorithms, a complete TLS and PKI stack, and a com-
mand-line toolkit. I think it’s safe to say that if your job has something to do with security,
web development, or system administration, you can’t avoid having to deal with OpenSSL
on at least some level. The majority of the Internet is powered by open source products, and
most of them rely on OpenSSL.
This book covers two ways in which OpenSSL can be used. Chapter 1, OpenSSL Command
Line, will help users who need to perform routine tasks of key and certificate generation, and
configure programs that rely on OpenSSL for TLS functionality. This chapter also discusses
how to create a complete private CA, which is useful for development and similar internal
environments. Chapter 2, Testing TLS with OpenSSL, focuses on server security testing using
OpenSSL. Although sometimes time consuming, this type of low-level testing can’t be avoided
when you wish to know exactly what’s going on.
Both chapters are borrowed from my larger work, called Bulletproof TLS and PKI. I decided
to publish the OpenSSL chapters as a separate free book because there is a severe lack of good
and easily available documentation. As is often true for complex and long-lived projects, the
OpenSSL documentation you can find on the Internet is often wrong and outdated.
Besides, publishers often give away one or more chapters in order to show what the book is
like, and I thought I should make the most of this practice by not only making the OpenSSL
chapters free, but also by committing to continue to maintain and improve them over time.
So here they are.

Feedback
Reader feedback is always very important, but especially so in this case, because this is a living
book. In traditional publishing, often years pass before reader feedback goes back into the
book, and then only if another edition actually sees the light of day (which often does not

v
happen for technical books, because of the small market size). With this book, you’ll see new
content appear in a matter of days. Ultimately, what you send to me will affect how the book
will evolve.
The best way to contact me is to use my email address, [email protected]. Sometimes I
may also be able to respond via Twitter, where you will find me under the handle @ivanristic.

Acknowledgments
This is a short book, but it’s packed with technical information. As a result, there are ample
opportunities for mistakes. I am very grateful to Matt Caswell for his help in keeping the mis-
takes away. Matt, who is a member of the OpenSSL development team, joined me as technical
reviewer for the third edition.
Various people have written to me with their thoughts and corrections. They, too, made this
book better. I extend my thanks to Brian Howson, Christian Folini, Jeff Kayser, Martin Car-
penter, Michael Reschly, Karsten Weiss, Olivier Levillain, and Stephen N. Henson.
My special thanks goes to my copyeditor, Melinda Rankin. She has been a pleasure to work
with, as always.

About Bulletproof TLS and PKI

Bulletproof TLS and PKI is the book I wish I had back when I was starting to use SSL. I don’t
remember when that was exactly, but it was definitely very early on, back when you still had to
patch Apache to get it to support SSL. What I do remember is how, in 2005, when I was writing
my first book, Apache Security, I started to appreciate the complexities of cryptography. I even
began to like it.
In 2009 I started to work on SSL Labs, and for me, the world of cryptography began to unravel.
Fast-forward a decade, and in 2020 I am still learning. Cryptography is a unique field in which
the more you learn, the less you know.
In supporting SSL Labs users over the years, I realized that there was a lot written on SSL/TLS
and PKI, but that the material generally suffered from two problems: (1) all you need is not
in one place, making the little bits and pieces (e.g., RFCs) difficult to find, and (2) most of it
is too detailed and low level. Many documents are also obsolete. I tried to make sense of it all
and it took me years of work and study to even begin to understand the ecosystem.
Bulletproof TLS and PKI addresses the documentation gap. It’s a practical book that starts with
a gentle introduction and a solid theory background, but then moves to discuss everything
you need for your daily work. It also provides deep coverage of certain key aspects, for example
protocol attacks. For those who want even more, there are hundreds of references to research
papers and other external resources.

vi Preface
About the Author
Ivan Ristić writes computer security books and builds security products. His book Bulletproof
TLS and PKI, the result of more than a decade of research and study, is widely recognized
as the de-facto SSL/TLS and PKI reference manual. His work on SSL Labs made hundreds
of thousands of web sites more secure. Before that, he created ModSecurity, a leading open
source web application firewall.
More recently, Ivan founded Hardenize, a platform for continuous security monitoring that
provides free assessments to everyone. He’s a member of Let’s Encrypt’s technical advisory
board.

About the Author vii

1 OpenSSL Command Line
OpenSSL is the world’s most widely used implementation of the Transport Layer Security
(TLS) protocol. At the core, it’s also a robust and a high-performing cryptographic library
with support for a wide range of cryptographic primitives. In addition to the library code,
OpenSSL provides a set of command-line tools that serve a variety of purposes, including
support for common PKI operations and TLS testing.
OpenSSL is a de facto standard in this space and comes with a long history. The code initially
began its life in 1995 under the name SSLeay,1 when it was developed by Eric A. Young and
Tim J. Hudson. OpenSSL as a separate project was born in 1998, when Eric and Tim decided
to begin working on a commercial SSL/TLS toolkit called BSAFE SSL-C. A community of
developers picked up the project and continued to maintain it.
Today, OpenSSL is ubiquitous on the server side and in many client programs. The com-
mand-line tools are also the most common choice for key and certificate management. When
it comes to browsers, OpenSSL also has a substantial market share, albeit via Google’s fork,
called BoringSSL.
OpenSSL used to be dual-licensed under OpenSSL and SSLeay licenses. Both are BSD-like,
with an advertising clause. With version 3.0, released in September 2021, OpenSSL simplified
its licensing by moving to Apache License v2.0.

Getting Started
If you’re using one of the Unix platforms, getting started with OpenSSL should be easy; you’re
virtually guaranteed to have it already installed on your system. Still, things could go wrong.
For example, you could have a version that’s just not right, or there could be other tools (e.g.,
LibreSSL) configured to respond when OpenSSL is invoked. For this reason, it’s best to first
check what you have installed and resort to using a custom installation only if absolutely
necessary. Another option is to look for a packaging platform. For example, for OS X you

1
The letters “eay” in the name SSLeay are Eric A. Young’s initials.

1
could use Brew or MacPorts. As always, compiling something from scratch once is rarely a
problem; maintaining that piece of software indefinitely is.
In this chapter, I assume that you’re using a Unix platform because that’s the natural envi-
ronment for OpenSSL. On Windows, it’s less common to compile software from scratch be-
cause the tooling is not readily available. You can still compile OpenSSL yourself, but it might
take more work. Alternatively, you can consider downloading the binaries from the Shining
Light Productions web site.2 If you’re downloading binaries from multiple web sites, you need
to ensure that they’re not compiled under different versions of OpenSSL. If they are, you
might experience crashes that are difficult to troubleshoot. The best approach is to use a single
bundle of programs that includes everything that you need. For example, if you want to run
Apache on Windows, you can get your binaries from the Apache Lounge web site.3

Determine OpenSSL Version and Configuration

Before you do any work, you should know which OpenSSL version you’ll be using. TLS and
PKI continue to develop at a fairly rapid pace, and you may find that what you can do is limited
if your version of OpenSSL doesn’t support them. Here’s what I get for version information
with openssl version on Ubuntu 20.04 LTS, which is the system that I’ll be using for the
examples in this chapter:
$ openssl version
OpenSSL 1.1.1f 31 Mar 2020

At the time of writing, OpenSSL 1.1.1 is the dominant branch used in production and has
all the nice features. On older systems, you may find a release from the 1.1.0 branch, which
is fine because it can be used securely with TLS 1.2, but it won’t support modern features,
such as TLS 1.3. In the other direction is OpenSSL 3.0, which introduces a major update of
the libraries, with substantial architectural changes and a switch to the Apache License 2.0 for
better interoperability with other programs and libraries. The command-line tooling, which
is what I am covering in this chapter and the next, should be pretty much the same. That
said, every release—and especially the major ones—is very likely to change the tools’ behavior,
often in subtle ways. When you’re changing from one branch to another, it’s worth going
through the change documentation to understand what the differences might be.

Note
Although you wouldn’t know it from looking at the version number, various oper-
ating systems often don’t actually ship the exact official OpenSSL releases. More of-
ten than not, they contain forks that are either customized for a specific platform
or patched to address various known issues. However, the version number generally

2
Win32/Win64 OpenSSL (Shining Light Productions, retrieved 19 July 2020)
3
Apache 2.4 VS16 Windows Binaries and Modules (Apache Lounge, retrieved 18 September 2021)

2 Chapter 1: OpenSSL Command Line

 stays the same, and there is no indication that the code is a fork of the original project
that may have different capabilities. Keep this in mind if you notice something un-
expected.

To get complete version information, use the -a switch:

$ openssl version -a
OpenSSL 1.1.1f 31 Mar 2020
built on: Mon Apr 20 11:53:50 2020 UTC
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 …
-fdebug-prefix-map=/build/openssl-P_ODHM/openssl-1.1.1f=. -fstack-protector-strong …
-Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE…
_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 …
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM …
-DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES…
_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG …
-Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

I don’t suppose that you would find this output very interesting initially, but it’s useful to know
where you can find out how your OpenSSL was compiled. Of special interest is the OPENSSLDIR
setting, which in my example points to /usr/lib/ssl; it will tell you where OpenSSL looks
for its default configuration and root certificates. On my system, that location is essentially an
alias for /etc/ssl, Ubuntu’s main location for PKI-related files:
lrwxrwxrwx 1 root root 14 Apr 20 11:53 certs -> /etc/ssl/certs
drwxr-xr-x 2 root root 4096 May 14 21:38 misc
lrwxrwxrwx 1 root root 20 Apr 20 11:53 openssl.cnf -> /etc/ssl/openssl.cnf
lrwxrwxrwx 1 root root 16 Apr 20 11:53 private -> /etc/ssl/private

The misc/ folder contains a few supplementary scripts, the most interesting of which are the
scripts that allow you to implement a private certification authority (CA). You may or may
not end up using it, but later in this chapter I will show you how to do the equivalent work
from scratch.

Building OpenSSL
In most cases, you will be using the system-supplied version of OpenSSL, but sometimes there
are good reasons to use a newer or indeed an older version. For example, if you have an older
system, it may be stuck with a version of OpenSSL that does not support TLS 1.3. On the
other side, newer OpenSSL versions might not support SSL 2 or SSL 3. Although this is the

Building OpenSSL 3
right thing to do in a general case, you’ll need support for these older features if your job is
to test systems for security.
You can start by downloading the most recent version of OpenSSL (in my case, 1.1.1g):
$ wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz

The next step is to configure OpenSSL before compilation. For this, you will usually use
the config script, which first attempts to guess your architecture and then runs through the
configuration process:
$ ./config \
--prefix=/opt/openssl \
--openssldir=/opt/openssl \
no-shared \
-DOPENSSL_TLS_SECURITY_LEVEL=2 \
enable-ec_nistp_64_gcc_128

The automated architecture detection can sometimes fail (e.g., with older versions of
OpenSSL on OS X), in which case you should instead invoke the Configure script with the
explicit architecture string. The configuration syntax is otherwise the same.
Unless you’re sure you want to do otherwise, it is essential to use the --prefix option to install
OpenSSL to a private location that doesn’t clash with the system-provided version. Getting
this wrong may break your server. The other important option is no-shared, which forces
static linking and makes self-contained command-line tools. If you don’t use this option,
you’ll need to play with your LD_LIBRARY_PATH configuration to get your tools to work.
When compiling OpenSSL 1.1.0 or later, the OPENSSL_TLS_SECURITY_LEVEL option configures
the default security level, which establishes default minimum security requirements for all
library users. It’s very useful to set this value at compile time as it can be used to prevent
configuration mistakes. I discuss security levels in more detail later in this chapter.
The enable-ec_nistp_64_gcc_128 parameter activates optimized versions of certain frequent-
ly used elliptic curves. This optimization depends on a compiler feature that can’t be auto-
matically detected, which is why it’s disabled by default. The complete set of configuration
options is available on the OpenSSL wiki.4

Note
When compiling software, it’s important to be familiar with the default configuration
of your compiler. System-provided packages are usually compiled using various
hardening options, but if you compile some software yourself there is no guarantee
that the same options will be used.5

4
Compilation and Installation (OpenSSL, retrieved 12 August 2020)
5
Hardening (Debian, 3 August 2020)

4 Chapter 1: OpenSSL Command Line

If you’re compiling a version before 1.1.0, you’ll need to build the dependencies first:
$ make depend

OpenSSL 1.1.0 and above will do this automatically, so you can proceed to build the main
package with the following:
$ make
$ make test
$ sudo make install

You’ll get the following in /opt/openssl:

drwxr-xr-x 2 root root 4096 Jun 3 08:49 bin

drwxr-xr-x 2 root root 4096 Jun 3 08:49 certs
drwxr-xr-x 3 root root 4096 Jun 3 08:49 include
drwxr-xr-x 4 root root 4096 Jun 3 08:49 lib
drwxr-xr-x 6 root root 4096 Jun 3 08:48 man
drwxr-xr-x 2 root root 4096 Jun 3 08:49 misc
-rw-r--r-- 1 root root 10835 Jun 3 08:49 openssl.cnf
drwxr-xr-x 2 root root 4096 Jun 3 08:49 private

The private/ folder is empty, but that’s normal; you do not yet have any private keys. On the
other hand, you’ll probably be surprised to learn that the certs/ folder is empty too. OpenSSL
does not include any root certificates; maintaining a trust store is considered outside the scope
of the project. Luckily, your operating system probably already comes with a trust store that
you can use immediately. The following worked on my server:
$ cd /opt/openssl
$ sudo rmdir certs
$ sudo ln -s /etc/ssl/certs

Examine Available Commands

OpenSSL is a cryptographic toolkit that consists of many different utilities. I counted 48 in
my version. If there was ever an appropriate time to use the phrase Swiss Army knife of cryp-
tography, this is it. Even though you’ll use only a handful of the utilities, you should familiar-
ize yourself with everything that’s available because you never know what you might need in
the future.
To get an idea of what is on offer, simply request help:
$ openssl help

The first part of the help output lists all available utilities. To get more information about a
particular utility, use the man command followed by the name of the utility. For example, man

Examine Available Commands 5

ciphers will give you detailed information on how cipher suites are configured. However, man
openssl-ciphers should also work:

Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dhparam
dsa dsaparam ec ecparam
enc engine errstr gendsa
genpkey genrsa help list
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand rehash
req rsa rsautl s_client
s_server s_time sess_id smime
speed spkac srp storeutl
ts verify version x509

The help output doesn’t actually end there, but the rest is somewhat less interesting. In the
second part, you get the list of message digest commands:
Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 gost md4
md5 rmd160 sha1 sha224
sha256 sha3-224 sha3-256 sha3-384
sha3-512 sha384 sha512 sha512-224
sha512-256 shake128 shake256 sm3

And then in the third part, you’ll see the list of all cipher commands:
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 seed seed-cbc seed-cfb

6 Chapter 1: OpenSSL Command Line

 seed-ecb seed-ofb sm4-cbc sm4-cfb
sm4-ctr sm4-ecb sm4-ofb

Building a Trust Store

OpenSSL does not come with a collection of trusted root certificates (also known as a root store
or a trust store), so if you’re installing from scratch you’ll have to find them somewhere else.
One possibility is to use the trust store built into your operating system, as I’ve shown earlier.
This choice is usually fine, but the built-in trust stores may not always be up to date. Also, in
a mixed environment there could be meaningful differences between the default stores in a
variety of systems. A consistent and possibly better choice—but one that involves more work
—is to reuse Mozilla’s work. Mozilla put a lot of effort into maintaining a transparent and
up-to-date root store for use in Firefox.6
Because it’s open source, Mozilla keeps the trust store in the source code repository:
https://hg.mozilla.org/releases/mozilla-beta/file/tip/security/nss/lib/ckfw…
/builtins/certdata.txt

Unfortunately, its certificate collection is in a proprietary format, which is not of much use to
others as is. If you don’t mind getting the collection via a third party, the Curl project provides
a regularly updated conversion in Privacy-Enhanced Mail (PEM) format, which you can use
directly:
http://curl.haxx.se/docs/caextract.html

If you’d rather work directly with Mozilla, you can convert its data using the same tool that
the Curl project is using. You’ll find more information about it in the following section.

Note
If you have an itch to write your own conversion script, note that Mozilla’s root
certificate file is not a simple list of certificates. Although most of the certificates are
those that are considered trusted, there are also some that are explicitly disallowed.
Additionally, some certificates may only be considered trusted for certain types of
usage. The Perl script I describe here is smart enough to know the difference.

At this point, what you have is a root store with all trusted certificates in the same file. This
will work fine if you’re only going to be using it with, say, the s_client tool. In that case, all
you need to do is point the -CAfile switch to your root store. Replacing the root store on a
server will require more work, depending on what operating system is used.
On Ubuntu, for example, you’ll need to replace the contents of the /etc/ssl/certs folder.
Ubuntu ships with a tool called update-ca-certificates that might work. Alternatively, you

6
Mozilla CA Certificate Store (Mozilla; 9 August 2020)

Building a Trust Store 7

Another random document with
no related content on Scribd:
 "Very glad; it is so nice for us."

"It will not be nice for me; I shall not wish to see him; I
don't remember him."

"But, dear Tom, he is your brother, and so kind, and

when you know him, you will love him."

"No, mamma, I shall not," he answered quietly;

"nothing makes any difference to me. They will all be off for
walks away from me. No; I wish he were not coming."

Mrs. Arundel could not keep back a sigh, and Tom was
quick to perceive it. He hated himself for his petulance, and
yet he felt unable to overcome it.

"You must watch for them coming up the lane, dear,"

she said, trying to speak cheerfully; "and when you first
hear them or see them, give a sound on your little whistle
and I will come out."

"All right!" said Tom, with a trifle more energy. And then
finding he could look up into the trees with his telescope, he
began to adjust it, and Mrs. Arundel went indoors.

Tom was the first to hear the sound of the approaching

party, and in his excitement gave a very shrill whistle, which
brought his mother running out long before anything was to
be seen.

But in a few minutes, they came within sight over the

brow of the little hill. Nellie, looking the picture of
happiness, leaning on the arm of a sunburnt, pleasant
young man of about twenty-two, who was laughing and
talking, and holding Isabel by his disengaged hand.
 The others were conveying his bag, umbrella, &c.; for
Walter certainly should not have anything to carry this first
day.

He came forward quickly when he saw his stepmother,

and kissed her affectionately; and before Tom had time to
object, he had stooped and kissed him also, saying with a
sweet smile, "Ah, Tom! Here's somebody come that will be
able to push you along finely!"

Tom looked astonished, and then a little ashamed as his

eyes rested on his mother's face. And her touched and
grateful smile set him thinking even in that moment of
arrival how it was that his mother could love him so much.
He thought he would ask her some day.

After tea nobody seemed inclined to walk down into the

town again, so they gathered round their mother and Walter
in the orchard. And with the sweet air blowing up gently
from the sea, and the scent of the flowers coming over from
the garden, he explained to them how it was that he came
so suddenly, and what were his plans.

"I should not have taken you by surprise if I could have

helped it; but one of the partners of our firm was coming
over on business, and was thrown from his horse and
seriously hurt at the last moment. They were obliged to
send someone trustworthy, and luckily fixed on me; so with
only twenty-four hours' notice I was off, instead of him, in
the steamer in which his passage was taken."

"Jolly!" said Arthur.

"Very," answered Walter, smiling; "for I should not have

come in such style on my own account."
 "How long are you likely to be able to stay?" asked Mrs.
Arundel. "Or perhaps you do not know?"

"I think three clear months. So, as my father tells me

you are here for a month, if you will have me, I have come
to stay."

"Indeed we will," said Mrs. Arundel; "and shall only be

too delighted."

"I have brought something for all of you to do!"

"Have you?" said Arthur. "What sort of thing?"

"Ah! I am going to leave you in uncertainty till the day

after to-morrow."

"What an age!" exclaimed Ada. "But, after all, I do not

expect it will be anything nice to do."

Nellie looked pained. "I dare say it will, Ada; Walter

would not propose anything disagreeable."

"We shall see," said Ada.

"I am sure it will be nice," said Isabel; "for Walter looks

so kind!"

"Dear little girl!" he said. "I am glad you trust me."

 CHAPTER VII.
WALTER'S TREAT.

"WHO likes donkey rides?" asked Walter the next

morning.

Plenty of voices answered, "Oh, I do!"

"Who has heard of Melton Castle, three miles from

here?"

"I think we all have," said mamma.

"Who likes rolled tongue and pickled salmon?"

"What nonsense!" exclaimed Ada. "You are only trying

to take us in. Though there are donkeys and Melton Castle,
there are certainly no rolled tongue and pickled salmon."

"Are there not? So much you know, Miss Ada."

"But, Walter, you should not tell them your bill of fare so
early in the day," said Nellie, laughing.
 "Well, anyone who likes all these dainties combined,
must be at this door at half-past eleven precisely."

"What for?" asked Netta with wide-open eyes.

"You will see. By the bye, Netta, do you like a saddle or

a chair?"

"A saddle, of course," answered Netta with dignity;

"should not you, Isabel? That is, if you mean for a donkey
ride."

"But what are you going to do, Walter?" asked Arthur;

"but I guess."

"A picnic!" growled Walter in a sepulchral tone.

They all laughed joyfully.

"But mamma, how can she go? And Tom?"

"All arranged for. You shall behold at half-past eleven,"

said Walter.

"I believe Nellie is in the secret," said Ada a little

jealously.

"Nellie is always in all my secrets," said Walter, smiling

at her.

Nellie blushed with pleasure; but she only said, "But

mamma is in the secret too."

"Of course," said Isabel; "nothing could be done without

mamma."

Before half-past eleven the children were all assembled;

and five minutes before that time, six donkeys came up and
took their stand near the door.

The children counted and counted, but could not make

out how six would be enough to "go round." Walter was
lying under a tree in the orchard, and all he did was to
laugh at all their questions and leave them unanswered.

Still, he kept his eye on them all, and when an open

carriage drove up, he leapt from the ground and hurried
across the road.

"Nellie is going to condescend to a donkey," he said,

laughing, "and so I shall choose the best for her."
 Next came Arthur and Ada,
and the riding party were all ready.

She came out at the moment, and he mounted her first

of all. And then Dolly was placed in a little arm-chair; Netta
and Isabel, with their curls dancing in the sunshine, had
saddles; but Walter had discovered there were some to be
obtained with a sort of hoop round them, and with these
they seemed delighted.

Next came Arthur and Ada, and the riding party were all
ready.
 Mrs. Arundel, Tom, and the baby, with the two servants
and two hampers, were packed into the carriage.

"Where are you going to ride?" asked Isabel anxiously.

"Oh, I walk! No donkeys for me, thank you," answered

Walter; "my legs are too long."

"So they are," said Dolly; "they would touch."

Mrs. Ross and Alfy came to the door to see them off.
The carriage started at the pace of the donkeys, Walter
generally walking by Nellie, and holding Dolly's bridle.

Shouts, screams, and laughter filled the air as the

donkeys jogged their riders up and down. Tom leaned as far
as he dared to see the merry party, and could not help
enjoying their pleasure, though he kept on telling himself "it
was very hard."

Arthur managed to urge his donkey alongside of the

carriage. "Where are the 'goodies'?" he asked mysteriously
of his mother.

She pointed to the coachman's seat.

"Pickled salmon?"

His mother laughed. "No questions, sir," she said.

By-and-by the ruins of the old castle appeared against

the sky, and very soon the carriage pulled up at a low
boundary-wall, after which they would have to walk.

Tom's perambulator had been fastened to the back of

the carriage, and he was now placed on it. The coachman
and the donkey-boy were engaged to carry the hampers up
the hill for them, and Walter took Tom in charge; while
shawls, rugs, and baskets occupied most of the others.

They found the hill in the burning sun rather fatiguing,

but were rewarded when they reached the top by finding
that part of the inside of the castle was in deep shade, and
that overhanging the moat there were two fine old trees,
which looked very inviting. Baskets, wraps, and hampers
were quickly deposited, and the young people soon spread
over the ruins in every direction.

Mrs. Arundel, with Nellie's help, aided by the two

servants, now began to unpack the hampers. Tom, very
interested, lay looking at them, suggesting where the
viands were to be put.

"Who lent you the cloth?" he asked.

"It is one of ours, from home," said his mother.

"I am so thirsty!" he said, as he saw sundry bottles of

water and lemonade lifted out.

"Wait till they come, dear," said his mother.

The servants had a little "nursery table," as Mrs.

Arundel called it, spread at a short distance for baby and
Dolly; but on this at present was laid nothing but some very
tempting-looking rolls, with some tarts and cakes. As to
Tom, he felt so dreadfully hungry that he held his whistle in
his hand, only waiting a word from his mother to give the
promised signal.

"Now, dear," said Mrs. Arundel, "we are all ready."

And before she had time to finish the sentence, Tom

gave a whistle, which woke the echoes and brought the
hungry party trooping back.

"You can do something, you see," said Nellie, smiling.

"Well, I declare," said Arthur, walking round the table-

cloth, and surveying the viands. "Here's a spread! Well
done, mother!"

"It is 'well done, Walter,'" said Mrs. Arundel; "more than

half this came from London!"

"Pickled salmon, tongue, chickens, tarts, salad, rolls,

blanc-mange, cakes, lemonade, and a lot more! Well done,
Walter!"

"I'm glad you are satisfied; now then to enjoy it. But
first we will ask a blessing." He raised his hat reverently,
and calling to Dolly to be still a moment, he thanked God
for giving them all this pleasure.

Mrs. Arundel said she should begin by helping the

"nursery table," and sent a goodly supply by Arthur, who
was head waiter. After that they all fell to, and did ample
justice to all that Walter and Mrs. Arundel had prepared.

"There is no water left, Nellie," said Netta. "What shall

we do? I am so thirsty."

"I know where we can get some more," said Ada. "I saw
a little cottage down the other side, and there was a board
up, 'Water or tea to be obtained here.'"

"Capital!" said Walter. "Where are the empty bottles?"

"We will fetch it, won't we, Arthur?" said Ada, jumping
up.
 "All right," said Arthur, taking a last bite of a nice tart.
"And look here, mother, I don't think I have quite finished.
Don't you clear it all away!" And with a laugh, he and Ada
scampered off.

"Supposing we sing to pass away the time," suggested

Walter.

"Mamma can sing," said Isabel, "and so can Nellie."

"Well, perhaps they will sing a duet first."

They willingly complied; and the sweet sound filled the

old ruin, and seemed to float away on the wind. Walter lay
with closed eyes; and when they had finished, no one spoke
for a moment.

"Now you sing," said Dolly, getting up from her little

table, and trotting round to her eldest brother.

He started up. "I? Well I will sing a funny one; and then
when the others come we will see if we can sing something
all together."

"Mamma," said Ada, when they came back breathless,

and Nellie was pouring out the cool fresh water, "it is such a
nice little cottage, and such a nice woman; she has a table
under a great mulberry tree; and she said, 'Should we want
tea? Because of putting on the water.'"

"Yes; we will go down there presently and tell her. I

thought I had heard there was a cottage."

"So nice!" said Ada.

Arthur sat down by his mother and pretended he had

not finished dinner; but after one more tart, he protested
the run had taken away his appetite, and turned from the
table.

"We were going to have some more singing," said Mrs.

Arundel.

"Oh, that was what we heard!" answered Ada. "We

could not think what it was."

"What shall we sing, Walter?" asked Mrs. Arundel. "See,

I have a few hymn sheets here. The first is, 'O God, our
help in ages past.'"

"That is dear papa's favourite," said Mrs. Arundel; "how

I wish he were here!"

"Yes," said Ada, sighing; "I often think of him all alone,
only it spoils one's pleasure so to think about it."

"We will sing it, then, in remembrance of him," said

Walter.

Mary, the nurse, sang a nice second, and they all drew
together into one circle, and the familiar words sounded
wonderfully sweet with all the voices.

On the back of this hymn sheet was printed another, on

hearing the name of which Dolly exclaimed: "That's my
hymn; we'll have that now!"

Everybody was willing, and the voices rose in "There is

a happy land, far, far away!"

When Dolly's hymn was finished, they all dispersed.

Simmons told Mrs. Arundel that she would clear up the
dinner things, and see to their being packed safely. Baby
had fallen asleep; Tom's eyes looked heavy; so leaving the
spot where they had dined, Mrs. Arundel and Ada, followed
by Netta and Isabel, walked down to the cottage to see
about tea. Arthur began to climb the old castle walls; and
Nellie and Walter found a little nook half way up the old
tower, from which they could see the sea, and enjoy a really
cosy chat—the first quiet time the brother and sister had
yet had.

"Oh, Walter," said Nellie, looking up in his face, "I am so

glad to see you again!"

"Dear Nellie!" he answered, putting his arm round her,

and drawing her to him. "So am I. And how have you been
getting on these three years? You were almost a little girl
when I left, and now you are quite a little woman."

"Yes, nineteen," said Nellie gravely.

"I do not think I need ask how you have been getting
on; your face, your whole life, shows that it is well with
you."

"Yes; Walter, I am very happy. I have plenty to do—

teaching the little ones, helping mamma, and all that; but it
is happy work, and they do all love me so."

"I am sure they do," he answered warmly; "and I know

by your letters that you, like myself, have found our
Saviour, Nellie, during these three years; or been found of
Him, for I am afraid we should never have looked for Him, if
He had not looked for us first."

"No, I suppose not, Walter. It was your going away that

led me. Oh, I was so miserable at first! And then, when I
was reading one day, those words in the gospel of John
seemed to shine out from the page:
 "'Thy brother shall rise again.'

"And then I thought, Walter, that, whatever you might

do, I was not sure of rising again; and this increased my
unhappiness tenfold. So I went back to my chapter to see if
the words were there, and then there flashed out on me a
new sentence:

"'I am the resurrection, and the life: whoso

believeth on Me shall never die.

"I think those words rang in my ears for more than a

week, and then—somehow—so wonderfully, God in His
mercy helped me to believe on Him."

"Yes, darling, it is very wonderful, and so kind of our

Father to draw us both at the same time. And you have no
secrets, Nellie?" he asked, looking in her sweet face.

"No; how should I?" she answered, surprised. "I always

tell you everything, Walter."

He pressed her closely. "You are a dear, dear little

sister!" he said.

Tea at the cottage was another pleasure. It was spread

on a long narrow table, under the shade of the mulberry
tree. The woman produced cream and milk and mulberries,
besides as much boiling water as they required.

All were very glad of their tea, and the chat was very
merry. Tom was propped up as high as possible, and pushed
close up to the table, and for once felt himself one of the
party. His eyes shone with pleasure, and his mother thought
the sea air must be doing him good. He even stretched out
one of his little thin hands to help pass the cups to his
mamma, and all looked delighted at the success with which
he managed it.

When they were nearly through tea, Walter said, with a

meaning look, "Well, now I want to know what you are all
doing."

"Doing!" echoed Ada. "Why enjoying ourselves."

Still, he looked at them with the same enquiring glance;

and then, not getting any exact reply, he said, "Now, I'll
begin with the youngest."

"That's baby!" said Dolly, who was sitting next him.

"Well baby can't answer," said Arthur, "so I'll answer for
him: 'Eats and sleeps.'"

"Good. Now, Dolly, what do you do?"

"Do as I am told," said Dolly deliberately.

The others laughed. And Netta and Isabel began

blushing and hanging their heads in anticipation of their
turns coming.

"And you?" he said, looking towards them.

"Play with our dolls, and dig, and help Dolly over the
shingle."

"And you, Tom dear?"

"Lie here," said Tom, gruffly.

 "Ah, the hardest of all!" said Walter compassionately.
"But we shall see, Tom."

"And you, Arthur?"

"I'm like Dolly—do as I am bid!"

"I daresay!" said Walter. "And now you, Ada?"

"Walk, and dig, and carry baby, and sleep, and eat, and
bathe, and enjoy myself."

"Now it is Nellie's turn!" they all burst out.

"Well, Nellie?" said Walter affectionately.

Nellie blushed. "I don't know, Walter, but I guess what

you mean, and I should like to do anything I could."

"I should think, if you really mean sensible duties," said

Arthur, "that Nellie has no need to be ashamed, as she is
always helping everybody, and being just as kind as she can
be."

"Arthur always praises me," said Nellie; "but now,

Walter, we will question you. What are you going to do?"

"Ah, that's it, is it? Well and good; but I do not mean to
tell you that to-day. Is that hard? I am only going to give
you a hint, which will last you till to-morrow to think about.
I shall not even explain a word about it, and just leave you
this text to think of. I will tell you my little plans to-
morrow."

He drew from his pocket a well-worn little Bible, and

turning over the leaves soon found these words: "'Ye are
not your own. For ye are bought with a price: therefore
glorify God in your body, and in your spirit, which are
God's.'"

* * * * * *

After tea, Walter proposed a game at rounders. Ada and

Arthur were capital players; Netta and Isabel were not to be
despised; and the game went on with great spirit. Nellie
said she would rather watch, and she held the baby while
the nurse and Simmons did the final packing up; and then
she sent them to explore the castle.

At seven o'clock the carriage and the donkeys came up

the road leading to the cottage, and Tom was told to give a
loud whistle to collect the party. The advent of the donkeys
was a fresh delight. The children did not need much telling
as to which steed to choose. They were soon off; the
donkeys were on their homeward road, and knew it; and
the children had plenty of jogging before they had done.
Bump, bump, they went, until Nellie said she should be too
stiff to walk to-morrow. Ada and Arthur declared they did
not mind a bit, and let the animals go at any pace they
chose; only sorry that they soon distanced the others, and
had to bump along without the pleasant sympathy of fellow-
sufferers. It was all fun, however, and perhaps the greatest
enjoyment of that enjoyable day.

By the time all reached the farm, they were pretty well
tired out. Tom was carried up to his mother's room, and she
and Simmons quickly and tenderly undressed him, and laid
him in his little bed. Nurse meanwhile did the same for her
baby; Dolly had a few tears, but denied that she was the
least tired. Nevertheless, before Nellie had well tucked her
up, she was fast asleep. The rest were glad to take arm-
chairs, sofas, or stools, and to rest quietly; while Mrs.
Arundel took out the interesting book she was reading to
them and offered to begin.

"You are as tired as anybody, mamma?" said Ada,

yawning.

"No; I have not been shaken to pieces by a delightful

donkey!" answered Mrs. Arundel. "I can easily read, if you
all like. We will have supper early, and go to bed soon.
Netta and Isabel, do you care to sit up?"

"Oh, yes, please mamma! We would not miss that book

for anything!"

"Very well; just one chapter then."

CHAPTER VIII.
SETTING TO WORK.
 WHEN Walter and Arthur were returning together next
morning from their early bath, Walter referred to the
conversation of the previous evening.

"Have you thought at all about it, Arthur?" he asked.

"On and off I have thought about that sort of thing for a
good while," said Arthur, reddening; "but I do not quite see
what you want me to do now."

"That I am going to explain to you all after breakfast;

but there is one thing that comes first by rights, and that is
to remember the opening words of our text."

"'Ye are not your own,'" assented Arthur.

"Yes; not our own at all. Servants to do the will of

another. Are you His or your own, dear Arthur?"

"I should like to be His, but I don't know yet," answered

the boy in a low tone.

"'Ask, and ye shall receive,'" said Walter earnestly; and

no more was said till they reached the farm.

When the children assembled at breakfast, to their

surprise they found a text, nicely painted, pinned by its four
corners to their dining room wall. They could all see it, for it
was large; they could all read it, for it was plain: "Ye are not
your own. For ye are bought with a price: therefore glorify
God in your body, and in your spirit, which are God's."

"Who did it?" said Ada.

"I guess," said Isabel, looking at her eldest brother.

 "It is a message for you all," said mamma gently. "But
now, dears, to breakfast, and we can talk about the text
afterwards."

When the first clatter of knives and forks had subsided,

and the cups had been filled the second time, Walter began
to explain his plans.

"You all know that there are many children down here,
come like yourselves for a summer holiday. Of these many,
no doubt, are from Christian families, and have been taught
about God and the Bible as you have. But there are others
who have heard very little of Jesus, or having heard, have
not cared. Should we not like to reach even one of these
children who have never heard?"

Several sympathising eyes were raised to Walter's.

"I know we should; but I see the question on your lips—

How? Well, there are several ways; but the way that seems
easiest to me is to try and gather them together on the
sands, and tell them about Jesus."

"Oh, I have read of that!" said Nellie, "But could you,

Walter?"

"I think we could manage it all together."

"I could not do anything," said Ada decidedly; "I should

hate to be seen going about like that."

"Yes, I know it needs a little bit of self-denial at first;

but if we remember our text, that will help us," he
answered, glancing at the opposite wall.

"But we can't preach," said Arthur; "and you said you

had something for us all to do."
 "So I have. Nellie can sing, Ada can sing, so can Isabel
and Netta a little; the rest can give round hymn papers,
invite the children, and join in looking pleased and happy to
see them come."

"I can't," said Ada; "for I shall dislike it extremely."

"We shall see," answered her brother patiently;

"meanwhile, Ada, think of our text, dear, and try not to say
anything to discourage the others. And then we must pray."

"Pray?" said Arthur.

"For God's blessing on what we do; for His help to get

the children together; for His Holy Spirit to send the arrow
to the dear little hearts. When we get to the beach, I will
set you all to work. I have brought some hymn sheets with
me."

Nellie felt the responsibility great of being considered

"able to sing," And as they all with beating hearts walked
down to the shore, she said to her brother, "I am afraid you
count on me too much. I can start the tune, or I will try to,
but my voice is not very loud, and if the children do not
catch it up, I am afraid—"

"Don't be afraid," said Walter; "it will be sure to be all

right, and someone will be there, I daresay, who will help.
Think of our text."

Nellie smiled, reassured, and they soon reached the

beach, where Walter set the children to work to make a
circle on the sand. Tom's little carriage was wheeled into
one side of it, and while the children were diligently digging
a trench round the circle, Walter took a cane and wrote on
the smooth sand in the centre what he called "their text."
 When this was done, he began inviting a few children
who stood near to help them. "We are going to have a little
service," he said, "only lasting half an hour, and we want
you to come and sing a few hymns; will you?"

Some of the children stared; others turned away; but

one or two, who had seen the same sort of thing at other
places, joined very heartily, and the circle was soon made,
and some of the children began seating themselves with
their feet in the trench.

Mrs. Arundel had her camp stool close to little Tom, and
she too would be able to help the singing.

They were to begin at half-past eleven. The hymn

sheets were handed round; and when Walter had given out
in a clear voice the number, and read one verse of "A
charge to keep I have," Nellie in rather trembling tones set
the tune.

If Ada had not loved Nellie she told herself that she
would not have joined, but in order to help her sister she
did her best. And before the end of the first verse, the
children took it up, and the hymn went well to the end.

Nellie found a lovely voice helping, close behind her, but

was too nervous to turn; but when they all sat down she
caught a glimpse of Miss Arbuthnot's dress, and guessed it
was she who had sung so sweetly.

"Walter said we should find someone," thought Nellie

thankfully; but she had no time to think more, for Walter,
who was standing close to the upper end of the little circle,
began in his pleasant voice—

"Now, children, can you all read our teat? It is upside

down to a few of you; but see, I have written it so as to be
read by those at the bottom, and I know it by heart. Let me
see if you can all say it after me—'Ye are not your own. For
ye are bought with a price: therefore glorify God in your
body, and in your spirit, which are God's.'

"Now I shall only keep you half an hour altogether; and

as we are going to sing two hymns there will not be too
much time, so I hope you will all be very attentive, and be
able to tell your mammas every word I say.

"'You are not your own!' Now whom do you belong to?"

He paused, and looked round the little circle.

"Some of you will say, I belong to mamma; some of you

will say, I belong to papa, or to my grandparents, or to
whoever has the charge of you. But whom do you belong
to?

"It says here—can you read it?—'Your body and your

spirit are God's.' Yes, you belong to God; therefore you
must serve Him! Some of you love to please those who
have the charge of you. Now do you not? How nice it is to
hear one who loves you say, 'That is a good boy!' 'That is a
good girl!' Yes, I know you do. But much, much more you
will like to hear God say to you, 'Well done, good and
faithful servant!'

"YOU BELONG TO GOD! This is what I want you to

remember to-day!

"There was once a little boy—he was a slave in South

America—whose master was very hard and cruel, often
having him beaten when he had done no harm, and
teaching him many cruel and wicked ways.
 "One day a traveller came to this hard master's
plantation. He was driven to take shelter there while a
swarm of locusts passed over. His horse refused to go a
step further, and turning in at the gate, he asked if he might
remain there for a few hours. Leave was readily given; for
people are very hospitable in South America, and this little
slave was sent forward to put the stranger's horse in the
stable.

"The traveller noticed the miserable plight of the poor

boy, and gave him a kind word, at which the boy looked up
astonished. He pitied the little slave, and afterwards,
conversing with the master of the plantation, offered to buy
him.

"'What, Harry?' said the master. 'He is a rascal, as idle

as can be! But if you want him you shall have him, at my
price; but you'll repent it!'

"The traveller paid the price, and by-and-by went out to

find his horse and his slave. The boy was lying under a
verandah; not attempting to work, but thinking how he
could be idle, and yet avoid a fresh beating.

"The traveller strolled up to him. 'Harry,' he said, 'why

do you not work?'

"'No good working, massa,' answered the boy sullenly.

'Harry work, gets a beating; Harry no work, gets beating
too. So Harry please 'self, and no work.'

"'But I want you to untie my horse,' said the traveller.

"'Yes, massa,' said the boy, rousing himself a little at

the mild tone; 'I get your horse for you.'

"'But you are mine, Harry; I have bought you!'

 "'Yours, massa?' said the boy, leaping up. 'Yours? Why
me not know dat; me do anything in worl' for you, massa!'

"The traveller smiled. 'Will you, Harry? And why will you
do anything in the world for me?'

"''Cause massa's kind,' said the boy huskily; ''cause

massa say nice words; 'cause massa's bought me from my
cruel old massa!'

"Yes, children, you are not your own; you are bought
with a price! What price? Is it money? No! Something much
more precious than money! What can it be?

"God has plenty of money, but that would not do for

you! He had only one precious thing that would do to buy
you! What was it? For He gave it! The Bible says, 'Bought
with the precious blood of Christ!' It was His own only Son!
Yes; He gave His Son for all of you! Will you spring up as
Harry did, and say to God, 'I did not know that; I will do
anything in the world for you'?

"Now all repeat our text once more: 'Ye are not your
own. For ye are bought with a price: therefore glorify God in
your body, and in your spirit, which are God's.'"

By this time quite a little group had gathered together;

but most of the inner circle had been too absorbed to
notice. They now sang another hymn, which was well taken
up; and after two or three words of prayer to ask God's
blessing, the little party broke up, just as the clock near the
beach struck twelve.

"Was it so very dreadful?" Walter said to Ada; but she

turned away hastily, and would have nothing to say about
it.
 The children now dispersed to their digging or bathing;
Walter and Arthur pushed Tom off on a promised
expedition; and Miss Arbuthnot sat down by Nellie and Mrs.
Arundel.

"Thank you for helping us so nicely," said Nellie. "We all

felt it rather an ordeal, never having done such a thing
before; but—"

"So it was; and it only shows what may be done with a

little courage."

"Yes; and Walter has so much. He is truly brave."

"Your brother?"

"My own dear brother!"

CHAPTER IX.
 CHRISTINA.

THREE months before this, two visitors were sitting in

one of the large houses in South Bay. The blinds were
down, and the room, though large and handsome, seemed
dull and cheerless.

"Dear father," said the girl, addressing the old man

tenderly, "you will feel better for a cup of tea."

"No, my dear, I think not," he answered quietly.

"To please me, dear father," she still persisted.

And the old man allowed her to persuade him into

drinking half a cup, but he would not eat or come to the
table.

Christina ate a slice of bread and butter mechanically,

and swallowed her tea, and had an almost guilty feeling
when she felt less unutterably desolate than she had done
half an hour ago.

Her mother had died early in the afternoon. As yet the

real desolation had not swept over her. That would be,
perhaps, when she had ministered all she could to her
bereaved father, and came to lay her head on her pillow at
night. Yes; the sorrow must wait till then.

She seated herself again by the arm-chair, and softly

stroked her father's hand. She felt anxious about him. He
had given way to no sorrow, had not, broken down in any
way; but she thought he looked exceedingly pale, and there
was a gravity about him which she did not quite like.
 He soon took her hand in his, with a mute intimation
that he did not wish to be stroked. And after a long silence,
he said gravely, "Christina, my child, I do not think it will be
long ere I follow your mother home."

"Dear father," she answered deprecatingly, "do not say

so; you will feel better soon, I hope."

"I do not say it lightly, my dear; nor can I tell you why I
think so; but I feel assured of it."

Christina's heart gave a strange leap, and she felt

powerless to say anything to break the spell, as it were, of
her father's words. It was like walking with her eyes open
over a frightful precipice. She shuddered.

"My dear child," he continued quietly, "you have been a

good daughter to us—God bless you!—now I want to leave
a few directions with you in case it should be as I think it
will. You will have enough to live on; plenty for you, and a
friend to take care of you. Christina, I should like you to ask
your aunt Mary to come and live with you. Promise me."

Christina, even in that bitter hour, felt a certain

repugnance to comply with her father's wish in this respect;
but how could she hesitate? She would have time to talk it
over with him another day—not now; oh, not now!

So she promised. "Anything you wish, my precious

father!" she said, with anguish in her voice.

"I do wish it; I know it will be best—for a few years at

any rate, my child."

They sat on in deep silence for some time longer. Then

he spoke again; but this time the voice was not grave and
authoritative, but loving and simple: "Christina, your
mother and I have loved each other for forty years. We
have never been separated for a single day; we have
walked hand in hand all our pilgrimage; she has gone just a
little way in front, and I am following. My dear, let no one
think I am following her. Oh, blessed, blessed truth!

"'He calleth His own sheep by name, and

leadeth them out.'

"It is Jesus we follow, my dear. He has taken her this

afternoon across the water, and He tells me He thinks it is
time for me to go too. But if He did not, my dear, I should
have to wait; yes, wait patiently for the Lord.

"My child," he said again, clasping her hand tightly, "you

must wait for the Lord! I had hoped we should all welcome
Him together when He came; but He knows best!"

As the room darkened, Christina's desolation crept over

her. She still believed her dear father would feel better to-
morrow; but, oh, why could not she raise her head and
trust in her God? What was this anguish at her heart which
made her shudder to think she should never, never hear her
mother's voice again? All the tenderness that she had
received from her, all her own waywardness in past times,
all the sins of her youth, flashed over her mind.

"Closed for ever," she said to herself; "that book can

never be opened again."

The room grew darker still. She ventured to chafe the

fingers of the loved hand she held. He did not respond; and
she rose to light the gas, feeling for the first time that
perhaps she ought to speak to the doctor about her father's
low condition. But the fingers did not yield as usual to her
movement, and, terrified, she called him over and over
again. Then she stooped and kissed his forehead; it was
cold; and at that moment she knew that he too had been
safely carried through the dark river, and landed on the
other side.

When supper-time had passed, and the maid at last

entered the room, the sight that met her eyes remained
printed on her memory for many a long day. In the arm-
chair sat the dear old gentleman who had won all their
hearts, and kneeling before him, with her arms tightly
clasped round his neck, and her face buried in his breast,
lay his daughter. Worn out by long watching, spent with
grief, and finding comfort for a few moments in her
passionate embrace, Christina had fallen asleep.

The people at the lodgings dared not wake her, but sent
quickly for the doctor, who lived near. He soon came; and in
a moment whispered that "their care must be for her."

A small mattress was lifted in; her clinging arms were

tenderly loosened, and she was laid upon it, and borne into
the next room.

"He was all I had left," she murmured, as her head

touched the pillow—"all but Jesus."