Re: The same old self-signed CA problem!
Hi George, ... But when I get to needing sign.sh to sign the certificate I lose it. I cannot relate what is in that script to anything I have done. Nor, it seems, can it. What means you lose it, has it been deleted or does it have 0 bytes afterwards? ... The server.key and the server.csr are in the apache/conf directory. You don't need them in apache/conf at the signing-time (only after you've signed them). server.csr, server.csr and also ca.crt ca.key MUST be in the same directory! Maybe you did forget the last two files? And also the filename MUST be ca.crt ca.key! GreetingX, Alex __ Do You Yahoo!? Gesendet von Yahoo! Mail - http://mail.yahoo.de __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Information.
Hello, I want to use SSL for my web site, I am using an Apache server but I do not really know how to start. Can you help me?? Thanks. Laurent. Laurent LARWENCE UNIVERS INFORMATIQUE - Tél. 01.40.16.66.10 - Fax. 01.40.16.66.00 - Mob. 06.81.12.83.77 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Example of OpenSSL Multithreading
Hi All, Is there anyone who has an example of SSL Multithreading in Linux platform. I saw the example shipped with OpenSSL. But it seem to be bit unclear for me. If anyone have an example on Multithreading please send me. Ashada __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PRNG problems on Solaris 7 sparc
# openssl genrsa -des3 -out server.key 1024 warning, not much extra random data, consider using the -rand option how about adding -rand option? e.g., openssl genrsa -des3 -out server.key -rand /dev/random 1024 openssl rand(1) manpage may be informative for you. -- yozo. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: PRNG problems on Solaris 7 sparc
Title: RE: PRNG problems on Solaris 7 sparc Creed Millman can no longer be reached at cmillman@chrysalis-its. Please remove Creed's name from the mailing list. Thank you. -Original Message- From: Yozo TODA [mailto:[EMAIL PROTECTED]] Sent: Monday, August 27, 2001 3:46 PM To: [EMAIL PROTECTED] Subject: Re: PRNG problems on Solaris 7 sparc # openssl genrsa -des3 -out server.key 1024 warning, not much extra random data, consider using the -rand option how about adding -rand option? e.g., openssl genrsa -des3 -out server.key -rand /dev/random 1024 openssl rand(1) manpage may be informative for you. -- yozo. __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
howto? SSL+SMTP+IMAP+POP3
Hi all, this is what I did: # openssl genrsa -des3 -out ca.key # openssl req -key ca.key -nodes -new -out ca.req # openssl x509 -days 1000 -in ca.req -req -signkey ca.key -out ca.pem moved ca.pem to demoCA/cacert.pem and ca.key to demoCA/private/cakey.pem Then: # openssl ca -cert demoCA/cacert.pem -ss_cert demoCA/cacert.pem -out ca.pem Using configuration from /usr/local/ssl/openssl.cnf Enter PEM pass phrase: Check that the request matches the signature Signature ok The Subjects Distinguished Name is as follows countryName :PRINTABLE:'DE' stateOrProvinceName :PRINTABLE:'Hamburg' localityName :PRINTABLE:'Hamburg' organizationName :PRINTABLE:'zaplinski.de certificate services' commonName:PRINTABLE:'zaplinski.de root CA' emailAddress :IA5STRING:'[EMAIL PROTECTED]' Certificate is to be certified until Aug 27 21:18:49 2002 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated # mv ca.pem demoCA/cacert.pem So I now have my self signed CA. But how can I import that in IE and NS? I could not find any information on the web. 'openssl pkcs7 -i demoCA/cacert.pem -outform DER -out ca.p7b' did not work, and AFAIK MS IE5 only eats pkcs7 files. But, even if I show it pkcs7, it continues to say the file format isn't recognized. I even had an own little CA and a CA signed cert for SSL'ed POP3 and SMTP, but after importing that cert to Netscape it did not know anything about my CA. MS IE5 refused to import that. So I deleted everything and started all over. Is there any HOWTO/FAQ how to - build an own CA - import that CA into Netscape/IE - build a server cert signed by that CA *not* to be used by apache but mailer apps - also import that into Netscape/IE? I could not find any information on the web. Any hints welcome! Olaf __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
PEM stored in memory, not in file
Hi, certificates and private keys are usually stored in PEM-formatted files and are loaded using the functions SSL_CTX_use_certificate_file() and SSL_CTX_use_PrivateKey_file(). If I want to hard code the keys in my application, such as char* certificate = -BEGIN CERTIFICATE- MIIC1...; is there an API that I can use in this case to initialize the keys? Thx, Arno __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PEM stored in memory, not in file
Arno, You could use a memory bio. I had to do something like this when I stored my keys PEM encoded into a gdbm database. ie: BIO *in; char *certificate = BEGIN CERT in = BIO_new(BIO_s_mem()); if (BIO_write(certificate,strlen(certificate))0) { BIO_free(in); return NULL; } then you can just do the following once the bio is setup. X509 *cert = PEM_read_bio_X509(in,NULL,NULL,NULL); see BIO_s_mem manpage, there is another way to do it where you can pass the BIO the actual buffer, but I don't recall how. The other option would be to use openssl x509 -C -in cert.pem to convert the pem into a C variable. I'm not sure how to get it into an X509 structure from there though. hope this helps, -jr Arno Puder wrote: Hi, certificates and private keys are usually stored in PEM-formatted files and are loaded using the functions SSL_CTX_use_certificate_file() and SSL_CTX_use_PrivateKey_file(). If I want to hard code the keys in my application, such as char* certificate = -BEGIN CERTIFICATE- MIIC1...; is there an API that I can use in this case to initialize the keys? Thx, Arno __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PEM stored in memory, not in file
Arno Puder wrote: Hi, certificates and private keys are usually stored in PEM-formatted files and are loaded using the functions SSL_CTX_use_certificate_file() and SSL_CTX_use_PrivateKey_file(). If I want to hard code the keys in my application, such as char* certificate = -BEGIN CERTIFICATE- MIIC1...; is there an API that I can use in this case to initialize the keys? For certificates DER format is more efficient. Also look at the -C option for the 'x509' utility. You can also use the d2i_*() functions to read from a DER encoded array (see FAQ) you can also convert binary files to arrays using the Unix xxd utility. For PEM files in strings you can use a memory BIO: see BIO_s_mem() manual pages. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
problems with connection
hai everyone, i donot know why my previous message has been ignored. i think i have not provided sufficient information. so i am providing some more additional information. i have created the certificates(using openssl) and signed them myself.i used ssldump to verify my ssl handshake information using Netscape and IE when a request is being sent to my ssl server. i found #when a request is sent through I.E ssl handshake is being performed. then the client is closing the connection and reestablishing a new connection and this time it is succesful more over it is asking for session resumption. (i understand that the client should close the connection abruptly when it finds that the server does not support strong ciphers or when it cannot trust the client -- please correct me if i am wrong). this problem is causing me a large overhead when ever i get request from I.E, as i am creating a new process for every request. i am not facing this problem with netscape. can any one tell me how i can overcome the problem? i am currently using *SSLv23_server_method* methods. any pointers would be greatly appreciated. i am enclosing a copy of the ssldump. thanks in advance ganesh *i am using external session caching to perform session handling with a time out of 10 sec. 5'th request was from I.E(u notice that the connection was closed abruptly and it established a new connection i.e request-no 6 which is succesfull. all other requests are send using Netscape)* ***ssldump details*** New TCP connection #1: dilbert.uccs.edu(3433) - oblib.uccs.edu(443) 1 1 0.0126 (0.0126) CS SSLv2 compatible client hello Version 3.1 cipher suites SSL2_CK_RC4 SSL2_CK_3DES SSL2_CK_RC2 SSL2_CK_DES SSL2_CK_RC4_EXPORT40 SSL2_CK_RC2_EXPORT40 TLS_RSA_WITH_RC4_128_MD5 Unknown value 0xfeff TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xfefe TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 1 2 0.0137 (0.0010) SC Handshake ServerHello Version 3.1 session_id[32]= bf 67 3d d8 51 a8 ec 1d a7 72 0e 59 ce 52 95 3f 34 75 a8 d3 da ec 62 f0 bf 31 c1 25 bc 20 3d 08 cipherSuite TLS_RSA_WITH_RC4_128_MD5 compressionMethod NULL 1 3 0.1905 (0.1768) SC Handshake Certificate 1 4 0.1905 (0.) SC Handshake ServerHelloDone 1 5 2.8011 (2.6105) CS Handshake ClientKeyExchange 1 6 2.8011 (0.) CS ChangeCipherSpec 1 7 2.8011 (0.) CS Handshake 1 8 2.8167 (0.0156) SC ChangeCipherSpec 1 9 2.8167 (0.) SC Handshake 1 10 2.8177 (0.0010) CS application_data 1 11 2.8381 (0.0204) CS application_data 1 12 2.9043 (0.0661) SC application_data 1 13 2.9098 (0.0055) SC application_data 1 14 2.9098 (0.) SC application_data 1 15 2.9098 (0.) SC application_data 1 16 2.9098 (0.) SC application_data 1 17 2.9098 (0.) SC application_data 1 18 2.9098 (0.) SC application_data 12.9098 (0.) SC TCP FIN 1 19 2.9805 (0.0706) CS Alert 12.9805 (0.) CS TCP FIN New TCP connection #2: dilbert.uccs.edu(3434) - oblib.uccs.edu(443) 2 1 0.0184 (0.0184) CS Handshake ClientHello Version 3.1 resume [32]= bf 67 3d d8 51 a8 ec 1d a7 72 0e 59 ce 52 95 3f 34 75 a8 d3 da ec 62 f0 bf 31 c1 25 bc 20 3d 08 cipher suites TLS_RSA_WITH_RC4_128_MD5 Unknown value 0xfeff TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xfefe TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 compression methods NULL 2 2 0.0536 (0.0351) SC Handshake ServerHello Version 3.1 session_id[32]= bf 67 3d d8 51 a8 ec 1d a7 72 0e 59 ce 52 95 3f 34 75 a8 d3 da ec 62 f0 bf 31 c1 25 bc 20 3d 08 cipherSuite TLS_RSA_WITH_RC4_128_MD5 compressionMethod NULL 2 3 0.0536 (0.) SC ChangeCipherSpec 2 4 0.0536 (0.) SC Handshake 2 5 0.0553 (0.0016) CS ChangeCipherSpec 2 6 0.0553 (0.) CS Handshake 2 7 0.0553 (0.) CS application_data 2 8 0.0754 (0.0201) CS application_data 2 9 0.1239 (0.0485) SC application_data 2 10 0.1291 (0.0052) SC application_data 2 11 0.1291 (0.) SC application_data 2 12 0.1291 (0.) SC application_data 2 13 0.1291 (0.) SC application_data 2 14 0.1291 (0.) SC application_data 2 15 0.1291 (0.) SC application_data 20.1291 (0.) SC TCP FIN 2 16 0.1948 (0.0656) CS Alert 20.1949 (0.0001) CS TCP FIN New TCP connection #3: dilbert.uccs.edu(3435) - oblib.uccs.edu(443) 3 1 0.0077 (0.0077) CS Handshake ClientHello Version
no authentication vs plaintext+TLS
Hello, Can someone elaborate on these two log entries: Aug 27 21:22:12 catfish imapd[3449]: [ID 781445 local6.notice] starttls: TLSv1 w ith cipher RC4-MD5 (128/128 bits) no authentication Aug 27 21:22:14 catfish imapd[3449]: [ID 237943 local6.notice] login: chirs.home .net[206.150.228.61] chirs plaintext+TLS Why no authentication when I am using sasl? Is this actualy beinag encrypted then? Any feedback would be appreciated. Thanks __ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Problem to connect with IExplorer
Today I installed on my site new SSL certificate. When I try to connect with IExplorer using https, I've receive The page cannot be displayed error and apache's ssl-error log file indicate ... [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]. There are no problems with Netscape connecting at all. Temporary I've return old certificate, but it will expire Aug. 29. Trying to fix problem, today I've upgraded Apache but still have the same error. Newest versions are: openssl-0.9.6b, mod_ssl-2.8.4-1.3.20, apache-1.3.20 Any suggestions, please? Thanks, --- Vladimir Sokolov Entigen System Administrator (408) 542-5570 [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]