Re: Creating password-protected certs.

2002-05-01 Thread Richard Levitte - VMS Whacker

In message <[EMAIL PROTECTED]> on Tue, 30 Apr 2002 
06:30:34 -0700 (PDT), Tim Jones <[EMAIL PROTECTED]> said:

t0psecret> Thanks for the help... I'm pretty new at this stuff. 
t0psecret> So, the private key is protected with the export
t0psecret> password, but this is a one-time password that is only
t0psecret> used when importing?  From my standpoint it would
t0psecret> really be nice to have a permanent password on the
t0psecret> private key... Is this something that is common with
t0psecret> SSL?  If not, I'm wondering how Windows would react to
t0psecret> such a thing.

It *is* a permanent password.  The private key is simply encrypted
with that password as a master key.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: accept of SSLeay hangs up.

2002-05-01 Thread Atsushi Ikeda


 Thank you for giving me advice. I will check "timing out slow
operations" out.

Thank you,
Atsushi

hierophant> You may want to review the section on "timing out slow operations" as well
hierophant> as blocking/non-blocking I/O in the "Programming Perl" book. IIRC, this
hierophant> behavior with read() is not uncommon.
hierophant> 
hierophant> Keary Suska
hierophant> Esoteritech, Inc.
hierophant> "Leveraging Open Source for a better Internet"


###
Atsushi Ikeda 
Elegant Solutions Consulting Inc. 
TEL:604-709-0712  FAX:604-709-0733  Email: [EMAIL PROTECTED]




Error when using Netscape to access a https site

2002-05-01 Thread Brandon Amundson

I am trying to access a secure site from my machine with Netscape 4*
thru 6.2 and IE.  When I access the site with IE I get to it fine.  When
using Netscape, I get the following error.

The certificate is not approved for the following application.

I do not get an error that says I do not have a certificate to access
the site.

The server cert was generated with the following command.

openssl ca -policy policy_anything -out demo.cer -config /usr/local/ssl/openssl.cnf -infiles certreq.txt

Everything looks like it comes across fine. I edited the demo.cer file
and took out the excess gibberish that MS does not like and installed it
as a server cert.

Am I missing something? Has anyone seen the error on the 3rd line?

Thanks..

Brandon Amundson 
BBN Technologies
LAB: 703 284 8189
[EMAIL PROTECTED]




Problem linking on Linux

2002-05-01 Thread Tim McClure

I have been running for months on AIX with OpenSSL.  I am porting my
software to Linux and I am having trouble linking my application.  I have
included the make report results as well as my link errors.  I suspect I am
missing a link option.  Any help would be greatly appreciated.




OpenSSL self-test report:

OpenSSL version:  0.9.6c
Last change:  Fix BN_rand_range bug pointed out by Dominikus Scherkl...
Options:  no-asm no-shared
OS (uname):   Linux picture 2.4.7-10smp #1 SMP Thu Sep 6 17:09:31 EDT
2001 i686 unknown
OS (config):  i686-whatever-linux2
Target (default): linux-elf
Target:   linux-elf
Compiler: gcc version 2.96 2731 (Red Hat Linux 7.1 2.96-98)

Test skipped.

Test report in file testlog

/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(t1_enc.o): In
function `tls1_P_hash':
t1_enc.o(.text+0x35): undefined reference to `HMAC_Init'
t1_enc.o(.text+0x46): undefined reference to `HMAC_Update'
t1_enc.o(.text+0x63): undefined reference to `HMAC_Final'
t1_enc.o(.text+0x78): undefined reference to `HMAC_Init'
t1_enc.o(.text+0x9b): undefined reference to `HMAC_Update'
t1_enc.o(.text+0xc0): undefined reference to `HMAC_Update'
t1_enc.o(.text+0xe6): undefined reference to `HMAC_Final'
t1_enc.o(.text+0x137): undefined reference to `HMAC_Final'
t1_enc.o(.text+0x15c): undefined reference to `HMAC_cleanup'
t1_enc.o(.text+0x16a): undefined reference to `HMAC_cleanup'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(t1_enc.o): In
function `tls1_change_cipher_state':
t1_enc.o(.text+0x23e): undefined reference to `COMP_CTX_free'
t1_enc.o(.text+0x25f): undefined reference to `COMP_CTX_new'
t1_enc.o(.text+0x369): undefined reference to `COMP_CTX_free'
t1_enc.o(.text+0x389): undefined reference to `COMP_CTX_new'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(t1_enc.o): In
function `tls1_mac':
t1_enc.o(.text+0x10a7): undefined reference to `HMAC_Init'
t1_enc.o(.text+0x10b3): undefined reference to `HMAC_Update'
t1_enc.o(.text+0x10c3): undefined reference to `HMAC_Update'
t1_enc.o(.text+0x10d4): undefined reference to `HMAC_Update'
t1_enc.o(.text+0x10ea): undefined reference to `HMAC_Final'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(ssl_lib.o): In
function `SSL_CTX_new':
ssl_lib.o(.text+0xac0): undefined reference to `X509_STORE_new'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(ssl_lib.o): In
function `SSL_CTX_free':
ssl_lib.o(.text+0xcb5): undefined reference to `X509_STORE_free'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(ssl_lib.o): In
function `ssl_init_wbio_buffer':
ssl_lib.o(.text+0x16ee): undefined reference to `BIO_f_buffer'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(ssl_lib.o): In
function `SSL_CTX_set_cert_store':
ssl_lib.o(.text+0x18df): undefined reference to `X509_STORE_free'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(ssl_lib.o): In
function `SSL_CTX_set_trust':
ssl_lib.o(.text+0x22f8): undefined reference to `X509_TRUST_get_by_id'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(ssl_lib.o): In
function `SSL_set_trust':
ssl_lib.o(.text+0x2368): undefined reference to `X509_TRUST_get_by_id'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(ssl_lib.o): In
function `SSL_CTX_set_default_verify_paths':
ssl_lib.o(.text+0x2d6c): undefined reference to
`X509_STORE_set_default_paths'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(ssl_lib.o): In
function `SSL_CTX_load_verify_locations':
ssl_lib.o(.text+0x2da4): undefined reference to `X509_STORE_load_locations'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(ssl_lib.o): In
function `ssl_clear_cipher_ctx':
ssl_lib.o(.text+0x3097): undefined reference to `COMP_CTX_free'
ssl_lib.o(.text+0x30b4): undefined reference to `COMP_CTX_free'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(ssl_err2.o): In
function `SSL_load_error_strings':
ssl_err2.o(.text+0x11): undefined reference to `ERR_load_crypto_strings'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(ssl_cert.o): In
function `ssl_verify_cert_chain':
ssl_cert.o(.text+0x40d): undefined reference to `X509_STORE_CTX_init'
ssl_cert.o(.text+0x450): undefined reference to
`X509_STORE_CTX_get_ex_new_index'
ssl_cert.o(.text+0x460): undefined reference to `X509_STORE_CTX_set_ex_data'
ssl_cert.o(.text+0x47f): undefined reference to
`X509_STORE_CTX_purpose_inherit'
ssl_cert.o(.text+0x496): undefined reference to
`X509_STORE_CTX_set_verify_cb'
ssl_cert.o(.text+0x4c5): undefined reference to `X509_verify_cert'
ssl_cert.o(.text+0x4e1): undefined reference to `X509_STORE_CTX_cleanup'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(ssl_cert.o): In
function `SSL_get_ex_data_X509_STORE_CTX_idx':
ssl_cert.o(.text+0xccd): undefined reference to
`X509_STORE_CTX_get_ex_new_index'
/build/cas/src/contrib/openssl-0.9.6c/dist/lib/libssl.a(ssl_ciph.o): In
function `ssl_cipher_get_evp':
ssl_ciph.o(.text+0x126): undefined reference to `EVP_enc_null'
/build/cas/src/contr

Re: 3DES decrytpion

2002-05-01 Thread Aleksey Sanin

Well, using EVP functions is not too difficult 
(http://www.openssl.org/docs/crypto/EVP_EncryptInit.html#):
1) init context
EVP_CIPHER_CTX ctx;
EVP_CIPHER_CTX_init(&ctx);
2) init cipher
EVP_CipherInit(&ctx, EVP_des_ede3_cbc(), key, iv, encrypt);
3) encrypt/decrypt data while available
EVP_CipherUpdate(&ctx, out, &outLen, in, inLen);
4) encrypt/decrypt the last block
EVP_CipherFinal(&ctx, out, &outLen);
5) cleanup context
EVP_CIPHER_CTX_cleanup(&ctx);

You can also take a look at test/evp_test.c file in OpenSSL package.


Aleksey Sanin.
  

Stella Power wrote:

>I'm afraid that I couldn't find any examples on how to use the EVP functions, and 
>still do not know how I would go about implementing it.  The only restriction I have 
>on my code is that the encrypted input file is 3DES ECB encrypted.
>
>Stella
>
>On Wed, May 01, 2002 at 09:03:42AM -0700, Aleksey Sanin wrote:
>
>>Do you have any reason not to use EVP_Cipher*() functions instead of
>>low-level des_ecb3_encrypt()? EVP functions provide a very good abstraction
>>layer and hide many algorithm-specific details.
>>
>>Aleksey Sanin.
>>
>>Stella Power wrote:
>>
>>>hi,
>>>
>>>I'm trying to use the crypto library to decrypt a file which has been 
>>>encrypted using triple-DES.
>>>
>>>I have the following declarations:
>>>char *temp;
>>>char **elines;
>>>des_cblock *input;
>>>
>>>I have a function which parses the file and grabs the encrypted strings
>>> temp = parse_file(&mapped_file);
>>>I then set elines[i] = temp;
>>>However I can't pass elines[i] to des_ecb3_encrypt() as it is not declared 
>>>as des_cblock.
>>>Is there any way of casting it, passing it, some way of passing the data 
>>>returned by the parse_file() function to des_ecb3_encrypt()?
>>>
>>>Also, am I right in thinking that des_cblock being defined the way it is,
>>>that you can only decrypt in batches of 8 characters??
>>>
>>>Thanks!
>>>Stella
>>>
>





Re: accept of SSLeay hangs up.

2002-05-01 Thread Keary Suska

on 4/30/02 10:33 PM, [EMAIL PROTECTED] purportedly said:

> Hi,
> 
> If anybody knows this problem, please give me some advice.
> I made a simple web server with SSLeay in perl, but sometimes it
> hangs up. It hangs up in accept(). accept() calls the read() system call
> and the read() system call is always waiting for incoming data when it
> hangs up. I read a manual of SSLeay and I found Net::SSLeay::slowly.
> I set it to 1.
> It looks slower, but hanging up hasn't happened so far. Did I
> choose the right solution?
> 
> Thank you,
> Atsushi

I haven't done this, but it doesn't sound like this is the best solution.
You may want to review the section on "timing out slow operations" as well
as blocking/non-blocking I/O in the "Programming Perl" book. IIRC, this
behavior with read() is not uncommon.

Keary Suska
Esoteritech, Inc.
"Leveraging Open Source for a better Internet"




Stuck with base64 bio

2002-05-01 Thread jjarvie

I'm really stuck trying to base64 decode a string with bios.  Any help 
on what I'm doing wrong or how to work out what the problem is would be 
very much appreciated.  My code is:

int i = 0, j = 0;
BIO *bio, *b64;

b64 = BIO_new(BIO_f_base64());

bio = BIO_new(BIO_s_mem());

BIO_set_mem_eof_return(bio, 0); // no error checking but allocations seem OK in debug

i = BIO_write(bio, "SGVsbG8gd29ybGRcIQo=",20); //simple example "Hello World\!"

bio = BIO_push(b64, bio);  // if I take this out I get the still encoded string back

j = BIO_ctrl_pending(bio); // = 20, i.e. length of encoded string

i = BIO_read(bio, sbuf2, j); //  always returns 0, sbuf2 is unchanged

i = BIO_eof(bio); // = 1, i.e. EOF
i = BIO_ctrl_pending(bio); // = 0, i.e. now empty

BIO_free_all(bio);

This is driving me nuts (no-one can help me with that!)

Thanks

John Jarvie



Re: 3DES decrytpion

2002-05-01 Thread Stella Power

I'm afraid that I couldn't find any examples on how to use the EVP functions, and 
still do not know how I would go about implementing it.  The only restriction I have 
on my code is that the encrypted input file is 3DES ECB encrypted.

Stella

On Wed, May 01, 2002 at 09:03:42AM -0700, Aleksey Sanin wrote:
> Do you have any reason not to use EVP_Cipher*() functions instead of
> low-level des_ecb3_encrypt()? EVP functions provide a very good abstraction
> layer and hide many algorithm-specific details.
> 
> Aleksey Sanin.
> 
> Stella Power wrote:
> 
> >hi,
> >
> >I'm trying to use the crypto library to decrypt a file which has been 
> >encrypted using triple-DES.
> >
> >I have the following declarations:
> >char *temp;
> >char **elines;
> >des_cblock *input;
> >
> >I have a function which parses the file and grabs the encrypted strings
> > temp = parse_file(&mapped_file);
> >I then set elines[i] = temp;
> >However I can't pass elines[i] to des_ecb3_encrypt() as it is not declared 
> >as des_cblock.
> >Is there any way of casting it, passing it, some way of passing the data 
> >returned by the parse_file() function to des_ecb3_encrypt()?
> >
> >Also, am I right in thinking that des_cblock being defined the way it is,
> >that you can only decrypt in batches of 8 characters??
> >
> >Thanks!
> >Stella
> >



Re: 3DES decrytpion

2002-05-01 Thread Aleksey Sanin

Do you have any reason not to use EVP_Cipher*() functions instead of
low-level des_ecb3_encrypt()? EVP functions provide a very good abstraction
layer and hide many algorithm-specific details.

Aleksey Sanin.

Stella Power wrote:

>hi,
>
>I'm trying to use the crypto library to decrypt a file which has been encrypted using 
>triple-DES.
>
>I have the following declarations:
>char *temp;
>char **elines;
>des_cblock *input;
>
>I have a function which parses the file and grabs the encrypted strings
>   temp = parse_file(&mapped_file);
>I then set elines[i] = temp;
>However I can't pass elines[i] to des_ecb3_encrypt() as it is not declared as 
>des_cblock.
>Is there any way of casting it, passing it, some way of passing the data returned by 
>the parse_file() function to des_ecb3_encrypt()?
>
>Also, am I right in thinking that des_cblock being defined the way it is, that you 
>can only decrypt in batches of 8 characters??
>
>Thanks!
>Stella
>



RE: OpenSSL on BeOS^H^H^H^Hnon-Windows & non-Linux OSes

2002-05-01 Thread Zero One


--- "GOLDING,CHARLTON (Non-HP-Corvallis,ex1)"
<[EMAIL PROTECTED]> wrote:
> Hi, yeah true, having been burned by Be when working on their OS I
> wish the
> OS would go away, but not really.  I'm glad to hear it might have
> been
> purchased by 3Com (is that true?)  
> 

Somewhat; Be's assets (most of the engineers, BeOS and BeIA) were
purchased by Palm (which is a subsidiary of 3Com), but it's very
unlikely that the latest internal versions of BeOS will ever legally
see the light of day. (There were some leaks in November.)

> 
> If the OS doesn't have good TCP/IP stack support such as a lack of
> getsockopt() it sounds like the OS needs fixed.  I think from what

Yeah, it was fixed in a networking system rewrite that went as far
as closed/private beta tests (and it rocked) but it was never
formally released, even as an open beta.

> I
> remember of the little I ever knew of this, to call getsockopt()
> from some
> stacks you have to be root (a scary concept to me), so perhaps if
> that's the
> case in BeOS your app isn't running as root or doesn't have
> security
> privilege? 

Scary thought but not the problem. Everything in BeOS runs as root,
because the multiuser support was never fully implemented. Everyone
always has full access to BeOS's resources.

> If you feel up to it you might write (ugly proposal
> sorry) your
> own glue to fix the hole in the BeOS networking stack.

 :)

> I never
> dealt with
> this side of BeOS so can't comment on how hard that might be, my
> interest
> was mostly in video drivers.  This was back when Be had its own
> box, and
> the code ports related to PowerPC.  (Yeah, some time ago sorry.)
> 

Thanks for the response and thoughts!

> -Original Message-
> From: Zero One [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, April 30, 2002 4:59 PM
> To: [EMAIL PROTECTED]
> Subject: Re: OpenSSL on BeOS^H^H^H^Hnon-Windows & non-Linux OSes
> 
>  
> 
> 
> 
> Ok, let me amend and repeat this request since there wasn't even so
> much as
> a "No! BeOS is stupid! Go away!" response to my original message.
> (Yes,
> sometimes a flame is better than utter silence ;) ) 
> 
> The biggest problem that I seem to be running into in getting
> OpenSSL to
> compile and generate shared libraries is that the net_server
> version of BeOS
> does not apparently have getsockopt() in its networking libraries.
> At least
> not in the standard ones that I have. 
> 
> So, my question is now how would one get around this lack of
> functionality
> on any operating system? The reason this is important is because
> one of the
> required files (crypto/bio/b_sock.c) in OpenSSL uses this function,
> precisely once (line 224). I've tried working around it by
> supplying the
> value of errno if there is an error, and I've tried following a
> 1998 era
> suggestion on it, though neither method worked. 
> 
> So, does anyone have suggestions based on lack of a particular
> function as
> opposed to OS wonkiness?
> 
> Thanks.
> 
> --- Zero One wrote:
> > Has anyone out there had any luck getting OpenSSL compiled and
> > running properly under BeOS R5.0.x, in particular with the
> > "net_server" rather than "BONE"? If so, please drop me an email
> > telling me precisely how you managed this feat, and whether you
> > compiled the shared libraries or not. Thank you.
> 





3DES decrytpion

2002-05-01 Thread Stella Power

hi,

I'm trying to use the crypto library to decrypt a file which has been encrypted using 
triple-DES.

I have the following declarations:
char *temp;
char **elines;
des_cblock *input;

I have a function which parses the file and grabs the encrypted strings
temp = parse_file(&mapped_file);
I then set elines[i] = temp;
However I can't pass elines[i] to des_ecb3_encrypt() as it is not declared as 
des_cblock.
Is there any way of casting it, passing it, some way of passing the data returned by 
the parse_file() function to des_ecb3_encrypt()?

Also, am I right in thinking that des_cblock being defined the way it is, that you 
can only decrypt in batches of 8 characters??

Thanks!
Stella




about function SSL_CTX_use_PrivateKey_file(...)!

2002-05-01 Thread 刘 峰

hello
   I met a problem while developing a program with openssl.
   I was writing a server program, and when I came to the function
SSL_CTX_use_PrivateKey_file(...), the program consumed 100% CPU, and this
state remained for almost 7 minutes and seemed to have no end. I just closed it!
   I do not know whether it is normal or an error. I wonder if it is just
  decrypting (I use a 1024-bit RSA key encrypted with DES-EDE3-CBC).
  Thank you very much!
 [EMAIL PROTECTED]
