Cancelling RSA Key Generation
Is there a way of cancelling the generation of an RSA key pair when RSA_generate_key(...) is used? I plan to use a callback function. Thanks, Aram Perez __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSL_CTX_use_PrivateKey_file
On Wed, Jan 08, 2003 at 09:40:58AM -0800, Fisk, Kevin wrote: > Okay. Right now, I call SSL_CTX_use_PrivateKey_file with the parameter > SSL_FILETYPE_PEM. What do I pass for the type PK (first parameter) to > pass this. Do I need to convert the PEM file before it can be passed as > an ASN.1 certificate? I tried only passing the private key portion as a > string, the entire thing as a string, and I tried using > SSL_CTX_use_RSAPrivateKey_ASN1 with both strings. ASN1 (in OpenSSL also referred to as DER format) is a binary representation in ASN.1 format. PEM is the base64 encoded DER format. You can use the int PEM_read(FILE *fp, char **name, char **header, unsigned char **data, long *len) or PEM_read_bio() routines. Please refer to the "pem" manual page. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Signing certificates on Windows
> Franck Martin wrote: > You can't use virtual hosts on apache with https. > Each host must have its own IP address, that's what I learnt from the doc... > May be it is fixed somehow... The reason is that the security is negotiated before even one byte is sent down the channel, and the server has no way of knowing WHICH of the various virtual hosts you want to talk to until it has read the incoming HTTP header, which it cannot do until the security has been negotiated. One might think the server would have a single certificate that it uses before trying to find out the desired virtual host name. However, it turns out it has to know WHICH virtual host name is wanted to select WHICH certificate to use! Chicken and egg. There might be a solution with a single certificate that has all the virtual host names as subjectAltNames but I'm too much in alligator mode to look at such swamps... -- Charles B. (Ben) Cranston mailto:[EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Signing certificates on Windows
i ported the cert.sh to work on win32 ( windows 95, 98, ME, 2k, XP ) isnt that great ! just use that here is the location for the script http://members.fortunecity.net/adityald/ssh-scripts does any one know how do i submit them to openssl contrib list at openssl.org -aditya my email address >-Original Message- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED]]On Behalf Of >Theodor.Isporidi-at-gmx.net (Theodor Isporidi) |OpenSSL/1.0-Allow| >Sent: Tuesday, January 07, 2003 10:12 PM >To: X >Subject: Signing certificates on Windows > > >Hi ! > >My first try at posting to the list probably didn't work, so I'm >posting again. In case this shows up twice please disregard this mail >and accept my apology. > >I am just trying to get the latest Apache running with SSL support. >Well, in fact it is already compiled and running but to use SSL I >need to generate a certificate and sign it. > >I have already generated a certificate but since sign.sh is a unix >shell script it is useless on Windows systems. Has nobody ever tried >to sign certificates on Windows and can tell me how to do it? > >Thanks a lot. > >Bye ! > >__ >OpenSSL Project http://www.openssl.org >User Support Mailing List[EMAIL PROTECTED] >Automated List Manager [EMAIL PROTECTED] > Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com) __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: SSL_CTX_use_PrivateKey_file
Okay. Right now, I call SSL_CTX_use_PrivateKey_file with the parameter SSL_FILETYPE_PEM. What do I pass for the type PK (first parameter) to pass this. Do I need to convert the PEM file before it can be passed as an ASN.1 certificate? I tried only passing the private key portion as a string, the entire thing as a string, and I tried using SSL_CTX_use_RSAPrivateKey_ASN1 with both strings. My PEM file looks like the following: -BEGIN RSA PRIVATE KEY- MIICXQIBAAKBgQCamuFIkojgw5GQGNEsb3vazceGiflAdiHLdGnQhTX8Ihxrshpz iy2K1lWmX+YRXUXTdk+d+bVtP/a1i1tBLFssL0j6rmyt3z+WuGHinKdOIFYZ9uzU RTemcUQ3WSN/ngvK68lnA5kqdWVkGgFqdMGyP/QmdlQvvrq9vD3TmQVxhQIDAQAB AoGAFrJIAlRovb5YHzRVeNWA9DUjZm/Y5IqzGWAkrJTxwOrtCy5hTbcP34LpnfwU FVaBCrMiqwlehgRO3oXvxpiRZae8uki0RSLld2XLkyb3EoAJb+HpUgW9FbjqZwYm hKxFqVlyyrDQait352txTtlGQGTIglSaV+KFL5810ybEM50CQQDJf2WVA9J4doY9 /aRnyDix5oIRnOwS2wfwSvQ773Q0a/A+XETaXE1MGbBsr06aYOQo6AR/6yv/iD18 Bp7LhFn3AkEAxGxs9lMs5hdCQWxwlq2bMHCbStg5Uwi8rYNO93wUEOBWKhVLkwe6 LJ6rho84fq7G0zLKrw4UnslJj1Za6rzRYwJBAKJhRi2WTPDDI1+lne38zqOfDUbA XQa8+GLPJI+AYvcz3QGEPgByzd/7+886X2/NkVDd2XJ0xJpC4rmmZCXCXPUCQBCV Stm9CfRfEFPvsM232HtNdn7qJGTTPwKzLE6Opi8KkZu58oh2RYyQ1NBmdRGU9epM xnnjCXCic9hrJP/ecxsCQQCZ6E3Ww8p+R5ssVCWL5Lm4RNgqhH1Dw+KC0jHBG31B HDQFIAxi9C0Jfzx6jUFJ8xWA93SAJFkSFPw5IVVWa2BT -END RSA PRIVATE KEY- -BEGIN CERTIFICATE- MIICMTCCAZoCAQAwDQYJKoZIhvcNAQEEBQAwYTELMAkGA1UECBMCQ0ExETAPBgNV BAcTCE1vb3JwYXJrMQwwCgYDVQQKEwNWTFAxDDAKBgNVBAMTA1ZMUDEjMCEGCSqG SIb3DQEJARYUYmtvemluQGxpbmtwb2ludC5jb20wHhcNMDExMTA2MTg1MDE3WhcN MzExMTA0MTg1MDE3WjBhMQswCQYDVQQIEwJDQTERMA8GA1UEBxMITW9vcnBhcmsx DDAKBgNVBAoTA1ZMUDEMMAoGA1UEAxMDVkxQMSMwIQYJKoZIhvcNAQkBFhRia296 aW5AbGlua3BvaW50LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmprh SJKI4MORkBjRLG972s3Hhon5QHYhy3Rp0IU1/CIca7Iac4stitZVpl/mEV1F03ZP nfm1bT/2tYtbQSxbLC9I+q5srd8/lrhh4pynTiBWGfbs1EU3pnFEN1kjf54LyuvJ ZwOZKnVlZBoBanTBsj/0JnZUL766vbw905kFcYUCAwEAATANBgkqhkiG9w0BAQQF AAOBgQAxTU7cJG7nE44VW8hMGp6/5eOtHL0K7hsBQ7U0ZO8jESipAyBjWOZuEo9i Cbfs452f4YjEPnJbqbQxJbScf0P50k1S7pMI1elBdSjPKIQXAC5qzDWJGq8gvB9/ cDc/4JOgy8AVC2B0TioKtsxE3k9t/u43oEzlHHrGkSuMRFd+BQ== -END CERTIFICATE- Thanks, Kevin __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Motherboards with RNG onboard. Anybody know some?
Edin Dizdarevic wrote: At the CCC congress recently in Berlin a discussion came up about randomness problems and somebody (fefe ;)) said, that the Intel solution is not that bad, since the board with it cost only a few cents more and is far better than /dev/(u)random. Better in what respect? It's arguably a higher-quality source of cryptographically useful random bits, but has a very slow maximum bit rate. It's still only applicable as a seed for software PRNG, at least on a server that must produce large amounts of key material, random pad, nonces, etc. These comments are meant to apply to all hardware RBGs. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: your mail
On Thu, Jan 02, 2003, Ed Harty wrote: > Hi, > > I am generating a client cert for Apache using openssl with my own CA as > follows: > > openssl genrsa -out client.key 1024 > openssl req -new -key client.key -out client.csr > openssl x509 -req -days 365 -CA myCA.cert -CAkey myCA.key -CAcreateserial > -in client.csr -out client.crt > openssl pkcs12 -chain -export -clcerts -CAfile myCA.cert -in client.crt > -inkey client.key -out client.p12 -chain -name "Cert friendly name" > > When I import the cert into IE 5.5 everything is fine except that the cert > is suitable for the following: > > Windows System Component Verification > Windows Hardware Driver Verification > Allow data on disk to be encrypted > Allow secured communication on Internet > Allow you to digitally sign a Certificate Trust List > Allow data to be signed with the current time > Ensure e-mail came from sender > Protect e-mail from tampering > Ensure the content of e-mail cannot be viewed by others > Protect software from tampering after publication > Ensure software came from software publisher > Guarantee your identity to a remote computer > > > QUESTION: How do I set the cert for basic options only, i.e. verify > computer identity ??? > Add an extended key usage extension with appropriate usages, see doc/openssl.txt Steve. -- Dr. Stephen Henson [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~steve/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problem S/MIME and HTML content
On Wed, Jan 08, 2003, Dr. Stephen Henson wrote: > On Wed, Jan 08, 2003, Stephane Rozes wrote: > > > Hello the list, > > > > I have a problem when I want to sign with S/MIME an HTML mail content. > > > > When I sign HTML data (openssl smime -rc2-128 -text -sign -in > > example.htm -out result.txt -signer cert.pem), OpenSSL adds a Content-Type > > "text/plain" above my HTML part (see below). So when I receive the e-mail, > > the mail client displays the HTML code and does not "interpret" it. > > > > Do you know a way to force the "Content-Type" of the "content" section to be > > "text/html" in order to the HTML e-mail can be viewed correctly in a mail > > client ? or another way to display the signed HTML content correctly in a > > mail client ? > > > Use -notext as mentioned in the fine manual. > Seems like I should read the fine manual first before replying. There was a -notext option in a never-made-public version of my S/MIME code but not in OpenSSL. For OpenSSL don't use the -text option which is mentioned in the fine manual... Then you have to add your own MIME headers to the content. Steve. -- Dr. Stephen Henson [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~steve/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problem S/MIME and HTML content
On Wed, Jan 08, 2003, Stephane Rozes wrote: > Hello the list, > > I have a problem when I want to sign with S/MIME an HTML mail content. > > When I sign HTML data (openssl smime -rc2-128 -text -sign -in > example.htm -out result.txt -signer cert.pem), OpenSSL adds a Content-Type > "text/plain" above my HTML part (see below). So when I receive the e-mail, > the mail client displays the HTML code and does not "interpret" it. > > Do you know a way to force the "Content-Type" of the "content" section to be > "text/html" in order to the HTML e-mail can be viewed correctly in a mail > client ? or another way to display the signed HTML content correctly in a > mail client ? > Use -notext as mentioned in the fine manual. Steve. -- Dr. Stephen Henson [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~steve/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: little problem
Batoussov Artem wrote: > We are 2 students of a Technical Institute of Telecommunication and Computer > Networks in France. > We have to realize a draft which is a server of certificate X.509. It must > issue certificates to users who connect to the server. We have a probleme > with the automatic creation of certificates. We recover informations about > the user and we place them in default values for the file .cnf which is used > in the creation of certificates. But when we launch .bat file, the program > stops on fields where normally we must enter information. Do you know the > solution to resolve this problem? Our teacher told us that we can create a > file with 2 page breakes and place the file in the entrance of the command > (openssl req -config user-cert.cnf -key user.key -new -out user.csr) > but when you use -new, it's impossible! Do you know a solution? > We hope you've understood us? Also, can you tell us where we can find a good > documentation about this software and its options. I hope I understand what you are asking for. Under Unix I get variable items into certificates by passing them as environment variables. Here is an example configuration file: # OpenSSL configuration file for signing Internet Server Certificates [req] # openssl req params prompt = no distinguished_name = dn-param [dn-param] # DN fields C = US ST = Maryland O = University of Maryland OU = College Park Campus CN = $ENV::CERTHOST 1.DC = umd 2.DC = edu emailAddress = $ENV::CERTMAIL The prompt=no makes openssl not prompt for information (which I think is one of the problems you are trying to solve?). You didn't say anything about what system you are using, but you did mention a .bat file, which might be an indication of an Evil Microsoft operating system. I'm leaving Saturday for a week on Guadalupe, so I might not get back to this conversation for some time. Bon chance mes amis! -- Charles B. (Ben) Cranston mailto:[EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Signing certificates on Windows
On Wed, Jan 08, 2003 at 11:46:50PM +1200, Franck Martin wrote: > You can't use virtual hosts on apache with https. > > Each host must have its own IP address, that's what I learnt from the > doc... May be it is fixed somehow... It can be fixed by implementing "Upgrade" HTTP request, both by servers and browsers. I cant see how it could be done by sending HTTP headers after SSL connection setup > > So assign multiple IP addresses to your network card. it is quite easy > under Linux... > > Please feel free to contribute to the HOWTO. > > Cheers. > Franck > > > On Wed, 2003-01-08 at 17:19, Theodor Isporidi wrote: > > I know, but my search didn't turn up anything useful. I probably used > the wrong keywords. > > > http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/pdf/SSL-Cert > > ficates-HOWTO.pdf > > Thanks a lot, that document was just what I needed! I have my > certificates now. > > But Apache is still giving me some headaches. Perhaps you could give me > a hand here too? > > > > > Localhost, localhost2, localhost3 and localhost4 point to 127.0.0.1 > (done with the hosts file). > > What I think this should do is serve localhost, localhost2 and > localhost3 only via http and localhost4 only via https. But that > doesn't work. I can access all 4 via http and https on Netscape 4.79. > With IE 6.0 SP1 I can access all 4 via http but none at all via https. > What is wrong there? > > Bye ! > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] > __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Signing certificates on Windows
You can't use virtual hosts on apache with https. Each host must have its own IP address, that's what I learnt from the doc... May be it is fixed somehow... So assign multiple IP addresses to your network card. it is quite easy under Linux... Please feel free to contribute to the HOWTO. Cheers. Franck On Wed, 2003-01-08 at 17:19, Theodor Isporidi wrote: I know, but my search didn't turn up anything useful. I probably used the wrong keywords. > http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/pdf/SSL-Cert > ficates-HOWTO.pdf Thanks a lot, that document was just what I needed! I have my certificates now. But Apache is still giving me some headaches. Perhaps you could give me a hand here too? Localhost, localhost2, localhost3 and localhost4 point to 127.0.0.1 (done with the hosts file). What I think this should do is serve localhost, localhost2 and localhost3 only via http and localhost4 only via https. But that doesn't work. I can access all 4 via http and https on Netscape 4.79. With IE 6.0 SP1 I can access all 4 via http but none at all via https. What is wrong there? Bye ! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: little problem
Batoussov Artem wrote: Hello, We are 2 students of a Technical Institute of Telecommunication and Computer Networks in France. We have to realize a draft which is a server of certificate X.509. It must issue certificates to users who connect to the server. We have a probleme with the automatic creation of certificates. We recover informations about the user and we place them in default values for the file .cnf which is used in the creation of certificates. But when we launch .bat file, the program stops on fields where normally we must enter information. Do you know the solution to resolve this problem? Our teacher told us that we can create a file with 2 page breakes and place the file in the entrance of the command (openssl req -config user-cert.cnf -key user.key -new -out user.csr) but when you use -new, it's impossible! Do you know a solution? We hope you've understood us? Also, can you tell us where we can find a good documentation about this software and its options. Thanks a lot for your attention! Regards, Artem and Fabrice __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] Perhaps you should try the option '-batch' and/or config-file option 'prompt = no' see man req Kind regards, Chris -- Christian Pohl »|secaron -- The From: and Reply-To: addresses are internal news2mail gateway addresses. Reply to the list or to Christian Pohl <[EMAIL PROTECTED]> __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: how to generate PRNG in Solaris 8 ?
> From: Leonardo Lagos [mailto:[EMAIL PROTECTED]] > I've also installed patch 112438-01, to enable random support, > but the file /dev/random is not in my system (I even rebooted > the machine after installing the patch). I had the same problem, it's some special kind of "recognize new device drivers" boot that my system support person didn't know how to do -- after he went home I found these scripts on the web: (There are two scripts here, separated by a line of four signs. The first is the newer (and is a followup to the second) but what I actually did was manually type commands from the second script till it worked... heck of a way to program, eh?) http://halplant.com:88/software/Solaris/scripts/setup_random #!/usr/bin/ksh # Set up Solaris random device from patch 112438-01 without reboot # Moderate error checking only since this should be straightforward. # # (c) 2002 Andrew J. Caines. Permission to modify and distribute is # granted on condition the copyright message is included and modifications # are clearly identified. # # Incoporating suggestions and changes from these SunManager list members: # Thomas Anders <[EMAIL PROTECTED]>, Dan Astoorian <[EMAIL PROTECTED]>, # Prmm Gerd <[EMAIL PROTECTED]>, Adam Mazza <[EMAIL PROTECTED]>. # Script rewrite for functional changes and reliability improvement based # on contribution from from Jeff Bledsoe. PATH=/usr/bin:/usr/sbin Patch=${Patch:-112438} # Just in case it ever changes # Set up tempfile TmpFile=/tmp/.$$.$RANDOM ; rm -f $TmpFile ; touch $TmpFile; chmod 600 $TmpFile function bailout { echo "$*. Exiting" >&2 ; exit 1 } # Check patch is installed echo "Checking for patch $Patch...\c" if showrev -p | egrep -s "^Patch: ${Patch}-" thenecho " installed." elsebailout " not installed. Install it and try again." fi # Activate random kernel module with workaround for module dependency problem echo "Removing random device from name_to_major" name_to_major=$( /etc/name_to_major # Add driver to create device nodes and load module echo "Adding driver to system" add_drv -m '* 0644 root sys' random || bailout "Driver random failed to add" # Report results echo "Finished. You now have the following random devices:" ls -l /dev/*random /devices/pseudo/random@0:*random # Test echo "Do you want to test the new device? (y/n) \c" read yn case $yn in [Yy]*) echo "Running: dd if=/dev/random of=$TmpFile bs=512 count=1" dd if=/dev/random of=$TmpFile bs=512 count=1 echo "Running: strings $TmpFile" echo "You should see a few lines of random garbage:" ;; [Nn]*) echo "Your blind faith will be rewarded in the next life." echo "Your reward confiration code is:" ;; esac strings $TmpFile rm -f $TmpFile exit 0 # The remainder of this script never runs, but is left as refernce for use # and locations of the relvant data and commands. # Find device major major=$(nawk '/^random/{print $2}' /etc/name_to_major) # Make pseudodevices for both devices echo "Making device nodes." mknod /devices/pseudo/random@0:random c $major 0 mknod /devices/pseudo/random@0:urandom c $major 1 mode=$(nawk '/^random/{print $2}' /etc/minor_perm) user=$(nawk '/^random/{print $3}' /etc/minor_perm) group=$(nawk '/^random/{print $4}' /etc/minor_perm) chown $user:$group /devices/pseudo/random@0:*random chmod $mode /devices/pseudo/random@0:*random # Make dev links echo "Making device links." cd /dev ln -s ../devices/pseudo/random@0:random /dev/random ln -s ../devices/pseudo/random@0:urandom /dev/urandom # load the module echo "Loading driver." modload /kernel/drv/random # Prime the pump with half-decent data source echo "Priming entropy pool." alias primepool='dd if=/dev/mem bs=512 count=16 2>&- | crypt $RANDOM' primepool > /dev/random 2>&- # Gives "/dev/random: cannot create" primepool > /dev/random # Runs fine http://www.netsys.com/sunmgr/2002-04/msg00679.html To: Sun Managers <[EMAIL PROTECTED]> Subject: SUMMARY Additional: Application of Solaris 8 patch 112438-01 without reboot From: Andrew J Caines <[EMAIL PROTECTED]> Date: Fri, 19 Apr 2002 18:03:23 -0400 Folks, A couple of factors were not obvious to me during my initial tests which are important to consider for anyone following this procedure. The device major varies and should be taken from /etc/name_to_major. The random device needs to be primed with some data before it will work. I have scripted a simple tool to perform all the necessary steps after the patch application. See attached. Run setup_random and answer the questions. UID 0 required. I have tested this and found no problems, but please let me know if you have any problems, comments, criticisms or money you'd like to give me. -Andrew- -- | -Andrew J. Caines- 703-886-2689[EMAIL PROTECTED] | | Uni
RE: how to generate PRNG in Solaris 8 ?
>-Original Message- >From: Leonardo Lagos [mailto:[EMAIL PROTECTED]] >Sent: Freitag, 3. Januar 2003 16:27 >To: [EMAIL PROTECTED] >Subject: how to generate PRNG in Solaris 8 ? > > >Hi People, > >After downloading openssl and openssh from sunfreeware.com, >for my sparc/8, I'm >geeting the error "PRNG not seed" whenever I try to use ssh. > >Reading the FAQ, this error is there, but I still am unable to fix it. > >I've run, as root: > ># /usr/local/ssl/bin/openssl >OpenSSL> rand 128 >unable to load 'random state' >This means that the random number generator has not been seeded >with much random data. >Consider setting the RANDFILE environment variable to point at >a file that >'random' data can be kept in (the file will be overwritten). >563:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not >seeded:md_rand.c:501:You need to read the OpenSSL FAQ, >http://www.openssl.org/support/faq.html >error in rand >OpenSSL> > >So, what am I doing wrong?? > >I've also installed patch 112438-01, to enable random support, >but the file >/dev/random is not in my system (I even rebooted the machine >after installing >the patch). This is the best fix - you have to understand why /dev/random did not appear. Try re-installing the patch carefully until you get /dev/random working. > >Thanks a lot, > >Leo > >__ >OpenSSL Project http://www.openssl.org >User Support Mailing List[EMAIL PROTECTED] >Automated List Manager [EMAIL PROTECTED] > This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: typos in man pages
On Thu, Jan 02, 2003 at 11:46:35AM -0500, Jan Schaumann wrote: > Hello, > > Some typos in the openssl man pages were discovered (see NetBSD's PR > misc/19627 > http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=19627), attached > please find a patch to correct them. The openssl man pages are written in POD format. I would be most pleased if you would also contribute the change you made in the original pod files. Otherwise we'll have to backport them ourselves. Best regards, Lutz PS. Please send bug reports or contributions to [EMAIL PROTECTED] or [EMAIL PROTECTED] Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
little problem
Hello, We are 2 students of a Technical Institute of Telecommunication and Computer Networks in France. We have to realize a draft which is a server of certificate X.509. It must issue certificates to users who connect to the server. We have a probleme with the automatic creation of certificates. We recover informations about the user and we place them in default values for the file .cnf which is used in the creation of certificates. But when we launch .bat file, the program stops on fields where normally we must enter information. Do you know the solution to resolve this problem? Our teacher told us that we can create a file with 2 page breakes and place the file in the entrance of the command (openssl req -config user-cert.cnf -key user.key -new -out user.csr) but when you use -new, it's impossible! Do you know a solution? We hope you've understood us? Also, can you tell us where we can find a good documentation about this software and its options. Thanks a lot for your attention! Regards, Artem and Fabrice __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
how to generate PRNG in Solaris 8 ?
Hi People, After downloading openssl and openssh from sunfreeware.com, for my sparc/8, I'm geeting the error "PRNG not seed" whenever I try to use ssh. Reading the FAQ, this error is there, but I still am unable to fix it. I've run, as root: # /usr/local/ssl/bin/openssl OpenSSL> rand 128 unable to load 'random state' This means that the random number generator has not been seeded with much random data. Consider setting the RANDFILE environment variable to point at a file that 'random' data can be kept in (the file will be overwritten). 563:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html error in rand OpenSSL> So, what am I doing wrong?? I've also installed patch 112438-01, to enable random support, but the file /dev/random is not in my system (I even rebooted the machine after installing the patch). Thanks a lot, Leo __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
hardware accelerator/non-blocking IO
Hi Does openssl provide an api for non-blocking IO over an SSL hardware accelerator? Cheers Paul This message contains confidential information and is intended only for the named individual and may not be disseminated without prior permission. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this message in error and delete this e-message from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, delayed in transmission, incomplete, or may contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this Message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any software or services. This email has been scanned for all viruses by the MessageLabs SkyScan service. http://www.messagelabs.com
certificate or crypto usage
Hi all, I’am looking for a secure way to do this : Permit saving files on a media only with a correct passphrase and always permit loading this files but with an automatic checking that the correct passphrase were used to store them In the real world, I want to save settings of a Live cdrom on d7 and restore this settings at boot but I want to be sure that only the owner of the cd can make a setting save ! Of course, if the passphrase is easy to find when consulting cdrom or d7, that’s not a good solution. Alain Degreffe [EMAIL PROTECTED]
[no subject]
Hi, I am generating a client cert for Apache using openssl with my own CA as follows: openssl genrsa -out client.key 1024 openssl req -new -key client.key -out client.csr openssl x509 -req -days 365 -CA myCA.cert -CAkey myCA.key -CAcreateserial -in client.csr -out client.crt openssl pkcs12 -chain -export -clcerts -CAfile myCA.cert -in client.crt -inkey client.key -out client.p12 -chain -name "Cert friendly name" When I import the cert into IE 5.5 everything is fine except that the cert is suitable for the following: Windows System Component Verification Windows Hardware Driver Verification Allow data on disk to be encrypted Allow secured communication on Internet Allow you to digitally sign a Certificate Trust List Allow data to be signed with the current time Ensure e-mail came from sender Protect e-mail from tampering Ensure the content of e-mail cannot be viewed by others Protect software from tampering after publication Ensure software came from software publisher Guarantee your identity to a remote computer QUESTION: How do I set the cert for basic options only, i.e. verify computer identity ??? Many thanks, Ed Harty. - __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
typos in man pages
Hello, Some typos in the openssl man pages were discovered (see NetBSD's PR misc/19627 http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=19627), attached please find a patch to correct them. Cheers, -Jan -- http://www.netbsd.org - Multiarchitecture OS, no hype required. Index: src/lib/libcrypto/man/openssl_rand.1 diff -c src/lib/libcrypto/man/openssl_rand.1:1.8 src/lib/libcrypto/man/openssl_rand.1:1.9 *** src/lib/libcrypto/man/openssl_rand.1:1.8Fri Aug 9 19:15:46 2002 --- src/lib/libcrypto/man/openssl_rand.1Wed Jan 1 23:43:13 2003 *** *** 156,162 .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBrand\fR command outputs \fInum\fR pseudo-random bytes after seeding ! the random number generater once. As in other \fBopenssl\fR command line tools, \s-1PRNG\s0 seeding uses the file \fI$HOME/\fR\fB.rnd\fR or \fB.rnd\fR in addition to the files given in the \fB\-rand\fR option. A new \&\fI$HOME\fR/\fB.rnd\fR or \fB.rnd\fR file will be written back if enough --- 156,162 .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBrand\fR command outputs \fInum\fR pseudo-random bytes after seeding ! the random number generator once. As in other \fBopenssl\fR command line tools, \s-1PRNG\s0 seeding uses the file \fI$HOME/\fR\fB.rnd\fR or \fB.rnd\fR in addition to the files given in the \fB\-rand\fR option. A new \&\fI$HOME\fR/\fB.rnd\fR or \fB.rnd\fR file will be written back if enough Index: src/lib/libcrypto/man/openssl_req.1 diff -c src/lib/libcrypto/man/openssl_req.1:1.8 src/lib/libcrypto/man/openssl_req.1:1.9 *** src/lib/libcrypto/man/openssl_req.1:1.8 Fri Aug 9 19:15:46 2002 --- src/lib/libcrypto/man/openssl_req.1 Wed Jan 1 23:43:13 2003 *** *** 445,451 The actual permitted field names are any object identifier short or long names. These are compiled into OpenSSL and include the usual values such as commonName, countryName, localityName, organizationName, ! organizationUnitName, stateOrPrivinceName. Additionally emailAddress is include as well as name, surname, givenName initials and dnQualifier. .PP Additional object identifiers can be defined with the \fBoid_file\fR or --- 445,451 The actual permitted field names are any object identifier short or long names. These are compiled into OpenSSL and include the usual values such as commonName, countryName, localityName, organizationName, ! organizationUnitName, stateOrProvinceName. Additionally emailAddress is include as well as name, surname, givenName initials and dnQualifier. .PP Additional object identifiers can be defined with the \fBoid_file\fR or *** *** 508,520 \& countryName_max= 2 .Ve .Vb 1 ! \& localityName = Locality Name (eg, city) .Ve .Vb 1 ! \& organizationalUnitName = Organizational Unit Name (eg, section) .Ve .Vb 2 ! \& commonName = Common Name (eg, YOUR name) \& commonName_max = 64 .Ve .Vb 2 --- 508,520 \& countryName_max= 2 .Ve .Vb 1 ! \& localityName = Locality Name (e.g. city) .Ve .Vb 1 ! \& organizationalUnitName = Organizational Unit Name (e.g. section) .Ve .Vb 2 ! \& commonName = Common Name (e.g. YOUR name) \& commonName_max = 64 .Ve .Vb 2 Index: src/lib/libcrypto/man/openssl_rsa.1 diff -c src/lib/libcrypto/man/openssl_rsa.1:1.8 src/lib/libcrypto/man/openssl_rsa.1:1.9 *** src/lib/libcrypto/man/openssl_rsa.1:1.8 Fri Aug 9 19:15:46 2002 --- src/lib/libcrypto/man/openssl_rsa.1 Wed Jan 1 23:43:13 2003 *** *** 259,265 It is not very secure and so should only be used when necessary. .PP Some newer version of \s-1IIS\s0 have additional data in the exported .key ! files. To use thse with the utility view the file with a binary editor and look for the string \*(L"private-key\*(R", then trace back to the byte sequence 0x30, 0x82 (this is an \s-1ASN1\s0 \s-1SEQUENCE\s0). Copy all the data from this point onwards to another file and use that as the input --- 259,265 It is not very secure and so should only be used when necessary. .PP Some newer version of \s-1IIS\s0 have additional data in the exported .key ! files. To use these with the utility view the file with a binary editor and look for the string \*(L"private-key\*(R", then trace back to the byte sequence 0x30, 0x82 (this is an \s-1ASN1\s0 \s-1SEQUENCE\s0). Copy all the data from this point onwards to another file and use that as the input Index: src/lib/libcrypto/man/openssl_s_client.1 diff -c src/lib/libcrypto/man/openssl_s_client.1:1.9 src/lib/libcrypto/man/openssl_s_client.1:1.10 *** src/lib/libcrypto/man/openssl_s_client.1:1.9Fri Aug 9 19:15:46 2002 --- src/lib/libcrypto/man/openssl_s_client.1Wed Jan 1 23:43:13 2003 *** *** 1,4 ! .\" $NetBSD: openssl_s_client.1,v 1.9
Re: Once again
Dnia nie 22. of December 2002 02:42, Geoff Thorpe napisał: > * Marcin Giedz ([EMAIL PROTECTED]) wrote: > > Hi, > > > > I think my rectent mail "disappeard". So I reapeat my question: > > > > Is it possible to check how does zlib compression work?? - > > openssl-0.9.7-SNAP20021216 (any values) > > Configure with "zlib" before building openssl (you'll notice a > corresponding -D... flag being used during compilation). Done > If you then use s_server and/or s_client, s_server,s_client - are these programs included in openssl0.9.7 or I have to create them? you should be able to determine from the > handshake information they spit out whether compression is happening. How? Please,any examples??? > The other thing would be to use ssldump to see what the handshake is > agreeing on (or not agreeing on as the case may be), or of course just > plonk some debugging/logging junk into the compression code inside > crypto/comp/ and see if it lights up like a Christmas tree at run-time > (I just had to squeeze a seasonal metaphor in there at some point). Ohhh, I get it!! and I put something like this to the c_zlib.c outfile = fopen("/tmp/openssl.out","a"); fprintf(outfile,"compress(%4d)->%4d %s\n", ilen,(int)l,(clear)?"clear":"zlib"); fclose(outfile); Then I tried ssltest (included into opessl) with -zlib param ./ssltest -zlib -num 1000 and ... nothing!!! What is wrong ??? > > Note, you won't get any compression unless both sides support it. > > Cheers, > Geoff -- Marcin Giedz Warsaw University of Technology Department of Micro & Optoelectronics [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Motherboards with RNG onboard. Anybody know some?
Hi, for a few days now, I've been looking for motherboards with RNG onboard. Intel integrated such device in their chipset, but since this feature is not that interesting as AGPx8, not many motherboard manufacturers point this out. 'till now I actually found only one board from Epox (EP-4BEAV) offering this feature. Does anybody know (or even have) a motherboard with a (T|P)RNG on board? Both Intel and AMD boards would be interesting. Background: At the CCC congress recently in Berlin a discussion came up about randomness problems and somebody (fefe ;)) said, that the Intel solution is not that bad, since the board with it cost only a few cents more and is far better than /dev/(u)random. Maybe someone have more information, since I'm still reading some whitepapers. Regards, Edin_ -- Edin Dizdarevic __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSL_CTX_use_PrivateKey_file
On Tue, Jan 07, 2003 at 04:06:34PM -0800, Fisk, Kevin wrote: > Is there any way to pass a string with the private key, instead of reading it from a >file, such as read it from a database and pass it to the function, without writing it >to disk? Please look into SSL_CTX_use_PrivateKey_ASN1(), which loads the private key from a memory region. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Problem S/MIME and HTML content
Hello the list, I have a problem when I want to sign with S/MIME an HTML mail content. When I sign HTML data (openssl smime -rc2-128 -text -sign -in example.htm -out result.txt -signer cert.pem), OpenSSL adds a Content-Type "text/plain" above my HTML part (see below). So when I receive the e-mail, the mail client displays the HTML code and does not "interpret" it. Do you know a way to force the "Content-Type" of the "content" section to be "text/html" in order to the HTML e-mail can be viewed correctly in a mail client ? or another way to display the signed HTML content correctly in a mail client ? Thank you in advance for your help Stéphane Rozes Example : MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="1FDE4DC326C7942A34BE2E490714CEBD" This is an S/MIME signed message --1FDE4DC326C7942A34BE2E490714CEBD Content-Type: text/plain .. --1FDE4DC326C7942A34BE2E490714CEBD Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" . __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]