Re: Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
On Fri, Jun 06, 2003, rajagopalan ramanujam wrote: > > > Hi Dr Steve, > > Since its an embedded platform it does not have debug > or a serial interface. But i did debug further and > found that OBJ_obj2nid returning 7 (RSA-md2) incase > of www.google.com and it returns 8 (RSA-md5) incase > of thawte.com. > > Basically its failing in EVP_get_digestbyname() > UNKNOWN_MESSAGE_DIGEST_ALGORITH. > > > I have disabled MD2 switch. But looking at the > certificate below, both the server certificates use > RSA-MD5.I dont understand why its returning RSA-md2. > MD2 is used by some VeriSign chains, in particular their roots use it. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
Hi Dr Steve, Since its an embedded platform it does not have debug or a serial interface. But i did debug further and found that OBJ_obj2nid returning 7 (RSA-md2) incase of www.google.com and it returns 8 (RSA-md5) incase of thawte.com. Basically its failing in EVP_get_digestbyname() UNKNOWN_MESSAGE_DIGEST_ALGORITH. I have disabled MD2 switch. But looking at the certificate below, both the server certificates use RSA-MD5.I dont understand why its returning RSA-md2. Google.com --- Certificate: Data: Version: 3 (0x2) Serial Number: 658869 (0xa0db5) Signature Algorithm: md5WithRSAEncryption Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/[EMAIL PROTECTED] Validity Not Before: Mar 23 13:50:41 2003 GMT Not After : Mar 31 18:52:39 2004 GMT Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:ce:88:dc:7e:9a:fa:8b:5d:24:7d:f1:4a:ea:fb: a8:4a:33:9d:9c:ef:22:c9:4d:2f:ac:a0:d3:86:05: 4f:d1:bb:cb:26:a6:f4:93:b4:43:aa:a9:28:b7:71: cf:a4:47:f1:c3:20:41:2d:d4:8a:1c:20:bd:6f:8a: f0:9d:a4:ea:70:65:5d:10:e3:ea:7d:d2:b9:87:f4: 1e:71:60:23:75:60:49:0d:4c:c0:0e:d9:91:d2:3f: 49:74:3f:6c:bf:a1:56:46:1f:99:e6:16:33:02:4e: 06:b6:54:81:58:de:7e:2e:69:1b:f4:76:85:40:46: b3:fe:19:33:26:8c:fb:89:ad Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication, Netscape Server Gated Crypto X509v3 Basic Constraints: critical CA:FALSE Signature Algorithm: md5WithRSAEncryption 92:7d:7f:ce:8f:f9:37:16:d1:53:ec:74:15:2e:94:a8:8e:81: 93:a4:7a:4f:58:73:d2:4c:09:c2:bb:eb:8e:84:66:7e:42:60: 9e:56:a4:89:18:db:1a:bd:f9:9d:a4:6e:53:fb:93:c2:ca:36: a7:f4:3f:95:ad:af:65:36:8b:86:8a:3c:1c:19:aa:fb:63:35: cb:f4:8e:f4:d2:c1:e4:89:6b:21:06:9a:30:8a:5f:c8:0d:8c: 0b:27:82:09:7c:66:91:7e:9a:60:ca:bf:47:2b:d2:1d:51:4e: 94:ec:42:d1:a6:df:b6:27:70:4a:f4:87:4c:0d:13:aa:d7:5e: e4:da www.thawte.com --- Certificate: Data: Version: 3 (0x2) Serial Number: 639573 (0x9c255) Signature Algorithm: md5WithRSAEncryption Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=C ertification Services Division, CN=Thawte Server CA/[EMAIL PROTECTED] awte.com Validity Not Before: Dec 20 15:18:40 2002 GMT Not After : Dec 20 15:18:40 2003 GMT Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting (Pty) L td, OU=Customer Service, CN=www.thawte.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:a4:f0:14:f3:ce:0a:4b:fb:0f:d3:e7:e6:86:8b: 68:25:23:37:8d:cb:a7:34:76:da:df:5d:a5:f2:92: f1:9c:1a:9a:02:47:e6:53:1f:1c:c2:91:8b:47:1e: 58:67:31:b2:17:0d:ab:d9:82:79:26:16:e7:c0:51: 93:3d:be:27:b3:dd:07:24:ff:cd:f6:cf:92:0c:fc: 77:9e:23:72:0c:56:fd:40:a5:d8:46:55:b8:3d:72: 82:05:73:3f:d7:c3:ac:c9:c6:68:7a:02:bc:b8:63: 71:cb:af:88:82:67:a5:81:fe:6e:01:f4:1c:87:23: 96:13:77:4d:2b:1e:f3:aa:f1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Basic Constraints: critical CA:FALSE Signature Algorithm: md5WithRSAEncryption 8d:ac:7c:54:45:35:82:b3:b0:89:2f:8e:93:0a:04:1c:fb:3c: 21:56:97:9b:c9:c8:58:9e:c3:e8:c7:60:06:ba:9e:17:1e:34: 38:f7:2d:16:22:87:2f:77:3d:53:af:eb:11:29:db:1c:32:24: cf:ff:65:6a:15:3c:4b:31:5e:08:4b:f9:7b:2d:0f:2a:93:1f: 32:a6:0e:b4:37:78:e5:8c:34:48:ce:7d:26:91:c0:81:6a:4b: 84:40:d1:af:3b:55:ae:9d:6a:f0:10:56:38:86:f0:d9:af:8c: e6:20:77:37:1f:65:a9:1d:b1:6a:37:44:0f:66:d6:9c:20:42: 07:f9 --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote: > On Fri, Jun 06, 2003, rajagopalan ramanujam wrote: > > > > > hi, > > > > I have defined SSL_library_init rather then > > openSSL_add_all_algorithms to save memory. > > > > I have turned on DES,RC4 in chipers and MD5,SHA in > > message digest. > > > > Could you let me know what could be problem. > > > > I can connect to www.thawte.com and X509_verify > > is successful. And also i have generated > selfsigned > > certificate which are w
Re: Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
On Fri, Jun 06, 2003, rajagopalan ramanujam wrote: > > hi, > > I have defined SSL_library_init rather then > openSSL_add_all_algorithms to save memory. > > I have turned on DES,RC4 in chipers and MD5,SHA in > message digest. > > Could you let me know what could be problem. > > I can connect to www.thawte.com and X509_verify > is successful. And also i have generated selfsigned > certificate which are working too. > > For Ex: www.google.com:443 i cannot connect, > i get error (7). > > See what ERR_print_errors_fp(stderr) gives after a failed verify to see if you can get any more information. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
I tried to openSSL_add_all_algotithms instead of
SSL_library_init but i am still seeing the same
issue.
--- rajagopalan ramanujam <[EMAIL PROTECTED]>
wrote:
>
> hi,
>
> I have defined SSL_library_init rather then
> openSSL_add_all_algorithms to save memory.
>
> I have turned on DES,RC4 in chipers and MD5,SHA in
> message digest.
>
> Could you let me know what could be problem.
>
> I can connect to www.thawte.com and X509_verify
> is successful. And also i have generated selfsigned
> certificate which are working too.
>
> For Ex: www.google.com:443 i cannot connect,
> i get error (7).
>
>
> --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> > On Fri, Jun 06, 2003, rajagopalan ramanujam wrote:
> >
> > > hi,
> > >
> > > I exported thawte server CA and verisign class3
> > > certificates from the browser for testing and
> > > converted to C structure using x509 -C -in
> xxx.cer
> > >
> > > xxx.C and added to my SSL client. Following is
> the
> > > code below.
> > >
> > > I am calling this function in a loop to load the
> > > certificates:
> > >
> > > unsigned char thawte_cert[791] = {
> > > 0x30,0x82...};
> > >
> > > unsigned char verisign_cert[576] = {
> > > 0x30,0x82...};
> > >
> > >
> > > SSL_load_cert(ctx,thawte_cert,791);
> > > SSL_load_cert(ctx,verisign_cert,576);
> > >
> > >
> > > SSL_load_cert(SSL_CTX *ctx,char *c,int size)
> > > {
> > > x = d2i_X509(NULL,&c,size);
> > > cert_store = SSL_CTX_get_cert_store(ctx);
> > > X509_STORE_add_cert(cert_store,x);
> > > return;
> > > }
> > >
> > > I verified the same certificates in .pem format
> > using
> > > openssl s_client and its connects to
> > > www.paypal.com..but when i connect from my
> client
> > it
> > > gives X509_V_ERR_CERT_SIGNATURE_FAILURE.
> > >
> > > If i try connecting to www.thwate.com:443 it
> works
> > but
> > > it gives the same error when i am trying to
> > connect to
> > > other servers with thawte signed certificates.
> > >
> > >
> > > Can anyone plese let me know what's going on
> > >
> >
> > Well I could say read the FAQ...
> >
> > Alternatively since I'm feeling in a good mood
> I'll
> > say its probably a missing
> > OpenSSL_add_all_algorithms(). With appologies in
> > advance if it isn't :-)
> >
> > Steve.
> > --
> > Dr Stephen N. Henson.
> > Core developer of the OpenSSL project:
> > http://www.openssl.org/
> > Freelance consultant see:
> > http://www.drh-consultancy.demon.co.uk/
> > Email: [EMAIL PROTECTED], PGP
> key:
> > via homepage.
> >
>
__
> > OpenSSL Project
> > http://www.openssl.org
> > User Support Mailing List
> > [EMAIL PROTECTED]
> > Automated List Manager
> [EMAIL PROTECTED]
>
>
> __
> Do you Yahoo!?
> Yahoo! Calendar - Free online calendar with sync to
> Outlook(TM).
> http://calendar.yahoo.com
>
__
> OpenSSL Project
> http://www.openssl.org
> User Support Mailing List
> [EMAIL PROTECTED]
> Automated List Manager
[EMAIL PROTECTED]
__
Do you Yahoo!?
Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
http://calendar.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Startup error
I have install apache 1.3.27 with openssl-0.9.7b and mod-ssl2.8.13-1.3.27 This is all running on RH 8.0. I installed the default certificate to play with and all was good. I purchased a certificate from VeriSign and things are so so. When the server starts in the ssl_engine_log I get the following error [warn] Init: (ragnarock.domain.tld:443) RSA server certificate CommonName 'RAGNAROCK' does not match server name!? I have messed with the server name ad nauseum. Any ideas out there? Also since this service runs on a virtual server, should I have the virtual server under a different name then the actual server name? This is a single purpose server only. Thanks All Chris S. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
hi,
I have defined SSL_library_init rather then
openSSL_add_all_algorithms to save memory.
I have turned on DES,RC4 in chipers and MD5,SHA in
message digest.
Could you let me know what could be problem.
I can connect to www.thawte.com and X509_verify
is successful. And also i have generated selfsigned
certificate which are working too.
For Ex: www.google.com:443 i cannot connect,
i get error (7).
--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Fri, Jun 06, 2003, rajagopalan ramanujam wrote:
>
> > hi,
> >
> > I exported thawte server CA and verisign class3
> > certificates from the browser for testing and
> > converted to C structure using x509 -C -in xxx.cer
> >
> > xxx.C and added to my SSL client. Following is the
> > code below.
> >
> > I am calling this function in a loop to load the
> > certificates:
> >
> > unsigned char thawte_cert[791] = {
> > 0x30,0x82...};
> >
> > unsigned char verisign_cert[576] = {
> > 0x30,0x82...};
> >
> >
> > SSL_load_cert(ctx,thawte_cert,791);
> > SSL_load_cert(ctx,verisign_cert,576);
> >
> >
> > SSL_load_cert(SSL_CTX *ctx,char *c,int size)
> > {
> > x = d2i_X509(NULL,&c,size);
> > cert_store = SSL_CTX_get_cert_store(ctx);
> > X509_STORE_add_cert(cert_store,x);
> > return;
> > }
> >
> > I verified the same certificates in .pem format
> using
> > openssl s_client and its connects to
> > www.paypal.com..but when i connect from my client
> it
> > gives X509_V_ERR_CERT_SIGNATURE_FAILURE.
> >
> > If i try connecting to www.thwate.com:443 it works
> but
> > it gives the same error when i am trying to
> connect to
> > other servers with thawte signed certificates.
> >
> >
> > Can anyone plese let me know what's going on
> >
>
> Well I could say read the FAQ...
>
> Alternatively since I'm feeling in a good mood I'll
> say its probably a missing
> OpenSSL_add_all_algorithms(). With appologies in
> advance if it isn't :-)
>
> Steve.
> --
> Dr Stephen N. Henson.
> Core developer of the OpenSSL project:
> http://www.openssl.org/
> Freelance consultant see:
> http://www.drh-consultancy.demon.co.uk/
> Email: [EMAIL PROTECTED], PGP key:
> via homepage.
>
__
> OpenSSL Project
> http://www.openssl.org
> User Support Mailing List
> [EMAIL PROTECTED]
> Automated List Manager
[EMAIL PROTECTED]
__
Do you Yahoo!?
Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
http://calendar.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
For info. MSIE6 xenroll problems. Solved.
Not strictly openssl related but posted here anyway. If anyone can recommend a better place to post this, I would appreciate it. Around the middle of May a number of my users started being unable to apply for certificates from my web based certificate authority using MSIE6. I duplicated this with MSIE6sp1 on Windows2000 and could find no apparent reason. The xenroll would not instanciate in IE no matter what I tried (even the simple example from the MS devnet site). Having had similar problems before, I suspected that it could be a problem with the xenroll itself. As I could not find anything specifically refering to new problems, I resorted to installing likely patches. One of the following patches corrected the problems on my MS PC: 811630 818529 329115 323172 Any users having problems applying for user certificates using the Microsoft xenroll who are using Microsoft Internet Explorer version 6 should be advised that it may not work without upgrading the client with the above "critical" Microsoft patches available from: http://windowsupdate.microsoft.com/ -- Andy Brady Email : [EMAIL PROTECTED] Web Services GroupTel : +44(0)118 9499252 E.C.M.W.F.Fax : +44(0)118 9869450 Shinfield Park, Reading, RG2 9AX Web : http://www.ecmwf.int/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Mutual Authentication
Thank you for your answer. But I used the following command : # openssl pkcs12 -export -in usercert.pem -inkey userkey.pem -out cert.p12 Then I try to install it on my workstation (WinNT) and get a window telling: "Invalid Public Key Security Object File This is an invalid Personal Information Exchange File" I don't understand, the user certificate in x509 format seemed to be valid, I succeed to installed it, indeed without privatekey... Could you help me again ? En réponse à Michael Sierchio <[EMAIL PROTECTED]>: > [EMAIL PROTECTED] wrote: > > > All those certificates are valid, and are in pem and x509 format. > > When I add "SSLVerifyClient require" in httpd.conf, a window "Client > > > Authentication" appear but I can not select any certificate!! > > > > 1- It is important I can't install the user certificate in Personal > tab ? > > 2- It is for this reason I can't select it during the user > authentication ? > > You need not only a certificate, but the private key associated with > it. If you have the two -- usually in a PKCS#12 bundle -- you can > install it as one of yours. Otherwise, certificates are treated as > client certs belonging to "others." HTH > > > -- > > "Well," Brahma said, "even after ten thousand explanations, a fool is > no > wiser, but an intelligent man requires only two thousand five > hundred." > - The Mahabharata > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] > __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Automating Openssl commands
On Fri, Jun 06, 2003, Charles B Cranston wrote: > Steve, the other reason I've been forced to move from x509 to ca > is that ca appears to be the ONLY binary program that can sign > SPKAC files. Is there another way to do this that I have missed? > Well if you need SPKAC support then yes currently you also need to use 'ca'. Similarly if you need to generate CRLs. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
On Fri, Jun 06, 2003, rajagopalan ramanujam wrote:
> hi,
>
> I exported thawte server CA and verisign class3
> certificates from the browser for testing and
> converted to C structure using x509 -C -in xxx.cer >
> xxx.C and added to my SSL client. Following is the
> code below.
>
> I am calling this function in a loop to load the
> certificates:
>
> unsigned char thawte_cert[791] = {
> 0x30,0x82...};
>
> unsigned char verisign_cert[576] = {
> 0x30,0x82...};
>
>
> SSL_load_cert(ctx,thawte_cert,791);
> SSL_load_cert(ctx,verisign_cert,576);
>
>
> SSL_load_cert(SSL_CTX *ctx,char *c,int size)
> {
> x = d2i_X509(NULL,&c,size);
> cert_store = SSL_CTX_get_cert_store(ctx);
> X509_STORE_add_cert(cert_store,x);
> return;
> }
>
> I verified the same certificates in .pem format using
> openssl s_client and its connects to
> www.paypal.com..but when i connect from my client it
> gives X509_V_ERR_CERT_SIGNATURE_FAILURE.
>
> If i try connecting to www.thwate.com:443 it works but
> it gives the same error when i am trying to connect to
> other servers with thawte signed certificates.
>
>
> Can anyone plese let me know what's going on
>
Well I could say read the FAQ...
Alternatively since I'm feeling in a good mood I'll say its probably a missing
OpenSSL_add_all_algorithms(). With appologies in advance if it isn't :-)
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Error reading Cert X509_V_ERR_CERT_SIGNATURE_FAILURE
hi,
I exported thawte server CA and verisign class3
certificates from the browser for testing and
converted to C structure using x509 -C -in xxx.cer >
xxx.C and added to my SSL client. Following is the
code below.
I am calling this function in a loop to load the
certificates:
unsigned char thawte_cert[791] = {
0x30,0x82...};
unsigned char verisign_cert[576] = {
0x30,0x82...};
SSL_load_cert(ctx,thawte_cert,791);
SSL_load_cert(ctx,verisign_cert,576);
SSL_load_cert(SSL_CTX *ctx,char *c,int size)
{
x = d2i_X509(NULL,&c,size);
cert_store = SSL_CTX_get_cert_store(ctx);
X509_STORE_add_cert(cert_store,x);
return;
}
I verified the same certificates in .pem format using
openssl s_client and its connects to
www.paypal.com..but when i connect from my client it
gives X509_V_ERR_CERT_SIGNATURE_FAILURE.
If i try connecting to www.thwate.com:443 it works but
it gives the same error when i am trying to connect to
other servers with thawte signed certificates.
Can anyone plese let me know what's going on
regards,
raj
__
Do you Yahoo!?
Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
http://calendar.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: Startup error
Do I need to include the :443 when I apply for the certificate? Thanks CS -Original Message- From: pablo neira [mailto:[EMAIL PROTECTED] Sent: Friday, June 06, 2003 4:41 AM To: [EMAIL PROTECTED] Subject: Re: Startup error Swenson, Chris wrote: >I have install apache 1.3.27 with openssl-0.9.7b and mod-ssl2.8.13-1.3.27 >This is all running on RH 8.0. >I installed the default certificate to play with and all was good. >I purchased a certificate from VeriSign and things are so so. > >When the server starts in the ssl_engine_log I get the following error >[warn] Init: (ragnarock.domain.tld:443) RSA server certificate CommonName >'RAGNAROCK' does not match server name!? > >I have messed with the server name ad nauseum. Any ideas out there? > > the Common Name of your server certificate should be the FDQN, so it should be "ragnarock.domain.tld" and not "ragnarock", that's why you got that warning message. >Also since this service runs on a virtual server, should I have the virtual >server under a different name then the actual server name? This is a single >purpose server only. > > Cheers, Pablo __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Mutual Authentication
[EMAIL PROTECTED] wrote: All those certificates are valid, and are in pem and x509 format. When I add "SSLVerifyClient require" in httpd.conf, a window "Client Authentication" appear but I can not select any certificate!! 1- It is important I can't install the user certificate in Personal tab ? 2- It is for this reason I can't select it during the user authentication ? You need not only a certificate, but the private key associated with it. If you have the two -- usually in a PKCS#12 bundle -- you can install it as one of yours. Otherwise, certificates are treated as client certs belonging to "others." HTH -- "Well," Brahma said, "even after ten thousand explanations, a fool is no wiser, but an intelligent man requires only two thousand five hundred." - The Mahabharata __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Mutual Authentication
Hello, I would like to use mutual authentication : authenticate the server and the user. I created a CA, a server and a client certificate signed by this CA. I installed the CA certificate on my IE. I tested a connection to my server and the server authentication seems to be good. I installed my user certificate on IE but it appear in "Other People" and not in "Personal" tab. All those certificates are valid, and are in pem and x509 format. When I add "SSLVerifyClient require" in httpd.conf, a window "Client Authentication" appear but I can not select any certificate!! 1- It is important I can't install the user certificate in Personal tab ? 2- It is for this reason I can't select it during the user authentication ? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Automating Openssl commands
Steve, the other reason I've been forced to move from x509 to ca is that ca appears to be the ONLY binary program that can sign SPKAC files. Is there another way to do this that I have missed? Dr. Stephen Henson wrote: On Fri, Jun 06, 2003, pablo neira wrote: Dr. Stephen Henson wrote: On Fri, Jun 06, 2003, Kwan Hon Luen wrote: Hi, How do I automate the signing of server certificate by a CA ? without the following prompt: (1) "Enter PEM pass phrase:" (2) "Sign the certificate?" (3) "commit?" Use the 'x509' utility instead, passphrase can be entered via -passin there are no other prompts. but this way you don't keep the index.txt file the all valid certificates generated, so it seems there's no way to automate the process by using the 'ca' utility, am I right? Well if you need 'ca' you can try the -batch option. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Blinding Breaks Engines?
Here is an email I sent to the list back in March regarding what I think is the
same issue (this was entered into the bug database though, I don't know the bug
number). Basically, I saw the same issue with the ESA Blinding patch when
using a Broadcom card (engine ubsec). If I backed out the patch then the
problem went away. However, I was using 0.9.7a, which did not contain the
patch so it was easy to back out, just don't apply it.
I thought the issue was fixed with the version of the RSA Blinding patch that
worked in multithreaded environments, which I think is what's in 0.9.7b.
However, I have not actually tried 0.9.7b.
-- Jonathan
--- Jonathan Hersch <[EMAIL PROTECTED]> wrote:
> Date: Wed, 26 Mar 2003 19:44:30 -0800 (PST)
> From: Jonathan Hersch <[EMAIL PROTECTED]>
> Subject: Crash with openssl and ubsec and RSA blinding patch (CAN-2003-0147)
> To: [EMAIL PROTECTED]
>
> Hi,
>
> I'm using openssl 0.9.7a with a Broadcom accelerator card (engine type
> ubsec).
> If I apply the patches to rsa_eay.c and rsa_lib.c which fix CAN-2003-0147,
> and
> then try and create an RSA key and CSR at the command line while using the
> Broadcom card then openssl crashes. The command is:
>
> openssl req -engine ubsec -newkey rsa:1024 -sha1 -keyout foo.pem -out
> foo.csr
>
> (I use "foobar" for the password, CN, etc., doesn't matter for the test.)
>
> Doing:
>
> openssl req -newkey rsa:1024 -sha1 -keyout foo.pem -out foo.csr
>
> does not crash.
>
> Similarly, building openssl without the patches avoids the crash, even when
> using -engine ubsec.
>
> After some poking around there is a suspicous looking line of code in
> hw_ubsec.c:ubsec_mod_exp() (which gets called eventually by the blinding
> code),
> here's part of that function:
>
>
> /* Check if hardware can't handle this argument. */
> y_len = BN_num_bits(m);
> if (y_len > max_key_len) {
> UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_SIZE_TOO_LARGE_OR_TOO_SMALL);
> return BN_mod_exp(r, a, p, m, ctx);
> }
>
> if(!bn_wexpand(r, m->top))
> {
> UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_BN_EXPAND_FAIL);
> return 0;
> }
> memset(r->d, 0, BN_num_bytes(m)); /* IS THIS RIGHT ??? */
>
> if ((fd = p_UBSEC_ubsec_open(UBSEC_KEY_DEVICE_NAME)) <= 0) {
> fd = 0;
> UBSECerr(UBSEC_F_UBSEC_INIT, UBSEC_R_UNIT_FAILURE);
> return BN_mod_exp(r, a, p, m, ctx);
> }
>
> if (p_UBSEC_rsa_mod_exp_ioctl(fd, (unsigned char *)a->d, BN_num_bits(a),
> (unsigned char *)m->d, BN_num_bits(m), (unsigned char *)p->d,
> BN_num_bits(p), (unsigned char *)r->d, &y_len) != 0)
> {
> UBSECerr(UBSEC_F_UBSEC_MOD_EXP, UBSEC_R_REQUEST_FAILED);
> p_UBSEC_ubsec_close(fd);
>
> return BN_mod_exp(r, a, p, m, ctx);
> }
>
> Coming into this function from the blinding code the arguments "r" and "a"
> are
> the same BIGNUM. If "r" is zeroed then when the BN_num_bits(a) call is made
> a
> few lines later there is a problem since "a" is now zero.
>
> I don't know the BIGNUM stuff, but this seems suspicious. And removing this
> line of code fixes the problem. Maybe someone who knows this stuff better
> can
> say if it seems ok?
>
> Thanks,
>
> -- Jonathan
>
>
> __
> Do you Yahoo!?
> Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!
> http://platinum.yahoo.com
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
__
Do you Yahoo!?
Yahoo! Calendar - Free online calendar with sync to Outlook(TM).
http://calendar.yahoo.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Automating Openssl commands
On Fri, Jun 06, 2003, pablo neira wrote: > Dr. Stephen Henson wrote: > > >On Fri, Jun 06, 2003, Kwan Hon Luen wrote: > > > > > > > >>Hi, > >> > >>How do I automate the signing of server certificate by a CA ? > >>without the following prompt: > >> > >>(1) "Enter PEM pass phrase:" > >>(2) "Sign the certificate?" > >>(3) "commit?" > >> > >> > >> > > > >Use the 'x509' utility instead, passphrase can be entered via -passin there > >are no other prompts. > > > > but this way you don't keep the index.txt file the all valid > certificates generated, so it seems there's no way to automate the > process by using the 'ca' utility, am I right? > Well if you need 'ca' you can try the -batch option. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Automating Openssl commands
Dr. Stephen Henson wrote: On Fri, Jun 06, 2003, Kwan Hon Luen wrote: Hi, How do I automate the signing of server certificate by a CA ? without the following prompt: (1) "Enter PEM pass phrase:" (2) "Sign the certificate?" (3) "commit?" Use the 'x509' utility instead, passphrase can be entered via -passin there are no other prompts. but this way you don't keep the index.txt file the all valid certificates generated, so it seems there's no way to automate the process by using the 'ca' utility, am I right? Thanks Pablo __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: About the function SSL_CTX_use_PrivateKey_file
On Fri, Jun 06, 2003, Terence Leung wrote: > Dear sir, > I am writing Visual C++ to create secure communication socket. > But when I use the function SSL_CTX_use_PrivateKey_file(), > it always prompt "Enter PEM pass phrase:" to input the pass phrase in the screen. > > I want to ask how can I modify the program so that the program can automatically > input the pass phrase, no need to input it in the console. > Call PEM_read_PrivateKey() and the passphrase can be entered either in the last argument or via a callback. Then pass the EVP_PKEY structure using SSL_CTX_use_PrivateKey(). Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Automating Openssl commands
On Fri, Jun 06, 2003, Kwan Hon Luen wrote: > Hi, > > How do I automate the signing of server certificate by a CA ? > without the following prompt: > > (1) "Enter PEM pass phrase:" > (2) "Sign the certificate?" > (3) "commit?" > Use the 'x509' utility instead, passphrase can be entered via -passin there are no other prompts. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
More CRL questions
I'd like to aperiodically update my CRL. Is there a way that I can tell the x509 store to flush a CRL from it's cache, so that it reloads the CRL on the next connection? If the CRL is reloaded, is there a way to examine existing connections to see if their certificate has been revoked? Thanks for all the help with my newby questions! David __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: About the function SSL_CTX_use_PrivateKey_file
You have private key protected by password. To solve this, type: OpenSSL>rsa -in -out ?ukasz Wojcicki e-mail: [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Minimum RSA Key length ?
On Thu, Jun 05, 2003, [EMAIL PROTECTED] wrote: > Are we at cross-purposes here? I'm referring to server certificates, not > client certificates (about which I am completely clueless as I currently > have no business reason to use them). > > Anyway, the proof of the pudding is in the eating. Can you point me to a > secure site that uses a key size >1024 bits? I can't find one for love nor > money. > I don't know of any public sites but its easy enough to do a test. I made a sample self signed certificate with an 8192 bit key: openssl req -x509 -nodes -keyout x.pem -out x.pem -newkey rsa:8192 Then pointed the test server at it: openssl s_server -cert x.pem -www -port 443 Then putting https://127.0.0.1/ into browsers and clicking past the warnings brought up the test page on two browsers, Mozilla 1.3 and MSIE 6.0. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Minimum RSA Key length ?
[EMAIL PROTECTED] wrote: Anyway, the proof of the pudding is in the eating. Can you point me to a secure site that uses a key size >1024 bits? I can't find one for love nor money. This root certificate was found in the binary code for Netscape 7 Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=America Online Inc., CN=America Online Root Certification Authority 2 Validity Not Before: May 28 06:00:00 2002 GMT Not After : Sep 29 14:08:00 2037 GMT Subject: C=US, O=America Online Inc., CN=America Online Root Certification Authority 2 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (4096 bit) == Modulus (4096 bit): 00:cc:41:45:1d:e9:3d:4d:10:f6:8c:b1:41:c9:e0: 5e:cb:0d:b7:bf:47:73:d3:f0:55:4d:dd:c6:0c:fa: b1:66:05:6a:cd:78:b4:dc:02:db:4e:81:f3:d7:a7: ... === There used to be a 16384 bit root certificate in Netscape 6 but I see it has been removed. It belonged to Thawte. === grep Modulus foombar | sort | uniq -c 1 Modulus (1000 bit): 38 Modulus (1024 bit): 26 Modulus (2048 bit): 2 Modulus (4096 bit): So, slightly less than half the commercial roots have moved to 2048 bits and several have moved to 4096. These are the numbers for the old Netscape 6: 1 Modulus (1000 bit): 54 Modulus (1024 bit): 1 Modulus (16384 bit): 34 Modulus (2048 bit): 1 Modulus (4096 bit): This should give you a pretty good snapshot of what the people who can pay Netscape $250,000 dollars a shot to have their roots included are doing... -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
About the function SSL_CTX_use_PrivateKey_file
Dear sir, I am writing Visual C++ to create secure communication socket. But when I use the function SSL_CTX_use_PrivateKey_file(), it always prompt "Enter PEM pass phrase:" to input the pass phrase in the screen. I want to ask how can I modify the program so that the program can automatically input the pass phrase, no need to input it in the console. Looking forward to your reply. Your help will be much appreciated. Best Regards, Terence Leung
RE: differentiate incoming data
> Hi everyone,
>
> when BIO_puts writes data after a handshake, is the data encrypted during
> the send?
Yes. You *can't* send unencrypted data over an SSL connection (unless you
negotiate a null cipher).
> I want to write a server to run to accept data from one
> connection(insecure) and encrypt it and send it to a process waiting on
> another server and from there decrypt it and send it to another
> process(port forwarding?) Now in that case each of the two servers will
> need to accept data from two sources and also depending on which source
> the data appears to come from needs to encrypt/decrypt data and send it
> accordingly.
Okay.
> How can i differentiate between encrypted and unencrypted
> data. or can i identify sources from the data hearders? What are the
> api's i can use.
You're writing the server, so you should know which connection is which.
You can keep, for each connection, a flag indicating whether it's encrypted
or not and a pointer to the associated peer connection.
> also which api's can be used to write/read such data.?
For encrypted data, just use the OpenSSL APIs. For unencrypted data, use
the normal network APIs.
Your question is one of those questions where what you're trying to do is
so simple that there's no way in general to answer your question to your
satisfaction. I have no idea what part of the problem you're having
difficulty with.
As you described things, if you make the connection outbound, it's SSL. If
you received the connection inbound, it's plaintext. So just keep track.
Maybe:
typedef struct
{
int peer_fd;
SSL *ssl;
} connection;
Just use an array of these indexed off the file descriptor. You can use a
'peer_fd' of -1 to indicate inactive and you can use an 'ssl' of NULL to
indicate an unencrypted connection.
If you need to *receive* both SSL and plaintext connections inbound, the
simplest solution is to use two different ports.
DS
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Minimum RSA Key length ?
Dear John- I have used >1024 certs on my test 2k server for SSL connections to a browser, no problem. Encryption confirmed with a pacekt sniffer. As PK encryption is a hybrid, the use of resource intensive Asymmetric encryption (RSA or DH public key) is reserved for securely exchanging the 128 bit session key so that the connection can then use resource efficient symmetric encryption (3des, CAST5, IDEA, AES, TwoFish) for the data transmission. Since the certificate is used solely for authentication and session key exchange, its size is not a factor except in high volume sites where it may be a drag on responses. If volume was not a major consideration, and data security was...I would use a large key and better symmetric algorithms for things like a IPSec VPN, a "lite" VPN through SSL, or http over SSL. As I said, the literature by respected cryptographers supposes that 1024 bit asymmetric/90 bit symmetric keys are in danger or have been broken by now. The Bernstein paper suggests a work reduction of those suppositions by 1/3. So , if he is correct (jury is out but no major flaws found) a 1024 bit cert is really about 683 bits in effective strength. That would give you the session key for that particular SSL session and decrypt it. Who and why anyone would want to do that depends on your threat model. > Anyway, the proof of the pudding is in the eating. Can you point me to a > secure site that uses a key size >1024 bits? I can't find one for love nor > money. > Why commercial CAs don't issue larger certs may be the volume/work load factor. Maybe its business, larger one's now would be an admission that 1024 bits are compromised. I know Thawte will trigger and sign 2048 bit personal certificates created in a Mozilla browser. But in any case, you can create a server certificate of any size using OpenSSL. The benefit of going with a commercial CA is that they are listed in the Root Stores of the browsers. However, adding a Root cert to those stores is very easy. If you can securely distribute a Root (either out of channel or get visitors to your site to install them), then you can offer a better level of security for the data exchanged over SSL. Yours- Ridge [EMAIL PROTECTED] wrote: -Original Message- From: Ridge Cook [mailto:[EMAIL PROTECTED] Sent: 03 June 2003 03:10 To: [EMAIL PROTECTED] Subject: Re: Minimum RSA Key length ? >>>To answer your other question, I don't believe there are >>any browsers that can accept a RSA key > 1024 bits. I did look into this >>last year as I was >>>creating a new SSL key but was advised by the Thawte >>representative that >>>although I could create a certificate with this size key, >>it wouldn't work. The Thawte Rep was incorrect. I have imported and used certificates/RSA v3 keys of 4096 bit size and higher in Internet Explorer and Mozilla. > Anyway, the proof of the pudding is in the eating. Can you point me to a > secure site that uses a key size >1024 bits? I can't find one for love nor > money. Are we at cross-purposes here? I'm referring to server certificates, not client certificates (about which I am completely clueless as I currently have no business reason to use them). - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] What is "real"? How do you define "real"? If you're talking about what you can feel, what you can smell, what you can taste and see, then "real" is simply electrical signals interpreted by your brain... (Morpheus, The Matrix, 1999) - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://ww
Re: Startup error
Swenson, Chris wrote: I have install apache 1.3.27 with openssl-0.9.7b and mod-ssl2.8.13-1.3.27 This is all running on RH 8.0. I installed the default certificate to play with and all was good. I purchased a certificate from VeriSign and things are so so. When the server starts in the ssl_engine_log I get the following error [warn] Init: (ragnarock.domain.tld:443) RSA server certificate CommonName 'RAGNAROCK' does not match server name!? I have messed with the server name ad nauseum. Any ideas out there? the Common Name of your server certificate should be the FDQN, so it should be "ragnarock.domain.tld" and not "ragnarock", that's why you got that warning message. Also since this service runs on a virtual server, should I have the virtual server under a different name then the actual server name? This is a single purpose server only. Cheers, Pablo __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: a new command in openssl
Hi! --- Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> a écrit : > In message > <[EMAIL PROTECTED]> > on Thu, 5 Jun 2003 02:11:40 +0200 (CEST), mohamed > zhaounia <[EMAIL PROTECTED]> said: > > mzhaounia> First, I am so thankful for your > suggestion. > mzhaounia> Well, i have added my cammand in > apps/Makefile.ssl,but > mzhaounia> the openssl doesn't see it:( > mzhaounia> About progs.pl have you please any idea > if it is > mzhaounia> necessary to change it or not and if it > is so how > mzhaounia> could i make that because am not expert > in perl:) > > There should be no need to change progs.pl. > > Quick question, is this on Unix or wome other OS? > If non-Unix, there > are some extra things needed. I am working with RED Hat 8.0. Well i think that you have reason because as you suggested i deleted progs.h and after making the whole code progs.h was generated.The problem was that it was generated succefully that means it includes the functions that i added but the prompt openssl does not see the command:( I can't really understand the problem because it seems that everything is OK.For example when i configure openssl it can see the directories that i added and when making apps the .obj of my command is generated but the unique problem is the .exe still not exist:( I have a question please, is the problem in openssl.c because i did not change this file( except by adding in the header the include library that i created ) since there is no specific thing to change there. Please i need you help!! Thank you for all your suggestions. ___ Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en français ! Yahoo! Mail : http://fr.mail.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Automating Openssl commands
Hi, How do I automate the signing of server certificate by a CA ? without the following prompt: (1) "Enter PEM pass phrase:" (2) "Sign the certificate?" (3) "commit?" Thanks. Hon Luen F:\openssl_test>openssl ca -policy policy_anything -out test_cert.pem -config test.conf -infiles test_new.pem Using configuration from test.conf Loading 'screen' into random state - done Enter PEM pass phrase: Check that the request matches the signature Signature ok The Subjects Distinguished Name is as follows countryName :PRINTABLE:'AU' stateOrProvinceName :PRINTABLE:'AU' localityName :PRINTABLE:'AU' organizationName :PRINTABLE:'TEST' organizationalUnitName:PRINTABLE:'TEST' commonName:PRINTABLE:'192.168.168.222' Certificate is to be certified until Jun 5 08:25:47 2004 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated - Original Message - From: "Michael Czapski" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Wednesday, June 04, 2003 4:53 AM Subject: RE: Automating Openssl commands > You could try something like: > > echo [ req ] > abc\abc_csr.conf > echo distinguished_name=req_distinguished_name >> abc\abc_csr.conf > echo req_extensions = v3_req >> abc\abc_csr.conf > echo prompt=no >> abc\abc_csr.conf > echo [ req_distinguished_name ] >> abc\abc_csr.conf > echo C=AU >> abc\abc_csr.conf > echo ST=New South Wales >> abc\abc_csr.conf > echo L=Sydney >> abc\abc_csr.conf > echo O=Doddgy Brothers Very Limited >> abc\abc_csr.conf > echo OU=Security Division >> abc\abc_csr.conf > echo [EMAIL PROTECTED] >> abc\abc_csr.conf > echo [EMAIL PROTECTED] >> abc\abc_csr.conf > echo [ v3_req ] >> abc\abc_csr.conf > echo basicConstraints = critical,CA:FALSE >> abc\abc_csr.conf > echo keyUsage = nonRepudiation, digitalSignature, keyEncipherment, > dataEncipherment, keyAgreement >> abc\abc_csr.conf > echo extendedKeyUsage=emailProtection,clientAuth >> abc\abc_csr.conf > > .\bin\openssl req -outform PEM -out abc\abc.pem.csr -key > abc\abc.pem.private.key -keyform PEM -sha1 -days 700 -new -config > abc\abc_csr.conf -passin pass:somepassphrase > > Cheers > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Kwan Hon Luen > Sent: Tuesday, June 03, 2003 5:31 PM > To: [EMAIL PROTECTED] > Cc: [EMAIL PROTECTED] > Subject: Re: Automating Openssl commands > > Hi , > > Thanks. > > How do I automate the creation of certificate as well by supplying the > following attributes? > > countryName > stateOrProvinceName > localityName > organizationName > organizationalUnitName > commonName > > Thanks. > > Hon Luen > > > > - Original Message - > From: "Marcus Carey" <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Tuesday, June 03, 2003 3:23 PM > Subject: Re: Automating Openssl commands > > > > Under the request section in the openssl.cnf file add the password > > parameters. > > > > [req] > > input_password = > > output_password = > > > > Marcus > > > > - Original Message - > > From: "Kwan Hon Luen" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Monday, June 02, 2003 7:07 PM > > Subject: Automating Openssl commands > > > > > > > Hi , > > > > > > I am currently using Openssl to generate CA and server/client key certs. > > > > > > Right now, the Openssl prompt me for password when generating CA > key/cert: > > > > > > openssl req -new -x509 -days 3650 -keyout cakey.pem -out > > > trusted_ca_cert.pem -config openssl.cnf > > > > > > (1) Is there a way to use the password as a parameter so that I can > create > > > the CA key/cert with just one command, without any password prompting? > > > > > > The command below is for generating client/server key/cert. It prompt me > > for > > > password, the CN, etc. > > > > > > openssl req -new -keyout test_key.pem -out test_request.pem -config > > > openssl.cnf > > > > > > (2) Is there a way to use the password, CN,etc as parameters so that I > can > > > create the CA key/cert with just one command, without any password, CN, > > etc > > > prompting? > > > > > > The command below is for certifying the client/server cert using the CA. > > It > > > prompt me to approve the certifying. > > > > > > openssl ca -policy policy_anything -out test_cert.pem -config > > > openssl.cnf -infiles test_new.pem > > > > > > (3) Is there a way to use parameter such that the command will not > prompt > > me > > > to confirm certifying the certificate? > > > > > > Thanks. > > > > > > Hon Luen > > > > > > __ > > > OpenSSL Project http://www.openssl.org > > > User Support Mailing List[EMAIL PROTECTED] > > > Automated List Manager [EMAIL PROTECTED] > > > > > > --- > > Outgoing mail is certified Virus Free. > > Checked by AVG an
revoking the OCSP responder certificate
Hi everyone, I just revoked the OCSP responder certificate as you can see: file index.txt -- R 040530223109Z 030605151409Z 03 unknown /C=ES/ST=Andalusia/L=Seville/O=Mazinger Z inc./OU=pepe/CN=OCSP responder prueba 2/emailAddress=ocsp - end of index.txt - openssl ocsp -index private/index.txt -port 8890 -CA private/cacert.crt -rsigner certs/3.crt -rkey key/3.key -text -out log.txt certs/3.crt is the file which contents the certificate and key/3.key contents the private key. It still works as OCSP responder whether it even returned info about its status (revoked). What shall I do if I want to revoke the OCSP responder certificate? by using a CRL? Thank you, Pablo __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Minimum RSA Key length ?
> -Original Message- > From: Ridge Cook [mailto:[EMAIL PROTECTED] > Sent: 03 June 2003 03:10 > To: [EMAIL PROTECTED] > Subject: Re: Minimum RSA Key length ? > > > >>>To answer your other question, I don't believe there are > >>any browsers that can accept a RSA key > 1024 bits. I did > look into this > >>last year as I was > >>>creating a new SSL key but was advised by the Thawte > >>representative that > >>>although I could create a certificate with this size key, > >>it wouldn't work. > > The Thawte Rep was incorrect. I have imported and used > certificates/RSA v3 > keys of 4096 bit size and higher in Internet Explorer and Mozilla. > Are we at cross-purposes here? I'm referring to server certificates, not client certificates (about which I am completely clueless as I currently have no business reason to use them). Anyway, the proof of the pudding is in the eating. Can you point me to a secure site that uses a key size >1024 bits? I can't find one for love nor money. - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] What is "real"? How do you define "real"? If you're talking about what you can feel, what you can smell, what you can taste and see, then "real" is simply electrical signals interpreted by your brain... (Morpheus, The Matrix, 1999) - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
