Re: *param_dup() C++
On Mon, Nov 22, 2004, J.T. Conklin wrote:

> The TAO SSLIOP implementation uses openssl, but does not compile with some C++ compilers (including current versions of g++) due to what appears to be problems with the DSAparams_dup() and DHparams_dup() macros.
>
> This bit of code is similar to that in TAO's SSLIOP_EVP_PKEY.cpp. It compiles fine with gcc, but fails with g++. I'm using gcc 3.3.3 and openssl 0.9.7d as distributed with NetBSD 2.0RC4, and gcc 3.3 and openssl 0.9.7b as distributed with MacOSX 10.3.6 Panther. I've also reproduced the same problem with gcc 3.4.2.
>
> Compiling this code:
>
>     #include <openssl/asn1.h>
>     #include <openssl/dsa.h>
>     #include <openssl/dh.h>
>
>     DSA *
>     duplicate_dsa(DSA *dsa)
>     {
>         return DSAparams_dup(dsa);
>     }
>
>     DH *
>     duplicate_dh(DH *dh)
>     {
>         return DHparams_dup(dh);
>     }
>
> Yields:
>
>     $ g++ -O2 -c ssl.cc
>     ssl.cc: In function `DSA* duplicate_dsa(DSA*)':
>     ssl.cc:9: error: invalid conversion from `int (*)()' to `int (*)(...)'
>     ssl.cc:9: error: invalid conversion from `char*(*)()' to `char*(*)(...)'
>     ssl.cc: In function `DH* duplicate_dh(DH*)':
>     ssl.cc:15: error: invalid conversion from `int (*)()' to `int (*)(...)'
>     ssl.cc:15: error: invalid conversion from `char*(*)()' to `char*(*)(...)'
>
> I'm not quite sure whether it's TAO, g++, or openssl that's at fault, but I'd appreciate any pointers.

The problem is that *_dup() are all macros and there's a conflict between the C definition of func() (undefined parameters) and the C++ version (no parameters).

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
Re: X509_STORE_CTX_init function
On Mon, Nov 22, 2004, dragos liciu wrote:

> Hi,
>
> I would like to hear somebody's opinion about the issue below (couldn't figure it out from the code). The question is related to the fourth parameter of the X509_STORE_CTX_init function (I've implemented an SSL client):
>
>     int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
>                             X509 *x509, STACK_OF(X509) *chain);
>
> Should the fourth parameter contain the whole certificate chain received from an SSL server including the server certificate (I pass this one as the third parameter anyway), or must the server's certificate be removed from the chain before passing it to the X509_STORE_CTX_init function? The only way I could make certificate verification work was to remove the server's certificate from the chain (though I've seen some code snippets suggesting the contrary).

The fourth parameter is a collection of any certificates that might help the verify process. It will normally be searched for untrusted CAs. It can contain other certificates in the expected path, unrelated certificates or none at all. There are several places in OpenSSL (including the S/MIME code) where the whole path and unrelated certificates are passed in that parameter.

What error do you get during verify?

Steve.
Re: Certificate validation failure, Successful
Jason,

I'm glad to hear that someone else has a similar scenario working. I am a little bit new to this. I am publishing the CRL with Apache. I placed a copy of the file in the default DocumentRoot in a folder named crl. I can access the file from Internet Explorer. How do I ensure that the URL is application/x-x509-crl? Is this something that can be generated into the DER encoded crl using openssl?

Also, rather than just making a copy of the crl file and placing it in a different location for publishing, do I need to maintain the openssl CA directory structure for this to work?

Thank you in advance for your assistance.

Richard A. Faulk Jr., MCSE, ASE, CCA, Linux+
Plummer Slade, Inc.
Tel: (412)261-5600 x226
[EMAIL PROTECTED]
http://www.plummerslade.com

----- Original Message -----
From: Jason Haar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 22, 2004 20:30
Subject: Re: Certificate validation failure, Successful

> We do this here. Ensure your URLs are application/x-x509-crl, and the CRL is DER encoded and you'll be fine.
>
> Cisco did a real good job with their PKI support in the VPN-3000 series - I wish I could say the same for IOS (our CA has a serial number of 0, and IOS refuses to trust a CA with a serial < 1. Strange - I always thought 0 was an integer as required by the SSL RFCs... :-()
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Re: Certificate validation failure, Successful
On Tue, Nov 23, 2004, Jason Haar wrote:

> Cisco did a real good job with their PKI support in the VPN-3000 series - I wish I could say the same for IOS (our CA has a serial number of 0, and IOS refuses to trust a CA with a serial < 1. Strange - I always thought 0 was an integer as required by the SSL RFCs... :-()

The RFCs were a bit ambiguous on that score. Various people have said since that 0 shouldn't be used as a serial number, so OpenSSL doesn't do this by default in the very latest versions (it uses a random 64 bit serial number instead). Various public CAs have zero as a serial number: some of the Thawte ones for example.

However that's just the rules for generating serial numbers. As is usual the criteria for acceptance are more general. For example in RFC3280 4.1.2.2:

    Non-conforming CAs may issue certificates with serial numbers that are
    negative, or zero. Certificate users SHOULD be prepared to gracefully
    handle such certificates.

Steve.
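A verifier-side decoder for the serialNumber INTEGER that follows the RFC 3280 advice Steve quotes: zero and negative serials are decoded and flagged for logging rather than refused, while a broken DER encoding is still rejected. This is an added example, not OpenSSL's code; the sample encodings are constructed and the names parse_serial, serial_verdict and serial_t are my own.

```c
#include <stddef.h>
#include <string.h>

typedef struct {
    int negative;            /* INTEGER < 0: forbidden for conforming CAs, but seen in the wild */
    size_t mag_len;          /* magnitude bytes, big-endian, positive sign padding stripped */
    unsigned char mag[20];   /* RFC 3280 4.1.2.2: verifiers MUST handle values up to 20 octets */
} serial_t;

/* Parse one DER INTEGER (tag 0x02, short-form length) from der[0..len).
 * Returns bytes consumed, 0 if the encoding is malformed, -1 if the value
 * needs more than 20 octets (beyond what RFC 3280 obliges a verifier to take). */
int parse_serial(const unsigned char *der, size_t len, serial_t *out)
{
    size_t clen, skip, k;
    int carry;

    if (len < 2 || der[0] != 0x02) return 0;
    clen = der[1];
    if ((clen & 0x80) || clen == 0 || len < 2 + clen) return 0;
    /* DER requires the shortest encoding: no redundant 0x00 / 0xff lead byte. */
    if (clen > 1 && der[2] == 0x00 && !(der[3] & 0x80)) return 0;
    if (clen > 1 && der[2] == 0xff &&  (der[3] & 0x80)) return 0;

    memset(out, 0, sizeof *out);
    out->negative = (der[2] & 0x80) != 0;
    /* A positive value whose top bit is set carries one 0x00 sign byte. */
    skip = (!out->negative && clen > 1 && der[2] == 0x00) ? 1 : 0;
    out->mag_len = clen - skip;
    if (out->mag_len > sizeof out->mag) return -1;
    memcpy(out->mag, der + 2 + skip, out->mag_len);

    if (out->negative) {     /* two's complement -> magnitude: invert, add one */
        carry = 1;
        for (k = out->mag_len; k-- > 0; ) {
            unsigned v = (unsigned)(~out->mag[k] & 0xff) + (unsigned)carry;
            out->mag[k] = (unsigned char)(v & 0xff);
            carry = (int)(v >> 8);
        }
    }
    return (int)(2 + clen);
}

int serial_is_zero(const serial_t *s)
{
    size_t k;
    for (k = 0; k < s->mag_len; k++)
        if (s->mag[k] != 0) return 0;
    return 1;
}

enum serial_status { SERIAL_MALFORMED, SERIAL_OK, SERIAL_NONCONFORMING };

/* The policy the thread argues for: a zero or negative serial marks a
 * non-conforming CA but the certificate is still processed (log it, do not
 * reject it); only a broken encoding is refused outright. */
enum serial_status serial_verdict(const unsigned char *der, size_t len)
{
    serial_t s;
    if (parse_serial(der, len, &s) <= 0) return SERIAL_MALFORMED;
    if (s.negative || serial_is_zero(&s)) return SERIAL_NONCONFORMING;
    return SERIAL_OK;
}

/* Check helper: does der decode to the given sign and lowercase hex magnitude? */
int serial_matches(const unsigned char *der, size_t len, int want_negative, const char *want_mag_hex)
{
    static const char hexdigits[] = "0123456789abcdef";
    char hex[41];                /* 20 magnitude bytes as hex, plus NUL */
    serial_t s;
    size_t k;
    if (parse_serial(der, len, &s) <= 0 || s.negative != want_negative) return 0;
    for (k = 0; k < s.mag_len; k++) {
        hex[2 * k]     = hexdigits[s.mag[k] >> 4];
        hex[2 * k + 1] = hexdigits[s.mag[k] & 0x0f];
    }
    hex[2 * k] = '\0';
    return strcmp(hex, want_mag_hex) == 0;
}

/* Constructed sample encodings (not taken from any real certificate). */
const unsigned char SER_ZERO[]     = { 0x02, 0x01, 0x00 };              /* 0: the case IOS rejects */
const unsigned char SER_NEG_ONE[]  = { 0x02, 0x01, 0xff };              /* -1 */
const unsigned char SER_NEG_256[]  = { 0x02, 0x02, 0xff, 0x00 };        /* -256 */
const unsigned char SER_255[]      = { 0x02, 0x02, 0x00, 0xff };        /* 255, sign byte required */
const unsigned char SER_RANDOM64[] = { 0x02, 0x08, 0x3c, 0x91, 0xa7, 0x02, 0x5e, 0xd4, 0x10, 0x7b };
const unsigned char SER_NONMIN[]   = { 0x02, 0x02, 0x00, 0x7f };        /* redundant sign byte */
const unsigned char SER_TRUNC[]    = { 0x02, 0x05, 0x01 };              /* length runs past buffer */
```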
cacert.pem selfsigned certificate problem
Hello

I am trying to set up an SSL access to LDAP following http://www.openldap.org/faq/data/cache/185.html. I created my CA and signed the certificates for the server and client but I still get a 'self signed error'. I checked and I saw that it was because of cacert.pem which is self-signed.

Question: how to solve this??? (Do I have to sign the CA certificate by another CA? And how?)

Thank you very much
Re: *param_dup() C++
Dr. Stephen Henson [EMAIL PROTECTED] writes:

> > I'm not quite sure whether it's TAO, g++, or openssl that's at fault, but I'd appreciate any pointers.
>
> The problem is that *_dup() are all macros and there's a conflict between the C definition of func() (undefined parameters) and the C++ version (no parameters).

While it would be useful if openssl was changed so that the entire API could be used by both C++ and C, I'll need to add a workaround for TAO anyway so it will work with older versions of openssl. I think I can work around this by having C-language functions that wrap the *_dup() macros which are called by the C++ method.

Thanks.

--jtc
--
J.T. Conklin
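The workaround J.T. describes, as an added example rather than TAO's or OpenSSL's code: the macro is expanded only inside a C translation unit, which exports a plain function with C linkage for the C++ side to call. The DH type, the i2d/d2i pair, ASN1_dup() and the DHparams_dup() macro here are constructed stand-ins shaped like the 0.9.7 ones so the file builds without libcrypto (real code would include <openssl/dh.h> instead), and the wrapper name tao_DHparams_dup is hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* ---- constructed stand-in for the relevant pieces of the 0.9.7 headers ---- */
typedef struct dh_st { long p; long g; } DH;   /* the real DH holds BIGNUMs */

/* i2d: serialise the parameters, advancing *out; returns the byte count. */
static int i2d_DHparams(const DH *dh, unsigned char **out)
{
    if (out != NULL && *out != NULL) {
        memcpy(*out, dh, sizeof *dh);
        *out += sizeof *dh;
    }
    return (int)sizeof *dh;
}

/* d2i: decode into a freshly allocated DH, advancing *in. */
static DH *d2i_DHparams(DH **a, const unsigned char **in, long len)
{
    DH *dh;
    if (len < (long)sizeof *dh) return NULL;
    dh = malloc(sizeof *dh);
    if (dh == NULL) return NULL;
    memcpy(dh, *in, sizeof *dh);
    *in += sizeof *dh;
    if (a != NULL) *a = dh;
    return dh;
}

typedef int (*i2d_fn)(const DH *, unsigned char **);
typedef DH *(*d2i_fn)(DH **, const unsigned char **, long);

/* Dup by encode/decode round trip, shaped like 0.9.7's ASN1_dup(): the
 * parameters are old-style `int (*)()` pointers (unspecified arguments in C,
 * a no-argument prototype in C++), which is the mismatch g++ complains about. */
static char *ASN1_dup(int (*i2d)(), char *(*d2i)(), char *x)
{
    i2d_fn enc = (i2d_fn)i2d;       /* cast back to prototyped types before calling */
    d2i_fn dec = (d2i_fn)d2i;
    unsigned char *buf, *p;
    const unsigned char *q;
    DH *copy;
    int len;

    if (x == NULL) return NULL;
    len = enc((const DH *)x, NULL);
    buf = malloc((size_t)len);
    if (buf == NULL) return NULL;
    p = buf;
    enc((const DH *)x, &p);
    q = buf;
    copy = dec(NULL, &q, len);
    free(buf);
    return (char *)copy;
}

#define DHparams_dup(x) \
    (DH *)ASN1_dup((int (*)())i2d_DHparams, (char *(*)())d2i_DHparams, (char *)(x))
/* ------------------------------ end of stand-in ------------------------------ */

/* What the wrapper's header exports: a plain function with C linkage, so the
 * C++ method calls this instead of expanding the macro itself. */
#ifdef __cplusplus
extern "C" {
#endif
DH *tao_DHparams_dup(DH *dh);   /* hypothetical name */
#ifdef __cplusplus
}
#endif

/* The body lives in this C translation unit, where the K&R-style casts in the
 * macro are legal, so the C++ compiler never sees them. */
DH *tao_DHparams_dup(DH *dh)
{
    return DHparams_dup(dh);
}

/* Self-check: the copy is a distinct object with equal parameters, and NULL
 * passes through as NULL.  Returns 1 on success. */
int dup_roundtrip_ok(void)
{
    DH orig = { 23, 5 };        /* constructed toy values, not real DH parameters */
    DH *copy = tao_DHparams_dup(&orig);
    int ok = copy != NULL && copy != &orig && copy->p == 23 && copy->g == 5;
    free(copy);
    return ok && tao_DHparams_dup(NULL) == NULL;
}
```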
HMAC-128
Hi Everyone,

I know that OpenSSL has the following HMAC(EVP_sha1(), ...) which supports 160 bits. But does OpenSSL support HMAC-128 as well? If yes, could you please tell me where/how I can get information about it. If no, could you point me to a place where I can get it.

The OpenSSL version that I am using is openssl-0.9.7d.

Thanks,
Elie

Elie Lalo
Senior Software Engineer
Desktop Technologies Group
1414 Mass Avenue
Boxborough, MA 01719
Cisco Systems, Inc.
Tel: (978)936-1160
Fax: (978)936-2212
Url: www.cisco.com
Re: Certificate validation failure, Successful
I just tried setting the crl file to DER encoding and specified that files with .crl extensions are application/x-x509-crl. I am still receiving the certificate validation failure error on the Cisco concentrator. Is there anything else that I need to do? Am I doing something wrong?

Thanks,

Richard A. Faulk Jr., MCSE, ASE, CCA, Linux+
Plummer Slade, Inc.
Tel: (412)261-5600 x226
[EMAIL PROTECTED]
http://www.plummerslade.com

----- Original Message -----
From: Richard A. Faulk Jr. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 23, 2004 08:07
Subject: Re: Certificate validation failure, Successful

> Jason,
>
> I'm glad to hear that someone else has a similar scenario working. I am a little bit new to this. I am publishing the CRL with Apache. I placed a copy of the file in the default DocumentRoot in a folder named crl. I can access the file from Internet Explorer. How do I ensure that the URL is application/x-x509-crl? Is this something that can be generated into the DER encoded crl using openssl?
>
> Also, rather than just making a copy of the crl file and placing it in a different location for publishing, do I need to maintain the openssl CA directory structure for this to work?
>
> Thank you in advance for your assistance.
>
> Richard A. Faulk Jr., MCSE, ASE, CCA, Linux+
> Plummer Slade, Inc.
>
> ----- Original Message -----
> From: Jason Haar [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, November 22, 2004 20:30
> Subject: Re: Certificate validation failure, Successful
>
> > We do this here. Ensure your URLs are application/x-x509-crl, and the CRL is DER encoded and you'll be fine.
> >
> > Cisco did a real good job with their PKI support in the VPN-3000 series - I wish I could say the same for IOS (our CA has a serial number of 0, and IOS refuses to trust a CA with a serial < 1. Strange - I always thought 0 was an integer as required by the SSL RFCs... :-()
> >
> > --
> > Cheers
> >
> > Jason Haar
> > Information Security Manager, Trimble Navigation Ltd.
Re: cacert.pem selfsigned certificate problem
On Tue, Nov 23, 2004, Florin Angelescu wrote:

> Hello
>
> I am trying to set up an SSL access to LDAP following http://www.openldap.org/faq/data/cache/185.html. I created my CA and signed the certificates for the server and client but I still get a 'self signed error'. I checked and I saw that it was because of cacert.pem which is self-signed.
>
> Question: how to solve this??? (Do I have to sign the CA certificate by another CA? And how?)
>
> Thank you very much

Firstly I'd suggest you use CA.pl instead of CA.sh which is older.

What is giving you the error? If it's a client then you'd need to include a command line switch or configuration option telling it to include 'cacert.pem' in its trusted list of CAs.

Steve.
Reverse engineering program protocol under ssl
Hello all,

I'm looking to locally reverse engineer a network protocol that's encrypted using ssl. The program runs under windows and is using ssl dll's. I'm currently trying to work out the easiest solution, and am looking for suggestions.

I'm considering either trying to wrap the dll's to read data passed to/from ssl_read/ssl_write, or recompiling the dll's to print the key after the key exchange. Can anyone think of a better way to do this? I can't be the first person looking for this, but I looked through the archive, and online, to no avail. Any ideas?

Thanks in advance,
Kenny
Re: Issues creating Certificate Authority
On Nov 22, 2004, at 1:41 PM, Dr. Stephen Henson wrote:

> On Mon, Nov 22, 2004, Dan O'Brien wrote:
>
> > Searched for openssl.cnf and it is on the system:
> >
> >     [EMAIL PROTECTED]:/etc/ssl# locate openssl.cnf
> >     /usr/lib/ssl/openssl.cnf
> >
> > Is this a clue to the problem?
>
> Might be :-) Depends what's in that file. Does it contain a line with:
>
>     [distinguished_name]
>
> on it? Does it have world read permissions? What happens if you include the command line switch:
>
>     -config /usr/lib/ssl/openssl.cnf
>
> to the req command that was failing before?

Progress! It appears that although locate indicated the presence of the openssl.cnf file... (as in:

    [EMAIL PROTECTED]:~$ locate openssl.cnf
    /usr/lib/ssl/openssl.cnf

) ...when I vi'd it as root, the file was blank, and vi indicated that it was making a new file.

Adding the -config /usr/lib/ssl/openssl.cnf switch yielded this:

    [EMAIL PROTECTED]:~# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 7000 -config /usr/lib/ssl/openssl.cnf
    Using configuration from /usr/lib/ssl/openssl.cnf
    error on line 1074095624 of /usr/lib/ssl/openssl.cnf
    1708:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('/usr/lib/ssl/openssl.cnf','rb')
    1708:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:106:
    1708:error:0E064002:configuration file routines:CONF_load:system lib:conf_lib.c:91:

Changing directories and listing showed this:

    [EMAIL PROTECTED]:/usr/lib/ssl# ls
    certs  lib  misc  openssl.cnf  private

...wherein openssl.cnf was displayed in red text set against a black selection rectangle -- what does this indicate? In any case, all signs pointed to a malfunctioning file, so I rm'd it. You previously suggested that I unpack one from another installation. Unless you have a better idea, I believe the next move will be to try to install 0.9.7e.

- Dan O'Brien
Re: Reverse engineering program protocol under ssl
MacDermid, Kenny wrote:

> I'm looking to locally reverse engineer a network protocol that's encrypted using ssl. The program runs under windows and is using ssl dll's. I'm currently trying to work out the easiest solution, and am looking for suggestions.
>
> I'm considering either trying to wrap the dll's to read data passed to/from ssl_read/ssl_write, or recompiling the dll's to print the key after the key exchange. Can anyone think of a better way to do this? I can't be the first person looking for this, but I looked through the archive, and online, to no avail. Any ideas?

Another method would be to use a man-in-the-middle attack on a third machine, but that machine would need access to the private key of the certificate to be used.

Somewhere around I have a generic man-in-the-middle Unix program that I wrote to try to debug some early IMAP problems on the Handspring Visor, but it doesn't have any SSL.

--
An Internet-connected Windows machine is tantamount to
a toddler carrying a baggie of $100 bills down a city street...
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
Re: Issues creating Certificate Authority
It's possible from what you describe that it was a hanging alias, that is, a symbolic link pointing to a file that does not actually exist. This looks like a file initially but gets a "file does not exist" when you try to actually use it...

Dan O'Brien wrote:

> On Nov 22, 2004, at 1:41 PM, Dr. Stephen Henson wrote:
>
> > On Mon, Nov 22, 2004, Dan O'Brien wrote:
> >
> > > Searched for openssl.cnf and it is on the system:
> > >
> > >     [EMAIL PROTECTED]:/etc/ssl# locate openssl.cnf
> > >     /usr/lib/ssl/openssl.cnf
> > >
> > > Is this a clue to the problem?
> >
> > Might be :-) Depends what's in that file. Does it contain a line with:
> >
> >     [distinguished_name]
> >
> > on it? Does it have world read permissions? What happens if you include the command line switch:
> >
> >     -config /usr/lib/ssl/openssl.cnf
> >
> > to the req command that was failing before?
>
> Progress! It appears that although locate indicated the presence of the openssl.cnf file... (as in:
>
>     [EMAIL PROTECTED]:~$ locate openssl.cnf
>     /usr/lib/ssl/openssl.cnf
>
> ) ...when I vi'd it as root, the file was blank, and vi indicated that it was making a new file.
>
> Adding the -config /usr/lib/ssl/openssl.cnf switch yielded this:
>
>     [EMAIL PROTECTED]:~# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 7000 -config /usr/lib/ssl/openssl.cnf
>     Using configuration from /usr/lib/ssl/openssl.cnf
>     error on line 1074095624 of /usr/lib/ssl/openssl.cnf
>     1708:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('/usr/lib/ssl/openssl.cnf','rb')
>     1708:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:106:
>     1708:error:0E064002:configuration file routines:CONF_load:system lib:conf_lib.c:91:
>
> Changing directories and listing showed this:
>
>     [EMAIL PROTECTED]:/usr/lib/ssl# ls
>     certs  lib  misc  openssl.cnf  private
>
> ...wherein openssl.cnf was displayed in red text set against a black selection rectangle -- what does this indicate? In any case, all signs pointed to a malfunctioning file, so I rm'd it. You previously suggested that I unpack one from another installation. Unless you have a better idea, I believe the next move will be to try to install 0.9.7e.
>
> - Dan O'Brien
Re: HMAC-128
On Wed, 24 Nov 2004 02:34 am, Elie Lalo wrote:

> I know that OpenSSL has the following HMAC(EVP_sha1(), ...) which supports 160 bits. But does OpenSSL support HMAC-128 as well? If yes, could you please tell me where/how I can get information about it.

You should be able to use whatever MAC algorithm is required. I don't know what MAC HMAC-128 is though, because your question doesn't have enough context. Perhaps MD5, less likely RIPEMD. So you would just use EVP_md5() instead of EVP_sha1() in the init call:

    HMAC_Init_ex(c, key_data, key_size, EVP_md5(), 0);

HTH
Brad
ENGINE and crypto function access
Hi,

I tried searching through the archives of this mailing list, but the search function didn't work, so pardon me if this has been asked many times before.

I'm trying to do a bunch of stuff (encrypting with DES, RSA, getting random data) and I'd like it to be as painless as possible. I assumed that this was what the ENGINE functions were for but the man pages and documentation for that are really lousy. It seems like it was created solely for openssl and as an afterthought was made with the intention that someday it could be used by someone else. I've tried looking through the openssl source to find out how to call these things, but it's a maze of function pointers and I'm just getting really down and frustrated.

So what's the easiest way to access basic cryptographic functions and PRNGs from a stand alone C program? What headers should I include? What should I link against? I'd like things like:

    encrypt(SOME_CIPHER_TYPE, char * data, int size_of_data)

and

    get_random(char * output, int random_bytes)

I don't particularly want to have to call tons of init_opaque_structure(x) and the like just to get functions like the ones above, but I will if I have to. And are there any good HOW-TOs for this kind of stuff?

- Peter
Re: ENGINE and crypto function access
Peter wrote:

> ...
> I'm trying to do a bunch of stuff (encrypting with DES, RSA, getting random data) and I'd like it to be as painless as possible. I assumed that this was what the ENGINE functions were for but the man pages and documentation for that are really lousy.

Do you want to use some hardware module or an alternative software implementation of an existing algorithm, or why do you want to use the ENGINE?

> It seems like it was created solely for openssl and as an afterthought was made with the intention that someday it could be used by someone else. I've tried looking through the openssl source to find out how to call these things, but it's a maze of function pointers and I'm just getting really down and frustrated.
>
> So what's the easiest way to access basic cryptographic functions and PRNGs from a stand alone C program? What headers should I include? What should I link against? I'd like things like:
>
>     encrypt(SOME_CIPHER_TYPE, char * data, int size_of_data)

see `man EVP_EncryptInit` [1]

> and
>
>     get_random(char * output, int random_bytes)

see `man RAND_bytes`

Cheers,
Nils

[1] in case you use an OS without manpages, see: http://www.openssl.org/docs/
Re: Problems with SSL_read() - SSL_ERROR_SYSCALL / EOF
On 11/22/04 02:20 PM, Louis LeBlanc sat at the `puter and typed:

> Hey everyone. Been a long time since I've been able to spend much time on SSL code, but here I am again.
>
> My app is a client side HTTP/HTTPS application, and the problem that recently showed up (more likely it was just recently noticed) is a problem of sorts with SSL_read(). But only with some servers. Connections to other servers work just fine.
>
> Here's a snippet of the code giving problems:
>
>     n = SSL_read(c->data, c->buf + c->bufend, len);
>     if (n <= 0)
>     {
>         int sslerr;
>         int err = errno;   /* save before any other call can clobber it */
>         /* SSL_get_error() must run before any other OpenSSL call: it inspects
>          * the error queue that ERR_get_error() below drains. */
>         errcode = SSL_get_error(c->data, n);
>         sslerr = ERR_get_error();
>         if (err)
>             eptr = strerror(err);
>         if (sslerr)
>         {
>             ERR_error_string(sslerr, errbuf);
>             errptr = errbuf;
>         }
>
>         switch (errcode)
>         {
>         case SSL_ERROR_SYSCALL: /* Some kind of I/O error */
>             if (DebugSSL)
>             {
>                 if (sslerr) /* SSL IO error? */
>                 {
>                     /* SSL_13013:I:Problem in SSL_read():%s: %s:%d */
>                     if (errptr && *errptr)
>                         ERROR(errmsgs[SSL_13013], errptr, __FILE__, __LINE__);
>                     else
>                         ERROR(errmsgs[SSL_13013], "SSL_ERROR_SYSCALL", __FILE__, __LINE__);
>                 }
>                 else if (eptr && *eptr) /* Some system error - check errno */
>                     ERROR(errmsgs[SSL_13013], eptr, __FILE__, __LINE__);
>                 else if (n == 0)
>                     ERROR(errmsgs[SSL_13013], "SSL_ERROR_SYSCALL/EOF", __FILE__, __LINE__); // XXX
>                 else
>                     ERROR(errmsgs[SSL_13013], "SSL_ERROR_SYSCALL/SOCKET", __FILE__, __LINE__);
>             }
>             sslsock_shutdown(c);
>             return -1;
>             break;
>
>         . . . // leaving out unrelated error handling
>         }
>     }
>
> The error being logged is SSL_ERROR_SYSCALL/EOF - the section marked with XXX. Far as I can tell, this really shouldn't happen. There appear to be no problems in the SSL_connect phase. This code snippet is from the first read after the connection is established - the first attempt to read the headers.
>
> My first assumption was that I must have mishandled the error condition somehow. I reread the manpages for SSL_read() and SSL_get_error(), and unless I'm interpreting these pages incorrectly, I have it right in the code above.
>
> Also, I should note that regular browsers have no problem connecting to the server, and my client app has no trouble connecting to other secure servers. The problem has been occurring with my app linked to OpenSSL 0.9.7a, but is easily reproduced with 0.9.7e.
>
> Here's the server string returned by the origin:
>
>     Server: IBM_HTTP_SERVER/1.3.19 Apache/1.3.20 (Unix)
>
> Anyone have any ideas how best to debug this?

I guess there are no ideas out there. Not surprised. I've gone through the online docs, the Rescorla book, and the O'Reilly book. No idea, no mention of SSL_ERROR_SYSCALL, nothing. Nada.

I guess my last option is to parse the code. Still not sure that'll tell me anything.

Once again, any and all relevant suggestions and ideas are welcome.

Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

QOTD:
  Money isn't everything, but at least it keeps the kids in touch.
IBMs ikeyman and openssl
Hi,

I have the following problem:

Server: AIX 5.2
Web-Server: IBM HTTP Server (apache2), mod_ibm_ssl

I created a key and certification request with openssl - key.pem and req.pem. The req.pem was sent to the CA. The CA sent back the signed certificate.

The IBM HTTP Server needs a different format of the SSL certificate, a key.kdb. This can be created within ikeyman. My problem is, the certification request was created with openssl and I can't import the request and the key.pem into ikeyman.

Please help

Regards
Jens
Invalid method in request
Hello All,

I am new to OpenSSL and I am having trouble getting my server secured. I've been trying to get this working on my own for a few days now but now I need some help. I am running FreeBSD 4.1, Apache 1.3.29, OpenSSL 0.9.7d. After I installed the certificates Apache starts up fine, but when I actually try https in IE I get a 404 error and in my /var/log/httpd-error.log I get an error from OpenSSL:

    Invalid method in request

I'd appreciate the help.

Thanks,
Kyle Young
Re: Problems with SSL_read() - SSL_ERROR_SYSCALL / EOF
On Tue, Nov 23, 2004, Louis LeBlanc wrote:

> On 11/22/04 02:20 PM, Louis LeBlanc sat at the `puter and typed:
>
> > Hey everyone. Been a long time since I've been able to spend much time on SSL code, but here I am again.
> >
> > My app is a client side HTTP/HTTPS application, and the problem that recently showed up (more likely it was just recently noticed) is a problem of sorts with SSL_read(). But only with some servers. Connections to other servers work just fine.
> >
> > Here's a snippet of the code giving problems:
> >
> >     n = SSL_read(c->data, c->buf + c->bufend, len);
> >     if (n <= 0)
> >     {
> >         int sslerr;
> >         int err = errno;   /* save before any other call can clobber it */
> >         /* SSL_get_error() must run before any other OpenSSL call: it inspects
> >          * the error queue that ERR_get_error() below drains. */
> >         errcode = SSL_get_error(c->data, n);
> >         sslerr = ERR_get_error();
> >         if (err)
> >             eptr = strerror(err);
> >         if (sslerr)
> >         {
> >             ERR_error_string(sslerr, errbuf);
> >             errptr = errbuf;
> >         }
> >
> >         switch (errcode)
> >         {
> >         case SSL_ERROR_SYSCALL: /* Some kind of I/O error */
> >             if (DebugSSL)
> >             {
> >                 if (sslerr) /* SSL IO error? */
> >                 {
> >                     /* SSL_13013:I:Problem in SSL_read():%s: %s:%d */
> >                     if (errptr && *errptr)
> >                         ERROR(errmsgs[SSL_13013], errptr, __FILE__, __LINE__);
> >                     else
> >                         ERROR(errmsgs[SSL_13013], "SSL_ERROR_SYSCALL", __FILE__, __LINE__);
> >                 }
> >                 else if (eptr && *eptr) /* Some system error - check errno */
> >                     ERROR(errmsgs[SSL_13013], eptr, __FILE__, __LINE__);
> >                 else if (n == 0)
> >                     ERROR(errmsgs[SSL_13013], "SSL_ERROR_SYSCALL/EOF", __FILE__, __LINE__); // XXX
> >                 else
> >                     ERROR(errmsgs[SSL_13013], "SSL_ERROR_SYSCALL/SOCKET", __FILE__, __LINE__);
> >             }
> >             sslsock_shutdown(c);
> >             return -1;
> >             break;
> >
> >         . . . // leaving out unrelated error handling
> >         }
> >     }
> >
> > The error being logged is SSL_ERROR_SYSCALL/EOF - the section marked with XXX. Far as I can tell, this really shouldn't happen. There appear to be no problems in the SSL_connect phase. This code snippet is from the first read after the connection is established - the first attempt to read the headers.
> >
> > My first assumption was that I must have mishandled the error condition somehow. I reread the manpages for SSL_read() and SSL_get_error(), and unless I'm interpreting these pages incorrectly, I have it right in the code above.
> >
> > Also, I should note that regular browsers have no problem connecting to the server, and my client app has no trouble connecting to other secure servers. The problem has been occurring with my app linked to OpenSSL 0.9.7a, but is easily reproduced with 0.9.7e.
> >
> > Here's the server string returned by the origin:
> >
> >     Server: IBM_HTTP_SERVER/1.3.19 Apache/1.3.20 (Unix)
> >
> > Anyone have any ideas how best to debug this?
>
> I guess there are no ideas out there. Not surprised. I've gone through the online docs, the Rescorla book, and the O'Reilly book. No idea, no mention of SSL_ERROR_SYSCALL, nothing. Nada.
>
> I guess my last option is to parse the code. Still not sure that'll tell me anything.
>
> Once again, any and all relevant suggestions and ideas are welcome.

Does the connection seem otherwise OK and you just get this error after all data has been transferred? It's possible that the system is being impolite and forcibly closing the connection at the socket level.

Steve.
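A pure classifier for SSL_read() results that encodes the SSL_get_error(3) rules together with the case Steve describes, a peer closing the TCP socket without sending close_notify. This is an added example, not Lou's code: the SSL_ERROR_* values are those from <openssl/ssl.h>, repeated under #ifndef so the file builds without the headers, and classify_ssl_read and body_complete are hypothetical names.

```c
#include <errno.h>

#ifndef SSL_ERROR_NONE
#define SSL_ERROR_NONE          0
#define SSL_ERROR_SSL           1
#define SSL_ERROR_WANT_READ     2
#define SSL_ERROR_WANT_WRITE    3
#define SSL_ERROR_SYSCALL       5
#define SSL_ERROR_ZERO_RETURN   6
#endif

enum read_outcome {
    READ_DATA,            /* n > 0: application bytes delivered */
    READ_RETRY,           /* non-blocking socket or EINTR: call SSL_read() again */
    READ_CLOSE_NOTIFY,    /* peer sent close_notify: clean end of stream */
    READ_UNEXPECTED_EOF,  /* TCP FIN/RST with no close_notify: the XXX case in the thread */
    READ_SOCKET_ERROR,    /* OS-level failure; errno says what */
    READ_PROTOCOL_ERROR   /* TLS-level failure; drain ERR_get_error() for details */
};

/* n: SSL_read() return value.  err: SSL_get_error(ssl, n), taken before any
 * other OpenSSL call.  saved_errno: errno captured right after SSL_read().
 * queue_has_error: ERR_peek_error() != 0 at the time of classification. */
enum read_outcome classify_ssl_read(int n, int err, int saved_errno, int queue_has_error)
{
    if (n > 0)
        return READ_DATA;
    switch (err) {
    case SSL_ERROR_ZERO_RETURN:
        return READ_CLOSE_NOTIFY;
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:
        return READ_RETRY;
    case SSL_ERROR_SYSCALL:
        if (queue_has_error)        /* the library logged something: a TLS failure */
            return READ_PROTOCOL_ERROR;
        if (n == 0)                 /* manpage: "an EOF was observed that violates the protocol" */
            return READ_UNEXPECTED_EOF;
        if (saved_errno == EINTR)   /* interrupted system call, nothing wrong with the link */
            return READ_RETRY;
        return READ_SOCKET_ERROR;
    case SSL_ERROR_SSL:
    default:
        return READ_PROTOCOL_ERROR;
    }
}

/* An unexpected EOF must never be taken as "response complete": without
 * close_notify, an attacker who drops the connection can truncate what the
 * client accepts.  Only an application-level length (content_length >= 0)
 * can vouch for the body in that case; -1 means no length was announced. */
int body_complete(enum read_outcome outcome, long bytes_seen, long content_length)
{
    if (outcome == READ_CLOSE_NOTIFY)
        return content_length < 0 || bytes_seen == content_length;
    if (outcome == READ_UNEXPECTED_EOF)
        return content_length >= 0 && bytes_seen == content_length;
    return 0;
}
```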
openssl's nextUpdate
I want to know how to make the nextUpdate in openssl. Is there any principle it should follow?
Re: cacert.pem selfsigned certificate problem
On Tuesday 23 November 2004 16:57, Dr. Stephen Henson wrote:

> On Tue, Nov 23, 2004, Florin Angelescu wrote:
>
> > Hello
> >
> > I am trying to set up an SSL access to LDAP following http://www.openldap.org/faq/data/cache/185.html. I created my CA and signed the certificates for the server and client but I still get a 'self signed error'. I checked and I saw that it was because of cacert.pem which is self-signed.
> >
> > Question: how to solve this??? (Do I have to sign the CA certificate by another CA? And how?)
> >
> > Thank you very much
>
> Firstly I'd suggest you use CA.pl instead of CA.sh which is older.
>
> What is giving you the error? If it's a client then you'd need to include a command line switch or configuration option telling it to include 'cacert.pem' in its trusted list of CAs.
>
> Steve.

Thank you for answering.

The error is given by ldapsearch (and ldap.conf, slapd.conf are well configured). The error is also reported by openssl:

    self signed certificate in certification chain (the CA certificate)