WG: [Openca-Users] After 100000 certificate issued...
I found this in the OpenCA-Users mailinglist. Any ideas or suggestions? Regards Thomas -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Diego de Felice Gesendet: Montag, 18. September 2006 23:32 An: Ideas, tips and discussions about OpenCA installation and management. Betreff: [Openca-Users] After 10 certificate issued... I've tested OpenCA (an old version to be honest) by issuing more than 10 certificates. The response times of course are a bit degraded. I can say that the global functionality of OpenCA are not so much influenced (only some pages regardings searches, but I think they can be simply fixed). The most terrible issue however is OpenSSL and its index.txt! With 10 and more certificates the index.txt file is about 19 megabytes and for every certificate you must wait a lot of seconds and this is more and more notable when this number grows. I know this is not to OpenCA related, but someone knows if there is a project to enhance index.txt in a more performing solution ? Is the nextgen OpenCA less dependent from the command line openssl ? Thanks in advance. -- Diego de Felice -- --- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.phpp=sourceforge CID=DEVDEV ___ Openca-Users mailing list Openca-Users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openca-users __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: WG: [Openca-Users] After 100000 certificate issued...
[EMAIL PROTECTED] wrote: I found this in the OpenCA-Users mailinglist. Any ideas or suggestions? use the 'openssl ca' command with an empty index.txt file for each new certificate. and then manages the files differently, i.e. copy the content into a database. Or don't use the ca at all and use x509 and for revocation, just create an index.txt with the revoked certs. -- To verify the signature, see http://edelpki.edelweb.fr/ Cela vous permet de charger le certificat de l'autorité; die Liste mit zurückgerufenen Zertifikaten finden Sie da auch. smime.p7s Description: S/MIME Cryptographic Signature
Get Information about SSL Handshake
Hello Everybody! I got my server and client running. I want to do some testing and need some information about the ssl handshake... whitch mechanism is used and if diffie-hellman is used what size of the primary secret is used? I was able to get information about the cipher with SSL_get_cipher_version() and SSL_get_cipher_name() for a established connection but I couldn't figure out to get the information about the handshake. Thanks a lot for any suggestions! Hubert
RE: How do I remove padding during AES encryption/ decryption
Hello, Thanks for the reply. I have my sample test case like this. #define KEYSIZE 256 #define AES_BLOCK_SIZE 32 AES block size for this implementation is 16 bytes (of course AES standard talks about block size 24 and 32 bytes - Nb variable - but this implementation use only 16 byte AES block) void test_main() { char key[KEYSIZE+1]; int I,keylen; char data[AES_BLOCK_SIZE] ; char cbuf[AES_BLOCK_SIZE]; char pbuf[AES_BLOCK_SIZE]; strcpy(key,2ea24d27bc6e40e70b0a2ab08b0831675cf1274834f98a58709edeeb56af f547); strcpy(data,000 0); I guess that this strings should be converted from hex form to binary for using (something like 0x41 = 'A') keylen = strlen(key); { AES_KEY ctx; unsigned char iv[AES_BLOCK_SIZE]; memset(cbuf, 0,AES_BLOCK_SIZE); AES_set_encrypt_key(key, KEYSIZE, ctx); AES_cbc_encrypt(data, cbuf, AES_BLOCK_SIZE, ctx, iv, AES_ENCRYPT); iv is not initialized here and you should check return code of AES_set_encrypt_key() - this function accept key length of 128,192,256. Here this works good but checking error code is good practise. for (i =0 ; i sizeof(data) ; i++) printf(%d...input = %d \n,data[i],i); printf(\n); for (i =0 ; i sizeof(cbuf); i++) printf(%d...encoded data =%d \n,cbuf[i],i); printf(\n); } { AES_KEY ctx; int len,pad,flag =0; unsigned char iv[AES_BLOCK_SIZE]; memset(pbuf, 0,AES_BLOCK_SIZE); memset(iv, 0, AES_BLOCK_SIZE); iv should have the same value as in encrypting. AES_set_decrypt_key(key, KEYSIZE, ctx); check error code AES_cbc_encrypt(cbuf,pbuf, AES_BLOCK_SIZE, ctx, iv, AES_DECRYPT); } } Please can any tell me what could be the problem with this code? There are many problems with using AES_cbc*(). If we are talking of padding - this functions do not support normal padding - i suggest add proper padding on encryption yourself and remove padding after decryption. This functions should take properly padded data rounded to 16 bytes. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Get Information about SSL Handshake
Hello, Hello Everybody! I got my server and client running. I want to do some testing and need some information about the ssl handshake... whitch mechanism is used and if diffie-hellman is used what size of the primary secret is used? I was able to get information about the cipher with SSL_get_cipher_version() and SSL_get_cipher_name() for a established connection but I couldn't figure out to get the information about the handshake. Peer RSA/DSA parameters used in handshake may be printed for example with code: EVP_PKEY *pkey; X509 *cert; cert = SSL_get_peer_certificate(ssl); if ((cert != NULL) ((pkey = X509_get_pubkey(cert)) != NULL)) { if (pkey-type == EVP_PKEY_RSA pkey-pkey.rsa != NULL pkey-pkey.rsa-n != NULL) { printf(RSA-%d\n, BN_num_bits(pkey-pkey.rsa-n)); } if (pkey-type == EVP_PKEY_DSA pkey-pkey.dsa != NULL pkey-pkey.dsa-p != NULL) { printf(DSA-%d\n, BN_num_bits(pkey-pkey.dsa-p)); } } if (cert != NULL) { X509_free(cert); } Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Runtime link problems on HP-UX
Hi all, Im writing an XML-RPC client call under a Tuxedo app on HP-UX 11 and having run-time troubles due to an Oracle .so being picked up instead of OpenSSL libraries. My app statically links in the XML-RPC library, libcurl, libssl and libcrypto, but at run-time it seg-faults with the following trace: #0 0xc2433570:0 in BN_div+0x120 () from /u01/app/oracle/OraHome_1/lib/libnnz10.so #1 0x409f1e70:0 in BN_nnmod+0x30 () #2 0x409f7de0:0 in S_BN_mod_inverse+0x300 () #3 0x409ff2b0:0 in BN_MONT_CTX_set_locked+0x3d0 () #4 0x40a19740:0 in RSA_eay_public_decrypt+0x440 () #5 0x4088a6f0:0 in RSA_public_decrypt+0x70 () #6 0x4088bfd0:0 in RSA_verify+0x130 () #7 0x408d1380:0 in EVP_VerifyFinal+0x200 () #8 0x40a45bb0:0 in ASN1_item_verify+0x190 () #9 0x409479f0:0 in X509_verify+0x50 () #10 0x40936f90:0 in internal_verify+0xab0 () #11 0x409338e0:0 in X509_verify_cert+0xbd0 () #12 0x40838a20:0 in ssl_verify_cert_chain+0x230 () #13 0x40809460:0 in ssl3_connect+0x4ed0 () #14 0x408301a0:0 in SSL_connect+0x90 () #15 0x40824ab0:0 in ssl23_connect+0x1440 () #16 0x408301a0:0 in SSL_connect+0x90 () #17 0x407acbf0:0 in Curl_ossl_connect_step2 (conn=0x6070cf40, sockindex=0, timeout_ms=0x9fffcf10) at ssluse.c:1391 Actually the error was originally in BN_set_word but I renamed that, and then in BN_mod_inverse and I renamed that (to S_BN_mod_inverse as you can see above) The BN_ functions are being picked up from Oracles libnnz10.so instead of libcrypto.a which Ive statically linked in. At link time, $ORAHOME/lib is included with a L flag, and it is required. Ive tried changing the order of libraries on the command line, and also tried -a,archive_shared flags on the linker to give static libs a higher preference than shared. Ive also tried temporarily removing $ORAHOME/lib from my SHLIB_PATH and LD_LIBRARY_PATH environment variables. However, nothing I do seems to get around this problem. Does anybody have an idea how I can link my app correctly to avoid this problem? Does Oracle use openSSL internally (and hence the conflict)? Has anybody had troubles with this before? If I cant fix the linking, should I perform some preprocessor trickery to put the OpenSSL bn.h functions in some namespace, or would the Oracle/OpenSSL overlap be so great that this will be too hard and encompass more than just the functions in bn.h? Any help or hints would be much appreciated, cheers, Daniel Young Senior Software Engineer Level 13, 175 Eagle Street BrisbaneQLD 4000 T. +61 7 3406 1939 F. +61 7 3406 1999 www.synyati.com.au This email message and information contained in or attached to this message may be privileged, confidential, and protected from disclosure and is intended only for the person or entity to which it is addressed. Any review, retransmission, dissemination, printing or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this message in error, please immediately inform the sender by reply e-mail and delete the message and any attachments.
Re: Get Information about SSL Handshake
Thank you very much this works fine but how do I get the information if diffie hellman (DH) is used to negotiate the key? I wanted to compare the differnce in cpu consumption and time delay if session reuse is used or not! (Keyexchange with Diffie Hellman) Therefore I set: SSL_CTX_set_session_cache_mode( ctx, SSL_SESS_CACHE_OFF ); If I connect to the server there is a delay fore about 20 seconds but the server doesn't consume any cpu in this time, just the client... Shouldn't the server waste some CPU while computing his key? Do you the approximate delay if session reuse is not used? Furthermore, it would be great to display the DH secret length somehow? Thanks a lot for any suggestions! Best Regards Hubert -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Marek Marcola Gesendet: Dienstag, 19. September 2006 22:00 An: openssl-users@openssl.org Betreff: Re: Get Information about SSL Handshake Hello, Hello Everybody! I got my server and client running. I want to do some testing and need some information about the ssl handshake... whitch mechanism is used and if diffie-hellman is used what size of the primary secret is used? I was able to get information about the cipher with SSL_get_cipher_version() and SSL_get_cipher_name() for a established connection but I couldn't figure out to get the information about the handshake. Peer RSA/DSA parameters used in handshake may be printed for example with code: EVP_PKEY *pkey; X509 *cert; cert = SSL_get_peer_certificate(ssl); if ((cert != NULL) ((pkey = X509_get_pubkey(cert)) != NULL)) { if (pkey-type == EVP_PKEY_RSA pkey-pkey.rsa != NULL pkey-pkey.rsa-n != NULL) { printf(RSA-%d\n, BN_num_bits(pkey-pkey.rsa-n)); } if (pkey-type == EVP_PKEY_DSA pkey-pkey.dsa != NULL pkey-pkey.dsa-p != NULL) { printf(DSA-%d\n, BN_num_bits(pkey-pkey.dsa-p)); } } if (cert != NULL) { X509_free(cert); } Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
subjectinfoaccess?
hi, I want to use SIA(subjectinfoaccess) to get the url of caRepository. but i can't find the accessmethod. it should be nid_ad_caRepository defined in rfc3280. does openssl support it? laura [EMAIL PROTECTED] 2006-09-20 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
BN_bin2bn() gets coredump in 0.9.7k
Hi, I have compiled 64-bit OpenSSL 0.9.7k on HP-UX 11.23 PA architecture withoptimization level +O3 (default). When i test BN_bin2bn() function in cryto library with the following test program, it gets coredump. Here is my test program.=#include stdio.h#include openssl/rsa.h int main() { RSA *public; unsigned int bits, len; char *buf, *uu; unsigned char *blob; public = RSA_generate_key(1024, 35, NULL, NULL); bits = BN_num_bits(public-n); printf("%u", bits); buf = BN_bn2dec(public-e); printf(" %s", buf); OPENSSL_free(buf); buf = BN_bn2dec(public-n); printf(" %s", buf); OPENSSL_free(buf); return 0;}= But the problem does not occur with +O1 optimization level compilation. Also when the same test program is linked with OpenSSL 0.9.8c 64bit library compiled with +O3 optimization level, it executes successfully. The reason would be CVS check-in 12579 and 13128, which are only appliedin 0.9.8 series. Why these changes are not applied to 0.9.7 trunk ??? Can any body know about this issue..? Thanks -Siva.