RE: Duplicate serial number

2010-09-23 Thread Dave Thompson
>   From: owner-openssl-us...@openssl.org On Behalf Of Pascal Delaunay
>   Sent: Thursday, 23 September, 2010 12:00

>   The "database" file (an option in your openssl.conf) handles that
perfectly.  

If you use 'ca'; or as Patrick Patterson said, the scripts which do so.
Not 'x509 -req [-CAserial file]'; that stores only the (last-used) number.

>   2010/9/22 Andy GOKTAS 

>   So using the "-CAserial serial.srl" might be a good idea to avoid
this.

>   Now this leads me to the next question:
>   -  Besides manually documenting a cross-reference for each
certificate 
> that I sign to a serial number, is there any way to have this scripted 
> and for an appending log to the serial.srl file that's updated each time 
> it's used?  In short, a list of cert name (=CN perhaps) and serial number 
> associated with it.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: where is the memory being held

2010-09-23 Thread David Schwartz

On 9/23/2010 11:42 AM, zhu qun-ying wrote:

Hi,

I have an SSL apllication, that it suppose to run for a long time. After some 
time of running, I found the usage of the memory is growing.  I stop all SSL 
connections and checked all SSL * has been freed  but it could not release the 
memory back to the system.

After some investigation, I found there is no memory leak, but seems lot of 
memory are unable to release back to system.  mtrace found out there are quite 
a lot of fragmented memory being held by the SSL library.  I would like to know 
what could I do to reduce the memory held by SSL library after all connections 
have been dropped?

I am handling the SSL session through share memory myself and that part of the 
memory is allocated from the start.

mallinfo() reports after some test and no connection for a while:

system bytes = 28271952
in use bytes =  1809184
non-inuse bytes  = 26462768
non-inuse chunks =   81
mmap regions =4
mmap bytes   =  1773568
Total (incl. mmap):
system bytes = 30045520
in use bytes =  3582752
releasable bytes =   462496

--
qun-ying


This all seems normal. Virtual memory is not normally considered a 
scarce resource and unless the consumption is really absurd, it's not 
worth worrying about.


Unless your virtual memory use grows linearly with constant load, it's 
generally not worth worrying about. If it grows in an exponentially 
decreasing way with constant load or grows linearly with increasing peak 
load, I wouldn't worry about it at all.


DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Creating Extended Validation SSL Certificates

2010-09-23 Thread David Schwartz

On 9/23/2010 7:16 AM, Gumbie wrote:

   Can someone explain what is needed to create and EV (Extended
Validation) Certificate? I have been trying to research this and have
found limited information on this. Only one document that was of any
help -àhttp://www.cabforum.org/EV_Certificate_Guidelines.pdf.

   My issue is with OpenSSL and adding the needed additional OIDs to the
certificate.

Thanks in advance,

Gumbie



Either request them from any CA that offers them or yourself make a CA 
that follows the EV guidelines. The whole point of EV certificates is 
that you cannot create them without going through extended validation. 
By design, there is no way to bypass this requirement.


DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


RE: rsa key format

2010-09-23 Thread Dave Thompson
>   From: owner-openssl-us...@openssl.org On Behalf Of Panikulam Vivek
>   Sent: Thursday, 23 September, 2010 10:53

>   I have generated a private key using the below command and 
> want to extract the public key in a format that is compatible 
> with sites using Java.
 
>   openssl genrsa -out priv_key.txt 1024
 
>   Is there a command in openssl that will extract the public key 
> for this private key in a cert file or xml format that is compatible 
> with Java sites?

For a certificate: you can't 'extract' a cert from a keypair 
because a cert contains much more information than the publickey. 
You can get a cert *containing* your publickey by several methods 
which are nearly equivalent in principle but different in detail:

1. generate a CSR (certificate signing request) with 
  openssl req -new [-config $conf] -key priv_key.txt -out $req
  # uses default config (must exist) if you don't specify one
  # if you have your own config it can also specify the keyfile
send CSR to a CA which issues a cert. Often this costs money.

This cert can be imported to a Java truststore/keystore by standard 
keytool, IF either the CA is in the existing (shipped or customized) 
truststore, or the user decides (is persuaded) to trust it manually. 
For other programs that might read a cert, it depends on the program.

2. set up your own (basic) CA with openssl, generate a CSR as above, 
and use 'openssl ca' to issue a cert for it. This setup is a bit more 
complicated, more than I have time to check and type right now,
but there's undoubtedly lots of webpages, some possibly correct.

3. create just a CA keypair and (selfsigned) CA cert with openssl 
(even more basic), generate a CSR as above, and
  openssl x509 -req -in $req [-CAkey $CAkey] -CA $CAcert -out $cert
{[-CAserial $file] [-CAcreateserial] | -set_serial $hexnum}

These two use a (pseudo)CA you create yourself, so to have its certs 
trusted automatically, you (or your users) must put your DIY CA cert 
in their Java's truststore(s), normally JRE/lib/security/cacerts .

4. create a CSR as above and self-sign it
  openssl x509 -req in $req -signkey priv_key.txt -out $cert 
or simpler 5. generate a self-signed cert directly
  openssl req -new -x509 -key priv_key.txt [-config $conf] -out $cert 

These self-signed certs must always be trusted manually.

There are various extension data-items that can be included 
in a CSR to be copied in the cert at the choice of the CA, 
and/or directly put in the cert by the action of the CA.
In case 2 you are the CA and can do both; in 3 and 4 
you can put extensions in the cert (but AFAIK not copy); 
in 5 you can directly put extensions.

Whether your 'Java site' needs any of these extensions 
depends on what your 'Java site' is. For SSL using default 
SSLSocket's (JSSE) to trust an issuer, IME no extensions 
are needed and a plain v1 cert works fine.

>   Note: I have used below command to extract public key 
> in default PEM format. But the vendor requires the key format 
> to be one which is compatible with Java. 
 
>   openssl rsa -in priv_key.txt -out pub_key.txt -pubout

Java, specifically the default SunRsaSign factory, is 
certainly able to handle X509-style publickeyinfo-RSA 
generated (and used) by openssl, in DER format, which 
you can easily create by adding -outform DER to that 
command (and changing the filename as appropriate).

The mapping to and from PEM is (almost) orthogonal to 
the contents, and could easily be written separately, 
but I have not found exported by standard Java.



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


where is the memory being held

2010-09-23 Thread zhu qun-ying
Hi,

I have an SSL apllication, that it suppose to run for a long time. After some 
time of running, I found the usage of the memory is growing.  I stop all SSL 
connections and checked all SSL * has been freed  but it could not release the 
memory back to the system.

After some investigation, I found there is no memory leak, but seems lot of 
memory are unable to release back to system.  mtrace found out there are quite 
a lot of fragmented memory being held by the SSL library.  I would like to know 
what could I do to reduce the memory held by SSL library after all connections 
have been dropped?

I am handling the SSL session through share memory myself and that part of the 
memory is allocated from the start.

mallinfo() reports after some test and no connection for a while:

system bytes = 28271952
in use bytes =  1809184
non-inuse bytes  = 26462768
non-inuse chunks =   81
mmap regions =4
mmap bytes   =  1773568
Total (incl. mmap):
system bytes = 30045520
in use bytes =  3582752
releasable bytes =   462496

--
qun-ying


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


is there way to set default ciphers in openssl system wide?

2010-09-23 Thread Eero Volotinen
Hi List,

Is there way to set openssl default ciphers ("“DEFAULT”), that all
openssl enabled programs use by default?
Without recompiling the openssl?

br,

--
Eero
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Duplicate serial number

2010-09-23 Thread Pascal Delaunay
Hi,

The "database" file (an option in your openssl.conf) handles that
perfectly.

Cheers

Pascal




2010/9/22 Andy GOKTAS 

> So using the "-CAserial serial.srl" might be a good idea to avoid this.
>
> Now this leads me to the next question:
> -  Besides manually documenting a cross-reference for each certificate that
> I sign to a serial number, is there any way to have this scripted and for an
> appending log to the serial.srl file that's updated each time it's used?  In
> short, a list of cert name (=CN perhaps) and serial number associated with
> it.
>
> ??
>
> Thanks,
> Andy Goktas
>
> >>>  9/19/2010 1:53 PM >>>
> If you generate multiple certs with the same serial number, Firefox (and
> anything built with NSS) will absolutely refuse to have anything to do with
> those sites.  There's no "click 3 times to get access", it's a simple
> refusal to talk with a non-standards-compliant server.  (Of course, this
> puts the owner of the site in a lurch, because he doesn't run the CA in the
> vast majority of circumstances.)
>
> Other TLS clients and browsers likely will do the same.  I haven't checked
> though.
>
> -Kyle H
>
> On Wed, Sep 15, 2010 at 1:34 PM, Andy GOKTAS 
> wrote:
> > Hello,
> >
> > Just curious if anyone knows, but what happens if I generate multiple
> server certs (using my self generated signing CA using openssl) that have
> the same assigned serial number?
> >
> > Does this create a conflict within the network and if users's end up
> accessing both certs, kabm?
> >
> > Is it merely a method of basic tracking on how many certificates a CA
> signs?
> >
> > Thanks,
> > Andy Goktas
> > __
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing Listopenssl-users@openssl.org
> > Automated List Manager   majord...@openssl.org
> >
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>


Re: Creating Extended Validation SSL Certificates

2010-09-23 Thread Patrick Patterson
Hey there:

Well, the first thing to do to be able to issue EV certs and have them 
recognised by the various browsers is to build a CA and issuance regime that 
will pass an audit according to the rules from the CABrowser folks, do a proper 
key ceremony, and then have that audit.

And then, wait until your Root CA Cert and EV OIDs are accepted and shipped in 
a Browser update by the various Browser vendors.

Just adding some OIDs to the server certificate is not enough. 

Have fun.

On 2010-09-23, at 10:16 AM, Gumbie wrote:

>   Can someone explain what is needed to create and EV (Extended Validation) 
> Certificate? I have been trying to research this and have found limited 
> information on this. Only one document that was of any help 
> -àhttp://www.cabforum.org/EV_Certificate_Guidelines.pdf.
>  
>   My issue is with OpenSSL and adding the needed additional OIDs to the 
> certificate.
>  
> Thanks in advance,
> Gumbie

---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559





__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Duplicate serial number

2010-09-23 Thread Patrick Patterson
Hi Andy:

If you use the OpenSSL CA scripts as shipped and documented both in the OpenSSL 
document, the book, or numerous places on the web, they already use "index.txt" 
as a list of all issued certificates. So no extra work is needed.

Have fun.

Patrick.

On 2010-09-22, at 4:52 PM, Andy GOKTAS wrote:

> So using the "-CAserial serial.srl" might be a good idea to avoid this.  
> 
> Now this leads me to the next question:  
> -  Besides manually documenting a cross-reference for each certificate that I 
> sign to a serial number, is there any way to have this scripted and for an 
> appending log to the serial.srl file that's updated each time it's used?  In 
> short, a list of cert name (=CN perhaps) and serial number associated with 
> it.  
> 
> ??
> 
> Thanks,
> Andy Goktas
> 
  9/19/2010 1:53 PM >>>
> If you generate multiple certs with the same serial number, Firefox (and 
> anything built with NSS) will absolutely refuse to have anything to do with 
> those sites.  There's no "click 3 times to get access", it's a simple refusal 
> to talk with a non-standards-compliant server.  (Of course, this puts the 
> owner of the site in a lurch, because he doesn't run the CA in the vast 
> majority of circumstances.)
> 
> Other TLS clients and browsers likely will do the same.  I haven't checked 
> though.
> 
> -Kyle H
> 
> On Wed, Sep 15, 2010 at 1:34 PM, Andy GOKTAS  wrote:
>> Hello,
>> 
>> Just curious if anyone knows, but what happens if I generate multiple server 
>> certs (using my self generated signing CA using openssl) that have the same 
>> assigned serial number?
>> 
>> Does this create a conflict within the network and if users's end up 
>> accessing both certs, kabm?
>> 
>> Is it merely a method of basic tracking on how many certificates a CA signs?
>> 
>> Thanks,
>> Andy Goktas
>> __
>> OpenSSL Project http://www.openssl.org 
>> User Support Mailing Listopenssl-users@openssl.org 
>> Automated List Manager   majord...@openssl.org 
>> 
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org

---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559





__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl-users] Creating Extended Validation SSL Certificates

2010-09-23 Thread Erwann ABALEA
Hodie IX Kal. Oct. MMX, Gumbie scripsit:
>  Can someone explain what is needed to create and EV (Extended
>Validation) Certificate? I have been trying to research this and have
>found limited information on this. Only one document that was of any help
>-àhttp://www.cabforum.org/EV_Certificate_Guidelines.pdf.

That's the only necessary document for technical issues.

>  My issue is with OpenSSL and adding the needed additional OIDs to the
>certificate.

Using OpenSSL and adding additional OIDs is not sufficient for a
certificate to be "EV with a green bar". You need your CA to be
integrated in supported browsers as an EV-compliant one, and for this,
you need to be audited, have correct validation procedures, have a
correct facility, etc.

-- 
Erwann ABALEA 
Département R&D
KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tél.: +33 1 55 64 22 07
http://www.keynectis.com
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


regarding binary size in OpenSSL 1.0.0a

2010-09-23 Thread Madhu Gowda
Hi All,

We are using OpenSSL (binaries built as static version) in our application.
We are using the version 0.9.8i and the size of libeay32.lib (built in 32 bit 
windows) is 3.392 MB.
We are thinking of updating to latest version of OpenSSL 1.0.0a.

When we built the binaries for 1.0.0a (static version on 32 bit windows) from 
source code we are getting the size of libeay32.lib as 12.374 MB.

Is there any reason for such a huge difference in size of libeay32.lib ?
Or I am missing something while building the binaries ?

Regards,
Madhu Gowda



  

2nd try : REGD : openssl vulnerability CVE-2010-2939 : double in ssl3_get_key_exchange

2010-09-23 Thread Aparajita Sood (apsood)
Would be great if I can get answers to the below questions
 
thanks
aparajita


From: Aparajita Sood (apsood) 
Sent: Tuesday, September 21, 2010 11:54 AM
To: 'openssl-users@openssl.org'
Subject: REGD : openssl vulnerability CVE-2010-2939 : double in
ssl3_get_key_exchange


Hi OpenSSL Folks,
 
I'm evaluating our product for this vulnerability.
http://www.mail-archive.com/openssl-...@openssl.org/msg28049.html
 
 
I have a few questions :
 
1. The vulnerability says
> "You are right : there is a double free bug in the function 
> *ssl3_get_key_exchange* which leads to crash if an error occurs.
> The bug is in line 1510 of s3_clnt.c where we forget to set the
> variable bn_ctx to NULL after freeing it and this leads to the
> double free error when BN_CTX_free is called a second time on line
> 1650. "
> 

In 0.9.7d and prior I see no reference to bn_ctx or BN_CTX_free
 
QUESTION:  Since I do not see references to bn_ctx or BN_CTX_free in
0.9.7d can I assume that the vulnerability does not exist on that
version?
 
2. The link says " OpenSSL versions 1.0.0a, 0.9.8, 0.9.7,
> and possibly other versions, are affected when Elliptic curve
> Diffie-Hellman (ECDH) is enabled"
> 
QUESTION: Since I don't see BN_CTX_free being used in 0.9.7d and  prior,
do they mean that 7e, f , g have these definitions ?

3. I checked in the opensslconf.h file for #define OPENSSL_NO_ECDH to
check if ECDH is enabled or not 

QUESTION: is this the correct way to find if ecdh is enabled or not?
 
Would be great if I can get a response to these 
 
thanks
aparajita



OpenSSL state and suspend/resume

2010-09-23 Thread Kenneth Goldman
How does one handle a suspend/resume power cycle when using OpenSSL?

Specifically, suppose one is in the middle of a SHA-1 Init/Update/Final 
sequence when the suspend signal occurs?  What happens to SHA_CTX?

I know I can save and restore SHA_CTX by peering into the structure.  I 
also know that OpenSSL won't guarantee that the structure will be fixed 
forever, so my code will be fragile.  Is there a better alternative?



I have a similar question regarding the RNG state, but I think I can 
reseed it after the resume.



I don't see any other functions that keep internal or opaque state.  Are 
there any I should be concerned with?  I use only SHA-1, RSA, AES, lots of 
bignum functions, and the RNG.


Re: Duplicate serial number

2010-09-23 Thread Andy GOKTAS
So using the "-CAserial serial.srl" might be a good idea to avoid this.  

Now this leads me to the next question:  
-  Besides manually documenting a cross-reference for each certificate that I 
sign to a serial number, is there any way to have this scripted and for an 
appending log to the serial.srl file that's updated each time it's used?  In 
short, a list of cert name (=CN perhaps) and serial number associated with it.  

??

Thanks,
Andy Goktas

>>>  9/19/2010 1:53 PM >>>
If you generate multiple certs with the same serial number, Firefox (and 
anything built with NSS) will absolutely refuse to have anything to do with 
those sites.  There's no "click 3 times to get access", it's a simple refusal 
to talk with a non-standards-compliant server.  (Of course, this puts the owner 
of the site in a lurch, because he doesn't run the CA in the vast majority of 
circumstances.)

Other TLS clients and browsers likely will do the same.  I haven't checked 
though.

-Kyle H

On Wed, Sep 15, 2010 at 1:34 PM, Andy GOKTAS  wrote:
> Hello,
>
> Just curious if anyone knows, but what happens if I generate multiple server 
> certs (using my self generated signing CA using openssl) that have the same 
> assigned serial number?
>
> Does this create a conflict within the network and if users's end up 
> accessing both certs, kabm?
>
> Is it merely a method of basic tracking on how many certificates a CA signs?
>
> Thanks,
> Andy Goktas
> __
> OpenSSL Project http://www.openssl.org 
> User Support Mailing Listopenssl-users@openssl.org 
> Automated List Manager   majord...@openssl.org 
>

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Duplicate serial number

2010-09-23 Thread Andy GOKTAS
Great!  Thanks for that information Patrick.  :) 

Thanks,
Andy Goktas

>>> Patrick Patterson  9/17/2010 6:11 AM >>>
Hi Andy:

Well, aside from violating most of the standards around PKI, the main problem 
you will have is revocation - the way you revoke a certificate is to put it's 
serial number on a CRL. So if you have multiple certs with the same serial 
number, if you ever need to revoke one of those certificates, you will end up 
revoking them all.

The reason that the standards are written that way is that the principle is 
that the tuple of the Issuer Name and Serial Number is able to uniquely 
identify any given certificate, which is important for any number of very good, 
trust related reasons.

Have fun!

Patrick.

On 2010-09-15, at 4:34 PM, Andy GOKTAS wrote:

> Hello, 
> 
> Just curious if anyone knows, but what happens if I generate multiple server 
> certs (using my self generated signing CA using openssl) that have the same 
> assigned serial number?  
> 
> Does this create a conflict within the network and if users's end up 
> accessing both certs, kabm?  
> 
> Is it merely a method of basic tracking on how many certificates a CA signs?  
> 
> Thanks,
> Andy Goktas
> __
> OpenSSL Project http://www.openssl.org 
> User Support Mailing Listopenssl-users@openssl.org 
> Automated List Manager   majord...@openssl.org 

---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca 

tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559





__
OpenSSL Project http://www.openssl.org 
User Support Mailing Listopenssl-users@openssl.org 
Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


rsa key format

2010-09-23 Thread Panikulam Vivek
Hi

I have generated a private key using the below command and want to extract the 
public key in a format that is compatible with sites using Java.

openssl genrsa -out priv_key.txt 1024

Is there a command in openssl that will extract the public key for this private 
key in a cert file or xml format that is compatible with Java sites?

Note: I have used below command to extract public key in default PEM format. 
But 
the vendor requires the key format to be one which is compatible with Java. 


openssl rsa -in priv_key.txt -out pub_key.txt -pubout

Regards
Vivek Panikulam


  

Re: Self-signed CA problem for internal web application

2010-09-23 Thread Chris Rider

Thanks for the suggestion, but I've already tried that, more or less
My web server config already has that mime type configured, and the 
client is capable of recognizing the properly served filetype. I've 
tried installing certificates through IE's wizard automatically in such 
a way... as well as manually in it and other browsers (downloading 
certificate and importing).
My primary skills are that of webmaster (using that word should tell how 
long I've been in that game! ), so I am aware of how much the 
browsers vary in doing things... which is why I tried every way of 
installing in every browser I have. I agree with you about the latest 
versions of MSIE and that stupid wizard they now use!


I'm pretty sure it something in my generating keys, rather than client 
issues.



John R Pierce wrote:

 On 09/22/10 11:57 AM, Chris Rider wrote:
We have a client/server architecture based product that needs to 
allow SSL communication between our server (CentOS) and various 
clients' web browsers (and additionally, other devices, but that's 
beyond the scope of this post).


We've been able to get SSL working in both of two different ways 
(self-signed certificate & self-signed CA with certificates signed by 
that) -- so that is not the issue. Rather, our whole issue is that we 
don't want the end-users to confronted with a big scary browser 
message that says something akin to "There's a Problem With Security! 
/ Allow Exception, etc." If they must install a certificate or two, 
that would be acceptable, though. So I thought that creating my own 
CA to sign certificates with would be a solution apparently not. 
I'm now getting browser messages that say the certificate's issuer is 
not trusted!!! Very frustrating.


take your selfsigned CA public certificate, name it something.cer, and 
place it on a web server, making sure the webserver understands that 
.cer is mime type application/x-x509-ca-cert


give your clients the link to that .CER ...  they have to accept it 
and add it to their trusted root certificate storage, the specifics of 
doing this vary by web browser (current versions of MSIE have made 
this harder than it should be)



once that .cer is installed in the browsers trusted root authorities, 
then anything signed by that CA will be accepted.



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Creating Extended Validation SSL Certificates

2010-09-23 Thread Gumbie
  Can someone explain what is needed to create and EV (Extended Validation)
Certificate? I have been trying to research this and have found limited
information on this. Only one document that was of any help
-àhttp://www.cabforum.org/EV_Certificate_Guidelines.pdf.

 

  My issue is with OpenSSL and adding the needed additional OIDs to the
certificate.

 

Thanks in advance,

Gumbie



Re: LNK4078 and LNK4210 linking with x64 static libs

2010-09-23 Thread per fry kenvall
I disagree; according to 
http://blogs.msdn.com/b/vcblog/archive/2006/10/20/crt-initialization.aspx
.CRT$XCU is for setting up static initializers. Also, the text of the 
source file from which the assembler file is generated gives a hint that 
it is a call:

.extern OPENSSL_cpuid_setup
.section.init
   callOPENSSL_cpuid_setup

And maybe the parts of openssl that you are using work perfectly, while 
there might be other parts relying on this initialization. 
(Unfortunately I can't run "make test" on 64-bit as I don't have any 
such box with Visual Studio).


/Per

Jack Zhang wrote:
According to my understanding, that section is just a declaration of 
an external function. The section is needed to be there only if the 
function is called in the x86_64cpuid.asm. So, I don't think it will 
affect anything. In fact, my x64 version build runs perfectly. (I am 
using openssl 1.0.0 and then 1.0.0a)




On Thu, Sep 23, 2010 at 7:12 AM, per fry kenvall > wrote:


Hi,

Thanks for your suggestion! But as far as I see, the assembler
code in x86_64cpuid.asm _is_ the reference to OPENSSL_cpuid_setup!
The runtime will call the functions given in the .CRT$XCU section
before calling the main() entry. And it seems to me that the
OPENSSL_cpuid_setup function in crypto/cryptlib.c does have useful
code on Windows platforms, and so should be called, shouldn't it?
It initializes a static variable with some processor specific
info, whose value may be taken via the OPENSSL_ia32cap_loc() function.

I tried printf("%lu", *OPENSSL_ia32cap_loc()), which prints out 0
using the x64 code, while printing 2951479295 using 32-bit code,
indicating that OPENSSL_cpuid_setup has only been executed with
the 32-bit code. What's the impact of this? Isn't it a bug?

Cheers,
Per

Jack Zhang wrote:

I had got the same problem. I just simply deleted that section
 EXTERNOPENSSL_cpuid_setup
 section.CRT$XCU
 ALIGN8
 DQOPENSSL_cpuid_setup

 section.text code align=64

from the asm file because the extern OpenSSL_cpuid_setup is
never referenced.

Good luck

On Tue, Sep 21, 2010 at 9:57 AM, perfry wrote:

   Hi,

   I've built 1.0.0a on Windows with VS2005, using nt.mak to get
   static libraries.
   With x64 I get warnings when linking applications, both
   openssl.exe and test programs like sha1test.exe. A snippet of
   output from nmake -f ms\nt.mak:
 link /nologo /subsystem:console /opt:ref /debug
   /out:out32\openssl.exe
@C:\DOCUME~1\FRYKEN~1\LOCALS~1\Temp\nm3B3.tmp
   LIBCMT.lib(crt0init.obj) : warning LNK4254: section '.CRT'
   (6020) merged into '.rdata' (4040) with different
attributes


   And when linking our own application on x64/Release platform:
 libeay32.lib(x86_64cpuid.obj) : warning LNK4078: multiple
'.CRT'
   sections found with different attributes (60500020)
 libeay32.lib(x86_64cpuid.obj) : warning LNK4210: .CRT section
   exists; there may be unhandled static initializers or
terminators


   The linker command can be deduced from the following:
 Creating temporary file
   "c:\utv\ccbas4\ccbase\x64\Release\RSP132444832.rsp"
with contents
 [
 /OUT:"../deploy/execs/x64/Release/etnode.exe" /INCREMENTAL:NO
   /MANIFEST
   /MANIFESTFILE:"x64/Release\etnode.exe.intermediate.manifest"
   /DELAYLOAD:"oci.dll" /DEBUG
   /PDB:"../deploy/execs/x64/Release/etnode.pdb"
/SUBSYSTEM:CONSOLE
   /LTCG psapi.lib odbc32.lib odbccp32.lib WS2_32.LIB ADVAPI32.LIB
   GDI32.LIB USER32.LIB dbghelp.lib
   ../snibu/logging-log4cxx/msvc/lib/x64/Release/log4cxxs.lib
   ../snibu/openssl-1.0.0a/x64/Release/lib/ssleay32.lib
   ../snibu/openssl-1.0.0a/x64/Release/lib/libeay32.lib
   ../snibu/oracle/x64/instantclient_10_2/sdk/lib/msvc/oci.lib
   ../snibu/zlib/msvc/lib/x64/Release/zlibstat.lib kernel32.lib
   user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib
   shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib
   odbccp32.lib DelayImp.lib

 ".\x64\Release\CCcServApp.obj"
 ...
 ".\x64\Release\Bas4Bridge.obj"
 ]
 Creating command line "link.exe
   @c:\utv\ccbas4\ccbase\x64\Release\RSP132444832.rsp /NOLOGO
   /ERRORREPORT:PROMPT"


   I've done the following to build openssl:
 cd /d C:\utv\snibu\openssl\x64\release\openssl-1.0.0a
 call "C:\Program Files\Microsoft Visual Studio
   8\VC\vcvarsall.bat" x86_amd64
 perl Configure VC-WIN64A
--prefix=c:\

Re: LNK4078 and LNK4210 linking with x64 static libs

2010-09-23 Thread Jakob Bohm

Actually, that section (specifically, the DQ line) places a single
pointer constant in a data section with the "magic" name ".CRT$XCU".

Background:

The Microsoft linker, upon seeing a $ sign in a section name will
merge this section with all other sections name ".CRT" or 
".CRT$whatever", but only after it has ordered the layout of that

section alphabetically according to the non-truncated section name.
Thus the constants in .obj section ".CRT$XCU" will be placed between
anything in sections ".CRT$XCT" (or less) and anything in sections
".CRT$XCV" (or more).

The Microsoft C runtime startup code contains declarations for dummy
NULL variables in sections ".CRT$XCA" and ".CRT$XCZ" and a loop
which treats the data between those sections (including the DQ placed
there by this ASM file and any constructors for C++ global variables
etc.) as an array of function pointers to be called before
invoking main().  A similar method (with a different letter after X
is used for functions to call after main() returns or during a call to
exit()).

The above description matches at least the C runtime in Visual Studio
2005 (look at the files VC\CRT\src\crt0init.c and VC\CRT\src\crt0dat.c).

Error message analysis:

The warning complains that something in section .CRT has been given
the section attributes 0x6020 (meaning Read/Execute, contains code),
even though the rest of the file section it ultimately goes into 
(".rdata") has attributes 0x4040 (meaning Read, contains initialized 
data).


Thus my guess is that the line "section.CRT$XCU" is lacking
some keywords to tell the assembler to mark that section as
read-only data, not code.  Unfortunately, I am not sure of the
syntax to do that in the x86_64 version of MASM.


On 23-09-2010 15:09, Jack Zhang wrote:

According to my understanding, that section is just a declaration of an
external function. The section is needed to be there only if the
function is called in the x86_64cpuid.asm. So, I don't think it will
affect anything. In fact, my x64 version build runs perfectly. (I am
using openssl 1.0.0 and then 1.0.0a)



On Thu, Sep 23, 2010 at 7:12 AM, per fry kenvall mailto:per...@got.wmdata.se>> wrote:

Hi,

Thanks for your suggestion! But as far as I see, the assembler code
in x86_64cpuid.asm _is_ the reference to OPENSSL_cpuid_setup! The
runtime will call the functions given in the .CRT$XCU section before
calling the main() entry. And it seems to me that the
OPENSSL_cpuid_setup function in crypto/cryptlib.c does have useful
code on Windows platforms, and so should be called, shouldn't it? It
initializes a static variable with some processor specific info,
whose value may be taken via the OPENSSL_ia32cap_loc() function.

I tried printf("%lu", *OPENSSL_ia32cap_loc()), which prints out 0
using the x64 code, while printing 2951479295 using 32-bit code,
indicating that OPENSSL_cpuid_setup has only been executed with the
32-bit code. What's the impact of this? Isn't it a bug?

Cheers,
Per

Jack Zhang wrote:

I had got the same problem. I just simply deleted that section
  EXTERNOPENSSL_cpuid_setup
  section.CRT$XCU
  ALIGN8
  DQOPENSSL_cpuid_setup

  section.text code align=64

from the asm file because the extern OpenSSL_cpuid_setup is
never referenced.

Good luck

On Tue, Sep 21, 2010 at 9:57 AM, perfry wrote:

Hi,

I've built 1.0.0a on Windows with VS2005, using nt.mak to get
static libraries.
With x64 I get warnings when linking applications, both
openssl.exe and test programs like sha1test.exe. A snippet of
output from nmake -f ms\nt.mak:
  link /nologo /subsystem:console /opt:ref /debug
/out:out32\openssl.exe
@C:\DOCUME~1\FRYKEN~1\LOCALS~1\Temp\nm3B3.tmp
LIBCMT.lib(crt0init.obj) : warning LNK4254: section '.CRT'
(6020) merged into '.rdata' (4040) with different
attributes


And when linking our own application on x64/Release platform:
  libeay32.lib(x86_64cpuid.obj) : warning LNK4078: multiple
'.CRT'
sections found with different attributes (60500020)
  libeay32.lib(x86_64cpuid.obj) : warning LNK4210: .CRT section
exists; there may be unhandled static initializers or
terminators


The linker command can be deduced from the following:
  Creating temporary file
"c:\utv\ccbas4\ccbase\x64\Release\RSP132444832.rsp" with
contents
  [
  /OUT:"../deploy/execs/x64/Release/etnode.exe" /INCREMENTAL:NO
/MANIFEST
/MANIFESTFILE:"x64/Release\etnode.exe.intermediate.manifest"
/DELAYLOAD:"oci.dll" /DEBUG
/PDB:"../deploy/execs/x64/Release/etnode.pdb" /SUBSYSTEM:CONSOLE
   

Re: Self-signed CA problem for internal web application

2010-09-23 Thread Chris Rider
Sorry, I think I should make clear that I'm using two different 
setups... one for the CA and another for the end user certificate.


For example, my CA is in /etc/pki_MessageNet/CA while my end-user is in 
/etc/pki_MessageNet/tls --- so when I generate my CA keys, it has its 
own config file / scope... and when I generate my end user CSR, it has 
its own config file / scope. I am, however, granting my CSR from within 
the scope of my CA and its configuration. In other words, I'm 
replicating a "real world" type situation -- or that is the hope!



Chris Rider wrote:
I think we're on to something here... thank you for your time and 
attention, btw!


I still can't see anything about the AIA thing, but I took another go 
at the basicConstraints and keyUsage, and seem to have slightly better 
results. I changed basicConstraints to True (it was FALSE by default), 
so that makes sense. I also just tacked on certSign to the end of the 
keyUsage string. Now, when I generate the keys and install the CA's 
certificate on the client, even IE will automatically detect/install 
as a trusted root... which it wasn't before. So I think we're onto 
something with my CA.


But now, when I go to sign the server certificate using my CA, I am 
getting the following errors: (using the exact same process -- 
scripted -- as before, so the only thing changed is the CA config file 
/ CA keys)

Error Loading extension section usr_cert
14488:error:02001002:system library:fopen:No such file or 
directory:bss_file.c:122:fopen('/etc/pki_MessageNet/CA/index.txt.attr','rb') 

14488:error:2006D080:BIO routines:BIO_new_file:no such 
file:bss_file.c:125:
14488:error:0E078072:configuration file routines:DEF_LOAD:no such 
file:conf_def.c:197:
14488:error:0E06D06C:configuration file routines:NCONF_get_string:no 
value:conf_lib.c:329:group=CA_default name=email_in_dn
14488:error:2206E068:X509 V3 routines:X509V3_get_value_bool:invalid 
boolean string:v3_utl.c:229:section:,name:CA,value:True
14488:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in 
extension:v3_conf.c:93:name=basicConstraints, value=CA:True


What is the best way to include my file contents for you? (worried 
about posting something a mile long)



Patrick Patterson wrote:

Hi Chris:
On 2010-09-22, at 4:13 PM, Chris Rider wrote:

 
For now, I've just copied the CA's public .crt file to a public_html 
type directory and downloading on the client ~ from there, depending 
on whether I use FireFox or IE, I go into the respective 
certificates manager and import the one I downloaded. I've been very 
deliberate in making sure it actually gets installed under the 
root/trusted category, and not some other category.


I haven't investigated the AIA field... (didn't even know about it)

Would that be specified when creating the CA's keys? Is that best 
specified in my CA's cnf file somewhere?





Yes - it would.
 
Barring all else, it seems to me like the browser is hanging up on 
the fact that the CA's certificate is self-signed. (??)





Things that would make the browser hang include:

CA cert not including basicConstraints: CA=True, or keyUsage not 
including certSign.

and
User Certs that DO include either of those values.

Also, what could be happening is a mismatch between AKI and SKI 
values in the CA and Server certs.


That's why I requested you to send along a copy of the certs that you 
are using - the values need to be set correctly, just having one key 
signed by the other, which happens to be self signed, is not enough. 
Unless you have extensively edited your openssl.cnf file, you are 
probably not generating correct CA or end entity certs.


Have fun.

Patrick.


 

-Chris


Hugo Garza wrote:
   

Hi Chris, how are you installing the root CA on the client machines?

In windows once you double click the root certificate you get a 
message dialog box and click the install certificate button. On the 
following screen press next and on the next screen tell it to 
install the certificate to the Trusted Root Certificate 
Authorities, hit next then finish. You should get a Windows dialog 
warning saying that you are adding a root certificate, and you just 
say yes.


Now the other possible problem is that on the server certificate 
that you created you aren't including the Authority Information 
Access (AIA) field. This is crucial so that your customers only 
have to install the root CA and implicitly trust any certificates 
signed by the root.


On Wed, Sep 22, 2010 at 2:29 PM, Chris Rider 
> wrote:


   We have a client/server architecture based product that needs to
   allow SSL communication between our server (CentOS) and various
   clients' web browsers (and additionally, other devices, but that's
   beyond the scope of this post).

   We've been able to get SSL working in both of two different ways
   (self-signed certificate & self-signed CA with certificates signed
   by that) -- so that is not the issue. Rathe

Re: LNK4078 and LNK4210 linking with x64 static libs

2010-09-23 Thread Jack Zhang
According to my understanding, that section is just a declaration of an
external function. The section is needed to be there only if the function is
called in the x86_64cpuid.asm. So, I don't think it will affect anything. In
fact, my x64 version build runs perfectly. (I am using openssl 1.0.0 and
then 1.0.0a)



On Thu, Sep 23, 2010 at 7:12 AM, per fry kenvall wrote:

> Hi,
>
> Thanks for your suggestion! But as far as I see, the assembler code in
> x86_64cpuid.asm _is_ the reference to OPENSSL_cpuid_setup! The runtime will
> call the functions given in the .CRT$XCU section before calling the main()
> entry. And it seems to me that the OPENSSL_cpuid_setup function in
> crypto/cryptlib.c does have useful code on Windows platforms, and so should
> be called, shouldn't it? It initializes a static variable with some
> processor specific info, whose value may be taken via the
> OPENSSL_ia32cap_loc() function.
>
> I tried printf("%lu", *OPENSSL_ia32cap_loc()), which prints out 0 using the
> x64 code, while printing 2951479295 using 32-bit code, indicating that
> OPENSSL_cpuid_setup has only been executed with the 32-bit code. What's the
> impact of this? Isn't it a bug?
>
> Cheers,
> Per
>
> Jack Zhang wrote:
>
>> I had got the same problem. I just simply deleted that section
>>  EXTERNOPENSSL_cpuid_setup
>>  section.CRT$XCU
>>  ALIGN8
>>  DQOPENSSL_cpuid_setup
>>
>>  section.text code align=64
>>
>> from the asm file because the extern OpenSSL_cpuid_setup is never
>> referenced.
>>
>> Good luck
>>
>> On Tue, Sep 21, 2010 at 9:57 AM, perfry wrote:
>>
>>Hi,
>>
>>I've built 1.0.0a on Windows with VS2005, using nt.mak to get
>>static libraries.
>>With x64 I get warnings when linking applications, both
>>openssl.exe and test programs like sha1test.exe. A snippet of
>>output from nmake -f ms\nt.mak:
>>  link /nologo /subsystem:console /opt:ref /debug
>>/out:out32\openssl.exe @C:\DOCUME~1\FRYKEN~1\LOCALS~1\Temp\nm3B3.tmp
>>LIBCMT.lib(crt0init.obj) : warning LNK4254: section '.CRT'
>>(6020) merged into '.rdata' (4040) with different attributes
>>
>>
>>And when linking our own application on x64/Release platform:
>>  libeay32.lib(x86_64cpuid.obj) : warning LNK4078: multiple '.CRT'
>>sections found with different attributes (60500020)
>>  libeay32.lib(x86_64cpuid.obj) : warning LNK4210: .CRT section
>>exists; there may be unhandled static initializers or terminators
>>
>>
>>The linker command can be deduced from the following:
>>  Creating temporary file
>>"c:\utv\ccbas4\ccbase\x64\Release\RSP132444832.rsp" with contents
>>  [
>>  /OUT:"../deploy/execs/x64/Release/etnode.exe" /INCREMENTAL:NO
>>/MANIFEST
>>/MANIFESTFILE:"x64/Release\etnode.exe.intermediate.manifest"
>>/DELAYLOAD:"oci.dll" /DEBUG
>>/PDB:"../deploy/execs/x64/Release/etnode.pdb" /SUBSYSTEM:CONSOLE
>>/LTCG psapi.lib odbc32.lib odbccp32.lib WS2_32.LIB ADVAPI32.LIB
>>GDI32.LIB USER32.LIB dbghelp.lib
>>../snibu/logging-log4cxx/msvc/lib/x64/Release/log4cxxs.lib
>>../snibu/openssl-1.0.0a/x64/Release/lib/ssleay32.lib
>>../snibu/openssl-1.0.0a/x64/Release/lib/libeay32.lib
>>../snibu/oracle/x64/instantclient_10_2/sdk/lib/msvc/oci.lib
>>../snibu/zlib/msvc/lib/x64/Release/zlibstat.lib kernel32.lib
>>user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib
>>shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib
>>odbccp32.lib DelayImp.lib
>>
>>  ".\x64\Release\CCcServApp.obj"
>>  ...
>>  ".\x64\Release\Bas4Bridge.obj"
>>  ]
>>  Creating command line "link.exe
>>@c:\utv\ccbas4\ccbase\x64\Release\RSP132444832.rsp /NOLOGO
>>/ERRORREPORT:PROMPT"
>>
>>
>>I've done the following to build openssl:
>>  cd /d C:\utv\snibu\openssl\x64\release\openssl-1.0.0a
>>  call "C:\Program Files\Microsoft Visual Studio
>>8\VC\vcvarsall.bat" x86_amd64
>>  perl Configure VC-WIN64A --prefix=c:\appl\openssl-1.0.0a\x64\release
>>  ms\do_win64a.bat
>>  nmake -f ms\nt.mak
>>  nmake -f ms\nt.mak install
>>
>>And the file x86_64cpuid.asm mentioned in the warnings starts with
>>the following:
>>  defaultrel
>>  EXTERNOPENSSL_cpuid_setup
>>  section.CRT$XCU
>>  ALIGN8
>>  DQOPENSSL_cpuid_setup
>>
>>  section.text code align=64
>>...
>>
>>
>>Could somebody help me solve this warning, it seems to me that
>>OPENSSL_cpuid_setup will not be executed.
>>
>>
>>Best regards,
>>Per Frykenvall
>>__
>>OpenSSL Project http://www.openssl.org
>>User Support Mailing List
>> openssl-users@openssl.org 
>>Automated List Manager
>> majord...@openssl.org 
>>
>>
>>
> _

Re: Self-signed CA problem for internal web application

2010-09-23 Thread Chris Rider
I think we're on to something here... thank you for your time and 
attention, btw!


I still can't see anything about the AIA thing, but I took another go at 
the basicConstraints and keyUsage, and seem to have slightly better 
results. I changed basicConstraints to True (it was FALSE by default), 
so that makes sense. I also just tacked on certSign to the end of the 
keyUsage string. Now, when I generate the keys and install the CA's 
certificate on the client, even IE will automatically detect/install as 
a trusted root... which it wasn't before. So I think we're onto 
something with my CA.


But now, when I go to sign the server certificate using my CA, I am 
getting the following errors: (using the exact same process -- scripted 
-- as before, so the only thing changed is the CA config file / CA keys)

Error Loading extension section usr_cert
14488:error:02001002:system library:fopen:No such file or 
directory:bss_file.c:122:fopen('/etc/pki_MessageNet/CA/index.txt.attr','rb')

14488:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
14488:error:0E078072:configuration file routines:DEF_LOAD:no such 
file:conf_def.c:197:
14488:error:0E06D06C:configuration file routines:NCONF_get_string:no 
value:conf_lib.c:329:group=CA_default name=email_in_dn
14488:error:2206E068:X509 V3 routines:X509V3_get_value_bool:invalid 
boolean string:v3_utl.c:229:section:,name:CA,value:True
14488:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in 
extension:v3_conf.c:93:name=basicConstraints, value=CA:True


What is the best way to include my file contents for you? (worried about 
posting something a mile long)



Patrick Patterson wrote:

Hi Chris:
On 2010-09-22, at 4:13 PM, Chris Rider wrote:

  

For now, I've just copied the CA's public .crt file to a public_html type 
directory and downloading on the client ~ from there, depending on whether I 
use FireFox or IE, I go into the respective certificates manager and import the 
one I downloaded. I've been very deliberate in making sure it actually gets 
installed under the root/trusted category, and not some other category.

I haven't investigated the AIA field... (didn't even know about it)

Would that be specified when creating the CA's keys? Is that best specified in 
my CA's cnf file somewhere?




Yes - it would. 

  

Barring all else, it seems to me like the browser is hanging up on the fact 
that the CA's certificate is self-signed. (??)




Things that would make the browser hang include:

CA cert not including basicConstraints: CA=True, or keyUsage not including 
certSign.
and
User Certs that DO include either of those values.

Also, what could be happening is a mismatch between AKI and SKI values in the 
CA and Server certs.

That's why I requested you to send along a copy of the certs that you are using 
- the values need to be set correctly, just having one key signed by the other, 
which happens to be self signed, is not enough. Unless you have extensively 
edited your openssl.cnf file, you are probably not generating correct CA or end 
entity certs.

Have fun.

Patrick.


  

-Chris


Hugo Garza wrote:


Hi Chris, how are you installing the root CA on the client machines?

In windows once you double click the root certificate you get a message dialog 
box and click the install certificate button. On the following screen press 
next and on the next screen tell it to install the certificate to the Trusted 
Root Certificate Authorities, hit next then finish. You should get a Windows 
dialog warning saying that you are adding a root certificate, and you just say 
yes.

Now the other possible problem is that on the server certificate that you 
created you aren't including the Authority Information Access (AIA) field. This 
is crucial so that your customers only have to install the root CA and 
implicitly trust any certificates signed by the root.

On Wed, Sep 22, 2010 at 2:29 PM, Chris Rider mailto:chris.ri...@messagenetsystems.com>> wrote:

   We have a client/server architecture based product that needs to
   allow SSL communication between our server (CentOS) and various
   clients' web browsers (and additionally, other devices, but that's
   beyond the scope of this post).

   We've been able to get SSL working in both of two different ways
   (self-signed certificate & self-signed CA with certificates signed
   by that) -- so that is not the issue. Rather, our whole issue is
   that we don't want the end-users to confronted with a big scary
   browser message that says something akin to "There's a Problem
   With Security! / Allow Exception, etc." If they must install a
   certificate or two, that would be acceptable, though. So I thought
   that creating my own CA to sign certificates with would be a
   solution apparently not. I'm now getting browser messages that
   say the certificate's issuer is not trusted!!! Very frustrating.

   So, as I said, I've created my own CA (using this link as a guide:
   http://www.g-loa

Re: Self-signed CA problem for internal web application

2010-09-23 Thread Chris Rider
Sure.. but please excuse me as this is the first time posting on this 
forum ~ post in plain text or does this system support attached files?



Patrick Patterson wrote:

Hi Chris:

Can you post the certificates in question? My guess is that you don't have the 
various extensions set according to the PKIX standards that the Browsers are 
expecting.

Thanks.

Patrick.
On 2010-09-22, at 2:57 PM, Chris Rider wrote:

  

We have a client/server architecture based product that needs to allow SSL 
communication between our server (CentOS) and various clients' web browsers 
(and additionally, other devices, but that's beyond the scope of this post).

We've been able to get SSL working in both of two different ways (self-signed certificate 
& self-signed CA with certificates signed by that) -- so that is not the issue. Rather, 
our whole issue is that we don't want the end-users to confronted with a big scary browser 
message that says something akin to "There's a Problem With Security! / Allow Exception, 
etc." If they must install a certificate or two, that would be acceptable, though. So I 
thought that creating my own CA to sign certificates with would be a solution apparently 
not. I'm now getting browser messages that say the certificate's issuer is not trusted!!! 
Very frustrating.

So, as I said, I've created my own CA (using this link as a guide: 
http://www.g-loaded.eu/2005/11/10/be-your-own-ca/ ), and can sign my own certificates 
without problem. I then install the root certificate, followed by a server certificate 
signed by that CA. And, while I can click "allow exception" in the browser to 
make it all work, that is not the desired way. We just want to be able to have the 
end-user install a trusted root certificate and everything just work from there. Testing 
in IE and FireFox nets the same big scary warning message, no matter what combination of 
fields I use in the CSR, etc.

We really don't want to go with a third party CA like VeriSign, for example -- 
not so much because of the cost, but we just don't want to deal with updating 
countless remote installations of our product whenever the certificate expires. 
Not to mention the support that would be associated with doing that! The other 
issue is that some/most of these installations do not have outside internet 
connectivity with which to query the CA's (for CRL's, or whatever). We really 
need to manage our own certificates, all in all but without these warning 
messages.

Is it possible?
If so, what am I missing?

--
Chris Rider,
Systems Architect
MessageNet Systems
chris.ri...@messagenetsystems.com
__ OpenSSL 
Project http://www.openssl.org User Support Mailing List 
openssl-users@openssl.org Automated List Manager majord...@openssl.org



---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559





__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


  

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: LNK4078 and LNK4210 linking with x64 static libs

2010-09-23 Thread per fry kenvall

Hi,

Thanks for your suggestion! But as far as I see, the assembler code in 
x86_64cpuid.asm _is_ the reference to OPENSSL_cpuid_setup! The runtime 
will call the functions given in the .CRT$XCU section before calling the 
main() entry. And it seems to me that the OPENSSL_cpuid_setup function 
in crypto/cryptlib.c does have useful code on Windows platforms, and so 
should be called, shouldn't it? It initializes a static variable with 
some processor specific info, whose value may be taken via the 
OPENSSL_ia32cap_loc() function.


I tried printf("%lu", *OPENSSL_ia32cap_loc()), which prints out 0 using 
the x64 code, while printing 2951479295 using 32-bit code, indicating 
that OPENSSL_cpuid_setup has only been executed with the 32-bit code. 
What's the impact of this? Isn't it a bug?


Cheers,
Per

Jack Zhang wrote:

I had got the same problem. I just simply deleted that section
  EXTERNOPENSSL_cpuid_setup
  section.CRT$XCU
  ALIGN8
  DQOPENSSL_cpuid_setup

  section.text code align=64

from the asm file because the extern OpenSSL_cpuid_setup is never 
referenced.


Good luck

On Tue, Sep 21, 2010 at 9:57 AM, perfry wrote:

Hi,

I've built 1.0.0a on Windows with VS2005, using nt.mak to get
static libraries.
With x64 I get warnings when linking applications, both
openssl.exe and test programs like sha1test.exe. A snippet of
output from nmake -f ms\nt.mak:
  link /nologo /subsystem:console /opt:ref /debug
/out:out32\openssl.exe @C:\DOCUME~1\FRYKEN~1\LOCALS~1\Temp\nm3B3.tmp
LIBCMT.lib(crt0init.obj) : warning LNK4254: section '.CRT'
(6020) merged into '.rdata' (4040) with different attributes


And when linking our own application on x64/Release platform:
  libeay32.lib(x86_64cpuid.obj) : warning LNK4078: multiple '.CRT'
sections found with different attributes (60500020)
  libeay32.lib(x86_64cpuid.obj) : warning LNK4210: .CRT section
exists; there may be unhandled static initializers or terminators


The linker command can be deduced from the following:
  Creating temporary file
"c:\utv\ccbas4\ccbase\x64\Release\RSP132444832.rsp" with contents
  [
  /OUT:"../deploy/execs/x64/Release/etnode.exe" /INCREMENTAL:NO
/MANIFEST
/MANIFESTFILE:"x64/Release\etnode.exe.intermediate.manifest"
/DELAYLOAD:"oci.dll" /DEBUG
/PDB:"../deploy/execs/x64/Release/etnode.pdb" /SUBSYSTEM:CONSOLE
/LTCG psapi.lib odbc32.lib odbccp32.lib WS2_32.LIB ADVAPI32.LIB
GDI32.LIB USER32.LIB dbghelp.lib
../snibu/logging-log4cxx/msvc/lib/x64/Release/log4cxxs.lib
../snibu/openssl-1.0.0a/x64/Release/lib/ssleay32.lib
../snibu/openssl-1.0.0a/x64/Release/lib/libeay32.lib
../snibu/oracle/x64/instantclient_10_2/sdk/lib/msvc/oci.lib
../snibu/zlib/msvc/lib/x64/Release/zlibstat.lib kernel32.lib
user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib
shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib
odbccp32.lib DelayImp.lib

  ".\x64\Release\CCcServApp.obj"
  ...
  ".\x64\Release\Bas4Bridge.obj"
  ]
  Creating command line "link.exe
@c:\utv\ccbas4\ccbase\x64\Release\RSP132444832.rsp /NOLOGO
/ERRORREPORT:PROMPT"


I've done the following to build openssl:
  cd /d C:\utv\snibu\openssl\x64\release\openssl-1.0.0a
  call "C:\Program Files\Microsoft Visual Studio
8\VC\vcvarsall.bat" x86_amd64
  perl Configure VC-WIN64A --prefix=c:\appl\openssl-1.0.0a\x64\release
  ms\do_win64a.bat
  nmake -f ms\nt.mak
  nmake -f ms\nt.mak install

And the file x86_64cpuid.asm mentioned in the warnings starts with
the following:
  defaultrel
  EXTERNOPENSSL_cpuid_setup
  section.CRT$XCU
  ALIGN8
  DQOPENSSL_cpuid_setup

  section.text code align=64
...


Could somebody help me solve this warning, it seems to me that
OPENSSL_cpuid_setup will not be executed.


Best regards,
Per Frykenvall
__
OpenSSL Project http://www.openssl.org
User Support Mailing List  
 openssl-users@openssl.org 
Automated List Manager  
majord...@openssl.org 





__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Problem with rsa_keygen

2010-09-23 Thread Christian Hohnstaedt
On Thu, Sep 23, 2010 at 10:08:40AM +0200, Nacho ?lvarez wrote:
> That's not the problem, I think, because if the only instruction of the
> function is:
> 
> int rsa_keygen (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb) {
> return 1;
> }
> 
> I get the "segmentation fault" when the rsa_keygen ends. But if I return 0
> or -1 (errors) OpenSSL reports me "error in genrsa" and call ends ok (no
> segmentation fault or something like that).

What about posting the relevant part of the code?
And the gdb output.

It would help a lot.

Cheers

Christian


> 
> 2010/9/22 Christian Hohnstaedt 
> 
> > On Wed, Sep 22, 2010 at 03:41:30PM +0200, Nacho ?lvarez wrote:
> > > Hello everybody
> > >
> > > Several months ago I developed an OpenSSL PKCS#11 engine for Windows XP
> > and
> > > it worked ok (it was compiled with MinGW).
> > > Now I'm trying to compile it on Linux (Debian 5 with GCC 4.3.1) but I
> > have
> > > the next problem:
> > >
> > > In the overwritten function *rsa_keygen* (whose signature is *int
> > rsa_keygen
> > > (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)*) always when the function
> > > ends (after the return instrucction) System reports me *Segmentation
> > Fault*.
> >
> > You overwrote you return address on the stack most probably by
> > accessing a locally declared array out of bounds.
> >
> > Cheers
> >
> >Christian
> > __
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing Listopenssl-users@openssl.org
> > Automated List Manager   majord...@openssl.org
> >
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Re: Problem with rsa_keygen

2010-09-23 Thread Nacho Álvarez
That's not the problem, I think, because if the only instruction of the
function is:

int rsa_keygen (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb) {
return 1;
}

I get the "segmentation fault" when the rsa_keygen ends. But if I return 0
or -1 (errors) OpenSSL reports me "error in genrsa" and call ends ok (no
segmentation fault or something like that).

2010/9/22 Christian Hohnstaedt 

> On Wed, Sep 22, 2010 at 03:41:30PM +0200, Nacho ?lvarez wrote:
> > Hello everybody
> >
> > Several months ago I developed an OpenSSL PKCS#11 engine for Windows XP
> and
> > it worked ok (it was compiled with MinGW).
> > Now I'm trying to compile it on Linux (Debian 5 with GCC 4.3.1) but I
> have
> > the next problem:
> >
> > In the overwritten function *rsa_keygen* (whose signature is *int
> rsa_keygen
> > (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)*) always when the function
> > ends (after the return instrucction) System reports me *Segmentation
> Fault*.
>
> You overwrote you return address on the stack most probably by
> accessing a locally declared array out of bounds.
>
> Cheers
>
>Christian
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>


Re: get subjectAltName

2010-09-23 Thread Naveen B.N

Thank you Christian, it helped to decode the kerberos principal name .
The code worked.

Regards
Naveen
Christian Hohnstaedt wrote:

On Wed, Sep 22, 2010 at 05:48:07PM +0530, Naveen B.N wrote:
  

Thank you Christian,
your suggestions helped us to get the position but as you mentioned the 
problem
of resolving to kerberos principal name, i tried Google and added a 
piece  of code

but i am not getting the out put  as  shown below .

#include 
#include 

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#define CERT_INFO_MAX_ENTRIES 15
#define CERT_INFO_SIZE 10



/*
  http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html

KRB5PrincipalName ::= SEQUENCE {
realm [0] Realm,
principalName [1] PrincipalName
 }

Maybe this is already defined somewhere in OpenSSL - I didn't find it.
*/

typedef struct kdc_princname_st
{
ASN1_GENERALSTRING  *realm;
KRB5_PRINCNAME  *princname;
}   KDC_PRINCNAME;

ASN1_SEQUENCE(KDC_PRINCNAME) = {
ASN1_EXP(KDC_PRINCNAME, realm, ASN1_GENERALSTRING, 0),
ASN1_EXP(KDC_PRINCNAME, princname, KRB5_PRINCNAME, 1)
} ASN1_SEQUENCE_END(KDC_PRINCNAME)

IMPLEMENT_ASN1_FUNCTIONS(KDC_PRINCNAME)


  

static char **cert_info_kpn(X509 *x509) {
   int i,j;
   static char *entries[CERT_INFO_SIZE];
   STACK_OF(GENERAL_NAME) *gens;
   GENERAL_NAME *name;
   ASN1_OBJECT *krb5PrincipalName;
   printf("Trying to find a Kerberos Principal Name in 
certificate");

   gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
   krb5PrincipalName = OBJ_txt2obj("1.3.6.1.5.2.2", 1);
   if (!gens) {
   printf("No alternate name extensions");
   return NULL; /* no alternate names */
   }
   if (!krb5PrincipalName) {
   printf("Cannot map KPN object");
   return NULL;
   }
   for (i=0,j=0; (i < sk_GENERAL_NAME_num(gens)) && 
(j
   name = sk_GENERAL_NAME_value(gens, i);
   if ( name && name->type==GEN_OTHERNAME ) {  /* test for 
UPN */
   if (OBJ_cmp(name->d.otherName->type_id, 
krb5PrincipalName)) continue; /* object is not a UPN */

   else {
   /* NOTE:
   from PKINIT RFC, I deduce that stored format for 
kerberos

   Principal Name is ASN1_STRING, but not sure at 100%
   Any help will be granted
   */
   unsigned char *txt;
   ASN1_TYPE *val = name->d.otherName->value;
   ASN1_STRING *str= val->value.asn1_string;
   printf("Found Kerberos Principal Name ");




unsigned char * p = str->data;
KDC_PRINCNAME *pn = d2i_KDC_PRINCNAME(NULL, &p, 
str->length);
KRB5_PRINCNAME *princname = pn->princname;
printf("Realm '%*s'\nNAMETYPE: %ld\n",
pn->realm->length, pn->realm->data,
ASN1_INTEGER_get(princname->nametype));
for (j=0; 
jnamestring); j++) {
ASN1_GENERALSTRING *gs = 
sk_ASN1_GENERALSTRING_value(princname->namestring,j);
printf("[%i] %*s\n", j, gs->length, gs->data);
}



Cheers

Christian
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

  

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org