Re: UI

2002-07-11 Thread Richard Levitte - VMS Whacker

In message [EMAIL PROTECTED] on Wed, 10 Jul 2002 18:56:20 +0200, Götz
Babin-Ebell [EMAIL PROTECTED] said:

babinebell> Is there an easy way to convert a passphrase callback to a UI?
babinebell> 
babinebell> meaning:
babinebell> I have a pem_password_callback (and a pointer to
babinebell> additional data) But the function wants a UI
babinebell> (ENGINE_load_privatekey())...

First of all, you're not quite correct: what it wants is a UI_METHOD.
I assume that you're using the nCipher/chil engine, but that doesn't
matter, you should be safe enough if you use UI_OpenSSL().

If you want to create your own method, that's perfectly fine.  You
might want to look at apps/apps.c:setup_ui_method() as an example that
creates a method with UI_OpenSSL() as a base.

babinebell> BTW:
babinebell> there seems to be a bug in crypto/ui/ui_util.c:
babinebell> (0.9.7 stable SNAP 2002070)

I'll check that out, thanks for the report.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



[openssl.org #141] Error while writing zero-length string

2002-07-11 Thread Martin Sjögren via RT


When you write a zero-length string with SSL_write, OpenSSL signals a
protocol-violating EOF even though no such thing has happened. My
guess is that a zero returned is misinterpreted somewhere though I have
not had time to dig through the source.

I attached a program that (at least on my machine) reproduces the
problem.

$ uname -a
Linux ratthing-b3cf 2.4.18 #5 Thu Jul 4 12:01:50 CEST 2002 i686 unknown
$ /tmp/openssl-0.9.7-beta2/bin/openssl version
OpenSSL 0.9.7-beta2 16 Jun 2002


Regards,
Martin

-- 
Martin Sjögren
  [EMAIL PROTECTED]  ICQ : 41245059
  Phone: +46 (0)31 7710870   Cell: +46 (0)739 169191
  GPG key: http://www.strakt.com/~martin/gpg.html



Re: Update: Bull TrustWay PKCS#11 engine

2002-07-11 Thread afchine madjlessi

Steven A. Bade wrote:
> The 64$ question from my mind is are you working on a 0.9.7 engine for
> PKCS#11... That's the one of particular interest to me in the long run.


of course.

afchine
__
[EMAIL PROTECTED]
Bull - Trustway RD - Networking  Security
http://www.servers.bull.com/trustway







[openssl.org #142] (no subject)

2002-07-11 Thread [EMAIL PROTECTED] via RT


Dear all,
I get error messages when I tried to compile the latest version of
openssl.
I attach a logfile of make.

OpenSSL self-test report:

OpenSSL version:  0.9.6d
Last change:  Fix crypto/asn1/a_sign.c so that 'parameters' is
omitte...
Options:  -mips4
OS (uname):   IRIX gold 6.5 10181059 IP32
OS (config):  mips3-sgi-irix
Target (default): irix-mips3-gcc
Target:   irix-mips3-gcc
Compiler: gcc version 2.8.1

please reply directly to me because I am not a mailing-list user

Marta Ferraroni


--
Marta Ferraroni
Universita' di Firenze
Via della Lastruccia,5- 50019 Sesto Fiorentino
Firenze-ITALIA
e-mail: [EMAIL PROTECTED]
tel: +39-055-457-3342
fax: +39-055-457-





Re: Getting the CERT chain

2002-07-11 Thread Lutz Jaenicke

On Thu, Jul 11, 2002 at 07:12:30AM -0700, Patrick Powell wrote:
> Question 1:
>
> Is there a simple way using exported (i.e. - available
> to general use via the openssl library and having definitions
> in openssl.h) OpenSSL functions to do the following:
>
>    During the SSL connection process, if a user CERT has
>    been presented, get the cert chain?

SSL_get_peer_cert_chain().

> Question 2:
>    Now I just KNOW that I saw this,  and everybody is going to laugh at this,
>    but:
>
>    If I have found a CERT using, say, peer = SSL_get_peer_certificate(ssl)
>    as in the example above,  and I have a list of CERTS in a file or
>    directory (i.e. - as for the CA cert, etc), how can I check to see
>    if the peer cert (in the example) is in this list or directory?
>
>    I just KNOW that I saw this in some SSL or related code, but I cannot
>    remember the exact details and searching has not found it again.

OpenSSL itself uses hashes for comparison. If the hashes are identical,
so are the certificates.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
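Lutz's hash-comparison answer to Question 2, as an added example that is not part of the thread: build a SHA-256 fingerprint index of every certificate found in a trust directory (bundle files holding several PEM blocks included) and test a peer certificate's DER bytes against it. The trust directory and the PEM blobs are constructed here; a real caller would pass the bytes returned by `sock.getpeercert(binary_form=True)`.

```python
import hashlib
import os
import re
import ssl
import tempfile

# One PEM certificate block. ssl.PEM_cert_to_DER_cert() wants exactly one
# block, so blocks are split out here to cope with multi-cert bundle files.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, formatted like `openssl x509 -fingerprint`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def load_trusted_fingerprints(trust_dir: str) -> dict:
    """Map fingerprint -> file for every certificate found under trust_dir.
    A file may hold several certificates (a CA bundle); PEM blocks that are
    not certificates, e.g. private keys, are skipped."""
    index = {}
    for name in sorted(os.listdir(trust_dir)):
        path = os.path.join(trust_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="ascii", errors="ignore") as fh:
            for block in _PEM_BLOCK.findall(fh.read()):
                index[fingerprint(ssl.PEM_cert_to_DER_cert(block))] = path
    return index

def peer_is_trusted(peer_der: bytes, index: dict) -> bool:
    """Identical hash => identical certificate, which is Lutz's point."""
    return fingerprint(peer_der) in index

def demo() -> tuple:
    """Constructed data: the 'certificates' are arbitrary bytes wrapped as PEM
    (not real X.509), which is enough to exercise indexing and lookup."""
    ca_a, ca_b, stranger = b"constructed-ca-a", b"constructed-ca-b", b"unknown"
    with tempfile.TemporaryDirectory() as trust_dir:
        with open(os.path.join(trust_dir, "bundle.pem"), "w") as fh:
            fh.write(ssl.DER_cert_to_PEM_cert(ca_a))  # one bundle, two certs
            fh.write(ssl.DER_cert_to_PEM_cert(ca_b))
        index = load_trusted_fingerprints(trust_dir)
        return len(index), peer_is_trusted(ca_b, index), peer_is_trusted(stranger, index)

if __name__ == "__main__":
    print(demo())  # (2, True, False)
```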



Getting the CERT chain

2002-07-11 Thread Patrick Powell

Question 1:

Is there a simple way using exported (i.e. - available
to general use via the openssl library and having definitions
in openssl.h) OpenSSL functions to do the following:

   During the SSL connection process, if a user CERT has
   been presented, get the cert chain?

Here is the code that I am using to check the
USER certificate.  Note that I use SSL_get_peer_certificate(ssl)
to get the peer certificate.

Is there a function such as SSL_get_issuer_certificate(ssl, peer)?
 i.e. - issuer = SSL_get_issuer_certificate( ssl, peer );

If not,  then where can I find a code template or the internal
information to write one?

/* now we check to see which server we talked to */
verify_result = SSL_get_verify_result(ssl);

if( verify_result != X509_V_OK ){
    DEBUG1("Open_SSL_connection: SSL_get_verify_result '%s'",
        X509_verify_cert_error_string(verify_result) );
    /* LPRng's SNPRINTF(buf,len) macro expands to plp_snprintf(buf, len,
       so the format string follows on the next line */
    SNPRINTF(errmsg,errlen)
        "SSL_connect failed, peer certificate not verified: '%s'",
        X509_verify_cert_error_string(verify_result) );
    status = -1;
    goto done;
} else {
    X509 *peer;
    peer = SSL_get_peer_certificate(ssl);
    if( peer ){
        if( X509_NAME_oneline( X509_get_subject_name( peer ),
                buffer, sizeof(buffer) ) ){
            DEBUG1("Open_SSL_connection: subject '%s'", buffer );
            if( info ) Set_str_value(info,SERVER,buffer);
        }
        if( X509_NAME_oneline( X509_get_issuer_name( peer ),
                buffer, sizeof(buffer) ) ){
            if( info ) Set_str_value(info,ISSUER,buffer);
            DEBUG1("Open_SSL_connection: issuer '%s'", buffer );
        }
        /* the SSL_get_peer_certificate man page indicates that
           this memory is not freed by the library, so free it here */
        X509_free(peer); peer = 0;
    }
}


Question 2:
   Now I just KNOW that I saw this,  and everybody is going to laugh at this,
   but:

   If I have found a CERT using, say, peer = SSL_get_peer_certificate(ssl)
   as in the example above,  and I have a list of CERTS in a file or
   directory (i.e. - as for the CA cert, etc), how can I check to see
   if the peer cert (in the example) is in this list or directory?

   I just KNOW that I saw this in some SSL or related code, but I cannot
   remember the exact details and searching has not found it again.


Patrick Powell                 Astart Technologies
[EMAIL PROTECTED]              6741 Convoy Court
Network and System             San Diego, CA 92111
  Consulting                   858-874-6543 FAX 858-279-8424
LPRng - Print Spooler (http://www.lprng.com)



[openssl.org #142] (no subject)

2002-07-11 Thread Lutz Jaenicke via RT


[[EMAIL PROTECTED] - Thu Jul 11 15:25:40 2002]:

> I get error messages when I tried to compile the latest version of
> openssl.
> I attach a logfile of make...

The error messages indicate that there is something odd with your gcc
setup. It seems that the assembler used cannot correctly handle the
code generated by your compiler.
Can you compile other code without problems? In this case it would be a
question of the compiler flags being used:
  -mips4 -mabi=n32 -mmips-as

I am however no expert on IRIX problems...

Best regards,
Lutz



Re: [openssl.org #141] Error while writing zero-length string

2002-07-11 Thread Bodo Moeller

Martin Sjögren:

> When you write a zero-length string with SSL_write, OpenSSL signals a
> protocol-violating EOF even though no such thing has happened. My
> guess is that a zero returned is misinterpreted somewhere though I have
> not had time to dig through the source.

SSL_write() with length 0 will return 0, and this return value is
always interpreted as protocol-violating EOF according to the
SSL_get_error() manpage (SSL_get_error() returns SSL_ERROR_ZERO_RETURN).
This is an inconsistency, but even if we change SSL_write() to
return a different value, the program will not work -- we cannot
return a positive value, and negative values would be interpreted as
errors too.


-- 
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036



Re: [openssl.org #127] AES draft cipher suites

2002-07-11 Thread Bodo Moeller

Lutz Jaenicke:

> I have already worked in the cipher selection routines yesterday with
> respect to PR#130. I will add an appropriate NOTDEFAULT selection
> keyword that will cover cipher suites not selected by default.
> As this is a new feature I intend to only add it to 0.9.7 (and later).
>
> Technically spoken we have two things:
> * ALL: all ciphers _except_ eNULL (no encryption is left out)
> * DEFAULT: ALL ciphers, then ADH is removed, then some sorting
> We would therefore have two classes of non-selected ciphers:
> * NODEFAULT: meaning effectively ADH in the moment
> * NOALL: meaning effectively eNULL in the moment
>
> Of course, this distinction is not necessarily clear unless you look
> up the realization of DEFAULT and ALL.
> Should I realize both classes? Actually it would make sense from the
> logical point of view and in the documentation I would propose to use
> something like RSA:NODEFAULT:NOALL to unselect the unwanted ciphers.
> I propose NOALL instead of NONE in order to reflect its logic
> interaction with the ALL keyword.

The NO prefix in NODEFAULT and NOALL could be misleading.
(Of course, NONE isn't any better.)

COMPLEMENT_OF_ALL and COMPLEMENT_OF_DEFAULT are clearer.  They are
also longer, but it may be worth it.


I don't particularly like the RSA:NODEFAULT:NOALL example because
the NO... or COMPLEMENT_OF_... group aliases are not really useful
for *enabling* ciphersuites (it can be done, but this is quite
pointless).  Their real purpose is *disabling* ciphersuites:
RSA:!COMPLEMENT_OF_ALL or RC4:!COMPLEMENT_OF_DEFAULT will enable
all RSA ciphersuites with the exception of the eNULL ciphersuites, and
RC4:!COMPLEMENT_OF_DEFAULT will enable all non-anonymous RC4
ciphersuites.


-- 
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036



[openssl.org #143] pod2mantest gives wrong return value

2002-07-11 Thread via RT


During make install on a Solaris 2.6 with Perl 5.005_002 pod2mantest is
called via `cd ../../util; ./pod2mantest ignore`
It complains "MultilineTest failed" and returns util/pod2man.pl

This path does not work at this place. It should be
 ../../util/pod2man.pl

The installation stops here.

I changed 
echo util/pod2man.pl
to
echo ../../util/pod2man.pl
and install went through.