[openssl.org #249] 'openssl verify' broken

2002-10-06 Thread Richard Levitte via RT


I saw Stephen's reply on this (it didn't get into RT *#$%^#), but 
nothing more.  Has this been resolved or is it still an issue?  If 
the issue has been resolved, this ticket should be marked resolved.

[[EMAIL PROTECTED] - Mon Aug 26 10:30:51 2002]:

 OpenSSL self-test report:
 
 OpenSSL version:  0.9.6g
 Last change:  [In 0.9.6g-engine release:]...
 Options:  no-idea --prefix=/usr/local
 --openssldir=/usr/local/ssl
 no-threads shared
 OS (uname):   Linux binky 2.4.19 #1 Fri Aug 9 10:17:44 CEST 2002 i586 unknown
 OS (config):  i586-whatever-linux2
 Target (default): linux-elf
 Target:   linux-elf
 Compiler: gcc version 2.95.3 20010315 (release)
 
 
 Hi all,
 
 openssl x509 -purpose -in /etc/certs/foo.pem says:
 
 Certificate purposes:
 SSL client : No
 SSL client CA : No
 SSL server : Yes
 SSL server CA : No
 Netscape SSL server : Yes
 Netscape SSL server CA : No
 S/MIME signing : No
 S/MIME signing CA : No
 S/MIME encryption : No
 S/MIME encryption CA : No
 CRL signing : Yes
 CRL signing CA : No
 Any Purpose : Yes
 Any Purpose CA : Yes
 
 
 But
 openssl verify -verbose -CAfile /etc/certs/ca.pem /etc/certs/foo.pem
 says:
 'error 20 at 0 depth lookup:unable to get local issuer certificate'
 
 Regards
 Olaf
 


-- 
Richard Levitte
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: [openssl.org #248] bad serial number length

2002-10-06 Thread Richard Levitte - VMS Whacker

In message [EMAIL PROTECTED] on Mon, 2 Sep 2002 15:01:28 +0200, Dr. 
Stephen Henson [EMAIL PROTECTED] said:

steve That is the problem. You should not create 00 in the serial
steve file because the serial number 00 is used by default for the
steve root CA. You should instead use 01. This is mentioned in the
steve EXAMPLES section of the ca manual page and CA.pl does this. 
steve 
steve OpenSSL shouldn't corrupt index.txt though even if serial is 00.

A way to solve this is to have load_serial() in ca.c check if the
loaded serial number is 0, and set it to 1 in such a case.  What would
the implications be?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.



Re: cvs commit: openssl/crypto/des des_old.h

2002-10-06 Thread Ben Laurie

[EMAIL PROTECTED] wrote:
 levitte 06-Oct-2002 02:23:34
 
   Modified:crypto/des Tag: OpenSSL_0_9_7-stable des_old.h
   Log:
   Do not define crypt().  The supported function is DES_crypt() (and des_crypt()
   when backward compatibility is desired).

Hooray!

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff




[openssl.org #283] Documentation for d2i_RSAPrivateKey etc (1/1)

2002-10-06 Thread Stephen Henson via RT


I've written some docs for the d2i/i2d functions which I've just
committed, this covers
d2i_RSAPrivateKey and friends too.




[openssl.org #249] 'openssl verify' broken

2002-10-06 Thread via RT


[levitte - Sun Oct  6 11:07:19 2002]:

 I saw Stephen's reply on this (it didn't get into RT *#$%^#), but
 nothing more.  Has this been resolved or is it still an issue?  If
 the issue has been resolved, this ticket should be marked resolved.




[openssl.org #249] 'openssl verify' broken

2002-10-06 Thread Richard Levitte via RT


OK, I just haven't seen further communication on this, so I've no 
idea what conclusions you came to.  It's very possible that the CA 
certificate didn't match the issuer of the certificate you wanted to 
verify.  Do you have the possibility to send me the certificates you 
were using in your test?

[guest - Sun Oct  6 17:36:47 2002]:

 [levitte - Sun Oct  6 11:07:19 2002]:
 
  I saw Stephen's reply on this (it didn't get into RT *#$%^#), but
  nothing more.  Has this been resolved or is it still an issue?  If
  the issue has been resolved, this ticket should be marked resolved.
 
 yes, I still get this error.


-- 
Richard Levitte



SSL on Vxworks

2002-10-06 Thread srivani thai

Hi All,

I have ported SSL 0.9.6 onto Vxworks. I could successfully test all the 
symmetric algorithms. But while testing RSA and DSA, I am not able to generate prime 
numbers successfully and the trace always points here,

4e4f65   _rsa_test1 +169: _RSA_public_encrypt (8, 4e57cc, 3f61f18, 3ffd4f8, 1)
57c225   _RSA_public_encrypt+21 : 579cce (8, 4e57cc, 3f61f18, 3ffd4f8, 1)
579d77   _RSA_PKCS1_SSLeay+2bf: _BN_MONT_CTX_set (3ffd034, 3ffd6a4, 3ffd11c)
51ebce   _BN_MONT_CTX_set+de : _BN_mod_inverse (3f61d30, 3ffd038, 3f61d18, 3ffd11c)
51c93c   _BN_mod_inverse+1b4: _BN_div (3ffd15c, 3ffd170, 3ffd120, 3ffd134, 3ffd11c)
51981c   _BN_div+58 : _BN_ucmp (3ffd120, 3ffd134)
value = 0 = 0x0

Any pointers will be greatly welcome.

Thanks in advance,
sri vani 








Re: [openssl.org #249] 'openssl verify' broken

2002-10-06 Thread Olaf Zaplinski via RT


Richard Levitte via RT wrote:
 OK, I just haven't seen further communication on this, so I've no 
 idea what conclusions you came to.  It's very possible that the CA 
 certificate didn't match the issuer of the certificate you wanted to 
 verify.  Do you have the possibility to send me the certificates you 
 were using in your test?

here are the 'openssl x509' dumps, I hope that helps.


 ca.pem 

Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 0 (0x0)
 Signature Algorithm: md5WithRSAEncryption
 Issuer: C=DE, ST=Hamburg, L=Hamburg, O=zaplinski.de, CN=zaplinski.de root [EMAIL PROTECTED]
 Validity
 Not Before: Aug 25 21:56:07 2002 GMT
 Not After : Aug 22 21:56:07 2012 GMT
 Subject: C=DE, ST=Hamburg, O=zaplinski.de, CN=zaplinski.de root [EMAIL PROTECTED]
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (2048 bit)
 Modulus (2048 bit):
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Subject Key Identifier:
 7F:F1:51:FB:14:2F:C6:33:5F:5B:9D:EF:10:E0:7C:28:0A:A4:A3:5D
 X509v3 Authority Key Identifier:
 keyid:7F:F1:51:FB:14:2F:C6:33:5F:5B:9D:EF:10:E0:7C:28:0A:A4:A3:5D
 DirName:/C=DE/ST=Hamburg/L=Hamburg/O=zaplinski.de/CN=zaplinski.de root [EMAIL PROTECTED]
 serial:00

 X509v3 Basic Constraints: critical
 CA:TRUE
 Netscape Cert Type:
 SSL CA, S/MIME CA
 X509v3 Subject Alternative Name:
 email:[EMAIL PROTECTED]
 X509v3 Issuer Alternative Name:
 email:[EMAIL PROTECTED]
 Signature Algorithm: md5WithRSAEncryption

 mail.zaplinski.de.pem 

Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 1 (0x1)
 Signature Algorithm: md5WithRSAEncryption
 Issuer: C=DE, ST=Hamburg, L=Hamburg, O=zaplinski.de, CN=zaplinski.de root [EMAIL PROTECTED]
 Validity
 Not Before: Aug 25 22:52:15 2002 GMT
 Not After : Aug 22 22:52:15 2012 GMT
 Subject: C=DE, ST=Hamburg, O=zaplinski.de, [EMAIL PROTECTED]
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (1024 bit)
 Modulus (1024 bit):

[openssl.org #249] 'openssl verify' broken

2002-10-06 Thread Richard Levitte via RT


[[EMAIL PROTECTED] - Sun Oct  6 21:38:18 2002]:

 Richard Levitte via RT wrote:
  OK, I just haven't seen further communication on this, so I've no
  idea what conclusions you came to.  It's very possible that the CA
  certificate didn't match the issuer of the certificate you wanted to
  verify.  Do you have the possibility to send me the certificates you
  were using in your test?
 
 here are the 'openssl x509' dumps, I hope that helps.

Yup.  So let me see if I got this right, you're trying to verify 
mail.zaplinski.de.pem using ca.pem, right?  And both of those files 
only contain one certificate, right (openssl x509 will only dump the 
first certificate found in a .pem file, IIRC)?  In that case, the 
certificate in ca.pem is insufficient for verification, because it 
in turn depends on another CA certificate.  Observe the subject and 
the issuer that you show us:

  ca.pem 
[...]
  Issuer: C=DE, ST=Hamburg, L=Hamburg, O=zaplinski.de, CN=zaplinski.de root [EMAIL PROTECTED]
  Subject: C=DE, ST=Hamburg, O=zaplinski.de, CN=zaplinski.de root [EMAIL PROTECTED]

The issuer has the RDN L=Hamburg, the subject doesn't.  The issuer 
therefore must have another certificate.  So, the chain that can be 
built is mail.zaplinski.de.pem - ca.pem - ???, where '???' is an 
unknown, and as far as I understand, unavailable certificate.  
Therefore, 'openssl verify' is absolutely correct in saying 'unable 
to get local issuer certificate'.

Unless you have other facts contradicting my guesses, I'm going to 
consider this case closed and the ticket resolved.

-- 
Richard Levitte
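The issuer-lookup step that the thread above turns on, written out as an added example (not code from the thread or from OpenSSL): a candidate CA only counts as the issuer of a certificate when its Subject DN equals the certificate's Issuer DN, RDN for RDN, and `openssl verify` reports error 20 at the depth where that lookup first fails. The DNs are the ones printed in the dumps (the archive's `[EMAIL PROTECTED]` redaction is kept as a literal token); `parse_dn`, `rdn_diff` and `build_chain` are names chosen for this example.

```python
# Added example: mirror the issuer lookup behind
# "error 20 ... unable to get local issuer certificate" using DN strings
# as printed by 'openssl x509 -text'.  Not OpenSSL's own code.

def parse_dn(dn):
    """Split "C=DE, ST=Hamburg, ..." into an ordered list of (type, value)
    RDNs.  The dumps in the thread have no ', ' inside a value, so a plain
    split is enough; a part without '=' is skipped."""
    return [tuple(p.split("=", 1)) for p in dn.split(", ") if "=" in p]

def rdn_diff(issuer, subject):
    """RDNs present in one DN but not the other; [] means the DNs match.
    Order matters too, since X.509 names are compared by their encoding."""
    a, b = parse_dn(issuer), parse_dn(subject)
    if a == b:
        return []
    return ([f"only in Issuer: {t}={v}" for t, v in a if (t, v) not in b]
            + [f"only in Subject: {t}={v}" for t, v in b if (t, v) not in a])

def build_chain(leaf, candidates):
    """Walk upward from the leaf through 'candidates' (dicts with 'name',
    'subject', 'issuer').  Returns (chain_names, error): error is None once
    a self-signed certificate is reached, otherwise an OpenSSL-style message
    with the depth at which no issuer matched and the RDNs that differed."""
    chain, cur, depth = [leaf["name"]], leaf, 0
    while True:
        if cur["subject"] == cur["issuer"]:
            return chain, None          # reached a self-signed (root) cert
        found = next((c for c in candidates
                      if not rdn_diff(cur["issuer"], c["subject"])), None)
        if found is None:
            nearest = min(candidates, default=None,
                          key=lambda c: len(rdn_diff(cur["issuer"], c["subject"])))
            detail = ("; ".join(rdn_diff(cur["issuer"], nearest["subject"]))
                      if nearest else "no candidates")
            return chain, (f"error 20 at {depth} depth lookup:"
                           f"unable to get local issuer certificate ({detail})")
        chain.append(found["name"])
        cur, depth = found, depth + 1

# Constructed from the DNs shown in the thread's dumps.
ROOT_DN = "C=DE, ST=Hamburg, L=Hamburg, O=zaplinski.de, CN=zaplinski.de root [EMAIL PROTECTED]"
CA_SUBJECT = "C=DE, ST=Hamburg, O=zaplinski.de, CN=zaplinski.de root [EMAIL PROTECTED]"
LEAF = {"name": "mail.zaplinski.de.pem", "issuer": ROOT_DN,
        "subject": "C=DE, ST=Hamburg, O=zaplinski.de, [EMAIL PROTECTED]"}
CA = {"name": "ca.pem", "subject": CA_SUBJECT, "issuer": ROOT_DN}

if __name__ == "__main__":
    print(build_chain(LEAF, [CA]))
```

On the thread's dumps the lookup already fails at depth 0, because no supplied Subject carries the L=Hamburg RDN that the Issuer does; a CA file whose Subject equals that Issuer DN completes the chain.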