Not recognizing client certificates

1999-03-11 Thread Frank Kim

Hi,

We have developed our own web server and recently upgraded to SSL 3.0 using
SSLeay 0.8.1.  We have noticed that when we try to do an HTTP GET using
client certificates we created that our verify_callback routine for checking
the certificates is never called.  

We set the callback this way:

SSL_CTX_set_verify(sslctx, SSL_VERIFY_PEER |
   SSL_VERIFY_CLIENT_ONCE,
   ns_verify_callback);

I have been unable to figure out where in the SSLeay code the callback is
called and under what conditions it's called.

Later on we try to get the certificate information but this also fails
because the peer member of the SSL session structure is not set.

void ns_snag_cert_info(SSL *ssl, char *client_host)
{
    SSL_SESSION *sess = ssl->session;

    if (sess->peer != NULL)
    {

Again I have been unable to determine where in the SSLeay code the peer
member is set and under what conditions.  Your help would be most
appreciated.

Finally we found that our web server was recognizing HTTP GET calls with
client certificates created with an older version of SSLeay that implemented
SSL 2.0.  Unfortunately the client certificates were rejected.  Your help in
understanding this would also be most appreciated.

Thanks in advance,

Frank Kim
NetCentric Corporation
28 Crosby Drive, Bedford, MA 01730
(781)685-5288
[EMAIL PROTECTED] http://cag-www.lcs.mit.edu/~frankkim


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Server cert or site cert ?

1999-03-11 Thread Juergen Rensen

Yes, I forgot. But then you would have to type that (URL+port) into your browser, 
right?

Juergen

-Original Message-
From: Goetz Babin-Ebell [SMTP:[EMAIL PROTECTED]]
Sent: Friday, March 12, 1999 4:58 AM
To: [EMAIL PROTECTED]
Subject: RE: Server cert or site cert ?


 
could he use different ports ?

https://www.company_a.com:1443/secure_page.html
https://www.company_b.com:2443/secure_page.html

would be the easiest solution...

By

Goetz

-- 
Goetz Babin-Ebell  mailto:[EMAIL PROTECTED]
TC Trust Center for Security   http://www.trustcenter.de
in Data Networks GmbH  Tel.: +49-40-766 29 3301
Am Werder 1 / 21073 Hamburg / Germany  Fax.: +49-40-766 29 577



Re: ATTENTION: Please wake up for 0.9.2...

1999-03-11 Thread Paul Crowley

"Ralf S. Engelschall" <[EMAIL PROTECTED]> writes:
>  $ rsync -rv rsync://dev.openssl.org/openssl-cvs/openssl/ openssl/

dev.openssl.org: Connection refused
unexpected EOF in read_timeout

$ lynx ftp://ftp.openssl.org/snapshot/

lynx: Can't access startfile ftp://ftp.openssl.org/snapshot/

...are these problems at my end or yours?

cheers,
-- 
  __
\/ o\ [EMAIL PROTECTED]  http://www.hedonism.demon.co.uk/paul/ \ /
/\__/ Paul CrowleyUpgrade your legacy NT machines to Linux /~\



Binary format of Netscape Certificate Server generated CRL

1999-03-11 Thread schuetz

Sorry for this off-topic post, but

I need to use a crl produced in Netscape Certificate Server.  One of the
options in the "Review Certificate Revocation List" panel is to download
the crl in binary format.  How does one use/read this binary formatted crl?

thanks for your help!  (And thanks to those who have helped me with
previous questions!)

John Schuetz





Re: test_bn failure

1999-03-11 Thread H. Jean Oh


Sorry, never mind. I gave up sparc20 and switched to ultra-sparc and
reinstalled everything there. It works fine now. 

On Thu, 11 Mar 1999, H. Jean Oh wrote:

> 
> Hi, there, 
> 
> I installed ssleay on my sun sparc 20(solaris 2.5xx) and ran 'make
> test'. First, test_bn failed. I commented out test_bn and continued the
> testing and now test_dh is printing dots forever. Can anybody help me?
> 
> ---
> Jean 
> [EMAIL PROTECTED]
> 

Jean 




IIS/Apache

1999-03-11 Thread Dan . O'Donnell



Greetings,
Encountering references to openssl on NT I'm wondering if Apache or IIS is
referred to - or both.  Better stated - is it possible to use openssl with
IIS?
Thanks,
Dan O'D





test_bn failure

1999-03-11 Thread H. Jean Oh


Hi, there, 

I installed ssleay on my sun sparc 20(solaris 2.5xx) and ran 'make
test'. First, test_bn failed. I commented out test_bn and continued the
testing and now test_dh is printing dots forever. Can anybody help me?

---
Jean 
[EMAIL PROTECTED]




RE: HELP! s_client

1999-03-11 Thread Dean Kimball

I believe the certificate does not match your post location. (i.e. in a
browser when you go to https://www.netplaza.com the browser complains that
the certificate does not match the DNS of the machine and asks if you want
to continue.) The cert is for netplaza.com. The certs are generally for
specific machines, not entire domains.

I think the same thing is happening on your command line binary, but it does
not allow you to continue as it cannot verify authenticity based on DNS. I
do not know if there is a flag to disable and allow pass through, I would
think so.

Hope this helps.

-Dean

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of H. Jean Oh
> Sent: Wednesday, March 10, 1999 6:41 PM
> To: [EMAIL PROTECTED]
> Subject: HELP! s_client
>
>
>
> Greetings,
>
> I'm trying to use SSL to access secure web sites(https) and what I am
> trying to do is not much more than what s_client is supposed to do  --
> sends "GET / HTTP/1.0\n\n" request and receives the HTML page. I
> installed Eric Young's SSLeay and tried to use s_client in the demo
> package. Instead of HTML page, I got the following error. Could anyone
> tell me what I am missing? A big thanks in advance!
>
> echo "GET /" | s_client -connect www.netplaza.com:443
> CONNECTED(0004)
> depth=0 /C=US/ST=New Hampshire/L=Hampton/O=Receptive Marketing
> Inc./CN=netplaza.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=New Hampshire/L=Hampton/O=Receptive Marketing
> Inc./CN=netplaza.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> 4080:error:140790E3:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:224:
>
> -
> Jean
> [EMAIL PROTECTED]
>
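
Added example, not part of the original messages: a small Python triage of the s_client output quoted above that keeps two checks apart, the chain-verification errors s_client printed and the comparison between the certificate's CN and the host that was connected to. The function names are hypothetical, the sample text is the quoted output with mail line-wrapping undone, and comparing against CN only (rather than subjectAltName, as current clients do) is an assumption that matches what this output shows.

```python
import re

# Constructed from the s_client output quoted above, with the mail
# client's line wrapping undone so each record sits on one line.
S_CLIENT_OUTPUT = """\
CONNECTED(0004)
depth=0 /C=US/ST=New Hampshire/L=Hampton/O=Receptive Marketing Inc./CN=netplaza.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=New Hampshire/L=Hampton/O=Receptive Marketing Inc./CN=netplaza.com
verify error:num=21:unable to verify the first certificate
verify return:1
"""

DEPTH_RE = re.compile(r"^depth=(\d+) (/.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")

def parse_verify_output(text):
    """Return (leaf_cn, errors); errors is a list of (depth, num, reason)."""
    leaf_cn, errors, depth = None, [], None
    for line in text.splitlines():
        m = DEPTH_RE.match(line)
        if m:
            depth = int(m.group(1))
            if depth == 0:
                # One-line DN as printed by s_client: /C=../O=../CN=name
                cn = re.search(r"/CN=([^/]+)", m.group(2))
                leaf_cn = cn.group(1) if cn else None
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append((depth, int(m.group(1)), m.group(2)))
    return leaf_cn, errors

def name_matches(cert_name, host):
    """Case-insensitive exact match; '*.' covers exactly one left-most label.
    Assumption: CN-only comparison, no subjectAltName handling."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == cert_name[2:]
    return cert_name == host

def triage(text, connect_host):
    """Report the name check and the chain errors as separate findings."""
    cn, errors = parse_verify_output(text)
    return {"cn": cn,
            "name_ok": cn is not None and name_matches(cn, connect_host),
            "chain_errors": [num for _, num, _ in errors]}
```

Calling `triage(S_CLIENT_OUTPUT, "www.netplaza.com")` reports the CN/host comparison and the verify error numbers as independent results, so either can be followed up on its own.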




Re: Server cert or site cert ?

1999-03-11 Thread S.T. Wong

Thanks a lot.

ST

> In your case it is likely that the two companies share the same certificate 
> (of 'theHost'). You can configure apache for having virtual hosts on the 
> same real machine for both companies though, ie
> 
> https://www.company_a.com/secure_page.html
> https://www.company_b.com/secure_page.html
> 
> Both sites could be hosted on machine 'theHost.com'. A drawback is, that if 
> you want to use virtual hosts for secure connections, then you would need 
> separate IP addresses for these. You can configure 'theHost' to respond to 
> multiple IP addresses, and then you have different secure Web sites that 
> can use different certificates.
> 
> Juergen
> 
> 
> -Original Message-
> From: S.T. Wong [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, March 12, 1999 1:51 AM
> To:   [EMAIL PROTECTED]
> Subject:  Server cert or site cert ?
> 
> Hi there,
> 
> I'd like to know on a secure server (e.g. running Apache) which provides web
> hosting service, how can one distinguish between different companies from the
> certificate ?  e.g.
> 
> Company A's URL: https://www.theHost.com/company_a/secure_page.html
> Company B's URL: https://www.theHost.com/company_b/secure_page.html
> 
> Will they use the same server certificate (of the hosting server) or
> they'll have their own certificate ?  Does my browser know which certificate
> (the web host's server cert, or the company's own cert) to use if it's the
> latter case ?
> 
> Sorry that it's a bit off-topic.  I'm new to X.509 and can't find the answer
> from the books on hand.  Would anyone please help?
> 
> Thanks a lot.
> 
> Regards,
> ST Wong
> 
> --
> S.T. Wong   | Email: [EMAIL PROTECTED]



Re: Fresh meat -- Java SSL using OpenSSL (SSLeay)

1999-03-11 Thread Francois Orsini

Sorry if I'm not actually answering your problem but I
think OpenSSL should maybe start to think about having
some Java Interface/integration within the OpenSSL project.
Java popularity is growing more than what non-Java developers
tend to think (i.e. Servlet technology is great) ...
JNI is not really portable but Java is for sure.

Doesn't that sound like a reasonable/plausible suggestion ?

Cheerios,

--francois

-Original Message-
From: Buchs Christian <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, March 11, 1999 6:11 AM
Subject: RE: Fresh meat -- Java SSL using OpenSSL (SSLeay)


>
>>  > Do you support (or plan to support) also SSLeay-0.9.0b or OpenSSL ?
>>
>>
>> It builds and works fine with SSLeay-0.9.0b and openssl-0.9.1c without
>> changes. (just tested)
>
>Not under NT unfortunately...
>In itissl.h, you include ssl_locl.h which doesn't come out in the inc32
>directory when you build openssl for NT. Does anybody have a hint how I
>could change things to make the whole thing work? (not including ssl_locl.h
>doesn't help...)
>
>Ch. Buchs




Re: MINGW32

1999-03-11 Thread Ulf Möller

> Please help (or simply be more specific),

www.openssl.org has a link to the openssl-users archive at
www.mail-archive.com. Enter the word "mingw32" in the search
form of that archive, and click the "search" button.

Specific enough? ;)
