Re: I've modify CA.pl
> My experience:
> to let IIS allow IE to show your testCA during connection, you should do
> something in IIS:
> - get your CA cert ready in PEM format
> - on your NT, double click the above cert file to let certmgr appear
> - install certificate
> - Place the cert into by yourself at :
> - Show physical stores, expand Trusted Root Certification Authorities,
>   select "Local Computer"
> - ok,ok,ok
> - and a reboot !!! don't forget - it cost me lots of time :(

I tested it and it works :)), I am very happy with this :)

I only want to add a field to the certificate that I create with OpenSSL. Can anyone write an example of an openssl.cnf file and explain it?

Thanks in advance.

Raul Gutierrez

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
installation problem with openSSL - please help (part 2)
We forgot to attach the httpsd.conf with our previous message. Here we go again:

Dear Fellow Netizens and OpenSSL Users,

We have been trying to migrate from mod_ssl to openSSL for our latest Apache installation, and are encountering a number of problems which we'd be grateful for helpful comments from established users:

1) When we run "[...]/apache/src/make certificate" the process does not ask for a secret pass phrase as mod_ssl used to do. Is this normal behavior?

2) We can not get the configuration to support making just specified parts of our document tree subject to secure transmission -- it's all or nothing. For example, if we have the following in the Apache configuration file [...]/apache/conf/httpsd.conf:

[...]
Port 80
Listen 80
Listen 443
SSLEnable
SSLRequireSSL
[...]

The entire htdoc tree requires SSL, not just the htdocs/manual. By this we mean that if we access a file using "http://..." the browser reports that the document contains no data, whereas if we access the same file via "https://..." the document is fully accessible. In contrast, if the file contains:

SSLDisable

then no documents require the use of SSL, and all are accessible via the "http://..." URL convention.

If someone would be willing to make some rapid iterations on this with us by email or phone (our call) we would be highly grateful.

Thanks in advance for any help...

Cheerio,
Rick Rodgers ([EMAIL PROTECTED])
Kelley Hu Kelley Hu ([EMAIL PROTECTED])
U.S. National Library of Medicine, Computer Science Branch
Bethesda, MD (301) 435-3205 [EMAIL PROTECTED]

httpsd.conf
installation problem with openSSL - please help
Dear Fellow Netizens and OpenSSL Users,

We have been trying to migrate from mod_ssl to openSSL for our latest Apache installation, and are encountering a number of problems which we'd be grateful for helpful comments from established users:

1) When we run "[...]/apache/src/make certificate" the process does not ask for a secret pass phrase as mod_ssl used to do. Is this normal behavior?

2) We can not get the configuration to support making just specified parts of our document tree subject to secure transmission -- it's all or nothing. For example, if we have the following in the Apache configuration file [...]/apache/conf/httpsd.conf:

[...]
Port 80
Listen 80
Listen 443
SSLEnable
SSLRequireSSL
[...]

The entire htdoc tree requires SSL, not just the htdocs/manual. By this we mean that if we access a file using "http://..." the browser reports that the document contains no data, whereas if we access the same file via "https://..." the document is fully accessible. In contrast, if the file contains:

SSLDisable

then no documents require the use of SSL, and all are accessible via the "http://..." URL convention.

If someone would be willing to make some rapid iterations on this with us by email or phone (our call) we would be highly grateful.

Thanks in advance for any help...

Cheerio,
Rick Rodgers ([EMAIL PROTECTED])
Kelley Hu Kelley Hu ([EMAIL PROTECTED])
U.S. National Library of Medicine, Computer Science Branch
Bethesda, MD (301) 435-3205 [EMAIL PROTECTED]
Build non MONOLITH applications
Hi

I have tried to build individual applications with the "old SSLeay" instructions

# It is worth noting that all the applications are built into the one
# program, ssleay, which is then has links from the other programs
# names to it.
# The applications can be built by themselves, just don't define the
# 'MONOLITH' flag. So to build the 'enc' program stand alone,
gcc -O2 -Iinclude apps/enc.c apps/apps.c libcrypto.a

but it doesn't work with openssl. Does anybody know how to build them now?

Thanks

Aniceto Perez ([EMAIL PROTECTED])
Re: I've modify CA.pl
One more point: "Key manager" accepts DER format when importing the openssl-signed cert.

On Fri, 11 Jun 1999, Raul Gutierrez wrote:

> Plasma:
>
> > Raul, and those who are interested,
> >
> > If you want to import a certificate in IIS, here are the instructions I used:
> >
> > 1. Generate a certificate request using Certificate Manager with IIS,
> > 2. Sign the certificate request using openssl, or CA.pl -sign,
> > 3. Do a little translation (all in one line),
> >
> > openssl x509 -in newcert.pem -outform PEM | perl -e "while (<>) { print if !/^-----.*CERTIFICATE-----$/; }" > iiscert.pem
> >
> > (Sorry, I only know Perl syntax. Maybe someone can modify it to use grep or
> > something.)
> >
> > Or you may just use an editor to keep those BASE64 codes
> > between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (those 2
> > lines will NOT be kept).
> >
> > 4. Import iiscert.pem using Certificate Manager, close Certificate Manager to
> > confirm changes, then restart the WWW service to make your newly imported
> > certificate work.
> >
> > On my NT workstation with IIS 4, it imports OK. ^_^
>
> I did it on my NT server with IIS4 and installed a certificate created by my
> Test CA. But when I connect to my IIS-SSL page, my IE5 doesn't show the
> certificate issued by my TestCA; it seems that my IIS doesn't send the Test CA
> certificate to my IE 5. What can I do so that it sends it? I did all that I
> read in IIS Help, but it doesn't work :((
>
> Any hint is welcome.
>
> Thanks in advance
> Raul Gutierrez
Re: I've modify CA.pl
My experience:
to let IIS allow IE to show your testCA during connection, you should do something in IIS:
- get your CA cert ready in PEM format
- on your NT, double click the above cert file to let certmgr appear
- install certificate
- Place the cert into by yourself at :
- Show physical stores, expand Trusted Root Certification Authorities, select "Local Computer"
- ok,ok,ok
- and a reboot !!! don't forget - it cost me lots of time :(

Besides, I know I can get a cert req in IIS and sign it with openssl, but does anyone know how to import a keyset into IIS? It asks me for a key file and a cert file. I've tried several formats but failed.

On Fri, 11 Jun 1999, Raul Gutierrez wrote:

> Plasma:
>
> > Raul, and those who are interested,
> >
> > If you want to import a certificate in IIS, here are the instructions I used:
> >
> > 1. Generate a certificate request using Certificate Manager with IIS,
> > 2. Sign the certificate request using openssl, or CA.pl -sign,
> > 3. Do a little translation (all in one line),
> >
> > openssl x509 -in newcert.pem -outform PEM | perl -e "while (<>) { print if !/^-----.*CERTIFICATE-----$/; }" > iiscert.pem
> >
> > (Sorry, I only know Perl syntax. Maybe someone can modify it to use grep or
> > something.)
> >
> > Or you may just use an editor to keep those BASE64 codes
> > between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (those 2
> > lines will NOT be kept).
> >
> > 4. Import iiscert.pem using Certificate Manager, close Certificate Manager to
> > confirm changes, then restart the WWW service to make your newly imported
> > certificate work.
> >
> > On my NT workstation with IIS 4, it imports OK. ^_^
>
> I did it on my NT server with IIS4 and installed a certificate created by my
> Test CA. But when I connect to my IIS-SSL page, my IE5 doesn't show the
> certificate issued by my TestCA; it seems that my IIS doesn't send the Test CA
> certificate to my IE 5. What can I do so that it sends it? I did all that I
> read in IIS Help, but it doesn't work :((
>
> Any hint is welcome.
>
> Thanks in advance
> Raul Gutierrez
RE: What's an rfc822Name, anyway? (was RE: How to add a new x509 extension?)
An rfc822Name is just an Internet e-mail address and is formally defined in RFC 822. In simple terms, it has the form name@domain.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Wade L. Scholine
> Sent: Friday, June 11, 1999 3:59 PM
> To: '[EMAIL PROTECTED]'
> Subject: What's an rfc822Name, anyway? (was RE: How to add a new x509
> extension?)
>
> What's the format of an rfc822Name? Is it name@fqdn, or something else?
> The X.509 doc doesn't seem to say.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, June 10, 1999 11:52 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: How to add a new x509 extension?
> >
> > For your needs, you can use the "standard" extension
> >
> > id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
> >
> > which enables to give alternative names to the subject. The names
> > can be in various forms (rfc822,directory,...) including an "other"
> > form which can be anything.
> >
> > To add the extension, the easiest way is through a "conf"
> > file. See the documentation in /doc/Openssl.txt.
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Little Stone
> > > Sent: Thursday, June 10, 1999 3:59 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: How to add a new x509 extension?
> > >
> > > Hi:
> > >
> > > I want to ask a question about how to add a new x509 extension to
> > > a certificate. For example, I want to add a "username" field to a
> > > x509 certificate. The type of the "username" is string.
> > >
> > > What I must do? How to use "X509v3_add_extension"?
> > > I need to do some change to openssl source code? Or I just need to
> > > change something in openssl.cnf file?
> > >
> > > Thanks in advance :)
> > >
> > > Wu Hui
Re: What's an rfc822Name, anyway? (was RE: How to add a new x509 extension?)
Wade L. Scholine wrote:
>
> What's the format of an rfc822Name? Is it name@fqdn, or something else?
> The X.509 doc doesn't seem to say.

This may be too obvious, but how about looking at RFC 822?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
What's an rfc822Name, anyway? (was RE: How to add a new x509 extension?)
What's the format of an rfc822Name? Is it name@fqdn, or something else?
The X.509 doc doesn't seem to say.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 10, 1999 11:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: How to add a new x509 extension?
>
> For your needs, you can use the "standard" extension
>
> id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }
>
> which enables to give alternative names to the subject. The names
> can be in various forms (rfc822,directory,...) including an "other"
> form which can be anything.
>
> To add the extension, the easiest way is through a "conf"
> file. See the documentation in /doc/Openssl.txt.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Little Stone
> > Sent: Thursday, June 10, 1999 3:59 PM
> > To: [EMAIL PROTECTED]
> > Subject: How to add a new x509 extension?
> >
> > Hi:
> >
> > I want to ask a question about how to add a new x509 extension to
> > a certificate. For example, I want to add a "username" field to a
> > x509 certificate. The type of the "username" is string.
> >
> > What I must do? How to use "X509v3_add_extension"?
> > I need to do some change to openssl source code? Or I just need to
> > change something in openssl.cnf file?
> >
> > Thanks in advance :)
> >
> > Wu Hui
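The "conf file" route suggested in this thread, which also speaks to the request earlier on the page for a commented openssl.cnf, shown as an added example that is not from any of the posters. The section name `v3_demo`, the subject name and the e-mail address are constructed; `email:` is how an OpenSSL configuration file spells an rfc822Name entry in subjectAltName.

```shell
#!/bin/sh
# Added example: put an rfc822Name (e-mail address) into subjectAltName
# through a configuration file, then read it back from the certificate.
# All names and addresses below are constructed for the demonstration.

# san_email_demo ADDRESS
# Prints the subjectAltName line of a throwaway self-signed certificate.
san_email_demo() {
    addr=$1
    dir=$(mktemp -d) || return 1

    # Minimal configuration file:
    #   [ req ]                 settings read by "openssl req"
    #   distinguished_name      section that holds the subject fields
    #   x509_extensions         section applied when -x509 makes a certificate
    #   prompt = no             take the subject from the file, ask nothing
    #   [ v3_demo ]             the extensions; "email:" means rfc822Name
    printf '%s\n' \
        '[ req ]' \
        'distinguished_name = dn' \
        'x509_extensions    = v3_demo' \
        'prompt             = no' \
        '[ dn ]' \
        'CN = Demo User' \
        '[ v3_demo ]' \
        "subjectAltName = email:$addr" > "$dir/openssl.cnf"

    openssl genrsa -out "$dir/demo.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 30 -config "$dir/openssl.cnf" \
        -key "$dir/demo.key" -out "$dir/demo.pem" 2>/dev/null ||
        { rm -rf "$dir"; return 1; }

    # The text dump prints the extension name on one line and its value on
    # the next; keep only the value, without the leading indentation.
    openssl x509 -noout -text -in "$dir/demo.pem" |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'

    rm -rf "$dir"
}

san_email_demo wu.hui@example.test
```
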
Re: I've modify CA.pl
Plasma:

> Raul, and those who are interested,
>
> If you want to import a certificate in IIS, here are the instructions I used:
>
> 1. Generate a certificate request using Certificate Manager with IIS,
> 2. Sign the certificate request using openssl, or CA.pl -sign,
> 3. Do a little translation (all in one line),
>
> openssl x509 -in newcert.pem -outform PEM | perl -e "while (<>) { print if !/^-----.*CERTIFICATE-----$/; }" > iiscert.pem
>
> (Sorry, I only know Perl syntax. Maybe someone can modify it to use grep or
> something.)
>
> Or you may just use an editor to keep those BASE64 codes
> between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (those 2
> lines will NOT be kept).
>
> 4. Import iiscert.pem using Certificate Manager, close Certificate Manager to
> confirm changes, then restart the WWW service to make your newly imported
> certificate work.
>
> On my NT workstation with IIS 4, it imports OK. ^_^

I did it on my NT server with IIS4 and installed a certificate created by my Test CA. But when I connect to my IIS-SSL page, my IE5 doesn't show the certificate issued by my TestCA; it seems that my IIS doesn't send the Test CA certificate to my IE 5. What can I do so that it sends it? I did all that I read in IIS Help, but it doesn't work :((

Any hint is welcome.

Thanks in advance
Raul Gutierrez
Re: Missing MINFO in OpenSSL-0.9.3?
Jan Tomasek wrote:
>
> Hello,
> I'm new to this list, my name is Jan Tomasek, I study at the Czech Technical
> University in Prague. I'm working on an interface to the OpenSSL libraries for
> Delphi.
>
> I tried to compile the new version 0.9.3a, but nt.mak and ntdll.mak are
> missing. I tried to create them with ./util/mk1mf.pl but this program
> needs MINFO, and this file is missing. I tried to use the MINFO file from
> the 0.9.2b version but it isn't working.
>
> I searched CHANGES, INSTALL.W32 and the openssl-user mail archive
> but I didn't find any information.
>

In INSTALL.W32, OpenSSL 0.9.3a:

> Visual C++
> ----------
>
> Firstly you should run Configure and build the Win32 Makefiles:
>
> > perl Configure VC-WIN32
> > ms\do_ms
>

If you do this it will build MINFO and the relevant Makefiles. These files are no longer in the distribution because they are now auto generated.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: rm -f openssl
On Fri, Jun 11, 1999 at 08:54:24AM +0200, Stéphane CORNOU wrote:

> I can't understand why the Makefile in apps/ does a
> rm -f openssl
> So, when I do a 'make install' after the 'make all', I have to rebuild
> openssl.
> My hp-ux takes 1 hour to build the latter.
> 'Make clean' directive seems to be the right way to remove old files !?

$(RM) $(PROGRAM) (aka rm -f openssl) happens only when make has determined that the openssl application has to be rebuilt. What does "make -n install" print after you have run a complete "make"?
Re: apache with ssl
In article <[EMAIL PROTECTED]> you wrote:
>
> my question is:
> Is openssl 0.9.2b compatible with apache 1.3.3 ?

Don't know what exactly you mean, sorry. OpenSSL is always compatible to Apache because it has nothing directly to do with Apache ;) What you perhaps mean is whether you can use Apache 1.3.3 plus some SSL solution like Apache-SSL, mod_ssl, etc. in conjunction with OpenSSL as the driving horse for SSL. Here the questions is yes, of course. But you should nevertheless use newer versions of both Apache and OpenSSL...

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Missing MINFO in OpenSSL-0.9.3?
Hello,

I'm new to this list, my name is Jan Tomasek, I study at the Czech Technical University in Prague. I'm working on an interface to the OpenSSL libraries for Delphi.

I tried to compile the new version 0.9.3a, but nt.mak and ntdll.mak are missing. I tried to create them with ./util/mk1mf.pl but this program needs MINFO, and this file is missing. I tried to use the MINFO file from the 0.9.2b version but it isn't working.

I searched CHANGES, INSTALL.W32 and the openssl-user mail archive but I didn't find any information.

Does anyone here have info about building 0.9.3 on Win32? Write to me, please.

Thanks

Jan Tomasek, student FEL-CVUT
e-mail: [EMAIL PROTECTED]
www: http://mujweb.cz/web/tomasek/
Re: I've modify CA.pl
Raul, and those who are interested,

If you want to import a certificate in IIS, here are the instructions I used:

1. Generate a certificate request using Certificate Manager with IIS,
2. Sign the certificate request using openssl, or CA.pl -sign,
3. Do a little translation (all in one line),

   openssl x509 -in newcert.pem -outform PEM | perl -e "while (<>) { print if !/^-----.*CERTIFICATE-----$/; }" > iiscert.pem

   (Sorry, I only know Perl syntax. Maybe someone can modify it to use grep or something.)

   Or you may just use an editor to keep those BASE64 codes between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (those 2 lines will NOT be kept).

4. Import iiscert.pem using Certificate Manager, close Certificate Manager to confirm changes, then restart the WWW service to make your newly imported certificate work.

On my NT workstation with IIS 4, it imports OK. ^_^

Now you can set up your directory with SSL enabled, and use https:// to test the SSL function. Since I signed my request with an experimental CA, MSIE5 complains about an untrusted CA. Netscape 4.5 will ask many questions, and works fine. I think it's OK.

ps. Who would ever think about stripping those 2 lines out to make it work? ^_^

> It is:
>
> openssl x509 | grep -v \\- > outfile
>
> Or in other words: not internal to openssl ;-)
>
> Raul Gutierrez wrote:
> >
> > Pierre:
> >
> > > IIS is very limited in its supported format of
> > > certificates: the imported certificate must be B64-encoded,
> > > without the PEM header!!! Any other format, like the useful
> > > PKCS7 one does not work.
> > >
> >
> > What is the command in openssl used to create a certificate in B64 encoding
> > without the PEM header?
> >
> > Thanks in advance.
> >
> > Raul Gutierrez
>
> --
> Holger Reif Tel.: +49 361 74707-0
> SmartRing GmbH Fax.: +49 361 7470720
> Europaplatz 5 [EMAIL PROTECTED]
> D-99091 Erfurt WWW.SmartRing.de
Re: compile problem on hpux 10.20
On Fri, Jun 11, 1999 at 12:55:05AM -0700, Little Stone wrote:

> >As noted in the current Configure, gcc 2.8.1 is broken on HPUX. That's
> >the symptom, as I recall. Are you using 2.8.1 or is there another
> >version of gcc that's broken, too?
>
> Yes I use gcc 2.8.1, but it works well when I compile ssleay0.9.0
> on the same hpux box. What should I do? Use another version of gcc?

If you have it, use the unbundled HP ANSI C compiler. OpenSSL compiles fine with it (I have it on the latest patchlevel, don't know about older patchlevels).

Ah, and I would recommend you to not use the "+O4" optimization. It might give you the best optimization, but the time required is normally unacceptable. +O3 sometimes also tends to hang in loops. My notes for OpenSSL say: use +O2.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: Client-server authentication.
Have a look at apps/s_{server,client}; that should give you a starting point.

Carles Xavier Munyoz Baldó wrote:
>
> Hello,
>
> I have an SSL client-server application in which the server
> authenticates to the client by sending its certificate in the SSL handshake,
> but the client doesn't authenticate to the server.
> For my SSL client-server application, I need both to authenticate each
> other.
>
> How can I do this?
> How can I make the server request the client certificate and validate
> it?
> I've done a lot of testing but got nothing ... :(
>
> Can anyone help me?
> ---
> CTV-JET
> Carles Xavier Munyoz Baldó / [EMAIL PROTECTED]
> http://www.ctv.es/USERS/carles
> Dpto. Sistemas / System Department
> Clave pública PGP / PGP public KEY
> http://www.ctv.es/PGP-STAFF/carles.html
> Tel: +34 96 584 52 91 - Fax: +34 96 584 48 96
> ---

--
Holger Reif Tel.: +49 361 74707-0
SmartRing GmbH Fax.: +49 361 7470720
Europaplatz 5 [EMAIL PROTECTED]
D-99091 Erfurt WWW.SmartRing.de
Re: RSA encrypt/decrypt
Have a look into the archives (which you should have done before anyway). There was a thread just one or two days ago that answered your question. In short: you can't do this! (And you would not even want to encrypt large buffers with RSA, for performance reasons.)

ŠIŠKA Július wrote:
>
> Hello,
>
> how can I simply RSA encrypt a buffer (its length may be greater than
> RSA_size())?
> If I use: RSA_public_encrypt(1, from, to, rsa, RSA_PKCS1_PADDING) with
> a key
> with modulo length small enough (e.g. 4096) I am not able to correctly decrypt
> the buffer. Can somebody help?
>
> With best regards,
> Julius Siska
> <[EMAIL PROTECTED]>

--
Holger Reif Tel.: +49 361 74707-0
SmartRing GmbH Fax.: +49 361 7470720
Europaplatz 5 [EMAIL PROTECTED]
D-99091 Erfurt WWW.SmartRing.de
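The size limit behind "you can't do this", shown with the command-line tool as an added example that is not from either poster. It assumes PKCS#1 v1.5 padding (the RSA_PKCS1_PADDING of the question), whose overhead is 11 bytes, so one RSA operation takes at most RSA_size() - 11 bytes of input; the file names and all-zero test data are constructed.

```shell
#!/bin/sh
# Added example: one RSA operation with PKCS#1 v1.5 padding accepts at most
# (modulus bytes - 11) bytes of plaintext. Larger buffers are rejected, they
# are not split into blocks. Test data is constructed (all zero bytes).

# rsa_encrypt PUBKEY INFILE OUTFILE: a single RSA public-key encryption.
rsa_encrypt() {
    openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:pkcs1 -in "$2" -out "$3" 2>/dev/null
}

# rsa_limit_demo BITS
# Prints: modulus_bytes=K max_plaintext=M at_limit=ok:<ct bytes>|failed
#         over_limit=rejected|accepted
rsa_limit_demo() {
    bits=$1
    k=$(( bits / 8 ))        # what RSA_size() returns for this key
    max=$(( k - 11 ))        # PKCS#1 v1.5 padding needs 11 bytes
    dir=$(mktemp -d) || return 1

    openssl genrsa -out "$dir/key.pem" "$bits" 2>/dev/null &&
    openssl rsa -in "$dir/key.pem" -pubout -out "$dir/pub.pem" 2>/dev/null ||
        { rm -rf "$dir"; return 1; }

    # One input exactly at the limit, one a single byte over it.
    dd if=/dev/zero of="$dir/fits.bin" bs=1 count="$max" 2>/dev/null
    dd if=/dev/zero of="$dir/toobig.bin" bs=1 count="$(( max + 1 ))" 2>/dev/null

    if rsa_encrypt "$dir/pub.pem" "$dir/fits.bin" "$dir/fits.enc"; then
        # The ciphertext is always exactly one modulus long.
        at_limit="ok:$(( $(wc -c < "$dir/fits.enc") ))"
    else
        at_limit=failed
    fi

    if rsa_encrypt "$dir/pub.pem" "$dir/toobig.bin" "$dir/toobig.enc"; then
        over_limit=accepted
    else
        over_limit=rejected
    fi

    rm -rf "$dir"
    echo "modulus_bytes=$k max_plaintext=$max at_limit=$at_limit over_limit=$over_limit"
}

rsa_limit_demo 2048
```
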
Re: Certificates and Pass Phrases.
David A. Lee wrote:
>
> For example, IIS Server and IE and Netscape clients never ask me for
> pass phrases when using certificates. Does this mean as I suspect
> that those products are not really secure ? Or have they found another
> method to protect certificates from copying without requiring pass phrases ?

You can protect client certs (at least with Netscape) with a pass phrase (this is the re-translation from German; don't know whether the names are completely correct):

Communicator->Security information->passwords

About IE I never cared ;-)

For stand-alone applications that start up automatically, like webservers, you must trust the file protection mechanism to not give out the key to the wrong person...

--
Holger Reif Tel.: +49 361 74707-0
SmartRing GmbH Fax.: +49 361 7470720
Europaplatz 5 [EMAIL PROTECTED]
D-99091 Erfurt WWW.SmartRing.de
Re: compile problem on hpux 10.20
lcs Mixmaster Remailer wrote:

>As noted in the current Configure, gcc 2.8.1 is broken on HPUX. That's
>the symptom, as I recall. Are you using 2.8.1 or is there another
>version of gcc that's broken, too?

Yes I use gcc 2.8.1, but it works well when I compile ssleay0.9.0 on the same hpux box. What should I do? Use another version of gcc?

Wu Hui
Client-server authentication.
Hello,

I have an SSL client-server application in which the server authenticates to the client by sending its certificate in the SSL handshake, but the client doesn't authenticate to the server. For my SSL client-server application, I need both to authenticate each other.

How can I do this?
How can I make the server request the client certificate and validate it?
I've done a lot of testing but got nothing ... :(

Can anyone help me?
---
CTV-JET
Carles Xavier Munyoz Baldó / [EMAIL PROTECTED]
http://www.ctv.es/USERS/carles
Dpto. Sistemas / System Department
Clave pública PGP / PGP public KEY
http://www.ctv.es/PGP-STAFF/carles.html
Tel: +34 96 584 52 91 - Fax: +34 96 584 48 96
---
Re: Inmortal certificate.
Carles Xavier Munyoz Baldó wrote:
>
> Hello,
>
> With this command I make a CSR (Certificate Signing Request) valid only
> for 365 days:
> openssl req -new -days 365 -key server.key -out server.csr

Haven't you forgotten the option -x509? This forces the req utility to issue a (self-signed x509) certificate instead of a CSR (that a CA would sign). A CSR itself has no time information in it. Try generating one with

openssl req -new

and then have a look at the actual request with

openssl req -noout -text

> How could I make a CSR for a certificate that never expires ?

You can't make a non-expiring cert. But you can make it valid long enough (e.g. until 2020) although I don't know what the reason for this should be.

> Greetings.
> ---
> CTV-JET
> Carles Xavier Munyoz Baldó / [EMAIL PROTECTED]
> http://www.ctv.es/USERS/carles
> Dpto. Sistemas / System Department
> Clave pública PGP / PGP public KEY
> http://www.ctv.es/PGP-STAFF/carles.html
> Tel: +34 96 584 52 91 - Fax: +34 96 584 48 96
> ---

--
Holger Reif Tel.: +49 361 74707-0
SmartRing GmbH Fax.: +49 361 7470720
Europaplatz 5 [EMAIL PROTECTED]
D-99091 Erfurt WWW.SmartRing.de
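The check suggested in this reply, carried through as an added example that is not from either poster: the same key and subject are written once as a CSR and once as a self-signed certificate, and only the certificate carries a validity period. The subject name, file names and the helper functions are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: "openssl req -new" writes a CSR, which has no validity
# field, while "openssl req -new -x509 -days N" writes a self-signed
# certificate that expires after N days. Names below are constructed.

# Reads a text dump on stdin; prints "yes" if it has a validity period.
has_validity() {
    if grep -q 'Not After'; then echo yes; else echo no; fi
}

# csr_vs_cert DAYS
# Prints: csr_validity=<yes|no> cert_validity=<yes|no> lifetime_ok=<yes|no>
csr_vs_cert() {
    days=$1
    dir=$(mktemp -d) || return 1

    # Minimal config so that req runs without prompting for the subject.
    printf '%s\n' \
        '[ req ]' \
        'distinguished_name = dn' \
        'prompt             = no' \
        '[ dn ]' \
        'CN = demo.example.test' > "$dir/req.cnf"

    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
    # Without -x509 the -days value has nowhere to go and is not used.
    openssl req -new -days "$days" -config "$dir/req.cnf" \
        -key "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    openssl req -new -x509 -days "$days" -config "$dir/req.cnf" \
        -key "$dir/server.key" -out "$dir/server.crt" 2>/dev/null ||
        { rm -rf "$dir"; return 1; }

    csr=$(openssl req -noout -text -in "$dir/server.csr" | has_validity)
    crt=$(openssl x509 -noout -text -in "$dir/server.crt" | has_validity)

    # -checkend S exits 0 if the certificate is still valid S seconds from
    # now. Valid at DAYS-1 but expired at DAYS+1 means the lifetime is DAYS.
    lo=$(( (days - 1) * 86400 ))
    hi=$(( (days + 1) * 86400 ))
    if openssl x509 -noout -checkend "$lo" -in "$dir/server.crt" >/dev/null &&
       ! openssl x509 -noout -checkend "$hi" -in "$dir/server.crt" >/dev/null
    then
        life=yes
    else
        life=no
    fi

    rm -rf "$dir"
    echo "csr_validity=$csr cert_validity=$crt lifetime_ok=$life"
}

csr_vs_cert 365
```
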