Re: I've modify CA.pl

1999-06-11 Thread Raul Gutierrez

SSL:

> My experience :
> to let iis allow ie show your testCA during connection, you should do
> something in iis :
> - get your CA cert ready in pem format
> - in your NT, double click the above cert file to let certmgr appear
> - install certificate
> - Place the cert into by yourself at :
> - Show physical stores, expand Trusted Root Certification Authorities,
>   select "Local Computer"
> - ok,ok,ok
> - and a reboot !!! don't forget - that cost me lots of time :(
>

I tested it and it works :)), I am very happy with this :)

Only I want to add a field in the certificate that I create with OpenSSL.
Can anyone write an example of an openssl.cnf file and explain it?

Thanks in advance.
Raul Gutierrez




__
OpenSSL Project http://www.openssl.org
User Support Mailing List    [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



installation problem with openSSL - please help (part 2)

1999-06-11 Thread Kelley Hu

We forgot to attach the httpsd.conf with our previous message.  Here we go
again:


Dear Fellow Netizens and OpenSSL Users,

We have been trying to migrate from mod_ssl to openSSL for our latest Apache
installation, and are encountering a number of problems which we'd be grateful
for helpful comments from established users:

1) When we run "[...]/apache/src/make certificate" the process does not ask
   for a secret pass phrase as mod_ssl used to do.  Is this normal behavior?

2) We can not get the configuration to support making just specified parts of
   our document tree subject to secure transmission -- it's all or nothing.
 
   For example, if we have the following in the Apache configuration file
   [...]/apache/conf/httpsd.conf:

  [...]
  Port 80
  Listen 80
  Listen 443

  SSLEnable

  
  SSLRequireSSL
  
  [...]

   The entire htdoc tree requires SSL, not just the htdocs/manual.
   By this we mean that if we access a file using "http://..." the browser
   reports that the document contains no data, whereas if we access the
   same file via "https://..." the document is fully accessible.

   In contrast, if the file contains:

  SSLDisable

   then no documents require the use of SSL, and all are accessible via the
   "http://..." URL convention.

If someone would be willing to make some rapid iterations on this with us by
email or phone (our call) we would be highly grateful.

Thanks in advance for any help...

Cheerio, 
   Rick Rodgers ([EMAIL PROTECTED])
   Kelley Hu ([EMAIL PROTECTED])

 U.S. National Library of Medicine, Computer Science Branch
 Bethesda, MD
 (301) 435-3205  [EMAIL PROTECTED]
 httpsd.conf


installation problem with openSSL - please help

1999-06-11 Thread Kelley Hu

Dear Fellow Netizens and OpenSSL Users,

We have been trying to migrate from mod_ssl to openSSL for our latest Apache
installation, and are encountering a number of problems which we'd be grateful
for helpful comments from established users:

1) When we run "[...]/apache/src/make certificate" the process does not ask
   for a secret pass phrase as mod_ssl used to do.  Is this normal behavior?

2) We can not get the configuration to support making just specified parts of
   our document tree subject to secure transmission -- it's all or nothing.
 
   For example, if we have the following in the Apache configuration file
   [...]/apache/conf/httpsd.conf:

  [...]
  Port 80
  Listen 80
  Listen 443

  SSLEnable

  
  SSLRequireSSL
  
  [...]

   The entire htdoc tree requires SSL, not just the htdocs/manual.
   By this we mean that if we access a file using "http://..." the browser
   reports that the document contains no data, whereas if we access the
   same file via "https://..." the document is fully accessible.

   In contrast, if the file contains:

  SSLDisable

   then no documents require the use of SSL, and all are accessible via the
   "http://..." URL convention.

If someone would be willing to make some rapid iterations on this with us by
email or phone (our call) we would be highly grateful.

Thanks in advance for any help...

Cheerio, 
   Rick Rodgers ([EMAIL PROTECTED])
   Kelley Hu ([EMAIL PROTECTED])

 U.S. National Library of Medicine, Computer Science Branch
 Bethesda, MD
 (301) 435-3205  [EMAIL PROTECTED]



Build non MONOLITH applications

1999-06-11 Thread Aniceto Perez



Hi
I have tried to build individual applications with the "old SSLeay"
instructions

# It is worth noting that all the applications are built into the one
# program, ssleay, which is then has links from the other programs
# names to it.
# The applications can be built by themselves, just don't define the
# 'MONOLITH' flag.  So to build the 'enc' program stand alone,
gcc -O2 -Iinclude apps/enc.c apps/apps.c libcrypto.a

but it doesn't work with openssl. Does anybody know how to build them now?
 
Thanks
 
Aniceto Perez ([EMAIL PROTECTED])




Re: I've modify CA.pl

1999-06-11 Thread ssl

One more point :
"Key manager" accepts DER format when importing the openssl-signed cert.

On Fri, 11 Jun 1999, Raul Gutierrez wrote:

> Plasma:
> 
> > Raul, and those who are interested,
> >
> > If you want to import a certificate in IIS, here are the instructions I used:
> >
> > 1. Generate certificate request using Certificate Manager with IIS,
> > 2. Sign the certificate request using openssl, or CA.pl -sign,
> > 3. Do a little translation (all in one line),
> >
> > openssl x509 -in newcert.pem -outform PEM | perl -e "while (<>) { print if !/^-----.*CERTIFICATE-----$/; }" > iiscert.pem
> >
> > (Sorry, I only know Perl syntax.  Maybe someone can modify it to use grep or
> > something.)
> >
> >   Or you may just use an editor to keep those BASE64 codes
> > between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (those 2
> > lines are NOT kept).
> >
> > 4. Import iiscert.pem using Certificate Manager, close Certificate Manager to
> > confirm changes, then restart WWW service to make your newly imported
> > certificate work.
> >
> > On my NT workstation with IIS 4, it imports ok. ^_^
> 
> I did it on my NT server with IIS4 and installed a certificate created by my
> Test CA. But when I connect to my IIS-SSL page, my IE5 doesn't show the
> certificate issued by my TestCA; it seems that my IIS doesn't send the Test CA
> certificate to my IE 5. What can I do so that it sends it? I did all that I
> read in IIS Help, but it doesn't work :((
> 
> Any hint is welcome.
> 
> Thanks in advance
> Raul Gutierrez



Re: I've modify CA.pl

1999-06-11 Thread ssl

My experience :
to let iis allow ie show your testCA during connection, you should do 
something in iis :
- get your CA cert ready in pem format
- in your NT, double click the above cert file to let certmgr appear
- install certificate
- Place the cert into by yourself at :
- Show physical stores, expand Trusted Root Certification Authorities,
  select "Local Computer"
- ok,ok,ok
- and a reboot !!! don't forget - that cost me lots of time :(


Besides, I know I can get a cert req in iis and sign it by openssl,
but does anyone know how to import a keyset into iis ?
It asks me for a key file and a cert file. I've tried several formats
but failed.


On Fri, 11 Jun 1999, Raul Gutierrez wrote:

> Plasma:
> 
> > Raul, and those who are interested,
> >
> > If you want to import a certificate in IIS, here are the instructions I used:
> >
> > 1. Generate certificate request using Certificate Manager with IIS,
> > 2. Sign the certificate request using openssl, or CA.pl -sign,
> > 3. Do a little translation (all in one line),
> >
> > openssl x509 -in newcert.pem -outform PEM | perl -e "while (<>) { print if !/^-----.*CERTIFICATE-----$/; }" > iiscert.pem
> >
> > (Sorry, I only know Perl syntax.  Maybe someone can modify it to use grep or
> > something.)
> >
> >   Or you may just use an editor to keep those BASE64 codes
> > between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (those 2
> > lines are NOT kept).
> >
> > 4. Import iiscert.pem using Certificate Manager, close Certificate Manager to
> > confirm changes, then restart WWW service to make your newly imported
> > certificate work.
> >
> > On my NT workstation with IIS 4, it imports ok. ^_^
> 
> I did it on my NT server with IIS4 and installed a certificate created by my
> Test CA. But when I connect to my IIS-SSL page, my IE5 doesn't show the
> certificate issued by my TestCA; it seems that my IIS doesn't send the Test CA
> certificate to my IE 5. What can I do so that it sends it? I did all that I
> read in IIS Help, but it doesn't work :((
> 
> Any hint is welcome.
> 
> Thanks in advance
> Raul Gutierrez



RE: What's an rfc822Name, anyway? (was RE: How to add a new x509 extension?)

1999-06-11 Thread Pierre De Boeck

An Rfc822Name is just an Internet e-mail address and is
formally defined in the Rfc 822. In simple terms, it has the 
form name@domain.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Wade L. Scholine
> Sent: Friday, June 11, 1999 3:59 PM
> To: '[EMAIL PROTECTED]'
> Subject: What's an rfc822Name, anyway? (was RE: How to add a new x509
> extension?)
> 
> 
> What's the format of an rfc822Name? Is it name@fqdn, or something else?
> The X.509 doc doesn't seem to say.
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, June 10, 1999 11:52 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: How to add a new x509 extension?
> > 
> > 
> > For your needs, you can use the "standard" extension
> > 
> > id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }
> > 
> > which enables to give alternative names to the subject. The names
> > can be in various forms (rfc822,directory,...) including an "other"
> > form which can be anything.
> > 
> > To add the extension, the easiest way is through a "conf"
> > file. See the documentation in /doc/Openssl.txt.
> > 
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of Little Stone
> > > Sent: Thursday, June 10, 1999 3:59 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: How to add a new x509 extension?
> > > 
> > > 
> > > Hi:
> > > 
> > > I want to ask a question about how to add a new x509 extension to
> > > a certificate. For example, I want to add a "username" field to a
> > > x509 certificate. The type of the "username" is string.
> > > 
> > > What I must do? How to use "X509v3_add_extension"?
> > > I need to do some change to openssl source code? Or I just need to
> > > change something in openssl.cnf file?
> > > 
> > > Thanks in advance :)
> > > 
> > > Wu Hui
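A configuration-file route to the rfc822Name discussed in this thread, which also answers the earlier request for a small explained openssl.cnf. This is an added example, not code from any poster or from the OpenSSL distribution; it assumes a current `openssl` command-line tool, and `write_config`, `make_cert`, `san_of`, the section names and the example.test addresses are constructed for the illustration.

```shell
#!/bin/sh
# Added example: an openssl.cnf that puts an rfc822Name (e-mail address)
# into subjectAltName, plus a check that the extension reached the cert.

# write_config FILE: minimal configuration for "openssl req -x509".
write_config() {
    cat > "$1" <<'EOF'
[ req ]
# Section that holds the subject fields.
distinguished_name = req_dn
# Section with the extensions added when -x509 is given.
x509_extensions    = v3_user
# Take the subject from req_dn instead of prompting.
prompt             = no

[ req_dn ]
CN           = Constructed Test User
emailAddress = testuser@example.test

[ v3_user ]
# email:copy copies each emailAddress of the subject into an rfc822Name;
# a literal name@domain address can be listed next to it.
subjectAltName = email:copy, email:alias@example.test
EOF
}

# make_cert DIR: write openssl.cnf, key.pem and a self-signed cert.pem in DIR.
# The key is left unencrypted (-nodes) because it is a throwaway test key.
make_cert() {
    write_config "$1/openssl.cnf" &&
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$1/openssl.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# san_of CERT: print the subjectAltName value of CERT (empty if absent).
san_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Usage: sh san_demo.sh DIR   (DIR must exist; files are written into it)
if [ $# -ge 1 ]; then
    make_cert "$1" && san_of "$1/cert.pem"
fi
```
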



Re: What's an rfc822Name, anyway? (was RE: How to add a new x509 extension?)

1999-06-11 Thread Ben Laurie

Wade L. Scholine wrote:
> 
> What's the format of an rfc822Name? Is it name@fqdn, or something else?
> The X.509 doc doesn't seem to say.

This may be too obvious, but how about looking at RFC 822?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
 - Indira Gandhi



What's an rfc822Name, anyway? (was RE: How to add a new x509 extension?)

1999-06-11 Thread Wade L. Scholine

What's the format of an rfc822Name? Is it name@fqdn, or something else?
The X.509 doc doesn't seem to say.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 10, 1999 11:52 AM
> To: [EMAIL PROTECTED]
> Subject: RE: How to add a new x509 extension?
> 
> 
> For your needs, you can use the "standard" extension
> 
> id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }
> 
> which enables to give alternative names to the subject. The names
> can be in various forms (rfc822,directory,...) including an "other"
> form which can be anything.
> 
> To add the extension, the easiest way is through a "conf"
> file. See the documentation in /doc/Openssl.txt.
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Little Stone
> > Sent: Thursday, June 10, 1999 3:59 PM
> > To: [EMAIL PROTECTED]
> > Subject: How to add a new x509 extension?
> > 
> > 
> > Hi:
> > 
> > I want to ask a question about how to add a new x509 extension to
> > a certificate. For example, I want to add a "username" field to a
> > x509 certificate. The type of the "username" is string.
> > 
> > What I must do? How to use "X509v3_add_extension"?
> > I need to do some change to openssl source code? Or I just need to
> > change something in openssl.cnf file?
> > 
> > Thanks in advance :)
> > 
> > Wu Hui



Re: I've modify CA.pl

1999-06-11 Thread Raul Gutierrez

Plasma:

> Raul, and those who are interested,
>
> If you want to import a certificate in IIS, here are the instructions I used:
>
> 1. Generate certificate request using Certificate Manager with IIS,
> 2. Sign the certificate request using openssl, or CA.pl -sign,
> 3. Do a little translation (all in one line),
>
> openssl x509 -in newcert.pem -outform PEM | perl -e "while (<>) { print if !/^-----.*CERTIFICATE-----$/; }" > iiscert.pem
>
> (Sorry, I only know Perl syntax.  Maybe someone can modify it to use grep or
> something.)
>
>   Or you may just use an editor to keep those BASE64 codes
> between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (those 2
> lines are NOT kept).
>
> 4. Import iiscert.pem using Certificate Manager, close Certificate Manager to
> confirm changes, then restart WWW service to make your newly imported
> certificate work.
>
> On my NT workstation with IIS 4, it imports ok. ^_^

I did it on my NT server with IIS4 and installed a certificate created by my
Test CA. But when I connect to my IIS-SSL page, my IE5 doesn't show the
certificate issued by my TestCA; it seems that my IIS doesn't send the Test CA
certificate to my IE 5. What can I do so that it sends it? I did all that I
read in IIS Help, but it doesn't work :((

Any hint is welcome.

Thanks in advance
Raul Gutierrez






Re: Missing MINFO in OpenSSL-0.9.3?

1999-06-11 Thread Dr Stephen Henson

Jan Tomasek wrote:
> 
> Hello,
> I'm new to this list, my name is Jan Tomasek, I study at the Czech Technical
> University in Prague. I'm working on an interface to the OpenSSL libraries for
> Delphi.
> 
> I tried to compile the new version 0.9.3a, but nt.mak and ntdll.mak are
> missing. I tried to create them with ./util/mk1mf.pl but this program
> needs MINFO, and this file is missing. I tried to use the MINFO file from
> the 0.9.2b version but it isn't working.
> 
> I searched CHANGES, INSTALL.W32 and the openssl-user mail archive
> but I didn't find any information.
> 

In INSTALL.W32, OpenSSL 0.9.3a :

> Visual C++
> --
> 
> Firstly you should run Configure and build the Win32 Makefiles:
> 
> > perl Configure VC-WIN32
> > ms\do_ms
> 

If you do this it will build MINFO and the relevant Makefiles. These
files are no longer in the distribution because they are now auto
generated.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




Re: rm -f openssl

1999-06-11 Thread Bodo Moeller

On Fri, Jun 11, 1999 at 08:54:24AM +0200, Stéphane CORNOU wrote:

> I can't understand why the Makefile in apps/ does a 
>   rm -f openssl
> So, when I do a 'make install' after the 'make all', I have to rebuild
> openssl. 
> My hp-ux takes 1 hour to build the latter. 
> The 'make clean' directive seems to be the right way to remove old files !?

$(RM) $(PROGRAM) (aka rm -f openssl) happens only when make has
determined that the openssl application has to be rebuilt.
What does "make -n install" print after you have run a complete
"make"?



Re: apache with ssl

1999-06-11 Thread Ralf S. Engelschall


In article <[EMAIL PROTECTED]> you wrote:
> 
> my question is:
> Is openssl 0.9.2b compatible with apache 1.3.3 ?

Don't know what exactly you mean, sorry.  OpenSSL is always compatible to
Apache because it has nothing directly to do with Apache ;) What you perhaps
mean is whether you can use Apache 1.3.3 plus some SSL solution like
Apache-SSL, mod_ssl, etc. in conjunction with OpenSSL as the driving horse for
SSL. Here the questions is yes, of course. But you should nevertheless use
newer versions of both Apache and OpenSSL...

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Missing MINFO in OpenSSL-0.9.3?

1999-06-11 Thread Jan Tomasek

Hello,
I'm new to this list, my name is Jan Tomasek, I study at the Czech Technical
University in Prague. I'm working on an interface to the OpenSSL libraries for
Delphi. 

I tried to compile the new version 0.9.3a, but nt.mak and ntdll.mak are
missing. I tried to create them with ./util/mk1mf.pl but this program 
needs MINFO, and this file is missing. I tried to use the MINFO file from
the 0.9.2b version but it isn't working.

I searched CHANGES, INSTALL.W32 and the openssl-user mail archive
but I didn't find any information. 

Does anyone here have info about building 0.9.3 on Win32? Please write to
me.

Thanks

Jan Tomasek,  student FEL-CVUT
~~
e-mail: [EMAIL PROTECTED]
www: http://mujweb.cz/web/tomasek/
~~




Re: I've modify CA.pl

1999-06-11 Thread ³¯«Â§»

Raul, and those who are interested,

If you want to import a certificate in IIS, here are the instructions I used:

1. Generate certificate request using Certificate Manager with IIS,
2. Sign the certificate request using openssl, or CA.pl -sign,
3. Do a little translation (all in one line),

openssl x509 -in newcert.pem -outform PEM | perl -e "while (<>) { print if !/^-----.*CERTIFICATE-----$/; }" > iiscert.pem

(Sorry, I only know Perl syntax.  Maybe someone can modify it to use grep or
something.)

  Or you may just use an editor to keep those BASE64 codes
between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (those 2
lines are NOT kept).

4. Import iiscert.pem using Certificate Manager, close Certificate Manager to
confirm changes, then restart WWW service to make your newly imported
certificate work.

On my NT workstation with IIS 4, it imports ok. ^_^

Now you can set up your directory with SSL enabled, and use https:// to test
the SSL function.  Since I sign my request with an experimental CA, MSIE5
complains about an untrusted CA.  Netscape 4.5 will ask many questions, and
works fine. I think it's OK.

ps. Who would ever think about stripping those 2 lines out to make it work?  ^_^

> It is:
>
>openssl x509  | grep -v \\- > outfile
>
> Or in other words: not internal to openssl ;-)
>
> Raul Gutierrez wrote:
> >
> > Pierre:
> >
> > > IIs is very limited in its supported format of
> > > certificates: the imported certificate must be B64-encoded,
> > > without the PEM header!!! Any other format, like the useful
> > > PKCS7 one does not work.
> > >
> >
> > What is the command in openssl used to create a certificate in B64-encode
> > without the PEM header
> >
> > Thanks in advance.
> >
> > Raul Gutierrez
> >
>
> --
> Holger Reif  Tel.: +49 361 74707-0
> SmartRing GmbH   Fax.: +49 361 7470720
> Europaplatz 5 [EMAIL PROTECTED]
> D-99091 ErfurtWWW.SmartRing.de
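The armor-stripping step from this thread in POSIX shell, for readers without Perl. This is an added example, not code from any poster; `strip_pem_armor` and `make_sample` are hypothetical helper names, the sample input is constructed (it is not a real certificate), and `newcert.pem` / `iiscert.pem` are the file names used in the message above. It prints only the lines inside the certificate block, so a text dump in front of the armor or CRLF line endings do not end up in the file handed to IIS.

```shell
#!/bin/sh
# Added example: keep only the base64 body of a PEM certificate, the form
# the thread reports IIS 4 accepting on import.

# make_sample FILE: write a constructed input (base64-shaped lines, not a
# real certificate) with a text dump in front, as "openssl x509 -text" emits.
make_sample() {
    printf '%s\n' \
        'Certificate:' \
        '    Data: (constructed text dump line)' \
        '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQgU0FNUExFIEJPRFkgTElORSAx' \
        'Q09OU1RSVUNURUQgU0FNUExFIExJTkUgMg==' \
        '-----END CERTIFICATE-----' > "$1"
}

# strip_pem_armor FILE: print the base64 lines between the BEGIN and END
# CERTIFICATE markers. Fails if FILE does not hold exactly one certificate
# block or if a line inside the block is not base64.
strip_pem_armor() {
    in=$1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$in" 2>/dev/null || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$in" 2>/dev/null || true)
    if [ "$begins" != 1 ] || [ "$ends" != 1 ]; then
        echo "strip_pem_armor: expected exactly one certificate in $in" >&2
        return 1
    fi
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF files from NT
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1; next }
        /^-----END CERTIFICATE-----$/   { inside = 0; next }
        inside && $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }
        inside { print }
        END { exit bad }
    ' "$in"
}

# Usage: sh strip_armor.sh newcert.pem [iiscert.pem]
if [ $# -ge 1 ]; then
    strip_pem_armor "$1" > "${2:-iiscert.pem}"
fi
```
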



Re: compile problem on hpux 10.20

1999-06-11 Thread Lutz Jaenicke

On Fri, Jun 11, 1999 at 12:55:05AM -0700, Little Stone wrote:
> >As noted in the current Configure, gcc 2.8.1 is broken on HPUX.  That's
> >the symptom, as I recall.  Are you using 2.8.1 or is there another
> >version of gcc that's broken, too?
> 
> Yes I use gcc 2.8.1, but It works good when I compile ssleay0.9.0
> on the same hpux box. What should I do? Use another version of gcc?

If you have it, use the unbundled HP ANSI C compiler. OpenSSL compiles
fine with it (I have it on the latest patchlevel, don't know about
older patchlevels).
Ah, and I would recommend you to not use the "+O4" optimization. It might
give you the best optimization, but the time required is normally
unacceptable. +O3 sometimes also tends to hang in loops. My notes for
OpenSSL say: use +O2.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: Client-server authentication.

1999-06-11 Thread Holger Reif

Have a look at apps/s_{server,client} that should give you
a starting point.

Carles Xavier Munyoz Baldó wrote:
> 
> Hello,
> 
> I have an SSL client-server application in which the server
> authenticates to the client by sending its certificate in the SSL handshake,
> but the client doesn't authenticate to the server.
> For my SSL client-server application, I need both to authenticate each
> other.
> 
> How can I do this ?
> How can I make the server request the client certificate and validate
> it ?
> I've done a lot of testing but got nothing ... :(
> 
> May anyone help me ?
> ---
> CTV-JET
> Carles Xavier Munyoz Baldó / [EMAIL PROTECTED]
> http://www.ctv.es/USERS/carles
> Dpto. Sistemas / System Department
> Clave pública PGP / PGP public KEY
> http://www.ctv.es/PGP-STAFF/carles.html
> Tel: +34 96 584 52 91 - Fax: +34 96 584 48 96
> ---

-- 
Holger Reif  Tel.: +49 361 74707-0
SmartRing GmbH   Fax.: +49 361 7470720
Europaplatz 5 [EMAIL PROTECTED]
D-99091 Erfurt                 WWW.SmartRing.de



Re: RSA encrypt/decrypt

1999-06-11 Thread Holger Reif

Have a look into the archives (what you anyway should have done
before). There was a thread just one or two days ago that
answered your question. 

In short: you can't do this! (And you even would not want to encrypt
large buffers with RSA for performance reasons.)

ŠIŠKA Július wrote:
> 
>Hello,
> 
>   how can I simply RSA encrypt buffer (its length may be greater than
> RSA_size()) ?
> If I use: RSA_public_encrypt(1, from, to, rsa, RSA_PKCS1_PADDING) with
> key
> with modulo length small enough (e.g. 4096) I am not able correctly decrypt
> to buffer. Can somebody help ?
> 
> With best regards,
> Julius Siska
> <[EMAIL PROTECTED]>

-- 
Holger Reif  Tel.: +49 361 74707-0
SmartRing GmbH   Fax.: +49 361 7470720
Europaplatz 5 [EMAIL PROTECTED]
D-99091 Erfurt                 WWW.SmartRing.de



Re: Certificates and Pass Phrases.

1999-06-11 Thread Holger Reif

David A. Lee wrote:
> 
> For example, IIS Server and IE and Netscape clients never ask me for
> pass phrases when using certificates.  Does this mean as I suspect
> that those products are not really secure ? Or have they found another
> method to protect certificates from copying without requiring pass phrases ?

You can protect client certs (at least with Netscape)
with a pass phrase (this is the re-translation from German;
I don't know whether they are completely correct):
Communicator->Security information->passwords

About IE I never cared ;-)

For stand alone applications that automatically start up like 
webservers you must trust the file protection mechanism to 
not give out the key to the wrong person...

-- 
Holger Reif  Tel.: +49 361 74707-0
SmartRing GmbH   Fax.: +49 361 7470720
Europaplatz 5 [EMAIL PROTECTED]
D-99091 Erfurt                 WWW.SmartRing.de



Re: compile problem on hpux 10.20

1999-06-11 Thread Little Stone


lcs Mixmaster Remailer wrote:

>As noted in the current Configure, gcc 2.8.1 is broken on HPUX.  That's
>the symptom, as I recall.  Are you using 2.8.1 or is there another
>version of gcc that's broken, too?

Yes I use gcc 2.8.1, but It works good when I compile ssleay0.9.0
on the same hpux box. What should I do? Use another version of gcc?

Wu Hui





Client-server authentication.

1999-06-11 Thread Carles Xavier Munyoz Baldó

Hello,

I have an SSL client-server application in which the server
authenticates to the client by sending its certificate in the SSL handshake,
but the client doesn't authenticate to the server.
For my SSL client-server application, I need both to authenticate each
other.

How can I do this ?
How can I make the server request the client certificate and validate
it ?
I've done a lot of testing but got nothing ... :(

May anyone help me ?
---
CTV-JET
Carles Xavier Munyoz Baldó / [EMAIL PROTECTED]
http://www.ctv.es/USERS/carles
Dpto. Sistemas / System Department
Clave pública PGP / PGP public KEY
http://www.ctv.es/PGP-STAFF/carles.html
Tel: +34 96 584 52 91 - Fax: +34 96 584 48 96
---



Re: Inmortal certificate.

1999-06-11 Thread Holger Reif

Carles Xavier Munyoz Baldó wrote:
> 
> Hello,
> 
> With this command I make a CSR (Certificate Signing Request) valid only
> for 365 days:
> openssl req -new -days 365 -key server.key -out server.csr

Haven't you forgotten the option -x509?

This forces the req utility to issue a (selfsigned x509) certificate 
instead of a CSR (that a CA would sign).

A CSR itself has no time information in it. Try generating
one with 

openssl req -new 

and then have a look at the actual request with 

openssl req -noout -text 

> How could I make a CSR for a certificate that never expires ?

You can't make a non expiring cert. But you can make it
valid long enough (e.g. until 2020) although I don't
know what the reason for this should be.

 
> Greetings.
> ---
> CTV-JET
> Carles Xavier Munyoz Baldó / [EMAIL PROTECTED]
> http://www.ctv.es/USERS/carles
> Dpto. Sistemas / System Department
> Clave pública PGP / PGP public KEY
> http://www.ctv.es/PGP-STAFF/carles.html
> Tel: +34 96 584 52 91 - Fax: +34 96 584 48 96
> ---

-- 
Holger Reif  Tel.: +49 361 74707-0
SmartRing GmbH   Fax.: +49 361 7470720
Europaplatz 5 [EMAIL PROTECTED]
D-99091 Erfurt                 WWW.SmartRing.de
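The point made in this reply, checked end to end: the same `-days 365` leaves no trace in a CSR but sets the validity period once `-x509` is added. This is an added example, not code from the thread; it assumes a current `openssl` command-line tool, the function names and the subject `constructed.example.test` are made up for the demonstration, and `server.key` / `server.csr` are the file names from the question.

```shell
#!/bin/sh
# Added example: a CSR carries no validity period; -days only takes effect
# when "req -x509" (or a CA) issues the certificate.

# make_csr_and_cert DIR: write server.key, server.csr and server.crt in DIR.
make_csr_and_cert() {
    dir=$1
    # Constructed minimal configuration so the run does not prompt.
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = constructed.example.test
EOF
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    # The command from the question: -days is accepted but has nowhere to go.
    openssl req -new -days 365 -config "$dir/req.cnf" \
        -key "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # With -x509 the same options produce a self-signed certificate.
    openssl req -new -x509 -days 365 -config "$dir/req.cnf" \
        -key "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Count the "Not Before" / "Not After" lines in the text form of a CSR
# and of a certificate.
validity_lines_in_csr() {
    openssl req -in "$1" -noout -text | grep -cE 'Not (Before|After)' || true
}
validity_lines_in_cert() {
    openssl x509 -in "$1" -noout -text | grep -cE 'Not (Before|After)' || true
}

# valid_for_days CERT N: succeed if CERT is still valid N-1 days from now
# and no longer valid N+1 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ($2 - 1) * 86400 )) >/dev/null &&
    ! openssl x509 -in "$1" -noout -checkend $(( ($2 + 1) * 86400 )) >/dev/null
}

# Usage: sh csr_validity.sh DIR   (DIR must exist; files are written into it)
if [ $# -ge 1 ]; then
    make_csr_and_cert "$1" || exit 1
    echo "validity lines in CSR:  $(validity_lines_in_csr "$1/server.csr")"
    echo "validity lines in cert: $(validity_lines_in_cert "$1/server.crt")"
fi
```
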