OpenSSL+Mail
Dear All, How can I use mail with openssl like pgp (pine+pgp) Thank You, -Nop __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: rsa_oaep_test
Hemant Jain schrieb:
>
> Holger,
> Here is the stack trace, if that helps:
> error:0407106B::lib(4) : func(113) : reason(107)
> error:04065072::lib(4) : func(101) : reason(114)
This means padding check failed (reason 107) in function
private decrypt (func 101) because of wrong block type
(reason 107) in function padding check (func 113).
I can't guess what went wrong, it would be necessary to
examine the key itsself. Try to test the key with the
little test program in the appendix. (Wouldn't it be a
good idea to include it as "openssl rsa -verify"?)
BTW at least during debugging you should load the
erro srtings to make this error messages easier to
understand. You can do this with ERR_load_crypto_strings();
Holger
-snip
#include
#include
#include
#include
#include
#include "/usr/local/ssl/include/err.h"
#include "/usr/local/ssl/include/rsa.h"
#include "/usr/local/ssl/include/bn.h"
#ifdef min
#undef min
#endif
#define min(a,b) ((a) < (b)? (a) : (b))
int BN_write(FILE *fp, BIGNUM *a);
int
main(int argc, char **argv)
{
char *filename;
FILE *f;
char b1[1024], b2[1024], b3[1024];
int b1len, b2len, b3len;
RSA *rsa;
unsigned long ERR_no;
BIGNUM *bn;
char *pcTemp;
memset(b1, 0, sizeof(b1));
memset(b2, 0, sizeof(b2));
memset(b3, 0, sizeof(b3));
if (argc != 2)
{
printf("usage: %s filename\n", argv[0]);
exit(-1);
}
filename = argv[1];
ERR_load_crypto_strings();
if (!(rsa = RSA_new()))
{
printf("RSA_new rsa failed\n");
while ((ERR_no = ERR_get_error()))
printf("%s\n", ERR_error_string(ERR_no, NULL));
return(-1);
}
if (!(bn = BN_new()))
{
printf("BN_new bn failed\n");
while ((ERR_no = ERR_get_error()))
printf("%s\n", ERR_error_string(ERR_no, NULL));
return(-1);
}
f = fopen(filename, "r");
if (f == NULL)
{
perror("fopen:");
return(-1);
}
/* insert here your code to read the key from a file */
printf("RSA Key (%i Bits)\n", BN_num_bits(rsa->n));
printf("MODULUS\n");
pcTemp = BN_bn2hex(rsa->n);
printf("%s\n", pcTemp);
free(pcTemp);
printf("PRIVATE EXPONENT\n");
pcTemp = BN_bn2hex(rsa->d);
printf("%s\n", pcTemp);
free(pcTemp);
printf("PUBLIC EXPONENT\n");
pcTemp = BN_bn2hex(rsa->e);
printf("%s\n", pcTemp);
free(pcTemp);
/* generate test value */
if (BN_rshift(bn, rsa->n, 8) != 1)
{
printf("BN_rshift1 rsa failed\n");
while ((ERR_no = ERR_get_error()))
printf("%s\n", ERR_error_string(ERR_no, NULL));
return(-1);
}
b1len = BN_bn2bin(bn, b1);
/* make the padding with leading zero */
memmove(b1+1, b1, b1len);
b1[0] = 0;
b1len++;
/* compute signature */
b2len = RSA_private_encrypt(b1len, b1, b2, rsa, RSA_NO_PADDING);
if (b2len == -1)
{
printf("RSA_private_encrypt failed\n");
while ((ERR_no = ERR_get_error()))
printf("%s\n", ERR_error_string(ERR_no, NULL));
return(-1);
}
/* check signature */
if ((b3len = RSA_public_decrypt(b2len, b2, b3, rsa, RSA_NO_PADDING))
== -1)
{
printf("RSA_public_decrypt failed\n");
while ((ERR_no = ERR_get_error()))
printf("%s\n", ERR_error_string(ERR_no, NULL));
return(-1);
}
if (!(bn = BN_bin2bn((unsigned char*) b3, b3len, NULL)))
{
printf("BN_bin2bn failed\n");
while ((ERR_no = ERR_get_error()))
printf("%s\n", ERR_error_string(ERR_no, NULL));
return(-1);
}
/* verify the result */
if (BN_rshift(rsa->n, rsa->n, 8) != 1)
{
printf("BN_rshift1 rsa failed\n");
while ((ERR_no = ERR_get_error()))
printf("%s\n", ERR_error_string(ERR_no, NULL));
return(-1);
}
if (BN_cmp(rsa->n, bn) == 0)
{
printf("Test passed\n");
}
else
{
printf("Test not passed\n");
}
return(0);
}
---snip-
> Hemant
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Holger Reif
> Sent: Wednesday, June 23, 1999 11:48 PM
> To: [EMAIL PROTECTED]
> Subject: Re: rsa_oaep_test
>
> Which error occured? I suppose you read all the erros from
> the error stack and know what exactly happend.
>
> Hemant Jain schrieb:
> >
> > Hi All,
> >
> > I read the private key/public key from my store and copied its contents
> > to variables n,e,d,etc. in the rsa_oaep_test.c as another key (key4).
> > While the test program works fine for encryption and
> > decryption for key1, key2 and key3, I get an error while
> > decrypting with my private key.
--
Holger Reif Tel.: +49 361 74707-0
SmartRing GmbH Fax.: +49 361 7470720
Europaplatz 5 [EMAIL PROTECTED]
D-99091 ErfurtWWW.SmartRing.de
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: no shared cipher?
Not: This is a mod_ssl related question. You should use modssl users list to ask this question! Anyway most probably you have restricted the cipherlist to contain only high grade ciphers and you try to connect with an export grade browser. What doesn openssl ciphers -v tell you? What have you set for SSLCipherSuite in httpd.conf? jesse hirsh schrieb: > > hi, i got this error after setting up an httpd server. > my web client is netscape 4-7 for linux. > any clues why i got this error? > > [Mon Jun 28 10:22:05 1999] [notice] Apache/1.3.6 (Unix) PHP/3.0.10 > mod_ssl/2.3.5 OpenSSL/0.9.3 configured -- resuming normal operations > [Mon Jun 28 10:25:15 1999] [error] mod_ssl: SSL handshake failed (client > 198.96.117.181, server jah.tao.ca:443) (OpenSSL library error follows) > [Mon Jun 28 10:25:15 1999] [error] OpenSSL: error:1408A0C1:SSL > routines:SSL3_GET_CLIENT_HELLO:no shared cipher > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] -- Holger Reif Tel.: +49 361 74707-0 SmartRing GmbH Fax.: +49 361 7470720 Europaplatz 5 [EMAIL PROTECTED] D-99091 ErfurtWWW.SmartRing.de __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Signing external certs with local CA
Dmitry Morozovsky schrieb: > > Now i've starring at the very special problem: when user already have > personal cert from one of master CA, it seems to be "Right Thing" to use > this cert for authorization instead of making another local user > certificate. As I understand, the best way to use it -- sign existing cert > with local CA. Am I wrong at this stage? ... > 3. sign cert. this is problem point. trying to > x509 -x509toreq -signkey marck.crt -in marck.crt -out new.pem > leads to: > Getting request Private Key > unable to load Private Key A request is alway signed with the private key of the requestor which you don'T have. (Therefore the error) If you would like to recertify you must use the openssl x509 utility. But before you invest more time into this you should be warned that this newly generated cert can't be put back into the browsers easily (at least true for older versions) because they complain "I already have a cert for this key". BTW why do you think it's wrong to issue completely new certs for your users that already have other certs? Don't you have more than one oficial id document like passport, drivers licence etc. If you want to rely on other's CA work you should make some restrictions with SSLRequire directive. -- Holger Reif Tel.: +49 361 74707-0 SmartRing GmbH Fax.: +49 361 7470720 Europaplatz 5 [EMAIL PROTECTED] D-99091 ErfurtWWW.SmartRing.de __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[FWD] Question for openssl-0.9.3a problems
- Forwarded message from Ae Ja Jo <[EMAIL PROTECTED]> - From: Ae Ja Jo <[EMAIL PROTECTED]> Reply-To: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: Question for openssl-0.9.3a problems Date: Tue, 29 Jun 1999 16:52:00 +0900 Importance: Normal Hi ! Let me introduce to you. I am a programmer and interested in openssl-library. I have some problems in working openssl-0.9.3a. 1. My working environments are following - OS : HP-UX 10.10 - H/W: 9000/821 2. Problem - I had an error when I executed makefile. Error's contents are following. SIGNAL(11) is caught internally. So apps/openssl can't created. I retried make in gcc and succeeded. Why can't I compile in cc ? I wish I receive your reply. I regret my english is poor. I hope you understand my mail. Bye. - End forwarded message - __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL+Mail
This is not possible. Albeit there is some rudimentary support for S/MIME (used by eg. Messenger and Outlook) there is no integration into an email package known. Mr. Nopadon Sae-Han schrieb: > > Dear All, > How can I use mail with openssl like pgp (pine+pgp) > > Thank You, > -Nop > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] -- Holger Reif Tel.: +49 361 74707-0 SmartRing GmbH Fax.: +49 361 7470720 Europaplatz 5 [EMAIL PROTECTED] D-99091 ErfurtWWW.SmartRing.de __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Signing external certs with local CA
Dmitry Morozovsky wrote: > Now i've starring at the very special problem: when user already have > personal cert from one of master CA, it seems to be "Right Thing" to use > this cert for authorization instead of making another local user > certificate. As I understand, the best way to use it -- sign existing cert > with local CA. Am I wrong at this stage? As far as I know an X.509 certificate can only be signed by one CA. So although you could substitute a different signature it would then be a different certificate that would have to be loaded into the user's browser separately. This would defeat the object really. If you wanted you could set your server to trust the CA that originally issued that user's certificate. Then, of course, you would have to have a table that says which people are permitted to use your system, rather than this being implicit in the fact that a user possesses a certificate. (It is often said that certificates should only be used to vouch for identity and not as a basis for access control decisions. Of course in practice people do not always keep to this.) --- Pete Chown, email [EMAIL PROTECTED], phone +44 (0) 181 680 8393, fax+44 (0) 181 688 8013, mobile +44 (0) 468 765 645, post 58 Foss Avenue, Croydon, CR0 4EU, England __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: error when compile openssl
On Tue, Jun 29, 1999 at 10:00:57AM +0800, Sun JunXu wrote: > [...] there was an error, I captured it in .jpg in attached file [...] ^ What's that nonsense for? About all errors show in pure ASCII, which makes them readable, grep-able, bandwidth-saving, etc. Neither do I want to receive 134 KB JPEGs with errors that most likely could be described in less than 1 KB nor will I bother to look at them. (The same applies to MPEGs of the make process, just it case it's not obvious.) __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problems when reusing sessions
On Wed, Jul 28, 1999 at 06:32:56PM +0100, David J. Palaitis wrote: > i had a problem with session ID reuse and openSSL0.9.2b > i set the verify flags to > SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_FAIL_IF_NO_PEER_CERT > but sessions weren't being reused,... [...] > SSL_set_session_id_context(fb->ssl,(UCHAR *)"dave",(UINT)4); [...] > it worked ! > > something tells me that args 2 and 3 to SSL_set_session_id_context > are not correct. > does anyone know what type of info should go in there ? You can use whatever you want (a pointer to the first element of an unsigned char array as second argument, the array's length as third argument). If your program uses multiple SSL_CTX's with different client verification criteria, then they must have different session ID contexts (note that you can use SSL_CTX_set_session_id_context and don't usually have to set the context for each individual SSL): Session IDs are used to decide whether reuse of a session is acceptable on a specific connection. This is really an issue only if you use an external cache, because otherwise each SSL_CTX has its own separate cache, but the check is always done (otherwise if a program that uses an external cache forgets to set the session ID context, chances of noticing this error by testing are minimal because most sessions would typically be in the per-SSL_CTX cache). __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
CA list for client
Hi there, is there somebody who can briefly describe how to configure a OpenSSL server program in that way that it sends a list of acceptible ca's to the client? I'm using client authentication and would like to decide on the client side that the client has the proper certificates for the server. I already used SSL_CTX_load_verify_loactions(...) to check the client certificate, hoping that this would set up this information but it seems not to be the proper way: On the client side my program tells me that there is no ca-accept-list. Is there a special function to create this list? Thanks in advance! Oliver __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Interesting Handshake behaviour
Bodo Moeller wrote:
>
> So the callbacks that you mentioned are callbacks on an other level of
> the program, not callbacks set inside the OpenSSL library, right?
Yep this is correct.
> I thought at first that you were using callbacks inside the BIO
> sub-library.
>
> > A little more info... [snip]
>
> Note that SSL_write does not always just want to write data, sometimes
> select() for readable data is called for (during a handshake, which
> the peer can request at any time [renegotiation]). SSL_get_error is
> one possibility to find out what to do -- see apps/s_client.c, for
> example. Similarly, SSL_accept does not always just want to read (but
> the written data won't be so much that a blocking write would really
> have to be expected).
>
> And I finally found the cause of your problem: You call
> BIO_sock_should_retry with the return value of SSL_accept. You should
> not do that, the BIO library already has done that when BIO_read and
> BIO_write were called by the SSL library. The result is stored inside
> the BIO structure, from where the SSL library can obtain it (through
> the BIO_should_read/write macros) when SSL_get_error is called; and
> SSL_get_error is what you should use in your program.
Thanks for your help, I'd love to report this was the problem, but
unfortunately not. Here's the code I've added:
if (!ssl->in_handshake)
{
int acceptval=SSL_accept(ssl);
switch (SSL_get_error(ssl,acceptval))
{
case SSL_ERROR_NONE:
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_CONNECT:
case SSL_ERROR_WANT_X509_LOOKUP:
// need to do the accept again, so return
// to the eventloop,
break;
case SSL_ERROR_SYSCALL:
case SSL_ERROR_SSL:
case SSL_ERROR_ZERO_RETURN:
// handshake failed, drop connection and print SSL error
break;
}
}
I also used SSL_do_handshake() in the place of SSL_accept to see if this
made any difference, but alas no.
I still have to parts to the handshake, the first generates an
SSL_ERROR_WANT_READ, we return back to the eventloop, when a read event
happens SSL_accept is caused again, this generates SSL_ERROR_SSL, when
looking at this with ERR_reason_error_string(ERR_get_error()) I get the
now familiar message "digest check failed".
This is the behaviour I experienced when using BIO_should_retry().
I've included at the end of this message the debug output I get from
running the s_client in debug mode (again everything is fine when the
socket is blocking), I'm not sure if this is any help at all.
Thanks for the help, it's much appreciated
Sarah
ssleay s_client -connect exeter:5336 -debug
CONNECTED(0004)
write to 001281E8 [0012A600] (109 bytes => 109 (0x6D))
- 80 6b 01 03 00 00 42 00-00 00 20 00 00 05 00 00 .kB...
.
0010 - 04 00 00 16 00 00 13 00-00 0a 00 00 07 00 00 15
0020 - 00 00 12 00 00 09 08 00-80 07 00 c0 06 00 40 05
..@.
0030 - 00 80 03 00 80 01 00 80-00 00 14 00 00 11 00 00
0040 - 08 00 00 06 00 00 03 04-00 80 02 00 80 b0 98 4a
...J
0050 - 54 ab 23 3e f1 2a 32 63-38 1a 99 3f a1 3a d1 93
T.#>.*2c8..?.:..
0060 - e4 75 00 29 d7 7f 2c 3f-2c ff a6 76 79.u.)..,?,..vy
read from 001281E8 [0012FB60] (7 bytes => 7 (0x7))
- 16 03 00 00 4a 02 J.
0007 -
read from 001281E8 [0012FB67] (72 bytes => 72 (0x48))
- 00 46 03 00 37 78 af fb-63 9b 54 27 54 8c 5d 0e
.F..7x..c.T'T.].
0010 - 49 ab 9b 9c 98 90 60 8c-38 f4 b8 7c a0 1a 45 09
I.`.8..|..E.
0020 - dc 73 d4 58 20 07 37 56-25 e2 f6 e1 bc 66 1e 68 .s.X
.7V%f.h
0030 - 78 6b 82 e5 76 c0 d2 38-1d 4b 60 2f c5 93 3b ff
xk..v..8.K`/..;.
0040 - 73 0a a1 ea 16 00 03 s..
0048 -
read from 001281E8 [0012FB60] (5 bytes => 5 (0x5))
- 16 03 00 02 b0.
read from 001281E8 [0012FB65] (688 bytes => 688 (0x2B0))
- 0b 00 02 ac 00 02 a9 00-02 a6 30 82 02 a2 30 82
..0...0.
0010 - 02 0b a0 03 02 01 02 02-02 01 7f 30 0d 06 09 2a
...0...*
0020 - 86 48 86 f7 0d 01 01 04-05 00 30 81 94 31 0b 30
H0..1.0
0030 - 09 06 03 55 04 06 13 02-47 42 31 17 30 15 06 03
...UGB1.0...
0040 - 55 04 08 13 0e 43 61 6d-62 72 69 64 67 65 73 68
UCambridgesh
0050 - 69 72 65 31 12 30 10 06-03 55 04 07 13 09 43 61
ire1.0...UCa
0060 - 6d 62 72 69 64 67 65 31-0c 30 0a 06 03 55 04 0a
mbridge1.0...U..
0070 - 13 03 53 43 4f 31 0c 30-0a 06 03 55 04 0b 13 03
..SCO1.0...U
0080 - 43 49 44 31 1d 30 1b 06-03 55 04 03 13 14 53 61
CID1.0...USa
0090 - 72 61 68 27 73 20 55 4e-43 48 41 49 4e 45 44 20 rah's UNCHAINED
00a0 - 43 41 31 1d 30 1b 06 09-2a 86 48 86 f7 0d 01 09
CA1.0...*.H.
00b0 - 01 16 0e 73 61 72 61 68-67 40 73 63 6f 2e 63 6f
[EMAIL PROTECTED]
00c0 - 6d 30 1e 17 0d 39 39 30-36 32 31 31 36 34 37 35
m0...99062116475
00d0 - 33 5a 17 0d 30 31 30 32-31 30 31 36 34 37 35 33
3Z..
Re: Signing external certs with local CA
On Tue, 29 Jun 1999, Holger Reif wrote: [skip] > BTW why do you think it's wrong to issue completely > new certs for your users that already have other > certs? Don't you have more than one oficial id > document like passport, drivers licence etc. Well, at least i prefer to minimize cases when clients could be disturbed by "stupid" questions like "what cert do you want to use with this site" Or did I miss something? > If you want to rely on other's CA work you should > make some restrictions with SSLRequire directive. Surely, I've already did it -- or esle how could I get existing client cert and verify it's not a fake? ;-) Sincerely, D.Marck [DM5020, DM268-RIPE, DM3-RIPN] *** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- [EMAIL PROTECTED] *** __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Signing external certs with local CA
Dmitry Morozovsky schrieb:
>
> On Tue, 29 Jun 1999, Holger Reif wrote:
>
> [skip]
>
> > BTW why do you think it's wrong to issue completely
> > new certs for your users that already have other
> > certs? Don't you have more than one oficial id
> > document like passport, drivers licence etc.
>
> Well, at least i prefer to minimize cases when clients could be disturbed by
> "stupid" questions like "what cert do you want to use with this site"
>
> Or did I miss something?
You missed the SSLCACertificate{Path|File} ;-)
It's just a matter of configuring only your own ClientCa here.
If they don't have a client cert from your CA you most
probably don't need to care about their problems.
> > If you want to rely on other's CA work you should
> > make some restrictions with SSLRequire directive.
>
> Surely, I've already did it -- or esle how could I get existing client cert
> and verify it's not a fake? ;-)
Of course, but that becomes tricky, if you have big
base of clients. Putting them all into SSLRequire is
not very handy...
--
Holger Reif Tel.: +49 361 74707-0
SmartRing GmbH Fax.: +49 361 7470720
Europaplatz 5 [EMAIL PROTECTED]
D-99091 ErfurtWWW.SmartRing.de
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: rsa_oaep_test
Holger Reif wrote: > > Hemant Jain schrieb: > > > > Holger, > > Here is the stack trace, if that helps: > > error:0407106B::lib(4) : func(113) : reason(107) > > error:04065072::lib(4) : func(101) : reason(114) > > This means padding check failed (reason 107) in function > private decrypt (func 101) because of wrong block type > (reason 107) in function padding check (func 113). > > I can't guess what went wrong, it would be necessary to > examine the key itsself. Try to test the key with the > little test program in the appendix. (Wouldn't it be a > good idea to include it as "openssl rsa -verify"?) > Hmmm I was thinking of something analagous for some time but never got round to it. There should be an RSA_check() function that will validate an RSA private key: check p, q for primality then verify all the other parameters and a -check parameter to the rsa utility. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Compiling OpenSSL on Win32 (again)
Users, I am having some trouble compiling on Win32's. I think the root of my problem is not having the right utilities to do the job (and/or knowledge!). I got the following tips about installing on Win32 from a previous note to the list... (scan down if this is familiar) >BTW: How tough was it to compile openssl in Win32? I've tried several >times but since I'm not a c or make file guru I could not. Could you pass >along some info as to how you did it? What changes to the make files did >you have to make? What platform did you compile it on? Not really difficult at all. openssl-0.9.3a directly from openssl.org Windows 98 build 4.10.1998 MS Visual C++ 6.0 (also works in 5.0) This will need VCVARS32.BAT added to your AUTOEXEC.BAT. You will probably have to increase your environment space through CONFIG.SYS You will need activeperl from the URL given in INSTALL.W32. This installed with no problems. Follow the instructions in INSTALL.W32 inside the openssl tarball These commands will have to be run in a Dos Shell VM with an expanded environment space to work. Create a shortcut to COMMAND.COM on your desktop and change the property 'memory->initial environment' (mine's set to 4096). All should compile and test ok with the exception of s_server and s_client which seem to have problems with socket handling on Windows. My problem is that OpenSSL wont compile on Win95 or WinNT with the nmake utility that is available on these systems. I believe that the problem is that Visual C++ is out of date or not even installed (one system has a downloaded nmake utility that shipped with MS VC++ 2.x). How can I tell what version of MS Visual C++ is installed? Is there a free make utility that will compile OpenSSL or do we need to buy VC++ 5 or 6 for each system? Or is this even the problem? Also, I thought I read that one compile problem I am having relates to running in a DOS window. Can someone verify this? For fun, here are my compile errors... Any help is appreciated. Thanks! Ed This error on WinNT - nmake version 1.62.7022 (Vis C++ version???) NMAKE : warning U4004: Too many rules for target 'out32.dll' NMAKE : warning U4004: Too many rules for target 'out32.dll' ml /Cp /coff /c /Cx /Forcrypto\md5\asm\m5-win32.obj .\crypto\md5\asm\m5-win32.asm The name specified is not recognized as an internal or external command, operable program or batch file. NMAKE : fatal error U1077: 'ml' : return code '0x1' Stop. This error on Win95 - nmake version 1.50 (downloaded utility ships with Visual C++ 2.X) C:\My Downloads\openssl-0.9.3a>nmake -f ms\ntdll.mak Microsoft (R) Program Maintenance Utility Version 1.50 Copyright (c) Microsoft Corp 1988-94. All rights reserved. cl /Fotmp32dll\cryptlib.obj -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN /Fdout32dll / GD -D_WINDLL -D_DLL -c .\crypto\cryptlib.c NMAKE : fatal error U1081: 'cl' : program not found Stop. Another error: OpenSSL-0.9.1c on Win95 - nmake version 1.50 NMAKE : warning U4004: too many rules for target 'out32dll' NMAKE : warning U4004: too many rules for target 'out32dll' gcc -Fo tmp32dll\cryptlib.obj -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O 2 /Ob2 /Gs0 /GF /Gy /nologo -DWIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DBN_ASM -D MD5_ASM -DSHA1_ASM -DRMD160_ASM /Fdout32dll /GD -D_WINDLL -D_DLL -c .\crypto\cr yptlib.c gcc.exe: tmp32dll\cryptlib.obj: No such file or directory gcc.exe: /MD: No such file or directory gcc.exe: /W3: No such file or directory gcc.exe: /WX: No such file or directory gcc.exe: /G5: No such file or directory gcc.exe: /Ox: No such file or directory gcc.exe: /O2: No such file or directory gcc.exe: /Ob2: No such file or directory gcc.exe: /Gs0: No such file or directory gcc.exe: /GF: No such file or directory gcc.exe: /Gy: No such file or directory gcc.exe: /nologo: No such file or directory gcc.exe: /Fdout32dll: No such file or directory gcc.exe: /GD: No such file or directory gcc.exe: unrecognized option `-Fo' NMAKE : fatal error U1077: 'GCC' : return code '0x1' Stop. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: CA list for client
On Tue, Jun 29, 1999 at 12:51:40PM +0200, Oliver Floericke wrote:
> is there somebody who can briefly describe how to configure a OpenSSL server
> program in that way that it sends a list of acceptible ca's to the client?
> I'm using client authentication and would like to decide on the client side
> that the client has the proper certificates for the server.
>
> I already used SSL_CTX_load_verify_loactions(...) to check the client
> certificate, [...]
That function sets only the certificates to be used for verification
purposes (and can be used both for servers and for clients). To also
set the list of names you need SSL_CTX_set_client_CA_list. Example
code (tdef points to a structure holding the configuration
information, tls_output_OpenSSL_errors is a program-defined function
that outputs the OpenSSL error stack together with some additional
strings and, in case the error stack is empty, an alternative error
message):
SSL_CTX_set_verify(tdef->server_ssl_ctx,
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
(int (*)(int, X509_STORE_CTX *)) 0);
r = SSL_CTX_set_session_id_context(tdef->server_ssl_ctx,
(void *) &context_num,
(unsigned int)
sizeof context_num);
if (!r) {
tls_output_OpenSSL_errors("", "", "", NULL);
return 1;
}
context_num++;
r = SSL_CTX_load_verify_locations(tdef->server_ssl_ctx,
tdef->client_ca_certificates,
NULL /* no CA-directory */);
if (!r) {
tls_output_OpenSSL_errors(" while processing certificate file ",
tdef->client_ca_certificates,
0, NULL);
return 1;
}
SSL_CTX_set_client_CA_list(tdef->server_ssl_ctx,
SSL_load_client_CA_file(tdef->client_ca_certificates));
/* We could also create an empty stack ourselves and add subjects
* by using SSL_add_file_cert_subjects_to_stack, which could
* be used for cases where SSL_load_client_CA_file is not enough.
* Note that SSL_load_client_CA_file is a misnomer, it actually
* just collects the list of subjects and has nothing to do with
* whether those are CAs or what. */
if (SSL_CTX_get_client_CA_list(tdef->server_ssl_ctx) == NULL) {
/* The ..._set_... function does not have a return value. */
fprintf(stderr, "%s: Could not set the client CA list from "
"\"%s\".\n", Myname, tdef->client_ca_certificates);
return 1;
}
assert(tdef->client_verify_depth_s == HAS_BEEN_SET);
SSL_CTX_set_verify_depth(tdef->server_ssl_ctx,
tdef->client_verify_depth);
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: rsa_oaep_test
Dr Stephen Henson schrieb: > > Holger Reif wrote: > > > > Wouldn't it be a > > good idea to include it as "openssl rsa -verify"? > > > > Hmmm I was thinking of something analagous for some time but never got > round to it. There should be an RSA_check() function that will validate > an RSA private key: check p, q for primality then verify all the other > parameters and a -check parameter to the rsa utility. In case p and q are not available, my solution would be the best one can try, wouldn't it. When I used the test programm only e, d and (and the euler coefficient) were available and the only possible check I came to was the one I sent. I don't claim it's complete but at least a starter. -- Holger Reif Tel.: +49 361 74707-0 SmartRing GmbH Fax.: +49 361 7470720 Europaplatz 5 [EMAIL PROTECTED] D-99091 ErfurtWWW.SmartRing.de __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Programmatically exporing private key from Netscape
I'd like to programmatically export a user's private key from Navigator. I know the user can export it as a PKCS12 file, but I'd like to make it a little simpler for the user. I know that the private keys are stored in key3.db, which is in Berkeley DB 1.85 format. I suspect that the data is encrypted with 3DES (based on what I've read), although I'm not sure how they'd do it for the international version...maybe they use some "known" key bits. I also know the general format of cert7.db thanks to Dr. Stephen Henson (http://www.drh-consultancy.demon.co.uk). What I don't know (or have the slightest idea how to find out) is: 1. How the encryption key is derived from the password. 2. What format the private key is in after decrtyped. Another option would be to get Java or Javascript to export the private key somehow. I've heard someone say this is possible. Any help anyone could provide would be greatly appreciated! Thanks, Allen -- Allen Hadden [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Interesting Handshake behaviour
On Tue, Jun 29, 1999 at 12:42:38PM +0100, Sarah Bateman wrote: >> And I finally found the cause of your problem: You call >> BIO_sock_should_retry with the return value of SSL_accept. You should >> not do that, the BIO library already has done that when BIO_read and >> BIO_write were called by the SSL library. The result is stored inside >> the BIO structure, from where the SSL library can obtain it (through >> the BIO_should_read/write macros) when SSL_get_error is called; and >> SSL_get_error is what you should use in your program. > Thanks for your help, I'd love to report this was the problem, but > unfortunately not. Um ... well, it would have become a problem if the rest had worked. So maybe it's a problem of that library version, possibly it gets confused under some conditions when a recv returns early (the client key exchange message is too large to fit into a single TCP packet of usual size, so there's a difference between blocking and non-blocking I/O). __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
