Not read: RSA License + U.S. commercial u
__ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Archive / FAQ
Hi Holger:

I kept getting a blank page there too. Finally, I tried to view the document source in Netscape, there was all the text! I didn't bother to try to find any HTML mistake, but it must be the problem.

HTH
Pat

Holger Reif wrote:
>
> I want to check www.openssl.org/support/
> I want to check www.openssl.org/support/
> I want to check www.openssl.org/support/
> ...
>
> Michael Slass wrote:
> >
> > Where is the OpenSSL FAQ, or at least a searchable archive of this
> > mailing list?
>
> --
> Holger Reif                  Tel.: +49 361 74707-0
> SmartRing GmbH               Fax.: +49 361 7470720
> Europaplatz 5                [EMAIL PROTECTED]
> D-99091 Erfurt               WWW.SmartRing.de
Re: MSIE certificate expiration problem
On Fri, 16 Jul 1999, Stefan Kelm wrote:

> Holger,
>
> > > > Here, server cert:
> > > >
> > > > Validity
> > > > > Not Before: Jul 13 14:36:12 1999 GMT
> > > > > Not After : Jul 12 14:36:12 2000 GMT
> > >
> > > But the problem is solved. But don't ask me how I have done it :-)))
> > > (maybe the -msie_hack option to ca program)
> >
> > I guess the problem has been solved overnight ;-)
> > It could be possible that MSIE didn't realize
> > yesterday that "Jul 13 14:36:12 1999 GMT" is past.
> > But today, Jul 14th, MSIE knows for sure this cert
> > entered its own validity period ;-)
> >
> > No, I'm not kidding, some reports have shown, this
> > is reality.
>
> This is true, I'm afraid. There are a couple of different browsers
> (some Netscape browsers are vulnerable as well) that do not accept
> certificates as valid on the very same day as the validity period
> of the cert starts.

Well, it's not exactly related to the DAY of the start of the certificate, but to the DAY and TIME... To check this, just change your time to some hours in the future, and check. I did that for my certificates (I had the exact same problem as you), and putting my PC clock 1 hour in the future solved the problem...

Please note that I live in Paris, which is GMT+1... I think there are a lot of products unable to deal with time zones...

--
Erwann ABALEA
System and Development Engineer - Certplus SA
[EMAIL PROTECTED]
- RSA PGP Key ID: 0x2D0EABD5 -
Re: Problems building openssl 0.9.3a on Solaris 2.5.1 (and also NetBSD 1.3.3 x86)
Here's my output:

read_pwd.c: In function `des_read_pw':
read_pwd.c:267: warning: implicit declaration of function `fileno'
read_pwd.c: In function `pushsig':
read_pwd.c:387: storage size of `sa' isn't known
read_pwd.c:404: warning: implicit declaration of function `sigaction'
read_pwd.c:404: invalid use of undefined type `struct sigaction'
read_pwd.c:387: warning: unused variable `sa'
read_pwd.c: In function `popsig':
read_pwd.c:430: invalid use of undefined type `struct sigaction'
read_pwd.c: At top level:
read_pwd.c:188: storage size of `savsig' isn't known
*** Error code 1
Stop.
*** Error code 1
Stop.
*** Error code 1
Stop.

mail# cd /usr/include
mail# grep fileno *.h
dirent.h:#define d_ino d_fileno /* backward compatibility */
pcap.h:int pcap_fileno(pcap_t *);
stdio.h:short _file; /* fileno, if Unix descriptor, else -1 */
stdio.h:int fileno __P((FILE *));
stdio.h:#define __sfileno(p) ((p)->_file)
stdio.h:#define fileno(p) __sfileno(p)
zlib.h: fileno (in the file has been previously opened with fopen).

- Original Message -
From: Bodo Moeller <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 16, 1999 4:01 AM
Subject: Re: Problems building openssl 0.9.3a on Solaris 2.5.1 (and also NetBSD 1.3.3 x86)

> On Thu, Jul 15, 1999 at 06:00:03PM -0700, James Webster wrote:
>
> >>> read_pwd.c:267: warning: implicit declaration of function `fileno'
> >>> read_pwd.c:404: warning: implicit declaration of function `sigaction'
> >>> read_pwd.c:404: invalid use of undefined type `struct sigaction'
>
> >> If you look in read_pwd.c, you'll see that this should work without
> >> having struct sigaction etc. (but apparently Solaris 2.5.1 defines
> >> _POSIX_SOURCE without really supporting POSIX, so some #if conditions
> >> would have to be changed) -- but why is fileno not available? It
> >> should be declared in , which is #include'd. What does
> >> "man fileno" say?
>
> > Was there ever a resolution on this (I wasn't on the list when it
> > was sent)? I'm seeing the same thing on i586-whatever-netbsd.
>
> I don't think the problem was resolved. You say you see the same --
> does your NetBSD really not provide a declaration of fileno in ?
Re: please help with openssl + imap.
Try the following URL. It works for me with all versions of stunnel...

http://www.dtcc.edu/cs/admin/notes/ssl/

On Thu, 15 Jul 1999, John Castillo wrote:

> Hello All,
>
> Argghh.. where did my hair go!
>
> I have been trying to configure SSL for use with my current imap server (Cyrus). I found a couple of reference pages which point to SSLeay (openssl) and stunnel which would allow me to configure an SSL environment for Cyrus. If you could please help with some suggestions or explanation of the error messages I'm getting, you're awesome (because the key/cert/SSL part is stumping me). This is what I've done so far.
>
> built SSLeay0.8.1b
> built stunnel3.4a with RSAglue library
> added the proper entry in /etc/inetd.conf
> -namely simap stream tcp nowait cyrus /usr/local/sbin/stunnel -D 7 -l /usr/cyrus/bin/imapd imapd
>
> Everything looks good but now I get this error every time one of my clients (outlook express or Netscape messenger) tries
> to connect to the SSL secure IMAP server...
>
> Jul 15 17:45:20 phoenix stunnel[12524]: Wrong permissions on /usr/local/ssl/certs/stunnel.pem
> Jul 15 17:45:20 phoenix stunnel[12524]: Could not load DH parameters from /usr/local/ssl/certs/stunnel.pem
> Jul 15 17:45:20 phoenix stunnel[12524]: Diffie-Hellman initialization failed
> Jul 15 17:45:20 phoenix stunnel[12524]: stunnel 3.4a on i686-pc-linux-gnu PTHREAD+LIBWRAP
> Jul 15 17:45:20 phoenix stunnel[12524]: 7 connected from 172.16.0.227:3679
>
> It seems to WORK though.. I'm just wondering what all the DH errors are all about.
>
> John C.
Re: MSIE certificate expiration problem
Holger,

> > > Here, server cert:
> > >
> > > Validity
> > > > Not Before: Jul 13 14:36:12 1999 GMT
> > > > Not After : Jul 12 14:36:12 2000 GMT
> >
> > But the problem is solved. But don't ask me how I have done it :-)))
> > (maybe the -msie_hack option to ca program)
>
> I guess the problem has been solved overnight ;-)
> It could be possible that MSIE didn't realize
> yesterday that "Jul 13 14:36:12 1999 GMT" is past.
> But today, Jul 14th, MSIE knows for sure this cert
> entered its own validity period ;-)
>
> No, I'm not kidding, some reports have shown, this
> is reality.

This is true, I'm afraid. There are a couple of different browsers (some Netscape browsers are vulnerable as well) that do not accept certificates as valid on the very same day as the validity period of the cert starts.

Mad but true.

Cheers,
Stefan.

__
Stefan Kelm                  PGP key: "finger [EMAIL PROTECTED]" or via key server
DFN-PCA <[EMAIL PROTECTED]>
Vogt-Koelln-Str. 30          http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany)      Tel: +49 40 428 83-2262 / Fax: -2241
Re: openssl don't support pkcs7/dec.c don't support encrypt+sign message??
NortonNg wrote:
>
> i am using crypto/pkcs7/dec.c to decrypt the smime.p7m that outlook
> express5 generated( encrypted and sign message), but i found that
> dec.c just generate the result below, no plain text was generated.
> Anyone can help me??
>
> //---
> Content-Type: application/x-pkcs7-mime; name=smime.p7m; smime-type=signed-data
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename=smime.p7m
>

It's working fine: you've just missed a step out.

When most S/MIME clients "sign and encrypt" they take the message, sign it into a MIME object then take this signed MIME object as the input to the encryption process. That is encrypt(sign(data)).

So what you've done is to decrypt the data and you are left with the inner signed content. I'd guess you've set it to use opaque signing otherwise it would be a multipart/signed document.

Now you can use the crypto/pkcs7/verify program to verify the result and send the content to standard output.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
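To tell which layer of encrypt(sign(data)) you are holding before choosing between decrypting and verifying, the following added example (not part of the original thread and not OpenSSL code) reads the PKCS#7 ContentInfo type from the first bytes of a message body and compares it with the smime-type header. The two body prefixes are the leading characters of the messages posted in this thread; the enveloped-data headers, the mislabelled sample and all function names are constructed for the illustration.

```python
import base64
from email import message_from_string

# PKCS#7 content types (RFC 2315) and the step each layer calls for.
PKCS7_TYPES = {
    "1.2.840.113549.1.7.1": ("data", "nothing left to unwrap"),
    "1.2.840.113549.1.7.2": ("signed-data", "verify the signature to get the content"),
    "1.2.840.113549.1.7.3": ("enveloped-data", "decrypt with the recipient's private key"),
}


def read_length(buf, pos):
    """Parse a BER length at buf[pos]; return (length, next_pos).

    length is None for the indefinite form (0x80), which the streamed
    messages in this thread use ("MIAG" decodes to 30 80 06).
    """
    if pos >= len(buf):
        raise ValueError("truncated before length octet")
    first = buf[pos]
    if first == 0x80:
        return None, pos + 1
    if first < 0x80:
        return first, pos + 1
    end = pos + 1 + (first & 0x7F)
    if end > len(buf):
        raise ValueError("truncated long-form length")
    return int.from_bytes(buf[pos + 1:end], "big"), end


def decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:          # high bit clear ends this arc
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(arc) for arc in head + arcs[1:])


def content_type_oid(der):
    """ContentInfo ::= SEQUENCE { contentType OID, content [0] ... }"""
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    _, pos = read_length(der, 1)
    if pos >= len(der) or der[pos] != 0x06:
        raise ValueError("contentType OID missing")
    oid_len, pos = read_length(der, pos + 1)
    if oid_len is None or pos + oid_len > len(der):
        raise ValueError("truncated OID")
    return decode_oid(der[pos:pos + oid_len])


def classify_smime(message_text):
    """Report the S/MIME layer, the next step, and any header mismatch."""
    msg = message_from_string(message_text)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":   # clear signing: content is readable as-is
        return {"layer": "clear-signed", "declared": None, "mismatch": False,
                "next": "verify the detached signature part"}
    if ctype not in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        raise ValueError("not an S/MIME part: " + ctype)
    declared = msg.get_param("smime-type")
    # Only the first few bytes are needed; trim to whole base64 quanta.
    body = "".join(msg.get_payload().split())[:64]
    body = body[:len(body) - len(body) % 4]
    oid = content_type_oid(base64.b64decode(body))
    layer, step = PKCS7_TYPES.get(oid, ("unknown " + oid, "inspect manually"))
    mismatch = declared is not None and str(declared).lower() != layer
    return {"layer": layer, "declared": declared, "mismatch": mismatch, "next": step}


HEADERS = ("Content-Type: application/x-pkcs7-mime; name=smime.p7m; smime-type=%s\n"
           "Content-Transfer-Encoding: base64\n\n")
# Body prefixes as posted in the thread; everything else is constructed.
SIGNED = HEADERS % "signed-data" + "MIAGCSqGSIb3DQEHAqCA\n"
ENVELOPED = HEADERS % "enveloped-data" + "MIAGCSqGSIb3DQEHA6CA\n"
MISLABELLED = HEADERS % "enveloped-data" + "MIAGCSqGSIb3DQEHAqCA\n"

if __name__ == "__main__":
    for name, sample in (("signed", SIGNED), ("enveloped", ENVELOPED),
                         ("mislabelled", MISLABELLED)):
        print(name, classify_smime(sample))
```

A mismatch between the declared smime-type and the decoded content type is worth checking first when a mail client rejects a message that decrypts or verifies correctly on the command line.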
Re: Certificates and export
Olga Antropova wrote:
>
> Hi,
>
> I am in US and have to deal with export regulations on the encryption level.
> Does anyone know how the private/public key length is affected by those?
> Should the keys be 512 bits?
>

Disclaimer: I'm no expert on this (not being in the US) but...

I believe (?) this has been increased to 1024 bits. Signature only keys have no restrictions at all.

> The private key is encrypted (using DES - right?). Do the export regulations on
> DES key length apply here?
>
> If private key is encrypted using strong encryption will the application that
> only runs the export cipher suite be able to unlock such private key?
>

Private keys can be encrypted using a variety of algorithms. Usually triple DES is the default with OpenSSL. This cannot be exported from the US for general use. However it seems like it is permissible to export 3DES if it is only used to protect private keys, rather than general data encryption. Both Netscape and MS use 3DES to protect their private keys in PKCS#12 files in export versions of their software. "single" DES (56 bits) is not considered adequate for private key protection.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Passing user data to password callbacks
Ben Laurie wrote:
>
> Holger Reif wrote:
> >
> > There has been a discussion on this recently. The conclusion was
> > it should be changed. I think it was even agreed on how to do
> > this. But I think nobody took the task of actually implementing
> > it. (Please correct me if I'm wrong!)
>
> You are right. Not sure we entirely got to the end of "do we break
> everything or do it upwards compatibly?", though. Upwards compatibility
> is easy, so why not, I say...
>

Well I did some changes which make this kind of thing much easier to do. All the PEM routines are now made from macros: changing the macros automatically changes all the routines.

I think the consensus was slightly in favour of "break everything" but it was pretty much equal. Since the fix to broken code is trivial (add an extra NULL and ignore an extra parameter in the callback) it shouldn't be too painful.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: openssl pkcs7 object incompatible with outlook,netscape??
NortonNg wrote:
>
> hello all,
> i wonder if the openssl pkcs7 object is compatible with outlook
> express5 and netscape messenger. Because i have success to decrypt
> the smime.p7m produced by outlook express5 to plaintext(smime.txt)
> by command
> dec -k server.pem smime.p7m (of course i add the -----BEGIN PKCS7----- and
> -----END PKCS7----- to smime.p7m file.)
> but, unfortunately, when i try to encrypt the smime.txt to smime2.p7m
> ,i found that smime2.p7m is not equal to smime.p7m. but both can
> generate the same plaintext by dec.c. And if i replace the smime.p7m file
> to smime2.p7m , then outlook express or netscape messenger does not
> recognize it! (invalid encryption!!) Why?
>

Here's some more info. When you encrypt a message with enc it generates a random encryption key and includes it encrypted with the recipient's public key. This is one reason why the output is different each time: it wouldn't be very secure if it always used the same key!

Now your two messages. The one from MS Outlook is encrypted using weak 40 bit RC2. The one you generated uses triple DES. Export versions of software cannot decrypt triple DES which is probably the problem. Check what the security window says when you click on the invalid encryption icon.

So you have two options. Either patch your software to use strong encryption (using fortify or the MS domestic security patch) or just change the encryption used: there is a -c option to enc.c which allows an alternative cipher to be used. If you use -c RC2-40-CBC then it will use 40 bit RC2 as well.

BTW if the security window says something about invalid DER data or something like that then this is usually a problem with the MIME headers. If you use the output of, for example, Messenger as a template and substitute your own data at the end then you should be OK.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: verify callbacks, error reporting, CA-lists? (newbie) (long)
On Fri, Jul 16, 1999 at 11:54:31AM +0200, Jesper Trägårdh wrote:
> Bodo Moeller wrote:

>> Actually it's not just one error, there's a list of them.
>> You call ERR_get_error again and again until it returns 0.
>> Sometimes in error situations the error queue can even be empty,
>> and sometimes it might contain more than one item.

> Ok, is there some "algorithm" to filter out the "most important error" -
> for example to decide what action to take?

Well, no. All such errors are real errors, i.e. usually fatal; unlike with errno, there's no EWOULDBLOCK or so in the OpenSSL error queue, because the non-errors for non-blocking I/O are handled by other means.

>> You can use SSL[_CTX]_set_verify_depth (unless you are using OpenSSL
>> 0.9.2b or earlier, which your include filenames suggest). Then you
>> don't have to define a verification callback just to limit chain
>> depth (but unfortunately the internal verification function does not
>> produce X509_V_ERR_CERT_CHAIN_TOO_LONG when this depth is exceeded,
>> instead it tries to verify the truncated chain, which will result
>> in some other error code).

> Ok. Say that I will use my callback-function to produce a
> X509_V_ERR_CERT_CHAIN_TOO_LONG - how do I get a hold of the value set
> with SSL_set_verify_depth (or the CTX-function) so I can compare it with
> the X509_STORE_CTX_get_error_depth(X509_STORE_CTX *) function?

There's SSL_get_verify_depth, and ssl_verify_cert_chain sets a pointer to the SSL structure by using X509_STORE_CTX_set_ex_data. For details on how to do this, presumably you'll have to read the sources (ssl/ssl_cert.c, crypto/x509/x509_vfy.h, crypto/x509/x509_vfy.c).

Actually, X509_verify_cert and internal_verify (in x509_vfy.c) both should largely be rewritten because they make assumptions about uniqueness of names that are not warranted, and don't know about X.509 v3 extensions.

>> This does not work. SSL_pending never reads data from the network, it
>> just looks if there are leftovers from previous SSL_read's buffered
>> internally. You always have to use SSL_read to get something done;
>> if you want to avoid blocking, you have to set the underlying sockets
>> into non-blocking mode.

> Ok. But if I use non-blocking I/O I must handle that the SSL_read() might
> return 0 although the select()-call (or similar) said that data was
> available (maybe the data couldn't be decrypted or something like that)
> - am I right?

SSL_read will return 0 only if the connection was closed, and -1 in case of errors or EWOULDBLOCK and the like. Use SSL_get_error to interpret the return value.

> s = SSL_pending() just says that "your next call to read will return at
> least s bytes without blocking" or rather could be used in this kind of
> loop:
>
> numbytes = SSL_read(...);
> while (SSL_pending() != 0) {
>     numbytes = SSL_read(...); // append to buffer
> }
>
> to read all data currently available (plus what might have come in extra
> due to each SSL_read-call), right?

Yes, I think so.
Re: Problems building openssl 0.9.3a on Solaris 2.5.1 (and also NetBSD 1.3.3 x86)
On Thu, Jul 15, 1999 at 06:00:03PM -0700, James Webster wrote:

>>> read_pwd.c:267: warning: implicit declaration of function `fileno'
>>> read_pwd.c:404: warning: implicit declaration of function `sigaction'
>>> read_pwd.c:404: invalid use of undefined type `struct sigaction'

>> If you look in read_pwd.c, you'll see that this should work without
>> having struct sigaction etc. (but apparently Solaris 2.5.1 defines
>> _POSIX_SOURCE without really supporting POSIX, so some #if conditions
>> would have to be changed) -- but why is fileno not available? It
>> should be declared in , which is #include'd. What does
>> "man fileno" say?

> Was there ever a resolution on this (I wasn't on the list when it
> was sent)? I'm seeing the same thing on i586-whatever-netbsd.

I don't think the problem was resolved. You say you see the same -- does your NetBSD really not provide a declaration of fileno in ?
No Subject
Is it possible to build openssl as Win32 .lib for usage in another prog, e.g. a GUI wrapper?

Daniel

__
The OpenSA Project www.opensa.de
User Support Mailing List [EMAIL PROTECTED]
Project Information [EMAIL PROTECTED]
Ask the Developers [EMAIL PROTECTED]
Re: verify callbacks, error reporting, CA-lists? (newbie) (long)
Bodo Moeller wrote:

First. Thank you very much for your answers. :)

> > * Error reporting?
> >
> > There seem to be several way to check for errors.
> > There is the ERR_get_error() (does this clear the error?)
>
> Actually it's not just one error, there's a list of them.
> You call ERR_get_error again and again until it returns 0.
> Sometimes in error situations the error queue can even be empty,
> and sometimes it might contain more than one item.

Ok, is there some "algorithm" to filter out the "most important error" - for example to decide what action to take?

> > If I change the list of preferred ciphers so that the client and the
> > server has no common cipher (the server is an export version of MS
> > IIS) then SSL_connect() returns -1, SSL_get_verify_result() returns 0
> > (reasonable - there has been no cert verification yet) but
> > ERR_get_error() returns 0 (isn't that supposed to be the code for
> > OK?).
>
> No, it does not mean "no error". It just means that the error stack
> is empty. SSL_read and SSL_write don't usually write something on the
> error stack (although this can happen under certain circumstances);
> SSL_get_error tells you that something went wrong, and then details
> *may* be available via ERR_get_error().
>
> > SSL_get_error() returns 6. Where do I look for a #define to
> > match that error? (the only thing I can see in ssl.h is
> > SSL_ERROR_ZERO_RETURN and that seems pretty confusing).
>
> SSL_ERROR_ZERO_RETURN can happen only if the return value passed to
> SSL_get_error is 0 (see ssl_lib.c). It means that the connection was
> closed.

I thought about this and probably MS IIS just closes the connection if no common ciphers are available.

> You can use SSL[_CTX]_set_verify_depth (unless you are using OpenSSL
> 0.9.2b or earlier, which your include filenames suggest). Then you
> don't have to define a verification callback just to limit chain
> depth (but unfortunately the internal verification function does not
> produce X509_V_ERR_CERT_CHAIN_TOO_LONG when this depth is exceeded,
> instead it tries to verify the truncated chain, which will result
> in some other error code).

Ok. Say that I will use my callback-function to produce a X509_V_ERR_CERT_CHAIN_TOO_LONG - how do I get a hold of the value set with SSL_set_verify_depth (or the CTX-function) so I can compare it with the X509_STORE_CTX_get_error_depth(X509_STORE_CTX *) function?

> This does not work. SSL_pending never reads data from the network, it
> just looks if there are leftovers from previous SSL_read's buffered
> internally. You always have to use SSL_read to get something done;
> if you want to avoid blocking, you have to set the underlying sockets
> into non-blocking mode.

Ok. But if I use non-blocking I/O I must handle that the SSL_read() might return 0 although the select()-call (or similar) said that data was available (maybe the data couldn't be decrypted or something like that) - am I right?

s = SSL_pending() just says that "your next call to read will return at least s bytes without blocking" or rather could be used in this kind of loop:

numbytes = SSL_read(...);
while (SSL_pending() != 0) {
    numbytes = SSL_read(...); // append to buffer
}

to read all data currently available (plus what might have come in extra due to each SSL_read-call), right?

Regards
Jesper
Re: Passing user data to password callbacks
Holger Reif wrote:
>
> There has been a discussion on this recently. The conclusion was
> it should be changed. I think it was even agreed on how to do
> this. But I think nobody took the task of actually implementing
> it. (Please correct me if I'm wrong!)

You are right. Not sure we entirely got to the end of "do we break everything or do it upwards compatibly?", though. Upwards compatibility is easy, so why not, I say...

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi
Re: AW: RE: How to choose and reduce the size of openssl library
[EMAIL PROTECTED] wrote:
>
> --
> >From: jhkwon / unix, mime
> >"On a side note: Disabling line editing in 'bash' saves >100k, but I
> >really like that feature... :-("
> >
> >I suppose that bash is another unix shell.
>
> Correct. A freeware clone of the famous Bourne Shell.

Hardly. It does far more than the Bourne Shell ever did.

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi
openssl pkcs7 object incompatible with outlook,netscape??
hello all,
i wonder if the openssl pkcs7 object is compatible with outlook express5 and netscape messenger. Because i have success to decrypt the smime.p7m produced by outlook express5 to plaintext(smime.txt) by command
dec -k server.pem smime.p7m (of course i add the -----BEGIN PKCS7----- and -----END PKCS7----- to smime.p7m file.)
but, unfortunately, when i try to encrypt the smime.txt to smime2.p7m, i found that smime2.p7m is not equal to smime.p7m. but both can generate the same plaintext by dec.c. And if i replace the smime.p7m file to smime2.p7m, then outlook express or netscape messenger does not recognize it! (invalid encryption!!) Why?

//the below file is server.pem

subject=/O=British Telecommunications plc/OU=BT Trustwise - Class 1 Individual CA/OU=www.trustwise.com/repository/RP Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Netscape/CN=Norton [EMAIL PROTECTED]
issuer= /O=British Telecommunications plc/OU=BT Trustwise - Class 1 Individual CA
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7e:28:27:28:a9:15:c0:04:cc:3e:d1:72:0a:38:d8:a9
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=British Telecommunications plc, OU=BT Trustwise - Class 1 Individual CA
        Validity
            Not Before: Jul 6 00:00:00 1999 GMT
            Not After : Sep 4 23:59:59 1999 GMT
        Subject: O=British Telecommunications plc, OU=BT Trustwise - Class 1 Individual CA, OU=www.trustwise.com/repository/RP Incorp. by Ref.,LIAB.LTD(c)98, OU=Persona Not Validated, OU=Digital ID Class 1 - Netscape, CN=Norton [EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            Netscape Cert Type:
            2.16.840.1.113733.1.6.3:
    Signature Algorithm: md5WithRSAEncryption

//the file below is generated by outlook express5. smime.p7m (encrypt only)
openssl don't support pkcs7/dec.c don't support encrypt+sign message??
i am using crypto/pkcs7/dec.c to decrypt the smime.p7m that outlook express5 generated( encrypted and sign message), but i found that dec.c just generate the result below, no plain text was generated. Anyone can help me??

//---
Content-Type: application/x-pkcs7-mime; name=smime.p7m; smime-type=signed-data
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m
Re: Passing user data to password callbacks
There has been a discussion on this recently. The conclusion was it should be changed. I think it was even agreed on how to do this. But I think nobody took the task of actually implementing it. (Please correct me if I'm wrong!)

AFAIR it was the idea to do it the same way you did, only the additional parameter would be void* instead of char*.

You can do the change and submit a patch to this dev list for inclusion into further versions. Please keep in mind that some apps (like rsa, x509) are using this callback and need changes as well.

Damien Miller wrote:
>
> I want to add the facility to pass user data to password callback
> functions. e.g.
>
> RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x, pem_password_cb *cb)
>
> becomes
>
> RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x, pem_password_cb *cb, char *user_data)
>
> and
>
> typedef int pem_password_cb(char *buf, int size, int rwflag);
>
> becomes
>
> typedef int pem_password_cb(char *buf, int size, int rwflag, char *user_data);
>
> IMO this feature is essential. Currently if password callbacks need to
> access external data (GUI elements for example) they must refer to
> global variables. This (again IMO) is ugly and can be dangerous in a
> threaded environment.
>
> I don't want to break all the apps which depend on the current API. Can
> one of the developers suggest a nice way this feature can be presented?
>
> Regards,
> Damien Miller
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.ilogic.com.au/~dmiller
> | Email: [EMAIL PROTECTED] (home) -or- [EMAIL PROTECTED] (work)

--
Holger Reif                  Tel.: +49 361 74707-0
SmartRing GmbH               Fax.: +49 361 7470720
Europaplatz 5                [EMAIL PROTECTED]
D-99091 Erfurt               WWW.SmartRing.de
Re: OpenSSL and Apache
VORISJ wrote:
>
> I need some help on installing a key received from Verisign on a
> Server running Apache 1.3.6 and OpenSSL 0.9.2b. Specifically the
> syntax once I have the key.

(1) You are on the openssl list. Depending on the package you use you should either go to modssl-users@... or apache-ssl@...

(2) This *is* a FAQ for both packages. Please check the FAQs that are online for both packages.

--
Holger Reif                  Tel.: +49 361 74707-0
SmartRing GmbH               Fax.: +49 361 7470720
Europaplatz 5                [EMAIL PROTECTED]
D-99091 Erfurt               WWW.SmartRing.de
Re: Archive / FAQ
I want to check www.openssl.org/support/
I want to check www.openssl.org/support/
I want to check www.openssl.org/support/
...

Michael Slass wrote:
>
> Where is the OpenSSL FAQ, or at least a searchable archive of this
> mailing list?

--
Holger Reif                  Tel.: +49 361 74707-0
SmartRing GmbH               Fax.: +49 361 7470720
Europaplatz 5                [EMAIL PROTECTED]
D-99091 Erfurt               WWW.SmartRing.de
AW: RE: How to choose and reduce the size of openssl library
--
>From: jhkwon / unix, mime
>"On a side note: Disabling line editing in 'bash' saves >100k, but I
>really like that feature... :-("
>
>I suppose that bash is another unix shell.

Correct. A freeware clone of the famous Bourne Shell.

>But I don't know the meaning of Disabling line editing in bash.

On most unix shells you have the ability to edit the command line and command history quite comfortably. If you don't compile those features, you obviously save space.