SSL without RSA?
is it possible to do SSL (client side) without using RSA? I've checked into the faq's from RSA, openssl.org (well, mailing list archives), rsaref, etc. but am not sure of the answer. I think the ssl handshake uses a patented key exchange algorithm, is that true? I think that is the only obstacle, because after exchanging keys, it isn't mandatory to use RC2, RC4, etc, it is possible to use some other algorithm. Thanks! (sorry, this msg not specific to openssl, but Tia for any assistance) __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: CA and Certificates
At 04:39 AM 8/19/99 -0400, Patrick Brewer wrote: > > If I get a certificate from a CA can I then become a CA and create >certificates for machines in my domain? Or for virtual hosted domains? > The certificate you receive is 'branded' to the site name in the request, and can only be used on the named site. This establishes your traceability for a 'trust' relationship between your server and SSL enabled browsers that ALSO truse YOUR certificate origin. Becoming a CA is a different matter, .. involving YOUR issuance of certificated. IMLK, being a CA has nothing to do WITH getting a certificate FROM a CA. (What we do is described above.) If you are a CA issuing certificates, the certificates you issue are installed on the client machines, and you both have a trust relationship (i.e. the client trusts you, and you know the client's identity via the certificate you have issued them.) Each method is completely independent, .. the first involves *MUTUAL* trust of a public CA, .. the second involved a bi-directional trust between YOUR CA and identify-proven clients. >If so how can I create a certificate at other than compile time? I gather >that it is possible to create a certificate using openssl (the command), but I >can't find it documented anywhere. (I'm running from a binary RPM, from >Mandrake.) I would hate to have to compile a new copy of apache, each time I >wanted a new certificate. > Compile time has nothing to do with it. A self-created certificate is usable in either case above, though for the first case the client will get a few screens (four in NN) asking if they trust the issuer of the cert (i.e. you). If so, SSL is permitted. >When I get a real certificate from a CA, can I just copy it over the old >dummy certificate currently being used by my apache server? > Yes, assuming the names match. Lee Leland V. Lammert[EMAIL PROTECTED] Chief Scientist Omnitec Corporation Network/Internet Consultants www.omnitec.net __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
What's My Brain Damage?
OK I'm running Slackware 4.0 kernel 2.2.6 and I've got apache_1.3.6 apache_1.3.6+ssl_1.36 openssl-0.9.4.tar.gz I've followed the directions in both the readme's and the book (2nd edition): 1. compiled openssl-0.9.4 without errors 2. untar apache_1.3.6 3. untar apache_1.3.6+ssl_1.36 in the apache_1.3.6 directory 4. run .FixPatch 5. run .configure 6. cd into src and run make but I get the following: ===> modules/ssl gcc -c -I../../os/unix -I../../include -I/usr/local/openssl-0.9.4/include -DLINUX=2 -DTARGET=\"httpsd\" -DUSE_HSREGEX -DAPACHE_SSL `../../apaci` apache_ssl.c apache_ssl.c: In function `GetPrivateKey': apache_ssl.c:1162: too few arguments to function `PEM_read_RSAPrivateKey' apache_ssl.c: In function `GetCertificateAndKey': apache_ssl.c:1268: too few arguments to function `PEM_read_X509' make[2]: *** [apache_ssl.o] Error 1 make[1]: *** [all] Error 1 make: *** [subdirs] Error 1 What am I doing wrong? *** Dave D. Cawley| Where a social revolution is pending and, The Internet Cafe | for whatever reason, is not accomplished, Scranton, PA | reaction is the alternative. (717) 344-1969| [EMAIL PROTECTED] | -Daniel De Leon *** URL => http://www.scranton.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Generating a server certificate for Fixed Diffie-Hellman
Gerald Pattillo wrote: > > I am trying to set up a secure connection using royalty-free protocols. > Since I will own both ends, I can choose the ciphersuite to use, which > will be DH_DSS_DES_192_CBC3_SHA. I now have the RSA version > working, but in order to be avoid RSA royalties, I need to know how to > generate a certificate with DH parameters, signed with DSA. Can I use > the openssl tool for this??? Thanks for any help. > You don't need the parameters signed with DSA. You need some DH parameters, a DSA private key and a DSA certificate. You can generate DH parameters with openssl gendh, for example: openssl gendh -out dhparam.pem 1024 Theres a technique for generating DSA certificates outlined at the end of my PKCS#12 FAQ (see homepage), you can ignore the stuff about ca-fix. This is just one of several different ways to generate DSA CAs and certificates. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Is it a standard private key structure?
You received you private key from the CA??? You published your private key? Um, your certificate has not essentially been made useless, you realize, from a security perspective? Your private key is something you never never ever give out, and you keep it under lock and key! Further, you don't encrypt data with your private key, because the public in your cert that you presumably publish (server, etc.) means that ANYONE can decrypt it. You will typically encrypt the message with the recipient's public key, so that only they can encrypt it with their own private key. Unforutnately, if someone now encrypts a message with your public key (in your cert), you have now given anyone the ability to decrypt the message with the private key. I have generalized the above statements a bit - I suggest you read up on some security books and sources that are better than what I can provide here, and then go back and order another certificate. NortonNg wrote: > > hello, > > Recently, i get a certificate and my private key from > a CA. The certificate file can be read by openssl, but > the private key file can't be read. I wonder what is the private key > file format it was. The below private key was encoded by base64. > Can anyone can help me to find out how to read it using openssl. > I want to use it to encrypt message. > thanks. > > NortonNg. > > > o5d/mTw2vJqCX4DCHKSnlCtl9IAPw2o3TOwI3dK9ujrhVoKvrZ0O2krtp7cBUcRv > rhlV6qgoPURwOFs9+HSAdqsbw1Im5Y0CTq2r14ZbEU3rF4df35sMp0GMdpyK2M07 > GncX0qGRn/NugBfahiSqbAsXJ1XvThQK25bZBf6W+pLhjZ09gLGgFR/BH5axMfoN > XRVT/f14oFEVmDsy9m3lVZT+vji+HkjNHt5eXGx598ZGhdYklKv3+IBWhQhN1uPZ > 6qyeyP+RbUZN9RnA1XU62fkMkK4gkTaeGEAV8ll3CkSXYrrzeB13asmHNCq7Wn4C > OtXJH8dCtpigXqOdDcHmiRSQJqNNW8u8thmIHF7iVNm2Te/4xbA6cAxjhK+CYbrq > fApjxClh+AxzxNxJB5BtLKwkNzlmN0ZV91Ro3GIl836D/+NhVH05d8Jf/QxpDx/3 > 8o+KLw4db2JAD7DW6SfQtivA4y0FzaA3ZCD/u3zkDEDUkGQtTtiN9RR4t/sy30iE > W9rCjiapEYTNo8w2VGscvlZnqsI5rN4LgghAox1myo1vlwwD4w4Tt5kc6mBsC800 > H+UPotq5vIoMFmyt1PqS4uXfnNwikgg0r82I68wZE7AWJtUGc6CUYhAqfPFsraVP > aIJGLQA2Y1fYUPE0uClXa5tiwdhOt0Ae8PZSp28jQEXiWv/AnMn+kCkIm7Fg5uuZ > mljijR5K/JMkhcxqftgHRCyKbvPyipp9MFpUdG7uYLGMENzfuY0rlAJ6oX8dZ4aZ > bLu0jNJx44oeHKK55N2Y1H4w9QMDUTUBes2r5wcv9w8TvZ4TwHsIgLpW+dImHjeB > SgoYSb/PYJ8= > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] -- Thomas ReinkeTel: (416) 460-7021 Director of Technology Fax: (416) 598-2319 E-Soft Inc. http://www.e-softinc.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Is it a standard private key structure?
hello, Recently, i get a certificate and my private key from a CA. The certificate file can be read by openssl, but the private key file can't be read. I wonder what is the private key file format it was. The below private key was encoded by base64. Can anyone can help me to find out how to read it using openssl. I want to use it to encrypt message. thanks. NortonNg. o5d/mTw2vJqCX4DCHKSnlCtl9IAPw2o3TOwI3dK9ujrhVoKvrZ0O2krtp7cBUcRv rhlV6qgoPURwOFs9+HSAdqsbw1Im5Y0CTq2r14ZbEU3rF4df35sMp0GMdpyK2M07 GncX0qGRn/NugBfahiSqbAsXJ1XvThQK25bZBf6W+pLhjZ09gLGgFR/BH5axMfoN XRVT/f14oFEVmDsy9m3lVZT+vji+HkjNHt5eXGx598ZGhdYklKv3+IBWhQhN1uPZ 6qyeyP+RbUZN9RnA1XU62fkMkK4gkTaeGEAV8ll3CkSXYrrzeB13asmHNCq7Wn4C OtXJH8dCtpigXqOdDcHmiRSQJqNNW8u8thmIHF7iVNm2Te/4xbA6cAxjhK+CYbrq fApjxClh+AxzxNxJB5BtLKwkNzlmN0ZV91Ro3GIl836D/+NhVH05d8Jf/QxpDx/3 8o+KLw4db2JAD7DW6SfQtivA4y0FzaA3ZCD/u3zkDEDUkGQtTtiN9RR4t/sy30iE W9rCjiapEYTNo8w2VGscvlZnqsI5rN4LgghAox1myo1vlwwD4w4Tt5kc6mBsC800 H+UPotq5vIoMFmyt1PqS4uXfnNwikgg0r82I68wZE7AWJtUGc6CUYhAqfPFsraVP aIJGLQA2Y1fYUPE0uClXa5tiwdhOt0Ae8PZSp28jQEXiWv/AnMn+kCkIm7Fg5uuZ mljijR5K/JMkhcxqftgHRCyKbvPyipp9MFpUdG7uYLGMENzfuY0rlAJ6oX8dZ4aZ bLu0jNJx44oeHKK55N2Y1H4w9QMDUTUBes2r5wcv9w8TvZ4TwHsIgLpW+dImHjeB SgoYSb/PYJ8= __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Generating a server certificate for Fixed Diffie-Hellman
I am trying to set up a secure connection using royalty-free protocols. Since I will own both ends, I can choose the ciphersuite to use, which will be DH_DSS_DES_192_CBC3_SHA. I now have the RSA version working, but in order to be avoid RSA royalties, I need to know how to generate a certificate with DH parameters, signed with DSA. Can I use the openssl tool for this??? Thanks for any help. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: The Export-US cryptography.
How do i do it? Which flag? Which header? Looked in the FAQ, mod_ssl docs, but hard enough, maybe. Apache 1.3.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.2b HTTP_USER_AGENT = Mozilla/4.61 SSL_CIPHER = EXP-RC4-MD5 SSL_CIPHER_ALGKEYSIZE = 128 SSL_CIPHER_EXPORT = true SSL_CIPHER_USEKEYSIZE = 40 SSL_PROTOCOL = SSLv3 SSL_SERVER_A_KEY = rsaEncryption SSL_SERVER_A_SIG = md5WithRSAEncryption I tried to exclude the 40 bit ciphers in the NS prefs but then - no connection Is it not possible with above config? Hans Ben Laurie wrote: > Emmanuel Anne wrote: > > > > Until recently Ns and MSIE international browsers were limited to an > > exp-40 cryptography... Here is the info given by netscape : > > > > This is a secure document that uses a medium-grade encryption key suited > > for U.S. export (RC4-40, 128 bit with 40 secret). > > > > Well, I heard that now they have published a 56 bit international > > version (what a deal !). Anyway, apparently there is no way to use this > > new cryptography with openssl (even version 0.9.4)... is there ? > > Yes, there is. They are currently disabled by default, but there's a > flag in one of the ssl headers to switch them on. BTW, this also gives > you 1024 bit ephemeral RSA keys instead of 512. > > Which version of the browser supports the new ciphersuites? > > Cheers, > > Ben. > > -- > http://www.apache-ssl.org/ben.html > > "My grandfather once told me that there are two kinds of people: those > who work and those who take the credit. He told me to try to be in the > first group; there was less competition there." > - Indira Gandhi > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] -- _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ Hans Lohmander -- Sigma Exallon Information AB Internet & Intranet solutions Talkto:+46 (0)40 247636 Faxto:+46 (0)40 24 99 50 Mobile# +46 (0)709-898636 mailto:[EMAIL PROTECTED] http://www.ei.sigma.se/ ICQ# 9319123 _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ begin:vcard n:Lohmander;Hans tel;cell:+46 0709 898636 tel;fax:+46 40 249950 tel;work:+46 40 247636 x-mozilla-html:FALSE url:http://www.ei.sigma.se/ org:Sigma Exallon Information AB;Internet / Intranet adr:;;Stortorget 9;Malmö;;S-211 22;Sweden version:2.1 email;internet:[EMAIL PROTECTED] title:Konsult x-mozilla-cpt:;1 fn:Hans Lohmander end:vcard
Re: More: Anybody can help?
Roberto Lopez Navarro wrote: > > You were deadly right!! > > Thaks a lot. > > But why can't i do something like ca -cert_type [client, server, CA]? > > I think that openssl.cnf is designed to work like this, but it seems that ca > doesn't care about it, or, more probably, I don't know how to make it work. > > The people at OpenCA has developed a patch to ca that enables this behavior, > but there is no oficial 0.9.4 patch :-( > > Well. No much time for investigating so I will have to live with this > You can put an environment variable in a config file anywhere and handle things that way: the format is $ENV::name if I recall. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: More: Anybody can help?
You were deadly right!! Thaks a lot. But why can't i do something like ca -cert_type [client, server, CA]? I think that openssl.cnf is designed to work like this, but it seems that ca doesn't care about it, or, more probably, I don't know how to make it work. The people at OpenCA has developed a patch to ca that enables this behavior, but there is no oficial 0.9.4 patch :-( Well. No much time for investigating so I will have to live with this Thanxs again Roberto López Navarro [mailto:[EMAIL PROTECTED]] SGI Soluciones Globales Internet [http://www.esegi.es] Tel. +34 91 806 46 40 Fax. +34 91 806 46 41 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: binary version of openssl for window nt
Hi! You can find a binary version of openssl-0.9.4 (openssl.exe + DLLs) for win32 on ftp.replay.com (presently in /pub/crypto/incoming, will be shifted to /pub/crypto/crypto/OpenSSL). If you intend to develop your own SSL-based apps you can use the accompanying develop-version (binaries + headers + static libs) in the same directory. The port was done using the MingW32/GCC 2.95 development kit. Cheers, Joern __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]