Client certificate-problem

1999-12-15 Thread P.K.B. Hari Gopal

Hi,
I have created a client certificate with my CA using openssl as
openssl ca -in client.csr
Then converted it into DER encoded format and trying to import it into
browser. But it is not listing the certificate in any category of
certificates. Even it is not listing it in certificates list when I
tried to connect to Apache SSL server with client authentication option
enabled.
How to solve this? Is it the correct procedure of creating client
certificates? I just uncommented the SSLVerifyClient require line in
httpd.conf file.
In which section I have to specify if I want different access
permissions for a particular directory or URL? (I am working on WindowsNT 4.0).
Thanks and Regards,
Hari.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



SSL and Outlook Express

1999-12-15 Thread Michal Otoupalik


Hi,
I'm working on SSL wrapper for SMTP, POP3, IMAP (based on OpenSSL 0.9.4) and I have
some problems with Outlook Express.

Everything works well until I turn on peer certificate verification (client must have
a certificate) on server. I examined server logs and I discovered that Outlook Express
did not send any client certificate and connection failed. (OE says: Error 0x800CCC1A)
I have tried Outlook Express 4 and 5 and result was the same.
Then I verified SSL layer on server by Internet Explorer (HTTPS) and all was ok.
IE offered dialog box with list of client certificates, sent certificate and SSL
connection was established. It seems that SSL server and certificates are ok.
When I use Netscape, it works without problems.

Does anybody know why Outlook Express does not send client certificates?
Thanks.

Michal Otoupalik <[EMAIL PROTECTED]>





RSA_public_encrypt routine

1999-12-15 Thread Marco Nardelli

Hello everyone

I am doing a project about security using the SSLeay but I have some
troubles in handling certificates and keys.
I need to extract the public key from a "certificate.pem" and convert it
in a *rsa type to pass it as the fourth argument of RSA_public_encrypt
routine.
Can anyone help me?

Thanks in advance

Regards
Marco Nardelli





stunnel use of openssl problem?

1999-12-15 Thread Otto L. Miller


Good Day,
I have just built openssl and stunnel on a Sparc Solaris 2.6 machine.
When I test stunnel, based on the INSTALL instructions it fails on startup.
The command and error follow:
./stunnel -f -d 993 -r imap
LOG3[6564:1]:SSL_CTX_use_certificate_file:error:0200100D:system library:fopen:ASN1 lib
I built the server certificate with the following commands.  It
is a bit of a mix from the Makefile and man page.
openssl req -new -nodes -x509 -days 365 -config \
   stunnel.cnf -out stunnel.pem -keyout stunnel.pem
openssl gendh -rand `test -c /dev/random && echo /dev/random` \
   512 >> stunnel.pem
openssl x509 -subject -dates -fingerprint -noout \
   -in stunnel.pem
Any thoughts as to what is wrong and how to fix it?
Thanks in advance,
Otto
--
Otto L. Miller
[EMAIL PROTECTED]
SSDS
Suite 400
2751 Prosperity Avenue
Fairfax, VA  22031-4308
703-289-2271 Voice
703-208-1791 Fax
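
Added example (not part of the original post, and not stunnel or OpenSSL code): a small Python decoder for the packed error code in the log line above, assuming the pre-3.0 OpenSSL layout of 8-bit library, 12-bit function and 12-bit reason. The helper name decode_openssl_error is hypothetical.

```python
import errno
import os
import re

# Pre-3.0 OpenSSL packs an error code as
# 8-bit library | 12-bit function | 12-bit reason.
ERR_LIB_SYS = 2  # "system library": the reason field holds the C errno

# Log line from the post above, re-joined onto one line.
LOG_LINE = ("LOG3[6564:1]:SSL_CTX_use_certificate_file:"
            "error:0200100D:system library:fopen:ASN1 lib")

ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def decode_openssl_error(line):
    """Unpack an 'error:XXXXXXXX:lib:func:reason' entry from a log line."""
    m = ERROR_RE.search(line)
    if m is None:
        raise ValueError("no OpenSSL error entry in line")
    code = int(m.group(1), 16)
    info = {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "reason_text": m.group(4).strip(),
        "errno_name": None,
        "errno_text": None,
    }
    if info["lib"] == ERR_LIB_SYS:
        # The printed reason can be a generic label that merely shares the
        # number (13 is also the generic "ASN1 lib" reason); trust the errno.
        info["errno_name"] = errno.errorcode.get(info["reason"])
        info["errno_text"] = os.strerror(info["reason"])
    return info


if __name__ == "__main__":
    info = decode_openssl_error(LOG_LINE)
    print("lib=%(lib)d func=%(func)d reason=%(reason)d" % info)
    print("printed reason text: %(reason_text)s" % info)
    print("errno: %(errno_name)s (%(errno_text)s)" % info)
```

For the log line above this yields errno 13 (EACCES): the fopen of the certificate file was refused, so the permissions on that file and its directory for the user running stunnel are the first thing to check.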
 




Re: Using Netscape CA certs.

1999-12-15 Thread William J. Sproule

Hi Ricardo,

Do you have openssl built?   

Ricardo Stella wrote:
> 
> Please redirect me to a more appropriate group if needed...
> 
> How can I generate private keys and certs from my Netscape Cert Server so
> I can use it with stunnel or sslwrap ? (ie in pem format ?)
> 
> TIA.



Re: SSL and Outlook Express

1999-12-15 Thread Lutz Jaenicke

On Wed, Dec 15, 1999 at 03:35:31PM +0100, Michal Otoupalik wrote:
> I'm working on SSL wrapper for SMTP, POP3, IMAP (based on OpenSSL 0.9.4) and I have
> some problems with Outlook Express.
> Everything works well until I turn on peer certificate verification (client must
> have a certificate)
> on server. I examined server logs and I discovered that Outlook Express did not send
> any client certificate and connection failed. (OE says: Error 0x800CCC1A)
> I have tried Outlook Express 4 and 5 and result was the same.
> Then I verified SSL layer on server by Internet Explorer (HTTPS) and all was ok.
> IE offered dialog box with list of client certificates, sent certificate and SSL
> connection was established. It seems that SSL server and certificates are ok.
> When I use Netscape, it works without problems.
> Does anybody know why Outlook Express does not send client certificates?

Hi,

as far as I could find out during my work on Postfix/TLS (STARTTLS extension
to the postfix SMTA), Outlook Express simply does not present client
certificates.

For the why:
From digging around in the Knowledge Base I came to the conclusion that
MS Exchange server does not authenticate by client certificates, so the
Outlook Express client does not support it. That would match the natural
MicroS*t way to see it.

Best regards,
Lutz
PS. I would love to hear that I am wrong and there is a solution...
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: Certificate Revocation

1999-12-15 Thread Massimiliano Pala

Mario Fabiano wrote:

> 
> I have just a remark and a question:
> 
> openssl ca -revoke does not give back a return code, which should be very
> useful when you invoke the command from a script.

Sure, if no one is going to patch this I can do it (as I wrote this part!)
it should not take long.

> openssl ca -revoke asks for the CA key protection password, but the CA
> key should be needed only to issue the CRL that must be signed.
> 

NO. As the CA, from now on will consider the certificate REVOKED and in
every CRL issued will mark it as R. Only the CA operator who knows the
ca key passwd should be able to revoke certificates.

C'you,

Massimiliano Pala ([EMAIL PROTECTED])


Re: Using Netscape CA certs.

1999-12-15 Thread Ricardo Stella


Yes...

I saw a des_chop perl script but apparently it's made to take in a der
format certificate or key.  Netscape has them in .db format...

BTW, someone recently posted some tools to extract this but only working
under Linux.  I'm on solaris platform...

TIA...

"William J. Sproule" wrote:
> 
> Hi Ricardo,
> 
> Do you have openssl built?
> 
> Ricardo Stella wrote:
> >
> > Please redirect me to a more appropriate group if needed...
> >
> > How can I generate private keys and certs from my Netscape Cert Server so
> > I can use it with stunnel or sslwrap ? (ie in pem format ?)
> >
> > TIA.
> >




OpenSSL CA as trusted CA in Netscape browser - help

1999-12-15 Thread Rabindra Basak

I'm using OpenSSL to make a CA and eventually generate an object-signing
certificate to sign objects using Netscape's signtool. I am unable to
get the CA certificate installed in the Netscape as a trusted signer.

Has anyone come across a similar problem?

-Rabindra




RE: keys and certificates stored in netscape communicator db

1999-12-15 Thread Rene G. Eberhard

> Documentation (very minimal) and source code are at the 
> following address
> http://spsl.security.unisa.it
> 

Did you port db 1.85 on Win 32bit systems?

Regards Rene

--
---
Rene G. Eberhard
Mail  : [EMAIL PROTECTED] 




asking for help about S/MIME clients

1999-12-15 Thread TITARD



Hi everyone,

I am trying to build an S/MIME client with openssl.
The messages I received have a digital envelope (bulk + signature
are encrypted together) and a certificate but
no recursivity (in the sense that there is no encrypted message within the
first encrypted one). This client would replace a MIME-client in a fully
automated management system; it needs both ends - the actual sending/receiving
is done by Unix sendmail (HP-UX and Solaris).

I have two questions:

* has anybody written some script based on the command openssl (or a mix
C-code/script-wrapper) that I could use as a starting point?

* has anybody some sample code (using lib openssl) that could be of help in 
that matter? 

advice on the matter would be very welcomed - I mean:
is building a S/MIME client really tough (in the sense that the routines of 
the library are really low-level) or can I manage getting a first approximation
in say 5-10 pages of code?

addresses on the web would be also welcomed

Thanks in advance 
stephan


(sent to: [EMAIL PROTECTED])
Stephan G. TITARD
Telefonica I+D, Emilio Vargas 6, 28043 Madrid (Spain)
Despacho: S 324 (sotano oeste)
Tel(s): +34 913379083, +34 913374786
Movil: +34 630545970
Fax.: +34 913374222
e-mail(s): [EMAIL PROTECTED]



Re: OpenSSL CA as trusted CA in Netscape browser - help

1999-12-15 Thread Rabindra Basak

Rabindra Basak wrote:
> 
> I'm using OpenSSL to make a CA and eventually generate an object-signing
> certificate to sign objects using Netscape's signtool. I am unable to
> get the CA certificate installed in the Netscape as a trusted signer.
> 
> Has anyone come across a similar problem?
> 
> -Rabindra

I have used the following v3 extensions:
nsCertType = critical, objsign, objCA.

The test certificate generated using signtool has the same extension and
shows up as one of the signers in Netscape. The OpenSSL CA cert does not
show up as a signer. 

- Rabindra




Re: asking for help about S/MIME clients

1999-12-15 Thread Dr Stephen Henson

TITARD wrote:
> 
> Hi everyone,
> 
> I am trying to build an S/MIME client with openssl.
> The messages I received have a digital envelope (bulk + signature
> are encrypted together) and a certificate but
> no recursivity (in the sense that there is no encrypted message within the
> first encrypted one). This client would replace a MIME-client in a fully
> automated management system; it needs both ends - the actual sending/receiving
> is done by Unix sendmail (HP-UX and Solaris).
> 
> I have two questions:
> 
> * has anybody written some script based on the command openssl (or a mix
> C-code/script-wrapper) that I could use as a starting point?
> 
> * has anybody some sample code (using lib openssl) that could be of help in
> that matter?
> 
> advice on the matter would be very welcomed - I mean:
> is building a S/MIME client really tough (in the sense that the routines of
> the library are really low-level) or can I manage getting a first approximation
> in say 5-10 pages of code?
> 

OpenSSL 0.9.5 will have a simplified high level S/MIME API and a command
line 'smime' utility as part of the 'openssl' command line tool. This
makes it possible to write a minimal S/MIME client in 5-10 *lines* of
code.

It doesn't (yet) automatically maintain a user certificate database or
do clever stuff like working out the encryption certificate if it's not
the same as the signer's, or working out the supported ciphers.

I suggest you download the latest snapshot, read the 'smime' utility
docs and see what (if anything) is missing.

You can do similar stuff in 0.9.4 but you need to handle lots of yucky
low level stuff and do the MIME parsing yourself.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



Re: OpenSSL CA as trusted CA in Netscape browser - help

1999-12-15 Thread Michael Sierchio

Rabindra Basak wrote:
> 
> I'm using OpenSSL to make a CA and eventually generate an object-signing
> certificate to sign objects using Netscape's signtool. I am unable to
> get the CA certificate installed in the Netscape as a trusted signer.

Present the cert with MIME type:

application/x-x509-ca-cert

And Netscape will ask if you want to add it to the CA Store.

-- 
QUI ME AMET, CANEM MEUM ETIAM AMET



grep error in compiling OpenSSL-0.9.4

1999-12-15 Thread PursuitWatch

Can anyone give me a fix?

The config identifies my system as: i586-whatever-linux2
and uses linux-elf for the config run.

When running make, I get a grep error.  Anyone know what to do?



$ make
making all in crypto...
make[1]: Entering directory `/usr/home/pursuitwatch/ssl/openssl-0.9.4/crypto'
( echo "#ifndef MK1MF_BUILD"; \
echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
echo "  #define CFLAGS \"gcc -DTHREADS -D_REENTRANT -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM\""; \
echo "  #define PLATFORM \"linux-elf\""; \
echo "  #define DATE \"`date`\""; \
echo "#endif" ) >buildinf.h
gcc -I. -I../include -DTHREADS -D_REENTRANT -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c cryptlib.c -o cryptlib.o
grep: illegal option -- I
usage: grep [-[[AB] ]] [-[CEFGVchilnqsvwx]] [-[ef]]  []
grep: illegal option -- I
usage: grep [-[[AB] ]] [-[CEFGVchilnqsvwx]] [-[ef]]  []
grep: illegal option -- I
usage: grep [-[[AB] ]] [-[CEFGVchilnqsvwx]] [-[ef]]  []
grep: illegal option -- I
(grep error continues...)

thanks,
Ken Kuwahara
