Re: Generating CSR for Netscape Certificate Server based CA (fwd)
Hello,

On 29 Jan 00, at 19:48, Merton Campbell Crockett wrote:

> To date, I have not been able to generate a CSR that is acceptable to the Netscape Certificate Server. All requests are rejected with a "bad DER encoding" error.

I had the same error message from Navigator with a certificate that included an underscore in the CN.

greetings
Nico

--
Nicolás Aragón [EMAIL PROTECTED]
Departamento de Industria y Servicios
Software AG España

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
SSL_read problem
hi.

when I run SSL_read on a socket (as the client), where the server is down, SSL_read returns with 0 - as there were no bytes to read from socket. This is not true - the server is down and there will never be something to read from server. Because the SSL_read command is non blocking and is in a loop until the buffer is read - the result is an endless loop.

Can anyone suggest a method to check whether the SSL_read returns 0 because there is nothing to read or because the socket is broken? Trying to write into the socket would do (the 'regular' write returns with signal SIGPIPE and return value of EPIPE) - but I don't want to write into the socket.

What can I do?

Thanks in advance,
Amir Amit
RE: HTTP-Post and OpenSSL
Hi,

I had no problems using LWP::UserAgent and Crypt::SSLeay for HTTPS-Post. You just have to apply a small patch to LWP if you have to use a proxy for your https connection but then everything works fine. The only thing I did not (yet) get to work is SSL with client authentication using client certificates.

Regards,
Reiner.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alexander Wanke
Sent: Friday, January 28, 2000 6:25 PM
To: [EMAIL PROTECTED]
Subject: HTTP-Post and OpenSSL

> Hi there,
>
> I've tried to install Crypt::SSLeay and also Net::SSLeay - both attempts failed. Is it possible at all to use them together with the latest version of openssl? I wanted to use them to generate HTTPS-POST-messages. Are there other solutions available?
>
> TIA!
>
> Regards,
> Alexander Wanke
>
> --
> Integra Deutschland
> Alexander Wanke
> [EMAIL PROTECTED]
> Tel.: +49/6172/6726-00
> Kaiser-Friedrich-Promenade 87
> D-61348 Bad Homburg
> http://www.integra-europe.de
R: Automatic certs import into Netscape
Thanks Ivan, it may be very useful for my work, but I can't reach the page: anything down with your server?

Bye,
Stefano Bergamasco

-----Original Message-----
From: Ivan Visconti [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 28, 2000 2:17 PM
Subject: Re: Automatic certs import into Netscape

> Hi,
>
> I have developed a library (MOZ2I) and a tool (MOZ2PEM) to extract the certificates stored in the netscape communicator db (along with the corresponding private keys). I think that it isn't difficult to add a function that inserts keys and certificates in the db.
>
> Documentation (very minimal) and source code are at the following address
> http://spsl.security.unisa.it
>
> --
> --- Ivan Visconti
> --- Universita' di Salerno
> --- e-mail: [EMAIL PROTECTED]
> --- www: http://www.security.unisa.it/~visiva
Re: Generating CSR for Netscape Certificate Server based CA (fwd)
Nicolas Aragon wrote:
> Hello,
>
> On 29 Jan 00, at 19:48, Merton Campbell Crockett wrote:
>
>> To date, I have not been able to generate a CSR that is acceptable to the Netscape Certificate Server. All requests are rejected with a "bad DER encoding" error.
>
> I had the same error message from Navigator with a certificate that included an underscore in the CN.

Yes that's another potential problem. You should keep to the PrintableString character set[1] (except in emailAddress) if at all possible. Netscape has problems with some characters but this is hard to track down: I've known '' give trouble.

Anything before the latest snapshot of OpenSSL also got the type of string wrong in anything other than commonName if characters other than the PrintableString set got used.

[1] PrintableString character set:
    A, B, ..., Z
    a, b, ..., z
    0, 1, ..., 9
    (space) ' ( ) + , - . / : = ?

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
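Added example, not from the thread: a small DER encoder for one distinguished-name attribute that applies Steve's rule, using PrintableString only when every character is in the set listed in [1], IA5String for emailAddress, and (this example's own choice, not necessarily what OpenSSL 0.9.4 emitted) UTF8String otherwise. It also reports which characters, such as the underscore Nico hit, push a value out of the PrintableString set.

```python
# Added example: DER-encode one AttributeTypeAndValue, picking PrintableString
# only when the value fits the character set from [1].  emailAddress is
# IA5String (PKCS#9); anything else outside PrintableString becomes UTF8String,
# which is this example's choice and not necessarily OpenSSL 0.9.4's behaviour.

PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")

# Attribute type OIDs as DER content octets (dotted form in the comments).
OIDS = {
    "C":  bytes.fromhex("550406"),   # 2.5.4.6
    "ST": bytes.fromhex("550408"),   # 2.5.4.8
    "L":  bytes.fromhex("550407"),   # 2.5.4.7
    "O":  bytes.fromhex("55040a"),   # 2.5.4.10
    "OU": bytes.fromhex("55040b"),   # 2.5.4.11
    "CN": bytes.fromhex("550403"),   # 2.5.4.3
    "emailAddress": bytes.fromhex("2a864886f70d010901"),  # 1.2.840.113549.1.9.1
}

TAGS = {"PrintableString": 0x13, "IA5String": 0x16, "UTF8String": 0x0C}


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def offending_chars(value: str) -> str:
    """Characters that push a value outside PrintableString ('_', '@', '&', ...)."""
    return "".join(sorted(set(value) - PRINTABLE))


def choose_string_type(attr: str, value: str) -> str:
    """ASN.1 string type this value will be encoded as."""
    if attr == "emailAddress":
        if not value.isascii():
            raise ValueError("emailAddress must be IA5String (ASCII only)")
        return "IA5String"
    return "UTF8String" if offending_chars(value) else "PrintableString"


def encode_atv(attr: str, value: str) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OBJECT IDENTIFIER, value ANY }"""
    tag = TAGS[choose_string_type(attr, value)]
    return tlv(0x30, tlv(0x06, OIDS[attr]) + tlv(tag, value.encode("utf-8")))
```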
Success message after installing netscape certificate?
Hi,

I managed to get certificates installed in Netscape Browsers by sending them with MIME type application/x-x509-user-cert but Netscape seems to give no kind of a success message. Is it possible to get such a message or popup window? I tried to send the certificate and a success page as parts of a MIME multipart/x-mixed-replace server push sequence but the browser seems to ignore the application/x-x509-user-cert content when wrapped in a multipart/x-mixed-replace structure. Is there another way to do this?

Regards,
Reiner Buehl
Requesting browser (client) certificates
I would like to set up a script that will generate client certificates from within the browser and send the csr files to me for signing. How would I go about telling the browser to generate a key pair, and what kind of output would it give me?

Also, although I believe it should not be necessary to perform the above, is there any way that I can feed certificate information into openssl (such as CN DN O, etc) from the command line so that requests (let's say for server cert requests) can be sent to openssl from a script?
Re: SSL_read problem
On Mon, 31 Jan 2000, Amir Amit wrote:

> hi.
>
> when I run SSL_read on a socket (as the client), where the server is down, SSL_read returns with 0 - as there were no bytes to read from socket. This is not true - the server is down and there will never be something to read from server. Because the SSL_read command is non blocking and is in a loop until the buffer is read - the result is an endless loop.
>
> Can anyone suggest a method to check whether the SSL_read returns 0 because there is nothing to read or because the socket is broken? Trying to write into the socket would do (the 'regular' write returns with signal SIGPIPE and return value of EPIPE) - but I don't want to write into the socket.
>
> What can I do?

If a select statement indicates the socket is readable, but a subsequent read operation on the socket returns zero bytes, this indicates the socket has been closed. I don't know if that's the "pure" way but it works.

The other thing to check; "man getsockopt", the option you might be interested in is "SO_ERROR" (see "man 7 socket"). However, whether this maps to SSL_read or not I can't say ... it certainly works for reads on the socket itself. (Eg. your problem might be that some data *is* actually read from the socket by the SSL but was an incomplete packet - so no decrypted data can be read out of the SSL until more data arrives on the socket).

Have you looked through apps/s_client.c and the associated s_***.[ch] files?

Regards,
Geoff

--
Geoff Thorpe                                Email: [EMAIL PROTECTED]
Cryptographic Software Engineer, C2Net Europe    http://www.int.c2.net
--
Browsers don't like my certificates?
I couldn't find an FAQ anywhere which might explain this problem.

We're developing a CA of our own to issue server and client certificates for internal applications. I've been working on the Web application which allows users to apply for certs -- naturally, this is an SSL server itself. (Oh, and the Web server is apache+mod_ssl-1.3.9+2.4.2 compiled against openssl-0.9.4, both from the FreeBSD ports collection.)

A few months ago, with OpenSSL and mod_ssl current at that time, I managed to make everything work (at least using Netscape 4.08). Now, I'm getting the dreaded ``The server's certificate has an invalid signature'' dialog from Netscape, and the analogue from Internet Exploder. (To save you the effort of decoding the PEM below I'll append the text interpretation of the relevant certificates at the end of this message.)

This does not appear to be server-specific, since I can easily reproduce it with `openssl s_server':

    bash# openssl s_server -CApath ssl.crt -key ssl.key/server.key -cert ssl.crt/server.crt -state -www -cipher HIGH -bugs
    Using default temp DH parameters
    ACCEPT
    SSL_accept:before/accept initialization
    SSL_accept:SSLv3 read client hello A
    SSL_accept:SSLv3 write server hello A
    SSL_accept:SSLv3 write certificate A
    SSL_accept:SSLv3 write server done A
    SSL_accept:SSLv3 flush data
    SSL3 alert read:fatal:bad certificate
    SSL_accept:failed in SSLv3 read client certificate A
    32989:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:774:SSL alert number 42
    32989:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:s23_lib.c:173:

Moreover, connecting with the simple client succeeds:

    wollman@khavrinen(622)$ openssl s_client -connect ca.lcs.mit.edu:4433 -CAfile server-bundle.pem -ssl3
    CONNECTED(0003)
    depth=2 /C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=Computer Resource Services/CN=Master [EMAIL PROTECTED]
    verify return:1
    depth=1 /C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=Secure Servers/CN=LCS Certificate [EMAIL PROTECTED]
    verify return:1
    depth=0 /C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=Secure Servers/CN=ca.lcs.mit.edu
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=Secure Servers/CN=ca.lcs.mit.edu
       i:/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=Secure Servers/CN=LCS Certificate [EMAIL PROTECTED]
     1 s:/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=Secure Servers/CN=LCS Certificate [EMAIL PROTECTED]
       i:/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=Computer Resource Services/CN=Master [EMAIL PROTECTED]
     2 s:/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=Computer Resource Services/CN=Master [EMAIL PROTECTED]
       i:/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=Computer Resource Services/CN=Master [EMAIL PROTECTED]
    ---
    Server certificate
    [PEM-encoded server certificate omitted]
    subject=/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=Secure Servers/CN=ca.lcs.mit.edu
    issuer=/C=US/ST=Massachusetts/L=Cambridge/O=MIT Laboratory for Computer Science/OU=Secure Servers/CN=LCS Certificate [EMAIL PROTECTED]
how to use SSL
Dear sir:

I am newbie, I want to know how to use the SSL in my program. I want to set up this concept in my mind. Can you tell me something about this? Or can you tell some websites or books about this?

Thanks
Qing
error: bad command or file name
Hi,

I am newbie, I am trying to setup SSL on my system. My system is windows 98 and VC++6.0 has been setup on my machine. I tried the following steps:

    1. openssl-0.9.4> perl Configure VC-Win32
    2. openssl-0.9.4> ms\do_ms
    3. openssl-0.9.4> nmake -f ms\ntdll.mak

The first two steps are successful. But I got error message: "bad command or file name". Why? And how can I solve this problem?

Another question is: what's the meaning of "from the VC++ environment at a prompt"? How can I do with it?

Thanks a lot!
Qing
Bug report: primality testing algorithm.
Greetings.

I'm implementing elliptic curve software on top of OpenSSL Bignum library. When testing it on NIST's standard curves, I found a problem that seems not to be in my code: Bignum reports that NIST's 384-bit prime is not prime!

I've checked the value with MIRACL and Java (which in turn uses Colin Plumb's Bnlib), and both say that P384 is indeed prime, as expected.

If anyone would like to check it, here's a test program that reveals the error:

    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/bn.h>

    int main(void)
    {
        BN_CTX *ctx;
        BIGNUM *q;
        int isPrime;

        if ((ctx = BN_CTX_new()) == NULL) {
            exit(EXIT_FAILURE);
        }
        q = BN_new();
        /* load NIST's 384-bit prime (BN_dec2bn takes a BIGNUM **; the decimal
           string is split over two adjacent literals the compiler joins): */
        BN_dec2bn(&q, "394020061963944792122790401001436138050797392704654466679482934042457217714"
                      "96870329047266088258938001861606973112319");
        /* BN_hex2bn(&q, "fffe000 0"); */
        /* 50 rounds of the probabilistic test, no progress callback: */
        isPrime = BN_is_prime(q, 50, NULL, ctx, NULL);
        printf("Is P384 prime? %s.\n", isPrime ? "Yes" : "No");
        BN_free(q);
        BN_CTX_free(ctx);
        return 0;
    }
Re: error: bad command or file name
Qing Huo wrote:
> Hi,
>
> I am newbie, I am trying to setup SSL on my system. My system is windows 98 and VC++6.0 has been setup on my machine. I tried the following steps:
>
>     1. openssl-0.9.4> perl Configure VC-Win32
>     2. openssl-0.9.4> ms\do_ms
>     3. openssl-0.9.4> nmake -f ms\ntdll.mak
>
> The first two steps are successful. But I got error message: "bad command or file name". Why? And how can I solve this problem?
>
> Another question is: what's the meaning of "from the VC++ environment at a prompt"? How can I do with it?

When VC++ installs it creates a batch file called vcvars32.bat or something similar typically in:

    C:\Program Files\Microsoft Visual Studio\VC98\Bin\vcvars32.bat

It just sets up some environment variables and adds a few directories to the path. You need to run this batch file as:

    vcvars32.bat x86

for a *86 box first.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Bug report: primality testing algorithm.
Paulo S. L. M. Barreto wrote:
> Greetings.
>
> I'm implementing elliptic curve software on top of OpenSSL Bignum library.

Interesting. Will you be making the code public?

> When testing it on NIST's standard curves, I found a problem that seems not to be in my code: Bignum reports that NIST's 384-bit prime is not prime!

Do you have a URL referencing these NIST standard curves?

> I've checked the value with MIRACL and Java (which in turn uses Colin Plumb's Bnlib), and both say that P384 is indeed prime, as expected.

I'll have a look if I have time.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Where can I find info on how to use openssl-0.9.4?
Where can I find info on how to use openssl-0.9.4? Is there any documentation for this API?

Thanks,
Will Bradley
Software Engineer/Intern
Anark Communications
http://www.anark.com
Re: Bug report: primality testing algorithm.
Dr Stephen Henson wrote:
>> When testing it on NIST's standard curves, I found a problem that seems not to be in my code: Bignum reports that NIST's 384-bit prime is not prime!
>
> Do you have a URL referencing these NIST standard curves?

Ignore that. I've found the URL. On NISTs site oddly enough :-)

--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Setting up OpenSSL
Word on the street is that HEIN Martin said:
> Unfortunately I cannot find any documentation on how to set up OpenSSL appropriately, i.e. configuring both the global and user-specific *.cnf-files, as well as creating public and private keys.

This site helped me get going: http://www.columbia.edu/~ariel/ssleay/

> And, how about compatibility or interoperability of OpenSSL certificates with other servers or SSL-solutions (commercial ones, e.g. Netscape, Oracle, ...)?

As far as I know the PEM format is pretty much universal.

Skye
Re: SSL_read problem
Word on the street is that Amir Amit said:
> when I run SSL_read on a socket (as the client), where the server is down, SSL_read returns with 0 - as there were no bytes to read from socket. This is not true - the server is down and there will never be something to read from server. Because the SSL_read command is non blocking and is in a loop until the buffer is read - the result is an endless loop.
>
> Can anyone suggest a method to check whether the SSL_read returns 0 because there is nothing to read or because the socket is broken?

Look at apps/s_client.c - I think what you're looking for is SSL_get_error

Skye
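Added example, not from the thread: the socket-level check Geoff describes (select says readable, read returns zero bytes, so the peer has closed) together with the SO_ERROR probe, run in Python over a local socketpair so it works offline. It assumes plain TCP; on an SSL connection the same three outcomes are what SSL_get_error() distinguishes after SSL_read() returns 0 or less (SSL_ERROR_WANT_READ for an incomplete record, SSL_ERROR_ZERO_RETURN for a clean close, SSL_ERROR_SYSCALL for a broken transport).

```python
# Added example: the three states a non-blocking read loop has to tell apart,
# checked the way Geoff suggests (select + zero-byte read, plus SO_ERROR).
# Plain TCP over a local socketpair; no SSL layer involved.
import errno
import select
import socket


def classify_read(sock: socket.socket, timeout: float = 0.05) -> str:
    """Return 'no-data', 'data', 'closed' or 'error:<ERRNO>' without
    consuming any bytes (MSG_PEEK), so the caller's read loop stays intact."""
    readable, _, _ = select.select([sock], [], [], timeout)
    if not readable:
        return "no-data"                    # genuinely nothing to read yet
    err = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)  # "man 7 socket"
    if err:
        return "error:" + errno.errorcode.get(err, str(err))
    try:
        chunk = sock.recv(4096, socket.MSG_PEEK)
    except (ConnectionResetError, BrokenPipeError) as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    return "data" if chunk else "closed"    # readable + 0 bytes == EOF


def demo() -> list:
    """Drive a socketpair through the three states; returns what was seen."""
    client, server = socket.socketpair()
    client.setblocking(False)
    seen = [classify_read(client)]          # nothing sent yet      -> no-data
    server.sendall(b"partial-record")       # constructed sample payload
    seen.append(classify_read(client))      # bytes waiting          -> data
    client.recv(4096)                       # drain them
    server.close()                          # peer goes away
    seen.append(classify_read(client))      # readable but 0 bytes   -> closed
    client.close()
    return seen


if __name__ == "__main__":
    print(demo())
```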
Re: urgenttly need help
Word on the street is that Yossapon Sutharattanachaiporn said:
> I got an error around ssl_connect/ssl_accept line. this is my code. Do i miss any step?

Yes, you're missing the step where you check the return value and if the call fails, print out the reason with ERR_print_errors()

Check apps/s_client.c if you're not sure how to do that.

Skye
Re: Bug report: primality testing algorithm.
"Paulo S. L. M. Barreto" wrote:
> Greetings.
>
> I'm implementing elliptic curve software on top of OpenSSL Bignum library. When testing it on NIST's standard curves, I found a problem that seems not to be in my code: Bignum reports that NIST's 384-bit prime is not prime!
>
> I've checked the value with MIRACL and Java (which in turn uses Colin Plumb's Bnlib), and both say that P384 is indeed prime, as expected.
>
> If anyone would like to check it, here's a test program that reveals the error:

The short answer, amazingly, is that BN_div() is broken! A quick fix is to set the "#if 0" to "#if 1" at the top of crypto/bn/bn_div.c.

In a way, I'm glad this bug was there, coz it made me (finally) figure out the prime testing. It uses Fermat's test, which seems a little strange to me, since it is known to fail to diagnose some composite numbers. It also uses a home-brewed mod_exp function (essentially, that's what witness() is) which is, presumably, slower than the "real" thing.

Anyway, I'm too tired now to diagnose BN_div(), I'm going back to bed. I suspect we should switch to Miller-Rabin or some other popular prime tester, though. Not that that will fix this bug.

Cheers,
Ben.

--
SECURE HOSTING AT THE BUNKER! http://www.thebunker.net/hosting.htm
http://www.apache-ssl.org/ben.html
Y19100 no-prize winner! http://www.ntk.net/index.cgi?back=2000/now0121.txt
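Added example, not from the thread: Ben's point about Fermat versus Miller-Rabin, in Python integers rather than OpenSSL's BIGNUM, using P384 from Paulo's program and a Carmichael number (252601 = 41*61*101, chosen for this example) as the composite that Fermat's test cannot detect with any base coprime to it.

```python
# Added example: Fermat's test versus Miller-Rabin on Python integers (not
# OpenSSL BIGNUM).  P384 is the prime from Paulo's program; 252601 = 41*61*101
# is a Carmichael number, the composite class Fermat's test passes for every
# base coprime to it, which is why Ben suggests switching to Miller-Rabin.
import random

P384 = int("394020061963944792122790401001436138050797392704654466679482934042457217714"
           "96870329047266088258938001861606973112319")

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def fermat_is_probable_prime(n: int, bases) -> bool:
    """Fermat test: n passes base a if a^(n-1) == 1 (mod n).  Carmichael
    numbers pass for every base coprime to n, so this is not a real test."""
    if n < 2:
        return False
    return all(pow(a, n - 1, n) == 1 for a in bases if a % n)


def miller_rabin_is_probable_prime(n: int, bases) -> bool:
    """Write n-1 = d * 2^s with d odd.  Base a proves n composite unless
    a^d == 1 or a^(d*2^r) == -1 (mod n) for some 0 <= r < s.
    A composite n passes a random base with probability at most 1/4."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:           # trial division handles the tiny cases
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        a %= n
        if a < 2:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False             # a is a witness: n is composite
    return True


def is_probable_prime(n: int, checks: int = 50, seed: int = 1) -> bool:
    """Miller-Rabin with `checks` pseudo-random bases, the shape of the
    BN_is_prime(q, 50, ...) call in Paulo's program.  Seeded so runs repeat."""
    if n < 40:
        return n in SMALL_PRIMES
    rng = random.Random(seed)
    bases = [rng.randrange(2, n - 1) for _ in range(checks)]
    return miller_rabin_is_probable_prime(n, bases)
```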