Re: Problem with SSL Netscape: ...no common encryption algorithm...??
>> After installing a Verisign test certificate; when testing with
>> ./openssl s_client -connect www.takeitnow.nl:443 and GET / HTTP/1.0
>> everything seems to work; the HTTP GET is recorded in the server
>> logging. But when accessing the server with Netscape (4.5) I get a
>> popup box 'Netscape and this server cannot communicate securely
>> because they have no common encryption algorithms'.
>
> Possibly the server only supports strong encryption or has been
> configured to only support strong encryption and you are using an
> export grade browser?

That's right! Now we've created a certificate with the option -newkey rsa:512. Great, it works.

But, is it possible to offer users with 'strong browsers' the strong encryption while offering poor European users the weak encryption? Now they all use the same weak encryption.

I can't find anything about this in the docs. Btw which docs ;)

Jon Petersen

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
Re: rc2 encryption with 128 bit key
Check your browser, it might be an older 'international' version and not capable of handling 128 bit encryption.

vijay karthik wrote:
> Hi!
>
> I selected the "RC2/RC4 encryption with 128 bit key" cipher for SSL
> connection from my browser. I tried to connect to the apache listener
> (with openssl), and it fails to connect, whereas RC2/RC4 with 40bit key
> succeeds.
>
> Does this mean the apache server is a 40 bit server? Is there anything I
> should do during the Build, to get a 128 bit apache-openssl server? Is
> there a way of finding out if the server I am using is a 40 bit or 128
> bit one?
>
> thanks
> Vijay

-- 
Patrick Dubois

``Windows: 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor, written by a 2 bit company, that can't stand 1 bit of competition.'' -- Unknown

~ Got something to say that you don't want said in public? Ask me for my PGP key!
Re: Problem with SSL Netscape: ...no common encryption algorithm...??
Steve,

The server is WN 2.3.3 (see also http://www.wnserver.org). It works with both 'strong' and 'weak' browsers, but I can't figure out if it uses strong encryption where possible (e.g. strong browsers).

Jon

Dr Stephen Henson wrote:
> [EMAIL PROTECTED] wrote:
>> That's right! Now we've created a certificate with the option -newkey
>> rsa:512. Great, it works.
>>
>> But, is it possible to offer users with 'strong browsers' the strong
>> encryption while offering poor European users the weak encryption? Now
>> they all use the same weak encryption.
>>
>> I can't find anything about this in the docs. Btw which docs ;)
>
> The server should work with export ciphers even if the key is larger
> than 512 bits by using an RSA temporary key. Which server is it BTW?
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED]
> PGP key: via homepage.
More on Cisco IPSEC
Here's what I've accomplished so far..

I've set up a CA, fairly easy and standard. I've gotten the CA's cert into the cisco router for use for known-CA verification. I've gotten the router to make a certificate signing request, but it's making the request in a PKCS7 format. But since I'm less than savvy when it comes to quite a bit of this stuff, I can't seem to figure out which part of the PKCS7 object I'm to sign, and exactly how to sign it.

This URL contains quite a bit of information that someone with more knowledge than I do could make some sense of, and may be able to figure out what needs to be done. The PKCS7 object is at the bottom of this message as well.

http://www.cisco.com/warp/public/cc/cisco/mkt/security/tech/scep_wp.htm

I'm having a feeling that the solution is going to require me writing a program to tear apart the PKCS7 object and do something with it. So, if anyone has a pointer to an introduction to programming with OpenSSL (and a good technical explanation of encryption and what not), or has the time and patience to give me a quick start, it'd be muchly appreciated.

Thanks!

Matt Burgoon ([EMAIL PROTECTED])

-----BEGIN PKCS7-----
MIAGCSqGSIb3DQEHAqCAMIIGXQIBATEOMAwGCCqGSIb3DQIFBQAwgAYJKoZIhvcN
AQcBoIAEggK9MIAGCSqGSIb3DQEHA6CAMIACAQAxgDCBoAIBADBKMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQCAQAwDQYJKoZIhvcNAQEBBQAEQBeR5798VAuNs0yQAXXZ
HdAfc+KcW3HwALOfYt5gflTSD2Lgsvy9MgOJlPjl/25pcp0BpHSTHqSALH4SrDji
Nd4AADCABgkqhkiG9w0BBwEwEQYFKw4DAgcECIN5MCh/m0zfoIAEggHIOHdKxdNc
zitQrcX3Mnv3k6PliGPFJg0+N/ndEcLVAcHGW4ooIM7MenARASyTZ4Q+QuzmVa1W
HJIx28VZq6/z3dFtfsgKjqQMzF3qjzNSIoyLRZx6s8HhDKubYkrg7mpMxub7/T3X
srLT8RdMIPHuSFsgzBeKPkElLYetgj1ClYTiWIVg80IDafFqoJ9w/AH6IumMj0+P
JNh6ImPjKcnheyyVfOhCJWPEnVTjZ2Bh9ao9iCntEtUnuOE50CeE8j1SdWmiqOb7
CNoSKykad9tdisJKFyR7d4UX8Q+uORWPL71SKLm3+WZ2MuYV0oeoJE+EO06P4s+0
RE0+LZfoD226ivencSWRQitKKttyJaY4ObP5Np0+tM7caoqHC8B/YvcNW6lYBbFj
BoFBEm3FGy96Qx47bynaf2KnkmbotJU3FmthstQBNb2P/4a+phxzPC6ir/aNx6+Q
sCi4CXpTIYpJ0kqtuKdkUhSDsDNE/3DX3na0hr0GIEikDLHi2dHmfdRfVJmQiM74
BeHC3PZYlaChXZqmJX5GmMgJRGzTHkXppipn0hu+FJvenSCVbPl3b0814wf7kDAG
D+BYJsZlv+PqOoWT2hxYy5GYBAjBc01xJtbP6AAAoIIB2DCC
AdQwggE9AiAxREIyRkU1MUMyRjVGQTk1QkE4QjI3RERGQ0JEM0Y1NTANBgkqhkiG
9w0BAQQFADAjMSEwHwYJKoZIhvcNAQkCFhJibGFja2hvbGUua3VpdC5jb20wHhcN
OTMwMzAxMDAwMDI3WhcNMDMwMjI3MDAwMDI3WjAjMSEwHwYJKoZIhvcNAQkCFhJi
bGFja2hvbGUua3VpdC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMr6
/afJUSWqSiSU2YEJXL2/W3QBUdBwoZ4/YDA8NhPMhKsq4cejoF/aINsGI0pfrFQ8
gZ+9mclEgqwnCOJGn1QzYiQ3aJ5fSvgvXpK/ovQB8IjaHtloeNHOoM+W27G0syK6
AsD1WqBuzH88PweeAxQCJ8b5U+1F/GZKw5EJM7Y/AgMBAAEwDQYJKoZIhvcNAQEE
BQADgYEAoqg+vGYC5bvNN+Hee2f8PULZ18T+FO1Oj/mTkHy/OOIKLh9WK2r3plg7
+f1I3zWyuF2NDMDUNL+8Tg2AzSE7XSuA2gV9viNsPzxJHxDUVVTtveCgndej7+AJ
mz+HBd2YjyDe/RExYyYOZgZG7zh7Ilyg/tMYO0qShed4fs0JUy0xggGWMIIBkgIB
ATBHMCMxITAfBgkqhkiG9w0BCQIWEmJsYWNraG9sZS5rdWl0LmNvbQIgMURCMkZF
NTFDMkY1RkE5NUJBOEIyN0RERkNCRDNGNTUwDAYIKoZIhvcNAgUFAKCBozASBgpg
hkgBhvhFAQkCMQQTAjE5MBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHwYJKoZI
hvcNAQkEMRIEEOIoImSR4FHDhQyU8GHN/fowIAYKYIZIAYb4RQEJBTESBBDYOIOH
1m3VzrN7q/jEypd3MDAGCmCGSAGG+EUBCQcxIhMgMTY1Q0JCOUU0QTE1Rjg3QjY3
MDU5QkVGRDlBMzc1QkYwDQYJKoZIhvcNAQEBBQAEgYBWRXZJq+L56lHqfDPb/g9n
q0UCVju4lEjQVd9Bq33tpf1D/O4QqU80WPJ2sGrrWe9g6KiNA6+jW5GL+RSCQc8j
NeN22NYptqiY/ABI0CvdBHqTgF7oHKGFkBnHOWef16ipesCC5p/+Ru+UB85grzlb
rZLk0vbzU9KBRpW1fwUHpQA=
-----END PKCS7-----
how to convert Netscape's cert7.db to PEM?
Hello,

How can I convert Netscape's cert7.db file into PEM format? I need one particular CA root certificate contained in this file for Apache.

Greets,
Jean-Marc
Re: OpenSSL's cryptolib and SET
Ulf Möller [EMAIL PROTECTED]:

>> - RSA, OAEP DES and CDMF encryption/decryption
>> - SHA-1 digest computation
>> - Basic X.509 Certificate Management (Disk storage, CRL look-up, ...)
>>
>> I'd just like to know which of the previous tasks can be done using
>> the OpenSSL.
>
> CDMF doesn't ring a bell, so I guess OpenSSL doesn't support that.

"Commercial Data Masking Facility", IBM's patented DES-based 40-bit symmetric cipher. (They refuse to call it "encryption" because of the short key length, hence the term "data masking".) This should be obsolete given the current US export rules.

CDMF should be straight-forward to implement based on the existing DES implementation, the description is available in some issue of the IBM research journal.
Re: how to convert Netscape's cert7.db to PEM?
Try the file http://www.e-softinc.com/cacerts.txt

It contains a list of certs that were found in the mod_ssl package, and were supplemented with certs found in the cert7.db file.

Thomas

Jean-Marc Beroud wrote:
> Hello,
>
> How can I convert Netscape's cert7.db file into PEM format? I need one
> particular CA root certificate contained in this file for Apache.
>
> Greets,
> Jean-Marc

-- 
Thomas Reinke                            Tel: (905) 331-2260
Director of Technology                   Fax: (905) 331-2504
E-Soft Inc.                        http://www.e-softinc.com
Re: expecting an asn1 sequence error - HELP!
I got a similar error once and it apparently related to the format of the key/cert file I had downloaded in win/dos, and it was saved as one big line. I edited it to add the newlines, and then it worked fine.

Jim Warren
Connecting America
[EMAIL PROTECTED]  www.coam.net
Phone: 702-648-0390  Fax: 702-631-3303  Direct: 648-2712

On Wed, 16 Feb 2000, Sergio Salvi wrote:

> Date: Wed, 16 Feb 2000 21:43:52 -0200
> From: Sergio Salvi [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: "expecting an asn1 sequence" error - HELP!
>
> Hi guys!
>
> I'm having the following problem when trying to start apache 1.3.11 with
> mod_ssl 2.5.0 and openssl 0.9.4:
>
> mod_ssl: Init: Unable to read server certificate from file /usr/local/ssl/certs/compras.uol.com.br.gid (OpenSSL library error follows)
> OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
>
> In my apache conf file:
> ---
> SSLEnable
> SSLCertificateFile /usr/local/ssl/certs/server.gid
> SSLCertificateKeyFile /usr/local/ssl/private/server.key
> SSLCertificateChainFile /usr/local/ssl/certs/verisign.chain
> SSLLogLevel trace
> ---
>
> Where server.gid is a base64 pem encoded global id certificate and
> "verisign.chain" is the chain file that I've got from Verisign.
>
> I can do a "openssl verify verisign.chain" but when I try a "openssl
> verify server.gid" I got the error:
>
> server.gid: unable to load certificate file
> 927:error:0D0A2007:asn1 encoding routines:d2i_X509_CINF:expecting an asn1 sequence:x_cinf.c:106:address=1131914 offset=0
> 927:error:0D09F004:asn1 encoding routines:d2i_X509:nested asn1 error:x_x509.c:99:address=1131912 offset=2
> 927:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:239:
>
> Anyone who had this problem solved it? I hope so :) But how?
>
> Thanks in advance!
>
> Sergio Salvi.
> Sao Paulo/SP/Brazil.
expecting an asn1 sequence error - SOLVED :)
Thanks to Dr Stephen, the solution was to convert the certificate file to PEM format (it was in PKCS#7): first change the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines to "BEGIN PKCS7"/"END PKCS7" and then run "openssl pkcs7 -in server.gid -out certs.pem -print_certs".

[]s,
Sergio Salvi.
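The Cisco SCEP thread (a router-generated PKCS#7 object nobody could immediately take apart) and the "expecting an asn1 sequence" threads (a file labelled CERTIFICATE that was really PKCS#7, and a PEM file saved as one long line) both come down to the first two ASN.1 headers of the decoded body. The following Python is an added example, not code from the list or from the OpenSSL project: it decodes BER tag/length headers (including the indefinite-length form the router's blob uses), classifies the body as an X.509 Certificate or a PKCS7 ContentInfo, and applies the relabelling fix from Sergio's message. The first sample input is the opening 20 base64 characters of the blob posted in the Cisco thread; the certificate prefix and the one-line PEM block are constructed for the example.

```python
import base64
import re

# Sample inputs. PKCS7_PREFIX_B64 is the first 20 base64 characters of the
# PKCS#7 object posted in the Cisco SCEP thread: an indefinite-length BER
# SEQUENCE whose first element is the signedData OID. CERT_PREFIX_DER is a
# constructed prefix of an X.509 Certificate (outer SEQUENCE, then the
# tbsCertificate SEQUENCE, then the [0] version tag); only the first two
# headers matter for the classification below.
PKCS7_PREFIX_B64 = "MIAGCSqGSIb3DQEHAqCA"
CERT_PREFIX_DER = bytes.fromhex("3082025A308201C3A003020102")

SEQUENCE, OID = 0x30, 0x06
CONTENT_TYPES = {              # PKCS#7 contentType OIDs
    "1.2.840.113549.1.7.1": "data",
    "1.2.840.113549.1.7.2": "signedData",
    "1.2.840.113549.1.7.3": "envelopedData",
}


def read_header(buf, pos):
    """Decode one BER tag/length header at buf[pos].

    Returns (tag, length, body_start). length is None for the indefinite
    form (length octet 0x80), which the router's blob uses and strict DER
    does not allow.
    """
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers not handled")
    first = buf[pos + 1]
    if first == 0x80:
        return tag, None, pos + 2
    if first < 0x80:
        return tag, first, pos + 2
    nbytes = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    return tag, length, pos + 2 + nbytes


def decode_oid(content):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def classify_der(der):
    """Describe the outer structure, mirroring what d2i_X509 checks before
    it gives up with 'expecting an asn1 sequence'."""
    tag, _, body = read_header(der, 0)
    if tag != SEQUENCE:
        return "not an ASN.1 SEQUENCE (tag 0x%02x)" % tag
    inner_tag, inner_len, inner_body = read_header(der, body)
    if inner_tag == SEQUENCE:
        return "X.509 Certificate (tbsCertificate follows)"
    if inner_tag == OID:
        oid = decode_oid(der[inner_body:inner_body + inner_len])
        return "PKCS7 ContentInfo, contentType %s (%s)" % (
            oid, CONTENT_TYPES.get(oid, "unknown"))
    return "SEQUENCE starting with tag 0x%02x" % inner_tag


def classify_pem_body(b64):
    """Classify the base64 body of a PEM block (whitespace is ignored)."""
    return classify_der(base64.b64decode("".join(b64.split())))


PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 #]+)-----(.*?)-----END \1-----", re.S)


def fix_pem_label(pem_text):
    """Apply the fix from the SOLVED message: a block labelled CERTIFICATE
    whose body is really PKCS#7 gets BEGIN/END PKCS7 headers, so that
    'openssl pkcs7 -print_certs' can read it. The base64 is also reflowed to
    64-column lines, since the PEM reader expects line-structured input
    rather than one long line (the problem Jim Warren describes)."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), "".join(m.group(2).split())
    if label == "CERTIFICATE" and classify_pem_body(body).startswith("PKCS7"):
        label = "PKCS7"
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


if __name__ == "__main__":
    print(classify_pem_body(PKCS7_PREFIX_B64))
    print(classify_der(CERT_PREFIX_DER))
    # Constructed one-line PEM file carrying the wrong label, as in the thread.
    print(fix_pem_label("-----BEGIN CERTIFICATE-----" + PKCS7_PREFIX_B64 + "-----END CERTIFICATE-----"))
```

Run against the router's blob the classifier reports a signedData ContentInfo, which is why `openssl pkcs7` rather than `openssl x509` is the tool that opens it; run against a file that `d2i_X509` rejects, it tells you whether the body is the wrong object type or not ASN.1 at all, which is a quicker diagnosis than the nested error stack.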
Re: installation problem
MARTIN Guy CNET/DMI/LAN [EMAIL PROTECTED]:

> just beginning to use OpenSSL (or trying...), I have got some undefined
> references at compile time.
>
> gcc -o cli cli.o -L/usr/local/ssl/lib -lcrypto -lssl

Change the compiler options from "-lcrypto -lssl" to "-lssl -lcrypto".
Re: How to prevent memory leak in dll.
zheng xiangyang [EMAIL PROTECTED]:

> [...]

Call EVP_cleanup() to free those data structures.
Re: Multiple threads handling one connection
Oliver King [EMAIL PROTECTED]:

> [...]
>
> Does OpenSSL support reading from a connection on one thread and writing
> to the same connection on another thread? Has anyone tried this, or is
> it not supported?

I would not recommend trying, there is no locking done on the structures, so the two threads could interfere with each other in unpredictable ways.

In the initialization of threaded OpenSSL applications you'll notice that the application has to provide a number of mutex locks; however all of these are global locks and there are no per-object locks, so locking during all SSL I/O functions would be very inefficient.

If your application has its own locking to ensure that never two threads will try to use the same SSL connection at the same time, then there should be no problem.
Re: rc2 encryption with 128 bit key
Hi,

Sure the browser exports all export ciphers in the client_hello. But only if they have been enabled in the browser. It would be an empty list if only strong (non-exportable) ciphers were enabled and others (exportable) were disabled in the browser. And I think that is the scenario vijay is having problems with.

:)
Amit.

Pluto wrote:
> On Thu, 17 Feb 2000, Amit wrote:
>
>> Hi,
>>
>> I think the problem lies with the browser. The browser seems to be an
>> export version so strong encryption algorithms have been disabled. This
>> means that in the client_hello the browser's list of available ciphers
>> will be null and so the connection fails.
>>
>> What you could do is run openssl tool s_server in the debug mode and
>> actually find out the cipher list that the browser sends to the server.
>
> It can't be null. The export versions offer all the algos that are
> marked EXP.
>
> Yours
> --
> Pluto - SysAdmin of Hades
> Free information! Freedom through knowledge. Wisdom for all!! =:-)
> PGP 1024/7261AACD 1996/09/10 1F3F EA94 D056 A686 4D19 C456 6CF9 4344
> Phone: +49-173-4814739 eCash(DB): 129429938818 Q3T: js-Pluto
> The reasonable man adapts himself to the world; the unreasonable man
> persists in trying to adapt the world to himself. Therefore, all
> progress depends on the unreasonable man.
Re: Problem with SSL Netscape: ...no common encryption algorithm...??
Hi

The browsers send a prioritised list of ciphers to the server for selection, strong first, followed by the weaker ones. The server selects the first cipher that matches. So the server should typically select the strongest possible common cipher.

:)
Amit.

[EMAIL PROTECTED] wrote:
> Steve,
>
> The server is WN 2.3.3 (see also http://www.wnserver.org). It works
> with both 'strong' and 'weak' browsers, but I can't figure out if it
> uses strong encryption where possible (e.g. strong browsers).
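The selection rule Amit describes (client sends a prioritised list, server takes the first common entry) and Pluto's suggestion to look at the cipher list the browser actually sends can be demonstrated offline. The following Python is an added example, not code from the list or from the OpenSSL project: it builds a minimal SSLv3-format ClientHello as constructed input, extracts the offered cipher suites in the client's priority order, and applies first-match selection against a server's enabled list, returning None in the "no common encryption algorithm" case from the Netscape thread. The suite identifiers and OpenSSL names are the standard SSLv3/TLS 1.0 values; the browser lists and the server configurations are constructed for the example, and the server-preference variant goes beyond what the thread discusses.

```python
import struct

# Cipher suite identifiers from SSLv3 / TLS 1.0 (RFC 2246, appendix A.5),
# with their OpenSSL names. The EXP- suites are the 40-bit "export" suites an
# international browser of the time could offer; the others are 128-bit
# (or 168-bit for DES-CBC3-SHA).
SUITES = {
    0x0003: "EXP-RC4-MD5",
    0x0004: "RC4-MD5",
    0x0005: "RC4-SHA",
    0x0006: "EXP-RC2-CBC-MD5",
    0x0008: "EXP-DES-CBC-SHA",
    0x0009: "DES-CBC-SHA",
    0x000A: "DES-CBC3-SHA",
}
# Constructed client lists: an export-only browser, and a strong browser that
# lists its strong suites first and the export suites last.
EXPORT_BROWSER = [0x0003, 0x0006, 0x0008]
STRONG_BROWSER = [0x000A, 0x0005, 0x0004, 0x0009, 0x0003, 0x0006, 0x0008]


def build_client_hello(suite_ids):
    """Construct an SSLv3-format ClientHello record offering suite_ids in
    that order (constructed test input standing in for the bytes that
    s_server in debug mode would show on the wire)."""
    body = b"\x03\x00" + bytes(32) + b"\x00"           # version, random, empty session id
    body += struct.pack("!H", 2 * len(suite_ids))
    body += b"".join(struct.pack("!H", s) for s in suite_ids)
    body += b"\x01\x00"                                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cipher suites a ClientHello offers, in the client's order."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                  # handshake header, client_version, random
    pos += 1 + hs[pos]                # session_id length byte plus session_id
    nbytes = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", hs[pos + i:pos + i + 2])[0] for i in range(0, nbytes, 2)]


def select_cipher(offered, enabled, server_preference=False):
    """Pick the suite the server negotiates: the first entry of the client's
    list that the server has enabled (or, with server_preference, the first
    of the server's list the client offered). None is the 'no common
    encryption algorithm' failure."""
    order, allowed = (enabled, set(offered)) if server_preference else (offered, set(enabled))
    for suite in order:
        if suite in allowed:
            return suite
    return None


def negotiate(record, enabled, server_preference=False):
    """Parse a ClientHello and report the negotiated suite by OpenSSL name."""
    suite = select_cipher(parse_client_hello(record), enabled, server_preference)
    return None if suite is None else SUITES[suite]


if __name__ == "__main__":
    strong_only = [0x000A, 0x0005, 0x0004, 0x0009]      # server with export suites disabled
    both = strong_only + [0x0003, 0x0006, 0x0008]       # server accepting both classes
    print(negotiate(build_client_hello(EXPORT_BROWSER), strong_only))  # None
    print(negotiate(build_client_hello(EXPORT_BROWSER), both))         # EXP-RC4-MD5
    print(negotiate(build_client_hello(STRONG_BROWSER), both))         # DES-CBC3-SHA
```

With a server that enables both classes, an export browser lands on an EXP- suite and a strong browser on its first strong suite, which is the behaviour Jon was asking for; an export browser against a strong-only server, or a browser with only 128-bit suites enabled against a server that offers only export suites (Vijay's case), produces the None result that the browser reports as "no common encryption algorithms".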