Re: how to download a certificate to browser?

2000-02-25 Thread Jochen . Klein





> I set up my own CA and sign client certificates.
> I can use the Perl program provided by F.J. Hirsch
> in his paper "Introducing SSL and Certificates using
> SSLeay" to download a certificate to the Netscape browser.
> But I cannot use my C program to do the work.

[...]
> And this is my C program:
>
> ifstream in("/usr/local/ssl/certs/cert.result");
> cout << "Content-Type: application/x-x509-user-cert\n" << endl;
                                                     ^^     ^^
here you have two new lines, which terminate the header, so
Content-Length will be read as part of the body.
Remove the \n, endl does all you want here.

Jochen


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Problem whith PKCS12 and DSA

2000-02-25 Thread Xavier Gonzalez


> Maybe but probably not in OpenSSL. DSA private keys in PKCS#8 (which
> PKCS#12 uses) have a standard format defined in PKCS#11 but this is well
> hidden.
>
> As a result vendors have often made up their own "standard". There are
> currently three different formats which are in use. Maybe yours is
> another form.
>
> Try the latest OpenSSL snapshot and see if that works: it has support
> for all three forms. If it doesn't then please send me a test file and
> password and I'll see if I can add support for another broken DSA
> format.
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
> __


I tried again with the first beta release of OpenSSL 0.9.5, and I had
the same error.

Here comes the PKCS12 file test. It was created with Baltimore Toolkit
"PKI-plus".

Password is : matranet

Thanks for all.
 AutoSign_1024_DSA.p12


Re: how to download a certificate to browser?

2000-02-25 Thread alohaz

Thanks a lot to Robert, Mike and Massimiliano for your help.

I got a suggestion from Hirsch as follows:

I believe the problem is that the join can take multiple lines (if the cert is over 
multiple lines, and make them into one string), but the C++ code is including the 
newlines. 
I am not familiar with getline, I think fgets includes the newline. 
So my suggestion is check that you are not incorporating newlines in your 
concatenation. 


So I modified my program as:

char result[2000],ch;
int i=0;
CERT=fopen("/usr/local/ssl/certs/cert.result");
printf("Content-Type: application/x-x509-user-cert\n\n");
while( ((ch=getc(CERT))!= EOF) && ((ch=getc(CERT))!= '\n') )
  result[i++] = ch;
fclose(CERT);
printf ("%s",result);

I can only use 
  print "Content-Type: application/x-x509-user-cert\n\n"; 
in perl to have the certificate installed in browser.  

print "Content-Length: $len\n\n"; 
is not necessary.

But I still can not get certificate at browser although it has been signed by CA.
What's more, strlen(result) is not equal to i. For example, i is 834 but
strlen(result) is 30. I do not know the reason.

Can you offer any help? Thanks!

Karl
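
A corrected version of the CGI program discussed in this thread, as an added example that is not code from any of the posters: it reads each byte once into an int, drops line breaks as Hirsch suggests, terminates the string, and ends the header with a single blank line after Content-Length (Jochen's point). The function names and buffer sizes are assumptions; only the file path and the Content-Type come from the thread.

```c
#include <stdio.h>
#include <string.h>

/* Copy the certificate text from `in` into `body`, dropping CR and LF so the
 * lines are joined into one string. Returns the body length, or -1 if the
 * text does not fit in `cap` bytes including the terminator. */
long read_cert_body(FILE *in, char *body, size_t cap)
{
    size_t n = 0;
    int c;  /* int, not char: getc() returns EOF as an out-of-band value */

    if (cap == 0)
        return -1;
    while ((c = getc(in)) != EOF) {     /* exactly one getc() per byte */
        if (c == '\n' || c == '\r')
            continue;
        if (n + 1 >= cap)
            return -1;                  /* keep room for the terminator */
        body[n++] = (char)c;
    }
    body[n] = '\0';                     /* so strlen(body) == n */
    return (long)n;
}

/* Write the CGI response into `out`: header lines, exactly one blank line,
 * then the body. Returns the total length, or -1 if it does not fit. */
long format_cgi_response(const char *body, size_t body_len,
                         char *out, size_t cap)
{
    int hdr = snprintf(out, cap,
                       "Content-Type: application/x-x509-user-cert\n"
                       "Content-Length: %lu\n"
                       "\n",
                       (unsigned long)body_len);

    if (hdr < 0 || (size_t)hdr + body_len >= cap)
        return -1;
    memcpy(out + hdr, body, body_len);
    out[hdr + body_len] = '\0';
    return (long)hdr + (long)body_len;
}

/* Offset of the first byte after the first blank line, which is where a
 * client stops parsing headers and starts the body; -1 if there is none. */
long header_end(const char *resp)
{
    const char *p = strstr(resp, "\n\n");
    return p ? (long)(p - resp) + 2 : -1;
}

int main(void)
{
    static char body[8192], resp[8400];     /* assumed upper bounds */
    FILE *in = fopen("/usr/local/ssl/certs/cert.result", "r"); /* path from the thread */
    long n, total;

    if (in == NULL)
        return 1;
    n = read_cert_body(in, body, sizeof body);
    fclose(in);
    if (n < 0)
        return 1;
    total = format_cgi_response(body, (size_t)n, resp, sizeof resp);
    if (total < 0)
        return 1;
    return fwrite(resp, 1, (size_t)total, stdout) == (size_t)total ? 0 : 1;
}
```

Calling header_end() on a response that has "\n\n" right after Content-Type returns an offset that points at the Content-Length line, which is the behaviour Jochen describes.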
 






Re: Certificates and authorities.

2000-02-25 Thread Massimiliano Pala

winterlion wrote:
 
> Okay, I'm trying to get a test WWW-server setup.
> And am not ready yet to pick up official cert...
>
> Is it possible to run a test-cert for a short period (and how to limit
> period) that at least netscape 4 will accept (though maybe with a
> warning)?

You could simply use a certificate expiring after 30 days. If you still
want to use it, simply renew it...

C'you,

Massimiliano Pala ([EMAIL PROTECTED])


RE: Problem importing Certs in Netscape windows.

2000-02-25 Thread Francisco Javier Martínez Martínez

Thanks a lot, but I had done what you suggested, and the browser says
the same, that the certificate is not valid or may be corrupted (only in
Windows). :-(
Note: I had installed in the browser the signer's certificate.
Any help, please?
Thanks in advance.

- Original Message -
From: Barnes, Michael L. [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 24, 2000 5:53 PM
Subject: RE: Problem importing Certs in Netscape windows.


> that is how I do it, except I export the p12 with the -name "Some name"
> field.  I thought that was required for all netscape p12s but apparently
> not if it works under linux.
>
> Mike
>
> -Original Message-
> From: Francisco Javier Martínez Martínez [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 24, 2000 4:36 AM
> To: [EMAIL PROTECTED]
> Subject: Problem importing Certs in Netscape windows.
>
> Hello.
> Recently I had setup a test CA.
> I had created and signed a few certificates with openssl, which can be
> imported in PKCS12 format without problems into Linux Netscape, I had
> tested encrypted and signed emails successfully, but when I had tried to
> import the same certificates into Windows Netscape the system says: 'it
> can't be imported because they are not valid certificates or may be
> corrupted'.
> Some time ago I read that this could be something related with the
> headers of the certificate in 'PEM' format that it expects that start
> with or without something.
> Can anyone tell me what I should do or what is wrong?
> In outlook works fine.
>
> To generate the client certificates:
>
>  1. Generating private keys.
>
> # openssl genrsa -rand ./private/.rand.dat -des3 1024 > xxkey.pem
>
>  2. Generating CSR.
>
> # openssl req -new -config openssl.cnf -key xxkey.pem -out xxreq.pem
>
>  3. Signing the CSR.
>
> # openssl ca -config openssl.cnf -in xxreq.pem -out xxcert.pem
>
>  4.1. Exporting in Netscape PKCS12 format.
>
> # openssl pkcs12 -export -in xxcert.pem -inkey xxkey.pem -out xx.p12
>
>  4.2. Exporting MS Outlook PKCS12 format.
>
> # openssl pkcs12 -export -in xxcert.pem -inkey xxkey.pem -keysig -keyex -out xx.pfx
>
>
> Thanks in advance.




Re: [ANNOUNCE] OpenSSL 0.9.5 beta1 available

2000-02-25 Thread Franz Sirl

At 18:45 24.02.00 , Ulf Moeller wrote:
> The first beta release of OpenSSL 0.9.5 is now available from the
> OpenSSL FTP site URL: ftp://ftp.openssl.org/source/.
>
> The release of OpenSSL 0.9.5 is scheduled for next Monday.  To make
> sure that it will work correctly, please test this version (especially
> on less common platforms), and report any problems to
> [EMAIL PROTECTED].

Built and tested OK on Linux/PPC, glibc-2.1.3, gcc-2.95.2:

OpenSSL 0.9.5beta1 24 Feb 2000
built on: Fri Feb 25 05:55:53 MST 2000
platform: linux-ppc
options:  bn(64,32) md2(int) rc4(ptr,int) des(idx,cisc,4,long) idea(int) 
blowfish(idx)
compiler: gcc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall


Just one minor nit, please incorporate this patch, cause gcc knows about 
longlong:

diff -u Configure.~1~ Configure
--- Configure.~1~   Wed Feb 23 15:45:22 2000
+++ Configure   Fri Feb 25 05:53:17 2000
@@ -270,7 +270,7 @@
  "debug-linux-elf","gcc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG 
-DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence:BN_LLONG 
$x86_gcc_des $x86_gcc_opts:$x86_elf_asm",
  "linux-aout",  "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 
-Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm",
  "linux-mips",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer 
-Wall::(unknown)::BN_LLONG:::",
-"linux-ppc","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer 
-Wall::(unknown)",
+"linux-ppc","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer 
-Wall::(unknown)::BN_LLONG:::",
  "NetBSD-sparc","gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall 
-DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::",
  "NetBSD-m68",  "gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall 
-DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::",
  "NetBSD-x86",  "gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 
-Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:",
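
Review bot: the `+"linux-ppc"` line turns on BN_LLONG, but the message does not say whether the `bn(64,32)` build report above was produced with this entry already in place; since BN_LLONG changes how the bignum code forms double-word products, please state that the test suite was run with the patched Configure. The removed and added lines are also each wrapped onto a second line without a `-`/`+` prefix, so the hunk will not apply as posted; resend it unwrapped or as an attachment.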

Thanks,
Franz.




Re: Installing as Root into NS and MSIE

2000-02-25 Thread Michael Sierchio

drew wrote:

> does anyone have information about getting ones CA cert installed into
> Microsoft and Netscapes Browsers, ie becoming a fully qualified CA

I think a few hundred thousand dollars (US) would do it.



Re: Confused: RSA - DH - Keys - Certificates authentication?

2000-02-25 Thread Michael Sierchio

"Grebelsky, Konstantin" wrote:

> I have the following problem: I have a server and client application. All I
> want to do is to secure (encrypt) the link (TCP/IP) between the
> applications. I want to be able to authenticate both parties upon connection
> using public key. I don't want to use certificates. The idea is that I'd
> authenticate the remote party using just public key.

But authentication is done with private keys...

> As far as I understood from different sources this is not possible without
> RSA since with DH we can not get public keys (limitations of SSLeay)? Thus
> either I have to pay RSA or I have to create or obtain certificates to use
> with DH because then I will be able to authenticate client and server
> without need to get and save actual public keys?

DH public keys include the public DH parameters, which may be shared
among a group of users.  There are profiles for embedding DH parameters
in X.509 certs,  and while DH cannot be used to create digital
signatures (i.e. an authenticator which may be verified by any
third party),  there are methods of proof-of-possession of the
private key corresponding to a cert.  So, for pairwise auth or
encryption, you can use DH.

I have no idea how to do this in OpenSSL.

You still should sign certs with DSA or RSAwithMD5 or some such.

For using unsigned Diffie-Hellman certs, and the certificate discovery
protocol used in SKIP, see http://www.skip-vpn.org/



Re: Certificate management tools

2000-02-25 Thread Andy Moskoff

On Thu, 24 Feb 2000, Mike Hoegeman wrote:

> Andy Moskoff wrote:
>
> andy, you rule. send me a copy..
>
> -mike
>

Sure. It's attached. Remember -- it's still pretty basic and may
have some bugs (in fact, it probably does). The only thing I ask
is that you send me any changes you make (diff -c or the whole
thing). I decided to keep the tcl code very basic as I didn't
know what version people were building their expectk with.

---
Andy Moskoff            e-mail: [EMAIL PROTECTED]
Senior Software Engineer
Symark Software

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCS d- s: a+ C UL+++ P++ L++ E--- W N++ o-- K- w--- 
O- M- V- PS PE Y PGP- t++ 5- X+ R- tv b+ DI++ D 
G-- e++ h+ r y+ 
--END GEEK CODE BLOCK--


#!/bin/sh
#\
exec expectk -f "$0" ${1+"$@"}

# Copyright (c) 2000 Symark Software. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in
#    the documentation and/or other materials provided with the
#    distribution.
#
# 3. All advertising materials mentioning features or use of this
#    software must display the following acknowledgment:
#    "This product includes software developed by Symark Software
#    for use in the OpenSSL Toolkit. (http://www.symark.com/)"
#
# 4. Redistributions of any form whatsoever must retain the following
#    acknowledgment:
#    "This product includes software developed by Symark Software
#    for use in the OpenSSL Toolkit (http://www.symark.com/)"
# 
# THIS SOFTWARE IS PROVIDED BY SYMARK SOFTWARE ``AS IS'' AND ANY
# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL SYMARK SOFTWARE OR
# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
# OF THE POSSIBILITY OF SUCH DAMAGE.

#
# Show error to user
#
proc showerror { msg reason } {

catch {destroy .dialog}
tk_dialog .dialog "Certificate Utility Error" \
   "$msg: \n$reason" error 0 OK
}

#
# Show informational message
#
proc showinfo { msg } {

catch {destroy .dialog}
tk_dialog .dialog "Certificate Utility Message" $msg info 0 OK
}

#
# Procedure to create panel for new certificate requests
#
proc newreq { w m } {
global tkca_newreq
global tkca

# Set the following values then generate the request
#   Country Name (2 letter code) [AU]:
#   State or Province Name (full name) [Some-State]:
#   Locality Name (eg, city) []:
#   Organization Name (eg, company) [Internet Widgits Pty Ltd]:
#   Organizational Unit Name (eg, section) []:
#   Common Name (eg, YOUR name) []:
#   Email Address []:

# Remove existing window if any...
catch "destroy [winfo children $w]"
catch "destroy [winfo children $m]"

# Enable Pass Phrase Option
.main.menubar.options.menu entryconfigure 0 -state normal
set tkca(passphrase) 1

# Set defaults 
set tkca(title) "Generate a Certificate Request"
set tkca_newreq(cc) US
set tkca_newreq(st) California
set tkca_newreq(ln) "Westlake Village"
set tkca_newreq(org) "Symark Software"
set tkca_newreq(ou) Engineering
set tkca_newreq(cn) Symark
set tkca_newreq(email) [EMAIL PROTECTED]
set tkca_newreq(passphrase) {} 
set tkca_newreq(newreq) newreq.pem 
set tkca_newreq(days) 10 

# New request panel 
label $w.l_cc -text "Country Code"
entry $w.e_cc -width 3 -textvariable tkca_newreq(cc)
label $w.l_st -text "State or Province Name"
entry $w.e_st -width 25 -textvariable tkca_newreq(st)
label $w.l_ln -text "Locality Name"
entry $w.e_ln -width 25 -textvariable tkca_newreq(ln)
label $w.l_org -text "Organization Name"
entry $w.e_org -width 25 -textvariable tkca_newreq(org)
label $w.l_ou -text "Organization Unit"
entry $w.e_ou -width 25 -textvariable tkca_newreq(ou)
label $w.l_cn -text "Common Name"
entry $w.e_cn -width 25 -textvariable 

Re: Confused: RSA - DH - Keys - Certificates authentication?

2000-02-25 Thread Dr Stephen Henson

Michael Sierchio wrote:
>
> "Grebelsky, Konstantin" wrote:
>
> > As far as I understood from different sources this is not possible without
> > RSA since with DH we can not get public keys (limitations of SSLeay)? Thus
> > either I have to pay RSA or I have to create or obtain certificates to use
> > with DH because then I will be able to authenticate client and server
> > without need to get and save actual public keys?
>
> DH public keys include the public DH parameters, which may be shared
> among a group of users.  There are profiles for embedding DH parameters
> in X.509 certs,  and while DH cannot be used to create digital
> signatures (i.e. an authenticator which may be verified by any
> third party),  there are methods of proof-of-possession of the
> private key corresponding to a cert.  So, for pairwise auth or
> encryption, you can use DH.
>
> I have no idea how to do this in OpenSSL.
 

OpenSSL doesn't support DH certificates though it may in future. 

My queries about test vectors for DH X9.42 parameter generation in lots
of places (including S/MIME v3 where it is supposed to be a mandatory
algorithm) have resulted in zero replies. Conclusions about the
popularity of X9.42 are left as an exercise for the reader...

Anyway back to the original poster's query:

> "Grebelsky, Konstantin" wrote:
>
> > I have the following problem: I have a server and client application. All I
> > want to do is to secure (encrypt) the link (TCP/IP) between the
> > applications. I want to be able to authenticate both parties upon connection
> > using public key. I don't want to use certificates. The idea is that I'd
> > authenticate the remote party using just public key.
 


What's wrong with using certificates? You can have client and server use
DSA self signed certificates and use SSL without RSA. You then won't
have problems with either the RSA patent or getting a CA to issue
certificates.

Alternatively if you insist on not using certificates then you can use
anonymous DH and authenticate using whatever method you wish. External
authentication is advisable because without it anon DH is vulnerable to
a man in the middle attack.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.





Problems compiling on Solaris x86 (7)

2000-02-25 Thread Aaron Gray

I am trying to compile OpenSSL on my Solaris x86 box and I receive the error
message below.
Can anyone help?

make[2]: Entering directory `/usr/agray/openssl-0.9.4/crypto/sha'
gcc -I.. -I../../include -DTHREADS -D_REENTRANT -O3 -fomit-frame-pointer
-m486 -Wall -DL_ENDIAN -DSHA1_ASM -DMD5_ASM -DRMD160_ASM   -c sha_dgst.c -o
sha_dgst.o
Assembler: sha_dgst.c
aline 274   : Illegal mnemonic
aline 274   : syntax error
aline 279   : Illegal mnemonic
aline 279   : syntax error
aline 284   : Illegal mnemonic
aline 284   : syntax error
aline 289   : Illegal mnemonic
aline 289   : syntax error
aline 472   : Illegal mnemonic
aline 472   : syntax error
aline 477   : Illegal mnemonic
aline 477   : syntax error
aline 482   : Illegal mnemonic
aline 482   : syntax error
aline 487   : Illegal mnemonic
aline 487   : syntax error
make[2]: *** [sha_dgst.o] Error 1
make[2]: Leaving directory `/usr/agray/openssl-0.9.4/crypto/sha'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory `/usr/agray/openssl-0.9.4/crypto'
make: *** [all] Error 1



Problem found when upgrade to openssl-0.9.5

2000-02-25 Thread Dennis Xu



When I upgrade my applications by using openssl-0.9.5 beta1 to
replace openssl-0.9.4, at running time I found:
"error:02001003:system library:fopen:BN lib"
when function called at: SSL_CTX_load_verify_locations(ssl,caPath,caFile);

I compile and run both versions in the same environment. What
is wrong?

Dennis


Compile Problems With .94

2000-02-25 Thread Tom Schaefer


OK, what am I doing wrong.
I've been successful on some systems, but it fails on others, and I
really have no clue as to why.
I run everything the way you show in the docs, but it fails. Now it
seems to be failing more than not, and I don't know what's missing from
my system, i.e. some sort of lib file or what in order to make your software
compile properly.
I invoked:
fw:/usr/src/openssl-0.9.4 # make -I/usr/src/openssl-0.9.4/include/openssl
It seems to make it all the way through, but towards the end, we get this:
make[1]: Entering directory `/usr/src/openssl-0.9.4/apps'
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c verify.c -o verify.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c asn1pars.c -o asn1pars.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c req.c -o req.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c dgst.c -o dgst.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c dh.c -o dh.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c enc.c -o enc.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c gendh.c -o gendh.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c errstr.c -o errstr.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c ca.c -o ca.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c pkcs7.c -o pkcs7.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c crl2p7.c -o crl2p7.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c crl.c -o crl.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c rsa.c -o rsa.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c dsa.c -o dsa.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c dsaparam.c -o dsaparam.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c x509.c -o x509.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c genrsa.c -o genrsa.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c gendsa.c -o gendsa.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c s_server.c -o s_server.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c s_client.c -o s_client.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c speed.c -o speed.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c s_time.c -o s_time.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c apps.c -o apps.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c s_cb.c -o s_cb.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c s_socket.c -o s_socket.o
gcc -DMONOLITH -I../include -DTHREADS -D_REENTRANT
-DREF_CHECK -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -c version.c -o 

make mycert.crt

2000-02-25 Thread Osvaldo Brito

Hi,

I want to sign a certificate to my server with a self signed CA. I've
done this:

openssl ca -config openssl.cnf -in server.csr -out server.crt

and I've got this error message:

CA ceertificate and CA private key do not match
2946:error:0B080074:x509 certificate routines:X509_check_private_key:key
values mismatch:x509_cmp.c:264:

Anyone?

Thanks in advance.

Osvaldo Brito

  [EMAIL PROTECTED] 
  [EMAIL PROTECTED]   





making a server certificate problem

2000-02-25 Thread Osvaldo Brito

Hi, 

I want to generate a server certificate. For that have to sign my
server.csr file with my self signed CA. I used this:

openssl ca -config openssl.cnf -md md5 -keyfile ca.key -cert ca.crt -in
server.csr -out mycert.crt 

and I've got this error message:

wrong number of fields on line  1 (looking for field 6, got 1, '' left)


What's the problem?

Thanks in advance.

Osvaldo Brito

  [EMAIL PROTECTED] 
  [EMAIL PROTECTED]   

