error 20 at 0 depth lookup:unable to get local issuer certificate

2000-06-13 Thread per

Hi,

I'm having trouble with openssl. I guess this is a typical newbie-problem,
but I'm unable to find any help in the online manual or the man pages
distributed with openssl.

When I run a program which uses SSL (mico; www.mico.org) I get the
following error message:
SSL verify error: unable to get local issuer certificate
SSL verify error: certificate not trusted
SSL verify error: unable to verify the first certificate

When I try openssl validate cert name I get:
pelle: /C=AU/ST=QLD/O=Mincom Pty. Ltd./OU=\x09/CN=PelleMell
error 20 at 0 depth lookup:unable to get local issuer certificate

I have generated this certificate by issuing the following commands from
the command line (much stolen from the mod_ssl help page):
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl ca  -infiles  server.csr

I've tried to use the demoCA distributed with openssl. I've moved that
directory to /usr/local/ssl and the relevant(?) openssl.conf lines read:
[ CA_default ]

dir             = /usr/local/ssl/demoCA   # Where everything is kept
certs           = $dir/certs              # Where the issued certs are kept
crl_dir         = $dir/crl                # Where the issued crl are kept
database        = $dir/index.txt          # database index file.
new_certs_dir   = $dir/newcerts           # default place for new certs.

certificate     = $dir/cacert.pem         # The CA certificate
serial          = $dir/serial             # The current serial number
crl             = $dir/crl.pem            # The current CRL
private_key     = $dir/private/cakey.pem  # The private key
RANDFILE        = $dir/private/.rand      # private random number file


Does anyone know what's going wrong here? Very thankful for any advice.

Best Regards
Per Mellstrand
[EMAIL PROTECTED]

Software Engineering Student at the University of Karlskrona/Ronneby

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Explanation needed of bio, etc...

2000-06-13 Thread Alwyn Schoeman

Hi,

Could someone please explain the following to me:

1) Is bio blocking i/o? If so, why and when do you use it?
2) When do you use straight SSL_read/SSL_write and is this non-blocking?
3) If 2 is non-blocking, can I use select to read/write?
4) Say I want to write an SSL client that will communicate with a webserver.
How do I know that I have received all the data for the page? So SSL_READ
until I've received what, or is there some state information somewhere?
5) This app in 4 will do a lot of small transactions to the same web server and
will also be called from a php script. It will have to do validation of the
server certificate too... How can I make this SSL connection persistent so that
I don't need to verify the certificate every time?
6) Where can I get some decent documentation on the functions in the openssl
library? The manpages don't quite cut it if you don't know what you must
combine in what order to achieve your goal...

Thank you
Alwyn Schoeman


 PGP signature


elliptic curve cryptography advice needed

2000-06-13 Thread Sagar Chitnis

Hello ALL,

I am working on writing an SSL Client. My client code just supports the
elliptic curve algorithm (no RSA). I have not used openssl for writing this
client but have used a third party library. Unfortunately, there is no
support for RSA in the client.

I need a pop/smtp/imap SSL server that supports ECC (elliptic cryptogram)
for testing. Most servers I know support ONLY RSA.

Is there an openssl server that I can download to test my code?
Does this server support elliptic cryptogram algorithm?

Please could you advise if you know of any other servers I can test my
client against?

Thanking you.

Sincerely,
Sagar.




Re: Free CA

2000-06-13 Thread Dr Stephen Henson

Richard Levitte - VMS Whacker wrote:
>
> Oh, what a beautiful mixup I did there between server and client
> certs!  Even got myself confused :-).  However, the fact still
> remains, there's no trust path of value to me, the value of certer
> certs in themselves is more or less none, except to give the server
> and my browser a chance to start an encrypted session, which is
> probably fine for most people.  And from that point of view you're
> absolutely right, the warning about an unknown CA is just an
> annoyance.  But hey, it would be possible for someone to get a
> perfectly legal CA cert signed by, Thawte, and then use it to sign a
> cert presumably for, oh say, Amazon, and thereby fool a whole bunch of
> people.  And in that case, a *silent* browser is a bit more scary to
> me.  Setting up a secure channel is nice enough, but authentication is
> a different matter, and depending on your level of paranoia, quite a
> difficult one at that.
>
> People just don't have that clue yet...  Or maybe I'm just overly
> paranoid...
>

Paranoia is essential for crypto work :-)

I reckon this kind of issue is likely to become more important as more
CAs get added to browsers.

A corrupt CA or one which can be forcibly persuaded (e.g. by government
security agencies) to issue bogus certificates can wreak havoc with
typical browser or S/MIME client behaviour.

For example if some country wants to monitor all traffic to a certain
secure site it issues a bogus certificate from its trusted CA and then
performs a man in the middle attack on its gateways.

S/MIME can be handled because many pieces of software will silently
replace a certificate with a new one. So sending a signed message with
the fake ID to the 'victim' allows all traffic from then on to be read.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




Advice about encrypting short strings

2000-06-13 Thread Magnus Stenman

Hi!

I was wondering if someone could help me out on a
crypto-related question;

I want to encrypt short strings (passwords, actually)
and be able to decrypt them later.

I only have access to Perl, and its MD5 and crypt (3des?),
and do not want to rely on any non-standard Perl modules.

To just use the passphrase and create a md5 digest, and
XOR that with the cleartext strings would work, I guess,
but it feels like that would introduce some weaknesses...

I guess I could make a digest out of the first digest and so on
until I have a long enough string to XOR all the short strings,
but I need random access to the strings

Could a salt help?

Anyone done this before?


TIA

/magnus
 S/MIME Cryptographic Signature
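
The weaknesses suspected in the message above, and what a per-string salt changes, as an added example that is not part of the original post. It is written in Python rather than the poster's Perl; the function names, the HMAC-MD5 counter construction and the sample strings are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def chained_keystream(passphrase: bytes, length: int) -> bytes:
    """Scheme from the post: MD5(passphrase), then MD5 of each previous digest."""
    block = hashlib.md5(passphrase).digest()
    stream = block
    while len(stream) < length:
        block = hashlib.md5(block).digest()
        stream += block
    return stream[:length]


def chained_encrypt(passphrase: bytes, data: bytes) -> bytes:
    """XOR with the chained keystream; the same call decrypts."""
    return xor(data, chained_keystream(passphrase, len(data)))


def recover_from_known_pair(known_plain: bytes, known_cipher: bytes,
                            other_cipher: bytes) -> bytes:
    """Weakness 1: every string shares one keystream, so a single known
    plaintext/ciphertext pair exposes it for all other stored strings."""
    return xor(other_cipher, xor(known_plain, known_cipher))


def extend_leaked_block(first_block: bytes, length: int) -> bytes:
    """Weakness 2: each later block is MD5 of the previous block only, so
    16 exposed keystream bytes yield the rest without the passphrase."""
    block, stream = first_block, first_block
    while len(stream) < length:
        block = hashlib.md5(block).digest()
        stream += block
    return stream[:length]


def salted_keystream(passphrase: bytes, salt: bytes, length: int) -> bytes:
    """Assumed alternative: block i = HMAC-MD5(passphrase, salt || i).
    Every block needs the passphrase, and any block can be computed
    directly, which keeps random access."""
    stream = b""
    counter = 0
    while len(stream) < length:
        msg = salt + counter.to_bytes(4, "big")
        stream += hmac.new(passphrase, msg, hashlib.md5).digest()
        counter += 1
    return stream[:length]


def salted_encrypt(passphrase: bytes, plaintext: bytes, salt: bytes = None):
    """Fresh random salt per string, stored next to the ciphertext.
    XOR alone gives no integrity: a modified ciphertext is not detected."""
    salt = os.urandom(16) if salt is None else salt
    return salt, xor(plaintext, salted_keystream(passphrase, salt, len(plaintext)))


def salted_decrypt(passphrase: bytes, salt: bytes, ciphertext: bytes) -> bytes:
    return xor(ciphertext, salted_keystream(passphrase, salt, len(ciphertext)))


if __name__ == "__main__":
    pw = b"constructed passphrase"                   # constructed sample values
    p1, p2 = b"hunter2-alpha", b"s3cret-bravo!"
    c1, c2 = chained_encrypt(pw, p1), chained_encrypt(pw, p2)
    print("unsalted, p2 from known p1:", recover_from_known_pair(p1, c1, c2))
    (s1, e1), (s2, e2) = salted_encrypt(pw, p1), salted_encrypt(pw, p2)
    print("salted, same attempt:      ", recover_from_known_pair(p1, e1, e2))
    print("salted, proper decrypt:    ", salted_decrypt(pw, s2, e2))
```
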


RE: Problem generating RSA keys using 64-bit compile on IRIX

2000-06-13 Thread Karsten Spang

Hi Philip

Just searched the archives and found your message. I had the same problem,
and submitted a patch, not long ago. I also have another 64 bit related
patch. Both are included below
--
Karsten Spang
Senior Software Developer, Ph.D.
Belle Systems A/S
Tel.:   +45 59 44 25 00
Fax.:   +45 59 44 25 88
E-mail: [EMAIL PROTECTED]
Web:http://www.bellesystems.com/
Defining the Future of IP Services


*** rsa_gen.c.dist  Sat Feb  5 15:17:30 2000
--- rsa_gen.c   Mon May 29 15:19:31 2000
***
*** 95,101 
 * unsigned long can be larger */
for (i=0; isizeof(unsigned long)*8; i++)
{
!   if (e_value  (1i))
BN_set_bit(rsa-e,i);
}
  #else
--- 95,101 
 * unsigned long can be larger */
for (i=0; isizeof(unsigned long)*8; i++)
{
!   if (e_value  (1ULi))
BN_set_bit(rsa-e,i);
}
  #else
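
Review bot: On the changed line inside the for loop, nothing explains why the UL suffix is needed. The loop counts i up to sizeof(unsigned long)*8, and a plain 1 is an int, so shifting it by 32 or more is undefined where unsigned long is 64 bits. Extend the existing comment ("unsigned long can be larger") to say the shifted constant must be as wide as the loop bound, and confirm e_value is declared unsigned long so both operands have the same width.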



*** s3_clnt.c.dist  Mon Mar 27 23:28:27 2000
--- s3_clnt.c   Thu May 25 13:36:57 2000
***
*** 466,472 
p=s-s3-client_random;
Time=time(NULL);/* Time */
l2n(Time,p);
!   RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
  
/* Do the message type and length last */
d=p= (buf[4]);
--- 466,472 
p=s-s3-client_random;
Time=time(NULL);/* Time */
l2n(Time,p);
!   RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
  
/* Do the message type and length last */
d=p= (buf[4]);
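
Review bot: The literal 4 in RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) is a magic number. It has to equal the number of bytes l2n(Time,p) has just written, which is 4 whatever sizeof(Time) is; with an 8-byte Time the old expression left the last 4 bytes of client_random unfilled. Add a comment tying the 4 to l2n (or use a named constant) so nobody restores the sizeof later. The return value of RAND_pseudo_bytes is also ignored on this line.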
*** s3_srvr.c.dist  Mon Mar 27 23:28:28 2000
--- s3_srvr.c   Thu May 25 13:36:04 2000
***
*** 837,843 
p=s-s3-server_random;
Time=time(NULL);/* Time */
l2n(Time,p);
!   RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
/* Do the message type and length last */
d=p= (buf[4]);
  
--- 837,843 
p=s-s3-server_random;
Time=time(NULL);/* Time */
l2n(Time,p);
!   RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
/* Do the message type and length last */
d=p= (buf[4]);
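
Review bot: The bare 4 on the changed RAND_pseudo_bytes line duplicates the literal used for the same correction in s3_clnt.c. Put the length of the l2n(Time,p) timestamp in one shared definition used by both the client and server hello code so the two cannot drift apart, and check the RAND_pseudo_bytes result before server_random is used.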
  



PLEASE HELP ME...............................!!!!

2000-06-13 Thread Pamu Radhakrishna

hi,
You know that OpenSSL supports DES for encryption of
data. So if you want to establish a communication link
between client & server then you must use a secret
key.

Now my question is, what does the certificate contain?
I mean what public keys it contains & for what purpose
they can be used?

Could anybody tell me, before encryption of actual data
using secret key, what are the necessary steps that
could be performed to share the secret key?

ThanX
--Radha





Re: Free CA

2000-06-13 Thread Arley Carter



On Mon, 12 Jun 2000, Yuji Shinozaki wrote:

> I think the problem is multi-leveled:

<snip>

> 4. At the practical and everyday level, we can be pretty sure that the
> certs delivered with Netscape and IE are OK.  If we go to some fairly
> well-traversed public site using one of these certs, some red flags will
> go up when the you get signature mis-matches...  That will tip you off
> that your cert list has been compromised.  Besides you could say: "What am
> I risking? I take a no less a risk when I give my credit card to the
> cashier, or when I order that L.L. Bean hunting jacket over the phone.
> Don't bother me with your paranoia."

Therein lies part of the problem and also part of the answer on how CA's
should be structured.  The market niche for CA's needs to be defined more
clearly.  Internet credit card commerce did not start to take off until
last Christmas season when banks generally agreed that a web or internet
credit card transaction classified as a "card not present" transaction,
the same as a mail order telephone transaction.  The card holder is
not liable for misuse or loss.  The risk of loss is totally with the
bank and the merchant.

An interesting question is "What less of loss is the bank willing to
absorb before it becomes economically viable for the bank consortiums that
run Mastercard and Visa to begin issuing and mandating the use of the
bank issued cert for transactions?"  Implementing or mandating the use I
believe is just as big a marketing problem as a technical problem.

Bank 1 :  "More secure"  Bank 2 :  "Less hassle"
Refrain with apologies to the beer industry. ;-)

Compared to the total volume, credit card usage Internet usage is still a
tiny fraction.  With Internet time however, I wouldn't want to guess
a product life cycle time here.

This leaves 999 (at least) other uses for CA's.  Time needs to be spent on
how to define these market niches, scale economies and implementation
issues.

Cheers:
-arc

Arley Carter[EMAIL PROTECTED]
Tradewinds Technologies, Inc.   www.twinds.com
Winston-Salem, NC  USA  Network Engineering  Security  






ftps:// ??

2000-06-13 Thread Emili Sanroma - RI

Is it possible to connect to a FTP server using a 
ftps://server.ftp.org URL for netscape or explorer?
It will be a good chance to connect to our file server
(ftps:[EMAIL PROTECTED])

We use linux servers with ssl & ssh telnet.
What package may I install?

Please, reply to [EMAIL PROTECTED]






Re: ftps:// ??

2000-06-13 Thread Richard Levitte - VMS Whacker

From: Emili Sanroma - RI [EMAIL PROTECTED]

Emili.Sanroma> Is it possible to connect to a FTP server using a
Emili.Sanroma> ftps://server.ftp.org URL for netscape or explorer?
Emili.Sanroma> It will be a good chance to connect to our file server
Emili.Sanroma> (ftps:[EMAIL PROTECTED])

As far as I know, there's no "ftps:" protocol designator.  In any
case, using SSL in that manner has proved to be an unnecessary overuse
of port numbers, and not really adequate for all the possible uses.
Instead, protocols like HTTP, SMTP and FTP are getting added commands
or options to switch to SSL during a session.

I don't currently recall the drafts and RFC's describing this, but I'm
sure that you can find them all in the Security Area of IETF
(http://www.ietf.org).

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.



Re: PLEASE HELP ME...............................!!!!

2000-06-13 Thread Doris Diedrich

Hi,
in short:
using SSL you have two parts of encryption:
first a public/secret key system (asymmetric cryptography) is used to
establish a connection and to agree for a common secret key.
When both parties have agreed to that common secret key (which is, in
short, encrypted with the public keys (very short, this is) ) the common
secret key is used for the encrypting of the exchanged data.
So, for agreement for a common secret key, asymmetric cryptography is
used.
To be sure you use the true public key of your party (so nobody else's
key, maybe that of a man-in-the-middle) you get a certificate.

Why a certificate?
Because chances are high that you do not know all keys of all
people/server you want to correspond with. So you get a certificate which
is signed by a CA (certificate authority) that you know and that you can
trust.
More to find in literature.

Hope this helps

Doris

On Tue, 13 Jun 2000, Pamu Radhakrishna wrote:

> hi,
> You know that OpenSSL supports DES for encryption of
> data.So if you want to establish a communication link
> between client & server then you must use a secret
> key.
>
> Now my question is,What the certificate contains?
> I mean what public keys it contains & for what purpose
> they can be used?
>
> Could anybody tell me,before encryption of actual data
>
> using secret key, what are the necessary steps that
> could be performed to share the secret key?
>
> ThanX
> --Radha
>
 



Re: ftps:// ??

2000-06-13 Thread John Hartnup

On Tue, Jun 13, 2000 at 04:01:50PM +0200, Richard Levitte - VMS Whacker wrote:

> I don't currently recall the drafts and RFC's describing this, but I'm
> sure that you can find them all in the Security Area of IETF
> (http://www.ietf.org).

The relevant document is 
http://search.ietf.org/internet-drafts/draft-murray-auth-ftp-ssl-05.txt

I am unaware of any free client implementation -- there was an implementation
based on SSLeay, which I assume is obsolete. Prove me wrong, folks :)

Windows Kermit95 now ships with an SSLified FTP client.

Check back a month or so back in the archive of this mailing list -- there
was a discussion about secure FTP, why merely SSLifying certain sockets is
undesirable, the protocol's position in the standards process etc, which it
seems a little redundant to repeat...

-- 
---
Ooh, it's 'orrible being in love when you're eight and a half.
I've got your picture on my wall and your name upon my scarf.
---




Re: Free CA

2000-06-13 Thread Douglas Wikström

Hello!

> > 4. At the practical and everyday level, we can be pretty sure that the
> > certs delivered with Netscape and IE are OK.  If we go to some fairly
> > well-traversed public site using one of these certs, some red flags will
> > go up when the you get signature mis-matches...  That will tip you off
> > that your cert list has been compromised.  Besides you could say: "What am
> > I risking? I take a no less a risk when I give my credit card to the
> > cashier, or when I order that L.L. Bean hunting jacket over the phone.
> > Don't bother me with your paranoia."
>
> There in lies part of the problem and also part of the answer on how CA's
> should be structured.  The market niche for CA's needs to be defined more
> clearly.  Internet credit card commerce did not start to take off until
> last Christmas season when banks generally agreed that a web or internet
> credit card transaction classified as a "card not present" transaction,
> the same as a mail order telephone transaction.  The card card holder is
> not liable for misuse or loss.  The risk of loss is totally with the
> bank and the merchant.
What you are saying is that I am free to buy stuff on the internet,
sending the seller my creditcard number, and then tell the Bank it was
not me. Given the following attack scenario I can't believe that is the
case:

1) I use my own creditcard to buy software on the internet using some
free of charge provider of space and email. Then I go to the nearest
internet-cafe with my zip disk and download the software. I never use
the free space or email again. In this way I can get ANY information for
free virtually without any risk of being caught.

2) Imagine what this means when/if selling of information (eg software)
on the net grows (which is not unrealistic given high performance
connections). Anybody can use my creditcard number to get software for
free. Note that this is NOT the case with the traditional postal order
companies (see above) (or pizza delivery :-) since in that case somebody
needs to physically be present when receiving the merchandise (since the
merchandise is of physical nature). It is hard for the Bank to argue
that I received something sent to a total stranger, and it involves some
work for the stranger to cover his tracks if the fraud is large.

The possible gain of the adversary is much larger in the electronic
world than in the real world (the  scenario described above by
somebody else).

3) Note that every time you shop in any store or go to a restaurant
somebody sees your card number. Thus it DOES NOT help to use a special
"internet" creditcard/paycard on the internet that won't allow large
payments.

4) If one is paranoid the only way today is to use either a cash-card,
plain old cash, or to be billed of course.

5) We could fix all this with "physically secure" smartcards, and
infrastructure for using them of course.

> An interesting question is "What less of loss is the bank willing to
> absorb before it becomes economically viable for the bank consortiums that
> run Mastercard and Visa to begin issuing and mandating the use of the
> bank issued cert for transactions?"  Implementing or mandating the use I
> believe just as big a marketing problem as a technical problem.
I agree, this is not a tech problem.
-- 

--
 Douglas Wikström [EMAIL PROTECTED]
--
 Yes, God created Man before Woman,
 but one always makes a draft before the masterpiece.
--



SSL_free

2000-06-13 Thread Levy itai

Hi to all,

Do I have to use the SSL_free (SSL *s) routine after every call to SSL_new
(SSL *s) which allocates memory for the 
SSL structure upon every connection ?
If I use the SSL_free routine it seems to free the session context and I
can't do reuse in the next connection.
I tried to use the s->method->ssl_free(SSL *s) but it seems that there are
memory leaks (it doesn't free all the mallocs).

Which routine should I use in order to clean after every SSL connection, and
also if SSL_accept fails.

please help since this is a very important issue.

Itai Levy,
Algorithmic Research.




S/MIME doesn't work; it is NOT the famous nsCertType problem

2000-06-13 Thread Ivan . Dolezal


Hello and thanks for reading this:


I use OpenSSL 0.9.5a, Red Hat Linux 6.2, Intel platform.

I'm trying to produce PKCS#12 files to be able to keep the all generation
process under my control and to distribute only one file (BTW: why is it
taken for such a security bug?). I do it the following way:

First I generate the certificate request
openssl req -new -out certreq.pem -keyout certreq-privkey.pem -outform PEM

...then I sign it...
openssl x509 -req -CA cacert.pem -CAkey private/cakey.pem -CAcreateserial
-in /usr/local/ssl/certreq.pem -outform pem -out newcert.pem

...and then I try to export it in PKCS#12 format
openssl pkcs12 -export -inkey certreq-privkey.pem -certfile cacert.pem -in
newcert.pem -out pkcs12cert.p12

My openssl.cnf contains in its default section:
x509_extensions = usr_cert

and my [ usr_cert ] section contains only
basicConstraints=CA:FALSE

I've also tried to uncomment
nsCertType = client, email

When I test source PEMs for pkcs12 with x509 -purpose, it says they can be
used for S/MIME signing and encryption.

BUT: whenever I import this PKCS#12 file to Netscape Communicator 4.73
(what works smoothly) and try to send a signed e-mail, it says that I don't
have an e-mail certificate.


My experimental certificate authority obviously works ok,
because when I generate a request from Netscape Communicator using
KEYGEN,
then format it into
C= ...
ST= ...
...
SPKAC=...

file, sign it with

openssl ca -spkac req.raw -out ucert

and download this file with small script as x-x509-user-cert to Netscape, I
CAN send signed e-mail.



What's wrong with my PKCS#12 file? Any idea, what else could be wrong?


=== Thanks in advance! ===


Ivan Dolezal







Re: Free CA

2000-06-13 Thread Arley Carter



On Tue, 13 Jun 2000, Douglas Wikström wrote:

> What you are saying is that I am free to buy stuff on the internet,
> sending the seller my creditcard number, and then tell the Bank it was
> not me. Given the following attack scenario I cant believe that is the
> case:
 
Yup. If you are using a stolen credit card number it happens every day in
the physical world.  If you use your own credit card number and say you
didn't get the merchandise, then the merchant can track the delivery
receipt through the courier.  This would land you in an upcoming edition
of "Dumb crook news". ;-)

If what you bought was bytes of intellectual property, then the marginal
cost to the merchant is zero below a certain percentage of loss before it
threatens the foundation of the economic payment system.  

Bottom line, at a certain level of pain one of two scenarios will happen:
1. Banks will swallow the cost of implementing certs because it is
economically profitable to do so.
2.  The current model of Web commerce with credit cards will collapse, to 
be replaced by some other model.

The market for CA's is not and never will be a one size fits all market. 
What markets do others on the list think will become a viable market for
CA's in the near term, 1-2 years, and medium term, 5 years? 

Cheers:
-arc

Arley Carter[EMAIL PROTECTED]
Tradewinds Technologies, Inc.   www.twinds.com
Winston-Salem, NC  USA  Network Engineering  Security  
 




multithreaded crypto functions

2000-06-13 Thread Richard Dykiel

Hi,

My application calls directly the following functions in OpenSSL:

* EVP_CipherInit/Update/Final, etc..
* PEM_read_PrivateKey, PEM_read_X509, etc...

In a multithreaded context, do these calls need to be encapsulated by calls
to CRYPTO_lock? I happen to have transient failures:

* EVP_DecryptFinal: Bad Decrypt
* PEM_do_header: Bad Decrypt

Thanks..

Richard Dykiel
www.adero.com
978-287-5560 x289





Re: S/MIME doesn't work; it is NOT the famous nsCertType problem

2000-06-13 Thread Dr Stephen Henson

[EMAIL PROTECTED] wrote:
 
> Hello and thanks for reading this:
>
> I use OpenSSL 0.9.5a, Red Hat Linux 6.2, Intel platform.
>
> I'm trying to produce PKCS#12 files to be able to keep the all generation
> process under my control and to distribute only one file (BTW: why is it
> taken for such a security bug?). I do it the following way:
 

The reason this is frowned upon is that the certificate authority then
has a copy of the user's private key and can read any encrypted mail or
forge their signature.

Other techniques like KEYGEN generate the private key on the browser and
never reveal it to the CA.

 
> BUT: whenever I import this PKCS#12 file to Netscape Communicator 4.73
> (what works smoothly) and try to send a signed e-mail, it says that I don't
> have an e-mail certificate.
 

Check security->messenger and select the certificate (assuming it is
listed there) it's security->applications->messenger under PSM. Even if
you have only one certificate and it looks like it's selected click on
the listbox and select it anyway.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.





Re: S/MIME doesn't work; it is NOT the famous nsCertType problem

2000-06-13 Thread Yuji Shinozaki

On Tue, 13 Jun 2000, Dr Stephen Henson wrote:

> [EMAIL PROTECTED] wrote:
> >
> > Hello and thanks for reading this:
> >
> > I use OpenSSL 0.9.5a, Red Hat Linux 6.2, Intel platform.
> >
> > I'm trying to produce PKCS#12 files to be able to keep the all generation
> > process under my control and to distribute only one file (BTW: why is it
> > taken for such a security bug?). I do it the following way:
> >
>
> The reason this is frowned upon is that the certificate authority then
> has a copy of the users private key and can read any encrypted mail or
> forge their signature.
>
> Other techniques like KEYGEN generate the private key on the browser and
> never reveal it to the CA.

Another reason is that the private key in the PKCS12 is symmetrically
encrypted, so you run into the traditional key exchange problems when
trying to deliver the PKCS12 to the end user:  How do you get the
symmetric key to the end user securely?  The public key mechanism avoids
this problem.

yuji

Yuji Shinozaki  Computer Systems Senior Engineer
[EMAIL PROTECTED]   Advanced Technologies Group
(804)924-7171   Information Technology  Communication
http://www.people.virginia.edu/~ys2nUniversity of Virginia




Re: SSL_free

2000-06-13 Thread Arun Venkataraman

If you are talking about reusing SSL structures, you can do
SSL_clear(sslp) and SSL_set_session(sslp, NULL) to try and reuse the old
session. This way, you need not free(). It worked for me. Same holds for
SSL_accept. The only caveat is that you need to use the same method (SSLv23,
SSLv3 etc.) as before.

Arun.

-Original Message-
From: Levy itai [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Date: Tuesday, June 13, 2000 7:45 AM
Subject: SSL_free




Hi to all,

Do I have to use the SSL_free (SSL *s) routine after every call to SSL_new
(SSL *s) which allocates memory for the
SSL structure upon every connection ?
If I use the SSL_free routine it seems to free the session context and I
can't do reuse in the next connection.
I tried to use the s->method->ssl_free(SSL *s) but it seems that there are
memory leaks (it doesn't free all the mallocs).

Which routine should I use in order to clean after every SSL connection,
and
also if SSL_accept fails.

please help since this is a very important issue.

Itai Levy,
Algorithmic Research.




Iaik and Openssl

2000-06-13 Thread Derek DeMoro



Does anybody know how to make openSSL read
certificates and keys created by IAIK?
I think they might implement different OIDs.

Please Help?

Derek DeMoro
Chief Technical Officer
BallotDirect
(650) 799-8490


Re: Free CA

2000-06-13 Thread Leland V. Lammert

At 03:09 PM 6/12/00, you wrote:
> Interesting...  I don't quite understand what the preloaded root certs
> have as extra value.

The ONLY reason for e-commerce folks to sign up with a Root Cert CA (like Verisign or
Thawte) is to prevent the nasty messages when a user initiates an SSL connection.
Other than that, I, for one, will continue to use our self-generated certs <g>.

Lee

   Leland V. Lammert[EMAIL PROTECTED]
  Chief Scientist Omnitec Corporation
  Network/Internet Consultants  www.omnitec.net





Re: Free CA

2000-06-13 Thread EKR

"Leland V. Lammert" [EMAIL PROTECTED] writes:

> At 03:09 PM 6/12/00, you wrote:
> > Interesting...  I don't quite understand what the preloaded root certs
> > have as extra value.
>
> The ONLY reason for e-commerce folks to sign up with a Root Cert CA
> (like Verisign or Thawte) is to prevent the nasty messages when a
> user initiates an SSL connection. Other than that, I, for one, will
> continue to use our self-generated certs <g>.

This message confirms something I've long believed: The messages that
the browser puts up to warn you of errors in certificate verification
are worthless because users don't understand what they mean and will
blithely click through them.

If users accept certificates without some independent way of verifying
the identity of the signer, then this obviates the entire point of
certificates, which is to prevent active attack on the connection.
The vast majority of the complexity of SSL is there to prevent
active attack. By choosing to use unauthenticated certificates,
you are opening the door to a broad class of attacks.

-Ekr






Re: Free CA

2000-06-13 Thread Tom Damon


 
> If users accept certificates without some independent way of verifying
> the identity of the signer, then this obviates the entire point of
> certificates, which is to prevent active attack on the connection.
> The vast majority of the complexity of SSL is there to prevent
> active attack. By choosing to use unauthenticated certificates,
> you are opening the door to a broad class of attacks.
 
I agree completely. Imagine this: I have just connected to a server which I
BELIEVE to be a well known e-commerce site. There may or may not be some
network hanky-panky going on (DNS spoofing, man-in-the-middle...). What
assurance do I have that I'm really connected to the right server? At least,
with the preloaded roots, I have some assurance that a responsible party has
verified the server's identity. It's not a perfect system, but it puts enough
blocks up to make breaking it a non-trivial exercise.




segfault when using crypto library inside netscape plugin (Solaris 2.6/Sparc/openssl-0.9.5a)

2000-06-13 Thread Steve Bazyl



We're having a really strange problem with the openssl crypto library -- it
keeps segfaulting down in SHA1_Update when called from an NSAPI plugin
(running in NES 3.6).

I've tried building the library with optimizations off and all that fun
stuff, and have run the test suite which it passes with flying colors. I've
also written various pieces of test code which drive the crypto lib with
both static and dynamic linking, all works fine. However, every time we run
it inside NES, it crashes.

I've reduced it down to a simple piece of test code which promptly crashes
the web server when invoked.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <nsapi.h>
#include <openssl/rand.h>   /* declares RAND_seed() */

NSAPI_PUBLIC int openssl_test( pblock *param, Session *sn, Request *rq )
{
  char seed[] = "some arbitrary data to seed the random number generator";

  printf ( "seeding..." );
  RAND_seed( seed, sizeof seed - 1); // Probably don't need the -1, but I'm getting paranoid :)
  printf ( "done\n" );
  return REQ_PROCEED;
}

To build (assuming you have openssl and netscape libs in appropriate
places...):

gcc -G -o test_plugin.so test_plugin.c -lcrypto -lnsl -lsocket -DUNIX -DXP_UNIX -D_REENTRANT

Add to the server's obj.conf:

Init fn="load-modules" funcs="openssl_test" shlib="wherever_you_put_your_library"
Init fn="openssl_test"

Interestingly, if I link against the old SSLeay crypto library it works fine!
(ok...I have an old binary, not quite sure how it was built...maybe something
in the build options...probably not since all the tests pass fine?).

Any and all help is greatly appreciated :)





Re: segfault when using crypto library inside netscape plugin (Solaris 2.6/Sparc/openssl-0.9.5a)

2000-06-13 Thread EKR

"Steve Bazyl" [EMAIL PROTECTED] writes:

> We're having a really strange problem with the openssl crypto library -- it
> keeps segfaulting down in SHA1_Update when called from an NSAPI plugin
> (running in NES 3.6).
>
> I've tried building the library with optimizations off and all that fun
> stuff, and have run the test suite which it passes with flying colors.  I've
> also written various pieces of test code which drive the crypto lib with
> both static and dynamic linking, all works fine.  However, every time we run
> it inside NES, it crashes.
>
> I've reduced it down to a simple piece of test code which promptly crashes
> the web server when invoked.
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <time.h>
> #include <nsapi.h>
>
> NSAPI_PUBLIC int openssl_test( pblock *param, Session *sn, Request *rq )
> {
>   char seed[] = "some arbitrary data to seed the random number generator";
>
>   printf ( "seeding..." );
>   RAND_seed( seed, sizeof seed - 1); // Probably don't need the -1, but I'm getting paranoid :)
>   printf ( "done\n" );
>   return REQ_PROCEED;
> }

Steve,

I'd guess the problem is that Netscape already has a SHA1_Update()
function and that you're getting that called instead of the
OpenSSL SHA1_Update() function.

I don't have an NES on hand, but Navigator certainly has a SHA1_Update()
function already.

As for why it worked with SSLeay? That's puzzling, I admit. Perhaps
the function name changed or was only recently exposed to dynamic
linkage or something.

Try #defining SHA1_Update() to something else in the OpenSSL build
and see if that fixes the problem.

-Ekr
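
One way to test the symbol-clash hypothesis above from inside the affected process, as an added example (not code from this thread or from OpenSSL): call check_symbol() from the plugin's init function with the path of the libcrypto that was built and the name SHA1_Update. The function name, its return codes and the library path passed in are assumptions of this example; it uses only POSIX dlopen()/dlsym().

```c
#include <dlfcn.h>
#include <stdio.h>

enum { SYM_MISSING = -1, SYM_OURS = 0, SYM_SHADOWED = 1 };

/*
 * Compare the address of `name` inside the library at `libpath` with the
 * address the process-wide (global) scope resolves first.
 * libpath == NULL means the main program itself.
 */
int check_symbol(const char *libpath, const char *name)
{
    void *proc = dlopen(NULL, RTLD_LAZY);    /* global scope of this process */
    void *lib = dlopen(libpath, RTLD_LAZY);  /* library we intend to call */
    void *in_lib, *in_proc;
    int rc;

    if (proc == NULL || lib == NULL) {
        if (proc) dlclose(proc);
        if (lib) dlclose(lib);
        return SYM_MISSING;                  /* library could not be opened */
    }
    in_lib = dlsym(lib, name);
    in_proc = dlsym(proc, name);
    if (in_lib == NULL)
        rc = SYM_MISSING;                    /* library does not export it */
    else if (in_proc != NULL && in_proc != in_lib)
        rc = SYM_SHADOWED;                   /* another object's copy wins */
    else
        rc = SYM_OURS;
    dlclose(lib);
    dlclose(proc);
    return rc;
}

/* Stand-alone driver: only sees the objects loaded into this small program. */
int main(int argc, char **argv)
{
    static const char *label[] = { "missing", "ours", "SHADOWED by another object" };
    int i;

    if (argc < 3) {
        fprintf(stderr, "usage: %s /path/to/lib.so symbol...\n", argv[0]);
        return 2;
    }
    for (i = 2; i < argc; i++)
        printf("%-16s %s\n", argv[i], label[check_symbol(argv[1], argv[i]) + 1]);
    return 0;
}
```

A SHADOWED result is a lead rather than proof; confirm it with the dynamic linker's own binding trace before renaming symbols in the build.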






howto get IE Netscape to accept CA?

2000-06-13 Thread ppruett



Does anyone have the URL for how Netscape and/or MSIE validate or
test then accept a CA for inclusion in their web browsers?

I tried a lot of combinations on some search engines and hit a blank.
I am thinking about trying the phone and calling Redmond Washington and
California to ask, but expect that will be difficult and at least an hour
or more on the phone as well.

I saw some emails on the list that mentioned that maybe the
CA would pay a big fee and then have to pass an evaluation.

I know that the RSA patent is expiring Sept 21 in the US and
I expect that a lot more CA's will pop up like the www.equifax.com.
With OpenSSL and some scripts like at www.openca.org and
then proving your company is reputable and then somehow paying
or begging the web browsers to include them as a CA then a lot of CAs
could be popping up by the end of the year. Why not some of us?

FYI, on the website for equifax:
EQUIFAX SECURE ANNOUNCES A STRATEGIC AGREEMENT WITH C2NET TO BUNDLE
EQUIFAX SERVER CERTIFICATES WITH THE NEW STRONGHOLD 3 SERVER PRODUCT
ATLANTA (June 13, 2000 ) -- Equifax Secure, a unit of Equifax Inc., today
announced that C2Net Software, Inc., has selected Equifax Secure to be the
exclusive server-certificate provider for the latest version of its secure
web server software, Stronghold 3.






RE: segfault when using crypto library inside netscape plugin (Solaris 2.6/Sparc/openssl-0.9.5a)

2000-06-13 Thread Steve Bazyl



One more thing... I also tried adding lock callbacks to make sure it's not a
threading problem. Made no difference (was getting lock requests as I should,
and only from a single thread as expected).

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Bazyl
Sent: Tuesday, June 13, 2000 7:41 PM
To: [EMAIL PROTECTED]
Subject: segfault when using crypto library inside netscape plugin (Solaris 2.6/Sparc/openssl-0.9.5a)

  We're having a really strange problem with the openssl crypto library -- it
  keeps segfaulting down in SHA1_Update when called from an NSAPI plugin
  (running in NES 3.6).

  I've tried building the library with optimizations off and all that fun
  stuff, and have run the test suite which it passes with flying colors. I've
  also written various pieces of test code which drive the crypto lib with
  both static and dynamic linking, all works fine. However, every time we run
  it inside NES, it crashes.

  I've reduced it down to a simple piece of test code which promptly crashes
  the web server when invoked.

  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <time.h>
  #include <nsapi.h>

  NSAPI_PUBLIC int openssl_test( pblock *param, Session *sn, Request *rq )
  {
    char seed[] = "some arbitrary data to seed the random number generator";

    printf ( "seeding..." );
    RAND_seed( seed, sizeof seed - 1); // Probably don't need the -1, but I'm getting paranoid :)
    printf ( "done\n" );
    return REQ_PROCEED;
  }

  To build (assuming you have openssl and netscape libs in appropriate
  places...):

  gcc -G -o test_plugin.so test_plugin.c -lcrypto -lnsl -lsocket -DUNIX -DXP_UNIX -D_REENTRANT

  Add to the server's obj.conf:

  Init fn="load-modules" funcs="openssl_test" shlib="wherever_you_put_your_library"
  Init fn="openssl_test"

  Interestingly, if I link against the old SSLeay crypto library it works fine!
  (ok...I have an old binary, not quite sure how it was built...maybe something
  in the build options...probably not since all the tests pass fine?).

  Any and all help is greatly appreciated :)
  
  
  


No Subject

2000-06-13 Thread Derek DeMoro



Does anybody know how to make openSSL read certificates and keys created by
IAIK? I think they might implement different OIDs. OpenSSL cannot seem to
recognize my Iaik Private Key.

Please Help?
Derek DeMoro
Chief Technical Officer
BallotDirect
(650) 799-8490