Re: Cert passphrase
Hi Richard,

> It still generates the proper certificates, but, when processing the
> "openssl req" line, it immediately prompts me for a pass phrase. How
> can I set up my openssl.cnf file in such a way as to avoid it asking for
> the pass phrase?
[...]
> I'm not an active member of the list, but, after exhausting all
> resources (previous places of employment, backups that didn't go back
> far enough, on-line FAQ, etc), I thought I would try sending this in to
> the list.. I'm sure it is a simple flag somewhere, but I'm giving
> myself a headache trying to remember what it was

I took a quick glance at the web docs, and I see password configuration options documented in the CONFIGURATION FILE FORMAT section of the req(1) man page. Did you try that already?

-Lewis

Lewis McCarthy [EMAIL PROTECTED] 1-650-694-6813
Software Engineer, Critical Path Inc. L.A.S.E.R.
See how thought travels at http://www.criticalpath.net

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: The rsaref library
> Remo Inverardi <[EMAIL PROTECTED]> queried the List:
> >
> > After reading about the rsaref library, several questions came to
> > mind:
> >
> > a) Is the rsaref library the same as Bsafe? Or is it a part of
> > Bsafe?

No and No. RSAref has never even shared a common code base with BSAFE SSL-C, nor with BSAFE Crypto-C -- nor with any of the seven other RSA BSAFE crypto toolkits.

Michael Sierchio <[EMAIL PROTECTED]> replied:

> The RSAREF library, which is no longer supported or made available
> by RSA Security (nee RSA Data Security), was released under a
> non-commercial license with instructions to contact RSA for
> a commercial RSAREF license if you had that sort of application
> in mind. No such license agreement ever actually existed, and
> if you contacted RSA requesting such a license agreement, they
> would try to get you to purchase a BSAFE (now Crypto-C) license --
> at about $100,000 + 4% of royalties.

(I think something like a $60k royalty prepayment, on a 2 percent royalty, is far more common for Crypto-C -- but BSAFE OEM licenses vary considerably in price and payment schemes.)

RSA uses what I call a "piece of the pie" pricing strategy. The price of an OEM license for BSAFE code varies according to how important their RSApkc crypto is to the service or product that it is to be implemented and sold in: i.e., how much of the final product *is* RSApkc. RSA uses several categories in this analysis -- and within each category, the cost and payment scheme options vary according to a proportional inverse scale: the relative size of the upfront cash, the "pre-payment," raises or lowers the percentage used to set the per-product royalty claim. Big prepayment; tiny royalties.

(There are also special deals, like those for OEM startups, in which royalty prepayments are not demanded. Enterprise-oriented BSAFE licenses -- what a corporation which is integrating crypto into its homebrew apps needs -- are also priced differently.)
This forum isn't the most objective source of information on RSA's pricing or services -- and neither Mr. Sierchio nor I is a particularly unbiased source -- so direct contact with RSA is probably advisable if you are seriously exploring using RSA's crypto in a commercial environment. It usually isn't as difficult as Mr. Inverardi reports; RSA is not adverse to taking your money. (For some, it may not even be as traumatic as readers might expect from the out-of-context price-quotes that regularly float across this List on a tide of venomous comment. While I hesitate to suggest it here, there may be *some* reason RSA continues to sell BSAFE licenses, in the US and abroad, at the rate of something like a deal a day;-)

RSAref itself is something of a relic. It may give you a sense of its antiquity to point out that RSA hoped that RSAref would introduce academic and corporate researchers to the concept of Message Digests (Rivest's MD4 and MD5), digital sigs, and prep them for cert-based Privacy Enhanced Mail (PEM). RSAref was originally developed in the early 1990s as a non-commercial reference implementation for public key crypto. It was something of a brilliant hack. As I noted, RSAref was not allowed to draw upon the more trusted and robust BSAFE (Crypto-C) codebase that RSADSI had been refining since the mid-'80s -- but then, RSAref was never expected to carry the weight of a production environment, either.

RSAref was distributed under pretty onerous license restrictions, notably a requirement that the user could only access RSAref's underlying crypto through the specific and limited APIs that RSAref made available. (Since SSL had not yet been developed, it is perhaps not surprising that those APIs were not designed to permit SSL support.) Needless to say, RSAref quickly escaped the market niche RSA hoped and expected to confine it to.
Perhaps, in hindsight, that was a good thing, since RSAref was unexpectedly used to justify, within the US, the widespread use of -- PGP, SSH, and SSLeay (predecessor to OpenSSL), and several other RSApkc-based freeware apps. Perhaps inadvertently, RSA's mass-market oriented marketing strategy brushed aside many of the hands-on crypto developers and garage shops in its concentration on persuading OEMs to crypto-enable their products or services with BSAFE code. Meanwhile, RSAref gave a generation or two of American developers a free RSA crypto suite to play with and study.

(For current context: There are over a half-billion BSAFE implementations in the field; somewhere between a third and a half of them now in SSL-enabled browsers. BSAFE is licensed to about 1,000 OEMs, and is integrated into thousands of distinct products. RSA's OEM focus was not, sadly, a strategy designed to win the hearts and minds of this List, but it did result in
Cert passphrase
I've done this before, but for the life of me I can't remember the right options in the openssl.cnf file.. And, unfortunately, when I upgraded to openssl 0.9.5a a while back, it overwrote my openssl.cnf file.. of course, I didn't discover this until today. :(

I used to generate my certificates via the following script:

    #!/bin/sh
    # Generate a self-signed server certificate and its key into one PEM file.
    if [ "x$1" = "x" ]; then
        echo
        echo "Usage: $0 "
        echo
        exit 1
    fi
    ssldir=/usr/bin
    conf=/etc/openssl.cnf
    certs_dir=/etc/ssl/certs
    cert=$1
    # Keep the key file owner-only from the moment it is created
    umask 077
    # Self-signed certificate plus private key, written to the same file
    $ssldir/openssl req -new -x509 -days 365 -config $conf \
        -out $certs_dir/$cert -keyout $certs_dir/$cert
    # Append DH parameters for the ephemeral-DH cipher suites
    $ssldir/openssl gendh -rand \
        `test -c /dev/urandom && echo /dev/urandom` 512 >> $certs_dir/$cert
    # Show what was generated
    $ssldir/openssl x509 -subject -dates -fingerprint -noout \
        -in $certs_dir/$cert
    chmod 600 $certs_dir/$cert

It still generates the proper certificates, but, when processing the "openssl req" line, it immediately prompts me for a pass phrase. How can I set up my openssl.cnf file in such a way as to avoid it asking for the pass phrase? The certificates I am currently using don't have the passphrase requirement (thankfully) specifically because these certificates are being served from a server. I'm using them with apps like stunnel to wrap IMAP and POP, as well as with apache to allow for HTTPS...

I'm not an active member of the list, but, after exhausting all resources (previous places of employment, backups that didn't go back far enough, on-line FAQ, etc), I thought I would try sending this in to the list.. I'm sure it is a simple flag somewhere, but I'm giving myself a headache trying to remember what it was

Thanks for your help!

-Rich
--
Richard West mailto:[EMAIL PROTECTED]
Sr. Systems Administrator
DivaTV Systems - Princeton, NJ http://www.divatv.com
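The setting both messages in this thread circle around, as an added example that is not part of the thread and not Richard's script: in the `[ req ]` section of openssl.cnf, `encrypt_key = no` (the config-file form of the `-nodes` switch) makes `openssl req` write the private key without a pass phrase, so a daemon such as stunnel or apache can load it unattended. The Python below is added here; it assumes the `openssl` binary is on PATH and that the req(1) config keys `encrypt_key`, `prompt` and `default_bits` behave as documented in the CONFIGURATION FILE FORMAT section; the subject DN, host name and temp paths are constructed for the example. Because an unencrypted key is only as safe as its file permissions, it also creates the key owner-only before openssl writes it, rather than chmod-ing afterwards as the posted script does.

```python
"""Added example (not from the list thread): generate a self-signed server
certificate with an unencrypted private key, as an unattended daemon
(stunnel, apache) needs it, using 'encrypt_key = no' in the req config.

Assumptions: the `openssl` binary is on PATH; the req(1) config keys
`encrypt_key`, `prompt` and `default_bits` behave as documented in its
CONFIGURATION FILE FORMAT section.  The DN values are a constructed sample.
"""
import os
import shutil
import subprocess
import tempfile

REQ_CONFIG_TEMPLATE = """\
[ req ]
default_bits       = 2048
distinguished_name = req_dn
# 'encrypt_key = no' is the config-file equivalent of 'openssl req -nodes':
# the private key is written as plain PEM and no pass phrase is requested.
encrypt_key        = {encrypt_key}
# 'prompt = no' takes the subject from [ req_dn ] instead of asking for it.
prompt             = no

[ req_dn ]
C  = US
ST = New Jersey
O  = Example Mail Server (constructed sample DN)
CN = {common_name}
"""


def write_req_config(path, common_name, encrypt_key=False):
    """Write an openssl.cnf for 'openssl req' and return its text."""
    text = REQ_CONFIG_TEMPLATE.format(
        encrypt_key="yes" if encrypt_key else "no",
        common_name=common_name,
    )
    with open(path, "w") as fh:
        fh.write(text)
    return text


def generate_self_signed(conf_path, pem_path, days=365):
    """Run 'openssl req -new -x509' (the step that prompted the poster) and
    return key + certificate as one PEM text, also written to pem_path.

    stdin is /dev/null: if the config still asked for a pass phrase, openssl
    would fail here with CalledProcessError instead of hanging a daemon.
    The umask keeps the key owner-only from the moment it is created.
    """
    key_path = pem_path + ".key"
    crt_path = pem_path + ".crt"
    old_umask = os.umask(0o077)
    try:
        subprocess.run(
            ["openssl", "req", "-new", "-x509", "-days", str(days),
             "-config", conf_path, "-keyout", key_path, "-out", crt_path],
            check=True, stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        with open(key_path) as k, open(crt_path) as c:
            pem = k.read() + c.read()
        # Combine into the single-file layout the poster's script produced.
        fd = os.open(pem_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)
    finally:
        os.umask(old_umask)
        for p in (key_path, crt_path):
            if os.path.exists(p):
                os.unlink(p)
    return pem


def key_is_encrypted(pem_text):
    """True if the PEM private key is pass-phrase protected (PKCS#8 or legacy form)."""
    return ("ENCRYPTED PRIVATE KEY" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)


def demo(common_name="imap.example.test"):
    """Write the config and, if openssl is installed, generate the PEM.
    Returns (config_text, pem_text) or (config_text, None) without openssl."""
    workdir = tempfile.mkdtemp()
    conf = os.path.join(workdir, "openssl.cnf")
    pem = os.path.join(workdir, "server.pem")
    cfg = write_req_config(conf, common_name, encrypt_key=False)
    if shutil.which("openssl") is None:
        return cfg, None
    return cfg, generate_self_signed(conf, pem)


if __name__ == "__main__":
    cfg, pem = demo()
    print(cfg)
    if pem is not None:
        print("key encrypted:", key_is_encrypted(pem))
```

Switching the template to `encrypt_key = yes` reproduces the poster's symptom: with stdin redirected from /dev/null, `openssl req` cannot read a pass phrase and the call fails instead of blocking, which is the behaviour you want from a service start-up script rather than a silent hang.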
Re: openssl for windows
In Article <001501bff8b1$04439120$4c3e36d5@pac> "ukoeppe" <[EMAIL PROTECTED]> writes:

> - Original Message -
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, July 28, 2000 6:50 PM
> Subject: openssl for windows
>
> > Anybody know where I can get openssl already compiled for Windows? I don't
> > have perl installed, have no interest in having it installed, so I can't
> > compile the source for Windows.
>
> Wow, a kindred spirit.
> There is some version (I think from May 1999) at
> http://mail-archive.cashcow.dk/msg00114.html , look for openssl.zip. Tell
> you what, if you know where to put the openssl.cnf let me know, OK?

If I figure it out, I'll let you know.
Optimizing sample server
Hi,

I'm trying to optimize a sample server I've got going in C++ on linux using OpenSSL 0.9.5a, but am having no luck. For one thing, the executable increased by a factor of more than 10. Even with the optimize flag in compilation. Is this normal?

Here's the basic structure of my server:

    SSL_library_init()
    create new context
    SSL_CTX_use_certificate_file()
    SSL_CTX_use_PrivateKey_file()
    SSL_CTX_check_private_key()
    bind, listen, ...
    SSL_new()
    SSL_accept()
    SSL_read/write()

This is running around 30% slower than a regular non-encrypting server, but I can't find any consistency in the actual runtime. This is if I run x number of clients each sending and receiving huge chunks of data (16k/32k). However, if I run 2*x clients doing 1/2 the data each (but total data remains the same), the time is greatly shortened. Shouldn't it be approximately the same time? Any particular reason why?

Also, any suggestions to optimize this to get it under 30%? I've tried reducing the key sizes in the files from 1024 to 512 bits. Also, I tried different client/server methods: v2, v3, v23. None of that helps.

Thanks,
Bhavin
Re: openssl for windows
- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 28, 2000 6:50 PM
Subject: openssl for windows

> Anybody know where I can get openssl already compiled for Windows? I don't
> have perl installed, have no interest in having it installed, so I can't
> compile the source for Windows.

Wow, a kindred spirit.
There is some version (I think from May 1999) at http://mail-archive.cashcow.dk/msg00114.html , look for openssl.zip. Tell you what, if you know where to put the openssl.cnf let me know, OK?

Uli Koeppe
mailto [EMAIL PROTECTED]
Re: Configuring Apache with SSL
Hi,

I think you need to read the documentation and see where you configure the gcache. It needs a connection and that is usually specified in the httpd.conf. You are obviously using Ben's apache-ssl patch kit and not mod_ssl. I ran into the same problem in the past.

BTW I just brought up a new apache with mod_ssl over at a client site and it is working like a charm. The cache mechanism was set up properly by default. For the past several years I have been using Ben's patch kit (thank you very mucho Ben!:), but I think I will switch over to mod_ssl for all future installations. In the past mod_ssl looked like a bug-a-minute project. It seems to have settled down for now.

good luck :)

sergio wrote:
>
> Hi,
>
> I'm installing Apache with openssl-9.0.5a and after many hours trying to
> make it work, I can't see the certificate. Netscape says there is an
> error in the TCP connection, and in the error_log appear these lines:
>
> Failed to connect to socket: /usr/local/apache/logs/gcache_port
> connect: Conexion rehusada
> httpsd: gcacheclient.c:118: OpenServer: La declaracion `I "couldn't
> connect to socket "' no se cumple.
> [ Fri Jul 28 12:22:22 2000 ] [notice] child pid 2228 exit signal Aborted
> (6)
>
> I've been trying many things, but I'm not keen on this and need some
> help...
>
> Thank you...
>
> Sergio.

--
Craig Shaver, Productivity Group POB 60458 Sunnyvale, CA 94088 (650)390-0654
http://www.progroup.com/ mailto:[EMAIL PROTECTED]
openssl for windows
Anybody know where I can get openssl already compiled for Windows? I don't have perl installed, have no interest in having it installed, so I can't compile the source for Windows.
Re: Using Memory BIO
> No, the record payload can be smaller than 16 KB and the record won't
> be padded (except as far as necessary for the cipher). But each
> record has a record header, and if you use smaller records, then a
> larger percentage of network traffic will be record headers.

Ah, my naivete shows. But I am learning. Thanks a lot. This thread has been extremely informative. I understand the BIO mechanisms (fairly) well. I have to now code it right.

Regards,
Amit.
Re: SSL3_GET_RECORD:bad mac decode
On Thu, Jul 27, 2000 at 02:43:45PM +0200, Konstantin Agouros wrote:
> I am writing a client-site application using OSSL 0.9.5a.
> It works for most websites but https://homebanking2.sskm.de/banking.html
> There I get a SSL3_GET_RECORD:bad mac decode

That site uses a buggy server -- it does not support TLS 1.0 and does not properly handle protocol version negotiation: s_client can connect if '-ssl3' or '-no_tls1' is used. When using '-tls1' (TLSv1_server_method), then the server just hangs (no response to the client hello).

If you cannot connect using SSLv23_method, then it can be a good idea to try again with the SSL_OP_NO_TLSv1 option set.
Re: Using Memory BIO
On Fri, Jul 28, 2000 at 12:04:06PM +0530, Amit Chopra wrote:
>> SSL_write will send the data passed to it in a single record unless
>> the request is too large for one record. So for efficiency,
>> avoid repeated calls to SSL_write with small (less than 16 KB)
>> payloads if you can; if you buffer the data until you have 16 KB, then
>> some network overhead will be avoided.
> The SSLPlainText record, the SSLCompressed record and the SSLCipherText
> record all have a length field. Then what does it mean to say that the
> record size is 16 KB ? and which of the above 3 records is
> it?
>
> Lets say a server wants to write plaintext of just 1 KB ? Must OpenSSL
> then, somehow buffer/encrypt this data to become 16 KB (because as
> pointed out SSL_read won't return until it has a complete record)?

No, the record payload can be smaller than 16 KB and the record won't be padded (except as far as necessary for the cipher). But each record has a record header, and if you use smaller records, then a larger percentage of network traffic will be record headers.
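To make the record arithmetic in this exchange concrete, here is an added Python example (not from the thread and not OpenSSL code) that frames application data into SSL/TLS records with the 5-byte record header (content type, protocol version, length) and the 2^14-byte payload limit, computes how much of the wire is header for a given write size, and parses a byte stream back into records, returning only complete ones and keeping a partial tail buffered, which is the behaviour behind "SSL_read won't return until it has a complete record". MAC and cipher padding are left out, so the numbers show only the header cost the reply talks about; the input buffer is constructed.

```python
"""Added example (not from the list thread): SSL/TLS record framing and the
header overhead of small writes.  MAC and cipher padding are ignored; the
40 KB payload used at the bottom is constructed for the example."""
import struct

RECORD_HEADER_LEN = 5         # content type (1) + version (2) + length (2)
MAX_RECORD_PAYLOAD = 1 << 14  # 16384 bytes of plaintext per record (SSL 3.0 / TLS 1.0)
MAX_CIPHERTEXT_LEN = MAX_RECORD_PAYLOAD + 2048  # TLS 1.0 ceiling after compression/cipher expansion
CT_APPLICATION_DATA = 23
TLS1_0 = (3, 1)


def frame_records(plaintext, chunk=MAX_RECORD_PAYLOAD, version=TLS1_0):
    """Split plaintext into records of at most `chunk` bytes and return the
    wire image (header + payload per record).  `chunk` models how much data
    each SSL_write call hands to the record layer."""
    if not 0 < chunk <= MAX_RECORD_PAYLOAD:
        raise ValueError("record payload must be between 1 and 16384 bytes")
    out = bytearray()
    for off in range(0, len(plaintext), chunk):
        body = plaintext[off:off + chunk]
        out += struct.pack("!BBBH", CT_APPLICATION_DATA, version[0], version[1], len(body))
        out += body
    return bytes(out)


def header_overhead(plaintext_len, chunk=MAX_RECORD_PAYLOAD):
    """Fraction of bytes on the wire that are record headers for a given write size."""
    if plaintext_len == 0:
        return 0.0
    nrec = -(-plaintext_len // chunk)  # ceiling division
    return nrec * RECORD_HEADER_LEN / (plaintext_len + nrec * RECORD_HEADER_LEN)


def parse_records(buf):
    """Return (records, leftover): records is a list of (content_type, version,
    payload) for every *complete* record in buf; the bytes of a partial trailing
    record are returned in leftover for the caller to keep until more arrives."""
    records = []
    pos = 0
    while len(buf) - pos >= RECORD_HEADER_LEN:
        ctype, vmaj, vmin, length = struct.unpack_from("!BBBH", buf, pos)
        if length > MAX_CIPHERTEXT_LEN:
            raise ValueError("record length %d exceeds the protocol maximum" % length)
        end = pos + RECORD_HEADER_LEN + length
        if end > len(buf):
            break  # incomplete record: deliver nothing from it yet
        records.append((ctype, (vmaj, vmin), buf[pos + RECORD_HEADER_LEN:end]))
        pos = end
    return records, buf[pos:]


if __name__ == "__main__":
    data = b"A" * 40000  # constructed 40 KB application payload
    for size in (1024, MAX_RECORD_PAYLOAD):
        wire = frame_records(data, chunk=size)
        print("%5d-byte writes: %d wire bytes, %.2f%% headers"
              % (size, len(wire), 100 * header_overhead(len(data), size)))
```

With a real cipher each record also carries a MAC and block padding, so the per-record cost is higher than the 5 bytes counted here and the case for buffering up to 16 KB before calling SSL_write is correspondingly stronger. The length check in `parse_records` is the same bound a record-layer reader must enforce before trusting the length field of data it has not yet authenticated.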
Re: RC5 question
On Fri, Jul 28, 2000, Jeff Hamilton wrote:
> Does anyone have an idea as to what release of Openssl first contained RC5?

It is in all versions of OpenSSL, and in some releases of SSLeay.
RC5 question
Does anyone have an idea as to what release of Openssl first contained RC5?

Thanks,
-Jeff
Re: Specifying seprate Document roots for SSL VirtualHosts
They work just fine, and I've been running them for months. The ONLY thing that does not resolve correctly are the certificates, and I have a few ideas as to how to correct that without any changes to the apache-ssl or openssl code.. Be patient.

"Leland V. Lammert" wrote:
> Tom,
>
> The virtual hosts you have configured will not work. You must have a unique IP/Port
> combination for EACH SSL server. Use a separate IP for your hosts [or port] and
> everything will be copasetic.
>
> Lee
>
> At 01:03 PM 7/27/00, you wrote:
> >I can be more specific:
> >
> >Here's how I have it set for several virtual hosts:
> >
> >
> >SSLEnable
> >SSLCertificateFile /usr/local/apache/certificate_location server1.pem
> >
> >
> >
> >SSLEnable
> >SSLCertificateFile /usr/local/apache/certificate_location server2.pem
> >
Configuring Apache with SSL
Hi,

I'm installing Apache with openssl-9.0.5a and after many hours trying to make it work, I can't see the certificate. Netscape says there is an error in the TCP connection, and in the error_log appear these lines:

    Failed to connect to socket: /usr/local/apache/logs/gcache_port
    connect: Conexion rehusada
    httpsd: gcacheclient.c:118: OpenServer: La declaracion `I "couldn't connect to socket "' no se cumple.
    [ Fri Jul 28 12:22:22 2000 ] [notice] child pid 2228 exit signal Aborted (6)

I've been trying many things, but I'm not keen on this and need some help...

Thank you...

Sergio.
Re: How to use openssl for key and cert management?
On Fri, Jul 28, 2000 at 08:52:44AM +0200, Gerd Schering wrote:
> are there tools that come with OpenSSL, suitable to achieve a rudimentary form
> of key and certificate management?

OpenSSL comes with the "CA.pl" script that allows for some basic functionality of a "demoCA". If you want more, there are pyCA and OpenCA. The complexity of setting up and running these programs increases with their functionality.

> What I mean is this:
> -how can I ensure that a special key does not get certified twice or for
> another purpose?

What do you mean with "key"? You probably won't ever see the private key, the certificate request only contains the public key. So you want to make sure that the same request (the public key with the DN-info to be certified) is not certified twice? The OpenSSL demoCA with CA.pl does some checks in that regard.

> -how/where have certs and eventually keys to be kept?

The demoCA will keep copies of the certificates issued, sorted by serial number. The private keys are normally not known to the CA. [Here at BTU the CA also offers to generate the key-pair for users that don't know how, but that is another point. The normal way is that I generate my keypair myself (genrsa), then generate my certificate request with the public key and the certificate information (e.g. CN=emserv1.ee.tu-berlin.de) in it and hand it to you for certification.]

Best regards,
Lutz (also known as [EMAIL PROTECTED])
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
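An added example, not from the thread and not part of CA.pl, of the "not certified twice" check Lutz describes: it parses the text database that `openssl ca` keeps for a demoCA (index.txt, one tab-separated line per issued certificate: status V/R/E, expiry, revocation date, serial, file name, subject DN) and refuses a request whose subject already has a valid, unexpired entry. The sample index lines are constructed for this example; the CN from Lutz's post is reused in one of them, the organisation is made up. Later OpenSSL releases enforce the same rule inside `openssl ca` through its `unique_subject` option; this version additionally ignores case and spacing in the DN comparison, which is a design choice of the example rather than OpenSSL behaviour.

```python
"""Added example (not from the list thread, not CA.pl): refuse to certify a
subject that already holds a valid certificate, by reading the index.txt
database that 'openssl ca' maintains.

Assumptions: index.txt lines are tab-separated in the order
    status (V/R/E), expiry (YYMMDDHHMMSSZ), revocation date, serial, file, subject DN
SAMPLE_INDEX below is constructed for this example.
"""
from collections import namedtuple
from datetime import datetime, timezone

Entry = namedtuple("Entry", "status expires revoked serial filename subject")

# Constructed sample database: valid, revoked, valid.
SAMPLE_INDEX = (
    "V\t010728120000Z\t\t01\tunknown\t/C=DE/O=Example CA/CN=emserv1.ee.tu-berlin.de\n"
    "R\t010728120000Z\t000801093000Z\t02\tunknown\t/C=DE/O=Example CA/CN=old.example.test\n"
    "V\t010728120000Z\t\t03\tunknown\t/C=DE/O=Example CA/CN=www.example.test\n"
)


def parse_index(text):
    """Parse index.txt into Entry tuples; malformed lines raise rather than pass."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("index.txt line %d: expected 6 fields, got %d"
                             % (lineno, len(fields)))
        entries.append(Entry(*fields))
    return entries


def parse_ca_time(stamp):
    """'000801120000Z' -> aware UTC datetime (two-digit year, as openssl ca writes it)."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def normalize_dn(dn):
    """Compare DNs component by component, ignoring case and surrounding spaces."""
    return tuple(p.strip().lower() for p in dn.strip("/").split("/") if p.strip())


def is_current(entry, now):
    """Status 'V' (not revoked or expired by the CA) and expiry still in the future."""
    return entry.status == "V" and parse_ca_time(entry.expires) > now


def find_conflict(entries, subject, now):
    """Return the current Entry already issued to `subject`, or None."""
    want = normalize_dn(subject)
    for e in entries:
        if is_current(e, now) and normalize_dn(e.subject) == want:
            return e
    return None


def conflicting_serial(index_text, subject, as_of):
    """Serial of the certificate that blocks issuing `subject` at CA-format
    time `as_of`, or None when the CA may go ahead and sign."""
    hit = find_conflict(parse_index(index_text), subject, parse_ca_time(as_of))
    return hit.serial if hit else None


if __name__ == "__main__":
    for subj in ("/C=DE/O=Example CA/CN=emserv1.ee.tu-berlin.de",
                 "/C=DE/O=Example CA/CN=old.example.test",
                 "/C=DE/O=Example CA/CN=new.example.test"):
        print(subj, "->", conflicting_serial(SAMPLE_INDEX, subj, "000801120000Z"))
```

Run it just before `openssl ca` signs a request; a non-None serial means an operator has to decide whether this is a renewal (revoke the old certificate first) or an attempt to obtain a second certificate for a name that is already issued. Matching on subject only is what the demoCA database allows; comparing the public key in the CSR would require parsing the request itself, which the index does not record.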