openssl and IE5.0 on MacOS

2000-08-01 Thread Nick De Roeck

Hi all,

can anyone pass me some url's to servers running openssl-0.9.5a, as I 
suspect that IE5.0 on Mac may be incompatible with this openssl 
version and NOT with f.i. 0.9.3a.

Also does anybody know why https://www.modssl.org is running openssl-0.9.3a ??

kind regards,

nick.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: ATT: Robert Sandilands! (was Re: client authentication)

2000-08-01 Thread Vadim Fedukovich

Hi Albert,

On Mon, 31 Jul 2000, Albert Serra wrote:
> 
> a) The functions with "verify" in them are there to tell the server or
> client where the public keys and the CA's public keys are for verifying
> the other's keys. Those keys and the symbolic links associated with them
> are pretty important.

The "directory-based" lookup method of OpenSSL uses symbolic links
constructed as a hash of the subject name from a certificate or the
issuer name from a CRL. Any reason to name this a callback?

> b) verify is a callback function
> 
> For example:
> 
> int verify(int ok,X509_STORE_CTX *ctx)
> {
> printf ("Verify called\n");
> return 1;
> }

This callback will always return "Happy with the certificate in question",
no matter what. Good for debugging.

> c) int verify_callback(int ok,  X509_STORE_CTX *ctx)
> {
> 
> char buf[256];
> X509 *err_cert;
> int err,depth;
> 
> err_cert=X509_STORE_CTX_get_current_cert(ctx);
> err=X509_STORE_CTX_get_error(ctx);
> depth=  X509_STORE_CTX_get_error_depth(ctx);
> 
> return ok;
> 
> }

This callback can be used to print notes on the certificate to be evaluated.
 
> According to answer a) what I have to add in the verify function. I use b)
> and for me it works, but I don't know if it does what it has to do.

Do you need to reject some of the certificates presented?
Expired, issued by another CA, having something unexpected in the
subject's name, for example.

hope this helps,
Vadim
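
The difference between the two callback shapes discussed in this message, as an added example that is not part of the original thread and is not OpenSSL code: a toy chain verifier shows that a callback returning 1 unconditionally lets an expired certificate through, while one returning `ok` keeps the rejection. All `toy_*` names, the error values and the sample chain are constructed for illustration.

```c
/* Added example: toy model of a verifier consulting a verify callback (not OpenSSL code). */
#include <stdio.h>
#include <string.h>
enum { TOY_OK = 0, TOY_ERR_EXPIRED = 1, TOY_ERR_UNKNOWN_ISSUER = 2 };
struct toy_cert { const char *subject, *issuer; long not_after; };
struct toy_ctx  { int error, depth; const struct toy_cert *cur; };
typedef int (*toy_verify_cb)(int ok, struct toy_ctx *ctx);

/* Shape (b): ignores the verdict, so every certificate is accepted. */
int cb_accept_all(int ok, struct toy_ctx *ctx) { (void)ok; (void)ctx; return 1; }

/* Shape (c) with the report added: logs failures, passes the verdict through. */
int cb_report(int ok, struct toy_ctx *ctx)
{
    if (!ok)
        fprintf(stderr, "depth %d: error %d for %s\n", ctx->depth, ctx->error, ctx->cur->subject);
    return ok;
}

/* Checks chain[n-1] (top) down to chain[0] (leaf); the callback's return value replaces the verdict. */
int toy_verify(const struct toy_cert *chain, int n, const char *trusted_ca,
               long now, toy_verify_cb cb, struct toy_ctx *ctx)
{
    int d;
    for (d = n - 1; d >= 0; d--) {
        int ok = 1;
        ctx->depth = d; ctx->cur = &chain[d]; ctx->error = TOY_OK;
        if (d == n - 1 && strcmp(chain[d].issuer, trusted_ca) != 0) {
            ok = 0; ctx->error = TOY_ERR_UNKNOWN_ISSUER;
        } else if (chain[d].not_after < now) {
            ok = 0; ctx->error = TOY_ERR_EXPIRED;
        }
        if (!cb(ok, ctx))
            return 0;           /* rejected: ctx holds the reason */
    }
    return 1;
}

/* Constructed sample: a leaf that expired at t=100, checked at t=200. */
int verify_expired_leaf(toy_verify_cb cb, struct toy_ctx *ctx)
{
    static const struct toy_cert chain[] = {
        { "CN=server", "CN=Test CA", 100 },
        { "CN=Test CA", "CN=Test CA", 900 },
    };
    return toy_verify(chain, 2, "CN=Test CA", 200, cb, ctx);
}

int main(void)
{
    struct toy_ctx ctx;
    printf("accept-all=%d report=%d\n", verify_expired_leaf(cb_accept_all, &ctx), verify_expired_leaf(cb_report, &ctx));
    return 0;
}
```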




Re: openssl and IE5.0 on MacOS

2000-08-01 Thread Lutz Jaenicke

On Tue, Aug 01, 2000 at 10:11:57AM +0200, Nick De Roeck wrote:
> can anyone pass me some url's to servers running openssl-0.9.5a, as I 
> suspect that IE5.0 on Mac may be incompatible with this openssl 
> version and NOT with f.i. 0.9.3a.

Try mine. https://www.aet.tu-cottbus.de
Server Version: Apache/1.3.12 (Unix) PHP/4.0.0 mod_ssl/2.6.5 OpenSSL/0.9.5a

I have to look into IE5.0 on Mac vs. Postfix/TLS with openssl-0.9.5a
anyway (works nearly fine, just some spurious re-connections).

Best,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: Piping into PEM pass phrase!!!

2000-08-01 Thread Nicolas Roumiantzeff

The pass phrase input routine reads from the console, not from the standard
input.
I guess that it is more secure than reading from stdin.

Under Windows I managed to write the password to the console.
It works but it is quite complicated and I don't know if it is possible to
do the same with Unix.
There might be simpler ways...

Nicolas Roumiantzeff.

-Original Message-
From: Markus Wagner <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday, 31 July 2000 22:00
Subject: Piping into PEM pass phrase!!!


>Hello,
>
>I am building a CA frontend in C/C++ and need to automatically provide
>input for the PEM pass phrase dialog when signing CSRs.
>
>I open three pipes for stdin/stdout/stderr, fork to openssl and write
>the pwd into stdin. But openssl doesn't read my input.
>
>The thing is: I already did this in Perl using IPC::Open3 and it worked
>fine.
>
>Could anybody tell me why OpenSSL doesn't read my input and how to do
>it?
>How do I have to dup the descriptors? What's wrong??
>
>Thanks very much,
>
>Markus





openssl and IE5.0 on MacOS

2000-08-01 Thread Nick De Roeck

>
>Try mine. https://www.aet.tu-cottbus.de
>Server Version: Apache/1.3.12 (Unix) PHP/4.0.0 mod_ssl/2.6.5 OpenSSL/0.9.5a
>

Tnx for the URL, and yep ... it seems to work (sigh...I thought I 
found the solution to my problem).

I fear I'm falling into the trap of the 'cascading' problems, so very 
typical when dealing with software (and even hardware). Meaning:

I got a problem A: I have a very well working, self-written http server 
on MacOS. But I need to add user/password control to it. For this 
mechanism to make any sense at all (and not sending cleartext or 
base64 passwords around) I have to make sure that the communication 
between browser and server is somehow encrypted.

* my solution to problem A -> use https, this will do the trick.

openSSL seems to be a valid option here, but causing two new problems 
B1 and B2:

problem B1: openssl isn't fully ported to the mac
problem B2: openssl uses something called certificates, which I don't 
need but which openssl apparently does

* my solution to problem B1: do the necessary extra porting work 
myself, which I have done and seems to work (=compile and also the 
server works fine when contacted by every browser on any platform 
except the Mac IE5.0).
* my solution to problem B2: use as basic a certificate as possible so I 
don't encounter too many problems and can bypass this as much as 
possible

now my question to you experts (which I think most of you will be ;-)):

1. Is there a way I can get rid of those certificates at all and still 
use openssl, this would give me the advantage that I don't implement 
stuff in our software that we don't need nor use and hence cannot 
cause bugs or support problems.

2. Has anyone already experimented a lot with openssl on MacOS ? Can 
this person please contact me, I'm dying for some feedback here, 
maybe something compiled but isn't quite acting as it should. Or 
maybe there's a programmatic fix to allow the strange MacOS IE5.0 
behaviour (=more or less tolerate the buggy behaviour).

anyway, many greetings and sorry if I bother you too much with my problems.

nick.





[OT] OpenSA

2000-08-01 Thread lukeross

Hi all

Well since the OpenSA web site seems to be down
(and perhaps the future of the project is open to question?)
I've set up a mailing list to discuss OpenSA as the main
OpenSA mailing lists are currently down :(

If you have an interest in OpenSA, please join at:
http://www.ecs.soton.ac.uk/~lcr299/opensa/

Thanks,

Luke



HTTPS via proxy...

2000-08-01 Thread Joe Manning



Hi,
   Is it possible to use openssl to connect to a HTTPS web
server via a proxy?

There are defined macros for setting proxy parameters in
bio.h, but none of the BIO types seems to deal with the 
information.

How should connection via a proxy be handled?

joe.




Re: openssl and IE5.0 on MacOS

2000-08-01 Thread Amit Chopra

Hi,

> 1. Is there a way I can get rid of those certificates at all and still
> use openssl, this would give me the advantage that I don't implement
> stuff in our software that we don't need nor use and hence cannot
> cause bugs or support problems.

You can use anonymous ciphers, that don't require certificates, but then
they are not really secure. Someone listening to the handshake can break
your encoding. Therefore I'd advise against it.
Using server certificates doesn't require much doing, and most of that
certificate code is internal to the OpenSSL library which is quite
stable. 
So you really needn't lose much sleep on the bugs front.

Regards,
Amit.



Re: openssl and IE5.0 on MacOS

2000-08-01 Thread Douglas Wikström

> 1. Is there a way I can get rid of those certificates at all and still
> use openssl, this would give me the advantage that I don't implement
> stuff in our software that we don't need nor use and hence cannot
> cause bugs or support problems.

I assume you wish to create a secure (but unauthenticated) channel to
your server with https and then let the admin of the server send his pwd
over this channel thereby establishing a secure and authenticated
channel between the server and the admin. To me it sounds like all you
have to do is:

1a) if writing your own client, create a root-cert and include it with
the client. Then create a server-cert signed by the pkey in the
root-cert.
1b) if using a browser, buy a server-cert from verisign (or similar).
1c) if using a browser and having few admin-clients, let them install
your own root-cert into their browser (they download it from the server
and verify the fingerprint out of band, i.e. compare it with a piece of paper
posted to them). (root-cert created like in 1a).
2) use openssl on the server (and in 1a on the client) - side to create
the secure but unauthenticated https channel.
3) implement the pwd system you want on the server side.

Not many certs are involved, a root-cert + a server cert for each server
to be administrated.

using anonymous https is pointless, since it jeopardizes (how do you
spell this? :-) the admin-pwds.

sorry, don't know mac-ish issues.
-- 

--
 Douglas Wikström <[EMAIL PROTECTED]>
--
 Yes, God created Man before Woman,
 but one always makes a draft before the masterpiece.
--



Verification of Certificates

2000-08-01 Thread Konstantin Agouros

Hi,

I am trying to implement a client-side application that should be able to
verify the CA-Certificates of the servers it contacts.
I would like to specify a directory with the CA-certificates I like.
For this I use SSL_CTX_load_verify_locations(ctx, NULL, path-to-dir);
In the directory I have installed some test certificates with filenames that
are the output of x509 -hash and the extension .0.
Using truss (I work on Solaris) I saw that it tried to open the correct file
but after that the application also tried to open the same file with the
extension .1. I also get an 'unable to get local issuer certificate' error.

Since I really want to understand this could someone provide me with:
a) a quick solution
b) a piece of text that is not necessarily C where I find an explanation of what
   happens
c) if a) and b) fail a hook on where to start in the source code of openssl to
   understand what happens.

Thanks,

Konstantin

-- 
Konstantin Agouros - NetAge Solutions, Dingolfinger Str. 6, 81673 Muenchen
Tel.: 089 666584-0, Fax: 089 666584-11, Email: [EMAIL PROTECTED]
--
Black holes are, where god devided by zero.
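
The `.0`/`.1` probing seen under truss in this message, and the hashed-name directory lookup Vadim Fedukovich describes earlier on this page, as an added example (a simplified model, not OpenSSL source and not part of the original thread): the directory lookup tries `<hash>.0`, `<hash>.1`, ... because several certificates can share a hash, and the first missing file ends the scan. `probe_hash_dir`, `demo_candidates`, the temp path and the hash value are hypothetical.

```c
/* Added example: simplified model of the CApath probe; not OpenSSL source. */
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Probe dir/<hash>.0, dir/<hash>.1, ... and stop at the first missing file.
   Returns the number of candidates found; last_probe holds the path that
   ended the scan. CRLs use the same scheme with an 'r': <hash>.r0. */
int probe_hash_dir(const char *dir, unsigned long hash, int is_crl,
                   char *last_probe, size_t len)
{
    struct stat st;
    int k;
    for (k = 0; ; k++) {
        snprintf(last_probe, len, "%s/%08lx.%s%d", dir, hash,
                 is_crl ? "r" : "", k);
        if (stat(last_probe, &st) < 0)
            break;      /* the miss is expected: it marks the end of the list */
        /* a real lookup would load this file and compare the full name */
    }
    return k;
}

/* Constructed CApath: a private temp directory holding n files for one
   sample hash value (hypothetical), then probed and cleaned up. */
int demo_candidates(int n, char *last_probe, size_t len)
{
    const unsigned long hash = 0x9d66eef0UL;
    char dir[64], path[128];
    int i, found;
    snprintf(dir, sizeof dir, "/tmp/capath-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    for (i = 0; i < n; i++) {
        FILE *f;
        snprintf(path, sizeof path, "%s/%08lx.%d", dir, hash, i);
        if ((f = fopen(path, "w")) != NULL)
            fclose(f);
    }
    found = probe_hash_dir(dir, hash, 0, last_probe, len);
    for (i = 0; i < n; i++) {
        snprintf(path, sizeof path, "%s/%08lx.%d", dir, hash, i);
        unlink(path);
    }
    rmdir(dir);
    return found;
}

int main(void)
{
    char last[128];
    printf("%d candidate(s); scan ended at missing %s\n", demo_candidates(1, last, sizeof last), last);
    return 0;
}
```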



Re: openssl and IE5.0 on MacOS

2000-08-01 Thread Frank Martini

Yes.. we're seeing the same thing.. both with Macs and the Palm.net service
(the service that Palm VIIs use to connect to sites). I'll eMail you a link
off-line.

Frank

-- 
Frank Martini Voice: 713/621-1917
Cadence Development FAX: 713/621-1960
5075 Westheimer, Ste. 1266[EMAIL PROTECTED]
Houston, Texas 77056   http://www.CadenceDevelopment.com/

> From: Nick De Roeck <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Tue, 1 Aug 2000 10:11:57 +0200
> To: [EMAIL PROTECTED]
> Subject: openssl and IE5.0 on MacOS
> 
> Hi all,
> 
> can anyone pass me some url's to servers running openssl-0.9.5a, as I
> suspect that IE5.0 on Mac may be incompatible with this openssl
> version and NOT with f.i. 0.9.3a.
> 
> Also does anybody know why https://www.modssl.org is running openssl-0.9.3a ??
> 
> kind regards,
> 
> nick.



Re: The rsaref library

2000-08-01 Thread Michael Sierchio

Vin McLellan wrote:

>  Despite Mr. Sierchio's insistence that it is not true, there
> actually were (and are today, paid up to date) commercial RSAref licenses.

I challenge you on this:  RSA's legal counsel has flatly said that there
is no such license agreement.  I inquired as recently as last November, when
I left the company to pursue another opportunity.



Re: openssl and IE5.0 on MacOS

2000-08-01 Thread Tom Nichols


We also found this to be a problem. When we called Apple, they confirmed
it is a MICROSOFT PROBLEM. Netscape works okay.

We tested IE 4.5 and up on IMACS and it doesn't know how to handle certificates
at all. We tried RSA, Verisign, attempts to go to
https://americanexpress.com resulted in all kinds of errors.

Now, if you wonder why all this is, I believe it's because Apple and
Microsoft have been competitors for years...you know, the old Bill/Steve
crap.

Frank Martini wrote:

> Yes.. we're seeing the same thing.. both with Macs and the Palm.net service
> (the service that Palm VIIs use to connect to sites). I'll eMail you a link
> off-line.
>
> Frank
>
> --
> Frank Martini Voice: 713/621-1917
> Cadence Development FAX: 713/621-1960
> 5075 Westheimer, Ste. 1266 [EMAIL PROTECTED]
> Houston, Texas 77056 http://www.CadenceDevelopment.com/
>
>> From: Nick De Roeck <[EMAIL PROTECTED]>
>> Reply-To: [EMAIL PROTECTED]
>> Date: Tue, 1 Aug 2000 10:11:57 +0200
>> To: [EMAIL PROTECTED]
>> Subject: openssl and IE5.0 on MacOS
>>
>> Hi all,
>>
>> can anyone pass me some url's to servers running openssl-0.9.5a, as I
>> suspect that IE5.0 on Mac may be incompatible with this openssl
>> version and NOT with f.i. 0.9.3a.
>>
>> Also does anybody know why https://www.modssl.org is running openssl-0.9.3a ??
>>
>> kind regards,
>>
>> nick.



Re: openssl and IE5.0 on MacOS

2000-08-01 Thread Frank Martini

Yes, this is what Palm.net said also (they use Microsoft code too).

Does anyone know if there's a way to reconfigure the server to get around
this? Perhaps going to a previous version??? After living w/ this problem
for months, I'm to the point where I'll try anything. (We even licensed both
Verisign and Thawte certs hoping that somehow switching would help, to no
avail.)

Frank



-- 
Frank Martini Voice: 713/621-1917
Cadence Development FAX: 713/621-1960
5075 Westheimer, Ste. 1266[EMAIL PROTECTED]
Houston, Texas 77056   http://www.CadenceDevelopment.com/

> From: Tom Nichols <[EMAIL PROTECTED]>
> Organization: CitX Corporation
> Reply-To: [EMAIL PROTECTED]
> Date: Tue, 01 Aug 2000 10:33:33 -0400
> To: [EMAIL PROTECTED]
> Subject: Re: openssl and IE5.0 on MacOS
> 
> We also found this to be a problem. When we called Apple, they confirmed it is
> a MICROSOFT PROBLEM. Netscape works okay.
> 
> We tested IE 4.5 and up on IMACS and it doesn't know how to handle
> certificates at all. We tried RSA, Verisign, attempts to go to
> https://americanexpress.com resulted in all kinds of errors.
> 
> Now, if you wonder why all this is, I believe it's because Apple and Microsoft
> have been competitors for years...you know, the old Bill/Steve crap.
> 
> Frank Martini wrote:
> 
>> Yes.. we're seeing the same thing.. both with Macs and the Palm.net service
>> (the service that Palm VIIs use to connect to sites). I'll eMail you a link
>> off-line.
>> 
>> Frank
>> 
>> --
>> Frank Martini Voice: 713/621-1917
>> Cadence Development FAX: 713/621-1960
>> 5075 Westheimer, Ste. 1266[EMAIL PROTECTED]
>> Houston, Texas 77056   http://www.CadenceDevelopment.com/
>> 
>>> From: Nick De Roeck <[EMAIL PROTECTED]>
>>> Reply-To: [EMAIL PROTECTED]
>>> Date: Tue, 1 Aug 2000 10:11:57 +0200
>>> To: [EMAIL PROTECTED]
>>> Subject: openssl and IE5.0 on MacOS
>>> 
>>> Hi all,
>>> 
>>> can anyone pass me some url's to servers running openssl-0.9.5a, as I
>>> suspect that IE5.0 on Mac may be incompatible with this openssl
>>> version and NOT with f.i. 0.9.3a.
>>> 
>>> Also does anybody know why https://www.modssl.org is running openssl-0.9.3a
>>> ??
>>> 
>>> kind regards,
>>> 
>>> nick.



Re: openssl and IE5.0 on MacOS

2000-08-01 Thread Nick De Roeck

>After living w/ this problem
>for months, I'm to the point where I'll try anything.

Me too.

nick.

