RE: I'm still so very confused about certificates
-Original Message- From: Eric Murray [mailto:[EMAIL PROTECTED]] Sent: Friday, August 25, 2000 10:04 PM To: [EMAIL PROTECTED] Subject: Re: I'm still so very confused about certificates The certificate has no effect on the type of symmetric encryption that SSL negotiates. Funny... I was just about to post a question concerning the same matter :-) I know how SSL works and that the certificate does'nt affect the symmetric encryption used after authentication but I'm still confused. I intend to get a signed certificate from Verisign but if I understand correctly (their web pages) they are actually selling certificates for 40 bit and for 128 bit encryption... how can this be? The 40 bit certificate is said to use 40 bit encryption with export-version browsers and 128 with domestic ones. The 128 bit certificate is said to always form a 128 bit enc. How can it be possible that with the 128 bit certificate one wound'nt have the ability of using 40 bit session keys? Thanks You for answering -- I'd be happy to hear that I have misunderstood something :-) Yours Ville __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: I'm still so very confused about certificates
Hi, We have two keys: RSA key for certificate and key for data encryption. When you read Verisign's pages you read about RSA key length (certificate). It is possible to use any combinations of key lengths for RSA and symmetric algorithm, e.g. 40 bit certificate and RC4-MD5 (128 bit) data encryption. Regards Yuriy Stul, Tashilon Ltd., Core Technology Division Manager mailto:[EMAIL PROTECTED] http://www.tashilon.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Wirta, Ville Sent: Monday, August 28, 2000 8:15 AM To: '[EMAIL PROTECTED]' Subject: RE: I'm still so very confused about certificates -Original Message- From: Eric Murray [mailto:[EMAIL PROTECTED]] Sent: Friday, August 25, 2000 10:04 PM To: [EMAIL PROTECTED] Subject: Re: I'm still so very confused about certificates The certificate has no effect on the type of symmetric encryption that SSL negotiates. Funny... I was just about to post a question concerning the same matter :-) I know how SSL works and that the certificate does'nt affect the symmetric encryption used after authentication but I'm still confused. I intend to get a signed certificate from Verisign but if I understand correctly (their web pages) they are actually selling certificates for 40 bit and for 128 bit encryption... how can this be? The 40 bit certificate is said to use 40 bit encryption with export-version browsers and 128 with domestic ones. The 128 bit certificate is said to always form a 128 bit enc. How can it be possible that with the 128 bit certificate one wound'nt have the ability of using 40 bit session keys? Thanks You for answering -- I'd be happy to hear that I have misunderstood something :-) Yours Ville __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: I'm still so very confused about certificates
Hmmm I'm not sure if I understand You correctly. Do you really mean that Verisign wound be talking about RSA key lengths? That those keys were 40 or 128 bit long? That cannot be since RSA is a public key algorithm and usually nowadays at least 1024 bits long. My humble question is still in the air: why is Verisign selling two different(?) type of certificates? Yours Ville -Original Message- From: Yuriy Stul [mailto:[EMAIL PROTECTED]] Sent: Monday, August 28, 2000 10:34 AM To: [EMAIL PROTECTED] Subject: RE: I'm still so very confused about certificates Hi, We have two keys: RSA key for certificate and key for data encryption. When you read Verisign's pages you read about RSA key length (certificate). It is possible to use any combinations of key lengths for RSA and symmetric algorithm, e.g. 40 bit certificate and RC4-MD5 (128 bit) data encryption. Regards Yuriy Stul, Tashilon Ltd., Core Technology Division Manager mailto:[EMAIL PROTECTED] http://www.tashilon.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Wirta, Ville Sent: Monday, August 28, 2000 8:15 AM To: '[EMAIL PROTECTED]' Subject: RE: I'm still so very confused about certificates -Original Message- From: Eric Murray [mailto:[EMAIL PROTECTED]] Sent: Friday, August 25, 2000 10:04 PM To: [EMAIL PROTECTED] Subject: Re: I'm still so very confused about certificates The certificate has no effect on the type of symmetric encryption that SSL negotiates. Funny... I was just about to post a question concerning the same matter :-) I know how SSL works and that the certificate does'nt affect the symmetric encryption used after authentication but I'm still confused. I intend to get a signed certificate from Verisign but if I understand correctly (their web pages) they are actually selling certificates for 40 bit and for 128 bit encryption... how can this be? The 40 bit certificate is said to use 40 bit encryption with export-version browsers and 128 with domestic ones. The 128 bit certificate is said to always form a 128 bit enc. How can it be possible that with the 128 bit certificate one wound'nt have the ability of using 40 bit session keys? Thanks You for answering -- I'd be happy to hear that I have misunderstood something :-) Yours Ville __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: HELP NEEDED: Persist connection
Actuall, my server is apache 1.3. The KeepAlive is on. By default, It should be persistent connection without asking for Keep-Alive. However, it does not work with either SSL(port 443) or without SSL (port 80). I tested this with telnet: - telnet host 80 GET / HTTP1.1 This always closes the connection - telnet host 80 GET / HTTP1.1 Connection: Keep-Alive This does not close the connection - telnet host 443 GET / HTTP1.1 This always closes the connection - telnet host 443 GET / HTTP1.1 Connection: Keep-Alive This always closes the connection Is this a bug? any comments? Thanks, Miha -Original Message- From: Arun Venkataraman [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 24, 2000 9:57 AM To: [EMAIL PROTECTED] Cc: Miha Wang Subject: Re: HELP NEEDED: Persist connection [Moved to openssl-users] AFAIK, SSL_RECEIVED_SHUTDOWN means the **other side** (ie. the server) sent you a shutdown. This could be because you are using HTTP/1.0 and not asking for a Keep-Alive connection in your request. All such connections are required to be shut-down by the protocol. In any case, even if you received a shutdown, you can always do the handshake all over again and continue from there. Arun. "If you torture data long enough, it will admit anything you want.." This message is for the named person(s) use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please immediately delete it and all copies of it from your system, destroy any hard copies of it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. SPEEDERA NETWORKS, INC. reserves the right to monitor all e-mail communications through its network. -Original Message- From: Miha Wang [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Cc: Miha Wang [EMAIL PROTECTED] Date: Thursday, August 24, 2000 1:27 AM Subject: HELP NEEDED: Persist connection Basically, I want to write a client that uses persist connection created by SSL_new() for repeat SSL_write() and SSL_read() calls. However, after the first successful write/read, the subsequent SSL_read() with no data. After looking into the SSL_read() code, I found out SSL_RECEIVED_SHUTDOWN was set in the connection handle (s-shutdown), although I did not explicitly set in the program. I did not call any of the shutdown functions. I think it was set internally upon finishing the first read. Is anything need to be set during the connection? My client is to connect to the HTTPS server (Netscape SSL). Actually, the program is very similar to the s_time.c in openSSL except not making connection everytime. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How to install OpenSSL in SunOS 2.6
Hi, You need some random numbers! Solaris does not come with /dev/urandom, get it here. http://www.cosy.sbg.ac.at/~andi/ works for me siva kumaran wrote: hi, I faced a problem when i was loading OpenSSL in SunOS 2.6.I have installed the OpenSSL in the system ,but the commands were not working.It is giving the error, "not seeded enough".I saw the FAQ and found that,if a patch file was installed, these can be solved,but even after installing that i get the same problem.Can any one help me in these problem.It is urgent please. thank u siva _ Get Your Free Email At, http://www.rediffmail.com Partcipate in crazy Re.1 auctions at http://www.rediff.com/auctions __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Craig Shaver, Productivity Group POB 60458 Sunnyvale, CA 94088 (650)390-0654 http://www.progroup.com/ mailto:[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: AW: how do i know the version how to start https
hi arne, yes, u've been a great help. how do u write the script that gives password? i've tried to look for pp-filter(stated in modssl guide)-unfortunately i can't find it. can u give me a sample pls? thanks. tk It will the ask for the private key protection password if mod_ssl uses the "builtin" feature for that. Some folks do not use a password though, to prevent mod_ssl from asking. However, I created a script that gives the password so the key remains protected. You must then protect the key AND the script, of course. As Apache chroots after = 0Oo~~:o) Smile! You'r Alive!!! Q:What's peacefulness? A:What's confusion? Peacefulness is the end of confusion. o.0.Oo.o May there be peace in every step we take :o):tk __ Do You Yahoo!? Yahoo! Mail - Free email you can access from anywhere! http://mail.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
No Subject
openssl usage
Hi, We (Intelesoft Technologies Ltd.) are a software development company in india. We are providing software solutions to both indian as well as intenational clients. We are implementing e-commerce for few of our clients. The project is being developed using Apache webserver version 1.3.12. Now we have to implement SSL for secure transactions. We have downloaded and installed "openSSL" including Apache-SSL patch. But we have not been able to use it. What we want to know is, how to use openSSL. We searched for user manual but couldn't find it. So, please tell us how to use openSSL for our clients. Thanks Jatin (Intelesoft Technologies Limited) __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: openssl usage
Hi, I'd prefer mod_ssl over Apache-SSL patch. For an inside view how to use SSL with Apache and mod_ssl see the mod_ssl manual or some helpful links at Apache.org. Cheers, Arne -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Im Auftrag von Jatin Kochhar Gesendet: Montag, 28. August 2000 10:57 An: [EMAIL PROTECTED] Betreff: openssl usage Hi, We (Intelesoft Technologies Ltd.) are a software development company in india. We are providing software solutions to both indian as well as intenational clients. We are implementing e-commerce for few of our clients. The project is being developed using Apache webserver version 1.3.12. Now we have to implement SSL for secure transactions. We have downloaded and installed "openSSL" including Apache-SSL patch. But we have not been able to use it. What we want to know is, how to use openSSL. We searched for user manual but couldn't find it. So, please tell us how to use openSSL for our clients. Thanks Jatin (Intelesoft Technologies Limited) __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How can I change libssl.a into libssl.so?
You need to do a little more reading... Sure you can 'rename' it, but that won't do you any good... Anything with a '.so' extension is a shared library, and must be compiled as such. My .02... Howard wrote: ÄãºÃ£¡ I find "libssl.a" and "libcrypto.a" in the path "/usr/local/ssl/lib/". I cannot find "libssl.so" ,there is only "libcrypto.so" in "/usr/lib/"? Oh... what shall I do? PS: My OS is "RedHat Linux 6.2". Ö Àñ£¡ Howard [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- -- Ricardo Stella O.I.T. (609)896-5000 x7436 _suAve_ Rider University *** Remove 'no-spam' from e-mail address before replying. *** begin:vcard adr;dom:;;;Lawrenceville;NJ;08648; adr:;;2083 Lawreceville Road;Lawrenceville;NJ;08648; n:Stella;Ricardo tel;fax:1-609-219-4994 tel;work:1-609-896-5000 x7436 x-mozilla-html:FALSE url:http://poseidon.rider.edu org:Rider University;O.I.T. version:2.1 title:Manager x-mozilla-cpt:;-9584 fn:Ricardo Stella end:vcard
RE: HELP NEEDED: Persist connection
-Original Message- From: Miha Wang [mailto:[EMAIL PROTECTED]] Sent: Thursday, August 24, 2000 12:55 PM Actuall, my server is apache 1.3. The KeepAlive is on. By default, It should be persistent connection without asking for Keep-Alive. However, it does not work with either SSL(port 443) or without SSL (port 80). I tested this with telnet: - telnet host 80 GET / HTTP1.1 This always closes the connection Well, for one thing, this isn't a legal request. See RFC 2616. Off the top of my head, I note that: 1. The HTTP-Version component of the Request-Line MUST be of the form "HTTP" "/" version-major "." version-minor ie. "HTTP/1.1". 2. HTTP/1.1 Request-Lines that don't have a fully-qualified URL MUST be followed by a Host: header somewhere in the request. 3. Are you sure your client (your telnet client, in this case) is correctly terminating each line of the request with CRLF, and terminating the whole request with an additional CRLF? But the main problem here is that you don't understand the HTTP/1.1 Persistent Connection mechanism. The server MUST close the connection after sending the response if the client did not include a valid Keep-alive header requesting a persistent connection. (The server MAY close the connection after returning the response even if the client did request a persistent connection; it's not bound by the client's request.) This isn't a OpenSSL problem. Michael Wojcik [EMAIL PROTECTED] MERANT Department of English, Miami University __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: I'm still so very confused about certificates
On Mon, Aug 28, 2000 at 09:15:25AM +0300, Wirta, Ville wrote: -Original Message- From: Eric Murray [mailto:[EMAIL PROTECTED]] Sent: Friday, August 25, 2000 10:04 PM To: [EMAIL PROTECTED] Subject: Re: I'm still so very confused about certificates The certificate has no effect on the type of symmetric encryption that SSL negotiates. Funny... I was just about to post a question concerning the same matter :-) I know how SSL works and that the certificate does'nt affect the symmetric encryption used after authentication but I'm still confused. I intend to get a signed certificate from Verisign but if I understand correctly (their web pages) they are actually selling certificates for 40 bit and for 128 bit encryption... how can this be? The Verisign site is a masterful display of obfuscation in the name of making cryptography easier to understand. The "128-bit" certificates have X.509v3 extensions for "Server Gated Crypto" or "Step-up" that Netscape and Microsoft browsers recognize. This extension (it has nothing to do with the public key) when present, lets certain browsers which have code that recognizes the extension to use strong non-export ciphersuites when talking to a server that sends an SGC cert. As far as I know, there's no difference in the actual key size (and thus the strength) of Verisign's "40-bit" and "128-bit" certs. The "40-bit" certs should still allow stong crypto SSL/TLS sessions with non-export browsers... which is what all browsers should be soon, with the latest rev of the US export regs. However, my previous statement is incorrect- it should have been "the server public key has no effect on the strength of symmetric encryption that SSL negotiates", as the presence of the SGC extension can allow an "export" browser to connect using a less insecure ciphersuite. The 40 bit certificate is said to use 40 bit encryption with export-version browsers and 128 with domestic ones. The 128 bit certificate is said to always form a 128 bit enc. No, they say that the "128-bit" certs ENABLE 128-bit connections. (http://www.verisign.com/site/ssl.html#Difference) They just WANT you to think that it always makes a 128-bit ciphersuite. It appears that other than the SGC extension, the purpose of the "128-bit" cert is to enable the removal of an extra $549 from the server operator's wallet. -- Eric Murray http://www.lne.com/ericm ericm at lne.com PGP keyid:E03F65E5 Consulting Security Architect __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
transferring digital cert.
Quick question. We are getting ready to do some major upgrades on our network, thus moving everything off the old. How would I go about transfering our digital certificates, ect. from one server to another? The reason I ask is that we use Verisign and I've heard from "unreliable" sources that we would have purchase another certificate? -William Scates begin:vcard n:Scates;William x-mozilla-html:FALSE org:ConnectOK;IT Dept. adr:;;200 E. Britton Road ;Oklahoma City;Oklahoma;73114;USA version:2.1 email;internet:[EMAIL PROTECTED] title:Systems Administrator x-mozilla-cpt:;-24384 fn:William Scates end:vcard
Re: How can I change libssl.a into libssl.so?
I think you could try this: Extract *.o files in the static library with ar -x libssl.a Then link them again with: ld -rpath "/usr/local/ssl" -shared -o libssl.so *.o The command "file libssl.so" reports then: libssl.so: ELF 32-bit LSB shared object, Intel 80386, version 1, not stripped so I think this is correct. But ther is a compiler option in the makefiles to compile as shared libs directly. -Original Message- From: Ricardo Stella [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Date: lunes 28 de agosto de 2000 14:57 Subject: Re: How can I change "libssl.a" into "libssl.so"? You need to do a little more reading... Sure you can 'rename' it, but that won't do you any good... Anything with a '.so' extension is a shared library, and must be compiled as such. My .02... Howard wrote: ÄãºÃ£¡ I find "libssl.a" and "libcrypto.a" in the path "/usr/local/ssl/lib/". I cannot find "libssl.so" ,there is only "libcrypto.so" in "/usr/lib/"? Oh... what shall I do? PS: My OS is "RedHat Linux 6.2". Ö Àñ£¡ Howard [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- -- Ricardo Stella O.I.T. (609)896-5000 x7436 _suAve_ Rider University *** Remove 'no-spam' from e-mail address before replying. *** __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: transferring digital cert.
At 10:37 AM 8/28/00 -0500, you wrote: Quick question. We are getting ready to do some major upgrades on our network, thus moving everything off the old. How would I go about transfering our digital certificates, ect. from one server to another? The reason I ask is that we use Verisign and I've heard from "unreliable" sources that we would have purchase another certificate? -William Scates As long as the server name is the same, .. you should be OK. Of course Verisign wants you to purchase a new certificate! The certificate itself is just a file, put it in the proper directory on the new server and point your config to it. Lee __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: transferring digital cert.
Ah, great! I was hoping that it would that simple and cost effective! :) - Will "Leland V. Lammert" wrote: At 10:37 AM 8/28/00 -0500, you wrote: Quick question. We are getting ready to do some major upgrades on our network, thus moving everything off the old. How would I go about transfering our digital certificates, ect. from one server to another? The reason I ask is that we use Verisign and I've heard from "unreliable" sources that we would have purchase another certificate? -William Scates As long as the server name is the same, .. you should be OK. Of course Verisign wants you to purchase a new certificate! The certificate itself is just a file, put it in the proper directory on the new server and point your config to it. Lee __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] begin:vcard n:Scates;William x-mozilla-html:FALSE org:ConnectOK;IT Dept. adr:;;200 E. Britton Road ;Oklahoma City;Oklahoma;73114;USA version:2.1 email;internet:[EMAIL PROTECTED] title:Systems Administrator x-mozilla-cpt:;-24384 fn:William Scates end:vcard
Re: I'm still so very confused about certificates
The certificate has no effect on the type of symmetric encryption that SSL negotiates. Except that if you have to support older "export-strength crypto" browsers, then you can only have a 512bit key. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: learning PRNG state on startup
Another one problem exists: the very first run of PRNG use only half of that hash that cuts the search space half. That is, even properly seed PRNG(several hundreds of bytes) will output first MD_DIGEST_LENGTH/2 bytes subject to search-it-all attack with search space MD_DIGEST_LENGTH/2 bytes. Solution is simple: output and forget first N*1023 bytes from PRNG. Please take a look at the 'stirred_pool' variable in crypto/rand/md_rand.c in OpenSSL snapshots. The minimum number of entropy-bits is 128 (=16bytes), which is also retrieved from /dev/urandom, if no other seeding was done. Compared to a key-size of 128bits (RC4-MD5) or even 168bits (3DES) and considering that bytes from the random pool may be used for other items, I would recommend to increase the mininum amount of seed to either 32 bytes. or even 48bytes with respect to the size of the premaster secret (#define SSL3_MASTER_SECRET_SIZE 48). The minimum amount of seed is currently 20 bytes (snapshot versions), i.e. the size of one DSA secret. -- Bodo Möller [EMAIL PROTECTED] PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html * TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt * Tel. +49-6151-16-6628, Fax +49-6151-16-6036 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Challenge: creating certificate
I was under the impression that the signature is the public key signed by my private key. So, am I wrong about the signature or does the CA actually do both? --Moses -Original Message- From: Rodrigo Coronado [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 22, 2000 1:54 PM To: [EMAIL PROTECTED] Subject: Re: Challenge: creating certificate Is to prove (to the CA) that you actually own the private key corresponding to the public key that you're sending in the request for certification. You send the challenge and the signed challenge, and the CA verifies the signature with your public key. If it match, everything's ok. Does it answer your question? Rodrigo. "Chan, Moses" wrote: Does anyone know what is the purpose of having to fill the "challenge" for when creating a signing request or certificate? Thanks in advance. --Moses __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- "Se que crees que entiendes lo que piensas que yo dije, pero no estoy seguro de que te des cuenta de que lo que escuchaste no es lo que yo quise decir" Richard Nixon (y yo) __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Memory BIOs size grows indefinitely
On Wed, Aug 23, 2000 at 10:03:42AM +0530, Amit Chopra wrote: Steve mentioned that the size of the memory BIO can grow indefinitely until memory allocations fail. I assume what he is referring to is that when BIO_write is called a reallocation is done if the data to be written is more than the current size of the BIO buffer. Yes. If you don't like this, forget about memory BIOs and use BIO pairs instead. See example code in ssl/ssltest.c or in Postfix-TLS. BIO pairs do buffer allocation only once. -- Bodo Möller [EMAIL PROTECTED] PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html * TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt * Tel. +49-6151-16-6628, Fax +49-6151-16-6036 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Challenge: creating certificate
Two common cert request formats are PKCS#10 and Netscape's SPKAC, which is the "Signed public key and challenge." The challenge is primarily to support completion of an enrollment/certification process when the cert is retrieved OOB (cf. Verisign's enrollment process in which the binding of the e-mail address in the cert is verified by sending mail to that address with the URL where the cert may be retrieved, and the challenge phrase is used as a passphrase in order to get the cert). The self-signed object is required to ensure proof-of-possession of the private key associated with the public key to be bound to the identity in the cert. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: I'm still so very confused about certificates
Rich Salz [EMAIL PROTECTED] writes: The certificate has no effect on the type of symmetric encryption that SSL negotiates. Except that if you have to support older "export-strength crypto" browsers, then you can only have a 512bit key. Only REALLY REALLY old browsers that only support SSLv2. SSLv3 has a an ephemeral RSA scheme that lets you authenticate a 512-bit key with your 1024 bit signing key. -Ekr __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
how commercial browser clients seed PRNG
I'm curious if anyone knows how commercial browser clients (IE, Netscape, Opera, etc.) seed their PRNGs? Anyone know or have any guesses? Thanks, Glenn __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Importing Certificate Problem.
I don't know what CA.pl -pkcs12 does nor what it does expect. Anyway, if you simply need to create a PKCS12 file to import in netscape you need at least the file containing the private key (say for example newkey.pem) and the one with your certificate (say newcert.pem). If you also have your CA certificate file in, say, cacert.pem you can put in one PKCS12 file altogether by doing: $openssl pkcs12 -export -out mycerts.p12 -in newcert.pem -inkey newkey.pem -certfile cacert.pem you will be asked for the private key encryption passphrase first, and then for a new passphrase to protect the PKCS12 package. It will create the file mycerts.p12 containing all the things you need. Switch to netscape and import everything selecting mycerts.p12. You will be asked the passphrase protecting the package and the one protecting netscape's key repository, I don't remember in whitch order at the moment, pay attention to message boxes title. Netscape will import your certificate and private key and, more, your CA certificate. Remember to grant rights to your CA to let it verify your client certificate. It seems difficult but it's not so. bye Pietro Hi, can you help me ? I have created the certificate using openssl.0.9.5a by the following commands. CA.pl -newreq CA.pl -signreq I have converted in to pkcs12 format by doing the following I have copied the private key from the file newreq.pem in to newcert.pem cacert.pem is in ./demoCA After that I have given the command CA.pl -pkcs12 "My Certificate" I have got the newcert.p12 I couldn't import my certificate (newcert.p12) in Netscape 4.7 I have got the following message after entering the passphrase Unable to import certificates.The file specified is either corrupt or is not a valid file. Regards Vimalan.G __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Importing Certificate Problem.
Thanks It's working fine "[EMAIL PROTECTED]" wrote: I don't know what CA.pl -pkcs12 does nor what it does expect. Anyway, if you simply need to create a PKCS12 file to import in netscape you need at least the file containing the private key (say for example newkey.pem) and the one with your certificate (say newcert.pem). If you also have your CA certificate file in, say, cacert.pem you can put in one PKCS12 file altogether by doing: $openssl pkcs12 -export -out mycerts.p12 -in newcert.pem -inkey newkey.pem -certfile cacert.pem you will be asked for the private key encryption passphrase first, and then for a new passphrase to protect the PKCS12 package. It will create the file mycerts.p12 containing all the things you need. Switch to netscape and import everything selecting mycerts.p12. You will be asked the passphrase protecting the package and the one protecting netscape's key repository, I don't remember in whitch order at the moment, pay attention to message boxes title. Netscape will import your certificate and private key and, more, your CA certificate. Remember to grant rights to your CA to let it verify your client certificate. It seems difficult but it's not so. bye Pietro Hi, can you help me ? I have created the certificate using openssl.0.9.5a by the following commands. CA.pl -newreq CA.pl -signreq I have converted in to pkcs12 format by doing the following I have copied the private key from the file newreq.pem in to newcert.pem cacert.pem is in ./demoCA After that I have given the command CA.pl -pkcs12 "My Certificate" I have got the newcert.p12 I couldn't import my certificate (newcert.p12) in Netscape 4.7 I have got the following message after entering the passphrase Unable to import certificates.The file specified is either corrupt or is not a valid file. Regards Vimalan.G __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] begin:vcard n:Govindaraj;Vimalan tel;work:91-80-286-3394 - 96 Extn.1718 x-mozilla-html:FALSE org:Hewlett - Packard ISO version:2.1 email;internet:[EMAIL PROTECTED] title:Project Trainee adr;quoted-printable:;;Hewlett-Packard,=0D=0A Indian Express Building,=0D=0ADr.B.R.Ambedkar Road,=0D=0A;Bangalore;Karnataka;560 001;India fn:VIMALAN.G end:vcard S/MIME Cryptographic Signature
Re: I'm still so very confused about certificates
there has been a generation of browsers supporting SSLv3 AND USA export restrictions as well: they where able to generate RSA keys limited to 512 bit length and simmetric key up to 40 bits (upgraded to 56 recently). Using such a netscape for example you were able to import a PKCS12 file containing an externally generated RSA 1024 bit (or grater) key pair and use it to establish an SSLv3 session but it only creates 40 or 56 session keys for encryption. pietro Rich Salz [EMAIL PROTECTED] writes: The certificate has no effect on the type of symmetric encryption that SSL negotiates. Except that if you have to support older "export-strength crypto" browsers, then you can only have a 512bit key. Only REALLY REALLY old browsers that only support SSLv2. SSLv3 has a an ephemeral RSA scheme that lets you authenticate a 512-bit key with your 1024 bit signing key. -Ekr __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: I'm still so very confused about certificates
"[EMAIL PROTECTED]"[EMAIL PROTECTED] writes: there has been a generation of browsers supporting SSLv3 AND USA export restrictions as well: they where able to generate RSA keys limited to 512 bit length and simmetric key up to 40 bits (upgraded to 56 recently). Using such a netscape for example you were able to import a PKCS12 file containing an externally generated RSA 1024 bit (or grater) key pair and use it to establish an SSLv3 session but it only creates 40 or 56 session keys for encryption. The size of the RSA keys in the browser is irrelevant because that key isn't used for confidentiality. -Ekr __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: I'm still so very confused about certificates
Your are right, anyway export restrictions have been almost removed or heavy modified and maybe we are going off topic :-) Pietro "[EMAIL PROTECTED]"[EMAIL PROTECTED] writes: there has been a generation of browsers supporting SSLv3 AND USA export restrictions as well: they where able to generate RSA keys limited to 512 bit length and simmetric key up to 40 bits (upgraded to 56 recently). Using such a netscape for example you were able to import a PKCS12 file containing an externally generated RSA 1024 bit (or grater) key pair and use it to establish an SSLv3 session but it only creates 40 or 56 session keys for encryption. The size of the RSA keys in the browser is irrelevant because that key isn't used for confidentiality. -Ekr __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: how commercial browser clients seed PRNG
On Mon, Aug 28, 2000 at 04:04:00PM -0500, Glenn Carr wrote: I'm curious if anyone knows how commercial browser clients (IE, Netscape, Opera, etc.) seed their PRNGs? Anyone know or have any guesses? The code that Netscape developed to seed their PRNG after their Great Random Number Debacle in '96 was posted to the cypherpunks list. The archives move; a web search should find them. Newer versions might be in the Mozilla open-source project. -- Eric Murray http://www.lne.com/ericm ericm at lne.com PGP keyid:E03F65E5 Consulting Security Architect __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Certificate Chains server vs client/server authentication
Hello Everyone, I have a chain of version 1 certificates. "Root CA" signs "Intermediate CA", which signs "client1" and "server1" certificates. I also have two example client/server pairs. The first example only does server authentication. The other example does both client and server authentication. The server authentication example works just fine, but the client/server authentication fails when trying to verify the server1 certificate chain. Here's the actual example (this is the client with the info callback tracking the progress) before/connect initialization before/connect initialization SSLv2/v3 write client hello A SSLv3 read server hello A SSLv3 read server certificate B SSLv3 read server certificate B SSLv3 read server certificate B Here is the error stack. 1068:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:.\ssl\s3_clnt.c:764: As stated before, this same certificate chain gets verified just fine when doing server authentication only. I have debugged into the library and know the following additional information: - In x509_vrfy.c:check_chain_purpose(), in the server auth. only example, ctx-last_trusted is set to 1, while for my client and server authentication example, it is set to 2. The function is dying on my intermediate certificate. if last_trusted == 1. it just checks the validity of the server certificate, but when last_trusted==2, it assumes that my intermediate certificate is also untrusted, this causes X509_check_purpose() to return 1 which then sets ctx-error to X509_V_ERR_INVALID_CA. Also, I do use load_verify_locations to load a trusted certificates file which contains both the root and intermediate CA certificates. Any help would greatly appreciated. Thanks, Mike Zeoli __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Extracting data from a DSA structure
Hello: I'm new to OpenSSL, I've started playing with the functions in the Crypto library and the DSA signature functions. My question is how do you extract the private and public keys from a DSA structure?. Thanks, Darío __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]