Help with error codes needed...

2000-09-28 Thread Todd Chapman


Hi. I am having problems with an OpenSSL enabled application.
Unfortunately I'm not the author of the app. and don't know much about SSL
programming. What I am trying to do is modify the code to produce more
useful error messages.

The client is failing on the call to SSL_connect and the server is failing
on the call to SSL_accept.

Can someone show me an example of calling these functions complete with
inspection and human readable printing of the error messages?

For example, this is how SSL_connect is currently implemented:

if( SSL_connect( ssl ) < 0 )
{
  syslog( LOG_DEBUG, "SSL_connect() failed." );
  return( NULL );
}


Not verbose on error is it.

Thanks.

-Todd

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



help with CA utilities

2000-09-28 Thread Roger S Reynolds

Hi.
I've been trying to figure out how to use the various openssl apps
to manage certificates.  I've had some success, but have had a 
devil of a time figuring out where it is putting various files, which files
it is using as defaults, what is being created, what exactly is needed and so on.

I'm wondering if someone can point me at a document, book, FAQ
or anything which gives 
 1) a general overview of the CA process
 2) specific instructions (examples) of doing this with the openssl ca utilities.
 3) What I am trying to accomplish is to generate/verify client certificates for an
 "in house" application.  It is desirable, though not strictly required that the 
  server be verified by a well known CA like verisign. 
  So useful info on doing that.

Thanks in advance.

roger




Réf. : Réf. : Re: signed & encrypted email to IE

2000-09-28 Thread Arnaud De Timmerman



Uli and all,

I've found the problem, I hope my solution will help in the future.

If you want to send signed & encrypted email to outlook or messenger, you have
to sign THEN encrypt the whole message.
As far as I've seen encrypting THEN signing isn't a good solution since in that
case two icons appear in messenger, one "signed" and one "encrypted". So one
icon says that your email was encrypted but not signed, and the other one says
it was signed but not encrypted... Very strange.

The problem was that at the end of the input I gave to the smime -sign utility,
there were two LF. If only one LF is at the end of my MIME encoded content, the
email is all well in outlook and messenger.
A valid file (with attached file) you could give to the smime -sign utility is :


Content-Type: multipart/mixed;
boundary="X.506.481.970048768.734.506"

Il s'agit d'un message multivolet au format MIME.
--X.506.481.970048768.734.506
Content-type: text/plain
Content-Transfer-Encoding: 7bit

Body

--X.506.481.970048768.734.506
Content-Type: text/plain; name="attach"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="attach"

Attach

--X.506.481.970048768.734.506--

ONLY ONE LF HERE.

I think that, once the email is decrypted, outlook changes "on the fly" the
signed part because it doesn't like the way the "boundary" appears, so the
signed part isn't valid anymore. Messenger doesn't have to change the signed
part so it's still valid.

Sorry for the poor English.
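
The sign-then-encrypt order and the single trailing LF described above, as an added example that is not part of the original post. It drives `openssl smime` from a POSIX shell; the throwaway self-signed certificate, the file names and the shortened MIME body are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The throwaway key and certificate,
# the file names and the CN are constructed for illustration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Rewrite a MIME entity so that it ends with exactly one LF: $(...) drops
# every trailing newline and printf puts a single one back.
normalize_trailing_lf() {    # usage: normalize_trailing_lf IN OUT
    printf '%s\n' "$(cat "$1")" > "$2"
}

# Sender: sign the MIME entity first, then encrypt the signed message.
sign_then_encrypt() {        # usage: sign_then_encrypt BODY SIGNER_CERT SIGNER_KEY RCPT_CERT OUT
    openssl smime -sign -in "$1" -signer "$2" -inkey "$3" -out "$5.signed" &&
    openssl smime -encrypt -aes128 -in "$5.signed" -out "$5" "$4" &&
    rm -f "$5.signed"
}

# Receiver: decrypt, then check the signature on the message found inside.
# -noverify skips certificate chain validation (the demo certificate is
# self-signed); the signature itself is still checked.
decrypt_then_verify() {      # usage: decrypt_then_verify MSG RCPT_CERT RCPT_KEY OUT
    openssl smime -decrypt -in "$1" -recip "$2" -inkey "$3" -out "$4.inner" &&
    openssl smime -verify -noverify -in "$4.inner" -out "$4" 2>/dev/null
}

# Constructed sample modelled on the file in the post, with extra LFs at the end.
printf '%s\n' \
    'Content-Type: multipart/mixed; boundary="X.506"' \
    '' \
    '--X.506' \
    'Content-Type: text/plain' \
    '' \
    'Body' \
    '' \
    '--X.506' \
    'Content-Type: text/plain; name="attach"' \
    'Content-Disposition: attachment; filename="attach"' \
    '' \
    'Attach' \
    '' \
    '--X.506--' \
    '' '' > "$WORK/body.raw"

# One self-signed certificate plays both signer and recipient in this demo.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=smime-demo' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

normalize_trailing_lf "$WORK/body.raw" "$WORK/body.mime"
sign_then_encrypt "$WORK/body.mime" "$WORK/cert.pem" "$WORK/key.pem" \
    "$WORK/cert.pem" "$WORK/mail.p7m"
decrypt_then_verify "$WORK/mail.p7m" "$WORK/cert.pem" "$WORK/key.pem" \
    "$WORK/recovered.mime"

echo "outer message: $(grep -i '^Content-Type' "$WORK/mail.p7m")"
echo "inner message: $(grep -i '^Content-Type: multipart/signed' "$WORK/recovered.mime.inner" | cut -c1-40)"
```

For a message that is actually mailed, the `-to`, `-from` and `-subject` options of `openssl smime` go on the encrypt step, since that produces the outer headers.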





Re: keys?

2000-09-28 Thread Alexander 'Alfe' Fetke

Hi, Steve ...

On Wed, 27 Sep 2000, Steve Wang wrote:

> I am trying to set up a SSL server, using the "openssl s_server".  It
> has an argument, "-key keyfile". What format should be the key in?

Try PEM format.  I always got useful results with it.

Alfe

--  / _|__  __  __   __|   __   __   SECURE INTERNET TECHNOLOGIES
  `/   |   (__) /  | |  | |  ) /__\  http://www.xtradyne.com
  / \  |   |   (__| \._| (__| |  | \._,  Alexander Fetke, Project Manager
 'Technologies AG --'[EMAIL PROTECTED]




SMTP server with SSL

2000-09-28 Thread Rosario Riccio



Hi all
 
this question may sound strange...
Does anyone know about some SMTP server that relies on SSL 
???
 
Thanks a lot
 
Rosario


Re: SMTP server with SSL

2000-09-28 Thread Costantino Imbrauglio



Yes: it's an obscure and  esoteric tool called 
sendmail... Look for version 8.11

  - Original Message - 
  From: 
  Rosario Riccio 
  To: ML openssl-users 
  Sent: Thursday, September 28, 2000 1:32 
  PM
  Subject: SMTP server with SSL
  
  Hi all
   
  this question may sound strange...
  Does anyone know about some SMTP server that relies on SSL 
  ???
   
  Thanks a lot
   
  Rosario


Re: SMTP server with SSL

2000-09-28 Thread Lutz Jaenicke

On Thu, Sep 28, 2000 at 01:32:43PM +0200, Rosario Riccio wrote:
> Hi all
> 
> this question may sound strange...
> Does anyone know about some SMTP server that relies on SSL ???

You can have TLS/SSL support for postfix, qmail, sendmail, zmailer,
for the first two there are patchkits available, the last two have
TLS/SSL support already built in. (TLS support will become standard
part of postfix in a later revision.)

Please check out
  http://www.aet.TU-Cottbus.DE/personen/jaenicke/postfix_tls/
for links.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Session caching

2000-09-28 Thread Ari Pirinen

Hello.

Apparently server side caching is not optional. At least IE5 fails with my
server when validating the client if caching is not enabled.

However, would someone please explain to me the function of
SSL_CTX_set_session_id_context function call??? I hate to
use functions which I have no idea what they do. I've searched all over the
documents, the sources etc. but just don't get it. The passed const char *
thing is just copied around in the sources and compared. What are the proper
values for it? Right now I'm using it like s_server does it, passing an
integer with value "1". It seems to work that way, but I really need to
understand this better.

Please. Someone out there must know the purpose of this strange function.

One easy question at the end: are CApath and CAfile just different ways to
give the same information (ie in directory with hashed files, or all in the
same file) ? If not, what's the difference.

With regards,
Ari





Re: SMTP server with SSL

2000-09-28 Thread Sergio Rabellino

Lutz Jaenicke wrote:
> 
> On Thu, Sep 28, 2000 at 01:32:43PM +0200, Rosario Riccio wrote:
> > Hi all
> >
> > this question may sound strange...
> > Does anyone know about some SMTP server that relies on SSL ???

I've installed sendmail 8.11 with TLS/SSL support on a Solaris7/64 box
and it's ok !
Then using some ssltunnel application you can also give an imap or pop
service over TLS/SSL support to your users.

The only trick is about some packages that you must compile to obtain
the server compilation...

Good Luck !
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Browser's signature function

2000-09-28 Thread 鄭嘉豐

Hi,


As we know, the SSL protocol does not support a signature function.
But Netscape does it by the signtext javascript function call.
How about IE? Does IE support a signature function?
If IE does not, is it possible to write a Microsoft Crypto API ActiveX which
accesses the IE key/cert db and signs the text?
Would this idea work? Does anyone have that kind of experience?
Thanks!


kevub





RE: key values mismatch

2000-09-28 Thread Dearnaley (EXT), Roger

> I think from doing some searching on the net that my private 
> key and my certificate don't match.  What do I need to do to 
> make them match?

Replace the key file that Apache generated with the one from which you
created the certificate request that you sent to the CA to get the
certificate. It goes in /conf/ssl.key/ - I can't tell you
the file name since I don't have root access to our Apache installation here
so I can't look in the directory, but I expect you will find there is only
one file in there.

If you don't still have the key file you generated the certificate request
from, you are going to have to create a new key and get a new certificate
for it. Look at the openssl command line tool, specifically commands genrsa
and req

--Roger Dearnaley <[EMAIL PROTECTED]>
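
One way to check whether a key, a certificate request and a certificate belong together before swapping files, as an added example that is not part of the original reply. File names and the subject are constructed; the key must be unencrypted, otherwise openssl prompts for its pass phrase.

```shell
#!/bin/sh
# Added example, not from the original reply. File names and the subject
# /CN=www.example.test are constructed for illustration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print the SHA-256 of the DER-encoded public key held in a private key,
# a certificate request or a certificate. Returns non-zero when the file
# cannot be parsed, so two unreadable files never compare as "matching".
pubkey_digest() {            # usage: pubkey_digest key|csr|cert FILE
    der=$(mktemp)
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER -out "$der" ;;
        csr)  openssl req  -in "$2" -noout -pubkey |
                  openssl pkey -pubin -outform DER -out "$der" ;;
        cert) openssl x509 -in "$2" -noout -pubkey |
                  openssl pkey -pubin -outform DER -out "$der" ;;
        *)    false ;;
    esac 2>/dev/null && [ -s "$der" ] || { rm -f "$der"; return 1; }
    openssl dgst -sha256 -r "$der" | cut -d' ' -f1
    rm -f "$der"
}

# Exit status: 0 = same public key, 1 = different keys, 2 = unreadable input.
same_public_key() {          # usage: same_public_key KIND1 FILE1 KIND2 FILE2
    a=$(pubkey_digest "$1" "$2") || return 2
    b=$(pubkey_digest "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

# Constructed demo: server.key is the key the request was made from,
# other.key stands in for a key generated later by the web server setup.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
openssl req -new -key "$WORK/server.key" -subj '/CN=www.example.test' \
    -out "$WORK/server.csr"
openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -days 1 -out "$WORK/server.crt" 2>/dev/null

for k in server.key other.key; do
    rc=0
    same_public_key key "$WORK/$k" cert "$WORK/server.crt" || rc=$?
    case $rc in
        0) echo "$k matches server.crt" ;;
        1) echo "$k does NOT match server.crt" ;;
        *) echo "$k or server.crt could not be read" ;;
    esac
done
```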



Re: Session caching

2000-09-28 Thread Lutz Jaenicke

On Thu, Sep 28, 2000 at 09:27:23AM -0400, Ari Pirinen wrote:
> However, would someone please explain to me the function of
> SSL_CTX_set_session_id_context function call??? I hate to
> use functions which I have no idea what they do. I've searched all over the
> documents, the sources etc. but just don't get it. The passed const char *
> thing is just copied around in the sources and compared. What are the proper
> values for it? Right now i'm using it like s_server does it, passing an
> integer with value "1". It seems to work that way, but I really need to
> understand this better.

The actual value is of no importance. It is used to distinguish different
services. On the same server you may have SMTP-TLS, https, IMAP/TLS
etc running. Some of these may share sessions (e.g. SMTP and IMAP service),
some do not belong to this group. If e.g. SMTP and IMAP share the same
session cache, the context id may be used for synchronization.
(At least, this is how I understood it :-)

> One easy question at the end: are CApath and CAfile just different ways to
> give the same information (ie in directory with hashed files, or all in the
> same file) ? If not, what's the difference.

Please find attached my draft for the man-page which I just wrote yesterday
evening. I did not yet submit it for inclusion into OpenSSL because I first
wanted to add the *_client_CA_list* functions...

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153


diff -r -c --new-file 
openssl-SNAP-2926-vanilla/doc/ssl/SSL_CTX_load_verify_locations.pod 
openssl-SNAP-2926/doc/ssl/SSL_CTX_load_verify_locations.pod
*** openssl-SNAP-2926-vanilla/doc/ssl/SSL_CTX_load_verify_locations.pod Thu 
Jan  1 01:00:00 1970
--- openssl-SNAP-2926/doc/ssl/SSL_CTX_load_verify_locations.pod Wed Sep 27 
23:23:01 2000
***
*** 0 
--- 1,91 
+ =pod
+ 
+ =head1 NAME
+ 
+ SSL_CTX_load_verify_locations - set default locations for trusted CA
+ certificates
+ 
+ =head1 SYNOPSIS
+ 
+  #include 
+ 
+  int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
+const char *CApath);
+ 
+ =head1 DESCRIPTION
+ 
+ SSL_CTX_load_verify_locations() specifies the locations for B, at
+ which CA certificates for verification purposes are located. The certificates
+ available via B and B are trusted.
+ 
+ =head1 NOTES
+ 
+ If B is not NULL, it points to a file of CA certificates in PEM
+ format. The file can contain several CA certificates identified by
+ 
+  -BEGIN CERTIFICATE-
+  ... (CA certificate in base64 encoding) ...
+  -END CERTIFICATE-
+ 
+ sequences. Before, between, and after the certificates text is allowed
+ which can be used e.g. for descriptions of the certificates.
+ 
+ The B is processed on execution of the SSL_CTX_load_verify_locations()
+ function.
+ 
+ If on an TLS/SSL server no special setting is perfomed using *client_CA_list()
+ functions, the certificates contained in B are listed to the client
+ as available CAs during the TLS/SSL handshake.
+ 
+ If B is not NULL, it points to a directory containing CA certificates
+ in PEM format. The files each contain one CA certificate. The files are
+ looked up by the CA subject name hash value, which must hence be available.
+ Use the B utility to create the necessary links.
+ 
+ The certificates in B are only looked up when required, e.g. when
+ building the certificate chain or when actually performing the verification
+ of a peer certificate.
+ 
+ On a server, the certificates in B are not listed as available
+ CA certificates to a client during a TLS/SSL handshake.
+ 
+ =head1 EXAMPLES
+ 
+ Generate a CA certificate file with descriptive text from the CA certificates
+ ca1.pem ca2.pem ca3.pem:
+ 
+  #!/bin/sh
+  rm CAfile.pem
+  for i in ca1.pem ca2.pem ca3.pem ; do
+openssl x509 -in $i -text >> CAfile.pem
+  done
+ 
+ Prepare the directory /some/where/certs containing several CA certificates
+ for use as B:
+ 
+  cd /some/where/certs
+  c_rehash
+ 
+ =head1 RETURN VALUES
+ 
+ The following return values can occur:
+ 
+ =over 4
+ 
+ =item 0
+ 
+ The operation failed because B and B are NULL or the
+ processing at one of the locations specified failed. Check the error
+ stack to find out the reason.
+ 
+ =item 1
+ 
+ The operation succeeded.
+ 
+ =back
+ 
+ =head1 SEE ALSO
+ 
+ L
+ 
+ =cut
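Review bot: In EXAMPLES, `rm CAfile.pem` prints an error and returns non-zero on the first run, when CAfile.pem does not exist yet; use `rm -f CAfile.pem`, and quote `$i` in the `openssl x509` line. In NOTES, "perfomed" should read "performed" and "an TLS/SSL server" should read "a TLS/SSL server". NOTES also says the file's certificates are sent to clients as the list of available CAs while the directory's are not; since DESCRIPTION states that both sources are trusted, a sentence there saying they differ only in when they are loaded and in that listing would make the choice between them clearer.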
diff -r -c --new-file openssl-SNAP-2926-vanilla/doc/ssl/ssl.pod 
openssl-SNAP-2926/doc/ssl/ssl.pod
*** openssl-SNAP-2926-vanilla/doc/ssl/ssl.pod   Sat Sep 23 10:00:31 2000
--- openssl-SNAP-2926/doc/ssl/ssl.pod   Wed Sep 27 23:24:55 2000
***
*** 625,631 
  
  L, L,
  L, L,
! L, L,
  L,
  L,
  L, L,
--- 625,633 
  
  L, L,
  L, L,
! 

Certificate problems?

2000-09-28 Thread Tim Tyler

OpenSSL experts,

I am running Apache 1.3.12 on an AIX4.3 system.  I installed the mod_ssl 
along with openssl according to the Apache instructions.  The dummy 
certificates work fine after doing a make certificate.  Naturally, I wanted 
my own self authorized certificates.  So I followed the mod_ssl 
instructions.  At first it appeared it was working, but when I came in the 
next day I discovered that nearly all of my computers except for one could 
not connect to a secure https link.   The Apache error_log reports:

[Thu Sep 28 11:14:50 2000] [error] mod_ssl: SSL handshake failed (server beloit.edu:443, client 144.89.40.43) (OpenSSL library error follows)
[Thu Sep 28 11:14:50 2000] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]

I should also mention that I did get errors when trying to sign the 
server.csr file to create the server.crt file:

# ./sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
unable to load 'random state'
This means that the random number generator has not been seeded
with much random data.
Consider setting the RANDFILE environment variable to point at a file that
'random' data can be kept in (the file will be overwritten).
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName   :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Wisconsin'
localityName  :PRINTABLE:'Beloit'
organizationName  :PRINTABLE:'Beloit College'
organizationalUnitName:PRINTABLE:'ITS'
commonName:PRINTABLE:'beloit.edu'
emailAddress  :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Sep 28 16:01:16 2001 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: /C=US/ST=Wisconsin/L=Beloit/O=Beloit College/OU=ITS/CN=beloit.edu/Em[EMAIL PROTECTED]
error 18 at 0 depth lookup:self signed certificate
/C=US/ST=Wisconsin/L=Beloit/O=Beloit College/OU=ITS/CN=beloit.edu/Email=webadmin@beloit.edu
error 7 at 0 depth lookup:certificate signature failure

Can anyone tell me what I might be doing wrong or give me any 
suggestions?  Why did it work at first at least with some clients, but fail 
today?  -Thanks!

Tim
Tim Tyler
Network Engineer - Beloit College
[EMAIL PROTECTED]




OpenSSL and Threads

2000-09-28 Thread Robert Brown

Many thanks to all who guided me on several Win32 issues I had last week. I 
have yet another trivial question that has probably been asked many times 
but with some context. I am trying to understand the general idea of having 
multi-threaded access to the OpenSSL API.

In a very simple SSL client program, I have partitioned the calling such 
that I call the following functions in main()

SSLeay_add_ssl_algorithms
SSLv3_client_method
SSL_load_error_strings

and the following in each thread

SSL_CTX_new
SSL_new
SSL_write
SSL_read
SSL_shutdown
SSL_free
SSL_CTX_free

The threads are worker-pool threads. Is this a good model to follow ?

I am guessing that this can be optimized by not doing the SSL_CTX_new and 
SSL_CTX_free once per thread as opposed to once per iteration of the thread. 
Is this a valid approach ? Will it result in any leaks ?

Based on any known bugs, should I serialize access to any function(s) in 
particular to avoid these issues ?

Any other issues that you can think of, which I haven't asked :-?

Thanks in advance,

Robert






Re: Browser's signature function

2000-09-28 Thread Mario Fabiano

> 鄭嘉豐 wrote:
> 
> Hi,
> 
> As we know, SSL protocol do not support signature function.
> But Netscape does it by signtext javascript function call.
> How about IE? Does IE support signature function?
> If IE does not, is it possible that writing a Microsoft Crypto API
> ActiveX which
> access the IE key/cert db and sign the text?
> Is this idea working? Any one has that kind of experience?
> Thanks!
> 
> kevub

One more question.
Has anybody been able to decrypt Netscape signtext method signature
using Openssl? The format should be PKCS#7 version 1.5 with signature
and data put in different files.

-- 
Mario



Digital Signature

2000-09-28 Thread Sean Walker

I need to get a person's name from a certificate. I can currently get the
user's email address very easily. Can anyone tell me how to do this?

Thanks,
Sean Walker
AtPac








Netscape certificate Problem

2000-09-28 Thread Peter Liem

Hi,

I have a question on the Netscape certificate.
I've signed the SPKI request from Netscape and then I put the
signed certificate back to the client browser. However, I found that
there is a problem in verifying this certificate in Netscape browser.
When I click "Verify" button in Netscape browser (security section), an error
occurred: "Certificate Signature Invalid".
I am sure that I've installed the CA root certificate properly as there
is no error in verifying CA root certificate in Netscape.
Then, I've exported the "installed certificate" to .p12 file from
Netscape browser and then I installed the .p12 file into IE browser. I
found that this time everything goes fine. That is, IE can recognize my
certificate properly.
I wonder if there is a trick in generating client certificate for
fitting Netscape browser.
Many Thks for your help

Best regards,
Peter