Re: certificates setup: OpenSSL with imap-2000
Hello Lutz,

* Lutz Jaenicke ([EMAIL PROTECTED]) [20001129 14:36] thus spake:

[much elision]
>
> Please do a openssl rsa -in privkey.pem -text
> If the data is listed without password, you're done. If not, the PEM pass
> phrase wanted is the old one needed to decrypt the private key...

woah! That worked! I can now use mutt/uw-imap-2000/openssl with cram-md5
authentication! So far I have mutt-1.3.9i on Linux and irix working.
Mutt-1.2.5i does not seem to like cram-md5 authentication and pine-4.30
(compiled with openssl-0.9.6) complains about "[unable to get local issuer
certificate...]"

Thanks a million!

jf

>
> Best regards,
> Lutz
> --
> Lutz Jaenicke [EMAIL PROTECTED]
> BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]

--
"I haven't lost my mind...it's backed up on tape"
Re: Key generation in IE
"Tridib, Mumbai" wrote:
>
> Hi all,
> Please help me. My problems are as follows:
>
> 1. I have generated key pair in Netscape (at client side) and then subsequently I
> have created Certificate (at server side) using -SPKAC option of "ca" command i.e
> signing the request with root private key. This works fine. My problem is how can I
> generate the key pair in IE and then create certificate using openssl like what I
> have done in Netscape.
>
> Has any one done this? Please help me. I need your help desperately - I tried a lot
> using activex etc.

take a look at this page on microsoft's site:
http://msdn.microsoft.com/library/psdk/certsrv/xen_abus_0elw.htm

> 2. In case of signing a text in Netscape, there is no problem- crypto.signText() of
> Java Script works fine and the output is PKCS#7 object. I can also verify at the
> server using "verify" command of OpenCA.
>
> Could You please tell me how can I sign a text in the IE such that output will be
> PKCS#7 object?

currently, ie doesn't support signing text from certs in the cert store.
however, my company has developed an activex control that will allow you to
do so. i don't believe anyone else has developed one yet, but i could be
wrong. we haven't decided what to do with regards to if/how we plan on
making it available. contact me privately for more details. otherwise,
you'll have to build the activex control yourself.

> 3. If I have a crypto API which can generate a hash of a data and then sign it using
> the private key of the certificate, then is it possible to output a PKCS#7
> signed-object? If yes, how can it be done.

i don't believe openssl can build a pkcs7 signed object at this point in
time, but it can parse one. you might want to look at another sdk.

C SDK:
http://www.mozilla.org/projects/security/pki/nss/

Java SDK:
http://www.rtfm.com/puretls/
http://jcewww.iaik.tu-graz.ac.at/
http://security.dstc.edu.au/projects/java/jcsi.html

others:
http://www.timberlinetechnologies.com/products/devkit.html

some are free, some are commercial. again, you could also learn asn.1, etc.
and write your own pkcs7 builder...

-brahm
cipher suite issue?
Hello,

I'm having a weird problem. Here's my situation:

My server is set up to do both DSA and RSA. The DSA works fine. No questions
there. To accomplish this, I've set the cipher suite list in my httpd.conf
file to be:

SSLCipherSuite 3DES:!ADH:!SSLv2

which evaluates, using openssl ciphers -v '3DES:!ADH:!SSLv2', to:

EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH  Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH  Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA         SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

the DSS cipher is for my DSA operations, and the other two for my RSA
operations. The EDH-RSA cipher works fine from all clients (openssl-based
apps, java apps, s_client), no problems there. If I use my java client with
the DES-CBC3-SHA cipher, everything works fine. It's when I use that cipher
with any openssl-based apps (including s_client) that things don't work.

If I run this:

openssl s_client -connect myserver:443 -cert /tmp/s_client.crt -key /tmp/s_client.key -CAfile /tmp/s_clientCA.crt -tls1 -cipher DES-CBC3-SHA -state

I get the following output:

.
.
.
GET /servlets/TestServlet HTTP/1.0 (I type this)
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL3 alert write:fatal:illegal parameter
SSL_connect:error in SSLv3 read server key exchange A
27309:error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size:s3_both.c:302:

and the following shows up in my ssl_request_log:

[04/Dec/2000:18:55:07 -0500] ipaddress TLSv1 (NONE) "GET /servlets/TestServlet HTTP/1.0" 289

Notice the missing (NONE) cipher suite. If I run the same test but use
EDH-RSA-DES-CBC3-SHA as the cipher, it works fine. Again, my java client
works fine when using the same certs/keys/server and DES-CBC3-SHA.

Can anyone tell me what might be going wrong?

Thanks,
Jeff

P.S. One more data point is that EDH-RSA-DES-CBC3-SHA works with and without
client authentication being done. The DES-CBC3-SHA cipher only works if
client authentication is off.
Re: Java can't read an unmodified OpenSSL X.509 certificate?
Mark Swanson wrote:
>
> Hello,
>
> I've generated DSA and RSA certificates with openssl-0.9.6 and JDK1.3
> can't seem to read them. No matter what I do I get this:
>
> ./certTest
> Exception in thread "main" java.security.spec.InvalidKeySpecException:
> Inappropriate key specification: invalid key format
>         at sun.security.provider.DSAKeyFactory.engineGeneratePublic(DSAKeyFactory.java:70)
>         at java.security.KeyFactory.generatePublic(KeyFactory.java:186)
>         at com.tfn.autex.analysis.security.CertTest.main(CertTest.java:39)
>
> To generate my DSA key I do:
>
> > openssl dsaparam -inform PEM -outform PEM -rand random-bits -out dsaparam.out 1024
> > openssl gendsa -out ca.key -rand random-bits dsaparam.out
> > openssl req -new -x509 -days 3650 -config $CONFIG -key ca.key -out ca.crt
>
> The resulting ca.crt just isn't understood by java.
> I can make this work perfectly: just cut all the text that openssl
> placed above the "-BEGIN CER..." line.
>
> Should I be calling different Java libraries? Why can't the default
> JDK1.3 java.security.cert.* classes handle the "stuff?" that openssl
> places at the beginning of an X.509 certificate?
>

Eh? That command shouldn't put anything before the BEGIN line. Other
commands can place some info before that line but it's only informational.
The certificate is the stuff between the BEGIN and END lines so anything
else isn't necessary. It's quite possible that some libraries won't
tolerate this.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Does -des3 do RSA
Osama Al-Dosary wrote:
>
> Thank you for the reply.
>
> But can an attacker decrypt the output without the corresponding private
> key?
>

Realistically, no. They need the private key to decrypt the 3DES key and
they need the 3DES key to decrypt the encrypted content.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Java can't read an unmodified OpenSSL X.509 certificate?
Hello,

I've generated DSA and RSA certificates with openssl-0.9.6 and JDK1.3 can't
seem to read them. No matter what I do I get this:

./certTest
Exception in thread "main" java.security.spec.InvalidKeySpecException: Inappropriate key specification: invalid key format
        at sun.security.provider.DSAKeyFactory.engineGeneratePublic(DSAKeyFactory.java:70)
        at java.security.KeyFactory.generatePublic(KeyFactory.java:186)
        at com.tfn.autex.analysis.security.CertTest.main(CertTest.java:39)

To generate my DSA key I do:

> openssl dsaparam -inform PEM -outform PEM -rand random-bits -out dsaparam.out 1024
> openssl gendsa -out ca.key -rand random-bits dsaparam.out
> openssl req -new -x509 -days 3650 -config $CONFIG -key ca.key -out ca.crt

The resulting ca.crt just isn't understood by java.
I can make this work perfectly: just cut all the text that openssl placed
above the "-BEGIN CER..." line.

Should I be calling different Java libraries? Why can't the default JDK1.3
java.security.cert.* classes handle the "stuff?" that openssl places at the
beginning of an X.509 certificate?

Thanks.
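Two threads in this digest come down to reading PEM files carefully: the check Lutz describes in the imap-2000 thread (openssl rsa -in privkey.pem -text, which either lists the key or asks for the passphrase that protects it), and the JDK1.3 failure above, where informational text that some openssl commands print before the BEGIN line is rejected by a parser that expects bare armour. The following is an added example, not code from any poster and not OpenSSL or JDK code; the functions parse_pem, strip_to_pem and key_needs_passphrase and all sample data are mine. It pulls out only the armoured block(s) between the BEGIN and END markers, which is exactly what Steve says the certificate consists of, and reads the RFC 1421 headers (Proc-Type: 4,ENCRYPTED plus DEK-Info) that a passphrase-protected legacy OpenSSL key carries, so you can tell whether a key needs a passphrase without being prompted. The certificate dump text and the key and certificate payloads are constructed placeholders, not real ASN.1 and not real credentials.

```python
from __future__ import annotations

import base64
import re
import textwrap
from dataclasses import dataclass

# One PEM armour block: the label on the BEGIN line must match the END line.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


@dataclass
class PemBlock:
    label: str    # e.g. "CERTIFICATE", "RSA PRIVATE KEY"
    headers: dict  # RFC 1421 headers such as Proc-Type / DEK-Info, if any
    der: bytes    # decoded payload

    def is_encrypted(self) -> bool:
        """True when the block needs a passphrase before it can be used.

        Legacy OpenSSL keys mark this with "Proc-Type: 4,ENCRYPTED" plus a
        DEK-Info header; PKCS#8 marks it with the block label instead.
        """
        proc_type = self.headers.get("Proc-Type", "")
        return proc_type.endswith("ENCRYPTED") or self.label == "ENCRYPTED PRIVATE KEY"


def parse_pem(text: str) -> list[PemBlock]:
    """Return every armoured block in `text`, ignoring anything outside the
    BEGIN/END markers (such as the textual dump `openssl x509 -text` prints)."""
    blocks: list[PemBlock] = []
    for match in PEM_BLOCK_RE.finditer(text):
        lines = match.group("body").splitlines()
        headers: dict[str, str] = {}
        i = 0
        # Header lines contain a colon; base64 never does, so this loop stops
        # at the blank separator line or at the first payload line.
        while i < len(lines) and ":" in lines[i]:
            key, _, value = lines[i].partition(":")
            headers[key.strip()] = value.strip()
            i += 1
        payload = "".join(line.strip() for line in lines[i:])
        der = base64.b64decode(payload, validate=True)  # reject stray text
        blocks.append(PemBlock(match.group("label"), headers, der))
    return blocks


def strip_to_pem(text: str) -> str:
    """Keep only the armour: the fix Mark applied by hand in the thread."""
    return "\n".join(m.group(0) for m in PEM_BLOCK_RE.finditer(text)) + "\n"


def key_needs_passphrase(pem_text: str) -> bool:
    """Answer Lutz's question from the headers alone, with no prompt."""
    return any(b.is_encrypted() for b in parse_pem(pem_text) if "PRIVATE KEY" in b.label)


def _armour(label: str, der: bytes, headers: str = "") -> str:
    """Build a PEM block the way OpenSSL writes one (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


# Constructed placeholders: real files would hold DER-encoded ASN.1.
FAKE_CERT_DER = b"constructed placeholder, not a real certificate"
FAKE_KEY_DER = b"constructed placeholder, not a real private key"

# A certificate file with an informational dump before the armour.
CERT_WITH_TEXT_DUMP = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "        Subject: CN=example-ca (constructed)\n"
    + _armour("CERTIFICATE", FAKE_CERT_DER)
)

# A legacy passphrase-protected OpenSSL key carries these two headers.
ENCRYPTED_KEY_PEM = _armour(
    "RSA PRIVATE KEY", FAKE_KEY_DER,
    headers="Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n",
)
PLAIN_KEY_PEM = _armour("RSA PRIVATE KEY", FAKE_KEY_DER)


if __name__ == "__main__":
    for block in parse_pem(CERT_WITH_TEXT_DUMP):
        print(block.label, len(block.der), "bytes, encrypted:", block.is_encrypted())
    print("encrypted key needs passphrase:", key_needs_passphrase(ENCRYPTED_KEY_PEM))
    print("plain key needs passphrase:", key_needs_passphrase(PLAIN_KEY_PEM))
```

strip_to_pem(open("ca.crt").read()) produces the file Mark ended up with by hand; the strict base64 decode in parse_pem is deliberate, so that text leaking into the body fails loudly instead of yielding a subtly wrong certificate.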
Error at the installation
hi,

I tried to install openssl-0.9.6 on solaris 2.6.

I modified the file config to put a line PERL="/usr/local/bin/perl" (perl is
my executable file). And I modified the file Configure at the line
$perl="/usr/local/bin/perl";

With that modification I can run ./config without error and run make without
error. But when I run make test I received:

test BN_exp
running bc
sh: perl: not found
*** Error code 1
make: Fatal error: Command failed for target `test_bn'
Current working directory /export/home/scripts/autosign/openssl/openssl-0.9.6/test
*** Error code 1
make: Fatal error: Command failed for target `tests'

Could you help me.

Thanks
Côme Chaput, ing.
VPN Tech inc.
Right Shift test failed on IRIX
I have tried compiling the OpenSSL on IRIX 6.5.9 as well as Linux. It worked
fine on Linux but on IRIX I get lots of warnings of the "variable not used"
variety. In addition, when I run the "make test" command it fails at this
point:

test BN_rshift
Right shift test failed!
*** Error code 1
*** Error code 1

Does anyone have any suggestions?

~
Kevin B. Walker
Systems Engineering Simulator
pager = (281) 527 - 2150
office = (281) 244 - 5012
[EMAIL PROTECTED]
~.
Re: Does -des3 do RSA
Thank you for the reply.

But can an attacker decrypt the output without the corresponding private
key?

Thank you,
-Osama

On Thu, 30 Nov 2000, Dr S N Henson wrote:

> Osama Al-Dosary wrote:
> >
> > Hello,
> >
> > I'd like to encrypt a message. But I want the encryption to be
> > Public-key.
> >
> > Does this do the trick?
> >
> > "openssl smime -encrypt -in signedFile.msg \
> > -out encryptedFile.msg \
> > -des3 recipientCert.pem"
> >
> > I was figuring that since the certificate had the Public-key, openssl
> > generates a key for des3. Then it encrypts the message with that des3 key,
> > and encrypts the des3 key with the Public-key using RSA.
> >
> > Is this the case?
> >
>
> Yes. It packages the lot up in a PKCS#7 signedData structure and outputs
> the result in MIME format.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Net::SSLeay - Openssl make test - 5 test failed
How do you know that your OpenSSL installation was successful?

-blue0ne
http://www.digitz.org

On Mon, 4 Dec 2000, Volker Duerr wrote:

> Hi everybody,
> I have got a problem with openssl and the Perl module Net::SSLeay. After
> installing openssl (installation seemed o.k), I tried to install
> Net::SSLeay, but the make test failed. I am running a i686 linux,
> kernel-2.2.16, gcc 2.95.2, perl 5.005_03 and glibc-2.1. I tried a
> installation with Net::SSLeay 1.04 and 0.9.3a and 1.05 and 0.9.5a. Later
> I changed Net::SSLeay and openssl.
>
> Make test generates always the following errors:
> Spawning a test server port 1212, pid=6478
> Your vendor hast not defined SSLeay macro sslcat at examples/sslcat.pl
> line 14
> ***not ok 3
>
> Your vendor has not defined SSLeay macro randomize at
> examples/minicli.pl line 8
> ***not ok 4
>
> connect: Connection refused (Verbindungsaufbau abgelehnt) at
> examples/callback line 28
> ***not ok 5
>
> Sending 1 MB over localhost, may take a while (and some VM)
> connect: connection refused at example/bulk.pl line 18
> *** not ok 6
>
> Sending 1 MB over pipes, may take a while
> Your vendor has not defined SSLeay macro set_server_and_key at
> examples/stdio_bulk.pl line 16
> **not ok 7
>
> I don't know what I have to do to avoid these errors. I would appreciate
> any hint or information to solve these problems.
problem passing cert info to DLL
Hi,

I'm trying to write my first application with openssl and I am stuck on what
must be a simple problem. I have a certificate in memory and can use the
following code to access it.

#include <stdio.h>
#include <openssl/x509.h>
#include <openssl/err.h>

X509 *cert = NULL;
X509_NAME *name = NULL;
/* d2i_X509() advances the pointer it is handed past the bytes it consumed,
   so decode through a copy rather than through the structure's own b_data
   pointer; otherwise a later decode of the same structure (for instance
   inside the DLL) starts past the end of the certificate and returns NULL. */
unsigned char *p = (unsigned char *)vtrCertsStatus[0].cs_entityCert.b_data;

SSLeay_add_all_algorithms();
ERR_load_crypto_strings();

cert = d2i_X509(NULL, &p, (long)vtrCertsStatus[0].cs_entityCert.b_size);
if (cert == NULL)
    ERR_print_errors_fp(stderr);   /* report why the DER decode failed */

X509_free(cert);

However when I pass the vtrCertsStatus structure to a DLL and try to perform
the above, cert is always = NULL. Should I be using some other function
instead of the d2i_X509 if passing between programs/DLL?

Any help much appreciated.

/colin
Re: Alternative solutions to OpenSSL & 40 bit keys
On Mon, 4 Dec 2000 [EMAIL PROTECTED] wrote:

> A developer among our team has informed us that OpenSSL
> cannot generate 40 bit keys (48 bit is the bare minimum).
> Is this true?

Which algorithm exactly do you mean? An example: freeswan (.org) chose to
drop support for the weak cipher (DES) completely, at the price of breaking
specifications.

> We need a good library for SSL communications under VC6.

OpenSSL is good enough to build applications featuring strong protocols and
ciphers, if the team mentioned is interested exactly in this instead of VC6
as the primary goal.

> I haven't spent too much time with OpenSSL myself but from
> the looks of it, the documentation is poor. I don't want to bother
> wasting my time trying to gather the information that I (and the
> rest of our team) needs. Our company has no objection in
> purchasing something that will ease our development.

Using 40-bit keys for major symmetric algorithms is exactly a waste of time
and fooling customers.

> Would any among you recommend a suitable alternative to OpenSSL
> and state the reasons why the recommendation.
> Would any among you say that OpenSSL is the best solution
> (if the statement on my first line above is not true).

40 bits for RSA is nonsense.

> Many thanks,
>
> Angelo

please think twice,
Vadim
Alternative solutions to OpenSSL & 40 bit keys
A developer among our team has informed us that OpenSSL cannot generate 40
bit keys (48 bit is the bare minimum). Is this true?

We need a good library for SSL communications under VC6.

I haven't spent too much time with OpenSSL myself but from the looks of it,
the documentation is poor. I don't want to bother wasting my time trying to
gather the information that I (and the rest of our team) need. Our company
has no objection to purchasing something that will ease our development.

Would any among you recommend a suitable alternative to OpenSSL and state
the reasons for the recommendation? Would any among you say that OpenSSL is
the best solution (if the statement on my first line above is not true)?

Many thanks,

Angelo