Re: Looking for ASN.1 specification for PKCS7
download the pkcs7 documentation. also, look in the PKIX documentation. when we did the early IPsec work we found there were some missing pieces, I believe RSA eventually published all of it somewhere.

At 11:56 AM 1/12/01 -0800, John Gebbie wrote:
>Hello,
>
>I'm trying to locate a *complete* ASN.1 specification for PKCS7. The RSA
>website has posted a file called pkcs7.asn that is incomplete (many of the
>ASN.1 objects are left blank). Our goal is to use the cryptix library in
>our software, but to use the PKCS7 data structures we need to generate those
>classes from the ASN.1 specification using an ASN.1 compiler supplied by
>cryptix. Any ideas???

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
overflow caused by memcpy()
Dec 29 00:52:41 libsafe.so[16322]: detected an attempt to write across stack boundary.
Dec 29 00:52:41 libsafe.so[16322]: terminating /home/jamesb/src/openssl-0.9.6/apps/openssl
Dec 29 00:52:41 libsafe.so[16322]: overflow caused by memcpy()

Has anyone who has gotten this problem been able to overcome it? I have attempted to build 0.9.6 on Mandrake 7.2, but it fails with 'make test'.

-dave
Re: netscape/iplanet server certificate and root with openssl
Rodney Thayer wrote:
>
> I want to create a root certificate and a server certificate
> with openssl. These will be used with iPlanet Web Server 4.1
>
> I created the root, using CA.pl. I then created a certificate
> request with the web server, signed and installed the root
> and the server certificate.
>
> This doesn't work. The web server refuses to start. I see these
> problems:
>
> in the log it claims there is a missing attribute field in the server
> cert (errors.log for the web server)
>
> in the certificate management area of the web server the root shows up as a
> 'client root', whatever that means.
>
> So what fields must be set in a root? I might be missing some.
> What fields must be set in a server certificate?
>
> I tried looking in the email archives but none of the searchable
> archives helped much looking for this. Pardon me if this has been
> answered before. Note: there's no "download the archive as one
> big slab of text" archive, so I couldn't do extreme search techniques...
>

This sounds like a Netscape error and it doesn't like something about the server cert. Perhaps a field is present in the request and not in the server cert and it checks for that?

The 'ca' program, which is what does the signing with CA.pl, silently deletes any fields not present in the relevant policy section of the configuration file. You can try messing around with that or using the preserve option to keep all the fields (see the ca manual page).

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Using embedded certificates
Greg Stark wrote:
>
> I want my SSL client to load its trusted root certificates from memory, not
> from a file. Ideally, I'd like an equivalent to
>
> SSL_CTX_load_verify_locations( ctx, FileName, NULL)
>
> but instead of FileName takes something like a STACK_OF(X509) or whatever. I
> don't have any problem getting the certs into memory, it is getting them
> into the right spots in the SSL_CTX that I am having trouble with. I traced
> through the SSL_CTX_load_verify_locations() code a little ways and
> immediately was confronted with X509_LOOKUP methods and other
> horrors. I found some possibly relevant bits of code in verify.c, but
> perhaps someone has already solved this problem.
>

Try extracting the X509_STORE structure from the SSL_CTX using SSL_CTX_get_cert_store(), then add certificates using X509_STORE_add_cert().

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Using embedded certificates
I want my SSL client to load its trusted root certificates from memory, not from a file. Ideally, I'd like an equivalent to

SSL_CTX_load_verify_locations( ctx, FileName, NULL)

but instead of FileName takes something like a STACK_OF(X509) or whatever. I don't have any problem getting the certs into memory, it is getting them into the right spots in the SSL_CTX that I am having trouble with. I traced through the SSL_CTX_load_verify_locations() code a little ways and immediately was confronted with X509_LOOKUP methods and other horrors. I found some possibly relevant bits of code in verify.c, but perhaps someone has already solved this problem.

Greg Stark, [EMAIL PROTECTED]
Ethentica, Inc. www.ethentica.com
Re: localhost certificate (no, really!)
the host name would not resolve uniquely. the host name wouldn't represent the business. other parts of the DN (state, organization, etc.) would be unique, but the common name wouldn't. IMO your application should be able to handle multiple hosts, or not care what host if it's the security of the SSL connection.

At 05:39 PM 1/12/01 +, Andrew Cooke wrote:
>Hi,
>
>Is it possible to buy a "localhost" certificate from any of the major
>suppliers? Is there any reason why it wouldn't work?
>
>(It's for an application that will run on arbitrary machines that needs
>a web browser to make a local connection as part of a sequence of secure
>connections - supplying a certificate will stop any security warning
>from the browser telling the user that they are insecure...)
>
>Thanks,
>Andrew
netscape/iplanet server certificate and root with openssl
I want to create a root certificate and a server certificate with openssl. These will be used with iPlanet Web Server 4.1

I created the root, using CA.pl. I then created a certificate request with the web server, signed and installed the root and the server certificate.

This doesn't work. The web server refuses to start. I see these problems:

in the log it claims there is a missing attribute field in the server cert (errors.log for the web server)

in the certificate management area of the web server the root shows up as a 'client root', whatever that means.

So what fields must be set in a root? I might be missing some. What fields must be set in a server certificate?

I tried looking in the email archives but none of the searchable archives helped much looking for this. Pardon me if this has been answered before. Note: there's no "download the archive as one big slab of text" archive, so I couldn't do extreme search techniques...
how create certificate without header?
Hello openssl-users,

i want to create certificates without the text headers, so that there is only a

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

without the certificate information like this:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 4 (0x4)
        Signature Algorithm: md5WithRSAEncryption

Is there any parameter with the openssl command for it? Sorry for my question, I am new with this topic.

--
Boris
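The human-readable "Certificate: Data: ..." dump in front of the PEM block is what `openssl x509 -text` adds; running `openssl x509 -in cert.pem -out clean.pem` without `-text` writes only the BEGIN/END block. The script below is an added example, not code from the thread or from OpenSSL: it strips the text dump from an existing file programmatically and, because a pasted certificate is often truncated or mangled along the way, checks that the remaining base64 body decodes to one complete outer DER SEQUENCE before the file is handed to anything that trusts it. The sample input is constructed; its base64 body is a five-byte placeholder DER structure, not a real certificate.

```python
import base64
import re

# Constructed sample in the shape "openssl x509 -text" produces: a text
# dump followed by the PEM block. The body "MAMCAQU=" is a placeholder
# DER SEQUENCE { INTEGER 5 }, not a real certificate (assumption for the example).
SAMPLE_CERT_TEXT = """Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 4 (0x4)
        Signature Algorithm: md5WithRSAEncryption
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

# One PEM block: BEGIN line, body, matching END line (label must match).
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def extract_pem_blocks(text, label="CERTIFICATE"):
    """Return every PEM block with the given label as a clean string,
    re-wrapped to 64 columns, with all surrounding text dropped."""
    blocks = []
    for m in PEM_BLOCK_RE.finditer(text):
        if m.group(1) != label:
            continue  # e.g. a PRIVATE KEY block that should not end up in a cert file
        body = "".join(m.group(2).split())  # remove line breaks and stray whitespace
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        blocks.append(f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n")
    return blocks


def pem_body_to_der(block):
    """Decode the base64 between the BEGIN and END lines; strict decoding
    so a corrupted paste fails loudly instead of silently yielding garbage."""
    lines = block.strip().splitlines()
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def der_sequence_ok(der):
    """A certificate is one outer DER SEQUENCE (tag 0x30) whose encoded
    length must account for every byte. Detects truncated or padded bodies."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long form: 0x80 | number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    return hdr + length == len(der)


def strip_text_headers(text):
    """Keep only CERTIFICATE blocks whose body is a complete DER SEQUENCE;
    raise on anything that is not, rather than writing a broken file."""
    out = []
    for block in extract_pem_blocks(text):
        if not der_sequence_ok(pem_body_to_der(block)):
            raise ValueError("PEM body is not a complete DER SEQUENCE")
        out.append(block)
    return "".join(out)


if __name__ == "__main__":
    print(strip_text_headers(SAMPLE_CERT_TEXT), end="")
```

OpenSSL's own PEM reader skips anything before the BEGIN line, so the text dump is harmless to OpenSSL itself; the reason to strip it is other tools and the DER sanity check, which is where a truncated copy-and-paste actually shows up.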
Re: -verify option for s_client
On Fri, Jan 12, 2001 at 02:19:09PM -0800, Auteria Wally Winzer Jr. wrote:
> Can someone provide an example of the -verify depth option
> for s_client. I'm trying to verify the cert/key and don't know
> what arg for the depth to use. This is what I have so far:
>
> openssl s_client -connect localhost:993 -verify

Use a depth that is longer than the longest chain you are expecting. In the real world I have already met chains with a length of 4, so to be safe choose "9". There is no security or other risk in choosing a high number.

Best,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: -verify option for s_client
The depth should be greater than or equal to the depth of the CA chain, i.e. if you have:

Certificate
Intermediate CA 1
Intermediate CA 2
Root CA

... you need a depth of 4. More specifically, if the Root CA is not found within your verify depth, then the verification will fail. There was a more extensive discussion of this issue recently, so just check out the archive.

G.

"Auteria Wally Winzer Jr." <[EMAIL PROTECTED]> on 12/01/2001 22:19:09
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: George Shaw/EMEA/Viewlocity)
Subject: -verify option for s_client

Can someone provide an example of the -verify depth option for s_client. I'm trying to verify the cert/key and don't know what arg for the depth to use. This is what I have so far:

openssl s_client -connect localhost:993 -verify

Thanks.
- Wally Winzer Jr.
Re: PKCS12
On Fri, Jan 12, 2001 at 04:08:31PM -0800, Auteria Wally Winzer Jr. wrote:
> Can someone on this list provide instructions
> on converting a cert (i.e. myfoobar.pem) into
> PKCS12 format? This is necessary in order
> to import keys within Netscape.

http://www.drh-consultancy.demon.co.uk/pkcs12faq.html

I personally do it with:

  serv01 23: cat make_p12
  openssl pkcs12 -export -in newcert.pem -inkey newkey.pem \
    -certfile /usr/local/Host/localhost/ssl/certs/AET-CA.pem \
    -name "$1" -out newcert.p12

(The path to your CA certificates may vary.) Then

  make_p12 "Name of Person"

Do not forget the "Name of Person", because otherwise Netscape will offer you a certificate without a name, so you cannot grab it from the list or delete it!

Best,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153