Re: Certificate renewal
Thanks So I need to keep request files as I keep cert files... I think renewal is interesting because we don't think the validity period of certs is determined by their weakness but by an internal policy of users and CRL management. In an organisation delivering certificates to its members, we don't know how long they will stay there and so can't deliver long-time certs. So the renewal has some long-term benefits for users (e.g when using secure mail). Regards. Maxime Maxime Dubois wrote: I generate user certificates with IE and Netscape by using Xenroll dll and Keygen, I want to know if I can renew a certificate: revoke the old one but generate a new certificate for the SAME key pair. If you store the certificate requests (SPKAC in case of Netscape Navigator or PKCS#10 in case of M$ IE) you can issue new certificates for the same key pair later. But think again if certificate renewals make sense. It depends on your security considerations. Ciao, Michael. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Certificate renewal
Maxime Dubois wrote: So I need to keep request files as I keep cert files... Maybe you can also try to generate a new request from an expired cert. openssl x509 -x509toreq I think renewal is interesting because [...] It's always a matter of your local policy. Ciao, Michael. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: HP-UX Apache+Mod_SSL+OpenSSL Installation Error
On Fri, Jan 26, 2001 at 05:58:28PM -, Martin S. Marshall wrote: ./apachectl sslstart /usr/lib/dld.sl: Unresolved symbol: __eprintf (code) from /usr/local/ssl/lib/libcrypto.sl.0.9.7 /usr/lib/dld.sl: Unresolved symbol: __umoddi3 (code) from /usr/local/ssl/lib/libcrypto.sl.0.9.7 Syntax error on line 210 of /common/apache/conf/httpd.conf: Cannot load /common/apache/libexec/libssl.so into server: Unresolved external ./apachectl sslstart: httpd could not be started Hardware Operating system: HP-UX 11.00 Server: HP A-Class A500 Compiler: gcc-2.95.2 Software Apache: apache-1.3.14 OpenSSL: openssl-0.9.6 Mod_SSL: mod_ssl-2.7.1-1.3.14 I don't know what is causing your problem. From what it seems, your setup is as follows: - you have openssl 0.9.7 in /usr/local/ssl/lib, even though you write you would have 0.9.6. 0.9.7 is a development version that i would not recommend for daily use (even though this is probably not the reason of your problem). - the messages displayed __eprintf() and especially __umoddi3 indicate that your version of OpenSSL was compiled with gcc and must be linked against libgcc. My first idea would be, that you are using HPs cc for the final build of apache, you however write that you are already using gcc, so this should not apply, as gcc should link against libgcc.a automatically. Please let me recommend you to use openssl 0.9.6. You might also consider compiling OpenSSL with HP's compiler, so that you are not forced to deal with libgcc when building applications. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL Error: expecting an asn1 sequence
Hi OpenSSL Users, After replacing the self-signed certificate by a real Verisign certificate I get the following error message in ssl_engine_log: [29/Jan/2001 10:30:46 05379] [error] Init: Unable to read server certificate frm file /usr/local/apache_t3.1/conf/ssl.crt/server.crt (OpenSSL library error follows) [29/Jan/2001 10:30:46 05379] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence Used packages are: Apache 1.3.12 OpenSSL 0.9.5a mod_ssl 2.6.6.-1.3.12 Operating System is Linux RH6.1 Thank you for your help in advance best regards, Markus __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Need Help with DES !
Hi, The first 8 bytes of my decrypted ciphertext are garbage. The rest is OK. I encrypt 12220 bytes in one pass with des_ede3_cbc_encrypt(...) Are the any prerequisites which are necessary for encrypting/decrypting with DES ? Thanks, Niels __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Solved problem with EVP_Sign
Just to say I've at last found the problem in my signing implementation. I was using EVP_MAX_MD_SIZE as limit for my signature array, and that was of course completely wrong; I see now I should have used EVP_PKEY_size(pkey) instead. Pedro. -- Pedro Miller Rabinovitch Gerente Geral de Tecnologia Cipher Technology www.cipher.com.br __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Need Help with DES !
Hi, your problem is that you are decrypting with a different initialization vector than the one you are encrypting with. Before decryption, you must set the ivec to the same value it had before encryption. The relevant parameter of des_ede3_cbc_encrypt() for this is "des_cblock *ivec". Try for example this: des_cblock ivec; memset((void *)ivec,0,8); des_ede3_cbc_encrypt(...,(des_cblock *)ivec,...) for encryption AND decryption. Then it should work. People smarter than me generally recommend however that you use a different value of ivec for each pair of encryption/decryption operation (e.g. timestamp or something random)- that's what it is there for: to make the result of different encryption operations look different, even if the same plaintext is encrypted with the same keys. Remember though that you will need the value for decryption. Hope this helps, Steve [EMAIL PROTECTED] wrote: Hi, The first 8 bytes of my decrypted ciphertext are garbage. The rest is OK. I encrypt 12220 bytes in one pass with des_ede3_cbc_encrypt(...) Are the any prerequisites which are necessary for encrypting/decrypting with DES ? Thanks, Niels __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Need Help with DES !
[EMAIL PROTECTED] wrote: Hi, The first 8 bytes of my decrypted ciphertext are garbage. The rest is OK. I encrypt 12220 bytes in one pass with des_ede3_cbc_encrypt(...) Are the any prerequisites which are necessary for encrypting/decrypting with DES ? Use of des_ede3_cbc_encrypt() is not advisable unless you have a good reason for doing so. You should use EVP_Encrypt*() and EVP_Decrypt*(). Anyway your problem looks like IV trouble. When you start encrypting you should supply a random IV parameter, it contains one block (8 bytes for 3DES) of data. When you decrypt you have to supply the *same* IV. If you don't then the first block is corrupted in CBC mode. The IV data is not sensitive and some protocols (such as S/MIME) include a plain text copy of the IV in the relevant encoded structure. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Intermediate CA Revocation?
1. How can I revoke an intermediate CA? Is It Possible? Yes it is possible. Just have the parent CA issue a CRL that includes the intermediate. 2. Is there a list/index of all the sub-CAs signed by a root CA? No. Not unless the CA makes a special effort to do this, such as by publishing everything in a directory. /r$ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
ssl_library_init();
Hi, This function is used to set the cipher suites and in my client and server test which does both TLSv1 and SSLv3 it always picks DES-CBC3-SHA. Is this the best chiper suite avialable? If i was to pick another would it be through the use of SSL_set_cipher_list(SSL *,const char *);? As always help is appriciated. StOo ___ FSmail - Get your free web-based email from Freeserve: www.fsmail.net __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Intermediate CA Revocation?
Hello and thanks for your help, 1. How can I revoke an intermediate CA? Is It Possible? Yes it is possible. Just have the parent CA issue a CRL that includes the intermediate. Do you mean that the parent CA's CRL must include the intermediate CA's CRL? I'm not sure I really understand your answer. Perhaps the question was not clear. What I wanted to know is: How does a root CA say it does not trust anymore a sub-CA it has signed before? Is it what you suggested? Regards Maxime. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Openssl on Win32 (help!)
- Original Message - From: "Kenneth R. Robinette" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, January 27, 2001 1:32 AM Subject: Re: Openssl on Win32 (help!) From: stuart hodgkinson [EMAIL PROTECTED] Subject:Re: Openssl on Win32 (help!) To: [EMAIL PROTECTED] Date sent: Fri, 26 Jan 2001 23:11:35 + (GMT+00:00) Send reply to: [EMAIL PROTECTED] Stuart I think you are trying a little to hard. And, although the documentation is not the best, you do have to at least try to read it. As for examples, the entire apps directory can be used as examples. You even have a complete server and complete client as well as openssl which uses a large majority of the functions. Have you even tried running openssl with s_server and s_client? On the winsock issue, why should you care. If you use the normal OpenSSL functions you have no need for socket calls. Perhaps I don't understand what you mean by examples. Ken Finally i have compilled s_client.c into a visual c++ project named SSLClient. It is attached here. But... it seems doesn't work at all. Why? In the debug mode BIO_printf() function cause a ntdll.dll memory exception: "Unhandled exception in SSLCliet.exe (NTDLL.DLL): 0x005: Access Violation" . The bio_err extern pointer seems to be incorrect. Can anyone help me? I am using a openssl dlls compiled by me on a nt 4 workstation sp6. SSLClient.zip
Re: Intermediate CA Revocation?
Maxime Dubois wrote: What I wanted to know is: How does a root CA say it does not trust anymore a sub-CA it has signed before? By revoking the certificate of the sub CA. Revoking means putting it into the root CA's CRL. Ciao, Michael. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
about pkcs#7 available development libraries
Hello, I am trying to develop a security module for signing (pkcs#7 format) Adobe PDF files as a plug-in. Moreover I would need to access some of the security functions using a COM interface. Can I easily do this work using OpenSsl? How? Do you know of any other security package that I can use? Preferably freeware if possible? Thanks, Ald Brenma Do You Yahoo!? Get your free @yahoo.co.uk address at http://mail.yahoo.co.uk or your free @yahoo.ie address at http://mail.yahoo.ie __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: ssl_library_init();
It is a very secure cipher suite. You might also want to examine RC4-SHA and RC4-MD5 because they are much faster. Other ciphersuites that offer excellent security include DES-CBC3-MD5 IDEA-CBC-SHA RC4-SHA RC4-MD5 IDEA-CBC-MD5 RC2-CBC-MD5 You can specify which ciphers your client wants to negotiate by the function you mentioned and playing arounf with the openssl ciphers command. For example, try SSL_set_cipher_list( ..., "RC4-SHA:RC4-MD5"); and see what happens. I take NO responsibilty for any comments or opinions on legal issues that may be present in this e-mail. I am not a lawyer, so you don't rely on anything I write. Stop reading now. I mean it, stop NOW. BEGIN LEGAL COMMENTS idea is patented in various places and offers no advantages so I would avoid it. RC2 and RC4 are trademarks of RSA Security Inc., so while it should be OK to use the algorithms you must obey trademark law (in the U.S. at any rate) if you use their trademarks. I have seen folks try to refer to the algorithm as ARCFOUR in an attempt to evade trademark issues, but I don't know if that really works. END LEGAL COMMENTS _ Greg Stark Ethentica, Inc. [EMAIL PROTECTED] _ - Original Message - From: "stuart hodgkinson" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, January 29, 2001 9:56 AM Subject: ssl_library_init(); Hi, This function is used to set the cipher suites and in my client and server test which does both TLSv1 and SSLv3 it always picks DES-CBC3-SHA. Is this the best chiper suite avialable? If i was to pick another would it be through the use of SSL_set_cipher_list(SSL *,const char *);? As always help is appriciated. StOo ___ FSmail - Get your free web-based email from Freeserve: www.fsmail.net __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
renegotiation question
OK, I understand how V2 backwards compatibility works - clients send a V2-style ClientHello with a version of 3.0 or 3.1. (It's a seriously ugly aberration, too, but let's not go there right now.) I saw in Appendix E that "Requests to resume an SSL 3.0 session should use an SSL 3.0 client hello." But I looked over the 3.0 spec and also RFC2246 and I didn't see anything about V2 compatibility mode for renegotiations (or re-handshakes, as Eric calls them in his book). I would assume that once the original negotiation established that the client and server are using SSL V3 or TLS V1, that the client would no longer send out V2-style ClientHello messages, therefore on renegotiation it would use a V3 or newer ClientHello message format This assumption is grounded on the quote above from Appendix E, even though it speaks only to resuming a session, not to renegotiating. But I try not to assume, so I was wondering if anybody knows for certain. Tom Biggs __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSL works on LAN computer but not on a remote computer?
Hello, I am running Linux RedHat 7.0 with apache and openssl. I use a cable modem/router configuration, so I have my router set up to distribute out IPs and to forward all port 80 and port 443 requests to my Linux box. When I am on the LAN I use the 192.168.1.101 address to talk to the web server, when I am off the LAN, I use the router IP to talk to the web server. When I use a computer on my LAN to talk to my web server, I get a warning window that says the name on the certificate does not match the name on the site, I select ok and it lets me into the web page. When I use a remote computer, which is not on the LAN, I get the same error, but then the page does not display? Any ideas? Also, I can see the pages if I just use http for local and remote. Where do I specify the NAME of the site? Is that the domain name, the title of the page? Thanks ~Shea~ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Openssl on Win32 (help!)
From: "lucian" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:Re: Openssl on Win32 (help!) Date sent: Mon, 29 Jan 2001 17:49:54 +0200 Send reply to: [EMAIL PROTECTED] Take a look at the .bat file you used when you compiled the OpenSSL .dll's. You must use the same options in VC 6.0 when you compile within your project. The most common problem is the type of executable you are creating in VC, multithreaded dll, etc. Ken - Original Message - From: "Kenneth R. Robinette" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, January 27, 2001 1:32 AM Subject: Re: Openssl on Win32 (help!) From: stuart hodgkinson [EMAIL PROTECTED] Subject:Re: Openssl on Win32 (help!) To: [EMAIL PROTECTED] Date sent: Fri, 26 Jan 2001 23:11:35 + (GMT+00:00) Send reply to: [EMAIL PROTECTED] Stuart I think you are trying a little to hard. And, although the documentation is not the best, you do have to at least try to read it. As for examples, the entire apps directory can be used as examples. You even have a complete server and complete client as well as openssl which uses a large majority of the functions. Have you even tried running openssl with s_server and s_client? On the winsock issue, why should you care. If you use the normal OpenSSL functions you have no need for socket calls. Perhaps I don't understand what you mean by examples. Ken Finally i have compilled s_client.c into a visual c++ project named SSLClient. It is attached here. But... it seems doesn't work at all. Why? In the debug mode BIO_printf() function cause a ntdll.dll memory exception: "Unhandled exception in SSLCliet.exe (NTDLL.DLL): 0x005: Access Violation" . The bio_err extern pointer seems to be incorrect. Can anyone help me? I am using a openssl dlls compiled by me on a nt 4 workstation sp6. __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]