Re: Compiling OpenSSH w/OpenSSL & KerberosIV

2001-02-07 Thread Richard Levitte - VMS Whacker

From: "Kenneth R. Robinette" <[EMAIL PROTECTED]>

That was a serious case of not reading the subject line, wouldn't you
say, Ken?

Matt, could you show us a log of your attempt to compile OpenSSH, so
we may see what's actually going wrong?

support> How are you getting the Kerberos headers in the OpenSSL build?  
support> What version of openssl are you trying to compile, the production 
support> version or one of the snapshots with the new kerberos stuff?
support> 
support> Ken
support> 
support> OpenSSL Folks (sorry about crosspost),
support> 
support> It seems that the des.h header in OpenSSL is incompatible with my MIT
support> kerberos des.h, at least on Linux.  I'm seeing various conflicting types
support> (bit_64, des_key_sched, &c).
support> 
support> I'm using a VALinux/Redhat 7 system with KerbIV and KerbV libraries
support> installed, using the des.h in /usr/kerberos/include/kerberosIV.
support> 
support> I was wondering if anyone on the list had looked into the problem, and had
support> an idea how difficult it should be to resolve it.
support> 
support> What is the likely direction these headers should be taken?  Which library
support> should change?  Is there any plausible way to isolate them?
support> 
support> 
support> Matt

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



MSIE-5 can't connect to a secured server, but Netscape-4.x can

2001-02-07 Thread maxi_hui

Hello,

I am indeed using Apache 1.3.12 with openssl 0.9.6.  Here I summarize what I did
after the compilation of Apache with openssl :

(1) Generate CA's certificate :
# CA.pl -newca
Making CA certificate ...
Using configuration from /usr/local/openssl/openssl.cnf
Generating a 1024 bit RSA private key
++
.++
writing new private key to './demoCA/private/cakey.pem'
-
..

(2)Generate a private key/certificate request pair :
# openssl req -new -nodes -keyout sitekey.pem -out sitereq.pem -days 3650
Using configuration from /usr/local/openssl/openssl.cnf
Generating a 1024 bit RSA private key
++
...+
+
writing new private key to 'sitekey.pem'
-
.

(3)CA sign the certificate :
# openssl ca -policy policy_anything -out cert.pem -infiles sitereq.pem
Using configuration from /usr/local/openssl/openssl.cnf
Check that the request matches the signature
Signature ok
.

(4)Concatenate the signed certificate and key to become server certificate :
# cat cert.pem sitekey.pem > sitecert.pem

(5)Prepare Root CA certificate to be distributed to NS-4.x and MSIE-5 :
# cp cacert.pem cacert.cacert
# openssl x509 -inform pem -in cacert.pem -outform der -out cacert.der

(6)Installation of Root CA certificate to browser NS and MSIE is successful.

(7)Update httpsd.conf of the Apache server :
.
Listen 192.168.1.32:443
Listen 192.168.1.32:8080
Port 443
User webadm
Group webgp
ServerName www2..com
NameVirtualHost 192.168.1.32:443
NameVirtualHost 192.168.1.32:8080
SSLVerifyClient 0
SSLVerifyDepth 10
SSLCacheServerPort 1234
SSLCacheServerPath /usr/local/apache/bin/gcache
SSLSessionCacheTimeout 15
SSLCertificateFile /usr/local/openssl/demoCA/certs/sitecert.pem
SSLCertificateKeyFile /usr/local/openssl/demoCA/certs/sitekey.pem
.

Port 8080
SSLDisable
ServerAdmin webmaster@mail
DocumentRoot /usr/local/apache/htdocs/www2
ServerName www2
ServerAlias www2..com
ErrorLog logs/www2-error_log
TransferLog logs/www2-access_log

.

Port 443
SSLEnable
SSLVerifyClient 0
SSLVerifyDepth 10
SSLCertificateFile /usr/local/openssl/demoCA/certs/sitecert.pem
SSLCertificateKeyFile /usr/local/openssl/demoCA/certs/sitekey.pem
ServerAdmin webmaster@mail
DocumentRoot /usr/local/apache/htdocs/www2-ssl
ServerName www2-ssl
ServerAlias www2-ssl..com
ErrorLog logs/www2-ssl-error_log
TransferLog logs/www2-ssl-access_log


Question 1 :

While I am using Netscape to connect to the secure server, for instance,
https://www-ssl , everything is fine.  However, MSIE-5 returns error "The Page
cannot be displayed".  Could it be solved anyway?

Question 2 :

While I am using Verisign Test CA and server certificate, there is no problem to
browse the same secure server.  What are the differences between the openssl
Demo CA and Verisign Test CA, which result in such problem in MSIE-5?

Question 3 :

Is there any free-of-charge CA generating server certificate? I just want it for
intranet.

Regards,
[EMAIL PROTECTED]





Re: Adding root ca to Communicator

2001-02-07 Thread dm

Steve,
> You need to send the certificate as MIME type
> application/x-x509-ca-cert
> see:
How do you convert the certificate (PEM format) to
this format? 
> 
> http://home.netscape.com/eng/security/comm4-cert-download.html
Thanks,
   Mohan
--- Dr S N Henson <[EMAIL PROTECTED]> wrote:
> dm wrote:
> > 
> > Hi,
> >    Is it possible to add a Root CA certificate to
> > Netscape Communicator browser?
> > I am the root ca in this case and what I want is that
> > Communicator should validate the server cert issued by
> > me (without any warnings it should validate through
> > the root CA cert). How can I do it?
> > I could manage to do it in IE 55 easily. But I am not
> > able to do it in Communicator.
> > Any help will be greatly appreciated.
> 
> You need to send the certificate as MIME type application/x-x509-ca-cert
> see:
> 
> http://home.netscape.com/eng/security/comm4-cert-download.html
> 
> Steve.
> -- 
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED] 
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.



RE: Unable to extract the downloaded tar

2001-02-07 Thread Daniel Cunningham

Hi Sumanta:

No, John is right.  WinZip 8.0 will not handle it.  It's too darn "smart".
(Darn falutin' software!!! )  For a Win32 platform, you should use 
WinZip 7.0.

Step #2 (be forewarned, you're going to groan!!!) You're simply missing
the "z" flag in your tar command, e.g.:

  mkdir ~/tmp
  cd ~/tmp
  tar xzvf /usr/local/openSSL/openssl-0.9.6.tar.gz 

...In other words, you need to use the z=zip flag.  Good luck!

-- Daniel

At 04:05 PM 2/7/01 -0500, you wrote:
>Thanks for the response. I tried with WinZip 8.0, assuming it's downward
>compatible, but doesn't work. How can I do it under Sun Sparc OS v5.6. I
>tried with "tar xvf". Again, could you please redirect me to any instruction
>site for OpenSSL setup.
>
>Regards,
>Sumanta
>
>> -Original Message-
>> From:John T. Salyer [SMTP:[EMAIL PROTECTED]]
>> Sent:Wednesday, February 07, 2001 12:54 PM
>> To:  [EMAIL PROTECTED]
>> Subject: RE: Unable to extract the downloaded tar
>> 
>> You can extract it with Winzip 7.0
>> 
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]]On Behalf Of Dutta, Sumanta
>> Sent: Wednesday, February 07, 2001 9:35 AM
>> To: '[EMAIL PROTECTED]'
>> Subject: Unable to extract the downloaded tar
>> 
>> 
>> Hi,
>> 
>> Could anyone please tell me or at least redirect me to a place where I can
>> find step by step setup instructions. I downloaded the latest tar
>> "openssl-0_9_6_tar.tar", but unable to extract the contents, and don't know
>> how to proceed thereafter.
>> 
>> Thanks,
>> Sumanta.
>> 



client authentication

2001-02-07 Thread dm

Hi,
   I am working on doing client authentication. I
could successfully import the certificate in the
browser and could authenticate the client. 
My question is: How does the browser get the private
key? Shouldn't it be needing that for authentication? 
Isn't it that there is some challenge thrown by the
server based on the client public key?
Maybe I am missing some fundamental concept.
Thanks,
   mohan




Error code 1 during "make test"

2001-02-07 Thread Nelson Henry Eric

Got the following error during "make test."  Does that mean I should
not install openssl until the issue is solved?  The build itself seemed
to finish without any errors or warnings.

-- begin error message --
./randtest
assertion "md_c[1] == md_count[1]" failed: file "md_rand.c", line 298
*** Signal 6

Stop.
*** Error code 1

Stop.
-- end error message --

I am building openssl-0.9.6 on NetBSD/sparc 1.5.  Made no modifications
before the build: simply "./config -lcompat", then, "make".  It seems that
core files were dumped:
% find ./ -name "*.core" -print
.//certs/openssl.core
.//test/randtest.core

Thanks for any advice.  (Please cc if possible since not a regular member
of the list.)

henry nelson



RE: Compiling problems on Windows NT

2001-02-07 Thread Ian Cain

To Whom Ever Cares,
I just finished compiling openssl 0.9.6 on win2k server and NT 4.0 server
No problems. Used ml.exe assembler and Visual Studio 6.0

Here's what I did:
1a) downloaded openssl-0.9.6.tar.gz. Double clicked the file and used
winzip 7.0 to extract the file in the c:\openssl-0.9.6 directory

1) installed Visual Studio 6.0 with command line executables enabled.
the install program will ask you during the install. There is also
a way to enable it after you have installed Studio.

2) downloaded the ml.exe assembler from
http://www.pbq.com.au/home/hutch/masm.htm
unzip'ed and ran the install program.

3) copied c:\masm32\ml.exe to a directory in my PATH

4) downloaded and installed ActiveState perl from activestate.com

5) followed the INSTALL.W32 read me file instructions for Visual Studio.

6) opened a command prompt (start->run) type in cmd and press return.

7) typed "c:\cd openssl-0.9.6

 Visual C++
 --
root_path> = c:\openssl-0.9.6\

 Firstly you should run Configure:
 root_path> perl Configure VC-WIN32

 Next you need to build the Makefiles and optionally the assembly language
 files:

 - If you are using MASM then run: ( *which I am :)
root_path>ms\do_masm

   ( I have done some internal testing and the assembly version runs
   *significantly faster)
 - If you don't want to use the assembly language files at all then run:
   root_path> ms\do_ms

 Then from the VC++ environment at a prompt do:
   root_path> nmake -f ms\ntdll.mak

 If all is well it should compile and you will have some DLLs and executables
 in out32dll. If you want to try the tests then do:
 
 root_path> cd out32dll
 root_path> ..\ms\test

Everything compiled GREAT and I had no problems whatsoever.

--ian


-Original Message-
From: Mark Swarbrick [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 07, 2001 2:12 PM
To: [EMAIL PROTECTED]
Subject: Re: Compiling problems on Windows NT


Lots of luck to you - I tried to get it to compile on NT - spent weeks on
it. Couldn't get it to work and couldn't find anyone with an answer. I
finally gave up and compiled it on Linux and it works perfect on that
platform.

Julie Ruiz wrote:

> Please could someone help me with the problem when I am compiling the
> OpenSSL, it is urgent
> What am I doing wrong???
> Can you help me with the installation???
>
>  I am trying to install the OpenSSL but it
> fails.
> I am working on Windows NT Workstation 4.0 so I installed the Mingw32
> package. GNU make and  Perl for Win32
>
> I followed the instructions for the win32 platform working with the GNU C
> (Mingw32) but when I try to compile the OpenSSL it fails and appears the
> following messages:
>
> D:\openssl-0.9.6\ms>mingw32
> D:\openssl-0.9.6\ms>perl Configure Mingw32
> Configuring for Mingw32
> IsWindows=1
> unable to read opensslv.h:No such file or directory
> Generating x86 for GNU assember
> Bignum
> Can't locate x86asm.pl in @INC (@INC contains: D:/Perl/lib
> D:/Perl/site/lib . perlasm ../../perlasm)
>  at x86.pl line 4.
> DES
> Can't open perl script "des-586.pl": No such file or directory
> crypt
> Can't open perl script "crypt586.pl": No such file or directory
> Blowfish
> Can't locate x86asm.pl in @INC (@INC contains: D:/Perl/lib
> D:/Perl/site/lib . perlasm ../../perlasm)
>  at bf-586.pl line 4.
> CAST5
> Can't locate x86asm.pl in @INC (@INC contains: D:/Perl/lib
> D:/Perl/site/lib . perlasm ../../perlasm)
>  at cast-586.pl line 7.
> RC4
> El sistema no ha encontrado la ruta de acceso especificada.
> Can't open perl script "rc4-586.pl": No such file or directory
> MD5
> El sistema no ha encontrado la ruta de acceso especificada.
> Can't open perl script "md5-586.pl": No such file or directory
> SHA1
> El sistema no ha encontrado la ruta de acceso especificada.
> Can't open perl script "sha1-586.pl": No such file or directory
> RIPEMD160
> El sistema no ha encontrado la ruta de acceso especificada.
> Can't open perl script "rmd-586.pl": No such file or directory
> RC5\32
> El sistema no ha encontrado la ruta de acceso especificada.
> Can't open perl script "rc5-586.pl": No such file or directory
> Generating makefile
> Can't open perl script "util\mkfiles.pl": No such file or directory
> El sistema no ha encontrado la ruta de acceso especificada.
> El sistema no ha encontrado la ruta de acceso especificada.
> Generating DLL definition files
> El sistema no ha encontrado la ruta de acceso especificada.
>

Re: Adding root ca to Communicator

2001-02-07 Thread Dr S N Henson

dm wrote:
> 
> Hi,
>Is it possible to add a Root CA certificate to
> Netscape Communicator browser?
> I am the root ca in this case and what I want is that
> Communicator should validate the server cert issued by
> me (without any warnings it should validate through
> the root CA cert). How can I do it?
> I could manage to do it in IE 55 easily. But I am not
> able to do it in Communicator.
> Any help will be greatly appreciated.

You need to send the certificate as MIME type application/x-x509-ca-cert
see:

http://home.netscape.com/eng/security/comm4-cert-download.html

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



Re: Cipher suite

2001-02-07 Thread Dr S N Henson

Patrick Li wrote:
> 
> Hi,
> 
> I am trying to match the cipher suite supported by OpenSSL (listed out by
> the command openssl ciphers -tlsv1) to the cipher suite specified in the TLS
> Protocol version 1 IETF RFC 2246.  But they seemed to be using different
> naming conventions.   The cipher suite name used in OpenSSL is not following
> the naming convention (Authentication algorithm name + Key Exchange +
> Encryption + Digest) which is used in RFC 2246.
> 
> My question is
> 
> - Is there a 1 to 1 mapping between the cipher suites between OpenSSL and
> RFC 2246.  I think it is not the case.  Please confirm.
> 

Not all ciphersuites in RFC2246 are supported by OpenSSL in particular
the static DH ciphersuites are not due to the lack of DH certificate
support and no one else seems to be using them anyway.

> What does RC4-MD5 (in OpenSSL) map to in RFC 2246?  As there are a few
> cipher suites supported RC4 encryption and MD5 digest.
> 

Read the 'ciphers' manual page for a complete description of the mapping
and cipher listing usage. In there you will find:
SSL_RSA_WITH_RC4_128_MD5  is the same as RC4-MD5.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
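
An added example (not part of the thread, and not OpenSSL code) of how the two naming schemes relate: it rebuilds the RFC 2246 name from the Kx/Au/Enc/Mac fields printed by `openssl ciphers -v`, which also separates the several suites that combine RC4 with MD5. The sample lines are constructed in that output's layout, and only the field values listed in the two tables are handled.

```python
# Added illustration, not code from the thread or from OpenSSL: rebuild the
# RFC 2246 suite name from the fields that `openssl ciphers -v` prints.

# Constructed sample lines in the layout of `openssl ciphers -v` output.
SAMPLE = """\
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
"""

# Enc= field -> cipher part of the RFC 2246 name.
ENC = {
    "None": "NULL",
    "RC4(128)": "RC4_128",
    "RC4(40)": "RC4_40",
    "RC2(40)": "RC2_CBC_40",
    "IDEA(128)": "IDEA_CBC",
    "DES(40)": "DES40_CBC",
    "DES(56)": "DES_CBC",
    "3DES(168)": "3DES_EDE_CBC",
}
# Mac= field -> digest part of the RFC 2246 name.
MAC = {"MD5": "MD5", "SHA1": "SHA"}


def parse_line(line):
    """Split one `ciphers -v` line into name, protocol and Kx/Au/Enc/Mac."""
    fields = line.split()
    if len(fields) < 6:
        raise ValueError(f"unexpected line: {line!r}")
    entry = {"name": fields[0], "proto": fields[1],
             "export": fields[-1] == "export"}
    for field in fields[2:]:
        if "=" in field:
            key, value = field.split("=", 1)
            entry[key] = value
    return entry


def key_exchange(entry):
    """Key exchange + authentication part, e.g. RSA, DHE_RSA, DH_anon."""
    kx = entry["Kx"].split("(")[0]      # drop the export key size, e.g. (512)
    au = entry["Au"]
    if kx == "RSA" and au == "RSA":
        part = "RSA"
    elif kx == "DH" and au in ("RSA", "DSS"):
        part = "DHE_" + au              # ephemeral DH signed with RSA or DSS
    elif kx == "DH" and au == "None":
        part = "DH_anon"
    else:
        raise ValueError(f"no rule for Kx={entry['Kx']} Au={au}")
    return part + ("_EXPORT" if entry["export"] else "")


def rfc_name(entry, prefix="TLS"):
    """Compose <prefix>_<kx/auth>_WITH_<cipher>_<digest>."""
    try:
        enc, mac = ENC[entry["Enc"]], MAC[entry["Mac"]]
    except KeyError as exc:
        raise ValueError(f"no rule for {exc}") from None
    return f"{prefix}_{key_exchange(entry)}_WITH_{enc}_{mac}"


def entries(text=SAMPLE):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def mapping(text=SAMPLE, prefix="TLS"):
    """OpenSSL name -> RFC-style name for every line in text."""
    return {e["name"]: rfc_name(e, prefix) for e in entries(text)}


def suites_using(enc, mac, text=SAMPLE):
    """OpenSSL names of every listed suite with this cipher family and MAC."""
    return [e["name"] for e in entries(text)
            if e["Enc"].startswith(enc + "(") and e["Mac"] == mac]


if __name__ == "__main__":
    for openssl_name, rfc in mapping().items():
        print(f"{openssl_name:24} {rfc}")
    print("RC4 + MD5:", suites_using("RC4", "MD5"))
```
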



Re: Compiling OpenSSH w/OpenSSL & KerberosIV

2001-02-07 Thread Kenneth R. Robinette

From:   [EMAIL PROTECTED]
Date sent:  Wed, 7 Feb 2001 19:58:24 -0500 (EST)
To: <[EMAIL PROTECTED]>
Copies to:  <[EMAIL PROTECTED]>
Subject:Compiling OpenSSH w/OpenSSL & KerberosIV
Send reply to:  [EMAIL PROTECTED]

How are you getting the Kerberos headers in the OpenSSL build?  
What version of openssl are you trying to compile, the production 
version or one of the snapshots with the new kerberos stuff?

Ken

OpenSSL Folks (sorry about crosspost),

It seems that the des.h header in OpenSSL is incompatible with my MIT
kerberos des.h, at least on Linux.  I'm seeing various conflicting types
(bit_64, des_key_sched, &c).

I'm using a VALinux/Redhat 7 system with KerbIV and KerbV libraries
installed, using the des.h in /usr/kerberos/include/kerberosIV.

I was wondering if anyone on the list had looked into the problem, and had
an idea how difficult it should be to resolve it.

What is the likely direction these headers should be taken?  Which library
should change?  Is there any plausible way to isolate them?


Matt


__
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED]
http://www.securenetterm.com



Problem becoming a CA/signing my own Cert's

2001-02-07 Thread Steve Williams

Hi,

I am trying to get sendmail STARTTLS working, and have gotten to the
point where I need a certificate.

This is completely new to me, and I have followed three different sets
of directions, and always come up with the same error message when I 
finally go to sign my own certificate.  ( I am just being my own CA 
for testing purposes ).

I am running on OpenBSD 2.7, with OpenSSL 0.9.5a Apr 2000

I have tried using the openssl commands directly, and using the CA.pl
script.

Under all circumstances, I get to the final step ( sign ), and I get
an error message:

Using configuration from /etc/ssl/openssl.cnf
variable lookup failed for ca::default_ca

and it won't continue.  Does anyone have any idea???

I have followed the manual steps @ 
http://www.sendmail.org/~ca/email/other/cagreg.html

where it walks through the manual openssl commands, and arrived at exactly
the same error message.  

I am sure it's something stupid, but I've searched all over for that 
error message, and I can't find a hint of what it means!

Here is a sample script of a session:
( using a modified CA.pl to add -nodes on the -newcert and -newreq )
( following directions from: 
  http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/doc/myownca.html )

THANKS!
===
# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
++
...++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [CA]:
State or Province Name (full name) [AB]:
Locality Name (eg, city) [Calgary]:
Organization Name (eg, company) [Acme Tools]:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:Acme Tools CA
Email Address []:[EMAIL PROTECTED]
#
===
# CA.pl -newreq
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.++
++
writing new private key to 'newreq.pem'
-
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [CA]:
State or Province Name (full name) [AB]:
Locality Name (eg, city) [Calgary]:
Organization Name (eg, company) [Acme Tools]:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:acmetools.com
Email Address []:[EMAIL PROTECTED]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
#
===
# CA_cert.pl -sign
Using configuration from /etc/ssl/openssl.cnf
variable lookup failed for ca::default_ca
#


-- 
Steve Williams, Calgary, Alberta, Canada
Genie Computer Systems Inc.
[EMAIL PROTECTED]

"A man doesn't begin to attain wisdom until he recognizes that he is 
 no longer indispensable."
- Admiral Richard E. Byrd ( 1888-1957 )
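
The error in the session above names the lookup that failed: section `ca`, name `default_ca`, which is where `openssl ca` reads the name of its CA section. An added check (not part of the original post) that follows that lookup in an openssl.cnf and shows the files the CA section points at; the three sample configurations are constructed, and the reader handles only `[ section ]` headers, `name = value` lines, `#` comments and `$var` / `${var}` references.

```python
# Added illustration, not from the thread: follow the lookup behind
# "variable lookup failed for ca::default_ca" (printed as section::name).
import re

# Constructed sample configurations (not the poster's /etc/ssl/openssl.cnf).
NO_CA_SECTION = """\
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
"""

DANGLING = """\
[ ca ]
default_ca = CA_default    # names a section that is not defined below
"""

WORKING = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
dir         = ./demoCA
database    = $dir/index.txt
serial      = $dir/serial
certificate = $dir/cacert.pem
private_key = ${dir}/private/cakey.pem
"""

VAR = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def parse_cnf(text):
    """Minimal reader: returns {section: {name: value}}."""
    sections = {"default": {}}          # names set before any [ section ]
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            name, value = line.split("=", 1)
            sections[current][name.strip()] = value.strip()
    return sections


def expand(value, section, default):
    """Substitute $var / ${var} from the same section, then from 'default'."""
    def repl(match):
        name = match.group(1) or match.group(2)
        return section.get(name, default.get(name, match.group(0)))
    return VAR.sub(repl, value)


def diagnose_ca(text):
    """Return (status, detail) for the ca -> default_ca -> section chain."""
    sections = parse_cnf(text)
    target = sections.get("ca", {}).get("default_ca")
    if target is None:
        return ("lookup failed for ca::default_ca", None)
    if target not in sections:
        return ("default_ca names an undefined section", target)
    section = sections[target]
    resolved = {name: expand(value, section, sections["default"])
                for name, value in section.items()}
    return ("ok", resolved)


if __name__ == "__main__":
    for label, cnf in (("no [ ca ] section", NO_CA_SECTION),
                       ("dangling default_ca", DANGLING),
                       ("working", WORKING)):
        print(label, "->", diagnose_ca(cnf))
```
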



RE: Direct read of RSA public key

2001-02-07 Thread Reddie, Steven

An RSA private key, in addition to containing the private key components,
contains the components of the associated RSA public key.  A public key
consists of the following components:
n, e
A private key consists of the following components:
n, e, d, p, q, dmpq, dmq1, iqmp
So, when you read in your RSA private key and get an EVP_PKEY, you can use
that same EVP_PKEY as both a private and a public key.

Regards,

Steven
--
Steven Reddie <[EMAIL PROTECTED]>
Senior Software Engineer
Computer Associates Pty Ltd (Australia)

> -Original Message-
> From: chris luchini [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, February 07, 2001 11:55 AM
> To:   [EMAIL PROTECTED]
> Subject:  Direct read of RSA public key
> 
> 1) what I'd _like_ to do is generate an RSA private/public key pair and
> then read them in directly, without having to generate a certificate,
> x509 object
> etc. 
> 
> demos/sign/sign.c uses PEM_read_PrivateKey, but there doesn't appear to
> be
> a corresponding PEM_read_PublicKey. The read of the private key works
> fine, but
> I get a 
> 13451:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:662:Expecting: CERTIFICATE
> when it pass it a publickey.pem generated using the openssl rsa ...
> command. 
> 
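
An added illustration of the reply above (not code from the thread, and not the OpenSSL API): it parses a PKCS#1 RSAPrivateKey structure and takes the public key (n, e) straight out of it, then verifies with that public key a value signed with the private exponent. The toy key is constructed for the example, the signature is unpadded textbook RSA, and the field names follow the members of OpenSSL's RSA structure.

```python
# Added illustration, not code from the thread: a PKCS#1 RSAPrivateKey
# already carries the public components n and e.
FIELDS = ("version", "n", "e", "d", "p", "q", "dmp1", "dmq1", "iqmp")


def der_len(length):
    """DER length octets (short form below 128, long form otherwise)."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(value):
    """DER INTEGER for a non-negative value (minimal, sign bit clear)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body


def build_constructed_key():
    """Constructed toy key from two small Mersenne primes; not for real use."""
    p, q, e = 2**31 - 1, 2**61 - 1, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    ints = (0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    body = b"".join(der_int(i) for i in ints)
    return b"\x30" + der_len(len(body)) + body


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: next octets hold the length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_private_key(der):
    """Decode SEQUENCE { version, n, e, d, p, q, dmp1, dmq1, iqmp }."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one DER SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, raw, pos = read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        values.append(int.from_bytes(raw, "big"))
    if len(values) != len(FIELDS):
        raise ValueError("not a two-prime RSAPrivateKey")
    return dict(zip(FIELDS, values))


def public_from_private(priv):
    """The public key is two of the private key's own fields."""
    return {"n": priv["n"], "e": priv["e"]}


def check_consistency(priv):
    """The CRT fields must agree with n, d, p and q."""
    return (priv["n"] == priv["p"] * priv["q"]
            and priv["dmp1"] == priv["d"] % (priv["p"] - 1)
            and priv["dmq1"] == priv["d"] % (priv["q"] - 1)
            and (priv["iqmp"] * priv["q"]) % priv["p"] == 1)


def roundtrip(message=0x1234567890ABCDEF):
    """Sign with d, then verify using only the extracted (n, e)."""
    priv = parse_rsa_private_key(build_constructed_key())
    pub = public_from_private(priv)
    signature = pow(message, priv["d"], priv["n"])
    return pow(signature, pub["e"], pub["n"]) == message


if __name__ == "__main__":
    key = parse_rsa_private_key(build_constructed_key())
    print("public key:", public_from_private(key))
    print("consistent:", check_consistency(key), "verify:", roundtrip())
```
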



Compiling OpenSSH w/OpenSSL & KerberosIV

2001-02-07 Thread gcc


OpenSSL Folks (sorry about crosspost),

It seems that the des.h header in OpenSSL is incompatible with my MIT
kerberos des.h, at least on Linux.  I'm seeing various conflicting types
(bit_64, des_key_sched, &c).

I'm using a VALinux/Redhat 7 system with KerbIV and KerbV libraries
installed, using the des.h in /usr/kerberos/include/kerberosIV.

I was wondering if anyone on the list had looked into the problem, and had
an idea how difficult it should be to resolve it.

What is the likely direction these headers should be taken?  Which library
should change?  Is there any plausible way to isolate them?


Matt


__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Cipher suite

2001-02-07 Thread Patrick Li

Hi,

I am trying to match the cipher suite supported by OpenSSL (listed out by
the command openssl ciphers -tlsv1) to the cipher suite specified in the TLS
Protocol version 1 IETF RFC 2246.  But they seemed to be using different
naming conventions.   The cipher suite name used in OpenSSL is not following
the naming convention (Authentication algorithm name + Key Exchange +
Encryption + Digest) which is used in RFC 2246.

My question is

- Is there a 1 to 1 mapping between the cipher suites between OpenSSL and
RFC 2246.  I think it is not the case.  Please confirm.

What does RC4-MD5 (in OpenSSL) map to in RFC 2246?  As there are a few
cipher suites supported RC4 encryption and MD5 digest.

Thanks
Patrick





Adding root ca to Communicator

2001-02-07 Thread dm

Hi,
   Is it possible to add a Root CA certificate to
Netscape Communicator browser? 
I am the root ca in this case and what I want is that
Communicator should validate the server cert issued by
me (without any warnings it should validate through
the root CA cert). How can I do it?
I could manage to do it in IE 55 easily. But I am not
able to do it in Communicator.
Any help will be greatly appreciated.
Thanks,
Mohan




Re: Compiling problems on Windows NT

2001-02-07 Thread Dr S N Henson

Mark Swarbrick wrote:
> 
> Lots of luck to you - I tried to get it to compile on NT - spent weeks on
> it. Couldn't get it to work and couldn't find anyone with an answer. I
> finally gave up and compiled it on Linux and it works perfect on that
> platform.
> 

That's strange. I can only find one query from you in openssl-users and
I replied to that almost immediately.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



Re: Compiling problems on Windows NT

2001-02-07 Thread Mark Swarbrick

Lots of luck to you - I tried to get it to compile on NT - spent weeks on
it. Couldn't get it to work and couldn't find anyone with an answer. I
finally gave up and compiled it on Linux and it works perfect on that
platform.

Julie Ruiz wrote:

> Please could someone help me with the problem when I am compiling the
> OpenSSL, it is urgent
> What am I doing wrong???
> Can you help me with the installation???
>
>  I am trying to install the OpenSSL but it
> fails.
> I am working on Windows NT Workstation 4.0 so I installed the Mingw32
> package. GNU make and  Perl for Win32
>
> I followed the instructions for the win32 platform working with the GNU C
> (Mingw32) but when I try to compile the OpenSSL it fails and appears the
> following messages:
>
> D:\openssl-0.9.6\ms>mingw32
> D:\openssl-0.9.6\ms>perl Configure Mingw32
> Configuring for Mingw32
> IsWindows=1
> unable to read opensslv.h:No such file or directory
> Generating x86 for GNU assember
> Bignum
> Can't locate x86asm.pl in @INC (@INC contains: D:/Perl/lib
> D:/Perl/site/lib . perlasm ../../perlasm)
>  at x86.pl line 4.
> DES
> Can't open perl script "des-586.pl": No such file or directory
> crypt
> Can't open perl script "crypt586.pl": No such file or directory
> Blowfish
> Can't locate x86asm.pl in @INC (@INC contains: D:/Perl/lib
> D:/Perl/site/lib . perlasm ../../perlasm)
>  at bf-586.pl line 4.
> CAST5
> Can't locate x86asm.pl in @INC (@INC contains: D:/Perl/lib
> D:/Perl/site/lib . perlasm ../../perlasm)
>  at cast-586.pl line 7.
> RC4
> El sistema no ha encontrado la ruta de acceso especificada.
> Can't open perl script "rc4-586.pl": No such file or directory
> MD5
> El sistema no ha encontrado la ruta de acceso especificada.
> Can't open perl script "md5-586.pl": No such file or directory
> SHA1
> El sistema no ha encontrado la ruta de acceso especificada.
> Can't open perl script "sha1-586.pl": No such file or directory
> RIPEMD160
> El sistema no ha encontrado la ruta de acceso especificada.
> Can't open perl script "rmd-586.pl": No such file or directory
> RC5\32
> El sistema no ha encontrado la ruta de acceso especificada.
> Can't open perl script "rc5-586.pl": No such file or directory
> Generating makefile
> Can't open perl script "util\mkfiles.pl": No such file or directory
> El sistema no ha encontrado la ruta de acceso especificada.
> El sistema no ha encontrado la ruta de acceso especificada.
> Generating DLL definition files
> El sistema no ha encontrado la ruta de acceso especificada.
>



RE: Unable to extract the downloaded tar

2001-02-07 Thread Dutta, Sumanta

Yes, this is exactly what happened. I renamed the filename, and tried with
WinZip, and it worked. Anyway I was using GNU tar, but there also the name
was the problem.

Thanks,
Sumanta.

> -Original Message-
> From: Hudson, Henrik H. [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, February 07, 2001 4:26 PM
> To:   '[EMAIL PROTECTED]'
> Subject:  RE: Unable to extract the downloaded tar
> 
> Hello-
> 
> A) Your OS absolutely destroyed the file name (let me guess, IE or Netscape
> on M$?). Rename the file to 
> what it is supposed to be:  openssl-0.9.6.tar.gz  
> 
> B) Winzip should work if it is renamed to the right name. If it still
> doesn't work..then on Solaris, if the tar you are using is not GNU tar you
> may need to install gtar to make it work. Of course this depends with what
> versions of tar it was tarred with, but I would guess GNU tar.
> 
> 
> 
> ---
> Henrik Hudson
> 
> Microsoft: "Where would you like to go to today"
> Linux: "Where would you like to go tomorrow"
> FreeBSD: "Hey, when are you guys going to catch up"
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Dutta, Sumanta
> Sent: Wednesday, February 07, 2001 15:06
> To: '[EMAIL PROTECTED]'
> Subject: RE: Unable to extract the downloaded tar
> 
> 
> Thanks for the response. I tried with WinZip 8.0, assuming it's downward
> compatible, but doesn't work. How can I do it under Sun Sparc OS v5.6. I
> tried with "tar xvf". Again, could you please redirect me to any instruction
> site for OpenSSL setup.
> 
> Regards,
> Sumanta
> 
> > -Original Message-
> > From:   John T. Salyer [SMTP:[EMAIL PROTECTED]]
> > Sent:   Wednesday, February 07, 2001 12:54 PM
> > To: [EMAIL PROTECTED]
> > Subject:RE: Unable to extract the downloaded tar
> > 
> > You can extract it with Winzip 7.0
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Dutta, Sumanta
> > Sent: Wednesday, February 07, 2001 9:35 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: Unable to extract the downloaded tar
> > 
> > 
> > Hi,
> > 
> > Could anyone please tell me or at least redirect me to a place where I can
> > find step by step setup instructions. I downloaded the latest tar
> > "openssl-0_9_6_tar.tar", but unable to extract the contents, and don't know
> > how to proceed thereafter.
> > 
> > Thanks,
> > Sumanta.

RE: Unable to extract the downloaded tar

2001-02-07 Thread Hudson, Henrik H.

Hello-

A) Your OS absolutely destroyed the file name (let me guess, IE or Netscape
on M$?). Rename the file to 
what it is supposed to be:  openssl-0.9.6.tar.gz  

B) Winzip should work if it is renamed to the right name. If it still
doesn't work... then on Solaris, if the tar you are using is not GNU tar you
may need to install gtar to make it work. Of course this depends on what
version of tar it was tarred with, but I would guess GNU tar.



---
Henrik Hudson

Microsoft: "Where would you like to go to today"
Linux: "Where would you like to go tomorrow"
FreeBSD: "Hey, when are you guys going to catch up"


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Dutta, Sumanta
Sent: Wednesday, February 07, 2001 15:06
To: '[EMAIL PROTECTED]'
Subject: RE: Unable to extract the downloaded tar


Thanks for the response. I tried with WinZip 8.0, assuming it's downward
compatible, but it doesn't work. How can I do it under Sun Sparc OS v5.6. I
tried with "tar xvf". Again, could you please redirect me to any instruction
site for OpenSSL setup.

Regards,
Sumanta

> -Original Message-
> From: John T. Salyer [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, February 07, 2001 12:54 PM
> To:   [EMAIL PROTECTED]
> Subject:  RE: Unable to extract the downloaded tar
> 
> You can extract it with Winzip 7.0
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Dutta, Sumanta
> Sent: Wednesday, February 07, 2001 9:35 AM
> To: '[EMAIL PROTECTED]'
> Subject: Unable to extract the downloaded tar
> 
> 
> Hi,
> 
> Could anyone please tell me or at least redirect me to a place where I can
> find step by step setup instructions. I downloaded the latest tar
> "openssl-0_9_6_tar.tar", but unable to extract the contents, and don't know
> how to proceed thereafter.
> 
> Thanks,
> Sumanta.



--

[INFO] -- Access Manager:
This message is intended only for the personal and confidential use of the
designated recipient(s) named above.  If you are not the intended recipient
of this message you are hereby notified that any review, dissemination,
distribution or copying of this message is strictly prohibited.  This
communication is for information purposes only and should not be regarded as
an offer to sell or as a solicitation of an offer to buy any financial
product, an official confirmation of any transaction, or as an official
statement of Lehman Brothers Inc.  Email transmission cannot be guaranteed
to be secure or error-free.  Therefore, we do not represent that this
information is complete or accurate and it should not be relied upon as
such.  All information is subject to change without notice.





Re: Unable to extract the downloaded tar

2001-02-07 Thread Patrick Li

I thought the tar file should be called openssl-0_9_6_tar.gz if you
downloaded it from the openssl site.

On unix you can extract the file using these commands.

gunzip openssl-0_9_6_tar.gz
tar -xvf openssl-0_9_6_tar

Hope this helps

- Original Message -
From: Dutta, Sumanta <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 07, 2001 1:05 PM
Subject: RE: Unable to extract the downloaded tar


> Thanks for the response. I tried with WinZip 8.0, assuming it's downward
> compatible, but it doesn't work. How can I do it under Sun Sparc OS v5.6. I
> tried with "tar xvf". Again, could you please redirect me to any instruction
> site for OpenSSL setup.
>
> Regards,
> Sumanta
>
> > -Original Message-
> > From: John T. Salyer [SMTP:[EMAIL PROTECTED]]
> > Sent: Wednesday, February 07, 2001 12:54 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Unable to extract the downloaded tar
> >
> > You can extract it with Winzip 7.0
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Dutta, Sumanta
> > Sent: Wednesday, February 07, 2001 9:35 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: Unable to extract the downloaded tar
> >
> >
> > Hi,
> >
> > Could anyone please tell me or at least redirect me to a place where I can
> > find step by step setup instructions. I downloaded the latest tar
> > "openssl-0_9_6_tar.tar", but unable to extract the contents, and don't know
> > how to proceed thereafter.
> >
> > Thanks,
> > Sumanta.

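Added example (not from any poster in this thread or from the OpenSSL project): the diagnosis above is that the download's name was mangled while its contents were intact, so this shell code identifies the file by its leading bytes instead of its extension and pipes gzip output into tar, which also works with a tar that cannot decompress by itself. The function names detect_archive_type and extract_download are hypothetical.

```shell
#!/bin/sh
# Added example: decide what a download is from its content, not its name.

# Print "gzip", "tar" or "unknown" for the file given as $1.
detect_archive_type() {
    candidate=$1
    # A gzip stream begins with the two magic bytes 1f 8b.
    magic=$(od -An -tx1 -N2 "$candidate" 2>/dev/null | tr -d ' \n')
    if [ "$magic" = "1f8b" ]; then
        echo gzip
        return 0
    fi
    # A POSIX/GNU tar header holds the ASCII string "ustar" at byte offset 257.
    ustar=$(od -An -tx1 -j257 -N5 "$candidate" 2>/dev/null | tr -d ' \n')
    if [ "$ustar" = "7573746172" ]; then
        echo tar
        return 0
    fi
    echo unknown
    return 1
}

# Extract the archive $1 into directory $2, whatever the file is called.
extract_download() {
    archive=$1
    dest_dir=$2
    kind=$(detect_archive_type "$archive") || kind=unknown
    case "$kind" in
        gzip)
            mkdir -p "$dest_dir" || return 1
            # Decompress to a pipe so a tar without built-in gzip support still works.
            gzip -dc "$archive" | (cd "$dest_dir" && tar -xf -)
            ;;
        tar)
            mkdir -p "$dest_dir" || return 1
            (cd "$dest_dir" && tar -xf -) < "$archive"
            ;;
        *)
            echo "unrecognised format, not extracting: $archive" >&2
            return 1
            ;;
    esac
}
```

Called as `extract_download openssl-0_9_6_tar.tar ./src`, it handles the renamed file from this thread without renaming it first.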


RE: Unable to extract the downloaded tar

2001-02-07 Thread Dutta, Sumanta

Thanks for the response. I tried with WinZip 8.0, assuming it's downward
compatible, but it doesn't work. How can I do it under Sun Sparc OS v5.6. I
tried with "tar xvf". Again, could you please redirect me to any instruction
site for OpenSSL setup.

Regards,
Sumanta

> -Original Message-
> From: John T. Salyer [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, February 07, 2001 12:54 PM
> To:   [EMAIL PROTECTED]
> Subject:  RE: Unable to extract the downloaded tar
> 
> You can extract it with Winzip 7.0
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Dutta, Sumanta
> Sent: Wednesday, February 07, 2001 9:35 AM
> To: '[EMAIL PROTECTED]'
> Subject: Unable to extract the downloaded tar
> 
> 
> Hi,
> 
> Could anyone please tell me or at least redirect me to a place where I can
> find step by step setup instructions. I downloaded the latest tar
> "openssl-0_9_6_tar.tar", but unable to extract the contents, and don't know
> how to proceed thereafter.
> 
> Thanks,
> Sumanta.



Re: Compiling problems on Windows NT

2001-02-07 Thread Dr S N Henson

Julie Ruiz wrote:
> 
> Please could someone help me with the problem when I am compiling the
> OpenSSL, it is urgent
> What I am doing wrong???
> Can you help me with the installation???
> 
>  I am trying to install the OpenSSL but it
> fails.
> I am working on Windows NT Workstation 4.0 so I installed the Mingw32
> package. GNU make and  Perl for Win32
> 
> I followed the instructions for the win32 platform working with the GNU C
> 

Err no you haven't.

> (Mingw32) but when I try to compile the OpenSSL it fails and the
> following messages appear:
> 
> D:\openssl-0.9.6\ms>mingw32

It looks like you've done:

cd ms
mingw32

Whereas the instructions say you do:

ms\mingw32

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



Re: Certificate Renewal

2001-02-07 Thread John Douglass


On Wed, 7 Feb 2001, John Douglass wrote:

> Is anyone playing around with certificate renewals?
> 
> I'm trying to figure out how to accomplish this given:
> 
> 1) Certificate is installed in the browser already
> 2) I have the certificate (SPKAC) file on the CA
> 3) I have the signed public key on the CA
> 
> In order to "renew" do I:
> 
> A) Need to "re-sign" the SPKAC request
> 
> or 
> 
> B) Apply modification of the signed public key (with the appropriate
>   commands, then cat to the browser) and update the "index.txt" 
>   file that OpenSSL uses?
> 
> I was originally attempting to revoke, re-sign the SPKAC file
> faking the "serial" number,  but OpenSSL didn't like that.
> 
> >:)

I think I figured it out. I just need to re-sign the SPKAC
file and then cat that to netscape. It does the pairing
up with the private key. Netscape automatically selects the
latest certificate associated with the key. However the browser
does have record of the OLD signed key (which you can view/delete
at will). There is a new serialnumber associated with the certificate
but the old serial will be expired soon at any rate.

Since we're not doing Digital Signature or S/MIME with our certs,
this will probably work for us. I'll have to test the
S/MIME behaviour at a later date to see if this method of renewal
still allows for the encrypted info to be read.

If anyone has a better suggestion or more experience than I, I'd
love the correction in my implementation.

- JohnD, Georgia Tech




Re: 20 Million Fresh E-Mail Addresses

2001-02-07 Thread Boris

Hello Luke2,

** this message is generated automatically **

your email is rated as SPAM. We have reported your SPAM activity and
we reported your spam to several antispam-companies to protect them
against you.

This process is done automatically. Do not try to reply to this
message, you are banned to our network.

We do not accept any spam messages and we are not spamming our
business partners as you do.

If the message comes in error or because of a misunderstanding, ignore
it. Your spam will be checked by some known organisations, they decide
to protect/filter you or not.

Your spam has not been read by any human, your action was useless.



Server Certificate verification

2001-02-07 Thread Frank Roeding



Hi everybody,

my English is not so good, but I will try to explain my problem.
I connect to a server with my client application. All works fine
if I set verification off.
If I set the verification, the server certificate was bad (verification
error 19). I think the problem is that I have the wrong CA. How can I
get the CA of the server certificate, or how can I set this?
At the moment I have exported the CA of my own certificate and
set it with SSL_CTX_load_verify_locations(). It is
from VeriSign class 1. The server certificate is from VeriSign too,
but a class 3.

  SSLeay_add_all_algorithms();
  SSL_load_error_strings();
  ERR_load_crypto_strings();
  meth = SSLv3_client_method();
  ctx = SSL_CTX_new(meth);
  CHK_NULL(ctx);
  CHK_SSL(err);
  int rc = WSAStartup(2, &wsadata);
  sd = socket(AF_INET, SOCK_STREAM, 0);
  if (sd == INVALID_SOCKET) {
    int lastE = WSAGetLastError();
    ERR_print_errors_fp(stderr);
  }

  sprintf(server, "www.aserver.de");
  memset(&sa, '\0', sizeof(sa));
  unsigned long naddr;
  naddr = inet_addr(server);
  if (naddr != INADDR_NONE) {
    sa.sin_addr.s_addr = naddr;
  } else {
    PHOSTENT phe = gethostbyname(server);
    if (phe == NULL)
      CHK_ERR(1, "gethostbyname");
    sa.sin_addr.s_addr = *((unsigned long *)(phe->h_addr));
    memcpy((char *)&sa.sin_addr, phe->h_addr, phe->h_length);
  }

  sa.sin_family = AF_INET;
  sa.sin_port = htons((short)443);
  err = connect(sd, (struct sockaddr *)&sa, sizeof(sa));
  CHK_ERR(err, "connect");

  // Load my own client cert from a p12 file
  FILE *fp;
  EVP_PKEY *pkey;
  X509 *cert;
  STACK_OF(X509) *ca = NULL;
  PKCS12 *p12;

  // PKCS#12 is a binary format: open with "rb" so Windows text mode cannot alter it
  if (!(fp = fopen("mycert.p12", "rb"))) {
    fprintf(stderr, "Error opening file mycert.p12 \n");
    exit(1);  // do not pass a NULL FILE* to d2i_PKCS12_fp()
  }

  p12 = d2i_PKCS12_fp(fp, NULL);
  fclose(fp);
  if (!p12) {
    printf("Error reading PKCS#12 file\n");
    ERR_print_errors_fp(stderr);
    exit(1);
  }

  if (!PKCS12_parse(p12, "akey", &pkey, &cert, &ca)) {
    printf("Error parsing PKCS#12 file\n");
    ERR_print_errors_fp(stderr);
    exit(1);
  }

  PKCS12_free(p12);
  SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_CTX_get_options(ctx));
  SSL_CTX_set_info_callback(ctx, (void (__cdecl *)(void))&client_info_callback);
  err = SSL_CTX_use_certificate(ctx, cert);
  err = SSL_CTX_use_PrivateKey(ctx, pkey);
  err = SSL_CTX_set_cipher_list(ctx, SSL3_TXT_RSA_RC4_128_MD5);
  // Verify the server certificate against the CA file/directory loaded below
  SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, &verify_callback);
  if ((!SSL_CTX_load_verify_locations(ctx, "myCa", "d:\\mypath")) ||
      (!SSL_CTX_set_default_verify_paths(ctx))) {
    exit(-1);
  }
  int connErr = 0;
  ssl = SSL_new(ctx);
  SSL_set_connect_state(ssl);
  err = SSL_set_fd(ssl, sd);
  if (!checkError(ssl, err)) {
    exit(-1);
  }
  err = SSL_connect(ssl);
...
 
 
Please help?
 
Best regards 
Frank


Compiling problems on Windows NT

2001-02-07 Thread Julie Ruiz

Please could someone help me with the problem when I am compiling the
OpenSSL, it is urgent
What I am doing wrong???
Can you help me with the installation???

 I am trying to install the OpenSSL but it
fails.
I am working on Windows NT Workstation 4.0 so I installed the Mingw32
package. GNU make and  Perl for Win32

I followed the instructions for the win32 platform working with the GNU C
(Mingw32) but when I try to compile the OpenSSL it fails and the
following messages appear:

D:\openssl-0.9.6\ms>mingw32
D:\openssl-0.9.6\ms>perl Configure Mingw32
Configuring for Mingw32
IsWindows=1
unable to read opensslv.h:No such file or directory
Generating x86 for GNU assember
Bignum
Can't locate x86asm.pl in @INC (@INC contains: D:/Perl/lib
D:/Perl/site/lib . perlasm ../../perlasm)
 at x86.pl line 4.
DES
Can't open perl script "des-586.pl": No such file or directory
crypt
Can't open perl script "crypt586.pl": No such file or directory
Blowfish
Can't locate x86asm.pl in @INC (@INC contains: D:/Perl/lib
D:/Perl/site/lib . perlasm ../../perlasm)
 at bf-586.pl line 4.
CAST5
Can't locate x86asm.pl in @INC (@INC contains: D:/Perl/lib
D:/Perl/site/lib . perlasm ../../perlasm)
 at cast-586.pl line 7.
RC4
El sistema no ha encontrado la ruta de acceso especificada.
Can't open perl script "rc4-586.pl": No such file or directory
MD5
El sistema no ha encontrado la ruta de acceso especificada.
Can't open perl script "md5-586.pl": No such file or directory
SHA1
El sistema no ha encontrado la ruta de acceso especificada.
Can't open perl script "sha1-586.pl": No such file or directory
RIPEMD160
El sistema no ha encontrado la ruta de acceso especificada.
Can't open perl script "rmd-586.pl": No such file or directory
RC5\32
El sistema no ha encontrado la ruta de acceso especificada.
Can't open perl script "rc5-586.pl": No such file or directory
Generating makefile
Can't open perl script "util\mkfiles.pl": No such file or directory
El sistema no ha encontrado la ruta de acceso especificada.
El sistema no ha encontrado la ruta de acceso especificada.
Generating DLL definition files
El sistema no ha encontrado la ruta de acceso especificada.









RE: can I obtain certificate expiry dates using openssl?

2001-02-07 Thread Dicks, Gareth M

Hi Greg,

Many thanks, you seem to have a good handle on this and have explained well.
I'll give this a whirl but watch your inbox for more help!!

Regards,
Gareth

-Original Message-
From: Greg Stark [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 06, 2001 7:25 PM
To: Dicks, Gareth M; [EMAIL PROTECTED]
Subject: Re: can I obtain certificate expiry dates using openssl?


Yes, openssl can help here. When you build the openssl package a number of
useful utilities are also built along with the libraries. One of these is
called openssl. If cert.pem is a certificate in PEM format, then

openssl x509 -in cert.pem -dates -noout

will give you two dates, the second of which you are interested in. For
example,

openssl x509 -in thawte_server.cer -dates -noout
notBefore=Aug  1 00:00:00 1996 GMT
notAfter=Dec 31 23:59:59 2020 GMT

A more interesting x509 option is the -checkend option, which sounds like
exactly what you are looking for. It answers the question "Does this
certificate expire within the next s seconds?",  and returns 1 if it does
expire, or otherwise.

so maybe something like (I forget how to do arithmetic in shells these days)

days=30                        # alert window in days (example value)
secs=$((days * 24 * 3600))
# -checkend exits 1 if the certificate expires within ${secs} seconds, 0 if not
if openssl x509 -in cert.pem -checkend ${secs} -noout; then
    echo "plenty of time"
else
    echo "It will soon expire"
fi

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_



- Original Message -
From: "Dicks, Gareth M" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; "Dicks, Gareth M"
<[EMAIL PROTECTED]>
Sent: Tuesday, February 06, 2001 1:26 PM
Subject: can I obtain certificate expiry dates using openssl?


> Hi,
>
> I'm after some advice and tips please!
>
> I want to write a simple script (ksh?) that interrogates the SSL
> certificates on our Web servers (NES 3.6) and automatically alerts via
> unicentre when the certificates are close to expiring.
>
> I've been told that openssl can provide the tools to obtain the date info
> from the cert.. Can anyone offer any help on how to do this?
>
> Some details that may prove useful
>
> * O/S - Solaris 2.6
> * Netscape Enterprise Server 3.6
> * Certs issued by VeriSign
> * openssl 0.9.6 installed
>
> Many thanks
> Gareth

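Added example (not Greg's or Gareth's code, and not part of OpenSSL): the -checkend check described above, extended to several certificates and to the case where a file cannot be parsed at all, which -checkend alone would report the same way as an expiring certificate. It assumes the server certificates have been exported to PEM files; the function names and the day window passed in are hypothetical.

```shell
#!/bin/sh
# Added example: classify PEM certificates by remaining lifetime using
# "openssl x509 -checkend", for use in an expiry alert script.

# cert_status FILE DAYS -> prints ok | expiring | expired | unreadable
cert_status() {
    pem_file=$1
    window_days=$2
    # -checkend also exits non-zero when the file cannot be parsed, so rule that
    # out first instead of reporting a broken file as "expired".
    if ! openssl x509 -in "$pem_file" -noout >/dev/null 2>&1; then
        echo unreadable
        return 2
    fi
    # -checkend N: exit 0 = still valid N seconds from now, exit 1 = expired by then.
    if ! openssl x509 -in "$pem_file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$pem_file" -noout \
            -checkend "$((window_days * 86400))" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# check_certs DAYS FILE... -> one "status file notAfter" line per certificate.
# Returns 1 if any certificate is not "ok", so a scheduler can raise an alert.
check_certs() {
    threshold_days=$1
    shift
    attention=0
    for cert_file in "$@"; do
        state=$(cert_status "$cert_file" "$threshold_days") || true
        case "$state" in
            ok) ;;
            *) attention=1 ;;
        esac
        # -enddate prints "notAfter=<date>"; keep only the date part for the report.
        not_after=$(openssl x509 -in "$cert_file" -noout -enddate 2>/dev/null) \
            || not_after="notAfter=unknown"
        echo "$state $cert_file ${not_after#notAfter=}"
    done
    return "$attention"
}
```

A scheduled job can call `check_certs 30 /path/to/*.pem` and forward any line that does not start with "ok" to the alerting system.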


Client certificate from perl script

2001-02-07 Thread Knut Olav Bøhmer

Hi

I wonder if it is possible to make the following script use my client
certificate, or do I have to do it in some other way? I have tried to read
the examples, docs and man pages, but I don't understand them 100%.

I got some files with X509 certificates that I am supposed to use, but I
am not sure if it is in the correct format. Is it possible to convert
certificate files from one format to another?

--
use Net::SSLeay;
Net::SSLeay::SSLeay_add_ssl_algorithms();

my $port = "xxx";
my $host = "xxx.xx.xx";
my $path="/serverscript.cgi";  

my ($page, $result, %headers) = &Net::SSLeay::get_https($host, $port,$path);
print $page;
--



-- 
 _   _   
   / /  (_)__  __   __   
  / /__/ / _ \/ // /\ \/ /  ... The choice of a  
 //_/_//_/\.,_/ /_/\.\ GNU generation





RE: PERL and secure Sockets

2001-02-07 Thread Bill Stennett

The Crypt::SSLeay works OK.  Unfortunately Activestate don't seem to have a
version of IO-Socket-SSL for the WIN32 platform (only linux and solaris) so
I think we may have to look at something other than PERL.

Thanks for your help

Bill Stennett


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Fisher, James
Sent: Tuesday, February 06, 2001 3:55 PM
To: '[EMAIL PROTECTED]'
Subject: RE: PERL and secure Sockets


Install CRYPT::SSLeay

how to
-   Open dos prompt
-   type ppm
-   type "install Crypt::SSLeay"
-   type "y"
-   done

Then you can just use a normal LWP request and just put an s on the end of
https.

If you need lower level functionality you will have to get the io-socket-ssl
module.  Since you were having issues with ppm, you could just go to CPAN
and download the tar and install it or go to www.activestate.com/packages I
think or its /modules.

-Original Message-
From: Bill Stennett [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 06, 2001 7:44 AM
To: [EMAIL PROTECTED]
Subject: RE: PERL and secure Sockets


Thanks Thomas

We are indeed using the ActiveState version of PERL.  I don't seem to be able
to access the io-socket-ssl module though.  I changed (I think) the PPM
repository to point to http://www.ActiveState.com/PPMPackages/5.6plus/ but
PPM will not list / install the modules. I'll keep plugging away at it.

One question though: do you know if the
http://www.ActiveState.com/PPMPackages/5.6plus/ directory requires a
particular version of PERL etc.  I just wonder why the modules are in this
directory and not in the standard repository?

Also, I have searched high and low for examples of how this module should
be used  but to no avail.  If anyone has any examples of using IO-Socket-SSL
it would be very interesting

Thanks

Bill

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Thomas Bätzler
Sent: Tuesday, February 06, 2001 10:41 AM
To: '[EMAIL PROTECTED]'
Subject: RE: PERL and secure Sockets


Hi,

> Bill Stennett [SMTP:[EMAIL PROTECTED]] asked:
> Does anyone have any experience of using PERL to communicate over a secure
> socket?  To make matters worse we need to run PERL on a Windows NT
> platform.
>
I haven't tried this (yet), but a quick CPAN search would suggest
that the Perl module IO::Socket::SSL has what you need. See
http://search.cpan.org/doc/ASPA/IO-Socket-SSL-0.77/lib/IO/Socket/SSL.pm
for a description of the module.

Now if you're on NT, it's almost certain you'd want to use the
ActiveState Perl port (http://www.activestate.com). However, the
IO::Socket::SSL module is not in their standard repository. You
will have to add http://www.ActiveState.com/PPMPackages/5.6plus/
to the list of repositories to search in ppm, their Perl Package
manager.

HTH,
Thomas
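
The thread above asks for IO::Socket::SSL usage examples. The following is an added example, not code from any poster in this thread: a client that verifies the server certificate and host name, run against a throwaway loopback server so it works offline. It assumes a current IO::Socket::SSL (with IO::Socket::SSL::Utils) on a platform with a working fork(); the CA, the certificate, the host names and the tls_request helper are constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);
use IO::Socket::SSL;
use IO::Socket::SSL::Utils;    # CERT_create, PEM_cert2file, CERT_free

# Constructed test material: a private CA and a leaf certificate for "localhost".
my ($ca_cert, $ca_key) = CERT_create(CA => 1, subject => { commonName => 'Example Test CA' });
my ($srv_cert, $srv_key) = CERT_create(
    subject         => { commonName => 'localhost' },
    subjectAltNames => [ [ DNS => 'localhost' ] ],
    issuer_cert     => $ca_cert,
    issuer_key      => $ca_key,
);
my (undef, $ca_file) = tempfile(SUFFIX => '.pem', UNLINK => 1);
PEM_cert2file($ca_cert, $ca_file);

# TLS listener on an ephemeral loopback port, served by a forked child.
my $server = IO::Socket::SSL->new(
    LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 5,
    SSL_cert  => $srv_cert,   SSL_key   => $srv_key,
) or die "listen failed: $SSL_ERROR";
my $port = $server->sockport;
defined(my $pid = fork()) or die "fork failed: $!";
if ($pid == 0) {
    for (1 .. 2) {                            # one iteration per client call below
        my $conn = $server->accept or next;   # undef when the handshake is aborted
        my $request = <$conn>;
        print $conn "hello over TLS\n";
        close $conn;
    }
    exit 0;
}

# Client: trust only the test CA and require the certificate to match $name.
sub tls_request {
    my ($name) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerAddr            => '127.0.0.1',
        PeerPort            => $port,
        SSL_ca_file         => $ca_file,          # trust anchor: the test CA only
        SSL_verify_mode     => SSL_VERIFY_PEER,   # reject certificates that do not verify
        SSL_verifycn_scheme => 'http',            # match names the way HTTPS clients do
        SSL_verifycn_name   => $name,             # name the certificate must carry
    ) or return "refused ($SSL_ERROR)";
    print $sock "ping\n";
    my $reply = <$sock>;
    close $sock;
    return "no reply" unless defined $reply;
    chomp $reply;
    return "ok: $reply";
}
print "expecting localhost:     ", tls_request('localhost'), "\n";
print "expecting other.example: ", tls_request('other.example'), "\n";
waitpid($pid, 0);
CERT_free($ca_cert, $srv_cert);
```

The first call succeeds; the second is refused during the handshake because the certificate names localhost, not other.example.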



my posts for help getting DSO and mod_blah running

2001-02-07 Thread terr

Due to a malformed lib.so it didn't work.  In apache_1.3.14+openssl_1.42 it appears
the apxs script gets broken.

I have it running now.

I also have a sample script from a friend who helped me and I'll start going through it
tomorrow.

... still don't know why apxs broke.  I'll look into that too.




猎星 HR Information Express -- Personal Edition

2001-02-07 Thread news

Re: Resources about setting up CA?

2001-02-07 Thread terr

Raymond.

We may be doing similar things and it may be useful to share knowledge.

On Wed, Feb 07, 2001 at 09:08:16AM +0100, Elisee NGAN TAMBA wrote:
> 
>   Go to http://www.openca.org
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of LI CHEUK FAI
> Sent: Wednesday, February 07, 2001 8:41 AM
> To: [EMAIL PROTECTED]
> Subject: Resources about setting up CA?
> 
> 
> Hello,
> 
> I have worked with Openssl to do various tasks like self cert signing by
> setting up a simple CA with the script sign.sh that came with modssl.
> 
> 
> But if I am going to setup a formal CA for my company's internal use, I
> think I may need more preparation. For instance, I have to setup a LDAP
> server for CRL publishing. I have to setup a web server and related CGI so
> that cert application could be done through browser. And I have to plan
> the hierarchy of the CAs and RAs.
> 
> 
> All of these would be a big task. Are there any Internet resources about
> setting up a CA with open-source software? I think Openssl could do the
> core work. But I would still need more for a full-function CA.
> 
> 
> Besides, it seems that Openssl is not GPL. Would there be any concerns in
> building a CA with it?
> 
> 
> Yours,
> 
> Raymond
> 
> 