Certificate migration

2001-02-20 Thread Gil Schindler

Hi,

I am using OpenSSL with the Apache server.
My clients work with Verisign and Entrust CA, and have a key and certificate
for the IIS web server.
Does OpenSSL have a command that migrates the key and/or certificate from
IIS to Apache?

Thank you
Gil Schindler
Development Team Leader
Application server group
Radware Ltd.




__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



ASN.1 example

2001-02-20 Thread Antonio Ruiz Martínez

Hi all!

I'm a novice with OpenSSL and I want to make an ASN.1 structure, for
example:

SEQUENCE {
    a PrintableString,
    b PrintableString
}

Afterwards, I want to get the DER encoding of this sequence.
Does anybody have an example, please?
I need an example to see how to do it.

Thanks in advance.
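
The structure asked about above, encoded by hand in dependency-free C. This is an added example, not part of the original post and not OpenSSL's own ASN.1 API; the function name der_encode_pair and the sample strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAG_PRINTABLESTRING 0x13 /* universal, primitive */
#define TAG_SEQUENCE        0x30 /* universal, constructed */

/* PrintableString permits only A-Z a-z 0-9 space ' ( ) + , - . / : = ? */
static int is_printable_string(const char *s)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        int alnum = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                    (c >= '0' && c <= '9');
        if (!alnum && strchr(" '()+,-./:=?", c) == NULL)
            return 0;
    }
    return 1;
}

/* DER definite length: one byte below 128, otherwise 0x80|n followed by the
 * n-byte big-endian value with no leading zeros. out == NULL only counts. */
static size_t der_put_len(unsigned char *out, size_t len)
{
    unsigned char be[sizeof(size_t)];
    size_t n = 0, i;
    if (len < 0x80) {
        if (out) out[0] = (unsigned char)len;
        return 1;
    }
    for (; len != 0; len >>= 8)
        be[n++] = (unsigned char)(len & 0xff); /* least significant first */
    if (out) {
        out[0] = (unsigned char)(0x80 | n);
        for (i = 0; i < n; i++)
            out[1 + i] = be[n - 1 - i];
    }
    return 1 + n;
}

/* Size of a complete tag-length-value with a one-byte tag. */
static size_t der_tlv_size(size_t content_len)
{
    return 1 + der_put_len(NULL, content_len) + content_len;
}

/* Write one PrintableString TLV; the caller has validated s and the space. */
static size_t der_put_printable(unsigned char *out, const char *s)
{
    size_t len = strlen(s), hdr;
    out[0] = TAG_PRINTABLESTRING;
    hdr = 1 + der_put_len(out + 1, len);
    memcpy(out + hdr, s, len);
    return hdr + len;
}

/* Encode SEQUENCE { a PrintableString, b PrintableString } into out.
 * Returns the encoded size, or 0 if a string contains a character outside
 * the PrintableString set or the result would not fit in cap bytes. */
size_t der_encode_pair(const char *a, const char *b,
                       unsigned char *out, size_t cap)
{
    size_t body, off;
    if (!is_printable_string(a) || !is_printable_string(b))
        return 0;
    body = der_tlv_size(strlen(a)) + der_tlv_size(strlen(b));
    if (der_tlv_size(body) > cap)
        return 0;
    out[0] = TAG_SEQUENCE;
    off = 1 + der_put_len(out + 1, body);
    off += der_put_printable(out + off, a);
    off += der_put_printable(out + off, b);
    return off;
}

int main(void)
{
    unsigned char buf[64];
    size_t i, n = der_encode_pair("hello", "world", buf, sizeof buf); /* constructed sample values */
    for (i = 0; i < n; i++)
        printf("%02X ", buf[i]);
    printf("\n");
    return n == 0;
}
```

The output can be cross-checked by writing the bytes to a file and running openssl asn1parse -inform DER on it.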





compiling problems on NT 4.0

2001-02-20 Thread heiko . mahr

I run Win NT 4.0 SP5 and installed gcc-2.95.2-msvcrt.exe, make-3.76.1.exe
(which means I just unzipped the files in a directory, or do I have to
"install" them somehow?) and ActivePerl 5.6.0.623.
When I start compiling openssl the following errors come up and the
compilation stops.

I hope that anyone can help me.
Thanx!

Heiko


Generating makefile
Generating DLL definition files
Building OpenSSL
mkdir outinc\openssl
copy .\crypto\buildinf.h tmp\buildinf.h
1 Datei(en) kopiert.
copy .\crypto\opensslconf.h outinc\openssl\opensslconf.h
1 Datei(en) kopiert.
gcc -o tmp\cryptlib.o  -Ioutinc -Itmp -O3 -fomit-frame-pointer -DDSO_WIN32  -c .\crypto\cryptlib.c
gcc: .cryptocryptlib.c: No such file or directory
gcc: No input files
make: *** [tmp\cryptlib.o] Error 1
You can ignore the error messages above
1 Datei(en) kopiert.
Building the libraries
Building OpenSSL
gmkdir outinc/openssl
process_begin: CreateProcess((null), gmkdir outinc/openssl, ...) failed.
make (e=2): Das System kann die angegebene Datei nicht finden. (system can't find the file)
make: *** [outinc/openssl] Error 2
C:\openssl-0.9.6




please help apache-ssl

2001-02-20 Thread Christoph Hubmann



Hello all,
I am new on this list. Linux machine, Red Hat 6.2.
I compiled openssl-0.9.6,
then patched and compiled apache-1.3.14 with no problems.

After that I made certs with the following commands:
cd /usr/local/ssl/private
openssl genrsa -des3 -out MyCA.key
openssl genrsa -des3 -out ServerCA.key
openssl genrsa -des3 -out ClientCA.key
cd ../certs
openssl req -new -x509 -days 90 -key ../private/MyCA.key -out MyCA.crt
openssl req -new -key ../private/ServerCA.key -out ServerCA.csr
openssl req -new -key ../private/ClientCA.key -out ClientCA.csr
openssl ca -cert MyCA.crt -in ServerCA.csr -keyfile ../private/MyCA.key -out ServerCA.crt
openssl ca -cert MyCA.crt -in ClientCA.csr -keyfile ../private/MyCA.key -out ClientCA.crt
openssl pkcs12 -export -in MyCA.crt -inkey ../private/MyCA.key -out MyCA.pfx

in httpd.conf:
SSLCACertificatePath /usr/local/ssl/certs
SSLCACertificateFile /usr/local/ssl/certs/ClientCA.crt
SSLCertificateFile /usr/local/ssl/certs/ServerCA.crt
SSLCertificateKeyFile /usr/local/ssl/private/ServerCA.key
SSLVerifyClient 1
SSLVerifyDepth 1

With SSLVerifyClient 0 there is no problem.
With SSLVerifyClient 1, I can't connect to the server. In the error_log is the
following message:
[Tue Feb 20 16:01:14 2001] /usr/local/src/apache_1.3.14/src/modules/ssl/gcache started
[Tue Feb 20 16:01:14 2001] [debug] apache_ssl.c(369): Random input /dev/urandom(1024) - 1024
[Tue Feb 20 16:01:14 2001] [info] created shared memory segment #118657
[Tue Feb 20 16:01:14 2001] /usr/local/src/apache_1.3.14/src/modules/ssl/gcache started
[Tue Feb 20 16:01:14 2001] [notice] Apache/1.3.14 Ben-SSL/1.42 (Unix) configured -- resuming normal operations
[Tue Feb 20 16:01:14 2001] [info] Server built: Feb 16 2001 16:46:27
[Tue Feb 20 16:01:27 2001] [debug] apache_ssl.c(369): Random input /dev/urandom(1024) - 1024
[Tue Feb 20 16:01:29 2001] [error] SSL_accept failed
[Tue Feb 20 16:01:29 2001] [error] error:140890B0:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificates returned

What is wrong? I use Netscape 4.75.

Please help

Christoph Hubmann


Xenroll and OpenSSL

2001-02-20 Thread Sandipan Gangopadhyay

Back in 1997, there was a discussion with Dr Henson on the use of
Xenroll.dll with MSIE and (then SSLeay) OpenSSL.
http://remus.prakinf.tu-ilmenau.de/ssl-users/archive22/0040.html

Could someone tell me anything about the following two issues:

1. Xenroll uses ActiveX that is by default disabled in IE5.5 for reasons of
security. Is there anything new from MS that doesn't use ActiveX and will
work on the client without specially installing software for this purpose?

2. Does anyone know of some URL where I can learn how to use Xenroll? With
OpenSSL? That can then be processed by openssl with req (if required) and
ca? I have found some resources at MS and over Google, but nothing
comprehensive.

Regards,

Sandipan




Re: please help apache-ssl

2001-02-20 Thread Jorge Olmos

I don't know much about modssl, but
if you set SSLVerifyClient to 1 you are telling the server
to authenticate its clients (cryptographically verify the
client's identity).

An entity (let's say somebody connecting to your server)
needs a certificate in order to be authenticated, but hardly any
web user has his own certificate (you have to buy it or
make your own certification authority and make the
server trust it). And that is your error message: your
browser does not have a certificate.

Just don't set SSLVerifyClient to 1 if you want usual people
(99% of web users) to be able to get into your web.

Christoph Hubmann wrote:

> in httpd.conf:
> SSLCACertificatePath /usr/local/ssl/certs
> SSLCACertificateFile /usr/local/ssl/certs/ClientCA.crt
> SSLCertificateFile /usr/local/ssl/certs/ServerCA.crt
> SSLCertificateKeyFile /usr/local/ssl/private/ServerCA.key
> SSLVerifyClient 1
> SSLVerifyDepth 1
>
> with SSLVerifyClient 0 there is no problem
> with SSLVerifyClient 1, i can't connect to the server. in the error_log is
> the following message:
> [Tue Feb 20 16:01:14 2001] /usr/local/src/apache_1.3.14/src/modules/ssl/gcache started
> [Tue Feb 20 16:01:14 2001] [debug] apache_ssl.c(369): Random input /dev/urandom(1024) - 1024
> [Tue Feb 20 16:01:14 2001] [info] created shared memory segment #118657
> [Tue Feb 20 16:01:14 2001] /usr/local/src/apache_1.3.14/src/modules/ssl/gcache started
> [Tue Feb 20 16:01:14 2001] [notice] Apache/1.3.14 Ben-SSL/1.42 (Unix) configured -- resuming normal operations
> [Tue Feb 20 16:01:14 2001] [info] Server built: Feb 16 2001 16:46:27
> [Tue Feb 20 16:01:27 2001] [debug] apache_ssl.c(369): Random input /dev/urandom(1024) - 1024
> [Tue Feb 20 16:01:29 2001] [error] SSL_accept failed
> [Tue Feb 20 16:01:29 2001] [error] error:140890B0:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificates returned
>
> what is wrong? i use netscape 4.75
>
> please help
>
> christoph hubmann

--

Jorge Olmos Fors





RE: PKCS12

2001-02-20 Thread Dutta, Sumanta

Changing keystore.type in java.security won't work alone. You have to
have the right provider available. Sun provides a PKCS#12 keystore provider
in their new JSSE1.0.2. Install that. You can now create a PKCS#12 type
keystore using the API, though the keytool still fails, at least that
happened with me. You could also extract the DER certificate (or PEM
certificate using the -rfc option of keytool) from a standard JKS type keystore
and use openssl's pkcs12 utility to convert it to a PKCS#12 type certificate.
You may require the private key as input. Get that from the store using the API.
I had done this, and it works.

Hope this helps...
Sumanta.

> -Original Message-
> From: Julie Ruiz [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, February 19, 2001 11:32 AM
> To:   [EMAIL PROTECTED]
> Subject:  PKCS12
> Importance:   High
>
> Hi,
>
> Tomcat uses SSL directly, I use the keytool of the JDK to generate the
> key pair and a self certificate.
> I need to generate certificates for clients but the browser says that it
> has to be in the format PKCS12.
> For the keytool I specify a keystore type at the command line, via the
> -storetype option and I put that it uses pkcs12, but it does not function.
> I also changed the value of the keystore.type property specified in the
> security properties file "java.security", that resides in the JDK
> security properties directory, java.home\lib\security, and that also didn't
> function.
>
> How can I generate a certificate with the pkcs12 format using the
> keytool of the JDK?
>
> Julie.
 
 
 






Re: Xenroll and OpenSSL

2001-02-20 Thread Greg Stark

Sandipan,

I do not know in what sense ActiveX is disabled in IE5.5. Perhaps for
unsigned downloaded controls? In any event, Xenroll.dll houses the
Certificate Enrollment Control. It is documented in the Platform SDK, the
MSDN library, and the MSDN Online library. Look under PlatformSDK -
Security - Certificate Services and Components - Certificate Enrollment
Control. If you want to run it from IE,  pay particular attention to the
VBscript examples.

You can find the online documentation at
http://msdn.microsoft.com/library/psdk/certsrv/crtsvnode_intro_8f3n.htm
I can also provide you with a few examples.

When you ask how Xenroll can work with OpenSSL, do you want to use Xenroll to
generate the certificate requests and use openssl to sign them? This can
certainly be done.

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_



- Begin Original Message -
From: "Sandipan Gangopadhyay" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 20, 2001 9:14 AM
Subject: Xenroll and OpenSSL


Back in 1997, there was a discussion with Dr Henson on the use of
Xenroll.dll with MSIE and (then SSLeay) OpenSSL.
http://remus.prakinf.tu-ilmenau.de/ssl-users/archive22/0040.html
Could someone tell me anything about the following two issues :
1. Xenroll uses ActiveX that is by default disabled in IE5.5 for reasons of
security. Is there anything new from MS that doesnt use ActiveX and will
work on the client without specially installing software for this purpose ?

2. Does anyone know of some URL where I can learn how to use Xenroll ?
With OpenSSL ? That can then be processed by openssl with req (if required)
and ca ? I have found some resources at MS and over Google, but nothing
comprehensive.
Regards,
 Sandipan
- End Original Message -







No Subject

2001-02-20 Thread De Taeye, Herman

Hello,

We want to build the following configuration:

BROWSER ===SSL===> PROXY <=== SSL ===> SERVER

1/ The BROWSER runs on a Windows system

2/ The PROXY is an Apache server running on a Solaris
system; it is configured as a reverse proxy

3/ The SERVER is an Apache Web Server under Solaris

Concerning the 2 SSL connections:

1/ The SSL connection between BROWSER and PROXY (as
the arrow suggests) provides one-way authentication. There is a server
certificate at the side of the PROXY machine and no client certificate

2/ The SSL connection between PROXY and SERVER (as the
arrows suggest) is a bi-lateral SSL connection. There is a server
certificate at the side of SERVER and a client certificate at the side
of PROXY

I have 2 problems related to the PROXY-SERVER connection:

1/ How to generate a client SSL certificate for the
PROXY? How to install it in the PROXY?

2/ The PROXY needs a CA certificate in order to be
able to check the SERVER certificate.
A CA certificate is very easy to install in the browser, but how to
install this CA certificate in the PROXY?

Could you help us?

Thank you

Herman De Taeye



To 'no-idea' or not to 'no-idea' in the US ?

2001-02-20 Thread Ricardo Stella


Dumb FAQ probably...

Now that the RSA patent has expired, we can compile without rsaref.  But
should we still compile with 'no-idea' here in the US?

TIA...


-- 
--
 Ricardo Stella  O.I.T.
 (609)896-5000 x7436   _suAve_   Rider University
 *** SPAM will not be tolerated  ***




IBM SSL Version

2001-02-20 Thread barry . coatesworth-stuart
 BDY.RTF








RE: HTTPS

2001-02-20 Thread Nelson Gomes





http://sourceforge.net/projects/aphid/
http://www.apachetoolbox.com/
http://www.delouw.ch/linux/apache.phtml


If you're using a Unix based system, try to use one of those tools above. I used apachetoolbox, and it didn't do the entire job for me, but it helped a lot (it downloads the required packages automatically!), and helped in some configuration steps.

After that, you'll need to make a production certificate, and apply it...


I hope this helps you (it's working for me :) ), now you're on your own!


Nelson
Portugal


-Original Message-
From: Paulo Ricardo Trainini [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 20, 2001 5:24 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: HTTPS



I need to accept HTTPS requests in apache. So I tried to install
/usr/ports/www/apache13-mod_ssl. It said that it requires OpenSSL. So I
tried to install /usr/ports/security/openssl. But it said that OpenSSL is
already installed in the base system. The version of my system is FreeBSD 4.1.


During the installation, I didn't install the crypto collection. Maybe this
is the cause of my problem, but I don't know for sure.


What do I do to install apache13-mod_ssl to make apache accept https requests?


Thank you


  Paulo


---
Paulo Ricardo Trainini
Consultor
Tel.: (51) 338.7284 - [EMAIL PROTECTED]
FORTNET - Soluções para Redes de Computadores





LDAP over SSL

2001-02-20 Thread Tat Sing Kong

Has anyone successfully got the Netscape LDAP SDK to talk to an SSL
server written using openssl?

On my server I have done...

SOCKET sock;
m_pSSLContext = SSL_CTX_new( SSLv23_client_method());
m_pSSL = SSL_new(m_pSSLContext);
SSL_set_fd(m_pSSL, sock);
SSL_accept(m_pSSL);

On my client...

ldapssl_client_init("c://temp//cert7.db", NULL);
pSession = ldapssl_init(HOST, SPORT, 1);
ldap_simple_bind_s(pSession, pszUserID, pszPassword);

However, my server call to SSL_accept() falls over, I know that the
certificates probably don't match but is there something more
fundamental I am missing out?

The docs aren't much help...

Tat.




Re: problems on AIX

2001-02-20 Thread Benjamin Collar

On Fri, 16 Feb 2001, Lutz Jaenicke wrote:

Hi Lutz,

> While you have compiled with "-g" you still did not extract the
> line number information. Did you strip (ld -s option) the executable?
> If you have compiled with debugging support and not stripped,
> you should receive a backtrace with line numbers in it.
Hmm, I'm looking around the Makefile but don't see anything related to
stripping. I added the -g to the CFLAG line. Do you know where I can find
the strip option?

Thanks
Ben




Re: Xenroll and OpenSSL

2001-02-20 Thread Sandipan Gangopadhyay


- Original Message -
From: "Greg Stark" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 20, 2001 8:34 PM
Subject: Re: Xenroll and OpenSSL


> Sandipan,
>
> I do not know in what sense ActiveX is disabled in IE5.5. Perhaps for
> unsigned downloaded controls?

On IE, if we look at Tools | Internet Options | Security Tab | Zones,
there are 4 zones:
Internet - ActiveX disabled by default
Intranet - ActiveX disabled by default
Trusted sites - ActiveX enabled by default
Restricted sites - ActiveX disabled by default
This has been carried out by MSIE on account of the many ActiveX based
viruses in 2000.
(This modification in default settings was also distributed in IE5.01 and
lower security updates last year)
This effect carries over to Outlook Express as well, BTW.

Xenroll.dll is on the harddisk, and I don't know how IE5.5 will deal with
that.
I tried the sample page at
http://www.informatik.fh-hamburg.de/pub/nt-service/sp6a-en.ext/ceenroll.asp
and my IE said this page contains ActiveX and did not allow it to be
invoked.

If you have IE5.5, and have the same settings as above, do you get an
ActiveX warning?
I assumed it invokes Xenroll on windows\system\xenroll.dll (ie, local
storage).

> In any event, Xenroll.dll houses the
> Certificate Enrollment Control. It is documented in the Platform SDK, the
> MSDN library, and the MSDN Online library. Look under PlatformSDK -
> Security - Certificate Services and Components - Certificate Enrollment
> Control. If you want to run it from IE,  pay particular attention to the
> VBscript examples.

Thanks a lot. I was simply unable to find this through MS Search engine.
I shall use these pages to come up the curve on Xenroll now.


> You can find the online documentation at
> http://msdn.microsoft.com/library/psdk/certsrv/crtsvnode_intro_8f3n.htm
> I can also provide you with a few examples.
>
> When you ask how can Xenroll work with OpenSSL, do you want use Xenroll to
> generate the certificate requests and use openssl to sign them? This can
> certainly be done.

That's exactly what I want. I shall have some CGI based script or OpenCA or
pyCA to handle the server end.

Any samples will be really helpful.

Regards,

Sandipan


> _
> Greg Stark
> Ethentica, Inc.
> [EMAIL PROTECTED]
> _
>
>
>
> - Begin Original Message -
> From: "Sandipan Gangopadhyay" [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, February 20, 2001 9:14 AM
> Subject: Xenroll and OpenSSL
>
>
> Back in 1997, there was a discussion with Dr Henson on the use of
> Xenroll.dll with MSIE and (then SSLeay) OpenSSL.
> http://remus.prakinf.tu-ilmenau.de/ssl-users/archive22/0040.html
> Could someone tell me anything about the following two issues :
> 1. Xenroll uses ActiveX that is by default disabled in IE5.5 for reasons of
> security. Is there anything new from MS that doesnt use ActiveX and will
> work on the client without specially installing software for this purpose ?
>
> 2. Does anyone know of some URL where I can learn how to use Xenroll ?
> With OpenSSL ? That can then be processed by openssl with req (if required)
> and ca ? I have found some resources at MS and over Google, but nothing
> comprehensive.
> Regards,
>  Sandipan
> - End Original Message -







Re: problems on AIX

2001-02-20 Thread Lutz Jaenicke

On Tue, Feb 20, 2001 at 11:23:46AM -0700, Benjamin Collar wrote:
> On Fri, 16 Feb 2001, Lutz Jaenicke wrote:
> > While you have compiled with "-g" you still did not extract the
> > line number information. Did you strip (ld -s option) the executable?
> > If you have compiled with debugging support and not stripped,
> > you should receive a backtrace with line numbers in it.
> Hmm, I'm looking around the Makefile but don't see anything related to
> stripping. I added the -g to the CFLAG line. Do you know where I can find
> the strip option?

Puh, I am not that familiar with AIX (my last experience was with 3.x
several years ago and I didn't like it :-)
Stripping may appear
* during link stage (ld is called with the -s option)
* by explicitly using the "strip" program
* during install (install is called with the -s option)

You should also take care that your CFLAGS are used in the command
performing the link...

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Symbol referencing errors. on solaris2.7

2001-02-20 Thread Al Elgert

Hi

I got the following config.log error message with gcc:

-
configure:4428: gcc -o conftest -g -O2 -Wall  -I/usr/local/include -I/opt  
-L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R
configure: In function `main':
configure:4422: warning: implicit declaration of function `RAND_add'
configure:4423: warning: implicit declaration of function `RAND_status'
Undefined                       first referenced
 symbol                             in file
RAND_add                            /var/tmp/ccTiRxaM.o
RAND_status                         /var/tmp/ccTiRxaM.o
ld: fatal: Symbol referencing errors. No output written to conftest
collect2: ld returned 1 exit status
configure: failed program was:
#line 4414 "configure"
#include "confdefs.h"

#include <string.h>
#include <openssl/rand.h>
int main(void) 
{
        char a[2048];
        memset(a, 0, sizeof(a));
        RAND_add(a, sizeof(a), sizeof(a));
        return(RAND_status() <= 0);
}
-

with cc:
-
configure:4428: cc -o conftest -g  -I/usr/local/include -I/opt  -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib
"configure", line 4417: cannot find include file: openssl/rand.h
cc: acomp failed for conftest.c
configure: failed program was:
#line 4414 "configure"
#include "confdefs.h"

#include <string.h>
#include <openssl/rand.h>
int main(void) 
{
        char a[2048];
        memset(a, 0, sizeof(a));
        RAND_add(a, sizeof(a), sizeof(a));
        return(RAND_status() <= 0);
}

-

The file rand.h:

-rw-r--r--   1 root other    4701 Sep 25 13:09 /usr/local/lib/include/openssl/rand.h


Additionally the option 
--with-ssl-dir
has no effect at all.


cu
Alexander

-- 
Alexander Elgert
Public Group
System Administration Group    TU Darmstadt