Re: Intermittent "Data Encryption Error" on IE or "Network IO Error" on Netscape
[EMAIL PROTECTED] writes:

>I'm using apache 1.3.17, mod_ssl 2.8.0-1.3.17 and openssl 0.9.6
>The server is a G4 running MacOS X Server 1.2. The certificate is from
>VeriSign
>
>What we are observing is that 90-95% of the requests to https return with
>"Data Encryption Error" on IE or "Network IO Error" on Netscape. If
>there's
>going to be an error, the response is immediate.

Mark, look back a few weeks in the archive. I have the same configuration and was experiencing the same problems, but found I had to add another line to the config file (in addition to what the FAQ suggests). I think it was:

    SSLProtocol all -SSLv3

...but check back to be sure.

John
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: was Re: Apologies, now is 'no-idea'
IDEA is patented in the U.S. I believe the patent holders have made it available royalty-free for *some* uses, but you need to check with them (http://www.media-crypt.com/).

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_

- Original Message -
From: "Ricardo Stella" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 21, 2001 11:33 AM
Subject: was Re: Apologies, now is 'no-idea'

>
> So, this is not spam... :)
>
> Now, to make sure it's not spam, I'll ask again:
>
> In the US, should we compile with 'no-idea' or not ?
>
> TIA.
>
> "Leland V. Lammert" wrote:
> >
> > Sorry folks, I meant to direct the previous message directly to the
> > miscreant that does not know how to use a mailing list.
> >
> > Lee
>
> --
> Ricardo Stella O.I.T.
> (609)896-5000 x7436 _suAve_ Rider University
> *** SPAM will not be tolerated ***
>
Re: ASN.1 INTEGER
Antonio Ruiz Martínez wrote:
>
> Hello!
>
> I have a problem with ASN.1. Can anybody help me?

RTFM

> I've got code that creates an integer encoded in DER but I
> can't decode the object properly.
> Where's the problem?
> My code is:
> ASN1_INTEGER *version=NULL;
> unsigned char *der=NULL;
>
> version=ASN1_INTEGER_new();
>
> ASN1_INTEGER_set(version,1243);
>
> long pp=ASN1_INTEGER_get(version);
> printf("Integer: %ld\n",pp);
>
> int londer=i2d_ASN1_INTEGER(version,NULL);
> der=(unsigned char *)OPENSSL_malloc(londer);

unsigned char *der_tmp = der;

> londer= i2d_ASN1_INTEGER(version,&der);

must be:

londer = i2d_ASN1_INTEGER(version,&der_tmp);

der_tmp will point after the DER data ! (RTFM)

> ASN1_INTEGER *version2=NULL;

der_tmp = der;

> version2=d2i_ASN1_INTEGER(NULL,&der,londer);

version2=d2i_ASN1_INTEGER(NULL,&der_tmp,londer);

> pp=ASN1_INTEGER_get(version2);
> printf("Integer: %ld\n",pp);
> This last printf says that the Integer is 0 but the integer is
> 1234.
> Why?

Did you ever test the value of version2? It should be a null pointer...

Bye
Goetz

--
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
Re: SSL_read buffering problem?
Thanks Lutz,

And further reading on the archive and Google has also enlightened me on this. I'm actually almost surprised that this has worked at all, but I guess it depends on the relative sizes of the SSL block and my 8k block.

I don't want to sound too ignorant of SSL (although I am), but what is the block size in the SSL buffering layer? It could make a difference to the way I want to change our code. If the block size is not much larger than 8k, then I guess I could do an SSL_pending() and read the remainder. If it is much larger then I could change the loop construct to include both real read events from select() and virtual read events from SSL_pending().

In our application the WANT_READ, etc. is handled locally by re-calling SSL_read (or SSL_write, or ...) until the condition ends. I guess this is safe?

G.

Lutz Jaenicke <[EMAIL PROTECTED]> on 2001-02-21 15:14:20
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: George Shaw/EMEA/Viewlocity)
Subject: Re: SSL_read buffering problem?

On Wed, Feb 21, 2001 at 01:25:08PM -0500, [EMAIL PROTECTED] wrote:
> Does the SSL layer have its own read buffering?

Since the data come in in blocks (encrypted, with checksum etc) internal buffering occurs that may not fall together with your 8kB boundary.

> Our application has a standard non-blocking socket loop where we wait for a read
> event, read 8k, and go back to wait for more. If we have more than 8k then we
> have multiple events until the data is complete.
>
> On extending the application to use OpenSSL, this seemed to work OK during
> testing, replacing the socket read with SSL_read. But now I have a case where,
> from the debug output, it seems that the SSL_read reads all available data, but
> only returns the 8k requested. As a result when we return to wait, there is no
> read event to trigger any further calls to SSL_read, as all the data has already
> been read.

Use SSL_pending() to see whether there are still data available inside the SSL and/or underlying BIO. Only try to select() on the read (write) event if the call to SSL_read()/SSL_get_error() returns the WANT_READ or WANT_WRITE condition.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: REMOVE
At 06:24 PM 2/21/01 +0600, you wrote:
>REMOVE

Hey dufus, THIS IS SPAM! It is NOT polite, .. nor is it appreciated by the rest of us. There are a lot of folks out here that see enough email at the present time, .. please do NOT bother us with YOUR problems. There is ABSOLUTELY NO BENEFIT to trashing the list in this way, to you or anyone else.

ONLY YOU can unsubscribe, as YOU MUST acknowledge the request. If YOU did not bother to save the instructions when YOU joined the list, here they are again:

=
Welcome to the openssl-users mailing list!

Please save this message for future reference. Thank you.

If you ever want to remove yourself from this mailing list, you can send mail to <[EMAIL PROTECTED]> with the following command in the body of your email message:

    unsubscribe openssl-users

or from another account, besides :

    unsubscribe openssl-users

If you ever need to get in contact with the owner of the list, (if you have trouble unsubscribing, or have questions about the list itself) send email to <[EMAIL PROTECTED]> . This is the general rule for most mailing lists when you need to contact a human.

Here's the general information for the list you've subscribed to, in case you don't already have it:

This open mailing list is used for discussions between the OpenSSL users. Everyone can post.

OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Continuing adventures of LDAP over SSL
Using my SSL server, I have connected to it using the Netscape LDAP SDK. Here is the console:

SSL_accept:before SSL initalisation
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL3 alert read:fatal:bad certificate
SSL_accept:failed in SSLv3 read client certificate A

I haven't asked for a client certificate, so I don't know why it's reading a "bad" client cert. I changed my client code so that it does send a certificate, but the console still complains about the same things.

Does anyone have any ideas?

Thanks in advance,
Tat.
Net::SSLeay.pm problem on NT
Hello,

I've been wrestling with a problem we have been having, which I believe to be related to OpenSSL. It's quite the scenario; I'll attempt to describe it.

We are using a COM object on NT, to allow a web server (IIS) to use a bunch of Perl modules, which in turn use OpenSSL. The COM object was made using scriptlets where the scripting language is PerlScript. When the object is created, it calls an init() method, which will create an SSL socket.

Everything works perfectly the first time the object is created. The SSL socket is created and everything works great. After the COM object is destroyed, and a new one is created, it fails to recreate it. After much tedious debugging, it appears to fail during the call to add_all_algorithms(). Note that this only happens after the first object was created and destroyed. It always works the first time.

Our crypto guru here suggested making sure we are using CRYPTO_set_mem_functions to ensure memory allocation was being done right on the Perl side of things. After adding a block of code to the SSLeay.xs to do this, we still get the same behaviour.

Here's that code:
--
static void sslmem_init();
static void * ssl_malloc(size_t size);
static void * ssl_calloc(size_t number, size_t size);
static void * ssl_realloc(void *ptr, size_t size);
static void ssl_free(void *ptr);

static void sslmem_init()
{
    /* route OpenSSL's allocations through Perl's allocator */
    CRYPTO_set_mem_functions( ssl_malloc, ssl_realloc, ssl_free);
    OpenSSL_add_all_algorithms();
    SSL_load_error_strings();
    BIO_sock_init();
#ifdef WIN32
    RAND_screen();
#endif
}

static void * ssl_malloc(size_t size)
{
    void *new_ptr;
    New(1, new_ptr, size, char);
    return (new_ptr);
}

static void * ssl_calloc(size_t number, size_t size)
{
    void *new_ptr;
    Newz(1, new_ptr, (number*size), char);
    return (new_ptr);
}

static void * ssl_realloc(void *ptr, size_t size)
{
    Renew(ptr, size, char);
    return (ptr);
}

static void ssl_free(void *ptr)
{
    Safefree(ptr);
}

and we call that in there by using:

BOOT:
    sslmem_init();

The sslmem_init method is getting called, as I had some debugging statements to see where it dies. Again, it fails when it calls add_all_algorithms(). If I put in some code to only call add_all_algorithms once, and don't call it in the future, the socket fails to be created properly.

Has anyone encountered something like this before? Of course everything works perfectly when this application is used on Linux with Apache. It's the NT side of things that is giving us the most trouble.

- dan
Re: SHA1
Can you give a reference? All I can find is FIPS PUB 180-1 (http://www.itl.nist.gov/fipspubs/fip180-1.htm) and it has only three examples, none of which match yours.

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 21, 2001 1:52 AM
Subject: SHA1

> Hi,
>
> I'm trying to verify the OpenSSL SHA1 implementation using test vectors
> and their known answers
> published by NIST. When I run the test I'm not getting the expected
> results.
> Specifically, the SHA1 hash of
>
> the following eight bytes
> 0x00, 0x00, 0xFF, 0x00, 0x00, 0xFF, 0x00, 0x00
> is supposed to be (according to NIST)
> "3CDF2936DA2FC556BFA533AB1EB59CE710AC80E5",
>
> I'm getting something very different on a Windows platform.
>
> Thanks,
> Dave
>
Re: Apologies
Sorry folks, I meant to direct the previous message directly to the miscreant that does not know how to use a mailing list.

Lee
Re: passin/passout fd
Mike Schiraldi wrote:
>
> Under "PASS PHRASE ARGUMENTS", the manual says:
>
> file:pathname
> the first line of pathname is the password. If
> the same pathname argument is supplied to
> -passin and -passout arguments then the first
> line will be used for the input password and the
> next line for the output password.
>
> However, fd:number doesn't say anything about what happens when you pass
> the same fd to -passin and -passout. I assumed it behaved the same way
> as file:pathname, and so i'm trying to pass both passwords through the
> same fd, but i'm having problems. Before i wade too deeply into the
> debugging, i have to ask: Is this supposed to work?
>

I don't think I've ever tested this but looking at the code (in apps/apps.c) it *should* work for file: fd: and stdin versions.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: AW: Converting privatekey from DER to NET fails
[EMAIL PROTECTED] wrote:
>
> Thanks for the suggestion. But now the error message is different.
>
>
> C:\certs>openssl rsa -inform DER -in private.der -outform NET -out
> privatekey.net
> read RSA key
> unable to load key
> 276:error:0D080071:asn1 encoding routines:d2i_ASN1_INTEGER:expecting an
> integer:
> a_int.c:204:
> 276:error:0D09D082:asn1 encoding
> routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:116:
>
> When I open the private key with a text editor the content looks like
> this:
> ...
> ~aKfSj4s f$0?K
> t.qc(c)Ni3=h*g'p~*?QE34/?ds
> ...
>
> I doubt that this is a normal private key, isn't it? Did anything go
> wrong during the generation of the key (note: I didn't generate the key
> with openSSL)?
>

Try this:

openssl pkcs8 -inform DER -in private.der -out private.pem

if that fails try:

openssl pkcs8 -nocrypt -inform DER -in private.der -out private.pem

After that you will have a PEM encoded private key which you can then feed to the rsa utility.

If that doesn't work see what the output of:

openssl asn1parse -inform DER -in private.der

produces. Some private key formats are undocumented and look just like random data; without some documentation as to the format used there's not much that can be done.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: CONF_VALUE inconsistencies?
Peter 'Luna' Runestig wrote:
>
> From: "Dr S N Henson" <[EMAIL PROTECTED]>:
> > The internal decoded structures are the "machine readable" versions of
> > extensions.
>
> Yes. I tried to figure out a way to build an extension from scratch, but
> got lost in the OpenSSL code maze (trying to figure out the internals)
> and used X509V3_EXT_conf() instead.
>

It isn't too hard once you get the idea but it isn't too well documented at present. OpenSSL 0.9.7 will have a clever high level function to add extensions from structures but for now you have to do things in several stages.

If you just want to copy extensions from one place to another then this is pretty easy. Otherwise you need to create the internal structure, create an X509_EXTENSION structure using X509V3_EXT_i2d() then add it to the certificate/crl/whatever using the relevant function.

Is there some specific extension you are having problems with or just extensions in general? The internal structures used are in x509v3.h and it isn't too hard to see how the structure maps to the extension in most cases.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: DH_generate_parameters and primes
Josh,

Sorry for assuming you meant to use bigger primes. There are a couple of possibilities for what you are seeing. My guess is that you aren't allocating memory for the answer from DH_compute_key(), but it could be other things. Here is a short example that I think comes close to your example. Hope it helps.

int do_DH_toy()
{
    DH *dh_struct;
    int dh_error;
    unsigned char *dh_secret;
    BIGNUM *client_key;

    client_key = BN_new();
    BN_set_word ( client_key, 0X84F5A8 );
    dh_struct = DH_generate_parameters ( 64, 5, NULL, NULL );
    DH_check ( dh_struct, &dh_error );
    DH_generate_key ( dh_struct );
    /* the shared secret needs DH_size() bytes of caller-provided storage */
    dh_secret = malloc ( DH_size( dh_struct ) );
    DH_compute_key ( dh_secret, client_key, dh_struct );
    free ( dh_secret );
    BN_free ( client_key );
    DH_free ( dh_struct );
    return (0);
}

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_

- Original Message -
From: "Josh Howlett" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 21, 2001 7:54 AM
Subject: Re: DH_generate_parameters and primes

> > The first param to DH_generate_parameters() is supposed to be the
> > number of *bits* in the prime, not bytes (see
> > http://www.openssl.org/docs/crypto/DH_generate_parameters.html#). My guess
> > is you really want 64*8 for that parameter.
>
> I was using a small prime to keep things speedy. Presumably, a small
> prime doesn't adversely affect key generation? I've tried it with
> larger primes, but the same problem occurs (just more slowly).
>
> > Also, DH_generate_parameters() creates the DH structure for you. Your first
> > call to DH_new() doesn't do anything except create a memory leak. DH_check()
> > returns its answer in the integer *pointed* to by the second parameter. So,
> > if dh_error is an int then you need to pass &dh_error to DH_check().
>
> Ok, I've fixed these, but DH_compute_key is still failing. DH_check
> doesn't report any errors. Should I test that the public key from the
> client is valid...could this be tripping it up? If so, how can I go
> about testing the validity of the key?
>
> Here's an example exchange:
>
> 1) Client:
>    public_key = 0X84F5A8
>
> 2) Server:
>    shared secret = 0XFFFDFA0
>    p = 0X8053198
>    public_key = 0X8052168
>
> 3) Client:
>    crashes!
>
> Thanks,
>
> josh.
>
> > - Original Message -
> > From: "Josh Howlett" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, February 19, 2001 1:17 PM
> > Subject: DH_generate_parameters and primes
> >
> > > Hi,
> > >
> > > When I call DH_compute_key(), I get a core dump. If I run DH_check
> > > over the parameters passed to DH_compute_key() I get bit 1 set, which
> > > according to dh.h means that number generated is not prime; presumably,
> > > this is causing DH_compute_key() to croak.
> > >
> > > This is a short excerpt:
> > >
> > > unsigned char *client_key;
> > > BIGNUM client_key;
> > > DH *dh_struct;
> > >
> > > dh_struct= DH_new();
> > > dh_struct= DH_generate_parameters(64, 5, NULL, NULL);
> > > DH_check(dh_struct, dh_error);
> > > DH_generate_key(dh_struct);
> > > DH_compute_key(dh_secret, &client_key, dh_struct);
> > >
> > > I do this to generate the keys once for the server, and once for the
> > > client; it works fine on the client, but not on the server (the code is
> > > essentially the same for both of them).
> > >
> > > Am I passing the correct parameters to DH_generate_parameters? Any
> > > ideas?
> > >
> > > josh.
> > >
> > > ---
> > > Josh Howlett, Network Supervisor,
> > > Networking and Digital Communications,
> > > Information Services.
> > > [EMAIL PROTECTED] | 0117 9546895
> > >
(no subject)
remove
decrypt private key?
Hi,

I'm trying to decrypt a private key that someone else generated with genrsa. I have the password for it. I'd like to use it with some Java program. It can't import encrypted keys.

The enc command returned "bad magic number"; what does it mean?

Thanks a lot
Joerg

--
/*
Joerg Bruenner
Commerzbank AG, ZIT D E-Commerce
Hafenstrasse 51, D-60327 Frankfurt am Main
Tel.: +49 (0)69 136 28289, Fax: +49 (0)69 136 28252
eMail: [EMAIL PROTECTED]
*/
win98 bc32 make error
Hi,

I cannot get the makefile for bc32 to work; it always quits with the following error. Does anyone know how I could rectify the problem?

Regards
Jacob Rhoden

1 file(s) copied
copy .\ssl\tls1.h inc32\openssl\tls1.h
1 file(s) copied
copy .\rsaref\rsaref.h inc32\openssl\rsaref.h
1 file(s) copied
bcc32 -otmp32\cryptlib.obj -Iinc32 -Itmp32 -DWIN32_LEAN_AND_MEAN -q -w-aus -w-par -w-inl -c -tWC -tWM -DWINDOWS -DWIN32 -DL_ENDIAN -DDSO_WIN32 -O2 -ff -fp -c .\crypto\cryptlib.c
Fatal: Command arguments too long

___
"Have a nice day.. unless, you have planned otherwise"
System Administrator / Web Developer / Programmer
Jacob Rhoden - [EMAIL PROTECTED] - 0403 788 386
Re: SV: How to make a CA signed certificate (in code)
On Wed, 21 Feb 2001, Hellan,Kim KHE wrote:

> Hi Vadim
>
> Maybe this is a stupid question, but to make a CA signed certificate do you
> then first have to make a selfsigned certificate and then get the CA to sign
> that certificate?

To sign something, only a private (RSA) key is required, and X509_sign() will do that. One should fill details into cert_info of X509 before signing and specify the hash algorithm.

> As far as I can see, this is how certify_cert() works.

One can pick up the subject's public key and name from the self-signed certificate as an option.

> But anyway, do you have any hints about what I should do to get from X.509
> "parts" I already have loaded to a self-signed or CA-signed certificate.

The difference is the issuer name and the private key used for signing.

regards,
Vadim

>
> Any help appreciated!
>
> TIA
> Kim Hellan
>
> From: Vadim Fedukovich [mailto:[EMAIL PROTECTED]]
> Subject: Re: How to make a CA signed certificate (in code)
>
> since X.509 certificate is somethingToBeSigned and signature over that
> one can use X509_sign() to do it. Probably you mean certify_cert()
> and, yes, lots of parameters there to specify certificate content.
>
Open SSL 0.9.6 / Crypt::SSLeay problems connection to Oracle / Spyglass webserver
I am having trouble connecting to an Oracle webserver using OpenSSL 0.9.6, but I seem to be able to connect to any other server using https. I am using Crypt::SSLeay 22, but the problem seems to be openssl related rather than Crypt related (I have problems within s_client also).

Having suspected ssl version connect problems, I have played around with specifying an initial ssl version of both 3, and 2 in SSL.pm. Ultimately, the same error gets produced no matter what the setting is.

There are basically two unique things about the server I can't connect to, they are:

1) The public key length is 512 Bits.

2) The server software is very old. It is using the Oracle webserver version 2.1.1. This is mainly because versions 3.x and 4.x were terrible releases that never should have gone into production; OWS 2.1.1 is much more robust, and faster. Version 2.1 of the Oracle webserver is based on Spyglass.

The error that I am getting is:

[dhenriks@www2 imc]$ perl getit.pl
ssl_version 23
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv2 read server hello A
SSL_connect:SSLv2 write client master key A
SSL_connect:SSLv2 client start encryption
SSL_connect:SSLv2 write client finished A
SSL_connect:failed in SSLv2 read server verify A
ssl_version 3
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:failed in SSLv3 read server hello A
ssl_version 2
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:SSLv2 read server hello A
SSL_connect:SSLv2 write client master key A
SSL_connect:SSLv2 client start encryption
SSL_connect:SSLv2 write client finished A
SSL_connect:failed in SSLv2 read server verify A
Can't call method "request" on an undefined value at /usr/lib/perl5/site_perl/5.005/LWP/UserAgent.pm line 227.

Any ideas?

In a message in some other list I saw something about setting SSL_VERIFY_NONE as a possible remedy, but I'm not sure how to do this from within Crypt::SSLeay.

Thanks,
Dave Henriksen
passin/passout fd
Under "PASS PHRASE ARGUMENTS", the manual says:

file:pathname
    the first line of pathname is the password. If
    the same pathname argument is supplied to
    -passin and -passout arguments then the first
    line will be used for the input password and the
    next line for the output password.

However, fd:number doesn't say anything about what happens when you pass the same fd to -passin and -passout. I assumed it behaved the same way as file:pathname, and so i'm trying to pass both passwords through the same fd, but i'm having problems. Before i wade too deeply into the debugging, i have to ask: Is this supposed to work?
RE: Apache_1.3.17, Openssl-engine-0.9.6, mod_ssl-2.8.0-1.3.17 Solaris 2.7,CryptoSwift accelerator board
1) csdiag -a 0
2) Run your test.
3) csdiag -a 0

If the interrupts haven't gone up by more than a couple, then the card isn't being accessed (in which case, I'd suggest following John Airey's advice about SSL_EXPERIMENTAL and SSLCryptoDevice, or you can email [EMAIL PROTECTED] for help).

Lynn Gazis

-----Original Message-----
From: adrien mistretta [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 21, 2001 5:29 AM
To: [EMAIL PROTECTED]; De Taeye, Herman
Subject: Re: Apache_1.3.17, Openssl-engine-0.9.6, mod_ssl-2.8.0-1.3.17 Solaris 2.7,CryptoSwift accelerator board

> 3. How can I really test that the board is used and not the internal
> engine?

you can use the csdiag command to see if requests are made to the crypto card, but I don't remember the option.

Adrien
ASN.1 INTEGER
Hello!

I have a problem with ASN.1. Can anybody help me?

I've got code that creates an integer encoded in DER but I can't decode the object properly. Where's the problem?

My code is:

ASN1_INTEGER *version=NULL;
unsigned char *der=NULL;

version=ASN1_INTEGER_new();

ASN1_INTEGER_set(version,1243);

long pp=ASN1_INTEGER_get(version);
printf("Integer: %ld\n",pp);

int londer=i2d_ASN1_INTEGER(version,NULL);
der=(unsigned char *)OPENSSL_malloc(londer);
londer= i2d_ASN1_INTEGER(version,&der);

ASN1_INTEGER *version2=NULL;
version2=d2i_ASN1_INTEGER(NULL,&der,londer);
pp=ASN1_INTEGER_get(version2);
printf("Integer: %ld\n",pp);

This last printf says that the Integer is 0 but the integer is 1234. Why?

--
Antonio Ruiz Martínez
Facultad de Informática-Universidad de Murcia
30001 Murcia - España (Spain)
Telf: +34-968-364644
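The defect in this question, and the fix in Goetz's reply earlier on this page (i2d advances the pointer it is given, so the advanced pointer must not be reused for d2i), shown as an added example that is not part of this thread. It is a small DER INTEGER codec written here to model OpenSSL's i2d/d2i pointer convention, not OpenSSL's own i2d_ASN1_INTEGER/d2i_ASN1_INTEGER; all function names are assumed, and the buggy round-trip uses an over-allocated zero-filled buffer so its misplaced read stays in bounds.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed illustration code: a minimal DER INTEGER encoder/decoder that
 * follows OpenSSL's i2d/d2i pointer convention.  When the caller passes a
 * non-NULL *pp, the function reads or writes at *pp and then ADVANCES *pp
 * past the bytes it consumed or produced.  Non-negative values only.
 */

/* Encode v as a DER INTEGER.  With pp == NULL (or *pp == NULL) nothing is
 * written and only the encoded length is returned, as OpenSSL's i2d does. */
size_t der_i2d_integer(unsigned long v, unsigned char **pp)
{
    size_t n = 0;                      /* minimal number of content octets */
    unsigned long t = v;
    do { n++; t >>= 8; } while (t);
    /* a leading 0x00 keeps the value positive when the top bit is set */
    size_t lead = ((v >> (8 * (n - 1))) & 0x80) ? 1 : 0;
    size_t clen = n + lead;
    size_t total = 2 + clen;           /* tag, short-form length, content */
    if (pp == NULL || *pp == NULL)
        return total;
    unsigned char *p = *pp;
    *p++ = 0x02;                       /* INTEGER tag */
    *p++ = (unsigned char)clen;        /* clen <= 9, short form suffices */
    if (lead)
        *p++ = 0x00;
    for (size_t i = 0; i < n; i++)
        *p++ = (unsigned char)(v >> (8 * (n - 1 - i)));
    *pp = p;                           /* caller's pointer now sits AFTER the data */
    return total;
}

/* Decode one DER INTEGER from at most len bytes at *pp.  Returns 1 and
 * advances *pp on success, 0 on malformed or unsupported (negative) input. */
int der_d2i_integer(const unsigned char **pp, size_t len, unsigned long *out)
{
    const unsigned char *p = *pp;
    if (len < 2 || p[0] != 0x02)
        return 0;
    size_t clen = p[1];
    if (clen == 0 || clen > 0x7f || len < 2 + clen)
        return 0;
    if (p[2] & 0x80)                   /* negative INTEGER: not handled here */
        return 0;
    if (clen > sizeof(unsigned long) + 1 ||
        (clen == sizeof(unsigned long) + 1 && p[2] != 0x00))
        return 0;                      /* would not fit in unsigned long */
    unsigned long v = 0;
    for (size_t i = 0; i < clen; i++)
        v = (v << 8) | p[2 + i];
    *out = v;
    *pp = p + 2 + clen;
    return 1;
}

/* The pattern from the question: the pointer handed to i2d is reused for
 * d2i, so decoding starts past the end of the encoding and finds no INTEGER
 * tag there.  Returns the decoded value, or -1 when decoding fails. */
long roundtrip_buggy(unsigned long v)
{
    size_t len = der_i2d_integer(v, NULL);
    unsigned char *der = calloc(len + 8, 1);   /* zero slack keeps the read in bounds */
    if (der == NULL)
        return -1;
    unsigned char *p = der;
    der_i2d_integer(v, &p);            /* p == der + len after this call */
    const unsigned char *q = p;        /* wrong: q points past the DER data */
    unsigned long out = 0;
    int ok = der_d2i_integer(&q, len, &out);
    free(der);
    return ok ? (long)out : -1;
}

/* Goetz's fix: encode and decode through scratch pointers so that `der`
 * itself still points at the start of the buffer for the decode and free. */
long roundtrip_correct(unsigned long v)
{
    size_t len = der_i2d_integer(v, NULL);
    unsigned char *der = malloc(len);
    if (der == NULL)
        return -1;
    unsigned char *der_tmp = der;
    der_i2d_integer(v, &der_tmp);      /* der_tmp advances; der does not */
    const unsigned char *rd = der;     /* fresh pointer to the start */
    unsigned long out = 0;
    int ok = der_d2i_integer(&rd, len, &out);
    free(der);
    return ok ? (long)out : -1;
}

/* Check the exact bytes produced for v against an expected encoding. */
int der_encodes_to(unsigned long v, const unsigned char *expect, size_t n)
{
    unsigned char buf[16];
    unsigned char *p = buf;
    size_t len = der_i2d_integer(v, &p);
    return len == n && (size_t)(p - buf) == n && memcmp(buf, expect, n) == 0;
}
```

For 1243 the encoding is 02 02 04 DB, and the buggy round-trip fails exactly as the question describes while the corrected one returns 1243.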
REMOVE
REMOVE
remove
remove
Re: Certificates renewal
Looking into the latest snapshot it seems that in apps/x509.c there should be one line added (the last one), or at least putting the test inside the following if (ok) 'then' branch.

static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
{
    int err;
    X509 *err_cert;

    /* it is ok to use a self signed certificate
     * This case will catch both the initial ok == 0 and the
     * final ok == 1 calls to this function */
    err=X509_STORE_CTX_get_error(ctx);
    if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
        return 1;

    /* BAD we should have gotten an error. Normally if everything
     * worked X509_STORE_CTX_get_error(ctx) will still be set to
     * DEPTH_ZERO_SELF_ */
    if (err == X509_V_OK)
        return 1;
When is threadsupport actually needed for openssl ???
Hi,

I am making a client-server application in C++ on AIX. I have recently implemented the openssl RSA_encrypt functions in a thread. I would like to know when I should implement the CRYPTO thread mutex lock functions and stuff.

I am using ONE RSA instance in ONE thread. Do I need to set up openssl thread support in my application? (OpenSSL is configured for thread support.) In other words, do I need to implement callback functions and set mutex locks and stuff??

I want to know this because the RSA_public_encrypt() function is hanging while in the thread.

With kind regards,
Thijs Volders
Re: Apache_1.3.17, Openssl-engine-0.9.6, mod_ssl-2.8.0-1.3.17 Solaris 2.7,CryptoSwift accelerator board
> 3. How can I really test that the board is used and not the internal
> engine?

you can use the csdiag command to see if requests are made to the crypto card, but I don't remember the option.

Adrien
SSL_read buffering problem?
Hi,

Does the SSL layer have its own read buffering?

Our application has a standard non-blocking socket loop where we wait for a read event, read 8k, and go back to wait for more. If we have more than 8k then we have multiple events until the data is complete.

On extending the application to use OpenSSL, this seemed to work OK during testing, replacing the socket read with SSL_read. But now I have a case where, from the debug output, it seems that the SSL_read reads all available data, but only returns the 8k requested. As a result when we return to wait, there is no read event to trigger any further calls to SSL_read, as all the data has already been read.

This only seems to be the case on NT (so far), and in certain (unclear) circumstances. This is not mentioned in the SSL_read man page as far as I can see.

Thanks for any help,
G.
Re: CONF_VALUE inconsistencies?
Peter 'Luna' Runestig wrote:
>
> Hi all!
>
> I have a X509v3 subjectAltName with an "IP address" extension. If I'm
> using i2v_GENERAL_NAME() to get the human readable representation of it,
> like in X509V3_EXT_print(), I get the value string "IP Address:a.b.c.d".
> But if I want to create such an extension using X509V3_EXT_conf_nid(),
> it expects a value string of "IP:a.b.c.d". This is a problem for me,
> since there isn't a way, within OpenSSL, to convert between the value
> names "IP" and "IP Address". Doing that conversion "on the side" in my
> application isn't hard, of course, but isn't very neat. Are there any
> changes to expect in this area? I haven't checked the latest code, I'm
> talking about 0.9.6 here.
>
> BTW, the same goes for "RID" and "Registered ID".
>

Why do you want to do that? The human readable version of the extension (and indeed human readable versions of things like certificates) shouldn't really be parsed by an application since there's no guarantee they will not change in future. There are much bigger differences in things like the certificate policies extension.

The internal decoded structures are the "machine readable" versions of extensions.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Converting privatekey from DER to NET fails
[EMAIL PROTECTED] wrote:
>
> I want to convert my private key from DER to NET format.
> But the openSSL toolkit can't load the key.
> Is there anything wrong with my key? I created it with
> a program from webMethods. It's called "Certificate Toolkit".
> This toolkit does not provide an option to convert the key to a
> different format. So I have to use the openSSL toolkit.
>
> Thanks for your help!
>
> This is the command I use and the error code which openSSL returned:
>
> C:\certs>openssl rsa -in privatekey.der -outform NET -out privatekey.net
> read RSA key
> unable to load key
> 339:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: ANY PRIVATE KEY

By default that expects PEM format, so you at least need -inform DER.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
RE: Invalid DER Encoded Cert. Request
Thank you Dr. Henson,

Adding NEW to the Begin and End Request statements took care of the problem.

James Kleinschmidt
Sr. Analyst, Signal Corporation
IM/IT Specialist, CDMRP
1077 Patchel Street
Ft. Detrick, MD 21702-5024
(301) 619-7048
[EMAIL PROTECTED]

-----Original Message-----
From: Dr S N Henson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 20, 2001 6:16 PM
To: [EMAIL PROTECTED]
Subject: Re: Invalid DER Encoded Cert. Request

"Kleinschmidt, James S Mr Signal Corp" wrote:
>
> Hello all,
>
> I created a csr.pem file using openssl in the NT
> environment. I then attempted to submit it to the DoD Certification
> Processing Center. The Center's web-site rejected the request due to
> "Invalid DER Encode" information.
>
> Any suggestions?
>

Maybe it's the NEW header issue. Some CAs need NEW in the header (i.e. BEGIN NEW CERTIFICATE REQUEST and similarly for END). You can try editing the PEM file or using the -newhdr option.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: install openssl in win98?
hello hey

yes, openssl can be installed on win98, and you can check the file install.w32 for help

bye

--- qianz <[EMAIL PROTECTED]> wrote:
> Can openssl be installed in win98?
> If yes, how to install?
>
> Thanks.
>
> Tony Cheung
>
openSSL library for windowsNT
Hello,

I am porting some code written for Linux and using the openSSL library to WindowsNT, so I would like to know if there is a version of the openSSL library for WindowsNT and where I can find it.

Thank you,
Victoria Preskovsky
Software developer
Aduva Inc.
[EMAIL PROTECTED]