Build openssl on HP with support for Standard C++ library

[Janne Blomqvist]

Hi,

We are using openssl 0.9.6 on HP-UX 10.20.
The two compilers that can be used is cc and gcc.
I would like to use aCC (01.27) with the new standard c++ library (with
switches -AA -D_RWSTD_MULTI_THREAD)
I have succeded in building everything with gcc, but the libraries
wouldn't be compatible with our other libraries.
Code compiled without -AA is incompatible with code compiled with -AA.

Is there a solution for this? Have you built openssl with aCC?


Regards,

Jan-Erik Blomqvist

--
Jan-Erik Blomqvist, [EMAIL PROTECTED]
Enea Business Software AB   Work: +46 (0)8 50714691
Healthcare SolutionsFax:  +46 (0)8 6585790
Hornsgatan 166  Cellular: +46 (0)70 9714691
S-117 28 Stockholm  www.enea.se

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Non-blocking BIO

[Wirta, Ville]

You are misinterpreting the meaning of BIO_should_retry(). What it is
telling you is that you should wait until a certain condition is
satisfied on the underlying transport (SOCKET in this case) before you
retry. You can retry immediately but that is likely to be inefficient.

Is it harmful if try immediately again?

In the first case the I/O special is probably telling you that you
should wait until the SOCKET has connected.

Ahhh... these are just the kind of advices I wanted to hear, but how
do I do it? What would be the best way to see if connection is ready? I
guess Sleep(1000) and connect again isn't the best method available? :-)
Though it works...

After that BIO_should_read() is saying you should wait until the SOCKET
has data available before retrying. It isn't telling you to just call
BIO_read()!

Okay. That's good to know. I thought it was a commad for me to make
a read attempt.

Your select() call is also waiting to see when data can be read *or*
written. Therefore it will probably return immediately telling you its
OK to write data. What you should actually be doing is waiting until the
relevant condition is satisfied: is it wants to read then wait until
data is available etc.

And that is done with select? And write mask being NULL?

Thank you!   VW
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Obj. : Crypt::SSLeay

[Frédéric Donnat]

 
Marcus Carey a écrit :

Can
someone explain the following warning? Client-SSL-Warning:
Peer certificate not verified ActivePerl
623Windows IIS 5.0Windows
2000 ServerCrypt-SSLeay
from Activestate repository Marcus

Hi !
This should be a warning due to the verification of the Server Certificate
Chain!
I mean that your clent receive a certificate chain and must verify
it in order to trust the server (peer).
So if there is an error appearing during this verification it throws
an error or a warning, it depends of the importance of the error !
You'll find more in the Netscape draft for SSL.
Bets Regards
Fred


 Signature cryptographique S/MIME

Re: Server Certificate Verification

[Graeme English]

Thanks Lutz,

I'm incorporating OpenSSL into a web browser and what I'm really after is a behavior 
similar to the other browsers around i.e. when an untrusted site is visited the user 
is warned but also gets the option to 'install' the received server certificate so 
that the next time the site is visited the warning is not displayed (I should have 
mentioned this before, sorry)

As you say if I the peer sends the certificate chain then the verify error changes to 
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but I don't think this is the behavior I need 
(also its up to the web server whether it sends the chain, I believe)

Should I be storing these 'installed' web server certificates in a different file from 
the CA list and when I receive a peer certificate which cannot be verified against the 
CA list, then manually search through the other file to try and match the certificates 
that way ? If so what's the best way to accomplish this ?

Graeme

>>> [EMAIL PROTECTED] 03/04/01 17:25:21 >>>
On Tue, Apr 03, 2001 at 04:38:27PM +0100, Graeme English wrote:
> I now want to choose to trust this server so I thought I could do something like 
>this - 
> 
> X509 *server_cert;
> BIO  *cout;
>   cout = BIO_new(BIO_s_file());
> if (BIO_append_filename(cout, (void *)CERT_STORE) <= 0) {
>//
> }
> server_cert = SSL_get_peer_certificate (_ssl);
> X509_print(cout, server_cert);
> PEM_write_bio_X509(cout, server_cert);
> X509_free(server_cert);
> BIO_free(cout);
> 
> so that next time the servers certificate would be found, but I still get the 
>X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This is presumably because it is the 
>issuer (CA) of the received server certificate that being searched for.
> 
> How do I set things up to trust the server certificate ?

X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY means that the verification
routined could not get the issuer certificate by any means, it was not
included in the certificate chain sent _and_ it was not available locally.
(It is ok for the chain to leave out the toplevel CA, because when it is
trusted, it is available locally anyway.)
Therefore you cannot access the missing CA cert as it is missing :-)
Make sure that the peer sends the complete chain. You will see that
the chain is complete, when the verification error becomes
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED] 
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/ 
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org 
User Support Mailing List[EMAIL PROTECTED] 
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Server Certificate Verification

[Lutz Jaenicke]

On Wed, Apr 04, 2001 at 10:03:27AM +0100, Graeme English wrote:
> I'm incorporating OpenSSL into a web browser and what I'm really after is a behavior 
>similar to the other browsers around i.e. when an untrusted site is visited the user 
>is warned but also gets the option to 'install' the received server certificate so 
>that the next time the site is visited the warning is not displayed (I should have 
>mentioned this before, sorry)

I more or less anticipated that you wanted to do something like this...


> As you say if I the peer sends the certificate chain then the verify error changes 
>to X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but I don't think this is the behavior I 
>need (also its up to the web server whether it sends the chain, I believe)

No, it is not up to the web server. The server must send the complete chain
except for the root certificate. From RFC2246, 7.4.2:
   certificate_list
   This is a sequence (chain) of X.509v3 certificates. The sender's
   certificate must come first in the list. Each following
   certificate must directly certify the one preceding it. Because
   certificate validation requires that root keys be distributed
   independently, the self-signed certificate which specifies the
   root certificate authority may optionally be omitted from the
   chain, under the assumption that the remote end must already
   possess it in order to validate it in any case.

> Should I be storing these 'installed' web server certificates in a different file 
>from the CA list and when I receive a peer certificate which cannot be verified 
>against the CA list, then manually search through the other file to try and match the 
>certificates that way ? If so what's the best way to accomplish this ?

I am not sure about the best way to handle it this way. The built-in
certificate verification routine will do precisely what is described
in the RFC, it will only approve a chain, of which the root CA certificate
is found locally. For a root CA certificate it is a necessary condition
to be self signed, so the built-in procedure will fail even if you put
an intermediate CA or server certificate to the certificate store.

Therefore you need to store the server certificates seperately and
might then compare the certificate sent with the certificates in the
seperate store. You can use the X509_cmp() function for this purpose.

When realizing this functionality, please check out the old bugtraq
messages. There were quite some subtle things with certificates being
accepted for a wrong server name by the user once but then the non-matching
certificate suddenly became valid for all server names (if memory serves
me right)... It is not necessary to fall into the same pitfalls again :-)

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Build openssl on HP with support for Standard C++ library

[Lutz Jaenicke]

On Wed, Apr 04, 2001 at 10:45:24AM +0200, Janne Blomqvist wrote:
> We are using openssl 0.9.6 on HP-UX 10.20.
> The two compilers that can be used is cc and gcc.
> I would like to use aCC (01.27) with the new standard c++ library (with
> switches -AA -D_RWSTD_MULTI_THREAD)
> I have succeded in building everything with gcc, but the libraries
> wouldn't be compatible with our other libraries.
> Code compiled without -AA is incompatible with code compiled with -AA.
> 
> Is there a solution for this? Have you built openssl with aCC?

Ok, let's see:
ws01 84: uname -a
HP-UX ws01 B.10.20 A 9000/780 2016288732 two-user license
ws01 85: what /opt/aCC/bin/aCC
/opt/aCC/bin/aCC:
HP aC++ B3910B A.01.23
HP aC++ B3910B A.01.19.02 Language Support Library
My manual page does not state anything about a -AA switch, only -Aa
is being listed.
Having this said: it accepts a -AA switch without a word and produces:
aCC -I. -I../include -DTHREADS -D_REENTRANT -DDSO_DL -D_REENTRANT -O 
+DAportable -AA -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -c mem_dbg.c
Error 212: "mem_dbg.c", line 321 # Argument type 'unsigned long
(app_mem_info_st *)' does not match expected parameter type 'unsigned long
(*)()'.
if ((amih=lh_new(app_info_hash,app_info_cmp)) == NU
[More error messages to come.]
I would say, it would probably take some time massaging everything to be
acceptable for aCC (if doable at all). The same errors occur with the
documented -Aa switch.

Sorry, no better news,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Useful newbie document

[Tat Sing Kong]

I've written a document as part of my own openSSL notes that describes
how to code  an SSL client and server using the openSSL libraries.  It's
a bit noddy but it does the job.

These might be useful for people just starting (I know I was looking for
such a document when I started), so if you want a copy then email me
personally.  Put "SSL doc request" in the subject header.

Tat.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

How to create a certificate revokation request

[Ulrich Ackermann]

Hi all,
are there openssl commands to generate a certificate revokation request?

Is the command
openssl x509 -x509toreq -signkey  key.pem -in cert.pem -out
cert.req
a possible candidate?

Has a certificate revokation request a given format? Where is that
described? Where can I get additional Information on CRRs (RFCs?
PKCS#XX?)

TIA, Ulrich

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Build openssl on HP with support for Standard C++ library

[Richard Levitte - VMS Whacker]

From: Janne Blomqvist <[EMAIL PROTECTED]>

jebl> We are using openssl 0.9.6 on HP-UX 10.20.
jebl> The two compilers that can be used is cc and gcc.
jebl> I would like to use aCC (01.27) with the new standard c++ library (with
jebl> switches -AA -D_RWSTD_MULTI_THREAD)
jebl> I have succeded in building everything with gcc, but the libraries
jebl> wouldn't be compatible with our other libraries.
jebl> Code compiled without -AA is incompatible with code compiled with -AA.
jebl> 
jebl> Is there a solution for this? Have you built openssl with aCC?

I've never heard of aCC before, so I haven't tried it, and it hasn't
been reported here that I can remember.  I'm curious to know what
exactly -AA does that makes those object files different...

Anyhow, what you want to do is to fiddle a bit in Configure to begin
with (as in: add an entry for the combination HP/UX and aCC).  If you
get some good results, we would appreciate a patch...

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Build openssl on HP with support for Standard C++ library

[Lutz Jaenicke]

On Wed, Apr 04, 2001 at 12:14:48PM +0200, Richard Levitte - VMS Whacker wrote:
> I've never heard of aCC before, so I haven't tried it, and it hasn't
> been reported here that I can remember.  I'm curious to know what
> exactly -AA does that makes those object files different...

Many years ago HP shipped a cfrong based C++ compiler called "CC".
Some years ago after standardization of C++ they released a new compiler
called aCC. CC is no longer supported, aCC is the way to go.
I don't know much about C++, so I cannot tell you about how conformant
the compiler is or what the special points are.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Build openssl on HP with support for Standard C++ library

[Janne Blomqvist]

Hi,

aCC or aC++ is HP's C++ compiler. The RogueWave Standard C++ Library 2.2.1 is
bundled with HP aC++ 01.27. To use it you have to specify -AA, include paths are
changed to include_std and libraries are libstd_v2 and libCsup_v2. The macro
-D_RWSTD_MULTI_THREAD is used instead of -D_THREAD_SAFE when using threadsafe
version of libstd_v2.

Unfortunately objects and libraries compiled with -AA are binary incompatible
with objects and libraries compiled without -AA.
I've edited the Configure script and added an option for aCC. Some files compiles
successfully while others results in this:

Error 212: "mem_dbg.c", line 305 # Argument type 'unsigned long (app_mem_info_st
*)' does not match expected parameter type
'unsigned long (*)()'.
if ((amih=lh_new(app_info_hash,app_info_cmp)) == NULL)

It seems to be the same error that Lutz got.

Thanks,

Jan-Erik Blomqvist


Richard Levitte - VMS Whacker wrote:

> From: Janne Blomqvist <[EMAIL PROTECTED]>
>
> jebl> We are using openssl 0.9.6 on HP-UX 10.20.
> jebl> The two compilers that can be used is cc and gcc.
> jebl> I would like to use aCC (01.27) with the new standard c++ library (with
> jebl> switches -AA -D_RWSTD_MULTI_THREAD)
> jebl> I have succeded in building everything with gcc, but the libraries
> jebl> wouldn't be compatible with our other libraries.
> jebl> Code compiled without -AA is incompatible with code compiled with -AA.
> jebl>
> jebl> Is there a solution for this? Have you built openssl with aCC?
>
> I've never heard of aCC before, so I haven't tried it, and it hasn't
> been reported here that I can remember.  I'm curious to know what
> exactly -AA does that makes those object files different...
>
> Anyhow, what you want to do is to fiddle a bit in Configure to begin
> with (as in: add an entry for the combination HP/UX and aCC).  If you
> get some good results, we would appreciate a patch...
>
> --
> Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
> Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
> Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
> Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
> Member of the OpenSSL development team: http://www.openssl.org/
> Software Engineer, Celo Communications: http://www.celocom.com/
>
> Unsolicited commercial email is subject to an archival fee of $400.
> See  for more info.
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

--
Jan-Erik Blomqvist, [EMAIL PROTECTED]
Enea Business Software AB   Work: +46 (0)8 50714691
Healthcare SolutionsFax:  +46 (0)8 6585790
Hornsgatan 166  Cellular: +46 (0)70 9714691
S-117 28 Stockholm  www.enea.se


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Build openssl on HP with support for Standard C++ library

[Richard Levitte - VMS Whacker]

From: Janne Blomqvist <[EMAIL PROTECTED]>

jebl> aCC or aC++ is HP's C++ compiler. The RogueWave Standard C++
jebl> Library 2.2.1 is bundled with HP aC++ 01.27. To use it you have
jebl> to specify -AA, include paths are changed to include_std and
jebl> libraries are libstd_v2 and libCsup_v2. The macro
jebl> -D_RWSTD_MULTI_THREAD is used instead of -D_THREAD_SAFE when
jebl> using threadsafe version of libstd_v2.

Aha.  I'm guessing that -AA also causes name-mangling (which is the
only known way to keep type info as part of the symbol, which is
needed when linking C++ programs, or function overloading would be
impossible).

jebl> Unfortunately objects and libraries compiled with -AA are binary
jebl> incompatible with objects and libraries compiled without -AA.

Name mangling...

jebl> I've edited the Configure script and added an option for
jebl> aCC. Some files compiles successfully while others results in
jebl> this:
jebl> 
jebl> Error 212: "mem_dbg.c", line 305 # Argument type 'unsigned long (app_mem_info_st
jebl> *)' does not match expected parameter type
jebl> 'unsigned long (*)()'.
jebl> if ((amih=lh_new(app_info_hash,app_info_cmp)) == NULL)

You probably want to look at snapshots of 0.9.7-dev, that version has
a large number of changes having to do with exactly that problem.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Certificate checking domain name

[Greg Stark]

Tat,

Well, did you write the client and put such a check in?

That is what clients such as IE and Netscape do. These clients check the CN
of the cert (and maybe the subjectAltDNSName??) to verify that it matches
exactly what the user typed in. For example, if I type into IE
https://www.verisign.com IE will check the server cert and discover that the
hostname matches and load the page without complaint. If I type instead
https://205.139.94.60 it will rightly complain.

There are some exceptions to this rule for wildcarded domain names, but I am
not sure what the exact rules are.

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_



- Original Message -
From: "Tat Sing Kong" <[EMAIL PROTECTED]>
To: "openssl" <[EMAIL PROTECTED]>
Sent: Tuesday, April 03, 2001 12:20 PM
Subject: Certificate checking domain name


>
> All,
>
> I heard somewhere that sometimes the client checks the machine/domain
> name in the server cert matches the actual machine/domain name it has
> contacted.  Is this true?  How do I set up such a cert?
>
> My handshaking is dumping me out, I can only guess that this is the
> reason.
>
> Tat.
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Build openssl on HP with support for Standard C++ library

[Lutz Jaenicke]

On Wed, Apr 04, 2001 at 01:36:21PM +0200, Richard Levitte - VMS Whacker wrote:
> From: Janne Blomqvist <[EMAIL PROTECTED]>
> 
> jebl> aCC or aC++ is HP's C++ compiler. The RogueWave Standard C++
> jebl> Library 2.2.1 is bundled with HP aC++ 01.27. To use it you have
> jebl> to specify -AA, include paths are changed to include_std and
> jebl> libraries are libstd_v2 and libCsup_v2. The macro
> jebl> -D_RWSTD_MULTI_THREAD is used instead of -D_THREAD_SAFE when
> jebl> using threadsafe version of libstd_v2.
> 
> Aha.  I'm guessing that -AA also causes name-mangling (which is the
> only known way to keep type info as part of the symbol, which is
> needed when linking C++ programs, or function overloading would be
> impossible).
> 
> jebl> Unfortunately objects and libraries compiled with -AA are binary
> jebl> incompatible with objects and libraries compiled without -AA.
> 
> Name mangling...
> 
> jebl> I've edited the Configure script and added an option for
> jebl> aCC. Some files compiles successfully while others results in
> jebl> this:
> jebl> 
> jebl> Error 212: "mem_dbg.c", line 305 # Argument type 'unsigned long 
>(app_mem_info_st
> jebl> *)' does not match expected parameter type
> jebl> 'unsigned long (*)()'.
> jebl> if ((amih=lh_new(app_info_hash,app_info_cmp)) == NULL)
> 
> You probably want to look at snapshots of 0.9.7-dev, that version has
> a large number of changes having to do with exactly that problem.

I have just done some research on docs.hp.com. They do offer some
compatibility statements.
With respect to
  http://docs.hp.com/hpux/onlinedocs/dev/aCC/a_01_27/otherlangs.htm
it should be no problem to interface aCC programs (no special flags
are listed, so it should be valid for -AA, too) to ANSI-C programs.

I just tried with 0.9.7-dev and ran into:
aCC -I. -I.. -I../include +Z -DOPENSSL_THREADS -D_REENTRANT -DDSO_DL 
-DOPENSSL_NO_KRB5 -D_REENTRANT +DAportable -AA +ESlit -DB_ENDIAN -DBN_DIV2W 
-DMD32_XARRAY -c ex_data.c
Error 212: "ex_data.c", line 145 # Argument type 'void *' does not match
expected parameter type 'char *'.
sk_set(ad->sk,idx,val);
  ^^^  
Error 203: "ex_data.c", line 176 # Cannot assign 'char *' with 'void *'.
from_d=CRYPTO_get_ex_data(from,i);
   ^^ 
So I would say, there is at least some way to go before OpenSSL can be
compiled with aCC.

I would rather say it seems to be more promising to compile OpenSSL
with a generic ANSI compiler (the original poster said that he has
at least gcc, I recommend HP's compiler because the problem of needing
libgcc does not arise) and try to sort out incompatibilities in the
interfacing...

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

How to create a certificate revokation request

[Ulrich Ackermann]

Hi all,
are there openssl commands to generate a certificate revokation request?

Is the command
openssl x509 -x509toreq -signkey  key.pem -in cert.pem -out
cert.req
a possible candidate?

Has a certificate revokation request a given format? Where is that
described? Where can I get additional Information on CRRs (RFCs?
PKCS#XX?)

TIA, Ulrich

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: How to create a certificate revokation request

[Ulrich Ackermann]

Sorry,
didn't want to post twice ...


Ulrich

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

bad mac decode error

[Tat Sing Kong]

I have got an LDAP client talking to an LDAP server using SSL no
problems.  I am now using the openssl s_client program to talk to the
LDAP server using the name security certs etc.  However, after the
ChangeCipherSpec mesages I get

bad mac decode

So I guess something has gone very wrong somewhere.  I thought there was
only one SSL protocol, if it works for one SSL server/client, it should
work for all clients, servers etc?

Any ideas?

Tat.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: bad mac decode error

[Shaw, George]

What version of SSL is the client using using?  I've had this problem
before, and there are other mails in the archive which describe this error,
when a "broken" server cannot perform SSL version negotiation properly, i.e
if your client is using SSL version 23.  Hardcoding the version to 2 or 3
usually works.

G.

-Original Message-
From: Tat Sing Kong [mailto:[EMAIL PROTECTED]]
Sent: 04 April 2001 15:08
To: openssl
Subject: bad mac decode error



I have got an LDAP client talking to an LDAP server using SSL no
problems.  I am now using the openssl s_client program to talk to the
LDAP server using the name security certs etc.  However, after the
ChangeCipherSpec mesages I get

bad mac decode

So I guess something has gone very wrong somewhere.  I thought there was
only one SSL protocol, if it works for one SSL server/client, it should
work for all clients, servers etc?

Any ideas?

Tat.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: How to create a certificate revokation request

[Martin Szotkowski]

try look at CMC (RFC ) and CMP/CRMF (RFC 2510 / 2511)

Martin

> Hi all,
> are there openssl commands to generate a certificate revokation request?
>
> Is the command
> openssl x509 -x509toreq -signkey  key.pem -in cert.pem -out
> cert.req
> a possible candidate?
>
> Has a certificate revokation request a given format? Where is that
> described? Where can I get additional Information on CRRs (RFCs?
> PKCS#XX?)
>
> TIA, Ulrich
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Server Certificate Verification

[Graeme English]

>>> [EMAIL PROTECTED] 04/04/01 10:32:37 >>>
>> As you say if I the peer sends the certificate chain then the verify error changes 
>to X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but I don't think this is the behavior I 
>need (also its up to the web server whether it sends the chain, I believe)

>No, it is not up to the web server. The server must send the complete chain
except for the root certificate. From RFC2246, 7.4.2:
   certificate_list
   This is a sequence (chain) of X.509v3 certificates. The sender's
   certificate must come first in the list. Each following
   certificate must directly certify the one preceding it. Because
   certificate validation requires that root keys be distributed
   independently, the self-signed certificate which specifies the
   root certificate authority may optionally be omitted from the
   chain, under the assumption that the remote end must already
   possess it in order to validate it in any case.

I mentioned this since previously I had not defined SSLCertificateChainFile in my 
httpd.conf (apache , mod_perl) and when I did the following (excuse the hack!)
STACK_OF(X509) *cert_chain = (struct stack_st 
*)SSL_get_peer_cert_chain(_ssl);
while ((server_cert = (struct x509_st *)sk_pop(cert_chain)) != NULL) {
X509_print(cout, server_cert);
PEM_write_bio_X509(cout, server_cert);
X509_free(server_cert);
}
I only got the server certificate back. On defining SSLCertificateChainFile (and 
putting the CA cert in it) I got both certificates back ! I also tried pointing my 
browser at https://amazon.co.uk and similarly only got the server certificate !



>When realizing this functionality, please check out the old bugtraq
messages. There were quite some subtle things with certificates being
accepted for a wrong server name by the user once but then the non-matching
certificate suddenly became valid for all server names (if memory serves
me right)... It is not necessary to fall into the same pitfalls again :-)


I've just spent a couple of hours trawling through the mailing list archives without 
much luck. Was this what you meant by 'bugtaq'. If so, can you offer any other hints 
;-) or let me know how to get the 'bugtraq' messages ?


Thanks,
 Graeme



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Open SSL server side in Windows

[Filipe Contente]

Hi!!

I'm trying to implement a Open SSL server in windows with c++, 
and i'm with problems when i try to get te client certificate!!
Does anyone have already implement a server side in Windows???

All the examples i saw was in Linux, i've never heard of one example
that
works with Windows. The Client side works ok!!

I'm generating the certificates in Linux and i use them in windows,
there is any problem
with this??
The c_rehash have any effect in windows??

Thank,  Filipe Contente
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

PBKDF2 & HMAC sha 1

[Jeeva Chelladhurai]

Hi,

I am new to crypto.

I have to support PBKDF2 of PKCS #5 v2.0 in one of my projects. Would I be able
to get free implementation for the same?

Is SHA_1 is different from HMAC with SHA_1?

Could somebody guide me how to use SHA_1 of openssl?

Is there any pointer that would through some light about all the above?

Thanks in advance.

Jeeva.


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Server Certificate Verification

[Lutz Jaenicke]

On Wed, Apr 04, 2001 at 02:37:23PM +0100, Graeme English wrote:
> I mentioned this since previously I had not defined SSLCertificateChainFile in my 
>httpd.conf (apache , mod_perl) and when I did the following (excuse the hack!)
> STACK_OF(X509) *cert_chain = (struct stack_st 
>*)SSL_get_peer_cert_chain(_ssl);
> while ((server_cert = (struct x509_st *)sk_pop(cert_chain)) != NULL) 
>{
> X509_print(cout, server_cert);
> PEM_write_bio_X509(cout, server_cert);
> X509_free(server_cert);
> }
> I only got the server certificate back. On defining SSLCertificateChainFile (and 
>putting the CA cert in it) I got both certificates back ! I also tried pointing my 
>browser at https://amazon.co.uk and similarly only got the server certificate !

It is valid to omit the root CA certificate. If you chain only contains the
server cert and the CA cert, only the server cert needs to be sent. Therefore
the result you have seen is valid (even though I would find it more
practical to always have the complete chain sent).
An OpenSSL based server without SSLCertificateChainFile set, will still
try to complete its chain from the trusted CA store. So if you have the
certificate of your CA in SSLCACertificatePath or SSLCACertificateFile
(mod_ssl syntax), you will still see the complete chain.

> >When realizing this functionality, please check out the old bugtraq
> messages. There were quite some subtle things with certificates being
> accepted for a wrong server name by the user once but then the non-matching
> certificate suddenly became valid for all server names (if memory serves
> me right)... It is not necessary to fall into the same pitfalls again :-)
> 
> 
> I've just spent a couple of hours trawling through the mailing list archives without 
>much luck. Was this what you meant by 'bugtaq'. If so, can you offer any other hints 
>;-) or let me know how to get the 'bugtraq' messages ?

http://marc.theaimsgroup.com/?l=bugtraq&r=1&w=2

A search for "netscape certificate" gave

http://marc.theaimsgroup.com/?l=bugtraq&m=95797566730807&w=2

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Open SSL server side in Windows

[Tat Sing Kong]

Filipe,

I have successfully implemented some opensSSL with Windows NT.  The
problem you are describing could be due to:

1) The client rejecting the server cert because it does not trust it.
2) The server not sending the client a list of recommended CA's
3) The server cert not having the same name as the machine it comes from
(see an earlier question I posted the other day)
4) Problems with ssl2/3 - hardcode version 2 or 3.  I just had the same
problem.

The best thing to try is the openssl s_server/s_client program as it
prints out lots of debug.

Tat.

Filipe Contente wrote:
> 
> Hi!!
> 
> I'm trying to implement a Open SSL server in windows with c++,
> and i'm with problems when i try to get te client certificate!!
> Does anyone have already implement a server side in Windows???
> 
> All the examples i saw was in Linux, i've never heard of one example
> that
> works with Windows. The Client side works ok!!
> 
> I'm generating the certificates in Linux and i use them in windows,
> there is any problem
> with this??
> The c_rehash have any effect in windows??
> 
> Thank,  Filipe Contente
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

-- 
+---
| Tat Sing Kong Bsc(Hons)   
| Senior Technical Architect
| Consegna Advanced Technologies Ltd
| 1st Floor, 30-32 Thomas Street
| Manchester, M4 1ER, United Kingdom 
| http://www.consegna.co.uk   
| Tel : +44 (0)161 833 3777
| Fax : +44 (0)161 833 3636
| Email : [EMAIL PROTECTED]  

+

 This e-mail is from Consegna Advanced Technologies. The information in
 this e-mail and any files transmitted with it are confidential and may
 be legally privileged. It is intended solely for the stated recipient.
 Access to this e-mail by anyone else is unauthorised. If you are not
 the intended recipient, any disclosure, copying, distribution or any
 action taken or omitted to be taken in reliance on it, is prohibited
 and may be unlawful.
 
 If you have received this e-mail in error please notify
 [EMAIL PROTECTED] or telephone +44 (0)161 833 3777. Views or opinions
 expressed by an individual within this e-mail may not necessarily
 reflect the views of Consegna Advanced Technologies.
+-

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

SSL doc request

[Vincent Lue]

At 10:47 AM 4/4/01 +0100, you wrote:

>I've written a document as part of my own openSSL notes that describes
>how to code  an SSL client and server using the openSSL libraries.  It's
>a bit noddy but it does the job.
>
>These might be useful for people just starting (I know I was looking for
>such a document when I started), so if you want a copy then email me
>personally.  Put "SSL doc request" in the subject header.
>
>Tat.
>
>__
>OpenSSL Project http://www.openssl.org
>User Support Mailing List[EMAIL PROTECTED]
>Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

openssl req is ignoring the DN in the config file

[Sandipan Gangopadhyay]

opensslreq
   -in pkcs10receivedfromclient.csr
   -config configfilewithDN.cnf
   -out pkcs10withNewDN.csr

is ignoring the DN in the config file.

The pkcs10receivedfromclient.csr has "DC=COM"

and configfilewithDN.cnf has
[ req ]
...
distinguished_name  = req_distinguished_name
[ req_distinguished_name ]
DC   = COM
O  = CAer
OU = Root CA Services
CN = userX

My intention is to obtain the public key from the PKCS10 received from the
client, but supply/modify the DN at the openssl server. Can anyone suggest
how I can achieve this ? Anyhow ?

Please help !

Regards,

Sandipan

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: simple ssl implementation?

[Khamba Staring]

> The only problem is that the last couple of bytes which should be
> transmitted are not; an error occurs. My `server' log shows:
> 
> error while reading SSL socket from 127.0.0.1: error:1408F10B:SSL routines:SS
L3_GET_RECORD:wrong version number
> reached sclose() with SSL
> 
> The `client', openssl, shows this:
> 
> 61789:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt
.c:279:

I found the problem; the last few bytes were written with a normal
write() instead of SSL_write().. Sorry to have bothered the list with
this..


Kind regards,

-- Khamba Staring
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Name Collision w/VC6 (modulus/list)

[Bruce Bailey]

Hi

I am trying to use the openssl product in an application I am writing using
MS VC6.  I am also using the stl.

When I try to compile my project, I get the following errors:

d:\openssl-0.9.5a\inc32\openssl\bn.h(411) : error C2955: 'modulus' : use of
class template requires template argument list
c:\program files\microsoft visual studio\vc98\include\functional(57)
: see declaration of 'modulus'
d:\openssl-0.9.5a\inc32\openssl\ssl.h(1079) : error C2955: 'list' : use of
class template requires template argument list
c:\program files\microsoft visual studio\vc98\include\list(415) :
see declaration of 'list'
d:\openssl-0.9.5a\inc32\openssl\ssl.h(1080) : error C2955: 'list' : use of
class template requires template argument list
c:\program files\microsoft visual studio\vc98\include\list(415) :
see declaration of 'list'

When I go to the offending lines (e.g. bn.h, line 411), I see :

int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *modulus,BN_CTX *ctx);

The apparent name collision is with the modulus parameter in this case.  I
have tried everything I could think of (reordering 'include' files, various
permutations of 'namespace' directive, etc.), but to no avail.

Has anybody else seen and maybe solved this problem?

Thanks in advance, 

Bruce

> Bruce Bailey
> ADP Dealer Services Group
> Suite 450
> 2525 SW First Avenue
> Portland, OR 97201
> 
> 503 294-4206
> [EMAIL PROTECTED]
> 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Crypt::SSLeay

[Joshua Chamas]

> Marcus Carey wrote:
> 
> Can someone explain the following warning?
> 
> Client-SSL-Warning: Peer certificate not verified
> 
> ActivePerl 623
> Windows IIS 5.0
> Windows 2000 Server
> Crypt-SSLeay from Activestate repository
> 

Sorry for not getting back sooner, but its been a hard
week.  I'm the maintainer of Crypt::SSLeay, and I don't have
a good answer for you.  Its my guess that if 

  SSL_get_verify_result()

where called at some point, that cert verfication would be
established, and this warning would go away.  By not doing
so, I guess, you don't really know that you are talking 
to the true owner of that SSL domain, even though a 
secure connection has been established.

This seems to be an important feature, and if desired,
I could probably get this set up as a config option 
for Crypt::SSLeay's Net::SSL, and make sure it seems
to do the right thing when operating under perl's LWP.

--Josh
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: PBKDF2 & HMAC sha 1

[Dr S N Henson]

Jeeva Chelladhurai wrote:
> 
> Hi,
> 
> I am new to crypto.
> 
> I have to support PBKDF2 of PKCS #5 v2.0 in one of my projects. Would I be able
> to get free implementation for the same?
> 

PKCS#5 v2.0 is supported by OpenSSL, indeed it was used to generate the
test vectors using on RSAs site. Check out crypto/evp/p5_crpt2.c
in the function

PKCS5_PBKDF2_HMAC_SHA1()

> Is SHA_1 is different from HMAC with SHA_1?
> 

Yes. OpenSSL supports both. See the HMAC manual page and RFC2104 for
more info.

> Could somebody guide me how to use SHA_1 of openssl?
> 
> Is there any pointer that would through some light about all the above?
> 

man EVP_DigestInit for the preferred API or man SHA for the low level
API.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

a question about install

[luckpeople]

Hi,all
 before i comple the openssl,i use the vcvars32.bat in the directory D:\Program 
Files\Microsoft Visual Studio\VC98\Bin
but it tell me that out of the environment space,what shoud i do !And another question 
,i want to know how I.E support ssl.Do i need make any changes about  I.E?
thank you 
__

===
ÐÂÀËÃâ·Ñµç×ÓÓÊÏä (http://mail.sina.com.cn)
ÍøÀïÑ°Ëýǧ°Ù¶È!ûÓÐ"ÁÄÓÑËÙÅä",ÔõÄÜ"³ÉË«³É¶Ô"? (http://newchat.sina.com.cn)
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

ASN1_UTCTIME & time_t

[Aslam]

Hi,

I was looking for some function like following;
time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s);
and I found that this function is in #if 0 /* */ #endif
The reason is specified there, but its not clear.
Can someone give a better idea of this.

And which functions I use for following needs:
1. time_t => ASN1_UTCTIME
2. ASN1_UTCTIME => time_t
3. time_t comparision
4. ASN1_UTCTIME comparision

Thanks
Aslam

 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]