Re: scripting s_server
If not, you should be able to script it using expect. The expect tool can be used to script execution of any text based program.

    autoexpect -p -f start_s_server openssl s_server -key
    [type password when prompted]
    [make s_server exit normally, NOT control-c. kill from another window is fine]

The above should provide a start_s_server script that can be used to start s_server with the encrypted key.

--
Henrik Nordstrom
MARA Systems

Patrick Li wrote:
> Hi Lutz,
>
> I think I will just remove the encryption on the private key file using the command suggested by Henrik.
>
>     openssl rsa -in key.pem -out key_unprotected.pem
>
> I wrote an SSL client program and want to use s_server for testing. That'll help me to automate the testing without typing in the passphrase interactively.
>
> Thanks!
> Patrick

__
OpenSSL Project                    http://www.openssl.org
User Support Mailing List          [EMAIL PROTECTED]
Automated List Manager             [EMAIL PROTECTED]
Re: openssl-0.9.6a
From: Torsten Howard [EMAIL PROTECTED]

torsten> This library fails when doing
torsten> make linux-shared
torsten> openssl-0.9.6a

The way to build shared libraries has changed a bit. Exactly in what way did it fail, and exactly how did you configure? Basically, you have to configure with the keyword "shared" as argument, or shared library support will definitely fail.

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/
Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: certificate validity
There are 2 ways.

1) Write a script that sets up the correct values and then pass them to the command line
2) Patch the ca command

I've chosen the last one. I sent the patch on this list some weeks ago. Search for the "Useful CA patch" subject in the archive.

[EMAIL PROTECTED] wrote:
> I'm using openssl 0.9.5a. For making a new CA, I specify validity of 1000 days and I also want my certs to be valid, by default (i.e. if no end date is specified), for as long as the CA. For this I specified the following in openssl.cnf:
>
>     default_days = 1000 # how long to certify for
>
> But by doing this the certs become valid for 1000 days from the system date. Now if I configure my CA today (valid till 1000 days from now) and then sign a cert tomorrow (for 1000 days), its end date is one day more than the end date of my CA. Thus all the certs I sign are invalid. When I click a .der, it shows invalid and a msg is displayed... "The validity period of this certificate exceeds that of its certification authority."
>
> Even if I put default_days = 365, my certs shall begin to go invalid one year before my CA expires!!
>
> ?? Is there any way to ensure that my certs are valid for as long as my CA is ?? What setting do I need to make??
>
> Thanx in advance
> Shobhit
>
> -
> This email message and files transmitted with it are confidential, proprietary and legally privileged. If the message that is received is an error, or if there is any mistransmission, the originator must be notified immediately as the unauthorized use, dissemination, publication, transfer or any other use of the message by unauthorized person is strictly forbidden by law and prohibited. If anybody commits violation then he would be legally liable and punishable under the relevant law. The intended recipient can be rest assured that the confidentiality and privilege is not waived or lost by any such mistransmission. Internet communications are not secure unless it is protected by using strong cryptography. TCS does not accept any responsibility whatsoever for changes in the nature of modifications, additions, deletions made to the message once it is sent. TCS reserves the right to monitor all e-mail communications through its network.
> - Tata Consultancy Services www.tcs.com

--
FERDINANDO RICCHIUTI
Research Development
CSP s.c. a r.l.
Villa Gualino Viale Settimo Severo, 63 - 10133 Torino [IT]
e-mail [EMAIL PROTECTED]
mob +39 (0)348 6023959
tel +39 (0)11 3165401
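The scripted route (option 1 above) carried through, as an added example that is not from the thread: instead of letting default_days count from today, it reads the CA certificate's notAfter and passes it to openssl ca -enddate, so a certificate signed tomorrow still expires together with the CA. It assumes an openssl ca that accepts -enddate, an openssl.cnf in the current directory, and GNU date for the conversion; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. "default_days" in openssl.cnf always
# counts from today, so a certificate signed tomorrow outlives the CA by a
# day. Instead, read the CA certificate's notAfter and hand it to
# "openssl ca -enddate", which expects YYMMDDHHMMSSZ (ASN.1 UTCTime).
# Assumptions: openssl ca accepts -enddate, openssl.cnf is in the current
# directory, and GNU date is available for the date conversion.
set -eu

# Convert the "notAfter=Apr 24 12:00:00 2004 GMT" line printed by
# "openssl x509 -enddate" into the UTCTime form openssl ca wants
# ("040424120000Z" for that input).
utctime_from_notafter() {
    stamp=${1#notAfter=}
    date -u -d "$stamp" +%y%m%d%H%M%SZ
}

# Same input, but as epoch seconds so two expiry dates can be compared.
epoch_from_notafter() {
    stamp=${1#notAfter=}
    date -u -d "$stamp" +%s
}

# Print a certificate's notAfter line ("notAfter=...").
notafter_of() {
    openssl x509 -in "$1" -noout -enddate
}

# Sign a request so its notAfter is exactly the CA's. -enddate overrides
# default_days, so the new certificate can never outlive its issuer.
sign_until_ca_expires() {
    cacert=$1 csr=$2 out=$3
    openssl ca -batch -config openssl.cnf -cert "$cacert" \
        -in "$csr" -out "$out" \
        -enddate "$(utctime_from_notafter "$(notafter_of "$cacert")")"
}

# Check after the fact: succeeds (status 0) when the issued certificate
# expires no later than the CA certificate.
expires_with_ca() {
    ca=$(epoch_from_notafter "$(notafter_of "$1")")
    leaf=$(epoch_from_notafter "$(notafter_of "$2")")
    [ "$leaf" -le "$ca" ]
}
```

Typical use is `sign_until_ca_expires cacert.pem req.pem newcert.pem && expires_with_ca cacert.pem newcert.pem`; the second call is the same comparison the browser makes when it reports that the certificate's validity exceeds its CA's.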
i need some help
Hello users,

I have already installed OpenSSL and now what should I do for a functional Apache with SSL support?

regards,
Kalpesh
Set Serial Number Option with OPENSSL REQ X509
Hi there,

Is there anybody out there who could solve the set serial number option problem with the openssl req x509 command? What I would like to do is to create a self-signed root cert with a supplied serial number (i.e. not the default 00). Is the option provided in the latest release or one of the latest snapshots? I could not find anything in the release notes (maybe I did not search well enough).

Thanks for your help,
Mike
certificate validity
I'm using openssl 0.9.5a. For making a new CA, I specify validity of 1000 days and I also want my certs to be valid, by default (i.e. if no end date is specified), for as long as the CA. For this I specified the following in openssl.cnf:

    default_days = 1000 # how long to certify for

But by doing this the certs become valid for 1000 days from the system date. Now if I configure my CA today (valid till 1000 days from now) and then sign a cert tomorrow (for 1000 days), its end date is one day more than the end date of my CA. Thus all the certs I sign are invalid. When I click a .der, it shows invalid and a msg is displayed... "The validity period of this certificate exceeds that of its certification authority."

Even if I put default_days = 365, my certs shall begin to go invalid one year before my CA expires!!

?? Is there any way to ensure that my certs are valid for as long as my CA is ?? What setting do I need to make??

Thanx in advance
Shobhit
Re: Smart Card Readers
Hi,

How do you work with openssl and PKCS11 SmartCard readers? Can we export a PKCS11 certificate with the command line tool? I can only see a pkcs12 command.

Thanks
Regards
Maxime DUBOIS
Client authentication
Hi,

I have the following certificates:

    root.cert      - self signed CA
    node1root.cert - issued by root
    node2root.cert - issued by root
    daemon.cert    - issued by node1root
    client1.cert   - issued by node2root

I have an SSL server which uses the daemon.cert and has root.cert and node1.cert in its certificateChain. I want to accept and authenticate clients issued by node2root. Not all 'children' to root.cert.

My question is what do I put in SSL_CTX_add_client_CA() to make my CA list, and what should I put in the file SSL_CTX_load_verify_locations() loads?

In the end I want to do this without any file loading, but then I have to be sure of how these things work. I've been through the archive and can't really find anything matching my question.

Many thanks
Peter
Re: MacOS X OpenSSL Compilation
Matthew Watkins wrote:
> I wonder if anyone can help me with a quick question. I've been attempting to build OpenSSL on Mac OS X, and appear to have hit a brick wall.

Indeed, it is a brick wall. But if you remove some stones, it leaves a gap wide enough to slip through... :-) BTW, it was a concrete wall with Mac OS X Public Beta. Stupid frameworks...

> After trying several options, I decided the following commands would be most suitable to compile from source:
>
>     ./Configure no-threads no-asm no-dso rhapsody-ppc-cc
>     make

Both patches mentioned below add auto-recognition of Darwin.

> I get a reasonable way through, but the compile stops with undefined symbols while running through the apps directory. Any ideas what might be going wrong?

Okay, I'll try to explain. The fundamental problem is that a) Apple ships shared libraries built from OpenSSL 0.9.5a, b) they don't ship the associated headers so the libraries are useless for compiling apps on your own and c) the linker always prefers shared libraries, even when there is a static library in a directory listed earlier in the search path.

There are several ways out of this misery:

Alternative 1: Remove the symlinks /usr/lib/libssl.dylib and /usr/lib/libcrypto.dylib. Then the linker won't find these libraries while linking. Existing executables will still run because they look for libssl.0.9.dylib and libcrypto.0.9.dylib directly. This is a hack and will only get you static OpenSSL libraries.

Alternative 2: Try to use Apple's patch or, more accurately, Apple's patched version of OpenSSL. You can get it from the Darwin CVS repository, see http://www.opensource.apple.com/. I'm not sure which version it is. Also, Apple has a funny way of integrating packages into their overall build system, http://www.darwinfo.org/ is of help here. IIRC, they let OpenSSL build static libraries and afterwards create shared ones from that (side note: this is possible on Darwin because all code is PIC by default). So this may or may not solve your problems.

Alternative 3: Try to use the patch that I composed for Fink (http://fink.sourceforge.net), an add-on distribution of Unix software for Mac OS X. That patch solves the problems by adding Darwin shared library support directly to OpenSSL 0.9.6 and making sure the libraries are built before the openssl executable is linked (SHLIB_MARK1 and SHLIB_MARK2). You can get the patch from the CVS repository, http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/fink/packages/dists/stable/crypto/finkinfo/openssl-0.9.6-1.patch (Apply with patch -p1 inside the OpenSSL source directory.)

Note that in all three cases you must add -DUSE_TOD to the compiler flags because Mac OS X ships with a header file for ftime(), but not with an implementation. :-(

Hope this helps,
chrisp

--
chrisp a.k.a. Christoph Pfisterer    [EMAIL PROTECTED] - http://chrisp.de
PGP key, geek code available
"If that makes any sense to you, you have a big problem."
Re: Client authentication
On Tue, Apr 24, 2001 at 12:27:28PM +0200, Peter Lindsäth wrote:
> I have the following certificates:
>
>     root.cert      - self signed CA
>     node1root.cert - issued by root
>     node2root.cert - issued by root
>     daemon.cert    - issued by node1root
>     client1.cert   - issued by node2root
>
> I have an SSL server which uses the daemon.cert and has root.cert and node1.cert in its certificateChain. I want to accept and authenticate clients issued by node2root. Not all 'children' to root.cert.
>
> My question is what do I put in SSL_CTX_add_client_CA() to make my CA list, and what should I put in the file SSL_CTX_load_verify_locations() loads?

Disclaimer: I haven't tested any of the following ideas!

1. You put node2root.cert into SSL_CTX_add_client_CA(). Therefore you advertise that you trust node2root.cert. (You could also add root.cert instead, it must be filtered out in step 3 anyway.)

2. You put root.cert to SSL_CTX_load_verify_locations(). When a client certificate is presented, it will undergo the complete check of the OpenSSL library including certificate purpose etc. If it fails in any regard, further checks can be omitted anyway. (When the root cert is not found, the error message appearing will depend on the certificate chain sent (with/without root cert), so catching this special condition may be difficult. Also, the certificate chain verification has been carefully crafted by Steve Henson and I would rather trust this verification routine and only later apply an additional check than trying to hack something together myself.)

3. After establishing the connection, you call SSL_get_peer_cert_chain() and examine the chain. If node2root.cert is not part of the chain (use X509_cmp() to compare certificates), close the connection immediately and remove the session, as it became invalid.

3a. Step 3 can be modified in a way that the verification already takes place in the verify_callback. If you always know for sure that node2root.cert is issued by root.cert (level 1), you can check at level 1 whether node2root.cert is matched and flag failure if not. This may however become tricky later when you change your structure and want to change your CA structure. You have forgotten about this special restriction (level 1 checking) and spend weeks finding out why it fails with your new structure... Therefore the corresponding checks in verify_callback() must be carefully crafted to be flexible enough. Maybe set a flag when the trusted CA was found at any level and then on the last level, when OK is found, check whether the trusted flag is set and only then let the OK pass and change to fail otherwise.

I personally would tend to version 3a on the long run...

Best regards,
Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
Re: Client authentication
Lutz Jaenicke wrote:
> On Tue, Apr 24, 2001 at 12:27:28PM +0200, Peter Lindsäth wrote:
> > My question is what do I put in SSL_CTX_add_client_CA() to make my CA list, and what should I put in the file SSL_CTX_load_verify_locations() loads?
>
> Disclaimer: I haven't tested any of the following ideas!
> [...]
> I personally would tend to version 3a on the long run...
>
> Best regards,
> Lutz

Thanks for the tip.

Well, now there seems to be a problem making an intermediate CA using the self signed CA. I've been trying some different approaches but I don't seem to get it right. The most commonly proposed method, in the mail-archive, would be using the following line:

    openssl x509 -req -in node2root.req -CA root.cert -CAkey root.key -out node2root.cert -CAcreateserial

This, however, doesn't seem to work if you trust the output of 'openssl x509 -in node2root.cert -noout -text'. And by using the cert with my application X509_V_ERR_INVALID_CA is received. I guess the line 'CA:TRUE' is missing in the 'X509v3 Basic Constraints', but how do I fix that?

Ever so thankful
/Peter
Re: Password only with CallBack Func ?
Excuse me for my above silly question: can you specify a password in the call PEM_XX_READ?

Hausermann Laurent wrote:
> Hi all,
>
> I am writing a JAVA wrapper for OpenSSL, and I want to use the PEM_read_foobar functions. The problem is I can't use a callback function. Is there any way in the API to decrypt after reading the PEM through the BIO?
>
> Thanks
> Laurent
Computing the PEM write size
Hi all,

I want to use the PEM_write_bio_PrivateKey function into a memory BIO... I have to create a new BIO with sufficient memory space, but how can I know the size of the PEM data before calling the writing function?

Thanks in advance.
Laurent

PS: I wanted to do that for communication between JAVA and libcrypto.
Re: Computing the PEM write size
The memory BIO will grow itself as needed to hold data written into it. You do not need to size it in advance.

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_

- Original Message -
From: Hausermann Laurent [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 24, 2001 10:01 AM
Subject: Computing the PEM write size

> Hi all,
>
> I want to use the PEM_write_bio_PrivateKey function into a memory BIO... I have to create a new BIO with sufficient memory space, but how can I know the size of the PEM data before calling the writing function?
>
> Thanks in advance.
> Laurent
>
> PS: I wanted to do that for communication between JAVA and libcrypto.
Re: tracing SSL handshake?
Also you might find the ssldump tool useful. Please see www.rtfm.com/ssldump.

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_

- Original Message -
From: Lutz Jaenicke [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 23, 2001 7:07 PM
Subject: Re: tracing SSL handshake?

> On Mon, Apr 23, 2001 at 04:45:13PM -0400, George Lind wrote:
> > -Original Message-
> > From: George Lind
> > Sent: Monday, April 23, 2001 2:23 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: tracing SSL handshake?
> >
> > I would like my server program to be able to trace all the data that is being passed back and forth during the handshake. How do I do this?
>
> grep for bio_dump_cb in openssl/apps/*.c
>
> Best regards,
> Lutz
Re: Client authentication
On Tue, Apr 24, 2001 at 03:41:58PM +0200, Peter Lindsäth wrote:
> Well, now there seems to be a problem making an intermediate CA using the self signed CA. I've been trying some different approaches but I don't seem to get it right. The most commonly proposed method, in the mail-archive, would be using the following line:
>
>     openssl x509 -req -in node2root.req -CA root.cert -CAkey root.key -out node2root.cert -CAcreateserial
>
> This, however, doesn't seem to work if you trust the output of 'openssl x509 -in node2root.cert -noout -text'. And by using the cert with my application X509_V_ERR_INVALID_CA is received. I guess the line 'CA:TRUE' is missing in the 'X509v3 Basic Constraints', but how do I fix that?

If your node2root shall be an intermediate CA, you need to add something like -extensions v3_ca. This way, a new intermediate CA that can issue certificates is created. Have a look into openssl.cnf and create your own section v3_ca_sslclient and restrict the CA to be just sslCA. (Maybe even just an ssl-client CA, if possible.)

I am not an expert on this topic, but I am sure this discussion gave you enough keywords to query your favorite search engine...

Best regards,
Lutz
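Lutz's suggestion carried through, as an added example that is not part of the thread: Peter's x509 -req command as posted (which yields no Basic Constraints) next to the same command with an -extfile section that makes node2root.cert a CA restricted to sslCA, followed by the two checks a server operator would run. The file names come from the thread and the section name v3_ca_sslclient from Lutz; the section contents, the node2root-plain.cert name and the function names are this example's own, and everything is generated with throwaway keys in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread: issue node2root.cert as an intermediate
# CA the way Lutz describes, i.e. Peter's x509 -req command plus -extfile and
# -extensions, then confirm Basic Constraints carries CA:TRUE and that the
# certificate verifies against root.cert. The section name v3_ca_sslclient
# follows Lutz's suggestion; its contents are this example's own reading of
# "restrict the CA to be just sslCA". Everything is built in a scratch
# directory with throwaway keys.
set -eu

# Extension section for an intermediate CA that may only act as an SSL CA:
# CA:TRUE is what X509_V_ERR_INVALID_CA was complaining about, pathlen:0
# stops it from creating further sub-CAs, keyUsage limits the key to
# signing certificates and CRLs, and nsCertType = sslCA restricts the
# Netscape certificate type.
write_extfile() {
    cat > "$1" <<'EOF'
[ v3_ca_sslclient ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nsCertType = sslCA
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed root.cert and a request for node2root, both in directory $1.
make_root_and_request() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1000 -subj "/CN=root" \
        -keyout "$1/root.key" -out "$1/root.cert" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=node2root" \
        -keyout "$1/node2root.key" -out "$1/node2root.req" 2>/dev/null
}

# Peter's command as posted: no extensions, so no Basic Constraints.
sign_without_extensions() {
    openssl x509 -req -in "$1/node2root.req" -CA "$1/root.cert" \
        -CAkey "$1/root.key" -CAcreateserial -days 1000 \
        -out "$1/node2root-plain.cert" 2>/dev/null
}

# The same command with the extension section applied.
sign_as_intermediate_ca() {
    write_extfile "$1/ca_ext.cnf"
    openssl x509 -req -in "$1/node2root.req" -CA "$1/root.cert" \
        -CAkey "$1/root.key" -CAcreateserial -days 1000 \
        -extfile "$1/ca_ext.cnf" -extensions v3_ca_sslclient \
        -out "$1/node2root.cert" 2>/dev/null
}

# Status 0 when the certificate asserts CA:TRUE in X509v3 Basic Constraints.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Status 0 when the certificate builds a valid chain to the given root.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build both variants and report which one is usable as a CA.
demo() {
    dir=$(mktemp -d)
    make_root_and_request "$dir"
    sign_without_extensions "$dir"
    sign_as_intermediate_ca "$dir"
    if is_ca_cert "$dir/node2root-plain.cert"; then
        echo "plain: CA:TRUE (unexpected)"
    else
        echo "plain: no CA:TRUE, a server would report X509_V_ERR_INVALID_CA"
    fi
    if is_ca_cert "$dir/node2root.cert" && chains_to_root "$dir/root.cert" "$dir/node2root.cert"; then
        echo "with v3_ca_sslclient: CA:TRUE and chains to root.cert"
    fi
    rm -rf "$dir"
}
```

Call `demo` to run both variants end to end; `openssl x509 -in node2root.cert -noout -text` then shows the Basic Constraints and Netscape Cert Type lines that Peter's output lacked.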
Re: Smart Card Readers
Hello Maxime,

You can find out more about the pkcs11 standard here: http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/

When Smart Card manufacturers say their cards are PKCS11 compliant, correct me if I'm wrong, I take this to mean that the card is designed for x509 certificates and it has the ability to generate keys securely on the token. There are ways you can call this function from Netscape and MSIE. After keys are generated on the token the certificate request/public component is sent to the CA for signing. You can use openssl to sign the certificate request and convert the signed request into a structure that can then be installed back on to the smartcard - the signed certificate and root certificate etc. You can also import pkcs12 files onto pkcs11 compliant smart cards using Netscape.

On another note I am able to answer my own question on the ibutton. You can't buy it, the token is licensed to you on an annual basis. Which to me sounds problematic as I don't know what happens if you stop paying them.

Bye,
Oliver

- Original Message -
From: Maxime Dubois [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, April 07, 2001 8:06 PM
Subject: Re: Smart Card Readers

> Hi,
>
> How do you work with openssl and PKCS11 SmartCard readers? Can we export a PKCS11 certificate with the command line tool? I can only see a pkcs12 command.
>
> Thanks
> Regards
> Maxime DUBOIS
client continues after server fails
My server is doing client authentication. My client is also using verify peer. When the client attempts to connect it gets a certificate from the server and continues on. The server is not receiving a certificate from the client so it is failing. The client attempts to write to the server but the SSL_write fails because the server has failed. How can I stop the client before attempting to write to the server? Shouldn't the client fail on its connect if the handshake is not successful on both ends?

Thanks,
George
Certificate from PKCS#7
Hello!

I've got (received) a PKCS#7 signed and enveloped. How can I get the certificate from the signer?

Thanks in advance,
Antonio.

--
Antonio Ruiz Martínez
Facultad de Informática-Universidad de Murcia
30001 Murcia - España (Spain)
Telf: +34-968-364644
e-mail: [EMAIL PROTECTED]
Re: Smart Card Readers
From: Oliver Bode [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Smart Card Readers
Date sent: Wed, 25 Apr 2001 01:17:18 +1000
Send reply to: [EMAIL PROTECTED]

Oliver

You should forget that the Java iButton even exists. I wish I had. It has a lot of problems, such as a very slow transfer rate (about 150-300 characters per second), has serious problems with USB delivery, is very slow (takes about 7 minutes to generate a 1024 bit RSA key onboard), is only about 2% PKCS-11 compliant, and on and on and on. I would only recommend the Java iButton to my worst enemies, and even then I would think long and hard before doing so.

Ken

> Hello Maxime,
>
> You can find out more about the pkcs11 standard here: http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/
> [...]
> On another note I am able to answer my own question on the ibutton. You can't buy it, the token is licensed to you on an annual basis. Which to me sounds problematic as I don't know what happens if you stop paying them.
>
> Bye,
> Oliver

__
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED]
http://www.securenetterm.com
US export
Hi,

Netscape had two different versions of the browser for US and non-US? IE seems like it doesn't have different versions for US and non-US. How does it differentiate whether it's running in the US or outside? Or does it differentiate at all?

Any help would be appreciated.

Thanks,
Dave
Re: Smart Card Readers
Hi Ken,

After testing a few products and looking into this area in more detail I do think the IKey is the best value around. I'm still waiting to find out if the towitoko sign and crypt pack will do the job http://www.towitoko.com/deutsch/eng/prp.htm

I will take your word for it on the ibutton. It did strike me as odd a semiconductor company was making this. The licence thing is really bizarre. What happens to your private key when the licence runs out? I really liked the jewelry concept though.

Thanks,
Oliver

- Original Message -
From: Kenneth R. Robinette [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 25, 2001 1:30 AM
Subject: Re: Smart Card Readers

> Oliver
>
> You should forget that the Java iButton even exists. I wish I had.
> [...]
> I would only recommend the Java iButton to my worst enemies, and even then I would think long and hard before doing so.
>
> Ken
installation error of perl module related to SSLeay.so
Hi, this is my problem: when I run 'make install' to install the perl module "Net_SSLeay.pm-1.05" I get this:

===cut here===
# make install
mkdir blib
mkdir blib/lib
mkdir blib/lib/Net
mkdir blib/arch
mkdir blib/arch/auto
mkdir blib/arch/auto/Net
mkdir blib/arch/auto/Net/SSLeay
mkdir blib/lib/auto
mkdir blib/lib/auto/Net
mkdir blib/lib/auto/Net/SSLeay
mkdir blib/man3
cp SSLeay.pm blib/lib/Net/SSLeay.pm
AutoSplitting blib/lib/Net/SSLeay.pm (blib/lib/auto/Net/SSLeay)
blib/lib/Net/SSLeay.pm: some names are not unique when truncated to 8 characters:
directory blib/lib/auto/Net/SSLeay:
  ssl_read_all.al, ssl_read_until.al, ssl_read_CRLF.al truncate to ssl_read
  ssl_write_all.al, ssl_write_CRLF.al truncate to ssl_writ
/usr/bin/perl -I/usr/perl5/5.00503/sun4-solaris -I/usr/perl5/5.00503 /usr/perl5/5.00503/ExtUtils/xsubpp -typemap /usr/perl5/5.00503/ExtUtils/typemap -typemap typemap SSLeay.xs >xstmp.c && mv xstmp.c SSLeay.c
cc -c -I/usr/local/ssl/include -xO3 -xdepend -DVERSION=\"1.05\" -DXS_VERSION=\"1.05\" -KPIC -I/usr/perl5/5.00503/sun4-solaris/CORE SSLeay.c
cc: unrecognized option `-KPIC'
cc: language depend not recognized
cc: SSLeay.c: linker input file unused since linking not done
Running Mkbootstrap for Net::SSLeay ()
chmod 644 SSLeay.bs
LD_RUN_PATH="/usr/local/ssl/lib" cc -o blib/arch/auto/Net/SSLeay/SSLeay.so -R/usr/local/ssl/lib -G SSLeay.o -L/usr/local/ssl -L/usr/local/ssl/lib -lssl -lcrypto
cc: SSLeay.o: No such file or directory
*** Error code 1
make: Fatal error: Command failed for target `blib/arch/auto/Net/SSLeay/SSLeay.so'
===cut here===

What is this? Am I doing something wrong related to the installation of the openssl shared libraries? Help me... Thanks in advance,
Sergio.-
Sending client certificate
Hi,

I've read through the email list and documentation to find out how to set up the server side to request client certificates. What I haven't found is what I need to do on the client side to submit the client's certificate. What APIs do I need to use to do this?

Thanks,
Rob
Newbie Q: using RSA for copy protection?
If this has been discussed (I didn't see it in the archives) then could someone direct me to the right place?

I've been tasked with locking a piece of linux software to a given MAC address, possibly with an expiration time. My thought was to write a license generator which would take a date string and the MAC address, encrypt it with our private key, and write it to a file we would put on the machine. Then, at run time, the machine would decrypt this file with our public key (stored on the machine), and compare against the MAC address and date.

My question is: Has anyone already done this using the OpenSSL libs? If so, can you point me to it? If not, are there any good examples from which I could work? I've tried to hack one together from rsa_test.c but I don't really understand what I'm doing..

thanks very much,
dave.
Re: Sending client certificate
On Tue, Apr 24, 2001 at 10:09:45AM -0700, Rob Aulwes wrote:
I've read through the email list and documentation to find out how to set up the server side to request client certificates. What I haven't found is what I need to do on the client side to submit the client's certificate. What APIs do I need to use to do this?

The same as for the server side. You provide a certificate and a key and an openssl-based client will send it when requested.

Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: client continues after server fails
George,

On the server side, in your call to SSL_CTX_set_verify(), you have two choices if you want to enable client authentication: 1) SSL_VERIFY_PEER, and 2) SSL_VERIFY_FAIL_IF_NO_PEER_CERT. The first politely asks the client if it will please authenticate, but the handshake will succeed even if the client doesn't authenticate. With the second option, the client must authenticate or the handshake fails. Are you perhaps using option #1?

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_

- Original Message -
From: George Lind [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, April 24, 2001 11:44 AM
Subject: client continues after server fails

My server is doing client authentication. My client is also using verify peer. When the client attempts to connect it gets a certificate from the server and continues on. The server is not receiving a certificate from the client so it is failing. The client attempts to write to the server but the SSL_write fails because the server has failed. How can I stop the client before attempting to write to the server? Shouldn't the client fail on its connect if the handshake is not successful on both ends?

Thanks,
George
Re: US export
The US regulations used to require companies to have export and domestic versions. It is no longer necessary (although a review is required.)

/r$
Re: Newbie Q: using RSA for copy protection?
I've been tasked with locking a piece of linux software to a given MAC address, possibly with an expiration time.

How about making the license be a cert, where the MAC address appears as the subject DN and the expiration time appears in the validity period?

/r$
Re: Smart Card Readers
From: Oliver Bode [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Smart Card Readers
Date sent: Wed, 25 Apr 2001 03:07:45 +1000
Send reply to: [EMAIL PROTECTED]

Oliver

Your concern on the license has been answered by DS on their newsgroup. They switched policy some time ago and decided that once you purchase the Java iButton, the license is good as long as you want to use it. But no problem, if you order one, and try it out, you will not have to worry about the license. You will have given it to your kids to play with way before a year is up.

We still have several other tokens to test, but for now the Rainbow remains the best. The GemSAFE package is not bad, but a little expensive compared to the Rainbow and the Rainbow 2032 has much more memory (32K). I guess if USB is not an option, then perhaps I would consider the GemSAFE package. Both the GemSAFE and Rainbow have very good PKCS-11 support and everything works as advertised. I can import/export SSH public/private keys and certs with no problem, and both work well with OpenSSL (thanks to all the excellent help from Dr. Henson).

Ken
[Crypt::SSLeay] compile problems on HP-UX 10.20
In the make step I am getting:

ld: Invalid loader fixup for symbol $002B0009.
*** Error exit code 1
Stop.

Any help would be appreciated. Thanks.
- Rob
Certificate Chain..
Hi,

I have got a DER encoded certificate chain, and I wanna enumerate each certificate in the given DER encoded certificate chain. So how do I do this using the X509 functions in OpenSSL? Any help would be much appreciated..

Thanks
Aslam
Re: Newbie Q: using RSA for copy protection?
Ok, that sort of makes sense, I think. Still, does there exist a good guide or example for creating/verifying a certificate using the libcrypto out of the OpenSSL package? I think I'm getting tripped up in basics like data formats, etc that an example or tutorial would probably clear up.

thanks very much,
dave.

Rich Salz wrote:
I've been tasked with locking a piece of linux software to a given MAC address, possibly with an expiration time.

How about making the license be a cert, where the MAC address appears as the subject DN and the expiration time appears in the validity period?
/r$
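An added example, not code from any of the posters: it answers both the "Certificate Chain.." question above (walking a concatenated DER chain, which is what a loop over d2i_X509() with an advancing pointer does in C) and Rich's licence-as-certificate suggestion (read the leaf's subject CN and notAfter and compare them with the local MAC address and the date). The certificates are constructed, unsigned samples produced by the block's own minimal DER encoder; fake_cert, check_licence and the MAC value are assumptions, and signature verification is deliberately left out of the check.

```python
from datetime import datetime, timezone
# --- minimal DER encoder, used only to build the constructed sample chain ---
def der_len(n):  # short form below 128, else 0x80|count followed by big-endian bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def seq(*items):
    return tlv(0x30, b"".join(items))

OID_CN = b"\x55\x04\x03"                                  # id-at-commonName, 2.5.4.3
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"

def name(cn):  # Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue); one CN attribute
    return seq(tlv(0x31, seq(tlv(0x06, OID_CN), tlv(0x13, cn.encode()))))
def utctime(iso_date):  # "YYYY-MM-DD" -> UTCTime YYMMDDHHMMSSZ
    return tlv(0x17, datetime.strptime(iso_date, "%Y-%m-%d").strftime("%y%m%d%H%M%SZ").encode())

def fake_cert(subject_cn, issuer_cn, not_before, not_after):
    """Unsigned Certificate with the real X.509 field order (hypothetical sample)."""
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                    # [0] EXPLICIT version v3
        tlv(0x02, b"\x01"),                               # serialNumber
        seq(tlv(0x06, OID_SHA256_RSA)),                   # signature AlgorithmIdentifier
        name(issuer_cn),
        seq(utctime(not_before), utctime(not_after)),     # validity
        name(subject_cn),
        seq(tlv(0x05, b"")),                              # subjectPublicKeyInfo placeholder
    )
    return seq(tbs, seq(tlv(0x06, OID_SHA256_RSA)), tlv(0x03, b"\x00"))  # placeholder signatureValue

# --- DER walker: what a loop over d2i_X509() with an advancing pointer does ---
def der_items(buf):
    """Yield (tag, body, raw) per top-level element; reject BER or truncated input."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2 or buf[i + 1] == 0x80:
            raise ValueError("truncated header or indefinite (BER) length at offset %d" % i)
        tag, first = buf[i], buf[i + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            n = first & 0x7F
            lbytes = buf[i + 2:i + 2 + n]
            if len(lbytes) != n:
                raise ValueError("truncated length at offset %d" % i)
            length, hdr = int.from_bytes(lbytes, "big"), 2 + n
        end = i + hdr + length
        if end > len(buf):
            raise ValueError("element at offset %d runs past the end of the data" % i)
        yield tag, buf[i + hdr:end], buf[i:end]
        i = end

def enumerate_chain(der_chain):  # each top-level SEQUENCE of a concatenated chain is one X509
    return [raw for tag, _, raw in der_items(der_chain) if tag == 0x30]

def cert_fields(cert):
    """(subject CN, notAfter): what X509_get_subject_name()/X509_get_notAfter() expose in C."""
    cert_body = next(der_items(cert))[1]                  # Certificate ::= SEQUENCE {...}
    tbs = next(der_items(cert_body))[1]                   # tbsCertificate is its first child
    parts = [(t, b) for t, b, _ in der_items(tbs)]
    if parts[0][0] == 0xA0:                               # skip the optional [0] version
        parts = parts[1:]
    validity, subject = parts[3][1], parts[4][1]          # serial, sigalg, issuer, validity, subject
    not_after = [b for _, b, _ in der_items(validity)][1].decode()
    not_after = datetime.strptime(not_after, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    cn = None
    for _, rdn, _ in der_items(subject):
        for _, atv, _ in der_items(rdn):
            oid, val = [(t, b) for t, b, _ in der_items(atv)]
            if oid[1] == OID_CN:
                cn = val[1].decode()
    return cn, not_after

def check_licence(der_chain, local_mac, today):
    """Leaf CN must equal this host's MAC and notAfter must not have passed ('today' is an
    ISO date). Signature/chain verification is NOT done here; do it first in real use."""
    cn, not_after = cert_fields(enumerate_chain(der_chain)[0])
    if cn != local_mac:
        return "mac-mismatch"
    if datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc) > not_after:
        return "expired"
    return "ok"

MAC = "00:11:22:33:44:55"  # constructed sample: licence certificate for this MAC, then its issuing CA
CHAIN = (fake_cert(MAC, "Licence CA", "2001-04-24", "2002-04-24")
         + fake_cert("Licence CA", "Licence CA", "2001-04-24", "2011-04-24"))
```

The leaf certificate is 129 bytes of body, so the walker exercises the long-form length that real certificates always use, while the CA sample stays in short form.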
Re: openssl-0.9.6a
On Tue, Apr 24, 2001 at 09:13:56AM +0200, Richard Levitte - VMS Whacker wrote:
...
The way to build shared libraries has changed a bit. Exactly in what way did it fail, and exactly how did you configure? Basically, you have to configure with the keyword shared as argument, or shared library support will definitely fail.

yeuk. for a change like that, I would expect at least a minor revnum change, not just tacking on an 'a' to the end.
Re: Smart Card Readers
Kenneth R. Robinette wrote:
But no problem, if you order one, and try it out, you will not have to worry about the license. You will have given it to your kids to play with way before a year is up.

This said, if you are successful in using the iButton with the pkcs#11, you can be confident you have a program that can work with any pkcs#11 library that is able to work with Netscape, no matter how badly the interface is implemented. The only way to get it working is to do the same things as Netscape, in the same order, with the same values in the arguments. Any deviation from that means failure.

Both the GemSAFE and Rainbow have very good PKCS-11 support and everything works as advertised. I can import/export SSH public/private keys and certs with no problem, and both work well with OpenSSL (thanks to all the excellent help from Dr. Henson).

Hum, import/export SSH public/private keys? I know the Gemsafe cards allow you to import RSA private keys from PKCS#12. Not sure if this is a great idea or not :-) It is convenient in some cases.
Re: [Crypt::SSLeay]problems access https 128 bit
[EMAIL PROTECTED] wrote:
I've got a web client using LWP working quite well. I've installed CryptSSLeay and Open SSL. I'm getting SSL access to secure sites at 40 bit without problems. I would like to connect to sites at 128 bit using the SSLv3 protocol. In this case I'm getting an error 403.5. I'm looking for any information on how to go about this. Anyone got any ideas?

I don't know what the problem is, but if you give me a URL, I can check it out and see if I can get my Crypt::SSLeay LWP to connect to it.

--Josh
Re: [Crypt::SSLeay] compile problems on HP-UX 10.20
On Tue, Apr 24, 2001 at 02:05:17PM -0400, [EMAIL PROTECTED] wrote:
In the make step I am getting:
ld: Invalid loader fixup for symbol $002B0009.
*** Error exit code 1

This error indicates that you are trying to use an object file created for static linking for shared library use. Object files to be used with shared libraries must be compiled with the +z/+Z (or -fpic/-fPIC for gcc) compiler options.

Best regards,
Lutz
Re: Crypt::SSLeay compile/test problem
Arin Komins wrote:
Hi there, I'm trying to install Crypt::SSLeay on a Solaris 7 machine. When I get to the make test:

PERL_DL_NONLAZY=1 /opt/bin/perl -Iblib/arch -Iblib/lib -I/opt/pkgs/perl5-5.005_02/lib/5.00502/sun4-solaris -I/opt/pkgs/perl5-5.005_02/lib/5.00502 -e 'use Test::Harness qw(runtests $verbose); $verbose=0; runtests @ARGV;' t/*.t
t/ssl_context...Can't load 'blib/arch/auto/Crypt/SSLeay/SSLeay.so' for module Crypt::SSLeay: ld.so.1: /opt/bin/perl: fatal: relocation error: file blib/arch/auto/Crypt/SSLeay/SSLeay.so: symbol EVP_PKEY_size: referenced symbol not found at /opt/pkgs/perl5-5.005_02/lib/5.00502/sun4-solaris/DynaLoader.pm line 168.

Generally, I would recommend using gcc if you are not, as the sun compilers seem quirky. Also make sure your LD_LIBRARY_PATH env variable includes the location of your openssl libs, as my experience on Solaris 2.6 makes me guess that symbol not found errors are often this. If you do find out how to fix this problem, it would be great if you could post the solution to the list for future generations. :)

-- Josh
Re: Smart Card Readers
Date sent: Tue, 24 Apr 2001 20:47:13 +0200
From: Jean-Marc Desperrier [EMAIL PROTECTED]
Organization: Certplus
To: [EMAIL PROTECTED]
Subject: Re: Smart Card Readers
Send reply to: [EMAIL PROTECTED]

True about Netscape, but this assumes that all you want to do is what Netscape can do. Have you ever tried putting a public key on the iButton using PKCS-11 other than by C_GenerateKeyPair? I did, and it does not work. Why? Because DS said it was not designed to do so. They also state they wrote the PKCS-11 interface to do the bare minimum required by Netscape. Now of course you can write straight APDU code and do it, but who wants to write custom software for every device on the market?

But the real killer is the speed. Who in their right mind would pay more for a device which takes ~7 minutes to do a simple operation that any of the other devices will do in ~15 seconds? And to add insult to injury, it costs you more money for the honor to wait the 7 minutes. I don't think very many of us common folk will tolerate a device that takes 3-7 minutes to sign every email we send.

On the ability to export private keys, that feature is of course controlled by the sensitive flag and is under complete control of whatever/whoever placed the data on the device. Once it is set, nothing can retrieve the data (private key or whatever) off the device. GemSAFE goes one additional step and requires all private keys to be sensitive no matter what. And for extreme security that is probably a good idea as long as you always remember that once placed on the card, a private key can never be removed. That implies that if someone other than you placed it there, like most of the commercial CA's do, you do not have a backup of that key and obtaining a duplicate of that key is next to impossible. And remember, these devices have internal power that does die, and if you are unlucky, one will fail a couple of months after you have placed it in production. We have had several iButtons fail in a period of a few months. But, if you want to use the iButton, have at it.

Ken
Memory leaks
Hi,

I've created a program that connects to a https server and I've noticed some memory leaks. After a while I guessed it was in OpenSSL. I'm running OpenSSL 0.9.6 on Windows 2000, Visual C++ 6.0 (SP5). Does anyone know why this is happening?

Thanks a lot

---
#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>   /* the post listed ssl.h and err.h; 0.9.6 installs them under openssl/ */
#include <openssl/err.h>

int main(int argc, char *argv[])
{
    /* Registers every SSL cipher and digest. This allocates internal
       tables that are only released by the library's cleanup calls;
       nothing in this program releases them before exit. */
    SSLeay_add_ssl_algorithms();
    return 0;
}
--
Detected memory leaks!
Dumping objects -
Re: client continues after server fails
I am ORing these two constants together in my call to SSL_CTX_set_verify(). It still doesn't prevent the client from continuing. Do you have any other suggestions?

Thanks,
George