how do you generate a CRL?

[George Lind]

How do you generate a CRL with the openssl tool?

Thanks,
George

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

win32 verifry_callback error

[robert]

Hi
Has anyone seen this error before.
I'm compiling on nt4 with ms visual C++ 5/6

The method that i call:

int X509CTX_verify_callback(int ok, X509_STORE_CTX *ctx)
{;}


The Call:

   SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|
 SSL_VERIFY_FAIL_IF_NO_PEER_CERT, X509CTX_verify_callback);


The Error:

SSLClient.cpp
G:\Program Files\PhoneCard\SSLClient.cpp(599)
: error C2664: 'SSL_CTX_set_verify'
: cannot convert parameter 3
from 'int (int,struct x509_store_ctx_st *)' to 'int (__cdecl *)(int,struct
x509_store_ctx_st *)'

Thanx
robert

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Verify Callback

[Antonio Ruiz Martínez]

Hello!

I'm some questions

1)
int verify_callback(int ok, X509_STORE_CTX *ctx);

Does this function make the verification of the certificate received
with the certificate of the his CA?

2) How I can generate a store of certificates?

Thanks in advance,
Regards,
Antonio.

--
--
Antonio Ruiz Martínez
Facultad de Informática-Universidad de Murcia
30001 Murcia - España (Spain)
Telf: +34-968-364644 e-mail: [EMAIL PROTECTED]
--


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Client certificates on smart card ?

[Rainer Kaufmann]

Hello,

I have a question using certificates when using client authentication on
server side.
Normally the client's X509 certificate is stored on the local harddisk and
SSL_CTX_use_certificate_file is used to tell the library were it can be
found, is that right ?
Is it possible to 'forward' an authentication request to the client side
somehow into a smart card ?
What I searching is something like a callback function which is in the
context 'server wants you to authenticate and sent data .Fill struct
 with your answer or simply SSL_write()'.

Thanks, Rainer

-Ursprüngliche Nachricht-
Von: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]Im Auftrag von George Lind
Gesendet: Mittwoch, 2. Mai 2001 16:54
An: '[EMAIL PROTECTED]'
Betreff: how do you generate a CRL?


How do you generate a CRL with the openssl tool?

Thanks,
George

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Ttimeout when trying to connect to an non-SSL port ?

[Rainer Kaufmann]

Hi,

me again :-) I'm running into serious problems when trying to connect to a
server which does know nothing about SSL.
I.e. connecting to a telnet server with the following code snippet seems to
run into an infinite loop.

---
  SSL_METHOD* pSSLMeth;
  X509* pcrtCertificate;

  // Should timeout by itself
  if(connect(m_hSocket, psa, sizeof(SOCKADDR)) == SOCKET_ERROR)
  {
throw "CSSLSocket::Connect";
  }
  pSSLMeth = SSLv3_client_method();
  m_psscContext = SSL_CTX_new (pSSLMeth);

  // Set timeout according connect timeout ???
  SSL_CTX_set_timeout(m_psscContext, 1);//(ANSWER_TIMEOUT_TIME / 1000) + 4);

  // Create context and connect file descriptor(handle)
  m_pSSL = SSL_new (m_psscContext);
  ASSERT(m_pSSL != NULL);
  SSL_set_fd(m_pSSL, m_hSocket);
  SSL_connect(m_pSSL);

SSL_connect never returns, using SSL_CTX_set_timeout did have to effect.
Please help..

Thanks, Rainer


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [FAQ?] PRNGD and OpenSSL on Solaris 8

[Lutz Jaenicke]

On Wed, May 02, 2001 at 04:28:39PM +0200, Ed Voncken wrote:
> My question is:
> 
> - How do I configure OpenSSL for PRNGD (either UNIX or TCP socket)
> 
> I could not find a ./Configure option to specify an interface to PRNGD;
> I assume that it is a compile-time issue.

As of now (OpenSSL 0.9.6a), the problem must be solved at the application
level. The application must query the EGD socket (or port) or at least
call RAND_egd() with the name of the socket. A lot of applications allow
to specify the path to a EGD-style socket by parameter.
(If you have an application that does not support such an option,
like UW-imap, put a RAND_egd("/var/run/egd-pool"); into the startup
routine.)
Starting with OpenSSL 0.9.7, the OpenSSL library will automatically
query the locations "/var/run/egd-pool", "/dev/egd-pool", "/etc/egd-pool",
"/etc/entropy".

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Where are the low-level crypto functions implemented?

[Gila Sheftel]

Hi Steve!

It's good to hear from you (and reassuring to have you in the family)!

A GPK card (for example) can handle PKCS#1 operations, at least it says
so in the documentation, but I haven't been able to find any local
experts who advocate doing anything aside from Private key decrypt,
sign, and unwrap with it. That's all our local PKCS#11 API does, and it
satisfies the GemSafe and most other developmental needs.

Apparently using the card's processor for anything more becomes too
time-consuming.

I am working under Linux, so the Gemplus libraries at my disposal are
limited to David Corcoran's PCSC port (called MUSCLE) and the gp-core
libraries. All the work I've done so far with the card have involved
sending my own APDUs, but my teammate plans to steal some of the PKCS#11
API calls from the windows guys. 

Where and how we want to intercept those operations is exactly what
we're trying to decide, and making OpenSSL smartcard-compatible is our
ultimate goal -- I've got little mock-up demos of hacked SSH code
working with a smartcard (adding a ssh -S option to replace the call for
reading the private DSA key from the file and redirecting it to an
address in memory read directly from the card) and the purpose of those
was to demonstrate the usefulness of the smartcard to most OpenSSL-based
applications.

I've only recently heard about the OpenSSL Engine and the convenient
hardware-based encryption support. It looks like this is the perfect
place to start in order to offer smartcard support, but we've got a lot
of learning to do before we decide where to add what --

If you have any suggestions or if there's any way that we can combine
some of our efforts, then we'd be thrilled to help -- up
until now our plan was to offer an patch to openssl-0.9.6a
which included a modified libcrypto which was able to make calls to a
card on a serial port.

If we can somehow manage a smoother, more graceful solution, we'd be
singing...

And if we can manage getting us kids sent out to Europe to see you, hey,
who'd complain? 

Looking forward to hearing from you,
Gila. (And Benoit)
 
Dr S N Henson wrote:
 
> Hello,
> 
> My name is Stephen Henson, I'm one of the OpenSSL core developers who
> works for Celo and thus Gemplus.
> 
> What kind of facilities does the smartcard provide? Does it do high
> level PKCS#1 operations or just the raw 'private key operation'.
> 
> You can intercept both operations but how and where you do this depends
> on exactly what you want to do.
> 
> Which particular Gemplus libraries are you using? I'm myself getting up
> to speed on the Gemplus smart card side of things so maybe we could help
> each other here.
> 
> One possible project I'm considering for OpenSSL would be to provide
> support for smartcards (and thus Gemplus smartcards) in the core source
> code. The current ENGINE architecture for OpenSSL should help with this
> but I think it needs some additional support to make it as smart card
> friendly as possible.
> 
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

 
--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
Gila Monstre  [EMAIL PROTECTED] 
Fearless Geek(514)732-2459
Advanced Projects Group   Gemplus Software

We are the total of our longings.  -- Guy Gavriel Kay
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Cryto Laws

[Darryl Wagoner]

Greetings,

I am working on a program that will be used in every country.  The application
will NOT use any encryption and just use crypto libraries for digital
signatures.
It has been suggested that we use RSA for digital signatures.  Is this a good
idea?  What is the state of the world in regard to crypt laws?  Can we
use RSA without fear of locking out some countries?  Can we use DSA
without locking out some countries?

Thanks!
--
Darryl Wagoner - WA1GON

"Evil triumphs when good men do nothing."  - Edmund Burke [1729-1797]

Join the TrustedQSL mailing list.  An Open Source solution.
Post message: [EMAIL PROTECTED]
Subscribe:  [EMAIL PROTECTED]
List owner:  [EMAIL PROTECTED]
http://www.trustedQSL.org>


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Where are the low-level crypto functions implemented?

[Gila Sheftel]

Ahem. Apologies for that, again that was an e-mail intended for Dr.
Henson only and not intended to spam everyone else on the list.

What are the chances that we can get that "reply-to" field changed?

--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
Gila Monstre  [EMAIL PROTECTED] 
Fearless Geek(514)732-2459
Advanced Projects Group   Gemplus Software

A long memory is the most subversive idea in America.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Ttimeout when trying to connect to an non-SSL port ?

[Greg Stark]

The SSL_CTX_set_timeout() function does not do what you want. It sets the
lifetime of an SSL session, which is the period during which you can reuse
the pre-master secret and avoid expensive public key crypto ops.

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_



- Original Message -
From: "Rainer Kaufmann" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 02, 2001 11:34 AM
Subject: Ttimeout when trying to connect to an non-SSL port ?


> Hi,
>
> me again :-) I'm running into serious problems when trying to connect to a
> server which does know nothing about SSL.
> I.e. connecting to a telnet server with the following code snippet seems
to
> run into an infinite loop.
>
> ---
>   SSL_METHOD* pSSLMeth;
>   X509* pcrtCertificate;
>
>   // Should timeout by itself
>   if(connect(m_hSocket, psa, sizeof(SOCKADDR)) == SOCKET_ERROR)
>   {
> throw "CSSLSocket::Connect";
>   }
>   pSSLMeth = SSLv3_client_method();
>   m_psscContext = SSL_CTX_new (pSSLMeth);
>
>   // Set timeout according connect timeout ???
>   SSL_CTX_set_timeout(m_psscContext, 1);//(ANSWER_TIMEOUT_TIME / 1000) +
4);
>
>   // Create context and connect file descriptor(handle)
>   m_pSSL = SSL_new (m_psscContext);
>   ASSERT(m_pSSL != NULL);
>   SSL_set_fd(m_pSSL, m_hSocket);
>   SSL_connect(m_pSSL);
> 
> SSL_connect never returns, using SSL_CTX_set_timeout did have to effect.
> Please help..
>
> Thanks, Rainer
>
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Crypto API / OpenSSL Interoperability

[Mark . Berchem]

I have been able to successfully implement the following sequence of events
when:

a) Both the Client and the Server are using the MS Crypto API.
b) Both the Client and the Server are using OpenSLL.

On the Client:

1) Generate a Public/Private Key Pair.
2) Export the Public Key.
3) Transmit the Public Key to the Server.

On the Server:

1) Import the Public Key
2) Generate a Session Key for Triple DES Encryption.
3) Export the Session Key using the Public Key for Session Key Encryption.
4) Transmit the Encrypted Session Key to the Client.

On the Client:

1) Import the Encrypted Session Key using the Private Key for Session Key
Decryption.

Now that both sides have the Session Key, begin using it for Triple DES
message encryption/decryption.

The problem: I have not been able to process with the MS Crypto API on the
Client and OpenSSL on the Server.

I am accepting a Crypto API Public Key BLOB in the OpenSSL Server Code and
trying to generate (on the Server) a Crypto API Simple Key BLOB (containing
the Session Key) for the Client to import the encrypted Session Key.

Has anyone been able to get something like this to work?

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Crypto API / OpenSSL Interoperability

[Glenn Horton]

My guess is that you have a big-endian/little-endian 
problem. When I wanted to get CAPI to interoperate with the
encryption functions provided by RSA's Crypto-C toolkit I had
to byteswap the key values before the could be imported into
the other API. 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 02, 2001 12:57 PM
> To: [EMAIL PROTECTED]
> Subject: Crypto API / OpenSSL Interoperability
> 
> 
> I have been able to successfully implement the following 
> sequence of events
> when:
> 
> a) Both the Client and the Server are using the MS Crypto API.
> b) Both the Client and the Server are using OpenSLL.
> 
> On the Client:
> 
> 1) Generate a Public/Private Key Pair.
> 2) Export the Public Key.
> 3) Transmit the Public Key to the Server.
> 
> On the Server:
> 
> 1) Import the Public Key
> 2) Generate a Session Key for Triple DES Encryption.
> 3) Export the Session Key using the Public Key for Session 
> Key Encryption.
> 4) Transmit the Encrypted Session Key to the Client.
> 
> On the Client:
> 
> 1) Import the Encrypted Session Key using the Private Key for 
> Session Key
> Decryption.
> 
> Now that both sides have the Session Key, begin using it for 
> Triple DES
> message encryption/decryption.
> 
> The problem: I have not been able to process with the MS 
> Crypto API on the
> Client and OpenSSL on the Server.
> 
> I am accepting a Crypto API Public Key BLOB in the OpenSSL 
> Server Code and
> trying to generate (on the Server) a Crypto API Simple Key 
> BLOB (containing
> the Session Key) for the Client to import the encrypted Session Key.
> 
> Has anyone been able to get something like this to work?
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
> 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Cryto Laws

[Ulf Leichsenring]

> idea?  What is the state of the world in regard to crypt laws?  Can we

For a good overview of international crypto laws take a look at
http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm

Regards
Ulf

Ulf Leichsenring
Lufthansa Systems AS GmbH
Schützenwall 1
D-22844 Norderstedt

Tel.: +49-40-5070-7859
Fax:  +49-40-5070-7880
mailto:[EMAIL PROTECTED]
Internet: http://www.lhsystemsas.de


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Getting private key corresponding to a certificate installed in Internet Explorer..

[Greg Stark]

Yes, that is exactly what you need to do, unless you plan to reverse
engineer Microsoft's proprietary private key storage encryption mechanism.
_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_



- Original Message -
From: "Aslam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 02, 2001 10:44 AM
Subject: Getting private key corresponding to a certificate installed in
Internet Explorer..


> Hi,
>
> I have to perform some PKCS#7 sign operation on some message, and I have
to
> use the certificates in MY store of Windows 2000/IE.
> In order to use the openssl pkcs7 stuff I need the private key, so how do
i
> get it from the Microsoft CSP.. Do I have to export the certificate in
> pkcs12 format with the private key..??
>
> Any help is much more appriciated...
>
> Thanks
> Aslam
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [FAQ?] PRNGD and OpenSSL on Solaris 8

[Bradley W. McNamara]

Ed,

I'd try this freeware package:

http://www.cosy.sbg.ac.at/~andi/

It works great and it delivers better entropy than the typical entropy seed
file needed without it.  I've built a couple of packages ready for install,
which can be downloaded at:

ftp://ftp.zama6.net/pub/support/pkg/ANDIrand-0.6-sparc.tar.gz
ftp://ftp.zama6.net/pub/support/pkg/ANDIrand-0.6-intel.tar.gz

Brad McNamara
ZAMA Networks, Inc.

Ed Voncken wrote:

> Hello,
>
> I'm currently working on the implementation of OpenSSL on our Solaris
> servers.
>
> During tests on Solaris 8, I've encountered a "Not enough entropy in
> RNG" error. We came to the conclusion that we needed a /dev/random
> device or an entropy gathering device to supply a limitless source of
> random data.
>
> Three alternatives appear to be available:
> - SUNWski patch from Sun
> - EGD
> - PRNGD
>
> My inquiry with Sun has resulted in confusion; they were under the
> impression that SUNWski was a standard part of Solaris 8, but they could
> not find it themselves. Therefore I assume that SUNWski is not available
> and supported on Sun Solaris 8.
>
> After comparing EGD and PRNGD, I decided to implement PRNGD since it
> appears to be a non-blocking, and unlimited source of random data.
>
> My question is:
>
> - How do I configure OpenSSL for PRNGD (either UNIX or TCP socket)
>
> I could not find a ./Configure option to specify an interface to PRNGD;
> I assume that it is a compile-time issue.
>
> Other thoughts are also welcome.
>
> --
> Greetings,
>   Ed Voncken
>   Consultant UNIX
>
>** Not speaking on behalf of current or any previous employer **
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Generating certificate with large public key expoent value

[Bodo Moeller]

Jamshid Shoghli <[EMAIL PROTECTED]> in epsilon.openssl.dev:

> I am trying to generate certificates with public exponent of the public key
> with value 244 or higher,
>  
>RSA_generate_key(bits, exp, NULL, NULL);
> where bits is 1024, and exp is 244.
>  
> But this call never comes back. I tried with exp value of 3 or 5 and it
> comes back after a few seconds. Is there a limitation on the exp value? Is
> there a solution for this? exp of 244 or higher is a requirement for my
> certificates.

RSA moduli must be odd numbers.  65537 is a usual choice.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

sample server problem

[Misha Viner-Bykovskiy]

I'm trying to write a sample server under VMS using OpenSSL.
The client is in Phaos' SSLava on a Solaris machine.
My server program is sort of stuck in SSL_accept function: it returns
WANTS_READ code. The client is waiting.

Any thoughts?

I've already tried OpenSSL s_server: it works but (!) only if I use
"-www" switch (in which case SSL_accept function is not being used as
far as I can see from the source code).

Michael

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Is the ip address stored in an x509 certificate?

[Greg Stark]

The CN of the certificate must match the hostname you entered into Outlook
and OE's imap configuration. In other words, if you told Outlook the name of
the IMAP server is imap.blahblah.com, then the cert must have a CN of
imap.blahblah.com. If you put 1.2.3.4 in Outlook, the the CN must say
1.2.3.4.

Greg Stark
[EMAIL PROTECTED]


- Original Message -
From: "Joe Julian" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 01, 2001 3:53 PM
Subject: Is the ip address stored in an x509 certificate?


> I have Cyrus imap set up with openssl, and everything seems to be
> working... but... MS Outlook (and express) complains that "The server
> you are connected to is using a security certificate that does not
> match it's Internet address."
>
> I think this might be due to the fact that this machine has 3 NICs,
> thus three IP addresses. Reverse ip lookups, though, all show the
> same domain name, and CN is set to that domain name.
>
> __
> Do You Yahoo!?
> Yahoo! Auctions - buy the things you want at great prices
> http://auctions.yahoo.com/
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: several ip addresses

[Greg Stark]

You can add the second CN in the config file, something like
1.CN=CN#1
1.CN_default=127.0.0.1
2.CN=CN#2
2.CN_default=localhost


Greg Stark
[EMAIL PROTECTED]


- Original Message -
From: "Olivier Wegria" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 23, 2001 1:21 PM
Subject: RE: several ip addresses


> Thank you but how do I had a second CN? I usually use:
>
>  openssl req -new -nodes -x509 -out /var/key.pem -keyout
/var/key.pem -days
> 365
>
> it then asks a few questions and only once for CN. I tried CN, CN but it
> doesn't work.
>
> Thank you for any help
>
> Olivier
>
>
>
> -Message d'origine-
> De : [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]De la part de Greg Stark
> Envoyé : lundi 26 mars 2001 22:47
> À : [EMAIL PROTECTED]
> Objet : Re: several ip addresses
>
>
> add another CN with the second IP address.
> _
> Greg Stark
> Ethentica, Inc.
> [EMAIL PROTECTED]
> _
>
>
>
> - Original Message -
> From: "Olivier Wegria" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, March 26, 2001 7:36 AM
> Subject: several ip addresses
>
>
> > Hi there,
> >
> > I installed OpenSSL on my linux RH7 box and it works fine with
> > Cyrus. I created a self signed certificate to enable encryption between
> > MSoutlook and cyrus on our local network. I would like to access my mail
> > server through another gateway but then, my server is reachable via
> > another ip address. Therefore, I have a message saying that the
> > certificate doesn't match the address.
> > How can I create a valid certificate with 2 ip addresses? (I
> > don't have DNS)
> >
> > Thanks for any help
> >
> > Olivier
> >
> >
> >
> >
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

DSA with greater than 1024 bits

[Andy Adler]

I note that openssl supports DSA with more than 1024
bits. I've also seen several other vendors who claim
2048 bit DSA support.

This leads me to wonder:
1) Since the DSS specifies 512-1024 bits, how are 
these extentions calculated? And are the various
vendor implementations interoperable?

I took a look at the output of dsaparam, and
noted that parameters P,G are calculated at the full
length and Q is still 160 bits. I read somewhere
(I can't find the reference right now) that
the size of Q needs to be increased as P exceeds
1024 bits. This implies that a new hash instead
of SHA1 needs to be used - I've seen some web sites
talk about a SHA-2 hash.

Next Questions:
2) It is true that you need a bigger hash function
for DSA > 1024 bit? Does openssl implement this?
Does anyone implement it?


Thanks

Andy Adler | AiT | (613)722-2070 | [EMAIL PROTECTED] 

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

AES support in crypto Library ..

[imran badr]

I donot see AES support in the crypto library. Are we going to have that
soon ?

Thanks,
Imran Badr.



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RC4 doesn't always encrypt/decrypt the same way twice

[CGenrich]

If I use the code below to encrypt and decrypt it doesn't always produce the 
same results.  The majority of the time it works but I can't find anything 
explaining why it doesn't work 100% of the time.

void EnDe(unsigned char *buf)
{
RC4_KEY key;
unsigned char keys[17] = "s1fuk8wfe4hj9ksi";

RC4_set_key(&key,keys[0],&(keys[1]));

RC4(&key,strlen((const char *)buf), buf, buf);

}
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

perl -cw warning on Net::SSLeay::randomize

[Xeno Campanoli]

Not like this is a deadly sin, but it would be nice if the following bug
were fixed.  The "$rnsf" variable yields a warning from perl -w on the
following line, when a  blank
or false $rn_seed_file is passed:

unless ($rnsf || -r $Net::SSLeay::random_device || $seed || || -S
$egd_path) {


-- 
Email:  [EMAIL PROTECTED] (home home page: 
http://www.aa.net/~xeno)
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: RC4 doesn't always encrypt/decrypt the same way twice

[Jason Aras]

On Wed, 2 May 2001 [EMAIL PROTECTED] wrote:

> If I use the code below to encrypt and decrypt it doesn't always produce the 
> same results.  The majority of the time it works but I can't find anything 
> explaining why it doesn't work 100% of the time.
> 
> void EnDe(unsigned char *buf)
> {
> RC4_KEY key;
> unsigned char keys[17] = "s1fuk8wfe4hj9ksi";
> 
> RC4_set_key(&key,keys[0],&(keys[1]));
> 

I have not used RC4 routines before, just the RSA but strlen() wont work
on encrypted data because it can have null's now I am not sure if this is
the case or not w/ RC4 or not.  Its ok to encrypt w/ strlen() because you
are in theory encrypting text (or not?).

-jay

> RC4(&key,strlen((const char *)buf), buf, buf);
> 
> }
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
> 

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: [FAQ?] PRNGD and OpenSSL on Solaris 8

[phil]

On Wed, May 02, 2001 at 04:28:39PM +0200, Ed Voncken wrote:
> ...
> My inquiry with Sun has resulted in confusion; they were under the
> impression that SUNWski was a standard part of Solaris 8, but they could
> not find it themselves. Therefore I assume that SUNWski is not available
> and supported on Sun Solaris 8.

go to sunsolve.sun.com
go to "search patches"
search for SUNWski

You will turn up a patch that is rather large, for the webserver or
something silly, but one component is the SUNWski package.
install it with pkgadd.


(then do  ln -s /dev/random /dev/urandom)

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Query for Joshua Chamas...

[Mark S. Blamey]

Hello:

Best of the evening to you.

How can we get detailed instructions on how to install Open SSL?  We
would appreciate any assistance that can be made available.  We were
told that this would work only on a unix box, but apparently not looking
at your page
http://theoryx5.uwinnipeg.ca/CPAN/data/Crypt-SSLeay/SSLeay.html.

What caught my eye is that you've installed this on a WinNT SP6
platform, x86, and Perl 5.00502, which is exactly our configuration.
Please advise how we might gain some assistance.

Regards, Mark

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

dsaparam and gendsa

[Vivian Cancio]

In the 'dsaparam' manual the following parameter is described ...
   numbits
   this option specifies that a parameter set should be
   generated of size numbits. It must be the last option.
   If this option is included then the input file (if
   any) is ignored.

In the 'gendsa' manual the following parameter is described ...
   paramfile
   This option specifies the DSA parameter file to use.
   The parameters in this file determine the size of the
   private key. DSA parameters can be generated and
   examined using the openssl dsaparam command.

How do I determine the 'numbits' prameter so that I can get the correct DSA
private key size when using 'gendsa'.

Thanks

Vivian Cancio



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Capturing a Certificate

[Thompson, Andrew]

I've inherited an application built on openssl at work. It uses openssl to
create client ssl connections to web servers. To do this it needs the server
certificate to load to make the connection. Currently that certificate has
the issuer and subject followed by the begin and end certificate for the
server. However when our code (shown below) tries to find the key it fails.

   if (cert_file != NULL) {
  if (SSL_CTX_use_certificate_file(ctx,cert_file, SSL_FILETYPE_PEM) <=
0) {
 WriteLog("Unable to get certificate from '%s'\n", cert_file);
 SSL_error("SSL_CTX_use_cert_file\n");
 return(EXIT_FAILURE);
  }

  if (SSL_CTX_use_PrivateKey_file(ctx,key_file, SSL_FILETYPE_PEM) <= 0)
{
 WriteLog("Unable to get private key from '%s'\n", key_file);
 SSL_error("SSL_CTX_use_key_file\n");
 return(EXIT_FAILURE);
  }

  if (!SSL_CTX_check_private_key(ctx)) {
 WriteLog("Private key does not match the certificate public
key\n");
 return(EXIT_FAILURE);
  }

This and some of the other code gives us the following error message:

37 Unable to get private key from 'certs/server.pem'
37 SSL_CTX_use_key_file
: error:0906D06C:PEM routines:PEM_read_bio:no start line
37 Error setting up certificate
38 Unable to get private key from 'certs/server.pem'
38 SSL_CTX_use_key_file
: error:0906D06C:PEM routines:PEM_read_bio:no start line
38 Error setting up certificate
38 SSL_accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
cipher

Thus far I've gotten the certificate from internet exporer and using the
openssl utility but there's no private key that I can capture thus far. Does
it have to have a private key in the certificate? If so can openssl create a
complete certificate file?

Andrew Thompson
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: dsaparam and gendsa

[Eric Rescorla]

Vivian Cancio <[EMAIL PROTECTED]> writes:

> In the 'dsaparam' manual the following parameter is described ...
>numbits
>this option specifies that a parameter set should be
>generated of size numbits. It must be the last option.
>If this option is included then the input file (if
>any) is ignored.
> 
> In the 'gendsa' manual the following parameter is described ...
>paramfile
>This option specifies the DSA parameter file to use.
>The parameters in this file determine the size of the
>private key. DSA parameters can be generated and
>examined using the openssl dsaparam command.
> 
> How do I determine the 'numbits' prameter so that I can get the correct DSA
> private key size when using 'gendsa'.
DSA private keys are a constant size: 160 bits. The only adjustable
parameter is the size of the group, which is what you specify when
you use dsaparam. I recommend 1024 bits.

-Ekr
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: AES support in crypto Library ..

[Richard Levitte - VMS Whacker]

From: "imran badr" <[EMAIL PROTECTED]>

imran.badr> I donot see AES support in the crypto library. Are we
imran.badr> going to have that soon ?

It's in the development source, called Rijndael.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

MVS support

[Ravi Prakash B.V.]

Hi,

will Openssl work on S/390 with MVS ??
If so, give the pointers or link to download that code.

Thanks in advance,
Ravi




-- 
A man without a woman is like a statue without pigeons.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]