AW: n-cipher does not work with openssl-engine-0.9.6a

[Schwiete, Ralf]

Hello,

after I grep the whole include/ssl directory in the source-tree I had found
it.

Thankyou

 
 Use chil instead of ncipher.  The reason for this is that the
 interface used is called CHIL (C{something} Hardware Interface
 Library, IIRC, but nCipher folks will most probably have to correct
 me), which nCipher has tried to deploy as a standard interface for
 hadware access.
 
 -- 


-- 
Ralf Schwiete
Dresdner Global IT Services
Tel.:   +49 69 263 52224
e-Mail: [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

AW: Hanging in SSL_connect !

[Rainer Kaufmann]

Hi Marc,

thanks for your help ! The problem for me was to find a function which
switches the socket to nonblocking mode.
Found function ioctlsocket(m_hSocket, FIONBIO, ulArg); with ulArg  0.  :-)

Thank you !!!

-Ursprüngliche Nachricht-
Von: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]Im Auftrag von Marc Sherman
Gesendet: Donnerstag, 3. Mai 2001 18:32
An: '[EMAIL PROTECTED]'
Betreff: RE: Hanging in SSL_connect !


How about setting m_hSocket to non-blocking mode. I think SSL_connect() will
return SSL_ERROR_WANT_READ in the case you describe.

Marc

 -Original Message-
 From: Rainer Kaufmann [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, May 03, 2001 11:12 AM
 To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Hanging in SSL_connect !


 Hi,

 has somebody an idea to avoid the SSL library to hang in
 SSL_connect when
 the other side does not respond ?
 Starting a timer and calling SSL_shutdown and closesocket on
 timeout, causes
 the SSL library to crash :-(
 I think the problem is the library waiting in socket::recv after
 ssl3_get_server_hello when there is nothing to read. A simple
 socket::select
 would solve this...

 Any ideas ?

 Thanks, Rainer


 -Ursprüngliche Nachricht-
 Von: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]Im Auftrag von Rainer Kaufmann
 Gesendet: Mittwoch, 2. Mai 2001 17:34
 An: [EMAIL PROTECTED]
 Betreff: Ttimeout when trying to connect to an non-SSL port ?


 Hi,

 me again :-) I'm running into serious problems when trying to
 connect to a
 server which does know nothing about SSL.
 Connecting to a telnet server with the following code snippet
 runs into an
 infinite loop.

 ---
   SSL_METHOD* pSSLMeth;
   X509* pcrtCertificate;

   // Should timeout by itself
   if(connect(m_hSocket, psa, sizeof(SOCKADDR)) == SOCKET_ERROR)
   {
 throw CSSLSocket::Connect;
   }
   pSSLMeth = SSLv3_client_method();
   m_psscContext = SSL_CTX_new (pSSLMeth);

   // Create context and connect file descriptor(handle)
   m_pSSL = SSL_new (m_psscContext);
   ASSERT(m_pSSL != NULL);
   SSL_set_fd(m_pSSL, m_hSocket);
   SSL_connect(m_pSSL);
 

 Thanks, Rainer


 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]

 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

AW: Compiling on Solaris 2.6 gcc-2.95.2

[Schwiete, Ralf]

Hmmm...

I've compiled it with the same solaris-version and the same compiler. I also
have not the sys/bitypes.h and sys/cdefs.h. What development-packages from
SUN do you have installed? Do you use any flags with ./compile? 

Ralf Schwiete

-- 
Ralf Schwiete
Dresdner Global IT Services
Tel.:   +49 69 263 52224
e-Mail: [EMAIL PROTECTED]

 
 Compiling on Solaris 2.6 with gcc-2.95.2 from ftp.sunfreeware.com
 ./congif says: solaris-sparcv9-gcc
 
 I got the following errors:
 
 gcc -I.. -I../../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN
 -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall
 -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM   -c bss_fd.c -o bss_fd.o
 In file included from ../../include/openssl/e_os.h:354,
  from ../cryptlib.h:65,
  from bss_sock.c:64,
  from bss_fd.c:60:
 /usr/local/include/netdb.h:66: sys/bitypes.h: No such file or 
 directory
 /usr/local/include/netdb.h:68: sys/cdefs.h: No such file or directory
 
 anywhere in my filesystem I found these two files.
 
 Maybe this is more a gcc libraries question, buy I was wondering why
 these sys files were not included.
 
 Thanks for your help!
 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Client not sending CA's certificate

[Siva]

Hi all,
 Can anyone help me where to find sample code for 
"client certificate verification"

regards,
Siva K

how to create CRL with openssl?

[George Lind]

How do you generate a CRL with the openssl tool?
Thanks,
George

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: OpenSSL in an embedded environment

[Gregg Gibson]

My plan is to use OpenSSL to provide crypto for ucd-snmp (which uses des, 
md5, and sha) and ssl for a web server (using rsa, 3des, and sha or md5).  I 
will also use it for certificate generation.

I'm going to do some code and makefile editing to get rid of everything else 
I can, which I think includes bf, dh, dsa, hmac, idea,  md2, md4, mdc2, 
pkcs7, rc2, rc4, rc5, and ripemd.

Does that sound reasonable?


From: Dr S N Henson Subject: Re: OpenSSL in embedded environment Date: Sat, 
28 Apr 2001 13:45:09 -0700

You may well have some 'fiddling' to substantially reduce the size of 
OpenSSL. It all depends on what you want to use it for and what support you 
need.

For example if you don't need PKCS#12 support you can delete everything in 
crypto/pkcs12.

Then the fiddling starts because it probably wont compile any more and 
you'll have to edit makefiles and source files that reference PKCS#12 code.

If you're just doing crypto without SSL or any ASN1 support you can 
probably delete almost everything.

Steve.
--
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] Senior crypto engineer, 
Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
__




  - Original Message -
  From: Gregg Gibson [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Monday, April 30, 2001 8:59 AM
  Subject: Resending: OpenSSL in an embedded environment
 
 
   I apoligize for sending this question again.  The email account I was
  using
   has proved to be too unreliable, so I have switched to a different
  account.
  
   Has anyone had any experience with OpenSSL in an embedded environment?
I'm
   trying to trim libcrypto.a and libssl.a down to a reasonable size for 
an
   embedded project. I've turned off all but the few ciphers that I need,
and
   that only trimmed off about 200kB. (The ciphers that I kept are des,
rsa,
   md5, and sha.) I'd like to get both of those libraries to be much
smaller.
   Any suggestions?
  

_
Get your FREE download of MSN Explorer at http://explorer.msn.com

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: how to create CRL with openssl?

[RONDAN]

On Fri, 4 May 2001 08:32:26 -0400 
George Lind [EMAIL PROTECTED] wrote:

 How do you generate a CRL with the openssl tool?
 Thanks,
 George
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
 

 

$BO@CL!!!&!!#R#O#N#D#A#N(B   

$B%[!<%`%Z!<%8!!!'(Bhttp://www.rondan.co.jp
$BEE;R%a!<%k!'([EMAIL PROTECTED]



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: OpenSSL in an embedded environment

[RONDAN]

On Fri, 04 May 2001 08:52:13 -0400
"Gregg Gibson" [EMAIL PROTECTED] wrote:

 My plan is to use OpenSSL to provide crypto for ucd-snmp (which uses des, 
 md5, and sha) and ssl for a web server (using rsa, 3des, and sha or md5).  I 
 will also use it for certificate generation.
 
 I'm going to do some code and makefile editing to get rid of everything else 
 I can, which I think includes bf, dh, dsa, hmac, idea,  md2, md4, mdc2, 
 pkcs7, rc2, rc4, rc5, and ripemd.
 
 Does that sound reasonable?
 
 
 From: Dr S N Henson Subject: Re: OpenSSL in embedded environment Date: Sat, 
 28 Apr 2001 13:45:09 -0700
 
 You may well have some 'fiddling' to substantially reduce the size of 
 OpenSSL. It all depends on what you want to use it for and what support you 
 need.
 
 For example if you don't need PKCS#12 support you can delete everything in 
 crypto/pkcs12.
 
 Then the fiddling starts because it probably wont compile any more and 
 you'll have to edit makefiles and source files that reference PKCS#12 code.
 
 If you're just doing crypto without SSL or any ASN1 support you can 
 probably delete almost everything.
 
 Steve.
 --
 Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
 Personal Email: [EMAIL PROTECTED] Senior crypto engineer, 
 Celo Communications: http://www.celocom.com/
 Core developer of the   OpenSSL project: http://www.openssl.org/
 Business Email: [EMAIL PROTECTED] PGP key: via homepage.
 __
 
 
 
 
   - Original Message -
   From: "Gregg Gibson" [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Monday, April 30, 2001 8:59 AM
   Subject: Resending: OpenSSL in an embedded environment
  
  
I apoligize for sending this question again.  The email account I was
   using
has proved to be too unreliable, so I have switched to a different
   account.
   
Has anyone had any experience with OpenSSL in an embedded environment?
 I'm
trying to trim libcrypto.a and libssl.a down to a reasonable size for 
 an
embedded project. I've turned off all but the few ciphers that I need,
 and
that only trimmed off about 200kB. (The ciphers that I kept are des,
 rsa,
md5, and sha.) I'd like to get both of those libraries to be much
 smaller.
Any suggestions?
   
 
 _
 Get your FREE download of MSN Explorer at http://explorer.msn.com
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
 

 

$BO@CL!!!&!!#R#O#N#D#A#N(B   

$B%[!<%`%Z!<%8!!!'(Bhttp://www.rondan.co.jp
$BEE;R%a!<%k!'([EMAIL PROTECTED]



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: how to create CRL with openssl?

[RONDAN]

On Fri, 04 May 2001 21:55:21 +0900
RONDAN [EMAIL PROTECTED] wrote:

 
 On Fri, 4 May 2001 08:32:26 -0400 
 George Lind [EMAIL PROTECTED] wrote:
 
  How do you generate a CRL with the openssl tool?
  Thanks,
  George
  
  __
  OpenSSL Project http://www.openssl.org
  User Support Mailing List[EMAIL PROTECTED]
  Automated List Manager   [EMAIL PROTECTED]
  
 
  
 
 $BO@CL!!!&!!#R#O#N#D#A#N(B   
 
 $B%[!<%`%Z!<%8!!!'(Bhttp://www.rondan.co.jp
 $BEE;R%a!<%k!'([EMAIL PROTECTED]
 
 
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
 

 

$BO@CL!!!&!!#R#O#N#D#A#N(B   

$B%[!<%`%Z!<%8!!!'(Bhttp://www.rondan.co.jp
$BEE;R%a!<%k!'([EMAIL PROTECTED]



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: newbie question : Verification callback (SSL_CTX_set_verify, SSL_set_verify)

[RONDAN]

On Fri, 4 May 2001 14:56:33 +0200
"Robin Gorris" [EMAIL PROTECTED] wrote:

 Hi,
 
 I have some questions on the verification callback function. By the way, I'm
 using the SSL_VERIFY_PEER mode.
 
  1. Is it best practice to put all the certificate checks in this callback
 function?
  2. Is it so that the number of times this function is called is equal to
 the verification depth used?
  3. If so, how do I get to know the verification depth at runtime? I'll be
 more specific on this : if I wanted to add an extra check only for the last
 certificate in the chain (that of the client), how would I do this?
 
 Hope my questions make sense.
 
   Anyways, much thanx in advance,
   Robin
 
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
 

 

$BO@CL!!!&!!#R#O#N#D#A#N(B   

$B%[!<%`%Z!<%8!!!'(Bhttp://www.rondan.co.jp
$BEE;R%a!<%k!'([EMAIL PROTECTED]



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: how to create CRL with openssl?

[pawel . krupinski]

Title: RE: how to create CRL with openssl?





Hi,
 Very simply :
  openssl ca -gencrl -config config_file -out out_file
 Then if You want to change format to DER
  openssl crl -in in_file -outform DER -out out_file
 To first command You can add information about next update if You don't want to use information from OpenSSL config file.

Regards,


Pawel


-Original Message-
From: George Lind [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 04, 2001 1:32 PM
To: '[EMAIL PROTECTED]'
Subject: how to create CRL with openssl?



How do you generate a CRL with the openssl tool?
Thanks,
George


__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

Re: OpenSSL in an embedded environment

[Andreas Back]

I am also thinking about to port openssl to an embedded system and noticed the 
the discussion. 
What sizes have you come down to ? and does your embeded system have filestorage ? 
fopen() or is the certificates 
stored in char []?

The core question is what i takes to port it to an embeded system.

Best Regards

Andreas Bäck



 [EMAIL PROTECTED] 05/04/01 03:58PM 

On Fri, 04 May 2001 08:52:13 -0400
Gregg Gibson [EMAIL PROTECTED] wrote:

 My plan is to use OpenSSL to provide crypto for ucd-snmp (which uses des, 
 md5, and sha) and ssl for a web server (using rsa, 3des, and sha or md5).  I 
 will also use it for certificate generation.
 
 I'm going to do some code and makefile editing to get rid of everything else 
 I can, which I think includes bf, dh, dsa, hmac, idea,  md2, md4, mdc2, 
 pkcs7, rc2, rc4, rc5, and ripemd.
 
 Does that sound reasonable?
 
 
 From: Dr S N Henson Subject: Re: OpenSSL in embedded environment Date: Sat, 
 28 Apr 2001 13:45:09 -0700
 
 You may well have some 'fiddling' to substantially reduce the size of 
 OpenSSL. It all depends on what you want to use it for and what support you 
 need.
 
 For example if you don't need PKCS#12 support you can delete everything in 
 crypto/pkcs12.
 
 Then the fiddling starts because it probably wont compile any more and 
 you'll have to edit makefiles and source files that reference PKCS#12 code.
 
 If you're just doing crypto without SSL or any ASN1 support you can 
 probably delete almost everything.
 
 Steve.
 --
 Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/ 
 Personal Email: [EMAIL PROTECTED] Senior crypto engineer, 
 Celo Communications: http://www.celocom.com/ 
 Core developer of the   OpenSSL project: http://www.openssl.org/ 
 Business Email: [EMAIL PROTECTED] PGP key: via homepage.
 __
 
 
 
 
   - Original Message -
   From: Gregg Gibson [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Monday, April 30, 2001 8:59 AM
   Subject: Resending: OpenSSL in an embedded environment
  
  
I apoligize for sending this question again.  The email account I was
   using
has proved to be too unreliable, so I have switched to a different
   account.
   
Has anyone had any experience with OpenSSL in an embedded environment?
 I'm
trying to trim libcrypto.a and libssl.a down to a reasonable size for 
 an
embedded project. I've turned off all but the few ciphers that I need,
 and
that only trimmed off about 200kB. (The ciphers that I kept are des,
 rsa,
md5, and sha.) I'd like to get both of those libraries to be much
 smaller.
Any suggestions?
   
 
 _
 Get your FREE download of MSN Explorer at http://explorer.msn.com 
 
 __
 OpenSSL Project http://www.openssl.org 
 User Support Mailing List[EMAIL PROTECTED] 
 Automated List Manager   [EMAIL PROTECTED] 
 

 



http://www.rondan.co.jp 
[EMAIL PROTECTED] 



__
OpenSSL Project http://www.openssl.org 
User Support Mailing List[EMAIL PROTECTED] 
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: OpenSSL in an embedded environment

[RONDAN]

On Fri, 04 May 2001 21:58:44 +0900
RONDAN [EMAIL PROTECTED] wrote:

 
 On Fri, 04 May 2001 08:52:13 -0400
 "Gregg Gibson" [EMAIL PROTECTED] wrote:
 
  My plan is to use OpenSSL to provide crypto for ucd-snmp (which uses des, 
  md5, and sha) and ssl for a web server (using rsa, 3des, and sha or md5).  I 
  will also use it for certificate generation.
  
  I'm going to do some code and makefile editing to get rid of everything else 
  I can, which I think includes bf, dh, dsa, hmac, idea,  md2, md4, mdc2, 
  pkcs7, rc2, rc4, rc5, and ripemd.
  
  Does that sound reasonable?
  
  
  From: Dr S N Henson Subject: Re: OpenSSL in embedded environment Date: Sat, 
  28 Apr 2001 13:45:09 -0700
  
  You may well have some 'fiddling' to substantially reduce the size of 
  OpenSSL. It all depends on what you want to use it for and what support you 
  need.
  
  For example if you don't need PKCS#12 support you can delete everything in 
  crypto/pkcs12.
  
  Then the fiddling starts because it probably wont compile any more and 
  you'll have to edit makefiles and source files that reference PKCS#12 code.
  
  If you're just doing crypto without SSL or any ASN1 support you can 
  probably delete almost everything.
  
  Steve.
  --
  Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
  Personal Email: [EMAIL PROTECTED] Senior crypto engineer, 
  Celo Communications: http://www.celocom.com/
  Core developer of the   OpenSSL project: http://www.openssl.org/
  Business Email: [EMAIL PROTECTED] PGP key: via homepage.
  __
  
  
  
  
- Original Message -
From: "Gregg Gibson" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, April 30, 2001 8:59 AM
Subject: Resending: OpenSSL in an embedded environment
   
   
 I apoligize for sending this question again.  The email account I was
using
 has proved to be too unreliable, so I have switched to a different
account.

 Has anyone had any experience with OpenSSL in an embedded environment?
  I'm
 trying to trim libcrypto.a and libssl.a down to a reasonable size for 
  an
 embedded project. I've turned off all but the few ciphers that I need,
  and
 that only trimmed off about 200kB. (The ciphers that I kept are des,
  rsa,
 md5, and sha.) I'd like to get both of those libraries to be much
  smaller.
 Any suggestions?

  
  _
  Get your FREE download of MSN Explorer at http://explorer.msn.com
  
  __
  OpenSSL Project http://www.openssl.org
  User Support Mailing List[EMAIL PROTECTED]
  Automated List Manager   [EMAIL PROTECTED]
  
 
  
 
 $BO@CL!!!&!!#R#O#N#D#A#N(B   
 
 $B%[!<%`%Z!<%8!!!'(Bhttp://www.rondan.co.jp
 $BEE;R%a!<%k!'([EMAIL PROTECTED]
 
 
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
 

 

$BO@CL!!!&!!#R#O#N#D#A#N(B   

$B%[!<%`%Z!<%8!!!'(Bhttp://www.rondan.co.jp
$BEE;R%a!<%k!'([EMAIL PROTECTED]



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

How I can create a Cert STORE

[Antonio Ruiz Martínez]

Hello!

Like I say in the subject

How I can create a Cert Store?

Thanks in advance,
Regards,
Antonio.

--
--
Antonio Ruiz Martínez
Facultad de Informática-Universidad de Murcia
30001 Murcia - España (Spain)
Telf: +34-968-364644 e-mail: [EMAIL PROTECTED]
--


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: OpenSSL in an embedded environment

[Dilkie, Lee]

I have (possibly) a similar problem. But just for the sake of completeness, is anyone 
aware of a port to VxWorks? If I could hook up with the poor sod that's been through 
this before that would probably save my hair at least.

-lee
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

test vectors

[Frédéric Viollet]

Hello,

Could someone tell me where I could find some test 
vectors for a DES in CBC mode?

Thank you.

Info on keyEncipherment, dataEncipherment, keyUsage, keyAgreement

[Ravi Prakash B.V.]

Hi,

I am newbie to this group. I want to know more about keyEncipherment,
dataEncipherment, keyUsage, keyAgreement.

Can you please point to any documents or proper link to know the exact
definitions and usage.

Thanks in Advance.
Ravi

-- 
A man without a woman is like a statue without pigeons.

begin:vcard 
n:Venkata Ravi Prakash;Burlagadda
tel;home:08644 26681
tel;work:040 7814515/17/19 extn:387
x-mozilla-html:FALSE
org:Tata Consultancy Services;Advanced Technology Centre
version:2.1
email;internet:[EMAIL PROTECTED]
title:ASE
adr;quoted-printable:;;1-2-10, Coramandel House,=0D=0ASardar Patel Road;Secunderabad;AP;53;India
x-mozilla-cpt:;20384
fn:Burlagadda Venkata Ravi Prakash
end:vcard

Re: newbie question : Verification callback (SSL_CTX_set_verify, SSL_set_verify)

[Lutz Jaenicke]

On Fri, May 04, 2001 at 02:56:33PM +0200, Robin Gorris wrote:
 I have some questions on the verification callback function. By the way, I'm
 using the SSL_VERIFY_PEER mode.
 
  1. Is it best practice to put all the certificate checks in this callback
 function?
Yes, I would recommend doing so, as by the return value of the verification
callback you can decide whether you want to continue the handshake or
stop with a corresponding alert.

  2. Is it so that the number of times this function is called is equal to
 the verification depth used?
Yes and no.
Yes: If no error is encountered, the callback is called once for
each level with preverify_ok = 1, so that the callback has the last
word for each level.
No: If errors are encounterd, the verify callback is called
for each error found.

  3. If so, how do I get to know the verification depth at runtime? I'll be
 more specific on this : if I wanted to add an extra check only for the last
 certificate in the chain (that of the client), how would I do this?
The check is performed starting with the root CA, which has the highest
level count. The check is finished for the server (or client) certificate
at level 0.
My email server's certificate (serv01) was issued by our universities CA
(BTU CA), which was issued by the german research network's root CA
(DFN-PCA). The extended logs of a connection from Postfix/TLS look
like this:
...
May  4 15:51:15 ws01 postfix/smtp[22785]: Peer cert verify depth=2 /C=DE/O=Deutsches 
Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification 
[EMAIL PROTECTED]
May  4 15:51:15 ws01 postfix/smtp[22785]: verify return:1
May  4 15:51:16 ws01 postfix/smtp[22785]: Peer cert verify depth=1 
/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet 
[EMAIL PROTECTED]
May  4 15:51:16 ws01 postfix/smtp[22785]: verify return:1
May  4 15:51:16 ws01 postfix/smtp[22785]: Peer cert verify depth=0 
/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet 
Cottbus/OU=Allgemeine Elektrotechnik und Numerische 
[EMAIL PROTECTED]
May  4 15:51:16 ws01 postfix/smtp[22785]: verify return:1
...
Therefore you have to make the last check, when level 0 is reached (and
preverify_ok = 1).

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

3DES implementation in openssl

[ivarghis]

Hi

I have got a doubt regarding the 3DES-CBC implementation in openssl. Is it
implementing OUTER CBC or INNER CBC mode.

Thanks and Regards
Ivan


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Embedded SSL and randomness

[Lee Webber]

At 04:10 PM 5/4/01 +0300, Andreas Bäck wrote:

The core question is what [it] takes to port it to an embeded system.

FWIW: my number one worry about porting SSL to an embedded system is where
I get my entropy.  Because my company sells embedded OS's to end
developers, I need a general solution if possible.

So where does the randomness come from on startup?  No users, no mouse or
keyboard input, no unpredictable thread activity...  I can get a little
randomness from clock skew, if I'm willing to wait forever to gather it.  I
can get some more from arrival of network packets -- except that by the
time network packets start arriving I'd better already be seeded.

That leaves two possibilities, external sources (including unused sound
cards) and the Intel 81x chipset.  Both of these have the drawback that no
one solution is always available.

Finally, I can start the system out insecure, have it train up to
sufficient entropy, and then store the entropy for future use.

The above is all I've been able to find on the Internet.  Have I missed
anything?


**
This email, and any files transmitted with it, are confidential
and intended solely for the use of the individual or entity to
whom they are addressed. If you have received this email
in error please advise [EMAIL PROTECTED]
**
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Embedded SSL and randomness

[Vadim Fedukovich]

Lee,

unpredictable random numbers required for ssl client to set
pre-master secret, client key exchange message, rsa mode.
One can run a reverse solution with SSL client on a web server.
Unfortunately this breaks HTTPS. However, you still have
a secure solution and a CA in business :)

would this fit your environment? gather initial entropy step?
please be cautious and think twice before actually going this route.

-vf

On Fri, 4 May 2001, Lee Webber wrote:

 At 04:10 PM 5/4/01 +0300, Andreas Bäck wrote:

 The core question is what [it] takes to port it to an embeded system.

 FWIW: my number one worry about porting SSL to an embedded system is where
 I get my entropy.  Because my company sells embedded OS's to end
 developers, I need a general solution if possible.

 So where does the randomness come from on startup?  No users, no mouse or
 keyboard input, no unpredictable thread activity...  I can get a little
 randomness from clock skew, if I'm willing to wait forever to gather it.  I
 can get some more from arrival of network packets -- except that by the
 time network packets start arriving I'd better already be seeded.

 That leaves two possibilities, external sources (including unused sound
 cards) and the Intel 81x chipset.  Both of these have the drawback that no
 one solution is always available.

 Finally, I can start the system out insecure, have it train up to
 sufficient entropy, and then store the entropy for future use.

 The above is all I've been able to find on the Internet.  Have I missed
 anything?


 **
 This email, and any files transmitted with it, are confidential
 and intended solely for the use of the individual or entity to
 whom they are addressed. If you have received this email
 in error please advise [EMAIL PROTECTED]
 **
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: test vectors

[Erwann ABALEA]

On Fri, 4 May 2001, Frédéric Viollet wrote:

  Hello,

 Could someone tell me where I could find some test vectors for a DES in CBC mode?

You could have looked for DES test vectors in a good web search engine,
such as Google. The second result gives you the URL:
http://csrc/nist.gov/cryptval/#46-2

The last one on the first page is also interesting:
http://grifter.hektik.org/Crypto/DESCRYPT.TXT
It was posted 11 years ago.

-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
-
Time never started at all.  Chaos never died.  The Empire was
never founded.  We are not now  never have been slaves to the
past or hostages to the future. -Hakim Bey, /T.A.Z./

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Embedded SSL and randomness

[Dilkie, Lee]

It is critical to get the initial seed with as much entropy as possible and because 
you are the OS vendor I don't believe you can do it yourself. I think it's up to the 
end users to provide the seed. In the case of small embedded systems, it's a design 
issue, to provide the required level of security it may be necessary for the 
manufacturer to provide an initial random number in NV storage to each device. If the 
manufacture wants to provide rng h/w, all the better for a seed.

-another lee

-Original Message-
From: Vadim Fedukovich [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 04, 2001 10:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Embedded SSL and randomness


Lee,

unpredictable random numbers required for ssl client to set
pre-master secret, client key exchange message, rsa mode.
One can run a reverse solution with SSL client on a web server.
Unfortunately this breaks HTTPS. However, you still have
a secure solution and a CA in business :)

would this fit your environment? gather initial entropy step?
please be cautious and think twice before actually going this route.

-vf

On Fri, 4 May 2001, Lee Webber wrote:

 At 04:10 PM 5/4/01 +0300, Andreas Bäck wrote:

 The core question is what [it] takes to port it to an embeded system.

 FWIW: my number one worry about porting SSL to an embedded system is where
 I get my entropy.  Because my company sells embedded OS's to end
 developers, I need a general solution if possible.

 So where does the randomness come from on startup?  No users, no mouse or
 keyboard input, no unpredictable thread activity...  I can get a little
 randomness from clock skew, if I'm willing to wait forever to gather it.  I
 can get some more from arrival of network packets -- except that by the
 time network packets start arriving I'd better already be seeded.

 That leaves two possibilities, external sources (including unused sound
 cards) and the Intel 81x chipset.  Both of these have the drawback that no
 one solution is always available.

 Finally, I can start the system out insecure, have it train up to
 sufficient entropy, and then store the entropy for future use.

 The above is all I've been able to find on the Internet.  Have I missed
 anything?


 **
 This email, and any files transmitted with it, are confidential
 and intended solely for the use of the individual or entity to
 whom they are addressed. If you have received this email
 in error please advise [EMAIL PROTECTED]
 **
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: test vectors

[Frédéric Viollet]

- Original Message -
From: Erwann ABALEA [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 04, 2001 5:10 PM
Subject: Re: test vectors


 Could someone tell me where I could find some test vectors for a DES in
CBC mode?

The last one on the first page is also interesting:
http://grifter.hektik.org/Crypto/DESCRYPT.TXT
It was posted 11 years ago.

They don't talk about any initial vector. Does this mean that the IV is set
to 00h ?

Thanks

[EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Embedded SSL and randomness

[Vadim Fedukovich]

On Fri, 4 May 2001, Dilkie, Lee wrote:

 It is critical to get the initial seed with as much entropy as possible

yes, it's traditional way to keep openssl' PRNG happy.
However, a random inside server hello is sent in clear
and it may be appropriate to use low-quality clock-based source here.
One can outsource SSL client role out of embedded system
to let the other party generate premaster secret.

-vf


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: How I can create a Cert STORE

[Rabellino Sergio]

Antonio Ruiz Martínez wrote:
 
 Hello!
 
 Like I say in the subject
 
 How I can create a Cert Store?
 
 Thanks in advance,
 Regards,
 Antonio.
Are you thinking about the Java Keystore (and certs... also)?
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: How I can create a Cert STORE

[Antonio Ruiz Martínez]

Rabellino Sergio wrote:

 Antonio Ruiz Martínez wrote:
 
  Hello!
 
  Like I say in the subject
 
  How I can create a Cert Store?
 
  Thanks in advance,
  Regards,
  Antonio.
 Are you thinking about the Java Keystore (and certs... also)?

No, I'm thinking about the X509_STORE_CTX of OpenSSL


 --
 Dott. Sergio Rabellino

  Technical Staff
  Department of Computer Science
  University of Torino (Italy)
  Member of the Internet Society

 http://www.di.unito.it/~rabser
 Tel. +39-0116706701
 Fax. +39-011751603
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]

--
--
Antonio Ruiz Martínez
Facultad de Informática-Universidad de Murcia
30001 Murcia - España (Spain)
Telf: +34-968-364644 e-mail: [EMAIL PROTECTED]
--


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: newbie question : Verification callback (SSL_CTX_set_verify, SSL_set_verify)

[Robin Gorris]

Thanx for your reply. But about question 3. : which API returns Peer cert
verify depth=2? Which function returns the depth or where can I find it?

 Once more TIA,
 Robin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Lutz Jaenicke
Sent: vrijdag 4 mei 2001 15:59
To: [EMAIL PROTECTED]
Subject: Re: newbie question : Verification callback
(SSL_CTX_set_verify, SSL_set_verify)


On Fri, May 04, 2001 at 02:56:33PM +0200, Robin Gorris wrote:
 I have some questions on the verification callback function. By the way,
I'm
 using the SSL_VERIFY_PEER mode.

  1. Is it best practice to put all the certificate checks in this callback
 function?
Yes, I would recommend doing so, as by the return value of the verification
callback you can decide whether you want to continue the handshake or
stop with a corresponding alert.

  2. Is it so that the number of times this function is called is equal to
 the verification depth used?
Yes and no.
Yes: If no error is encountered, the callback is called once for
each level with preverify_ok = 1, so that the callback has the last
word for each level.
No: If errors are encounterd, the verify callback is called
for each error found.

  3. If so, how do I get to know the verification depth at runtime? I'll be
 more specific on this : if I wanted to add an extra check only for the
last
 certificate in the chain (that of the client), how would I do this?
The check is performed starting with the root CA, which has the highest
level count. The check is finished for the server (or client) certificate
at level 0.
My email server's certificate (serv01) was issued by our universities CA
(BTU CA), which was issued by the german research network's root CA
(DFN-PCA). The extended logs of a connection from Postfix/TLS look
like this:
...
May  4 15:51:15 ws01 postfix/smtp[22785]: Peer cert verify depth=2
/C=DE/O=Deutsches Forschungsnetz/OU=DFN-PCA/CN=DFN Top Level Certification
[EMAIL PROTECTED]
May  4 15:51:15 ws01 postfix/smtp[22785]: verify return:1
May  4 15:51:16 ws01 postfix/smtp[22785]: Peer cert verify depth=1
/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet
[EMAIL PROTECTED]
May  4 15:51:16 ws01 postfix/smtp[22785]: verify return:1
May  4 15:51:16 ws01 postfix/smtp[22785]: Peer cert verify depth=0
/C=DE/ST=Brandenburg/L=Cottbus/O=Brandenburgische Technische Universitaet
Cottbus/OU=Allgemeine Elektrotechnik und Numerische
[EMAIL PROTECTED]
e
May  4 15:51:16 ws01 postfix/smtp[22785]: verify return:1
...
Therefore you have to make the last check, when level 0 is reached (and
preverify_ok = 1).

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: How I can create a Cert STORE

[Rabellino Sergio]

Antonio Ruiz Martínez wrote:
 
 Rabellino Sergio wrote:
 
  Antonio Ruiz Martínez wrote:
  
   Hello!
  
   Like I say in the subject
  
   How I can create a Cert Store?
  
   Thanks in advance,
   Regards,
   Antonio.
  Are you thinking about the Java Keystore (and certs... also)?
 
 No, I'm thinking about the X509_STORE_CTX of OpenSSL
 
I use the X509_STORE_CTX  __only__ in the verify_callback function
(merely copied from the apps dir of openssl...)

Maybe others in the list are more skilled about it.
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

session manager

[Rob D]

Hi,
   Iam a newbie to openssl, trying to implement a
single threaded server and client. Does openssl come
with a default session manager? if not is there any
known implementation of session manager? My
requirement is to re use the session id's up to a
configurable time limit, ex: 10minutes.

Thanks,
Rob

__
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]