pop3+ssl
Hi,

I tried to install a pop3 server with ssl connection. I have done the following:

- I installed Openssl 0.9.6
- I generated the certificate request
- chmod 600 key.pem
- I sent the file req.pem to my CA and it sent the certificate back to me
- I created the file (using an editor) /usr/local/ssl/certs/stunnel.pem, which contains the server certificate.
- chmod 600 stunnel.pem

    stunnel -d 993 -p /usr/local/ssl/certs/stunnel.pem -r localhost:imap
    stunnel -d 995 -p /usr/local/ssl/certs/stunnel.pem -r localhost:pop

Now... what do I do to get pop3+ssl working? Where am I wrong?

Thanks,
Gazi Altafin
Re: [UPDATE] building v0.9.6b on MacOS X
Thanks for the patch, I've added it to my collection to be applied.

--
Richard Levitte
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: OpenSSL and IIS4
IIS4 can use 1024 RSA keys. We have several machines that are doing this already.

- John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind

-----Original Message-----
From: haikel [mailto:[EMAIL PROTECTED]]
Sent: 19 July 2001 10:06
To: [EMAIL PROTECTED]
Subject: Re: OpenSSL and IIS4

Slamou alycom,

Verify that IIS 4 uses keys with length higher than 512 bits; if not, upgrade your version of IIS.

Haikel MEJRI

David wrote:

> Hey,
> I am trying to set up https on IIS4 by using OpenSSL. I followed these steps:
>
> 1. Create private key
>        openssl genrsa -des3 > holly.pem
> 2. Generate a CSR from your key
>        openssl req -new -key holly.pem > holly.csr
> 3. Generate a self-signed certificate
>        openssl req -x509 -key holly.pem -in holly.csr > holly.crt
> 4. From IIS4 key Manager select import key file: holly.pem and cert file: holly.crt.
>
> I got error: wrong password. I am sure that I use exactly the same password, so what is the real problem? Does anyone have this experience?
>
> Thanks
PKCS#11 support for OpenSSL
Hi all,

Anyone came across a requirement for a PKCS#11 support for Open SSL? Appreciate your comments...

Ari
SSL_get_rfd() SSL_get_wfd()
The SSL_get_fd man page makes reference to two other functions, SSL_get_rfd() and SSL_get_wfd(). However, there is no trace of them in the source files. Do these functions still exist, or is the man page erroneous?

Regards
Jason
Re: SSL_get_rfd() SSL_get_wfd()
On Thu, Jul 19, 2001 at 02:07:26PM +0200, Jason Armstrong wrote:
> The SSL_get_fd man page makes reference to two other functions,
> SSL_get_rfd() and SSL_get_wfd(). However, there is no trace of them in
> the source files. Do these functions still exist, or is the man page
> erroneous?

Yes and no :-)

When I wrote the manual page, I copied the sequence with SSL_set_rfd() and SSL_set_wfd() to the corresponding get functions without actually checking for their existence. This has already been noted several days ago and was immediately corrected for the next release. At that time the functions will be there :-)

Best regards,
Lutz
--
Lutz Jaenicke, BTU Cottbus
how to determine the cached connection
hi!

is it possible to determine between cached and non-cached SSL connection on the server side after the handshake is complete?

arne
Re: how to determine the cached connection
On Thu, Jul 19, 2001 at 07:14:42PM +0200, Arne Ansper wrote:
> is it possible to determine between cached and non-cached SSL connection
> on the server side after the handshake is complete?

The (not yet documented) SSL_session_reused() macro should perform this. If it returns 0, a new session was negotiated, if it returns 1, an old session was successfully reused.

Best regards,
Lutz
--
Lutz Jaenicke, BTU Cottbus
No Subject
I am in the process of porting OpenSSL to our platform that does not support Unix sockets and does not have a /dev/urandom entropy device. I am able to get the prngd daemon (to generate random numbers) to run on the localhost at a desired port, but don't know how to interface this with the OpenSSL functions that look for an egd socket in /var/run/egd-pool or /dev/egd-pool.

Does anyone have an idea?

Thanks
Mani
CRT format certificate
Hi,

I went to the VeriSign site to get a trial certificate. They gave me a .crt certificate file. When I use that file as an input to the function SSL_CTX_use_certificate_file, what type should I give as the third parameter? I gave SSL_FILETYPE_PEM, but it does not work.

Any hints...

-- nilesh
Re: message signing
On Thu, 19 Jul 2001, Judy Trent wrote:

| Hi,
|
| This might seem like a very basic question but I'm wondering if openSSL does
| message signing/message verification. If it does, does anyone know where I
| can find some documentation?
|

You may want to look into smime program, try man smime.

Regards,
Re: your mail
On Thu, Jul 19, 2001 at 01:38:17PM -0400, Sundaram, Mani wrote:
> I am in the process of porting OpenSSL to our platform that does not
> support Unix sockets and does not have a /dev/urandom entropy device. I am
> able to get the prngd daemon (to generate random numbers) to run on the
> localhost at a desired port, but don't know how to interface this with the
> OpenSSL functions that look for an egd socket in /var/run/egd-pool or
> /dev/egd-pool. Does anyone have an idea?

Hmm. The difference should not be that large. In general, crypto/rand/rand_egd.c uses

    struct sockaddr_un addr;
    ...
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof(addr.sun_path))
        return (-1);
    strcpy(addr.sun_path,path);
    len = offsetof(struct sockaddr_un, sun_path) + strlen(path);
    fd = socket(AF_UNIX, SOCK_STREAM, 0);

to setup things. The thing needed would be something like

    struct sockaddr_in sockin;

    memset(&sockin, 0, sizeof(sockin));
    sockin.sin_family = AF_INET;
    sockin.sin_port = htons(port);
    sockin.sin_addr.s_addr = inet_addr("127.0.0.1");
    len = sizeof(sockin);
    fd = socket(AF_INET, SOCK_STREAM, 0);
    ...

So actually the change/extension to OpenSSL would be really small... With a syntax like "tcp/localhost:port" one could even keep the API unchanged...

Thinking about it, waiting for input...
Lutz
--
Lutz Jaenicke, BTU Cottbus
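The "tcp/localhost:port" idea from the message above, worked through as an added example (not part of the original thread and not OpenSSL's code): a parser that tells a TCP spec from a Unix socket path, and the EGD non-blocking read request that would run over the resulting socket. The function names, the port 4840 and the socketpair standing in for a daemon are assumptions made for the example; the `sockaddr_in` the parser fills goes to `socket()`/`connect()` exactly as in the snippet above.

```c
/* Added example, not OpenSSL code. "tcp/host:port" is the syntax floated in
 * the message above; the function names and port 4840 are made up here. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1: *out filled from "tcp/<ipv4|localhost>:<port>"; 0: not a tcp spec, the
 * caller keeps treating it as a Unix socket path; -1: malformed tcp spec. */
int egd_parse_tcp(const char *spec, struct sockaddr_in *out)
{
    char host[64], junk;
    unsigned int port;

    if (strncmp(spec, "tcp/", 4) != 0)
        return 0;
    if (sscanf(spec, "tcp/%63[^:]:%5u%c", host, &port, &junk) != 2
        || port < 1 || port > 65535)
        return -1;
    memset(out, 0, sizeof(*out));
    out->sin_family = AF_INET;
    out->sin_port = htons((unsigned short)port);
    if (strcmp(host, "localhost") == 0)
        strcpy(host, "127.0.0.1");
    return inet_pton(AF_INET, host, &out->sin_addr) == 1 ? 1 : -1;
}

/* EGD non-blocking read: send {0x01, n}; the reply is a count byte followed by
 * that many entropy bytes. Returns the number stored in buf, or -1. */
int egd_read(int fd, unsigned char *buf, int want)
{
    unsigned char req[2] = { 1, 0 }, got;
    ssize_t r;
    int n = 0;

    if (want < 1 || want > 255)
        return -1;
    req[1] = (unsigned char)want;
    /* A reply claiming more bytes than requested would overrun buf. */
    if (write(fd, req, 2) != 2 || read(fd, &got, 1) != 1 || got > want)
        return -1;
    for (; n < got; n += (int)r)
        if ((r = read(fd, buf + n, (size_t)(got - n))) <= 0)
            return -1;
    return n;
}

/* Constructed stand-in for a daemon: the far end of a socketpair already holds
 * a reply (count byte 4, then four bytes) to a request for 8. */
int demo_loopback(unsigned char *out)
{
    static const unsigned char reply[5] = { 4, 0xde, 0xad, 0xbe, 0xef };
    int sv[2], n = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if (write(sv[1], reply, sizeof(reply)) == (ssize_t)sizeof(reply))
        n = egd_read(sv[0], out, 8);
    close(sv[0]);
    close(sv[1]);
    return n;
}

int main(void)
{
    struct sockaddr_in in4 = { 0 };
    unsigned char buf[8];
    int kind = egd_parse_tcp("tcp/localhost:4840", &in4);
    int n = demo_loopback(buf);
    printf("kind=%d port=%d bytes=%d\n", kind, ntohs(in4.sin_port), n);
    return (kind == 1 && n == 4) ? 0 : 1;
}
```

A loopback TCP port has no filesystem permissions guarding it the way a Unix socket path does, so the daemon should listen on 127.0.0.1 only and the reply length check in `egd_read` should stay in place.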
PKCS7 routines question
I am writing a block of code to generate a PKCS7 signature (data detached) using OpenSSL. I've been using the crypto\pkcs7\sign.c as an example.

My question: Is it possible to generate a PKCS7 signature by specifying the signature, rather than using OpenSSL routines to digest and encrypt? I have a separate crypto library that generated the signature, and I want to use OpenSSL to package it in PKCS7.

Thanks,
Bryan
Looking for a Win64 port of open ssl code
Has any one ported it yet ?

Thanks
Asa
---
Asa Ben-Tzur, High Level Modeling Project Manager, Intel Corp.
Installation help
I'm trying to get ssl installed on a Solaris 2.5.1-Sparc. After reading the install instructions, I downloaded Perl 5.005 from Sunfreeware.com and installed using pkgadd. When I do ./config for ssl, it still says "You need Perl 5". If I do a pkginfo, it does list LWperl. Am I missing something?

Dan Tesch
Chicago, IL
Question on remote server certificate verification
Hi, all.

To test my sample SSL client program, I created two different CA files from two different linux machines. One from the SSL server machine (with the CA.pl -newca command) - the right one, and another one from the different machine (with the same CA.pl -newca command) - the false one for the testing.

My purpose was to load these two different CA files into the remote client program to see if the client code can determine there's an error during the handshake when I ran the client code with the false one. I used the following two methods to verify the error:

    if (!SSL_CTX_load_verify_locations(ctx,"cacert.pem",".")) {
        printf("Error, no verification for CA!\n");
        exit(5);
    }
    if (!SSL_CTX_set_options(ctx,SSL_VERIFY_PEER)) {
        printf("Error. CERT Error!\n");
        exit(6);
    }

But surprisingly this client code worked fine with either CA file - whether it is the right one or the false one. :(

Okay, so I tried a different approach. Instead, I used the following command and tested again (the my_callback function used in SSL_CTX_set_verify is just my own callback function that prints out an error message):

    if (!SSL_CTX_load_verify_locations(ctx,"cacert.pem",".")) {
        printf("Error, no verification for CA!\n");
        exit(5);
    }
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER,my_callback);
    printf("Error. CERT Error!\n");
    exit(6);
    }

At this time? Both of the CA files caused a call to the 'my_callback' function, which shouldn't be called with the right CA file. And the error message was 'selfsigned certificate'. Both of the CA files are causing the same result!

Now it's very puzzling to me. What did I miss here? I created the CA files with the 'CA.pl -newca' command and didn't do any other thing.

I'd very much appreciate it if you could help me on this. Thanks in advance.

/Best Regards,
Sejin.
Trying to install it on Mac OS X
Hi there

How can I install OpenSSL on Mac OS X ?
Running config it tells it does not recognize the system ?
Re: Trying to install it on Mac OS X
> Hi there
> How can I install OpenSSL on Mac OS X ?
> Running config it tells it does not recognize the system ?

go here for some hints:
http://www.macosxhints.com/search.php?query=opensslmode=searchdatestart=0dateend=0topic=0type=storiesautho=0
Re: PKCS7 routines question
Bryan Parker wrote:
> I am writing a block of code to generate a PKCS7 signature (data detached)
> using OpenSSL. I've been using the crypto\pkcs7\sign.c as an example.
>
> My question: Is it possible to generate a PKCS7 signature by specifying
> the signature, rather than using OpenSSL routines to digest and encrypt?
> I have a separate crypto library that generated the signature, and I want
> to use OpenSSL to package it in PKCS7.

crypto/pkcs7/sign.c is obsoleted by the new PKCS#7 API which you can see in apps/smime.c but no other documentation yet.

If you want to use alternative digest code then you can write your own EVP_MD digest structure which should be similar to the SHA1 code except it sends the data to your external library. Similarly the public key code can be handled by writing your own RSA_METHOD (and maybe ENGINE).

If you've got a signature precomputed then you can just fill in the PKCS7 structure with the relevant fields.

There are two forms of PKCS#7 signature. The simplest (and not much used now) is just the signed digest of the data. The most common is the signature of the digest of the DER encoding of a set of attributes which themselves include the digest of the message and additional data like the signing time and supported encryption algorithms.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
PEM_read_bio_PrivateKey
Hello

I have a problem. When I run this code ...

    //---
    BIO *bio = BIO_new_mem_buf(key, -1 );
    EVP_PKEY *pEvpPKey = PEM_read_bio_PrivateKey(bio, NULL, NULL, "wrong password");
    if (pEvpPKey == NULL)
    {
        unsigned long err = ERR_GET_REASON(ERR_get_error());
    }
    BIO_free(bio);
    //---

... where "wrong password" is really a wrong password, the reason of the error (variable err) is 100 = PEM_R_BAD_BASE64_DECODE. Why does the error have such a strange reason? When the password is correct, the error doesn't occur, so the PEM isn't corrupted.

Thanks for help,
Lukasz Jazgar
OpenSSL and IIS4 - problem
Now I am able to install the key generated by OpenSSL from IIS key manager by converting the format to IIS format. (Thanks Lisle and John) Then I did the following steps.

1. Add my ip (203.1.1.1) and port (443) to keymanager and save changes.
2. Select a virtual directory (download) and update properties with Select 'Require Secure Channel' and 'Do not accept certificates' option
3. Restart IIS.

Then when I try URL: http://203.76.4.111/download
Error: it tells me not authorized
*why? I did not select the require client cert option.

try another: https://203.76.4.111/download
Error: The page cannot be displayed
*why? I already added my ip and port to key manager.

I changed the option to 'Require Client Certificates' then tried the URL again. It still gives me the same error instead of popping up a require cert window. If I use this option, do I need to install the same cert into my browser in order to access my secure directory?

What am I doing wrong here?

Thanks.
David

David wrote:

> Hey,
> I am trying to set up https on IIS4 by using OpenSSL. I followed these steps:
>
> 1. Create private key
>        openssl genrsa -des3 > holly.pem
> 2. Generate a CSR from your key
>        openssl req -new -key holly.pem > holly.csr
> 3. Generate a self-signed certificate
>        openssl req -x509 -key holly.pem -in holly.csr > holly.crt
> 4. From IIS4 key Manager select import key file: holly.pem and cert file: holly.crt.
>
> I got error: wrong password. I am sure that I use exactly the same password, so what is the real problem? Does anyone have this experience?
>
> Thanks
a question about encrypt and decrypt using EVP interface
hi,

I used EVP interface to encrypt and decrypt, but after I encrypted, I couldn't decrypt it. Why? Any help is appreciated!

    void do_cipher(char *pw, int operation,char * InBuf,int InLen,char * OutBuf,int *OutBuflen)
    {
        //operation:0:DECRYPT
        //          1:ENCRYPT
        unsigned char iv[EVP_MAX_IV_LENGTH], key[EVP_MAX_KEY_LENGTH];
        /* unsigned int ekeylen, net_ekeylen; */
        EVP_CIPHER_CTX ectx;

        memcpy(iv, "12345678", 8);
        EVP_BytesToKey(EVP_idea_cbc(), EVP_md5(), salt, pw, strlen(pw), 1, key, iv);
        EVP_CipherInit(&ectx, EVP_idea_cbc(), key, iv, operation);
        EVP_CipherUpdate(&ectx, OutBuf, OutBuflen, InBuf, InLen);
        EVP_CipherFinal(&ectx, OutBuf, OutBuflen);
    }

    void main(void)
    {
        char InBuf[512],OutBuf[512+8],OutBuf2[512+8];
        int i,OutLen;

        for(i=0;i<8;i++) InBuf[i]=30+i;
        do_cipher("test",1,InBuf,8,OutBuf,&OutLen);   //OutLen=8
        do_cipher("test",0,OutBuf,8,OutBuf2,&OutLen); //but now OutLen=0
    }
error:1408F10B wrong version number
Hi all,

I am trying to communicate between a JSSE client (using Java) and an OpenSSL server (using C). I am facing this problem ...

On the OpenSSL server side I am getting this error:

    11961:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:290:

On the JSSE client side I am getting this error:

    java.net.SocketException: Socket closed

when we get the "wrong version number" error. Please suggest some way to fix that.

Thank you,
Prasad.