CRL error
Hi all,

I have generated an empty CRL, added a cert and signed the CRL using the following commands:

X509_CRL_new
sk_X509_REVOKED_push
X509_CRL_sign

Yet trying to output a text form with the openssl command line tool gives me the following error:

OpenSSL> crl -in signed_crl.pem -text
unable to load CRL
1360:error:0D084069:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:177:
1360:error:0D0A7004:asn1 encoding routines:d2i_X509_NAME:nested asn1 error:x_name.c:197:address=167878300 offset=2
1360:error:0D0A4004:asn1 encoding routines:d2i_X509_CRL_INFO:nested asn1 error:x_crl.c:167:address=167878283 offset=17
1360:error:0D0A3004:asn1 encoding routines:d2i_X509_CRL:nested asn1 error:x_crl.c:230:address=167878280 offset=3
1360:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290:
error in crl

I include the files
signed_crl.pem, the signed CRL containing one cert
cert.pem, the cert whose serial I added to the CRL
cacert.pem, the cert to use to verify the CRL with (public key corresponding to private key used to sign the CRL)

Any help is welcome, thanks in advance
Florian
RE: Socket hangs on SSL_read/SSL_write
Eric Rescorla wrote,
> The man page says:
  ^^^
Huh? Which platform? I'd be more impressed by POSIX chapter and verse, but even that's irrelevant because all it might or might not tell us is that many platforms aren't fully POSIX compliant.

> select() examines the I/O descriptor sets whose addresses are passed in readfds, writefds, and exceptfds to see if some of their descriptors are ready for reading, are ready for writing, or have an exceptional condition pending, respectively.
>
> won't block on read/write seems like a reasonable interpretation of ready for reading...

Maybe reasonable, but wrong.

Even if POSIX mandates the behaviour you're claiming, and even if we ignored the considerations David Schwartz raised, the most we could say is that the descriptor *was* readable/writable at the point at which it was examined by select. Any actual read/write occurs later, leaving a nice big window of opportunity for races (eg. another thread might consume all available input before the selecting thread gets a shot at it).

Cheers,

Miles

--
Miles Sabin, InterX
Internet Systems Architect
27 Great West Road, Middx, TW8 9AS, UK
+44 (0)20 8817 4030
[EMAIL PROTECTED]
http://www.interx.com/

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
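The race described in the message above, reproduced as an added example that is not part of the original thread and involves no SSL: a constructed `socketpair` stands in for the connection and an extra `read` stands in for the other thread that consumes the input. All function names are made up for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

enum race_result { RACE_ERROR = -1, RACE_GOT_DATA = 0, RACE_WOULD_BLOCK = 1 };

/* 1 if select() reports fd readable at this instant, 0 if not, -1 on error. */
int readable_now(int fd)
{
    fd_set rfds;
    struct timeval tv = {0, 0};   /* poll, do not wait */
    int n;

    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    n = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (n < 0)
        return -1;
    return n > 0 && FD_ISSET(fd, &rfds);
}

int set_nonblocking(int fd)
{
    int fl = fcntl(fd, F_GETFL, 0);
    if (fl < 0)
        return -1;
    return fcntl(fd, F_SETFL, fl | O_NONBLOCK);
}

/*
 * select() says "readable"; if steal is non-zero a second consumer then
 * drains the socket before the selecting code gets to read.
 */
int demo_select_race(int steal)
{
    int sv[2], result = RACE_ERROR;
    char buf[16];
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return RACE_ERROR;
    if (set_nonblocking(sv[0]) != 0 || write(sv[1], "ping", 4) != 4)
        goto out;

    /* Snapshot: the descriptor *was* readable when select examined it. */
    if (readable_now(sv[0]) != 1)
        goto out;

    /* Window of opportunity: someone else consumes all available input. */
    if (steal && read(sv[0], buf, sizeof buf) != 4)
        goto out;

    /* The selecting code reads only now. */
    n = read(sv[0], buf, sizeof buf);
    if (n > 0)
        result = RACE_GOT_DATA;
    else if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
        result = RACE_WOULD_BLOCK;   /* go back to select() and retry */
out:
    close(sv[0]);
    close(sv[1]);
    return result;
}

int main(void)
{
    printf("no competing reader: %d\n", demo_select_race(0));
    printf("competing reader:    %d\n", demo_select_race(1));
    return 0;
}
```

On a blocking descriptor the final `read` would hang instead of returning `EAGAIN`; with OpenSSL over a non-blocking socket the same condition is reported as `SSL_ERROR_WANT_READ`.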
Re: starting new ssl session on previous ssl socket
On 08/12/01 07:32 AM, Avery Fay sat at the `puter and typed:
> Hello,
>
> I've been given a task that a previous employee at our company was unable to accomplish. Before I start I would like to ask if it is even possible.
>
> What I need to do:
>
> 1.) start a ssl session
> 2.) send / receive some data
> 3.) stop that session but keep the tcp / ip connection open
> 4.) start a new ssl session using that tcp / ip connection
> 5.) send / receive more data
> 6.) close the connection
>
> Both sides of the connection will know when to start the new ssl session. The reason I need to do this is somewhat complicated, but a hard requirement is that I have to keep the tcp / ip connection open and I must start a new ssl session.
>
> Can this be done? Are there any problem areas that I may run into?
>
> Thanks for your time and please CC me because I am not subscribed to the list (but may be soon if this is possible).
>
> Avery Fay

How about SSL_renegotiate()? Check the archives over the last week, Eric Rescorla dealt with a rehandshaking question recently, and mentioned an article he is working on for Linux Journal.

If it can be done, I'd imagine that is the way to do it.

HTH
Lou
--
Louis LeBlanc [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://acadia.ne.mediaone.net

We can defeat gravity. The problem is the paperwork involved.
Re: openssl library API supports OCSP/CRL ?
Kok-Yong Leong wrote:
> hi
>
> I see that the openssl command line tool does support OCSP and CRL processing. Does the openssl library support an API that allows validation of certificate revocation status via OCSP or CRL?

OpenSSL 0.9.7 will support CRL processing by setting a flag in X509_STORE and having a valid CRL(s) in the trusted store.

OCSP is not handled automatically, though it will be possible to supply a customised revocation checking callback, where such functionality can be added, if required.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: CRL error
Florian Delacroix wrote:
> Hi all,
>
> I have generated an empty CRL, added a cert and signed the CRL using the following commands:
>
> X509_CRL_new
> sk_X509_REVOKED_push
> X509_CRL_sign

That's not enough. You have to set up a few other things as well. Specifically the CRL issuer name and lastUpdate. You don't have to set thisUpdate but it is recommended.

I don't think there are any functions that actually do this at present so you'll have to access the X509_CRL structure directly: there's an example in apps/ca.c, just look for 'gencrl' and you should find it.

This could be regarded as invalid ASN1 behaviour: it should really return an error if an attempt is made to encode a structure and some of the mandatory fields have not been initialized properly. The new ASN1 may fix this at some point.

Steve.
--
Dr Stephen N. Henson.
verifying certificate
Hi,

I've signed my message with a netscape certificate. When I try to verify it, the following error occurs:

26: unsupported certificate purpose

I set the ctx structure with X509_PURPOSE_SMIME_SIGN, like it's in verify.c. I tried setting the structure with X509_PURPOSE_ANY, and it seems to work fine, but I don't know if it's correct to do this.

If I use crypto/pkcs7/server.pem I don't have that problem ... but I need to use the other certificate! :-)

Has anybody any idea what is happening?

Thanks,
Gisela

--
Gisela Acosta
Gerencia de Desarrollo de Sistemas
Red Link S.A.
Tel: (5411)4317-1400 INT 1516
http://www.redlink.com.ar
extracting alert codes
I am trying to get the SSL/TLS alert code for various errors but am having trouble doing so. Suppose I get the following error string:

error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

I know this is a handshake_failure alert number 40, but I'm having trouble determining this information programmatically. I have been trying to access the warn_alert and/or fatal_alert fields of the ssl3_state_st structure to get at the code. However, when I access these fields they have been set to zero, presumably because upon failure a close_notify has been sent. Is there a function call I'm missing that returns the actual alert/warning that caused the premature close?

Thanks in advance.

Rob Pungello
VisualAge Smalltalk Development Team
[EMAIL PROTECTED]
http://www.software.ibm.com/ad/smalltalk
Re: verifying certificate
Gisela Acosta wrote:
> Hi,
>
> I've signed my message with a netscape certificate. When I try to verify it, the following error occurs:
>
> 26: unsupported certificate purpose
>
> I set the ctx structure with X509_PURPOSE_SMIME_SIGN, like it's in verify.c. I tried setting the structure with X509_PURPOSE_ANY, and it seems to work fine, but I don't know if it's correct to do this.
>
> If I use crypto/pkcs7/server.pem I don't have that problem ... but I need to use the other certificate! :-)
>
> Has anybody any idea what is happening?

It's rejecting your certificate because it doesn't like something about it, such as it isn't certified for email or one of the CA certificates is invalid.

Without seeing the certificate chain it's rejecting I can't be more specific. Could you post a signed message example that does this?

Steve.
--
Dr Stephen N. Henson.
Creating certificates
OpenSSL Ver: 0.9.6b
OS: Solaris 8
CC: CC 5.2

I would like to be able to create certificates without using the openssl tool if possible. I don't like the idea of my program having to call an outside application to create certificates, and I was wondering if there was any documentation on this. OpenSSL.org's site is a little less than helpful for information. These certificates will be used with the ACE/TAO orb. Thanks for the help.

- Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485
RSA Structure Enhancements
Will the functions:

RSA_set_ex_data
RSA_get_ex_data

contained within OpenSSL version 0.9.6 remain valid in future versions of OpenSSL?

Ken
__
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED]
http://www.securenetterm.com
Re: extracting alert codes
On Thu, Aug 16, 2001 at 09:22:34AM -0400, Robert Pungello wrote:
> I am trying to get the SSL/TLS alert code for various errors but am having trouble doing so. Suppose I get the following error string:
>
> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> I know this is a handshake_failure alert number 40, but I'm having trouble determining this information programmatically. I have been trying to access the warn_alert and/or fatal_alert fields of the ssl3_state_st structure to get at the code. However, when I access these fields they have been set to zero, presumably because upon failure a close_notify has been sent. Is there a function call I'm missing that returns the actual alert/warning that caused the premature close?
>
> Thanks in advance.

The error message you are seeing says:
* You are on the server side (because it happens in the SSL3_GET_CLIENT_HELLO stage; only the server _gets_ the client hello, the client sends it).
* Your server has decided that there is no shared cipher in the client hello.

See "man SSL_CTX_set_cipher_list" or better look up http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html as new information was added since the release of 0.9.6b.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: verifying certificate
Hi,

Thanks for your answer. You are right. The certificate that I've used isn't certified for email. It's Verisign Netscape Object Signing* Digital ID.

I need to verify a signed file, not an email. Should I use X509_PURPOSE_SMIME_SIGN or another one? What is the purpose of checking the purpose? What could the problem be if I'd use X509_PURPOSE_ANY?

Here is a signed message example:

Thanks!!
Gisela

--
Gisela Acosta
IE40 and windows NT Service Pack 5 or less on Windows NT platform give us error message.
Dear User support staff:

When I access my server https://ofx.automatedfinancial.com I get the login screen. After I enter userID and password and click the Login button, an error message pops up and I do not know what causes it.

Internet Explorer cannot open the Internet site https://ofx.automatedfinancial.com/cgi/online/absloginPage. An error occurred in the secure channel support.

The cert and key I am using for this server were created on a different computer with a different IP. It is 1024 bits. Could it be a problem? Please let me know.

thanks.
jun
Re: extracting alert codes
> The error message you are seeing says:
> * You are on the server side (because it happens in the SSL3_GET_CLIENT_HELLO stage; only the server _gets_ the client hello, the client sends it).
> * Your server has decided that there is no shared cipher in the client hello.
>
> See "man SSL_CTX_set_cipher_list" or better look up http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html as new information was added since the release of 0.9.6b.

Thanks for your response Lutz. In the short term, I was simply trying to get the alert code (40 in this case) so that I can map the error to one of the SSL/TLS alerts (close_notify = 0, unexpected_message = 10, etc.) Any suggestions?

Rob Pungello
Re: IE40 and windows NT Service Pack 5 or less on Windows NT platform give us error message.
Hello,

Yes that is the problem, you have to install Microsoft High Encryption Update, available at www.microsoft.com. Without it, msExplorer can only use weak cyphers and passwords.

Japa
Re: verifying certificate
Gisela Acosta wrote:
> Hi,
>
> Thanks for your answer. You are right. The certificate that I've used isn't certified for email. It's Verisign Netscape Object Signing* Digital ID.
>
> I need to verify a signed file, not an email. Should I use X509_PURPOSE_SMIME_SIGN or another one? What is the purpose of checking the purpose? What could the problem be if I'd use X509_PURPOSE_ANY?

Purpose checking is a critical aspect of certificate security. It determines if CAs are valid and if a certificate is being used for an authorised purpose. Without it anyone could use their user certificate as a CA or one of those no checking freeware email for something like object signing.

X509_PURPOSE_ANY actually does disable purpose checking and is a big security hole unless used with extreme caution: it's there because there are some highly broken CAs about which it is unfortunately occasionally necessary to tolerate.

By default the verification routines for S/MIME will assume the certificate should be certified for S/MIME. Unfortunately there isn't an object signing purpose in OpenSSL at present: so you'd have to write a customised one.

Steve.
--
Dr Stephen N. Henson.
Re: extracting alert codes
On Thu, Aug 16, 2001 at 11:24:48AM -0400, Robert Pungello wrote:
> > The error message you are seeing says:
> > * You are on the server side (because it happens in the SSL3_GET_CLIENT_HELLO stage; only the server _gets_ the client hello, the client sends it).
> > * Your server has decided that there is no shared cipher in the client hello.
> >
> > See "man SSL_CTX_set_cipher_list" or better look up http://www.openssl.org/docs/ssl/SSL_CTX_set_cipher_list.html as new information was added since the release of 0.9.6b.
>
> Thanks for your response Lutz. In the short term, I was simply trying to get the alert code (40 in this case) so that I can map the error to one of the SSL/TLS alerts (close_notify = 0, unexpected_message = 10, etc.) Any suggestions?

Hmm. The error messages and the corresponding alert are hardcoded into the SSL library, at the locations the problem occurs. There is no table or whatever from which you could find the alert sent from the error message you see. The only idea I could offer would be to use the info_callback to catch the alert sent to the peer... info_callback is not yet documented, but you should be able to read the functionality from the s_server example...

Best regards,
Lutz
--
Lutz Jaenicke
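An added example, not code from the thread or from OpenSSL: it unpacks the error code in the string quoted above using the library/function/reason packing of OpenSSL releases before 3.0, and decodes the `where`/`ret` arguments that an info callback receives for an alert. The numeric constants are copied into the block so it compiles without OpenSSL headers; the function and struct names are hypothetical, and the client-side string is a constructed sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIB_SSL          20      /* value of ERR_LIB_SSL */
#define AD_REASON_OFFSET 1000    /* value of SSL_AD_REASON_OFFSET */
#define CB_WRITE         0x08    /* value of SSL_CB_WRITE */
#define CB_ALERT         0x4000  /* value of SSL_CB_ALERT */

/* Error string from the thread (server side). */
static const char SERVER_ERR[] =
    "error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher";
/* Constructed sample: what a client logs when it *receives* alert 40. */
static const char CLIENT_ERR[] =
    "error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure";

struct ossl_err { unsigned lib, func, reason; };

/* Parse "error:XXXXXXXX:..." (pre-3.0: 8 bits lib, 12 func, 12 reason). */
int parse_err_line(const char *line, struct ossl_err *out)
{
    const char *p = strstr(line, "error:");
    char *end;
    unsigned long code;

    if (p == NULL)
        return -1;
    p += strlen("error:");
    code = strtoul(p, &end, 16);
    if (end - p != 8 || *end != ':')
        return -1;
    out->lib = (unsigned)((code >> 24) & 0xff);
    out->func = (unsigned)((code >> 12) & 0xfff);
    out->reason = (unsigned)(code & 0xfff);
    return 0;
}

/*
 * Only alerts received from the peer are encoded in the reason code
 * (offset + alert number). A locally detected failure such as
 * "no shared cipher" carries no alert number: returns -1.
 */
int received_alert(const struct ossl_err *e)
{
    if (e->lib != LIB_SSL || e->reason < AD_REASON_OFFSET ||
        e->reason > AD_REASON_OFFSET + 255)
        return -1;
    return (int)(e->reason - AD_REASON_OFFSET);
}

struct alert_event { int is_alert, sent, level, desc; };

/* Decode info-callback arguments: ret = (level << 8) | description. */
struct alert_event decode_info_cb(int where, int ret)
{
    struct alert_event ev = {0, 0, 0, 0};

    if (where & CB_ALERT) {
        ev.is_alert = 1;
        ev.sent = (where & CB_WRITE) != 0;  /* written to the peer */
        ev.level = (ret >> 8) & 0xff;       /* 1 = warning, 2 = fatal */
        ev.desc = ret & 0xff;
    }
    return ev;
}

/* The alert numbers mentioned in the thread. */
const char *alert_name(int desc)
{
    switch (desc) {
    case 0:  return "close_notify";
    case 10: return "unexpected_message";
    case 40: return "handshake_failure";
    default: return "other";
    }
}

int main(void)
{
    struct ossl_err e;
    struct alert_event ev;

    if (parse_err_line(SERVER_ERR, &e) == 0)
        printf("server: lib=%u func=%u reason=%u alert=%d\n",
               e.lib, e.func, e.reason, received_alert(&e));
    if (parse_err_line(CLIENT_ERR, &e) == 0)
        printf("client: reason=%u alert=%d\n", e.reason, received_alert(&e));
    /* Constructed callback arguments: fatal handshake_failure being sent. */
    ev = decode_info_cb(CB_ALERT | CB_WRITE, (2 << 8) | 40);
    printf("callback: sent=%d level=%d %s(%d)\n",
           ev.sent, ev.level, alert_name(ev.desc), ev.desc);
    return 0;
}
```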
Re: trusted options in certificate OK and in certificate request ??
stef wrote:
> hi'
>
> could s.o. say to me why in the documentation of openssl in http://www.openssl.org/docs/crypto/pem.html there are _AUX methods for certificates
>
> int PEM_write_X509_AUX(FILE *fp, X509 *x);
> X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
>
> but not for certificate requests? like X509_REQ_AUX
>
> do these methods exist or is there another way to write a certificate request with trusted options ??

The point of trust settings is to allow certificates (currently root CAs) to have their usages modified by the user. So you can use the same certificate store and have it produce errors if attempts are made to use a certificate which chains to a root with an unauthorised purpose: so if you set things up properly you can't use an SSL server CA for SSL client use for example.

Since certificate requests aren't used for certificate verification, there's no concept of a trusted certificate request and I'm not sure what one would be expected to do.

Steve.
--
Dr Stephen N. Henson.
Re: verifying certificate
Ok,

I wrote the functions to manage X509_PURPOSE_OBJ_SIGN, checking if the purpose is NS_OBJSIGN or NS_OBJSIGN_CA for CA certificates. It seems that the problem is solved.

Thank you.
Gisela

--
Gisela Acosta
Regarding read write buffer sizes : pls help
Hi All,

I am very new to SSL. My knowledge says, for each session the openssl by default sets the sizes of init_buf (for holding handshake data), rbuf (for reading data), wbuf (for writing data) to 16k each.

Is there any way I can dynamically adjust the sizes of the buffers, as and when my server receives the data?

My concern is that if 48k (3*16k) is used by a given connection in the session, what happens if suppose 1000 simultaneous connections are handled by the server.

If I am not wrong, it takes (1000*48)k memory ?? So can I avoid preallocating 16k for each buffer, since it is believed that it is very rare for a client to send the maximum allowable 16k data to server.

If anybody has any idea, please help me. I am not sure how correct this understanding of mine is.

Thanks in advance,
Rahul.
extracting the data contents from a sign PKCS7 message
Does anyone know how to extract the data contents from a PKCS7 * where it's just a signed message? I tried accessing the contents member (p7->d.sign->contents) but that did not seem to be it (or is it not in plain text?). I'm able to verify the signature just don't know how to get the plain text data out of it.

Thanks,
Frank
change PKCS12 password
Hi, all,

I am a new user to Openssl, sorry for the naive question.

What is the exact command used to change PKCS12 password using Openssl?

Thanks.

Kate
Re: extracting the data contents from a sign PKCS7 message
Found it.

((p7->d).sign)->contents->d.data->data

Is there a convenience function to do this anywhere, as this is ugly.

Frank
RE: Regarding read write buffer sizes : pls help
> If I am not wrong, it takes (1000*48)k memory ?? So can I avoid preallocating 16k for each buffer, since it is believed that it is very rare for a client to send the maximum allowable 16k data to server.

Dynamic allocation would be expensive as you would have to realloc buffers each and every time it runs out of space. As far as 16k length is concerned, yes it is rarely possible that a client sends a buffer up to 16k length but only during ssl handshake (unless it has a very long cert chain). But, believe me, application data could reach that level (server -> client). So be careful when you change those max sizes.

If you are planning to have 1000 or more simultaneous ssl connections then you might need to get some hardware accelerator. I haven't seen most of the software servers doing that other than if you have a very high end server.

-Imran.
Client encrypt on SSL Web site
I have an Apache web server on Linux which is SSL-enabled. So far I have successfully created https pages which -- am I right? -- encrypts the page as it is downloaded to the client. Is there a simple example of having the client send something back to the server encrypted?

Thanks,
Patrick
Re: change PKCS12 password
On Thu, 16 Aug 2001, Wang, Kate wrote:
|
| What is the exact command used to change PKCS12 password using Openssl?
|
| Thanks.
|
| Kate

Well, I believe this should work:

openssl pkcs12 -in old.p12 | openssl pkcs12 -export -out new.p12

Then, you should type in:
1. Old import password
2. PEM password
3. PEM password again
4. PEM password again twice
5. New export password

--
[EMAIL PROTECTED]
6501 E Belleview Avenue
Englewood, CO 80111, US
Telephone: 720.489.6000
Re: change PKCS12 password
On Thu, 16 Aug 2001, Wang, Kate wrote:
| What is the exact command used to change PKCS12 password using Openssl?
|
| Thanks.
|

Actually, if you don't want to type PEM password, then you can try this one instead:

openssl pkcs12 -nodes -in old.p12 | openssl pkcs12 -export -out new.p12

Regards,
ENGINE and DSO under FreeBSD
My ENGINE is working now. While developing, I simply linked our support library in statically. I'm making changes to get it ready to release now. I converted it to programmatically link to a .so library at run-time, using the DSO routines, as the other hw_ modules do.

It blew up with a NULL pointer fault. I was surprised to discover the reason - apparently, Configure assumes that FreeBSD and FreeBSD-elf don't have any support for dynamic shared libraries! The FreeBSD entries in Configure's $table don't appear to have any mention of DSO support.

I couldn't see any reason why FreeBSD apps couldn't use DLFCN-style DSO, so I did a few temporary hacks to build in DLFCN support, such as -DDSO_DLFCN in CFLAGS. And it worked.

Has DSO support been used/tested by anyone on FreeBSD? Is there some option I missed when I ran Configure (I only noticed 'no-dso')? Did I miss some other obvious step?

Please don't tell me I have to hack Configure - I love Perl, but whoa, Configure is some seriously fuggly Perl... :-)

Tom Biggs
Problems with SSL_set_verify
Hi,

I'm having trouble with some code that tries to set a verify callback. I've written a short program which demonstrates the problem. The symptom is this: if I call SSL_set_verify(...) then the SSL_connect call fails (but SSL_set_verify is not called!). If I call SSL_CTX_set_verify(...) with the same function everything works as expected.

Thanks for the help,
Erik

    #include <assert.h>
    #include <errno.h>
    #include <limits.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <time.h>

    #include <openssl/e_os.h>
    #include <openssl/bio.h>
    #include <openssl/crypto.h>
    #include <openssl/evp.h>
    #include <openssl/x509.h>
    #include <openssl/ssl.h>
    #include <openssl/err.h>
    #include <openssl/rand.h>

    /* Logs each invocation and passes the library's verdict through. */
    int my_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
    {
        printf("my_verify_callback\n");
        return preverify_ok;
    }

    int main(void)
    {
        int len;
        SSL *ssl;
        BIO *bio, *out;
        SSL_CTX *ctx;
        char tmpbuf[1024];

        SSL_library_init();
        SSL_load_error_strings();
        ERR_load_crypto_strings();
        ERR_load_SSL_strings();
        OpenSSL_add_all_algorithms();

        ctx = SSL_CTX_new(SSLv23_client_method());
        SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, my_verify_callback);

        bio = BIO_new_ssl_connect(ctx);
        BIO_get_ssl(bio, &ssl);    /* takes the address of the SSL pointer */
        SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);

        /* comment out this line, and it will work */
        SSL_set_verify(ssl, SSL_VERIFY_PEER, my_verify_callback);

        BIO_set_conn_hostname(bio, "www.amazon.com:https");
        BIO_set_nbio(bio, 0);
        SSL_connect(ssl);

        out = BIO_new_fp(stdout, BIO_NOCLOSE);
        BIO_puts(bio, "GET / HTTP/1.0\n\n");
        for (;;) {
            len = BIO_read(bio, tmpbuf, 1024);
            if (len <= 0)          /* end of stream or error */
                break;
            BIO_write(out, tmpbuf, len);
        }

        BIO_free_all(bio);
        BIO_free(out);
        return 0;
    }
RE: Client encrypt on SSL Web site
All http requests from client to server (in an ssl session) are encrypted.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Patrick Knight
Sent: Thursday, August 16, 2001 1:10 PM
To: '[EMAIL PROTECTED]'
Subject: Client encrypt on SSL Web site

I have an Apache web server on Linux which is SSL-enabled. So far I have successfully created https pages which -- am I right? -- encrypts the page as it is downloaded to the client. Is there a simple example of having the client send something back to the server encrypted?

Thanks,
Patrick
Certificates generation problems
Sorry for the long e-mail, I'm trying to provide as much information as possible.

Someone else from my company generated a CA root certificate, a private key and a certificate that was signed by the mentioned CA. We're using it in our test environment with weblogic server and it works fine. However, I'm trying to regenerate the certificates from scratch but I'm having problems when I try to start the server. I would like to tell you guys what I am doing and what kind of things are different from the current certificates. Maybe you could help me to figure out what's wrong.

First, this is how I generate everything:

1. Create self signed root certificate

    /usr/local/ssl/bin/openssl req -x509 \
        -newkey rsa:512 -keyout ./demoCA/private/cakey.pem \
        -out ./demoCA/cacert.pem -days 365

2. Create private key

    /usr/local/ssl/bin/openssl genrsa -out skntKey.pem 512

3. Create certificate request

    /usr/local/ssl/bin/openssl req -new -key skntKey.pem \
        -out skntReq.pem -verbose

4. Sign the certificate request

    /usr/local/ssl/bin/openssl ca -in skntReq.pem \
        -out skntCert.pem -days 365

By the way, I have the ./demoCA directory and the necessary subdirectories and files (index.txt and serial).

The certificates are generated but they don't work when I try to use them with my weblogic server (version 6.1).
When I start the weblogic server with the current certificates (the certificates that work fine) I can see the following message:

    Aug 16, 2001 11:06:14 AM EDT Info WebLogicServer Certificate contents: 2 certificate(s):
    fingerprint = ee8dae1fa03669a4bfa6fbaf2aab7227, not before = Sun Sep 24 03:51:49 EDT 2000, not after = Mon Sep 24 03:51:49 EDT 2001, holder = C=US SP=New York L=New York O=Sakonnet Technology, LLC CN=Alarik Myrin [EMAIL PROTECTED] , issuer = C=US SP=New York L=New York O=Sakonnet Technology -- CA CN=Alarik Myrin [EMAIL PROTECTED] , key = modulus length=65 exponent length=3
    fingerprint = c35822593edb68ae0b011ad6d97eddbd, not before = Sun Sep 24 03:51:15 EDT 2000, not after = Mon Sep 24 03:51:15 EDT 2001, holder = C=US SP=New York L=New York O=Sakonnet Technology -- CA CN=Alarik Myrin [EMAIL PROTECTED] , issuer = C=US SP=New York L=New York O=Sakonnet Technology -- CA CN=Alarik Myrin [EMAIL PROTECTED] , key = modulus length=65 exponent length=3

One thing: I noticed that the organization in the first loaded certificate is different from the organization in the second certificate, which is the CA certificate. When I try to create my certificates, if I specify different organizations I have an error message.
Now, when I try to start the server using the certificates that I generated following the steps presented above, I have the following message:

    Aug 16, 2001 11:21:58 AM EDT Alert WebLogicServer Inconsistent security configuration, java.lang.Exception: Problem with X509 certificate: fingerprint = 2fa1718d4242cf9ce8ccca47e6259877, not before = Thu Aug 16 12:24:32 EDT 2001, not after = Fri Aug 16 12:24:32 EDT 2002, holder = C=US SP=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, LLC CN=PORKY [EMAIL PROTECTED] , issuer = C=US SP=New York L=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, CA CN=Andre Mendonca [EMAIL PROTECTED] , key = modulus length=65 exponent length=3, java.lang.Exception: Certificate expired or not yet valid: fingerprint = 2fa1718d4242cf9ce8ccca47e6259877, not before = Thu Aug 16 12:24:32 EDT 2001, not after = Fri Aug 16 12:24:32 EDT 2002, holder = C=US SP=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, LLC CN=PORKY [EMAIL PROTECTED] , issuer = C=US SP=New York L=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, CA CN=Andre Mendonca Em [EMAIL PROTECTED] , key = modulus length=65 exponent length=3
    java.lang.Exception: Problem with X509 certificate: fingerprint = 2fa1718d4242cf9ce8ccca47e6259877, not before = Thu Aug 16 12:24:32 EDT 2001, not after = Fri Aug 16 12:24:32 EDT 2002, holder = C=US SP=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, LLC CN=PORKY Email= [EMAIL PROTECTED] , issuer = C=US SP=New York L=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, CA CN=Andre Mendonca Email=andre@sknt.com , key = modulus length=65 exponent length=3, java.lang.Exception: Certificate expired or not yet valid: fingerprint = 2fa1718d4242cf9ce8ccca47e6259877, not before = Thu Aug 16 12:24:32 EDT 2001, not after = Fri Aug 16 12:24:32 EDT 2002, holder = C=US SP=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, LLC CN=PORKY Email=andre@sknt.com , issuer = C=US SP=New York L=New York O=Sakonnet Technology, CA OU=Sakonnet Technology, CA CN=Andre Mendonca [EMAIL PROTECTED] , key = modulus length=65 exponent length=3
        at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:290)
        at weblogic.t3.srvr.SSLListenThread.init(SSLListenThread.java:414)
        at weblogic.t3.srvr.SSLListenThread.init(SSLListenThread.java:300)
        at