Wierd behavior with SSL Session cache stats - client side.
Quick question about session handling from the client side. Here's my scenario: I have a client connecting to a server. The session info is being saved with a structure associated with the server. Hypothetically speaking, it is possible for more than one thread to be connecting at the same time, so they may be negotiating multiple sessions with the same server simultaneously. Does it matter which session is saved? I'd assume that if there were any issues at the server side, it would save the last one established. According to the session stats, it looks like they are all being saved somewhere. I assume this has something to do with my using SSL_get1_session() when putting it in my structure. Should I be using the SSL_get_session() version for client side session handling? Here's what I'm seeing in the session stats after a number of connections (some made concurrently) to a single server: SSL session cache stats: 13 items in the session cache. 14 client connects (SSL_connect()). 14 client connects that finished. 0 client renegotiatations requested. 1 session cache hits. 0 session cache misses. 0 session cache timeouts The client connections are correct, but I would expect the number of items in the cache to be 1. I could even understand if the hits were less than 10, but it should be more than one. Any ideas what I'm missing? Thanks all. Lou -- Louis LeBlanc [EMAIL PROTECTED] Fully Funded Hobbyist, KeySlapper Extrordinaire :) http://acadia.ne.mediaone.net ԿԬ The explanation requiring the fewest assumptions is the most likely to be correct. -- William of Occam __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
error when trying to use private key
When executing: ./openssl rsa -in www.server.com.key.bak -out www.server.com.key_new where www.server.com.key.bak is a copy of my private key, I am prompted for a pass phase (which is what should happen). When I enter the passphrase, however, I get the following error: When entered "correctly": 25217:error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing:d2i_r_pr.c:116: 25217:error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:89: 25217:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:290: which is what I don't understand (or know how to fix). When entered deliberately incorrectly I get: 25219:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:243: 25219:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:451: which would make sense as it indicates a failure of the pass phrase. Any help would be much appreciated. --cameron __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Better than Sex! Register your .Sex Domain! 58876
The latest domain name extension is here .SEX!!! It's the fresh ,new, exciting web address that is taking the world by storm. Who wants to be .com when you can now be .SEX Register your .SEX domain name today exclusively at: http://www.dotsex.com - To be taken off the mailing list please click below: http://195.178.213.33/unsubscribe.phtml __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Encrypt attached Documents using Certificate
Hi All, I got my personal certificate and use it to sign my emails with netscape messenger or Outlook. It works fine (Sign and Encryption). My question is: If I send an email with attached documents, are these attached documents encrypted when they fly? And how can I check if they are encrypted or not? Regards -- # .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ... .- # Averroes A. Aysha # Think Linux, Think Slackware! # Network Security Auditor (NSA) # e-fingerprint = 73B7 2559 2968 5094 3B95 5C70 4E85 5F94 6068 1DD8 # http://www.keyserver.net/en/ # .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ... .- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Problem running cswift on Linux
I haven't seen this particular error before, but I'd suggest contacting our tech support ([EMAIL PROTECTED]), and including information on the versions of OpenSSL, Apache, and CryptoSwift IK involved, just what load test is being run, and any errors that may appear in the Apache error log. Lynn Gazis Rainbow Technologies -Original Message- From: Andy Tsz Kwan Chan [mailto:[EMAIL PROTECTED]] Sent: Wednesday, September 05, 2001 8:21 PM To: [EMAIL PROTECTED] Subject: Problem running cswift on Linux Hi, I am running cswift on Linux 2.2.17 using regular Apache. After a load test is over, I see the followings: 140 D abuser1700 1688 2 60 0- 1206 end19:52 ? 00:00:24ab-helper -f /USR/A/conf/httpd.conf This process stays in this state forever and it can not be killed. It seems to be waiting for a disk operation to be completed. When I do lsmod, I see something like: cspci5744x where x is the number of processes staying in the above state. Any idea why this is happening? Thanks. best regards, Andy __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Export Control
Hello, I'm using openssl 0.96b (in the EU/ US) and have a question regarding ciphers and current export controls. When I create two peers and establish a connection the cipher seems to be EXP1024-RC4-SHA with the actual strength at 56 bits. This seems to be export constrained somehow in the build/ configuration step. Can I build openssl so that is uses an actual strength of 128 bits? Is this allowable/ possible? regards, Michael. _ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Re: doubt regarding X509_verify_cert
Hi all and Hello Dr. Henson, please find attached files: cacert.pem - trusted certificate cakey.pem - trusted certificate's private key. selfcert.pem - certificate signed by the given trusted certificate. The following is the output when we try to use openssl verify utility: $ openssl verify -CApath /usr/local/lib/openscep/ -CAfile cacert.pem -verbose -issuer_checks tmp.pem tmp.pem: /unstructuredName=3.com error 29 at 0 depth lookup:subject issuer mismatch /unstructuredName=3.com error 29 at 0 depth lookup:subject issuer mismatch /unstructuredName=3.com error 29 at 0 depth lookup:subject issuer mismatch /C=CH/ST=Ticino/L=Bosco/Gurin/O=othello error 31 at 0 depth lookup:authority and issuer serial number mismatch /C=CH/ST=Ticino/L=Bosco/Gurin/O=othello error 31 at 0 depth lookup:authority and issuer serial number mismatch /C=CH/ST=Ticino/L=Bosco/Gurin/O=othello error 31 at 0 depth lookup:authority and issuer serial number mismatch /C=CH/ST=Ticino/L=Bosco/Gurin/O=othello error 31 at 0 depth lookup:authority and issuer serial number mismatch /C=CH/ST=Ticino/L=Bosco/Gurin/O=othello error 2 at 1 depth lookup:unable to get issuer certificate We could not make any progress with the OpenSSL verify utility as well. I request u to help us in this regard... Awaiting your valuable Response Regards Suram > I have a doubt regarding the x509_verify_cert(). When we have a TRUSTED > certificate with the authority-key-identifier extension, and when we are > trying to verify a SELF certificate using the function X509_verify_cert(), > the verification is failing. Upon a deeper look into the function, the function is failing as follows... When we call the X509_verify_cert() with the CTX, Before calling this function we are initializing the CTX->cert with the self-certificate, and we are adding the trusted-certificates in X509_STORE using the function X509_STORE_add_cert(). In the X509_verify_cert() 1. checks whether CTX->cert (self-certificate) is self-signed certificate or not by PUSHing the certificates into a chain. 2. It is looking for Trusted certificates whose subject name is same as the Issuer Name of CTX->cert(ie., self-certificate) and pushing the certificates into the chain in the CTX. Now we are checking the Trusted certificates are Self-signed or not by calling the function X509_check_issued( ). 3. We are passing the subject and issuer certificates the same Trusted Certificate. In this function we are checking the Serial Number of the Issuer certificate with the Serial number in the extension Authorithy Key Identifier of the Subject Certificate. Here we are facing problem. The problem is ASN1_INTEGER_cmp( ) is failing. The QUESTION is whether the Serial Number in the Trusted Certificate should be SAME as the Serial Number in the Authority Key Identifier extension? If the two need not be the same then we feel that there is a bug in the X509_check_issued ( ) function as we are using it to verify whether the certificate is self-signed or not. I would be thankful for any help regarding this question.. Regards Suram I've already responded to this in openssl-dev: Does this fail with the OpenSSL verify utility? If so what is the failure reason? Also try it with the -issuer_checks command line option. If that doesn't help much then if you could send me the certificate(s) causing the trouble I'll investigate further. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] --- -- Rama Krishna Prasad Chunduru Software engineer Intoto Software(I) Pvt Ltd Kharkhana Secundrabad selfcert.pem cacert.pem cakey.pem
Netscape Extension
Dear all, Let me ask that if I omit to specify the nsCertType extension, the certificate can be used for keyEncippherment even I specify the digitalSignature only in keyUsage? Does anyone knows that Netscape recognizes the keyUsage bit and limits the usage of the certificate? Regards, Kiyoshi, Kiyoshi WATANANBE Hitachi, Ltd. ---openssl.cnf-- # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # # # For an object signing certificate this would be used. # nsCertType = objsign # # For normal client use this is typical # nsCertType = client, email # # and for everything including object signing: # nsCertType = client, email, objsign #nsCertType = client #nsCertType = email #nsCertType = objsign #nsCertType = client, email # This is typical in keyUsage for a client certificate. keyUsage = nonRepudiation, digitalSignature, keyEncipherment __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: libssl.so: undefined symbol: sk_X509_NAME_value
[EMAIL PROTECTED] wrote: > > I have, for two days, been banging my head on trying to install this > apache server with mod_ssl. I keep having problems. I have tried > absolutely everything I can think of to try to fix this. I have searched > all of the postings and tried their "solutions". Nothing works. > > Here is my OS ... > > Linux host_name_omitted 2.2.16-22smp #1 SMP Tue Aug 22 16:39:21 EDT > 2000 i686 unknown > > Here is the error ... > > /apachectl startssl > Syntax error on line 243 of /usr/local/share/apachessl/conf/httpd.conf: > Cannot load /usr/local/share/apachessl/libexec/libssl.so into > server: /usr/local/share/apachessl/libexec/libssl.so: undefined > symbol: sk_X509_NAME_value > ./apachectl startssl: httpd could not be started > This is what may be happening: an earlier version of OpenSSL had a function called sk_X509_NAME_value, later versions have a macro instead. So somehow the old definition is being picked up when OpenSSL and/or mod_ssl is being compiled. I suspect that you may have some headers for an older version of OpenSSL on your system somewhere and those are being seen instead of the newer OpenSSL 0.9.6b ones. Do a search on your system for some of the header names (x509.h for example) and remove any old versions. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: libssl.so: undefined symbol: sk_X509_NAME_value
[EMAIL PROTECTED] wrote: > > I have, for two days, been banging my head on trying to install this > apache server with mod_ssl. I keep having problems. I have tried > absolutely everything I can think of to try to fix this. I have searched > all of the postings and tried their "solutions". Nothing works. > > Here is my OS ... > > Linux host_name_omitted 2.2.16-22smp #1 SMP Tue Aug 22 16:39:21 EDT > 2000 i686 unknown > > Here is the error ... > > /apachectl startssl > Syntax error on line 243 of /usr/local/share/apachessl/conf/httpd.conf: > Cannot load /usr/local/share/apachessl/libexec/libssl.so into > server: /usr/local/share/apachessl/libexec/libssl.so: undefined > symbol: sk_X509_NAME_value > ./apachectl startssl: httpd could not be started > > Here was my install process ... > > gtar xzvf src/openssl-0.9.6b.tar.gz > gtar xzvf src/apache_1.3.20.tar.gz > gtar xzvf src/mod_ssl-2.8.4-1.3.20.tar.gz > gtar xzvf src/mod_auth_ldap.tar.gz > gtar xzvf src/mod_put.tar.gz > > 1. install openssl > > # cd src/openssl-0.9.6b > # ./config > # make > # make install > > 2. Add authmodldap to the apache src > > # cp -pr modauthldap apache_1.3.20/src/modules/ldap > > 3. configure mod_ssl > > # ./configure --with-apache=/usr/src/apache_1.3.20/ > --prefix=/usr/local/share/apachessl > > 4. configure apache ( include modauthldap, mod_put, mod_ssl ) > > # SSL_BASE=/usr/local/ssl ./configure --enable-module=ssl > --enable-rule=EAPI --prefix=/usr/local/share/apachessl --enable-shared=max > --enable-module=all --add-module=../mod_put-1.3/mod_put.c > --activate-module=src/modules/ldap/mod_auth_ldap.c > # make > # make certificate TYPE=test > # make install > > 5. Edit /usr/local/share/apachessl/conf/httpd.conf > > 6. Should be done now start by using > > /usr/local/share/apachessl/bin/apachectl startssl > > This is where it totally bombs on me. I even tried "Upgrading with APXS" > > # ./configure --with-apxs=/usr/local/share/apachessl/bin/apxs > --with-ssl=/usr/local/ssl > > This still didn't work. Ah, didn't work, eh? That'll be because something went wrong. Or, to put it another way - details! Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: try to help me X509_get_version
On Thu, 6 Sep 2001, Zulkiffli Mohd Nur wrote:
>
> hello.
>
>
>
> i have a problem how to read version and serial number from certificate.
X509_get_version() will return a long that could be printed using %ld
specification.
>
> just now i have a certificate.
>
>
>
> the code like this
>
>
>
> #include
> #include
> #include
>
>
>
>
> main()
> {
>X509 *x;
>FILE *fp;
>EVP_PKEY * pkey;
>
>long version;
> char * s;
>
>
>
>
>if ((fp=fopen("C:\\CryptoWeb\\backup 492001\\Haizad.crt","r")) != NULL)
>{
> x=X509_new();
> if (PEM_read_X509(fp,&x,NULL,NULL)!=NULL)
> printf("\nReading success!\n");
>else
>
>{
> printf ("\nError reading certificate!");
>exit (1);
> }
> printf("\nCertificate value: %s",x);
> version = X509_NAME_oneline(X509_get_version(x), NULL,NULL);
> printf ("\nVersion: %s\n",version);
>
>
> s = X509_NAME_oneline(X509_get_subject_name(x),NULL,NULL);
> printf("\nSUBJECT NAME: %s\n",s);
> s = X509_NAME_oneline(X509_get_issuer_name(x),NULL,NULL);
> printf("\nISSUER NAME: %s\n",s);
>
>
>
> /* Get public key - eay */
> pkey=X509_get_pubkey(x);
> if (pkey == NULL) {
>printf ("\nPublic key error!");
>exit (1);
> }
>
> if (pkey == NULL) {
> printf ("\nPublic key is NULL!");
>exit (1);
> }
> else
>printf ("Public key found!");
>
>
>
> printf("\nPublic key:");
> RSA_print_fp(stdout,pkey->pkey.rsa,0);
>
>
>
> X509_free(x);
> fclose(fp);
>}
>else
> perror("ERROR, haizad.crt");
>
>
>
> }
>
> this code have some error.
>
> can you help me give any example.
>
> please reply as soon as possible.
>
> thank you
>
>
>
>
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
perm to raw convertion
Hi all, Is there a way to convert PEM keys to RAW keys or vice versa. Because i am facing compatibility problem between RSA-REF and cryptix.. thanks -- Nagas
RE: simple question about OpenSSL and HTTP
Dear Sean, Thanks for your help! and there's another problem. is mod_ssl designed closely with apache? 'cause i don't use apache as httpd code. are there other alternate methods? very thanks, Mars -Original Message- From: Sean O'Riordain [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 06, 2001 5:06 PM To: [EMAIL PROTECTED] Subject: Re: simple question about OpenSSL and HTTP Mars, have a look at http://www.modssl.org/ cheers, Sean MARS.LIN ªL¨|¼w wrote: > > I have a simple question about OpenSSL and HTTP > I try to enhance httpd codes into secure one, such as httpsd. > could i simply combine openssl library with httpd codes for that? > are there any different between http and https except for the ssl > handshacking? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
try to help me X509_get_version
hello.
i have a
problem how to read version and serial number from certificate.
just now i
have a certificate.
the code
like this
#include
#include #include
main(){ X509
*x; FILE *fp; EVP_PKEY
* pkey; long
version; char * s;
if
((fp=fopen("C:\\CryptoWeb\\backup 492001\\Haizad.crt","r")) !=
NULL) {
x=X509_new(); if
(PEM_read_X509(fp,&x,NULL,NULL)!=NULL)
printf("\nReading success!\n"); else
{ printf ("\nError reading
certificate!"); exit
(1); } printf("\nCertificate value:
%s",x); version =
X509_NAME_oneline(X509_get_version(x), NULL,NULL);
printf ("\nVersion: %s\n",version);
s =
X509_NAME_oneline(X509_get_subject_name(x),NULL,NULL); printf("\nSUBJECT
NAME: %s\n",s); s =
X509_NAME_oneline(X509_get_issuer_name(x),NULL,NULL); printf("\nISSUER
NAME: %s\n",s);
/* Get public key - eay
*/ pkey=X509_get_pubkey(x); if (pkey == NULL)
{ printf ("\nPublic key error!"); exit
(1); }if (pkey == NULL)
{printf ("\nPublic key is
NULL!"); exit
(1); } else printf ("Public
key found!");
printf("\nPublic
key:"); RSA_print_fp(stdout,pkey->pkey.rsa,0);
X509_free(x); fclose(fp); }
else perror("ERROR,
haizad.crt");
}
this code
have some error.
can you
help me give any example.
please
reply as soon as possible.
thank
you
Re: simple question about OpenSSL and HTTP
Mars, have a look at http://www.modssl.org/ cheers, Sean MARS.LIN ªL¨|¼w wrote: > > I have a simple question about OpenSSL and HTTP > I try to enhance httpd codes into secure one, such as httpsd. > could i simply combine openssl library with httpd codes for that? > are there any different between http and https except for the ssl > handshacking? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
simple question about OpenSSL and HTTP
Hi folks, I have a simple question about OpenSSL and HTTP I try to enhance httpd codes into secure one, such as httpsd. could i simply combine openssl library with httpd codes for that? are there any different between http and https except for the ssl handshacking? best regards, Mars. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
