Re: Root CA signing an intermediate CA - problems solved
Louis LeBlanc wrote: Maybe OpenSSL does it this way when it encounters a cert without a pathlen specified, but as I mentioned in an earlier message on this thread, Netscape (4.76?) for Linux (running on FreeBSD) seems to have a problem. Adding the pathlen was the final trick that made it work. Without the pathlen, I got Certificate path length constraint is invalid. In a Netscape popup. Well if the certificate is correctly encoded and pathlen is absent then it should interpret it as unlimited. This is specified in a number of places including RFC2459. If Netscape is doing otherwise then its a bug. I haven't seen that popup you mention before. If this standard Netscape 4.76 or PSM? I'd like to reproduce it and report it at some point. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: HTTP Server and SSL (Newbie Q)
Now the next step is to use SSL. Followed the server code, s_server.c, so how would you go about creating the file without using RSA? (Trying to avoid issues using RC5 and RC4, so I did not compile it in). There's no reason to avoid RSA. In reading the README, there is no patent issues? Also, what about export issues? Also, since this is a device the url can change, so how is it possible to have the browser just use SSL without verifying the server? I'm trying to keep the connection simple. Due to embedded and no having a file system. In general it's a REALLY bad idea to try to use SSL without server authentication. This leaves you open to a number of active attacks. Agreed, but, isn't the name, http://name of site the name of site has to be fixed? What I'm saying, the client uses the name to do a certification lookup using another site? That said, if you want to operate without server auth you have two choices: (1) use DH. This has the advantage that you get perfect forward secrecy. (2) use RSA with a self-signed certificate. This has the advantage that it will work with most any browser, whereas anonymous DH support is less common. Help! I'm new to using OpenSSL what would be the commandline augments? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: certificate purpose
Wolfgang Marczy wrote: Hi everybody, I would like to know how to generate a certificate request for a certificate, which can be used as a server cert and client cert? I believe, it must be set somewhere in the conf file, but I do not know where. Server certs often have an extension (Netscape) that identifies them as such. Nothing here prevents you from using them as client certs. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: tru64 multi-threading needed
Per F. [EMAIL PROTECTED]: Is it really that simple? No. I'm asking because the Configure script told me that it configured without threads support, see the command output below. Isn't something like -threads or -D_REENTRANT needed in CFLAGS for thread support? Many systems need a definition like this. I don't know if Tru64 is one of them -- check the system documentation (and maybe look into system header files). In any case, multi-threaded applications will have to provide locking callbacks as described in the threads(3) manual page. See also the OpenSSL FAQ (question Is OpenSSL thread-safe?). __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
c_rehash script
I am having some trouble with a program trying to use the c_rehash script. It says it cannot find it in the current PATH but I know the file is located in /usr/loca/ssl/bin How can I change the current PATH to point to where the c_rehash script is located.
Does anyone know where the SSL v2.0 specifications are at?
Been doing some searching and cannot find the SSL v2.0 specification. I've found v3 and TLS v1 but I would like to get a copy of just SSL v2.0. Does anyone know where the SSL v2.0 specifications are at? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Refresh secured page causing problem
Hello, I am using apache_1.3.19 with modssl and openssl-0.96b.I have strange problem, when i hold the refresh button (F5) for about 1 minute to refresh the secured page then it throws memory exception. This problem is easily reproducible when we refresh the same secure page at same time from the 2 different machines connected to network. I am testing it on Win2k and I dont whether it happens on all operating systems. I don't know whether it is a common problem with apache+ssl or not. I will be very happy if somebody can help me with is Problem. with regards, soleti __ Do You Yahoo!? Get email alerts NEW webcam video instant messaging with Yahoo! Messenger. http://im.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Problems with BIO_s_mem and BIO_s_file
Dear all,
I have an encrypted char *, to be decrypted using the private key read from
the PKCS12 protection file (which is done!!). Now the problem lies into the
BIO_s_mem and BIO_s_file (the encrypted char * is Base64 encoded)
I have run the two tests:
1. Store the char * into a file called temp.tmp, and write the following
code:
/* START **/
b64 = BIO_new(BIO_f_base64());
bio2 = BIO_new_file(temp.tmp, rb);
bio2 = BIO_push(b64, bio2);
if ((inlen2 = BIO_read(bio2, ecryptedData, 128)) = 0) {
printf(error 1);
exit(-1);
}
encryptedData[128] = '\0';
// decryption with the private key
if (EVP_PKEY_decrypt(decryptedData, encryptedData, 128, privKey) == -1) {
printf(error 2);
exit(-1);
}
/ END */
IT WORKS FINE!
2. Then I test the following code, by reading in the char * directly into a
BIO_s_mem:
/* START **/
b64 = BIO_new(BIO_f_base64());
bio2 = BIO_new(BIO_s_mem());
BIO_write(bio2, data, 128);
bio2 = BIO_push(b64, bio2);
if ((inlen2 = BIO_read(b64, encryptedData, 128)) = 0) {
printf(error 1);
exit(-1);
}
encryptedData[128] = '\0';
// decryption with the private key
if (EVP_PKEY_decrypt(decryptedData, encryptedData, 128, privKey) == -1) {
printf(error 2);
exit(-1);
}
/ END */
THE MESSAGE error 2 is printed.
What is the difference (of course there must be a difference, but I wish you
could help me)? Is there something wrong with the code 2? When I printed out
the encryptedData array as a string (printf(%s\n, encryptedData)), they
look the same. Please help. Thousand thanks.
Best regards,
Jordan Cheun Ngen, Chong
INF-4067 Universiteit Twente
Postbus 217
7500 AE Enschede
The Netherlands
Distributed and Embedded Systems (DIES)
Office Phone: +31 53 4894655
Web site: http://www.cs.utwente.nl/~chong
Email Add.: [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Does anyone know where the SSL v2.0 specifications are at?
[EMAIL PROTECTED] writes: Been doing some searching and cannot find the SSL v2.0 specification. I've found v3 and TLS v1 but I would like to get a copy of just SSL v2.0. Does anyone know where the SSL v2.0 specifications are at? http://www.netscape.com/eng/security/SSL_2.html -Ekr [Eric Rescorla [EMAIL PROTECTED]] Author of SSL and TLS: Designing and Building Secure Systems http://www.rtfm.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
More Questions about HTTP Server and SSL (Newbie Q)
Now the next step is to use SSL. Followed the server code, s_server.c, so how would you go about creating the file without using RSA? (Trying to avoid issues using RC5 and RC4, so I did not compile it in). There's no reason to avoid RSA. In reading the README, there is no patent issues? Also, what about export issues? Also, since this is a device the url can change, so how is it possible to have the browser just use SSL without verifying the server? I'm trying to keep the connection simple. Due to embedded and no having a file system. In general it's a REALLY bad idea to try to use SSL without server authentication. This leaves you open to a number of active attacks. Agreed, but, isn't the name, http://name of site the name of site has to be fixed? What I'm saying, the client uses the name to do a certification lookup using another site? That said, if you want to operate without server auth you have two choices: (1) use DH. This has the advantage that you get perfect forward secrecy. (2) use RSA with a self-signed certificate. This has the advantage that it will work with most any browser, whereas anonymous DH support is less common. Help! I'm new to using OpenSSL what would be the commandline augments? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: ssl on port 80?
Hi Mike. Thanks. This may sound naive but where is the hosts file? Are you referring to /etc/hosts? -Caitlin. --- Mike Brandonisio [EMAIL PROTECTED] wrote: Hi, Check your hosts file. It sounds like Netscape is not resolving https://localhost into an IP address. You have an entry that looks like: 127.0.0.1 localhost Mike -- Mike Brandonisio *3D Modeling and Animation Tech One Illustration *Print Interactive Media mailto: [EMAIL PROTECTED]*Technical Illustration http://www.techone.org/*Web Database Systems Music For Your Mind http://www.mp3.com/metzgerscar/ on 9/23/01 6:43 PM, The_polymorph at [EMAIL PROTECTED] scribled: Hi. I seem to be experiencing a similar problem ( sortof ). When I start apache and try https://localhost, my browser attempts to connect to a search engine on netscape. Any advice? Thanks, -Caitlin. --- Michael H. Warfield [EMAIL PROTECTED] wrote: On Sat, Sep 22, 2001 at 06:53:54PM -0600, Mike Brandonisio wrote: Hi, I'm getting odd operations on those web sites that have ssl enabled. I have seemed to have crossed my ports and was wondering if anyone knows how to correct this. I have a lab server with apache and openssl on it. When I hit the server with http://192.168.0.60 I get an error saying that the I am trying to talk to the server in an ssl enabled port try https. I thought that http was port-80. So I try https and is gives me an error could not connect to host. I try https://192.168.0.60:80 it makes an ssl connection. Now here is the odd part I try http://192.168.0.60:443 and it makes non-secure connection. To summarize it looks like the server is talking ssl on port80 and plain talk on port443. How do I straighten this out? When look at the http.conf the only port call outs are in section 2 main server configuration. It has a line: Port 80 and then in the SSL Support section. It has lines: Ok... I already hear the heard of thundering keyboards about to jump on this... IfDefine SSL Listen 80 ^ Why did you do this? You just told your web server that if SSL was in effect to listen on that port. SSL should only be on 443, not 80. Listen 443 /IfDefine In addition I have 1 virtual host on 192.168.0.65. It can make connections on https://192.168.0.65:80 but not http://192.168.0.65:443. I can seem to figure out how this happened. It did exactly what you told it to. When in SSL mode, it's listening on port 80. Take out that line and try it again. Mike -- Mike Brandonisio *3D Modeling and Animation Tech One Illustration *Print Interactive Media mailto: [EMAIL PROTECTED]*Technical Illustration http://www.techone.org/*Web Database Systems Music For Your Mind http://www.mp3.com/metzgerscar/ Mike -- Michael H. Warfield| (770) 985-6132 | [EMAIL PROTECTED] (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471| possible worlds. A pessimist is sure of it! __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] = __ Do You Yahoo!? Get email alerts NEW webcam video instant messaging with Yahoo! Messenger. http://im.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] = __ Do You Yahoo!? Get email alerts NEW webcam video instant messaging with Yahoo! Messenger. http://im.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: c_rehash script
Try this: ln -s /usr/local/ssl/bin/c_rehash /usr/local/bin/c_rehash (or where ever you want it to go in your path). You can say echo $PATH to check your current PATH. Good luck. -- chris ciotti stereo-link (http://www.stereo-link.com) Key fingerprint = B4B1 2888 6808 64FF 87FB D635 A483 F6DD 1BFB 36B6 Jason King wrote: I am having some trouble with a program trying to use the c_rehash script. It says it cannot find it in the current PATH but I know the file is located in /usr/loca/ssl/bin How can I change the current PATH to point to where the c_rehash script is located. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
libcrypto not a shared library
I'm trying to install licq, and the rpm installer says libcrypto.so.0 and libssl.so.0 are needed, even though they're there. So I look into a little further and apparently these two files are not shared library files or something like that. Anyone have any idea how i can fix this? I just compiled the latest version with the switch ./config shared and it still doesn't work. Any help would be appreciated. .arthur __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Root CA signing an intermediate CA - problems solved
On 09/24/01 01:38 PM, Dr S N Henson sat at the `puter and typed: Louis LeBlanc wrote: Maybe OpenSSL does it this way when it encounters a cert without a pathlen specified, but as I mentioned in an earlier message on this thread, Netscape (4.76?) for Linux (running on FreeBSD) seems to have a problem. Adding the pathlen was the final trick that made it work. Without the pathlen, I got Certificate path length constraint is invalid. In a Netscape popup. Well if the certificate is correctly encoded and pathlen is absent then it should interpret it as unlimited. This is specified in a number of places including RFC2459. If Netscape is doing otherwise then its a bug. I haven't seen that popup you mention before. If this standard Netscape 4.76 or PSM? I'd like to reproduce it and report it at some point. Uh, my bad. Actually, I am using Netscape Communicator 4.77. Not a big difference, but I know accuracy is important. I am using the Linux release on FreeBSD (Linux compat is installed). When I checked my original root cert, this is what I saw: # openssl x509 -in ca.crt -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: md5WithRSAEncryption Issuer: C=US, ST=Massachusetts, L=Woburn, O=Mirror Image Internet, OU=En gineering, CN=Louis [EMAIL PROTECTED] Validity Not Before: Oct 2 22:23:29 2000 GMT Not After : Feb 18 22:23:29 2028 GMT Subject: C=US, ST=Massachusetts, L=Woburn, O=Mirror Image Internet, OU=E ngineering, CN=Louis [EMAIL PROTECTED] Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:ac:46:35:27:20:15:fd:6d:a8:ce:bd:23:dd:77: e5:18:06:3e:87:0c:2f:b7:b9:f5:fb:5e:f8:76:1e: 4c:cc:2a:5a:a2:31:c9:65:eb:73:09:ae:56:43:68: 9c:08:7f:d7:9e:cd:4f:8c:3f:24:be:2d:94:a3:42: 25:e7:6d:64:48:e1:ad:f5:88:9c:45:dc:f4:37:c7: a9:c8:f9:56:6e:32:6a:d0:10:cc:a9:1e:12:b6:11: ca:96:6e:1c:eb:61:b9:db:af:f5:90:5d:10:3f:11: 4f:a5:05:2b:69:e3:cf:bb:7d:8c:61:1e:34:8d:ab: e9:4d:6f:9c:38:97:58:7f:2d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: email:[EMAIL PROTECTED] X509v3 Basic Constraints: CA:TRUE, pathlen:0 Netscape Comment: mod_ssl generated custom CA certificate Netscape Cert Type: SSL CA Signature Algorithm: md5WithRSAEncryption 55:ed:b6:ae:d6:40:79:68:ab:8f:13:f9:cc:8c:bb:30:64:02: 15:11:45:09:dd:15:d6:9f:e8:84:a7:d4:9a:a8:09:27:a5:70: 6f:72:73:a0:36:ba:9b:ca:77:77:65:29:96:2a:86:44:f3:2f: 34:1b:67:2a:25:fe:c8:43:ea:37:0b:61:d9:f7:b3:35:71:f7: 80:fd:24:17:2c:d7:24:3d:c7:d0:da:34:6f:d8:24:cc:e3:d4: 9d:02:4c:3c:18:22:7b:8c:c8:44:ef:af:33:73:7b:cb:3e:af: 41:72:09:d9:08:1c:3b:d4:25:92:f6:5b:23:a6:f7:78:8c:57: ce:a0 Notice the X509v3 Basic Constraints. Quoting from openssl.txt: Basic constraints is a multi-valued extension that supports a CA and an optional pathlen option. The CA option takes the values true and false and pathlen takes an integer. Note if the CA option is false the pathlen option should be omitted. The pathlen parameter indicates the maximum number of CAs that can appear below this one in a chain. So if you have a CA with a pathlen of zero it can only be used to sign end user certificates and not further CAs. This all assumes that the software correctly interprets this extension of course. So according to this, it is behaving exactly as documented. Doesn't seem like a bug to me, just a bit obscure. I didn't see any description of expected behavior with CA:TRUE and the pathlen constraint ommitted. Maybe this is what you expected? If so, the reason I had trouble is that pathlen is not ommitted from a self signed cert by default. The above X509 description was a default selfsigned cert. I had to change the section in openssl.cnf to set it higher. I would be interested in knowing what behavior is expected/correct for the CA:TRUE/no pathlen situation, though. Seems to me as a matter of security, you'd want to default that to 0, not infinite. Thanks a bunch. Lou -- Louis LeBlanc [EMAIL PROTECTED] Fully Funded Hobbyist, KeySlapper Extrordinaire :) http://acadia.ne.mediaone.net ԿԬ File cabinet: A four drawer, manually activated trash compactor. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL
Re: ssl on port 80?
Hi Caitlin, Yes, it should be: /etc/hosts Mike -- Mike Brandonisio *3D Modeling and Animation Tech One Illustration *Print Interactive Media mailto: [EMAIL PROTECTED]*Technical Illustration http://www.techone.org/*Web Database Systems Music For Your Mind http://www.mp3.com/metzgerscar/ on 9/24/01 10:02 AM, The_polymorph at [EMAIL PROTECTED] scribled: Hi Mike. Thanks. This may sound naive but where is the hosts file? Are you referring to /etc/hosts? -Caitlin. --- Mike Brandonisio [EMAIL PROTECTED] wrote: Hi, Check your hosts file. It sounds like Netscape is not resolving https://localhost into an IP address. You have an entry that looks like: 127.0.0.1 localhost Mike -- Mike Brandonisio *3D Modeling and Animation Tech One Illustration *Print Interactive Media mailto: [EMAIL PROTECTED]*Technical Illustration http://www.techone.org/*Web Database Systems Music For Your Mind http://www.mp3.com/metzgerscar/ on 9/23/01 6:43 PM, The_polymorph at [EMAIL PROTECTED] scribled: Hi. I seem to be experiencing a similar problem ( sortof ). When I start apache and try https://localhost, my browser attempts to connect to a search engine on netscape. Any advice? Thanks, -Caitlin. --- Michael H. Warfield [EMAIL PROTECTED] wrote: On Sat, Sep 22, 2001 at 06:53:54PM -0600, Mike Brandonisio wrote: Hi, I'm getting odd operations on those web sites that have ssl enabled. I have seemed to have crossed my ports and was wondering if anyone knows how to correct this. I have a lab server with apache and openssl on it. When I hit the server with http://192.168.0.60 I get an error saying that the I am trying to talk to the server in an ssl enabled port try https. I thought that http was port-80. So I try https and is gives me an error could not connect to host. I try https://192.168.0.60:80 it makes an ssl connection. Now here is the odd part I try http://192.168.0.60:443 and it makes non-secure connection. To summarize it looks like the server is talking ssl on port80 and plain talk on port443. How do I straighten this out? When look at the http.conf the only port call outs are in section 2 main server configuration. It has a line: Port 80 and then in the SSL Support section. It has lines: Ok... I already hear the heard of thundering keyboards about to jump on this... IfDefine SSL Listen 80 ^ Why did you do this? You just told your web server that if SSL was in effect to listen on that port. SSL should only be on 443, not 80. Listen 443 /IfDefine In addition I have 1 virtual host on 192.168.0.65. It can make connections on https://192.168.0.65:80 but not http://192.168.0.65:443. I can seem to figure out how this happened. It did exactly what you told it to. When in SSL mode, it's listening on port 80. Take out that line and try it again. Mike -- Mike Brandonisio *3D Modeling and Animation Tech One Illustration *Print Interactive Media mailto: [EMAIL PROTECTED]*Technical Illustration http://www.techone.org/*Web Database Systems Music For Your Mind http://www.mp3.com/metzgerscar/ Mike -- Michael H. Warfield| (770) 985-6132 | [EMAIL PROTECTED] (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471| possible worlds. A pessimist is sure of it! __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] = __ Do You Yahoo!? Get email alerts NEW webcam video instant messaging with Yahoo! Messenger. http://im.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] = __ Do You Yahoo!? Get email alerts NEW webcam video instant messaging with Yahoo! Messenger. http://im.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project
Re: Root CA signing an intermediate CA - problems solved
On 09/24/01 01:38 PM, Dr S N Henson sat at the `puter and typed: Well if the certificate is correctly encoded and pathlen is absent then it should interpret it as unlimited. This is specified in a number of places including RFC2459. If Netscape is doing otherwise then its a bug. I haven't seen that popup you mention before. If this standard Netscape 4.76 or PSM? I'd like to reproduce it and report it at some point. Ok, after a quick test, it appears that leaving the pathlen constraint out altogether will allow intermediate CAs in the chain (I only tested one so far). My problem arose because the *default* in the distributed openssl.cnf file specifies the pathlen as 0, meaning you can only sign server or user certs, not intermediate CAs. To be honest, it could be considered (as I mentioned in my previous post) to be somewhat of a security hole. Of course the signer should be deciding to sign a server cert or a CA explicitly, and should test it afterward, but there is an opening for some human error to be exploited at some point. Pretty thin, I know, but it should be considered. Looking at the root certs in ca-bundle.crt, distributed with mod_ssl, the following root CAs do define a pathlen: American Express Global Certificate Authority Deutsche Telekom AG GTE Corporation All of them define it to be 5. Interesting. Regards Lou -- Louis LeBlanc [EMAIL PROTECTED] Fully Funded Hobbyist, KeySlapper Extrordinaire :) http://acadia.ne.mediaone.net ԿԬ Any sufficiently advanced technology is indistinguishable from magic. -- Arthur C. Clarke __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: HTTP Server and SSL (Newbie Q)
On Mon, Sep 24, 2001 at 06:41:22AM -0700, Tim Michals wrote: Now the next step is to use SSL. Followed the server code, s_server.c, so how would you go about creating the file without using RSA? (Trying to avoid issues using RC5 and RC4, so I did not compile it in). There's no reason to avoid RSA. In reading the README, there is no patent issues? Also, what about export issues? The patent has expired many many moons ago. It's so dead, the corpse has finally grown cold. There are no export issues that would not affect any other crypto as well as RSA. For OpenSource software the export (from the US) issues are virtually non-existant as well. A notice to the BXA, a notice on your web site, and a little dab'll do'ya. Closed source proprietary software is a lot stickier. The only issue WAS the patent issue and that's long dead and buried. Also, since this is a device the url can change, so how is it possible to have the browser just use SSL without verifying the server? I'm trying to keep the connection simple. Due to embedded and no having a file system. In general it's a REALLY bad idea to try to use SSL without server authentication. This leaves you open to a number of active attacks. Agreed, but, isn't the name, http://name of site the name of site has to be fixed? What I'm saying, the client uses the name to do a certification lookup using another site? Not really. The common name in the cert has to match the name of site in the URL you specified and it has to be signed by a CA you recognize (yes, that's over simplified, I know). That said, if you want to operate without server auth you have two choices: (1) use DH. This has the advantage that you get perfect forward secrecy. (2) use RSA with a self-signed certificate. This has the advantage that it will work with most any browser, whereas anonymous DH support is less common. Help! I'm new to using OpenSSL what would be the commandline augments? Mike -- Michael H. Warfield| (770) 985-6132 | [EMAIL PROTECTED] (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471| possible worlds. A pessimist is sure of it! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Enconding of General Name and related
The General Name is defined in RFC 2459 as
GeneralName ::= CHOICE {
otherName [0] AnotherName,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName[5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID[8] OBJECT IDENTIFIER }
in a module with IMPLICIT encoding.
I checked the implementation in v3_genn.c and seems to me that all the alternatives
are encoded with the IMPLICIT tagging with the notable exception of
the option directoryName that is encoded as with EXPLICIT tagging.
What is the reason ? It is related to the definition of Name
that is in the ASN.1 module with EXPLICIT tagging in the same RFC ?
Moreover in the RFC 3161 I found the following definition
tsa [0] GeneralName OPTIONAL,
in a module that seems to me
with IMPLICIT tagging. Therefore I have this doubt: when I encode this value
if I use IMPLICIT tagging I'm modifying the tagging of the encoding of the
previous
CHOICE whit the (possible) conseguence of having an ambiguous encoding.
Is this correct or am I missing some important points ?
Thanks in advance for any suggestion and/or help,
MD
__
Abbonati a Tiscali!
Con VoceViva puoi anche ascoltare ed inviare email al telefono.
Chiama VoceViva all' 892 800http://voceviva.tiscali.it
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: Enconding of General Name and related
Yeah, I've come across this also. It seems that a CHOICE within a CHOICE is
encoded with an explicit tag even if it is in an implicit tag module. I
guess this is to avoid the ambiguity that you mention.
Steven
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, 25 September 2001 12:27 PM
To: [EMAIL PROTECTED]
Subject: Enconding of General Name and related
The General Name is defined in RFC 2459 as
GeneralName ::= CHOICE {
otherName [0] AnotherName,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName[5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID[8] OBJECT IDENTIFIER }
in a module with IMPLICIT encoding.
I checked the implementation in v3_genn.c and seems to me that all the
alternatives
are encoded with the IMPLICIT tagging with the notable exception of
the option directoryName that is encoded as with EXPLICIT tagging.
What is the reason ? It is related to the definition of Name
that is in the ASN.1 module with EXPLICIT tagging in the same RFC ?
Moreover in the RFC 3161 I found the following definition
tsa [0] GeneralName OPTIONAL,
in a module that seems to me
with IMPLICIT tagging. Therefore I have this doubt: when I encode this value
if I use IMPLICIT tagging I'm modifying the tagging of the encoding of the
previous
CHOICE whit the (possible) conseguence of having an ambiguous encoding.
Is this correct or am I missing some important points ?
Thanks in advance for any suggestion and/or help,
MD
__
Abbonati a Tiscali!
Con VoceViva puoi anche ascoltare ed inviare email al telefono.
Chiama VoceViva all' 892 800http://voceviva.tiscali.it
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
How do I uninstall openssl?????
Hi all I am trying to setup a mib testing environment using opensnmp . It has as its dependencied openssl . though openssl is configured on my box opensnmp does not recognize thge presence of openssl and asks for it's installation. How do I 1. Uninstall both ( opensnmp and openssl :: there is no make uninstall / make clean .). 2. next best thing: can anyone mail me as to what dir.s to rm -rf ? Thanx. Swaminathan [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
No Subject
__ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
