OCSP module for Apache

2001-09-27 Thread Sylvain . Maret

Hello,

We are working with an Engineering school to develop a free OCSP module for Apache. Does somebody have some documentation on how to start with this work?

Many Thanks,

Sylvain


Sylvain Maret
Senior Security Engineer - Strategic Director
e-Xpert Solutions SA
Route de Pré-Marais 29
1233 Bernex / Geneva
Switzerland

Tel: +41 22 727 05 55
Fax: +41 22 727 05 50
Mail: [EMAIL PROTECTED]

---
DISCLAIMER
This email and any files transmitted with it, including replies
and forwarded copies (which may contain alterations) 
subsequently transmitted from the Company, are confidential
and solely for the use of the intended recipient. It may contain
material protected by attorney-client privilege. The contents 
do not represent the opinion of e-Xpert Solutions SA except
to the extent that it relates to their official business.

If you are not the intended recipient or the person responsible
for delivering to the intended recipient, be advised that you
have received this email in error and that any use is strictly
prohibited. If you are not the intended recipient, please advise
the sender by return e-mail, then delete this message and any
attachments.

e-Xpert Solutions SA: [EMAIL PROTECTED]



Re: free OCSP-responder

2001-09-27 Thread Sylvain . Maret

Hello Andre,

You can also use www.openvalidation.org. It offers a nice OCSP Responder for test issues. In fact the product behind it is from Sytrust.

Sylvain



Andre Neumueller <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
26.09.2001 17:43
Please respond to openssl-users

To: [EMAIL PROTECTED]
cc:
Subject: free OCSP-responder

Hello openssl-team,

within my diploma thesis I work with OCSP. I would like to test some client
software (Netscape and Baltimore Mailsecure) supporting OCSP with some
OCSP-Responder. As the ValiCert OCSP-Responder is not as cheap as I like it, I'd
like to ask you if you know some free OCSP-Responder or some "free for
noncommercial use" Responder.

Andre

-- 
GMX - The communication platform on the Internet.
http://www.gmx.net

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]




Re: Please help me!

2001-09-27 Thread Valery

Hello Ryan!

Thank you very much.

I have added the line in the Certificate Extensions section of my
openssl.cnf file:

crlDistributionPoints=URI:http://cert.vrn.ru/crl/main.crl

and then I made some certificates with this extension.
Such certificates have the following value for CRL Distribution Points:
[1]CRL Distribution Point

  Distribution Point Name:

  Full Name:

  URL=http://cert.vrn.ru/crl/main.crl

I suppose it's OK at this step.
But the next step... It's not clear to me.

MS Outlook Express tries to check if the certificate has been revoked or
not, but it says "The digital ID has not been revoked or revocation
information for this certificate could not be determined."

The CRL has been made with the following command:
openssl ca -gencrl -out crl.pem -config openssl.cnf -passin pass:

Then I copied the crl.pem file into the appropriate directory of my web server and
renamed it to main.crl.

I made certificate, then revoked it for testing, and then made a CRL as I
wrote above.

Have I made a mistake? Why doesn't MS Outlook Express tell me that the
certificate has been revoked?

Yours sincerely,
 Valery
 E-mail: [EMAIL PROTECTED]





- Original Message -
From: "Ryan Hurst" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 26, 2001 10:15 PM
Subject: RE: Please help me!


> Valery --
>
> This field in a certificate points to where the issuer will make its
> certificate revocation list available. If you are using OpenSSL or OpenCA
> (based off of OpenSSL) to issue your certificates you will probably want to
> put up a web server or LDAP capable directory where you can make your
> certificate revocation list available; refer to the absolute URL for this
> list in this extension. You may also want to include an AIA
> (authorityInformationAccess) extension as well; this can point to an OCSP
> responder capable of responding with individual certificate statuses.
>
> The Microsoft platform implements its revocation handling in a library
> called cryptnet.dll; this supports all the transports that WinInet supports
> (http/s, ftp, ldap/s, file). When CryptoAPI applications use
> revocation checking (Outlook can be configured to do this and in Office XP
> it is the default behavior), cryptnet will attempt to retrieve the CRL
> specified in this extension and use it for revocation checking. There are
> also alternate revocation providers available for Windows that implement
> additional protocols (OCSP, SCVP, CRL, CRLdp); ValiCert produces one such
> provider.
>
> I hope this helps.
>
> Ryan
>
> -Original Message-
> From: Valery [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 26, 2001 1:12 AM
> To: [EMAIL PROTECTED]
> Subject: Please help me!
>
> Hello!
> I used the certificate extension "crlDistributionPoints" in my openssl.cnf
> file.
> And I faced the following problem.
>
> What should I indicate in this field (crlDistributionPoints)?
>
> I need MS Outlook Express to check whether the certificate has been revoked
> or not when it is on-line. What do I need to do?
>
> Yours faithfully,
> Valery
> E-mail: [EMAIL PROTECTED]

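The procedure Valery describes (crlDistributionPoints in openssl.cnf, issue, revoke, regenerate the CRL), with the AIA extension Ryan mentions, carried through end to end as an added example that is not code from the thread. It assumes a POSIX shell and the openssl command-line tool; every hostname, URL and subject name in it is constructed, and the check is done with `openssl verify -crl_check` rather than a mail client.

```shell
# Added example, not from the thread: throwaway CA, a certificate carrying
# crlDistributionPoints and authorityInfoAccess, then revoke + regenerate the
# CRL and check with "openssl verify -crl_check". All names/URLs are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts; touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.pem
private_key = $dir/cakey.pem
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ee_ext ]
keyUsage = digitalSignature
crlDistributionPoints = URI:http://crl.example.test/main.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
EOF
# Prints the CRL distribution point URI carried by a certificate.
cdp_of() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p' | head -n 1; }
# Prints good / revoked / error for a certificate checked against main.crl.
crl_status() {
  out=$(openssl verify -CAfile ca.pem -CRLfile main.crl -crl_check "$1" 2>&1) && { echo good; return; }
  case "$out" in *"certificate revoked"*) echo revoked ;; *) echo error ;; esac
}
openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf -extensions ca_ext \
  -keyout cakey.pem -out ca.pem -subj "/CN=Example Test CA" -days 365 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -keyout key.pem -out csr.pem -subj "/CN=user@example.test" 2>/dev/null
openssl ca -batch -notext -config ca.cnf -extensions ee_ext -in csr.pem -out cert.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out main.crl 2>/dev/null   # CRL with nothing revoked yet
BEFORE=$(crl_status cert.pem)                                 # good
openssl ca -config ca.cnf -revoke cert.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out main.crl 2>/dev/null   # must be re-run after revoking
AFTER=$(crl_status cert.pem)                                  # revoked
echo "CDP: $(cdp_of cert.pem)  before: $BEFORE  after: $AFTER"
```

A revocation only shows up in the CRL that is generated after the -revoke step, so the freshly generated main.crl is the one that has to be copied to the web server.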



keyUsage - Documentation

2001-09-27 Thread Patrick Hachenberg

Hi everybody,

I'm in search of a full description of the
keyUsage-options (digitalSignature, nonRepudiation
etc.).

Who can help me?

Patrick



Random number generation

2001-09-27 Thread Ashada Karunaratna

Hi,

I am looking for a powerful random number generation library for an
application. Does OpenSSL have such a library (not pseudo-random generation)?
Does anyone know?

Regards
Ashada



Re: Random number generation

2001-09-27 Thread crispin

On Thu, Sep 27, 2001 at 03:18:49PM +0600, Ashada Karunaratna wrote:
> I am looking for a powerful random number generation library for an
> application. Does OpenSSL have such a library (not pseudo-random generation)?
> Does anyone know?

If you're under Unix, why not use /dev/random or /dev/urandom? It's true entropy.

Crispin




Re: Client Authentication Problem

2001-09-27 Thread Götz Babin-Ebell

Eric Rescorla wrote:
> 
> Götz Babin-Ebell <[EMAIL PROTECTED]> writes:
> > And how gets he the connection IP-Address <-> FQDN ?
> > ->He uses DNS.
> I think you need to reread his message since that's not
> what he says.

Hm:

> client authentication.  After a successful SSL_accept() I have some
> logic that verifies that the Common Name in the client certificate
> matches the client's DNS name.  This works just fine.  However, if the
>
> It seems to me that if one private key becomes compromised, and I don't
> validate the DNS name in certificates then an attacker can pretend
> to be any system in the network until the CRL gets updated.  So if I'm
> understanding things correctly, validation of the DNS name in
> certificates is quite important.

I read this as:
1. the client connects to his server
2. the server extracts the FQDN from the cert
3. to be sure the client is really
   the client for the allowed tasks, he
   does a DNS match for FQDN <-> IP

and point 3 is only meaningful for the client side:
you must be sure the server is really the server you
wanted to connect to, so you know to which host the connection
should go.

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126


Certificate Problem with Sendmail

2001-09-27 Thread David . Smith


Folks,

I'm evaluating the use of Sendmail with TLS for a client. I'm using
Sendmail 8.11.6 and openssl 0.9.6b, running under Solaris 2.6

I've created a CA, and a server certificate, apparently successfully. When
I try and start Sendmail using these, though, I get the following errors
in the log:

Sep 27 09:26:37 cs72 sendmail[3719]: TLS: error: srv:
SSL_CTX_use_PrivateKey_file(/usr/local/CA/private/CAkey.pem) failed
Sep 27 09:26:37 cs72 sendmail[3719]: TLS: 3719:error:0906406D:PEM
routines:DEF_CALLBACK:problems getting password:pem_lib.c:114:
Sep 27 09:26:37 cs72 sendmail[3719]: TLS: 3719:error:0906A068:PEM
routines:PEM_do_header:bad password read:pem_lib.c:430:
Sep 27 09:26:37 cs72 sendmail[3719]: TLS: 3719:error:140B0009:SSL
routines:SSL_CTX_use_PrivateKey_file:missing asn1 eos:ssl_rsa.c:707:

I'm still learning my way round OpenSSL, so this is probably a novice-type
error - maybe even an FAQ (though I couldn't see anything there that
looked like this).

So I need some advice as to what I might have done wrong, please.

TIA,

Dave








RE: Please help me!

2001-09-27 Thread Ryan Hurst

Valery --

I am not sure if this is your problem also, but I cannot get
http://cert.vrn.ru/crl/main.crl; however, I can get
http://proxy.vrn.ru/crl/main.crl. I would make your DP point to that.

Ryan

-Original Message-
From: Valery [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 27, 2001 1:35 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Please help me!




RE: Random number generation

2001-09-27 Thread Ryan Hurst

If you are looking for a software-based solution, the OpenSSL PRNG library is
good. There are many interesting software solutions for gathering seed for
the PRNG as well; egd.pl will use a plethora of system information (on Unix)
to provide seed.

However, hardware-based entropy solutions are a better bet; Intel chipsets
(810 and greater) have a built-in hardware random number generator. Many
Unix distributions have /dev/urandom or /dev/random as well.

Ryan

-Original Message-
From: Ashada Karunaratna [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 27, 2001 2:19 AM
To: [EMAIL PROTECTED]
Subject: Random number generation



Re: keyUsage - Documentation

2001-09-27 Thread Dr S N Henson

Patrick Hachenberg wrote:
> 
> Hi everybody,
> 
> I'm in search of a full description of the
> keyUsage-options (digitalSignature, nonRepudiation
> etc.).
> 
> Who can help me?
> 

Try the FAQ.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.





Re: OCSP module for Apache

2001-09-27 Thread Dr S N Henson

[EMAIL PROTECTED] wrote:
> 
> Hello,
> 
> We are working with an Engineering school to develop a free OCSP
> module for Apache. Does somebody have some documentation on how to start
> with this work?
> 

OpenSSL has a test OCSP responder already, the source to that
(apps/ocsp.c) would be a good place to start.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

