can I log in openssl

2001-10-01 Thread yang yuanjie



hi,
    In openssl, it seems not to have a log file. I
can only find code like the following:
  SSLerr(SSL_F_SSL_CTX_NEW,SSL_R_NULL_SSL_METHOD_PASSED);
Can I log something like ("buffer is: %s", buffer); in a
logfile? I mean, is there a log mechanism in openssl like mod_ssl.
Best Regards
yyj


Re: pem_read_rsapublickey question

2001-10-01 Thread Dr S N Henson

d p chang wrote:
> 
> Checking the user archives I haven't seen anyone address this sort of
> problem (v0.9.6b). 

Well it has been addressed before...

> I've generated the various keys w/ something like
> this (from the man page)
> 
> openssl genrsa -out priv.pem 1024
> openssl rsa -in priv.pem -pubout -out pub.pem
> 
> However, when trying to read in the public key w/
> pem_read_rsapublickey I get a pem_read_bio:'no start line' error. The
> public key file only has (-BEGIN PUBLIC KEY-) while the
> private key file has (-BEGIN RSA PRIVATE KEY-). Checking the
> source, the 'workaround' seems obvious...
> 

The actual header lines, in many (but not all) cases give an indication
of the type of data enclosed inside. So just changing them without
changing the enclosed data won't necessarily work.

> However, when I hand edit the public key file by adding the type (RSA)
> i get a new error:
> 
> lib(13 : asn1 encoding routines)
> func(280 : d2i_ASN1_UINTEGER)
> reason(113 : expecting an integer)
> 
> which is less clear how to 'fix' since I haven't dug around the
> internals too much.
> 

This error is due to the incompatibility in the enclosed data. One is
an encoded PublicKeyInfo, the other an RSAPublicKey structure.

> Anyway, my questions are:
> 
> 1 - is this the right way to be going about this?
> 2 - is there some other incantation that I'm missing when
> generating the keys?
> 

All you're missing is that you're reading in the public key using the
wrong function. You should use PEM_read_RSA_PUBKEY instead.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



pem_read_rsapublickey question

2001-10-01 Thread d p chang

[ sorry, if this goes through twice, i had a typo in my first to line ]

Checking the user archives I haven't seen anyone address this sort of
problem (v0.9.6b). I've generated the various keys w/ something like
this (from the man page)

openssl genrsa -out priv.pem 1024
openssl rsa -in priv.pem -pubout -out pub.pem

However, when trying to read in the public key w/
pem_read_rsapublickey I get a pem_read_bio:'no start line' error. The
public key file only has (-BEGIN PUBLIC KEY-) while the
private key file has (-BEGIN RSA PRIVATE KEY-). Checking the
source, the 'workaround' seems obvious...

However, when I hand edit the public key file by adding the type (RSA)
i get a new error:

lib(13 : asn1 encoding routines) 
func(280 : d2i_ASN1_UINTEGER)
reason(113 : expecting an integer)

which is less clear how to 'fix' since I haven't dug around the
internals too much. 

Anyway, my questions are:

1 - is this the right way to be going about this?
2 - is there some other incantation that I'm missing when
generating the keys?

\p
---
God forbid that any books should be banned.  The practice is as
indefensible as infanticide. --- Dame Rebecca West







Re: SSL Webserver-side Tutorial Page

2001-10-01 Thread Jeremy Smith

> Please assume that my function "SSL_Server_Socket" &
> "client_socket_descriptor" (called below) has
> SSL_library_init, SSL_CTX_new, SSL_new, SSL_set_fd. I
> am able to convert a socket to a SSL_socket, no
> problem with that.
>
> Problem is... in my program I want to know if I have
> to convert both server_socket and client_socket, to
> SSL_server_socket & SSL_client_socket ??
>
> Also, where to call SSL_accept()...? Should I pass
> Server_SSL to it or Client_SSL as parameter.

Sorry, I was wrong a bit... I was reading my code wrong.

First imagine we have a new socket for incoming connections. SOCKET sock.
This is listened to.

When we get an incoming connection, the listen() call finishes and then we
accept the connection. This is a new socket, SOCKET acceptit.

the SSL functions work on the *accepted* socket, "acceptit", *not* SOCKET
sock.

So... what I'm getting to is this:

The SSL socket you make with SSL_set_fd uses acceptit as its incoming and
outgoing socket (2nd parameter), and the 1st parameter to SSL_set_fd is the
new SSL-ised socket (which we will call ssl_server_socket).

Now, you can read and write to this socket, you do not have to SSL_set_fd
again. You only have to do it once!

You need to remove this chunk of code:

Create
SSL_Server_Socket(ssl,server_sock_descriptor);// made
server_scoket as an SSL_server_socket by calling
OpenSSL APIs

Your code should look like:

>>
Create a socket "sock";

server_sock_descriptor = sock_listen();//In
"sock_listen()", 'bind' and 'select' is done

while (true)
{
  if (sock_select())
  {
client_socket_descriptor = sock_accept();

//do the usual SSL_new, ssl_set_fd, and ssl_accept which is probably code
below
//please note, the only change in this code is change from
server_sock_descriptor below to client_sock_descriptor. not sure what to
do with server sock, but we don't need it for SSL.

//call- create
SSL_Client_Socket(SSL_client,client_sock_descriptor);

 new_web_page(client_socket_descriptor);

 new_thread(new_web_page); // create a thread
(which does read & write of HTTP/HTML) and goes back
to listen.
  }
}


I hope that's clear. You can read and write to the SSL socket as if you
were just using 1 socket, not 2. And that socket is client_sock_descriptor
and you read and write to SSL_client which is a socket.

Not sure what to do with the old socket (the one that is listened to), my
guess is just close it afterwards, but that's a sockets question and not
SSL.

Phew! Hope that helps.

Jeremy.





Re: SSL Webserver-side Tutorial Page

2001-10-01 Thread Ruby Cruiser

Jeremy and others... 

Please assume that my function "SSL_Server_Socket" &
"client_socket_descriptor" (called below) has
SSL_library_init, SSL_CTX_new, SSL_new, SSL_set_fd. I
am able to convert a socket to a SSL_socket, no
problem with that.

Problem is... in my program I want to know if I have
to convert both server_socket and client_socket, to
SSL_server_socket & SSL_client_socket ??

Also, where to call SSL_accept()...? Should I pass
Server_SSL to it or Client_SSL as parameter.

My program is below... (bit modified to make it clear)



Create a socket "sock";
 
server_sock_descriptor = sock_listen();//In
"sock_listen()", 'bind' and 'select' is done

Create
SSL_Server_Socket(ssl,server_sock_descriptor);// made
server_scoket as an SSL_server_socket by calling
OpenSSL APIs
 
while (true)
{
  if (sock_select())
  {
client_socket_descriptor = sock_accept();

// Should client socket must also be an SSL
socket??
//If 'yes' then I will simply call- create
SSL_Client_Socket(SSL_client,client_sock_descriptor);
 
 /// line_mark2
 
 new_web_page(client_socket_descriptor);
 
 new_thread(new_web_page); // create a thread 
(which does read & write of HTTP/HTML) and goes back
to listen.
  }
}






Thanks a lot! 
- Ruby




--- Ruby Cruiser <[EMAIL PROTECTED]> wrote:
> Hi!!!
> 
> My company has a web server which is actually
> implemented using the concept of sockets (socket
> program...). I am adding OpenSSL to it.
> 
> With the OpenSSL help and referring to your link
> http://members.netscapeonline.co.uk/jeremyalansmith/ssltutorial/
> ,
> 
> Firstly, I followed the steps in creating the
> private
> key and the certificate. It was successful. 
> 
> Second step was also successful, that is
> "Initialising
> the SSL Socket".
> 
> However, for implementing 3rd step "Using the SSL
> Socket", I've few doubts... please clarify!
> 
> My program (simple web server) looks like this...
> 
> ...
> ...
> Create a socket "sock";
> 
> server_socket_descriptor = sock_listen(); //In
> "socket_listen()", 'bind' and 'select' is done
> 
> Create SSL_Server_Socket(ssl,
> server_socket_descriptor); // made server_scoket as
> an
> SSL_server_socket
> 
> /// line_mark1
> 
> while (true)
> {
>   if (socket_select())
>   {
> client_socket_descriptor = socket_accept();
> 
> // should I call SSL functions here also to make
> the client socket as SSL??
> // Should both client and server socket must be
> SSL_sockets??
> 
> /// line_mark2
> 
> new_web_page(client_socket_descriptor);
> 
> new_thread(new_web_page); // create a thread
> (which does read & write of HTTP/HTML) and goes back
> to listen.
> 
>   }
> }
> 
> 
> 
> 
> 
> Also in the above program, where do I call
> SSL_accept() & SSL_connect??
> 
> I tried to call SSL_accept() putting them in
> "line_mark1/2" respectively but it results false
> (error:0005::lib(0) :func(0) :bad asn1 object
> header).
> 
> Anyone, please help me understand Thank you.
> 
> 
> 
> 
> --- Jeremy Smith
> <[EMAIL PROTECTED]> wrote:
> > Hi!
> > 
> > I've setup a page about how to get an SSL socket
> > working, from the webserver
> > side of things and on virtually any browser (well,
> > Netscape 2+ and IE3+ I
> > think). Should be okay for non-Windows users
> > (although Windows is the
> > platform I got it working on), it's a step-by-step
> > guide.
> > 
> >
>
http://members.netscapeonline.co.uk/jeremyalansmith/ssltutorial/
> > 
> > I hope it's okay putting the LIB and DLL files
> > there.
> > 
> > It's C-oriented, and all the code you need is in
> > , so it should be in
> > Courier font on your browser.
> > 
> > Hope this helps someone, please give me feedback.
> > 
> > Cheers,
> > 
> > Jeremy.
> > 





Re: SSL Webserver-side Tutorial Page

2001-10-01 Thread Jeremy Smith

> My company has a web server which is actually
> implemented using the concept of sockets (socket
> program...). I am adding OpenSSL to it.

> With the OpenSSL help and referring to your link
> http://members.netscapeonline.co.uk/jeremyalansmith/ssltutorial/
>
> Firstly, I followed the steps in creating the private
> key and the certificate. It was successful.
>
> Second step was also successful, that is "Initialising
> the SSL Socket".
>
> However, for implementing 3rd step "Using the SSL
> Socket", I've few doubts... please clarify!
>
> My program (simple web server) looks like this...
>
> ...
> ...
> Create socket "sock";
>
> server_socket_descriptor = socket_listen(); //In
> "socket_listen()", 'bind' and 'select' is done
>
> Create SSL_Server_Socket(ssl,
> server_socket_descriptor); // made server_scoket as an
> SSL_server_socket
>
> /// line_mark1
>
> while (true)
> {
>   if (socket_select())
>   {
> client_socket_descriptor = socket_accept();
>
> // should I call SSL functions here also to make
> the client socket as SSL??
> // Should both client and server socket must be
> SSL_sockets??

The SSL server socket is made from your client socket. The client stays as
it was, but you never refer to it again, only to close it. From now on,
SSL takes over the client socket. It reads in data from the socket,
decrypts it, and gives it to you in unencrypted form. It also takes your
data and encrypts it for the browser. You can read and write to the SSL
socket.

You now have the original socket which SSL works with, and then makes an
SSL socket which you access.

You need to do the following here. This line makes a new socket, "SSL
*server_socket" which is the socket you now use with SSL_read and
SSL_write (and SSL_accept). ssl_ctx is what you created with "ssl_ctx =
SSL_CTX_new( SSLv23_server_method() );"

server_socket = SSL_new( ssl_ctx );

This line now creates our SSL server socket.

SSL_set_fd( server_socket, client_socket_descriptor );

Finally, we accept it:

 if ( SSL_accept( server_socket ) <= 0 )  /* 1 = handshake done; 0 or <0 = failed, SSL_get_error() tells why */
 {
 exit( 1 );
 }

> /// line_mark2
>
> new_web_page(client_socket_descriptor);
>
> new_thread(new_web_page); // create a thread
> (which does read & write of HTTP/HTML) and goes back
> to listen.
>
>   }
> }
> 
> 
>
> Also in the above program, where do I call
> SSL_accept() & SSL_connect??
>
> I tried to call SSL_accept() putting them in
> "line_mark1/2" respectively but it results false
> (error:0005::lib(0) :func(0) :bad asn1 object
> header).

You couldn't accept because you didn't (I don't think) do SSL_new and
SSL_set_fd.

> Anyone, please help me understand Thank you.
>

I hope it helps. I'm not an expert on it, but if you continue to have
problems, then post again and I'll try to help.

Cheers,

Jeremy.





Re: "error during security authorisation"

2001-10-01 Thread Jeremy Smith

> Yes... please do put-up tutorial webpage and send the
> link, it will help a lot... specially for the beginner
> to openSSL.
>
> Thanks!

I wondered if anyone could link to my tutorial from a webpage? Assuming
it's good enough. It should be up there for a good while, Netscape
Online's free webspace never seems to get deleted. Anyone can feel free to
mirror the page, just as long as the authorship and (c) notice remains.

I'd put it on a search engine, but I don't have the time really, and they
never index my stuff anyway for some bizarre reason. Not enough graphics
probably.

Cheers,

Jeremy.





Re: SSL Webserver-side Tutorial Page

2001-10-01 Thread Ruby Cruiser

Hi!!!

My company has a web server which is actually
implemented using the concept of sockets (socket
program...). I am adding OpenSSL to it.

With the OpenSSL help and referring to your link
http://members.netscapeonline.co.uk/jeremyalansmith/ssltutorial/
,

Firstly, I followed the steps in creating the private
key and the certificate. It was successful. 

Second step was also successful, that is "Initialising
the SSL Socket".

However, for implementing 3rd step "Using the SSL
Socket", I've few doubts... please clarify!

My program (simple web server) looks like this...

...
...
Create socket "sock";

server_socket_descriptor = socket_listen(); //In
"socket_listen()", 'bind' and 'select' is done

Create SSL_Server_Socket(ssl,
server_socket_descriptor); // made server_scoket as an
SSL_server_socket

/// line_mark1

while (true)
{
  if (socket_select())
  {
client_socket_descriptor = socket_accept();

// should I call SSL functions here also to make
the client socket as SSL??
// Should both client and server socket must be
SSL_sockets??

/// line_mark2

new_web_page(client_socket_descriptor);

new_thread(new_web_page); // create a thread
(which does read & write of HTTP/HTML) and goes back
to listen.

  }
}





Also in the above program, where do I call
SSL_accept() & SSL_connect??

I tried to call SSL_accept() putting them in
"line_mark1/2" respectively but it results false
(error:0005::lib(0) :func(0) :bad asn1 object
header).

Anyone, please help me understand Thank you.




--- Jeremy Smith
<[EMAIL PROTECTED]> wrote:
> Hi!
> 
> I've setup a page about how to get an SSL socket
> working, from the webserver
> side of things and on virtually any browser (well,
> Netscape 2+ and IE3+ I
> think). Should be okay for non-Windows users
> (although Windows is the
> platform I got it working on), it's a step-by-step
> guide.
> 
>
http://members.netscapeonline.co.uk/jeremyalansmith/ssltutorial/
> 
> I hope it's okay putting the LIB and DLL files
> there.
> 
> It's C-oriented, and all the code you need is in
> , so it should be in
> Courier font on your browser.
> 
> Hope this helps someone, please give me feedback.
> 
> Cheers,
> 
> Jeremy.
> 



test mail...

2001-10-01 Thread Ruby Cruiser

My previous mail has not showed up still... hence testing.




Encryption cards

2001-10-01 Thread Len

Does anyone have suggestions for encryption cards that are supported by openssl?

Thanks

len





Re: SSL Webserver-side Tutorial Page

2001-10-01 Thread Ruby Cruiser

Thanks! This will help a lot.
Will get back soon...

--- Jeremy Smith
<[EMAIL PROTECTED]> wrote:
> Hi!
> 
> I've setup a page about how to get an SSL socket
> working, from the webserver
> side of things and on virtually any browser (well,
> Netscape 2+ and IE3+ I
> think). Should be okay for non-Windows users
> (although Windows is the
> platform I got it working on), it's a step-by-step
> guide.
> 
>
http://members.netscapeonline.co.uk/jeremyalansmith/ssltutorial/
> 
> I hope it's okay putting the LIB and DLL files
> there.
> 
> It's C-oriented, and all the code you need is in
> , so it should be in
> Courier font on your browser.
> 
> Hope this helps someone, please give me feedback.
> 
> Cheers,
> 
> Jeremy.
> 



Re: script to generate x509 certificate

2001-10-01 Thread Mads Toftum

On Mon, Oct 01, 2001 at 06:26:42PM +0100, Laurent Jouannic wrote:
> Does someone have a good script to generate x509 certificates, because I
> have troubles with mine:

Take a look at the cca.sh script in the mod_ssl tarball[1].

[1] see http://www.modssl.org/source/

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




SSL Webserver-side Tutorial Page

2001-10-01 Thread Jeremy Smith

Hi!

I've setup a page about how to get an SSL socket working, from the webserver
side of things and on virtually any browser (well, Netscape 2+ and IE3+ I
think). Should be okay for non-Windows users (although Windows is the
platform I got it working on), it's a step-by-step guide.

http://members.netscapeonline.co.uk/jeremyalansmith/ssltutorial/

I hope it's okay putting the LIB and DLL files there.

It's C-oriented, and all the code you need is in , so it should be in
Courier font on your browser.

Hope this helps someone, please give me feedback.

Cheers,

Jeremy.




RE: CRL format problem

2001-10-01 Thread Ryan Hurst

Try converting it to DER,


openssl crl -in .\main.crl -out .\main.crl -inform pem -outform der

The url is not reachable so I could not look to see what other problems
there might be..

Ryan

-Original Message-
From: Valery [mailto:[EMAIL PROTECTED]] 
Sent: Monday, October 01, 2001 1:05 AM
To: [EMAIL PROTECTED]
Subject: CRL format problem


Hello!

I have a problem with checking CRL by MS Outlook Express.
When Outlook is on-line it tries to check if the certificate has been
revoked or not and says "The digital ID has not been revoked or revocation
information for this certificate could not be determined"

After that I tried to import my CRL into my IE5.5 it says: "This is an
invalid Certificate Revocation List file".

My CRL can be found at: http://proxy.vrn.ru/crl/main.crl


The CRL has been made with the following command:
openssl ca -gencrl -out crl.pem -config openssl.cnf passin pass:

I have added crlDistributionPoints=URI:http://proxy.vrn.ru/crl/main.crl
into my openssl.cnf file.

Where have I made a mistake?
Does Outlook Express 5.5
support crl file that was made with openssl-engine 0.9.6b.

Yours sincerely,
  Valery
E-mail: [EMAIL PROTECTED]





Re: DER formatted keys

2001-10-01 Thread Dr S N Henson

Bill Rebey wrote:
> 
> In an effort to read a DER key, I have discovered that support for this
> feature appears to be missing from OpenSSL.
> 
> Am I missing something or misusing the API?  I thought DER and PEM were both
> supported.  Any help would be appreciated.
> 
> From ssl_rsa.c, here is SSL_CTX_use_PrivateKey_file (...), which apparently
> only supports PEM files.
> 

Its not easy to work out what kind of key (encrypted, unencrypted,
PKCS#8 etc) is in a DER file so this isn't currently handled. You can
use the normal OpenSSL DER routines and get the key in an EVP_PKEY
structure and pass that to the SSL library.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
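An added example (my own Python, not code from the thread or from OpenSSL) covering both this reply and the pem_read_rsapublickey thread above: a small DER sniffer that tells the SubjectPublicKeyInfo written by "openssl rsa -pubout" (header PUBLIC KEY, read with PEM_read_RSA_PUBKEY) from a bare RSAPublicKey (header RSA PUBLIC KEY, read with PEM_read_RSAPublicKey), and likewise PKCS#1 RSAPrivateKey from PKCS#8 PrivateKeyInfo, the kind of "what is in this DER blob" decision Steve says the SSL file loader does not attempt. The DER/PEM helpers and the tiny key numbers are constructed here and are not a usable key.

```python
import base64
import re

# ---- minimal DER encoder, used only to build the constructed sample keys ----
RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v):
    # one spare byte so a high bit never makes the INTEGER negative
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_seq(*children):
    return tlv(0x30, b"".join(children))

ALG_RSA = der_seq(tlv(0x06, RSA_OID), tlv(0x05, b""))   # AlgorithmIdentifier

# ---- minimal DER reader ----
def der_read(buf, pos=0):
    """Decode one tag-length-value at pos; return (tag, body, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner))
    return out

def classify_der(der):
    """Sniff which key structure a DER blob holds and the PEM label that
    the matching OpenSSL PEM_read_* / d2i_* function expects for it."""
    tag, body, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE at top level")
    tags = [t for t, _ in der_children(body)]
    if tags == [0x30, 0x03]:                 # AlgorithmIdentifier, BIT STRING
        return "SubjectPublicKeyInfo", "PUBLIC KEY"
    if tags == [0x02, 0x02]:                 # n, e
        return "RSAPublicKey", "RSA PUBLIC KEY"
    if tags[:3] == [0x02, 0x30, 0x04]:       # version, AlgorithmIdentifier, OCTET STRING
        return "PrivateKeyInfo (PKCS#8)", "PRIVATE KEY"
    if tags == [0x02] * 9:                   # version, n, e, d, p, q, dp, dq, qinv
        return "RSAPrivateKey (PKCS#1)", "RSA PRIVATE KEY"
    if tags == [0x30, 0x04]:                 # AlgorithmIdentifier, OCTET STRING
        return "EncryptedPrivateKeyInfo (PKCS#8)", "ENCRYPTED PRIVATE KEY"
    raise ValueError("unrecognised key structure")

# ---- PEM armour ----
def pem_wrap(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

def pem_unwrap(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no start line")    # the PEM_read_bio symptom from the thread
    return m.group(1), base64.b64decode(m.group(2))

def check_pem(pem):
    """Do what the matching PEM_read_* call does: the header must agree with
    the structure inside.  A hand-edited 'RSA PUBLIC KEY' header over a
    SubjectPublicKeyInfo body is what produced 'expecting an integer':
    d2i_RSAPublicKey wants INTEGER n first and finds a SEQUENCE instead."""
    label, der = pem_unwrap(pem)
    structure, expected = classify_der(der)
    if label != expected:
        raise ValueError("header says %r but body is %s; use the %r reader"
                         % (label, structure, expected))
    return structure

# ---- constructed toy key material (tiny numbers, NOT a usable key) ----
N, E, D = 3233, 17, 2753                        # n = 61 * 53, e*d = 1 mod phi(n)
rsa_pub  = der_seq(der_int(N), der_int(E))                               # RSAPublicKey
spki     = der_seq(ALG_RSA, tlv(0x03, b"\x00" + rsa_pub))                # SubjectPublicKeyInfo
rsa_priv = der_seq(*(der_int(v) for v in (0, N, E, D, 61, 53, 53, 49, 38)))  # RSAPrivateKey
pkcs8    = der_seq(der_int(0), ALG_RSA, tlv(0x04, rsa_priv))             # PrivateKeyInfo

if __name__ == "__main__":
    for label, der in (("PUBLIC KEY", spki), ("RSA PUBLIC KEY", rsa_pub),
                       ("RSA PRIVATE KEY", rsa_priv), ("PRIVATE KEY", pkcs8)):
        print("%-16s -> %s" % (label, check_pem(pem_wrap(label, der))))
    try:                                        # the thread's hand-edited header
        check_pem(pem_wrap("RSA PUBLIC KEY", spki))
    except ValueError as err:
        print("mismatch:", err)
```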



DER formatted keys

2001-10-01 Thread Bill Rebey

In an effort to read a DER key, I have discovered that support for this
feature appears to be missing from OpenSSL.

Am I missing something or misusing the API?  I thought DER and PEM were both
supported.  Any help would be appreciated.  

From ssl_rsa.c, here is SSL_CTX_use_PrivateKey_file (...), which apparently
only supports PEM files.

int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
{

<<<...non-pertinent code omitted>>>

    if (type == SSL_FILETYPE_PEM)
    {
        j=ERR_R_PEM_LIB;
        pkey=PEM_read_bio_PrivateKey(in,NULL,
            ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
    }
    else
    {
        SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE,SSL_R_BAD_SSL_FILETYPE);
        goto end;
    }

<<<...non-pertinent code omitted>>>

}

Thanks!

Bill Rebey




script to generate x509 certificate

2001-10-01 Thread Laurent Jouannic



Does someone have a good script to generate x509 certificates, because I
have troubles with mine:


#!/bin/sh

if [ x$1 = x ]; then
  echo -e "\nUsage: $0 \n"
  exit;
fi;
if [ ! -e /etc/ssl/demoCA/cacert.pem ]; then
  echo "Creating new CA. "
  read dummy     # wait for Enter ('read $dummy' expands to an empty name and fails)
  cd /etc/ssl
  /usr/lib/ssl/misc/CA.sh -newca
fi;
if [ ! -e /etc/ssl/demoCA/newca.pem ]; then
  echo "Creating certificate with 1024 days validity. "
  read dummy
  # re-sign the CA certificate with its own key to get a 1024-day copy
  openssl x509 -out /etc/ssl/demoCA/newca.pem -days 1024 \
    -in /etc/ssl/demoCA/cacert.pem -signkey /etc/ssl/demoCA/private/cakey.pem
fi;

cd /etc/ssl
/usr/lib/ssl/misc/CA.sh -newreq
/usr/lib/ssl/misc/CA.sh -sign
# bundle the signed certificate, its key and the CA certificate into PKCS#12
openssl pkcs12 -export -in newcert.pem -inkey newreq.pem \
  -certfile demoCA/newca.pem -out $1_key.p12
mv newcert.pem $1_cert.pem
mv newreq.pem $1_key.pem


Thanks.

Laurent.




SSL handshake failure

2001-10-01 Thread Costas Magos

Hi to all,

I'm running an Apache server (1.3.19) with openssl 0.9.6b on Solaris 2.6 / 
SPARCclassic platform. Apache serves a site that accesses a database 
through various cgi-scripts or through a java applet for more specialized 
actions. The database is managed just fine with the cgi-scripts, but when I 
try to load the java applet to do some advanced configuration, the browser 
hangs at some point (while loading some classes) and the server produces 
the following error logs:

[info] [client xxx.xxx.xxx.xxx] SSL accept timeout timed out
[error] SSL_accept failed

and then

[debug] apache_ssl.c(1123): Generating 512 bit key
[debug] apache_ssl.c(287): SSL_accept returned 0
[debug] apache_ssl.c(291): error:14094410:SSL 
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[debug] apache_ssl.c(379): Random input /dev/random(1024) -> 1024
[debug] apache_ssl.c(1123): Generating 512 bit key
[debug] apache_ssl.c(287): SSL_accept returned 0
[debug] apache_ssl.c(291): error:14094410:SSL 
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[debug] apache_ssl.c(379): Random input /dev/random(1024) -> 1024
[debug] apache_ssl.c(1123): Generating 512 bit key
[debug] apache_ssl.c(287): SSL_accept returned 0
[debug] apache_ssl.c(291): error:14094410:SSL 
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[debug] apache_ssl.c(379): Random input /dev/random(1024) -> 1024
[debug] apache_ssl.c(1123): Generating 512 bit key
[debug] apache_ssl.c(287): SSL_accept returned 0
[debug] apache_ssl.c(291): error:14094410:SSL 
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
...
..
.

These 'handshake failure' logs continue for a while and then the browser 
seems to overcome the trouble. It continues to load the classes and the 
server gives out a lot of the following logs:

[debug] buff.c(295): read returned 261 rwstate=1 state=3 rstate=240 cren=0 
aren=0 accept=4
[debug] buff.c(295): read returned 270 rwstate=1 state=3 rstate=240 cren=0 
aren=0 accept=4
[debug] buff.c(295): read returned 252 rwstate=1 state=3 rstate=240 cren=0 
aren=0 accept=4

But after that, it hangs again, as it did in the beginning, and a "Web 
Server I/O error" window appears.
The site has been tested with SSL disabled and runs without problems.

Does anyone know what is going on? Any help would be much appreciated. 
Thanks in advance.

Respectfully,

~~
Costas Magos
Ariadne-t Network Operation Center,
~~
email: [EMAIL PROTECTED], [EMAIL PROTECTED]
tel.: +30 1 6544279,
+30 1 6503125
fax:  +30 1 6532910




Re: "error during security authorisation"

2001-10-01 Thread Ruby Cruiser

Yes... please do put-up tutorial webpage and send the
link, it will help a lot... specially for the beginner
to openSSL.

Thanks!


--- Jeremy Smith
<[EMAIL PROTECTED]> wrote:
> > I finally got my mini web server to support SSL.
> However, I get a bizarre
> > error which seems to be rare. It does this with
> Netscape 2.0 and Netscape
> > 4.7 (but not with IE 5 I think).
> >
> > It says "Error during security authorisation".
> 
> Well, it was my mistake, I was using an FD_READ
> callback on the socket (which
> means whenever the socket received data it called my
> routine) and the
> tete-a-tete between my SSL server and the browse
> client was confusing the
> part of the server that handles requests.
> 
> The browser wasn't getting any data after the SSL
> handshaking either, which
> didn't help.
> 
> Whoop! My first SSL server to client connection is
> done. :-)
> 
> I'll put together a small tutorial webpage for those
> interested. I learned
> bits of how to do it from the code for Minihttpd
> (which I highly recommend as
> a HTTP server tutorial, and of course I recommend it
> as a simple server),
> although I'm using windows not Unix or Linux (which
> minihttpd is for).
> 
> Cheers all,
> 
> Jeremy.
> 
> 



Re: NO_BIO

2001-10-01 Thread Jeremy Smith

My suggestion is to use some kind of RAM disk. Or rewrite BIO's file
functions to use RAM instead of files. It's not too difficult to write
custom versions of fseek, fopen, fget, etc.

For the password, you can either accept the password from the user
(either from a textbox in a window, a keyboard or a pen on the Palm OS,
etc) and/or use a fixed password. The code below will allow you to
bypass the necessity for a TTY keyboard input:

This function call does it:

SSL_CTX_set_default_passwd_cb(ssl_ctx,pem_passwd_cb);

ssl_ctx is your SSL context.

Then you define this routine:

   #include <string.h>

   /* rwflag (read or write) and the userdata pointer are unused here:
      the fixed password is copied into the buffer OpenSSL hands us */
   int pem_passwd_cb(char *buf, int size, int rwflag, void *password)
   {
       strncpy(buf, (char *)"password_goes_here", size);
       buf[size - 1] = '\0';
       return(strlen(buf));
   }

And your password goes in the strncpy.

Jeremy.





RE: NO_BIO

2001-10-01 Thread Liming Sun

Tim, I did not try without hard drive.

/liming

-Original Message-
From: Tim Michals [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 29, 2001 12:27 PM
To: '[EMAIL PROTECTED]'
Subject: RE: NO_BIO

Liming,

No hard drive, we are using a primitive flash file system.  Just didn't
want to start reading and writing to flash a lot.  I also found the same
issue, it is hard to pull out some of the modules to make the library
smaller.

Tim

-Original Message-
From: Liming Sun [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 10:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: NO_BIO

Hi, Tim.  This morning, I tried to compile using NO_BIO and then found
that there is really no easy way that I can get rid of BIO altogether.
For example, I would need to redefine BIO_flush, BIO_read(), BIO_write(),
etc.

I do not know what you mean by an issue with having no File System.

Cheers

/liming

-Original Message-
From: Tim Michals [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 8:24 AM
To: '[EMAIL PROTECTED]'
Subject: RE: NO_BIO

I've also ported to VxWorks, but I was having an issue with having no
File System, did you overcome this issue?  I was compiling with NO_BIO,
NO_STDIO

T

-Original Message-
From: Liming Sun [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 28, 2001 3:38 AM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: NO_BIO

Good day, all.

(1) I compiled OpenSSL-0.9.6b in vxWorks.  When using it, a server
receives clientHello from client and it looks ok.  But when the server
flushes serverHello, Certificate, KeyExchange, and serverHelloDone back
to the client, the server crashes at sock_write(). I used SnifferPro to
monitor traffic on the client side and found that the client received
most part of the data from the server. When processing the received
data, the client also crashes inside BIO_read().  Any suggestions?

(2) Because of (1), I am trying NOT to use the BIO interface in OpenSSL.
It appears that SSL_set_fd(SSL *s,int fd) allows me to connect a socket
directly to the SSL object (without using the BIO interface).  But a
closer look at the SSL_set_fd() implementation tells me that BIO is
still used between the SSL layer and the socket.

So, how do I use the flag NO_BIO (does it really mean no BIO interface
between socket and SSL)?

Thank you very much for your suggestions and have a nice day.

/liming

From: Tim Michals
Subject: Questions about NO_BIO and NO_STDIO
Date: Mon, 17 Sep 2001 06:03:27 -0700

All,
I'm trying to build the cryptolib without file 
access(fopen, fclose, etc) and general tty. The 
main reason for this, trying to use a small embedded OS, that is very primitive and does not have a Unix file system 
interface.  
The certificate file will be stored in non-volatile 
ram.  The applications I'm trying to use 
are LDAP (OpenLDAP) and web server (Goahead). So this helps limit issues with the test and example apps. 
 Noticed some defines NO_BIO and NO_STDIO but if 
these are defined it causes some errors during 
compile.  
Some of the issues:     - in the bio directory 
bss_file (it loads and manage the certificate files)  I can hack a fix but concerned about a reason if a 
file needs to be created?  What be the case 
for creating a file for ssl?     - in the crypto 
directory read_pwd.c uses tty to read the password. 
Any insight? 
Thanks 



Panda Software Report: "100% Virus Free Companies"

2001-10-01 Thread Panda Software
If you cannot view this email in web format, please click here.

100% Virus Free Companies: A Stitch in Time ...

How to achieve a 100% virus-free environment: timely prevention ...

... saves nine.

A piece of sound advice now can keep your company safe from all kinds of
potential computer viruses in the future. Panda Software has compiled all
the best advice in its new "100% Virus-Free Environment" guide.
Protect all of your most confidential information and create a virus-free
environment for your company!
Learn exactly what happens when a virus invades your computer:
their preferred methods of intrusion, the damage they can cause, the best
ways to handle and resolve them...
All such information is available free of charge from the "100% Virus-Free
Environment" guide!

Panda Software respects your privacy.
If you do not wish to receive further information from us, please click
here.



Re: problem while compiling the fswcert patch x509 for freeswan

2001-10-01 Thread Richard Levitte - VMS Whacker

From: Laurent Jouannic <[EMAIL PROTECTED]>

ljouannic> I put SSLDIR=/usr/local/openssl.0.9.6b in the Makefile
ljouannic> 
ljouannic> and I have the following error:
ljouannic> 
ljouannic> make
ljouannic> gcc -L/usr/local/openssl.0.9.6b/lib -o fswcert fswcert.o -lcrypto
ljouannic> /usr/bin/ld: cannot find -lcrypto
ljouannic> collect2: ld returned 1 exit status
ljouannic> make: *** [fswcert] Error 1

How come you don't ask the freeswan developers?

[...]
ljouannic> /usr/local/ssl/lib
ljouannic> 
ljouannic> which one is the good one?

The one I cite, most probably.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



Re: CRL format problem

2001-10-01 Thread Rabellino Sergio

Valery wrote:
> 
> Hello!
> 
> I have a problem with checking CRL by MS Outlook Express.
> When Outlook is on-line it tries to check if the certificate has been
> revoked or not and says "The digital ID has not been revoked or revocation
> information for this certificate could not be determined"
> 
> After that I tried to import my CRL into my IE5.5 it says:
> "This is an invalid Certificate Revocation List file".
> 
> My CRL can be found at: http://proxy.vrn.ru/crl/main.crl
> 
> The CRL has been made with the following command:
> openssl ca -gencrl -out crl.pem -config openssl.cnf passin pass:
> 
> I have added crlDistributionPoints=URI:http://proxy.vrn.ru/crl/main.crl
> into my openssl.cnf file.
> 
> Where have I made a mistake?
> Does Outlook Express 5.5 support a CRL file that was made with
> openssl-engine 0.9.6b?
> 
The MIME type reported by your web server is text/html, and this is
incorrect: you must return an "application/x-pkcs7-crl" document. So you
must convert your CRL with openssl to the DER-encoded PKCS#7 form, then
return this blob with the correct MIME type.

Bye.
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
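A server-side sanity check for the situation described in this reply, as an added example (not code from the post, from OpenSSL, or from any web server): before handing a file out under a CRL content type, confirm that the bytes really are one complete DER SEQUENCE and not a PEM text or an HTML error page. It assumes the DER file was produced with "openssl crl -in crl.pem -outform DER -out main.crl", checks only the outer SEQUENCE tag and length (not the CertificateList fields inside), and uses the content type named in the reply; the function names classify_crl, der_read_length, crl_content_type and self_check are this example's own.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example: decide whether a blob about to be served as a CRL is DER,
 * PEM, or something else, and which Content-Type (if any) to send with it.
 */
enum crl_kind { CRL_DER, CRL_PEM, CRL_UNKNOWN };

/*
 * Read a DER length field starting at buf[pos]. Returns the number of bytes
 * the length field occupies (0 on malformed input) and stores the content
 * length in *out. Indefinite and non-minimal lengths are rejected, as DER
 * requires, and every read is bounds-checked against len.
 */
static size_t der_read_length(const unsigned char *buf, size_t len, size_t pos, size_t *out)
{
    size_t n, i, v = 0;

    if (pos >= len)
        return 0;
    if (buf[pos] < 0x80) {          /* short form: the byte is the length */
        *out = buf[pos];
        return 1;
    }
    n = buf[pos] & 0x7f;            /* long form: n following bytes hold the length */
    if (n == 0 || n > sizeof(size_t) || pos + 1 + n > len || buf[pos + 1] == 0)
        return 0;
    for (i = 0; i < n; i++)
        v = (v << 8) | buf[pos + 1 + i];
    if (v < 0x80)                   /* should have used the short form */
        return 0;
    *out = v;
    return 1 + n;
}

enum crl_kind classify_crl(const unsigned char *buf, size_t len)
{
    static const char pem_hdr[] = "-----BEGIN X509 CRL-----";  /* OpenSSL's PEM label for CRLs */
    size_t hdr, body;

    if (len >= sizeof(pem_hdr) - 1 && memcmp(buf, pem_hdr, sizeof(pem_hdr) - 1) == 0)
        return CRL_PEM;
    /* A DER CertificateList is one outer SEQUENCE (tag 0x30) whose encoded
     * length must account for exactly the rest of the file: no trailing
     * junk, no truncation. */
    if (len >= 2 && buf[0] == 0x30) {
        hdr = der_read_length(buf, len, 1, &body);
        if (hdr != 0 && 1 + hdr + body == len)
            return CRL_DER;
    }
    return CRL_UNKNOWN;
}

/* Content-Type to send, or NULL when the blob must not be served as a CRL. */
const char *crl_content_type(const unsigned char *buf, size_t len)
{
    return classify_crl(buf, len) == CRL_DER ? "application/x-pkcs7-crl" : NULL;
}

/*
 * Self-check on constructed input (not a real CRL): a long-form SEQUENCE
 * with 130 bytes of payload, the same blob truncated by one byte, and the
 * same blob with one byte appended. Returns 1 when all three are judged
 * as expected.
 */
int self_check(void)
{
    unsigned char blob[134];

    memset(blob, 0x05, sizeof(blob));
    blob[0] = 0x30; blob[1] = 0x81; blob[2] = 0x82;   /* SEQUENCE, length 0x82 = 130 */
    return classify_crl(blob, 133) == CRL_DER
        && classify_crl(blob, 132) == CRL_UNKNOWN     /* truncated */
        && classify_crl(blob, 134) == CRL_UNKNOWN;    /* trailing byte */
}
```

The content type here is the one the reply names and the one Microsoft clients of that era expected; the IANA-registered type for a DER-encoded CRL is application/pkix-crl (RFC 2585), so a server that serves other clients as well may need to send that instead.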



problem while compiling the fswcert patch x509 for freeswan

2001-10-01 Thread Laurent Jouannic

Hi to the ML

to apply  the fswcert patch

I put SSLDIR=/usr/local/openssl.0.9.6b in the Makefile

and I have the following error:

make
gcc -L/usr/local/openssl.0.9.6b/lib -o fswcert fswcert.o -lcrypto
/usr/bin/ld: cannot find -lcrypto
collect2: ld returned 1 exit status
make: *** [fswcert] Error 1

the lib directory doesn't exist but I have these subdir

/usr/local/openssl.0.9.6b/crypto/asn1/lib
/usr/local/openssl.0.9.6b/crypto/bf/lib
/usr/local/openssl.0.9.6b/crypto/bio/lib
/usr/local/openssl.0.9.6b/crypto/bn/lib
/usr/local/openssl.0.9.6b/crypto/buffer/lib
/usr/local/openssl.0.9.6b/crypto/cast/lib
/usr/local/openssl.0.9.6b/crypto/comp/lib
/usr/local/openssl.0.9.6b/crypto/conf/lib
/usr/local/openssl.0.9.6b/crypto/des/lib
/usr/local/openssl.0.9.6b/crypto/dh/lib
/usr/local/openssl.0.9.6b/crypto/dsa/lib
/usr/local/openssl.0.9.6b/crypto/dso/lib
/usr/local/openssl.0.9.6b/crypto/engine/lib
/usr/local/openssl.0.9.6b/crypto/err/lib
/usr/local/openssl.0.9.6b/crypto/evp/lib
/usr/local/openssl.0.9.6b/crypto/hmac/lib
/usr/local/openssl.0.9.6b/crypto/idea/lib
/usr/local/openssl.0.9.6b/crypto/lhash/lib
/usr/local/openssl.0.9.6b/crypto/md2/lib
/usr/local/openssl.0.9.6b/crypto/md4/lib
/usr/local/openssl.0.9.6b/crypto/md5/lib
/usr/local/openssl.0.9.6b/crypto/mdc2/lib
/usr/local/openssl.0.9.6b/crypto/objects/lib
/usr/local/openssl.0.9.6b/crypto/pem/lib
/usr/local/openssl.0.9.6b/crypto/pkcs12/lib
/usr/local/openssl.0.9.6b/crypto/pkcs7/lib
/usr/local/openssl.0.9.6b/crypto/rand/lib
/usr/local/openssl.0.9.6b/crypto/rc2/lib
/usr/local/openssl.0.9.6b/crypto/rc4/lib
/usr/local/openssl.0.9.6b/crypto/rc5/lib
/usr/local/openssl.0.9.6b/crypto/ripemd/lib
/usr/local/openssl.0.9.6b/crypto/rsa/lib
/usr/local/openssl.0.9.6b/crypto/sha/lib
/usr/local/openssl.0.9.6b/crypto/stack/lib
/usr/local/openssl.0.9.6b/crypto/txt_db/lib
/usr/local/openssl.0.9.6b/crypto/x509/lib
/usr/local/openssl.0.9.6b/crypto/x509v3/lib
/usr/local/openssl.0.9.6b/crypto/lib
/usr/local/openssl.0.9.6b/rsaref/lib
/usr/local/openssl.0.9.6b/ssl/lib
/usr/local/ssl/lib

which one is the good one?

Otherwise, is there a site where it could be possible to find all the
questions/answers about openssl?

Thanks.

Laurent.






CRL format problem

2001-10-01 Thread Valery

Hello!

I have a problem with checking CRL by MS Outlook Express.
When Outlook is on-line it tries to check if the certificate has been
revoked or not and says "The digital ID has not been revoked or revocation
information for this certificate could not be determined"

After that I tried to import my CRL into my IE5.5 it says:
"This is an invalid Certificate Revocation List file".

My CRL can be found at: http://proxy.vrn.ru/crl/main.crl


The CRL has been made with the following command:
openssl ca -gencrl -out crl.pem -config openssl.cnf passin pass:

I have added crlDistributionPoints=URI:http://proxy.vrn.ru/crl/main.crl
into my openssl.cnf file.

Where have I made a mistake?
Does Outlook Express 5.5 support a CRL file that was made with
openssl-engine 0.9.6b?

Yours sincerely,
  Valery
E-mail: [EMAIL PROTECTED]

