Rejected Message
The attached mail message has been rejected for the following reason: Message contains attachments: um-root-ca.crt, um-umr-ca.crt Additional Information: This message was rejected because it contained unapproved attachments. If you feel that this message was rejected in error, please contact the MIS Help Desk.: ---BeginMessage--- It has probably not be signed as a CA certificate, just as a user certificate. OpenSSL rejects such certificates for security reasons. Yep, figured out how to solve that. The x509 utility shouldn't crash though, see if this happens in OpenSSL 0.9.6b. If it still does can you send me these two certificates and I'll analyse the cause. Appears to happen for any of these certs w/ 0.9.6. I've attached the two, but will check with 0.9.6b when I get a chance to upgrade. -- Nathan Nathan Neulinger EMail: [EMAIL PROTECTED] University of Missouri - Rolla Phone: (573) 341-4841 Computing Services Fax: (573) 341-4216 -BEGIN CERTIFICATE- MIIHJzCCBQ+gAwIBAgIQKiaNNwwOIoRD5xgkixWtvjANBgkqhkiG9w0BAQQFADCB xTEeMBwGCSqGSIb3DQEJARYPY2FAdW1zeXN0ZW0uZWR1MQswCQYDVQQGEwJVUzER MA8GA1UECBMITWlzc291cmkxETAPBgNVBAcTCENvbHVtYmlhMR8wHQYDVQQKExZV bml2ZXJzaXR5IG9mIE1pc3NvdXJpMR8wHQYDVQQLExZJbmZvcm1hdGlvbiBUZWNo bm9sb2d5MS4wLAYDVQQDEyVVbml2ZXJzaXR5IG9mIE1pc3NvdXJpIFJvb3QgQXV0 aG9yaXR5MB4XDTAxMDEwODE0NDUzN1oXDTI0MTIzMTE0NDUzN1owgcUxHjAcBgkq hkiG9w0BCQEWD2NhQHVtc3lzdGVtLmVkdTELMAkGA1UEBhMCVVMxETAPBgNVBAgT CE1pc3NvdXJpMREwDwYDVQQHEwhDb2x1bWJpYTEfMB0GA1UEChMWVW5pdmVyc2l0 eSBvZiBNaXNzb3VyaTEfMB0GA1UECxMWSW5mb3JtYXRpb24gVGVjaG5vbG9neTEu MCwGA1UEAxMlVW5pdmVyc2l0eSBvZiBNaXNzb3VyaSBSb290IEF1dGhvcml0eTCC AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMwb2MmvDfxVSDzZKHnMQtO6 JIH3jCAe4K+K04nIPmZQJh6HVLggW1y6hJTVfjFakTHcQLrNFXeyFOu6hDsx2tO9 BooZTvxBvtbucUnZLUEFpYMQFiO69gCoiB5m5sTLg+PO8FQg2WpS1Mq0IZEy02SG YBCLwS/rG2fg4epjwmEeu7Sd1fyCVcnOhcw1lbvuZBfD7shvFo19hWbE/QL8x8cN rZVibEwT0uXUi35yweX7427xreRSmA0ZqihyRXILvMZM7xVBW23ZYyYHqYFdGqoZ s0YGWea1vvEf7Ayak+VXtl9m07GkW6wB5jM6QrfmXbzBqaEATjBFKgRu+EGU2S5r oy9tGSDqxFp1pLWOm7aDBAlPxGJhCUBCd48OjYP/dn1+g/nY6nkUqyfjmTZml8dV Df3FLJChnxquMh/G9XHmvhUQjLVqPe8neXfobsesry+0N1BUE8b0qfNTydFKoFUO A9rXc/M9lh+R/j98QbBuPlvMpfGmNkMP1mmgyPRSAfZpZiPiVHv6fQVAUoseB8zk tZRFKT8jIHNd9yoy3ciEVO/QazphUCtt1DaPHk1OIHWVvntVHvvPyOFaikZIJTKG 9liwQ/pRzdhb8faGRvWl5Xbm9Y/VAdX+akAiXavo8r9bQYWZhO1CnIJ/Vox80QBU bvVAt8tbAMvVIzgMWKLpAgMBAAGjggEPMIIBCzALBgNVHQ8EBAMCAcYwDwYDVR0T AQH/BAUwAwEB/zAdBgNVHQ4EFgQUwO70GpEuVvSDWVVeeBk+/hgTRcMwgbkGA1Ud HwSBsTCBrjBUoFKgUIZOaHR0cDovL3VtLXJvb3QtY2EvQ2VydEVucm9sbC9Vbml2 ZXJzaXR5JTIwb2YlMjBNaXNzb3VyaSUyMFJvb3QlMjBBdXRob3JpdHkuY3JsMFag VKBShlBmaWxlOi8vXFxVTS1ST09ULUNBXENlcnRFbnJvbGxcVW5pdmVyc2l0eSUy MG9mJTIwTWlzc291cmklMjBSb290JTIwQXV0aG9yaXR5LmNybDAQBgkrBgEEAYI3 FQEEAwIBADANBgkqhkiG9w0BAQQFAAOCAgEAt18ql0b8BeUk6vbzyfmqhh8uiBo/ U+Icd/ZKMPh/PZFO2rtlpoSk9I4T6A8IxNLuTtp1NNejU5JhiksKfpjaTY2L7Pfu PVVBieBLmOSG0owF+akb7v5oLsWmGySq3AvMJfOCnCukJAXfoB6QIz3wElvVJ6vF mnv3PP7mCqVhsYPN4FTXNEcAU4TFgBUSxGxRJ8IsKNzAdTF4uaY26asQBCdqR1pm viY7ga6was14K6Ki19zOWv+Gc1cWwyaJRPu40lDE+sHwi37K/Gs3s+SaWjRDEX9a geYe3JzQGjr8XzpNZZByU+am6hgoyl0D9u6feifkYWA4jbOjbXwQyny0+27PIVke CJ9gASpOfPrqMjwX8WeMxMf1GX5EdIore21Rd6jSLr8CUCJnyq5sv0WgoqJ7/SU8 v052kUJQvo/ltWi00uq/KkMoGa2yudDiReaOUAPVJ1DJ4Oqn79dz3zN9s7LcpHAN qjW2We2oxxnm/dCIpHZ+unjIPDlDofrpRjxUkzdNRv1thJDvrz9hOEkYbxyRJRjG rJqVj1xUTVyA1ViwtEe5Cfn40Uwnob7cqQpXp7EI4qTB1LS9STXTRhzgRPEWc/1E ReLPNszlFj3wkAGFN1dQJvKpQqHIwzjHodt1l5GX2o7Lc28ksfWlWn7bXb/0smoL 31K8WVMH7mVh6HY= -END CERTIFICATE- -BEGIN CERTIFICATE- MIILgjCCCWqgAwIBAgIKYVMrCwAABjANBgkqhkiG9w0BAQQFADCBxTEeMBwG CSqGSIb3DQEJARYPY2FAdW1zeXN0ZW0uZWR1MQswCQYDVQQGEwJVUzERMA8GA1UE CBMITWlzc291cmkxETAPBgNVBAcTCENvbHVtYmlhMR8wHQYDVQQKExZVbml2ZXJz aXR5IG9mIE1pc3NvdXJpMR8wHQYDVQQLExZJbmZvcm1hdGlvbiBUZWNobm9sb2d5 MS4wLAYDVQQDEyVVbml2ZXJzaXR5IG9mIE1pc3NvdXJpIFJvb3QgQXV0aG9yaXR5 MB4XDTAxMTAwMzIwMjcyNVoXDTExMTAwMzIwMzcyNVowgcgxHDAaBgkqhkiG9w0B CQEWDXVtcmNhQHVtci5lZHUxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNaXNzb3Vy aTEOMAwGA1UEBxMFUm9sbGExJzAlBgNVBAoTHlVuaXZlcnNpdHkgb2YgTWlzc291 cmkgLSBSb2xsYTErMCkGA1UECxMiQ29tcHV0aW5nIGFuZCBJbmZvcm1hdGlvbiBT ZXJ2aWNlczEiMCAGA1UEAxMZVU1SIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzAN BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAukUHwAAkh6EY9qOY9kbvAyJAP0HsRIbx vVieirlxZ6Rf+F/e7cDaiQb0JAILnrVyavv4G7l9zYlcRx/JDmnGHNOcRa0DFdE4 W+gvliauCfg3KxH1t8zPp0mzT8q1PFUmxlMYbg6s4iWFhkHupyeWtNm+Jk5X4Ly5 k+YrsxLqYAcCAwEAAaOCBvEwggbtMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQD AgHmMB0GA1UdDgQWBBQ/iCspBDvz7ujMuTWo8TG7yXbvKjCCAQEGA1UdIwSB+TCB 9oAUwO70GpEuVvSDWVVeeBk+/hgTRcOhgcukgcgwgcUxHjAcBgkqhkiG9w0BCQEW D2NhQHVtc3lzdGVtLmVkdTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE1pc3NvdXJp MREwDwYDVQQHEwhDb2x1bWJpYTEfMB0GA1UEChMWVW5pdmVyc2l0eSBvZiBNaXNz b3VyaTEfMB0GA1UECxMWSW5mb3JtYXRpb24gVGVjaG5vbG9neTEuMCwGA1UEAxMl VW5pdmVyc2l0eSBvZiBNaXNzb3VyaSBSb290IEF1dGhvcml0eYIQKiaNNwwOIoRD
Re: memory allocated by SSL_CTX_new]
This was a known bug in 0.9.6b; I don't know if it is fixed in the current snapshot. Since the amount of memory leaked is small and fixed, correcting the bug was deemed to be low priority. As far as I know, there is no way to free up the memory other than adding your own code to the openssl package. == Greg Stark [EMAIL PROTECTED] == - Original Message - From: Ramaprasad K.R [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, October 04, 2001 10:30 AM Subject: [Fwd: memory allocated by SSL_CTX_new] Hi, Looks like the earlier message that I sent did not reach the list. So I am resending again. Could somebody help with this please. Regards Rampi Original Message Subject: memory allocated by SSL_CTX_new Date: Thu, 27 Sep 2001 19:49:27 +0530 From: Ramaprasad K.R [EMAIL PROTECTED] To: [EMAIL PROTECTED] Hello, When I call SSL_CTX_new, the function CRYPTO_get_ex_new_index() gets called and it seems to be allocating 56 bytes. And this memory does not get freed when I do a SSL_CTX_free() ? Could you please let me know if I need to call some other routine to ensure that those 56 bytes are also freed up. Thanks in advance, Rampi __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Crypt::SSLeay: Code works on Linux but not Solaris.. HELP!
Ok, got past that one.. OpenSSL was looking for the certs.pem file where it didn't exist.. copied that over to the proper location and this problem was fixed.. Now I have hit an even uglier snag.. I am using the same script and now when I run it on the Solaris box all of the SSL handshake completes properly, including the client certitficate parts but the socket seems to be closed by my side before any response can be sent back from the server. Has anyone else seen this? Here is the output I get now when running the below script on the Solaris 8 box.. SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A SSL_connect:SSL renegotiate ciphers SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write certificate verify A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A 500 (Internal Server Error) read failed: Net::SSL::die_with_error('Net::SSL=GLOB(0x356870)', 'read failed') called at /usr/local/lib/perl5/site_perl/5.6.0/sun4-solaris/Net/SSL.pm line 211 Net::SSL::read('Net::SSL=GLOB(0x356870)', '', 4096, 0) called at /usr/local/lib/perl5/site_perl/5.6.0/LWP/Protocol/http.pm line 193 LWP::Protocol::http::request('LWP::Protocol::https=HASH(0xf713c)', 'HTTP::Request=HASH(0xf5cb0)', undef, undef, undef, 180) called at /usr/local/lib/perl5/site_perl/5.6.0/LWP/UserAgent.pm line 212 require 0 called at /usr/local/lib/perl5/site_perl/5.6.0/LWP/UserAgent.pm line 211 LWP::UserAgent::simple_request('LWP::UserAgent=HASH(0x2227bc)', 'HTTP::Request=HASH(0xf5cb0)', undef, undef) called at /usr/local/lib/perl5/site_perl/5.6.0/LWP/UserAgent.pm line 249 LWP::UserAgent::request('LWP::UserAgent=HASH(0x2227bc)', 'HTTP::Request=HASH(0xf5cb0)') called at ./dammit line 32 Client-Date: Thu, 04 Oct 2001 15:27:56 GM -Del Del Simmons wrote: Hey everyone.. I am using the following: machine 1: Linux 2.4.8 (RedHat 7.1 with new kernel) machine 2: Solaris 8 packages on both machines: openssl version 0.9.6 perl 5.6.0 Crypt::SSLeay 0.31 LWP 5.53 And I have the following code in a script: -- #!/usr/bin/perl use strict; $ENV{HTTPS_CERT_FILE} = 'certs/clcert.pem'; $ENV{HTTPS_KEY_FILE} = 'certs/key.pem'; $ENV{HTTPS_CA_FILE} = 'certs/cacerts.pem'; $ENV{HTTPS_CA_DIR} = '/usr/share/ssl/'; $ENV{HTTPS_VERSION} = '3'; $ENV{_SSL_DEBUG} = '1'; $ENV{SSL_DEBUG} = '1'; $ENV{HTTPS_DEBUG} = '1'; use HTTP::Request::Common qw(POST); use LWP::UserAgent; my $ua = LWP::UserAgent-new; my $req = POST 'https://secure.server.name.net', [param = 'value']; my $res = $ua-request($req); When I run this on machine 1 I get the following: [del@Rhino rioport]$ ./cert_test SSL_connect:before/connect initialization SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A SSL_connect:SSL renegotiate ciphers SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server key exchange A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write certificate verify A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A SSL3 alert read:warning:close notify [del@Rhino rioport]$ -- So everything looks good under linux.. When I run it on the Solaris machine I get this:
RE: DES - 3DES (novice)
Thanks Robert. I think it worked, does this look correct to you?(or anyone) -output Connection from 17f, port e904 SSL connection using RC4-MD5 Client does not have certificate. Got 23 chars:'Hello World! Encrypt me' -end--- (is it in fact 3des now? I've been at http://www.openssl.org/docs/apps/ciphers.html to see if it looks right. but I can't tell. it reports RC4-MD5 but not DES-CBC3-SHA...I don't understand the syntax in the call. (can you please explain how RC4-MD5 is on the left of the colon':' and how it is used with the DES-CBC3-SHA on the right? If this IS right, then will I need to create a working certificate for the client next? SSL_CTX_set_cipher_list(yourCTX, RC4-MD5:DES-CBC3-SHA); Thanks very much, I'm sure this is simple and I just need to get these few answers to move forward. Aaron -Original Message- Here's an example: SSL_CTX_set_cipher_list(yourCTX, RC4-MD5:DES-CBC3-SHA); HTH, Rob __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: DES - 3DES (novice)
In my zeal to quickly help you, I forget to switch the cipher string after I cut-n-pasted into my reply. My apologies. Read the file SSL_CTX_set_cipher_list.pod in the OpenSSL/doc/ssl directory for further information on that function call. Here's the correct call for your purpose: SSL_CTX_set_cipher_list(yourCTX, DES-CBC3-SHA); The cipher list is a colon separated list of ciphers in order of connection preference. There are quite a few options you can use when choosing ciphers. Note that this affects only the cipher used for the SSL connection itself, not which cipher was used in the certificate. HTH, Rob -Original Message- From: Aaron Kronis [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 04, 2001 11:35 AM To: [EMAIL PROTECTED] Subject: RE: DES - 3DES (novice) Thanks Robert. I think it worked, does this look correct to you?(or anyone) -output Connection from 17f, port e904 SSL connection using RC4-MD5 Client does not have certificate. Got 23 chars:'Hello World! Encrypt me' -end--- (is it in fact 3des now? I've been at http://www.openssl.org/docs/apps/ciphers.html to see if it looks right. but I can't tell. it reports RC4-MD5 but not DES-CBC3-SHA...I don't understand the syntax in the call. (can you please explain how RC4-MD5 is on the left of the colon':' and how it is used with the DES-CBC3-SHA on the right? If this IS right, then will I need to create a working certificate for the client next? SSL_CTX_set_cipher_list(yourCTX, RC4-MD5:DES-CBC3-SHA); Thanks very much, I'm sure this is simple and I just need to get these few answers to move forward. Aaron -Original Message- Here's an example: SSL_CTX_set_cipher_list(yourCTX, RC4-MD5:DES-CBC3-SHA); HTH, Rob __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] * DISCLAIMER: The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee. Access, copying or re-use of the e-mail or any information contained therein by any other person is not authorized. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Alt Subject Name : IP Address
Can anyone send me a code snippet showing how I get the subject alternate name (IP address) in a form useful for IP source verification? Andy S. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
THE MAIL KING - ah13
IF YOU USE DIRECT MAIL IN YOUR BUSINESS -- THEN READ ON. OTHERWISE, JUST DELETE THIS MESSAGE. Make Every Letter Count - Get Every Letter Opened! Did you know?? According to experts, today's deluged direct mail recipient throws away 26% to 88% of all their junk mail UNOPENED! Would you like to increase your responses by an average of 3 to 6 times?? If you would (and who wouldn't) just REPLY to this message and we will e-mail you more details. CC Computer Consulting Co. PS: If you prefer a response by snail mail, include your name and mailing address in your reply. This email is sent in compliance with our strict anti-abuse regulations. This is not SPAM. This message was sent to you because you, or someone using your email address, requested information, sent or posted to our system, Opt-in, FFA site, Classifieds, web site or email box If you would like to be removed from this list, e-mail to or click on: [EMAIL PROTECTED] *** ah13 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
return value -1
Hi, SSL_accept returns -1. What does -1 mean?? command openssl errstr -1 gives me the following... [error:::lib(255) :func(4095) :reason(4095)] But, again what does this mean?? Anyone please? Regards, __ Do You Yahoo!? NEW from Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month. http://geocities.yahoo.com/ps/info1 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSL_read() never returns an error if client rejects certificate
I have implemented a simple SSL server using the latest win32 version of the openssl library which behaves as I expect, EXCEPT that SSL_read() returns 0 (meaning, I must POLL it, which is retarded) as long as my browser (the client I am using) is waiting for me to accept the certificate (bogus certificate, not blindly accepted by default). In other words, if I accept the certificate, SSL_read() suddenly returns something other than 0 and I can process the session using SSL_read() and SSL_write() as I expect. However, if I reject the certificate, SSL_read() will keep returning 0, which means I don't know how to detect when the client has terminated the connection. How can I detect this?! Also, the documentation refers to the concept of a BIO all over the places, but never defines it anywhere that I can find. Is BIO some kind of universally understood concept that I have only just heard of? In any case, where can I go to learn about it? - RT __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: return value -1
Also, SSL_read does not return at all... I don't know what's going on. What does Blocking and non_blocking IO mean?? Where can I get more information on BIO? Thanks! Ruby --- Ruby Cruiser [EMAIL PROTECTED] wrote: Hi, SSL_accept returns -1. What does -1 mean?? command openssl errstr -1 gives me the following... [error:::lib(255) :func(4095) :reason(4095)] But, again what does this mean?? Anyone please? Regards, __ Do You Yahoo!? NEW from Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month. http://geocities.yahoo.com/ps/info1 __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Do You Yahoo!? NEW from Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month. http://geocities.yahoo.com/ps/info1 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: return value -1
Ruby Cruiser [EMAIL PROTECTED] writes: Also, SSL_read does not return at all... I don't know what's going on. What does Blocking and non_blocking IO mean?? Blocking I/O means that when you ask to read or write on the socket and there's no data or buffer space available the call won't return until it can complete. Nonblocking I/O means it will return with an error. See Stevens's Unix Network Programming or Advanced Programming In the Unix Environment for more details. -Ekr __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSL_read() never returns an error if client rejects certificate
Also, the documentation refers to the concept of a BIO all over the places, but never defines it anywhere that I can find. Is BIO some kind of universally understood concept that I have only just heard of? In any case, where can I go to learn about it? BIO is, I think, Basic In/Out For people with flash disks and embedded devices, methinks. Jeremy. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: return value -1
Ruby, You can find additional info in the Openssl\doc\ssl directory. In this case, examine the file ssl_accept.pod which explains the function syntax, purpose, errors, and behavior of SSL_accept(). From your question it is quite apparent that you should really start by reading as much openssl documentation as you can. Start off by researching s_client and s_server functionality. These two programs alone are worth their weight in gold when first starting out developing using openssl. Rob -Original Message- From: Ruby Cruiser [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 04, 2001 12:27 PM To: [EMAIL PROTECTED] Subject: return value -1 Hi, SSL_accept returns -1. What does -1 mean?? command openssl errstr -1 gives me the following... [error:::lib(255) :func(4095) :reason(4095)] But, again what does this mean?? Anyone please? Regards, __ Do You Yahoo!? NEW from Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month. http://geocities.yahoo.com/ps/info1 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] * DISCLAIMER: The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee. Access, copying or re-use of the e-mail or any information contained therein by any other person is not authorized. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSL_read() never returns an error if client rejects certifica te
Neff Robert A [EMAIL PROTECTED] writes: Rick, Actually, the retardedness is due to the netscape browser not terminating the network connection while waiting for the user's input. Micro$oft IE implements that behaviour properly by terminating the connection, waiting for the user to accept the cert, then will reconnect once accepted. Chalk one up for Microsoft for server friendliness... Actually, MS's behavior is widely believed to be inferior because the server has no way of knowing what went wrong: the client just shut down the connection. By contrast, if you reject the certificate Netscape will send a bad_certificate alert. Worse yet, the client fails to send a close_notify before sending a TCP FIN. A truly compliant SSL server (which most are not) would discard the session, thus forcing a complete rehandshake when the client connects. This doubles the compute cost to the server. Whether sockets or CPU time is more precious to the server depends on the server. -Ekr [Eric Rescorla [EMAIL PROTECTED]] Author of SSL and TLS: Designing and Building Secure Systems http://www.rtfm.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSL_get_peer_certificate
Title: Message I'm having a problem getting my server on Solaris 8 ( Built with SunCC 5.2 ) to obtain a certificate from my client. I have set SSL_CTX_set_verify ( ctx , SSL_VERIFY_PEER,0 ) on both client and server. I have created valid certificates to the best of my knownledge. The same exact code works on Windows ( any platform ). I am at a loss at what could be happening. SSL_get_peer_certifiate always returns a null certificate.. Which to the best of my knownledge means the client didnt send one or the verify failed. How could I go about checking what is wrong? Thanks! -Andrew T. FinnellSoftware EngineereSecurity Inc(321) 394-2485
Re: SSL_read() never returns an error if client rejects certifica te
Neff Robert A [EMAIL PROTECTED] writes: I loved your book. Ordered it from BN as soon as I saw it. Helped me overcome some early initial mindblocks when first integrating with OpenSSL. For those of you reading this, Erik's book is titled: SSL and TLS - Designing and Building Secure Systems and is published by Addison-Wesley. Thanks for the plug. Always glad to meet a satisfied reader :) After reading your reply, I agree that the server should be receiving an alert prior to the FIN indicating the error condition which occurred on the client. Unfortunately, it's very hard to see how to do this correctly. If the client sends a fatal alert before it consults the user then the session won't be resumed (see below). OTOH, servers don't really know what to do with a warning level bad_certificate alert. Perhaps I should have qualified that my expectations of an HTTP SSL connection from a client should not hold a connection open on a server while the user waits god-knows-how-long to decide whether to accept a cert or not. Most users don't have a clue why they see that dialog box anyway. This isn't really that bad. Remember that modern HTTP connections often get held open for quite some time due to HTTP connection persistence. However, you realize that no session prior to this point would have been established on the server for that user as the cert was not previously authenticated... The session is established by IE when it it initiates the first connection. I.e. IE doesn't just close the connection, it finishes the SSL handshake completely before it pops up the error. When it reconnects it attempts to resume the session. Most servers allow it to do so. See the diagram and discussion on pages 309-313 of SSL and TLS, especially the diagram on p 313 which shows IE's behavior. (However: note that there's an error in the first printing. There should be a TCP FIN from the client prior to the server's first close_notify). This is fixed in the second printing. If you have the first printing, you may want to draw in the appropriate arrow :) -Ekr __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Alt Subject Name : IP Address
Can anyone send me a code snippet showing how I get the subject alternate name (IP address) in a form useful for IP source verification? Don't know what you mean for sure, but here is some MS Visual C++ Client Code that will verify the Server's Name(IP,or DNS Name) based on the subject line from the Server Certificate. Note: this uses the CString Class which is part of Microsoft Foundation Classes. You can find CString documentation at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vcmfc98/htm l/_mfc_cstring.asp. CString sAddress = the server name X509 *ServerCert; ServerCert = SSL_get_peer_certificate(m_pSSL); //get the server certificate if(ServerCert == NULL)return FALSE; //could not get a certificate CString sCertAddress; char* szTempChar; szTempChar = X509_NAME_oneline(X509_get_subject_name(ServerCert), 0, 0); // get the server subject name if(szTempChar == NULL) { X509_free(ServerCert); //free the server cert return FALSE; //could not get a subject name } try{sCertAddress = szTempChar;} //attempt to set the value of sCertAddress to be the server subject name catch (...) { X509_free(ServerCert); //free the server cert return FALSE; // could not copy the server suject name } X509_free(ServerCert); //free the server cert int iStartStrPos,iEndStrPos; iStartStrPos = sCertAddress.Find(/CN); //Finding the portion of the subject name that relates to the Server Name if (iStartStrPos == -1) return FALSE; //Failed to find the server name in the server subject line iStartStrPos += 4; // moving the start string pos from locating the /CN SERVER_NAME to SERVER_NAME iEndStrPos = sCertAddress.Find('/',iStartStrPos+1); //Finding the end of the server name if(iEndStrPos == -1) iEndStrPos = sCertAddress.GetLength(); //The end must be the end of the line try { sCertAddress = sCertAddress.Mid(iStartStrPos,iEndStrPos-iStartStrPos); //Extract the server name out of the subject line. } catch (...) { return FALSE; //There was a memory exception } if(sCertAddress != sAddress) //If the server name from the server certificate and the server name do not match... return FALSE; //ERROR COULD NOT VALIDATE SERVER Joel Daniels (a novice). P.S. Please let me know if this code does not work. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
X509_get_notBefore
Title: Message I've looked in the documentation but is there a way to get a better from from the return of X509_get_notBefore instead of having to print it to a BIO ? I need something I can convert it into a date to compare it with the current time... Something that would return a time_t or the number of seconds or something besides a string. Thanks. -Andrew T. FinnellSoftware EngineereSecurity Inc(321) 394-2485
output format of PKCS7
Hi all, In my application, I called PKCS7_encrypt() to encrypt a document. When I call PEM_write_bio_PKCS7(out, p7) to write the encrypted document out to a file, the encrypted content always has --- BEGIN PKCS7 --- --- END PKCS7 --- wrapped arround it. And when I call PKCS7_decrypt(), it always need those headers there if the format is in PEM. Does openssl has another set of functions which can deals with BASE64 encoded PKCS7 content without those headers? Thanks for any advices. Kate __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Cert Chain
Hi Louis, I have a new question for you. After making the certifiate chain, Say, Root-CA -- Sub-CA -- User-Cert. I want to publish this CAuthority chain in pkcs7 file. Do you think it is the best format, if not which format do you prefere for that? And Which openssl's command do I need to use to produce this chain? Any ideas or comments will be very appreciated! Thank you PS. Many thanks for your last comments! -- # .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ... .- # Averroes A. Aysha # Think Linux, Think Slackware! # e-fingerprint = 73B7 2559 2968 5094 3B95 5C70 4E85 5F94 6068 1DD8 # http://www.keyserver.net/en/ # .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ... .- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Tru64 4.0f BN_sqr test fail
From: Todd Williams [EMAIL PROTECTED] Todd.Williams Square test failed! Todd.Williams make: *** [test_bn] Error 1 From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]] You should find the file test/tmp.bntest, which contains what went through bc. Perhaps some investigation of it would help? The problem seems to now be in the BN_sqr function, not bc. Here's the results of the test: test BN_sqr print test BN_sqr\n -C64600F4F4 * -C64600F4F4 - B44048221A6E7E4 Square test failed! 1 I investigated the test_sqr function in bntest.c. The test is checking to see if n * n - (n^2) = 0. It actually tests this calculation: ((n^2) / n) - n == 0. ..or.. c = a ^ 2 d = c / a d = d - a d == 0 I can do the same calculation manually within bc and see that the problem is in bntest's calculation of (a^2), which is calculated with the BN_sqr function. BN_sqr has calculated (-C64600F4F4 ^ 2) as B44048221A6E7E4 which is incorrect. bc bc 1.06 Copyright 1991-1994, 1997, 1998, 2000 Free Software Foundation, Inc. This is free software with ABSOLUTELY NO WARRANTY. For details type `warranty'. a = -C64600F4F4 a -9646009494 a * a 93045499158338136036 93045499158338136036 / -9646009494 -9646009494 B44048221A6E7E4 944048221969794 You can see bc knows that -0xC64600F4F4 (decimal -9646009494) squared is 93045499158338136036, not 944048221969794 (0xB44048221A6E7E4) as BN_sqr calculated it. So I guess now we should look at BN_sqr function to see why it isn't working. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
frustration about x509 versions ?
Hello, I have request the root ca of my national digital sign authority. It's the german regulatory authority for telecommunication. I have tried to load this with openssl x509 -inform DER -in 4R-CA_1.crt -noout -text openssl x509 -inform PEM -in 4R-CA_1.crt -noout -text openssl x509 -inform NET -in 4R-CA_1.crt -noout -text nothing of this works. I have the same problem with some other CA's root certificates like the digicert root certificates (tid_x1_ne.cacert) . I have attached this ones to this mail. Has everyone an idea how to load this certificates to openssl ? Carlos 3R-CA_1.crt 4R-CA_1.crt tid_x1_ne.cacert
Client certificate verification problem
Hi, all. It seems my last e-mail is somehow lost, so I'm resending it. Please give me some advice. :) Since my program is not for web site but general client/server communication program, I'd like to add a client certificate verification from the server side. I couldn't find any reference on client certificate generation, nor client certificate verification on Server side. Do I generate the client certificate in the same way as I did for the server certificate? What methods should be called on both server/client side program to verify the client certificate? Does anyone know how to create a client certificate and how to verify it on Server side? Any help is greatly appreciated. Thank you! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Cert Chain
On 10/04/01 10:58 PM, Averroes sat at the `puter and typed: Hi Louis, I have a new question for you. After making the certifiate chain, Say, Root-CA -- Sub-CA -- User-Cert. I want to publish this CAuthority chain in pkcs7 file. Do you think it is the best format, if not which format do you prefere for that? And Which openssl's command do I need to use to produce this chain? Any ideas or comments will be very appreciated! Actually, you probably just want to create the chain out of the intermediate CA certificates in PEM format - don't include the keys. Here's a layout: server_cert - int_ca_1 - int_ca_2 - . . . - int_ca_n - root_ca You get the idea. Your chain file should consist of the intermediate certs int_ca_1 - int_ca_n, and in that order. The cert that signed your server should be at the top of the chain, then the cert that signed that one, etc. I'm under the impression that the root CA can be included in the chain (at the end) but is not needed. If you are running Apache, you would want to point to it in httpd.conf with the SSLCertificateChainFile directive. The root CA should be installed on the browser in question, and can be installed by serving it with the proper mime type. Your httpd.conf should have something like the following: IfDefine SSL AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl.crl /IfDefine Put the root ca in the html tree wherever you deem appropriate, and request it from the browser. Once you have installed it, and the cert chain is properly defined, your browser should trust the server implicitly. HTH Lou -- Louis LeBlanc [EMAIL PROTECTED] Fully Funded Hobbyist, KeySlapper Extrordinaire :) http://acadia.ne.mediaone.net ԿԬ vuja de: The feeling that you've *never*, *ever* been in this situation before. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: SSL Handshake Failure !
I don't have the specific code, but it's not that much. I take it that you're issuing your own certs with the acceptable client ip in the subjectAltName - you might want to allow a range. I have similar code but not for this purpose, so let's see if I can put them together. My code looks at the subject name, so I might be wrong in looking for the alt name in the subject, but it's a start. SSL *ssl;/* client SSL struct, assume this exists */ int fd, l; struct sockaddr client_addr; char ip_addr[4*3+3+1]; X509 *cert; X509_NAME *subject; char subject_ip[300]; /* get the ip of client */ fd = SSL_get_fd(ssl); l = sizeof(struct sockaddr); getpeername(fd, client_addr, l); /* check rc! */ strcpy(ip_addr, inet_ntoa(client_addr.sin_addr)); /* look in cert for subject name? */ cert = SSL_get_peer_certificate(ssl); subject = X509_get_subject_name(cert); /* check for NULL! */ X509_NAME_get_text_by_NID(subject, NID_subject_alt_name, subject_ip, 300); /* check rc! */ if (strcmp(subject_ip, client_ip) != 0) /* mismatch! */; X509_free(cert); /* reduce reference count */ Steve On Thu, 4 Oct 2001, Andy Schneider wrote: Does anyone have any canned code I could steal that does IP address validation. I.e. grabs the IP address from the alt subject name and compares it against the IP of the incoming socket? Andy S. -Original Message- From: Costas Magos [mailto:[EMAIL PROTECTED]] Sent: 04 October 2001 15:40 To: [EMAIL PROTECTED] Subject: SSL Handshake Failure ! Importance: High Dear all, Sorry for posting the following again, but I am in a bit hurry. I'm running an Apache server (1.3.19) with openssl 0.9.6b on Solaris 2.6 / SPARCclassic platform. Apache serves a site that accesses a database through various cgi-scripts or through a java applet for more specialized actions. The database is managed just fine with the cgi-scripts, but when I try to load the java applet to do some advanced configuration, the browser hangs at some point (while loading some classes) and the server produces the following error logs: [info] [client xxx.xxx.xxx.xxx] SSL accept timeout timed out [error] SSL_accept failed and then [debug] apache_ssl.c(1123): Generating 512 bit key [debug] apache_ssl.c(287): SSL_accept returned 0 [debug] apache_ssl.c(291): error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure [debug] apache_ssl.c(379): Random input /dev/random(1024) - 1024 [debug] apache_ssl.c(1123): Generating 512 bit key [debug] apache_ssl.c(287): SSL_accept returned 0 [debug] apache_ssl.c(291): error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure [debug] apache_ssl.c(379): Random input /dev/random(1024) - 1024 [debug] apache_ssl.c(1123): Generating 512 bit key [debug] apache_ssl.c(287): SSL_accept returned 0 [debug] apache_ssl.c(291): error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake What is going on? Could someone please help me? Any help would be much appreciated. Respectfully, ~~ Costas Magos Ariadne-t Network Operation Center, NCSR Demokritos ~~ email: [EMAIL PROTECTED] tel.: +30 1 6544279, +30 1 6503125 fax: +30 1 6532910 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSL Handshake Failure !
Andy Schneider wrote: Does anyone have any canned code I could steal that does IP address validation. I.e. grabs the IP address from the alt subject name and compares it against the IP of the incoming socket? No I don't. But in outline you need to extract and decode the subject alt name extension (see doc/openssl.txt) this will give you a STACK_OF(GENERAL_NAME). Then search for the ip address type and, if found, extract and compare. Theres a function that extracts email addresses from the subject name and subject alt name extensions (its used by the x509 utility) which should be easy enough to adapt. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSL_read() never returns an error if client rejects certificate
Jeremy Smith [EMAIL PROTECTED] writes: Also, the documentation refers to the concept of a BIO all over the places, but never defines it anywhere that I can find. Is BIO some kind of universally understood concept that I have only just heard of? In any case, where can I go to learn about it? BIO is, I think, Basic In/Out You're thinking of BIOS, which is something totally different. For people with flash disks and embedded devices, methinks. Not really. BIO is the abstraction that OpenSSL uses for reading and writing data from various sources. This lets your SSL program be agnostic about what sort of I/O port you're talking to (socket, pipe, memory, serial line, etc.). All you need to do to make OpenSSL talk to whatever sort of channel you're using is to write an appropriate BIO. -Ekr __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]