openssl api
Dear all, I've an access violation exception error when I run the following code: ... RSA *key = RSA_generate_key(1024,3,NULL,NULL); FILE *fos; remove(mykey.puk); if ((fos = fopen(mykey.puk,w+b)) == NULL) { return -1; } i2d_RSAPublicKey_fp(fos,key); // access violation at this line ... Can you tell me why? The final goal of my program is to generate a public/private key pair and to store them separately in two files (like mykey.puk and mykey.prk). The private key must be stored with PKCS#8 specifications and the public key with X.509 specification. How can I do that? Thanks for your answer. Best regards. Nicolas Heuvelmans. Nicolas Heuvelmans mailto:[EMAIL PROTECTED] E.F.T. Consultants s.a. av. Plasky 157 / 6 - 1030 Brussels - Belgium Tel +32 (0)2 736.89.11 - Fax +32 (0)2 736.88.53 URL http://www.eft.be Note: This message and its attachements have been checked for viruses by InterScan VirusWall V3.4
Decrypt Encrypted Private Key
Hi, Hopefully somebody will know how to decrypt an encrypted private key. I just encrypt a privated key using command: openssl pkcs8 -in pkey.key -topk8 -v2 des3 -out enc.key -passin pass:ABC123 -passout pass:ABC123 Does anyone know what is the different between -passin and -passout parameter? I also no idea how to encrypt a string (eg. Decrypt Encrypted Private Key) using triple DES encryption, any idea? Thanks in advance... -Syukri __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
client/server using TLS
Hi all, I try to developp a client/server application using TLS... My client.c file is like this : first : initialize_ctx(); tcp_connect6(); - I use IPv6 socket SSL_new(); BIO_new_socket() SSL_set_bio() SSL_connect() in my server.c file I have : tcp_listen6(); initialize_ctx(); load_dh_params(); generate_eph_rsa_key() SSL_CTX_set_session_id_context(); accept(); BIO_new_socket() SSL_new() SSL_set_bio(); SSL_accept; For certificate purpose I've done this : I made a CA (cf www.teamware.com...:-) then I created certificate for the client and for the server signed by this CA. No difference in the method to create and signed them , only the name change. So, it doesn't work. When I debug them, there's no problem until SSL_accept() and SSL_connect(). The SSL_connect stay blocked and SSL_accept return an error of type 2. So if someone got an idea, he'll or she'll be welcome. I hope to not disturb you, Regards, [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Implementation Issues with OpenSSL
Hi! I know it has been a long time, but I have just continued to analyze your submission. I have not yet applied your patch. With respect to the SSL_SESSION_free() problem, it would only cure the symptoms of incorrect SSL_SESSION_free() use. It is not just the session list inside the SSL_CTX object; if a session is used by an SSL object we would also find a dangling pointer that we could not catch. The point should not be to cover for incorrect use of SSL_SESSION_free() and magically remove the session from the cache list, but to catch this as an error... Unfortunately SSL_SESSION_free() does not return diagnostic information (until now), so no application written with today's API would catch the error message... By now, I have updated the manual pages to reflect this problem and wait for more input with respect to this problem. Best regards, Lutz PS. Original message included in full length, as quite some time passed since the thread came up. Please also note, that I already answered to issue #3 in a seperate post several weeks ago. On Wed, Aug 22, 2001 at 04:13:17PM -0700, Chris D. Peterson wrote: We've been having some problems with our old OpenSSL implementation. It turns out that the bug we were experiencing has, in fact, been fixed in the latest version of OpenSSL. In tracking down this problem we noticed several issues that still exist in the latest version of ssl/ssl_sess.c that I'd like to bring to your attention. Making changes to address these problems should improve the maintainablity and robustness of the OpenSSL code. 1) The implementation in SSL_SESSION_list_{add,remove}() seems dangerous. 2) Calling SSL_SESSION_free() on a SSL_SESSION that has been placed in the SESSION_list with SSL_SESSION_list_add() could leave dangling pointers. 3) The hash method used in SSL_CTX_add_session() is passed a SSL_SESSION object, but is expecting to hash on a character string. The rest of this message is a discussion of this details of these issues. - Issue # 1--- It appears that the SSL_SESSION_list is a doubly linked list with a head and tail kept inside the SSL_CTX object. Each SSL_SESSION object contains a next and prev pointer. Assuming that you add A,B,C, and D to the session list with SSL_SESSION_list() you should end up with the following: D prev-D, next-C C prev-D, next-B B prev-C, next-A A prev-B, next-A head-D tail-A Notice that the ends of the list contain a SSL_SESSION ** that have been cast back to a SSL_SESSION *. This seems exceeding dangerous because if someone along the line gets confused you could deref this SSL_SESSION ** as if it were an SSL_SESSION *. A more common programming technique would be to mark the ends of the list with NULL. So that if you try to deref something bad the library will crash immediately rather than writing into a bad memory address. Changes to this effect are fairly simple and I have included them, as well as a list integrity checker, at the end of this message. - Issue #2 --- Because the SSL_SESSION_list is linked through the SSL_SESSION * objects, it is absolutely critical that no SSL_SESSION object that is on the SSL_SESSION list have SSL_SESSION_free() called on it without first removing it from the SSL_SESSION_list. I believe that code should be added to make certain that this can not happen. The current code is excessivly fragile in this respect. The simplest solution would be an assert in SSL_SESSION_free() that checked that ss-prev and ss-next were NULL. A more comprehensive solution would be to check the next and prev pointers and if they were not NULL call SSL_SESSION_list_remove() on the session. Unfortunately this call requires the ctx pointer, so a change to the api for SSL_SESSION_free() is required. Care should also be taken to remove the session from the ctx-sessions lh_hash on free unless the SSL_SESSION_free() is being done in response to an lh_insert(). - Issue #3 --- The lhash routines (e.g. lh_insert()) expect to be passed a NULL terminated string of characters to hash. But the code in ssl_sess.c is passing an SSL_SESSION *. Having a block of code that thinks it is reading a character string marching through a binary structure looking for a NULL terminator and then hashing on the contents sure seems like asking for trouble. Perhaps the session ID should be converted to a string representation and used as the hash key? Or a new entry point into these methods should be used that hashes a fixed number of bytes and uses the binary reprenentation of the session ID to has the values. In any case the current method is logicall just wrong athough it will generally work, because a 0 in the first byte of the session id is a rather rare occurance. I hope this information is useful, and you should feel free to contact me if you
Re: Load CA IE and NetScape
On 10/11/01 01:16 PM, anil kumar sat at the `puter and typed: Hi All, I am using OpenSSL with Apache on Win32. OpenSSL 0.9.6, mod-ssl 2.8.2, Apache 1.3.19. I have generated CA using openssl. Installed CA certificate in the server by editing httpd.conf SSLCACertificatePath confsslprivate SSLCACertificateFile confsslCAcert.pem. Can any one suggest me, how to install CA certificate in browsers. Ok, but first you should know that the SSLCACertificatePath and SSLCACertificateFile directives in Apache are intended to point to a directory and file that contain CAs your server will trust when it does client authentication. It doesn't need just the CA that signed your server certificate. And the values you assign should be full paths. Check out the directives online. As for installing a cert in the browser, just put it in your servers doc tree somewhere, and request it with the browser. So long as you have the mime types defined in httpd.conf, it should present the CA cert to the browser for installation. You will then have to decide wether and for what purposes to trust the CA. HTH Lou -- Louis LeBlanc [EMAIL PROTECTED] Fully Funded Hobbyist, KeySlapper Extrordinaire :) http://acadia.ne.mediaone.net ԿԬ QOTD: Silence is the only virtue he has left. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSL_Connect hangs when network connection is lost
I am having a problem where the SSL_Connect function call hangs when the network connection is lost. The function writes the client hello to the server and then waits for a response. If no response is received it just seems to wait forever. Is there something that I can set so that the SSL_Connect function call will timeout if it doesn't receive a response after a certain amount of time? This email may contain information which is privileged or confidential. If you are not the intended recipient of this email, please notify the sender immediately and delete it without reading, copying, storing, forwarding or disclosing its contents to any other person Thank you Check us out at http://www.syntegra.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FTP over OpenSSL
On Wed, Oct 10, 2001 at 01:51:34PM -0700, Daniel Franks wrote: I am new to the list and OpenSSL. As the company programmer I have been assigned to setup FTP over SSL and am looking for pointers. Ask your favourite search engine for the document called draft-murray-auth-ftp-ssl-07.txt. (It's an Internet-draft, or I-D for short.) M2Crypto, a Python interface to OpenSSL, does FTP/TLS. Here's a transcript: from M2Crypto import ftpslib f = ftpslib.FTP_TLS() f.connect('', 9021) '220 spinnaker.dyndns.org M2Crypto (Medusa) FTP/TLS server v0.07 ready.' f.auth_tls() f.set_pasv(0) f.login('ftp', 'ngps@') '230 Ok.' f.retrlines('LIST') -rw-rw-r-- 1 0198 2326 Jul 3 1996 apache_pb.gif drwxrwxr-x 7 0198 1536 Oct 10 2000 manual drwxrwxr-x 2 0198 512 Oct 31 2000 modpy drwxrwxr-x 2 0198 512 Oct 31 2000 bobo drwxr-xr-x 2 0198 14336 May 28 15:54 postgresql drwxr-xr-x 4 100 198 512 May 16 17:19 home drwxr-xr-x 7 100 100 3584 Sep 23 2000 openacs drwxr-xr-x 10 00 512 Aug 5 2000 python1.5 -rw-r--r-- 1 100 198 326 Jul 29 03:29 index.html drwxr-xr-x 12 00 512 May 31 17:08 python2.1 '226 Transfer complete' f.quit() sprintf(action, cd %s; ftp -ni %s /dev/null 21 !\n %s user %s %s\n %s ls * %s\n bye\n !\n, DOWNLOAD_DIR, Host, Address, Login, flfvend.password, CurDirectory, FLIST); system(action); Python allows you to script FTP easily. Python + M2Crypto gives you FTP/TLS. Give it a go. M2Crypto is available here: http://www.post1.com/home/ngps/m2/ Cheers. -- Ng Pheng Siong [EMAIL PROTECTED] * http://www.post1.com/home/ngps __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Implementation Issues with OpenSSL
Thus spake Lutz Jaenicke ([EMAIL PROTECTED]): I know it has been a long time, but I have just continued to analyze your submission. I have not yet applied your patch. With respect to the SSL_SESSION_free() problem, it would only cure the symptoms of incorrect SSL_SESSION_free() use. It is not just the session list inside the SSL_CTX object; if a session is used by an SSL object we would also find a dangling pointer that we could not catch. The point should not be to cover for incorrect use of SSL_SESSION_free() and magically remove the session from the cache list, but to catch this as an error... Unfortunately SSL_SESSION_free() does not return diagnostic information (until now), so no application written with today's API would catch the error message... I don't claim to understand this code well enough to contradict you. It would certainly be an improvement to have SSL_SESSION_free() detect this error condition and complain loudly when it occurs. I also agree that an interface change is probably worthwhile to do better error reporting and recovery when this occurs. By now, I have updated the manual pages to reflect this problem and wait for more input with respect to this problem. Thanks for following up on this. -- Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: -RANDom confusion
Ok, I apologize but as a newbie I thank you very much for replying. Here's the details: Linux 2.2.16-22 #1 Tue Aug 22 16:16:55 EDT 2000 i586 unknown Apache/1.3.12 10312100 OpenSSL 0.9.6a 5 Apr 2001 I log in as root, but the files in /dev are hidden from me. There seems to be a file called urandom there though. Sending the command as -rand /dev/urandom is what is specified by thawte. Is there a different way you would recommend seeding the crypto library. I apologize but I'm definetly a newbie at this. - Original Message - From: Lutz Jaenicke [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, October 11, 2001 11:17 PM Subject: Re: -RANDom confusion On Thu, Oct 11, 2001 at 03:27:29PM -0700, ComCity wrote: I'm having trouble with the -rand command...I'm missing a critical piece of information which I have not been able to figure out on my own. Whenever I use the -rand modifier, my terminal just sits there and hangs. Intrupting out leaves me with a blank key. I type the following. openssl genrsa -rand /dev/urandom -out www.domain.com.key 1024 it hangs... If I type this: openssl genrsa -out www.domain.com.key 1024 everything works but it complains about the random number generator not being properly seeded. Anybody know what I'm doing wrong? Please name the platform, as your statement is confusing. * If you have a /dev/urandom device, using -rand /dev/urandom will request entropy without limit, therefore the process will never terminate, as /dev/urandom will deliver random bytes infinitely. (Consistent with your description.) * If you have a /dev/urandom device, the OpenSSL library will automatically query it and the process should succeed. This is contradicted by your statement. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
openssl engine?
Hi, can anybody tell me the difference between openssl and openssl-engine. Couldn't find anything about that in the FAQ. I am not subscribed. Please give me a cc. Regards __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: client/server using TLS
julien Bournelle [EMAIL PROTECTED] writes: I try to developp a client/server application using TLS... My client.c file is like this : first : initialize_ctx(); tcp_connect6(); - I use IPv6 socket SSL_new(); BIO_new_socket() SSL_set_bio() SSL_connect() in my server.c file I have : tcp_listen6(); initialize_ctx(); load_dh_params(); generate_eph_rsa_key() SSL_CTX_set_session_id_context(); accept(); BIO_new_socket() SSL_new() SSL_set_bio(); SSL_accept; For certificate purpose I've done this : I made a CA (cf www.teamware.com...:-) then I created certificate for the client and for the server signed by this CA. No difference in the method to create and signed them , only the name change. So, it doesn't work. When I debug them, there's no problem until SSL_accept() and SSL_connect(). The SSL_connect stay blocked and SSL_accept return an error of type 2. So if someone got an idea, he'll or she'll be welcome. Let's try to separate out some issues: does it work if you use IPV4 sockets? -Ekr __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Exporting private key from IIS
Hi all, I'm having trouble getting the private key out of an IIS .key cert. I've followed the instructions to strip off the extra ASN1 SEQUENCE data at the beginning of the key, but it doesn't seem to work: On Win32: E:\openssl-win32openssl rsa -inform NET -in priv.key -out key.pem read RSA key Enter Private Key password: unable to load key 1692:error:0D08C007:asn1 encoding routines:D2I_NETSCAPE_PKEY:expecting an asn1 sequence:.\crypto\asn1\n_pkey.c:311:address=3131288 offset=0 1692:error:0D08E08B:asn1 encoding routines:d2i_Netscape_RSA_2:unable to decode rsa private key:.\crypto\asn1\n_pkey.c:268: 1692:error:0D08D06F:asn1 encoding routines:d2i_Netscape_RSA:decoding error:.\crypto\asn1\n_pkey.c:4535002:address=8650824 offset=17 On Solaris 8: $ /usr/local/ssl/bin/openssl rsa -inform NET -in priv.key -out key.pem read RSA key zsh: segmentation fault (core dumped) /usr/local/ssl/bin/openssl rsa -inform NET -in priv.key Any ideas? The keys were exported from IIS 4... Thanks in advance... -Adam __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSL_read
Move to openssl-users... Xavier Roques wrote: hy, I have some questions. I'm using SSL with asynchronous sockets. So, when I want to receive data, I call select and SSL_READ. But sometimes, even if my select is OK, SSL_READ return SSL_ERROR_WANT_READ. That's normal behaviour. Just because select indicates that data can be read from the underlying transport there is no guarantee that SSL_read will return any data. This could be for several reasons: a complete packet may not be available (so data cannot be returned to the application until more has been read) or a handshake may be taking place. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: openssl engine?
At 20:33 12.10.2001 +0200, Helmut Heilig wrote: can anybody tell me the difference between openssl and openssl-engine. Couldn't find anything about that in the FAQ. See: http://www.openssl.org/support/faq.html [MISC] 6. What is an 'engine' version? Ciao, Richard -- Dr. Richard W. Könning Fujitsu Siemens Computers GmbH, EP LP COM 5 Phone/Fax: +49-89-636-47852 / 47655 E-Mail: [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Crypt::SSLeay Win32 errors
Mike Allison wrote: I'm attempting to compile Crypt::SSLeay 0.31 on Windows 2000 using Perl 5.005_03 and MSVC++ 6.0. I cannot get past the error below. I have tried to use the prebuilt PPM's from active state, but get errors from SSLeay.dll everytime. I wish I could upgrade Perl, as the PPMs work great with the new releases, but Intershop(Ecommerce prog) is dependant on 5.005_03. ... SSLeay.obj : error LNK2001: unresolved external symbol __fltused SSLeay.obj : error LNK2001: unresolved external symbol _strcmp LINK : error LNK2001: unresolved external symbol __DllMainCRTStartup@12 blib\arch\auto\Crypt\SSLeay\SSLeay.dll : fatal error LNK1120: 3 unresolved exter nals NMAKE : fatal error U1077: 'link' : return code '0x460' Stop. My only thought here is that your perl version was compiled differently than how you are trying to compile Crypt::SSLeay. If you didn't compile perl yourself, then I wouldn't try to compile Crypt::SSLeay for it either. For getting the ppm install working from ActiveState, you can try older releases and see if they work but also I might not have a recent OpenSSL installed on my system where the lib in in the path just in case the ActiveState's use of openssl is conflicting with what you have installed. I have seen these errors before when compiling win32 stuff, but not sure I have ever worked through them before, so have little constructive advice for you, sorry. --Josh __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]