Re: Cross Certification
Dear All,

I have not received any reply to this. Any pointers will be appreciated.

Ravi Prakash B.V.

Ravi Prakash B.V. wrote:
> Dear all,
>
> I want to establish cross certification between two different independent CAs. How is it possible? Any pointers/links/docs for the above?
>
> Thanks in Advance,
> Ravi Prakash B.V.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

--
I am NOMAD!
Re: Multi-threading support in OpenSSL
Hi all,

I didn't receive any replies on this. Any inputs or pointers will be very much appreciated.

thanks,
Krishna

> Hi,
>
> I have a question regarding enabling multi-thread support in OpenSSL. We have ported the OpenSSL library to VxWorks. We have two applications (one server and one client). These two applications will run as separate tasks, each having its own SSL context. These tasks can concurrently do SSL operations.
>
> Since these two tasks have their own SSL contexts, do they need multi-thread protection? Does OpenSSL have some shared global data outside the SSL context? In VxWorks, since global data is global to all tasks, does this mean that we have to build OpenSSL with multi-thread support and provide locking callbacks?
>
> Any help on this will be very much appreciated.
>
> thanks,
> Krishna
Re: Cross Certification
On Mon, 22 Oct 2001, Ravi Prakash B.V. wrote:
> Dear All,
>
> I have not received any reply to this. Any pointers will be appreciated.

What is the application that could benefit from cross certification? Alternatively, what is the logic that requires cross certification?

thank you,
Vadim

> Ravi Prakash B.V.
>
> Ravi Prakash B.V. wrote:
> > Dear all,
> >
> > I want to establish cross certification between two different independent CAs. How is it possible? Any pointers/links/docs for the above?
> >
> > Thanks in Advance,
> > Ravi Prakash B.V.
>
> --
> I am NOMAD!
RE: Cross Certification
I would like to add to the original question.

How is chaining different from cross-certification? If cross-certification means that two CAs sign each other, then how can we scale to a scenario of more than two CAs in a fully meshed cross-certification model?

Thanks for the help.

Tariq Habib

--
From: Vadim Fedukovich
Reply To: [EMAIL PROTECTED]
Sent: Monday, October 22, 2001 11:19 AM
To: [EMAIL PROTECTED]
Subject: Re: Cross Certification

On Mon, 22 Oct 2001, Ravi Prakash B.V. wrote:
> Dear All,
>
> I have not received any reply to this. Any pointers will be appreciated.

What is the application that could benefit from cross certification? Alternatively, what is the logic that requires cross certification?

thank you,
Vadim

> Ravi Prakash B.V.
>
> Ravi Prakash B.V. wrote:
> > Dear all,
> >
> > I want to establish cross certification between two different independent CAs. How is it possible? Any pointers/links/docs for the above?
> >
> > Thanks in Advance,
> > Ravi Prakash B.V.
>
> --
> I am NOMAD!
Generate a certificate request
Hello team,

when I try the command, I get an error:

E:\Oracle\iSuites\Apache\open_ssl\bin>openssl req -new -key key.pem -out csr.pem -config openssl.cnf
Using configuration from openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [GERMANY]:
Locality Name (eg, city) [Gelsenkirchen]:
Organization Name (eg, company) [RAG INFORMATIK]:RAG-INFORMATIK
Organizational Unit Name (eg, section) [BSDA]:BS
Common Name (eg, YOUR name) []:www.riag.de
Email Address []:[EMAIL PROTECTED]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
238:error:04075070:rsa routines:RSA_sign:digest too big for rsa key:.\crypto\rsa\rsa_sign.c:114:
238:error:0D072006:asn1 encoding routines:ASN1_sign:bad get asn1 object call:.\crypto\asn1\a_sign.c:129:

What do I have to do?

sincerely yours
Margitta Seier

RAG INFORMATIK GmbH
Abt. BS/DA
Bruchstr. 5a
45883 Gelsenkirchen
Tel. 0209 9456-7657
Fax. 0209 9456-3440
EMail [EMAIL PROTECTED]
Re: Generate a certificate request
Seier, Margitta (RAG INFORMATIK) wrote:
> Hello team,
>
> when I try the command, I get an error:
>
> E:\Oracle\iSuites\Apache\open_ssl\bin>openssl req -new -key key.pem -out csr.pem

[snip]

> 238:error:04075070:rsa routines:RSA_sign:digest too big for rsa key:.\crypto\rsa\rsa_sign.c:114:
> 238:error:0D072006:asn1 encoding routines:ASN1_sign:bad get asn1 object call:.\crypto\asn1\a_sign.c:129:
>
> What do I have to do?

Have you edited the default key size in openssl.cnf?

The normal reason for this error is that the RSA key size has been set too small: some people confuse the RSA key size with symmetric key size and set the RSA key size to 128 bits, it should be 1024.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
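Added example (not part of the post above and not OpenSSL's own code): a Python sketch of the PKCS#1 v1.5 signature encoding, showing why a 128-bit RSA modulus cannot carry the digest while a 1024-bit one can. The function names and the sample message are constructed for illustration; the check shown is the encoding rule from the PKCS#1 specification, not a copy of the test in rsa_sign.c.

```python
import hashlib

# DER-encoded DigestInfo prefixes for PKCS#1 v1.5 signatures (RFC 8017, section 9.2).
DIGESTINFO_PREFIX = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
MIN_OVERHEAD = 11  # 0x00 0x01, at least eight 0xFF bytes, 0x00


def digest_info(message: bytes, hash_name: str) -> bytes:
    """Return the DER DigestInfo (T) that the RSA private-key operation signs."""
    return DIGESTINFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()


def emsa_pkcs1_v15_encode(message: bytes, hash_name: str, key_bits: int) -> bytes:
    """Build EM = 00 01 FF..FF 00 T for a modulus of key_bits bits."""
    em_len = (key_bits + 7) // 8
    t = digest_info(message, hash_name)
    if em_len < len(t) + MIN_OVERHEAD:
        raise ValueError(
            f"digest too big for rsa key: {hash_name} needs "
            f"{len(t) + MIN_OVERHEAD} bytes, {key_bits}-bit modulus has {em_len}"
        )
    padding = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + padding + b"\x00" + t


def min_key_bits(hash_name: str) -> int:
    """Smallest modulus size (bits) whose encoded block can hold this hash."""
    t_len = len(DIGESTINFO_PREFIX[hash_name]) + hashlib.new(hash_name).digest_size
    return (t_len + MIN_OVERHEAD) * 8


def fits(hash_name: str, key_bits: int) -> bool:
    """True if a signature block for hash_name can be formed with this key size."""
    try:
        # Constructed sample input standing in for the to-be-signed request bytes.
        emsa_pkcs1_v15_encode(b"constructed sample CSR bytes", hash_name, key_bits)
        return True
    except ValueError:
        return False
```

The minimum returned by min_key_bits is only the size at which the encoding stops failing; it says nothing about adequate key strength.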
Message modified (beginner)
Hi,

I would like to generate some certificate to use with outlook express. I used this (under winnt cygwin):

./CA.pl -newca
./CA.pl -newreq
./CA.pl -signreq
./CA.pl -pkcs12 My Test Certificate

Even tried verify, OK. Then imported into outlook, everything ok. Sending email to myself I obtain a message modified error, Non valid sign. Tried to change from md5 to md2 or whatever else, didn't work. Any idea?

Andrea
Re: Cross Certification
Why cross-certify? Imagine two organizations, each with their own root, that have now merged.

	/r$

--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
Re: Cross Certification
> How is chaining different from cross-certification?

Chaining is a single link from an End Entity up to a root, or trust anchor:

    A -- CA1 -- CA2 -- ... -- Root

(where a--b means B has signed the certificate for A)

Cross-certification is when you have multiple chains that intersect:

    A -- CA1 -- CA2  -- ... -- Root
                               |  ^
                               v  |
    B -- CAi -- CAii -- ... -- Root'

If B presents a cert to A, A can go up the B chain until it gets to Root', which it sees has been signed by Root, which is one of A's trust anchors, so A trusts B's credentials. (For convenience, we will ignore the complications added by CRL's or OCSP.)

> If cross-certification means that two CAs sign each other, then how can we scale to a scenario of more than two CAs in a fully meshed cross-certification model?

Exactly. :) The US Government has a project to do this for some of their (Defense Dept?) PKI's. I forget the name. Put a new mega-root and have everyone cross-certify with that root. You still get full paths everywhere, but it's O(2N) instead of O(N**2) certifications.

	/r$

--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
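Added example (not part of the post above): a Python model of the path building and the scaling argument it describes. Certificates are reduced to (issuer, subject) pairs; the names Root0..RootN, EE0..EEN and Bridge are hypothetical, and signatures, validity periods, CRLs and OCSP are ignored, as in the post.

```python
from collections import deque
from itertools import permutations


def build_path(certs, trust_anchor, subject):
    """Return the chain of names from trust_anchor down to subject, or None.

    certs is a set of (issuer, subject) pairs; a cross-certificate is simply
    a pair whose subject is another CA.
    """
    issued_by = {}
    for issuer, subj in certs:
        issued_by.setdefault(issuer, []).append(subj)
    queue, seen = deque([[trust_anchor]]), {trust_anchor}
    while queue:  # breadth-first search, so the shortest chain is found
        path = queue.popleft()
        if path[-1] == subject:
            return path
        for nxt in sorted(issued_by.get(path[-1], [])):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def domains(n):
    """n independent PKIs: RootI issues one end-entity certificate for EEI."""
    roots = [f"Root{i}" for i in range(n)]
    return roots, {(root, f"EE{i}") for i, root in enumerate(roots)}


def full_mesh(roots):
    """Every root signs every other root: N*(N-1) cross-certificates."""
    return set(permutations(roots, 2))


def bridge(roots, name="Bridge"):
    """Every root cross-certifies only with the bridge: 2*N certificates."""
    return {(root, name) for root in roots} | {(name, root) for root in roots}


def all_reachable(n, cross):
    """True if every root, used as trust anchor, can reach every end entity."""
    roots, hierarchy = domains(n)
    certs = hierarchy | cross
    return all(build_path(certs, r, f"EE{j}") for r in roots for j in range(n))
```

With five domains the mesh needs 20 cross-certificates and the bridge 10, and both give every relying party a path to every end entity; the bridge paths are one certificate longer.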
SSL_connect on Non-Blocking Socket under Windows
Dear list users,

I'm going to code a tls-telnet module for teraterm under windows socket 2.x, using the Non Blocking version of the sockets. Supposing that I can never revert the socket to blocking, is there someone who has the right solution for doing the SSL_connect with either tls or sslv3?

In my tests the SSL_connect fails on a regular basis, with the (right) socket error WSAEWOULDBLOCK, and the simple re-calling of the SSL_connect is not useful at all.

Any hints?

Note that teraterm is freeware for win, and my module will be also free (if it runs).

Thanks.

--
Dott. Sergio Rabellino
Technical Staff
Department of Computer Science
University of Torino (Italy)
Member of the Internet Society
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
No start line
Could someone tell me what the usual cause of a PEM_read_bio:No start line error is? I am getting this and I think it's causing some problems in my application.

Thanks.

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485
Re: how to replace expired CA certificate
I had the same problem... until I realised that the password I used was wrong... check u'r passwd if it's the same... just in case.

--- Sarath Chandra M [EMAIL PROTECTED] wrote:
> Hi,
>
> Recently I generated a CA certificate using openssl and installed it on an iPlanet webserver. This certificate has expired. Now I regenerated a new CA certificate. In the webserver, I removed the old one and installed the new one. But ssl is failing.
>
> Is it a problem with openssl new CA generation or have I missed something in the iPlanet webserver?
>
> Any help please.
>
> regards
> Sarath Chandra M
> IT Dept.
> UAE Exchange Centre LLC
> PO Box 170, Abu Dhabi, UAE
> Phone 02-6322166, 6394342
> Fax 02-6221447, 6340713
> GSM 050-4450417
Problem with SSL_read
Dear friends,

I have a problem with SSL_read() function. It returns a value 0 and the subsequent call to the SSL_get_error() function returns a value SSL_ERROR_SYSCALL.

What happens? Could anybody help me?

Thanks in advance.

Juan Carlos Sáez
Re: Cross Certification
> The US Government has a project to do this for some of their (Defense Dept?) PKI's. I forget the name. Put a new mega-root and have everyone cross-certify with that root. You still get full paths everywhere, but it's O(2N) instead of O(N**2) certifications.

Bridge CA.
Amateur Radio TrustedQSL HELP!!! DSA Certs HOW TO?
Greetings,

I am heading the open source TrustedQSL project for Amateur Radio, which is a subproject of the ARRL Logbook of The World project. I would like to use OpenSSL as the base for TrustedQSL and have done so with my prototype. The problem is that none of the docs cover the X.509 routines. All of my PKI experience has been with non-standard certs, so I am kind of lost getting started with X.509 and some of the other PKCS.

Because of legal reasons, i.e. import and usage of encryption software by some governments, we really want a DSA solution, so we can claim that it isn't crypto.

Anyway, I could really use some help. This isn't a pie in the sky project. It will be used by millions of Amateur Radio operators world wide. See project details at: http://www.arrl.org/news/stories/2001/08/02/3/

thank you and 73s

--
Darryl Wagoner - WA1GON
Evil triumphs when good men do nothing. - Edmund Burke [1729-1797]
Join the TrustedQSL mailing list. An Open Source solution.
Post message: [EMAIL PROTECTED]
Subscribe: [EMAIL PROTECTED]
List owner: [EMAIL PROTECTED]
http://www.trustedQSL.org