SSL_CTX_set_client_CA_list
Hi everyone,

I'm trying to implement client authentication with an OpenSSL client/server. Everything works fine: the server asks for the client's certificate, gets it, and verification succeeds too. The only problem is that I can't make the client send to the server a certificate that matches one of the names in the server's CA list (defined on the server side with SSL_CTX_set_client_CA_list()). What I want is that the client will send a certificate ONLY if it is signed by one of the server's trusted CAs (from the CA list), and, if the client doesn't have a certificate like that, it shouldn't send anything. In fact, I'm getting a different behavior: the client always sends its certificate, even if it is signed by a CA unknown to the server. From the SSL_CTX_set_client_CA_list() documentation it seems to me that the behavior I'm expecting is the right one, and the one I'm getting is the wrong one. Does anybody know how to help me?

This is the relevant snippet of server code:

    char *str;
    STACK_OF(X509_NAME) *cert_names = SSL_load_client_CA_file(CA_FILE);
    if (cert_names == NULL) {
        printf("Couldn't load CA names from CA file: %s\n", CA_FILE);
        exit(15);
    } else {
        if (sk_X509_NAME_num(cert_names) > 0) {
            printf("---Acceptable client certificate CA names\n");
            for (int i = 0; i < sk_X509_NAME_num(cert_names); i++) {
                /* buf == NULL: X509_NAME_oneline() allocates the string itself */
                str = X509_NAME_oneline(sk_X509_NAME_value(cert_names, i), NULL, 0);
                printf("\t Name #%d: %s\n", (i + 1), str);
                OPENSSL_free(str);   /* allocated by OpenSSL, so release it with OPENSSL_free() */
            }
        }
        SSL_CTX_set_client_CA_list(ctx, cert_names);
    }
    SSL_CTX_load_verify_locations(ctx, CA_FILE, CA_PATH);
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);

Any help will be very appreciated.

Thanks,
Sharon Hezy.
Solaris 2.3 and ftime
Hi,

I've recently inherited a lab with old Sparc 5s and 2s running Solaris 2.3. The researcher won't let me upgrade the OS or replace some of the machines... *^$! Nevertheless, I upgraded the compiler to gcc 3.0.2 and started to install openssl-0.9.6b. Unfortunately I've run into the infamous "undefined reference to `ftime'" that's plaguing the Mac OS X admins. Here's where things break:

    speed.o: In function `Time_F':
    /export/home/unixsys/openssl-0.9.6b/apps/speed.c:294: undefined reference to `ftime'
    /export/home/unixsys/openssl-0.9.6b/apps/speed.c:299: undefined reference to `ftime'
    collect2: ld returned 1 exit status
    make[1]: *** [openssl] Error 1
    make[1]: Leaving directory `/export/home/unixsys/openssl-0.9.6b/apps'
    gmake: *** [sub_all] Error 1

Looking at speed.c:

    289    static struct timeb tstart,tend;
    290    long i;
    291
    292    if (s == START)
    293        {
    294        ftime(&tstart);
    295        return(0);
    296        }
    297    else
    298        {
    299        ftime(&tend);
    300        i=(long)tend.millitm-(long)tstart.millitm;
    301        ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
    302        return((ret < 0.001)?0.001:ret);

So I don't get it. The reference to ftime gets defined compiling on Solaris 2.5, 2.6 and 2.8. Is this an inherent problem with just 2.3? What's the fix? Trash the machines ;-).

Thanks,
Dave

===
Dave Encisco
[EMAIL PROTECTED]
[EMAIL PROTECTED]
===
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL exception linking MSVCRT but not MSVCRTD
Has anyone come up with a solution for this? I've seen the same thing with openssl built with Visual C++.

> From: Kim Majikes
> Subject: OpenSSL exception linking MSVCRT but not MSVCRTD
> Date: Wed, 31 Oct 2001 07:16:31 -0800
>
> I'm having problems when running some OpenSSL commands from the command line. I performed the following steps as outlined in the Install.w32 file:
>
> - used ms\do_ms to create the mak files
> - compiled using ntdll.mak
> - tested the following openssl commands:
>
>     openssl req -x509 -newkey rsa:1024 -keyout server-key.pem -out server-req.pem
>     openssl genrsa -out server-key.pem 1024
>     openssl req -new -key server-key.pem -out server-req.pem
>
> The first two commands seem to be working but then an exception occurs: "The instruction at .. referenced memory at ... The memory could not be read." The third command works.
>
> When I modify the ntdll.mak to use '/MDd' (MSVCRTD.LIB debug lib) instead of '/MD' (MSVCRT.LIB), I do not see the errors.
>
> Any ideas?
>
> Thanks,
> Kim
RE: Apache-SSL Installation questions
Chris -

This is from the FAQ at http://www.openssl.org/support/faq.html#MISC4 -

> 4. Where can I get a compiled version of OpenSSL?
>
> Some applications that use OpenSSL are distributed in binary form. When using such an application, you don't need to install OpenSSL yourself; the application will include the required parts (e.g. DLLs). If you want to install OpenSSL on a Windows system and you don't have a C compiler, read the "Mingw32" section of INSTALL.W32 for information on how to obtain and install the free GNU C compiler. A number of Linux and *BSD distributions include OpenSSL.

Bottom line - you will have to compile the source code yourself.

By the way - pick one or the other of openssl-0.9.6b or openssl-0.9.6b-engine. You don't need to use both.

Janet Shea

-----Original Message-----
From: Chris Mirras [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 05, 2001 5:09 PM
To: [EMAIL PROTECTED]
Subject: Apache-SSL Installation questions

I am having some difficulty with the installation of openssl v0.9.6b and openssl engine v0.9.6b. I have a Win NT 4.0 (SP 6a) machine running Apache Web Server 1.3 and Jserver 1.0 and wish to install an SSL module. After reading the Apache info, I was directed to download the openSSL modules, which I have downloaded. However, I am not sure what to do next. I am searching through the readme files and other documentation; however, I am just not seeing it. If you have some generic, off-the-shelf documentation you could send me, that would be great. However, if I need to talk to a support group with a per-incident help desk, please send me a name and phone number and I will contact them.

Thanks for your help.

Chris Mirras
805.338.2956
Triple DES Question
Does anyone know if there is a problem with using the same buffers for input and output with the des_ecb3_encrypt function? I have tested it and it is working fine, but I just want to ensure this won't cause some unforeseen problems in the future. The documentation doesn't say a word about it, and a search of the mailing list and FAQ also doesn't mention it.

Thanks.
-Tom

--
"You should never, never doubt what nobody is sure about."
Thomas M. Sasala, Architecture Manager [EMAIL PROTECTED]
Mindsurf Networks (W) 703.848.4441
8180 Greensboro Dr, #500 (F) 703.848.4426
McLean, VA 22102
Re: opaque data in SSL_CTX or SSL
On Wed, Nov 07, 2001 at 12:00:29PM -0800, Rahul S wrote:
> Is there any way I can keep my own user data (opaque data) in either SSL_CTX or SSL? I want to associate one of my pointers with either SSL_CTX or SSL, so that I could later retrieve the same given a SSL_CTX or SSL. I am wondering whether I can somehow do it.

man SSL_CTX_get_ex_new_index

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: ssl reconnection problem
On Tue, Nov 06, 2001 at 03:52:07AM -, ganesh kumar godavari wrote:
> I am working on a SSL server. Upon getting a request from the client, the server is successfully serving the request. If I am going to use the same process for serving another request from the same/different client, I get the following error during SSL_accept() (I am using external session handling to handle session reusability):
>
>     10190:error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
>
> Since the problem may be caused by SSL_get_session() / SSL_SESSION_free(), I looked in the SSL_set_session_id_context man page and added the following code:
>
>     int s_server_session_id_context = 1;
>     SSL_CTX_set_session_id_context(ctx, (const unsigned char *)&s_server_session_id_context,
>                                    sizeof s_server_session_id_context);

Ok, looks good.

> On doing the above I am getting the following errors:
>
>     error:0D067007:asn1 encoding routines:ASN1_COLLATE_PRIMITIVE:expecting an asn1 sequence
>     error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
>
> On Internet Explorer it is popping up a window and asking me for the certificate; I am not requesting any certificate from the client.

That cannot be true, as the client will not send any certificate without the server's request. Please re-read the SSL_CTX_set_verify() manual page.

> On Netscape I do not get any such problems, but I am getting the above error messages ???

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
certificate format.
How can I find out the format of a certificate from a C program?

thanks,
-- vijo
self-signed certificate for virtual webserver
Hi,

I am trying to generate a self-signed certificate for one of my virtual webservers. The problem is that no matter what I enter as CN when asked by the second command below, the certificate is not created for the hostname I want (admin.frakira.cz), but for lexus.frakira.cz, which is the machine's name.

These are the commands I used (I followed the man page):

    # openssl genrsa -out /etc/ssl/private/admin.frakira.cz.key 1024
    # openssl req -new -key /etc/ssl/private/admin.frakira.cz.key -out /etc/ssl/private/admin.frakira.cz.csr
    # openssl x509 -req -days 365 -in /etc/ssl/private/admin.frakira.cz.csr -signkey /etc/ssl/private/admin.frakira.cz.key -out /etc/ssl/admin.frakira.cz.crt

When I enter the last one, everything looks OK... it outputs something about the signature being ok and the DN, which is - as of this moment - exactly what I want. But when I try to open https://admin.frakira.cz, it complains about the certificate belonging to lexus.frakira.cz... (Yes, I did restart apache).

So, how do I arrange that the certificate belongs to admin.frakira.cz and is signed by lexus.frakira.cz?

Please reply directly to my email, since the list seems to be rather slow in subscribing me and I could miss your reply on the list.

Thank you in advance,
Jakub Jermar
Building openssl on SCO 3.2v4.3
Greetings,

I am not sure if this is the correct place to ask the question; please forgive me if it is not. I have tried Google searching for SSL + SCO and found nothing.

I am trying to build OpenSSH on SCO 3.2v4.2, and that requires OpenSSL. When I try to build openssl, I get the following error after make:

    making all in crypto...
    ( echo "#ifndef MK1MF_BUILD"; \
      echo "/* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
      echo "#define CFLAGS \"gcc -O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H\""; \
      echo "#define PLATFORM \"sco3-gcc\""; \
      echo "#define DATE \"`date`\""; \
      echo "#endif" ) > buildinf.h
    gcc -I. -I../include -O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H -c cryptlib.c
    cryptlib.c:104: #error Inconsistency between crypto.h and cryptlib.c
    *** Error code 1
    *** Error code 1

The tools that I have are:

    perl, version 5.005_03 built for i386-sco
    gcc version 2.7.2.3
    Autoconf version 2.13
    automake (GNU automake) 1.5
    GNU m4 1.4

Please advise.

Thanks
Vikash
openssl-0.9.6b on solaris-sparcv9-cc
I'm trying to compile openssl-0.9.6b on solaris-sparcv9-cc, and when I do "make" as per the INSTALL in openssl-0.9.6b/, I get the following error message:

    $ make
    + rm -f libcrypto.so.0
    + rm -f libcrypto.so
    + rm -f libcrypto.so.0.9.6
    + rm -f libssl.so.0
    + rm -f libssl.so
    + rm -f libssl.so.0.9.6
    making all in crypto...
    cc -I. -I../include -KPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM -c cryptlib.c
    /usr/ucb/cc: language optional software package not installed
    *** Error code 1
    make: Fatal error: Command failed for target `cryptlib.o'
    Current working directory /etc/export/home/openssl/openssl-0.9.6b/crypto
    *** Error code 1
    make: Fatal error: Command failed for target `sub_all'

Could anyone tell me what all he is asking about??

Thanks
Aslam
About how to use smime
Hello all,

I am using openssl-0.9.6b. It does not operate well with smime of openssl. Is my usage wrong?

    $ openssl smime -sign -inkey key.pem -signer cert.pem -certfile cacert.pem -in mail.txt -out mail.p7m
    $ openssl smime -verify -CAfile cacert.pem -in mail.p7m
    THIS IS TEST.
    Verification Successful

    $ openssl smime -sign -inkey key.pem -signer cert.pem -in mail.txt -outform pem -out mail.p7c
    $ openssl smime -verify -CAfile cacert.pem -inform pem -in mail.p7c -content mail.txt
    THIS IS TEST.
    Verification Failure
    23894:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:762:
    23894:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:256:

Thanks,
Tom

Tomoaki Misaki [EMAIL PROTECTED]
Re: mod_ssl for Red Hat 6.2
Jian Chen wrote:
> Hi, Edward,
>
> I also spent a long time trying to find it, and I only found one: mod_ssl-2.6.6_1.3.12-1.i386.rpm. Do a search on www.google.com, and you will find this: http://www.megaloman.com/~hany/RPM/doors2.4/mod_ssl-2.6.6_1.3.12-1.i386.html
>
> So far, I do not think Red Hat provides a mod_ssl version for Red Hat 6.2. Let me know if you have found any other better one.
>
> Jian Chen
> Nov. 11

Hello,

I found the mod_ssl rpm package (searching on rpmfind.net and www.google.com)... But they are not for the Red Hat 6.2 system, and I can't find the *.src.rpm for the Red Hat 6.x system either! I think I can install openssl and mod_ssl with source packages (*.tar.gz) only, but I'm not familiar with compiling and installing on a Linux system; actually, I'm a new user of the Linux system... So, can you help me?

Thank you all,
Edward.
mod_ssl for Red Hat 6.2
Hello,

Where can I get the rpm package of mod_ssl to install with Red Hat 6.2?

Thanks,
Edward.
Re: SHA1
On Wed, Nov 07, 2001 at 05:32:48PM -0500, Dane Foster wrote:
> Hello, I'm not on the list but I'm hoping someone can help me nonetheless. I'm a Java programmer working w/ OpenLDAP on Linux. OpenLDAP supports the use of hashed passwords for binding; unfortunately it does not do the hashing for you, so this is where my direct use of OpenSSL comes in. As a simple test I issued the following command at the console:
>
>     $ echo password | openssl dgst -sha1 -binary | openssl base64
>
> I get the following output:
>
>     yP7QDrLofxzujpDrvocMGQrDhIw=
>
> I wrote a simple Java class to verify that the program would generate the same hash that would be in the server. No such luck. It generates the following:
>
>     W6ph5Mm5Pz8GgiULbPgzG37mj9g=

The difference happens because the echo version includes a newline. Something like:

    perl -e 'print "password";' | openssl dgst -sha1 -binary | openssl base64

gets you:

    W6ph5Mm5Pz8GgiULbPgzG37mj9g=

vh
Mads Toftum
--
With a rubber duck, one's never alone.
-- The Hitchhiker's Guide to the Galaxy
openSSL lib
Hi guys,

I was able to build openSSL on the Win2k platform with no problems. Currently, I am using openSSL to encode a file where I store sensitive information (password to a server). I am storing the password in a passwd.smime file, and I decrypt the file with my private key - pk8. So, every time I need to connect to the server, I have to invoke _popen() to call openSSL to decrypt the password and connect to the server. I believe the above way is not the best way to go due to:

1. _popen() - is a pretty expensive call
2. openSSL depends on several DLLs and I'd like to get away from additional dependencies.

Does there exist / is it possible to build an openSSL lib for my purpose? I couldn't find information regarding it anywhere.

Thanks in advance for your advice,
Leon
---
Leon Zilber
HP Internet Operation R&D Lab
phone: 973.443.78.82
email: [EMAIL PROTECTED]
Re: self-signed certificate for virtual webserver
On Fri, Nov 09, 2001 at 03:17:39PM +0100, Jakub Jermar wrote:
> Hi,
>
> I am trying to generate a self-signed certificate for one of my virtual webservers. The problem is that no matter what I enter as CN when asked by the second command below, the certificate is not created for the hostname I want (admin.frakira.cz), but for lexus.frakira.cz, which is the machine's name.
>
> These are the commands I used (I followed the man page):
>
>     # openssl genrsa -out /etc/ssl/private/admin.frakira.cz.key 1024
>     # openssl req -new -key /etc/ssl/private/admin.frakira.cz.key -out /etc/ssl/private/admin.frakira.cz.csr
>     # openssl x509 -req -days 365 -in /etc/ssl/private/admin.frakira.cz.csr -signkey /etc/ssl/private/admin.frakira.cz.key -out /etc/ssl/admin.frakira.cz.crt
>
> When I enter the last one, everything looks OK... it outputs something about the signature being ok and the DN, which is - as of this moment - exactly what I want. But when I try to open https://admin.frakira.cz, it complains about the certificate belonging to lexus.frakira.cz... (Yes, I did restart apache).
>
> So, how do I arrange that the certificate belongs to admin.frakira.cz and is signed by lexus.frakira.cz?
>
> Please reply directly to my email, since the list seems to be rather slow in subscribing me and I could miss your reply on the list.
>
> Thank you in advance,
> Jakub Jermar

I did some checks, e.g.:

    curly@FaiLurE:ttyp6 curly $ dnsip lexus.frakira.cz
    217.11.254.38
    217.11.254.38
    curly@FaiLurE:ttyp6 curly $ dnsip admin.frakira.cz
    217.11.254.38
    217.11.254.38

I see, they are at the same IP - gotcha :)

Read carefully about certification and virtual hosting in the apache/mod_ssl documentation. On the same IP/port you can have only 1 cert. Apache gives you a warning about that (overlapping certificate for the virtual host) - check your apache logs.

You must use a different IP and/or port for the virtual hosts if you want different certificates for each virtual host.

--
rgdz
curly http://www.e-card.bg
PGP keyID: 0xCB6681D8
Key fingerprint = 5A 7B 24 E3 9F CE FF 03 E9 FE D0 BD 81 27 08 2C CB 66 81 D8
Re: SHA1
> $ echo password | openssl dgst -sha1 -binary | openssl base64

You've got a newline there; try

    echo 'password' | tr -d '\012' | openssl dgst

--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com
Using openssl and smime with binary files
Folks,

As part of an exploration, I have used the openssl command line tool in Redhat 7.1 and successfully:

- created a self-signed CA cert
- created an end-entity cert
- using openssl smime, signed a text message
- using openssl smime, verified the text message

And that took some doing (the docs are far from clear).

I am unable to do this, however, with a binary file. I tried to append the word -binary to my openssl smime -sign command, but the verification step always fails with a message digest error. The exact message that shows up is:

    5644:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:762

followed by another message about verify failure.

Is there a way to use the command line tool for signing binary data?

Thanks for your help
David
dont want private key of the client in the ldap
Hi everybody,

I am trying to do client authentication using a self-signed CA and client certificates. I want to store the client certificate in the LDAP entries. The CA certificate is in the web server. I followed the below mentioned steps to create the CA and client certificates:

CA Certificate

    # generate the key for the certificate and store it in .key file
    openssl genrsa -des3 -out $CA_DIR/CA.key 1024
    # sign the request for the CA cert and store it in .csr file
    openssl req -new -x509 -days 365 -config $SSLDIR/openssl.cnf -key $CA_DIR/CA.key -out $CA_DIR/CA.crt
    # convert the cert into pkcs12 format so that it can be imported into IE
    openssl pkcs12 -export -in $CA_DIR/CA.crt -inkey $CA_DIR/CA.key -out $CA_DIR/CA.pfx

Client Certificate

    # generate the key for the client certificate and store it in User.key file
    openssl genrsa -des3 -out $CLIENT_DIR/User.key 1024
    # sign the request for the client cert and store it in User.csr file
    openssl req -new -config $SSLDIR/openssl.cnf -key $CLIENT_DIR/User.key -out $CLIENT_DIR/User.csr
    # generate the client cert and store it in UserID.crt
    openssl ca -config $SSLDIR/openssl.cnf -cert $CA_DIR/CA.pem -in $CLIENT_DIR/User.csr -keyfile $CA_DIR/CA.key -out $CLIENT_DIR/User.crt

Now I am storing this client certificate in the LDAP entry of the client/user. What I would like to know is whether the private key of the client is also being stored in the certificate, because I don't want the private key of the client certificate to be on the LDAP. How do I do it? Any help please.

regards
Sarath
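An added example, not code from any of the messages above, that covers two questions in this digest: Jakub's certificate that named the wrong host (the virtual-host thread with curly's reply), and Sarath's question of whether a .crt stored in LDAP carries the private key. It issues a self-signed certificate whose subject CN and subjectAltName both name the virtual host, then shows how to check which host a certificate file is for and how to confirm that the certificate file holds no private key (it never does; only the .key file does). It assumes an `openssl` binary in PATH; the host name admin.frakira.cz is taken from the thread and used purely as sample input, and the req config section names are my own.

```sh
#!/bin/sh
# Added example (not from the thread).  Assumes `openssl` in PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_vhost_cert HOST KEYFILE CERTFILE
# A tiny req(1) config is written instead of relying on -addext, so this
# runs on old and new OpenSSL releases alike.  Both CN and SAN carry HOST.
make_vhost_cert() {
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $1
[vhost_ext]
subjectAltName = DNS:$1
basicConstraints = CA:FALSE
EOF
    openssl genrsa -out "$2" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$2" -config "$WORK/req.cnf" \
        -extensions vhost_ext -out "$3" 2>/dev/null
}

# cert_cn CERTFILE -> prints the subject CN; the sed strips both the old
# "subject= /CN=x" and the newer "subject=CN = x" prefixes
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_names_host CERTFILE HOST -> true if HOST appears in subjectAltName.
# Browsers match the host name against the SAN list, so check that rather
# than the CN alone.
cert_names_host() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# pem_has_private_key FILE -> true if any "PRIVATE KEY" PEM block is present.
# A certificate file, which is what you would publish in LDAP, has none.
pem_has_private_key() {
    grep -q 'PRIVATE KEY' "$1"
}

# cert_only_der CERTFILE OUTFILE -> DER encoding of the certificate alone,
# the form LDAP schemas expect for userCertificate;binary
cert_only_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

make_vhost_cert admin.frakira.cz "$WORK/admin.key" "$WORK/admin.crt"
cert_only_der "$WORK/admin.crt" "$WORK/admin.der"
echo "subject CN : $(cert_cn "$WORK/admin.crt")"
if cert_names_host "$WORK/admin.crt" admin.frakira.cz; then echo "SAN names  : admin.frakira.cz"; fi
if pem_has_private_key "$WORK/admin.crt"; then echo "admin.crt  : holds a private key"; else echo "admin.crt  : no private key"; fi
if pem_has_private_key "$WORK/admin.key"; then echo "admin.key  : holds the private key"; fi
```

One certificate per IP/port was the rule for the Apache/mod_ssl of this thread; what the cert *says* is still the CN plus the SAN, and the SAN entry is the one to get right, because that is what clients match the host name against.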
Re: SHA1
On Sun, Nov 11, 2001 at 10:08:16AM -0500, Rich Salz wrote:
> > $ echo password | openssl dgst -sha1 -binary | openssl base64
>
> You've got a newline there; try
>
>     echo 'password' | tr -d '\012' | openssl dgst

Use echo with option -n (-n is "no new-line"):

    echo -n password | openssl dgst -sha1 -binary | openssl base64

--
rgdz
curly http://www.e-card.bg
PGP keyID: 0xCB6681D8
Key fingerprint = 5A 7B 24 E3 9F CE FF 03 E9 FE D0 BD 81 27 08 2C CB 66 81 D8
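An added example, not code from any message in this SHA1 thread, that pins down the newline problem the three replies above point at and then goes one step further to the forms OpenLDAP actually stores: it hashes the same password with and without the trailing newline (reproducing both base64 values from Dane's message), builds the `{SHA}` userPassword value, and builds and checks the salted `{SSHA}` value, which is what a practitioner should store instead of a bare SHA-1. It assumes an `openssl` binary in PATH; "password" is the sample input from the thread, and the 4-byte salt is my own choice of size. `printf '%s'` is used rather than `echo -n` because `echo -n` is not portable across shells.

```sh
#!/bin/sh
# Added example (not from the thread).  Assumes `openssl` in PATH.
set -eu

# sha1_b64 PASSWORD -> base64(SHA1(PASSWORD)); printf '%s' adds no newline
sha1_b64() {
    printf '%s' "$1" | openssl dgst -sha1 -binary | openssl base64
}

# sha1_b64_echo PASSWORD -> what `echo PASSWORD | ...` really hashes:
# PASSWORD followed by a newline, hence the different value in the thread
sha1_b64_echo() {
    printf '%s\n' "$1" | openssl dgst -sha1 -binary | openssl base64
}

# ldap_sha PASSWORD -> "{SHA}..." as stored in an OpenLDAP userPassword
ldap_sha() {
    printf '{SHA}%s' "$(sha1_b64 "$1")"
}

# ldap_ssha PASSWORD [SALT] -> "{SSHA}" base64( SHA1(PASSWORD || SALT) || SALT )
# The salt is appended in clear after the 20 digest bytes so a verifier
# can recover it.  Without a salt, equal passwords give equal hashes and
# a precomputed table cracks them all at once.  When no SALT is given,
# 4 printable salt bytes come from `openssl rand` (size is my choice).
ldap_ssha() {
    salt=${2:-$(openssl rand -base64 3)}
    blob=$( { printf '%s%s' "$1" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } | openssl base64 )
    printf '{SSHA}%s' "$blob"
}

# ldap_ssha_check PASSWORD HASH -> true iff HASH is {SSHA} of PASSWORD.
# Decode, take everything after the 20 SHA-1 bytes as the salt, recompute.
ldap_ssha_check() {
    salt=$(printf '%s\n' "$2" | sed 's/^{SSHA}//' | openssl base64 -d | tail -c +21)
    [ "$(ldap_ssha "$1" "$salt")" = "$2" ]
}

echo "echo-style (with newline): $(sha1_b64_echo password)"
echo "no newline               : $(sha1_b64 password)"
echo "userPassword {SHA}       : $(ldap_sha password)"
h=$(ldap_ssha password)
echo "userPassword {SSHA}      : $h"
if ldap_ssha_check password "$h"; then echo "SSHA check               : ok"; fi
```

`sha1_b64_echo` reproduces Dane's first value and `sha1_b64` the second, which is the one his Java code produced; the Java side was right all along.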
[no subject]
Hi,

I can't find popsig and pushsig in file crypto/des/read_pwd.c (version 0.9.6b). Any idea where to get the missing code? Note it's declared static void in read_pwd.c. My environment is RedHat 7.1 and linux-elf with Intel PentiumPro.

Best Reg.
Jan Holmberg
sysadm artech
Re: Using openssl and smime with binary files
david wrote:
> Folks,
>
> As part of an exploration, I have used the openssl command line tool in Redhat 7.1 and successfully:
>
> - created a self-signed CA cert
> - created an end-entity cert
> - using openssl smime, signed a text message
> - using openssl smime, verified the text message
>
> And that took some doing (the docs are far from clear).

In what way aren't the docs clear? There are extensive examples in the smime manual page.

> I am unable to do this, however, with a binary file. I tried to append the word -binary to my openssl smime -sign command, but the verification step always fails with a message digest error. The exact message that shows up is:
>
>     5644:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:762
>
> followed by another message about verify failure.
>
> Is there a way to use the command line tool for signing binary data?

Since you haven't included the complete command line I'm assuming you are using the default cleartext MIME format. This may have problems with binary data. You may have more luck using opaque signing (the -nodetach option) or using DER or PEM format and either distributing the signed content separately or including it with the signature (again the -nodetach option).

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: About how to use smime
Tomoaki Misaki wrote:
> Hello all,
>
> I am using openssl-0.9.6b. It does not operate well with smime of openssl. Is my usage wrong?
>
>     $ openssl smime -sign -inkey key.pem -signer cert.pem -certfile cacert.pem -in mail.txt -out mail.p7m
>     $ openssl smime -verify -CAfile cacert.pem -in mail.p7m
>     THIS IS TEST.
>     Verification Successful
>
>     $ openssl smime -sign -inkey key.pem -signer cert.pem -in mail.txt -outform pem -out mail.p7c
>     $ openssl smime -verify -CAfile cacert.pem -inform pem -in mail.p7c -content mail.txt
>     THIS IS TEST.
>     Verification Failure
>     23894:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:762:
>     23894:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:256:

This is a text translation issue. By default all data signed and verified gets translated to canonical format, which is basically CR+LF for EOL.

In the first case the actual translated form is included in the message. As a result, when it verifies it uses the same data it signed with.

In the second case the signed data is translated but it isn't included with the message. When you verify you are then verifying against the original instead of the translated form, so you get the error.

There are a couple of ways to fix this. You can turn off the translation using the -binary option, or you can include the signed content using the -nodetach option.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Importing https certificate in Internet Explorer 6
Hi,

I have an https site with a secure certificate made with OpenSSL. I have tried to import that certificate into Internet Explorer 6.0 so it recognizes the authority as trusted. I have created a custom CA, so IE always says that the CA is not a trusted one and displays a dialog window each time a user visits the site.

Any help is welcome.

Thanks
Oliver
--
Oliver Schulze L. [EMAIL PROTECTED]
Asuncion-Paraguay
RE: mod_ssl for Red Hat 6.2
Hi, Edward,

I also spent a long time trying to find it, and I only found one: mod_ssl-2.6.6_1.3.12-1.i386.rpm. Do a search on www.google.com, and you will find this: http://www.megaloman.com/~hany/RPM/doors2.4/mod_ssl-2.6.6_1.3.12-1.i386.html

So far, I do not think Red Hat provides a mod_ssl version for Red Hat 6.2. Let me know if you have found any other better one.

Jian Chen
Nov. 11

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, November 11, 2001 6:52 AM
To: [EMAIL PROTECTED]
Subject: mod_ssl for Red Hat 6.2

Hello,

Where can I get the rpm package of mod_ssl to install with Red Hat 6.2?

Thanks,
Edward.
Re: Using openssl and smime with binary files
Thanks for that advice. Your suggestion led me to try the -nodetach option on both the verify and the sign operation, and I can vouch for success.

I think my confusion stems from two places:
- I didn't see enough of the definitions of terms to quite understand what opaque signing was.
- Some of the documents aren't quite as clear as they could be about possible data formats. For example, I initially confused the data formats taken by the rsautl function (they need raw keys) and dgst and smime, which need certificates or other formats.

I'm sure it's just that I'm sort of new to this. Thanks for your efforts.

At 05:03 PM 11/11/2001 +, you wrote:

david wrote:
Folks, as part of an exploration, I have used the openssl command line tool in Redhat 7.1 and successfully:
- created a self-signed CA cert
- created an end-entity cert
- Using openssl smime, I've signed a text message.
- Using openssl smime, I've verified the text message.
And that took some doing (the docs are far from clear).

In what way aren't the docs clear? There are extensive examples in the smime manual page.

I am unable to do this, however, with a binary file. I tried to append the word -binary to my openssl smime -sign command, but the verification step always fails with a message digest error. The exact message that shows up is:
5644:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:762
followed by another message about verify failure. Is there a way to use the command line tool for signing binary data?

Since you haven't included the complete command line I'm assuming you are using the default cleartext MIME format. This may have problems with binary data. You may have more luck using opaque signing (the -nodetach option) or using DER or PEM format and either distributing the signed content separately or including it with the signature (again the -nodetach option).

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Gemplus: http://www.gemplus.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage.
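The line-ending translation Steve describes in this thread and in the smime thread above, reproduced as an added example (not code from the original posts): a throwaway CA and signer are created, the detached PEM signature from the earlier report is verified against the untranslated file and fails, and then the two fixes he recommends, -binary and -nodetach, are shown to succeed. It assumes only an openssl CLI (1.1.1 or later) on PATH; every file name and the sample text are constructed.

```sh
#!/bin/sh
# Added example, not from the original posts: reproduce the detached-signature
# digest failure and show the -binary and -nodetach fixes.
# Assumes an openssl CLI (1.1.1 or later) on PATH; every file name below is
# constructed here inside a throwaway temporary directory.
set -u

smime_canon_demo() {
    command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
    d=$(mktemp -d) && cd "$d" || return 1
    # Throwaway CA plus a signer certificate issued by it (constructed, 1-day validity).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=DemoCA \
        -keyout cakey.pem -out cacert.pem >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=signer \
        -keyout key.pem -out req.pem >/dev/null 2>&1
    openssl x509 -req -in req.pem -CA cacert.pem -CAkey cakey.pem -set_serial 1 \
        -days 1 -out cert.pem >/dev/null 2>&1
    # The text needs bare LF line endings; with CRLF already, translation is a no-op.
    printf 'THIS IS TEST.\nsecond line\n' >mail.txt

    # 1. The failing command pair from the post: the digest is computed over the
    #    CRLF-translated text, but -content hands verify the untranslated file.
    openssl smime -sign -inkey key.pem -signer cert.pem -in mail.txt \
        -outform pem -out detached.p7c
    if openssl smime -verify -CAfile cacert.pem -inform pem -in detached.p7c \
        -content mail.txt >/dev/null 2>&1; then r1=ok; else r1=fail; fi

    # 2. Fix A: -binary turns the translation off, so the digest covers the bytes on disk
    #    and a detached signature can be verified against the original file.
    openssl smime -sign -binary -inkey key.pem -signer cert.pem -in mail.txt \
        -outform pem -out binary.p7c
    if openssl smime -verify -binary -CAfile cacert.pem -inform pem \
        -in binary.p7c -content mail.txt >/dev/null 2>&1; then r2=ok; else r2=fail; fi

    # 3. Fix B: -nodetach (opaque signing) embeds the translated content in the
    #    PKCS#7 structure, so verify checks exactly the bytes that were signed.
    openssl smime -sign -nodetach -inkey key.pem -signer cert.pem -in mail.txt \
        -outform pem -out opaque.p7c
    if openssl smime -verify -CAfile cacert.pem -inform pem -in opaque.p7c \
        >/dev/null 2>&1; then r3=ok; else r3=fail; fi

    cd / && rm -rf "$d"
    echo "detached=$r1 binary=$r2 nodetach=$r3"
}

smime_canon_demo   # prints: detached=fail binary=ok nodetach=ok
```

Note that case 2 verifies the signature over the file exactly as stored, which is also what you want for binary input: with -binary nothing is rewritten before hashing on either side.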
linux v/s solaris
My client_server program with SSL works fine in Linux but fails in Solaris. In Solaris, SSL_accept and SSL_connect fail with reason 1 (which is SSL_ERROR_SSL: [#define SSL_ERROR_SSL 1]). I am using the cert and key file correctly. Am I missing anything else? Anyone please help!
API's ??
For generating the certificate and private file, I am currently using the command line interface, that is, commands like openssl genrsa ... and openssl req -new -x509 ... etc. But are there any openssl APIs for the same? If yes, please let me know a few APIs. Thanks for the assistance, Ruby
Installing Secure Cert
Hi; I would have thought finding information on how to install a secure certificate from Thawte would have been *easy*, but after searching everywhere I could think of for over an hour I've become dismayed :(( Hopefully someone can point me to the step-by-step procedures on how to do this routine, mundane task. TIA, BenO
INSTALL OPENSSL
Hi, I'm new to the openssl world XD. I don't know how to install openssl on Windows. Can anyone help me? Sorry, my English is horrible. Thanks
PKCS7 problem sending enveloped messages across network.
I think (not sure) that the problem I'm having is one of big endian and little endian. I'm trying to send out the output of PEM_write_bio_PKCS7 to other computers (Sun and Linux). I'm sending these multicast and with loopback, and the sender is always able to process the message but the receiver never is (I need another Sun workstation to prove the theory and I don't have one). But my thought is that depending upon how the PKCS7 structure is saved (i.e. it has ints that it just saves to a buffer), the Linux machine sends them in little endian and the Sun chokes on them, and vice versa. If you think this is the problem, has anyone solved this without changing openssl code (i.e. PEM_write_bio_PKCS7/PEM_ASN1_write_bio)? Thanks, Frank
Problems building OpenSSL (0.9.6b) on OpenBSD 2.6
I'm trying to get OpenSSL 0.9.6b working on OpenBSD 2.6 so that I can build the latest OpenSSH (I'm using the portable version as the native OpenBSD version does not build on releases before 2.6). I have installed the new OpenSSL under /usr/local/openssl, and when running the OpenSSH configure I get the following test failure for the OpenSSL library. Anyone have any ideas? What is the error concerning undefined __GLOBAL_OFFSET_TABLE_ all about?

configure:8191: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I/usr/local/openssl/include -L/usr/local/openssl/lib conftest.c -lutil -lz -lcrypto >&5
ld: symbol __GLOBAL_OFFSET_TABLE_ remains undefined
configure:8194: $? = 0
configure:8196: ./conftest
Memory fault (core dumped)
configure:8199: $? = 139
configure: program exited with status 139
configure: failed program was:
#line 8176 "configure"
#include "confdefs.h"
#include <string.h>
#include <openssl/rand.h>
int main(void)
{
    char a[2048];
    memset(a, 0, sizeof(a));
    RAND_add(a, sizeof(a), sizeof(a));
    return(RAND_status() <= 0);
}

-Paul-
Re: openssl-0.9.6b on solaris-sparcv9-cc
Hi

Aslam wrote the following at 19:48 09.11.2001:
I'm trying to compile openssl-0.9.6b on solaris-sparcv9-cc, and when I do make as per the install in openssl-0.9.6b\.. I get the following error message:

$ make
+ rm -f libcrypto.so.0
+ rm -f libcrypto.so
+ rm -f libcrypto.so.0.9.6
+ rm -f libssl.so.0
+ rm -f libssl.so
+ rm -f libssl.so.0.9.6
making all in crypto...
cc -I. -I../include -KPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM -c cryptlib.c
/usr/ucb/cc: language optional software package not installed
*** Error code 1
make: Fatal error: Command failed for target `cryptlib.o'
Current working directory /etc/export/home/openssl/openssl-0.9.6b/crypto
*** Error code 1
make: Fatal error: Command failed for target `sub_all'

Could anyone tell me what all he is asking about??

Looks like you are missing some software on your Solaris installation, e.g. the compiler. You might try to use gcc.

regards
Erich Titl
THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
NT Services
Dear all, I am new to OpenSSL. I am now developing a Win2K Service (I am also new to writing Services) that can decrypt a message with a private key and generate key pairs. I want to ask: should I use the .lib in the Service directly, or do I need to create an ATL COM to wrap OpenSSL first?? Any more suggestions on writing the Service? Thank you. Anthony
Re: NT Services
I think using ATL COM is not necessary; you just need to build a normal Windows service. Be careful of memory leaks. :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Anthony Chau
Sent: 10 November 2001 13:23
To: [EMAIL PROTECTED]
Subject: NT Services

Dear all, I am new to OpenSSL. I am now developing a Win2K Service (I am also new to writing Services) that can decrypt a message with a private key and generate key pairs. I want to ask: should I use the .lib in the Service directly, or do I need to create an ATL COM to wrap OpenSSL first?? Any more suggestions on writing the Service? Thank you. Anthony
listening to browser output
I am doing a lot of client programming, replacing the browser by a client program. To verify my program I look at the browser output with ngrep. But in the case of SSL I don't see anything. Is there a solution for this need?
Re: mod_ssl for Red Hat 6.2
Jian Chen wrote:
Hi, Edward, I also spent a long time trying to find it, and I only found one; it is: mod_ssl-2.6.6_1.3.12-1.i386.rpm. Do a search on www.google.com, and you will find this: http://www.megaloman.com/~hany/RPM/doors2.4/mod_ssl-2.6.6_1.3.12-1.i386.html So far, I do not think Red Hat provides a mod_ssl version for Red Hat 6.2. Let me know if you have found any other better one. Jian Chen Nov. 11

Hello, I found a mod_ssl for Apache 1.3.22 (rpm package) at http://www.megaloman.com/~hany/RPM/doors3.1/mod_ssl-2.8.5-1.i386.html I think it is working with Apache 1.3.22 under a RH 6.2 system. Edward.
How to get extensions from request to cert?
Hi, is there a possibility to propagate the (values for) requested extensions from the CSR to the resulting cert, without mentioning them in the extension section of the config file (as long as copy_extensions doesn't work in production releases)? Gerd -- PS.: Send replies (if any) to the address below. The address in the header might be misleading or not available! -- -- Gerd Schering -- Email: [EMAIL PROTECTED] --