SSL_CTX_set_client_CA_list

2001-11-11 Thread Sharon Hezy










Hi everyone,



I'm trying to implement client authentication with OpenSSL client and
server. Everything works fine: the server asks for the client's certificate, gets it,
and verification succeeds too. The only problem is that I can't make the client
send to the server a certificate that matches one of the names in the server's CA
list (defined on the server side with SSL_CTX_set_client_CA_list()). What I
want is that the client will send a certificate ONLY if it is signed by one of the server's
trusted CAs (from the CA list), and, if the client doesn't have a certificate
like that, he shouldn't send anything. In fact, I'm getting a different
behavior: the client always sends its certificate, even if it is signed by a CA unknown
to the server. From the SSL_CTX_set_client_CA_list() documentation it seems to me
that the behavior that I'm expecting is the right one, and the one I'm getting
is the wrong one. Does anybody know how to help me?



This is the relevant snippet of server code:



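/* Load the subject names of the CAs in CA_FILE; these names are
   advertised to the client in the CertificateRequest message. */
STACK_OF(X509_NAME) *cert_names = SSL_load_client_CA_file(CA_FILE);

if (cert_names == NULL) {
    printf("Couldn't load CA names from CA file: %s\n", CA_FILE);
    exit(15);
} else {
    if (sk_X509_NAME_num(cert_names) > 0) {
        printf("---Acceptable client certificate CA names\n");
        for (int i = 0; i < sk_X509_NAME_num(cert_names); i++) {
            char *str = X509_NAME_oneline(sk_X509_NAME_value(cert_names, i), 0, 0);
            printf("\t Name #%d: %s\n", (i + 1), str);
            OPENSSL_free(str);  /* buffer was allocated by OpenSSL */
        }
    }
    /* ctx takes ownership of cert_names */
    SSL_CTX_set_client_CA_list(ctx, cert_names);
}

/* CAs used to verify the client's certificate chain */
SSL_CTX_load_verify_locations(ctx, CA_FILE, CA_PATH);

/* Request a client certificate and fail the handshake if none is sent */
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                   verify_callback);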





Any help will be very appreciated.



Thanks,

Sharon Hezy.










Solaris 2.3 and ftime

2001-11-11 Thread Dave Encisco

Hi,

I've recently inherited a lab with old Sparc 5s and 2s running Solaris
2.3. The researcher won't let me upgrade the OS or replace some of the
machines...*^$! Nevertheless, I upgraded the compiler to gcc 3.0.2
and started to install openssl-0.9.6b. Unfortunately I've run into the
infamous undefined reference to `ftime' that's plaguing the Mac OS X
admins. Here's where things break:

speed.o: In function `Time_F':
/export/home/unixsys/openssl-0.9.6b/apps/speed.c:294: undefined reference to `ftime'
/export/home/unixsys/openssl-0.9.6b/apps/speed.c:299: undefined reference to `ftime'
collect2: ld returned 1 exit status
make[1]: *** [openssl] Error 1
make[1]: Leaving directory `/export/home/unixsys/openssl-0.9.6b/apps'
gmake: *** [sub_all] Error 1

Looking at speed.c

   289          static struct timeb tstart,tend;
   290          long i;
   291
   292          if (s == START)
   293                  {
   294                  ftime(&tstart);
   295                  return(0);
   296                  }
   297          else
   298                  {
   299                  ftime(&tend);
   300                  i=(long)tend.millitm-(long)tstart.millitm;
   301                  ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
   302                  return((ret < 0.001)?0.001:ret);

So I don't get it. The reference to ftime gets defined compiling on
Solaris 2.5, 2.6 and 2.8. Is this an inherent problem with just 2.3?

What's the fix? Trash the machines ;-).

Thanks,
Dave

===
Dave Encisco
[EMAIL PROTECTED]
[EMAIL PROTECTED]
===


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: OpenSSL exception linking MSVCRT but not MSVCRTD

2001-11-11 Thread Gregg K Gibson

Has anyone come up with a solution for this?  I've seen the same thing with
openssl built with visual c++.

From: Kim Majikes
Subject: OpenSSL exception linking MSVCRT but not MSVCRTD
Date: Wed, 31 Oct 2001 07:16:31 -0800


I'm having problems when running some OpenSSL commands from the command
line. I performed the following steps as outlined in the Install.w32
file.

 - used ms\do_ms to create the mak files
 - compiled using ntdll.mak
 - Tested the following openssl commands.
     openssl req -x509 -newkey rsa:1024 -keyout server-key.pem -out server-req.pem
     openssl genrsa -out server-key.pem 1024
     openssl req -new -key server-key.pem -out server-req.pem

The first two commands seem to be working but then an exception
occurs, The instruction at .. referenced memory at ...  The memory could 
not be read.   The third command works.

When I modify the ntdll.mak to use '/MDd' (MSVCRTD.LIB debug lib)
instead of '/MD' (MSVCRT.LIB), I do not see the errors.

Any ideas? Thanks, Kim





RE: Apache-SSL Installation questions

2001-11-11 Thread Shea Janet B CRBE

Chris -

   This is from the FAQ at http://www.openssl.org/support/faq.html#MISC4 -

4. Where can I get a compiled version of OpenSSL?
Some applications that use OpenSSL are distributed in binary form. When using such an 
application, you don't need to install OpenSSL yourself; the application will include 
the required parts (e.g. DLLs). 

If you want to install OpenSSL on a Windows system and you don't have a C compiler, 
read the Mingw32 section of INSTALL.W32 for information on how to obtain and install 
the free GNU C compiler. 

A number of Linux and *BSD distributions include OpenSSL.


Bottom line - you will have to compile the source code yourself.

By the way - pick one or the other of openssl-0.9.6b or openssl-0.9.6b-engine. You 
don't need to use both.

Janet Shea


-Original Message-
From: Chris Mirras [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 05, 2001 5:09 PM
To: [EMAIL PROTECTED]
Subject: Apache-SSL Installation questions


I am having some difficulty with the installation of the openssl v0.9.6b and
openssl engine v0.9.6b.  I have a Win NT 4.0 (sp 6a) Machine running Apache
Web Server 1.3 and Jserver 1.0 and wish to install an SSL module.  After
reading the Apache info, I was directed to download the openSSL modules,
which I have downloaded.  However, I am not sure what to do next.  I am
searching through the readme files and other documentation, however, I am
just not seeing it.

If you have some generic, off-the-shelf documentation you could send me,
that would be great.  However, if I need to talk to a support group with
per-incident help desk, please send me a name and phone number and I will
contact them.

Thanks for your help.

Chris Mirras
805.338.2956




Triple DES Question

2001-11-11 Thread Thomas Sasala

Does anyone know if there is a problem with using the
same buffers for input and output with the des_ecb3_encrypt
function?  I have tested it and it is working fine, but I 
just want to ensure this won't cause some unforeseen problems 
in the future.  The documentation doesn't say a word about it 
and a search of the mailing list and FAQ also doesn't mention it.
Thanks.

-Tom


-- 
(((
  (  You should never, never doubt what nobody is sure about.   )
(((
+++
+ Thomas M. Sasala, Architecture Manager [EMAIL PROTECTED] + 
+ Mindsurf Networks  (W) 703.848.4441 +
+ 8180 Greensboro Dr, #500   (F) 703.848.4426 +
+ McLean, VA  22102   + 
+++



Re: opaque data in SSL_CTX or SSL

2001-11-11 Thread Lutz Jaenicke

On Wed, Nov 07, 2001 at 12:00:29PM -0800, Rahul S wrote:
> Is there any way I can keep my own user data (opaque data) in either SSL_CTX or
> SSL.
> I want to associate one of my pointer with either SSL_CTX or SSL, so that I
> could later retrieve the same given a SSL_CTX or SSL.
> I am wondering whether I can somehow do it.

man SSL_CTX_get_ex_new_index

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: ssl reconnection problem

2001-11-11 Thread Lutz Jaenicke

On Tue, Nov 06, 2001 at 03:52:07AM -, ganesh kumar godavari wrote:
> i am working on a ssl server, upon getting a request from the client, the
> server is successfully serving the request. if i am going to use the same process for
> serving another request from the same/different client I get the following error
> during SSL_accept(): i am using external session handling to handle session
> reusability
>
>    10190:error:140D9115:SSL routines:SSL_GET_PREV_SESSION:-
>    session id context uninitialized
>
> since problem may be caused by SSL_get_session()
> SSL_SESSION_free(), i looked in the
> SSL_set_session_id_context man page and added the
> following code
>
>    int s_server_session_id_context = 1;
>
>    SSL_CTX_set_session_id_context(ctx, (void *)&s_server_session_id_context,
>                                   sizeof s_server_session_id_context);

Ok, looks good.

> on doing the above i am getting the following errors
>
>    error:0D067007:asn1 encoding
>    routines:ASN1_COLLATE_PRIMITIVE:expecting an asn1
>    sequence
>    error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE-
>    :peer did not return a certificate
>
> on internet explorer it is popping up a window and
> asking me for the certificate, i am not requesting any certificate from the client.

That cannot be true, as the client will not send any certificate without
the server's request. Please re-read the SSL_CTX_set_verify() manual page.

> on netscape i do not get any such problems but i am
> getting the above error messages

???

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



test mail...

2001-11-11 Thread Ruby Cruiser

 
 




certificate format.

2001-11-11 Thread Vijo Cherian

How can I find out the format of a certificate from a C program?
thanks,
-- 
vijo



self-signed certificate for virtual webserver

2001-11-11 Thread Jakub Jermar

Hi, I am trying to generate a self-signed certificate for one of my
virtual webservers.
The problem is that no matter what I enter as CN when asked by the
second command below,
the certificate is not created for the hostname I want
(admin.frakira.cz, but for lexus.frakira.cz, which is the machine's
name). These are the commands I used (I followed the man page):

# openssl genrsa -out /etc/ssl/private/admin.frakira.cz.key 1024
# openssl req -new -key /etc/ssl/private/admin.frakira.cz.key -out
/etc/ssl/private/admin.frakira.cz.csr 
# openssl x509 -req -days 365 -in /etc/ssl/private/admin.frakira.cz.csr
-signkey /etc/ssl/private/admin.frakira.cz.key -out
/etc/ssl/admin.frakira.cz.crt

When I enter the last one, everything looks OK ... it outputs something
about that the signature is ok and the DN, which is - as of this moment
- exactly what I want. But when I try to open https://admin.frakira.cz,
it complains about the certificate belonging to lexus.frakira.cz...
(Yes, I did restart apache).

So, how do I arrange that the certificate belongs to admin.frakira.cz
and is signed by lexus.frakira.cz?

Please, reply directly to my email since the list seems to be rather
slow in subscribing me that I could miss your reply for the list.

Thank you in advance,
Jakub Jermar



Building openssl on SCO 3.2v4.3

2001-11-11 Thread Vikash Badal / PCS

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Greetings,

I am not sure if this is the correct place to ask the question, 
please forgive me if it is not.

I have tried google searching for SSL + SCO and found nothing

I am trying to build Openssh on SCO 3.2v4.2, and that requires
OpenSSL

When I try to build openssl, I get the following error from after
make :



making all in crypto...
( echo "#ifndef MK1MF_BUILD"; \
echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
echo "  #define CFLAGS \"gcc -O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H\""; \
echo "  #define PLATFORM \"sco3-gcc\""; \
echo "  #define DATE \"`date`\""; \
echo "#endif" ) >buildinf.h
gcc -I. -I../include -O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H -c cryptlib.c
cryptlib.c:104: #error "Inconsistency between crypto.h and cryptlib.c"
*** Error code 1
*** Error code 1




The Tools that I have are :
- --
perl, version 5.005_03 built for i386-sco

gcc version 2.7.2.3

Autoconf version 2.13

automake (GNU automake) 1.5

GNU m4 1.4


Please Advise

Thanks
Vikash


-BEGIN PGP SIGNATURE-
Version: PGP 6.5.1i for non-commercial use http://www.pgpi.com/

iQA/AwUBO+jkOhvA3JmlEONgEQJpwgCfUvRDL8dQUeVjFGmeftD7JN7aKmsAoOuN
uUejMCM3S0XNqMZfUTaFsHK8
=rj47
-END PGP SIGNATURE-



openssl-0.9.6b on solaris-sparcv9-cc

2001-11-11 Thread Aslam



I'm trying to compile openssl-0.9.6b on solaris-sparcv9-cc.. and when I do "make" as per the
install in openssl-0.9.6b\.. I get following error message..

$ make
+ rm -f libcrypto.so.0
+ rm -f libcrypto.so
+ rm -f libcrypto.so.0.9.6
+ rm -f libssl.so.0
+ rm -f libssl.so
+ rm -f libssl.so.0.9.6
making all in crypto...
cc -I. -I../include -KPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM -c cryptlib.c
/usr/ucb/cc: language optional software package not installed
*** Error code 1
make: Fatal error: Command failed for target `cryptlib.o'
Current working directory /etc/export/home/openssl/openssl-0.9.6b/crypto
*** Error code 1
make: Fatal error: Command failed for target `sub_all'

Could any one tell me what all he is asking about ??

Thanks
Aslam



About how to use smime

2001-11-11 Thread 三崎 友明

Hello all,

I am using openssl-0.9.6b.
It does not operate well by smime of openssl.
Is usage wrong?

$ openssl smime -sign -inkey key.pem -signer cert.pem -certfile cacert.pem -in 
mail.txt -out mail.p7m
$ openssl smime -verify -CAfile cacert.pem -in mail.p7m
THIS IS TEST.
Verification Successful

$ openssl smime -sign -inkey key.pem -signer cert.pem -in mail.txt -outform pem -out 
mail.p7c
$ openssl smime -verify -CAfile cacert.pem -inform pem -in mail.p7c -content mail.txt
THIS IS TEST.
Verification Failure
23894:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest 
failure:pk7_doit.c:762:
23894:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:256:


Thanks,
Tom


Tomoaki Misaki
[EMAIL PROTECTED]



Re: SHA1

2001-11-11 Thread J. Johnson


msg.pgp
Description: PGP message


Re: mod_ssl for Red Hat 6.2

2001-11-11 Thread edward

Jian Chen wrote:

> Hi, Edward,
>
> I also spent a long time to try to find it, and I only found one, it is:
> mod_ssl-2.6.6_1.3.12-1.i386.rpm. Do a search on www.google.com, and you will
> find this:
>
> http://www.megaloman.com/~hany/RPM/doors2.4/mod_ssl-2.6.6_1.3.12-1.i386.html
>
> So far, I do not think redhat provides a modssl version for redhat 6.2.
>
> Let me know if you have found any other better one.
>
> Jian Chen
> Nov. 11

Hello,

I found the mod_ssl rpm package ( search on rpmfind.net and www.google.com )...
But they are not under Red Hat 6.2 system , but I can't find the *.src.rpm for
Red Hat 6.x system also !
I think I can install openssl and mod_ssl with source packages ( *.tar.gz ) only
, but I'm not familiar with compiling and installing for linux system ,
actually, I'm a new user to use linux system...
So, Can you help me ?
Thank all,

Edward.







Need clarification on SSL_CTX_sess*() routines

2001-11-11 Thread Louis LeBlanc


msg.pgp
Description: PGP message


mod_ssl for Red Hat 6.2

2001-11-11 Thread edward

Hello,

Where can I get the rpm package of mod_ssl for install with Red Hat 6.2
?
Thanks,

Edward.





Re: SHA1

2001-11-11 Thread Mads Toftum

On Wed, Nov 07, 2001 at 05:32:48PM -0500, Dane Foster wrote:
> Hello,
> I'm not on the list but I'm hoping someone can help me nonetheless.
>
> I'm a Java programmer working w/ OpenLDAP on Linux.  OpenLDAP supports the
> use of hashed passwords for binding, unfortunately it does do the hashing
> for you so this is where my direct use of OpenSSL comes in.  As a simple
> test I issued the following command at the console:
>
> $ echo password |openssl dgst -sha1 -binary| openssl base64
>
> I get the following output: yP7QDrLofxzujpDrvocMGQrDhIw=
>
> I wrote a simple Java class to verify that the program would generate the
> same hash that would be in the server.  No such luck.  It generates the
> following:
> W6ph5Mm5Pz8GgiULbPgzG37mj9g=

The difference happens because the echo version includes a newline. Something
like:
perl -e 'print "password";' |openssl dgst -sha1 -binary| openssl base64
gets you: W6ph5Mm5Pz8GgiULbPgzG37mj9g=

vh

Mads Toftum
-- 
With a rubber duck, one's never alone.
  -- The Hitchhiker's Guide to the Galaxy



openSSL lib

2001-11-11 Thread ZILBER,LEONID (HP-NewJersey,ex1)

Hi guys,

I was able to build openSSL on Win2k platform with no problems. Currently, I
am using openSSL to encode a file where I store sensitive information
(password to a server).

I am storing password in passwd.smime file, and I decrypt the file with my
private key - pk8.
So, every time I need to connect to the server, I have to invoke _popen() to
call openSSL to decrypt password and connect to the server.

I believe the above way is not the best way to go due to:
1. _popen() - is a pretty expensive call
2. openSSL depends on several DLL's and I'd like to get away from additional
dependencies.

Is there exist/or is it possible to build openSSL lib for my purpose? I
couldn't find information regarding it anywhere. 

Thanks in advance for your advice,
Leon

---
Leon Zilber
HP Internet Operation RD Lab
phone: 973.443.78.82
email: [EMAIL PROTECTED]



Re: self-signed certificate for virtual webserver

2001-11-11 Thread Valentin Zahariev

On Fri, Nov 09, 2001 at 03:17:39PM +0100, Jakub Jermar wrote:
> Hi, I am trying to generate a self-signed certificate for one of my
> virtual webservers.
> The problem is that no matter what I enter as CN when asked by the
> second command below,
> the certificate is not created for the hostname I want
> (admin.frakira.cz, but for lexus.frakira.cz, which is the machine's
> name). These are the commands I used (I followed the man page):
>
> # openssl genrsa -out /etc/ssl/private/admin.frakira.cz.key 1024
> # openssl req -new -key /etc/ssl/private/admin.frakira.cz.key -out
> /etc/ssl/private/admin.frakira.cz.csr
> # openssl x509 -req -days 365 -in /etc/ssl/private/admin.frakira.cz.csr
> -signkey /etc/ssl/private/admin.frakira.cz.key -out
> /etc/ssl/admin.frakira.cz.crt
>
> When I enter the last one, everything looks OK ... it outputs something
> about that the signature is ok and the DN, which is - as of this moment
> - exactly what I want. But when I try to open https://admin.frakira.cz,
> it complains about the certificate belonging to lexus.frakira.cz...
> (Yes, I did restart apache).
>
> So, how do I arrange that the certificate belongs to admin.frakira.cz
> and is signed by lexus.frakira.cz?
>
> Please, reply directly to my email since the list seems to be rather
> slow in subscribing me that I could miss your reply for the list.
>
> Thank you in advance,
> Jakub Jermar

I did some checks eg:
curly@FaiLurE:ttyp6 curly $ dnsip lexus.frakira.cz
217.11.254.38 217.11.254.38
curly@FaiLurE:ttyp6 curly $ dnsip admin.frakira.cz
217.11.254.38 217.11.254.38

I see, they are at same IP - gotcha :)
Read carefully about certification and virtual hosting in apache/mod_ssl documentation.
On same IP/port you can have only 1 cert.
apache gives you warning about that certificate for  overlapping
certificate for  - check your apache logs.
you must use different IP or/and port for virtualhosts, if you wanna different
certificates for each virt.

-- 
rgdz
curly

http://www.e-card.bg

PGP keyID: 0xCB6681D8
Key fingerprint = 5A 7B 24 E3 9F CE FF 03  E9 FE D0 BD 81 27 08 2C  CB 66 81 D8





Re: SHA1

2001-11-11 Thread Rich Salz

> $ echo password |openssl dgst -sha1 -binary| openssl base64

You've got a newline there; try
echo 'password' | tr -d '\012' | openssl dgst 
-- 
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com



Using openssl and smime with binary files

2001-11-11 Thread david

Folks

As part of an exploration, I have used the openssl command line tool in 
Redhat 7.1 and successfully:
- created a self-signed ca cert
- created an end-entity cert
- Using openssl smime, I've signed a text message.
- Using openssl smime, I've verified the text message
And that took some doing (the doc's are far from clear).

I am unable to do this, however, with a binary file.  I tried to append the 
word -binary to my
openssl smime -sign 
command, but the verification step always fails with a message digest 
error.  The exact message that shows up is:

5644:error:21071065:PKCS7 
routines:PKCS7_signatureVerify:digest  failure:pk7_doit.c:762
followed by another message about verify failure.

Is there a way to use the command line tool for signing binary data?

Thanks for your help

David




dont want private key of the client in the ldap

2001-11-11 Thread Sarath Chandra M



Hi everybody,

I trying to do client authentication using self signed CA and client
certificates. I want to store the client certificate in the ldap entries.
The CA certificate is in the web server. I followed the below mentioned
steps to create the CA and client certificates :

CA Certificate

# generate the key for the certificate and store it in .key file
openssl genrsa -des3 -out $CA_DIR/CA.key 1024

# sign the request for the CA cert and store it in .csr file
openssl req -new -x509 -days 365 -config $SSLDIR/openssl.cnf -key $CA_DIR/CA.key -out $CA_DIR/CA.crt

# convert the cert into pkcs12 format so that it can imported into IE
openssl pkcs12 -export -in $CA_DIR/CA.crt -inkey $CA_DIR/CA.key -out $CA_DIR/CA.pfx

Client Certificate

# generate the key for the client certificate and store it in User.key file
openssl genrsa -des3 -out $CLIENT_DIR/User.key 1024

# sign the request for the client cert and store it in User.csr file
openssl req -new -config $SSLDIR/openssl.cnf -key $CLIENT_DIR/User.key -out $CLIENT_DIR/User.csr

# generate the client cert and store it in UserID.crt
openssl ca -config $SSLDIR/openssl.cnf -cert $CA_DIR/CA.pem -in $CLIENT_DIR/User.csr -keyfile $CA_DIR/CA.key -out $CLIENT_DIR/User.crt

Now I am storing this client certificate in the ldap entry of the
client/user. What I would like to know is, whether the private key of the
client is also being stored in the certificate ? Because I don't want the
private key of the client certificate to be on the ldap. How to do it ?

Any help please.

regards
Sarath





Re: SHA1

2001-11-11 Thread Valentin Zahariev

On Sun, Nov 11, 2001 at 10:08:16AM -0500, Rich Salz wrote:
> > $ echo password |openssl dgst -sha1 -binary| openssl base64
>
> You've got a newline there; try
>   echo 'password' | tr -d '\012' | openssl dgst 

use echo with option -n
-n is no new-line

echo -n password |openssl dgst -sha1 -binary| openssl base64

 

-- 
rgdz
curly

http://www.e-card.bg

PGP keyID: 0xCB6681D8
Key fingerprint = 5A 7B 24 E3 9F CE FF 03  E9 FE D0 BD 81 27 08 2C  CB 66 81 D8





[no subject]

2001-11-11 Thread Jan Holmberg



Hi

I can't find popsig and pushsig in file crypto/des/read_pwd.c ( version 0.96b ), any idea where to
get the missing code. Note it's static void declared in read_pwd.c.
My environment is RedHat 7.1 and linux-elf with Intel PentiumPro.


Best. Reg.

Jan Holmberg
sysadm artech




Re: Using openssl and smime with binary files

2001-11-11 Thread Dr S N Henson

david wrote:
>
> Folks
>
> As part of an exploration, I have used the openssl command line tool in
> Redhat 7.1 and successfully:
> - created a self-signed ca cert
> - created an end-entity cert
> - Using openssl smime, I've signed a text message.
> - Using openssl smime, I've verified the text message
> And that took some doing (the doc's are far from clear).
>

In what way aren't the docs clear? There are extensive examples in the
smime manual page.

> I am unable to do this, however, with a binary file.  I tried to append the
> word -binary to my
> openssl smime -sign 
> command, but the verification step always fails with a message digest
> error.  The exact message that shows up is:
>
> 5644:error:21071065:PKCS7
> routines:PKCS7_signatureVerify:digest  failure:pk7_doit.c:762
> followed by another message about verify failure.
>
> Is there a way to use the command line tool for signing binary data?
>

Since you haven't included the complete command line I'm assuming you
are using the default cleartext MIME format. This may have problems with
binary data. You may have more luck using opaque signing (the -nodetach
option) or using DER or PEM format and either distributing the signed
content separately or including it with the signature (again the
-nodetach option).

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




Re: About how to use smime

2001-11-11 Thread Dr S N Henson

三崎 友明 wrote:
>
> Hello all,
>
> I am using openssl-0.9.6b.
> It does not operate well by smime of openssl.
> Is usage wrong?
>
> $ openssl smime -sign -inkey key.pem -signer cert.pem -certfile cacert.pem -in mail.txt -out mail.p7m
> $ openssl smime -verify -CAfile cacert.pem -in mail.p7m
> THIS IS TEST.
> Verification Successful
>
> $ openssl smime -sign -inkey key.pem -signer cert.pem -in mail.txt -outform pem -out mail.p7c
> $ openssl smime -verify -CAfile cacert.pem -inform pem -in mail.p7c -content mail.txt
> THIS IS TEST.
> Verification Failure
> 23894:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:762:
> 23894:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:pk7_smime.c:256:
>

This is a text translation issue. By default all data signed and
verified gets translated to canonical format which is basically CR+LF
for EOL.

In the first case the actual translated form is included in the message.
As a result when it verifies it uses the same data it signed with.

In the second case the signed data is translated but it isn't included
with the message. When you verify you are then verifying against the
original instead of the translated form so you get the error.

There are a couple of ways to fix this. You can turn off the translation
using the -binary option or you can include the signed content using the
-nodetach option.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
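
Added example (not part of the original thread and not OpenSSL code): a small Python model of the digest check behind the failure Steve explains above, covering the detached case and the -binary and -nodetach fixes he lists. The functions `canonicalize`, `sign` and `verify` and both sample inputs are constructed for illustration; no keys are involved and SHA-1 is assumed as the digest.

```python
import hashlib

def canonicalize(data: bytes) -> bytes:
    """Simplified text-mode translation: each LF-terminated line ends in CR+LF."""
    *lines, tail = data.split(b"\n")      # tail = bytes after the last LF
    return b"".join(l.rstrip(b"\r") + b"\r\n" for l in lines) + tail

def sign(content: bytes, binary: bool = False, detach: bool = True) -> dict:
    """Stand-in for `smime -sign`: only the message digest is modelled."""
    signed = content if binary else canonicalize(content)
    return {"digest": hashlib.sha1(signed).hexdigest(),
            "embedded": None if detach else signed}

def verify(p7: dict, content: bytes = None) -> bool:
    """Stand-in for `smime -verify [-content FILE]`: recompute and compare."""
    data = p7["embedded"] if p7["embedded"] is not None else content
    return hashlib.sha1(data).hexdigest() == p7["digest"]

def cases(original: bytes) -> dict:
    """Run the sign/verify combinations discussed in the thread."""
    return {
        "detached, text mode, verified against original":
            verify(sign(original), original),
        "detached, text mode, verified against CR+LF form":
            verify(sign(original), canonicalize(original)),
        "detached, -binary":
            verify(sign(original, binary=True), original),
        "-nodetach":
            verify(sign(original, detach=False)),
    }

MAIL = b"THIS IS TEST.\n"      # constructed sample with an LF line ending
BLOB = bytes(range(256))       # constructed binary sample containing 0x0A and 0x0D

if __name__ == "__main__":
    for name, data in (("MAIL", MAIL), ("BLOB", BLOB)):
        for case, ok in cases(data).items():
            print(f"{name}: {case}: {'ok' if ok else 'digest failure'}")
```

Only the first case fails for either input: the digest was taken over the CR+LF form, while the verifier hashes the untranslated file.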



Importing https certificate in Internet Explorer 6

2001-11-11 Thread Oliver Schulze L.

Hi,
I have a https with a secure certificate made with Openssl.

I have tried to import that certificate in Internet Explorer 6.0 so
it recognizes the authority as trusted.
I have created a custom CA, so IE always says that the CA is not
a trusted one and displays a dialog window each time a user
visits the site.

Any help is welcome.

Thanks
Oliver

-- 
Oliver Schulze L.
[EMAIL PROTECTED]
Asuncion-Paraguay





RE: mod_ssl for Red Hat 6.2

2001-11-11 Thread Jian Chen

Hi, Edward,

I also spent a long time to try to find it, and I only found one, it is:
mod_ssl-2.6.6_1.3.12-1.i386.rpm. Do a search on www.google.com, and you will
find this:

http://www.megaloman.com/~hany/RPM/doors2.4/mod_ssl-2.6.6_1.3.12-1.i386.html

So far, I do not think redhat provides a modssl version for redhat 6.2.

Let me know if you have found any other better one.

Jian Chen
Nov. 11



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, November 11, 2001 6:52 AM
To: [EMAIL PROTECTED]
Subject: mod_ssl for Red Hat 6.2


Hello,

Where can I get the rpm package of mod_ssl for install with Red Hat 6.2?
Thanks,

Edward.





Re: Using openssl and smime with binary files

2001-11-11 Thread david

Thanks for that advice.  Your suggestion led me to try the -nodetach option 
on both the verify and the sign operation, and I can vouch for success.

I think my confusion stems from two places:
- I didn't see enough of the definitions of terms to quite understand what 
opaque signing was.
- Some of the documents aren't quite as clear as they could be about 
possible data formats.  For example, I initially confused the data formats 
taken by the rsautl function (they need raw keys) and dgst and smime, 
which need certificates or other formats.  I'm sure it's just that I'm sort 
of new to this.

Thanks for your efforts.


At 05:03 PM 11/11/2001 +, you wrote:
> david wrote:
> >
> > Folks
> >
> > As part of an exploration, I have used the openssl command line tool in
> > Redhat 7.1 and successfully:
> > - created a self-signed ca cert
> > - created an end-entity cert
> > - Using openssl smime, I've signed a text message.
> > - Using openssl smime, I've verified the text message
> > And that took some doing (the doc's are far from clear).
> >
>
> In what way aren't the docs clear? There are extensive examples in the
> smime manual page.
>
> > I am unable to do this, however, with a binary file.  I tried to append the
> > word -binary to my
> > openssl smime -sign
> > command, but the verification step always fails with a message digest
> > error.  The exact message that shows up is:
> >
> > 5644:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:pk7_doit.c:762
> > followed by another message about verify failure.
> >
> > Is there a way to use the command line tool for signing binary data?
> >
>
> Since you haven't included the complete command line I'm assuming you
> are using the default cleartext MIME format. This may have problems with
> binary data. You may have more luck using opaque signing (the -nodetach
> option) or using DER or PEM format and either distributing the signed
> content separately or including it with the signature (again the
> -nodetach option).
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Gemplus: http://www.gemplus.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.




linux v/s solaris

2001-11-11 Thread Ruby Cruiser

My client_server program with SSL, works fine in Linux
but fails in Solaris.

In Solaris, SSL_accept and SSL_connect fail with
reason 1 (which is [#define SSL_ERROR_SSL 1]).

I am using the cert and key file correctly.

Am I missing anything else? Anyone please help!



API's ??

2001-11-11 Thread Ruby Cruiser

For generating the certificate and private file, I am
currently using the command line interface... that is
commands like openssl genrsa ... and openssl req
-new -x509... etc.

But, are there any openssl API's for the same? If yes,
please let me know few APIs.

Thanks for the assistance,
Ruby






Installing Secure Cert

2001-11-11 Thread Ben Ocean

Hi;
I would have thought finding information on how to install a secure 
certificate from Thawte would have been *easy*, but after searching 
everywhere I could think for over an hour I've become dismayed :(( 
Hopefully someone can point me to the step-by-step procedures on how to do 
this routine, mundane task.
TIA,
BenO





INSTALL OPENSSL

2001-11-11 Thread Francisco Castillejo

Hi,
I'm new in openssl world XD. I don't know how to install openssl in windows.
Can anyone help me?
Sorry, my english is horrible.
Thanks




PKCS7 problem sending enveloped messages across network.

2001-11-11 Thread Frank Geck

I think (not sure) that the problem I'm having is one of big endian and
little endian.  I'm trying to send out the output of a
PEM_write_bio_PKCS7 to other computers (sun and Linux). I'm sending
these Multicast and with loopback and the sender is always able to
process the message but the receiver never is (Need another sun
workstation to prove theory and I don't have one). But my thought is
that depending upon how the PKCS7 structure is saved (i.e. has ints that
it just saves to a buffer) that the linux machine sends them in little
endian and the sun chokes on them and vice versa.  If you think this is
the problem, can anyone solve this without changing openssl code (i.e.
PEM_write_bio_PKCS7/PEM_ASN1_write_bio)?

Thanks,

Frank




Problems building OpenSSL (0.9.6b) on OpenBSD 2.6

2001-11-11 Thread Paul Civati


I'm trying to get OpenSSL 0.9.6b working on OpenBSD 2.6 so that I can
build the latest OpenSSH (I'm using the portable version as the native
OpenBSD version does not build on releases before 2.6).

I have installed the new OpenSSL under /usr/local/openssl, and when
running the OpenSSH configure I get the following test failure for
the OpenSSL library.

Anyone have any ideas?

What is the error concerning undefined __GLOBAL_OFFSET_TABLE_ all
about?

configure:8191: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I/usr/local/openssl/include  -L/usr/local/openssl/lib  conftest.c -lutil -lz -lcrypto >&5
ld: symbol __GLOBAL_OFFSET_TABLE_ remains undefined
configure:8194: $? = 0
configure:8196: ./conftest
Memory fault (core dumped)
configure:8199: $? = 139
configure: program exited with status 139
configure: failed program was:
#line 8176 "configure"
#include "confdefs.h"

#include <string.h>
#include <openssl/rand.h>
int main(void)
{
char a[2048];
memset(a, 0, sizeof(a));
RAND_add(a, sizeof(a), sizeof(a));
return(RAND_status() <= 0);
}

-Paul-




Re: openssl-0.9.6b on solaris-sparcv9-cc

2001-11-11 Thread Erich Titl

Hi

Aslam wrote the following at 19:48 09.11.2001:
> I'm trying to compile openssl-0.9.6b on solaris-sparcv9-cc.. and when I do
> make as per the install in openssl-0.9.6b\.. I get following error message..
>
> $ make
> + rm -f libcrypto.so.0
> + rm -f libcrypto.so
> + rm -f libcrypto.so.0.9.6
> + rm -f libssl.so.0
> + rm -f libssl.so
> + rm -f libssl.so.0.9.6
> making all in crypto...
> cc -I. -I../include -KPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM  -c  cryptlib.c
> /usr/ucb/cc:  language optional software package not installed
> *** Error code 1
> make: Fatal error: Command failed for target `cryptlib.o'
> Current working directory /etc/export/home/openssl/openssl-0.9.6b/crypto
> *** Error code 1
> make: Fatal error: Command failed for target `sub_all'
>
> Could any one tell me what all he is asking about ??

Looks like you are missing some software on your solaris installation, e.g.
the compiler.
You might try to use gcc.

regards

Erich Titl

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16




NT Services

2001-11-11 Thread Anthony Chau

Dear all,

I am a newcomer to OpenSSL.

I am now developing a Win2K Service (also a newcomer on writing Services)
that can decrypt a message with a private key and generate key pairs.

I want to ask: should I use the .lib in the Service directly, or do I need
to create an ATL COM to wrap OpenSSL first?

Any more suggestions on writing the Services?

Thank you.

Anthony


??: NT Services

2001-11-11 Thread YONG.YUE

I think using ATL COM is not necessary; you just need to build a normal
Windows service. Be careful of memory leaks. :)

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Anthony Chau
  Sent: November 10, 2001 13:23
  To: [EMAIL PROTECTED]
  Subject: NT Services

  Dear all,

  I am a newer to OpenSSL.
  I am now developing a Win2K Services (also a newer on writing Services)
  that can decrypt a message with private key and generating key pairs.
  I want to ask should I use the .lib in the Services directly / need to
  create an ATL COM to wrap the OpenSSL first??
  Anymore suggestions on writing the Services?

  Thank you.

  Anthony


listening to browser output

2001-11-11 Thread Hans-Heinrich Braun

I am doing a lot of client programming replacing the browser by a client 
program.
To verify my program I look at the browser output with ngrep.
But in case of SSL I don't see anything. Is there a solution for this need?




Re: mod_ssl for Red Hat 6.2

2001-11-11 Thread edward

Jian Chen wrote:

> Hi, Edward,
>
> I also spent a long time to try to find it, and I only found one, it is:
> mod_ssl-2.6.6_1.3.12-1.i386.rpm. Do a search on www.google.com, and you will
> find this:
>
> http://www.megaloman.com/~hany/RPM/doors2.4/mod_ssl-2.6.6_1.3.12-1.i386.html
>
> So far, I do not think redhat provides a modssl version for redhat 6.2.
>
> Let me know if you have found any other better one.
>
> Jian Chen
> Nov. 11

Hello,

I found a mod_ssl for apache 1.3.22 ( rpm package ) at
http://www.megaloman.com/~hany/RPM/doors3.1/mod_ssl-2.8.5-1.i386.html
I think it is working with apache 1.3.22 under RH 6.2 system

Edward.





How to get extensions from request to cert?

2001-11-11 Thread Gerd Schering



Hi,

is there a possibility to propagate the (values for) requested
extensions by the CSR to the resulting cert, without
mentioning them in the extension section of the config file
(as long as copy_extensions doesn't work in production
releases)?

Gerd

-- 
PS.: Send replies (if any) to the address below. The address 
in the header might be misleading or not available!
 
--
-- Gerd Schering
-- Email: [EMAIL PROTECTED]
--