RE: how to setup SSL_CTX to use private keys from smartcards.. ??

2001-11-14 Thread Tal Mozes

Aslam,

I had the same problem. I solved it in the following way:
I got the certificate from CryptoAPI and created an X509 struct from it. For
the private key, I created an RSA struct and filled it with as much data as I
could from CryptoAPI. I couldn't get the private key, of course, so I got
only the key length... I used the app_data field of the RSA struct to point
to a struct that contains extra info about the key (e.g. an indication that
this is a CryptoAPI key, and the key's HCRYPTPROV and HCRYPTKEY). After
that, the key should be wrapped as an EVP_PKEY.
In order for the extra information to be actually used, I created a new
RSA_METHOD with functions that call CryptoAPI to do the work. I had to
implement the rsa_sign function too, in order to be able to call the
CryptoAPI SignHash function with CALG_SSL3_SHAMD5.

So when OpenSSL wants to use the private key associated with a connection,
my rsa_method functions are called; they determine if the key is an
OpenSSL key (and if so, the original rsa_meth is used) or a CryptoAPI key
(and then CryptoAPI is used with the extra info saved in the struct pointed
to by the app_data field).

This works for RSA keys only (as far as I know there is no EVP_PKEY_METHOD,
so you can't hook your code at the EVP level), but you can do the same for
DSA keys too, if your application uses them.

Hope this helps.

Tal


 -Original Message-
 From: Aslam [SMTP:[EMAIL PROTECTED]]
 Sent: Tuesday, November 13, 2001 6:50 PM
 To:   '[EMAIL PROTECTED]'
 Subject:  how to setup SSL_CTX to use private keys from smartcards.. ??

 Hi,

 I'm using openssl-0.9.6b for performing ssl/tls client and server stuff...
 I'm able to do it when I export my private keys in some file (PEM or pkcs8
 format) and call the appropriate API for SSL_CTX to set the private key. All
 this works fine.. But how do I set up the SSL_CTX to use private keys
 from some smartcard, or say from a key container in Microsoft crypto stuff??

 Thanks
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Join the Guanxitong platform, make business friends, win exciting prizes

2001-11-14 Thread UP30

Join Guanxitong, win a Shangwutong!

The Guanxitong software is the access platform for the "relationship alliance" database of the Sanshi Erli network (www.up30.com). It is an online networking platform with a credit dimension, and all users join under their real personal identity. The relationship alliance under Sanshi Erli was set up by a group of industry people to make business contacts and information exchange easier, and elites from every industry and region who want to keep expanding their personal networks are joining. To build wider personal connections on Guanxitong, all you have to do is actively exchange information with other users under your real identity.
Develop relationships: "thirty and established" (Sanshi Erli) is our slogan!

Log on to the Sanshi Erli site www.up30.com and register as a Guanxitong platform user; many industry elites with verified identities and credit ratings are waiting for you. Join Guanxitong, develop relationships, Sanshi Erli.
Promotion rules:
(Promotion period: 1 November 2001 to 30 November 2001)
◆ Log on to the Sanshi Erli site now and register your real personal details to become a Guanxitong user (with the business-card exchange feature you can quickly build your circle of contacts);
◆ Before 30 November, on the Sanshi Erli home page, recommend the 3 friends on Guanxitong you consider most valuable (remember to check the recommendation ranking on the site);
◆ The 1 user who receives the most recommendations wins the Most Valuable Partner award: a Shangwutong Benyang 2186 worth 4,680 yuan;
◆ Based on users' comments, from the 10 most-recommended users we will choose 1 Most Genuine User and 1 Most Enthusiastic User, each receiving a Shangwutong Xianjie MBA8823 worth 1,380 yuan;
◆ The first 30 users become Guanxitong VIP users, get a personal recommendation feature on the Sanshi Erli site, and enjoy a range of special services later on.
◆ During your first 3 uses of Guanxitong you have the chance to introduce 10 of your old friends. In any Guanxitong promotion, whenever you win, they win with you. In this promotion the 10 friends of the Most Valuable User may each choose 1 gift from: JAZZ men's cologne, a classic all-steel sports watch, a SANFO hollow-fibre four-hole cotton travel sleeping bag, or a complete set of The Adventures of Tintin.

1. Winners' details will be verified; anyone found to have supplied false information is disqualified from the promotion.
2. Shenzhen Aierpu Information Technology Co., Ltd. reserves the right of final interpretation of this promotion.

www.up30.com
Copyright 2001 UP30com All rights reserved.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]




[no subject]

2001-11-14 Thread Mads

 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: build in HP using aCC compiler

2001-11-14 Thread Wang, Kate
Mark,

I tried both 3.25 and 3.31, but both give me different error messages. I am
compiling openssl-0.9.6a.

I printed the error message from 3.25 below; hope you can give me a hand to solve
this problem. I created a soft link cc to aCC. I have used all the default
configure flags from the openssl makefile for ANSI C. I think this might be the
problem, but because I am not familiar with aCC, I don't know what configuration
options I should change. If possible, would you please let me know your
configure options?

Thanks a lot for your help. I have been struggling with this for days.

cc -I. -I../include -DTHREADS -D_REENTRANT -DDSO_DL -D_REENTRANT +O3 -z +DAportable +Olibcalls -Ae -Aa +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -c cryptlib.c
aCC: warning 901: unknown option: `-Ae': use +help for online documentation.
cc -I. -I../include -DTHREADS -D_REENTRANT -DDSO_DL -D_REENTRANT +O3 -z +DAportable +Olibcalls -Ae -Aa +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -c mem.c
aCC: warning 901: unknown option: `-Ae': use +help for online documentation.
cc -I. -I../include -DTHREADS -D_REENTRANT -DDSO_DL -D_REENTRANT +O3 -z +DAportable +Olibcalls -Ae -Aa +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -c mem_dbg.c
aCC: warning 901: unknown option: `-Ae': use +help for online documentation.
Error 212: "mem_dbg.c", line 321 # Argument type 'unsigned long (app_mem_info_st *)' does not match expected parameter type 'unsigned long (*)()'.
    if ((amih=lh_new(app_info_hash,app_info_cmp)) == NULL)
    ^
Error 212: "mem_dbg.c", line 321 # Argument type 'int (app_mem_info_st *,app_mem_info_st *)' does not match expected parameter type 'int (*)()'.
    if ((amih=lh_new(app_info_hash,app_info_cmp)) == NULL)

Error 212: "mem_dbg.c", line 414 # Argument type 'unsigned long (mem_st *)' does not match expected parameter type 'unsigned long (*)()'.
    if ((mh=lh_new(mem_hash,mem_cmp)) == NULL)

Error 212: "mem_dbg.c", line 414 # Argument type 'int (mem_st *,mem_st *)' does not match expected parameter type 'int (*)()'.
    if ((mh=lh_new(mem_hash,mem_cmp)) == NULL)
    ^^^

Kate

  -Original Message-
  From: Mark Annal [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, November 13, 2001 4:26 PM
  To: [EMAIL PROTECTED]
  Subject: RE: build in HP using aCC compiler

  I'm building on HP-UX 11.0 using aCC 3.25 with no issues.
  _

  Mark Annal
  e-mail: [EMAIL PROTECTED]        TARGUSinfo
  phone : (716) 598-7011           255 Woodcliff Drive
  fax   : (716) 598-7001           Fairport, NY 14450
  web   : www.targusinfo.com
  _

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Wang, Kate
  Sent: Tuesday, November 13, 2001 6:37 PM
  To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
  Subject: build in HP using aCC compiler

  Hi,
  Has anyone been able to build openssl on HP using the aCC (C++) compiler?
  Thanks. kate
  __
  OpenSSL Project http://www.openssl.org
  User Support Mailing List[EMAIL PROTECTED]
  Automated List Manager   [EMAIL PROTECTED]


Re: Need clarification on SSL_CTX_sess*() routines

2001-11-14 Thread Louis LeBlanc

Hey Lutz.  Thanks for your confirmation  to my last message.  Sorry to
bother everyone  again, but I'm  still not  seeing what I  expect with
this one call to see how many renegotiations I am getting.

> On Sun, Nov 11, 2001 at 11:22:07PM -0500, Louis LeBlanc wrote:
>> . . .
>> Here is what I'm calling:
>> . . .
>> SSL_CTX_sess_connect_renegotiate(ssl_ctx);
>>
>> . . .
>>
>> SSL_CTX_sess_connect_renegotiate() returns the number of start
>> renegotiations in client mode.
>>  Total number of renegotiations as a client - whether active or not.
>> . . .

This is what I am doing to fetch the info:

void dump_sslcache_stats()
{
  char      errbuf[1024];
  long int  items, cca, ccs, crr, sch;

  /* ssl_ctx is the process-wide SSL_CTX */
  items = SSL_CTX_sess_number(ssl_ctx);
  cca   = SSL_CTX_sess_connect(ssl_ctx);
  ccs   = SSL_CTX_sess_connect_good(ssl_ctx);
  crr   = SSL_CTX_sess_connect_renegotiate(ssl_ctx);
  sch   = SSL_CTX_sess_hits(ssl_ctx);

  sprintf(errbuf, "SSL session cache stats: \n \
%25ld items in the session cache.\n \
%25ld client connects (SSL_connect()).\n \
%25ld client connects that finished.\n \
%25ld client renegotiatations requested.\n \
%25ld session cache hits.",
          items, cca, ccs, crr, sch);

  log_error(errbuf);
}

I've configured the process to call this routine on receipt of a
SIGUSR2 signal. Here is what it looks like in the log:

2004-19:20:10 20262: thread 0: waiting for QM
2004-19:20:10 20262: thread 1: dumping state
2004-19:20:10 20262: thread 2: waiting for ICP packet
2004-19:20:10 20262: 33 threads, 3 used, 3 active
2004-19:20:10 20262: SSL session cache stats: 
 1 items in the session cache.
44 client connects (SSL_connect()).
44 client connects that finished.
 0 client renegotiatations requested.
43 session cache hits.

This  one is  as expected,  but  then I  shut down  the Apache  server
accepting the requests, and remove the  SSL session cache file and the
semaphore file to ensure that no sessions remain cached when I restart
Apache.

So  when I  restart the  server, and  request one  more item  (without
having shut my client process down) I get the following:

2004-19:22:53 20262: thread 0: waiting for QM
2004-19:22:53 20262: thread 1: dumping state
2004-19:22:53 20262: thread 2: waiting for ICP packet
2004-19:22:53 20262: 33 threads, 3 used, 3 active
2004-19:22:53 20262: SSL session cache stats: 
 2 items in the session cache.
45 client connects (SSL_connect()).
45 client connects that finished.
 0 client renegotiatations requested.
43 session cache hits.

So  the only  thing  that  looks wrong  is  the client  renegotiations
requested.

Any idea what I'm doing wrong?

BTW, we're still running with V0.95a, if that matters.

Thanks
Lou
-- 
Louis LeBlanc   [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

Reporter, n.:
  A writer who guesses his way to the truth and dispels it with a
  tempest of words.
-- Ambrose Bierce, The Devil's Dictionary






RE: build in HP using aCC compiler

2001-11-14 Thread Mark Annal
Hi Kate,

> I created a soft link cc to aCC

This is the problem. The OpenSSL configure script selects the cc compiler, which on my
box is /bin/cc, a soft link to /opt/ansic/bin/cc, the standard HP ANSI
'C' compiler. All of my Open Source 'C' stuff is built using this compiler. I
only use aCC for my own 'C' and 'C++' code.

When I soft link cc to aCC I get the same problem.

I'm using OpenSSL 0.9.6b and configure using the command:

./config +DAportable +Z -DPIC

You don't particularly need the extra options. I use them to generate "position
independent code" since I do some trickery with shared libraries later in my
source build.

Mark Annal
TARGUSinfo
255 Woodcliff Drive
Fairport, NY 14450
Phone: (716) 598-7011
Fax: (716) 598-7001




Creating a S/MIME cert

2001-11-14 Thread Harry Hoffman

Hey All,
  I'm very new to the list and have been searching all day trying to find
this answer. I would like to create S/MIME keys for all of my mail users
so that they can encrypt/sign emails. Can anyone point me in the direction
of a good howto?


TIA,
Harry

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Non standard X509 V3 extension.

2001-11-14 Thread Rod Gilchrist

Hi,

The -certopt command doesn't seem to be in either 0.9.6b or
in the snapshot from Nov 13.

Is it available somewhere else?

I'm wondering if there is a certTemplate for server
as well as client.

- Rod


Dr S N Henson wrote:

> Alexey Kobozev wrote:
>
>>> Hi, All!
>>>
>>> I'm having a problem generating the certificate which can be
>>> used as client certificate on Windows XP. The problem is that
>>> client certificate must have the special MS's proprietary
>>> X509 V3 extension 'Certificate Template' with oid 1.3.6.1.4.1.311.20.2
>>> and has to be treated as a string (similar to nsComment, for example).
>>>
>>> I've tried to add it to oid_section in the openssl.cnf, but it
>>> doesn't work, because (afaik) these new oids are for the rvalue
>>> only - I need lvalue.
>>>
>>> So, the question is how can I add such a non standard thing into
>>> the newly generated cert?
>>>
>>
>>> Can you send me an example of a certificate with that extension.
>>
>> Sure. I've sent it to [EMAIL PROTECTED]
>>
>
> Thanks. The type of that extension is a BMPString not the IA5String that
> Netscape comment uses. In this case if you do
>
> openssl x509 -in a.cer -certopt ext_dump
>
> you get (among other things)
>
> 1.3.6.1.4.1.311.20.2:
>  - 1e 08 00 55 00 73 00 65-00 72
> ...U.s.e.r
>
> So if you add the oid you should be able to do:
>
> certTemplate=DER:1e:08:00:55:00:73:00:65:00:72
>
> This isn't particularly friendly but it should work. I might extend the
> unsupported extension syntax a bit so you can do things like:
>
> certTemplate=BMPString:User
>
> There's also an otherName extension in there which I've been meaning to
> add support for too...
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Gemplus: http://www.gemplus.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
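Steve's quoted explanation (BMPString, tag 1e, and the DER: hex syntax) as an added example that is not OpenSSL code and not from the thread: it builds the DER bytes for a template name, renders the openssl.cnf value, and validates a dumped value in the other direction. The function names are mine; "Machine" in the usage is a constructed sample name, not one taken from the thread.

```c
/* Added example for the certTemplate extension value quoted above. It is
 * not OpenSSL code: it only builds and checks the DER bytes that follow
 * "DER:" in an openssl.cnf extension line. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DER_TAG_BMPSTRING 0x1e

/* Encode an ASCII name as a DER BMPString: tag, short-form length, UTF-16BE
 * body. Returns bytes written, or 0 if the name is too long or out too small. */
size_t der_bmpstring(const char *name, unsigned char *out, size_t outlen) {
    size_t n = strlen(name), body = 2 * n;
    if (body > 127 || outlen < 2 + body) return 0;   /* short-form length only */
    out[0] = DER_TAG_BMPSTRING;
    out[1] = (unsigned char)body;
    for (size_t i = 0; i < n; i++) {
        out[2 + 2 * i] = 0x00;                 /* high byte: ASCII only */
        out[3 + 2 * i] = (unsigned char)name[i];
    }
    return 2 + body;
}

/* Render DER bytes in the colon-separated hex form openssl.cnf accepts. */
size_t der_to_cnf_value(const unsigned char *der, size_t len, char *out, size_t outlen) {
    if (len == 0 || outlen < 4 + 3 * len) return 0;
    size_t pos = (size_t)sprintf(out, "DER:");
    for (size_t i = 0; i < len; i++)
        pos += (size_t)sprintf(out + pos, i ? ":%02x" : "%02x", der[i]);
    return pos;
}

/* Reverse direction: validate a dumped BMPString and recover the ASCII name.
 * Returns the name length, or -1 if the bytes are not a well-formed ASCII
 * BMPString (wrong tag, bad length, or a code unit outside 00xx). */
int bmpstring_to_ascii(const unsigned char *der, size_t len, char *out, size_t outlen) {
    if (len < 2 || der[0] != DER_TAG_BMPSTRING || der[1] > 127) return -1;
    if ((size_t)der[1] + 2 != len || der[1] % 2 != 0) return -1;
    size_t n = der[1] / 2;
    if (outlen < n + 1) return -1;
    for (size_t i = 0; i < n; i++) {
        if (der[2 + 2 * i] != 0x00) return -1;   /* non-ASCII code unit */
        out[i] = (char)der[3 + 2 * i];
    }
    out[n] = '\0';
    return (int)n;
}

/* The complete openssl.cnf value for a template name (NULL if too long). */
const char *cert_template_cnf_value(const char *name) {
    static char line[4 + 3 * 129];
    unsigned char der[129];
    size_t n = der_bmpstring(name, der, sizeof der);
    if (n == 0 || der_to_cnf_value(der, n, line, sizeof line) == 0) return NULL;
    return line;
}

/* Encode, decode again, and report whether the name survives unchanged. */
int cert_template_roundtrip_ok(const char *name) {
    unsigned char der[129];
    char back[64];
    size_t n = der_bmpstring(name, der, sizeof der);
    return n != 0 && bmpstring_to_ascii(der, n, back, sizeof back) >= 0
        && strcmp(back, name) == 0;
}

int main(void) {
    printf("certTemplate=%s\n", cert_template_cnf_value("User"));
    printf("certTemplate=%s\n", cert_template_cnf_value("Machine")); /* constructed name */
    return 0;
}
```

The BMPString body is UTF-16BE, which is why every character in the dump is preceded by 00. The decoder rejects any other high byte rather than silently dropping it, since an ASCII-only helper cannot represent such a name and a certificate carrying one should be looked at, not quietly accepted.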



Re: Non standard X509 V3 extension.

2001-11-14 Thread Dr S N Henson

Rod Gilchrist wrote:
>
> Hi,
>
> The -certopt command doesn't seem to be in either 0.9.6b or
> in the snapshot from Nov 13.
>
> Is it available somewhere else?
>

It's in the 0.9.7 development version.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Overwriting the Private key file (file.pem)

2001-11-14 Thread Manty, George



I have a question regarding the private key file. I am working on writing a Java program
that will extract the public and private key from a keystore file and then
overwrite the cert.pem and file.pem from another program that is using
OpenSSL. The cert.pem and file.pem are created using the OpenSSL APIs
to create a certificate key pair, without any encryption to protect the private
key.

I tried getting the binary encoded private key from the keystore and then base64 encoding it
and writing it to the file.pem file in between the "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----", but
that does not seem to work. I compared the files and besides a size
difference I noticed that there were line feed characters every 64 bytes in the
original "file.pem" file, so I modified the new "file.pem" to have line feeds
every 64 bytes, but still no success. I am having trouble finding
information on the formatting of the private key file in OpenSSL "file.pem" and
would appreciate any help in this area.

Thank you,
George
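The 64-column base64 body George noticed is only half of what makes a file.pem loadable: the bytes inside must be the DER structure the label names. An "RSA PRIVATE KEY" block holds a PKCS#1 RSAPrivateKey, while the encoding a Java PrivateKey.getEncoded() hands out is a PKCS#8 PrivateKeyInfo, which belongs under a "PRIVATE KEY" label instead. As an added example that is not OpenSSL code and not from the thread, the block below tells the two apart from the outer DER structure, picks the matching label, and writes the 64-column body; the DER inputs are constructed skeletons with the right shape, not real keys, and all function names are mine.

```c
/* Added example for the file.pem question above. Not OpenSSL code: it
 * reimplements the two things a hand-written PEM writer must get right,
 * the base64 body wrapped at 64 columns and a label that matches the DER
 * structure inside. The DER samples are constructed skeletons, not real keys. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read one DER tag/length header. Returns header size, or 0 if malformed. */
static size_t der_header(const unsigned char *p, size_t len, unsigned char *tag, size_t *clen) {
    if (len < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80) { *clen = p[1]; return 2; }
    size_t nbytes = p[1] & 0x7f, n = 0;
    if (nbytes == 0 || nbytes > sizeof(size_t) || len < 2 + nbytes) return 0;
    for (size_t i = 0; i < nbytes; i++) n = (n << 8) | p[2 + i];
    *clen = n;
    return 2 + nbytes;
}

/* Which PEM label a private-key DER blob belongs under:
 *   PKCS#1 RSAPrivateKey  = SEQUENCE { INTEGER version, INTEGER n, ... }
 *   PKCS#8 PrivateKeyInfo = SEQUENCE { INTEGER version, SEQUENCE algorithm, ... }
 * Returns NULL when the blob is neither. */
const char *pem_label_for_private_key(const unsigned char *der, size_t len) {
    unsigned char tag;
    size_t h, clen;
    h = der_header(der, len, &tag, &clen);
    if (!h || tag != 0x30 || h + clen != len) return NULL;  /* outer SEQUENCE */
    const unsigned char *p = der + h;
    size_t rem = clen;
    h = der_header(p, rem, &tag, &clen);
    if (!h || tag != 0x02 || h + clen > rem) return NULL;   /* INTEGER version */
    p += h + clen;
    rem -= h + clen;
    h = der_header(p, rem, &tag, &clen);
    if (!h || h + clen > rem) return NULL;
    if (tag == 0x02) return "RSA PRIVATE KEY";   /* modulus n follows: PKCS#1 */
    if (tag == 0x30) return "PRIVATE KEY";       /* AlgorithmIdentifier follows: PKCS#8 */
    return NULL;
}

/* Base64 with a newline after every 64 output characters, as OpenSSL writes it.
 * Returns characters written (0 for empty input or a too-small buffer). */
size_t base64_pem_body(const unsigned char *in, size_t len, char *out, size_t outlen) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t need = 4 * ((len + 2) / 3);
    need += need / 64 + 2;                       /* newlines plus NUL */
    if (outlen < need) return 0;
    size_t pos = 0, col = 0;
    for (size_t i = 0; i < len; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < len) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < len) v |= in[i + 2];
        out[pos++] = tbl[(v >> 18) & 63];
        out[pos++] = tbl[(v >> 12) & 63];
        out[pos++] = i + 1 < len ? tbl[(v >> 6) & 63] : '=';
        out[pos++] = i + 2 < len ? tbl[v & 63] : '=';
        col += 4;
        if (col == 64 && i + 3 < len) { out[pos++] = '\n'; col = 0; }
    }
    if (pos) out[pos++] = '\n';
    out[pos] = '\0';
    return pos;
}

/* Complete PEM image for a private-key blob; 0 if the label cannot be
 * determined or the buffer is too small. */
size_t private_key_to_pem(const unsigned char *der, size_t len, char *out, size_t outlen) {
    const char *label = pem_label_for_private_key(der, len);
    char body[4096];
    if (!label || !base64_pem_body(der, len, body, sizeof body)) return 0;
    int n = snprintf(out, outlen, "-----BEGIN %s-----\n%s-----END %s-----\n", label, body, label);
    return (n < 0 || (size_t)n >= outlen) ? 0 : (size_t)n;
}

/* Constructed skeletons (not real keys): just enough structure to classify. */
static const unsigned char pkcs1_skeleton[] = { 0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x05 };
static const unsigned char pkcs8_skeleton[] = { 0x30, 0x07, 0x02, 0x01, 0x00, 0x30, 0x02, 0x05, 0x00 };

const char *pem_for_skeleton(int pkcs8) {
    static char pem[512];
    const unsigned char *d = pkcs8 ? pkcs8_skeleton : pkcs1_skeleton;
    size_t len = pkcs8 ? sizeof pkcs8_skeleton : sizeof pkcs1_skeleton;
    return private_key_to_pem(d, len, pem, sizeof pem) ? pem : NULL;
}

/* Number of body lines a blob of `len` zero bytes (up to 256) produces. */
size_t pem_body_line_count(size_t len) {
    unsigned char buf[256] = { 0 };
    char body[512];
    size_t n = base64_pem_body(buf, len > sizeof buf ? sizeof buf : len, body, sizeof body), lines = 0;
    for (size_t i = 0; i < n; i++) if (body[i] == '\n') lines++;
    return lines;
}

int main(void) {
    fputs(pem_for_skeleton(0), stdout);
    printf("PKCS#8 skeleton goes under: %s\n", pem_label_for_private_key(pkcs8_skeleton, sizeof pkcs8_skeleton));
    return 0;
}
```

The classifier only looks at the first two elements of the outer SEQUENCE, which is enough to choose a label but not to prove the key is valid; OpenSSL's own parser does the rest. If the exported blob turns out to be PKCS#8 and the consuming program insists on the traditional form, `openssl rsa -in key8.pem -out key1.pem` rewrites an unencrypted PKCS#8 RSA key as a PKCS#1 "RSA PRIVATE KEY" block.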



x509 howto

2001-11-14 Thread Mads

Anyone knows of a good introduction to x509 certificates? I am looking
for info on the structure and encoding.
 
I am currently studying the openssl implementation to see how to extract
keys from the certificate but a guide or howto would be much
appreciated.
 
Kind regards,
 
Mads
Open Communication Security
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Importing self-signed certs into Outlook

2001-11-14 Thread Tony Lill

I've managed to get outlook to work with stunnel and a self signed
certificate for both sending and receiving mail. The only problem is
that outlook keeps whining about not being able to verify the cert
because the root certificate is not trusted.

I tried importing it with the Certificate Manager Wizard, but no
luck. Has anyone managed to make Outlook behave?
--
Tony Lill, [EMAIL PROTECTED]
President, A. J. Lill Consultantsfax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2 (519) 241 2461
--- http://www.ajlc.waterloo.on.ca/ 
Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Importing self-signed certs into Outlook

2001-11-14 Thread Dr S N Henson

Tony Lill wrote:
>
> I've managed to get outlook to work with stunnel and a self signed
> certificate for both sending and receiving mail. The only problem is
> that outlook keeps whining about not being able to verify the cert
> because the root certificate is not trusted.
>
> I tried importing it with the Certificate Manager Wizard, but no
> luck. Has anyone managed to make Outlook behave?

Have you tried explicitly trusting the certificate?

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Importing self-signed certs into Outlook

2001-11-14 Thread Dr S N Henson

Dr S N Henson wrote:
>
> Tony Lill wrote:
>>
>> I've managed to get outlook to work with stunnel and a self signed
>> certificate for both sending and receiving mail. The only problem is
>> that outlook keeps whining about not being able to verify the cert
>> because the root certificate is not trusted.
>>
>> I tried importing it with the Certificate Manager Wizard, but no
>> luck. Has anyone managed to make Outlook behave?
>
> Have you tried explicitly trusting the certificate?
>

Oops, didn't read the query enough. It may well not be possible to
actually use a self signed user certificate. Netscape also has problems
with this in that the same certificate has to be a user and CA
certificate. You may have to create a self signed root CA and sign end
user certificates with that.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



SSL_connect and SSL_accept

2001-11-14 Thread Pascal Janse van Vuuren



Hi again,

My problem with SSL_connect and SSL_accept that I
was having yesterday has been tracked down to this...

ssl23_get_server_hello
ssl23_read_bytes...

and then ...

int ret=0;

if (out != NULL)
	{
#ifndef BIO_FD
	clear_socket_error();
	ret=readsocket(b->num,out,outl);

I've made a few changes to my code, such as
explicitly setting the method, ensuring that SSL_set_connect_state() has been
called (for the client) and SSL_set_accept_state() has been called for the
server. I moved away from using a BIO_
for associating the socket with SSL, and rather
tried the SSL_set_fd() call - now it blocks at that readsocket(). (Almost what I
was expecting - but why is nothing coming back?)

Anybody who can help, it would be greatly
appreciated.
__

Pascal
Qbik New Zealand

"meddle not in the affairs of dragons, for ye
are crunchy and taste good with tomato
sauce"


Re: Importing self-signed certs into Outlook

2001-11-14 Thread Michael Sierchio

Dr S N Henson wrote:

> Oops, didn't read the query enough. It may well not be possible to
> actually use a self signed user certificate. Netscape also has problems
> with this in that the same certificate has to be a user and CA
> certificate. You may have to create a self signed root CA and sign end
> user certificates with that.

It isn't -- the protocol calls for the server to send a list of
DNs from acceptable signers, and the browser can't find one.  So,
plan B is correct -- a self-signed signer, and user certs signed with
that.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Importing self-signed certs into Outlook

2001-11-14 Thread Ryan Hurst

Tony, Outlook has a multi-dimensional certificate store. There are user
stores and machine stores. Within each store there are various compartments
my, intermediate, root, publishers, etc.

You may have problems if the certificate was imported into the incorrect
certificate store. Try using the MMC Certificate Management tool to import
the certificate instead.

Ryan

-Original Message-
From: Tony Lill [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 14, 2001 2:27 PM
To: [EMAIL PROTECTED]
Subject: Importing self-signed certs into Outlook

I've managed to get outlook to work with stunnel and a self signed
certificate for both sending and receiving mail. The only problem is
that outlook keeps whining about not being able to verify the cert
because the root certificate is not trusted.

I tried importing it with the Certificate Manager Wizard, but no
luck. Has anyone managed to make Outlook behave?
--
Tony Lill, [EMAIL PROTECTED]
President, A. J. Lill Consultantsfax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2 (519) 241 2461
--- http://www.ajlc.waterloo.on.ca/ 
Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Importing self-signed certs into Outlook

2001-11-14 Thread Ryan Hurst

Additionally since it is a self signed certificate place it in both the My
store and the Root store.

Ryan

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



SSL_accept and SSL_connect

2001-11-14 Thread Pascal Janse van Vuuren



Hiya,

To anyone who's interested - I found the
problem. It was my own stupidity, and a load of WSock calls that were messing me
around (essentially because I'm inheriting from a slightly deviant socket
implementation), but I've got it up and working now, all's well, connections
work the first time. Still some neatening to do - but that's the easy
bit.

Thx to everyone who responded with
advice/suggestions. OpenSSL rocks!
__

Pascal
Qbik New Zealand

"meddle not in the affairs of dragons, for ye
are crunchy and taste good with tomato
sauce"