Re: ssl connection from Eudora or Outlook

2001-12-03 Thread Lutz Jaenicke

On Sat, Dec 01, 2001 at 12:05:43AM -0800, Edgar Hodge wrote:
 I have a ssl connection problem and would like to know if anyone out there 
 can assist with resolving the problem.
 
 I am using stunnel/ssl to connect on port 995 (Unix Solaris 8.0) from a 
 Windows machine running Eudora 5.1.
 
 Upon trying to connect from the Eudora client to check my mail, I get the 
 following error:
 
 Logging into POP Server,
 SSL Negotiation Failed: You have configured this personality/protocol to 
 reject any exchange key lengths below 0. , But the negotiated exchange key 
 length is -1.  Hence this established secure channel is 
 unacceptable.  Connection will be dropped.  Cause: (-6992)
 
 If I use the openssl client to connect with the following command from the 
 Unix Prompt:
 
 #openssl s_client -connect localhost:995
 
 I get the following error message: CONNECTED(0003)
 write:errno=131

My HP-UX box does not offer errno=131...

Anyway: your problem seems to be at the server side. Please check out
the logs of stunnel...

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       [EMAIL PROTECTED]
Automated List Manager          [EMAIL PROTECTED]



[no subject]

2001-12-03 Thread charaf . echchatbi

Hello everybody,

  I am now using the openssl library to implement a protocol over ssl. To test it I
want to create a certificate authority CA (root), another CA called (CA Member)
signed by the Root certificate, and a certificate for a user (Allan) as client.

  My protocol uses an ssl connection between a client and a server. The server
requires a client's certificate and vice-versa. The trusted party is the CA
Member.

 My problem is:

 Is it necessary to be root for creating a root CA? If yes, how do I do so?

 How do I create a member CA signed by the root certificate?

 Thank you for your help.

 Charaf from Lausanne,
 Switzerland.







REMOVE

2001-12-03 Thread Benoit Chausse

REMOVE





Q about padding

2001-12-03 Thread Keresztfalvi Laszlo


Gens,

I'm new to encryption and just thinking about an application using SSL to
communicate and also for data (file) encryption both by OpenSSL (of course :-)

I found the next paragraphs in the EVP doc
(http://www.openssl.org/docs/crypto/EVP_EncryptInit.html#)

quote
When decrypting the final block is checked to see if it has the correct
form. 

Although the decryption operation can produce an error if padding is
enabled, it is not a strong test that the input data or key is correct. A
random block has better than 1 in 256 chance of being of the correct format
and problems with the input data earlier on will not produce a final decrypt
error. 
/quote


Would you please tell me what exactly can be the problem with padding? 

I hope this does not mean that I cannot decrypt what I encrypt with the same
parameter (padding enabled). Does this mean that padding can be tricked too
easily or what?

Many thanks
Laszlo

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: ssl-cert-HOWTO.txt for review

2001-12-03 Thread Andrew Finnell

 If openssl can generate random data and spit it out in a file then why use a file to begin with? Can't openssl ( tool ) just generate its random data internally and use that? I think that's a lot safer than spitting it out to a file and prevents less problems with the random data getting deleted/viewed. 

- Andrew


-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 



 -Original Message-
 From: Marcus Redivo [mailto:[EMAIL PROTECTED]] 
 Sent: Saturday, December 01, 2001 7:14 PM
 To: [EMAIL PROTECTED]
 Subject: RE: ssl-cert-HOWTO.txt for review
 
 
 Hello Fiel,
 
 Thanks for the comments.
 
 At 10:45 AM 12/1/01 -0800, Fiel Cabral wrote:
 
 My suggestion is to include info about the RANDFILE
 variable. I set RANDFILE=$HOME/.rnd in my environment
 and in the configuration file (the default value: 
 $ENV::HOME/.rnd). If 
 .rnd doesn't exist, I just copy a file to it (usually a 
 binary file or 
 a random-looking log file).
 
 I did not mention the RANDFILE, and in fact left it out of 
 the example configuration, because I was under the impression 
 that if I had /dev/*random I did not need it.
 
 If this is not true, could someone please correct me? Thanks.
 
 Now, the RANDFILE candidate. Using a binary or a log is 
 nowhere near random enough. Fortunately, openssl has a 
 command to create a better random file:
 
 # openssl rand -out $HOME/.rnd 1024
 
 (Don't send the output to your console unless you add the 
 -base64 switch, unless you like abstract art... ;) )
 
 BTW, I'm on the list now.
 
 Marcus Redivo
 
 The Binary Tool Foundry
 PO Box 2087 Stn Main
 Sidney BC Canada
 mailto:[EMAIL PROTECTED]
 http://www.binarytool.com
 
 
 





REMOVE

2001-12-03 Thread Dutta, Sumanta

REMOVE





RE: ssl-cert-HOWTO.txt for review

2001-12-03 Thread Vadim Fedukovich

Andrew,

openssl is rather a mixer than a generator of random data.
No deterministic (ok, stable) program can make something random.
To make a random secret one needs some input unavailable to an attacker.
/dev/random is internal enough and could be quite a good one.

regards,
Vadim

On Mon, 3 Dec 2001, Andrew Finnell wrote:

   If openssl can generate random data and spit it out in a file then
 why use a file to begin with? Can't openssl ( tool ) just generate its
 random data internally and use that? I think that's a lot safer than
 spitting it out to a file and prevents less problems with the random data
 getting deleted/viewed.

 - Andrew




IE5 on Mac - Security Problem

2001-12-03 Thread Donald MacLeod

I've seen similar posts on the following topic here but as yet no solution.
I get Security Failure: Data encryption error using IE 5.0 on a Mac when I
attempt to connect to a secure server running openssl 0.9.6.a.

How do I configure the server to get round this?








Re: RSA Keys

2001-12-03 Thread Alexander Kuit


On 03.12.2001 11:39:54 owner-openssl-users wrote:

Hi

Sorry for the resend.
This is a resend with the complete encoding type.


I am getting a file from a MS machine that contains an exported public
key. This data appears to be binary data. It has been exported with the
flag X509_ASN_ENCODING

Trying to read the file with PEM_read_publickkey() does not appear to
work. What is the correct function or other method to use to get this
data into a RSA * struct or a EVP_PKEY structure. Preferably EVP_PKEY to
add to a certificate.

PEM is the ascii version of the binary ASN/DER encoding, so PEM functions
won't work. To convert a binary (der) encoding into an internal OpenSSL
structure, use the d2i_* functions. In your case, probably the d2i_PublicKey()
or a similar function will do. See also the FAQ for more information
about the d2i_* functions.

Alex.
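
Alex's point about PEM versus DER, as an added example (not part of the original post and not OpenSSL code): the sketch tells the two encodings apart and converts between them, which is the check that decides between a PEM_read_* loader and a d2i_* loader. The 9-byte sample key (toy RSA values n = 3233, e = 17) and all function names are constructed for illustration.

```python
import base64
import re

# Constructed sample: DER for a PKCS#1 RSAPublicKey with toy values
# n = 3233, e = 17 (far too small for real use; it only feeds the parser).
SAMPLE_DER = bytes.fromhex("300702020ca1020111")

_PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)\s*-----END \1-----", re.S)


def der_to_pem(der, label):
    # PEM is the same DER bytes, base64-encoded and wrapped in armour lines.
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    text = "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)
    return text.encode("ascii")


def pem_to_der(pem):
    # Returns (label, der); raises if the armour lines are missing.
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM armour found")
    return m.group(1).decode("ascii"), base64.b64decode(m.group(2))


def der_outer_length(blob):
    # Total length of the first TLV, which must be a SEQUENCE (tag 0x30).
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                 # short form: length fits in one byte
        return 2 + first
    nlen = first & 0x7F              # long form: next nlen bytes hold the length
    if nlen == 0 or len(blob) < 2 + nlen:
        raise ValueError("unsupported or truncated DER length")
    return 2 + nlen + int.from_bytes(blob[2:2 + nlen], "big")


def sniff(blob):
    # "PEM" -> use a PEM reader; "DER" -> use a d2i-style binary decoder.
    if _PEM_RE.search(blob):
        return "PEM"
    try:
        if der_outer_length(blob) == len(blob):
            return "DER"
    except ValueError:
        pass
    return "unknown"


def to_der(blob):
    # Normalise either encoding to raw DER bytes.
    kind = sniff(blob)
    if kind == "PEM":
        return pem_to_der(blob)[1]
    if kind == "DER":
        return blob
    raise ValueError("neither PEM nor DER")


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER, "RSA PUBLIC KEY")
    print(sniff(SAMPLE_DER), sniff(pem))
    print(pem.decode("ascii"), end="")
```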




bad rsa decrypt

2001-12-03 Thread Dario Prester




Hello,
I am getting this error with Apache Web Server and mod_ssl (2.8.3-1.3.19)

OpenSSL: error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt

I get this error while testing my http server with
"openssl s_client -connect localhost:443"
What is wrong?

Can anyone help me to fix it?

Dario Prester
PT-TPD PA
ITALTEL SPA
Località Bivio Foresta SS. 113
Carini (PA) - ITALY
tel. +39 091 8615 577
fax. +39 091 8615 288
e-mail: [EMAIL PROTECTED]





REMOVE

2001-12-03 Thread Celina Rebello

REMOVE




Re: Q about padding

2001-12-03 Thread Dr S N Henson

Keresztfalvi Laszlo wrote:
 
 
 quote
 When decrypting the final block is checked to see if it has the correct
 form.
 
 Although the decryption operation can produce an error if padding is
 enabled, it is not a strong test that the input data or key is correct. A
 random block has better than 1 in 256 chance of being of the correct format
 and problems with the input data earlier on will not produce a final decrypt
 error.
 /quote
 
 Would you please tell me what exactly can be the problem with padding?
 

It's not a problem, more a limitation.

 I hope this does not mean that I cannot decrypt what I encrypt with the same
 parameter (padding enabled). Does this mean that padding can be tricked too
 easily or what?
 

All it is really saying is that passing the padding test (that is
EVP_DecryptFinal completing without error) is not by itself a reliable
guarantee of the integrity of the decrypted data or indeed the
correctness of the decryption key. The structure of the padding is such
that if the last byte of the last block decrypted is 01 then it is
considered valid. The chance of this happening is 1 in 256 for random
data.

Additionally only the final block is tested so errors earlier in the
data will not produce any error at all.

Protocols in which integrity of the data is important use
additional techniques such as message digests.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
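
The limitation described in this reply, as an added example (not part of the original thread and not OpenSSL code): it counts how often a wrong key still yields valid padding, shows that corruption in an early block raises no error, and adds an HMAC over the ciphertext to catch both. Assumptions: a toy Feistel cipher stands in for a real block cipher so that only the Python standard library is needed, HMAC-SHA256 stands in for the "message digests" mentioned above, and the keys, IV and message are constructed samples.

```python
# Added example: a clean padding check is not an integrity check. The cipher is
# a TOY 4-round Feistel built from SHA-256 (stdlib only); it is NOT AES.
import hashlib
import hmac
from fractions import Fraction

BLOCK = 16
KEY = b"correct-key-0001"      # constructed sample key
MAC_KEY = b"separate-mac-key"  # constructed, independent of KEY
IV = bytes(range(BLOCK))       # constructed; fixed only for reproducibility
MESSAGE = b"PAY 100 EUR TO ACCOUNT 12345678 REF 2001-12-03/0001"  # constructed

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Feistel round function: keyed hash of one 8-byte half.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    left, right = blk[:8], blk[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def dec_block(key, blk):
    left, right = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    # The final-block test: last byte n is in 1..BLOCK and is repeated n times.
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    data = pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = enc_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(dec_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return unpad(b"".join(out))

def exact_random_pass_probability():
    # A random final block passes if it ends in 01, or 02 02, or 03 03 03, ...
    return sum(Fraction(1, 256 ** k) for k in range(1, BLOCK + 1))

def wrong_key_hits(trials=5000):
    # Decrypt one ciphertext under many wrong keys; count clean padding checks.
    ct, hits = cbc_encrypt(KEY, IV, MESSAGE), 0
    for i in range(trials):
        wrong = hashlib.sha256(b"wrong" + i.to_bytes(4, "big")).digest()[:BLOCK]
        try:
            cbc_decrypt(wrong, IV, ct)
            hits += 1
        except ValueError:
            pass
    return hits

def flip_first_byte(blob):
    # Corrupt the first block only; the final block is untouched.
    return bytes([blob[0] ^ 0x01]) + blob[1:]

def seal(key, mac_key, iv, plaintext):
    # Encrypt-then-MAC: the tag covers IV and ciphertext.
    body = iv + cbc_encrypt(key, iv, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_sealed(key, mac_key, blob):
    body, tag = blob[:-32], blob[-32:]
    expect = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("MAC mismatch")  # reject before any decryption
    return cbc_decrypt(key, body[:BLOCK], body[BLOCK:])

if __name__ == "__main__":
    print("P(random block passes) =", float(exact_random_pass_probability()))
    print("wrong keys passing     =", wrong_key_hits(), "of 5000")
    bad = flip_first_byte(cbc_encrypt(KEY, IV, MESSAGE))
    print("corrupted, no error    =", cbc_decrypt(KEY, IV, bad))
    try:
        open_sealed(KEY, MAC_KEY, flip_first_byte(seal(KEY, MAC_KEY, IV, MESSAGE)))
    except ValueError as err:
        print("with HMAC              =", err)
```

The exact probability comes out slightly above 1/256 because 02 02, 03 03 03 and so on are also accepted, which matches the "better than 1 in 256" wording in the quoted documentation.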




random file???

2001-12-03 Thread Rosner, Seth

I am trying to run the command line /usr/local/ssl/bin/openssl -req -new
-nodes -keyout private.key -out public.csr  to create a verisign
certificate.  I am getting the PRNG not seeded error message.  How do I
create a .rand file?  Any suggestions? Thanks

I read the faq, not a lot of help:

[USER]
1. Why do I get a PRNG not seeded error message?
Cryptographic software needs a source of unpredictable data to work
correctly. Many open source operating systems provide a randomness device
that serves this purpose. On other systems, applications have to call the
RAND_add() or RAND_seed() function with
appropriate data before generating keys or performing public key encryption.
(These functions initialize the pseudo-random number generator, PRNG.) 
Some broken applications do not do this. As of version 0.9.5, the OpenSSL
functions that need randomness report an error if the random number
generator has not been seeded with at least 128 bits of randomness. If this
error occurs, please contact the author of the application you are using. It
is likely that it never worked correctly. OpenSSL 0.9.5 and later make the
error visible by refusing to perform potentially insecure encryption. 
On systems without /dev/urandom and /dev/random, it is a good idea to use
the Entropy Gathering Daemon (EGD); see the RAND_egd()
manpage for details. Starting with version
0.9.7, OpenSSL will automatically look for an EGD socket at
/var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and /etc/entropy. 
Most components of the openssl command line utility automatically try to
seed the random number generator from a file. The name of the default
seeding file is determined as follows: If environment variable RANDFILE is
set, then it names the seeding file. Otherwise if environment variable HOME
is set, then the seeding file is $HOME/.rnd. If neither RANDFILE nor HOME is
set, versions up to OpenSSL 0.9.6 will use file .rnd in the current
directory while OpenSSL 0.9.6a uses no default seeding file at all. OpenSSL
0.9.6b and later will behave similarly to 0.9.6a, but will use a default of
C:\ for HOME on Windows systems if the environment variable has not been
set. 
If the default seeding file does not exist or is too short, the PRNG not
seeded error message may occur. 
The openssl command line utility will write back a new state to the default
seeding file (and create this file if necessary) unless there was no
sufficient seeding. 
Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work. Use
the -rand option of the OpenSSL command line tools instead. The $RANDFILE
environment variable and $HOME/.rnd are only used by the OpenSSL command
line tools. Applications using the OpenSSL library provide their own
configuration options to specify the entropy source, please check out the
documentation coming with the application. 
For Solaris 2.6, Tim Nibbe [EMAIL PROTECTED] and others have suggested
installing the SUNski package from Sun patch 105710-01 (Sparc) which adds a
/dev/random device and make sure it gets used, usually through $RANDFILE.
There are probably similar patches for the other Solaris versions. However,
be warned that /dev/random is usually a blocking device, which may have some
effects on OpenSSL. 



Seth Rosner
Webmaster - OpenTV.com




FW: updates (SSL-Certificates-HOWTO)

2001-12-03 Thread Franck Martin

For your information

I will now add the comments I have received as well as the
ssl-cert-HOWTO.txt inside it...

Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: [EMAIL PROTECTED]
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/

This e-mail is intended for its addresses only. Do not forward this e-mail
without approval. The views expressed in this e-mail may not be necessarily
the views of SOPAC.



-Original Message-
From: Greg Ferguson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 4 December 2001 3:18 
To: [EMAIL PROTECTED]
Subject: updates (SSL-Certificates-HOWTO)


  SSL Certificates HOWTO
  Franck Martin  [EMAIL PROTECTED]
  v0.1  2001-11-18

  A first hand approach on how to manage a certificate authority (CA),
  and issue or sign certificates to be used for secure web, secure
  e-mail, or signing code and other usages.

* NEW entry
http://www.linuxdoc.org/HOWTO/SSL-Certificates-HOWTO/



Running Apache/SSL and openSSL on Solaris 7

2001-12-03 Thread Waleed Hamad




I need a document that states what should be installed first or if it does
not matter to install APACHE then OPENSSL

Can you please answer these questions for me:

I already have Apache 1.3.20 installed and running
I would like to get APache/SSL also running, do I remove Apache 1.3.20 and
redo the installation of Apache and SSL ??
Please help me out.

Thanks
Waleed



OpenSSH Keys and JSSE

2001-12-03 Thread Jeremy Levy

Is it possible to use key/certificates that are generated with OPENSSH in
Java Secure Sockets and vice a versa keys created with keytool can be used
with openSSH?  If no, how do I get the 2 to work together?

Thanks

JL




REMOVE

2001-12-03 Thread Indika De Silva

REMOVE


Re: Running Apache/SSL and openSSL on Solaris 7

2001-12-03 Thread Edgar Hodge

Waleed,
I would install Apache first, but it really doesn't matter.
Check-out
www.apache-ssl.org
E.
At 06:06 PM 12/3/01 -0600, you wrote:

I need a document that states what should be
installed first or if it does not matter to install APACHE then
OPENSSL

Can you please answer these questions for
me:

I already have Apache 1.3.20 installed
and running 
I would like to get APache/SSL also
running, do I remove Apache 1.3.20 and redo the installation of Apache
and SSL ??
Please help me out.

Thanks
Waleed





Re: FW: updates (SSL-Certificates-HOWTO)

2001-12-03 Thread Averroes

Hi Franck,

Cool How-to
But it would be nice to describe all relevant options in the config file
openssl.cnf before building any certificate,
since the default options are simple.

You should take in consideration the config file
of pyCA: http://www.pyca.de/config.html

Regards

Franck Martin wrote:
 
 For your information
 
 I will now add the comments I have received as well as the
 ssl-cert-HOWTO.txt inside it...
 
 Franck Martin
 Network and Database Development Officer

 
   SSL Certificates HOWTO
   Franck Martin  [EMAIL PROTECTED]
   v0.1  2001-11-18
 
   A first hand approach on how to manage a certificate authority (CA),
   and issue or sign certificates to be used for secure web, secure
   e-mail, or signing code and other usages.
 
 * NEW entry
 http://www.linuxdoc.org/HOWTO/SSL-Certificates-HOWTO/

-- 
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-
# Averroes A. Aysha
# Think Linux, Think Slackware!
# e-fingerprint = 63:B0:7D:A1:23:BC:25:96:AE:B7:76:36:F3:07:1F:88
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-




RE: FW: updates (SSL-Certificates-HOWTO)

2001-12-03 Thread Franck Martin

Michael,

As you may read below, I have written an SSL HOWTO. Averroes suggested that
I use the text of the configuration file on your site to describe the
openssl.cnf file. I know that you have released your software under GPL, but
I prefer to ask you if you authorise me to include some part of your text
inside my SSL HOWTO. Proper acknowledgement will be given.

Thanks in advance for your positive answer.

Franck Martin
Network and Database Development Officer
SOPAC South Pacific Applied Geoscience Commission
Fiji
E-mail: [EMAIL PROTECTED]
Web site: http://www.sopac.org/
Support FMaps: http://fmaps.sourceforge.net/

This e-mail is intended for its addresses only. Do not forward this e-mail
without approval. The views expressed in this e-mail may not be necessarily
the views of SOPAC.



-Original Message-
From: Averroes [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 4 December 2001 5:36 
To: [EMAIL PROTECTED]
Subject: Re: FW: updates (SSL-Certificates-HOWTO)


Hi Franck,

Cool How-to
But it would be nice to describe all relevant options in the config file
openssl.cnf before building any certificate,
since the default options are simple.

You should take in consideration the config file
of pyCA: http://www.pyca.de/config.html

Regards

Franck Martin wrote:
 
 For your information
 
 I will now add the comments I have received as well as the
 ssl-cert-HOWTO.txt inside it...
 
 Franck Martin
 Network and Database Development Officer

 
   SSL Certificates HOWTO
   Franck Martin  [EMAIL PROTECTED]
   v0.1  2001-11-18
 
   A first hand approach on how to manage a certificate authority (CA),
   and issue or sign certificates to be used for secure web, secure
   e-mail, or signing code and other usages.
 
 * NEW entry
 http://www.linuxdoc.org/HOWTO/SSL-Certificates-HOWTO/



Re: P7B to PEM format Conversion.

2001-12-03 Thread Averroes

Hi srinu

Cat the certs in PEM format; the last one needs to be the Root CA.

RootCA, SubCa1, Sub-SubCA1

Example:

]# cat Sub-SubCA1 >> ./path/to/cachain.pem
]# cat SubCA1 >> ./path/to/cachain.pem
]# cat RootCA >> ./path/to/cachain.pem

Ciao!


 srinu wrote:
 
 I have a Root Certificate and another Intermediate root Certificate issued by
 the root installed in my browser.
 I imported the intermediate Certificate to a p7b file and also checked the
 option include all Certificates in the path.
 Now i want to Convert this P7B file into PEM text format so that the PEM will
 contain all the certificates in the trusted path. I donno how to do so. what
 utility i need to use for this conversion.
 
 Thanks in advance.
 srinu

-- 
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-
# Averroes A. Aysha
# Think Linux, Think Slackware!
# e-fingerprint = 63:B0:7D:A1:23:BC:25:96:AE:B7:76:36:F3:07:1F:88
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-

