Solaris 2.6
Hi, I have read on the Sunfreeware site that Openssl 0.9.6b does not compile the libaries correctly for solaris 2.6, is this true? If so do you have a work around or a recomendation for an earlier version? I will try to compile binaries today to see what happens. Thanks in advance for all of your help in this matter.. Regards Simon De Friend 0044 7951578 570 __ Do You Yahoo!? Check out Yahoo! Shopping and Yahoo! Auctions for all of your unique holiday gifts! Buy at http://shopping.yahoo.com or bid at http://auctions.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Microsoft CryptoAPI and OpenSSL
Hi, What i need is a library to provide CA x509 and it's storage(saving and loading),encrypting and decrypting data via(DES,RC4,RSA).Both can handle this.(MS and OpenSSL) Does anybody knows advantages and disadvantages of Microsofts CryptoAPI in comparsion to the OpenSSL-toolkit? Thanks Larry __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Private key in exernal hardware (engine) ?
From: Alexander Kuit [EMAIL PROTECTED] AKuit As far as I understand this function, it requests the private key from the AKuit engine. Unfortunately (but not surprisingly), the private key is inside AKuit the smartcard and cannot be read (only selected for cryptographic AKuit operations). So how can a client perform a successful handshake, AKuit including sending its certificate, without providing a private key? AKuit This is crucial for our security requirements, so any help would AKuit be very appreciated. Incorrect. All one really needs to do is to refer to the private key and have appropriate routines use that reference to do encryption and verification. That's what an engine does, it redirects relevant RSA operations to whatever library that handles the card (which ultimately leads to the card itself, I suppose), and creates a fake RSA key that is just a reference (by some kind of identity) to the private key on the card. The client does *not* need to actually read the bits of the private key, it just needs to use the appropriate operations on it (or the reference to it). Some of your text above seems to suggest the client needs to send the private key over to the server. I hope that wasn't what you meant, because *that* would be really bad from a security point of view. -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-733-72 88 11 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Software Engineer, GemPlus: http://www.gemplus.com/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
How to setup cert server using openssl ?(No Content)
__ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
error in the make process
Dear , We are trying tu install the openssl-0.9.6b package and we are doing the make process we get the following error message. could you help me? O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -c cbc_enc.c -o cbc_enc.o /usr/ccs/bin/as: "/var/tmp/cc6ryJDO.s", line 362: error: unknown opcode ".subsection" /usr/ccs/bin/as: "/var/tmp/cc6ryJDO.s", line 362: error: statement syntax /usr/ccs/bin/as: "/var/tmp/cc6ryJDO.s", line 373: error: unknown opcode ".previous" /usr/ccs/bin/as: "/var/tmp/cc6ryJDO.s", line 373: error: statement syntax /usr/ccs/bin/as: "/var/tmp/cc6ryJDO.s", line 374: error: unknown opcode ".subsection" /usr/ccs/bin/as: "/var/tmp/cc6ryJDO.s", line 374: error: statement syntax /usr/ccs/bin/as: "/var/tmp/cc6ryJDO.s", line 385: error: unknown opcode ".previous" /usr/ccs/bin/as: "/var/tmp/cc6ryJDO.s", line 385: error: statement syntax make[2]: *** [cbc_enc.o] Error 1 make[2]: Leaving directory `/usr/local/src/openssl-0.9.6b/crypto/des' make[1]: *** [subdirs] Error 1 make[1]: Leaving directory `/usr/local/src/openssl-0.9.6b/crypto' make: *** [sub_all] Error 1
ADSL
ÉîÛÚµØÇø£¬ADSL¸ßËÙÉÏÍø£¬Áã³õ×°·Ñ¡£ÓÐÒâÕßÇë»Ø¸´¡£[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Echo is openssl
Hi there... I posted this problem once, but as I didn't have any reply I'm trying again: I'm working on a SSL server using openSSL. Problem is, when I'm asking for a string to the user, I don't want that string to echo... I tried to do that with the ways I do to telnet connections (sending some chars that are interpreted by terminal) but nothing works with openssl. I'm using openssl libraries for the server, and openssl to the client connection to the server. As I'm a little hurry with this and I can't find an answer... Can you please try to help me? Thank you. -- === Marcos Marado AKA Mind Booster === Visit Mind Booster NetWorks on: http://mindbooster.cjb.net Mail me to: [EMAIL PROTECTED] === Putt's Law: Technology is dominated by two types of people: Those who understand what they do not manage. Those who manage what they do not understand. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: error in the make process
On Wed, Dec 12, 2001 at 10:53:32AM +0100, Jesus Ferreira wrote: Dear , We are trying tu install the openssl-0.9.6b package and we are doing the make process we get the following error message. could you help me? O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -c cbc_enc.c -o cbc_enc.o /usr/ccs/bin/as: /var/tmp/cc6ryJDO.s, line 362: error: unknown opcode .subsection /usr/ccs/bin/as: /var/tmp/cc6ryJDO.s, line 362: error: statement syntax /usr/ccs/bin/as: /var/tmp/cc6ryJDO.s, line 373: error: unknown opcode .previous /usr/ccs/bin/as: /var/tmp/cc6ryJDO.s, line 373: error: statement syntax /usr/ccs/bin/as: /var/tmp/cc6ryJDO.s, line 374: error: unknown opcode .subsection /usr/ccs/bin/as: /var/tmp/cc6ryJDO.s, line 374: error: statement syntax /usr/ccs/bin/as: /var/tmp/cc6ryJDO.s, line 385: error: unknown opcode .previous /usr/ccs/bin/as: /var/tmp/cc6ryJDO.s, line 385: error: statement syntax make[2]: *** [cbc_enc.o] Error 1 make[2]: Leaving directory `/usr/local/src/openssl-0.9.6b/crypto/des' make[1]: *** [subdirs] Error 1 make[1]: Leaving directory `/usr/local/src/openssl-0.9.6b/crypto' make: *** [sub_all] Error 1 You don't provide any further information (platform, compiler, etc). From the options shown in the snippet (-fomit-frame-pointer, -Wall) I guess, that you are using gcc. The assembler is called as /usr/ccs/bin/as, which may lead to the conclusiion that you may be on HP-UX (maybe other platforms have the same location). In any case it seems, that your compiler produces assembler code that as cannot understand. I therefore guess, that your gcc installation may be intended for a different (newer?) version of your operating system... Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Echo is openssl
On Wed, Dec 12, 2001 at 12:31:30PM +, Marcos D. Marado Torres wrote: Hi there... I posted this problem once, but as I didn't have any reply I'm trying again: I'm working on a SSL server using openSSL. Problem is, when I'm asking for a string to the user, I don't want that string to echo... I tried to do that with the ways I do to telnet connections (sending some chars that are interpreted by terminal) but nothing works with openssl. I'm using openssl libraries for the server, and openssl to the client connection to the server. Your problem has nothing to do with openssl. Sending terminal control sequences should be transparent to TLS/SSL layer around it. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Private key in exernal hardware (engine) ?
On 12.12.2001 11:12:35 Vadim Fedukovich wrote: On Wed, 12 Dec 2001, Alexander Kuit wrote: I'm using the engine version to let the client do rsa private encryption by a smartcard. This means of course that the private key is hidden inside the card. However, during debugging SSL_connect() I discovered that a client certificate is only sent to the server if a private key is set (e.g. by SSL_CTX_use_PrivateKey). How is this supposed to work? At the moment the only way to avoid handshake error is to give ssl a dummy private key. Does anybody know a proper way? look for ENGINE_load_private_key(...) in engine.h. As far as I understand this function, it requests the private key from the engine. Unfortunately (but not surprisingly), the private key is inside the smartcard and cannot be read (only selected for cryptographic operations). So how can a client perform a successful handshake, including sending its certificate, without providing a private key? This is crucial for our security requirements, so any help would be very appreciated. Short answer is your card should be capable of doing MD5+SHA1 type of signature and this function should be available as rsa_sign member of ENGINE structure. RSA_FLAG_SIGN_VER should be set to route signing operation to the card. This signing will be requested while ssl3_send_client_verify(). The problem occurs before ssl3_send_client_verify(), in ssl3_send_client_certificate(). The existence of a private key is checked there: if ((s-cert == NULL) || (s-cert-key-x509 == NULL) || (s-cert-key-privatekey == NULL)) There seems to be no way around that, which means that I have to provide a private key, even if I don't have one (it's in the card). I now believe I understand that's what ENGINE_load_private_key() is for (please correct me if I'm still wrong). If I'm right with that, then how do I generate a dummy private key, without having to fill in the bits of the rsa structure myself ? Any idea is very welcome. Alex. Could I ask what are the cards? Is it hard for you to do it? The card is one of my employer's, ORGA Kartensysteme GmbH, with the MICARDO operating system (http://www.orga.com) __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PrivateKey.
On Tue, Dec 11, 2001 at 10:47:40AM +0100, Douglas Wikström wrote: Hello! I use this when initializing. SSL_CTX_use_PrivateKey_file(ssl_ctx, keyfile, SSL_FILETYPE_PEM) what is the correct way of accessing this keyfile later. I.e. I would like to say: skey = ssl_ctx-private_key; There is no offical way in the API to access the private key later. This is partly true, as you can at least have two private keys (one for RSA and one for DSA authentication) at the same time. Solution: Use PEM_read_PrivateKey() to read the key from the file (and thus are able to access it as is) and then use SSL_CTX_use_PrivateKey() to set it. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Echo is openssl
Marcos, However if you look through the openssl source code it has a method that turns echoing off for it's own passphrase obtaining method. You could consult that code on how to turn off the echo. But Lutz is correct console operations have nothing to do with OpenSSL. - Andrew - Original Message - From: Lutz Jaenicke [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 12, 2001 11:55 AM Subject: Re: Echo is openssl On Wed, Dec 12, 2001 at 12:31:30PM +, Marcos D. Marado Torres wrote: Hi there... I posted this problem once, but as I didn't have any reply I'm trying again: I'm working on a SSL server using openSSL. Problem is, when I'm asking for a string to the user, I don't want that string to echo... I tried to do that with the ways I do to telnet connections (sending some chars that are interpreted by terminal) but nothing works with openssl. I'm using openssl libraries for the server, and openssl to the client connection to the server. Your problem has nothing to do with openssl. Sending terminal control sequences should be transparent to TLS/SSL layer around it. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Windows cert stores
Hello, I want to be able to access the certificates for Windows that the certificate manager looks after (the trusted CA's that come with Windows), there does Windows store these certificates, and in what format? Tat. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Echo is openssl
Yes, it should... But it isn't! Isn't it a problem with openssl? (The client I'm using to connect...). Regards, Mind Booster On Wed, 12 Dec 2001, Lutz Jaenicke wrote: On Wed, Dec 12, 2001 at 12:31:30PM +, Marcos D. Marado Torres wrote: Hi there... I posted this problem once, but as I didn't have any reply I'm trying again: I'm working on a SSL server using openSSL. Problem is, when I'm asking for a string to the user, I don't want that string to echo... I tried to do that with the ways I do to telnet connections (sending some chars that are interpreted by terminal) but nothing works with openssl. I'm using openssl libraries for the server, and openssl to the client connection to the server. Your problem has nothing to do with openssl. Sending terminal control sequences should be transparent to TLS/SSL layer around it. Best regards, Lutz -- === Marcos Marado AKA Mind Booster === Visit Mind Booster NetWorks on: http://mindbooster.cjb.net Mail me to: [EMAIL PROTECTED] === It is so very hard to be an on-your-own-take-care-of-yourself-because-there-is-no-one-else-to-do-it-for-you grown-up. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Echo is openssl
Well... So, I don't know. This code works out with telnet connections or used in any other program, but it doesn't work here... Any clue? Regards, Mind Booster On Wed, 12 Dec 2001, Andrew T. Finnell wrote: Marcos, However if you look through the openssl source code it has a method that turns echoing off for it's own passphrase obtaining method. You could consult that code on how to turn off the echo. But Lutz is correct console operations have nothing to do with OpenSSL. - Andrew - Original Message - From: Lutz Jaenicke [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 12, 2001 11:55 AM Subject: Re: Echo is openssl On Wed, Dec 12, 2001 at 12:31:30PM +, Marcos D. Marado Torres wrote: Hi there... I posted this problem once, but as I didn't have any reply I'm trying again: I'm working on a SSL server using openSSL. Problem is, when I'm asking for a string to the user, I don't want that string to echo... I tried to do that with the ways I do to telnet connections (sending some chars that are interpreted by terminal) but nothing works with openssl. I'm using openssl libraries for the server, and openssl to the client connection to the server. Your problem has nothing to do with openssl. Sending terminal control sequences should be transparent to TLS/SSL layer around it. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- === Marcos Marado AKA Mind Booster === Visit Mind Booster NetWorks on: http://mindbooster.cjb.net Mail me to: [EMAIL PROTECTED] === It is so very hard to be an on-your-own-take-care-of-yourself-because-there-is-no-one-else-to-do-it-for-you grown-up. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
convert pcks#12 in pem
I need to convert a server certicate PKCS#12 in PEM format. What i doing? Daniele Zippo
Re: Echo is openssl
Marcos, I dont see what obtaining input from the user has to do with OpenSSL? You should be able to take all the openssl code out of your application and still be able to obtain input from the console. Maybe we are confused about what your problem is? - Andrew - Original Message - From: Marcos D. Marado Torres [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 12, 2001 12:19 PM Subject: Re: Echo is openssl Well... So, I don't know. This code works out with telnet connections or used in any other program, but it doesn't work here... Any clue? Regards, Mind Booster On Wed, 12 Dec 2001, Andrew T. Finnell wrote: Marcos, However if you look through the openssl source code it has a method that turns echoing off for it's own passphrase obtaining method. You could consult that code on how to turn off the echo. But Lutz is correct console operations have nothing to do with OpenSSL. - Andrew - Original Message - From: Lutz Jaenicke [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 12, 2001 11:55 AM Subject: Re: Echo is openssl On Wed, Dec 12, 2001 at 12:31:30PM +, Marcos D. Marado Torres wrote: Hi there... I posted this problem once, but as I didn't have any reply I'm trying again: I'm working on a SSL server using openSSL. Problem is, when I'm asking for a string to the user, I don't want that string to echo... I tried to do that with the ways I do to telnet connections (sending some chars that are interpreted by terminal) but nothing works with openssl. I'm using openssl libraries for the server, and openssl to the client connection to the server. Your problem has nothing to do with openssl. Sending terminal control sequences should be transparent to TLS/SSL layer around it. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- === Marcos Marado AKA Mind Booster === Visit Mind Booster NetWorks on: http://mindbooster.cjb.net Mail me to: [EMAIL PROTECTED] === It is so very hard to be an on-your-own-take-care-of-yourself-because-there-is-no-one-else-to-do-it-for- you grown-up. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Echo is openssl
On Wed, Dec 12, 2001 at 05:17:38PM +, Marcos D. Marado Torres wrote: Yes, it should... But it isn't! Isn't it a problem with openssl? (The client I'm using to connect...). What is the client? In your original mail you are claiming to be working on the server side. Turning off the echo on the client must be done by the client. (stty for the commandline tool, or termio/termios for the programming interface.) Of course, the client software must handle the control sequences sent by the server. (Or the terminal emulator used has an echo off control sequence, that is being directly being honored.) Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: OCSP_basic_verify
(sobbing) I have been looking for the documentation, but there is none. All I can see i the definition of some flags: #define OCSP_NOCERTS0x1 #define OCSP_NOINTERN 0x2 #define OCSP_NOSIGS 0x4 #define OCSP_NOCHAIN0x8 #define OCSP_NOVERIFY 0x10 #define OCSP_NOEXPLICIT 0x20 #define OCSP_NOCASIGN 0x40 #define OCSP_NODELEGATED0x80 #define OCSP_NOCHECKS 0x100 #define OCSP_TRUSTOTHER 0x200 #define OCSP_RESPID_KEY 0x400 #define OCSP_NOTIME 0x800 What are they? Tat. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Dr S N Henson Sent: 11 December 2001 18:21 To: [EMAIL PROTECTED] Subject: Re: OCSP_basic_verify Tat Sing Kong wrote: Hi, I have been trying to figure out what the flags are for this function and have come up with the following, can someone verify? int OCSP_basic_verify(OCSP_BASICRESP *bs, // the OCSP response STACK_OF(X509) *certs, // intermediate signing certs X509_STORE *st, // trusted responder certs unsigned long flags // flags as defined in ocsp.h ); Can someone tell me what the difference between certs and st is? certs is a stack of certificates which can aid the verify operation. For example if the response doesn't contain the signer's certificate it can look in there. st is a trusted certificate store which contains trusted certificates which are used to verify the signers certificate. Setting various values for the flags can change the meaning somewhat too. The ocsp application source in apps/ocsp.c and documentation should help clarify this. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Gemplus: http://www.gemplus.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Private key in exernal hardware (engine) ?
Alexander Kuit wrote: On 12.12.2001 11:12:35 Vadim Fedukovich wrote: On Wed, 12 Dec 2001, Alexander Kuit wrote: I'm using the engine version to let the client do rsa private encryption by a smartcard. This means of course that the private key is hidden inside the card. However, during debugging SSL_connect() I discovered that a client certificate is only sent to the server if a private key is set (e.g. by SSL_CTX_use_PrivateKey). look for ENGINE_load_private_key(...) in engine.h. As far as I understand this function, it requests the private key from the engine. Unfortunately (but not surprisingly), the private key is inside the smartcard and cannot be read (only selected for cryptographic operations). So how can a client perform a successful handshake, including sending its certificate, without providing a private key? This is crucial for our security requirements, so any help would be very appreciated. Short answer is your card should be capable of doing MD5+SHA1 type of signature and this function should be available as rsa_sign member of ENGINE structure. RSA_FLAG_SIGN_VER should be set to route signing operation to the card. This signing will be requested while ssl3_send_client_verify(). There seems to be no way around that, which means that I have to provide a private key, even if I don't have one (it's in the card). But you have an EVP_PKEY. I now believe I understand that's what ENGINE_load_private_key() is for (please correct me if I'm still wrong). If I'm right with that, then how do I generate a dummy private key, without having to fill in the bits of the rsa structure myself ? Especially that does ENGINE_load_private_key(...). You get an handle to an private key (filled with public data and some other data that the ENGINE needs to access its internal private key. You call SSL_CTX_use_PrivateKey() with this EVP_PKEY returned from the ENGINE... Bye Goetz -- Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de Sonninstr. 24-28, 20097 Hamburg, Germany Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126 smime.p7s Description: S/MIME Cryptographic Signature
Re: Echo is openssl
I'm working out the server code, but I'm testing it using openssl as the client too. I know that client can turn the echo off, but what I want is that, for that string, echo is taken for user! Something like: --- Tell me your password: --- And client when writes the password it will not echo! On Wed, 12 Dec 2001, Lutz Jaenicke wrote: On Wed, Dec 12, 2001 at 05:17:38PM +, Marcos D. Marado Torres wrote: Yes, it should... But it isn't! Isn't it a problem with openssl? (The client I'm using to connect...). What is the client? In your original mail you are claiming to be working on the server side. Turning off the echo on the client must be done by the client. (stty for the commandline tool, or termio/termios for the programming interface.) Of course, the client software must handle the control sequences sent by the server. (Or the terminal emulator used has an echo off control sequence, that is being directly being honored.) Best regards, Lutz -- === Marcos Marado AKA Mind Booster === Visit Mind Booster NetWorks on: http://mindbooster.cjb.net Mail me to: [EMAIL PROTECTED] === It is so very hard to be an on-your-own-take-care-of-yourself-because-there-is-no-one-else-to-do-it-for-you grown-up. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Echo is openssl
Marcos, We are very willing to help you out but from what you are saying it doesn't make any logical sense. Please describe in a much more detail what you are trying to do. I do not see how console output/input has anything to do with openssl. Thanks - Andrew - Original Message - From: Marcos D. Marado Torres [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 12, 2001 12:41 PM Subject: Re: Echo is openssl I'm working out the server code, but I'm testing it using openssl as the client too. I know that client can turn the echo off, but what I want is that, for that string, echo is taken for user! Something like: --- Tell me your password: --- And client when writes the password it will not echo! On Wed, 12 Dec 2001, Lutz Jaenicke wrote: On Wed, Dec 12, 2001 at 05:17:38PM +, Marcos D. Marado Torres wrote: Yes, it should... But it isn't! Isn't it a problem with openssl? (The client I'm using to connect...). What is the client? In your original mail you are claiming to be working on the server side. Turning off the echo on the client must be done by the client. (stty for the commandline tool, or termio/termios for the programming interface.) Of course, the client software must handle the control sequences sent by the server. (Or the terminal emulator used has an echo off control sequence, that is being directly being honored.) Best regards, Lutz -- === Marcos Marado AKA Mind Booster === Visit Mind Booster NetWorks on: http://mindbooster.cjb.net Mail me to: [EMAIL PROTECTED] === It is so very hard to be an on-your-own-take-care-of-yourself-because-there-is-no-one-else-to-do-it-for- you grown-up. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Echo is openssl
When Telnet protocol is used, echoing is performed by the host. The host has complete control over the echoing. The control is gained by the host by negotiating the TELNET ECHO option. If this option is not negotiated then echoing is handled by the local application. If you have replaced Telnet with raw TLS and have not changed the application in any other way, the client is probably performing echoing. Although, there is no reason why you can use Telnet protocol over TLS. Marcos, I dont see what obtaining input from the user has to do with OpenSSL? You should be able to take all the openssl code out of your application and still be able to obtain input from the console. Maybe we are confused about what your problem is? - Andrew - Original Message - From: Marcos D. Marado Torres [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 12, 2001 12:19 PM Subject: Re: Echo is openssl Well... So, I don't know. This code works out with telnet connections or used in any other program, but it doesn't work here... Any clue? Regards, Mind Booster On Wed, 12 Dec 2001, Andrew T. Finnell wrote: Marcos, However if you look through the openssl source code it has a method that turns echoing off for it's own passphrase obtaining method. You could consult that code on how to turn off the echo. But Lutz is correct console operations have nothing to do with OpenSSL. - Andrew - Original Message - From: Lutz Jaenicke [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, December 12, 2001 11:55 AM Subject: Re: Echo is openssl On Wed, Dec 12, 2001 at 12:31:30PM +, Marcos D. Marado Torres wrote: Hi there... I posted this problem once, but as I didn't have any reply I'm trying again: I'm working on a SSL server using openSSL. Problem is, when I'm asking for a string to the user, I don't want that string to echo... I tried to do that with the ways I do to telnet connections (sending some chars that are interpreted by terminal) but nothing works with openssl. I'm using openssl libraries for the server, and openssl to the client connection to the server. Your problem has nothing to do with openssl. Sending terminal control sequences should be transparent to TLS/SSL layer around it. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- === Marcos Marado AKA Mind Booster === Visit Mind Booster NetWorks on: http://mindbooster.cjb.net Mail me to: [EMAIL PROTECTED] === It is so very hard to be an on-your-own-take-care-of-yourself-because-there-is-no-one-else-to-do-it-for- you grown-up. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kermit-project.org/ using Kerberos, SRP, and [EMAIL PROTECTED] OpenSSL. SSH soon to follow. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OCSP_basic_verify
Tat Sing Kong wrote: (sobbing) I have been looking for the documentation, but there is none. All I can see i the definition of some flags: #define OCSP_NOCERTS0x1 #define OCSP_NOINTERN 0x2 #define OCSP_NOSIGS 0x4 #define OCSP_NOCHAIN0x8 #define OCSP_NOVERIFY 0x10 #define OCSP_NOEXPLICIT 0x20 #define OCSP_NOCASIGN 0x40 #define OCSP_NODELEGATED0x80 #define OCSP_NOCHECKS 0x100 #define OCSP_TRUSTOTHER 0x200 #define OCSP_RESPID_KEY 0x400 #define OCSP_NOTIME 0x800 What are they? I meant you can check the ocsp.c source code and documentation and see how each option is related to the flag it sets. Most of the time you wont need any of the flags. However for the OCSP_basic_verify operation here's a summary... OCSP_NOINTERN don't look internally in the OCSP response for the signer's certificate only look in the certs STACK. Same as -no_intern in ocsp app. OCSP_NOSIGS don't verify the signature on the reponse. Same as no_sig_verify in ocsp app. OCSP_NOCHAIN don't chain verify the signer's certificate: this effectively means all other certificates in the chain must be in the trusted store. Same as no_chain. OCSP_NOVERIFY don't verify the signer's certificate in any way. Same as no_cert_verify OCSP_NOEXPLICIT don't support explicit trust of a root CA. OCSP_NOCASIGN don't allow an OCSP response to be signed by the issuing CA certificate. OCSP_NODELEGATED don't allow delegated trust. OCSP_NOCHECKS don't perform additional checks on the signer's certificate. Same as no_cert_checks OCSP_TRUSTOTHER if the reponse signer's cert is one of those in the 'certs' STACK then implicitly trust it: don't verify it or check it in any way. Same as trust_other Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Gemplus: http://www.gemplus.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Echo is openssl
Lutz Jaenicke wrote: Your problem has nothing to do with openssl. Sending terminal control sequences should be transparent to TLS/SSL layer around it. Lutz is quite correct -- once a handshake is complete, your application passes data through the SSL Record Layer. The spec reads: The SSL Record Layer receives uninterpreted data from higher layers in non-empty blocks of arbitrary size. You are asking a question that sounds to me like: Why doesn't this violing play Mozart? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Echo is openssl
Michael Sierchio wrote: - violing play Mozart? + violin play Mozart? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: delayed setting of IV w/ EVP interface
The man pages says for EncryptInit It is possible to set all parameters to NULL except type in an initial call and supply the remaining parameters in subsequent calls, all of which have type set to NULL. This is done when the default cipher parameters are not appropriate. Does that mean you should call EncryptInit with a null IV, then again with a IV? Or can you just set the ctx-iv value directly? You should avoid accessing structure elements where possible. You can call EncryptInit with a null key and IV and later set them but you don't have to. This is normally done so that additional calls such as changing the key length in variable ciphers can be made. What are the functions to set the IV ? I see that there are EVP_CIPHER_CTX_set_key_length() and some others function . Would it be proper to add a function EVP_CIPHER_CTX_set_iv() ? the pseudo code I would then have is after key exchange: ... EVP_CIPHER_CTX g_ctx; // only one ctx for this example ... ... EVP_EncryptInit(myctx,EVP_des_cbc(),key,NULL); ... ... per packet function: ... get_iv_from_packet(packet,myiv); ... EVP_CIPHER_CTX_set_iv(g_ctx,myiv); ... EVP_EncryptUpdate(g_ctx,.); EVP_EncryptFinal(g_ctx,); Also is it possible to copy the CTX variable after it has been init'ed and use a copy of it with calls to EncryptUpdate, EncryptFinal? Possible yes, but it may cause problems in future versions of OpenSSL where the EVP_CIPHER_CTX structure is no longer flat and which may use crypto hardware. In future some kind of EVP_CIPHER_CTX_copy() function will be used to do this portably. Steve. _ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: OCSP_basic_verify
Steve, Please, please, please put your comments like this into the CVS source or man pages. Your knowledge of this stuff is priceless to us mere mortals! :-) Thank you. Rob -Original Message- From: Dr S N Henson [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 12, 2001 12:57 PM To: [EMAIL PROTECTED] Subject: Re: OCSP_basic_verify Tat Sing Kong wrote: (sobbing) I have been looking for the documentation, but there is none. All I can see i the definition of some flags: #define OCSP_NOCERTS0x1 #define OCSP_NOINTERN 0x2 #define OCSP_NOSIGS 0x4 #define OCSP_NOCHAIN0x8 #define OCSP_NOVERIFY 0x10 #define OCSP_NOEXPLICIT 0x20 #define OCSP_NOCASIGN 0x40 #define OCSP_NODELEGATED0x80 #define OCSP_NOCHECKS 0x100 #define OCSP_TRUSTOTHER 0x200 #define OCSP_RESPID_KEY 0x400 #define OCSP_NOTIME 0x800 What are they? I meant you can check the ocsp.c source code and documentation and see how each option is related to the flag it sets. Most of the time you wont need any of the flags. However for the OCSP_basic_verify operation here's a summary... OCSP_NOINTERN don't look internally in the OCSP response for the signer's certificate only look in the certs STACK. Same as -no_intern in ocsp app. OCSP_NOSIGS don't verify the signature on the reponse. Same as no_sig_verify in ocsp app. OCSP_NOCHAIN don't chain verify the signer's certificate: this effectively means all other certificates in the chain must be in the trusted store. Same as no_chain. OCSP_NOVERIFY don't verify the signer's certificate in any way. Same as no_cert_verify OCSP_NOEXPLICIT don't support explicit trust of a root CA. OCSP_NOCASIGN don't allow an OCSP response to be signed by the issuing CA certificate. OCSP_NODELEGATED don't allow delegated trust. OCSP_NOCHECKS don't perform additional checks on the signer's certificate. Same as no_cert_checks OCSP_TRUSTOTHER if the reponse signer's cert is one of those in the 'certs' STACK then implicitly trust it: don't verify it or check it in any way. Same as trust_other Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Gemplus: http://www.gemplus.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] * DISCLAIMER: The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee. Access, copying or re-use of the e-mail or any information contained therein by any other person is not authorized. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Ϊ¸öÈËÊÂÒµ×ö´òË㣬ѡÔñ¹Øϵͨ2.0
Title: Äã×¼±¸ºÃÁËÂ𣿠Ϊ¸öÈËÊÂÒµ×ö´òË㣬ѡÔñ¹Øϵͨ2.0 23¡¢24ËêʱÄ㻹ûÓÐÏëºÃ½ñºó×öʲô£¬µ«ÊÇתÑÛ30ËêÕâ¸öÈËÉú´óÏÞÀ´ÁË£¬Äã±ØÐëΪ½«À´¼Æ»®ÁË£»»òÕßÄãÕýÔÚΪ×Ô¼ºµÄÈýÊ®¶øÁ¢¶ø´òÆ´¡£ÃæÁÙÉú»îºÍ¹¤×÷µÄѹÁ¦²»¶Ï£¬Äã×¼±¸ºÃÁËÒ»ÇÐÂð£¿ÇëÉϹØϵͨ£¬ÒѾΪÄã×¼±¸ºÃÁË¡£ ÎÒÃǶ¼ÏòÍùʤȯÔÚÎյĸоõ£¬ÔÚÕâ¸ö½²¾¿¹ØϵµÄÉç»áÖÐÄãÓÖƾʲôʤȯÔÚÎÕ£¿ÓмÛÖµµÄ¹ØϵȦ¿ÉÒԳɾÍÄãÊÂÒµ¡£µ«ÊÇÏÖʵÉú»îÖпª·¢ºÍά»¤ÅóÓѵÄʱ¼ä³É±¾ºÍ»ú»á³É±¾Ì«¸ß£¬¿öÇÒÃæ¶ÔÐèÇó£¬ÄãµÄÅóÓÑÍùÍù°®ÄªÄÜÖú¡£ÇëÉϹØϵͨ£¬ÒѾΪÄã×¼±¸ºÃÁË¡£ ÍøÂçÊÇÒ»¸öºÃµÄÑ¡Ôñ£¬Èç¹ûÄãÈÏΪ×Ô¼ºÓÐÒ»¶¨µÄÐÅÏ¢ºÍÉç»á×ÊÔ´£¬¿ÉÒÔ½øÐн»»»£¬À´ÍØÕ¹×Ô¼ºµÄÉÌÎñ¹Øϵ¡£µ«ÊÇËæÖ®¾ÍÓÐÎÊÌâÁË£¬Ã¿Ì칤×÷ռȥÁËÄãµÄÖ÷Ҫʱ¼ä£¬ÄãÒªµÄ²»ÊÇÓéÀÖÁÄÌ죬ÄãÔÚÏßʱ¼ä²»¹Ì¶¨£¬ÄãÒªÇó×Ô¼º´¦ÀíÐÅÏ¢µÄЧÂÊÒªºÜ¸ß£¬ÄãÒªÇóÆäËûÓû§ºÍÄãÒ»Ñù¶ÔÐÅÏ¢ÓÐ×Å¿ÊÇó£¬ÄãÏ£Íûͨ¹ýÐÅÓúÍÕæʵÉí·ÝÕÒµ½ÒªÕÒµÄÈË¡£¡£¡£¡£¡£¡£ÇëÉϹØϵͨ£¬ÒѾΪÄã×¼±¸ºÃÁË¡£ ΪÈýÊ®¶øÁ¢Äã×¼±¸ºÃÒ»ÇÐÁËÂ𣿠¡¡ ¡¡ еÄÒ»Äê¾ÍÒªÀ´ÁË£¬¹ØϵͨһÈç¼ÈÍùÖÂÁ¦ÓÚΪÓû§ÌṩÍØÕ¹ÉÌÎñ¹ØϵµÄ¿çƽ̨·þÎñ£¬ÏÖÔÚÎÒÃÇÍƳö¾«ÐÄ´òÔì³ö2.0°æ±¾È¥ÊµÏÖÕâ¸ö³Ðŵ¡£Ö®ËùÒÔ2.0°æ±¾³ÆΪרҵ°æ£¬ÒòΪËüÍêÈ«°´ÕÕÖйúÉÌÎñÈËȺ¹ØϵÍØÕ¹µÄ²½ÖèÒ»²½²½Õ¹¿ªµÄ£¬Óû§¿ÉÒÔÔÚ¹ØϵͨÉÏÍê³É´ÓÄ¿±ê¹ØϵѰÕÒ¡¢ÐÅÓÃÕç±ð¡¢¹ØϵÒý¼ö¡¢¶àÇþµÀͨѶºÍ½»Ò×Ö§³Ö5¸ö¹ý³Ì¡£¹ØϵͨÉϵÄÓû§Ö÷ÒªÊǸ÷ÐÐÒµµÄÒµÄÚÈËÊ¿£¬È«²¿ÓµÓÐÕæʵµÄÉí·ÝºÍͨѶ·½Ê½£¬Óû§¿ÉÒÔͨ¹ý¹ØϵͨµÄ°ïÖúѸËÙ½¨Á¢Æð×Ô¼ºµÄ¹ØϵȦ£¬¶ø²»ÊÇÐéÄâµÄÍøÂç½»Íù¡£ Ãâ·Ñ×¢²á³ÉΪ¹ØϵͨÆÕͨÓû§£¬ÏàÐÅÎÒÃÇÒ»¶¨¿ÉÒÔ¸øÄãÃÇ´øÀ´ÕæÕýµÄ¹Øϵ¼ÛÖµ¡£¹ØϵͨµÄÔÔòÊÇ£º¹«²¼Õæʵ×ÊÁÏ¡¢¹«Æ½½»»»ÐÅÏ¢¡¢½¨Á¢¸öÈËÐÅÓᣠwww.up30.com Copyright 2001 UP30com All rights reserved. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: [jacorb-developer] JDK 1.3.0.2 / JacORB 1.4 w/ jsse 1.0.2 Fix/problem
Title: RE: [jacorb-developer] JDK 1.3.0.2 / JacORB 1.4 w/ jsse 1.0.2 Fix/problem Well I have gotten it to work kind of. I am running a TAO server from which im connecting to with a JacORB client. I see the debug output on the server but OpenSSL(TAO) complains about about 'alert certificate unknown'. Im taking this to mean that the certificate the client sent over is unknown. Well I don't want the JacORB client to send a certificate over. I only want the server to have a public/private key pair. Or better yet all I want is encryption. I must be missing something or doing something wrong. Anyone have an idea? Although this same code worked with JacORB 1.3 it's kind of strange it doesn't work with JacORB 1.4 Just let me know when you get sick of SSL questions. :-) - Andrew - Andrew T. Finnell Software Engineer eSecurity Inc (321) 394-2485 -Original Message- From: Stephan Feder [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 12, 2001 2:51 PM To: Andrew Finnell Cc: '[EMAIL PROTECTED]' Subject: Re: [jacorb-developer] JDK 1.3.0.2 / JacORB 1.4 w/ jsse 1.0.2 Fix/problem First: _Do not remove_ the classes listed under 3. in sun_jsse/README.jsse1_0_2. The whole point of my patch was to make that work again! Now: The JSSE docs clearly state SunX509 as the algorithm for both key and trust managers, and the JSSE classes are found so I suspect that the JSSE provider is not registered. Did you put security.provider.3=com.sun.net.ssl.internal.ssl.Provider into the java.security file? Otherwise you have to also uncomment the line Security.addProvider( new com.sun.net.ssl.internal.ssl.Provider() ); in sun_jsse/SSL(Server)SocketFactory.java. Hope it works Stephan Andrew Finnell wrote: I used some changes mentioned earlier to make JAcORB 1.4 compile with JSSE 1.0.2 and when I try running my application I get a dump like this. Unknown algorithm SunX509?? I believe the changes were suggested by Stephan Fester. If anyone has any ideas let me know. I'm going to try and figure out what's going on. Thanks!! - Andrew StackTrace java.security.NoSuchAlgorithmException: Algorithm SunX509 not available at com.sun.net.ssl.b.a([DashoPro-V1.2-120198]) at com.sun.net.ssl.TrustManagerFactory.getInstance([DashoPro-V1.2-120198] ) ___ jacorb-developer maillist - [EMAIL PROTECTED] http://lists.spline.inf.fu-berlin.de/mailman/listinfo/jacorb-developer