openssl-users@openssl.org
Re: PKCS1 Compliant
On Thu, 13 Dec 2001, Tony Vo wrote:

> Hello,
>
> Is OpenSSL PKCS1 compliant? I've noticed that in the function for padding type 2 that the first byte (octet) is 0x00 followed by 0x02 for the second byte (octet). Is this correct? According to the PKCS1 specification, the first byte (octet) should be 0x02. Please help.

According to specification, version 1.5, file pkcs-1.ps.gz available from RSA Labs site, first byte is 0. Please take a look at 8.1 clause, Encryption-block formatting. Well, Block Type byte could be 2.

Regards,
Vadim

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
newbie question
Well, I am a newbie trying to understand:

1. What is a certificate?
2. Who shall make it?
3. Who how to get it?
4. If I have my own setup, and some privileged users only should get the access to the site, how can I implement that?
5. And if 4 (as above) is possible, how can I achieve it?

In fact, I went through the openssl documentation at openssl.org but, for my primitive knowledge, it was all Greek and Latin. Please forgive me ... and just give me a little information.

regds
murali krishna vemuri
Crypt::SSLeay
I have a small perl script I wrote that retrieves files using LWP::UserAgent to get files from a cert protected directory off of a web server. The script works fine on *nix boxes. Now I have to get it to work on an NT box, and I am new to perl on NT.

I installed activestate perl, then mingw. I compiled openssl, which seemed to work just fine (no error messages) using the included instructions for mingw. Installed the Net::SSLeay package. Moved the script over, changed things to match the new environment. The script is returning web error 500. I am thinking that it is not correctly passing the certs.

I tried to compile Crypt::SSLeay myself, but I am getting make errors, so maybe I will try nmake. I did note that perl Makefile.PL does not find the openssl libraries. I also noted that the libraries for openssl are in the out directory, and no include or inc32 directories exist. Do I need to create these and where should they be located?
WebLogic and OpenSSL
I've been having problems getting a Weblogic 5.1 server to run using a cert generated with OpenSSL. Here's what I've done:

Created a CA key of 4096 bits = ohrescakey.pem

Created a self-signed cert for the CA key (ohrescacert.der) valid for five years, using the following command:

    OpenSSL req -new -x509 -out ohrescacert.der -key ohrescakey.pem -days 1825 -config openssl_config.txt

Then I created a new key and cert request for the web server, and used the OpenSSL CA function to sign this cert.

All the certs are recognized by IE just fine, but when I load them into the WebLogic Server, they don't seem to work.

    weblogic.security.certificate.server=portalsdccert.pem
    weblogic.security.key.server=portalsdckey.pem
    weblogic.security.certificate.authority=ohrescacert.der

If I submit the web server CSR to Verisign, and get a test cert back from them, then it works just fine. The only difference I can see is that the Verisign Root CA cert is a V1 cert, while the OpenSSL root CA cert I created is a V3 cert. Is there any way to force OpenSSL to create a V1 self-signed cert?
RE: newbie question
Go to either

http://www.netscape.com/
http://www.verisign.com/
http://www.rsa.com/

and read up on the docs contained there. On each site can be found good info discussing the questions you ask.

-----Original Message-----
From: Murali K. Vemuri [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 14, 2001 6:58 AM
To: [EMAIL PROTECTED]
Subject: newbie question

> Well, I am a newbie trying to understand:
>
> 1. What is a certificate?
> 2. Who shall make it?
> 3. Who how to get it?
> 4. If I have my own setup, and some privileged users only should get the access to the site, how can I implement that?
> 5. And if 4 (as above) is possible, how can I achieve it?
>
> In fact, I went through the openssl documentation at openssl.org but, for my primitive knowledge, it was all Greek and Latin. Please forgive me ... and just give me a little information.
>
> regds
> murali krishna vemuri
client/server verify problems
We're porting some (previously) working code from an ancient version of ssleay to openssl 0.9.6b (HPUX). We're having a problem (apparently) with the server-side of a client-server application, both ends using openssl 0.9.6b.

We're using locally generated certificates (Entrust PKI) for both the client and server, which according to openssl verify are only given the purpose of server. One Verisign server cert we played with appears to not have a purpose set, or at least permit both sslclient and sslserver.

The client side doesn't have any trouble with talking to web servers (in particular, Stronghold 2.2) with the Entrust certs, and the web server is successfully able to retrieve the client cert. Tho, 2.2 of course uses ssleay internally. Yeah, once this mess is over, we're going to upgrade to Stronghold 3.

When we use our client with a verisign-signed server cert, our server side successfully verifies.

When we use openssl s_client (or our client) with our entrust cert, our server spits out:

    error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

When we use openssl s_client we get:

    29776:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:964:SSL alert number 46
    29776:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:490:

When running openssl verify with our root_certs, -purpose sslclient returns:

    error 26 at 0 depth lookup:unsupported certificate purpose
    OK

Whereas with -purpose sslserver returns just OK.

I _assume_ this has something to do with the purpose. openssl's code _appears_ to verify that the cert has the right purpose. Right?

Our SSL_CTX_set_verify call has SSL_VERIFY_PEER and SSL_VERIFY_FAIL_IF_NO_PEER_CERT.

[I get confused around here, because I can't see anything that implies it would generate a no certificate returned message. If purpose was the real problem, wouldn't it say something more specific?]

For various (mostly political) reasons, we can't [re]generate the certs we use with sslclient. Do we need to resort to a verify callback to permit an 0.9.6b server to accept server certs from the client? Or is something else going wrong?
OUCH! Successful Install Broke Logons
Hi,

Yesterday I successfully compiled and installed openssl-0.9.6b on RedHat Linux 6.1. Immediately, I couldn't log on (as root or as a regular user) to the Linux box from the console although I could log on using ssh from another computer. In addition, when a workstation within the subnet which had been turned off was booted up, it received the error that its IP address was in use. So, I shut down the Linux box and then the workstation booted OK.

Today I started the Linux box and I can't log on from the console or through ssh. I realize that it's probably back to the install disks for me, but does anyone have any insight to what would cause this nightmare? (I don't believe that I've been hacked.)

Thanks!

Bob Foster
Re: OUCH! Successful Install Broke Logons
> I realize that it's probably back to the install disks for me, ...
> Bob Foster

Before you do that, have you tried boot: linux single during bootup? If you can get on here, you can fix the problem.

Alternatively, you can get a copy of tomsrtbt and boot with that to find and fix the problem. (Can't remember the URL; http://lwn.net has a link from its Distributions page...)

Marcus Redivo
Re(2): OUCH! Successful Install Broke Logons
Thanks Marcus! I'll give those ideas a try.

Bob

[EMAIL PROTECTED] writes:

> > I realize that it's probably back to the install disks for me, ...
> > Bob Foster
>
> Before you do that, have you tried boot: linux single during bootup? If you can get on here, you can fix the problem.
>
> Alternatively, you can get a copy of tomsrtbt and boot with that to find and fix the problem. (Can't remember the URL; http://lwn.net has a link from its Distributions page...)
>
> Marcus Redivo
Re: re. Successful Install Broke Logons - Tomsrtbt
Thanks. I found the tomsrtbt home page at http://www.toms.net/rb/. Also, boot: linux single worked just fine. (I learn something every day!)

> I have a copy of that floppy around here. If you can't find the URL, get back to me and I'll try to locate it.
>
> On Fri, Dec 14, 2001 at 01:15:02PM -0800, Marcus Redivo wrote:
> > > I realize that it's probably back to the install disks for me, ...
> >
> > Before you do that, have you tried boot: linux single during bootup? If you can get on here, you can fix the problem.
> >
> > Alternatively, you can get a copy of tomsrtbt and boot with that to find and fix the problem. (Can't remember the URL; http://lwn.net has a link from its Distributions page...)
Re: newbie question
Try www.linuxdoc.org; look for the SSL Certificates HOWTO.

On Fri, 2001-12-14 at 11:57, Murali K. Vemuri wrote:

> Well, I am a newbie trying to understand:
>
> 1. What is a certificate?
> 2. Who shall make it?
> 3. Who how to get it?
> 4. If I have my own setup, and some privileged users only should get the access to the site, how can I implement that?
> 5. And if 4 (as above) is possible, how can I achieve it?
>
> In fact, I went through the openssl documentation at openssl.org but, for my primitive knowledge, it was all Greek and Latin. Please forgive me ... and just give me a little information.
>
> regds
> murali krishna vemuri