101-OpenSSL question..

2001-12-26 Thread abce1234



 
Hi expert guys,..   :)

I'm starting a class project which requires handling a packet after encrypting it, and before transmitting it to the IP layer. I want to add a header and modify the current IP address of the packet.

The steps -- in summary -- are as follows:

**
1- Packet encryption. (I have nothing to do with it)
--
2- My work:
  Get a packet.
  Add my own header information to it.
  Modify the IP address.
  Pass it to the next layer.
--
3- Send it to TCP/IP layer for transmission (I have nothing to do with it too)
**

So I need your help to step me in the first step of this project, I need to know where to start. I downloaded the OpenSSL project, and I found 1500 files ,,!!!

So would you mind pointing me out to the files that I should start modifying and playing with.

Any information is valuable to me and appreciated  :)

Thanks a lot.

Dave.
 
 


certificate for IPsec & outlook

2001-12-26 Thread Vincent Chen


Dear all,

I was able to create a certificate for my website
successfully using openssl and this ssl-enabled
website works fine so far. Recently, I tried to create
certificates for IPsec and Outlook but both failed. I
imported my CA's certificate into w2k, but my CA never
appears in the list while configuring IPsec. The same
with Outlook: the import was ok but it always gives me a
warning while sending secure email. Is there any special
option for Windows clients while generating
certificates?

Thanks,

Vincent Chen


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



generating a certificate

2001-12-26 Thread deepak

hi
I am very new to cryptography and I was trying my hand at generating a
certificate using openssl but was not able to make one due to the absence of
any good tutorial. Could someone provide a pointer to a detailed procedure
for creating a certificate. I want to make a certificate for WebLogic
application server (just for testing), and don't want to use the services of
Verisign, etc.

Is it possible to generate a working certificate (for ssl between my client
and server) with openssl only?

thanks
 deepak



Re: Apache and SSL

2001-12-26 Thread Vadim Fedukovich

On Sat, 22 Dec 2001, Mike Brandonisio wrote:

> Hi,
>
> I wanted to post an answer to a problem I had with Apache and SSL. It took
> some time to figure this one out but here it is:
>
> PROBLEM:
> When I installed Apache and set up a virtual server for my test web site the
> standard HTTP requests worked fine and port 80 requests worked fine. However
> when I would enable SSL on the test web site it would act like the HTTP:80
> and HTTPS:443 were switched.
>
> When I'd hit the server with http://192.168.0.60 I get an error saying that
> I am trying to talk to the server on an ssl enabled port, try https. I
> thought that http was port 80. So I try https and it gives me an error "could
> not connect to host". I try https://192.168.0.60:80 and it makes an ssl
> connection. Now here is the odd part: I try http://192.168.0.60:443 and it
> makes a non-secure connection. To summarize, it looked like the server was
> talking ssl on port 80 and plain talk on port 443.
>
> RESOLUTION: (newbie brain fart)
> It turns out that you can only have 1 virtual server respond to 1 port.
> Previously I had SSL enabled on a single virtual server that was set to
> respond to port 80. To have a web site respond to HTTP:80 and HTTPS:443 you
> need two virtual servers both responding to the same IP and both using the
> same path for their root. Then set virtual server 1 to respond to HTTP:80
> and virtual server 2 to respond to HTTPS:443. Enable SSL on virtual server 2
> as well.

It's unlikely one would want to set the same path for ssl and plain-tcp
apache virtual servers. SSL is used to transport sensitive information,
and giving that out over plain tcp would be a security problem at the site
design level.

> I guess I was confused by my past experience with IIS servers. There you
> have one server that you enable SSL on.
>
> I hope this helps someone else on the list as it helped me.

I should say this stuff is apache-specific and apache is not the only
project that can be compiled with openssl. Please consider another
mailing list (I guess mod_ssl-users).

best wishes,
Vadim




Re: 101-OpenSSL question..

2001-12-26 Thread Vadim Fedukovich



On Mon, 24 Dec 2001 [EMAIL PROTECTED] wrote:

>
> Hi expert guys,..   :)
>
> I'm starting a class project which requires handling a packet after
> encrypting it, and before transmitting it to the IP layer. I want to add a
> header and modify the current IP address of the packet.
>
> The steps -- in summary -- are as follows:
>
> **
> 1- Packet encryption. (I have nothing to do with it)
> --
> 2- My work:
>   Get a packet.
>   Add my own header information to it.
>   Modify the IP address.
>   Pass it to the next layer.
> --
> 3- Send it to TCP/IP layer for transmission (I have nothing to do with it too)

These 3 steps could be done with IPsec, tunnel (subnet-to-subnet) mode.
Please consider installing FreeSWAN to handle IP packets.

good luck,
Vadim

>
> **
>
> So I need your help to step me in the first step of this project, I
> need to know where to start. I downloaded the OpenSSL project, and I
> found 1500 files ,,!!!
>
> So would you mind pointing me out to the files that I should start
> modifying and playing with.
>
> Any information is valuable to me and appreciated  :)
>
> Thanks a lot.
>
> Dave.
>
>
>




RE: 101-OpenSSL question..

2001-12-26 Thread Matthew Smith

Simple but stupid… Why don't you just capture packets coming into a box… on the lower levels of the OSI stack, modify the packet and send it to the higher levels of the OSI stack..
Why do you need to use OpenSSL… Let us know .. give me some more hints..

Regards,

Matthew Smith (MCSE,CNE,CCNA,CCIE)
TigerNET Pty Ltd

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 25 December 2001 6:22 PM
To: [EMAIL PROTECTED]
Subject: 101-OpenSSL question..

Hi expert guys,..   :)

I'm starting a class project which requires handling a packet after encrypting it, and before transmitting it to the IP layer. I want to add a header and modify the current IP address of the packet.

The steps -- in summary -- are as follows:

**
1- Packet encryption. (I have nothing to do with it)
--
2- My work:
  Get a packet.
  Add my own header information to it.
  Modify the IP address.
  Pass it to the next layer.
--
3- Send it to TCP/IP layer for transmission (I have nothing to do with it too)
**

So I need your help to step me in the first step of this project, I need to know where to start. I downloaded the OpenSSL project, and I found 1500 files ,,!!!

So would you mind pointing me out to the files that I should start modifying and playing with.

Any information is valuable to me and appreciated  :)

Thanks a lot.

Dave.

X509 extensions checking.

2001-12-26 Thread Alexey Kobozev


Hi, All!

Suppose I have an SSL server and I want to check the purpose of
the client certificate, which means that I need to check the
enhancedKeyUsage contents. What I've done is enumerated the
X509 extensions by X509_get_ext_count() and X509_get_ext(),
found the enhancedKeyUsage by OID X509_EXTENSION_get_oid_buf()
and got the X509_EXTENSION* pointer to it.

Now I need to find the specified OID in this extension, for example,
client authentication purpose with OID 1.3.6.1.5.5.7.3.1

How can I do it?

I can get the ASN1_OBJECT* by X509_EXTENSION_get_object() and
X509v3_pack_type_by_OBJ() returns me X509_EXT_PACK_UNKNOWN, so
I need to handle it like an ASN.1 octet string. At this point I'm stuck.

What to do next?

Thanks a lot.






Re: 40 / 56 bit encyption

2001-12-26 Thread Ricardo Guerra

hi all,

i've been having trouble with this piece of code, i get a segmentation fault
when reading the public key. this is the way i generated both private and
public keys.

priv Key: openssl genrsa -out priv.key 1024
pub Key: cat pub.key | openssl rsa -pubout > pub.key

does anyone have any idea about why this happens?

i'm using rh linux 6.2 with openssl 0.9.6b 9





int FOROLicense::LoadPublicKey (char *name)
{
    FILE *file;
    if ((file=fopen(name, "rb"))== NULL)
        return 0;

    pubKey=*PEM_read_RSAPublicKey(file, NULL, NULL, NULL);

    fclose (file);
    loadedPub=1;
    return loadedPub;
}
--
This email is confidential and intended solely for the use of the individual to whom 
it is addressed. Any views or opinions presented are solely those of the author and do 
not necessarily represent those of SchlumbergerSema. 
If you are not the intended recipient, be advised that you have received this email in 
error and that any use, dissemination, forwarding, printing, or copying of this email 
is strictly prohibited.
--




Re: X509 extensions checking.

2001-12-26 Thread Dr S N Henson

Alexey Kobozev wrote:
> 
> Hi, All!
> 
> Suppose I have a SSL server and I want to check the purpose of
> the client certificate, which means that I need to check the
> enhancedKeyUsage contents. What I've done is enumerated the
> X509 extensions by X509_get_ext_count() and X509_get_ext(),
> found the enhancedKeyUsage by OID X509_EXTENSION_get_oid_buf()
> and got the X509_EXTENSION* pointer on it.
> 
> Now I need to found the specified OID in this extension, for example,
> client authentication purpose with OID 1.3.6.1.5.5.7.3.1
> 
> How can I do it?
> 
> I can get the ASN1_OBJECT* by X509_EXTENSION_get_object() and
> X509v3_pack_type_by_OBJ() returns me X509_EXT_PACK_UNKNOWN, so
> I need handle it like ASN1 octet string. On this point I'm stuck.
> 
> What to do next?
> 

Err start again :-)

Purpose checking is done automatically in the newer releases of OpenSSL
as part of the client certificate verify process, including checking
extendedKeyUsage.

Several checks take place, currently documented in the x509 manual page.

If you want to perform the checks yourself you can call
X509_check_purpose() on the certificate.

If you still want to get the OIDs in extendedKeyUsage then you can call
the X509 extension routines documented in doc/openssl.txt,
X509_get_ext_d2i() will return a STACK_OF(ASN1_OBJECT) for extended key
usage. There's some documentation about manipulating an ASN1_OBJECT
structure in the older SSLeay docs in doc/ssleay.txt

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
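Steve's answer points at X509_get_ext_d2i(), which hands back the extendedKeyUsage value as a STACK_OF(ASN1_OBJECT). The following is an added example, not from this thread and not OpenSSL code, that shows what that stack is made of at the DER level: the extension value is a SEQUENCE OF OBJECT IDENTIFIER, and each OID is decoded into dotted form and compared with the purpose you are looking for. The function names (eku_has_purpose, oid_to_text) and the sample bytes are constructed for the example. One detail worth fixing in your own code: id-kp-clientAuth is 1.3.6.1.5.5.7.3.2; 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth.

```c
/* Added example: decode an extKeyUsage DER value (SEQUENCE OF OID, RFC 5280
 * 4.2.1.12) by hand and look for a key-purpose OID. Plain C, no OpenSSL. */
#include <stdio.h>
#include <string.h>

/* Decode one DER OBJECT IDENTIFIER body into dotted text.
 * Returns characters written, or -1 if the encoding is malformed. */
static int oid_to_text(const unsigned char *p, size_t len, char *out, size_t outlen)
{
    size_t i, pos = 0;
    unsigned long sub = 0;
    int first = 1, n;

    if (len == 0) return -1;
    for (i = 0; i < len; i++) {
        sub = (sub << 7) | (p[i] & 0x7f);
        if (p[i] & 0x80) continue;               /* continuation bit: keep reading */
        if (first) {
            /* the first sub-identifier packs the first two arcs as 40*X + Y */
            unsigned long x = sub < 80 ? sub / 40 : 2;
            unsigned long y = sub - 40 * x;
            n = snprintf(out + pos, outlen - pos, "%lu.%lu", x, y);
            first = 0;
        } else {
            n = snprintf(out + pos, outlen - pos, ".%lu", sub);
        }
        if (n < 0 || (size_t)n >= outlen - pos) return -1;
        pos += (size_t)n;
        sub = 0;
    }
    if (p[len - 1] & 0x80) return -1;            /* truncated sub-identifier */
    return (int)pos;
}

/* Walk the extKeyUsage value. Returns 1 if `wanted` (dotted form) is present,
 * 0 if absent, -1 on malformed DER. Short-form lengths only (< 128 bytes),
 * which covers any real-world EKU extension. */
int eku_has_purpose(const unsigned char *der, size_t len, const char *wanted)
{
    size_t i;
    char text[128];

    if (len < 2 || der[0] != 0x30 || (der[1] & 0x80) || der[1] + 2u != len)
        return -1;                               /* must be one SEQUENCE spanning `len` */
    for (i = 2; i < len; ) {
        size_t l;
        if (i + 2 > len || der[i] != 0x06 || (der[i + 1] & 0x80)) return -1;
        l = der[i + 1];
        if (i + 2 + l > len) return -1;
        if (oid_to_text(der + i + 2, l, text, sizeof text) < 0) return -1;
        if (strcmp(text, wanted) == 0) return 1;
        i += 2 + l;
    }
    return 0;
}

/* Constructed sample: extKeyUsage = { serverAuth, clientAuth } */
static const unsigned char sample_eku[] = {
    0x30, 0x14,
      0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, /* 1.3.6.1.5.5.7.3.1 serverAuth */
      0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02  /* 1.3.6.1.5.5.7.3.2 clientAuth */
};

int main(void)
{
    printf("clientAuth present:  %d\n",
           eku_has_purpose(sample_eku, sizeof sample_eku, "1.3.6.1.5.5.7.3.2"));
    printf("codeSigning present: %d\n",
           eku_has_purpose(sample_eku, sizeof sample_eku, "1.3.6.1.5.5.7.3.3"));
    return 0;
}
```

In a real server the EKU bytes come from X509_EXTENSION_get_data() on the extension found in the loop Alexey describes; with the OpenSSL API you would instead let X509_check_purpose() do this check (and the keyUsage and basicConstraints checks that go with it), which is the route Steve recommends.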




RE: X509 extensions checking.

2001-12-26 Thread Alexey Kobozev


Hi!

> Err start again :-)

Oops, sorry, I didn't see the thread about it.

> Purpose checking is done automatically in the newer releases of OpenSSL
> as part of the client certificate verify process, including checking 
>extendedKeyUsage.
>
> Several checks take place, currently documented in the x509 manual page.
>
> If you want to perform the checks yourself you can call
> X509_check_purpose() on the certificate.
>
> If you still want to get the OIDs in extendedKeyUsage then you can call
> the X509 extension routines documented in doc/openssl.txt,
> X509_get_ext_d2i() will return a STACK_OF(ASN1_OBJECT) for extended key
> usage. There's some documentation about manipulating an ASN1_OBJECT
> structure in the older SSLeay docs in doc/ssleay.txt

Thank you very much.




PEM_read_RSAPublicKey

2001-12-26 Thread Ricardo Guerra

hi all,

i've been having trouble with this piece of code, i get a segmentation fault
when reading the public key. this is the way i generated both private and
public keys.

priv Key: openssl genrsa -out priv.key 1024
pub Key: cat pub.key | openssl rsa -pubout > pub.key

does anyone have any idea about why this happens?

i'm using rh linux 6.2 with openssl 0.9.6b 9





int FOROLicense::LoadPublicKey (char *name)
{
    FILE *file;
    if ((file=fopen(name, "rb"))== NULL)
        return 0;

    pubKey=*PEM_read_RSAPublicKey(file, NULL, NULL, NULL);

    fclose (file);
    loadedPub=1;
    return loadedPub;
}




Re: PEM_read_RSAPublicKey

2001-12-26 Thread Dr S N Henson

Ricardo Guerra wrote:
> 
> hi all,
> 
> i've been having trouble with this piece of code, i get a segmentation fault
> when reading the public key. this is the way i generated both private and
> public keys.
> 
> priv Key: openssl genrsa -out priv.key 1024
> pub Key: cat pub.key | openssl rsa -pubout > pub.key
> 
> does anyone have any idea about why this happens?
> 
> i'm using rh linux 6.2 with openssl 0.9.6b 9
> 
> int FOROLicense::LoadPublicKey (char *name)
> {
>FILE *file;
>if ((file=fopen(name, "rb"))== NULL)
>  return 0;
> 
>pubKey=*PEM_read_RSAPublicKey(file, NULL, NULL, NULL);
> 
>fclose (file);
>loadedPub=1;
>return loadedPub;
> }

Not sure what the pubkey stuff is supposed to be doing. pubKey should be
declared somewhere as:

RSA *pubKey;

then call:

pubKey = PEM_read_RSA_PUBKEY(file, NULL, NULL, NULL);

(not RSAPublicKey).

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
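Steve's fix turns on the PEM label: `openssl rsa -pubout` writes a SubjectPublicKeyInfo block labelled "PUBLIC KEY", which PEM_read_RSA_PUBKEY() (or the generic PEM_read_PUBKEY()) reads, while PEM_read_RSAPublicKey() only accepts the PKCS#1 block labelled "RSA PUBLIC KEY". Hand one to the other's reader and you get NULL, and dereferencing that NULL with `*PEM_read_RSAPublicKey(...)` is the segmentation fault; whichever reader you use, test the return value before touching it. (The generation command also reads the wrong file: the shell truncates pub.key before cat opens it; `openssl rsa -in priv.key -pubout -out pub.key` is the intended form.) Below is an added example, not from this thread and not OpenSSL code, that classifies a PEM public key by label and by the DER structure inside it, so a mismatch is diagnosed before a reader is called. All function names and the toy key bytes are constructed for this example; only the OpenSSL function names quoted in strings are real.

```c
/* Added example, not from the thread: tell which OpenSSL PEM reader a public
 * key matches. Plain C, no OpenSSL; key bytes below are a toy, not a real key. */
#include <stdio.h>
#include <string.h>

enum pubkey_kind { PK_UNKNOWN = 0, PK_SPKI = 1, PK_PKCS1_RSA = 2 };

/* Minimal base64 decoder: skips whitespace, stops at '='. Bytes written or -1. */
static int b64_decode(const char *in, size_t inlen, unsigned char *out, size_t outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned long acc = 0;
    int bits = 0;
    size_t i, n = 0;

    for (i = 0; i < inlen; i++) {
        const char *q;
        char c = in[i];
        if (c == '\n' || c == '\r' || c == ' ' || c == '\t') continue;
        if (c == '=') break;
        if (c == '\0' || (q = strchr(tbl, c)) == NULL) return -1;
        acc = (acc << 6) | (unsigned long)(q - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
            acc &= (1ul << bits) - 1;            /* keep only the leftover bits */
        }
    }
    return (int)n;
}

/* Parse a DER length (short or long form). Bytes consumed, 0 if malformed. */
static size_t der_len(const unsigned char *p, size_t avail, size_t *out)
{
    size_t i, k, v = 0;
    if (avail < 1) return 0;
    if (!(p[0] & 0x80)) { *out = p[0]; return 1; }
    k = p[0] & 0x7f;
    if (k == 0 || k > sizeof(size_t) || avail < 1 + k) return 0;
    for (i = 0; i < k; i++) v = (v << 8) | p[1 + i];
    *out = v;
    return 1 + k;
}

/* Read the BEGIN label, decode the body and confirm the DER agrees with it:
 * SubjectPublicKeyInfo = SEQUENCE { SEQUENCE { OID alg, ... }, BIT STRING },
 * PKCS#1 RSAPublicKey  = SEQUENCE { INTEGER n, INTEGER e }. */
enum pubkey_kind classify_pem_public_key(const char *pem)
{
    const char *begin = strstr(pem, "-----BEGIN "), *label_end, *body, *end;
    unsigned char der[512];
    size_t l, hdr, off;
    int n;
    enum pubkey_kind by_label;

    if (begin == NULL) return PK_UNKNOWN;
    begin += 11;                                 /* skip "-----BEGIN " */
    if ((label_end = strstr(begin, "-----")) == NULL) return PK_UNKNOWN;
    if (label_end - begin == 10 && strncmp(begin, "PUBLIC KEY", 10) == 0)
        by_label = PK_SPKI;
    else if (label_end - begin == 14 && strncmp(begin, "RSA PUBLIC KEY", 14) == 0)
        by_label = PK_PKCS1_RSA;
    else
        return PK_UNKNOWN;

    body = label_end + 5;
    if ((end = strstr(body, "-----END ")) == NULL) return PK_UNKNOWN;
    n = b64_decode(body, (size_t)(end - body), der, sizeof der);
    if (n < 4 || der[0] != 0x30) return PK_UNKNOWN;          /* outer SEQUENCE */
    hdr = der_len(der + 1, (size_t)n - 1, &l);
    if (hdr == 0 || 1 + hdr + l != (size_t)n) return PK_UNKNOWN;
    off = 1 + hdr;
    if (off >= (size_t)n) return PK_UNKNOWN;

    if (by_label == PK_SPKI && der[off] == 0x30) {           /* AlgorithmIdentifier */
        size_t l2, hdr2 = der_len(der + off + 1, (size_t)n - off - 1, &l2);
        if (hdr2 && off + 1 + hdr2 < (size_t)n && der[off + 1 + hdr2] == 0x06)
            return PK_SPKI;
    } else if (by_label == PK_PKCS1_RSA && der[off] == 0x02) {
        return PK_PKCS1_RSA;
    }
    return PK_UNKNOWN;                            /* label and structure disagree */
}

/* Which reader accepts each kind; "unknown" is exactly where NULL comes back. */
const char *reader_for(enum pubkey_kind k)
{
    switch (k) {
    case PK_SPKI:      return "PEM_read_RSA_PUBKEY (or PEM_read_PUBKEY)";
    case PK_PKCS1_RSA: return "PEM_read_RSAPublicKey";
    default:           return "no reader matches: expect NULL, check it before use";
    }
}

/* Constructed samples: the SPKI form `openssl rsa -pubout` writes, and the
 * PKCS#1 form. Both wrap a toy RSAPublicKey { n = 3, e = 3 }. */
const char *sample_spki_pem = "-----BEGIN PUBLIC KEY-----\n"
    "MBowDQYJKoZIhvcNAQEBBQADCQAwBgIBAwIBAw==\n-----END PUBLIC KEY-----\n";
const char *sample_pkcs1_pem = "-----BEGIN RSA PUBLIC KEY-----\n"
    "MAYCAQMCAQM=\n-----END RSA PUBLIC KEY-----\n";

int main(void)
{
    printf("%s\n", reader_for(classify_pem_public_key(sample_spki_pem)));
    printf("%s\n", reader_for(classify_pem_public_key(sample_pkcs1_pem)));
    return 0;
}
```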



Re: Seems to be a bug with EVP_get_cipherbyname(p)

2001-12-26 Thread Dr S N Henson

> chris mollis wrote:
> 
> 
> so far so good (I hope).. when I use the function
> PEM_Read_PrivateKey(fp, null, null, null) to construct the key, it
> always returns null.  When I debugged it, I found that
> EVP_get_cipherbyname() called in PEM_get_EVP_CIPHER_INFO() always
> returns NULL when passed the encryption scheme (in this case,
> triple-des in cbc mode).
> 
> Am I doing something wrong?
> I'm using opensllv0.9.6b on Win2K.
> 

Read the FAQ.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



Re: PEM_read_RSAPublicKey

2001-12-26 Thread Ricardo Guerra

thanks :)
pubKey is supposed to be used to decrypt a string previously encrypted with
the private key (rsa_private_encrypt)..

by the way... is it possible? i have seen some code, and openssl itself,
encrypt using the public key and decrypt using the private key...

On Wednesday 26 December 2001 19:09, you wrote:
> Ricardo Guerra wrote:
> > hi all,
> >
> > i've been having trouble with this piece of code, i get a segmentation
> > fault when reading the public key. this is the way i generated both
> > private and public keys.
> >
> > priv Key: openssl genrsa -out priv.key 1024
> > pub Key: cat pub.key | openssl rsa -pubout > pub.key
> >
> > does anyone have any idea about why this happens?
> >
> > i'm using rh linux 6.2 with openssl 0.9.6b 9
> >
> > int FOROLicense::LoadPublicKey (char *name)
> > {
> >FILE *file;
> >if ((file=fopen(name, "rb"))== NULL)
> >  return 0;
> >
> >pubKey=*PEM_read_RSAPublicKey(file, NULL, NULL, NULL);
> >
> >fclose (file);
> >loadedPub=1;
> >return loadedPub;
> > }
>
> Not sure what the pubkey stuff is supposed to be doing. pubKey should be
> declared somewhere as:
>
> RSA *pubKey;
>
> then call:
>
> pubKey = PEM_read_RSA_PUBKEY(file, NULL, NULL, NULL);
>
> (not RSAPublicKey).
>
> Steve.




Question on SSL_dup...

2001-12-26 Thread Sankaran Narayanan

I am adding TLS support to one of our servers, and for some legacy reasons
I need to share the main SSL pointer across several threads. In the
dispatcher thread I use SSL_dup and then allow the worker threads to
free the dup'ed SSL object when they are done...

However, SSL_write's on the dup'ed object fail (null pointer write). A bit
of investigation using VCd reveals that the problem is in s3_pkt.c, function
do_ssl_write: the s->s3 object's write buffer is null...

Am I missing something, or is there a better way to share SSL connections
across threads? Any help is appreciated.

Sankaran Narayanan  http://www.cs.columbia.edu/~sankaran




Re: basic constraints extension

2001-12-26 Thread Averroes

Hi,

> "Schor, Bella" wrote:
> 
> HI,
> 
> can anybody please help me with using this extension? I try to create and sign
> a certificate. I define basicConstraints=CA:true, and that's ok. When I add
> (pathLengConstraint:0) I receive an error message that this name is unknown.
> What can I do to make it work?

Here is the synopsis:

basicConstraints= CA:FALSE  # for end-user certificates
basicConstraints= CA:TRUE   # for CA
basicConstraints= CA:TRUE,pathlen:2 # for CA with two sub-levels

Enjoy!



> 
> Thanks,
> Bella Schor
> VoIP CPE
> TERAYON Communication Systems LTD

-- 
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-
# Averroes A. Aysha
# Think Linux, Think Slackware!
# e-fingerprint = 63:B0:7D:A1:23:BC:25:96:AE:B7:76:36:F3:07:1F:88
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-




RE: basic constraints extension

2001-12-26 Thread Bruenner, Joerg

> can anybody please help me with using this extension? I try to create and
> sign a certificate. I define basicConstraints=CA:true, and that's ok. When
> I add (pathLengConstraint:0) I receive an error message that this name is
> unknown. What can I do to make it work?

Try pathLengthConstraint.

-- 

Joerg Bruenner

Commerzbank AG
Zentraler Servicebereich IT Development
Fachbereich Electronic Commerce
Hafenstrasse 51, D-60327 Frankfurt am Main

Tel.: +49 (0)69 136 28289, 
Fax:  +49 (0)69 136 28252
eMail: [EMAIL PROTECTED]


 