How to create a certificate
Dear team,

I have Apache 1.3.22, mod_jk and openssl-0.9.6 compiled on my machine (Red Hat Linux 6.2). I followed the documentation of mod_ssl (INSTALL). Now each time I want to create a certificate I need to go to the directory where I compiled Apache and type "make certificate". Now if I need to test my product with SSL on some other person's PC I either have to do the full apache-openssl-mod_ssl compilation or create a certificate from my PC. Is there a way I can create a certificate using openssl? (i.e.) If a person has openssl on his machine he should be able to create a certificate. This question may sound silly but I am (very) new to SSL.

Expecting a quick reply,

Thanks, Regards
E.Sriram

__
OpenSSL Project                         http://www.openssl.org
User Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                  [EMAIL PROTECTED]
HELP: making under Win32
I'm trying to compile openssl-0.9.6c under win32 without much success. I follow the instructions in INSTALL.WIN32. Here's how it goes:

(1) perl Configure VC-WIN32
    ...
    Configured for VC-WIN32.

(2) ms\do_nasm.bat

(3) nmake -f ms/ntdll.mak
    ms/ntdll.mak(239) : fatal error U1001: syntax error : illegal character '^M' in macro

The ntdll.mak file is totally screwed up. It has references for files like ./..h, paths like '.\\cryptlib.h' and even \r chars in its macros!

(4) ok, strip all \r chars and \\:
    perl -i.bak -pne 's/\r//g; s/\\\\/\\/g' ms/ntdll.mak
    nmake -f ms/ntdll.mak
    NMAKE : fatal error U1073: don't know how to make '.\cryptlib.h'

This just isn't working at all. Has anyone built openssl under Win32? (not cygwin!)

- Noel Burton-Krahn
CTO, Mercurial Communications
[EMAIL PROTECTED]
200B-1630 Store St.          phone: 250-380-2006
Victoria, BC                 cell:  250-888-0864
V8W 1V3                      fax:   250-380-2008
RE: how to add our own ssl implementation to server?
Go to http://www.modssl.org or http://www.thawte.com/whitepapers/contents.html

These are pretty good guides.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of raju
Sent: Wednesday, December 26, 2001 10:52 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: how to add our own ssl implementation to server?

Hi all,

I've implemented SSL; now I want to add this to a webserver like Apache, and a browser like Netscape (Netscape and Apache should use my SSL implementation whenever a secure connection is necessary). What do I have to do for that? I'm trying to figure out how to do it but I failed to do so.

Thanks in advance
--prl
Re: HELP: making under Win32
Noel Burton-Krahn wrote:

> I'm trying to compile openssl-0.9.6c under win32 without much success. I follow the instructions in INSTALL.WIN32. Here's how it goes:
>
> (1) perl Configure VC-WIN32
>     ...
>     Configured for VC-WIN32.
>
> (2) ms\do_nasm.bat
>
> (3) nmake -f ms/ntdll.mak
>     ms/ntdll.mak(239) : fatal error U1001: syntax error : illegal character '^M' in macro
>
> The ntdll.mak file is totally screwed up. It has references for files like ./..h, paths like '.\\cryptlib.h' and even \r chars in its macros!
>
> (4) ok, strip all \r chars and \\:
>     perl -i.bak -pne 's/\r//g; s/\\\\/\\/g' ms/ntdll.mak
>     nmake -f ms/ntdll.mak
>     NMAKE : fatal error U1073: don't know how to make '.\cryptlib.h'
>
> This just isn't working at all. Has anyone built openssl under Win32? (not cygwin!)

Yes, every version of OpenSSL is tested under VC++ before release. I tested OpenSSL 0.9.6c personally.

Sounds like a perl problem. Which version of perl are you using? I use the ActiveState version from www.activestate.com

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Problem with PKCS7 verify
I'm having a problem with PKCS7_dataVerify returning 1 (seemingly successful but displaying the following):

    depth=0 [EMAIL PROTECTED] m
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 [EMAIL PROTECTED] m
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 [EMAIL PROTECTED] m
    verify error:num=21:unable to verify the first certificate
    verify return:1

I have had this working before in another program and can't seem to figure out what I did wrong here. I took this code from crypto/pkcs7/verify.c for the most part. So what it looks like is that it's calling my callback but failing when it tries to verify the cert. I think it's the certificate chain that it is failing on, but the CA cert is in the cert store and I verified the hashed link name several times. These are also the same certs I used in the other program. The validity period looks good.

Anybody have any thoughts?

Thanks,
Frank
Re: Problem with PKCS7 verify
Frank Geck wrote:

> I'm having a problem with PKCS7_dataVerify returning 1 (seemingly successful but displaying the following):

It will do that if your callback tells it to ignore verify errors...

>     depth=0 [EMAIL PROTECTED] m
>     verify error:num=20:unable to get local issuer certificate
>     verify return:1
>     depth=0

This means it can't find a valid issuer certificate either in the message or the trusted store. All the other messages are bogus due to the callback overriding errors.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Problem with PKCS7 verify
Steve,

Thanks. How did I tell it to ignore verify errors? I did not do that on purpose, to my understanding. Well, I put the CA cert in the store with a link to the hashed name, also with a .0 after it. This worked on another program that I did, but I seem to be having a problem now. If you don't mind, could you look at the piece of code that I have doing this and see if you see any problems (attached)?

Thanks,
Frank

Dr S N Henson wrote:

> Frank Geck wrote:
>
> > I'm having a problem with PKCS7_dataVerify returning 1 (seemingly successful but displaying the following):
>
> It will do that if your callback tells it to ignore verify errors...
>
> >     depth=0 [EMAIL PROTECTED] m
> >     verify error:num=20:unable to get local issuer certificate
> >     verify return:1
> >     depth=0
>
> This means it can't find a valid issuer certificate either in the message or the trusted store. All the other messages are bogus due to the callback overriding errors.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Gemplus: http://www.gemplus.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.

Attachments: pkcs7_dec.cpp, verify_callback.cpp
Re: Problem with PKCS7 verify
Frank Geck wrote:

> Steve,
>
> Thanks. How did I tell it to ignore verify errors? I did not do that on purpose, to my understanding.

Well, there's a tendency to copy some of the verify callback examples in various files from OpenSSL. These are largely there for debugging purposes and to give more information about errors. These will typically return 1 in some or all circumstances when the supplied 'ok' parameter is zero. From your example:

    if (!ok) {
        BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
                   X509_verify_cert_error_string(err));
        if (depth < 6) {
            ok = 1;
            X509_STORE_CTX_set_error(ctx, X509_V_OK);
        }
    ...

This is actually rather dangerous for real purposes in that it's telling the verify code to ignore all errors below a certain depth, effectively allowing any certificate (or chain) to be considered valid.

Unless you want to customize certificate verification in some way you rarely need a verify callback at all.

> Well, I put the CA cert in the store with a link to the hashed name, also with a .0 after it. This worked on another program that I did, but I seem to be having a problem now. If you don't mind, could you look at the piece of code that I have doing this and see if you see any problems (attached)?

Is there some reason you can't use PKCS7_verify()? It's somewhat simpler to use than the low level stuff.

Also try verifying the structure using the 'smime' application. If you can get it working with that it should be OK.

Also you can use the openssl utilities 'pkcs7' (to extract certificates) and 'verify' to see if you can get the certificate to verify. Usually the cause of such errors is that the root CA isn't included or can't be found in the trusted certificate store.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Problem with PKCS7 verify
Thanks. Well, I did not use PKCS7_verify() because I could not find examples using it. Since you wrote it I guess you might have some examples? As you know, lots of this is undocumented and it's hard to figure out what to use.

Thanks,
Frank

Dr S N Henson wrote:

> Frank Geck wrote:
>
> > Steve,
> >
> > Thanks. How did I tell it to ignore verify errors? I did not do that on purpose, to my understanding.
>
> Well, there's a tendency to copy some of the verify callback examples in various files from OpenSSL. These are largely there for debugging purposes and to give more information about errors. These will typically return 1 in some or all circumstances when the supplied 'ok' parameter is zero. From your example:
>
>     if (!ok) {
>         BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
>                    X509_verify_cert_error_string(err));
>         if (depth < 6) {
>             ok = 1;
>             X509_STORE_CTX_set_error(ctx, X509_V_OK);
>         }
>     ...
>
> This is actually rather dangerous for real purposes in that it's telling the verify code to ignore all errors below a certain depth, effectively allowing any certificate (or chain) to be considered valid.
>
> Unless you want to customize certificate verification in some way you rarely need a verify callback at all.
>
> > Well, I put the CA cert in the store with a link to the hashed name, also with a .0 after it. This worked on another program that I did, but I seem to be having a problem now. If you don't mind, could you look at the piece of code that I have doing this and see if you see any problems (attached)?
>
> Is there some reason you can't use PKCS7_verify()? It's somewhat simpler to use than the low level stuff.
>
> Also try verifying the structure using the 'smime' application. If you can get it working with that it should be OK.
>
> Also you can use the openssl utilities 'pkcs7' (to extract certificates) and 'verify' to see if you can get the certificate to verify. Usually the cause of such errors is that the root CA isn't included or can't be found in the trusted certificate store.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Gemplus: http://www.gemplus.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Problem with PKCS7 verify
Frank Geck wrote:

> Thanks. Well, I did not use PKCS7_verify() because I could not find examples using it. Since you wrote it I guess you might have some examples? As you know, lots of this is undocumented and it's hard to figure out what to use.

Well, currently there's the stuff in apps/smime.c

The function is pretty simple to use:

    int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                     BIO *indata, BIO *out, int flags);

p7 is the PKCS#7 structure to verify.

certs is some optional additional certificates which will be searched to find the signer's certificate, normally NULL.

store is a trusted certificate store.

indata is the signed data (if not included in the PKCS#7 structure).

out is a BIO to write the data to.

flags is various flags, normally set to 0.

I'll look into adding some docs for this stuff.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
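The following script is an added example, not code from any of the posts above or from the OpenSSL project. It walks through the openssl command-line steps that both the "How to create a certificate" question at the top of this page and the PKCS7 verify thread touch on: creating a CA and a leaf certificate with nothing but the openssl binary, laying the CA out in the hashed-link (<hash>.0) directory format that X509_STORE lookups expect, then running the 'verify', 'pkcs7' and 'smime' checks Steve recommends. The names "Example Test CA" and "signer@example.invalid", the sample payload, and the scratch-directory layout are all constructed for the example. The last check uses smime -verify -noverify, which accepts the signer without any chain validation, to show at the CLI level what a verify callback that always returns 1 does inside a program.

```shell
#!/bin/sh
# Added example (not code from any post on this list): create certificates with
# the openssl CLI alone, build a hashed-link trust store, sign sample data as
# PKCS#7 and verify it with and without the CA. All names are constructed.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl binary not found" >&2; exit 1; }

WORK=$(mktemp -d)                # scratch directory for keys, certs and data
cleanup() { rm -rf "$WORK"; }
trap cleanup EXIT

# 1. A throwaway self-signed CA and a leaf certificate issued by it. No Apache
#    or mod_ssl build tree is needed, only the openssl binary.
make_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=signer@example.invalid" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/signer.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/signer.crt" >/dev/null 2>&1
}

# 2. Trusted-certificate directory in the <subject-hash>.0 layout that
#    X509_STORE directory lookups (and -CApath) expect, plus an empty one.
make_store() {
  mkdir -p "$WORK/certs" "$WORK/empty"
  cp "$WORK/ca.crt" "$WORK/certs/$(openssl x509 -noout -hash -in "$WORK/ca.crt").0"
}

# 3. Chain verification of the leaf; "OK" appears only if the CA is found.
verify_leaf()       { openssl verify -CApath "$WORK/certs" "$WORK/signer.crt" 2>&1 | grep -q ': OK'; }
verify_leaf_no_ca() { openssl verify -CApath "$WORK/empty" "$WORK/signer.crt" 2>&1 | grep -q ': OK'; }

# 4. Sign constructed data into an opaque (embedded-content) PKCS#7 structure,
#    written as PEM so it can be inspected with 'openssl pkcs7'.
sign_data() {
  printf 'constructed sample payload\n' > "$WORK/data.txt"
  openssl smime -sign -binary -nodetach -in "$WORK/data.txt" -signer "$WORK/signer.crt" \
    -inkey "$WORK/signer.key" -outform PEM -out "$WORK/data.p7m" >/dev/null 2>&1
}

# 5. Certificates carried inside the PKCS#7 (the first place a signer is looked for).
count_embedded_certs() {
  openssl pkcs7 -inform PEM -in "$WORK/data.p7m" -print_certs -noout 2>/dev/null | grep -c '^subject'
}

# 6. PKCS7_verify-equivalent checks. With the CA present the signature and the
#    chain pass; with an empty store the chain fails (the error 20/21 case from
#    the original post). -noverify mirrors a callback that returns 1 on every
#    error: the signer certificate is accepted with no chain check at all.
verify_smime()          { openssl smime -verify -inform PEM -in "$WORK/data.p7m" -CAfile "$WORK/ca.crt" -out "$WORK/verified.txt" >/dev/null 2>&1; }
verify_smime_no_ca()    { openssl smime -verify -inform PEM -in "$WORK/data.p7m" -CApath "$WORK/empty" -out /dev/null >/dev/null 2>&1; }
verify_smime_noverify() { openssl smime -verify -noverify -inform PEM -in "$WORK/data.p7m" -CApath "$WORK/empty" -out /dev/null >/dev/null 2>&1; }

report() { if "$1"; then echo "$2: success"; else echo "$2: failure"; fi; }

run_demo() {
  make_certs
  make_store
  sign_data
  report verify_leaf           "openssl verify, CA in hashed store"
  report verify_leaf_no_ca     "openssl verify, empty store (failure expected)"
  report verify_smime          "smime -verify with -CAfile"
  report verify_smime_no_ca    "smime -verify, empty store (failure expected)"
  report verify_smime_noverify "smime -verify -noverify, empty store (passes anyway)"
  echo "certificates embedded in the PKCS#7: $(count_embedded_certs)"
}

run_demo
```

Run it with `sh script.sh`; every artefact lives under a mktemp directory that is removed on exit. The two "failure expected" lines are the useful ones: a store that does not contain the issuing CA must make verification fail, and the only way to get a "success" there is to switch off chain checking, which is exactly what the always-return-1 callback quoted earlier in the thread does.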
openssl on ipv6
...I suppose right now openssl does not natively provide support for IPv6... Is there a plan to add one? Or, if I want to enable IPv6 support, is writing a BIO the correct thing to do?

Comments appreciated.

---
Sankaran Narayanan
http://www.cs.columbia.edu/~sankaran
Re: openssl on ipv6
From: Sankaran Narayanan [EMAIL PROTECTED]

sankaran> ...I suppose right now openssl does not natively provide support
sankaran> for IPv6... Is there a plan to add one? Or, if I want to enable IPv6
sankaran> support, is writing a BIO the correct thing to do?

Either change the appropriate BIOs or make your own similar one that's specific to IPv6.

--
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA   \ T: +46-8-26 52 47
                  \ SWEDEN            \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/
Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.