public key info
Hello, I'm just not sure about something... say I generate a certificate (a signed cert request using a self-signed cert) and the resulting certificate is newcert.pem. Will this newcert.pem contain both a private and a public key? If so, can I extract the public key contents from this .pem file? I would appreciate some guidance on this. Thank you all.

- H. Chan
Re: Help with PEM_write_PKCS7
Nicolas,

make sure that you compile your program so that it uses the correct runtime environment. For this, check the following setting:

  Project Settings, tab C/C++, Category = Code generation, Option = Use run-time library

If your program uses the release build of the OpenSSL libraries, set this to "Multithreaded DLL". If you're using debug builds of the OpenSSL libraries, set this to "Debug Multithreaded DLL". Recompile your application; it should work fine now.

For more info, see the OpenSSL FAQ: http://www.openssl.org/support/faq.html#PROG2

Steve

Nicolas Chelebifski wrote:
> Hi everyone,
> Under Windows 2000 with VC++ 6, I have the following example program which always crashes when it calls the PEM_write_PKCS7 function. But the same program works well under the Unix (Solaris 2.7) environment. The error message is:
>
> --- Unhandled exception in myProg.exe (NTDLL.DLL): 0xC005: Access Violation ---
>
> Has anyone had the same experience?
> Thanks in advance,
> Nicolas Chelebifski.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
RE: FW: how to port openssl for win-ce for pocket pcs
Yeah, me too, as far as a PalmOS port. The crypto libraries basically work, though they're not optimized. SSL OTOH is a completely different story. Like you, I don't have a need for it anymore, and as such it has taken a back burner.

- Max

On Thu, 11 Apr 2002, Steven Reddie wrote:
> I started a port some time ago, but I didn't end up needing it and I haven't found the time to finish it. It's something I'd like to get done as there seems to be some demand for it, but it's a matter of priorities. If anyone wants to sponsor the work I'd be happy to continue.
>
> Regards,
> Steven
>
> -----Original Message-----
> From: Leendert Meyer
> Sent: Thursday, 11 April 2002 5:30 PM
> Subject: Re: FW: how to port openssl for win-ce for pocket pcs
>
> > Can any one tell me how to port openssl on win-ce based pocket pcs.
>
> Hi Aslam,
>
> I posted a similar question a while back. It seems though, that either there is no need for it (which I find hard to believe), or that it is just too huge a task to undertake. It is very unfortunate since the crypto libraries that Microsoft provides come with non-existent documentation. If anyone can provide a solution for crypto libraries on Windows CE (Pocket PC), please let us know.
>
> Kind regards,
> Leendert.
Re: SHA256/512
On Wed, Apr 10, 2002 at 11:08:24PM -0700, Aleksey Sanin wrote:
> Just wonder why OpenSSL has no SHA256/512 support (grep -i sha `find . -name *` | grep 256 in openssl-0.9.7-stable-SNAP-20020319 returns only a bunch of *_AES_256_SHA references)? Does there exist any reason or simply nobody had time (or interest) to do it? What is the current state?

I checked out the NIST pages and found a draft and comments. One of the comments included a proposed change to the algorithm. Is the algorithm now really fixed? I don't think it would be a good idea to include it before it is clear that it will stay unchanged. (0.9.7 is in feature freeze, so it won't be added before 0.9.8.)

Best regards,
Lutz
--
Lutz Jaenicke   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Re: SHA256/512
AFAIK, the last fix was made back in October and it addressed an attack related to the random number generator. I am not sure I have any fresh insider information on the topic :) The problem is that SHA256 and greater have become required in other standards (XML Encryption, for example). And a quick search showed that there is no solid open source implementation yet.

Aleksey Sanin.

Lutz Jaenicke wrote:
> I checked out the NIST pages and found a draft and comments. One of the comments included a proposed change to the algorithm. Is the algorithm now really fixed? I don't think it would be a good idea to include it before it is clear that it will stay unchanged. (0.9.7 is in feature freeze, so it won't be added before 0.9.8.) [...]
Re: SHA256/512
On Thu, Apr 11, 2002 at 02:01:51AM -0700, Aleksey Sanin wrote:
> AFAIK, the last fix was made back in October and it addressed an attack related to the random number generator. [...] The problem is that SHA256 and greater have become required in other standards (XML Encryption, for example). And a quick search showed that there is no solid open source implementation yet.

As far as my research goes, XML Encryption is also still a draft standard. I agree that SHA-2 will be a worthwhile (and required) extension. There exist open source implementations, but I have not looked into this issue yet, so I cannot give any statement about the quality.

Best regards,
Lutz
Re: public key info
On Thu, 11 Apr 2002 15:56:52 +0800, Howard Chan wrote:
> I'm just not sure about something... say I generate a certificate (a signed cert request using a self-signed cert) and the resulting certificate is newcert.pem. Will this newcert.pem contain both a private and a public key? If so, can I extract the public key contents from this .pem file?

Of course not. Where would it get the private key from in the first place? It's private and belongs to the cert's owner, not the CA.

DS
Fwd: [BUG suggested PATCH] EVP_DecodeUpdate 0.9.6b 0.9.6c
This is a forwarded message
From: Pavel Tsekov
To: [EMAIL PROTECTED]
Date: Thursday, April 11, 2002, 12:39:59 PM
Subject: [BUG suggested PATCH] EVP_DecodeUpdate 0.9.6b 0.9.6c

It seems the original message could not make its way to the mailing list, so I am forwarding it.

===8==Original message text===
[...]
===8===End of original message text===

encode.c.patch  Description: Binary data
bio.cpp         Description: Binary data
[BUG suggested PATCH] EVP_DecodeUpdate 0.9.6b 0.9.6c
Hello, there! :)

My colleague Nedelcho Stanev and myself have identified what we would think to be a bug (or a flaw) in the EVP_DecodeUpdate() routine. We were trying to read base64 encoded data with the base64 BIO which has the 'next' member pointed to a membuf BIO in which we write the encoded data. So far so good... Eventually it turned out that some of the data we pass to the BIO chain is properly decoded while other is not - or, more properly would be to say, partially decoded.

We tried to debug the problem and here is what we have found: the EVP_DecodeUpdate() routine erroneously returns 0 (EOF) if the buffer passed to it ends with CRLF and EVP_DecodeBlock() has just processed the data up to the ending CRLF.

Attached is a patch and a testcase. I tried to follow the coding style and to make the change not intrusive :) though it's a very small change :)

Here is how to reproduce:
1. Base64 encode a file, let's say 200kb
2. unix2dos the output
3. Use the attached testcase to decode the file

encode.c.patch  Description: Binary data
bio.cpp         Description: Binary data
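The failure mode Pavel describes (a decoder that mistakes a CRLF at the end of a buffer for the end of the data) is easy to reproduce with a small streaming decoder. The Python below is an added example, not the attached patch or testcase and not OpenSSL's code: `Base64Stream` decodes base64 that arrives in arbitrary chunks and treats line breaks as skippable wherever they fall, while `naive_decode_chunks` is a constructed model of only the reported symptom. The 76-column CRLF input produced by `crlf_lines` is constructed to mimic what unix2dos does to encoder output.

```python
import base64

_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")
_WHITESPACE = frozenset(b" \t\r\n")


class Base64Stream:
    """Decodes base64 delivered in arbitrary chunks (the situation of a BIO chain
    feeding a decode routine). Only the '=' padding of the final group marks the
    end of data; line breaks, wherever a chunk boundary puts them, are skipped."""

    def __init__(self) -> None:
        self._pending = bytearray()   # symbols that do not yet form a 4-symbol group
        self.finished = False         # set once the padded final group has been seen

    def update(self, chunk: bytes) -> bytes:
        for b in chunk:
            if b in _WHITESPACE:
                continue              # CRLF at a chunk boundary is NOT end-of-stream
            if self.finished:
                raise ValueError("data after final padding")
            if b != 0x3D and b not in _ALPHABET:   # 0x3D is '='
                raise ValueError(f"illegal base64 byte {b:#04x}")
            self._pending.append(b)
        usable = len(self._pending) - len(self._pending) % 4
        ready, self._pending = bytes(self._pending[:usable]), self._pending[usable:]
        if ready.endswith(b"="):
            self.finished = True
        return base64.b64decode(ready, validate=True) if ready else b""

    def final(self) -> bytes:
        if self._pending:
            raise ValueError("input ended mid-group (truncated base64)")
        return b""


def decode_chunks(chunks) -> bytes:
    """Drive Base64Stream over a sequence of chunks and return everything decoded."""
    dec = Base64Stream()
    out = bytearray()
    for chunk in chunks:
        out += dec.update(chunk)
    out += dec.final()
    return bytes(out)


def naive_decode_chunks(chunks) -> bytes:
    """Constructed model of the misbehaviour described in the report (not the real
    EVP_DecodeUpdate code): a chunk ending in CRLF is taken as EOF, so the caller
    gets a partially decoded result. Assumes each chunk holds whole 4-symbol
    groups, as line-sized chunks do."""
    out = bytearray()
    for chunk in chunks:
        out += base64.b64decode(b"".join(chunk.split()))
        if chunk.endswith(b"\r\n"):
            break                     # the reported bug: CRLF read as end of data
    return bytes(out)


def crlf_lines(data: bytes) -> list:
    """Constructed input: base64 in 76-column lines with DOS line endings, one line
    per chunk (what unix2dos plus a line-oriented reader would deliver)."""
    return base64.encodebytes(data).replace(b"\n", b"\r\n").splitlines(keepends=True)


if __name__ == "__main__":
    sample = bytes(range(256)) * 3 + b"tail"          # 772 bytes, so the last group is padded
    lines = crlf_lines(sample)
    print("robust decoder recovered", len(decode_chunks(lines)), "of", len(sample), "bytes")
    print("naive decoder recovered ", len(naive_decode_chunks(lines)), "bytes before the first CRLF")
```

Feeding the same bytes in 5-byte slices (so that 4-symbol groups and the CRLF pairs themselves are split across chunks) reassembles to the same output, which is the property a streaming decoder has to provide regardless of how the BIO in front of it buffers.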
Error when signing a certificate
Hi,

I am trying to do an SSL certificate to use TLS/SSL encryption with Qpopper. I read the doc and I created a certificate request successfully but it seems that when I try to sign it, it crashes with a serious error, here's the output:

[bob@domain]# openssl ca -in req.pem -out signed_req.pem
Using configuration from /usr/share/ssl/openssl.cnf
./demoCA/private/cakey.pem: No such file or directory
trying to load CA private key
14403:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('./demoCA/private/cakey.pem','r')
14403:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:

I am running OpenSSL 0.9.6b-8 on RH7.2.

Thanks for your help!
Charles
error:00000001:lib(0):func(0):reason(1)
We have an SSL application that works great on Linux and Windows NT. After porting to Solaris (compiled on Solaris 2.6 with Sun cc) we got the following error from the SSL handshake:

error:0001:lib(0):func(0):reason(1)

An SSL dump reveals that the client has closed the socket after ServerHelloDone. I used Google to search, got 10 or so hits, all of them were stale links. Any idea what might cause this error? Here's the output from ssldump:

===
[root@risken root]# ssldump port 15002
Kernel filter, protocol ALL, raw packet socket
New TCP connection #1: assar.it.volvo.se(33499) <-> risken.it.volvo.se(15002)
1 1  0.0018 (0.0018)  C>S  Handshake
      ClientHello
        Version 3.0
        cipher suites
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_DSS_WITH_RC4_128_SHA
        SSL_RSA_WITH_IDEA_CBC_SHA
        SSL_RSA_WITH_RC4_128_SHA
        SSL_RSA_WITH_RC4_128_MD5
        SSL_DHE_DSS_WITH_RC2_56_CBC_SHA
        SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
        SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
        SSL_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
        SSL_RSA_EXPORT1024_WITH_RC4_56_MD5
        SSL_DHE_RSA_WITH_DES_CBC_SHA
        SSL_DHE_DSS_WITH_DES_CBC_SHA
        SSL_RSA_WITH_DES_CBC_SHA
        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
        SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        SSL_RSA_EXPORT_WITH_RC4_40_MD5
        compression methods
                  NULL
1 2  0.0022 (0.0003)  S>C  Handshake
      ServerHello
        Version 3.0
        session_id[0]=
        cipherSuite         SSL_RSA_WITH_3DES_EDE_CBC_SHA
        compressionMethod                   NULL
1 3  0.0022 (0.)  S>C  Handshake
      Certificate
1 4  0.0022 (0.)  S>C  Handshake
      CertificateRequest
        certificate_types   rsa_sign
        certificate_types   dss_sign
        certificate_authority
          30 81 9a 31 0b 30 09 06 03 55 04 06 13 02 53 45 31 0c 30 0a 06 03 55 04 08 13 03 4e 2f 41 31 13 30 11 06 03 55 04 07 13 0a 47 6f 74 68 65 6e 62 75 72 67 31 11 30 0f 06 03 55 04 0a 13 08 56 6f 6c 76 6f 20 49 54 31 1f 30 1d 06 03 55 04 0b 13 16 56 43 4f 4d 20 64 65 76 65 6c 6f 70 6d 65 6e 74 20 67 72 6f 75 70 31 12 30 10 06 03 55 04 03 13 09 56 43 4f 4d 20 74 65 73 74 31 20 30 1e 06 09 2a 86 48 86 f7 0d 01 09 01 16 11 76 63 6f 6d 64 65 76 40 76 6f 6c 76 6f 2e 63 6f 6d
      ServerHelloDone
1    0.0122 (0.0099)  C>S  TCP FIN
1    0.0125 (0.0003)  S>C  TCP FIN

Raimo Kangassalo
Volvo Information Technology
Dept 2570, HD1S
SE-405 08 Gothenburg, Sweden
Telephone: +46 31 669721
Re: Error when signing a certificate
Hello Charles,

Thursday, April 11, 2002, 3:38:44 PM, you wrote:

CH> Hi, I am trying to do an SSL certificate to use TLS/SSL encryption with Qpopper. I read the doc and I created a certificate request successfully but it seems that when I try to sign it, it crashes
CH> with a serious error, here's the output:
CH> [bob@domain ]# openssl ca -in req.pem -out signed_req.pem
CH> Using configuration from /usr/share/ssl/openssl.cnf
CH> ./demoCA/private/cakey.pem: No such file or directory
CH> trying to load CA private key
CH> 14403:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('./demoCA/private/cakey.pem','r')
CH> 14403:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247:

What's so serious here? It just cannot find a file? Have you checked that the file it complains about really exists? I see it uses a relative path to look for the CA key - maybe you have an erroneous configuration file?
Re: Error when signing a certificate
It's OK, it looked serious because of the .c file thing. I fixed my problem, I just created a test certificate, sorry.

Charles

----- Original Message -----
From: Pavel Tsekov
To: Charles Hamel
Sent: Thursday, April 11, 2002 9:56 AM
Subject: Re: Error when signing a certificate

> Hello Charles,
> [...]
> What's so serious here? It just cannot find a file? Have you checked that the file it complains about really exists? I see it uses a relative path to look for the CA key - maybe you have an erroneous configuration file?
Re: Error when signing a certificate
Hi,

I got the same error the first time I ran OpenSSL. I don't know if it's the same error for you, but for me it was just an error in my config file. Look for the following line in the [ CA_default ] part of the config file:

  private_key= $dir/private/privkey.pem # CA private key

Make sure there is a space between .pem and the comment. It worked for me... Hope it'll help you!

Regards,
Philippe

On Thu, 2002-04-11 at 15:38, Charles Hamel wrote:
> Hi, I am trying to do an SSL certificate to use TLS/SSL encryption with Qpopper. I read the doc and I created a certificate request successfully but it seems that when I try to sign it, it crashes with a serious error [...]
> ./demoCA/private/cakey.pem: No such file or directory
> trying to load CA private key
> [...]
> I am running OpenSSL 0.9.6b-8 on RH7.2.

--
Philippe Camus - Unix Administrator
In-Fusio  http://www.in-fusio.com/  The mobile game connection
Le Millenium 12 Quai de Queyries 33072 Bordeaux Cedex France
Tel : +33 (0) 557 773 800 Ext.3846   Fax : +33 (0) 556 400 548
Adding Application Attributes to X509 Certificates?
Hello,

I have searched the mailing list archives and cannot seem to find a specific answer to a very high-level question. Is there a method for adding (and retrieving) application-specific attributes to an SSL certificate using OpenSSL? Specifically, I would like to add a collection of attributes to certificates that I will be issuing in order to tie a set of application permissions to each certificate.

I have managed to add attributes to CSRs by creating new OIDs in the openssl config file and filling them in during CSR creation. Calling:

  openssl req -noout -text -in csr.pem

displays the custom attributes in the Attributes: section of the text display. However I'm not certain that this is the appropriate way to achieve this function. Additionally, I am unsure of how to retrieve these attributes after the requests have been signed and turned into certificates. Displaying the certificate using:

  openssl x509 -noout -text -in crt.pem

does not display the attributes as they were shown in the CSR.

Any hints, pointers, or (dare I dream to be so lucky) sample code will be much appreciated.

Thank you,
~brian skrab
using X.509 certificates in Ckermit 8.0
I know this is sort of off topic... but I wanted to see if anyone on the list has used the X.509 (PEM) certificates in the newest C-Kermit 8.0 FTP client. Not exactly sure where to import them into Kermit so the cert can be used by the FTP server. Thanks..
Re: Adding Application Attributes to X509 Certificates?
In message [...] on Thu, 11 Apr 2002 19:10:00 +0500, Brian Skrab said:

brian.skrab>   openssl x509 -noout -text -in crt.pem
brian.skrab>
brian.skrab> does not display the attributes as they were shown in the CSR.
brian.skrab>
brian.skrab> Any hints, pointers, or (dare I dream to be so lucky)
brian.skrab> sample code will be much appreciated.

In http://www.openssl.org/docs/apps/ca.html, read up on the configuration setting copy_extensions. Note: that feature is very new, as far as I remember only available in 0.9.7-dev.

--
Richard Levitte   \ Spannvägen 38, II \ Redakteur@Stacken
                  \ S-168 35 BROMMA   \ T: +46-8-26 52 47
                   \ SWEDEN            \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Effective time for verification
I would like to specify an effective time for openssl to use when verifying S/MIME messages, so that I can override my system clock when checking the validity period.

I tried adding an (eww) global variable called effective_time which is -1 by default and can be set with a command line option. All the parts of OpenSSL that get the current time will check this variable, and if it's not -1, will use its value in place of time(NULL). However, I've had trouble putting a variable into global scope because of the modular nature of OpenSSL.

Suggestions on The Right Way to do this? Ideally I'd like to not use a global variable.

--
Mike Schiraldi
VeriSign Applied Research
Re: Effective time for verification
On Tue, Feb 26, 2002 at 06:02:25PM -0500, Mike Schiraldi wrote:
> I would like to specify an effective time for openssl to use when verifying S/MIME messages, so that I can override my system clock when checking the validity period. [...]
> Suggestions on The Right Way to do this? Ideally I'd like to not use a global variable.

Do you think of the openssl smime command line utility only? Or do you request an extension for the internal verification API as a whole?

Best regards,
Lutz
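One way to answer Lutz's API-level question without a global is to thread a parameter object through the verification calls: the check receives the time it should evaluate against, and "no override" means the wall clock. The Python below is an added example, not Mike's patch and not OpenSSL's code; it also decodes the two ASN.1 Time encodings a certificate's Validity field may use, including the RFC 5280 two-digit-year pivot for UTCTime, since an overridden time is only useful once the certificate's own dates are interpreted correctly. NOT_BEFORE and NOT_AFTER are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

UTCTIME, GENERALIZEDTIME = 0x17, 0x18        # ASN.1 universal tags used in Validity


def parse_x509_time(tag: int, value: bytes) -> datetime:
    """Decode a DER Time value (tag plus raw content) into an aware UTC datetime."""
    text = value.decode("ascii")
    if not text.endswith("Z"):
        raise ValueError("X.509 Time must be expressed in UTC ('Z')")
    if tag == UTCTIME:                          # YYMMDDHHMMSSZ
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 4.1.2.5.1 pivot
        rest = text[2:-1]
    elif tag == GENERALIZEDTIME:                # YYYYMMDDHHMMSSZ
        year, rest = int(text[:4]), text[4:-1]
    else:
        raise ValueError(f"tag {tag:#x} is not a Time")
    if len(rest) != 10 or not rest.isdigit():
        raise ValueError(f"malformed Time {text!r}")
    return datetime(year, int(rest[0:2]), int(rest[2:4]),
                    int(rest[4:6]), int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


@dataclass(frozen=True)
class VerifyParams:
    """Per-verification settings handed down the call chain instead of a global.
    check_time=None means 'use the clock'; anything else overrides it."""
    check_time: Optional[datetime] = None

    def now(self) -> datetime:
        return self.check_time or datetime.now(timezone.utc)


def check_validity(not_before: Tuple[int, bytes], not_after: Tuple[int, bytes],
                   params: VerifyParams = VerifyParams()) -> Tuple[bool, str]:
    """Return (ok, reason) for a Validity period evaluated at params.now()."""
    start, end = parse_x509_time(*not_before), parse_x509_time(*not_after)
    if start > end:
        return False, "notBefore is after notAfter"
    now = params.now()
    if now < start:
        return False, f"not yet valid (valid from {start.isoformat()})"
    if now > end:
        return False, f"expired (valid until {end.isoformat()})"
    return True, "within validity period"


# constructed sample: a one-year certificate issued on the day of this thread
NOT_BEFORE = (UTCTIME, b"020411000000Z")
NOT_AFTER = (UTCTIME, b"030411000000Z")

if __name__ == "__main__":
    print(check_validity(NOT_BEFORE, NOT_AFTER))                      # wall clock: expired
    when = datetime(2002, 6, 1, tzinfo=timezone.utc)
    print(check_validity(NOT_BEFORE, NOT_AFTER, VerifyParams(when)))  # overridden: ok
```

Because the override travels with the call rather than living in process-wide state, two verifications in the same program can use different times, and library code stays testable without touching the system clock. Later OpenSSL releases took this route as well: X509_VERIFY_PARAM_set_time() and the -attime option of openssl verify set the verification time per call.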
Re: using X.509 certificates in Ckermit 8.0
> I know this is sort of off topic... but I wanted to see if anyone on the list has used the X.509 (PEM) certificates in the newest C-Kermit 8.0 FTP client. Not exactly sure where to import them into Kermit so the cert can be used by the FTP server.

Read http://www.kermit-project.org/security.html

  SET AUTH TLS DSA-CERT-FILE
  SET AUTH TLS DSA-CERT-KEY
  SET AUTH TLS RSA-CERT-FILE
  SET AUTH TLS RSA-CERT-KEY

Jeffrey Altman * Sr. Software Designer      C-Kermit 8.0 available now!!!
The Kermit Project @ Columbia University    includes Telnet, FTP and HTTP
http://www.kermit-project.org/              secured with Kerberos, SRP, and
                                            OpenSSL. Interfaces with OpenSSH
Trust
Hi All

I've created a server certificate and configured Apache with mod_ssl and everything seems to work well. However, as it's a self-signed certificate, the browser insists on popping up a warning to the user each time they visit the site - even if they've installed the certificate (in IE it will only install in the personal list, not the Trusted Root CA list, even though it says it was successfully imported).

What do users (or I) need to do to make sure that they don't get the warning pop-up each visit to the site (assuming, of course, that they want to trust my certificate)?

Thanks
Steve
[no subject]
Hi,

I am trying to compile OpenSSL on Windows 2000 Server. I have downloaded OpenSSL from a link pointed to by openCA.org (right now the site is not responding so I am not able to give you the link here) and did the following:

  perl Configure VC-WIN32 --prefix=(dir)
  ms\do_ms
  set PATH=%PATH%;c:\progra~1\DevStudio\VC\bin;c:\progra~1\devstudio\SharedIDE\bin;
  set INCLUDE=c:\progra~1\devstudio\vc\include
  set LIB=c:\progra~1\devstudio\vc\lib
  nmake /f ms\ntdll.mak

and I am getting the following error:

  LIBEAY32.def : error LNK2001: unresolved external symbol EVP_dev_crypto_des_ede3_cbc
  LIBEAY32.def : error LNK2001: unresolved external symbol EVP_dev_crypto_md5
  LIBEAY32.def : error LNK2001: unresolved external symbol EVP_dev_crypto_rc4
  LIBEAY32.def : error LNK2001: unresolved external symbol des_release_key
  out32dll\libeay32.lib : fatal error LNK1120: 4 unresolved externals
  LINK : fatal error LNK1141: failure during build of exports file
  NMAKE : fatal error U1077: 'link' : return code '0x475'
  Stop.

Could somebody please tell me what mistake I am making?

Thanks
Rakesh
Re: Adding Application Attributes to X509 Certificates?
Richard,

Thank you for your quick reply. The addition of the attributes to the certificate does not need to take place in the signing request. In fact, it should actually take place when the CSR is turned into a certificate. Is there a way (using OpenSSL 0.9.6c) for the CA to add extensions to the certificate at the time that it is signed?

I have added custom OIDs to the configuration file, and have created a section called [ extensions ] in which I list the new objects, but when I call:

  openssl ca -keyfile cakey.pem -in csr.pem \
      -extensions extensions -out crt.pem

I receive an error that reads:

  Error Loading extension section extensions
  903:error:2207C081:X509 V3 routines:DO_EXT_CONF:unknown extension:v3_conf.c:125:
  903:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:91:name=MyAttribute, value=MyValue

Is there something else I must do before I can use these attributes in an extensions section?

Thanks again for your help,
~brian skrab

Richard Levitte - VMS Whacker wrote:
> In http://www.openssl.org/docs/apps/ca.html, read up on the configuration setting copy_extensions. Note: that feature is very new, as far as I remember only available in 0.9.7-dev.
RE: using X.509 certificates in Ckermit 8.0
Thanks for the heads up..

Terrelle

-----Original Message-----
From: Jeffrey Altman
Sent: Thursday, April 11, 2002 11:47 AM
Subject: Re: using X.509 certificates in Ckermit 8.0

> Read http://www.kermit-project.org/security.html
> [...]
RE: Trust
Steve,

Actually, you will be further ahead using your self-signed certificate and private key to sign additional certificates that you create using OpenSSL for your servers. Then, simply import that self-signed CA certificate that corresponds to the private key you used to sign the server certificate with into your and your clients' browsers. For Internet Explorer do:

  Tools / Internet Options / Content / Certificates / Trusted Root Certification Authorities

and then click on the Import button to import your public CA cert. Your browser will now trust all sites (servers) containing certificates signed by your self-signed CA cert.

HTH,
Rob

-----Original Message-----
From: Steve
Sent: Thursday, April 11, 2002 3:59 PM
Subject: Trust

> Hi All
> I've created a server certificate and configured Apache with mod_ssl and everything seems to work well. However, as it's a self-signed certificate, the browser insists on popping up a warning to the user each time they visit the site [...]
> What do users (or I) need to do to make sure that they don't get the warning pop-up each visit to the site (assuming, of course, that they want to trust my certificate)?
Re: Trust
Hi,

I've just run into the exact same problem. There's a quick solution to this that I had to run before the import.

  # openssl x509 -in cacert.pem -out cacert.crt

You can see this solution on http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/x120.html

Regards
- Steve Harris

Neff Robert A wrote:
> Steve,
> Actually, you will be further ahead using your self-signed certificate and private key to sign additional certificates that you create using OpenSSL for your servers. [...]
> For Internet Explorer do: Tools / Internet Options / Content / Certificates / Trusted Root Certification Authorities and then click on the Import button to import your public CA cert. [...]
Re: Adding Application Attributes to X509 Certificates?
In message [...] on Thu, 11 Apr 2002 15:26:49 +0500, Brian Skrab said:

brian.skrab> Thank you for your quick reply. The addition of the
brian.skrab> attributes to the certificate does not need to take
brian.skrab> place in the signing request.

Do you mean that the attributes do not necessarily need to be part of the CSR? I agree, I just thought that was what you were after.

brian.skrab> Is there a way (using OpenSSL 0.9.6c) for the CA to add
brian.skrab> extensions to the certificate at the time that it is
brian.skrab> signed?

Absolutely. If you look in the default openssl.cnf, you'll see that the CA_default section has a key called x509_extensions which names the section where the extensions are stored. If you go to that section, usr_cert, you'll see the extensions that are added to the new certificates. That default section is of course ignored if you've given a different section name with -extensions.

brian.skrab> I have added custom OIDs to the configuration file, and
brian.skrab> have created a section called [ extensions ] in which I
brian.skrab> list the new objects, but when I call:
brian.skrab>
brian.skrab>   openssl ca -keyfile cakey.pem -in csr.pem \
brian.skrab>       -extensions extensions -out crt.pem
brian.skrab>
brian.skrab> I receive an error that reads:
brian.skrab>
brian.skrab>   Error Loading extension section extensions
brian.skrab>   903:error:2207C081:X509 V3 routines:DO_EXT_CONF:unknown
brian.skrab>   extension:v3_conf.c:125:
brian.skrab>   903:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
brian.skrab>   extension:v3_conf.c:91:name=MyAttribute, value=MyValue

So, you either haven't added an OID named MyAttribute, or you have misspelled something. Care to show us your configuration file?
--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
RE: Adding Application Attributes to X509 Certificates?
If I understand you correctly, subjectAltName would serve you fine. There are enough fields there to add stuff. For example, you can just use email:[EMAIL PROTECTED] It will not be a real e-mail address, but it will have the information you need. You need to have this in openssl.cnf to do the CSR, but automating that is not hard enough.

--Javed

-----Original Message-----
From: Brian Skrab [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 11, 2002 10:10 AM
To: [EMAIL PROTECTED]
Subject: Adding Application Attributes to X509 Certificates?

Hello,

I have searched the mailing list archives and cannot seem to find a specific answer to a very high-level question. Is there a method for adding (and retrieving) application-specific attributes to an SSL certificate using OpenSSL? Specifically, I would like to add a collection of attributes to certificates that I will be issuing in order to tie a set of application permissions to each certificate.

I have managed to add attributes to CSRs by creating new OIDs in the openssl config file and filling them in during CSR creation. Calling:

openssl req -noout -text -in csr.pem

displays the custom attributes in the Attributes: section of the text display. However I'm not certain that this is the appropriate way to achieve this function. Additionally, I am unsure of how to retrieve these attributes after the requests have been signed and turned into certificates. Displaying the certificate using:

openssl x509 -noout -text -in crt.pem

does not display the attributes as they were shown in the CSR.

Any hints, pointers, or (dare I dream to be so lucky) sample code will be much appreciated.

Thank you,
~brian skrab
[EMAIL PROTECTED]
Re: Adding Application Attributes to X509 Certificates?
Richard Levitte - VMS Whacker wrote:

> Do you mean that the attributes do not necessarely need to be part of the CSR? I agree, I just thought that was what you were after.

You are correct. The attributes do not have to be part of the CSR. I should have been more clear about that fact. I mentioned the CSR because I was able to get the attributes to appear in the CSR (as request attributes), but not the signed certificate as attributes or extensions.

> Absolutely. If you look in the default openssl.cnf, you'll see that the CA_default section has a key called x509_extensions which names the section where the extensions are stored. If you go to that section usr_cert, you'll see the extensions that are added to the new certificates. That default section is of course ignored if you've given a different section name with -extensions.

I have moved my additions into the default usr_cert section of the config file. Executing the following command delivers the same error as mentioned in my last message:

openssl ca -keyfile cakey.pem -in csr.pem -out crt.pem

> So, you either haven't added an OID named MyAttribute, or you have misspelled something. Care to show us your configuration file?

Absolutely. Below is the text of my openssl.cnf.

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids

# To use this configuration file with the -extfile option of the
# openssl x509 utility, name here the section containing the
# X.509v3 extensions to use:
extensions      = usr_cert
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

MyAttribute=2.44.88

[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]

dir             = /usr/local/apache/conf/ssl.csr   # Where everything is kept
certs           = $dir                  # Where the issued certs are kept
new_certs_dir   = $dir/ca.db.certs
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/ca.db.index
serial          = $dir/ca.db.serial
RANDFILE        = $dir/ca.db.rand
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
x509_extensions = usr_cert              # The extentions to add to the cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_anything

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca  # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK: a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask =
Re: Adding Application Attributes to X509 Certificates?
In message [EMAIL PROTECTED] on Thu, 11 Apr 2002 16:43:52 +0500, Brian Skrab [EMAIL PROTECTED] said:

brian.skrab [ new_oids ]
brian.skrab
brian.skrab # We can add new OIDs in here for use by 'ca' and 'req'.
brian.skrab # Add a simple OID like this:
brian.skrab # testoid1=1.2.3.4
brian.skrab # Or use config file substitution like this:
brian.skrab # testoid2=${testoid1}.5.6
brian.skrab MyAttribute=2.44.88

Ah, that's an invalid OID. The first number must be 0 to 2, and the second number must be 1 to 40. There are hysteri^H^H^H^H^H^H^Hhistorical reasons for this...

Anyhow, you have uncovered a bug. It seems like OBJ_create() doesn't check the return value from a2d_ASN1_OBJECT and thereby fools you into thinking that everything is OK. I'll correct that.

--
Richard Levitte
Member of the OpenSSL development team: http://www.openssl.org/
Re: Adding Application Attributes to X509 Certificates?
Richard Levitte - VMS Whacker wrote:

> brian.skrab MyAttribute=2.44.88
>
> Ah, that's an invalid OID. The first number must be 0 to 2, and the second number must be 1 to 40. There are hysteri^H^H^H^H^H^H^Hhistorical reasons for this...

That's an interesting fact that I don't think I would have ever figured out. I have changed the attribute definition line to:

MyAttribute=1.2.3.4

But I still receive the same error when I attempt to sign a request. Any other thoughts as to why this isn't working?

Thanks again for all of your assistance.

~brian skrab
[EMAIL PROTECTED]
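An added example, not code from this thread, that ties the two points discussed above together: the OID arc rules that decide whether a line like MyAttribute=2.44.88 is well-formed, and the form an extension value must take when OpenSSL has no built-in handler for the OID. The arc limits in the code follow ITU-T X.660 (first arc 0..2; second arc limited to 0..39 only beneath arcs 0 and 1); the name=DER:hex form is the arbitrary-extension syntax documented in x509v3_config(5) of current OpenSSL, and it is an assumption here, not something the thread establishes, that 0.9.6c accepted it.

```python
# Constructed example, not code from the thread. Arc limits follow ITU-T X.660
# (first arc 0..2; second arc 0..39 under arcs 0 and 1). The name=DER:hex form
# is the arbitrary-extension syntax of x509v3_config(5) in current OpenSSL.


def _base128(n: int) -> bytes:
    """Big-endian base-128 digits with continuation bits (X.690 8.19)."""
    out = bytearray([n & 0x7F])
    n >>= 7
    while n:
        out.insert(0, 0x80 | (n & 0x7F))
        n >>= 7
    return bytes(out)


def encode_oid(dotted: str) -> bytes:
    """DER content octets of a dotted OID; raises ValueError on bad arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or min(arcs) < 0:
        raise ValueError("an OID needs at least two non-negative arcs")
    if arcs[0] > 2:
        raise ValueError("first arc must be 0, 1 or 2")
    if arcs[0] < 2 and arcs[1] > 39:
        raise ValueError("second arc must be 0..39 under arcs 0 and 1")
    # The first two arcs share one subidentifier: 40 * first + second.
    return b"".join(_base128(s) for s in [40 * arcs[0] + arcs[1]] + arcs[2:])


def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid, for reading an extension OID back out."""
    subids, cur = [], 0
    for b in content:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(cur)
            cur = 0
    if cur or not subids:
        raise ValueError("truncated or empty OID encoding")
    # A first subidentifier of 80 or more can only come from arc 2.
    x, y = (2, subids[0] - 80) if subids[0] >= 80 else divmod(subids[0], 40)
    return ".".join(str(a) for a in [x, y] + subids[1:])


def extension_line(name: str, value: str) -> str:
    """openssl.cnf line carrying a UTF8String value as an arbitrary extension."""
    data = value.encode("utf-8")
    if len(data) > 127:
        raise ValueError("long-form DER lengths are outside this example")
    der = bytes([0x0C, len(data)]) + data  # UTF8String tag, short-form length
    return f"{name}=DER:" + ":".join(f"{b:02x}" for b in der)
```

Under these rules 2.44.88 encodes without complaint (arc 2 has no second-arc limit), while 1.40 and 3.1 are rejected; the line extension_line("MyAttribute", "MyValue") produces is what goes in the x509_extensions section in place of a bare MyAttribute=MyValue.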
Re: Serial Number
Hi Richard,

Yes, you are right, it could be difficult to guarantee that the random serial number will be unique. Also a digest from timestamp will be more appropriate. So suppose I can do something like that with e.g. (Linux)

TIMESTAMP=`date`
SN=`md5sum ${TIMESTAMP}`

My question for you is how to write this SN's value when I sign the CSR?

Regards
#- Averroes
New Solaris 8 /dev/random and OpenSSL
Sun recently released a new patch that adds /dev/random support to Solaris (Patch-ID# 112438-01). When I did a fresh compile and install of OpenSSL 0.9.6c and then OpenSSH 3.1p1, OpenSSH does not use /dev/random even though I put in the --with-random=/dev/random. It looks as if it is using information/methods from OpenSSL to tell it what to use. I have looked at trying to compile OpenSSL with the new /dev/random, but I cannot tell what flag to use or what I need to modify to force it to use the new /dev/random (just modify the Makefile.ssl with DEVRANDOM=/dev/random?). Has anyone successfully used the new /dev/random with OpenSSL and OpenSSH? If so, what recipe did you use?

---Paul