accept of SSLeay hangs up.

2002-04-30 Thread Atsushi Ikeda


Hi,

  If anybody knows this problem, please give me some advice.
  I made a simple web server with SSLeay in Perl, but sometimes it
hangs up. It hangs up in accept(). accept() calls the read() system call,
and the read() system call is always waiting for incoming data when it
hangs up. I read the manual of SSLeay and found Net::SSLeay::slowly.
I set it to 1.
  It looks slower, but the hang hasn't happened so far. Did I
choose the right solution?

Thank you,
  Atsushi

###
Atsushi Ikeda 
Elegant Solutions Consulting Inc. 
TEL:604-709-0712  FAX:604-709-0733  Email: [EMAIL PROTECTED]





__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
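The hang Atsushi describes is the handshake read inside accept() waiting on a peer that connected and then never sent anything. The script below is an added example (not the poster's Perl code and not Net::SSLeay); it shows the defensive pattern in plain Python sockets so it runs without a certificate: put a deadline on every accepted connection before the first read, then classify what arrived. The TLS record bytes, the client behaviours and the helper names are constructed for the example.

```python
import socket
import threading

TLS_HANDSHAKE_RECORD = 0x16   # record type that carries a ClientHello


def classify_first_record(conn, deadline):
    """Read the 5-byte TLS record header from a freshly accepted connection,
    giving up after `deadline` seconds instead of blocking in read() forever.

    Returns 'timeout', 'closed', 'tls-handshake' or 'not-tls'. The 'timeout'
    branch is the case that stalls an unbounded accept: a peer that connects
    and never sends its ClientHello.
    """
    conn.settimeout(deadline)
    header = b""
    try:
        while len(header) < 5:
            chunk = conn.recv(5 - len(header))
            if not chunk:
                return "closed"
            header += chunk
    except socket.timeout:
        return "timeout"
    finally:
        conn.close()
    if header[0] == TLS_HANDSHAKE_RECORD and header[1] == 0x03:
        return "tls-handshake"
    return "not-tls"


def serve_one(client, deadline=0.5):
    """Listen on an ephemeral loopback port, run `client(host, port)` in a
    thread, accept exactly one connection and classify its first bytes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)                  # never block forever in accept() either
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    host, port = listener.getsockname()
    worker = threading.Thread(target=client, args=(host, port), daemon=True)
    worker.start()
    try:
        conn, _ = listener.accept()
        return classify_first_record(conn, deadline)
    finally:
        listener.close()
        worker.join(timeout=5)


def _wait_for_close(sock):
    try:
        sock.recv(1)          # returns b"" (or raises) once the server hangs up
    except OSError:
        pass


def silent_client(host, port):
    """Connects and says nothing: the peer behaviour that wedges a blocking read."""
    with socket.create_connection((host, port)) as s:
        _wait_for_close(s)


def plaintext_client(host, port):
    """Talks HTTP to a TLS port by mistake."""
    with socket.create_connection((host, port)) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        _wait_for_close(s)


# Constructed bytes: a TLS record header (handshake, version 3.1, 42-byte body)
# followed by filler; enough to look like the start of a ClientHello.
FAKE_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2A]) + b"\x01" + b"\x00" * 41


def tls_client(host, port):
    with socket.create_connection((host, port)) as s:
        s.sendall(FAKE_CLIENT_HELLO)
        _wait_for_close(s)


if __name__ == "__main__":
    for name, client in (("silent", silent_client), ("plaintext", plaintext_client), ("tls", tls_client)):
        print(name, "->", serve_one(client))
```

The same idea applies to a real TLS accept: the socket handed to the SSL layer should already carry a timeout (or the handshake should be driven non-blocking), so that one idle peer cannot park the server in read().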



Re: S/MIME signature BASE-64 encoding assumption

2002-04-30 Thread Dr. Stephen Henson

On Mon, Apr 29, 2002, Paul V Ford-Hutchinson wrote:

> Hi, I can't see this question anywhere - sorry if it's a known issue 
> but..
> 
> I have an S/MIME message which is not coming over SMTP and so is not 
> BASE-64 encoded. 
> It arrives as a DER encoded p7 file and "$ openssl pkcs7 ..." happily puts 
> it into PEM format.
> The PEM file is then decrypted with "$openssl smime -decrypt ..." it looks 
> a bit like 
> 
> Content-Type: multipart/signed; protocol="application/pkcs7-signature"; 
> micalg=sha1; boundary="MP10200863192650"
> --MP10200863192650
> Content-Type: application/EDI-X12
> Content-Transfer-Encoding: binary
> Content-Disposition: inline; filename="BROWN_TO_BIGGLES_10.edi"
> 
> DATA
> --MP10200863192650
> Content-Type: application/pkcs7-signature
> Content-Disposition: inline; filename="smime.p7s"
> 
> BINARY data
> --MP10200863192650--
> 
> Which "$openssl smime -verify  " complains about with a Base-64 
> decoding error
> 
> If I hack out the BINARY data (the signature), BASE-64 encode it and 
> replace it - Then it works OK.
> 
> Is the sending application at fault, or should openssl not be assuming b64 
> ?
> 
OpenSSL is at fault. Its MIME routines are rather primitive. Please send me
an example mail in that format and I may be able to fix the MIME stuff for
future versions of OpenSSL.

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
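Steve's reply says OpenSSL's MIME code assumed a base64 signature part, which is why Paul's message with a `binary` transfer encoding failed. The code below is an added example, not OpenSSL code and not Paul's: a minimal multipart/signed splitter that keeps the signed body part byte-for-byte (those bytes are what the signature covers) and decodes the signature part according to its own Content-Transfer-Encoding, plus Paul's workaround done mechanically (re-encoding only the signature part as base64). The message layout copies the one quoted above; the EDI payload and the "signature" bytes are constructed stand-ins, and all function names are the example's own.

```python
import base64
import re

HEADER_END = re.compile(rb"\r?\n\r?\n")      # blank line that ends a header block


def _split_entity(entity):
    """Return (headers, body) for one MIME entity; names lower-cased, folded
    continuation lines unfolded, values decoded as Latin-1."""
    m = HEADER_END.search(entity)
    if m is None:
        raise ValueError("entity has no blank line between headers and body")
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", entity[:m.start()])
    headers = {}
    for line in re.split(rb"\r?\n", unfolded):
        name, _, value = line.partition(b":")
        if name:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, entity[m.end():]


def _param(header_value, name):
    """Fetch one parameter (quoted or bare) from a header such as Content-Type."""
    m = re.search(r';\s*' + re.escape(name) + r'\s*=\s*(?:"([^"]*)"|([^;\s]+))',
                  header_value, re.IGNORECASE)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def _parts(raw):
    """Return (top-level header bytes, delimiter, [signed part, signature part])."""
    headers, body = _split_entity(raw)
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("multipart/signed"):
        raise ValueError("not a multipart/signed entity: %r" % ctype)
    boundary = _param(ctype, "boundary")
    if boundary is None:
        raise ValueError("multipart/signed without a boundary parameter")
    delim = b"--" + boundary.encode("latin-1")
    # RFC 2046: the line break before a delimiter belongs to the delimiter, so
    # each part keeps exactly its own bytes (the signature is computed over them).
    pieces = re.split(rb"(?:^|\r?\n)" + re.escape(delim) + rb"(?:--)?[ \t]*(?:\r?\n|$)", body)
    parts = pieces[1:-1]                     # drop preamble and epilogue
    if len(parts) != 2:
        raise ValueError("multipart/signed needs exactly two parts, found %d" % len(parts))
    return raw[:len(raw) - len(body)], delim, parts


def split_multipart_signed(raw):
    """Return (signed_bytes, signature_bytes, cte): the first part verbatim with
    its headers, and the PKCS#7 blob decoded by ITS OWN transfer encoding."""
    _, _, (signed, sig_part) = _parts(raw)
    sig_headers, sig_body = _split_entity(sig_part)
    cte = sig_headers.get("content-transfer-encoding", "7bit").lower()
    if cte == "base64":
        signature = base64.b64decode(sig_body)   # line breaks are skipped by default
    elif cte in ("binary", "8bit", "7bit"):
        signature = sig_body                     # raw DER on the wire, the thread's case
    else:
        raise ValueError("unsupported Content-Transfer-Encoding %r on signature" % cte)
    return signed, signature, cte


def rewrap_signature_as_base64(raw):
    """Paul's workaround: leave the signed part untouched (re-encoding it would
    break the signature) and re-emit only the signature part as base64."""
    top, delim, (signed, sig_part) = _parts(raw)
    sig_headers, sig_body = _split_entity(sig_part)
    if sig_headers.get("content-transfer-encoding", "7bit").lower() == "base64":
        return raw
    eol = b"\r\n" if b"\r\n" in top else b"\n"
    lines = [b"Content-Type: " + sig_headers.get("content-type", "application/pkcs7-signature").encode("latin-1"),
             b"Content-Transfer-Encoding: base64"]
    if "content-disposition" in sig_headers:
        lines.append(b"Content-Disposition: " + sig_headers["content-disposition"].encode("latin-1"))
    b64 = base64.encodebytes(sig_body).replace(b"\n", eol)   # 76-column lines
    return (top + delim + eol + signed + eol + delim + eol
            + eol.join(lines) + eol + eol + b64 + delim + b"--" + eol)


# Constructed sample shaped like the quoted message; the "signature" is a
# stand-in byte pattern, not a real PKCS#7 blob.
SIGNATURE_DER = bytes(range(256))


def sample_message(cte="binary"):
    b = b"MP10200863192650"
    sig_body = base64.encodebytes(SIGNATURE_DER) if cte == "base64" else SIGNATURE_DER
    lines = [
        b'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="' + b + b'"',
        b"", b"--" + b,
        b"Content-Type: application/EDI-X12",
        b"Content-Transfer-Encoding: binary",
        b'Content-Disposition: inline; filename="BROWN_TO_BIGGLES_10.edi"',
        b"", b"ISA*00*constructed EDI payload*",
        b"--" + b,
        b"Content-Type: application/pkcs7-signature",
        b"Content-Transfer-Encoding: " + cte.encode("ascii"),
        b'Content-Disposition: inline; filename="smime.p7s"',
        b"", sig_body,
        b"--" + b + b"--", b"",
    ]
    return b"\n".join(lines)
```

Verifying still needs PKCS#7 parsing and a trust check on top of this split; the point here is only that the body part must reach the verifier unchanged while the signature part is decoded by the encoding it declares.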



Re: pkcs12 problem?

2002-04-30 Thread Dr. Stephen Henson

On Tue, Apr 30, 2002, Stephen Degler wrote:

> Hi,
> 
> I've created a root cert with CA.pl and I'm trying to create a pkcs12
> file with just the public portion, for inclusion in browsers.  I try
> the following:
> 
Read the FAQ.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/



RE: OpenSSL on BeOS^H^H^H^Hnon-Windows & non-Linux OSes

2002-04-30 Thread GOLDING,CHARLTON (Non-HP-Corvallis,ex1)

Hi,
yeah true, having been burned by Be when working on their OS I wish the OS
would go away, but not really.  I'm glad to hear it might have been
purchased by 3Com (is that true?)

If the OS doesn't have good TCP/IP stack support such as a lack of
getsockopt() it sounds like the OS needs fixing.  I think from what I
remember of the little I ever knew of this, to call getsockopt() from some
stacks you have to be root (a scary concept to me), so perhaps if that's the
case in BeOS your app isn't running as root or doesn't have security
privilege?  If you feel up to it you might write (ugly proposal, sorry) your
own glue to fix the hole in the BeOS networking stack.  I never dealt with
this side of BeOS so can't comment on how hard that might be; my interest
was mostly in video drivers.  This was back when Be had its own box, and the
code ports related to PowerPC.  (Yeah, some time ago, sorry.)

Best of luck.

Chet


-Original Message-
From: Zero One [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 4:59 PM
To: [EMAIL PROTECTED]
Subject: Re: OpenSSL on BeOS^H^H^H^Hnon-Windows & non-Linux OSes

Ok, let me amend and repeat this request since there wasn't even so much as a
"No! BeOS is stupid! Go away!" response to my original message. (Yes,
sometimes a flame is better than utter silence ;) ) 

The biggest problem that I seem to be running into in getting OpenSSL to
compile and generate shared libraries is that the net_server version of BeOS
does not apparently have getsockopt() in its networking libraries. At least
not in the standard ones that I have. 

So, my question is now how would one get around this lack of functionality on
any operating system? The reason this is important is because one of the
required files (crypto/bio/b_sock.c) in OpenSSL uses this function, precisely
once (line 224). I've tried working around it by supplying the value of errno
if there is an error, and I've tried following a 1998 era suggestion on it,
though neither method worked. 

So, does anyone have suggestions based on lack of a particular function as
opposed to OS wonkiness?

Thanks.
--- Zero One <[EMAIL PROTECTED]> wrote:
> Has anyone out there had any luck getting OpenSSL compiled and
> running properly under BeOS R5.0.x, in particular with the
> "net_server" rather than "BONE"? If so, please drop me an email
> telling me precisely how you managed this feat, and whether you
> compiled the shared libraries or not. Thank you.

 







Re: OpenSSL on BeOS^H^H^H^Hnon-Windows & non-Linux OSes

2002-04-30 Thread Zero One


Ok, let me amend and repeat this request since there wasn't even so much as a "No! BeOS is stupid! Go away!" response to my original message. (Yes, sometimes a flame is better than utter silence ;) ) 

The biggest problem that I seem to be running into in getting OpenSSL to compile and generate shared libraries is that the net_server version of BeOS does not apparently have getsockopt() in its networking libraries. At least not in the standard ones that I have.

So, my question is now how would one get around this lack of functionality on any operating system? The reason this is important is because one of the required files (crypto/bio/b_sock.c) in OpenSSL uses this function, precisely once (line 224). I've tried working around it by supplying the value of errno if there is an error, and I've tried following a 1998 era suggestion on it, though neither method worked.

So, does anyone have suggestions based on lack of a particular function as opposed to OS wonkiness?

Thanks.
--- Zero One <[EMAIL PROTECTED]> wrote:
> Has anyone out there had any luck getting OpenSSL compiled and
> running properly under BeOS R5.0.x, in particular with the
> "net_server" rather than "BONE"?If so, please drop me an email
> telling me precisely how you managed this feat, and whether you
> compiled the shared libraries or not.Thank you.

ssl client renegotiation

2002-04-30 Thread Shyamal Kumar

Hi!
As I understand, SSL renegotiation is more of a server-side feature than
a client-side one. Is this correct? Do the popular browsers of today
implement client-initiated renegotiation?


Thanks,
Shyamal



REMOVE

2002-04-30 Thread Simon Wong

 



pkcs12 bug? or is it me

2002-04-30 Thread Stephen Degler

Hi,

I was trying to convert my self-created root public key into
pkcs12 format for inclusion in browsers.  I tried the following:

openssl pkcs12 -export -nokeys -in demoCA/cacert.pem  -out cacert.pfx

This failed, demanding the private key.  So then I tried:

openssl pkcs12 -export -nokeys -in demoCA/cacert.pem -inkey demoCA/private/cakey.pem -out cacert.pfx

This succeeds but seems to leave the private key in the output file.
Further experimenting with adding -cacerts did not seem to help.

Am I just trying to do the wrong thing here or is this a bug?

I am using openssl 0.9.6b.

Thanks,
skd



pkcs12 problem?

2002-04-30 Thread Stephen Degler

Hi,

I've created a root cert with CA.pl and I'm trying to create a pkcs12
file with just the public portion, for inclusion in browsers.  I try
the following:

openssl pkcs12 -export -nokeys -in demoCA/cacert.pem -out foo.pfx

and I get:

31627:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: ANY PRIVATE KEY

Ok, I don't mind supplying the private key as long as it doesn't appear in
the output:

openssl pkcs12 -export -nokeys -in demoCA/cacert.pem -inkey demoCA/private/cakey.pem -out foo.pkfx

But it seems like it ignores "-nokeys" in this instance.  Unfortunately I think
the private key is present in the resulting files.   Adding -cacerts doesn't
seem to help either.

Is this a bug in pkcs12 or am I just going about things the wrong way?

skd




Re: PKCS 12 examples

2002-04-30 Thread cch

You can create one for yourself, if you have a private key file, pvk.pem,
and a corresponding cert file cert.pem. Optionally you can have your CA chain
in ca.pem. Then try the following command:

openssl pkcs12 -export -in cert.pem -inkey pvk.pem -certfile ca.pem -name "John Doe - TestCA" -out output.p12

Then output.p12 will contain the pkcs12 file.
Best Regards,

Loren
- Original Message -
From: "Mads Rasmussen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 30, 2002 5:01 AM
Subject: PKCS 12 examples


> Hi there,
>
> Could some kind soul send me some PKCS # 12 examples?
>
> Thanks,
>
> Mads




help me!

2002-04-30 Thread 刘 峰

openssl-users, hello!
  I am using openssl on Windows 2000, but when I come to the function
SSL_CTX_use_PrivateKey_file(...), the program stops. If I disable
this function, SSL_get_error() returns SSL_ERROR_SSL.
  What causes this, and how can I solve it?
  Thank you very much!
  [EMAIL PROTECTED]






X509 Certificates & Outlook

2002-04-30 Thread Rigo Rigo

Hello to everyone,
I'm trying to get X509 Certificates from Outlook Address Book Contacts. Does 
anyone know how to use the PR_X509_USER_CERTIFICATE property (how can I get the 
certificate from the system store starting from the value of this 
property?)? Does anyone know in which format certificates are stored in this 
property by Outlook and/or Outlook Express?
Thanks to every one.
_Rigo




Re: Java SSL Support (didn't have a subject, so I am giving it one.)

2002-04-30 Thread Eric Rescorla

Chris Cleeland <[EMAIL PROTECTED]> writes:
> On 30 Apr 2002, Eric Rescorla wrote:
> Right.  Good point.  However, for some reason I remember that we had problems 
> with JSSE doing RSA properly, too.  But memory is fuzzy anymore.
That could be. I've heard such reports but never really verified them.

> > PureTLS (http://www.rtfm.com/puretls) is a free Java SSL/TLS
> > implementation that interoperates fine with OpenSSL.
> 
> Thanks for the link!  I checked it out.  Do you have any idea what the 
> performance is like compared to JSSE?  (I notice that you suggest using 
> GoNative accelerated implementations of crypto stuff, so comparisons should 
> specify whether PureTLS uses GoNative or not.)
I haven't benchmarked JSSE.

I imagine the performance of JSSE and PureTLS are pretty similar,
since the DSA and RSA impls. use the same bignum operations and
there's only so much you can do to optimize DES or SHA-1 in Java.
The purpose of GoNative is to improve performance over what you
can get in Java.

-Ekr

-- 
[Eric Rescorla   [EMAIL PROTECTED]]
http://www.rtfm.com/



Re: Java SSL Support (didn't have a subject, so I am giving it one.)

2002-04-30 Thread Chris Cleeland

On 30 Apr 2002, Eric Rescorla wrote:

> Chris Cleeland <[EMAIL PROTECTED]> writes:
> > On Tue, 30 Apr 2002, Ed Moyle wrote:
> > Does anybody know if the "wrong signature length" problems in JSSE have been 
> > fixed?  Otherwise, I don't think this'll work, even if you code it 
> > properly...
> > 
> > Check out the following link:
> > 
> > 
>http://groups.google.com/groups?hl=en&frame=right&th=364ff2e1a2f20db0&seekm=40373dc3.0108131639.3b69c55d%40posting.google.com#link3
>
> I dunno if this has been fixed or not (though it only applies to
> DSA).

Right.  Good point.  However, for some reason I remember that we had problems 
with JSSE doing RSA properly, too.  But memory is fuzzy anymore.

> PureTLS (http://www.rtfm.com/puretls) is a free Java SSL/TLS
> implementation that interoperates fine with OpenSSL.

Thanks for the link!  I checked it out.  Do you have any idea what the 
performance is like compared to JSSE?  (I notice that you suggest using 
GoNative accelerated implementations of crypto stuff, so comparisons should 
specify whether PureTLS uses GoNative or not.)

Thanks!
-cj

-- 
  Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris
 Principal Software Engineer, Object Computing, Inc., +1 314 579 0066
  Support Me Supporting Cancer Survivors in Ride for the Roses 2002
>Donate at http://www.milodesigns.com/donate<




Re: Java SSL Support (didn't have a subject, so I am giving it one.)

2002-04-30 Thread Eric Rescorla

Chris Cleeland <[EMAIL PROTECTED]> writes:
> On Tue, 30 Apr 2002, Ed Moyle wrote:
> Does anybody know if the "wrong signature length" problems in JSSE have been 
> fixed?  Otherwise, I don't think this'll work, even if you code it 
> properly...
> 
> Check out the following link:
> 
> 
>http://groups.google.com/groups?hl=en&frame=right&th=364ff2e1a2f20db0&seekm=40373dc3.0108131639.3b69c55d%40posting.google.com#link3
I dunno if this has been fixed or not (though it only applies to
DSA). PureTLS (http://www.rtfm.com/puretls) is a free Java SSL/TLS
implementation that interoperates fine with OpenSSL.


-Ekr

-- 
[Eric Rescorla   [EMAIL PROTECTED]]
http://www.rtfm.com/



Re: trustway pkcs11 engine for openssl

2002-04-30 Thread afchine madjlessi



Hi Chet!
CC2000 trustway card works in appliance devices (TVPN, TSSL), and runs also
as a PCI bus card in Pentium systems.
You can use the PKCS#11 interface to access and accelerate the cryptographic
functions by the card.
The PKCS#7 format of the certificate is transparent for the interface.
Regards,
afchine
__
[EMAIL PROTECTED]
Bull Trustway R&D - Networking & Security
http://www.servers.bull.com/trustway

- Original Message -
From: GOLDING,CHARLTON (Non-HP-Corvallis,ex1)
To: '[EMAIL PROTECTED]'
Sent: Thursday, April 25, 2002 5:49 PM
Subject: RE: trustway pkcs11 engine for openssl

Afchine,

Hi, I am interested in this post.  Can you tell me a little about this
card?  Will your comments about PKCS#11 work with PKCS#7 for example?  I
helped set up a Linux system with openssl because we had a requirement to
generate certificates with PKCS#7 formatting.  We use a range of hardware,
some for similar purposes, and so I took a quick glance at the site that
relates to Trustway.  Does this card work in one of the appliance devices,
or will it run in other hardware as well?  For example would it perhaps
work as a PCI bus card in a Pentium system such as a HP 1-U NetServer?

Thanks for the time,

Chet Golding
WebOperations Engineering
Email: [EMAIL PROTECTED]


RE: Java SSL Support (didn't have a subject, so I am giving it one.)

2002-04-30 Thread Chris Cleeland

On Tue, 30 Apr 2002, Ed Moyle wrote:

> On Monday, April 29, 2002 09:15, arjan pot [mailto:[EMAIL PROTECTED]] wrote:
> 
> > In other words; is it possible to connect with a Java - client through 
> > OpenSSL to a server, written in C?
> 
> The part about this that sounds hard is the "connect through OpenSSL" part.
> My recommendation would be to use the javax.net.ssl.SSLSocket extensions
> and use the built-in SSL support in the java API.  Check out the following:
> http://java.sun.com/j2se/1.4/docs/api/javax/net/ssl/SSLSocket.html
> There are numerous implementations (e.g. JCSI for example, is free for 
> research and educational purposes: http://www.wedgetail.com/jcsi/index.html).
> 
> So, for example, you might do something like:
> 
> import javax.net.ssl.SSLSocket;
> import javax.net.ssl.SSLSocketFactory;
> 
> SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
> SSLSocket myClientSocket = (SSLSocket) factory.createSocket("127.0.0.1", 443);
> // myClientSocket is an SSLSocket.  Use it like you would any other Socket.

Does anybody know if the "wrong signature length" problems in JSSE have been 
fixed?  Otherwise, I don't think this'll work, even if you code it 
properly...

Check out the following link:

http://groups.google.com/groups?hl=en&frame=right&th=364ff2e1a2f20db0&seekm=40373dc3.0108131639.3b69c55d%40posting.google.com#link3

-cj

-- 
  Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris
 Principal Software Engineer, Object Computing, Inc., +1 314 579 0066
  Support Me Supporting Cancer Survivors in Ride for the Roses 2002
>Donate at http://www.milodesigns.com/donate<





RE: Java SSL Support (didn't have a subject, so I am giving it one.)

2002-04-30 Thread Ed Moyle

On Monday, April 29, 2002 09:15, arjan pot [mailto:[EMAIL PROTECTED]] wrote:

> In other words; is it possible to connect with a Java - client through 
> OpenSSL to a server, written in C?

The part about this that sounds hard is the "connect through OpenSSL" part.
My recommendation would be to use the javax.net.ssl.SSLSocket extensions
and use the built-in SSL support in the java API.  Check out the following:
http://java.sun.com/j2se/1.4/docs/api/javax/net/ssl/SSLSocket.html
There are numerous implementations (e.g. JCSI for example, is free for 
research and educational purposes: http://www.wedgetail.com/jcsi/index.html).

So, for example, you might do something like:

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket myClientSocket = (SSLSocket) factory.createSocket("127.0.0.1", 443);
// myClientSocket is an SSLSocket.  Use it like you would any other Socket.

-E



Re: Creating password-protected certs.

2002-04-30 Thread Vadim Fedukovich

On Tue, 30 Apr 2002, Richard Levitte - VMS Whacker wrote:

> In message <[EMAIL PROTECTED]> on Mon, 29 Apr 2002 
>12:22:32 -0700 (PDT), Tim Jones <[EMAIL PROTECTED]> said:
>
> t0psecret> I'm trying to create password-protected client certs
> t0psecret> with OpenSSL and ssl.ca-0.1.tar.gz.  Is this what
> t0psecret> "export password" refers to (when creating the key),
> t0psecret> or is there another way?  I'm not sure whether the
> t0psecret> export password is a permanent password for the cert
> t0psecret> or just a one-time password used to import the .p12
> t0psecret> file.
> t0psecret>
> t0psecret> If it's the former, it seems as though Window strips
> t0psecret> this password when I import the cert, because I'm only
> t0psecret> asked for it the one time when importing. Is there any
> t0psecret> way around this?
>
> You're mixing up certificate and private key.  The password will
> protect the private key.  The certificate is (or should be) filled
> with public information only, and therefore doesn't require any
> password protection.

PKCS12 also specifies a MAC-based integrity check that uses another
password and may be useful for the certificate. Yes, one could ignore the
integrity check while parsing pkcs12 data.

just a note,
Vadim




REMOVE

2002-04-30 Thread Sharkey, Aoife





REMOVE

2002-04-30 Thread Dave Beseke





Re: Creating password-protected certs.

2002-04-30 Thread Tim Jones


--- Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> wrote:
> In message <[EMAIL PROTECTED]> on Mon, 29 Apr 2002 12:22:32 -0700 (PDT),
> Tim Jones <[EMAIL PROTECTED]> said:
> 
> t0psecret> I'm trying to create password-protected client certs
> t0psecret> with OpenSSL and ssl.ca-0.1.tar.gz.  Is this what
> t0psecret> "export password" refers to (when creating the key),
> t0psecret> or is there another way?  I'm not sure whether the
> t0psecret> export password is a permanent password for the cert
> t0psecret> or just a one-time password used to import the .p12
> t0psecret> file.
> t0psecret> 
> t0psecret> If it's the former, it seems as though Window strips
> t0psecret> this password when I import the cert, because I'm only
> t0psecret> asked for it the one time when importing. Is there any
> t0psecret> way around this?
> 
> You're mixing up certificate and private key.  The password will
> protect the private key.  The certificate is (or should be) filled
> with public information only, and therefore doesn't require any
> password protection.

Thanks for the help... I'm pretty new at this stuff. 
So, the private key is protected with the export
password, but this is a one-time password that is only
used when importing?  From my standpoint it would
really be nice to have a permanent password on the
private key... Is this something that is common with
SSL?  If not, I'm wondering how Windows would react to
such a thing.





Re: Creating password-protected certs.

2002-04-30 Thread Richard Levitte - VMS Whacker

In message <[EMAIL PROTECTED]> on Tue, 30 Apr 
2002 11:03:15 +0200, Joern Sierwald <[EMAIL PROTECTED]> said:

joern> That reminds me of a question I once asked, but didn't get a reply:
joern> pkcs#12 files can contain encrypted certificates or unencrypted certificates.
joern> Since, like you notice, the cert doesn't require protection, why can't openssl
joern> generate pkcs#12 file with encrypted private key, but cleartext cert?

That's a very good question.  I think Steve should answer that one,
since he implemented the PKCS#12 part...

Steve?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



callback methods

2002-04-30 Thread Srikanth_Chakravarthy



Hi,

Could anybody please send me an example of how to define and use a callback for
the keys and certificates. The examples I have seen from some references do not
seem to be working.

Thanks
Sri



Re: Creating password-protected certs.

2002-04-30 Thread Joern Sierwald

At 10:52 30.04.2002 +0200, you wrote:
>In message <[EMAIL PROTECTED]> on Mon, 29 
>Apr 2002 12:22:32 -0700 (PDT), Tim Jones <[EMAIL PROTECTED]> said:
>
>t0psecret> I'm trying to create password-protected client certs
>t0psecret> with OpenSSL and ssl.ca-0.1.tar.gz.  Is this what
>t0psecret> "export password" refers to (when creating the key),
>t0psecret> or is there another way?  I'm not sure whether the
>t0psecret> export password is a permanent password for the cert
>t0psecret> or just a one-time password used to import the .p12
>t0psecret> file.
>t0psecret>
>t0psecret> If it's the former, it seems as though Window strips
>t0psecret> this password when I import the cert, because I'm only
>t0psecret> asked for it the one time when importing. Is there any
>t0psecret> way around this?
>
>You're mixing up certificate and private key.  The password will
>protect the private key.  The certificate is (or should be) filled
>with public information only, and therefore doesn't require any
>password protection.
>
>--
>Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]

That reminds me of a question I once asked, but didn't get a reply:
pkcs#12 files can contain encrypted certificates or unencrypted certificates.
Since, like you notice, the cert doesn't require protection, why can't openssl
generate pkcs#12 file with encrypted private key, but cleartext cert?

Jörn Sierwald





Re: libssl and crl-checking

2002-04-30 Thread Lutz Jaenicke

On Fri, Apr 26, 2002 at 11:10:33AM +0200, Thorsten Ziegler wrote:
> Is there a possibility to check crl's? I didn't find a hint on that
> topic in the man-pages - but i actually don't believe this function is
> missing, as it is of somewhat great importance regarding the integrity
> of the Certificates.

It will be included in the 0.9.7 release.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: PROBLEMS READ PUBLIC KEY

2002-04-30 Thread Richard Levitte - VMS Whacker

In message <002501c1efce$2dd63900$030a@yoke> on Tue, 30 Apr 2002 00:35:34 +0200, 
"Lidia" <[EMAIL PROTECTED]> said:

lidia.castillejo01> EVP_PKEY *clave_publica=NULL;
lidia.castillejo01> clave_publica = EVP_PKEY_new();
lidia.castillejo01> 
lidia.castillejo01> int  lee_clave_publica(char *fichero_publica)
lidia.castillejo01> {
lidia.castillejo01> BIO *bp_publica;
lidia.castillejo01> OpenSSL_add_all_algorithms(); 
lidia.castillejo01> SSLeay_add_all_algorithms();
lidia.castillejo01> 
lidia.castillejo01> bp_publica=BIO_new(BIO_s_file());
lidia.castillejo01>
lidia.castillejo01> if (BIO_read_filename(bp_publica,fichero_publica) <= 0)
lidia.castillejo01>  {
lidia.castillejo01> printf("ERROR");
lidia.castillejo01> BIO_free(bp_publica);
lidia.castillejo01> return 0;
lidia.castillejo01>  }
lidia.castillejo01>
lidia.castillejo01>if ((clave_publica=PEM_read_bio_PUBKEY(bp_publica,NULL,0,NULL)==NULL)
lidia.castillejo01> /*Always clave_publica==NULL !*/
lidia.castillejo01>{
lidia.castillejo01> printf("ERROR"); 

How about adding the following line here:

ERR_print_errors_fp(stdout);

lidia.castillejo01> BIO_free(bp_publica);
lidia.castillejo01> return 0;
lidia.castillejo01> }
lidia.castillejo01> 
lidia.castillejo01>BIO_free(bp_publica);
lidia.castillejo01>return 1;  
lidia.castillejo01> }

I'm sure that line will give you some information that might help you.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



Re: Creating password-protected certs.

2002-04-30 Thread Richard Levitte - VMS Whacker

In message <[EMAIL PROTECTED]> on Mon, 29 Apr 2002 
12:22:32 -0700 (PDT), Tim Jones <[EMAIL PROTECTED]> said:

t0psecret> I'm trying to create password-protected client certs
t0psecret> with OpenSSL and ssl.ca-0.1.tar.gz.  Is this what
t0psecret> "export password" refers to (when creating the key),
t0psecret> or is there another way?  I'm not sure whether the
t0psecret> export password is a permanent password for the cert
t0psecret> or just a one-time password used to import the .p12
t0psecret> file.
t0psecret> 
t0psecret> If it's the former, it seems as though Window strips
t0psecret> this password when I import the cert, because I'm only
t0psecret> asked for it the one time when importing. Is there any
t0psecret> way around this?

You're mixing up certificate and private key.  The password will
protect the private key.  The certificate is (or should be) filled
with public information only, and therefore doesn't require any
password protection.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.



PROBLEMS READ PUBLIC KEY

2002-04-30 Thread Lidia

Hi !
I need to read a public key from a PEM file (this file contains ONLY the public key).
This public key can be RSA, DSA... For this reason I try to use:

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/evp.h>
#include <openssl/pem.h>

/* Filled in by lee_clave_publica(); PEM_read_bio_PUBKEY() allocates the
   EVP_PKEY itself, so an EVP_PKEY_new() here would only be leaked. */
EVP_PKEY *clave_publica = NULL;

int lee_clave_publica(char *fichero_publica)
{
    BIO *bp_publica;
    OpenSSL_add_all_algorithms();   /* SSLeay_add_all_algorithms() is the same call */

    bp_publica = BIO_new(BIO_s_file());

    if (BIO_read_filename(bp_publica, fichero_publica) <= 0)
    {
        printf("ERROR");
        BIO_free(bp_publica);
        return 0;
    }

    /* The assignment needs its own parentheses: "x = f() == NULL" compares
       first and stores the 0/1 result in the pointer, so after a successful
       read x holds 0, i.e. NULL, and the key object is lost. */
    if ((clave_publica = PEM_read_bio_PUBKEY(bp_publica, NULL, 0, NULL)) == NULL)
    {
        printf("ERROR");
        BIO_free(bp_publica);
        return 0;
    }

    BIO_free(bp_publica);
    return 1;
}

Finally in the main function when I finish my work, I write:
EVP_PKEY_free(clave_publica);

But PEM_read_bio_PUBKEY always returns NULL.
Can anybody help me?
Thanks,
lidia

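Lidia's question, and Richard's suggestion in his reply to print the error stack, both come down to PEM_read_bio_PUBKEY handing back NULL without saying why. The code below is an added example, not OpenSSL code and not the poster's: a small pure-Python reader for the same input, a "PUBLIC KEY" PEM block wrapping a SubjectPublicKeyInfo (RSA, DSA or EC alike), which reports the reason for each failure (no start line, wrong PEM label, bad base64, malformed DER) the way ERR_print_errors_fp would. The sample key is constructed and not a real key; the OID table, helper names and error strings are the example's own.

```python
import base64
import re

# OIDs a SubjectPublicKeyInfo may carry in its AlgorithmIdentifier (the same
# structure PEM_read_bio_PUBKEY parses, whatever the key type).
ALGORITHM_OIDS = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10040.4.1": "dsa",
    "1.2.840.10045.2.1": "ecPublicKey",
}


class PemError(ValueError):
    """Carries the reason for a failure instead of a bare NULL."""


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise PemError("truncated DER at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise PemError("bad DER length at offset %d" % pos)
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise PemError("DER value runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def read_pem_public_key(text):
    """Parse a 'PUBLIC KEY' PEM block (SubjectPublicKeyInfo) and return
    (algorithm, subjectPublicKey bytes); raise PemError with a reason otherwise."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", text, re.S)
    if m is None:
        raise PemError("no start line: no -----BEGIN ...----- block in input")
    label, body = m.group(1), m.group(2)
    if label != "PUBLIC KEY":
        raise PemError("unexpected PEM label %r: this reader wants 'PUBLIC KEY'" % label)
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError as exc:                     # binascii.Error is a ValueError
        raise PemError("bad base64 decode: %s" % exc)
    tag, spki, _ = _tlv(der, 0)
    if tag != 0x30:
        raise PemError("SubjectPublicKeyInfo is not a SEQUENCE")
    tag, algid, pos = _tlv(spki, 0)
    if tag != 0x30:
        raise PemError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, _ = _tlv(algid, 0)
    if tag != 0x06:
        raise PemError("AlgorithmIdentifier does not start with an OID")
    tag, bits, _ = _tlv(spki, pos)
    if tag != 0x03 or not bits or bits[0] != 0:
        raise PemError("subjectPublicKey is not a BIT STRING with zero unused bits")
    dotted = _decode_oid(oid)
    return ALGORITHM_OIDS.get(dotted, dotted), bits[1:]


# --- constructed sample input (not a real key) -------------------------------
def _der(tag, value):
    return bytes([tag, len(value)]) + value       # short-form length suffices here


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(reversed(chunk))
    return out


SAMPLE_KEY_BYTES = b"\x01\x02\x03"                # placeholder, not an RSAPublicKey
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, _encode_oid("1.2.840.113549.1.1.1")) + _der(0x05, b""))
              + _der(0x03, b"\x00" + SAMPLE_KEY_BYTES))


def sample_pem(label="PUBLIC KEY"):
    """PEM text around the constructed SPKI; a wrong label reproduces a common mistake."""
    b64 = base64.encodebytes(SAMPLE_SPKI).decode("ascii")
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, b64, label)
```

The label check is the one that most often explains a NULL from PEM_read_bio_PUBKEY: a file that begins with "-----BEGIN RSA PUBLIC KEY-----" (PKCS#1) or a certificate is not a SubjectPublicKeyInfo block, and the error stack names that mismatch while a bare return value cannot.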



Creating password-protected certs.

2002-04-30 Thread Tim Jones

Hello.

I'm trying to create password-protected client certs
with OpenSSL and ssl.ca-0.1.tar.gz.  Is this what
"export password" refers to (when creating the key),
or is there another way?  I'm not sure whether the
export password is a permanent password for the cert
or just a one-time password used to import the .p12
file.

If it's the former, it seems as though Windows strips
this password when I import the cert, because I'm only
asked for it the one time when importing. Is there any
way around this?

Thanks!
