Re: Please disregard my plea for help I figured everything out.
Thanks, I figured everything out. Have a good one! Dan!

----- Original Message -----
From: Dan Nelson
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; William F. Slater, III; Jimmie Jones; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, June 21, 2002 12:07 AM
Subject: Please help if you can??? Solving SSL.

I am running Apache with mod_ssl / open_ssl. I established myself as a Certificate Authority using CA.pl. I created and signed a certificate and a private key for the server using CA.pl and placed them in the appropriate area. I configured SSL in my Apache httpd.conf file; everything seems to work ok. The secure area of my web-site seems to function ok. To see it function go to www.wblsconsulting.com, scroll down to the eToken area and click on "go to secure area" to see the SSL function.

I created a signed certificate using CA.pl and converted it to .p12 using pkcs12. The certificate is attached. It installs fine, both in IE and on the eToken. When I attempt to use the dan_etoken_cert.p12 to connect to the secure area I get a "this page cannot be displayed" screen, and my logs generate the attached error message. I get the same error whether or not the certificate is installed on the token or left on IE.

Sincerely,
Dan Nelson
The WBLS Group
847-242-9447
www.thewblsgroup.com
[EMAIL PROTECTED]
Re: handshake failure in SSL_read occasionally
On Fri, Jun 21, 2002 at 12:36:55AM +, Ming Zeng wrote:
> I have a multithreaded application which uses OpenSSL to get contents from an HTTPS server (here an IIS server). The HTTPS server requires a client side certificate. My program uses:
>   SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
> so I do not need to handle SSL_ERROR_WANT_WRITE, SSL_ERROR_WANT_READ (even though my code covers these logics). My program calls SSL_set_connect_state(...) to tell it's an SSL client, and it uses SSL_connect(...) to connect to the HTTPS server.
> Most of the time, my program works without any problem. But every couple of hours (sometimes 2 hours, sometimes 3 or more), SSL_read gives me back an SSL_ERROR_SYSCALL error and the detail is:
>   error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure

And you don't get any more error entry than this single one?

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Error 02001002.
Hi all,

I run a mailserver that supports OpenSSL (eXtremail). I have generated a key and certificate with the following command:

  openssl req -new -newkey rsa:1024 -nodes -keyout key.pem -out cert.pem -x509 -config /usr/local/ssl/openssl.cnf

I copied the key and certificate to /etc/ssl:

  dslrtr.local:/ # ls -al /etc/ssl
  drwxr-xr-x 2 root root 1024 Jun 21 09:57 .
  drwxr-xr-x 9 root root 1024 Jun 21 09:42 ..
  -rw-rw 1 root root 1322 Jun 21 10:00 cert.pem
  -rw-rw 1 root root 891 Jun 21 10:00 key.pem

I changed the config of my mailserver so that it will look for an SSL key and certificate in /etc/ssl, but when I start the mail server I get this error:

  SSL Error: error:02001002:system library:fopen:No such file or directory

Does this error mean that it can't find the key and certificate, or does it mean something completely different maybe?

--
Best regards,
Henri mailto:[EMAIL PROTECTED]
Re: MDC2 inconsistency
Rich Salz wrote:
> Try doing
>   echo foo bar baz | od -c
> on both machines and see if you get different output.

Ok I just did and it's the same:

  ff@leo:~ echo foo bar baz | od -c
  000 f o o b a r b a z \n
  014
  [ff@partyticket ff]$ echo foo bar baz | od -c
  000 f o o b a r b a z \n
  014
Re: Error 02001002.
Hello Henri,

Friday, June 21, 2002, 10:15:57 AM, you wrote:

HvR> Hi all,
HvR> I run a mailserver that supports openSSL (eXtremail). I have generated a
HvR> key and certificate with the following command:
HvR> openssl req -new -newkey rsa:1024 -nodes -keyout key.pem -out cert.pem
HvR> -x509 -config /usr/local/ssl/openssl.cnf
HvR> I copied the key and certificate to /etc/ssl:
HvR> dslrtr.local:/ # ls -al /etc/ssl
HvR> drwxr-xr-x 2 root root 1024 Jun 21 09:57 .
HvR> drwxr-xr-x 9 root root 1024 Jun 21 09:42 ..
HvR> -rw-rw 1 root root 1322 Jun 21 10:00 cert.pem
HvR> -rw-rw 1 root root 891 Jun 21 10:00 key.pem
HvR> I changed to config of my mailserver so that it will look for an SSL-key
HvR> and certificate in /etc/ssl but when I start the mail server I get this
HvR> error:
HvR> SSL Error: error:02001002:system library:fopen:No such file or directory
HvR> Does this error mean that it can't find the key and certificate or does it
HvR> mean something completely different maybe?

Sorry guys, problem solved... turns out it was a silly typo on my part.

--
Best regards,
Henri mailto:[EMAIL PROTECTED]
Certificate creation with openssl.cfg days being ignored
I have a script that creates all my cert/key pairs for me. The thing though is, when creating a self-signed CA it does not read the number of days from the openssl.cfg. Is there a way to put in the openssl.cfg how many days the CA should expire in? This has been a huge problem at the moment and I was wondering if someone could quickly respond. I thank you very much!

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485
Re: Errors by compiling Apache with mod_ssl
On Fri, Jun 21, 2002 at 03:02:46PM +0200, ?ernoevi? Michal wrote:
> I can't compile Apache 1.3.24 with openssl-beta2, mod_ssl and mod_perl, but there is no error with the 0.96d version. Can anybody see some problems?

Update to mod_ssl-2.8.9, which is adapted for OpenSSL 0.9.7 use. You will need it anyway due to the recommended upgrade to Apache 1.3.26.
http://www.openssl.org/support/faq.html#PROG11

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Re: handshake failure in SSL_read occasionally
On Fri, Jun 21, 2002 at 10:18:51AM -0400, Zeng, Ming wrote:
> Maybe I am too stupid to figure out how to reply to your question from your message directly, so I choose to do it my way.
> Yes. error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure is the only error my program keeps logging every couple of hours. I have all the error handling code in place, and this error only happens in the SSL_read.

I did have a look into the ssl/* code. SSL_HANDSHAKE_FAILURE in ssl3_read_bytes is only flagged if the s->handshake function returns 0. This means that a handshake took place. If the connection was already open, this means that a renegotiation took place (or at least was attempted). If I didn't misunderstand ssl3_connect (which is the handshake function for SSLv3), a return value of 0 should only appear if 0 bytes were read from the server: the server simply closed the connection. (From the source it also seems to be consistent that there is no error logged, as I did not see any entry added to the error queue in this case when looking over the code.)

I don't have an idea however, on what you could do against the problem...

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
RSA_sign
Hi all,

thanks for your help on DH stuff :-) Now I have a pb with RSA_sign(). I have a buffer and I want to sign it with my private key. So I generate a key:

  openssl genrsa -out key.pem 1024

then I have the following code:

  rsa = RSA_new();
  get_my_priv_RSA(rsa);
  sigbuf = malloc(RSA_size(rsa));
  length_buffer = 99;
  if (RSA_sign(NID_md5, buf, length_buffer, sigbuf, siglen, rsa) != 1) {
      printf("Error while signing buffer..\n");
      error = ERR_get_error();
      if (error != 0) {
          ERR_error_string(error, error_buf);
          printf("%s\n", error_buf);
      }
  }

I have no pb with get_my_priv_RSA(), but what is strange is that if length_buffer = 100 then I have the following error:

  error:0406C06E:rsa routines:RSA_padding_add_PKCS1_type_1:data too large for key size

If length_buffer is the real length of my buffer then I have the following error:

  error:04075070:rsa routines:RSA_sign:digest too big for rsa key

So I don't understand what is going on with the value 100... and more, I don't know how to sign my real buffer (length ~= 500 octets). If anyone has an idea... don't hesitate :-)

Have a good week-end,
[EMAIL PROTECTED]
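The two error messages above come from the same misunderstanding: the second argument of RSA_sign() is a message digest, not the message. RSA_sign wraps that digest in a DER DigestInfo (18 bytes of prefix for NID_md5), then applies PKCS#1 v1.5 type-1 padding, which needs 11 bytes of its own. With a 1024-bit key (128 bytes) that leaves 128 - 11 - 18 = 99 bytes, which is exactly why 99 "works" and 100 fails in RSA_padding_add_PKCS1_type_1, while the real ~500-byte buffer trips RSA_sign's own size check first. The fix is to hash the buffer and sign the fixed-size digest. The following added example (written for this page, not code from the post or from OpenSSL) models that input handling in pure Python so the arithmetic can be run: a toy key generator, the PKCS#1 v1.5 encoding with both DigestInfo prefixes, sign/verify, and a demo that repeats the post's three cases. The 512-byte sample buffer is constructed; SHA-256 is used for the hash-then-sign path in place of the post's MD5. The toy collapses the "digest too big" case into the same padding error, since it has no separate pre-check.

```python
"""Pure-Python model of the input handling inside RSA_sign() (added example)."""
import hashlib
import hmac
import math
import random

# DER DigestInfo prefixes from PKCS#1 v1.5; RSA_sign prepends these to the digest it is given.
DIGEST_INFO_PREFIX = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),      # 18 bytes
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),  # 19 bytes
}
SMALL_PRIMES = [p for p in range(3, 200, 2) if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

def max_raw_input(hash_name, key_bytes):
    """Largest byte string RSA_sign accepts as a 'digest': k minus 11 padding bytes minus the prefix."""
    return key_bytes - 11 - len(DIGEST_INFO_PREFIX[hash_name])

def emsa_pkcs1_v15(hash_name, digest, key_bytes):
    """EMSA-PKCS1-v1_5 (type-1) block: 00 01 FF..FF 00 || DigestInfo, with at least 8 FF bytes."""
    t = DIGEST_INFO_PREFIX[hash_name] + digest
    if len(t) > key_bytes - 11:
        raise ValueError("data too large for key size")  # the condition RSA_padding_add_PKCS1_type_1 reports
    return b"\x00\x01" + b"\xff" * (key_bytes - len(t) - 3) + b"\x00" + t

def is_probable_prime(n, rng, rounds=16):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 4:
        return n in (2, 3)
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits=1024, rng=None):
    """Toy RSA key generation, constructed for this example only; returns (n, e, d)."""
    rng = rng or random.SystemRandom()
    e = 65537

    def prime(nbits):
        while True:
            cand = rng.getrandbits(nbits) | (1 << (nbits - 1)) | 1  # full length and odd
            if is_probable_prime(cand, rng):
                return cand

    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)

def rsa_sign(hash_name, digest, key):
    """Like RSA_sign(type, m, m_len, ...): m must be a digest; pad it, then apply the private exponent."""
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15(hash_name, digest, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def rsa_verify(hash_name, digest, sig, key):
    """Recover the padded block with the public exponent and compare it in constant time."""
    n, e, _ = key
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(hash_name, digest, k))

def sign_message(msg, key):
    """The fix for the post: hash the whole buffer first, then sign the fixed-size digest."""
    return rsa_sign("sha256", hashlib.sha256(msg).digest(), key)

def verify_message(msg, sig, key):
    return rsa_verify("sha256", hashlib.sha256(msg).digest(), sig, key)

def demo(bits=1024, rng=None):
    """Repeats the post's three raw-input cases, then hash-then-sign; returns the outcomes."""
    key = gen_key(bits, rng)
    buf = bytes(range(256)) * 2  # constructed 512-byte buffer standing in for the poster's ~500 octets
    raw = {}
    for n_bytes in (99, 100, len(buf)):
        try:
            rsa_sign("md5", buf[:n_bytes], key)  # what the post's code does: raw bytes passed as the digest
            raw[n_bytes] = "signed"
        except ValueError as exc:
            raw[n_bytes] = str(exc)
    sig = sign_message(buf, key)
    return {"max_raw_md5": max_raw_input("md5", bits // 8), "raw": raw, "siglen": len(sig),
            "verifies": verify_message(buf, sig, key),
            "tampered_verifies": verify_message(buf + b"x", sig, key)}

if __name__ == "__main__":
    for item in demo().items():
        print(*item)
```

Running it shows 99 raw bytes signing "successfully" (a 99-byte blob is accepted as if it were a digest), 100 and 512 raw bytes rejected, and the hash-then-sign signature verifying while a tampered message does not. In the C code from the post, the same change is to compute the MD5 (or better, SHA-256) of the buffer and pass that digest with its length to RSA_sign.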
ANNOUNCE: Network Security with OpenSSL (+DC area SSL talk)
O'Reilly has just published our book, Network Security with OpenSSL. First, the marketing speak:

Instead of getting bogged down in the technical details of how SSL/TLS works under the hood, this book focuses on the information that is necessary to use OpenSSL safely and effectively. The reader is taken step by step from understanding the challenges faced in communicating securely to using the OpenSSL tools to best meet those challenges. System and network administrators will benefit from the thorough treatment of the OpenSSL command-line interface, as well as from step-by-step directions for obtaining certificates and setting up their own certification authority. Developers will benefit from the in-depth discussions and examples of how to use OpenSSL in their own programs. Although OpenSSL is written in C, information on how to use OpenSSL with Perl, Python and PHP is also included.

The book is available from the usual sources, such as Amazon:
http://www.amazon.com/exec/obidos/ASIN/059600270X/

We'll also have a few signed copies available to people in the Washington DC area, this Thursday (the 27th). We'll have them at 30% off. Please email me to reserve a copy, as we only have a limited number. At the event, John Viega will be giving a FREE talk entitled "Why SSL Isn't Securing Your Software". You can find more information on the event at:
http://dc.securitygeeks.com/june2002.html

John Viega
Matt Messier
Pravir Chandra
problems with TLS in openldap server/client
Hallo everybody!

As you know openldap uses openssl, and I started to get the feeling that they use it somehow wrong.

Problem: I somehow cannot manage to make the TLS server authenticate the TLS client. Could you please look at the debug output of client and server below; probably you will be able to say what's going wrong there?

Thanx, Vadim Tarassov.

TLS trace: SSL_connect:before/connect initialization
tls_write: want=130, written=130
  0000: 80 80 01 03 01 00 57 00 00 00 20 00 00 16 00 00  ..W... .
  0010: 13 00 00 0a 07 00 c0 00 00 66 00 00 07 00 00 05  .f..
  0020: 00 00 04 05 00 80 03 00 80 01 00 80 08 00 80 00
  0030: 00 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00  .e..d..c..b..a..
  0040: 60 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14  `...@...
  0050: 00 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02
  0060: 00 80 06 aa 6a 6a c9 64 40 70 d9 c7 08 30 89 29  [EMAIL PROTECTED])
  0070: 9a 10 de 0e d3 f5 2f 17 af 38 96 21 9a 07 3d ad  ../..8.!..=.
  0080: cf f8  ..
TLS trace: SSL_connect:SSLv2/v3 write client hello A
tls_read: want=7, got=7
  0000: 16 03 01 00 4a 02 00  J..
tls_read: want=72, got=72
  0000: 00 46 03 01 3d 13 60 a9 a8 53 44 ab 95 3f 3b e3  .F..=.`..SD..?;.
  0010: 8b d1 60 fe 07 c6 12 bf c5 d5 d5 ef d5 7e 18 84  ..`..~..
  0020: 35 41 ad 10 20 56 04 a1 dd d6 38 fa 2f 95 91 dd  5A.. V8./...
  0030: 74 33 9c 36 08 cd 58 0e 46 8c 92 3b d6 2b fb 86  t3.6..X.F..;.+..
  0040: f2 ad 8e e2 be 00 0a 00
TLS trace: SSL_connect:SSLv3 read server hello A
tls_read: want=5, got=5
  0000: 16 03 01 07 e6  .
tls_read: want=2022, got=2022
  0000: 0b 00 07 e2 00 07 df 00 03 fc 30 82 03 f8 30 82  ..0...0.
  0010: 03 61 a0 03 02 01 02 02 02 10 02 30 0d 06 09 2a  .a.0...*
  0020: 86 48 86 f7 0d 01 01 04 05 00 30 81 aa 31 0b 30  .H0..1.0
  0030: 09 06 03 55 04 06 13 02 43 48 31 12 30 10 06 03  ...UCH1.0...
  0040: 55 04 08 13 09 53 6f 6d 65 77 68 65 72 65 31 13  USomewhere1.
  0050: 30 11 06 03 55 04 07 13 0a 57 69 6e 74 65 72 74  0...UWintert
  0060: 68 75 72 31 1c 30 1a 06 03 55 04 0a 13 13 4f 6e  hur1.0...UOn
  0070: 6c 69 6e 65 20 56 69 6f 6c 65 6e 63 65 20 4c 74  line Violence Lt
  0080: 64 31 1a 30 18 06 03 55 04 0b 13 11 53 65 78 75  d1.0...USexu
  0090: 61 6c 20 48 61 72 61 73 6d 65 6e 74 73 31 0e 30  al Harasments1.0
  00a0: 0c 06 03 55 04 03 13 05 52 61 74 74 65 31 28 30  ...URatte1(0
  00b0: 26 06 09 2a 86 48 86 f7 0d 01 09 01 16 19 72 61  ..*.Hra
  00c0: 74 74 65 40 6f 6e 6c 69 6e 65 2d 76 69 6f 6c 65  tte@online-viole
  00d0: 6e 63 65 2e 63 6f 6d 30 1e 17 0d 30 32 30 36 31  nce.com0...02061
  00e0: 38 31 37 30 34 30 37 5a 17 0d 30 33 30 36 31 38  8170407Z..030618
  00f0: 31 37 30 34 30 37 5a 30 81 9d 31 0b 30 09 06 03  170407Z0..1.0...
  0100: 55 04 06 13 02 43 48 31 12 30 10 06 03 55 04 08  UCH1.0...U..
  0110: 13 09 53 6f 6d 65 77 68 65 72 65 31 1c 30 1a 06  ..Somewhere1.0..
  0120: 03 55 04 0a 13 13 4f 6e 6c 69 6e 65 20 56 69 6f  .UOnline Vio
  0130: 6c 65 6e 63 65 20 4c 74 64 31 1a 30 18 06 03 55  lence Ltd1.0...U
  0140: 04 0b 13 11 53 65 78 75 61 6c 20 48 61 72 61 73  Sexual Haras
  0150: 6d 65 6e 74 73 31 13 30 11 06 03 55 04 03 13 0a  ments1.0...U
  0160: 65 63 70 6d 61 69 6e 74 30 35 31 2b 30 29 06 09  ecpmaint051+0)..
  0170: 2a 86 48 86 f7 0d 01 09 01 16 1c 76 61 64 69 6d  *.Hvadim
  0180: 2e 74 61 72 61 73 73 6f 76 40 77 69 6e 74 65 72  .tarassov@winter
  0190: 74 68 75 72 2e 63 68 30 81 9f 30 0d 06 09 2a 86  thur.ch0..0...*.
  01a0: 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89  H0..
  01b0: 02 81 81 00 a4 d3 f9 b8 89 f6 ec b0 75 d9 eb 1c  u...
  01c0: 1c 11 42 b7 19 f0 18 5f c6 50 03 49 2f 72 59 4b  ..B_.P.I/rYK
  01d0: 4c c3 b3 50 73 b8 0c b6 e1 60 98 e7 f1 48 8f b2  L..Ps`...H..
  01e0: 27 64 0d 89 9b c1 e7 d6 e8 68 d3 78 fc a1 cc fc  'd...h.x
  01f0: ef 7b fb de 4d d3 52 c5 bd d5 80 a0 43 e1 77 e0  .{..M.R.C.w.
  0200: 88 84 a8 52 86 85 25 40 9a a1 09 6b 0b 48 e2 c7  ...R..%@...k.H..
  0210: b3 09 50 aa 05 74 cd d1 1f 17 62 52 45 88 72 8b  ..P..tbRE.r.
  0220: ed 73 a3 8a d4 df a0 e5 e6 46 5e 3a c9 9d c5 55  .s...F^:...U
  0230: 83 e2 2a 37 02 03 01 00 01 a3 82 01 36 30 82 01  ..*760..
  0240: 32 30 09 06 03 55 1d 13 04 02 30 00 30 2c 06 09  20...U0.0,..
  0250: 60 86 48 01 86 f8 42 01 0d 04 1f 16 1d 4f 70 65  `.H...B..Ope
  0260: 6e 53 53 4c 20 47 65 6e 65 72 61 74 65 64 20 43  nSSL Generated C
  0270: 65
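To make the hex above readable, here is an added decoder (example code written for this page, not part of OpenLDAP, OpenSSL or the post) for the three messages the dump contains: the 130-byte SSLv2-format CLIENT-HELLO that an SSLv2/v3-compatible client sends first, the TLS 1.0 ServerHello record, and the start of the Certificate record. The bytes are copied from the rows above with the ASCII column dropped; the certificate record is only partially present in the quoted trace, so the decoder reports how much of it is missing instead of failing. Reading the result: the client offers 29 cipher specs, 8 of them SSLv2-only, the server answers with TLS 1.0 and suite 0x000a (RSA key exchange, 3DES, SHA-1), the server random's timestamp decodes to 2002-06-21, and the server certificate is 1020 bytes of DER. A CertificateRequest, which is what decides whether the client is asked for its certificate, would come after the Certificate message, beyond what the quoted trace shows, so the visible part of the dump cannot explain the client-authentication failure by itself.

```python
"""Decoder for the OpenLDAP TLS trace quoted above (added example, not from the post)."""
import struct
from datetime import datetime, timezone

# Bytes copied from the tls_write/tls_read rows above, ASCII column dropped.
CLIENT_HELLO = bytes.fromhex(
    "80 80 01 03 01 00 57 00 00 00 20 00 00 16 00 00 "
    "13 00 00 0a 07 00 c0 00 00 66 00 00 07 00 00 05 "
    "00 00 04 05 00 80 03 00 80 01 00 80 08 00 80 00 "
    "00 65 00 00 64 00 00 63 00 00 62 00 00 61 00 00 "
    "60 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14 "
    "00 00 11 00 00 08 00 00 06 00 00 03 04 00 80 02 "
    "00 80 06 aa 6a 6a c9 64 40 70 d9 c7 08 30 89 29 "
    "9a 10 de 0e d3 f5 2f 17 af 38 96 21 9a 07 3d ad "
    "cf f8"
)
SERVER_HELLO_RECORD = bytes.fromhex(  # the 7-byte and 72-byte reads joined
    "16 03 01 00 4a 02 00 "
    "00 46 03 01 3d 13 60 a9 a8 53 44 ab 95 3f 3b e3 "
    "8b d1 60 fe 07 c6 12 bf c5 d5 d5 ef d5 7e 18 84 "
    "35 41 ad 10 20 56 04 a1 dd d6 38 fa 2f 95 91 dd "
    "74 33 9c 36 08 cd 58 0e 46 8c 92 3b d6 2b fb 86 "
    "f2 ad 8e e2 be 00 0a 00"
)
CERTIFICATE_RECORD_PREFIX = bytes.fromhex(  # 5-byte header plus the first 80 of 2022 body bytes
    "16 03 01 07 e6 "
    "0b 00 07 e2 00 07 df 00 03 fc 30 82 03 f8 30 82 "
    "03 61 a0 03 02 01 02 02 02 10 02 30 0d 06 09 2a "
    "86 48 86 f7 0d 01 01 04 05 00 30 81 aa 31 0b 30 "
    "09 06 03 55 04 06 13 02 43 48 31 12 30 10 06 03 "
    "55 04 08 13 09 53 6f 6d 65 77 68 65 72 65 31 13"
)

def parse_sslv2_client_hello(data):
    """SSLv2-format CLIENT-HELLO: 2-byte header, then type, version, three lengths, specs, id, challenge."""
    if not data[0] & 0x80:
        raise ValueError("expected a 2-byte SSLv2 record header")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len:
        raise ValueError(f"record truncated: {len(body)} of {rec_len} bytes")
    msg_type, major, minor, cs_len, sid_len, ch_len = struct.unpack("!BBBHHH", body[:9])
    if msg_type != 1:
        raise ValueError("not a CLIENT-HELLO")
    pos = 9
    specs = [body[pos + i:pos + i + 3] for i in range(0, cs_len, 3)]  # SSLv2 specs are 3 bytes each
    pos += cs_len
    session_id, pos = body[pos:pos + sid_len], pos + sid_len
    challenge, pos = body[pos:pos + ch_len], pos + ch_len
    if pos != rec_len:
        raise ValueError("length fields do not add up to the record length")
    return {"record_length": rec_len, "version": (major, minor), "cipher_specs": specs,
            # 00 xx yy carries an SSLv3/TLS suite in v2 format; any other first byte is an SSLv2-only spec
            "tls_suites": [s for s in specs if s[0] == 0],
            "sslv2_only_specs": [s for s in specs if s[0] != 0],
            "session_id": session_id, "challenge": challenge}

def parse_tls_record(data):
    """TLS record header: type(1) version(2) length(2); the body may be shorter than declared in a cut dump."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    return {"content_type": ctype, "version": (major, minor), "length": length,
            "body": body, "missing": length - len(body)}

def parse_handshake(body):
    """Handshake header: type(1) length(3); returns (type, declared length, payload actually present)."""
    return body[0], int.from_bytes(body[1:4], "big"), body[4:4 + int.from_bytes(body[1:4], "big")]

def parse_server_hello(payload):
    major, minor = payload[0], payload[1]
    gmt = struct.unpack("!I", payload[2:6])[0]  # TLS 1.0 puts gmt_unix_time in the first 4 random bytes
    sid_len = payload[34]                        # 2 version bytes + 32 random bytes
    pos = 35 + sid_len
    return {"version": (major, minor), "gmt_unix_time": gmt,
            "date": datetime.fromtimestamp(gmt, tz=timezone.utc).date().isoformat(),
            "session_id": payload[35:pos], "cipher_suite": struct.unpack("!H", payload[pos:pos + 2])[0],
            "compression": payload[pos + 2], "trailing": payload[pos + 3:]}

def parse_certificate_list(payload):
    """Certificate message prefix: list length(3), first cert length(3), then the first cert's DER."""
    list_len = int.from_bytes(payload[0:3], "big")
    first_len = int.from_bytes(payload[3:6], "big")
    der = payload[6:6 + first_len]
    # cross-check the DER SEQUENCE header (30 82 ll ll) against the TLS length field
    consistent = len(der) >= 4 and der[0] == 0x30 and der[1] == 0x82 \
        and int.from_bytes(der[2:4], "big") + 4 == first_len
    return {"list_length": list_len, "first_cert_length": first_len,
            "first_cert_bytes_available": len(der), "der_length_consistent": consistent}

if __name__ == "__main__":
    ch = parse_sslv2_client_hello(CLIENT_HELLO)
    print(f"client hello: version {ch['version']}, {len(ch['cipher_specs'])} specs, "
          f"{len(ch['sslv2_only_specs'])} of them SSLv2-only, {len(ch['challenge'])}-byte challenge")
    rec = parse_tls_record(SERVER_HELLO_RECORD)
    sh = parse_server_hello(parse_handshake(rec["body"])[2])
    print(f"server hello: version {sh['version']}, suite 0x{sh['cipher_suite']:04x}, random time {sh['date']}")
    rec = parse_tls_record(CERTIFICATE_RECORD_PREFIX)
    print(f"certificate record: {rec['length']} bytes declared, {rec['missing']} not in the dump;",
          parse_certificate_list(parse_handshake(rec["body"])[2]))
```

The decoder deliberately stops at the record and handshake framing plus the certificate length fields; parsing the X.509 body itself is what openssl x509 -inform DER is for once the full 1020 bytes are captured.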
Re: handshake failure in SSL_read occasionally
Thanks Lutz for the helpful information. Could this be an IIS configuration issue?

Mike

> From: Lutz Jaenicke [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
> Subject: Re: handshake failure in SSL_read occasionally
> Date: Fri, 21 Jun 2002 16:51:14 +0200
>
> On Fri, Jun 21, 2002 at 10:18:51AM -0400, Zeng, Ming wrote:
> > Maybe I am too stupid to figure out how to reply to your question from your message directly, so I choose to do it my way.
> > Yes. error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure is the only error my program keeps logging every couple of hours. I have all the error handling code in place, and this error only happens in the SSL_read.
>
> I did have a look into the ssl/* code. SSL_HANDSHAKE_FAILURE in ssl3_read_bytes is only flagged if the s->handshake function returns 0. This means that a handshake took place. If the connection was already open, this means that a renegotiation took place (or at least was attempted). If I didn't misunderstand ssl3_connect (which is the handshake function for SSLv3), a return value of 0 should only appear if 0 bytes were read from the server: the server simply closed the connection. (From the source it also seems to be consistent that there is no error logged, as I did not see any entry added to the error queue in this case when looking over the code.)
>
> I don't have an idea however, on what you could do against the problem...
>
> Best regards,
> Lutz
> --
> Lutz Jaenicke [EMAIL PROTECTED]
> http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> BTU Cottbus, Allgemeine Elektrotechnik
> Universitaetsplatz 3-4, D-03044 Cottbus
ssl-0.9.7-beta 2 error (Help)
I've just compiled openssl-0.9.7-beta2 and now I'm getting an error in SSH saying:

  EVP_CipherInit: set key failed for none

I've searched the web but found nothing... any ideas?

Thanks