Creating new certificate for FTP Server with openssl
I'm playing around with my FTP server (RaidenFTPD) and am trying to make a new certificate for it with openssl. I get as far as making the keys (cert.pem, key.pem) which I'm supposed to be using. The PEM phrase is supposed to be "password", but what about the challenge password? When I later connect to my server I get "invalid certificate" with the openssl certs. I've made certs with FTP Voyager and CuteFTP also; then my clients report "self signed". Is there some part I've missed?

    openssl genrsa -des3 -out ca.key 1024
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    openssl x509 -noout -text -in ca.crt
    openssl genrsa -des3 -out server.key 1024
    openssl rsa -noout -text -in server.key
    openssl req -new -key server.key -out server.csr
    openssl ca -days 365 -cert ca.crt -keyfile ca.key -in server.csr -out server.crt

Any help would be appreciated :) It's a fun project, but not really prosperous :D
Re: SUN Crypto Accelerator + OpenSSL
Arin Komins wrote:
> This is just from memory, but isn't the Sun card a repackaged Rainbow Cryptoswift? (which is engine cswift?)

I read an article on the web indicating that the old SUN Crypto Accelerator 1 is a CryptoSwift (http://www.james.rcpt.to/2001/sun-crypto/), but I don't know about the 1000, because the libs mentioned in that article are not on my machine. I have filed a SUN support request, but no answer yet. I'll let you know when I get a response.

Joerg

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
error in installation
Dear colleague,

I am installing OpenSSL on a Sun Workstation (Solaris 2.6). It gives the following error (with make; with config it gave a couple of warnings only):

    echo "#define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
    echo '#endif' ) >buildinf.h
    cc -I. -I../include -KPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM -c -o cryptlib.o cryptlib.c
    License Error : Licensing product (Sun WorkShop Compiler C SPARC).
    License File: /usr/fortran/SUNWspro/bin/../SC5.0/bin/../../license_dir/sunpro.lic,1
    Invalid (inconsistent) license key
    The license-key and data for the feature do no match.
    This usually happens when a license file has been altered
    Feature:workshop.c.sparc
    FLEXlm error:-8,130.
    cc: acomp failed for cryptlib.c
    make[1]: *** [cryptlib.o] Error 2
    make[1]: Leaving directory `/ssh/openssl-engine-0.9.6g/crypto'
    make: *** [sub_all] Error 1
    bash-2.05#

We do have the given package properly installed (we purchased it, so we have a legal product and key). How do we overcome this problem?

Thanks a lot for your help.

Sincerely,
Pedro Augusto

--
Dr. Pedro Augusto
Assistant Professor          tel: +351 291 705150/8
Dep. Matematica              fax: +351 291 705199
Universidade da Madeira
Caminho da Penteada
9000-390 Funchal
Portugal
RE: Problem using crypt() with 0.9.6g Apache 2.0.43 php 4.2.3
Just got the latest tree and built 0.9.7-stable. Worked like a charm. Thanks!

Don

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard Levitte - VMS Whacker
Sent: Saturday, October 05, 2002 5:24 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Problem using crypt() with 0.9.6g Apache 2.0.43 php 4.2.3

In message <000401c26c2b$149aad70$637ba8c0@sanctuary> on Fri, 4 Oct 2002 21:52:59 -0700, Don MacAskill <[EMAIL PROTECTED]> said:

onethumb> It's been a bit of a pain to figure out where the error is
onethumb> occurring, and I may be totally wrong still, but it *appears*
onethumb> to be in OpenSSL at this point.

[...]

onethumb> Am I barking up the wrong tree?

You're barking up the right tree. I just committed a change that removes the definition of crypt() in OpenSSL (it's been increasingly in the way more than anything else).

--
Richard Levitte     \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken    \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                      \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: apache and that whole bugbear thing
Uhhh, last time I checked bugbear was a virus infecting M$ Lookout users. Don't think it runs against Linux.

At 20:51 5-10-02 -0400, [EMAIL PROTECTED] wrote:
> Is this the right place to ask questions about the bugbear worm?
>
> On a Sun box, we upgraded openssl to 0.9.6g because of the potential for the whole bugbear attack... I realize it's apparently targeted at Linux, but better safe than sorry... well, we've started getting hit with what we think may be attacks... they're not getting through, but they cause apache to lock up... it's very strange... the situation seems to happen as follows:
>
> We get a couple of http requests that return a 400 status... then the server stops serving requests... then EXACTLY (every time) 5 minutes later, to the second, we get a request that gives a 408 error from the same IP, then apache needs to be restarted before it accepts any further requests... until this morning, there has not been much information in the logs... but this morning, there were some entries in the ssl_engine_log that looked like this:
>
> [05/Oct/2002 02:55:42 00969] [error] SSL handshake timed out (client 66.46.213.130, server XXX.XXX.com:443)
> [05/Oct/2002 02:55:42 00969] [info]  Connection to child 14 established (server YYY.YYY.com:443, client 66.46.213.130)
> [05/Oct/2002 02:55:42 00969] [info]  Seeding PRNG with 1160 bytes of entropy
> [05/Oct/2002 02:55:42 00969] [error] SSL handshake failed (server YYY.YYY.com:443, client 66.46.213.130) (OpenSSL library error follows)
> [05/Oct/2002 02:55:42 00969] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
> [05/Oct/2002 02:55:42 00969] [info]  Connection to child 14 established (server XXX.XXX.com:443, client 66.46.213.130)
> [05/Oct/2002 02:55:42 00969] [info]  Seeding PRNG with 1160 bytes of entropy
>
> 66.46.213.130 was the IP address that gave the 400's and 408 this time around (different IP each time)... If this is not the best place to ask about this, please point me in the right direction...
>
> I'm starting to sweat with my boss breathing down my neck... this is a 24/7 production server, running critical web applications that internal and external customers access constantly... so any help towards an answer would be greatly appreciated...
>
> Thanks.
> Dan.
Normal operation?
We're operating the network by using the functions of OpenSSL. If the Windows task manager is watched during the network communication, the amount of memory used increases gradually. Is this normal operation? In addition, we checked with "Purify" that the increase in memory is not a memory leak.

The environment of operation is as follows:
OpenSSL version: openssl-0.9.6g
Operating system: Windows 2000 SP3

Please give me a reply. The results of an investigation of the memory quantity needed, and the sample program, are indicated below.

    +------------+--------------------------------------+
    | Windows    |            DES:@STRENGTH             |
    | 2000       +------------+------------+------------+
    |            |   Before   |   After    | Difference |
    +------------+------------+------------+------------+
    | 100 times  |    1032    |    2444    |    1412    |
    +------------+------------+------------+------------+
    | 1000 times |    1028    |    2780    |    1752    |
    +------------+------------+------------+------------+
    | 2000 times |    1032    |    3044    |    2012    |
    +------------+------------+------------+------------+
    | 3000 times |    1028    |    3096    |    2068    |
    +------------+------------+------------+------------+

#include <stdio.h>
#include <stdlib.h>
#include <memory.h>
#include <string.h>
#ifdef WIN32
#include <winsock2.h>
#include <io.h>
#else
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#endif
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>

/* #define CIPHER_LIST_STR "ALL:@STRENGTH" */
#define CIPHER_LIST_STR  "DES:@STRENGTH"
#define SERVER_IP        "255.255.255.255"
#define _SERVER_PORT     5963
#define HELLO_MESSAGE    "Hello, World!"
#define QUIT_REQUEST     "Shut you down."
#define SEND_FILE_1000KB "./SKDDL.cpp"   /* about 100kb */

int main(int argc, char **argv)
{
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    SSL_SESSION *session = NULL;
    struct sockaddr_in sa;
    int sd = -1;
    int ret;
    int err;
    int len;
    char buf[4096];
    int exit_count = 1;
    FILE *fp = NULL;
    char *server_ip = SERVER_IP;
    int server_port = _SERVER_PORT;

    /* optional arguments: server IP and port */
    if (argc > 1) {
        server_ip = *(argv + 1);
        if (argc > 2) {
            sscanf(*(argv + 2), "%d", &server_port);
        }
    }

    fprintf(stdout, "Ready...\n");
    getchar();  /* 0 */

    SSL_library_init();
    fprintf(stdout, "SSL_library_init\n");

    SSL_load_error_strings();
    fprintf(stdout, "SSL_load_error_strings\n");

    /* seed the PRNG until OpenSSL reports it has enough entropy */
    while (RAND_status() == 0) {
        int rnd = rand();
        RAND_seed(&rnd, sizeof(rnd));
    }
    fprintf(stdout, "RAND_status\n");

    ctx = SSL_CTX_new(TLSv1_client_method());
    fprintf(stdout, "SSL_CTX_new\n");
    if (ctx == NULL) {
        fprintf(stderr, "SSL_CTX_new() failed\n");
        goto cleanup;
    }

    SSL_CTX_set_cipher_list(ctx, CIPHER_LIST_STR);
    fprintf(stdout, "SSL_CTX_set_cipher_list\n");

    ssl = SSL_new(ctx);
    fprintf(stdout, "SSL_new\n");
    if (ssl == NULL) {
        fprintf(stderr, "SSL_new() failed\n");
        goto cleanup;
    }

#ifdef WIN32
    {
        WORD wVersionRequested;
        WSADATA wsaData;
        wVersionRequested = MAKEWORD(2, 2);
        if (WSAStartup(wVersionRequested, &wsaData) != 0) {
            fprintf(stderr, "WSAStartup failed\n");
            goto cleanup;
        }
    }
    fprintf(stdout, "WSAStartup\n");
#endif

start_connect:
    fprintf(stdout, "\n** %d **\n", exit_count);

    /* close the socket of the previous round before reconnecting */
    if (sd != -1) {
        close(sd);
    }
    fprintf(stdout, "close\n");

    sd = socket(AF_INET, SOCK_STREAM, 0);
    if (sd == -1) {
        fprintf(stderr, "socket() failed\n");
        goto cleanup;
    }
    fprintf(stdout, "socket\n");

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr(server_ip);
    sa.sin_port = htons(server_port);
    ret = connect(sd, (struct sockaddr *)&sa, sizeof(sa));
    fprintf(stdout, "connect\n");
    if (ret != 0) {
        fprintf(stderr, "connect() failed\n");
        goto cleanup;
    }

    SSL_set_fd(ssl, sd);
    fprintf(stdout, "SSL_set_fd\n");

    ret = SSL_connect(ssl);
    fprintf(stdout, "SSL_connect\n");
    if (ret != 1) {
        /* SSL_get_error() gives the SSL_ERROR_* class; the descriptive
         * text comes from the error queue via ERR_get_error() */
        err = SSL_get_error(ssl, ret);
        ERR_error_string(ERR_get_error(), buf);
        fprintf(stderr, "SSL_connect() failed (%d): %s\n", err, buf);
        goto cleanup;
    }

    printf("SSL connection established.\n");

    if (session != NULL) {
        /* (the rest of the program is missing from the archived message) */
    }

cleanup:
    /* target of the goto statements above: release what was allocated */
    if (ssl != NULL) {
        SSL_free(ssl);
    }
    if (ctx != NULL) {
        SSL_CTX_free(ctx);
    }
    if (sd != -1) {
        close(sd);
    }
    return 0;
}
smime utility: can't get decrypt to return the data that was encrypted
Hi,

I am using openssl engine 0.9.6g on Windows XP. I sign an html file using smime as follows:

    openssl.exe smime -sign -nodetach -signer signer.pem -in in.html -binary -inkey signer.key -out out.p7s -outform DER

Then, I encrypt the signed data as follows:

    openssl.exe smime -encrypt -des3 -in out.p7s -inform DER -out out.enc -outform DER cert.pem

Then, I decrypt the encrypted data as follows:

    openssl.exe smime -decrypt -recip cert.pem -in out.enc -inform DER -inkey cert.key -out out2.p7s -outform DER

The output from the decrypt is not the same size as the input to encrypt. Files out.p7s and out2.p7s differ in size and contents. I am sure I am doing something wrong here. Any ideas what it is?

I have attached my certs and a batch file with this email.

Thanx
Himanshu Soni
basic SSL questions
Hey all,

I have some newbie questions about how to use certificates properly, so I've compiled a few questions for anyone out there willing to offer a few minutes of their time to help me out.

RedHat 7.3
apache-devel-1.3.23-14
apache-manual-1.3.23-14
apacheconf-0.8.2-2
apache-1.3.23-14
openssl-0.9.6b-28
openssl-perl-0.9.6b-28
openssl095a-0.9.5a-18
openssl096-0.9.6-13
openssl-devel-0.9.6b-28

1. When I use the Makefile in /etc/httpd/conf/ I can generate the .crt and .key files, no problem, add them to httpd.conf, piece of cake. But when I try to view the site I'm securing, it says the certificate comes from localhost.localhost, and not mydomain.com. How do I get around this? I plan to eventually get Thawte to sign my certs; just curious if they're all going to say they came from localhost.localhost?

2. From a very basic, high-level view, if I make a certificate for mydomain.com, will it, by default, work without complaining to the user about the host name if I try to use it for https://www.mydomain.com, https://myprefix1.mydomain.com and https://myprefix2.mydomain.com, or is it absolutely tied to the hostname? That is, if I make a certificate for mydomain.com will it ONLY work as https://mydomain.com/, or can I add whatever prefix I want (www., myprefix1., etc.)?

Thanks for any info,
-id
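The two certificate questions above (the FTP-server CA commands and the mydomain.com host-name question) share one answer, shown here as an added example that is not code from either poster. It runs the same steps as the posted openssl commands (private CA, server key, CSR, CA-signed server certificate) and then performs the two checks a client makes: whether the certificate chains to a CA in the client's trust store (a "self signed" or "invalid certificate" warning means it does not, until ca.crt is imported on the client), and whether it is valid for the host name the client connected to (only names listed in subjectAltName match; www. and myprefix1. are not implied by mydomain.com). The host names come from the second post; the CA name, file paths and working directory are assumptions. The challengePassword prompted for by openssl req is an optional CSR attribute used by some enrollment protocols and is unrelated to the key's PEM passphrase, so it is left empty here.

```shell
#!/bin/sh
# Constructed example, not code from either list post. Private CA, CA-signed
# server certificate for mydomain.com + two prefixes, and the client-side
# checks. Paths and the CA name are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}

make_certs() {
    # CA key and self-signed CA certificate. Extensions come from an explicit
    # file so the result does not depend on the local openssl.cnf defaults.
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -key "$WORK/ca.key" -subj "/CN=Example Private CA" \
        -out "$WORK/ca.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

    # Server key and CSR. No challengePassword: it is an optional CSR
    # attribute for enrollment protocols, unrelated to the PEM passphrase.
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -subj "/CN=mydomain.com" \
        -out "$WORK/server.csr" 2>/dev/null

    # Every host name the certificate should be valid for goes into
    # subjectAltName; clients match against these (CN is only a fallback).
    cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mydomain.com, DNS:www.mydomain.com, DNS:myprefix1.mydomain.com
EOF
    # Sign with the CA. -CAcreateserial avoids the index/serial files that
    # 'openssl ca' (used in the first post) expects to exist.
    openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/server.ext" \
        -out "$WORK/server.crt" 2>/dev/null
}

# 0 if server.crt chains to the CA the client has imported.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# 0 if the certificate is valid for host name $1 (subjectAltName match).
verify_host() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}

# Same check against only the system trust store: fails because the private
# CA is not in it. This is what the "self signed" warning reports.
verify_without_ca() {
    openssl verify "$WORK/server.crt" >/dev/null 2>&1
}

# Stand-alone run.
make_certs
verify_chain && echo "chain to private CA: ok"
for h in mydomain.com www.mydomain.com myprefix1.mydomain.com myprefix2.mydomain.com; do
    if verify_host "$h"; then echo "$h: valid"; else echo "$h: NOT valid (not in SAN)"; fi
done
verify_without_ca || echo "without the CA imported: verification fails"
```

To cover every prefix without listing each one, a wildcard entry (DNS:*.mydomain.com) can be added to subjectAltName; a public CA such as the one mentioned in the post will likewise only certify the names that appear in the request.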
question about ciphers used by OpenSSL and general terminology
Hi there,

I was wondering if anyone could tell me what ciphers are implemented and used by OpenSSL. I've followed the example in the book Network Security with OpenSSL, and have tried to create an SSL enabled server and have called SSL_CTX_set_cipher_list() like this:

    #define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
    SSL_CTX_set_cipher_list(ctx, CIPHER_LIST);

My understanding is, this enables all algorithms but disables certain ones. But what are all the algorithms that are enabled by doing this?

I also have a general terminology question... what are key management algorithms? And what is the modulus size?

Thanks,
Ed
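The concrete list of suites a cipher-list string enables is what the question above asks for, and openssl ciphers -v prints it with one suite per line and its key exchange (Kx), authentication (Au), encryption (Enc) and MAC columns. The following is an added example, not code from the poster or the book: it expands the posted string and a hardened variant and counts suites with weak properties. The hardened variant replaces !ADH with !aNULL, because !ADH removes only anonymous finite-field DH while !aNULL removes every suite with no server authentication (anonymous ECDH included), and adds !eNULL for suites without encryption. The cipher-list keywords are standard OpenSSL ones; the function names are this example's own.

```shell
#!/bin/sh
# Constructed example, not code from the list post. Expands a cipher-list
# string to the suites OpenSSL would offer and checks them for weak
# properties, using the columns printed by 'openssl ciphers -v'.
set -eu

# The list from the post (with @STRENGTH spelled correctly) and a hardened
# one. '!aNULL' covers all unauthenticated suites (ADH and AECDH), '!eNULL'
# all unencrypted ones.
POSTED_LIST='ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'
HARDENED_LIST='ALL:!aNULL:!eNULL:!LOW:!EXP:!MD5:@STRENGTH'

# One suite per line: name, protocol, Kx=, Au=, Enc=, Mac= columns.
expand_ciphers() {
    openssl ciphers -v "$1"
}

# Number of suites in list $1 whose description contains property $2
# (e.g. 'Au=None' or 'Mac=MD5'); prints 0 when none match.
count_property() {
    expand_ciphers "$1" | grep -c -- "$2" || true
}

# Succeeds only if list $1 offers neither unauthenticated nor MD5-MAC suites.
list_is_clean() {
    [ "$(count_property "$1" 'Au=None')" -eq 0 ] &&
    [ "$(count_property "$1" 'Mac=MD5')" -eq 0 ]
}

# Stand-alone run: compare the two lists.
for list in "$POSTED_LIST" "$HARDENED_LIST"; do
    printf '%s\n  suites: %s  Au=None: %s  Mac=MD5: %s\n' "$list" \
        "$(expand_ciphers "$list" | wc -l)" \
        "$(count_property "$list" 'Au=None')" \
        "$(count_property "$list" 'Mac=MD5')"
done
```

The exact suites printed depend on the OpenSSL version the binary was built from (suites in the LOW and EXP classes no longer exist in current releases, so those exclusions are harmless no-ops there), which is why the output is inspected rather than assumed.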
RE: apache and that whole bugbear thing
I think you ([EMAIL PROTECTED]) are confusing bugbear with slapper. Provided you restarted your web server after the upgrade to 0.9.6g, you should be OK as far as that is concerned. The restart is necessary to ensure that no code from the previous version of openssl is still in memory.

Could you give some more details about your other problems please? eg, version of apache and mod_ssl? You may need to upgrade these. For example, there is a recent update to apache (1.3.27) that contains several new security fixes.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD,
Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute

-----Original Message-----
From: B. van Ouwerkerk [mailto:[EMAIL PROTECTED]]
Sent: 07 October 2002 17:17
To: [EMAIL PROTECTED]
Subject: Re: apache and that whole bugbear thing

> Uhhh, last time I checked bugbear was a virus infecting M$ Lookout users. Don't think it runs against Linux.
>
> At 20:51 5-10-02 -0400, [EMAIL PROTECTED] wrote:
>> Is this the right place to ask questions about the bugbear worm?
>>
>> On a Sun box, we upgraded openssl to 0.9.6g because of the potential for the whole bugbear attack... I realize it's apparently targeted at Linux, but better safe than sorry... well, we've started getting hit with what we think may be attacks... they're not getting through, but they cause apache to lock up... it's very strange... the situation seems to happen as follows:
>>
>> We get a couple of http requests that return a 400 status... then the server stops serving requests... then EXACTLY (every time) 5 minutes later, to the second, we get a request that gives a 408 error from the same IP, then apache needs to be restarted before it accepts any further requests... until this morning, there has not been much information in the logs... but this morning, there were some entries in the ssl_engine_log that looked like this:
>>
>> [05/Oct/2002 02:55:42 00969] [error] SSL handshake timed out (client 66.46.213.130, server XXX.XXX.com:443)
>> [05/Oct/2002 02:55:42 00969] [info]  Connection to child 14 established (server YYY.YYY.com:443, client 66.46.213.130)
>> [05/Oct/2002 02:55:42 00969] [info]  Seeding PRNG with 1160 bytes of entropy
>> [05/Oct/2002 02:55:42 00969] [error] SSL handshake failed (server YYY.YYY.com:443, client 66.46.213.130) (OpenSSL library error follows)
>> [05/Oct/2002 02:55:42 00969] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
>> [05/Oct/2002 02:55:42 00969] [info]  Connection to child 14 established (server XXX.XXX.com:443, client 66.46.213.130)
>> [05/Oct/2002 02:55:42 00969] [info]  Seeding PRNG with 1160 bytes of entropy
>>
>> 66.46.213.130 was the IP address that gave the 400's and 408 this time around (different IP each time)... If this is not the best place to ask about this, please point me in the right direction...
>>
>> I'm starting to sweat with my boss breathing down my neck... this is a 24/7 production server, running critical web applications that internal and external customers access constantly... so any help towards an answer would be greatly appreciated...
>>
>> Thanks.
>> Dan.