Re: otherName and dNSName

[Dr. Stephen Henson]

On Thu, Oct 24, 2002, Andrea Vallorani wrote:

> hi
> 
> I'd know if i can insert in the field "subject alternative name" both 'dNSName' and 
>'other name' with DER code (DER: ..).
> I tried to do it, but when i see my certificate with other software, subject 
>alternative name don't show up in clear-text but in hex code. I see this : ' other 
>name: 1.3.6.1.4.1.311.25.1=0A1A010306. '
> It's possible to make use DER code or I must modify OpenSSL source code? 
> 

You can use dNSName in a config file (see doc/openssl.txt).

For otherName the actual OID you use has to be understood by the other
software otherwise it will use some default operation to display the extension
which may just be to dump the DER encoding.

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: question about X.509 certs and subjectAltName

[Dr. Stephen Henson]

On Fri, Oct 25, 2002, Edward Chan wrote:

> Yikes, thanks for the heads up.  When you say not
> portable, do you mean with future versions of openssl,
> or not portable across platforms?
> 

It wont work in future versions of OpenSSL. It wont in 0.9.7.

> Can you point me to some good examples of how to use
> those X509 API's to do a post connection check?
> 

As I mentioned in my other message, check out X509_get1_email() which accesses
subjectAltName to retrieve email addresses. 

Also check the docs in doc/openssl.txt.

What you are want is fairly easily accomplished: all you really need to do is
to call X509_get_ext_d2i() using NID_subjectAltName and just look through the
returned stucture (which is STACK_OF(GENERAL_NAME) for the entries you want.

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: R: PKCS12_parse problem

[Dr. Stephen Henson]

On Fri, Oct 25, 2002, Marco Donati wrote:

> Well... the application is actually an intermediate library, so every 
>''cryptographic'' operation is enclosed between
> OpenSSL_add_all_algorithms()...EVP_cleanup() calls.
> 
> There are no OpenSSL_add_all_algorithms() calls without the final EVP_cleanup() and 
>vice versa, there are no EVP_cleanup() calls without the initial 
>OpenSSL_add_all_algorithms().
> 
> Are you saying that this is not enough and that the library should call 
>OpenSSL_add_all_algorithms()...EVP_cleanup() only ONCE ?
> This could be  not straightforward
> 

Well let me explain a bit...

OpenSSL has an internal global table of supported algorithms (digests and ciphers).
Certain operations such as PKCS12_parse() lookup digests and ciphers from this
table so if it can't find one it gives the error you are seeing.

Now addding and removing all ciphers whenever you use an OpenSSL command is
not really recommended, it will repeatedly rebuild the table and it is not
thread safe. One thread could access a partially complete table.

So ideally you should only build the table in a single threaded context before
calling any OpenSSL functions and clean it up only after no further calls will
be made.

However one added complication is that a change was made to OpenSSL 0.9.6g
which avoids a problem of duplicate calls to OpenSSL_add_all_algorithms()
creating duplicate table entries by only making the first call work. This
has a problem because EVP_cleanup() doesn't reset the flag so effectively
only the first call to OpenSSL_add_all_algorithms() works. This isn't what
earlier 0.9.6X did and this will be fixed for 0.9.6h. You can get the old
baheviour by deleting the relevant lines from OpenSSL_add_all_ciphers() and
OpenSSL_add_all_digest().

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Cert Extension conversition

[F Awan]

Thanks Richard!!! It worked. I was trying to figure it out for the past two days. I really appreciated.
 
 Richard Andrus <[EMAIL PROTECTED]> wrote:
use the command :openssl pkcs12 -in xxx.pfx -out xxx.pemBy default, this will encrypt the private key with triple DES inside the PEM file.It will first prompt you for the password used to protect the pfx back when it wascreated, then it will prompt you for the password used to encrypt it in the PEM file.Scott Harris wrote:> I have a CA Certificate genereated from Microsoft CA and I was able to > convert it to PEM format. It only has public key>> *Openssl:x509 -n xxx.cer -inform d -out xxx.pem*>> But I am unable to covert a private key (in .pfx) of the server > certicate to PEM.>> Any body knows how to convert a .pfx in .PEM format.>> Thats was I am looking for after converstion>> ---BEGIN ENCRYPTED PRIVATE KEY>> --!
 ---END ENCRYPTED PRIVATE KEY>> I am just getting garballed and do not see this. Is this possible > using OPENSSL or I need to look into other tools to do the conversition.>> >> >> >>> > Do you Yahoo!?> Y! Web Hosting - Let the expert host > your web site __OpenSSL Project http://www.openssl.orgUser Support Mailing List [EMAIL PROTECTED]Automated List Manager [EMAIL PROTECTED]Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site

Re: Cert Extension conversition

[Richard Andrus]

use the command :

openssl pkcs12 -in xxx.pfx -out xxx.pem

By default, this will encrypt the private key with triple DES inside the 
PEM file.
It will first prompt you for the password used to protect the pfx back 
when it was
created, then it will prompt you for the password used to encrypt it in 
the PEM file.

Scott Harris wrote:

I have a CA Certificate genereated from Microsoft CA and I was able to 
convert it to PEM format. It only has public key

*Openssl:x509 -n xxx.cer -inform d -out xxx.pem*

 But I am unable to covert a private key (in .pfx) of the server 
certicate to PEM.

Any body knows how to convert a .pfx in .PEM format.

Thats was I am looking for after converstion

---BEGIN ENCRYPTED PRIVATE KEY

-END ENCRYPTED PRIVATE KEY

I am just getting garballed and do not see this. Is this possible 
using OPENSSL or I need to look into other tools to do the conversition.

 

 

 



Do you Yahoo!?
Y! Web Hosting  - Let the expert host 
your web site 



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Cert Extension conversition

[Scott Harris]

I have a CA Certificate genereated from Microsoft CA and I was able to convert it to PEM format. It only has public key
Openssl:x509 -n xxx.cer -inform d -out xxx.pem
 But I am unable to covert a private key (in .pfx) of the server certicate to PEM.
Any body knows how to convert a .pfx in .PEM format.
Thats was I am looking for after converstion
---BEGIN ENCRYPTED PRIVATE KEY
-END ENCRYPTED PRIVATE KEY
I am just getting garballed and do not see this. Is this possible using OPENSSL or I need to look into other tools to do the conversition.
 
 
 Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site

RE: oids, attributes (doc pointers)

[Markus Lorch]

Eric,

if you request a new OID branch for your organization 
you should be fine. This can be done at:
http://www.iana.org/cgi-bin/enterprise.pl


Markus

Markus Lorch
Doctoral Student in Computer Science
Virginia Tech
http://csgrad.cs.vt.edu/~mlorch

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:owner-openssl-users@;openssl.org]On Behalf Of Eric Weitzman
> Sent: Friday, October 25, 2002 1:52 PM
> To: [EMAIL PROTECTED]
> Subject: oids, attributes (doc pointers)
> 
> 
> Would someone be kind enough to direct me to sources of information on:
> 
> 1) creating new oids that don't conflict with existing oids
> 2) creating new attributes in certificates that can hold arbitrary values
> 
> Thanks,
> - Eric
> 
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: question about X.509 certs and subjectAltName

[Edward Chan]

Yikes, thanks for the heads up.  When you say not
portable, do you mean with future versions of openssl,
or not portable across platforms?

Can you point me to some good examples of how to use
those X509 API's to do a post connection check?

Thanks,
Ed

--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:
> On Thu, Oct 24, 2002, Edward Chan wrote:
> 
> > Hi there,
> > 
> > I'm looking at some code for doing post connection
> > checks to make sure the DNS name specified in the
> > certificate matches the host the client is trying
> to
> > connect to.  The code is from Chapter 5 of
> "Network
> > Security with OpenSSL".  
> > 
> > It looks like it first gets the subjectAltName
> field
> > of the certificate, then tries to get the dNSName.
> 
> > However, it specifies "DNS" instead of "dNSName". 
> Is
> > this an error?  Should it be "DNS" or "dNSName". 
> And
> > if I want to check for IP address, should I
> specify
> > "iPAddress"?
> > 
> > The code is below. The line
> > 
> > if (!strcmp(nval->name, "DNS") &&
> !strcmp(nval->value,
> > host))
> > 
> > looks suspicious to me.
> > 
> > 
> > long post_connection_check(SSL *ssl, char *host)
> > {
> > X509  *cert;
> > X509_NAME *subj;
> > char  data[256];
> > int   extcount;
> > int   ok = 0;
> >  
> > /* Checking the return from
> > SSL_get_peer_certificate here is not strictly
> >  * necessary.  With our example programs, it
> is
> > not possible for it to return
> >  * NULL.  However, it is good form to check
> the
> > return since it can return NULL
> >  * if the examples are modified to enable
> > anonymous ciphers or for the server
> >  * to not require a client certificate.
> >  */
> > if (!(cert = SSL_get_peer_certificate(ssl)) ||
> > !host)
> > goto err_occured;
> > if ((extcount = X509_get_ext_count(cert)) > 0)
> > {
> > int i;
> >  
> > for (i = 0;  i < extcount;  i++)
> > {
> > char  *extstr;
> > X509_EXTENSION*ext;
> >  
> > ext = X509_get_ext(cert, i);
> > extstr =
> >
>
OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
> >  
> > if (!strcmp(extstr, "subjectAltName"))
> > {
> > int  j;
> > unsigned char*data;
> > STACK_OF(CONF_VALUE) *val;
> > CONF_VALUE   *nval;
> > X509V3_EXT_METHOD*meth;
> >  
> > if (!(meth = X509V3_EXT_get(ext)))
> > break;
> > data = ext->value->data;
> >  
> > val = meth->i2v(meth, 
> > meth->d2i(NULL,
> &data,
> > ext->value->length),
> > NULL);
> > for (j = 0;  j <
> > sk_CONF_VALUE_num(val);  j++)
> > {
> > nval =
> sk_CONF_VALUE_value(val,
> > j);
> > if (!strcmp(nval->name, "DNS")
> &&
> > !strcmp(nval->value, host))
> > {
> > ok = 1;
> > break;
> > }
> > }
> > }
> > if (ok)
> > break;
> > }
> > }
> >  
> > if (!ok && (subj =
> X509_get_subject_name(cert)) &&
> > X509_NAME_get_text_by_NID(subj,
> > NID_commonName, data, 256) > 0)
> > {
> > data[255] = 0;
> > if (strcasecmp(data, host) != 0)
> > goto err_occured;
> > }
> >  
> > X509_free(cert);
> > return SSL_get_verify_result(ssl);
> >  
> > err_occured:
> > if (cert)
> > X509_free(cert);
> > return X509_V_ERR_APPLICATION_VERIFICATION;
> > }
> > 
> > 
> One additional comment. I'd advise against using the
> technique above: it is
> non portable and not guaranteed to work on future
> versions of OpenSSL: in
> fact it wont work on 0.9.7.
> 
> Steve.
> --
> Dr. Stephen Henson  [EMAIL PROTECTED]   
> 
> OpenSSL Project
> http://www.openssl.org/~steve/
>
__
> OpenSSL Project
> http://www.openssl.org
> User Support Mailing List   
> [EMAIL PROTECTED]
> Automated List Manager  
[EMAIL PROTECTED]


__
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: question about X.509 certs and subjectAltName

[Edward Chan]

Sorry if I'm being dumb...but what if the certificate
was not generated using OpenSSL?  Do I still access
this field of of subjectAltName by getting "DNS"?  Is
"DNS" OpenSSL specific?



Ed

--- Christian Hohnstaedt <[EMAIL PROTECTED]>
wrote:
> Hi,
> 
> The "DNS" refers to the configuration value in your
> openssl.cnf file
> it is the name of the "conf-value"
> e.g. 
> subjectAltName = DNS:foo.bar.com, IP:10.11.12.13
> 
> also look at doc/openssl.txt
> 
> Greets
> 
> Christian
> 
> 
> On Thu, Oct 24, 2002 at 11:57:42AM -0700, Edward
> Chan wrote:
> > Hi there,
> > 
> > I'm looking at some code for doing post connection
> > checks to make sure the DNS name specified in the
> > certificate matches the host the client is trying
> to
> > connect to.  The code is from Chapter 5 of
> "Network
> > Security with OpenSSL".  
> > 
> > It looks like it first gets the subjectAltName
> field
> > of the certificate, then tries to get the dNSName.
> 
> > However, it specifies "DNS" instead of "dNSName". 
> Is
> > this an error?  Should it be "DNS" or "dNSName". 
> And
> > if I want to check for IP address, should I
> specify
> > "iPAddress"?
> > 
> > The code is below. The line
> > 
> > if (!strcmp(nval->name, "DNS") &&
> !strcmp(nval->value,
> > host))
> > 
> > looks suspicious to me.
> > 
> > 
> > long post_connection_check(SSL *ssl, char *host)
> > {
> > X509  *cert;
> > X509_NAME *subj;
> > char  data[256];
> > int   extcount;
> > int   ok = 0;
> >  
> > /* Checking the return from
> > SSL_get_peer_certificate here is not strictly
> >  * necessary.  With our example programs, it
> is
> > not possible for it to return
> >  * NULL.  However, it is good form to check
> the
> > return since it can return NULL
> >  * if the examples are modified to enable
> > anonymous ciphers or for the server
> >  * to not require a client certificate.
> >  */
> > if (!(cert = SSL_get_peer_certificate(ssl)) ||
> > !host)
> > goto err_occured;
> > if ((extcount = X509_get_ext_count(cert)) > 0)
> > {
> > int i;
> >  
> > for (i = 0;  i < extcount;  i++)
> > {
> > char  *extstr;
> > X509_EXTENSION*ext;
> >  
> > ext = X509_get_ext(cert, i);
> > extstr =
> >
>
OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
> >  
> > if (!strcmp(extstr, "subjectAltName"))
> > {
> > int  j;
> > unsigned char*data;
> > STACK_OF(CONF_VALUE) *val;
> > CONF_VALUE   *nval;
> > X509V3_EXT_METHOD*meth;
> >  
> > if (!(meth = X509V3_EXT_get(ext)))
> > break;
> > data = ext->value->data;
> >  
> > val = meth->i2v(meth, 
> > meth->d2i(NULL,
> &data,
> > ext->value->length),
> > NULL);
> > for (j = 0;  j <
> > sk_CONF_VALUE_num(val);  j++)
> > {
> > nval =
> sk_CONF_VALUE_value(val,
> > j);
> > if (!strcmp(nval->name, "DNS")
> &&
> > !strcmp(nval->value, host))
> > {
> > ok = 1;
> > break;
> > }
> > }
> > }
> > if (ok)
> > break;
> > }
> > }
> >  
> > if (!ok && (subj =
> X509_get_subject_name(cert)) &&
> > X509_NAME_get_text_by_NID(subj,
> > NID_commonName, data, 256) > 0)
> > {
> > data[255] = 0;
> > if (strcasecmp(data, host) != 0)
> > goto err_occured;
> > }
> >  
> > X509_free(cert);
> > return SSL_get_verify_result(ssl);
> >  
> > err_occured:
> > if (cert)
> > X509_free(cert);
> > return X509_V_ERR_APPLICATION_VERIFICATION;
> > }
> > 
> > 
> > 
> > __
> > Do you Yahoo!?
> > Y! Web Hosting - Let the expert host your web site
> > http://webhosting.yahoo.com/
> >
>
__
> > OpenSSL Project
> http://www.openssl.org
> > User Support Mailing List   
> [EMAIL PROTECTED]
> > Automated List Manager  
> [EMAIL PROTECTED]
>
__
> OpenSSL Project
> http://www.openssl.org
> User Support Mailing List   
> [EMAIL PROTECTED]
> Automated List Manager  
[EMAIL PROTECTED]


__
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/
__
OpenSSL Project  

RE: Moving certificates

[Paul Ogden]

Perry,
Thanks for the response.  That is what we were hoping for.  Yes, they are
truly meant to be cold-spares, i.e. database moves, dns moves, etc.  The
spares will run at a different location, as thus will have different IPs,
but dns will be transferred to those ips as part of moving to the
cold-spares, should the need arise.

Paul Ogden
Claresco Corporation
(510) 549-2290

-Original Message-
From: [EMAIL PROTECTED]
[mailto:owner-openssl-users@;openssl.org]On Behalf Of Perry The Cynic
Sent: Friday, October 25, 2002 10:19
To: [EMAIL PROTECTED]
Subject: Re: Moving certificates


The server certificate contains the DNS name of the server host. If your
spares are meant to run with the same DNS name as the primary server, then
you can simply use the same certificate. This applies whether they are
cold spares that use the same IP address, or whether your servers' DNS
name is a "rator" DNS that names multiple servers' IP addresses.

(The converse is also true: if you have multiple DNS names pointing to the
same server, you need separate certificates for them.)

If your spares run at different DNS host names, you need separate
certificates. But then they're not really (ready-to-run) spares, are they?

If you do find yourself in a situation where you need certificates for
many different servers each with their own DNS name, you may want to get a
signing certificate (from Verisign or someone else) and use it to sign
your own set of server certs.

Cheers
  -- perry

On Fri, Oct 25, 2002 at 06:54:52AM -0700, Paul Ogden wrote:
> Hello,
>
> We are getting ready to host an app that requires a complement of offsite
> cold spare backup servers.  We are going to be testing the configuration
of
> the servers and our procedures for switching to cold spare in the event of
a
> catastrophic failure of the primary servers.
>
> My question is - what do I do about the certificate/key for the web
server?
> Can I merely move the server cert and private key files from the
production
> web server to the spare web server ( which has been built and configured
> identically to the production box )?  Or will this scenario require a
second
> certificate from the CA?
>
> We have signed our own certs in the past for internal intranet use for
> smaller hosted apps with just a few client connecting, but this is for a
> rather large customer and there will be many clients connecting to the app
> so we must go with Verisign or such.
>
> Thanks,
>
> Paul Ogden
> Claresco Corporation
> (510) 549-2290
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
---
Perry The Cynic [EMAIL PROTECTED]
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
---
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

oids, attributes (doc pointers)

[Eric Weitzman]

Would someone be kind enough to direct me to sources of information on:

1) creating new oids that don't conflict with existing oids
2) creating new attributes in certificates that can hold arbitrary values

Thanks,
- Eric


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

friendlyName

[Eric Weitzman]

Is it possible to add a friendlyName to a .pem certificate using
either the config file or a friendlyName key in the distinguished
name?

The only way that I've been able to make a certificate such that
Microsoft's Certificate Manager recognizes the friendlyName on import
is to encrypt the certificate using openssl pkcs12 with the -name
 option.

Thanks,
- Eric


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Threading model constraint?

[David Schwartz]

On Fri, 25 Oct 2002 09:19:51 -0700, [EMAIL PROTECTED] wrote:

>Our app uses a leader-follower thread pattern (e.g., "Pattern-Oriented
>Software Architecture", Schmidt, et al) which means that any given
>connection event will be serviced by selecting from a threadpool.  My
>reading suggests that OpenSSL is built around a thread-per-connection
>"orientation".  On the other hand, I think I remember reading that OpenSSL
>does not use thread local storage so I thought we should be able to work
>around that since we can get to the BIO's underlying fd.  Then I read that
>error state was maintained "by thread id".  %-[
>
>Can someone clarify this for me:  does OpenSSL depend upon
>one-thread-per-connection or can it be used in the context of other
>threading models?

Use bio pairs and don't let the OpenSSL ilbrary ever touch a file 
descriptor. You can then do the threading any way you want. The only 
exception is that you can't run the OpenSSL data pump in both directions for 
the same connection.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Moving certificates

[Perry The Cynic]

The server certificate contains the DNS name of the server host. If your
spares are meant to run with the same DNS name as the primary server, then
you can simply use the same certificate. This applies whether they are
cold spares that use the same IP address, or whether your servers' DNS
name is a "rator" DNS that names multiple servers' IP addresses.

(The converse is also true: if you have multiple DNS names pointing to the
same server, you need separate certificates for them.)

If your spares run at different DNS host names, you need separate
certificates. But then they're not really (ready-to-run) spares, are they?

If you do find yourself in a situation where you need certificates for
many different servers each with their own DNS name, you may want to get a
signing certificate (from Verisign or someone else) and use it to sign
your own set of server certs.

Cheers
  -- perry

On Fri, Oct 25, 2002 at 06:54:52AM -0700, Paul Ogden wrote:
> Hello,
> 
> We are getting ready to host an app that requires a complement of offsite
> cold spare backup servers.  We are going to be testing the configuration of
> the servers and our procedures for switching to cold spare in the event of a
> catastrophic failure of the primary servers.
> 
> My question is - what do I do about the certificate/key for the web server?
> Can I merely move the server cert and private key files from the production
> web server to the spare web server ( which has been built and configured
> identically to the production box )?  Or will this scenario require a second
> certificate from the CA?
> 
> We have signed our own certs in the past for internal intranet use for
> smaller hosted apps with just a few client connecting, but this is for a
> rather large customer and there will be many clients connecting to the app
> so we must go with Verisign or such.
> 
> Thanks,
> 
> Paul Ogden
> Claresco Corporation
> (510) 549-2290
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
---
Perry The Cynic [EMAIL PROTECTED]
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
---
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

automatic password entry with the dgst command

[Richard Andrus]

I've used openssl off and on for about a 18 months now, but I'm definitely

an OpenSSL beginner.

I'm digitally signing some documents like this :

openssl dgst -md5 -binary -sign privkey.pem -out sig.bin testdoc.txt
or alternatively
openssl md5 -binary -sign privkey.pem -out sig.bin testdoc.txt

When I do this, I get the 
"Enter PEM pass phrase:" 
prompt, and must interactively give the password
which decrypts the private key in the PEM file in 
order to calculate the signature.

I would like to give the password to this command non-interactively.
Other commands in openssl have options like "passin" or "pass" which
enable this functionality. Unfortunately "dgst" doesn't have this option.

After searching the archives of this list, I found some posts which 
made me think I could do it with the "echo" command and a pipe.

I tried some things like this :

echo mypassword | openssl md5 -sign privkey.pem -out sig.bin testdoc.txt

echo -n -e mypassword\r\n | openssl md5 -sign privkey.pem -out sig.bin testdoc.txt

echo -n -e \r\nmypassword\r\n | openssl md5 -sign privkey.pem -out sig.bin
testdoc.txt 
openssl md5 -sign -privkey.pem -out sig.bin testdoc.txt < echo mypassword
openssl md5 -sign -privkey.pem -out sig.bin testdoc.txt | echo mypassword

but none of them works.

After trying a lot more variations than these, it seems like it is 
an "order of argument" processing problem.

I'm running OpenSSL under Cygwin on Windows2000 - but I am using 
the unix-like version of  "echo". Does the OS have an impact on how 
arguments are processed ?

The only other think I can think of doing is calculating the plain 
hashes in a first pass, and then using "enc" to encrypt them in another 
pass. What encryption algorithm is used when MD5 does a signing ?
I would really rather do it in one step, if possible.

Any suggestions for how to avoid the interactive password entry ?

Thanks
Richard



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Threading model constraint?

[Dick . Bridges]

I'm retrofitting an existing program to use [OpenSSL?] TLS between nodes.
Most of my info comes from reading "Network Security with OpenSSL" and
lurking on this list.  I don't have the time right now to grok the code,
hence this request.

Our app uses a leader-follower thread pattern (e.g., "Pattern-Oriented
Software Architecture", Schmidt, et al) which means that any given
connection event will be serviced by selecting from a threadpool.  My
reading suggests that OpenSSL is built around a thread-per-connection
"orientation".  On the other hand, I think I remember reading that OpenSSL
does not use thread local storage so I thought we should be able to work
around that since we can get to the BIO's underlying fd.  Then I read that
error state was maintained "by thread id".  %-[

Can someone clarify this for me:  does OpenSSL depend upon
one-thread-per-connection or can it be used in the context of other
threading models?

TIA

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Converting PEM file to PKCS12 or PFX for the MacOS (Not Mac OSx)...

[Auteria Wally Winzer Jr.]

has anyone converted pem files into pkcs12, pfx, or der format 
explicitly for the MacOS versions 8.5 and above?
i have 3 macs that needs CA's loaded.  if anyone has done 
this by all means give me the lowdown.
i really appreciate everyone's efforts in solving this major 
issue, one being the CEO!
 
thanks!
 
wally winzer jr.

RE: Remove passprase

[Robbert Hardin]

Hello Adriano

The keypair was generated by a former employee and we can't find the pass
phrase. Fortunately it is only used once in our intranet. 

Thanx, Robbert

> -Original Message-
> Subject: Re: Remove passprase
> What is your problem..? perhaps you can't open the PEM file? 
> even if you
> purchase thecorrect  passphrase?
> 
> Regards, Adriano
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Remove passprase

[Adriano Devillaine]

What is your problem..? perhaps you can't open the PEM file? even if you
purchase thecorrect  passphrase?

Regards, Adriano

El vie, 25-10-2002 a las 10:45, Rabellino Sergio escribió:
> Robbert Hardin wrote:
> > 
> > Hello Bruno
> > 
> > I tried, but it doesn't work:
> > 
> > # openssl rsa -in cakey.pem -out canokey.pem
> > read RSA key
> > Enter PEM pass phrase:
> > unable to load key
> > 15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
> > decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp
> > _enc.c:277:
> > 15251:error:0906A065:PEM routines:PEM_do_header:bad
> > decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem
> > _lib.c:452:
> > #
> > 
> > I forgot to tell you I lost the pass phrase, which is why I wanted to change
> > it. Sorry.
> > 
> > Let me rephrase my question:
> > Is it possible to remove or change a PEM pass phrase on keypair.pem
> > generated with openssl if you don't have the PEM pass phrase?
> > 
> > Cheers, Robbert
> Only by brute force, I suppose, or everything we do is not security 
> -- 
> Dott. Sergio Rabellino 
> 
>  Technical Staff
>  Department of Computer Science
>  University of Torino (Italy)
>  Member of the Internet Society
> 
> http://www.di.unito.it/~rabser
> Tel. +39-0116706701
> Fax. +39-011751603
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Remove passprase

[Bruno Mattarollo]

Hi Robbert!

Unfortunately you will have to generate a new key I guess, unless you can break
it ... :(

Cheers

/B

On Fri, 25 Oct 2002, Robbert Hardin wrote:

> Hello Bruno 
> 
> I tried, but it doesn't work:
> 
> # openssl rsa -in cakey.pem -out canokey.pem
> read RSA key
> Enter PEM pass phrase:
> unable to load key
> 15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
> decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp
> _enc.c:277:
> 15251:error:0906A065:PEM routines:PEM_do_header:bad
> decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem
> _lib.c:452:
> #
> 
> I forgot to tell you I lost the pass phrase, which is why I wanted to change
> it. Sorry. 
> 
> Let me rephrase my question:
> Is it possible to remove or change a PEM pass phrase on keypair.pem
> generated with openssl if you don't have the PEM pass phrase?
> 
> Cheers, Robbert
> 
> > -Original Message-
> > From: Bruno Mattarollo [mailto:bruno.mattarollo@;diala.greenpeace.org]
> > Sent: vrijdag 25 oktober 2002 15:26
> > To: [EMAIL PROTECTED]
> > Subject: Re: Remove passprase
> > 
> > 
> > Hi Robbert!
> > 
> > openssl rsa -in keyfile-with-passphrase.pem -out 
> > keyfile-without-passphrase.pem
> > 
> > IIRC.
> > Cheers
> > 
> > /B
> > 
> > On Fri, 25 Oct 2002, Robbert Hardin wrote:
> > 
> > > Hello All
> > > 
> > > Is it possible to remove or chagne a PEM pass phrase on keypair.pem
> > > generated with openssl?
> > > 
> > > Kind regards, Robbert
> > > 
> > __
> > > OpenSSL Project 
> > http://www.openssl.org
> > > User Support Mailing List
> > [EMAIL PROTECTED]
> > > Automated List Manager   
> > [EMAIL PROTECTED]
> > 
> > -- 
> > Bruno Mattarollo <[EMAIL PROTECTED]>
> > Systems Administrator & Greenpeace Planet project Technical Lead
> > Greenpeace [ http://www.greenpeace.org/ ]
> > __
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List[EMAIL PROTECTED]
> > Automated List Manager   [EMAIL PROTECTED]
> > 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

-- 
Bruno Mattarollo <[EMAIL PROTECTED]>
Systems Administrator & Greenpeace Planet project Technical Lead
Greenpeace [ http://www.greenpeace.org/ ]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Moving certificates

[Paul Ogden]

Hello,

We are getting ready to host an app that requires a complement of offsite
cold spare backup servers.  We are going to be testing the configuration of
the servers and our procedures for switching to cold spare in the event of a
catastrophic failure of the primary servers.

My question is - what do I do about the certificate/key for the web server?
Can I merely move the server cert and private key files from the production
web server to the spare web server ( which has been built and configured
identically to the production box )?  Or will this scenario require a second
certificate from the CA?

We have signed our own certs in the past for internal intranet use for
smaller hosted apps with just a few client connecting, but this is for a
rather large customer and there will be many clients connecting to the app
so we must go with Verisign or such.

Thanks,

Paul Ogden
Claresco Corporation
(510) 549-2290

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Remove passprase

[Dale]

> Let me rephrase my question:
> Is it possible to remove or change a PEM pass phrase on keypair.pem
> generated with openssl if you don't have the PEM pass phrase?

No, that's the point.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Remove passprase

[Tim Regovich]

Robbert,

only if you have can crack it.
Anyone have quantum computer laying around that can
help with this?

your best bet is to create a new key and start over.

Tim
--- Robbert Hardin <[EMAIL PROTECTED]> wrote:
> Hello Bruno 
> 
> I tried, but it doesn't work:
> 
> # openssl rsa -in cakey.pem -out canokey.pem
> read RSA key
> Enter PEM pass phrase:
> unable to load key
> 15251:error:06065064:digital envelope
> routines:EVP_DecryptFinal:bad
>
decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp
> _enc.c:277:
> 15251:error:0906A065:PEM routines:PEM_do_header:bad
>
decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem
> _lib.c:452:
> #
> 
> I forgot to tell you I lost the pass phrase, which
> is why I wanted to change
> it. Sorry. 
> 
> Let me rephrase my question:
> Is it possible to remove or change a PEM pass phrase
> on keypair.pem
> generated with openssl if you don't have the PEM
> pass phrase?
> 
> Cheers, Robbert
> 
> > -Original Message-
> > From: Bruno Mattarollo
> [mailto:bruno.mattarollo@;diala.greenpeace.org]
> > Sent: vrijdag 25 oktober 2002 15:26
> > To: [EMAIL PROTECTED]
> > Subject: Re: Remove passprase
> > 
> > 
> > Hi Robbert!
> > 
> > openssl rsa -in keyfile-with-passphrase.pem -out 
> > keyfile-without-passphrase.pem
> > 
> > IIRC.
> > Cheers
> > 
> > /B
> > 
> > On Fri, 25 Oct 2002, Robbert Hardin wrote:
> > 
> > > Hello All
> > > 
> > > Is it possible to remove or chagne a PEM pass
> phrase on keypair.pem
> > > generated with openssl?
> > > 
> > > Kind regards, Robbert
> > > 
> >
>
__
> > > OpenSSL Project 
> > http://www.openssl.org
> > > User Support Mailing List
> > [EMAIL PROTECTED]
> > > Automated List Manager  
> 
> > [EMAIL PROTECTED]
> > 
> > -- 
> > Bruno Mattarollo
> <[EMAIL PROTECTED]>
> > Systems Administrator & Greenpeace Planet project
> Technical Lead
> > Greenpeace [ http://www.greenpeace.org/ ]
> >
>
__
> > OpenSSL Project
> http://www.openssl.org
> > User Support Mailing List   
> [EMAIL PROTECTED]
> > Automated List Manager  
> [EMAIL PROTECTED]
> > 
>
__
> OpenSSL Project
> http://www.openssl.org
> User Support Mailing List   
> [EMAIL PROTECTED]
> Automated List Manager  
[EMAIL PROTECTED]


__
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Remove passprase

[Christian Hohnstaedt]

http://www.openssl.org/docs/apps/rsa.html

On Fri, Oct 25, 2002 at 03:16:10PM +0200, Robbert Hardin wrote:
> Hello All
> 
> Is it possible to remove or chagne a PEM pass phrase on keypair.pem
> generated with openssl?
> 
> Kind regards, Robbert
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Remove passprase

[Rabellino Sergio]

Robbert Hardin wrote:
> 
> Hello Bruno
> 
> I tried, but it doesn't work:
> 
> # openssl rsa -in cakey.pem -out canokey.pem
> read RSA key
> Enter PEM pass phrase:
> unable to load key
> 15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
> decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp
> _enc.c:277:
> 15251:error:0906A065:PEM routines:PEM_do_header:bad
> decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem
> _lib.c:452:
> #
> 
> I forgot to tell you I lost the pass phrase, which is why I wanted to change
> it. Sorry.
> 
> Let me rephrase my question:
> Is it possible to remove or change a PEM pass phrase on keypair.pem
> generated with openssl if you don't have the PEM pass phrase?
> 
> Cheers, Robbert
Only by brute force, I suppose, or everything we do is not security 
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Remove passprase

[Robbert Hardin]

Hello Bruno 

I tried, but it doesn't work:

# openssl rsa -in cakey.pem -out canokey.pem
read RSA key
Enter PEM pass phrase:
unable to load key
15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp
_enc.c:277:
15251:error:0906A065:PEM routines:PEM_do_header:bad
decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem
_lib.c:452:
#

I forgot to tell you I lost the pass phrase, which is why I wanted to change
it. Sorry. 

Let me rephrase my question:
Is it possible to remove or change a PEM pass phrase on keypair.pem
generated with openssl if you don't have the PEM pass phrase?

Cheers, Robbert

> -Original Message-
> From: Bruno Mattarollo [mailto:bruno.mattarollo@;diala.greenpeace.org]
> Sent: vrijdag 25 oktober 2002 15:26
> To: [EMAIL PROTECTED]
> Subject: Re: Remove passprase
> 
> 
> Hi Robbert!
> 
> openssl rsa -in keyfile-with-passphrase.pem -out 
> keyfile-without-passphrase.pem
> 
> IIRC.
> Cheers
> 
> /B
> 
> On Fri, 25 Oct 2002, Robbert Hardin wrote:
> 
> > Hello All
> > 
> > Is it possible to remove or chagne a PEM pass phrase on keypair.pem
> > generated with openssl?
> > 
> > Kind regards, Robbert
> > 
> __
> > OpenSSL Project 
> http://www.openssl.org
> > User Support Mailing List
> [EMAIL PROTECTED]
> > Automated List Manager   
> [EMAIL PROTECTED]
> 
> -- 
> Bruno Mattarollo <[EMAIL PROTECTED]>
> Systems Administrator & Greenpeace Planet project Technical Lead
> Greenpeace [ http://www.greenpeace.org/ ]
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
> 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Remove passprase

[Tim Regovich]

Robert,

try :

openssl rsa -in private-key -out
private-key.no-passphrase

be very careful with this though.  ANyone who gets his
hands on priviate-key.no-passphrase can more easily
spoof you, so if you have this on an nfs shared mount,
or you are accessing the file via any non secure
method, anyone on your network now has potential
access to it.

Regards,

Tim
--- Robbert Hardin <[EMAIL PROTECTED]> wrote:
> Hello All
> 
> Is it possible to remove or chagne a PEM pass phrase
> on keypair.pem
> generated with openssl?
> 
> Kind regards, Robbert
>
__
> OpenSSL Project
> http://www.openssl.org
> User Support Mailing List   
> [EMAIL PROTECTED]
> Automated List Manager  
[EMAIL PROTECTED]


__
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Remove passprase

[Bruno Mattarollo]

Hi Robbert!

openssl rsa -in keyfile-with-passphrase.pem -out keyfile-without-passphrase.pem

IIRC.
Cheers

/B

On Fri, 25 Oct 2002, Robbert Hardin wrote:

> Hello All
> 
> Is it possible to remove or chagne a PEM pass phrase on keypair.pem
> generated with openssl?
> 
> Kind regards, Robbert
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]

-- 
Bruno Mattarollo <[EMAIL PROTECTED]>
Systems Administrator & Greenpeace Planet project Technical Lead
Greenpeace [ http://www.greenpeace.org/ ]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Remove passprase

[Robbert Hardin]

Hello All

Is it possible to remove or chagne a PEM pass phrase on keypair.pem
generated with openssl?

Kind regards, Robbert
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

R: PKCS12_parse problem

[Marco Donati]

Well... the application is actually an intermediate library, so every 
''cryptographic'' operation is enclosed between
OpenSSL_add_all_algorithms()...EVP_cleanup() calls.

There are no OpenSSL_add_all_algorithms() calls without the final EVP_cleanup() and 
vice versa, there are no EVP_cleanup() calls without the initial 
OpenSSL_add_all_algorithms().

Are you saying that this is not enough and that the library should call 
OpenSSL_add_all_algorithms()...EVP_cleanup() only ONCE ?
This could be  not straightforward

Thanks in advance


> -Messaggio originale-
> Da: Dr. Stephen Henson [mailto:steve@;openssl.org] 
> Inviato: mercoledì 23 ottobre 2002 18.14
> A: [EMAIL PROTECTED]
> Oggetto: Re: PKCS12_parse problem
> 
> 
> On Wed, Oct 23, 2002, Marco Donati wrote:
> 
> > Adding OpenSSL_add_all_ciphers() or 
> OpenSSL_add_all_digests() doesn't help.
> > 
> > If we comment out the OpenSSL_add_all_algorithms() call, we 
> get the ''correct'' error:
> > 
> > <<
> > 5257:error:2306B076:PKCS12 routines:PKCS12_gen_mac:unknown 
> digest algorithm:p12_mutl.c:80:
> > 5257:error:2307E06D:PKCS12 routines:VERIFY_MAC:mac 
> generation error:p12_mutl.c:105:
> > 5257:error:23076071:PKCS12 routines:PKCS12_parse:mac verify 
> failure:p12_kiss.c:121:
> > >>
> > 
> > If we put the OpenSSL_add_all_algorithms() back in the code 
> we get the ''unexplained'' error:
> > 
> > <<
> > 5637:error:2306B076:lib(35):func(107):reason(118):p12_mutl.c:80:
> > 5637:error:2307E06D:lib(35):func(126):reason(109):p12_mutl.c:105:
> > 5637:error:23076071:lib(35):func(118):reason(113):p12_kiss.c:121:
> > >>
> > 
> > Let me underline again some facts:
> > 
> > 1) the first call to PKCS12_parse is ok
> > 
> > 2) the PKCS12_parse calls starting from the second reports 
> the error above
> > 
> > 3) if we restart the application we have the same behavior 
> (first call OK, then errors)
> > 
> > 4) the error happens only with OpenSSL 0.9.6g, NOT with 
> OpenSSL 0.9.6c (we haven't tried intermediate versions)
> > 
> > 5) with openSSL 0.9.6g we get ''similar'' (related?) error 
> in calls like
> > 
> Are you calling EVP_cleanup() in between calls?
> 
> You should really only call OpenSSL_add_all_algorithms() once 
> on application
> startup and EVP_cleanup() when it shuts down.
> 
> Steve.
> --
> Dr. Stephen Henson  [EMAIL PROTECTED]
> OpenSSL Project http://www.openssl.org/~steve/
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
> 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[no subject]

[Richard Levitte - VMS Whacker]

In message <[EMAIL PROTECTED]> on Thu, 24 Oct 2002 
23:55:20 -0700, "Hara" <[EMAIL PROTECTED]> said:

hara> Is anyone tell me how I can stop this messages??

Are you running Apache with SSL on port 80?  The solution is to use
SSL on port 443 instead...

hara> I am using openssl-0.9.5a and apache1.3.22.
hara> 
hara> <>
hara> 
hara> [Thu Oct 24 23:32:48 2002] [error] SSL_accept failed
hara> [Thu Oct 24 23:32:48 2002] [error] error:1407609C:SSL
hara> routines:SSL23_GET_CLIENT_HELLO:http
hara>  request
hara> [Thu Oct 24 23:32:48 2002] [error] SSL_accept failed
hara> [Thu Oct 24 23:32:48 2002] [error] error:1407609C:SSL
hara> routines:SSL23_GET_CLIENT_HELLO:http
hara>  request
hara> [Thu Oct 24 23:32:49 2002] [error] SSL_accept failed
hara> [Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL
hara> routines:SSL23_GET_CLIENT_HELLO:http
hara>  request
hara> [Thu Oct 24 23:32:49 2002] [error] SSL_accept failed
hara> [Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL
hara> routines:SSL23_GET_CLIENT_HELLO:http
hara>  request
hara> [Thu Oct 24 23:32:49 2002] [error] SSL_accept failed
hara> [Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL
hara> routines:SSL23_GET_CLIENT_HELLO:http
hara>  request
hara> [Thu Oct 24 23:32:49 2002] [error] SSL_accept failed

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[no subject]

[Hara]

Hi
(B
(BIs anyone tell me how I can stop this messages??
(B
(BI am using openssl-0.9.5a and apache1.3.22.
(B
(B<>
(B
(B[Thu Oct 24 23:32:48 2002] [error] SSL_accept failed
(B[Thu Oct 24 23:32:48 2002] [error] error:1407609C:SSL
(Broutines:SSL23_GET_CLIENT_HELLO:http
(B request
(B[Thu Oct 24 23:32:48 2002] [error] SSL_accept failed
(B[Thu Oct 24 23:32:48 2002] [error] error:1407609C:SSL
(Broutines:SSL23_GET_CLIENT_HELLO:http
(B request
(B[Thu Oct 24 23:32:49 2002] [error] SSL_accept failed
(B[Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL
(Broutines:SSL23_GET_CLIENT_HELLO:http
(B request
(B[Thu Oct 24 23:32:49 2002] [error] SSL_accept failed
(B[Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL
(Broutines:SSL23_GET_CLIENT_HELLO:http
(B request
(B[Thu Oct 24 23:32:49 2002] [error] SSL_accept failed
(B[Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL
(Broutines:SSL23_GET_CLIENT_HELLO:http
(B request
(B[Thu Oct 24 23:32:49 2002] [error] SSL_accept failed
(B
(BThks  Hara
(B
(B__
(BOpenSSL Project http://www.openssl.org
(BUser Support Mailing List[EMAIL PROTECTED]
(BAutomated List Manager   [EMAIL PROTECTED]

Re: question about X.509 certs and subjectAltName

[Christian Hohnstaedt]

Hi,

The "DNS" refers to the configuration value in your openssl.cnf file
it is the name of the "conf-value"
e.g. 
subjectAltName = DNS:foo.bar.com, IP:10.11.12.13

also look at doc/openssl.txt

Greets

Christian


On Thu, Oct 24, 2002 at 11:57:42AM -0700, Edward Chan wrote:
> Hi there,
> 
> I'm looking at some code for doing post connection
> checks to make sure the DNS name specified in the
> certificate matches the host the client is trying to
> connect to.  The code is from Chapter 5 of "Network
> Security with OpenSSL".  
> 
> It looks like it first gets the subjectAltName field
> of the certificate, then tries to get the dNSName. 
> However, it specifies "DNS" instead of "dNSName".  Is
> this an error?  Should it be "DNS" or "dNSName".  And
> if I want to check for IP address, should I specify
> "iPAddress"?
> 
> The code is below. The line
> 
> if (!strcmp(nval->name, "DNS") && !strcmp(nval->value,
> host))
> 
> looks suspicious to me.
> 
> 
> long post_connection_check(SSL *ssl, char *host)
> {
> X509  *cert;
> X509_NAME *subj;
> char  data[256];
> int   extcount;
> int   ok = 0;
>  
> /* Checking the return from
> SSL_get_peer_certificate here is not strictly
>  * necessary.  With our example programs, it is
> not possible for it to return
>  * NULL.  However, it is good form to check the
> return since it can return NULL
>  * if the examples are modified to enable
> anonymous ciphers or for the server
>  * to not require a client certificate.
>  */
> if (!(cert = SSL_get_peer_certificate(ssl)) ||
> !host)
> goto err_occured;
> if ((extcount = X509_get_ext_count(cert)) > 0)
> {
> int i;
>  
> for (i = 0;  i < extcount;  i++)
> {
> char  *extstr;
> X509_EXTENSION*ext;
>  
> ext = X509_get_ext(cert, i);
> extstr =
> OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
>  
> if (!strcmp(extstr, "subjectAltName"))
> {
> int  j;
> unsigned char*data;
> STACK_OF(CONF_VALUE) *val;
> CONF_VALUE   *nval;
> X509V3_EXT_METHOD*meth;
>  
> if (!(meth = X509V3_EXT_get(ext)))
> break;
> data = ext->value->data;
>  
> val = meth->i2v(meth, 
> meth->d2i(NULL, &data,
> ext->value->length),
> NULL);
> for (j = 0;  j <
> sk_CONF_VALUE_num(val);  j++)
> {
> nval = sk_CONF_VALUE_value(val,
> j);
> if (!strcmp(nval->name, "DNS") &&
> !strcmp(nval->value, host))
> {
> ok = 1;
> break;
> }
> }
> }
> if (ok)
> break;
> }
> }
>  
> if (!ok && (subj = X509_get_subject_name(cert)) &&
> X509_NAME_get_text_by_NID(subj,
> NID_commonName, data, 256) > 0)
> {
> data[255] = 0;
> if (strcasecmp(data, host) != 0)
> goto err_occured;
> }
>  
> X509_free(cert);
> return SSL_get_verify_result(ssl);
>  
> err_occured:
> if (cert)
> X509_free(cert);
> return X509_V_ERR_APPLICATION_VERIFICATION;
> }
> 
> 
> 
> __
> Do you Yahoo!?
> Y! Web Hosting - Let the expert host your web site
> http://webhosting.yahoo.com/
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List[EMAIL PROTECTED]
> Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]