Re: question about X.509 certs and subjectAltName

[Christian Hohnstaedt]

Hi,

The DNS refers to the configuration value in your openssl.cnf file
it is the name of the conf-value
e.g. 
subjectAltName = DNS:foo.bar.com, IP:10.11.12.13

also look at doc/openssl.txt

Greets

Christian


On Thu, Oct 24, 2002 at 11:57:42AM -0700, Edward Chan wrote:
 Hi there,
 
 I'm looking at some code for doing post connection
 checks to make sure the DNS name specified in the
 certificate matches the host the client is trying to
 connect to.  The code is from Chapter 5 of Network
 Security with OpenSSL.  
 
 It looks like it first gets the subjectAltName field
 of the certificate, then tries to get the dNSName. 
 However, it specifies DNS instead of dNSName.  Is
 this an error?  Should it be DNS or dNSName.  And
 if I want to check for IP address, should I specify
 iPAddress?
 
 The code is below. The line
 
 if (!strcmp(nval-name, DNS)  !strcmp(nval-value,
 host))
 
 looks suspicious to me.
 
 
 long post_connection_check(SSL *ssl, char *host)
 {
 X509  *cert;
 X509_NAME *subj;
 char  data[256];
 int   extcount;
 int   ok = 0;
  
 /* Checking the return from
 SSL_get_peer_certificate here is not strictly
  * necessary.  With our example programs, it is
 not possible for it to return
  * NULL.  However, it is good form to check the
 return since it can return NULL
  * if the examples are modified to enable
 anonymous ciphers or for the server
  * to not require a client certificate.
  */
 if (!(cert = SSL_get_peer_certificate(ssl)) ||
 !host)
 goto err_occured;
 if ((extcount = X509_get_ext_count(cert))  0)
 {
 int i;
  
 for (i = 0;  i  extcount;  i++)
 {
 char  *extstr;
 X509_EXTENSION*ext;
  
 ext = X509_get_ext(cert, i);
 extstr =
 OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
  
 if (!strcmp(extstr, subjectAltName))
 {
 int  j;
 unsigned char*data;
 STACK_OF(CONF_VALUE) *val;
 CONF_VALUE   *nval;
 X509V3_EXT_METHOD*meth;
  
 if (!(meth = X509V3_EXT_get(ext)))
 break;
 data = ext-value-data;
  
 val = meth-i2v(meth, 
 meth-d2i(NULL, data,
 ext-value-length),
 NULL);
 for (j = 0;  j 
 sk_CONF_VALUE_num(val);  j++)
 {
 nval = sk_CONF_VALUE_value(val,
 j);
 if (!strcmp(nval-name, DNS) 
 !strcmp(nval-value, host))
 {
 ok = 1;
 break;
 }
 }
 }
 if (ok)
 break;
 }
 }
  
 if (!ok  (subj = X509_get_subject_name(cert)) 
 X509_NAME_get_text_by_NID(subj,
 NID_commonName, data, 256)  0)
 {
 data[255] = 0;
 if (strcasecmp(data, host) != 0)
 goto err_occured;
 }
  
 X509_free(cert);
 return SSL_get_verify_result(ssl);
  
 err_occured:
 if (cert)
 X509_free(cert);
 return X509_V_ERR_APPLICATION_VERIFICATION;
 }
 
 
 
 __
 Do you Yahoo!?
 Y! Web Hosting - Let the expert host your web site
 http://webhosting.yahoo.com/
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

[no subject]

[Hara]

Hi
(B
(BIs anyone tell me how I can stop this messages??
(B
(BI am using openssl-0.9.5a and apache1.3.22.
(B
(BError Logs
(B
(B[Thu Oct 24 23:32:48 2002] [error] SSL_accept failed
(B[Thu Oct 24 23:32:48 2002] [error] error:1407609C:SSL
(Broutines:SSL23_GET_CLIENT_HELLO:http
(B request
(B[Thu Oct 24 23:32:48 2002] [error] SSL_accept failed
(B[Thu Oct 24 23:32:48 2002] [error] error:1407609C:SSL
(Broutines:SSL23_GET_CLIENT_HELLO:http
(B request
(B[Thu Oct 24 23:32:49 2002] [error] SSL_accept failed
(B[Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL
(Broutines:SSL23_GET_CLIENT_HELLO:http
(B request
(B[Thu Oct 24 23:32:49 2002] [error] SSL_accept failed
(B[Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL
(Broutines:SSL23_GET_CLIENT_HELLO:http
(B request
(B[Thu Oct 24 23:32:49 2002] [error] SSL_accept failed
(B[Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL
(Broutines:SSL23_GET_CLIENT_HELLO:http
(B request
(B[Thu Oct 24 23:32:49 2002] [error] SSL_accept failed
(B
(BThks  Hara
(B
(B__
(BOpenSSL Project http://www.openssl.org
(BUser Support Mailing List[EMAIL PROTECTED]
(BAutomated List Manager   [EMAIL PROTECTED]

[no subject]

[Richard Levitte - VMS Whacker]

In message [EMAIL PROTECTED] on Thu, 24 Oct 2002 
23:55:20 -0700, Hara [EMAIL PROTECTED] said:

hara Is anyone tell me how I can stop this messages??

Are you running Apache with SSL on port 80?  The solution is to use
SSL on port 443 instead...

hara I am using openssl-0.9.5a and apache1.3.22.
hara 
hara Error Logs
hara 
hara [Thu Oct 24 23:32:48 2002] [error] SSL_accept failed
hara [Thu Oct 24 23:32:48 2002] [error] error:1407609C:SSL
hara routines:SSL23_GET_CLIENT_HELLO:http
hara  request
hara [Thu Oct 24 23:32:48 2002] [error] SSL_accept failed
hara [Thu Oct 24 23:32:48 2002] [error] error:1407609C:SSL
hara routines:SSL23_GET_CLIENT_HELLO:http
hara  request
hara [Thu Oct 24 23:32:49 2002] [error] SSL_accept failed
hara [Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL
hara routines:SSL23_GET_CLIENT_HELLO:http
hara  request
hara [Thu Oct 24 23:32:49 2002] [error] SSL_accept failed
hara [Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL
hara routines:SSL23_GET_CLIENT_HELLO:http
hara  request
hara [Thu Oct 24 23:32:49 2002] [error] SSL_accept failed
hara [Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL
hara routines:SSL23_GET_CLIENT_HELLO:http
hara  request
hara [Thu Oct 24 23:32:49 2002] [error] SSL_accept failed

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

R: PKCS12_parse problem

[Marco Donati]

Well... the application is actually an intermediate library, so every 
''cryptographic'' operation is enclosed between
OpenSSL_add_all_algorithms()...EVP_cleanup() calls.

There are no OpenSSL_add_all_algorithms() calls without the final EVP_cleanup() and 
vice versa, there are no EVP_cleanup() calls without the initial 
OpenSSL_add_all_algorithms().

Are you saying that this is not enough and that the library should call 
OpenSSL_add_all_algorithms()...EVP_cleanup() only ONCE ?
This could be  not straightforward

Thanks in advance


 -Messaggio originale-
 Da: Dr. Stephen Henson [mailto:steve;openssl.org] 
 Inviato: mercoledì 23 ottobre 2002 18.14
 A: [EMAIL PROTECTED]
 Oggetto: Re: PKCS12_parse problem
 
 
 On Wed, Oct 23, 2002, Marco Donati wrote:
 
  Adding OpenSSL_add_all_ciphers() or 
 OpenSSL_add_all_digests() doesn't help.
  
  If we comment out the OpenSSL_add_all_algorithms() call, we 
 get the ''correct'' error:
  
  
  5257:error:2306B076:PKCS12 routines:PKCS12_gen_mac:unknown 
 digest algorithm:p12_mutl.c:80:
  5257:error:2307E06D:PKCS12 routines:VERIFY_MAC:mac 
 generation error:p12_mutl.c:105:
  5257:error:23076071:PKCS12 routines:PKCS12_parse:mac verify 
 failure:p12_kiss.c:121:
  
  
  If we put the OpenSSL_add_all_algorithms() back in the code 
 we get the ''unexplained'' error:
  
  
  5637:error:2306B076:lib(35):func(107):reason(118):p12_mutl.c:80:
  5637:error:2307E06D:lib(35):func(126):reason(109):p12_mutl.c:105:
  5637:error:23076071:lib(35):func(118):reason(113):p12_kiss.c:121:
  
  
  Let me underline again some facts:
  
  1) the first call to PKCS12_parse is ok
  
  2) the PKCS12_parse calls starting from the second reports 
 the error above
  
  3) if we restart the application we have the same behavior 
 (first call OK, then errors)
  
  4) the error happens only with OpenSSL 0.9.6g, NOT with 
 OpenSSL 0.9.6c (we haven't tried intermediate versions)
  
  5) with openSSL 0.9.6g we get ''similar'' (related?) error 
 in calls like
  
 Are you calling EVP_cleanup() in between calls?
 
 You should really only call OpenSSL_add_all_algorithms() once 
 on application
 startup and EVP_cleanup() when it shuts down.
 
 Steve.
 --
 Dr. Stephen Henson  [EMAIL PROTECTED]
 OpenSSL Project http://www.openssl.org/~steve/
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Remove passprase

[Robbert Hardin]

Hello All

Is it possible to remove or chagne a PEM pass phrase on keypair.pem
generated with openssl?

Kind regards, Robbert
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Remove passprase

[Bruno Mattarollo]

Hi Robbert!

openssl rsa -in keyfile-with-passphrase.pem -out keyfile-without-passphrase.pem

IIRC.
Cheers

/B

On Fri, 25 Oct 2002, Robbert Hardin wrote:

 Hello All
 
 Is it possible to remove or chagne a PEM pass phrase on keypair.pem
 generated with openssl?
 
 Kind regards, Robbert
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]

-- 
Bruno Mattarollo [EMAIL PROTECTED]
Systems Administrator  Greenpeace Planet project Technical Lead
Greenpeace [ http://www.greenpeace.org/ ]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Remove passprase

[Robbert Hardin]

Hello Bruno 

I tried, but it doesn't work:

# openssl rsa -in cakey.pem -out canokey.pem
read RSA key
Enter PEM pass phrase:
unable to load key
15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp
_enc.c:277:
15251:error:0906A065:PEM routines:PEM_do_header:bad
decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem
_lib.c:452:
#

I forgot to tell you I lost the pass phrase, which is why I wanted to change
it. Sorry. 

Let me rephrase my question:
Is it possible to remove or change a PEM pass phrase on keypair.pem
generated with openssl if you don't have the PEM pass phrase?

Cheers, Robbert

 -Original Message-
 From: Bruno Mattarollo [mailto:bruno.mattarollo;diala.greenpeace.org]
 Sent: vrijdag 25 oktober 2002 15:26
 To: [EMAIL PROTECTED]
 Subject: Re: Remove passprase
 
 
 Hi Robbert!
 
 openssl rsa -in keyfile-with-passphrase.pem -out 
 keyfile-without-passphrase.pem
 
 IIRC.
 Cheers
 
 /B
 
 On Fri, 25 Oct 2002, Robbert Hardin wrote:
 
  Hello All
  
  Is it possible to remove or chagne a PEM pass phrase on keypair.pem
  generated with openssl?
  
  Kind regards, Robbert
  
 __
  OpenSSL Project 
 http://www.openssl.org
  User Support Mailing List
 [EMAIL PROTECTED]
  Automated List Manager   
 [EMAIL PROTECTED]
 
 -- 
 Bruno Mattarollo [EMAIL PROTECTED]
 Systems Administrator  Greenpeace Planet project Technical Lead
 Greenpeace [ http://www.greenpeace.org/ ]
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
 
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Remove passprase

[Rabellino Sergio]

Robbert Hardin wrote:
 
 Hello Bruno
 
 I tried, but it doesn't work:
 
 # openssl rsa -in cakey.pem -out canokey.pem
 read RSA key
 Enter PEM pass phrase:
 unable to load key
 15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
 decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp
 _enc.c:277:
 15251:error:0906A065:PEM routines:PEM_do_header:bad
 decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem
 _lib.c:452:
 #
 
 I forgot to tell you I lost the pass phrase, which is why I wanted to change
 it. Sorry.
 
 Let me rephrase my question:
 Is it possible to remove or change a PEM pass phrase on keypair.pem
 generated with openssl if you don't have the PEM pass phrase?
 
 Cheers, Robbert
Only by brute force, I suppose, or everything we do is not security 
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Remove passprase

[Christian Hohnstaedt]

http://www.openssl.org/docs/apps/rsa.html

On Fri, Oct 25, 2002 at 03:16:10PM +0200, Robbert Hardin wrote:
 Hello All
 
 Is it possible to remove or chagne a PEM pass phrase on keypair.pem
 generated with openssl?
 
 Kind regards, Robbert
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Remove passprase

[Tim Regovich]

Robbert,

only if you have can crack it.
Anyone have quantum computer laying around that can
help with this?

your best bet is to create a new key and start over.

Tim
--- Robbert Hardin [EMAIL PROTECTED] wrote:
 Hello Bruno 
 
 I tried, but it doesn't work:
 
 # openssl rsa -in cakey.pem -out canokey.pem
 read RSA key
 Enter PEM pass phrase:
 unable to load key
 15251:error:06065064:digital envelope
 routines:EVP_DecryptFinal:bad

decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp
 _enc.c:277:
 15251:error:0906A065:PEM routines:PEM_do_header:bad

decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem
 _lib.c:452:
 #
 
 I forgot to tell you I lost the pass phrase, which
 is why I wanted to change
 it. Sorry. 
 
 Let me rephrase my question:
 Is it possible to remove or change a PEM pass phrase
 on keypair.pem
 generated with openssl if you don't have the PEM
 pass phrase?
 
 Cheers, Robbert
 
  -Original Message-
  From: Bruno Mattarollo
 [mailto:bruno.mattarollo;diala.greenpeace.org]
  Sent: vrijdag 25 oktober 2002 15:26
  To: [EMAIL PROTECTED]
  Subject: Re: Remove passprase
  
  
  Hi Robbert!
  
  openssl rsa -in keyfile-with-passphrase.pem -out 
  keyfile-without-passphrase.pem
  
  IIRC.
  Cheers
  
  /B
  
  On Fri, 25 Oct 2002, Robbert Hardin wrote:
  
   Hello All
   
   Is it possible to remove or chagne a PEM pass
 phrase on keypair.pem
   generated with openssl?
   
   Kind regards, Robbert
   
 

__
   OpenSSL Project 
  http://www.openssl.org
   User Support Mailing List
  [EMAIL PROTECTED]
   Automated List Manager  
 
  [EMAIL PROTECTED]
  
  -- 
  Bruno Mattarollo
 [EMAIL PROTECTED]
  Systems Administrator  Greenpeace Planet project
 Technical Lead
  Greenpeace [ http://www.greenpeace.org/ ]
 

__
  OpenSSL Project
 http://www.openssl.org
  User Support Mailing List   
 [EMAIL PROTECTED]
  Automated List Manager  
 [EMAIL PROTECTED]
  

__
 OpenSSL Project
 http://www.openssl.org
 User Support Mailing List   
 [EMAIL PROTECTED]
 Automated List Manager  
[EMAIL PROTECTED]


__
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Remove passprase

[Dale]

 Let me rephrase my question:
 Is it possible to remove or change a PEM pass phrase on keypair.pem
 generated with openssl if you don't have the PEM pass phrase?

No, that's the point.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Moving certificates

[Paul Ogden]

Hello,

We are getting ready to host an app that requires a complement of offsite
cold spare backup servers.  We are going to be testing the configuration of
the servers and our procedures for switching to cold spare in the event of a
catastrophic failure of the primary servers.

My question is - what do I do about the certificate/key for the web server?
Can I merely move the server cert and private key files from the production
web server to the spare web server ( which has been built and configured
identically to the production box )?  Or will this scenario require a second
certificate from the CA?

We have signed our own certs in the past for internal intranet use for
smaller hosted apps with just a few client connecting, but this is for a
rather large customer and there will be many clients connecting to the app
so we must go with Verisign or such.

Thanks,

Paul Ogden
Claresco Corporation
(510) 549-2290

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Remove passprase

[Bruno Mattarollo]

Hi Robbert!

Unfortunately you will have to generate a new key I guess, unless you can break
it ... :(

Cheers

/B

On Fri, 25 Oct 2002, Robbert Hardin wrote:

 Hello Bruno 
 
 I tried, but it doesn't work:
 
 # openssl rsa -in cakey.pem -out canokey.pem
 read RSA key
 Enter PEM pass phrase:
 unable to load key
 15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
 decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp
 _enc.c:277:
 15251:error:0906A065:PEM routines:PEM_do_header:bad
 decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem
 _lib.c:452:
 #
 
 I forgot to tell you I lost the pass phrase, which is why I wanted to change
 it. Sorry. 
 
 Let me rephrase my question:
 Is it possible to remove or change a PEM pass phrase on keypair.pem
 generated with openssl if you don't have the PEM pass phrase?
 
 Cheers, Robbert
 
  -Original Message-
  From: Bruno Mattarollo [mailto:bruno.mattarollo;diala.greenpeace.org]
  Sent: vrijdag 25 oktober 2002 15:26
  To: [EMAIL PROTECTED]
  Subject: Re: Remove passprase
  
  
  Hi Robbert!
  
  openssl rsa -in keyfile-with-passphrase.pem -out 
  keyfile-without-passphrase.pem
  
  IIRC.
  Cheers
  
  /B
  
  On Fri, 25 Oct 2002, Robbert Hardin wrote:
  
   Hello All
   
   Is it possible to remove or chagne a PEM pass phrase on keypair.pem
   generated with openssl?
   
   Kind regards, Robbert
   
  __
   OpenSSL Project 
  http://www.openssl.org
   User Support Mailing List
  [EMAIL PROTECTED]
   Automated List Manager   
  [EMAIL PROTECTED]
  
  -- 
  Bruno Mattarollo [EMAIL PROTECTED]
  Systems Administrator  Greenpeace Planet project Technical Lead
  Greenpeace [ http://www.greenpeace.org/ ]
  __
  OpenSSL Project http://www.openssl.org
  User Support Mailing List[EMAIL PROTECTED]
  Automated List Manager   [EMAIL PROTECTED]
  
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]

-- 
Bruno Mattarollo [EMAIL PROTECTED]
Systems Administrator  Greenpeace Planet project Technical Lead
Greenpeace [ http://www.greenpeace.org/ ]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Remove passprase

[Adriano Devillaine]

What is your problem..? perhaps you can't open the PEM file? even if you
purchase thecorrect  passphrase?

Regards, Adriano

El vie, 25-10-2002 a las 10:45, Rabellino Sergio escribió:
 Robbert Hardin wrote:
  
  Hello Bruno
  
  I tried, but it doesn't work:
  
  # openssl rsa -in cakey.pem -out canokey.pem
  read RSA key
  Enter PEM pass phrase:
  unable to load key
  15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
  decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp
  _enc.c:277:
  15251:error:0906A065:PEM routines:PEM_do_header:bad
  decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem
  _lib.c:452:
  #
  
  I forgot to tell you I lost the pass phrase, which is why I wanted to change
  it. Sorry.
  
  Let me rephrase my question:
  Is it possible to remove or change a PEM pass phrase on keypair.pem
  generated with openssl if you don't have the PEM pass phrase?
  
  Cheers, Robbert
 Only by brute force, I suppose, or everything we do is not security 
 -- 
 Dott. Sergio Rabellino 
 
  Technical Staff
  Department of Computer Science
  University of Torino (Italy)
  Member of the Internet Society
 
 http://www.di.unito.it/~rabser
 Tel. +39-0116706701
 Fax. +39-011751603
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Remove passprase

[Robbert Hardin]

Hello Adriano

The keypair was generated by a former employee and we can't find the pass
phrase. Fortunately it is only used once in our intranet. 

Thanx, Robbert

 -Original Message-
 Subject: Re: Remove passprase
 What is your problem..? perhaps you can't open the PEM file? 
 even if you
 purchase thecorrect  passphrase?
 
 Regards, Adriano
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Converting PEM file to PKCS12 or PFX for the MacOS (Not Mac OSx)...

[Auteria Wally Winzer Jr.]

has anyone converted pem files into pkcs12, pfx, or der format 
explicitly for the MacOS versions 8.5 and above?
i have 3 macs that needs CA's loaded. if anyone has done 
this by all means give me the lowdown.
i really appreciate everyone's efforts in solving this major 
issue, one being the CEO!

thanks!

wally winzer jr.

Threading model constraint?

[Dick . Bridges]

I'm retrofitting an existing program to use [OpenSSL?] TLS between nodes.
Most of my info comes from reading Network Security with OpenSSL and
lurking on this list.  I don't have the time right now to grok the code,
hence this request.

Our app uses a leader-follower thread pattern (e.g., Pattern-Oriented
Software Architecture, Schmidt, et al) which means that any given
connection event will be serviced by selecting from a threadpool.  My
reading suggests that OpenSSL is built around a thread-per-connection
orientation.  On the other hand, I think I remember reading that OpenSSL
does not use thread local storage so I thought we should be able to work
around that since we can get to the BIO's underlying fd.  Then I read that
error state was maintained by thread id.  %-[

Can someone clarify this for me:  does OpenSSL depend upon
one-thread-per-connection or can it be used in the context of other
threading models?

TIA

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

automatic password entry with the dgst command

[Richard Andrus]

I've used openssl off and on for about a 18 months now, but I'm definitely

an OpenSSL beginner.

I'm digitally signing some documents like this :

openssl dgst -md5 -binary -sign privkey.pem -out sig.bin testdoc.txt
or alternatively
openssl md5 -binary -sign privkey.pem -out sig.bin testdoc.txt

When I do this, I get the 
"Enter PEM pass phrase:" 
prompt, and must interactively give the password
which decrypts the private key in the PEM file in 
order to calculate the signature.

I would like to give the password to this command non-interactively.
Other commands in openssl have options like "passin" or "pass" which
enable this functionality. Unfortunately "dgst" doesn't have this option.

After searching the archives of this list, I found some posts which 
made me think I could do it with the "echo" command and a pipe.

I tried some things like this :

echo mypassword | openssl md5 -sign privkey.pem -out sig.bin testdoc.txt

echo -n -e mypassword\r\n | openssl md5 -sign privkey.pem -out sig.bin testdoc.txt

echo -n -e \r\nmypassword\r\n | openssl md5 -sign privkey.pem -out sig.bin
testdoc.txt 
openssl md5 -sign -privkey.pem -out sig.bin testdoc.txt  echo mypassword
openssl md5 -sign -privkey.pem -out sig.bin testdoc.txt | echo mypassword

but none of them works.

After trying a lot more variations than these, it seems like it is 
an "order of argument" processing problem.

I'm running OpenSSL under Cygwin on Windows2000 - but I am using 
the unix-like version of "echo". Does the OS have an impact on how 
arguments are processed ?

The only other think I can think of doing is calculating the plain 
hashes in a first pass, and then using "enc" to encrypt them in another 
pass. What encryption algorithm is used when MD5 does a signing ?
I would really rather do it in one step, if possible.

Any suggestions for how to avoid the interactive password entry ?

Thanks
Richard



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Moving certificates

[Perry The Cynic]

The server certificate contains the DNS name of the server host. If your
spares are meant to run with the same DNS name as the primary server, then
you can simply use the same certificate. This applies whether they are
cold spares that use the same IP address, or whether your servers' DNS
name is a rator DNS that names multiple servers' IP addresses.

(The converse is also true: if you have multiple DNS names pointing to the
same server, you need separate certificates for them.)

If your spares run at different DNS host names, you need separate
certificates. But then they're not really (ready-to-run) spares, are they?

If you do find yourself in a situation where you need certificates for
many different servers each with their own DNS name, you may want to get a
signing certificate (from Verisign or someone else) and use it to sign
your own set of server certs.

Cheers
  -- perry

On Fri, Oct 25, 2002 at 06:54:52AM -0700, Paul Ogden wrote:
 Hello,
 
 We are getting ready to host an app that requires a complement of offsite
 cold spare backup servers.  We are going to be testing the configuration of
 the servers and our procedures for switching to cold spare in the event of a
 catastrophic failure of the primary servers.
 
 My question is - what do I do about the certificate/key for the web server?
 Can I merely move the server cert and private key files from the production
 web server to the spare web server ( which has been built and configured
 identically to the production box )?  Or will this scenario require a second
 certificate from the CA?
 
 We have signed our own certs in the past for internal intranet use for
 smaller hosted apps with just a few client connecting, but this is for a
 rather large customer and there will be many clients connecting to the app
 so we must go with Verisign or such.
 
 Thanks,
 
 Paul Ogden
 Claresco Corporation
 (510) 549-2290
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
---
Perry The Cynic [EMAIL PROTECTED]
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
---
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Threading model constraint?

[David Schwartz]

On Fri, 25 Oct 2002 09:19:51 -0700, [EMAIL PROTECTED] wrote:

Our app uses a leader-follower thread pattern (e.g., Pattern-Oriented
Software Architecture, Schmidt, et al) which means that any given
connection event will be serviced by selecting from a threadpool.  My
reading suggests that OpenSSL is built around a thread-per-connection
orientation.  On the other hand, I think I remember reading that OpenSSL
does not use thread local storage so I thought we should be able to work
around that since we can get to the BIO's underlying fd.  Then I read that
error state was maintained by thread id.  %-[

Can someone clarify this for me:  does OpenSSL depend upon
one-thread-per-connection or can it be used in the context of other
threading models?

Use bio pairs and don't let the OpenSSL ilbrary ever touch a file 
descriptor. You can then do the threading any way you want. The only 
exception is that you can't run the OpenSSL data pump in both directions for 
the same connection.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

friendlyName

[Eric Weitzman]

Is it possible to add a friendlyName to a .pem certificate using
either the config file or a friendlyName key in the distinguished
name?

The only way that I've been able to make a certificate such that
Microsoft's Certificate Manager recognizes the friendlyName on import
is to encrypt the certificate using openssl pkcs12 with the -name
friendlyname option.

Thanks,
- Eric


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

oids, attributes (doc pointers)

[Eric Weitzman]

Would someone be kind enough to direct me to sources of information on:

1) creating new oids that don't conflict with existing oids
2) creating new attributes in certificates that can hold arbitrary values

Thanks,
- Eric


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Moving certificates

[Paul Ogden]

Perry,
Thanks for the response.  That is what we were hoping for.  Yes, they are
truly meant to be cold-spares, i.e. database moves, dns moves, etc.  The
spares will run at a different location, as thus will have different IPs,
but dns will be transferred to those ips as part of moving to the
cold-spares, should the need arise.

Paul Ogden
Claresco Corporation
(510) 549-2290

-Original Message-
From: [EMAIL PROTECTED]
[mailto:owner-openssl-users;openssl.org]On Behalf Of Perry The Cynic
Sent: Friday, October 25, 2002 10:19
To: [EMAIL PROTECTED]
Subject: Re: Moving certificates


The server certificate contains the DNS name of the server host. If your
spares are meant to run with the same DNS name as the primary server, then
you can simply use the same certificate. This applies whether they are
cold spares that use the same IP address, or whether your servers' DNS
name is a rator DNS that names multiple servers' IP addresses.

(The converse is also true: if you have multiple DNS names pointing to the
same server, you need separate certificates for them.)

If your spares run at different DNS host names, you need separate
certificates. But then they're not really (ready-to-run) spares, are they?

If you do find yourself in a situation where you need certificates for
many different servers each with their own DNS name, you may want to get a
signing certificate (from Verisign or someone else) and use it to sign
your own set of server certs.

Cheers
  -- perry

On Fri, Oct 25, 2002 at 06:54:52AM -0700, Paul Ogden wrote:
 Hello,

 We are getting ready to host an app that requires a complement of offsite
 cold spare backup servers.  We are going to be testing the configuration
of
 the servers and our procedures for switching to cold spare in the event of
a
 catastrophic failure of the primary servers.

 My question is - what do I do about the certificate/key for the web
server?
 Can I merely move the server cert and private key files from the
production
 web server to the spare web server ( which has been built and configured
 identically to the production box )?  Or will this scenario require a
second
 certificate from the CA?

 We have signed our own certs in the past for internal intranet use for
 smaller hosted apps with just a few client connecting, but this is for a
 rather large customer and there will be many clients connecting to the app
 so we must go with Verisign or such.

 Thanks,

 Paul Ogden
 Claresco Corporation
 (510) 549-2290

 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
---
Perry The Cynic [EMAIL PROTECTED]
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
---
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: question about X.509 certs and subjectAltName

[Edward Chan]

Sorry if I'm being dumb...but what if the certificate
was not generated using OpenSSL?  Do I still access
this field of of subjectAltName by getting DNS?  Is
DNS OpenSSL specific?



Ed

--- Christian Hohnstaedt [EMAIL PROTECTED]
wrote:
 Hi,
 
 The DNS refers to the configuration value in your
 openssl.cnf file
 it is the name of the conf-value
 e.g. 
 subjectAltName = DNS:foo.bar.com, IP:10.11.12.13
 
 also look at doc/openssl.txt
 
 Greets
 
 Christian
 
 
 On Thu, Oct 24, 2002 at 11:57:42AM -0700, Edward
 Chan wrote:
  Hi there,
  
  I'm looking at some code for doing post connection
  checks to make sure the DNS name specified in the
  certificate matches the host the client is trying
 to
  connect to.  The code is from Chapter 5 of
 Network
  Security with OpenSSL.  
  
  It looks like it first gets the subjectAltName
 field
  of the certificate, then tries to get the dNSName.
 
  However, it specifies DNS instead of dNSName. 
 Is
  this an error?  Should it be DNS or dNSName. 
 And
  if I want to check for IP address, should I
 specify
  iPAddress?
  
  The code is below. The line
  
  if (!strcmp(nval-name, DNS) 
 !strcmp(nval-value,
  host))
  
  looks suspicious to me.
  
  
  long post_connection_check(SSL *ssl, char *host)
  {
  X509  *cert;
  X509_NAME *subj;
  char  data[256];
  int   extcount;
  int   ok = 0;
   
  /* Checking the return from
  SSL_get_peer_certificate here is not strictly
   * necessary.  With our example programs, it
 is
  not possible for it to return
   * NULL.  However, it is good form to check
 the
  return since it can return NULL
   * if the examples are modified to enable
  anonymous ciphers or for the server
   * to not require a client certificate.
   */
  if (!(cert = SSL_get_peer_certificate(ssl)) ||
  !host)
  goto err_occured;
  if ((extcount = X509_get_ext_count(cert))  0)
  {
  int i;
   
  for (i = 0;  i  extcount;  i++)
  {
  char  *extstr;
  X509_EXTENSION*ext;
   
  ext = X509_get_ext(cert, i);
  extstr =
 

OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
   
  if (!strcmp(extstr, subjectAltName))
  {
  int  j;
  unsigned char*data;
  STACK_OF(CONF_VALUE) *val;
  CONF_VALUE   *nval;
  X509V3_EXT_METHOD*meth;
   
  if (!(meth = X509V3_EXT_get(ext)))
  break;
  data = ext-value-data;
   
  val = meth-i2v(meth, 
  meth-d2i(NULL,
 data,
  ext-value-length),
  NULL);
  for (j = 0;  j 
  sk_CONF_VALUE_num(val);  j++)
  {
  nval =
 sk_CONF_VALUE_value(val,
  j);
  if (!strcmp(nval-name, DNS)
 
  !strcmp(nval-value, host))
  {
  ok = 1;
  break;
  }
  }
  }
  if (ok)
  break;
  }
  }
   
  if (!ok  (subj =
 X509_get_subject_name(cert)) 
  X509_NAME_get_text_by_NID(subj,
  NID_commonName, data, 256)  0)
  {
  data[255] = 0;
  if (strcasecmp(data, host) != 0)
  goto err_occured;
  }
   
  X509_free(cert);
  return SSL_get_verify_result(ssl);
   
  err_occured:
  if (cert)
  X509_free(cert);
  return X509_V_ERR_APPLICATION_VERIFICATION;
  }
  
  
  
  __
  Do you Yahoo!?
  Y! Web Hosting - Let the expert host your web site
  http://webhosting.yahoo.com/
 

__
  OpenSSL Project
 http://www.openssl.org
  User Support Mailing List   
 [EMAIL PROTECTED]
  Automated List Manager  
 [EMAIL PROTECTED]

__
 OpenSSL Project
 http://www.openssl.org
 User Support Mailing List   
 [EMAIL PROTECTED]
 Automated List Manager  
[EMAIL PROTECTED]


__
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: question about X.509 certs and subjectAltName

[Edward Chan]

Yikes, thanks for the heads up.  When you say not
portable, do you mean with future versions of openssl,
or not portable across platforms?

Can you point me to some good examples of how to use
those X509 API's to do a post connection check?

Thanks,
Ed

--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
 On Thu, Oct 24, 2002, Edward Chan wrote:
 
  Hi there,
  
  I'm looking at some code for doing post connection
  checks to make sure the DNS name specified in the
  certificate matches the host the client is trying
 to
  connect to.  The code is from Chapter 5 of
 Network
  Security with OpenSSL.  
  
  It looks like it first gets the subjectAltName
 field
  of the certificate, then tries to get the dNSName.
 
  However, it specifies DNS instead of dNSName. 
 Is
  this an error?  Should it be DNS or dNSName. 
 And
  if I want to check for IP address, should I
 specify
  iPAddress?
  
  The code is below. The line
  
  if (!strcmp(nval-name, DNS) 
 !strcmp(nval-value,
  host))
  
  looks suspicious to me.
  
  
  long post_connection_check(SSL *ssl, char *host)
  {
  X509  *cert;
  X509_NAME *subj;
  char  data[256];
  int   extcount;
  int   ok = 0;
   
  /* Checking the return from
  SSL_get_peer_certificate here is not strictly
   * necessary.  With our example programs, it
 is
  not possible for it to return
   * NULL.  However, it is good form to check
 the
  return since it can return NULL
   * if the examples are modified to enable
  anonymous ciphers or for the server
   * to not require a client certificate.
   */
  if (!(cert = SSL_get_peer_certificate(ssl)) ||
  !host)
  goto err_occured;
  if ((extcount = X509_get_ext_count(cert))  0)
  {
  int i;
   
  for (i = 0;  i  extcount;  i++)
  {
  char  *extstr;
  X509_EXTENSION*ext;
   
  ext = X509_get_ext(cert, i);
  extstr =
 

OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext)));
   
  if (!strcmp(extstr, subjectAltName))
  {
  int  j;
  unsigned char*data;
  STACK_OF(CONF_VALUE) *val;
  CONF_VALUE   *nval;
  X509V3_EXT_METHOD*meth;
   
  if (!(meth = X509V3_EXT_get(ext)))
  break;
  data = ext-value-data;
   
  val = meth-i2v(meth, 
  meth-d2i(NULL,
 data,
  ext-value-length),
  NULL);
  for (j = 0;  j 
  sk_CONF_VALUE_num(val);  j++)
  {
  nval =
 sk_CONF_VALUE_value(val,
  j);
  if (!strcmp(nval-name, DNS)
 
  !strcmp(nval-value, host))
  {
  ok = 1;
  break;
  }
  }
  }
  if (ok)
  break;
  }
  }
   
  if (!ok  (subj =
 X509_get_subject_name(cert)) 
  X509_NAME_get_text_by_NID(subj,
  NID_commonName, data, 256)  0)
  {
  data[255] = 0;
  if (strcasecmp(data, host) != 0)
  goto err_occured;
  }
   
  X509_free(cert);
  return SSL_get_verify_result(ssl);
   
  err_occured:
  if (cert)
  X509_free(cert);
  return X509_V_ERR_APPLICATION_VERIFICATION;
  }
  
  
 One additional comment. I'd advise against using the
 technique above: it is
 non portable and not guaranteed to work on future
 versions of OpenSSL: in
 fact it wont work on 0.9.7.
 
 Steve.
 --
 Dr. Stephen Henson  [EMAIL PROTECTED]   
 
 OpenSSL Project
 http://www.openssl.org/~steve/

__
 OpenSSL Project
 http://www.openssl.org
 User Support Mailing List   
 [EMAIL PROTECTED]
 Automated List Manager  
[EMAIL PROTECTED]


__
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: oids, attributes (doc pointers)

[Markus Lorch]

Eric,

if you request a new OID branch for your organization 
you should be fine. This can be done at:
http://www.iana.org/cgi-bin/enterprise.pl


Markus

Markus Lorch
Doctoral Student in Computer Science
Virginia Tech
http://csgrad.cs.vt.edu/~mlorch

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:owner-openssl-users;openssl.org]On Behalf Of Eric Weitzman
 Sent: Friday, October 25, 2002 1:52 PM
 To: [EMAIL PROTECTED]
 Subject: oids, attributes (doc pointers)
 
 
 Would someone be kind enough to direct me to sources of information on:
 
 1) creating new oids that don't conflict with existing oids
 2) creating new attributes in certificates that can hold arbitrary values
 
 Thanks,
 - Eric
 
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List[EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Cert Extension conversition

[Scott Harris]

I have aCACertificate genereated from Microsoft CA and I was able to convert it to PEM format. It only has public key
Openssl:x509 -n xxx.cer -inform d -out xxx.pem
But I am unable to covert a private key (in .pfx)of the server certicate to PEM.
Any body knows how toconvert a .pfxin .PEM format.
Thats was I am looking for after converstion
---BEGIN ENCRYPTED PRIVATE KEY
-END ENCRYPTED PRIVATE KEY
I am just getting garballed and do not see this. Is this possible using OPENSSL or I need to look into other tools to do the conversition.


Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site

Re: Cert Extension conversition

[Richard Andrus]

use the command :

openssl pkcs12 -in xxx.pfx -out xxx.pem

By default, this will encrypt the private key with triple DES inside the 
PEM file.
It will first prompt you for the password used to protect the pfx back 
when it was
created, then it will prompt you for the password used to encrypt it in 
the PEM file.

Scott Harris wrote:

I have a CA Certificate genereated from Microsoft CA and I was able to 
convert it to PEM format. It only has public key

*Openssl:x509 -n xxx.cer -inform d -out xxx.pem*

 But I am unable to covert a private key (in .pfx) of the server 
certicate to PEM.

Any body knows how to convert a .pfx in .PEM format.

Thats was I am looking for after converstion

---BEGIN ENCRYPTED PRIVATE KEY

-END ENCRYPTED PRIVATE KEY

I am just getting garballed and do not see this. Is this possible 
using OPENSSL or I need to look into other tools to do the conversition.

 

 

 



Do you Yahoo!?
Y! Web Hosting http://webhosting.yahoo.com/%20 - Let the expert host 
your web site 



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Cert Extension conversition

[F Awan]

Thanks Richard!!! It worked.I was trying to figure it out for the past two days. I really appreciated.

Richard Andrus [EMAIL PROTECTED] wrote:
use the command :openssl pkcs12 -in xxx.pfx -out xxx.pemBy default, this will encrypt the private key with triple DES inside the PEM file.It will first prompt you for the password used to protect the pfx back when it wascreated, then it will prompt you for the password used to encrypt it in the PEM file.Scott Harris wrote: I have a CA Certificate genereated from Microsoft CA and I was able to  convert it to PEM format. It only has public key *Openssl:x509 -n xxx.cer -inform d -out xxx.pem* But I am unable to covert a private key (in .pfx) of the server  certicate to PEM. Any body knows how to convert a .pfx in .PEM format. Thats was I am looking for after converstion ---BEGIN ENCRYPTED PRIVATE KEY --!
 ---END ENCRYPTED PRIVATE KEY I am just getting garballed and do not see this. Is this possible  using OPENSSL or I need to look into other tools to do the conversition. Do you Yahoo!? Y! Web Hosting - Let the expert host  your web site __OpenSSL Project http://www.openssl.orgUser Support Mailing List [EMAIL PROTECTED]Automated List Manager [EMAIL PROTECTED]Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site

Re: R: PKCS12_parse problem

[Dr. Stephen Henson]

On Fri, Oct 25, 2002, Marco Donati wrote:

 Well... the application is actually an intermediate library, so every 
''cryptographic'' operation is enclosed between
 OpenSSL_add_all_algorithms()...EVP_cleanup() calls.
 
 There are no OpenSSL_add_all_algorithms() calls without the final EVP_cleanup() and 
vice versa, there are no EVP_cleanup() calls without the initial 
OpenSSL_add_all_algorithms().
 
 Are you saying that this is not enough and that the library should call 
OpenSSL_add_all_algorithms()...EVP_cleanup() only ONCE ?
 This could be  not straightforward
 

Well let me explain a bit...

OpenSSL has an internal global table of supported algorithms (digests and ciphers).
Certain operations such as PKCS12_parse() lookup digests and ciphers from this
table so if it can't find one it gives the error you are seeing.

Now addding and removing all ciphers whenever you use an OpenSSL command is
not really recommended, it will repeatedly rebuild the table and it is not
thread safe. One thread could access a partially complete table.

So ideally you should only build the table in a single threaded context before
calling any OpenSSL functions and clean it up only after no further calls will
be made.

However one added complication is that a change was made to OpenSSL 0.9.6g
which avoids a problem of duplicate calls to OpenSSL_add_all_algorithms()
creating duplicate table entries by only making the first call work. This
has a problem because EVP_cleanup() doesn't reset the flag so effectively
only the first call to OpenSSL_add_all_algorithms() works. This isn't what
earlier 0.9.6X did and this will be fixed for 0.9.6h. You can get the old
baheviour by deleting the relevant lines from OpenSSL_add_all_ciphers() and
OpenSSL_add_all_digest().

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: question about X.509 certs and subjectAltName

[Dr. Stephen Henson]

On Fri, Oct 25, 2002, Edward Chan wrote:

 Yikes, thanks for the heads up.  When you say not
 portable, do you mean with future versions of openssl,
 or not portable across platforms?
 

It wont work in future versions of OpenSSL. It wont in 0.9.7.

 Can you point me to some good examples of how to use
 those X509 API's to do a post connection check?
 

As I mentioned in my other message, check out X509_get1_email() which accesses
subjectAltName to retrieve email addresses. 

Also check the docs in doc/openssl.txt.

What you are want is fairly easily accomplished: all you really need to do is
to call X509_get_ext_d2i() using NID_subjectAltName and just look through the
returned stucture (which is STACK_OF(GENERAL_NAME) for the entries you want.

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: otherName and dNSName

[Dr. Stephen Henson]

On Thu, Oct 24, 2002, Andrea Vallorani wrote:

 hi
 
 I'd know if i can insert in the field subject alternative name both 'dNSName' and 
'other name' with DER code (DER: ..).
 I tried to do it, but when i see my certificate with other software, subject 
alternative name don't show up in clear-text but in hex code. I see this : ' other 
name: 1.3.6.1.4.1.311.25.1=0A1A010306. '
 It's possible to make use DER code or I must modify OpenSSL source code? 
 

You can use dNSName in a config file (see doc/openssl.txt).

For otherName the actual OID you use has to be understood by the other
software otherwise it will use some default operation to display the extension
which may just be to dump the DER encoding.

Steve.
--
Dr. Stephen Henson  [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]