Re: question about X.509 certs and subjectAltName
Hi, The DNS refers to the configuration value in your openssl.cnf file it is the name of the conf-value e.g. subjectAltName = DNS:foo.bar.com, IP:10.11.12.13 also look at doc/openssl.txt Greets Christian On Thu, Oct 24, 2002 at 11:57:42AM -0700, Edward Chan wrote: Hi there, I'm looking at some code for doing post connection checks to make sure the DNS name specified in the certificate matches the host the client is trying to connect to. The code is from Chapter 5 of Network Security with OpenSSL. It looks like it first gets the subjectAltName field of the certificate, then tries to get the dNSName. However, it specifies DNS instead of dNSName. Is this an error? Should it be DNS or dNSName. And if I want to check for IP address, should I specify iPAddress? The code is below. The line if (!strcmp(nval-name, DNS) !strcmp(nval-value, host)) looks suspicious to me. long post_connection_check(SSL *ssl, char *host) { X509 *cert; X509_NAME *subj; char data[256]; int extcount; int ok = 0; /* Checking the return from SSL_get_peer_certificate here is not strictly * necessary. With our example programs, it is not possible for it to return * NULL. However, it is good form to check the return since it can return NULL * if the examples are modified to enable anonymous ciphers or for the server * to not require a client certificate. */ if (!(cert = SSL_get_peer_certificate(ssl)) || !host) goto err_occured; if ((extcount = X509_get_ext_count(cert)) 0) { int i; for (i = 0; i extcount; i++) { char *extstr; X509_EXTENSION*ext; ext = X509_get_ext(cert, i); extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext))); if (!strcmp(extstr, subjectAltName)) { int j; unsigned char*data; STACK_OF(CONF_VALUE) *val; CONF_VALUE *nval; X509V3_EXT_METHOD*meth; if (!(meth = X509V3_EXT_get(ext))) break; data = ext-value-data; val = meth-i2v(meth, meth-d2i(NULL, data, ext-value-length), NULL); for (j = 0; j sk_CONF_VALUE_num(val); j++) { nval = sk_CONF_VALUE_value(val, j); if (!strcmp(nval-name, DNS) !strcmp(nval-value, host)) { ok = 1; break; } } } if (ok) break; } } if (!ok (subj = X509_get_subject_name(cert)) X509_NAME_get_text_by_NID(subj, NID_commonName, data, 256) 0) { data[255] = 0; if (strcasecmp(data, host) != 0) goto err_occured; } X509_free(cert); return SSL_get_verify_result(ssl); err_occured: if (cert) X509_free(cert); return X509_V_ERR_APPLICATION_VERIFICATION; } __ Do you Yahoo!? Y! Web Hosting - Let the expert host your web site http://webhosting.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[no subject]
Hi (B (BIs anyone tell me how I can stop this messages?? (B (BI am using openssl-0.9.5a and apache1.3.22. (B (BError Logs (B (B[Thu Oct 24 23:32:48 2002] [error] SSL_accept failed (B[Thu Oct 24 23:32:48 2002] [error] error:1407609C:SSL (Broutines:SSL23_GET_CLIENT_HELLO:http (B request (B[Thu Oct 24 23:32:48 2002] [error] SSL_accept failed (B[Thu Oct 24 23:32:48 2002] [error] error:1407609C:SSL (Broutines:SSL23_GET_CLIENT_HELLO:http (B request (B[Thu Oct 24 23:32:49 2002] [error] SSL_accept failed (B[Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL (Broutines:SSL23_GET_CLIENT_HELLO:http (B request (B[Thu Oct 24 23:32:49 2002] [error] SSL_accept failed (B[Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL (Broutines:SSL23_GET_CLIENT_HELLO:http (B request (B[Thu Oct 24 23:32:49 2002] [error] SSL_accept failed (B[Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL (Broutines:SSL23_GET_CLIENT_HELLO:http (B request (B[Thu Oct 24 23:32:49 2002] [error] SSL_accept failed (B (BThks Hara (B (B__ (BOpenSSL Project http://www.openssl.org (BUser Support Mailing List[EMAIL PROTECTED] (BAutomated List Manager [EMAIL PROTECTED]
[no subject]
In message [EMAIL PROTECTED] on Thu, 24 Oct 2002 23:55:20 -0700, Hara [EMAIL PROTECTED] said: hara Is anyone tell me how I can stop this messages?? Are you running Apache with SSL on port 80? The solution is to use SSL on port 443 instead... hara I am using openssl-0.9.5a and apache1.3.22. hara hara Error Logs hara hara [Thu Oct 24 23:32:48 2002] [error] SSL_accept failed hara [Thu Oct 24 23:32:48 2002] [error] error:1407609C:SSL hara routines:SSL23_GET_CLIENT_HELLO:http hara request hara [Thu Oct 24 23:32:48 2002] [error] SSL_accept failed hara [Thu Oct 24 23:32:48 2002] [error] error:1407609C:SSL hara routines:SSL23_GET_CLIENT_HELLO:http hara request hara [Thu Oct 24 23:32:49 2002] [error] SSL_accept failed hara [Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL hara routines:SSL23_GET_CLIENT_HELLO:http hara request hara [Thu Oct 24 23:32:49 2002] [error] SSL_accept failed hara [Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL hara routines:SSL23_GET_CLIENT_HELLO:http hara request hara [Thu Oct 24 23:32:49 2002] [error] SSL_accept failed hara [Thu Oct 24 23:32:49 2002] [error] error:1407609C:SSL hara routines:SSL23_GET_CLIENT_HELLO:http hara request hara [Thu Oct 24 23:32:49 2002] [error] SSL_accept failed -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
R: PKCS12_parse problem
Well... the application is actually an intermediate library, so every ''cryptographic'' operation is enclosed between OpenSSL_add_all_algorithms()...EVP_cleanup() calls. There are no OpenSSL_add_all_algorithms() calls without the final EVP_cleanup() and vice versa, there are no EVP_cleanup() calls without the initial OpenSSL_add_all_algorithms(). Are you saying that this is not enough and that the library should call OpenSSL_add_all_algorithms()...EVP_cleanup() only ONCE ? This could be not straightforward Thanks in advance -Messaggio originale- Da: Dr. Stephen Henson [mailto:steve;openssl.org] Inviato: mercoledì 23 ottobre 2002 18.14 A: [EMAIL PROTECTED] Oggetto: Re: PKCS12_parse problem On Wed, Oct 23, 2002, Marco Donati wrote: Adding OpenSSL_add_all_ciphers() or OpenSSL_add_all_digests() doesn't help. If we comment out the OpenSSL_add_all_algorithms() call, we get the ''correct'' error: 5257:error:2306B076:PKCS12 routines:PKCS12_gen_mac:unknown digest algorithm:p12_mutl.c:80: 5257:error:2307E06D:PKCS12 routines:VERIFY_MAC:mac generation error:p12_mutl.c:105: 5257:error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure:p12_kiss.c:121: If we put the OpenSSL_add_all_algorithms() back in the code we get the ''unexplained'' error: 5637:error:2306B076:lib(35):func(107):reason(118):p12_mutl.c:80: 5637:error:2307E06D:lib(35):func(126):reason(109):p12_mutl.c:105: 5637:error:23076071:lib(35):func(118):reason(113):p12_kiss.c:121: Let me underline again some facts: 1) the first call to PKCS12_parse is ok 2) the PKCS12_parse calls starting from the second reports the error above 3) if we restart the application we have the same behavior (first call OK, then errors) 4) the error happens only with OpenSSL 0.9.6g, NOT with OpenSSL 0.9.6c (we haven't tried intermediate versions) 5) with openSSL 0.9.6g we get ''similar'' (related?) error in calls like Are you calling EVP_cleanup() in between calls? You should really only call OpenSSL_add_all_algorithms() once on application startup and EVP_cleanup() when it shuts down. Steve. -- Dr. Stephen Henson [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~steve/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Remove passprase
Hello All Is it possible to remove or chagne a PEM pass phrase on keypair.pem generated with openssl? Kind regards, Robbert __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Remove passprase
Hi Robbert! openssl rsa -in keyfile-with-passphrase.pem -out keyfile-without-passphrase.pem IIRC. Cheers /B On Fri, 25 Oct 2002, Robbert Hardin wrote: Hello All Is it possible to remove or chagne a PEM pass phrase on keypair.pem generated with openssl? Kind regards, Robbert __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Bruno Mattarollo [EMAIL PROTECTED] Systems Administrator Greenpeace Planet project Technical Lead Greenpeace [ http://www.greenpeace.org/ ] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Remove passprase
Hello Bruno I tried, but it doesn't work: # openssl rsa -in cakey.pem -out canokey.pem read RSA key Enter PEM pass phrase: unable to load key 15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp _enc.c:277: 15251:error:0906A065:PEM routines:PEM_do_header:bad decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem _lib.c:452: # I forgot to tell you I lost the pass phrase, which is why I wanted to change it. Sorry. Let me rephrase my question: Is it possible to remove or change a PEM pass phrase on keypair.pem generated with openssl if you don't have the PEM pass phrase? Cheers, Robbert -Original Message- From: Bruno Mattarollo [mailto:bruno.mattarollo;diala.greenpeace.org] Sent: vrijdag 25 oktober 2002 15:26 To: [EMAIL PROTECTED] Subject: Re: Remove passprase Hi Robbert! openssl rsa -in keyfile-with-passphrase.pem -out keyfile-without-passphrase.pem IIRC. Cheers /B On Fri, 25 Oct 2002, Robbert Hardin wrote: Hello All Is it possible to remove or chagne a PEM pass phrase on keypair.pem generated with openssl? Kind regards, Robbert __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Bruno Mattarollo [EMAIL PROTECTED] Systems Administrator Greenpeace Planet project Technical Lead Greenpeace [ http://www.greenpeace.org/ ] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Remove passprase
Robbert Hardin wrote: Hello Bruno I tried, but it doesn't work: # openssl rsa -in cakey.pem -out canokey.pem read RSA key Enter PEM pass phrase: unable to load key 15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp _enc.c:277: 15251:error:0906A065:PEM routines:PEM_do_header:bad decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem _lib.c:452: # I forgot to tell you I lost the pass phrase, which is why I wanted to change it. Sorry. Let me rephrase my question: Is it possible to remove or change a PEM pass phrase on keypair.pem generated with openssl if you don't have the PEM pass phrase? Cheers, Robbert Only by brute force, I suppose, or everything we do is not security -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Remove passprase
http://www.openssl.org/docs/apps/rsa.html On Fri, Oct 25, 2002 at 03:16:10PM +0200, Robbert Hardin wrote: Hello All Is it possible to remove or chagne a PEM pass phrase on keypair.pem generated with openssl? Kind regards, Robbert __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Remove passprase
Robbert, only if you have can crack it. Anyone have quantum computer laying around that can help with this? your best bet is to create a new key and start over. Tim --- Robbert Hardin [EMAIL PROTECTED] wrote: Hello Bruno I tried, but it doesn't work: # openssl rsa -in cakey.pem -out canokey.pem read RSA key Enter PEM pass phrase: unable to load key 15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp _enc.c:277: 15251:error:0906A065:PEM routines:PEM_do_header:bad decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem _lib.c:452: # I forgot to tell you I lost the pass phrase, which is why I wanted to change it. Sorry. Let me rephrase my question: Is it possible to remove or change a PEM pass phrase on keypair.pem generated with openssl if you don't have the PEM pass phrase? Cheers, Robbert -Original Message- From: Bruno Mattarollo [mailto:bruno.mattarollo;diala.greenpeace.org] Sent: vrijdag 25 oktober 2002 15:26 To: [EMAIL PROTECTED] Subject: Re: Remove passprase Hi Robbert! openssl rsa -in keyfile-with-passphrase.pem -out keyfile-without-passphrase.pem IIRC. Cheers /B On Fri, 25 Oct 2002, Robbert Hardin wrote: Hello All Is it possible to remove or chagne a PEM pass phrase on keypair.pem generated with openssl? Kind regards, Robbert __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Bruno Mattarollo [EMAIL PROTECTED] Systems Administrator Greenpeace Planet project Technical Lead Greenpeace [ http://www.greenpeace.org/ ] __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Do you Yahoo!? Y! Web Hosting - Let the expert host your web site http://webhosting.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Remove passprase
Let me rephrase my question: Is it possible to remove or change a PEM pass phrase on keypair.pem generated with openssl if you don't have the PEM pass phrase? No, that's the point. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Moving certificates
Hello, We are getting ready to host an app that requires a complement of offsite cold spare backup servers. We are going to be testing the configuration of the servers and our procedures for switching to cold spare in the event of a catastrophic failure of the primary servers. My question is - what do I do about the certificate/key for the web server? Can I merely move the server cert and private key files from the production web server to the spare web server ( which has been built and configured identically to the production box )? Or will this scenario require a second certificate from the CA? We have signed our own certs in the past for internal intranet use for smaller hosted apps with just a few client connecting, but this is for a rather large customer and there will be many clients connecting to the app so we must go with Verisign or such. Thanks, Paul Ogden Claresco Corporation (510) 549-2290 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Remove passprase
Hi Robbert! Unfortunately you will have to generate a new key I guess, unless you can break it ... :( Cheers /B On Fri, 25 Oct 2002, Robbert Hardin wrote: Hello Bruno I tried, but it doesn't work: # openssl rsa -in cakey.pem -out canokey.pem read RSA key Enter PEM pass phrase: unable to load key 15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp _enc.c:277: 15251:error:0906A065:PEM routines:PEM_do_header:bad decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem _lib.c:452: # I forgot to tell you I lost the pass phrase, which is why I wanted to change it. Sorry. Let me rephrase my question: Is it possible to remove or change a PEM pass phrase on keypair.pem generated with openssl if you don't have the PEM pass phrase? Cheers, Robbert -Original Message- From: Bruno Mattarollo [mailto:bruno.mattarollo;diala.greenpeace.org] Sent: vrijdag 25 oktober 2002 15:26 To: [EMAIL PROTECTED] Subject: Re: Remove passprase Hi Robbert! openssl rsa -in keyfile-with-passphrase.pem -out keyfile-without-passphrase.pem IIRC. Cheers /B On Fri, 25 Oct 2002, Robbert Hardin wrote: Hello All Is it possible to remove or chagne a PEM pass phrase on keypair.pem generated with openssl? Kind regards, Robbert __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Bruno Mattarollo [EMAIL PROTECTED] Systems Administrator Greenpeace Planet project Technical Lead Greenpeace [ http://www.greenpeace.org/ ] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Bruno Mattarollo [EMAIL PROTECTED] Systems Administrator Greenpeace Planet project Technical Lead Greenpeace [ http://www.greenpeace.org/ ] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Remove passprase
What is your problem..? perhaps you can't open the PEM file? even if you purchase thecorrect passphrase? Regards, Adriano El vie, 25-10-2002 a las 10:45, Rabellino Sergio escribió: Robbert Hardin wrote: Hello Bruno I tried, but it doesn't work: # openssl rsa -in cakey.pem -out canokey.pem read RSA key Enter PEM pass phrase: unable to load key 15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp _enc.c:277: 15251:error:0906A065:PEM routines:PEM_do_header:bad decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem _lib.c:452: # I forgot to tell you I lost the pass phrase, which is why I wanted to change it. Sorry. Let me rephrase my question: Is it possible to remove or change a PEM pass phrase on keypair.pem generated with openssl if you don't have the PEM pass phrase? Cheers, Robbert Only by brute force, I suppose, or everything we do is not security -- Dott. Sergio Rabellino Technical Staff Department of Computer Science University of Torino (Italy) Member of the Internet Society http://www.di.unito.it/~rabser Tel. +39-0116706701 Fax. +39-011751603 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Remove passprase
Hello Adriano The keypair was generated by a former employee and we can't find the pass phrase. Fortunately it is only used once in our intranet. Thanx, Robbert -Original Message- Subject: Re: Remove passprase What is your problem..? perhaps you can't open the PEM file? even if you purchase thecorrect passphrase? Regards, Adriano __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Converting PEM file to PKCS12 or PFX for the MacOS (Not Mac OSx)...
has anyone converted pem files into pkcs12, pfx, or der format explicitly for the MacOS versions 8.5 and above? i have 3 macs that needs CA's loaded. if anyone has done this by all means give me the lowdown. i really appreciate everyone's efforts in solving this major issue, one being the CEO! thanks! wally winzer jr.
Threading model constraint?
I'm retrofitting an existing program to use [OpenSSL?] TLS between nodes. Most of my info comes from reading Network Security with OpenSSL and lurking on this list. I don't have the time right now to grok the code, hence this request. Our app uses a leader-follower thread pattern (e.g., Pattern-Oriented Software Architecture, Schmidt, et al) which means that any given connection event will be serviced by selecting from a threadpool. My reading suggests that OpenSSL is built around a thread-per-connection orientation. On the other hand, I think I remember reading that OpenSSL does not use thread local storage so I thought we should be able to work around that since we can get to the BIO's underlying fd. Then I read that error state was maintained by thread id. %-[ Can someone clarify this for me: does OpenSSL depend upon one-thread-per-connection or can it be used in the context of other threading models? TIA __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
automatic password entry with the dgst command
I've used openssl off and on for about a 18 months now, but I'm definitely an OpenSSL beginner. I'm digitally signing some documents like this : openssl dgst -md5 -binary -sign privkey.pem -out sig.bin testdoc.txt or alternatively openssl md5 -binary -sign privkey.pem -out sig.bin testdoc.txt When I do this, I get the "Enter PEM pass phrase:" prompt, and must interactively give the password which decrypts the private key in the PEM file in order to calculate the signature. I would like to give the password to this command non-interactively. Other commands in openssl have options like "passin" or "pass" which enable this functionality. Unfortunately "dgst" doesn't have this option. After searching the archives of this list, I found some posts which made me think I could do it with the "echo" command and a pipe. I tried some things like this : echo mypassword | openssl md5 -sign privkey.pem -out sig.bin testdoc.txt echo -n -e mypassword\r\n | openssl md5 -sign privkey.pem -out sig.bin testdoc.txt echo -n -e \r\nmypassword\r\n | openssl md5 -sign privkey.pem -out sig.bin testdoc.txt openssl md5 -sign -privkey.pem -out sig.bin testdoc.txt echo mypassword openssl md5 -sign -privkey.pem -out sig.bin testdoc.txt | echo mypassword but none of them works. After trying a lot more variations than these, it seems like it is an "order of argument" processing problem. I'm running OpenSSL under Cygwin on Windows2000 - but I am using the unix-like version of "echo". Does the OS have an impact on how arguments are processed ? The only other think I can think of doing is calculating the plain hashes in a first pass, and then using "enc" to encrypt them in another pass. What encryption algorithm is used when MD5 does a signing ? I would really rather do it in one step, if possible. Any suggestions for how to avoid the interactive password entry ? Thanks Richard __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Moving certificates
The server certificate contains the DNS name of the server host. If your spares are meant to run with the same DNS name as the primary server, then you can simply use the same certificate. This applies whether they are cold spares that use the same IP address, or whether your servers' DNS name is a rator DNS that names multiple servers' IP addresses. (The converse is also true: if you have multiple DNS names pointing to the same server, you need separate certificates for them.) If your spares run at different DNS host names, you need separate certificates. But then they're not really (ready-to-run) spares, are they? If you do find yourself in a situation where you need certificates for many different servers each with their own DNS name, you may want to get a signing certificate (from Verisign or someone else) and use it to sign your own set of server certs. Cheers -- perry On Fri, Oct 25, 2002 at 06:54:52AM -0700, Paul Ogden wrote: Hello, We are getting ready to host an app that requires a complement of offsite cold spare backup servers. We are going to be testing the configuration of the servers and our procedures for switching to cold spare in the event of a catastrophic failure of the primary servers. My question is - what do I do about the certificate/key for the web server? Can I merely move the server cert and private key files from the production web server to the spare web server ( which has been built and configured identically to the production box )? Or will this scenario require a second certificate from the CA? We have signed our own certs in the past for internal intranet use for smaller hosted apps with just a few client connecting, but this is for a rather large customer and there will be many clients connecting to the app so we must go with Verisign or such. Thanks, Paul Ogden Claresco Corporation (510) 549-2290 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] --- Perry The Cynic [EMAIL PROTECTED] To a blind optimist, an optimistic realist must seem like an Accursed Cynic. --- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Threading model constraint?
On Fri, 25 Oct 2002 09:19:51 -0700, [EMAIL PROTECTED] wrote: Our app uses a leader-follower thread pattern (e.g., Pattern-Oriented Software Architecture, Schmidt, et al) which means that any given connection event will be serviced by selecting from a threadpool. My reading suggests that OpenSSL is built around a thread-per-connection orientation. On the other hand, I think I remember reading that OpenSSL does not use thread local storage so I thought we should be able to work around that since we can get to the BIO's underlying fd. Then I read that error state was maintained by thread id. %-[ Can someone clarify this for me: does OpenSSL depend upon one-thread-per-connection or can it be used in the context of other threading models? Use bio pairs and don't let the OpenSSL ilbrary ever touch a file descriptor. You can then do the threading any way you want. The only exception is that you can't run the OpenSSL data pump in both directions for the same connection. DS __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
friendlyName
Is it possible to add a friendlyName to a .pem certificate using either the config file or a friendlyName key in the distinguished name? The only way that I've been able to make a certificate such that Microsoft's Certificate Manager recognizes the friendlyName on import is to encrypt the certificate using openssl pkcs12 with the -name friendlyname option. Thanks, - Eric __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
oids, attributes (doc pointers)
Would someone be kind enough to direct me to sources of information on: 1) creating new oids that don't conflict with existing oids 2) creating new attributes in certificates that can hold arbitrary values Thanks, - Eric __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Moving certificates
Perry, Thanks for the response. That is what we were hoping for. Yes, they are truly meant to be cold-spares, i.e. database moves, dns moves, etc. The spares will run at a different location, as thus will have different IPs, but dns will be transferred to those ips as part of moving to the cold-spares, should the need arise. Paul Ogden Claresco Corporation (510) 549-2290 -Original Message- From: [EMAIL PROTECTED] [mailto:owner-openssl-users;openssl.org]On Behalf Of Perry The Cynic Sent: Friday, October 25, 2002 10:19 To: [EMAIL PROTECTED] Subject: Re: Moving certificates The server certificate contains the DNS name of the server host. If your spares are meant to run with the same DNS name as the primary server, then you can simply use the same certificate. This applies whether they are cold spares that use the same IP address, or whether your servers' DNS name is a rator DNS that names multiple servers' IP addresses. (The converse is also true: if you have multiple DNS names pointing to the same server, you need separate certificates for them.) If your spares run at different DNS host names, you need separate certificates. But then they're not really (ready-to-run) spares, are they? If you do find yourself in a situation where you need certificates for many different servers each with their own DNS name, you may want to get a signing certificate (from Verisign or someone else) and use it to sign your own set of server certs. Cheers -- perry On Fri, Oct 25, 2002 at 06:54:52AM -0700, Paul Ogden wrote: Hello, We are getting ready to host an app that requires a complement of offsite cold spare backup servers. We are going to be testing the configuration of the servers and our procedures for switching to cold spare in the event of a catastrophic failure of the primary servers. My question is - what do I do about the certificate/key for the web server? Can I merely move the server cert and private key files from the production web server to the spare web server ( which has been built and configured identically to the production box )? Or will this scenario require a second certificate from the CA? We have signed our own certs in the past for internal intranet use for smaller hosted apps with just a few client connecting, but this is for a rather large customer and there will be many clients connecting to the app so we must go with Verisign or such. Thanks, Paul Ogden Claresco Corporation (510) 549-2290 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] --- Perry The Cynic [EMAIL PROTECTED] To a blind optimist, an optimistic realist must seem like an Accursed Cynic. --- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: question about X.509 certs and subjectAltName
Sorry if I'm being dumb...but what if the certificate was not generated using OpenSSL? Do I still access this field of of subjectAltName by getting DNS? Is DNS OpenSSL specific? Ed --- Christian Hohnstaedt [EMAIL PROTECTED] wrote: Hi, The DNS refers to the configuration value in your openssl.cnf file it is the name of the conf-value e.g. subjectAltName = DNS:foo.bar.com, IP:10.11.12.13 also look at doc/openssl.txt Greets Christian On Thu, Oct 24, 2002 at 11:57:42AM -0700, Edward Chan wrote: Hi there, I'm looking at some code for doing post connection checks to make sure the DNS name specified in the certificate matches the host the client is trying to connect to. The code is from Chapter 5 of Network Security with OpenSSL. It looks like it first gets the subjectAltName field of the certificate, then tries to get the dNSName. However, it specifies DNS instead of dNSName. Is this an error? Should it be DNS or dNSName. And if I want to check for IP address, should I specify iPAddress? The code is below. The line if (!strcmp(nval-name, DNS) !strcmp(nval-value, host)) looks suspicious to me. long post_connection_check(SSL *ssl, char *host) { X509 *cert; X509_NAME *subj; char data[256]; int extcount; int ok = 0; /* Checking the return from SSL_get_peer_certificate here is not strictly * necessary. With our example programs, it is not possible for it to return * NULL. However, it is good form to check the return since it can return NULL * if the examples are modified to enable anonymous ciphers or for the server * to not require a client certificate. */ if (!(cert = SSL_get_peer_certificate(ssl)) || !host) goto err_occured; if ((extcount = X509_get_ext_count(cert)) 0) { int i; for (i = 0; i extcount; i++) { char *extstr; X509_EXTENSION*ext; ext = X509_get_ext(cert, i); extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext))); if (!strcmp(extstr, subjectAltName)) { int j; unsigned char*data; STACK_OF(CONF_VALUE) *val; CONF_VALUE *nval; X509V3_EXT_METHOD*meth; if (!(meth = X509V3_EXT_get(ext))) break; data = ext-value-data; val = meth-i2v(meth, meth-d2i(NULL, data, ext-value-length), NULL); for (j = 0; j sk_CONF_VALUE_num(val); j++) { nval = sk_CONF_VALUE_value(val, j); if (!strcmp(nval-name, DNS) !strcmp(nval-value, host)) { ok = 1; break; } } } if (ok) break; } } if (!ok (subj = X509_get_subject_name(cert)) X509_NAME_get_text_by_NID(subj, NID_commonName, data, 256) 0) { data[255] = 0; if (strcasecmp(data, host) != 0) goto err_occured; } X509_free(cert); return SSL_get_verify_result(ssl); err_occured: if (cert) X509_free(cert); return X509_V_ERR_APPLICATION_VERIFICATION; } __ Do you Yahoo!? Y! Web Hosting - Let the expert host your web site http://webhosting.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Do you Yahoo!? Y! Web Hosting - Let the expert host your web site http://webhosting.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: question about X.509 certs and subjectAltName
Yikes, thanks for the heads up. When you say not portable, do you mean with future versions of openssl, or not portable across platforms? Can you point me to some good examples of how to use those X509 API's to do a post connection check? Thanks, Ed --- Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Thu, Oct 24, 2002, Edward Chan wrote: Hi there, I'm looking at some code for doing post connection checks to make sure the DNS name specified in the certificate matches the host the client is trying to connect to. The code is from Chapter 5 of Network Security with OpenSSL. It looks like it first gets the subjectAltName field of the certificate, then tries to get the dNSName. However, it specifies DNS instead of dNSName. Is this an error? Should it be DNS or dNSName. And if I want to check for IP address, should I specify iPAddress? The code is below. The line if (!strcmp(nval-name, DNS) !strcmp(nval-value, host)) looks suspicious to me. long post_connection_check(SSL *ssl, char *host) { X509 *cert; X509_NAME *subj; char data[256]; int extcount; int ok = 0; /* Checking the return from SSL_get_peer_certificate here is not strictly * necessary. With our example programs, it is not possible for it to return * NULL. However, it is good form to check the return since it can return NULL * if the examples are modified to enable anonymous ciphers or for the server * to not require a client certificate. */ if (!(cert = SSL_get_peer_certificate(ssl)) || !host) goto err_occured; if ((extcount = X509_get_ext_count(cert)) 0) { int i; for (i = 0; i extcount; i++) { char *extstr; X509_EXTENSION*ext; ext = X509_get_ext(cert, i); extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext))); if (!strcmp(extstr, subjectAltName)) { int j; unsigned char*data; STACK_OF(CONF_VALUE) *val; CONF_VALUE *nval; X509V3_EXT_METHOD*meth; if (!(meth = X509V3_EXT_get(ext))) break; data = ext-value-data; val = meth-i2v(meth, meth-d2i(NULL, data, ext-value-length), NULL); for (j = 0; j sk_CONF_VALUE_num(val); j++) { nval = sk_CONF_VALUE_value(val, j); if (!strcmp(nval-name, DNS) !strcmp(nval-value, host)) { ok = 1; break; } } } if (ok) break; } } if (!ok (subj = X509_get_subject_name(cert)) X509_NAME_get_text_by_NID(subj, NID_commonName, data, 256) 0) { data[255] = 0; if (strcasecmp(data, host) != 0) goto err_occured; } X509_free(cert); return SSL_get_verify_result(ssl); err_occured: if (cert) X509_free(cert); return X509_V_ERR_APPLICATION_VERIFICATION; } One additional comment. I'd advise against using the technique above: it is non portable and not guaranteed to work on future versions of OpenSSL: in fact it wont work on 0.9.7. Steve. -- Dr. Stephen Henson [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~steve/ __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Do you Yahoo!? Y! Web Hosting - Let the expert host your web site http://webhosting.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: oids, attributes (doc pointers)
Eric, if you request a new OID branch for your organization you should be fine. This can be done at: http://www.iana.org/cgi-bin/enterprise.pl Markus Markus Lorch Doctoral Student in Computer Science Virginia Tech http://csgrad.cs.vt.edu/~mlorch -Original Message- From: [EMAIL PROTECTED] [mailto:owner-openssl-users;openssl.org]On Behalf Of Eric Weitzman Sent: Friday, October 25, 2002 1:52 PM To: [EMAIL PROTECTED] Subject: oids, attributes (doc pointers) Would someone be kind enough to direct me to sources of information on: 1) creating new oids that don't conflict with existing oids 2) creating new attributes in certificates that can hold arbitrary values Thanks, - Eric __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Cert Extension conversition
I have aCACertificate genereated from Microsoft CA and I was able to convert it to PEM format. It only has public key Openssl:x509 -n xxx.cer -inform d -out xxx.pem But I am unable to covert a private key (in .pfx)of the server certicate to PEM. Any body knows how toconvert a .pfxin .PEM format. Thats was I am looking for after converstion ---BEGIN ENCRYPTED PRIVATE KEY -END ENCRYPTED PRIVATE KEY I am just getting garballed and do not see this. Is this possible using OPENSSL or I need to look into other tools to do the conversition. Do you Yahoo!? Y! Web Hosting - Let the expert host your web site
Re: Cert Extension conversition
use the command : openssl pkcs12 -in xxx.pfx -out xxx.pem By default, this will encrypt the private key with triple DES inside the PEM file. It will first prompt you for the password used to protect the pfx back when it was created, then it will prompt you for the password used to encrypt it in the PEM file. Scott Harris wrote: I have a CA Certificate genereated from Microsoft CA and I was able to convert it to PEM format. It only has public key *Openssl:x509 -n xxx.cer -inform d -out xxx.pem* But I am unable to covert a private key (in .pfx) of the server certicate to PEM. Any body knows how to convert a .pfx in .PEM format. Thats was I am looking for after converstion ---BEGIN ENCRYPTED PRIVATE KEY -END ENCRYPTED PRIVATE KEY I am just getting garballed and do not see this. Is this possible using OPENSSL or I need to look into other tools to do the conversition. Do you Yahoo!? Y! Web Hosting http://webhosting.yahoo.com/%20 - Let the expert host your web site __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Cert Extension conversition
Thanks Richard!!! It worked.I was trying to figure it out for the past two days. I really appreciated. Richard Andrus [EMAIL PROTECTED] wrote: use the command :openssl pkcs12 -in xxx.pfx -out xxx.pemBy default, this will encrypt the private key with triple DES inside the PEM file.It will first prompt you for the password used to protect the pfx back when it wascreated, then it will prompt you for the password used to encrypt it in the PEM file.Scott Harris wrote: I have a CA Certificate genereated from Microsoft CA and I was able to convert it to PEM format. It only has public key *Openssl:x509 -n xxx.cer -inform d -out xxx.pem* But I am unable to covert a private key (in .pfx) of the server certicate to PEM. Any body knows how to convert a .pfx in .PEM format. Thats was I am looking for after converstion ---BEGIN ENCRYPTED PRIVATE KEY --! ---END ENCRYPTED PRIVATE KEY I am just getting garballed and do not see this. Is this possible using OPENSSL or I need to look into other tools to do the conversition. Do you Yahoo!? Y! Web Hosting - Let the expert host your web site __OpenSSL Project http://www.openssl.orgUser Support Mailing List [EMAIL PROTECTED]Automated List Manager [EMAIL PROTECTED]Do you Yahoo!? Y! Web Hosting - Let the expert host your web site
Re: R: PKCS12_parse problem
On Fri, Oct 25, 2002, Marco Donati wrote: Well... the application is actually an intermediate library, so every ''cryptographic'' operation is enclosed between OpenSSL_add_all_algorithms()...EVP_cleanup() calls. There are no OpenSSL_add_all_algorithms() calls without the final EVP_cleanup() and vice versa, there are no EVP_cleanup() calls without the initial OpenSSL_add_all_algorithms(). Are you saying that this is not enough and that the library should call OpenSSL_add_all_algorithms()...EVP_cleanup() only ONCE ? This could be not straightforward Well let me explain a bit... OpenSSL has an internal global table of supported algorithms (digests and ciphers). Certain operations such as PKCS12_parse() lookup digests and ciphers from this table so if it can't find one it gives the error you are seeing. Now addding and removing all ciphers whenever you use an OpenSSL command is not really recommended, it will repeatedly rebuild the table and it is not thread safe. One thread could access a partially complete table. So ideally you should only build the table in a single threaded context before calling any OpenSSL functions and clean it up only after no further calls will be made. However one added complication is that a change was made to OpenSSL 0.9.6g which avoids a problem of duplicate calls to OpenSSL_add_all_algorithms() creating duplicate table entries by only making the first call work. This has a problem because EVP_cleanup() doesn't reset the flag so effectively only the first call to OpenSSL_add_all_algorithms() works. This isn't what earlier 0.9.6X did and this will be fixed for 0.9.6h. You can get the old baheviour by deleting the relevant lines from OpenSSL_add_all_ciphers() and OpenSSL_add_all_digest(). Steve. -- Dr. Stephen Henson [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~steve/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: question about X.509 certs and subjectAltName
On Fri, Oct 25, 2002, Edward Chan wrote: Yikes, thanks for the heads up. When you say not portable, do you mean with future versions of openssl, or not portable across platforms? It wont work in future versions of OpenSSL. It wont in 0.9.7. Can you point me to some good examples of how to use those X509 API's to do a post connection check? As I mentioned in my other message, check out X509_get1_email() which accesses subjectAltName to retrieve email addresses. Also check the docs in doc/openssl.txt. What you are want is fairly easily accomplished: all you really need to do is to call X509_get_ext_d2i() using NID_subjectAltName and just look through the returned stucture (which is STACK_OF(GENERAL_NAME) for the entries you want. Steve. -- Dr. Stephen Henson [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~steve/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: otherName and dNSName
On Thu, Oct 24, 2002, Andrea Vallorani wrote: hi I'd know if i can insert in the field subject alternative name both 'dNSName' and 'other name' with DER code (DER: ..). I tried to do it, but when i see my certificate with other software, subject alternative name don't show up in clear-text but in hex code. I see this : ' other name: 1.3.6.1.4.1.311.25.1=0A1A010306. ' It's possible to make use DER code or I must modify OpenSSL source code? You can use dNSName in a config file (see doc/openssl.txt). For otherName the actual OID you use has to be understood by the other software otherwise it will use some default operation to display the extension which may just be to dump the DER encoding. Steve. -- Dr. Stephen Henson [EMAIL PROTECTED] OpenSSL Project http://www.openssl.org/~steve/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]