Re: Problem with extension in cross-certification?

2002-11-28 Thread Gerd Schering
Olaf Gellert wrote:
 Hello,


So that's just under 20 mails. Whoever has some time ...

http://www.mail-archive.com/openssl-dev%40openssl.org/msg13538.html


 Thanks, that was easy and settles the question. You don't
 even need to read all twenty mails... ;-)

 Regards... Olaf Gellert

Unfortunately, that only settles the question of what must/may go into the extension.
In my opinion it does not completely answer the question of how applications behave :-)
Except that MS has problems with the combination of DN and SN.
So what, in your opinion, should one do?

1) Leave out the extension entirely?
What happens then, e.g. on a key change, when certificates signed with the
old key are still in circulation and applications cannot find the right key?

2) Set only the keyid?
That seems best to me, since it solves the problem above.
But how is the certification path then verified:

Root1 - ServerCAcert1 - Servercert oder
Root2 - ServerCAcert2 - Servercert

Since only the keyid of the ServerCA appears in the Servercert, both would
actually have to be valid, wouldn't they?

Or was that also answered in the mails mentioned and I missed it?

Regards,
	Gerd
--
--
-- Gerd Schering, Email: [EMAIL PROTECTED]  --
-- TU Berlin, Zentraleinrichtung Rechenzentrum  --
-- Sekr. E-N 50, Einsteinufer 17, 10587 Berlin  --
-- phone: +49 30 314 24383, fax: +49 30 314 21060   --
--



TLS_accept error in SSLv3 read client certificate B

2002-11-28 Thread Nikhil Chauhan
Hi All:

I'm testing 802.1X - EAP TLS functionality with:
* freeRADIUS-0.8 and the latest beta version of 
  OPENSSL -(openssl-0.9.7-beta4) on the server; 
* Linux machine as a client, and
* Cisco's AP350 as the authenticator.

I generated the server and client certificates.
I get a TLS_accept error in SSLv3 read client
certificate B. I also get an SSL_read error, which can
be omitted. (Please see the attached radius server
log.)

* Any pointers would be highly appreciated.
* How are certificates A different from certificates
B?

==
run_radius -X -A  radius_log
+ LD_LIBRARY_PATH=/usr/local/openssl-beta-latest/lib
+ LD_PRELOAD=/usr/local/openssl-beta-latest/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/sbin/radiusd -X -A
 
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: servers_per_realm = 15
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/1x/tstpc11.pem
 tls: certificate_file = /etc/1x/tstpc11.pem
 tls: CA_file = /etc/1x/root.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/1x/DH
 tls: random_file = /etc/1x/random
 tls: fragment_size = 1024
 tls: include_length = yes
rlm_eap_tls: conf N ctx stored
rlm_eap: Loaded and initialized the type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
 main: smux_password = 
 main: snmp_write_access = no
SMUX connect try 1
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.11.20:1549, id=13, length=116
User-Name = Cisco
NAS-IP-Address = 192.168.11.20
  

cert5.db

2002-11-28 Thread Miroslav Zubcic
Hello.

I've been using openssl(1) for 2-3 years without bigger problems, but now I have one
question:

I have some nasty piece of software called cisco access registrar
(radius server). Documentation for that radius server says that I can
have SSL encrypted connection between radius and my OpenLDAP server.

However, it also says that certificate MUST be in ... let me cite
documentation:

 CertificateDBPath

  Required if you are using an LDAP RemoteServer, and you want
  Cisco Access Registrar to use SSL when communicating with that
  LDAP RemoteServer. This property specifies the name of the file
  containing the client certificates to be used when establishing
  an SSL connection to an LDAP RemoteServer. It must be either the
  cert5.db certificate database used by Netscape Navigator 3.x
  (and above), or the ServerCert.db certificate database used by
  Netscape 2.x servers.

So, I cannot put the server's cert and/or our CA + key in PEM format
somewhere and configure the server to use it. I must convert normal
certificates into cert5.db or ServerCert.db format.

How can I do this with openssl(1)? I have read the man pages for pkcs7,
pkcs8, pkcs12 etc. and grepped Google but I cannot find anything useful.

Can you help me please?


-- 
The Network is the Filesystem
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Multiple CRL Distribution Points ?

2002-11-28 Thread Stephane Spahni
Hello,

I am trying to generate a certificate with two CRL Distribution Points.
But the problem is that I generate two SEQUENCEs instead of one containing
the two distribution points. How could I do it correctly? Do I need to
encode all the stuff by hand?

Thanks !

Stephane

PS: The reason why I want to use two CRL DP is that I want to provide the
CRL in both DER and BASE64 formats.

-- 
--
Dr. Sc. Stephane Spahni Hopitaux Universitaires de Geneve
eMail: [EMAIL PROTECTED]   Division d'informatique medicale (DIM)
Tel: (+41 22) 372 62 78 24 rue Micheli-du-Crest
Fax: (+41 22) 372 61 98 CH-1211 Geneve 4



RE: Multiple CRL Distribution Points ?

2002-11-28 Thread Muralidhar K (SSG) - CTD, Chennai.
The CRL Distribution Points extension is a list of CRL distribution points.
You need to create a single CRL Distribution Points list and add each CRL
distribution point to it.

Basically the syntax is 

 cRLDistributionPoints ::= {
  CRLDistPointsSyntax 
}

CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

DistributionPoint ::= SEQUENCE {
  distributionPoint   [0] DistributionPointName OPTIONAL,
  reasons [1] ReasonFlags OPTIONAL,
  cRLIssuer   [2] GeneralNames OPTIONAL 
}

DistributionPointName ::= CHOICE {
  fullName[0] GeneralNames,
  nameRelativeToCRLIssuer [1] RelativeDistinguishedName 
}

ReasonFlags ::= BIT STRING {
  unused  (0),
  keyCompromise   (1),
  cACompromise(2),
  affiliationChanged  (3),
  superseded  (4),
  cessationOfOperation(5),
  certificateHold (6) 
}

Regards,
Murali

-Original Message-
From: Stephane Spahni [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 28, 2002 7:55 PM
To: [EMAIL PROTECTED]
Subject: Multiple CRL Distribution Points ?


Hello,

I am trying to generate a certificate with two CRL Distribution Points.
But the problem is that I generate two SEQUENCEs instead of one containing
the two distribution points. How could I do it correctly? Do I need to
encode all the stuff by hand?

Thanks !

Stephane

PS: The reason why I want to use two CRL DP is that I want to provide the
CRL in both DER and BASE64 formats.

-- 

--
Dr. Sc. Stephane Spahni Hopitaux Universitaires de Geneve
eMail: [EMAIL PROTECTED]   Division d'informatique medicale
(DIM)
Tel: (+41 22) 372 62 78 24 rue Micheli-du-Crest
Fax: (+41 22) 372 61 98 CH-1211 Geneve 4



Re: cert5.db

2002-11-28 Thread Jean-Marc Desperrier
Miroslav Zubcic wrote:

I must convert normal
certificates in cert5.db or ServerCert.db format.

How can I do this with openssl(1)? I have read man pages for pkcs7
pkcs8 pkcs12 etc ... grep google but I cannot find anything usefull.


Convert them to PKCS#12.
Run a Netscape 4.x (best done with a fresh new profile).
Import the PKCS#12 into Netscape through the security option.
Find the cert5.db file in the Netscape profile (~/.netscape).
Copy it to where you want it to be used by the Cisco Access Registrar.
Somehow the Cisco Access Registrar will need to know the password
Netscape asked you for before accessing the certificate DB, which is used
to encrypt cert5.db.



Problem: SSL-Certs for MS-Servers, if intermediate CA?

2002-11-28 Thread Karl-Michael Werzowa
Hi, Experts,

Is there a solution for the issue of misunderstanding concerning the
authorityKeyIdentifier? (i.e. misunderstanding between MS and the rest of
the world, including openSSL)

Best regards,
Michael

-- 

Karl-Michael Werzowa
A-1190 Wien, Paradisgasse 28/4/6
+43 (664)302 4511,  fax +43 (1)328 1992 14
[EMAIL PROTECTED], [EMAIL PROTECTED]





Re: Multiple CRL Distribution Points ?

2002-11-28 Thread Karl-Michael Werzowa
Hi, Stephane!

Use

crlDistributionPoints=@crl_section


[crl_section]
URI.1=.
URI.2=.
URI.3=.

Best regards,
Michael

On 2002-11-28 15:24 Stephane Spahni wrote at
[EMAIL PROTECTED]:

 Hello,
 
 I am trying to generate a certificate with two CRL Distribution Points.
 But the problem is that I generate two SEQUENCEs instead of one containing
 the two distribution points. How could I do it correctly? Do I need to
 encode all the stuff by hand?
 
 Thanks !
 
 Stephane
 
 PS: The reason why I want to use two CRL DP is that I want to provide the
   CRL in both DER and BASE64 formats.

-- 

Karl-Michael Werzowa
A-1190 Wien, Paradisgasse 28/4/6
+43 (664)302 4511,  fax +43 (1)328 1992 14
[EMAIL PROTECTED], [EMAIL PROTECTED]


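The ASN.1 that Murali quotes and the crl_section that Michael suggests both describe one CRLDistPointsSyntax SEQUENCE holding several DistributionPoints. As an added example (not code from either poster), here is a small hand-rolled DER encoder and decoder in Python for that extension value with two URIs; the URLs are constructed samples, and mistaken_extension() reproduces the "two SEQUENCE" encoding from the question, which the decoder rejects.

```python
# Added example (not from the thread): hand-rolled DER for the cRLDistributionPoints
# value quoted above: ONE CRLDistPointsSyntax SEQUENCE holding TWO DistributionPoints.
DER_CRL_URI = "http://crl.example.org/ca.crl"      # constructed sample
PEM_CRL_URI = "http://crl.example.org/ca.crl.pem"  # constructed sample


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def distribution_point(uri: str) -> bytes:
    """DistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName }.
    The CHOICE is tagged explicitly (0xA0); fullName [0] IMPLICIT GeneralNames
    is 0xA0 as well; uniformResourceIdentifier [6] IMPLICIT IA5String is 0x86."""
    general_names = tlv(0xA0, tlv(0x86, uri.encode("ascii")))
    return tlv(0x30, tlv(0xA0, general_names))


def crl_distribution_points(uris) -> bytes:
    """CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint."""
    return tlv(0x30, b"".join(distribution_point(u) for u in uris))


def mistaken_extension(uris) -> bytes:
    """The error from the question: one SEQUENCE per URI, concatenated."""
    return b"".join(crl_distribution_points([u]) for u in uris)


def read_tlv(buf: bytes, pos: int = 0):
    """Parse the element at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    n = first & 0x7F
    length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length


def crl_uris(ext_value: bytes) -> list:
    """Return the URIs of a cRLDistributionPoints value; ValueError otherwise."""
    tag, body, end = read_tlv(ext_value)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("value must be exactly one SEQUENCE OF DistributionPoint")
    uris, pos = [], 0
    while pos < len(body):
        dp_tag, dp, pos = read_tlv(body, pos)
        name_tag, name, _ = read_tlv(dp)      # [0] distributionPoint
        full_tag, names, _ = read_tlv(name)   # [0] fullName
        if (dp_tag, name_tag, full_tag) != (0x30, 0xA0, 0xA0):
            raise ValueError("unexpected DistributionPoint structure")
        p = 0
        while p < len(names):
            gn_tag, gn, p = read_tlv(names, p)
            if gn_tag == 0x86:                # [6] uniformResourceIdentifier
                uris.append(gn.decode("ascii"))
    return uris
```

Dumping the output of crl_distribution_points() with openssl asn1parse shows the same nesting the crl_section config produces: one outer SEQUENCE, then one SEQUENCE per URI.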



Re: question!!

2002-11-28 Thread Michiels Olivier
I don't know about OpenSSL, but with OpenLDAP you can.

On Thu, 2002-11-28 at 14:43, Touria Zaddaoui wrote:
 Hi everybody,
 I have a question about openssl and LDAP: is there any option with openssl
 that can be used to publish an openssl-generated certificate to an LDAP
 directory? I'll be very grateful if I get an answer.
 Thanks to all
 




WinCE Patch for OpenSSL 0.9.6g

2002-11-28 Thread Manuel Gil Pérez


Hi all,
I've been trying to patch OpenSSL 0.9.6g for WinCE / Pocket PC. I have a patch
for it but it doesn't work.
I run (on Cygwin):
 $ patch -i openssl-0.9.6g-wince.patch
and I get the following error:
 patching file 'MINFO'
 can't find file to patch at input line 1194
 The text leading up to this was:
 -
 | Only in openssl-0.9.6g: Makefile.ssl
 | diff -ur -P openssl-0.9.6g/crypto/asn1/p7_s_e.c openssl-0.9.6g-wince/crypto/asn1/p7_s_e.c
 |--- openssl-0.9.6g/crypto/asn1/p7_s_e.c
 |--- openssl-0.9.6g-wince/crypto/asn1/p7_s_e.c
 -
 File to patch:
Can anyone help me? Am I applying the patch correctly?
Regards.


 Manuel Gil Pérez - Proyecto MIMICS II
 Facultad de Informática
 Universidad de Murcia (Spain) Tfo: +34 968364640



Re: question!!

2002-11-28 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Thu, 28 Nov 
2002 13:43:34 + (GMT), Touria Zaddaoui [EMAIL PROTECTED] said:

 I have a question about openssl and LDAP: is there any
 option with openssl that can be used to publish an
 openssl-generated certificate to an LDAP directory? I'll
 be very grateful if I get an answer.

Not directly.  Something like this should do what you want, however,
assuming your certificate is in foo.pem:

USERCERTIFICATE=`openssl x509 -in foo.pem -outform DER | openssl base64 -A`
ldapadd ... <<EOF
dn: ...
objectclass: ...
...
usercertificate;binary:: $USERCERTIFICATE
EOF


At all places where there is a '...', you need to replace it with the
appropriate stuff.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
\  SWEDEN   \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.



Re: co-signature

2002-11-28 Thread Vadim Fedukovich
On Mon, Nov 25, 2002 at 12:50:40PM +0200, [EMAIL PROTECTED] wrote:
 Hi
 
 I'm wondering if you can help me with a co-signature
 problem and if you know something about co-signature and
 how to implement this with openssl. I'm trying to sign a
 message by several signers, then put them all in one pkcs7
 format. I only know how to do that with one signer.
 
 Referring to the pkcs#7 documentation, I'll need to put
 all the signer info in one SignedData value.
 
 I found no instruction to do that and I need it.
 Any information about the subject will be very helpful.

Just PKCS7_add_signer().
After PKCS7_dataFinal() there will be two SignerInfos.

Please note something else might be named co-signature

good luck,
Vadim

 Thanks a lot
 
 

-- 
Naina library: http://www.unity.net/~vf/naina_r1.tgz



[PLEASE HELP..URGENT!!!!] OPENSSL on Compaq Tru64 or any 64-bit machine.

2002-11-28 Thread J
Hi,

Is there any variable that is supposed to be set for compiling on a 64-bit machine like
Compaq's Tru64? I have used the openssl library on all the machines and it works except
for Tru64. I defined 'SIXTY_FOUR_BIT' in the bn.h file and that made the session key
encryption with a public key work fine. But I still had problems using the EVP_Decrypt
functions!

Please help me with this. Is there something that I have to define somewhere else for
the other algorithms to work, as I had done for bn.h?

Any help would be greatly appreciated.

Thanx,
 Jay..


=
- J
  | 
  - [EMAIL PROTECTED]




What the heck is wrong here?

2002-11-28 Thread Kyle Koss
I am a newbie with this so please be patient with me.

I don't know much about this product, I am trying to install it for use
with openldap. Anyway here's my problem:

I downloaded, configured, did the make, and make install with no
problem. Everything went fine, next I type in this command:
openssl req -new -x509 -nodes -out server.pem -keyout server.pem
-days 365

It then gives me this response:
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.

Then it just hangs, and does nothing... no error message, nothing. I've
tried installing on Mandrake Linux 8.2 and 9.0, on three different
machines, all with the same result. I have been working on this for a
whole day, and am going crazy, please tell me what to do.

Thanx in advance,

Kyle



Re: [PLEASE HELP..URGENT!!!!] OPENSSL on Compaq Tru64 or any 64-bit machine.

2002-11-28 Thread Durairaj
Use compiler option like: cc +DD64
eg: ./configure hpux-cc +DD64


Bye,
Durai. ( [EMAIL PROTECTED])
Hi,

Is there any variable that is supposed to be set for compiling on a 64-bit machine like
Compaq's Tru64? I have used the openssl library on all the machines and it works except
for Tru64. I defined 'SIXTY_FOUR_BIT' in the bn.h file and that made the session key
encryption with a public key work fine. But I still had problems using the EVP_Decrypt
functions!

Please help me with this. Is there something that I have to define somewhere else for
the other algorithms to work, as I had done for bn.h?

Any help would be greatly appreciated.

Thanx,
 Jay..


=
- J
  | 
  - [EMAIL PROTECTED]








installation problem

2002-11-28 Thread chenwan
openssl-users:
I have some problems with the installation.
I want to install the openssl 0.9.6g version on Win2000 with VC++ 6.0, Perl 5.6.1 and
NASM. According to the installation instructions for the Win32 platform, I ran the
commands perl configure VC-WIN32 and ms\do_nasm in the openssl0.9.6g directory
successfully, but when I run nmake -f ms\ntdll.mak from the VC++ command prompt, it
fails. The screen shows "can not find ms\ntdll.mak", so I ran
nmake -f f:\openssl096g\ms\ntdll.mak; it still fails and displays:
building openssl
mkdir temp32dll
mkdir out32dll
mkdir inc32
mkdir inc32\openssl
nmake:fatal error u1073:don't know how to make '.\crypto\cryptlib.h'
Why? What can I do?
Thanks in advance

chenwan
[EMAIL PROTECTED]
2002-11-29
