Re: SSL_connect problem : bad asn1 object header
The problem seems to be that you use self-signed certificates /both sides/. There are a few possible ways to do this:

1. Use a custom handler for errors in certificates in your server:

    #include <openssl/ssl.h>
    #include <openssl/x509_vfy.h>

    static int SSL_verify_callback(int ok, X509_STORE_CTX *ctx)
    {
        char  buf[256];
        X509 *err_cert;
        int   err, depth, ret;

        err_cert = X509_STORE_CTX_get_current_cert(ctx);
        err      = X509_STORE_CTX_get_error(ctx);
        depth    = X509_STORE_CTX_get_error_depth(ctx);

        switch (err) {
        case X509_V_OK:
            break;
        /* handle the X509_V_ERR_* cases you want to report here */
        }
        return ok;
    }

   and use

    SSL_CTX_set_verify( , SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE |
                       SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_verify_callback);

2. You may use valid certificates /not expired, signed from a trusted root, etc./; then your default handler will report success.

--- ozan alptekin <[EMAIL PROTECTED]> wrote:

> hi,
>
> I am using openssl 0.9.6.b and trying to write a server-client program in which both parties should authenticate each other, and I am new to OpenSSL.
>
> But I have a problem during the handshake process: I get a "SSL error: 5 : error:0005::lib(0) :func(0) :bad asn1 object header" error when the client calls SSL_connect. I realized that it is related to the verification mode of the server or something with the certificates I have created. I am using the same self-signed CA for creating certificates for server and client.
>
> I have set the verification flags as "SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT" both for the client and the server.
> Using methods TLSv1_server_method for the server and TLSv1_client_method for the client.
>
> Thanks a lot...
>
> Ozan Alptekin

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
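The second option worked through in Python's ssl module, as an added example (not part of the reply above and not OpenSSL's own code): the self-signed CA is installed as the only trust anchor on both sides and both sides demand the peer's certificate, so no verify callback is needed, and none that returns 1 regardless of the error ever should be, since that turns mutual authentication off. It assumes Python 3.7 or later and the openssl command-line tool on PATH; the CA, server and client certificates are generated fresh on each run as constructed throwaway material, and the function names are this example's own.

```python
"""Mutual TLS against a private self-signed CA with Python's ssl module.

Added illustration for the thread above, not code from the original reply
or from OpenSSL. Assumes Python 3.7+ and the openssl command-line tool on
PATH; the CA, server and client certificates are generated fresh in a
temporary directory on each run (constructed throwaway material).
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_pki(workdir):
    """Self-signed CA plus a server and a client leaf signed by it.
    Returns a dict of file name -> path."""
    p = {n: os.path.join(workdir, n) for n in
         ("ca.key", "ca.crt", "server.key", "server.crt", "client.key", "client.crt")}
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Constructed Test CA", "-keyout", p["ca.key"], "-out", p["ca.crt"])
    for name, cn, ext in (("server", "localhost", "subjectAltName=DNS:localhost"),
                          ("client", "client", "extendedKeyUsage=clientAuth")):
        csr, extfile = os.path.join(workdir, name + ".csr"), os.path.join(workdir, name + ".ext")
        with open(extfile, "w") as fh:
            fh.write(ext + "\n")
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=" + cn,
                 "-keyout", p[name + ".key"], "-out", csr)
        _openssl("x509", "-req", "-days", "1", "-in", csr, "-CA", p["ca.crt"],
                 "-CAkey", p["ca.key"], "-CAcreateserial", "-extfile", extfile,
                 "-out", p[name + ".crt"])
    return p


def _serve_once(ctx, listener, outcome):
    """Server side: accept one connection; the handshake itself demands and
    verifies the client certificate. Echo one message, record the result."""
    try:
        raw, _ = listener.accept()
        with ctx.wrap_socket(raw, server_side=True) as tls:
            tls.sendall(tls.recv(1024))
        outcome["server"] = "ok"
    except OSError as exc:                 # ssl.SSLError is a subclass of OSError
        outcome["server"] = type(exc).__name__


def mutual_tls_exchange(client_trusts_ca, message=b"hello"):
    """One client/server round trip; returns (client_result, server_result).

    Both contexts require the peer certificate (the ssl-module equivalent of
    SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT) and the private CA is
    the only trust anchor, so no verify callback is needed. With
    client_trusts_ca=False the client lacks the CA: the misconfiguration that
    makes the connect fail, surfaced as a verification error rather than hidden.
    """
    with tempfile.TemporaryDirectory() as d:
        f = make_pki(d)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(f["server.crt"], f["server.key"])
        server_ctx.verify_mode = ssl.CERT_REQUIRED
        server_ctx.load_verify_locations(f["ca.crt"])

        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
        client_ctx.load_cert_chain(f["client.crt"], f["client.key"])
        if client_trusts_ca:
            client_ctx.load_verify_locations(f["ca.crt"])

        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        listener.settimeout(5)
        outcome = {}
        server = threading.Thread(target=_serve_once, args=(server_ctx, listener, outcome))
        server.start()
        try:
            with socket.create_connection(listener.getsockname(), timeout=5) as raw, \
                 client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(message)
                client_result = tls.recv(1024).decode()
        except ssl.SSLError as exc:
            client_result = type(exc).__name__
        finally:
            server.join()
            listener.close()
    return client_result, outcome.get("server")


if __name__ == "__main__":
    print(mutual_tls_exchange(True))    # -> ('hello', 'ok')
    print(mutual_tls_exchange(False))   # client side reports 'SSLCertVerificationError'
```

The design choice worth noting: the trust decision lives in the context configuration (which CA, which verify mode), not in per-connection callback logic, so the failing case produces a clear verification error instead of a handshake that silently succeeds.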
Proxy'ing client certs
I have already posted the following on the lists under the "Proxy'ing client certs" thread. Could not see the posting, hence re-posting.

My understanding had been the following:

    Client            Proxy Server      Proxy Client        Server
    ------            ------------      ------------        ------
    produces a        consumes the      presents a          Can only recv
    CA signed         Client Cert       ProxyClient Cert    ProxyClient Cert
    Client Cert

"ProxyClient Cert" is not the same as "Client Cert". Though the Proxy Server is in receipt of the "Client Cert", it cannot represent the same in the SSL connection between "ProxyClient - Server". The requirement is to make the Proxy faithfully forward the "Client Cert" to the "Server".

Vadim suggested that "CONNECT method of HTTP can be used to setup TCP connections first and run SSL next. Proxy could forward SSL traffic". It had been difficult to understand the solution. It seems to me that we need to set up a TCP connection via the proxy server first and add SSL to it later. I am not aware of how to do this. Could one help me further.

Namaste,
R S Chandrasekhar
[EMAIL PROTECTED]
ISD : 091-080-2051166
Telnet : 847-1166
Phone : 2052427
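What the suggestion above amounts to, as an added example (not code from the post or from any proxy product): the client asks the proxy for a TCP tunnel with an HTTP CONNECT request, and only once the proxy has answered 2xx does it start TLS over that socket, so the handshake, and the client certificate presented in it, run end to end between client and origin server while the proxy merely relays bytes and learns nothing beyond the target host and port. Assumes Python 3.7 or later; the function names are this example's own, and the tiny CONNECT proxy and echo server are constructed fixtures so the tunnel can be exercised offline.

```python
"""HTTP CONNECT tunnel first, TLS second. Added illustration for the post
above, not code from it; function names are this example's own, and the
proxy and echo server below are constructed fixtures."""
import socket
import threading

TIMEOUT = 5  # seconds; keeps a misbehaving peer from hanging the demo


def open_connect_tunnel(proxy_host, proxy_port, target_host, target_port):
    """Ask the proxy for a tunnel to target and return the raw socket once it
    answers 2xx. Only host:port is disclosed to the proxy; TLS comes later."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=TIMEOUT)
    try:
        sock.sendall((f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
                      f"Host: {target_host}:{target_port}\r\n\r\n").encode("ascii"))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk or len(reply) > 16384:
                raise ConnectionError("proxy closed or flooded before answering CONNECT")
            reply += chunk
        head, _, trailing = reply.partition(b"\r\n\r\n")
        status = head.split(b"\r\n", 1)[0].split()
        if len(status) < 2 or not status[1].startswith(b"2"):
            raise ConnectionError("proxy refused CONNECT: " + head.decode("ascii", "replace"))
        if trailing:
            # A 2xx answer to CONNECT has no body: bytes after the headers are
            # already tunnel data a plain socket cannot push back, so bail out.
            raise ConnectionError("unexpected data after CONNECT reply")
        return sock
    except BaseException:
        sock.close()
        raise


def tls_through_proxy(client_ctx, proxy_host, proxy_port, target_host, target_port):
    """Run the TLS handshake inside the tunnel: whatever client certificate
    client_ctx holds is presented to the origin server, never to the proxy."""
    raw = open_connect_tunnel(proxy_host, proxy_port, target_host, target_port)
    return client_ctx.wrap_socket(raw, server_hostname=target_host)


# ---- constructed fixtures: a one-shot CONNECT proxy and a one-shot echo server

def _listen():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    s.settimeout(TIMEOUT)
    return s


def _pump(src, dst):
    """Relay one direction until EOF, then half-close the other side."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _proxy_once(listener, seen):
    """Serve one client: parse CONNECT, open the upstream, relay both ways."""
    conn, _ = listener.accept()
    conn.settimeout(TIMEOUT)
    request = b""
    while b"\r\n\r\n" not in request:
        chunk = conn.recv(4096)
        if not chunk:
            conn.close()
            return
        request += chunk
    line = request.split(b"\r\n", 1)[0].decode("ascii")
    seen.append(line)                       # the only thing the proxy ever learns
    host, port = line.split()[1].rsplit(":", 1)
    upstream = socket.create_connection((host, int(port)), timeout=TIMEOUT)
    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    pumps = [threading.Thread(target=_pump, args=(conn, upstream)),
             threading.Thread(target=_pump, args=(upstream, conn))]
    for p in pumps:
        p.start()
    for p in pumps:
        p.join()
    conn.close()
    upstream.close()


def _echo_once(listener):
    conn, _ = listener.accept()
    conn.settimeout(TIMEOUT)
    with conn:
        for data in iter(lambda: conn.recv(4096), b""):
            conn.sendall(data)


def demo_roundtrip(payload=b"ping through the tunnel"):
    """Plaintext round trip client -> proxy -> echo server and back; returns
    (bytes echoed back, the CONNECT request line the proxy saw)."""
    echo_l, proxy_l, seen = _listen(), _listen(), []
    threads = [threading.Thread(target=_echo_once, args=(echo_l,)),
               threading.Thread(target=_proxy_once, args=(proxy_l, seen))]
    for t in threads:
        t.start()
    host, port = echo_l.getsockname()
    with open_connect_tunnel("127.0.0.1", proxy_l.getsockname()[1], host, port) as sock:
        sock.sendall(payload)
        reply = b""
        while len(reply) < len(payload):
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    for t in threads:
        t.join()
    echo_l.close()
    proxy_l.close()
    return reply, seen[0]
```

In real use the socket from open_connect_tunnel is handed to tls_through_proxy with an ssl.SSLContext that has the client certificate loaded; the proxy then sees only the encrypted record layer, which is what makes the client certificate arrive at the server unaltered.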
Re: Problem passing BIO buffer to PKCS7_sign()
On Sun, Jan 19, 2003, marcus.carey wrote:

> There was no data in BIO out.
>
> I needed to call BIO_reset() after calling PKCS7_sign().
>

From which I deduce you are also using PKCS7_DETACHED.

Yes at present you have to call BIO_reset() to rewind the BIO to the start. This is because detached data needs to make two passes over the signed data, one to sign it and the other to output the data itself. If the OpenSSL code was made a little bit cleverer only one pass would be needed which would combine the operations...

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
Re: Problem passing BIO buffer to PKCS7_sign()
There was no data in BIO out.

I needed to call BIO_reset() after calling PKCS7_sign().

Thanks

----- Original Message -----
From: "Dr. Stephen Henson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, January 19, 2003 5:10 AM
Subject: Re: Problem passing BIO buffer to PKCS7_sign()

> On Sat, Jan 18, 2003, marcus.carey wrote:
> >
> >     BIO *in  = BIO_new(BIO_s_mem());
> >     BIO *out = BIO_new(BIO_s_mem());
> >     char buffer[40];
> >
> >     BIO_puts(in, "data");
> >
> >     pkcs7 = PKCS7_sign(cert, pkey, chain, in, flags);
> >     SMIME_write_PKCS7(out, pkcs7, in, flags);
> >
> >     BIO_read(out, buffer, sizeof(buffer));
> >
> > "data" does not appear in the S/MIME message.
> >
> > What's the correct method for setting up BIO buffers for S/MIME messages?
> >
>
> What do you mean "does not appear"? Do you mean the data written to the BIO 'out' doesn't contain "data" or it doesn't show up in some client like Outlook Express?
>
> If you aren't using PKCS7_DETACHED for flags "data" won't be visible but will still be encoded. If you are reading it with a client and can't see "data" then you may need PKCS7_TEXT as well.
>
> Steve.
> --
> Dr. Stephen Henson [EMAIL PROTECTED]
> OpenSSL Project http://www.openssl.org/~steve/
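The difference Steve describes between detached and non-detached signing, made observable, as an added example that is not code from the posts or from OpenSSL's own sources: it drives the openssl smime command (so no BIO handling is needed on the caller's side) to sign the same constructed payload both ways, checks in which output the text is readable, and verifies both messages back to the original content. It assumes the openssl command-line tool on PATH; the self-signed signer certificate is generated fresh per run as constructed throwaway material, and the function names are this example's own.

```python
"""Detached versus opaque S/MIME signatures through the openssl command-line
tool. Added illustration for the thread above, not code from the posts or
from OpenSSL; assumes openssl on PATH. The signer certificate is a throwaway
self-signed one generated per run (constructed test material)."""
import os
import subprocess
import tempfile


def _openssl(args, stdin=None):
    """Run one openssl subcommand, feeding stdin, returning stdout bytes."""
    return subprocess.run(["openssl", *args], input=stdin, check=True,
                          stdout=subprocess.PIPE, stderr=subprocess.DEVNULL).stdout


def make_signer(workdir):
    """Throwaway self-signed signer key and certificate; returns their paths."""
    key, crt = os.path.join(workdir, "signer.key"), os.path.join(workdir, "signer.crt")
    _openssl(["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
              "-subj", "/CN=Constructed SMIME signer", "-keyout", key, "-out", crt])
    return key, crt


def smime_sign(data, key, crt, detached):
    """Return the S/MIME message for data. Detached (multipart/signed) is the
    command's default; -nodetach puts the data inside the PKCS#7 structure."""
    args = ["smime", "-sign", "-signer", crt, "-inkey", key]
    if not detached:
        args.append("-nodetach")
    return _openssl(args, stdin=data)


def smime_verify(message, crt):
    """Verify the signature with the signer certificate as the trust anchor
    and return the recovered content; works for both forms."""
    return _openssl(["smime", "-verify", "-CAfile", crt], stdin=message)


def compare_forms(data=b"constructed sample payload\n"):
    """Sign one payload both ways and report what each output exposes."""
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_signer(d)
        detached = smime_sign(data, key, crt, detached=True)
        opaque = smime_sign(data, key, crt, detached=False)
        return {
            # only the detached form carries the text in the clear
            "detached_shows_text": data.strip() in detached,
            "opaque_shows_text": data.strip() in opaque,
            # both forms still verify back to the same content
            "detached_verifies": smime_verify(detached, crt).strip() == data.strip(),
            "opaque_verifies": smime_verify(opaque, crt).strip() == data.strip(),
        }


if __name__ == "__main__":
    for name, value in compare_forms().items():
        print(f"{name}: {value}")
```

The comparison on the verified content uses strip() because S/MIME canonicalises line endings to CRLF on the way out, which would otherwise make a byte-exact comparison with the LF-terminated input fail.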
Re: ASK: any option for CERTID in OCSP using AKID of the cert to be checked
Hi,

I thought that the two values could be the same. Both use the hash value of the subject public key field information of the issuer certificate. RFC 2560 does not have any description of the use of the authority key identifier. However, looking at the archives of the PKIX discussion, some mentioned the use of the authority key identifier to avoid the hash calculation at the client side. Or am I misunderstanding the calculation over the two values?

# The authority key identifier has different methods to calculate, so
# it is not good to rely on the authority key identifier value only.

-Kiyoshi
Kiyoshi Watanabe

> On Sun, Jan 19, 2003, Kiyoshi WATANABE wrote:
> >
> > Dear all and developers,
> >
> > Is there any option to create the CertID.issuerKeyHash using the AKID of the cert to be checked, instead of using the issuer certificate itself, in an OCSP request?
> >
> > In addition, do you see any security concerns over this usage if being developed?
> >
>
> The OCSP standard defines what CertID.issuerKeyHash should be so changing that makes the implementation non-compliant.
>
> Updated versions of the OCSP standards are being discussed which do allow alternative certificate identifiers but they are still being discussed and OpenSSL doesn't support them yet.
>
> Steve.
> --
> Dr. Stephen Henson [EMAIL PROTECTED]
> OpenSSL Project http://www.openssl.org/~steve/
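The two values Kiyoshi is comparing, computed side by side, as an added example that is not code from the posts or from OpenSSL. RFC 2560 section 4.1.1 defines CertID.issuerKeyHash as the hash over the issuer's subject public key field, which OpenSSL (and the subjectKeyIdentifier "hash" method of RFC 3280 section 4.2.1.2) takes to mean the subjectPublicKey BIT STRING contents without tag, length and the unused-bits octet; for an issuer whose key identifier was built that way the issued certificate's AKID does carry the identical bytes, which is why it is tempting to reuse it. RFC 3280 also permits a second, truncated form and any issuer-chosen value, so the AKID is not guaranteed to be that hash, which is Steve's point that only the issuer certificate yields a compliant CertID. The example generates a self-signed issuer with a minimal config, computes the SHA-1 issuerKeyHash with a small DER walker written for this purpose, and compares it with the Subject Key Identifier openssl printed into that certificate. It assumes the openssl command-line tool on PATH; the function names are this example's own.

```python
"""CertID.issuerKeyHash (RFC 2560) computed by hand and compared with the
Subject Key Identifier OpenSSL writes. Added illustration for the thread
above, not code from the posts or from OpenSSL; assumes openssl on PATH.
The issuer certificate is a throwaway self-signed one (constructed)."""
import base64
import hashlib
import os
import re
import subprocess
import tempfile

# Minimal req config so the issuer gets a hash-method SKID on any OpenSSL.
_REQ_CNF = """\
[req]
distinguished_name = dn
x509_extensions = v3
[dn]
[v3]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
"""


def _tlv(buf, pos):
    """Decode one DER element at pos: (tag, value, position after it).
    Handles the definite-length forms a certificate uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n octets hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """All DER elements directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def pem_to_der(pem_text):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem_text, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def subject_public_key_bits(cert_der):
    """subjectPublicKey BIT STRING contents, minus the unused-bits octet."""
    _, cert, _ = _tlv(cert_der, 0)                   # Certificate SEQUENCE
    fields = _children(_children(cert)[0][1])        # TBSCertificate fields
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5][1]              # serial, sigAlg, issuer, validity, subject, SPKI
    _alg, (bit_tag, bits) = _children(spki)
    assert bit_tag == 0x03, "subjectPublicKey must be a BIT STRING"
    return bits[1:]


def issuer_key_hash(issuer_cert_der):
    """CertID.issuerKeyHash for hashAlgorithm SHA-1, as OpenSSL computes it."""
    return hashlib.sha1(subject_public_key_bits(issuer_cert_der)).digest()


def openssl_skid(cert_path):
    """The X509v3 Subject Key Identifier as openssl prints it, as bytes."""
    text = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-text"],
                          check=True, stdout=subprocess.PIPE, text=True).stdout
    m = re.search(r"Subject Key Identifier:\s*([0-9A-Fa-f:]+)", text)
    return bytes.fromhex(m.group(1).replace(":", ""))


def compare_on_fresh_cert():
    """Generate a self-signed issuer and return (issuerKeyHash, printed SKID)."""
    with tempfile.TemporaryDirectory() as d:
        cnf, crt = os.path.join(d, "req.cnf"), os.path.join(d, "issuer.crt")
        with open(cnf, "w") as fh:
            fh.write(_REQ_CNF)
        subprocess.run(["openssl", "req", "-x509", "-config", cnf, "-newkey", "rsa:2048",
                        "-nodes", "-days", "1", "-subj", "/CN=Constructed Issuer",
                        "-keyout", os.path.join(d, "issuer.key"), "-out", crt],
                       check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        with open(crt) as fh:
            der = pem_to_der(fh.read())
        return issuer_key_hash(der), openssl_skid(crt)


if __name__ == "__main__":
    computed, printed = compare_on_fresh_cert()
    print(computed.hex(), printed.hex(), computed == printed)
```

The equality holds here only because the issuer was built with the hash method; an OCSP client that copied the AKID from the certificate under check would produce a wrong CertID for any issuer that chose a different key identifier, so the issuer certificate remains the input.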