Openssl and Kerberos

2003-03-11 Thread Markus Moeller
Are there any example programs or documentation on how to use OpenSSL with
Kerberos for authentication/encryption (RFC 2712)?

Thank you
Markus
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Re: Openssl and Kerberos

2003-03-11 Thread Jeffrey Altman
C-Kermit 8.0 http://www.kermit-project.org/ckermit.html implements it 
for both client and server sides.

- Jeff

Markus Moeller wrote:


ftp implicit ssl connection

2003-03-11 Thread gomess
Hi, first of all sorry for my English ;-P

Next... I'm trying to make an FTP client for Linux that uses an implicit
SSLv23 connection, but I have a problem: when I connect to a server and the SSL
connection is established I try to send a command but the server doesn't answer
with any byte... Taking a look at the logs of other (Windows) clients I've
seen that the first command sent is the PBSZ command and I send it too, but I
receive no answer... I tried all the FTP commands with the same
result... what can I do?

Thank U all :-)

Edo


Re: Openssl and Kerberos

2003-03-11 Thread Markus Moeller
On Tuesday 11 Mar 2003 12:12, Jeffrey Altman wrote:
Jeff,

thanks for the link. The only problem I have now is how to filter out of the
hundreds of options the ones related to OpenSSL/Kerberos? Also I was
wondering what you would need to do if you write your own little
client/server program (e.g. is a kinit on the client side enough before you
start the client? How does the server side create/verify the cert?). ckermit
does all this undercover for me, great program!!

Regards
Markus



Re: ftp implicit ssl connection

2003-03-11 Thread gomess
Hi,
this is a simple test program I wrote:

--- code ---
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

int main (int argc, char **argv)
{
  const SSL_METHOD *meth;
  SSL_CTX *ctx;
  SSL *ssl;
  BIO *sbio;
  struct hostent *host_p;
  struct sockaddr_in addr;
  int sock, n;
  char buf[1024];

  SSL_library_init ();
  SSL_load_error_strings();

  meth= SSLv23_method();
  ctx= SSL_CTX_new (meth);

  sock = socket (AF_INET, SOCK_STREAM, 0);
  host_p= gethostbyname (argv[1]);           /* argv[1] = host, argv[2] = port */

  addr.sin_family= AF_INET;
  addr.sin_port= htons (atoi(argv[2]));
  memcpy (&addr.sin_addr, host_p->h_addr, sizeof (struct in_addr));

  connect (sock, (struct sockaddr *) &addr, sizeof (struct sockaddr_in));

  /* implicit SSL: handshake first, then talk FTP over the SSL connection */
  ssl=SSL_new(ctx);
  sbio=BIO_new_socket(sock,BIO_NOCLOSE);
  SSL_set_bio(ssl,sbio,sbio);
  SSL_connect(ssl);
  n = SSL_read(ssl,buf,sizeof(buf)-1);       /* server greeting */
  if (n > 0) { buf[n] = '\0'; printf ("%s", buf); }
  SSL_write (ssl, "PBSZ 0\n", 7);            /* first command the Windows clients send */
  while ((n = SSL_read(ssl,buf,sizeof(buf)-1)) > 0) {
    buf[n] = '\0';                           /* SSL_read does not NUL-terminate */
    printf ("%s\n", buf);
  }
  return 0;
}
--- end code ---

I cut all the error checks... can you see where I am wrong?

Thank you :-)



Re: Openssl and Kerberos

2003-03-11 Thread Jeffrey Altman
Certs are not used when authenticating with Kerberos. You must have a
Kerberos Ticket Granting Ticket retrieved via kinit. Everything else
(other than restricting the cipher suite to Kerberos ciphers) should be
transparent to the applications. Either the SSL_connect() and
SSL_accept() succeed or they do not.

- Jeff


Markus Moeller wrote:

Reading certificate from structure using d2i_X509??

2003-03-11 Thread rajagopalan ramanujam

hi,

I am having a problem when reading a certificate and
private key from a memory buffer instead of a file.
I am using d2i_X509(NULL,&cert,strlen(cert)) to read
the certificate string which was defined in one of the
.pem files. Should I use SSL_CTX_use_certificate_ASN1
instead??? Please help me.

copied from server.pem file
unsigned char * cert
="MIIDDzCCAs2gAwIBAgICAQw==";
unsigned char * key =
"y5qH6Q0Nvb5SUcJEYY...p6==";

here is my sample server code :

#include <stdio.h>
#include <string.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

void ssl_server ()
{
  SSL_CTX *ctx;
  SSL *ssl;
  X509 *client_cert, *x509_cert, *x509_key;
  char *str;
  SSL_METHOD *meth;
  int theFd;
  fd_set theFdSet;

  /* SSL preliminaries. We keep the certificate and key with the context. */

  SSL_load_error_strings();
  SSLeay_add_ssl_algorithms();
  meth = SSLv23_server_method();
  ctx = SSL_CTX_new (meth);

  /* cert and key are the base64 strings defined above */
  x509_cert = d2i_X509(NULL, &cert, strlen(cert));

  if (SSL_CTX_use_certificate(ctx, x509_cert) <= 0) {
    return;
  }

  x509_key = d2i_X509(NULL, &key, sizeof(key));

  if (SSL_CTX_use_PrivateKey(ctx, x509_key) <= 0) {
    return;
  }

  if (!SSL_CTX_check_private_key(ctx)) {
    printf("Private key does not match the certificate public key\n");
    return;
  }

.
.
}

When calling d2i_X509 it fails for the following reason:
IMPLEMENT_ASN1_FUNCTIONS(X509)
ASN1_VALUE *ASN1_item_d2i(..)
asn1_check_tlen(..)
ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG);
return 0;




problem with outlook express

2003-03-11 Thread Soo Hom
Hello,

I am using an OpenSSL certificate to authenticate IMAP. Outlook Express
keeps complaining about the certificate. Is there a way to make Outlook
Express save the certificate and stop generating the warning?

This is on a Windows 2000 machine.


Soo




Re: Reading certificate from structure using d2i_X509??

2003-03-11 Thread Dr. Stephen Henson
On Tue, Mar 11, 2003, rajagopalan ramanujam wrote:


You can only use d2i_X509() with the DER (binary) form of the certificate.
Since this can contain embedded zeroes strlen() is not usable, you need a
separate length parameter.

The -C option of the 'x509' utility can translate a certificate into
appropriate C code. For other things like private keys you need to translate
them yourself. Something like the Unix utility xxd on the binary form can do
that.

The stuff you have looks like base64 form with all the newlines deleted. That
isn't parseable directly. If you'd included all the newlines then you could
use the standard PEM routines with a memory BIO.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


Re: problem with outlook express

2003-03-11 Thread Dr. Stephen Henson
On Tue, Mar 11, 2003, Soo Hom wrote:

What warning does it give?

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


Re: problem with outlook express

2003-03-11 Thread Soo Hom
A box pops up stating
The server you are connected to is using a security certificate
which has expired or is not yet valid.  Do you want to continue using this
server?

It's annoying in that it pops up every few minutes.


Soo


On Tue, 11 Mar 2003, Dr. Stephen Henson wrote:


Re: Reading certificate from structure using d2i_X509??

2003-03-11 Thread rajagopalan ramanujam
Thanks Steve!!

Can I use these two function calls to convert?

   PEM_read_bio_X509
   PEM_read_bio_PrivateKey


--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:


Re: problem with outlook express

2003-03-11 Thread Dr. Stephen Henson
On Tue, Mar 11, 2003, Soo Hom wrote:


Check the time the PC is set to and the times of the server and CA certificates
with:

openssl x509 -in cert.pem -noout -dates

If these all seem OK then it may be a validity nesting issue. The CA
certificates times should cover the period of any certificates it issues with
MS validity checking. That is notBefore(CA) must be earlier than
notBefore(server) and notAfter(CA) must be after notAfter(server).

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
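A check for the two conditions Steve describes, as an added example that is not part of the thread: it parses the notBefore/notAfter lines that `openssl x509 -in cert.pem -noout -dates` prints for the CA and the server certificate (the two outputs below are constructed, not from real certificates) and reports clock problems and validity-nesting violations.

```python
from datetime import datetime, timezone

# Constructed sample output of `openssl x509 -in cert.pem -noout -dates` for the
# CA certificate and the IMAP server certificate (not real certificates).
CA_DATES = "notBefore=Jan  1 00:00:00 2003 GMT\nnotAfter=Dec 31 23:59:59 2005 GMT\n"
SERVER_DATES = "notBefore=Mar  1 00:00:00 2003 GMT\nnotAfter=Mar  1 00:00:00 2006 GMT\n"

def parse_dates(dates_output: str) -> tuple:
    """Parse the notBefore/notAfter lines into timezone-aware datetimes."""
    fields = dict(line.split("=", 1) for line in dates_output.strip().splitlines())
    def conv(text):
        return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return conv(fields["notBefore"]), conv(fields["notAfter"])

def validity_findings(ca_dates: str, server_dates: str, now_utc: str) -> list:
    """The two checks from the thread: is the PC clock (now_utc, 'YYYY-MM-DD') inside
    each certificate's window, and does the CA window enclose the server window
    (the MS nesting rule)? Each finding starts with a stable code before the colon."""
    now = datetime.fromisoformat(now_utc).replace(tzinfo=timezone.utc)
    ca_nb, ca_na = parse_dates(ca_dates)
    sv_nb, sv_na = parse_dates(server_dates)
    findings = []
    for name, nb, na in (("ca", ca_nb, ca_na), ("server", sv_nb, sv_na)):
        if now < nb:
            findings.append(f"{name}-not-yet-valid: clock {now:%Y-%m-%d} before notBefore {nb:%Y-%m-%d}")
        elif now > na:
            findings.append(f"{name}-expired: clock {now:%Y-%m-%d} after notAfter {na:%Y-%m-%d}")
    # notBefore(CA) must not be later than notBefore(server) ...
    if ca_nb > sv_nb:
        findings.append(f"nesting-notbefore: CA {ca_nb:%Y-%m-%d} is later than server {sv_nb:%Y-%m-%d}")
    # ... and notAfter(CA) must not be earlier than notAfter(server)
    if ca_na < sv_na:
        findings.append(f"nesting-notafter: CA {ca_na:%Y-%m-%d} is earlier than server {sv_na:%Y-%m-%d}")
    return findings

if __name__ == "__main__":
    for finding in validity_findings(CA_DATES, SERVER_DATES, "2003-03-11"):
        print(finding)
```

With the sample data the clock is inside both windows, so the only finding is that the server certificate outlives its CA.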


Re: Reading certificate from structure using d2i_X509??

2003-03-11 Thread Dr. Stephen Henson
On Tue, Mar 11, 2003, rajagopalan ramanujam wrote:


If you include all the newlines in the base64 encoded structure and create a
memory BIO from the string using BIO_new_mem_buf(), see the BIO_s_mem manual
page. Using binary and DER is more efficient though.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


SSL_AD_HANDSHAKE_FAILURE??

2003-03-11 Thread rajagopalan ramanujam
I am not setting the server cert and key files. But
set_cipher_list is called with "ALL" both on the
server and client side. Even then the handshake fails when
the server extracts the cipher:
al=SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);

ssl_server ()
{
  :
  :
  SSL_load_error_strings();
  SSLeay_add_ssl_algorithms();
  meth = SSLv23_server_method();
  ctx = SSL_CTX_new (meth);
  :
  : socket()..
  bind()
  listen()
  :
  accept()

  SSL_CTX_set_cipher_list(ctx, "ALL");
  ssl = SSL_new (ctx);
  SSL_set_fd (ssl, sd);
  err = SSL_accept (ssl);

Is it because i have not added the certi and keys?

please help!!




Re: SSL_AD_HANDSHAKE_FAILURE??

2003-03-11 Thread Dr. Stephen Henson
On Tue, Mar 11, 2003, rajagopalan ramanujam wrote:

If you don't set any server certificates then only those ciphersuites without
authentication will work: currently anon DH, which is however vulnerable to man
in the middle attacks. However for anon DH to work you need to set some DH
parameters, see the FAQ and related manual pages.

So either set a server certificate or some DH parameters.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


Re: Reading certificate from structure using d2i_X509??

2003-03-11 Thread Lutz Jaenicke
On Tue, Mar 11, 2003 at 01:54:55PM -0800, rajagopalan ramanujam wrote:

Your data are in PEM format (the data is ASCII-armored with BASE64).
The d2i_ functions require the data to be in ASN.1 (DER) format.
You must therefore first decode from the BASE64 armoring.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
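The steps Steve and Lutz describe, as an added example that is not part of the thread (a Python model of the C calls, not OpenSSL's own code): strip the PEM armor and base64-decode to get DER, hand the decoder the exact byte length rather than strlen() (DER contains zero bytes), and emit the result as a C array with an explicit length the way `openssl x509 -C` does. The "certificate" DER is a constructed stand-in (a SEQUENCE with embedded zero bytes), not a real certificate.

```python
import base64
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed stand-in for certificate DER: a SEQUENCE whose body holds zero bytes,
# as real certificate DER does; it is not a real certificate.
SAMPLE_DER = der_tlv(0x30, der_tlv(0x02, b"\x01\x0c") + der_tlv(0x04, b"\x00\x00\x01\x00\x02"))

def der_to_pem(der: bytes) -> str:
    """PEM armor: base64 in 64-column lines between the BEGIN/END markers."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}\n"

def pem_to_der(pem: str) -> bytes:
    """Strip the armor and base64-decode (what PEM_read_bio_X509 does before d2i)."""
    lines = pem.strip().splitlines()
    if lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]), validate=True)

def wrong_tag(buf: bytes) -> bool:
    """True when a DER decoder rejects buf at its first byte (ASN1_R_WRONG_TAG);
    base64 text always fails here because it starts with 'M' (0x4d), not 0x30."""
    return not buf or buf[0] != 0x30

def der_outer_length(buf: bytes) -> int:
    """Byte length of the outermost SEQUENCE, i.e. what d2i_X509 would consume."""
    if wrong_tag(buf):
        raise ValueError("wrong tag: expected SEQUENCE (0x30)")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    nbytes = first & 0x7F
    return 2 + nbytes + int.from_bytes(buf[2:2 + nbytes], "big")

def c_strlen(buf: bytes) -> int:
    """What C strlen() reports for this buffer: bytes before the first NUL."""
    return buf.index(0) if 0 in buf else len(buf)

def to_c_array(der: bytes, name: str) -> str:
    """Emit a C initializer carrying an explicit length, like `openssl x509 -C`."""
    hexes = ",".join(f"0x{b:02x}" for b in der)
    return f"unsigned char {name}[{len(der)}]={{{hexes}}};\n"
```

On the sample, strlen() would stop at byte 8 of a 13-byte DER blob, and the bare base64 text fails the tag check exactly as d2i_X509 did in the original post.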