Openssl and Kerberos
Are there any example programs or documentation of how to use OpenSSL with Kerberos for authentication/encryption (RFC 2712)?

Thank you
Markus

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Re: Openssl and Kerberos
C-Kermit 8.0 http://www.kermit-project.org/ckermit.html implements it for both client and server sides.

- Jeff

Markus Moeller wrote:
> Are there any example programs or documentation of how to use OpenSSL with Kerberos for authentication/encryption (RFC 2712)?
ftp implicit ssl connection
Hi, first of all sorry for my English ;-P

Next... I'm trying to make an FTP client for Linux that uses an implicit SSLv23 connection, but I have a problem: when I connect to a server and the SSL connection is established I try to send a command, but the server doesn't answer with any byte... Taking a look at the logs of other (Windows) clients I've seen that the first command sent is the PBSZ command, and I send it too, but I receive no answer... I tried all the FTP commands with the same result... What can I do?

Thank U all :-)
Edo
Re: Openssl and Kerberos
On Tuesday 11 Mar 2003 12:12, Jeffrey Altman wrote:
> C-Kermit 8.0 http://www.kermit-project.org/ckermit.html implements it for both client and server sides.

Jeff, thanks for the link. The only problem I have now is how to filter out of the hundreds of options the ones related to OpenSSL/Kerberos? Also I was wondering what you would need to do if you write your own little client/server program (e.g. is a kinit on the client side enough before you start the client? How does the server side create/verify the cert?). ckermit does all this undercover for me, great program!!

Regards
Markus
Re: ftp implicit ssl connection
Hi, this is a simple test program I wrote:

--- code ---
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <openssl/ssl.h>
int main(int argc, char **argv)
{
    struct sockaddr_in addr;
    struct hostent *host_p;
    char buf[1024];
    int sock, n;
    SSL_library_init();
    SSL_load_error_strings();
    const SSL_METHOD *meth = SSLv23_method();
    SSL_CTX *ctx = SSL_CTX_new(meth);
    sock = socket(AF_INET, SOCK_STREAM, 0);
    host_p = gethostbyname(argv[1]);
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(atoi(argv[2]));
    memcpy(&addr.sin_addr, host_p->h_addr, sizeof(struct in_addr));
    connect(sock, (struct sockaddr *) &addr, sizeof(struct sockaddr_in));
    SSL *ssl = SSL_new(ctx);
    BIO *sbio = BIO_new_socket(sock, BIO_NOCLOSE);
    SSL_set_bio(ssl, sbio, sbio);
    SSL_connect(ssl);
    /* greeting: SSL_read() does not NUL-terminate, so terminate before printing */
    n = SSL_read(ssl, buf, sizeof(buf) - 1);
    if (n > 0) { buf[n] = '\0'; printf("%s", buf); }
    /* FTP command lines end in CRLF, not a bare LF */
    SSL_write(ssl, "PBSZ 0\r\n", 8);
    while ((n = SSL_read(ssl, buf, sizeof(buf) - 1)) > 0) {
        buf[n] = '\0';
        printf("%s", buf);
    }
    return 0;
}
--- end code

I cut all the error checks... can you see where I'm wrong?

Thank U :-)
Re: Openssl and Kerberos
Certs are not used when authenticating with Kerberos. You must have a Kerberos Ticket Granting Ticket retrieved via kinit. Everything else (other than restricting the cipher suite to Kerberos ciphers) should be transparent to the applications. Either the SSL_connect() and SSL_accept() succeed or they do not.

- Jeff

Markus Moeller wrote:
> Also I was wondering what you would need to do if you write your own little client/server program (e.g. is a kinit on the client side enough before you start the client? How does the server side create/verify the cert?).
Reading certificate from structure using d2i_X509??
hi,

I am having a problem when reading a certificate and private key from a memory buffer instead of a file. I am using d2i_X509(NULL,cert,strlen(cert)) to read the certificate string which was defined in one of the .pem files. Should I use SSL_CTX_use_certificate_ASN1 instead??? Please help me.

copied from server.pem file:

    unsigned char *cert = "MIIDDzCCAs2gAwIBAgICAQw==";
    unsigned char *key  = "y5qH6Q0Nvb5SUcJEYY...p6==";

here is my sample server code:

    void ssl_server ()
    {
        SSL_CTX *ctx;
        SSL *ssl;
        X509 *client_cert, *x509_cert, *x509_key;
        char *str;
        SSL_METHOD *meth;
        int theFd;
        fd_set theFdSet;

        /* SSL preliminaries. We keep the certificate and key with the context. */
        SSL_load_error_strings();
        SSLeay_add_ssl_algorithms();
        meth = SSLv23_server_method();
        ctx = SSL_CTX_new (meth);

        x509_cert = d2i_X509(NULL, &cert, strlen(cert));
        if (SSL_CTX_use_certificate(ctx, x509_cert) <= 0) {
            return;
        }
        x509_key = d2i_X509(NULL, &key, sizeof(key));
        if (SSL_CTX_use_PrivateKey(ctx, x509_key) <= 0) {
            return;
        }
        if (!SSL_CTX_check_private_key(ctx)) {
            printf("Private key does not match the certificate public key\n");
            return;
        }
        .
        .
    }

When d2i_X509 fails, it is for the following reason:

    IMPLEMENT_ASN1_FUNCTIONS(X509)
      ASN1_VALUE *ASN1_item_d2i(..)
        asn1_check_tlen(..)
          ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_WRONG_TAG);
          return 0;
problem with outlook express
Hello,

I am using an OpenSSL certificate to authenticate IMAP. Outlook Express keeps complaining about the certificate. Is there a way to make Outlook Express save the certificate and stop generating the warning? This is on a Windows 2000 machine.

Soo
Re: Reading certificate from structure using d2i_X509??
On Tue, Mar 11, 2003, rajagopalan ramanujam wrote:
> I am having a problem when reading a certificate and private key from a memory buffer instead of a file. I am using d2i_X509(NULL,cert,strlen(cert)) to read the certificate string which was defined in one of the .pem files. Should I use SSL_CTX_use_certificate_ASN1 instead???
>
>     unsigned char *cert = "MIIDDzCCAs2gAwIBAgICAQw==";
>     unsigned char *key  = "y5qH6Q0Nvb5SUcJEYY...p6==";

You can only use d2i_X509() with the DER (binary) form of the certificate. Since this can contain embedded zeroes strlen() is not usable, you need a separate length parameter.

The -C option of the 'x509' utility can translate a certificate into appropriate C code. For other things like private keys you need to translate them yourself. Something like the Unix utility xxd on the binary form can do that.

The stuff you have looks like base64 form with all the newlines deleted. That isn't parseable directly. If you'd included all the newlines then you could use the standard PEM routines with a memory BIO.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: problem with outlook express
On Tue, Mar 11, 2003, Soo Hom wrote:
> Outlook Express keeps complaining about the certificate. Is there a way to make Outlook Express save the certificate and stop generating the warning?

What warning does it give?

Steve.
Re: problem with outlook express
A box pops up stating "The server you are connected to is using a security certificate which has expired or is not yet valid. Do you want to continue using this server?" It's annoying in that it pops up every few minutes.

Soo

On Tue, 11 Mar 2003, Dr. Stephen Henson wrote:
> What warning does it give?
Re: Reading certificate from structure using d2i_X509??
Thanks Steve!!

Can I use these two function calls to convert?

    PEM_read_bio_X509
    PEM_read_bio_PrivateKey

--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> The stuff you have looks like base64 form with all the newlines deleted. That isn't parseable directly. If you'd included all the newlines then you could use the standard PEM routines with a memory BIO.
Re: problem with outlook express
On Tue, Mar 11, 2003, Soo Hom wrote:
> A box pops up stating "The server you are connected to is using a security certificate which has expired or is not yet valid. Do you want to continue using this server?" It's annoying in that it pops up every few minutes.

Check the time the PC is set to and the times of the server and CA certificates with:

    openssl x509 -in cert.pem -noout -dates

If these all seem OK then it may be a validity nesting issue. The CA certificate's times should cover the period of any certificates it issues with MS validity checking. That is notBefore(CA) must be earlier than notBefore(server) and notAfter(CA) must be after notAfter(server).

Steve.
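An added example, not code from the thread, that applies Steve's two checks to the output of the `openssl x509 -noout -dates` command above: it parses the notBefore/notAfter lines of a CA certificate and of the server certificate it issued (sample output constructed here, not from a real certificate) and reports whether the PC clock falls outside the server certificate's window or the CA's window fails to cover it.

```python
from datetime import datetime, timezone

# Constructed sample output of `openssl x509 -in cert.pem -noout -dates`
# for a CA certificate and for the server certificate it issued.
CA_DATES = "notBefore=Jan  1 00:00:00 2003 GMT\nnotAfter=Dec 31 23:59:59 2005 GMT\n"
SERVER_DATES = "notBefore=Mar  1 00:00:00 2003 GMT\nnotAfter=Mar  1 00:00:00 2004 GMT\n"


def utc(year, month, day):
    """The PC clock to test against, as an aware UTC datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_dates(text):
    """Return (notBefore, notAfter) from -dates output as UTC datetimes."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

    def parse(value):
        stamp = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
        return stamp.replace(tzinfo=timezone.utc)

    return parse(fields["notBefore"]), parse(fields["notAfter"])


def problems(ca_text, server_text, now):
    """List why the 'expired or not yet valid' dialog can appear; [] if all is well."""
    ca_nb, ca_na = parse_dates(ca_text)
    srv_nb, srv_na = parse_dates(server_text)
    found = []
    # First the plain clock check against the server certificate.
    if now < srv_nb:
        found.append("clock is before the server certificate's notBefore")
    if now > srv_na:
        found.append("server certificate has expired")
    # Then the validity nesting rule: the CA window must cover the server window.
    if ca_nb > srv_nb:
        found.append("CA notBefore is later than server notBefore")
    if ca_na < srv_na:
        found.append("CA notAfter is earlier than server notAfter")
    return found
```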
Re: Reading certificate from structure using d2i_X509??
On Tue, Mar 11, 2003, rajagopalan ramanujam wrote:
> Can I use these two function calls to convert?
>
>     PEM_read_bio_X509
>     PEM_read_bio_PrivateKey

If you include all the newlines in the base64 encoded structure and create a memory BIO from the string using BIO_new_mem_buf(), see the BIO_s_mem manual page. Using binary and DER is more efficient though.

Steve.
SSL_AD_HANDSHAKE_FAILURE??
I am not setting the server cert and key files. But set_cipher_list is called with "ALL" both on the server and client side. Even then the handshake fails when the server extracts the cipher:

    al=SSL_AD_HANDSHAKE_FAILURE;
    SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);

    ssl_server ()
    {
        :
        :
        SSL_load_error_strings();
        SSLeay_add_ssl_algorithms();
        meth = SSLv23_server_method();
        ctx = SSL_CTX_new (meth);
        :
        :
        socket().. bind() listen()
        :
        accept()
        SSL_CTX_set_cipher_list(ctx, "ALL");
        ssl = SSL_new (ctx);
        SSL_set_fd (ssl, sd);
        err = SSL_accept (ssl);

Is it because I have not added the cert and keys? please help!!
Re: SSL_AD_HANDSHAKE_FAILURE??
On Tue, Mar 11, 2003, rajagopalan ramanujam wrote:
> I am not setting the server cert and key files. But set_cipher_list is called with "ALL" both on the server and client side. Even then the handshake fails when the server extracts the cipher:
>
>     al=SSL_AD_HANDSHAKE_FAILURE;
>     SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_SHARED_CIPHER);
>
> Is it because I have not added the cert and keys?

If you don't set any server certificates then only those ciphersuites without authentication will work: currently anon DH, which is however vulnerable to man in the middle attacks. However for anon DH to work you need to set some DH parameters, see the FAQ and related manual pages.

So either set a server certificate or some DH parameters.

Steve.
Re: Reading certificate from structure using d2i_X509??
On Tue, Mar 11, 2003 at 01:54:55PM -0800, rajagopalan ramanujam wrote:
> I am using d2i_X509(NULL,cert,strlen(cert)) to read the certificate string which was defined in one of the .pem files. Should I use SSL_CTX_use_certificate_ASN1 instead???
>
>     unsigned char *cert = "MIIDDzCCAs2gAwIBAgICAQw==";
>     unsigned char *key  = "y5qH6Q0Nvb5SUcJEYY...p6==";

Your data are in PEM format (the data is ASCII-armored with BASE64). The d2i_ functions require the data to be in ASN.1 (DER) format. You must therefore first decode from the BASE64 armoring.

Best regards,
    Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
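An added example, not code from the thread, illustrating the points Steve and Lutz make in this thread: the newline-stripped base64 the poster has is not what d2i_X509() expects, so it must either be base64-decoded to DER first (passing the real length, because DER can contain zero bytes that stop strlen()) or re-wrapped with newlines so the PEM routines can read it from a memory BIO. The DER sample is a constructed SEQUENCE, not a real certificate; the "wrong tag" check mirrors the ASN1_R_WRONG_TAG failure in the poster's trace.

```python
import base64
import textwrap

# Constructed sample, not a real certificate: the base64 of the DER
# SEQUENCE { INTEGER 0, PrintableString "Hel" }, with newlines removed
# exactly as in the poster's `unsigned char *cert = "MII..."` string.
# Like a real certificate it starts with 'M' because 0x30 encodes as 'M'.
SAMPLE_B64 = "MAgCAQATA0hlbA=="


def pem_body_to_der(b64_text):
    """Undo the base64 armouring: DER is the only input d2i_X509() accepts."""
    return base64.b64decode("".join(b64_text.split()), validate=True)


def rewrap_pem(b64_text, label="CERTIFICATE"):
    """Put the newlines back so PEM_read_bio_* can parse it from a memory BIO."""
    body = "\n".join(textwrap.wrap("".join(b64_text.split()), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def der_outer_length(der):
    """Length of the outer SEQUENCE, i.e. the length d2i_X509() must be given.

    Raises ValueError when the first byte is not a SEQUENCE tag, which is
    what happens when the base64 text ('M' == 0x4d) is passed instead of DER.
    """
    if not der or der[0] != 0x30:
        raise ValueError("wrong tag: expected SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def c_strlen(buf):
    """What strlen() would report for the buffer: stops at the first zero byte."""
    nul = buf.find(b"\x00")
    return len(buf) if nul < 0 else nul
```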