SSL client certificate checking
Hi, from the SSL server side I want to check the client certificate/private key, but I don't know how to do this. Below I have written a small server sample and its client. I don't know if what I did is correct.

    // SSL Server
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <winsock2.h>      // closesocket() is the Winsock call; on POSIX use <sys/socket.h>, <netinet/in.h> and close()
    #include <openssl/ssl.h>
    #include <openssl/err.h>
    #include <openssl/x509.h>
    /* CERTF, KEYF and the CHK_SSL() macro are defined elsewhere in the program */

    int listen_sd = socket(AF_INET, SOCK_STREAM, 0);
    sockaddr_in sa_serv;
    memset(&sa_serv, '\0', sizeof(sa_serv));
    sa_serv.sin_family = AF_INET;
    sa_serv.sin_addr.s_addr = INADDR_ANY;
    sa_serv.sin_port = htons(8001);
    bind(listen_sd, (sockaddr*)&sa_serv, sizeof(sa_serv));
    listen(listen_sd, 5);

    sockaddr_in sa_cli;
    socklen_t client_len = sizeof(sa_cli);
    int sd = accept(listen_sd, (sockaddr*)&sa_cli, &client_len);
    closesocket(listen_sd);

    SSLeay_add_ssl_algorithms();
    SSL_load_error_strings();
    // SSLv3 is long obsolete; a current build would use SSLv23_server_method()/TLS_server_method()
    SSL_CTX* ctx = SSL_CTX_new(SSLv3_server_method());
    SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM);
    SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM);
    if (!SSL_CTX_check_private_key(ctx))
        exit(1);
    // request a certificate from the client and abort the handshake if none is presented
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);

    SSL* ssl = SSL_new(ctx);
    SSL_set_fd(ssl, sd);
    CHK_SSL(SSL_accept(ssl));

    X509* client_cert = SSL_get_peer_certificate(ssl);
    if (client_cert != NULL)   // is always NULL. why?
    {
        printf("Client certificate:\n");
        char* str = X509_NAME_oneline(X509_get_subject_name(client_cert), 0, 0);
        printf("\t subject: %s\n", str);
        OPENSSL_free(str);   // X509_NAME_oneline(..., 0, 0) returns an OpenSSL-allocated buffer
        str = X509_NAME_oneline(X509_get_issuer_name(client_cert), 0, 0);
        printf("\t issuer: %s\n", str);
        OPENSSL_free(str);
        X509_free(client_cert);
    }
    .
    .   // reading/writing operations and cleaning up
    .
and the client looks like this:

    // SSL Client
    SSLeay_add_ssl_algorithms();
    SSL_METHOD* meth = SSLv3_client_method();
    SSL_CTX* ctx = SSL_CTX_new(meth);
    SSL_CTX_use_certificate_chain_file(ctx, CERTF);
    SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM);

    int sd = socket(AF_INET, SOCK_STREAM, 0);
    sockaddr_in sa;
    memset(&sa, '\0', sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr("127.0.0.1");   // Server IP
    sa.sin_port = htons(8001);                     // Server port number
    connect(sd, (sockaddr*)&sa, sizeof(sa));

    SSL* ssl = SSL_new(ctx);
    SSL_set_fd(ssl, sd);
    SSL_connect(ssl);
    .
    .   // reading/writing operations and cleaning up
    .

What is wrong with the code above?

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
why -issuer option in OCSP client options must be PEM format?
Hi, all,

Could someone kindly tell me why the -issuer option in the OpenSSL OCSP client options MUST be in PEM format?

Thanks,
wjw
Re: why -issuer option in OCSP client options must be PEM format?
And,

Is that ONLY because of the FORMAT_PEM in load_cert() in app.c? How about if I change it like the following (can I input a PKCS#12 file or an ASN.1 file after making such a change)?

    load_cert(bio_err, *args, FORMAT_PKCS12, pass, e, "issuer certificate");
    /* I think I should also add the pass in the PKCS12_parse(p12, NULL, NULL, x, NULL) in load_cert(); */

or

    load_cert(bio_err, *args, FORMAT_ASN1, pass, e, "issuer certificate");

or others?

Why is there no such notice on the -cert option? It also uses FORMAT_PEM.

Thanks,
wjw

----- Original Message -----
From: Wu Junwei
To: [EMAIL PROTECTED]
Sent: Tuesday, June 17, 2003 6:07 PM
Subject: why -issuer option in OCSP client options must be PEM format?
Re: why -issuer option in OCSP client options must be PEM format?
Hello,

As you can see, the default certificate format in the openssl command is PEM. I do not know the exact reason, but I agree that the ocsp command had better have a format option if you are requesting so.

-Kiyoshi
Kiyoshi Watanabe
outlook express
CAN SOMEBODY HELP?

Hi, I am new to SSL and I am in desperate need to create a certificate for Outlook Express. I tried hard with some SSL HOWTO and with a tutorial on a site called eclectica... something, but Outlook keeps rejecting the certificates I make.

I need the certificates for a small network on which users need just a little assurance, nothing more.

Thanks in advance for any help provided.
RE: outlook express
Hi,

First, make sure that your openssl.cnf has the correct configuration. After that, your first step is to create a certification authority to sign the user's e-mail certificate.

CA:

    openssl rand -out .rnd 1024
    openssl req -new -x509 -keyout CA.key -out CA.crt -days 9132 -config openssl.cnf

User certificate:

    # create your private key
    openssl genrsa -rand .rnd -out [your_key_filename].key -des3 1024
    # create a certificate signing request; you now have to enter all the information for the
    # certificate, and the common name must match the e-mail address of the user
    openssl req -new -key [your_key_filename].key -out [your_csr_filename].csr -config openssl.cnf

CA (signing):

    openssl ca -config openssl.cnf -extensions [section_of_openssl_for_email_certificate] -policy policy_match -out NewCert.crt -notext -days 9132 -infiles [your_csr_filename].csr

Convert your new certificate to p12 format (the certificate file does not contain the key, so the key is passed with -inkey):

    openssl pkcs12 -export -in NewCert.crt -inkey [your_key_filename].key -out user_email_cert.p12 -name "My Certificate"

My openssl email certificate section:

    [ email ]
    # These extensions are added when 'ca' signs a request.
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    basicConstraints=CA:FALSE
    # Here are some examples of the usage of nsCertType. If it is omitted
    # the certificate can be used for anything *except* object signing.
    # For normal client use this is typical
    nsCertType = client, email
    # This is typical in keyUsage for a client certificate.
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = emailProtection
    # This will be displayed in Netscape's comment listbox.
    nsComment = "Certificat S/MIME"
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer:always
    #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName

I hope this can help you.
I'm almost new to SSL, so if I'm doing it wrong tell me, but as far as I know, that's working for me ;o)

Bye
---
Pascal Rodrigue
IT Analyst, Operations Division
IT and Telecommunications Service
Pavillon Louis-Jacques-Casault, room 2410
Université Laval, Québec, Canada, G1K 7P4
[EMAIL PROTECTED]
"Life is not just the sum of the obstacles we meet each day. Life, real life, is how we get past them!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Emil Stanchev
Sent: 17 June 2003 08:17
To: [EMAIL PROTECTED]
Subject: outlook express
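An added example, not code from either thread above: a Go program in which crypto/tls and crypto/x509 stand in for the OpenSSL calls, since the point is the protocol behaviour rather than the C API. It builds a throwaway CA, a server certificate and a user certificate with the same profile as the [ email ] section above (CA:FALSE, keyUsage, extendedKeyUsage emailProtection, subjectKeyIdentifier and authorityKeyIdentifier; clientAuth is added so the certificate can also be presented in a TLS handshake), then runs a mutual-TLS handshake over loopback twice. With the CA loaded into the server's trust store, the server finishes the handshake holding a verified client certificate, the counterpart of SSL_get_peer_certificate() returning non-NULL on the C side; with no trust store, a server that insists on a client certificate (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT) fails the handshake instead. All names and addresses are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// check is fixture plumbing: a failing RNG or signer is not a case this demo handles.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and signs tmpl with parent (self-signed when parent is nil). basicConstraints is
// always written (CA:FALSE unless tmpl.IsCA); Go adds subjectKeyIdentifier to CAs and authorityKeyIdentifier to children.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	tmpl.BasicConstraintsValid = true
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, _ := x509.ParseCertificate(der) // DER that CreateCertificate just produced always parses
	return cert, key
}

// buildPKI makes a CA, a server certificate and a user certificate with the profile of the [ email ] section
// above: CA:FALSE, the e-mail address as subjectAltName, extendedKeyUsage emailProtection (digitalSignature only,
// since the key is ECDSA), plus clientAuth so the same certificate can be presented to a TLS server. Names are made up.
func buildPKI() (ca *x509.Certificate, server, client tls.Certificate) {
	ca, caKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "Example Test CA"},
		IsCA: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
	srv, srvKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "server.example"},
		DNSNames: []string{"server.example"}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	usr, usrKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "user@example.test"},
		EmailAddresses: []string{"user@example.test"}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection}}, ca, caKey)
	server = tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}
	client = tls.Certificate{Certificate: [][]byte{usr.Raw}, PrivateKey: usrKey}
	return
}

// mutualTLS runs one handshake over loopback TCP. The server always demands a client certificate
// (SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT in OpenSSL terms); trustCA decides whether it is also given the
// CA to chain it to (what SSL_CTX_load_verify_locations supplies). Returns the verified client certificate or the error.
func mutualTLS(ca *x509.Certificate, server, client tls.Certificate, trustCA bool) (*x509.Certificate, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12, SessionTicketsDisabled: true}
	if trustCA {
		srvCfg.ClientCAs = pool // leave this out and the server has nothing to verify the client chain against
	}
	cliCfg := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: pool, ServerName: "server.example", MinVersion: tls.VersionTLS12}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() { // client side; a certificate the server rejects shows up here only as an alert
		if c, err := net.Dial("tcp", ln.Addr().String()); err == nil {
			tc := tls.Client(c, cliCfg)
			tc.Handshake()
			tc.Close()
		}
	}()
	c, err := ln.Accept()
	if err != nil {
		return nil, err
	}
	s := tls.Server(c, srvCfg)
	defer s.Close()
	if err := s.Handshake(); err != nil {
		return nil, err
	}
	return s.ConnectionState().PeerCertificates[0], nil
}

func main() {
	ca, server, client := buildPKI()
	for _, trust := range []bool{true, false} {
		peer, err := mutualTLS(ca, server, client, trust)
		fmt.Printf("server trusts CA=%v: verified client certificate=%v err=%v\n", trust, peer != nil, err)
	}
}
```

The second run is the instructive one: the server is configured exactly like the C server above (demand a certificate, fail without one) but has no CA to chain the client certificate to, so the handshake ends in a verification error rather than in a usable peer certificate.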
PKCS12 MAC password
Hello,

I need to create and parse a PKCS#12 file with the -twopass option. How can I provide the MAC password to the openssl pkcs12 command directly from the command line? The -passin option allows specifying the password for the input key (with the -export option) or for the import in a parsing operation.

Thanks for your help
Problem building openssl-0.97b on alpha-dec-osf1
Hi,

I've been trying to build openssl-0.9.7b on an Alpha with Tru64 4.0g and gcc-3.2.3 for a couple of days now with no luck. I'm doing the config with the following line:

    ./Configure --openssldir=%{openssldir} alpha-gcc zlib threads shared no-bio

This is the error that I'm getting:

    make[2]: Entering directory `/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto/err'
    gcc -I.. -I../.. -I../../include -DZLIB -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DSSL_ALLOW_ADH -D_REENTRANT -DOPENSSL_NO_BIO -DOPENSSL_NO_ERR -O3 -c -o err.o err.c
    err.c: In function `ERR_add_error_data':
    err.c:1007: incompatible type for argument 1 of `__builtin_stdarg_start'
    err.c:1034: incompatible type for argument 1 of `__builtin_va_end'
    err.c:1011: first argument to `va_arg' not of type `va_list'
    make[2]: *** [err.o] Error 1
    make[2]: Leaving directory `/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto/err'
    make[1]: *** [subdirs] Error 1
    make[1]: Leaving directory `/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto'
    make: *** [sub_all] Error 1

If I use

    ./Configure --openssldir=%{openssldir} alpha-gcc zlib threads shared

I get the following:

    gcc -I.. -I../.. -I../../include -DZLIB -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DSSL_ALLOW_ADH -D_REENTRANT -DOPENSSL_NO_ERR -O3 -c -o b_print.o b_print.c
    b_print.c: In function `_dopr':
    b_print.c:238: first argument to `va_arg' not of type `va_list'
    b_print.c:258: first argument to `va_arg' not of type `va_list'
    b_print.c:297: first argument to `va_arg' not of type `va_list'
    b_print.c:300: first argument to `va_arg' not of type `va_list'
    b_print.c:303: first argument to `va_arg' not of type `va_list'
    b_print.c:306: first argument to `va_arg' not of type `va_list'
    b_print.c: In function `BIO_printf':
    b_print.c:771: incompatible type for argument 1 of `__builtin_stdarg_start'
    b_print.c:775: incompatible type for argument 1 of `__builtin_va_end'
    b_print.c: In function `BIO_snprintf':
    b_print.c:817: incompatible type for argument 1 of `__builtin_stdarg_start'
    b_print.c:821: incompatible type for argument 1 of `__builtin_va_end'
    make[2]: *** [b_print.o] Error 1
    make[2]: Leaving directory `/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto/bio'
    make[1]: *** [subdirs] Error 1
    make[1]: Leaving directory `/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto'

I'm working on Tru64 4.0g with gcc-3.2.3. Any ideas on what's going on?

--
Democracy is two wolves and a sheep voting on what to have for dinner. Liberty is two wolves attempting to have a sheep for dinner and finding a well-informed, well-armed sheep.

Pablo Endres Lozada
Laboratorio Docente de Computacion
USB - Venezuela
[EMAIL PROTECTED]
something maybe out of topic
Dear users:

Good afternoon to all! I am trying to study all the features of OpenSSL, but I don't know anything about ASN.1, OIDs, Distinguished Names, etc. Where can I find information about this? I have read the OpenSSL manual pages, but I need more information.

Thanks in advance
Rafael Lara
Error using BIO_set_conn_ip
I am using the BIO_set_conn_ip() macro to set the local loopback address 127.0.0.1. However, I am getting the following errors. The file bss_conn.c shows the host to be 49.50.55.46 although I set it to 127.0.0.1.

    C:\Client\Client.c:38 Error connecting to remote machine
    7336:error:0200274C:system library:connect:reason(1868):C:\OpenSSL\crypto\bio\bss_conn.c:269:host=49.50.55.46:16001
    7336:error:20073067:BIO routines:CONN_STATE:connect error:C:\OpenSSL\crypto\bio\bss_conn.c:273:

Marcus
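An added example, not part of the post above, on where the odd host value comes from. BIO_set_conn_ip() takes the address as four raw bytes in network order (BIO_set_conn_hostname() is the call that accepts a dotted string), and the connect BIO formats those four bytes in decimal when it reports an error. Hand it the C string "127.0.0.1" and the first four characters '1', '2', '7', '.' are what get formatted: 49, 50, 55, 46. The Go code below is a stand-in that reproduces that formatting on constructed input, not OpenSSL code.

```go
package main

import (
	"fmt"
	"net"
)

// connDiagnostic mirrors how the connect BIO reports the address it was handed:
// the first four bytes of buf are treated as a big-endian IPv4 address and
// printed in decimal, which is the "host=a.b.c.d" text in the error above.
func connDiagnostic(buf []byte) string {
	if len(buf) < 4 {
		return "<short buffer>"
	}
	return fmt.Sprintf("%d.%d.%d.%d", buf[0], buf[1], buf[2], buf[3])
}

// binaryIPv4 converts a dotted-quad string into the four raw bytes that
// BIO_set_conn_ip() expects (inet_addr()/inet_pton() do the same job in C).
// It returns nil for anything that is not an IPv4 literal.
func binaryIPv4(dotted string) []byte {
	ip := net.ParseIP(dotted)
	if ip == nil {
		return nil
	}
	return ip.To4()
}

func main() {
	// Wrong: the string itself is handed over as if it were the binary address.
	fmt.Println("string passed as binary address:", connDiagnostic([]byte("127.0.0.1")))
	// Right: the string is converted to four bytes first.
	fmt.Println("binary address:", connDiagnostic(binaryIPv4("127.0.0.1")))
}
```

The first line prints 49.50.55.46, the value in the error message; the second prints 127.0.0.1.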
RE: something maybe out of topic
For ASN.1, start with "A Layman's Guide to a Subset of ASN.1, BER, and DER". You will find a copy at http://security.polito.it/asn1/layman.pdf. A search on Google for "distinguished name" should return some useful information.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rafael Lara
Sent: Wednesday, 18 June 2003 7:35 AM
To: [EMAIL PROTECTED]
Subject: something maybe out of topic