SSL client certificate checking

2003-06-17 Thread Marius Cabas
Hi, from the SSL server side I want to check the client certificate/private key, but I
don't know how to do this. Below I have written a small server sample and its client. I
don't know if what I did is correct.

// SSL Server
// CERTF, KEYF and CHK_SSL are defined elsewhere in the program.
#include <openssl/ssl.h>

int listen_sd = socket(AF_INET, SOCK_STREAM, 0);

sockaddr_in sa_serv;
memset(&sa_serv, '\0', sizeof(sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons(8001);

bind(listen_sd, (sockaddr*)&sa_serv, sizeof(sa_serv));
listen(listen_sd, 5);

sockaddr_in sa_cli;
int client_len = sizeof(sa_cli);
int sd = accept(listen_sd, (sockaddr*)&sa_cli, &client_len);
closesocket(listen_sd);

SSLeay_add_ssl_algorithms();
SSL_CTX* ctx = SSL_CTX_new(SSLv3_server_method());

// The server's own certificate and private key
SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM);
if(!SSL_CTX_check_private_key(ctx))
  exit(1);

// Ask the client for a certificate and fail the handshake if none is sent
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);

SSL* ssl = SSL_new(ctx);
SSL_set_fd(ssl, sd);
CHK_SSL(SSL_accept(ssl));

X509* client_cert = SSL_get_peer_certificate(ssl);
if(client_cert != NULL) // is always NULL. why?
{
  printf("Client certificate:\n");
  // X509_NAME_oneline() with a NULL buffer allocates the string with OpenSSL's
  // allocator, so it is released with OPENSSL_free() rather than free()
  char* str = X509_NAME_oneline(X509_get_subject_name(client_cert), 0, 0);
  printf("\t subject: %s\n", str);
  OPENSSL_free(str);

  str = X509_NAME_oneline(X509_get_issuer_name(client_cert), 0, 0);
  printf("\t issuer: %s\n", str);
  OPENSSL_free(str);

  X509_free(client_cert);
}
.
// reading/writing operations and cleaning up
.

and the client looks like this:
// SSL Client
SSLeay_add_ssl_algorithms();
SSL_METHOD* meth = SSLv3_client_method();
SSL_CTX* ctx = SSL_CTX_new(meth);

// The client's own certificate chain and private key, offered when the server asks
SSL_CTX_use_certificate_chain_file(ctx, CERTF);
SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM);

int sd = socket(AF_INET, SOCK_STREAM, 0);

sockaddr_in sa;
memset(&sa, '\0', sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr("127.0.0.1"); // Server IP
sa.sin_port = htons(8001);                   // Server port number

connect(sd, (sockaddr*)&sa, sizeof(sa));

SSL* ssl = SSL_new(ctx);
SSL_set_fd(ssl, sd);
SSL_connect(ssl);
.
// reading/writing operations and cleaning up
.


What is wrong with the code above?



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
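As an added illustration (not the poster's code), the same server and client roles played by the openssl command-line tools, including the one thing the server above never does: give OpenSSL a trust store for client certificates. On s_server, -CAfile corresponds to SSL_CTX_load_verify_locations() and -Verify to SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT; without a trust anchor no client certificate can verify, so the handshake is refused and there is no peer certificate to fetch. Port 48431 and the self-signed test certificates are assumptions.

```shell
set -e
WORK=$(mktemp -d)
PORT=48431   # assumption: an unused loopback port
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"   # minimal config for req

selfsigned() {   # $1 = name; writes $WORK/$1.key and $WORK/$1.crt (constructed test certs)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" -config "$WORK/req.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
selfsigned server; selfsigned client

# Server that demands a client certificate and trusts only client.crt:
# -CAfile ~ SSL_CTX_load_verify_locations(), -Verify ~ SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT
openssl s_server -accept "$PORT" -cert "$WORK/server.crt" -key "$WORK/server.key" \
  -CAfile "$WORK/client.crt" -Verify 1 -www >/dev/null 2>&1 &
SERVER=$!
trap 'kill $SERVER 2>/dev/null' EXIT

# Prints "ok" when the server completed the handshake (it answered an HTTP GET)
# and "rejected" otherwise; extra arguments are passed to s_client (-cert/-key).
handshake() {
  attempt=0
  while [ $attempt -lt 10 ]; do
    out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
      -CAfile "$WORK/server.crt" -ign_eof "$@" 2>&1 || true)
    case "$out" in *"HTTP/1.0 200"*) echo ok; return 0 ;; esac
    case "$out" in *alert*) break ;; esac     # the server saw the handshake and refused it
    attempt=$((attempt + 1)); sleep 1         # otherwise the server is probably not up yet
  done
  echo rejected
}
WITH_CERT=$(handshake -cert "$WORK/client.crt" -key "$WORK/client.key")   # ok
WITHOUT_CERT=$(handshake)                                                 # rejected
echo "with client cert: $WITH_CERT, without: $WITHOUT_CERT"
```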


why -issuer option in OCSP client options must be PEM format?

2003-06-17 Thread Wu Junwei

Hi, all,

Could someone tell me kindly why the -issuer option in the OpenSSL OCSP client options MUST be PEM format?

thanks,

wjw

Re: why -issuer option in OCSP client options must be PEM format?

2003-06-17 Thread Wu Junwei

And,

Is that ONLY because of the FORMAT_PEM in load_cert() in app.c?

How about if I change it like the following (can I input the PKCS#12 file or ASN.1 file after making such a change?):

load_cert(bio_err, *args, FORMAT_PKCS12, pass, e, "issuer certificate");

/* I think I should also add the pass in the PKCS12_parse(p12, NULL, NULL, x, NULL) in load_cert(); */

or

load_cert(bio_err, *args, FORMAT_ASN1, pass, e, "issuer certificate");

or others?

Why is there no such notice on the -cert option? It also uses FORMAT_PEM.

Thanks,
wjw

- Original Message -
From: Wu Junwei
To: [EMAIL PROTECTED]
Sent: Tuesday, June 17, 2003 6:07 PM
Subject: why -issuer option in OCSP client options must be PEM format?

Hi, all,

Could someone tell me kindly why the -issuer option in the OpenSSL OCSP client options MUST be PEM format?

thanks,

wjw

Re: why -issuer option in OCSP client options must be PEM format?

2003-06-17 Thread Kiyoshi WATANABE

Hello,

As you can see, the default certificate format is PEM in the openssl command. I do not know the exact reason, but I agree that the ocsp command had better have a format option if you are requesting one.

-Kiyoshi
Kiyoshi Watanabe

 Hi, all,

 Could someone tell me kindly why the -issuer option in the OpenSSL OCSP
 client options MUST be PEM format?

 thanks,

 wjw
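Added example, not from the thread: since openssl ocsp reads -issuer (and -cert) as PEM, an issuer certificate held as DER or PKCS#12 is converted first. The file names, the password secret and the constructed issuer certificate are assumptions; for a PKCS#12 bundle the function prints the first certificate it contains.

```shell
set -e
# to_pem: $1 = input file; $2 = password, given only when $1 is a PKCS#12 bundle.
# Prints the (first) certificate as PEM, which is what 'openssl ocsp -issuer' reads.
to_pem() {
  if [ -n "${2:-}" ]; then
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | openssl x509; return
  fi
  openssl x509 -in "$1" -inform PEM 2>/dev/null && return 0
  openssl x509 -in "$1" -inform DER
}
same_cert() {   # succeeds when $1 (password $2) converts to the reference issuer certificate
  [ "$(to_pem "$1" "${2:-}" | openssl x509 -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$REF" -noout -fingerprint -sha256)" ]
}
WORK=$(mktemp -d); REF="$WORK/issuer.pem"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"   # minimal config for req
# A constructed issuer certificate, written in the three encodings the thread mentions
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Issuer CA" \
  -config "$WORK/req.cnf" -keyout "$WORK/issuer.key" -out "$REF" 2>/dev/null
openssl x509 -in "$REF" -outform DER -out "$WORK/issuer.der"
openssl pkcs12 -export -in "$REF" -nokeys -passout pass:secret -out "$WORK/issuer.p12"
for f in issuer.pem issuer.der; do same_cert "$WORK/$f" && echo "$f -> PEM: same certificate"; done
same_cert "$WORK/issuer.p12" secret && echo "issuer.p12 -> PEM: same certificate"
to_pem "$WORK/issuer.der" > "$WORK/issuer-for-ocsp.pem"   # file to hand to 'openssl ocsp -issuer'
```

openssl ocsp takes -issuer as a file name, so write the converted certificate to a file and pass that.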


outlook express

2003-06-17 Thread Emil Stanchev

CAN SOMEBODY HELP?

Hi, I am new to SSL and I am in desperate need to create a certificate for Outlook Express.
I tried hard with some SSL HOW TO and with a tutorial on a site called eclectica... something but Outlook keeps rejecting the certificates I make.

I need the certificates for a small network on which users need just a little assurance, nothing more.

10X in advance for any help provided.

RE: outlook express

2003-06-17 Thread Pascal Rodrigue

Hi,

First, make sure that your openssl.cnf has the correct configuration. After that, your first step is to create a certification authority to sign user email certificates.

CA:

openssl rand -out .rnd 1024

openssl req -new -x509 -keyout CA.key -out CA.crt -days 9132 -config openssl.cnf

User certificate:

openssl genrsa -rand .rnd -out [your_key_filename].key -des3 1024   (create your private key)

openssl req -new -key [your_key_filename].key -out [your_csr_filename].csr -config openssl.cnf   (create a certificate signing request)

(Now you have to enter all information for the certificate; match the common name with the email address of the user)

CA (signing):

openssl ca -config openssl.cnf -extensions [section_of_openssl_for_email_certificate] -policy policy_match -out NewCert.crt -notext -days 9132 -infiles [your_csr_filename].csr

Convert your new certificate to p12 format:

openssl pkcs12 -export -in newcert.crt -out user_email_cert.p12 -name "My Certificate"

My openssl email certificate section:

[ email ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# For normal client use this is typical
nsCertType = client, email

# This is typical in keyUsage for a client certificate.
keyUsage = digitalSignature, keyEncipherment, dataEncipherment

extendedKeyUsage=emailProtection

# This will be displayed in Netscape's comment listbox.
nsComment       = "Certificat S/MIME"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always

#nsCaRevocationUrl   = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

I hope this can help you. I'm almost new to SSL so if I'm doing wrong tell me, but as I know, that's working for me ;o)

Bye

---
Pascal Rodrigue
IT Analyst
Operations Division
IT and Telecommunications Service
Pavillon Louis-Jacques-Casault, local 2410
Université Laval, Québec, Canada, G1K 7P4
[EMAIL PROTECTED]

Life is not just the sum of the obstacles one meets each day. Life, the real one, is the way one gets over them!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Emil Stanchev
Sent: 17 June 2003 08:17
To: [EMAIL PROTECTED]
Subject: outlook express

CAN SOMEBODY HELP?

Hi, I am new to SSL and I am in desperate need to create a certificate for Outlook Express.

I tried hard with some SSL HOW TO and with a tutorial on a site called eclectica... something but Outlook keeps rejecting the certificates I make.

I need the certificates for a small network on which users need just a little assurance, nothing more.

10X in advance for any help provided.
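As an added end-to-end example (not the reply's own setup), the steps above run against a throw-away CA: the [ email ] section is the one from the reply, while the directory layout, the subjects and the import password import-me are assumptions. The last two commands check what a mail client effectively checks: that the certificate chains to the CA and carries the S/MIME purpose.

```shell
set -e
# Constructed example (not the poster's setup): a throw-away CA running the reply's steps end to end.
issue_smime_cert() {   # prints the path of the resulting .p12 bundle
  CA=$(mktemp -d); cd "$CA"; mkdir newcerts; : > index.txt; echo 01 > serial   # 'openssl ca' state
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/CA.crt
private_key = $dir/CA.key
default_md = sha256
[ policy_match ]
countryName = match
organizationName = match
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ email ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
EOF
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 9132 -config openssl.cnf \
    -extensions v3_ca -subj "/C=CA/O=Example Org/CN=Example CA" \
    -keyout CA.key -out CA.crt 2>/dev/null                         # the CA
  openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
    -subj "/C=CA/O=Example Org/CN=alice@example.com/emailAddress=alice@example.com" \
    -keyout alice.key -out alice.csr 2>/dev/null                   # user key + CSR
  openssl ca -batch -config openssl.cnf -extensions email -policy policy_match \
    -notext -days 9132 -in alice.csr -out alice.crt >/dev/null     # CA signs it
  openssl pkcs12 -export -in alice.crt -inkey alice.key -certfile CA.crt \
    -name "My Certificate" -passout pass:import-me -out alice.p12  # constructed password
  openssl verify -CAfile CA.crt alice.crt >/dev/null               # chain is valid
  openssl x509 -in alice.crt -noout -purpose | grep -q 'S/MIME signing : Yes'
  echo "$CA/alice.p12"
}
P12=$(issue_smime_cert)
```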

PKCS12 MAC password

2003-06-17 Thread gianni
Hello,

I need to create and parse a PKCS#12 with the -twopass option. How can I provide the MAC password to the openssl pkcs12 command directly from the command line? The -passin option allows specifying the password for the input key (with the -export option) or for the import in the parsing operation.

Thanks for your help



Problem building openssl-0.97b on alpha-dec-osf1

2003-06-17 Thread LDC - Pablo Endres Lozada

Hi, I've been trying to build openssl-0.97b on an alpha with
Tru64 4.0g and gcc-3.2.3 for a couple of days now with no luck.

I'm doing the config with the following line:
./Configure --openssldir=%{openssldir} alpha-gcc zlib \
threads shared no-bio

This is the error that I'm getting:
make[2]: Entering directory
`/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto/err'gcc -I.. -I../..
-I../../include -DZLIB -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H
-DOPENSSL_NO_KRB5 -DSSL_ALLOW_ADH -D_REENTRANT -DOPENSSL_NO_BIO
-DOPENSSL_NO_ERR -O3   -c -o err.o err.c
err.c: In function `ERR_add_error_data':
err.c:1007: incompatible type for argument 1 of `__builtin_stdarg_start'
err.c:1034: incompatible type for argument 1 of `__builtin_va_end'
err.c:1011: first argument to `va_arg' not of type `va_list'
make[2]: *** [err.o] Error 1
make[2]: Leaving directory
`/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto/err'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory
`/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto'
make: *** [sub_all] Error 1

If I use
./Configure --openssldir=%{openssldir} alpha-gcc zlib \
threads shared
I get the following:
gcc -I.. -I../.. -I../../include -DZLIB -DOPENSSL_THREADS -DDSO_DLFCN
-DHAVE_DLFCN_H -DOPENSSL_NO_KRB5 -DSSL_ALLOW_ADH -D_REENTRANT
-DOPENSSL_NO_ERR -O3   -c -o b_print.o b_print.c
b_print.c: In function `_dopr':
b_print.c:238: first argument to `va_arg' not of type `va_list'
b_print.c:258: first argument to `va_arg' not of type `va_list'
b_print.c:297: first argument to `va_arg' not of type `va_list'
b_print.c:300: first argument to `va_arg' not of type `va_list'
b_print.c:303: first argument to `va_arg' not of type `va_list'
b_print.c:306: first argument to `va_arg' not of type `va_list'
b_print.c: In function `BIO_printf':
b_print.c:771: incompatible type for argument 1 of
`__builtin_stdarg_start'
b_print.c:775: incompatible type for argument 1 of `__builtin_va_end'
b_print.c: In function `BIO_snprintf':
b_print.c:817: incompatible type for argument 1 of
`__builtin_stdarg_start'
b_print.c:821: incompatible type for argument 1 of `__builtin_va_end'
make[2]: *** [b_print.o] Error 1
make[2]: Leaving directory
`/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto/bio'
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory
`/usr/local/src/dec/BUILD/openssl-0.9.7b/crypto'


I'm working on Tru64 4.0g with gcc-3.2.3

Any ideas on what's going on?

-- 
Democracy is two wolves and a sheep voting on what to have for dinner.
Liberty is two wolves attempting to have a sheep for dinner and
finding a well-informed, well-armed sheep.





something maybe out of topic

2003-06-17 Thread Rafael Lara

Dear users:

Good afternoon to all! I am trying to study all the features in OpenSSL, but I know nothing about ASN.1, OIDs, Distinguished Names, etc.

Where can I find information about this? I read the manual pages for OpenSSL, but need more information.

Thanks in advance

Rafael Lara


Error using BIO_set_conn_ip

2003-06-17 Thread Marcus Carey

I am using the BIO_set_conn_ip() macro to set the local loopback address 127.0.0.1. However, I am getting the following errors. The file bss_conn.c shows the host to be 49.50.55.46 although I set it to 127.0.0.1.

** C:\Client\Client.c:38 Error connecting to remote machine
7336:error:0200274C:system library:connect:reason(1868):C:\OpenSSL\crypto\bio\bss_conn.c:269:host=49.50.55.46:16001
7336:error:20073067:BIO routines:CONN_STATE:connect error:C:\OpenSSL\crypto\bio\bss_conn.c:273:

Marcus

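The host=49.50.55.46 in the error above is the string "127." read as four raw bytes: BIO_set_conn_ip() expects the address as four binary bytes, which the BIO_C_SET_CONNECT handling in bss_conn.c formats with %d.%d.%d.%d, whereas BIO_set_conn_hostname() is the call that takes the dotted string. The shell functions below (added here, not from the post) reproduce the encoding in both directions.

```shell
# string_bytes: the byte values BIO_set_conn_ip() sees when handed a C string
string_bytes() {   # $1 = the string; prints the codes of its first four characters, dotted
  s=$(printf '%s' "$1" | cut -c1-4); out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}                    # split off the first character
    out="$out${out:+.}$(printf '%d' "'$c")"       # append its numeric code
  done
  printf '%s\n' "$out"
}
decode_dotted_bytes() {   # the reverse: "49.50.55.46" -> the characters those codes stand for
  printf '%s\n' "$1" | tr '.' '\n' | while read -r byte; do
    printf "$(printf '\\%03o' "$byte")"
  done
  echo
}
AS_SEEN=$(string_bytes "127.0.0.1")        # 49.50.55.46, the host= value in the error above
MEANT=$(decode_dotted_bytes 49.50.55.46)   # 127.
echo "host=$AS_SEEN is the string '$MEANT' read as raw bytes"
```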


RE: something maybe out of topic

2003-06-17 Thread Steven Reddie

For ASN.1, start with "A Layman's Guide to a Subset of ASN.1, BER, and DER". You will find a copy at http://security.polito.it/asn1/layman.pdf. A search on Google for "distinguished name" should return you some useful information.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rafael Lara
Sent: Wednesday, 18 June 2003 7:35 AM
To: [EMAIL PROTECTED]
Subject: something maybe out of topic

Dear users:

Good afternoon to all! I am trying to study all the features in OpenSSL, but I know nothing about ASN.1, OIDs, Distinguished Names, etc.

Where can I find information about this? I read the manual pages for OpenSSL, but need more information.

Thanks in advance

Rafael Lara