Re: FQDN
Hi Richard, In your case, it is the client want to check server. I know it is common to check server's location. But now I want to check client as well. The server doesn't know where the client comes from, so the server needs to get client's ip address and then its FQDN. I think this problem is security model related. If your client's location is very flexible, from one domain to another, then we can't check it based where it is from. In this case, maybe u can create a list for the client's legtimate locations. Ciao Jacky - Original Message - From: "Richard Koenning" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, July 23, 2003 10:20 AM Subject: Re: FQDN > Jue (Jacky) Shu wrote: > > Sorry, Richard. > > Maybe I didn't put it clearly. > > There r two names, one is from the certificate, another one is from DNS. > > They must match. > > The other one is *not* from DNS, but from the *user* (step 1 from Lutz' > list). The user wants to connect to a specific site, and the system has > to ensure that it does, what the *user* wants. Therefore, get the FQDN > from the *user* and ensure that the name from the certificate agrees > with the FQDN from the *user*. > Ciao, > Richard > -- > Dr. Richard W. Könning > Fujitsu Siemens Computers GmbH, EP LP COM 5 > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FQDN
Jue (Jacky) Shu wrote: Sorry, Richard. Maybe I didn't put it clearly. There r two names, one is from the certificate, another one is from DNS. They must match. The other one is *not* from DNS, but from the *user* (step 1 from Lutz' list). The user wants to connect to a specific site, and the system has to ensure that it does, what the *user* wants. Therefore, get the FQDN from the *user* and ensure that the name from the certificate agrees with the FQDN from the *user*. Ciao, Richard -- Dr. Richard W. Könning Fujitsu Siemens Computers GmbH, EP LP COM 5 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FQDN
Sorry, Richard. Maybe I didn't put it clearly. There r two names, one is from the certificate, another one is from DNS. They must match. Jacky - Original Message - From: "Richard Koenning" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, July 23, 2003 9:43 AM Subject: Re: FQDN > Jue (Jacky) Shu wrote: > > Yes, Lutz. That's why I want to check peer's FQDN against which on its > > certificate. > > Look at Lutz' list. You get already in step 1 the FQDN from the *user*, > so there is no need for further actions to find out the peer's FQDN. > Ciao, > Richard > -- > Dr. Richard W. Könning > Fujitsu Siemens Computers GmbH, EP LP COM 5 > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FQDN
Jue (Jacky) Shu wrote: Yes, Lutz. That's why I want to check peer's FQDN against which on its certificate. Look at Lutz' list. You get already in step 1 the FQDN from the *user*, so there is no need for further actions to find out the peer's FQDN. Ciao, Richard -- Dr. Richard W. Könning Fujitsu Siemens Computers GmbH, EP LP COM 5 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: openssl+zlib /MD problem
I have been linking applications with both OpenSSL and ZLIB for many years now without difficulties. My guess is that either your app is not using the MSVCRT.DLL or that your are linking to some other library which is using an alternative C Runtime library. Jeffrey Altman Andrew Marlow wrote: The openssl FAQ and INSTALL.W32 warn about a corruption problem if an app does not use the multithreaded DLL option /MD, given that the build of openssl uses it. However, I am seeing the exact opposite of this problem. This is a desperate appeal for help. I build openssl using the following steps: cd vcvars32 perl Configure -DZLIB -I VC-WIN32 ms\do_ms nmake -f ms\ntdll.mak This causes it to be built using /MD. I link with a ZLIB that has also been built using /MD. I get what appears to be a C++ exception upon return from SSL_write. This cannot be, since openssl is written in C. I presume that some sort of corruption occurs. When my own app links with a ZLIB that does not use /MD, the problem goes away. I notice that someone else posted that there might be memory corruptions in 0.9.7b so I tried the snapshot that was made last night. Same problem. I also tried adding a call to CRYPTO_malloc_init() as the first line in subroutine main(). Again, no effect. Any ideas? Regards, Andrew Marlow There is an emerald here the size of a plover's egg! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] smime.p7s Description: S/MIME Cryptographic Signature
RE: Please help
Thanks for that Steve, that was the conclusion I had just come to. Now I need to convince by bosses. I wonder if they'll pay me to write things from scratch? Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson Sent: 23 July 2003 13:52 To: [EMAIL PROTECTED] Subject: Re: Please help On Wed, Jul 23, 2003, steve thornton wrote: > Yes I've noticed this. Basically I am making an embedded client, and am > looking for every way possible to reduce code size, and obj_dat is very big. > I've more or less concluded that it is not worth the trouble, but 24k is > 24k. > It surely should be possible to parse the essential info (Issuer, Subject > and public key info etc.) from a cert. without having all the machinery that > is in OpenSSL, but achieving that within the context of OpenSSL at present > would be a *lot* of work. Would you agree, have you any comments? > Well if its embedded then binary compatibility wont matter if you can just recompile everything. You can delete a large number of objects in objects.txt without any major harm. There are other areas you can also look into to reduce code size such as crypto and digest algorithms, extension code, PKCS#12, PKCS#7, ENGINE etc etc. It would be *very* difficult to try to restrict OpenSSL to the sizes claimed for some SSL libraries (40K I've heard quoted for one), so hard in fact that starting again might be less effort. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FQDN
Yes, Lutz. That's why I want to check peer's FQDN against which on its certificate. Actually, just like what Steve said before, even the hacker can spoof DNS, he still needs peer's certificates and key to masquerade the owner of that key. Checking of the FQDN is an extra step to prevent this to happen. Jacky - Original Message - From: "Lutz Jaenicke" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, July 23, 2003 8:43 AM Subject: Re: FQDN > On Wed, Jul 23, 2003 at 01:28:36PM +0100, Dan Kendall wrote: > > I'm a newcomer to this crypto business and maybe I'm a little confused... I > > don't want to hijack this conversation but surely somebody from evil.bar.com > > could provide a certificate signed by a trusted party for example.foo.com. > > After all, the certificate is public right? So something else, be it DNS > > related or otherwise, must be needed to make sure the connection is sound. > > Is it not common practice to do a test encryption, thereby ensuring the > > 'other end' has a private key to match the public key in the certificate? > > This is an elementary part of the protocol. Your party will send its > certificate _and_ will cryptographically sign it with the private key. > Therefore only the holder of the private key will be able to use the > public key being part of the certificate. > > Again: DNS is not secure. Therefore the standards (RFCs) describing > the use of TLS for certain protocols insist on: > 1 choose a peer and remember its NAME > 2 look up the peer in DNS, if required to establish the connection > 3 perform the TLS handshake and obtain the peer's certificate > 4 check validity of the certificate (expiry, CA, ...) > 5 check whether the subject certified is identical to NAME > > Point 2 (DNS lookup) is only an auxilliary step required due to the > network protocol used. It does not have any security implications beyond > the fact that it is not trustworthy. The security comes from step 5. > > Best regards, > Lutz > -- > Lutz Jaenicke [EMAIL PROTECTED] > http://www.aet.TU-Cottbus.DE/personen/jaenicke/ > BTU Cottbus, Allgemeine Elektrotechnik > Universitaetsplatz 3-4, D-03044 Cottbus > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Client certs
Check these pages: http://www.mysql.com/doc/en/Secure_basics.html http://www.mysql.com/doc/en/Secure_Create_Certs.html http://www.mysql.com/doc/en/Secure_GRANT.html You need to have a certificate for the server and the client signed by the same CA. Hope this helps Bart... -Original Message- From: theoharis tsenis [mailto:[EMAIL PROTECTED] Sent: 22 July 2003 21:26 To: [EMAIL PROTECTED] Subject: Client certs Hi, i am trying to use openssl under mysql. I finally compile everything and they looks ok. At the PC of the mysql-server i create a signed-certificate for the server and a signed-certificate for a client. When i connect to the mysql from the console of the PC everything works fine. But when i connect to the mysql from a remote client there are some questions (newbie in the openssl). Fist what certificates to use to the remote clients, secondly the creation of these certificates must be done at the remote clients seperately or just copy-paste the certs, thirdly the mysql-server need to have stored locally remote clients certs? Please advice or redirect me? Get advanced SPAM filtering on Webmail or POP Mail ... Get Lycos Mail! http://login.mail.lycos.com/r/referral?aid=27005 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Please help
On Wed, Jul 23, 2003, steve thornton wrote: > Yes I've noticed this. Basically I am making an embedded client, and am > looking for every way possible to reduce code size, and obj_dat is very big. > I've more or less concluded that it is not worth the trouble, but 24k is > 24k. > It surely should be possible to parse the essential info (Issuer, Subject > and public key info etc.) from a cert. without having all the machinery that > is in OpenSSL, but achieving that within the context of OpenSSL at present > would be a *lot* of work. Would you agree, have you any comments? > Well if its embedded then binary compatibility wont matter if you can just recompile everything. You can delete a large number of objects in objects.txt without any major harm. There are other areas you can also look into to reduce code size such as crypto and digest algorithms, extension code, PKCS#12, PKCS#7, ENGINE etc etc. It would be *very* difficult to try to restrict OpenSSL to the sizes claimed for some SSL libraries (40K I've heard quoted for one), so hard in fact that starting again might be less effort. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: FQDN
Thank you, that makes more sense. Regards, Dan > -Original Message- > From: Lutz Jaenicke [mailto:[EMAIL PROTECTED] > Sent: 23 July 2003 13:44 > To: [EMAIL PROTECTED] > Subject: Re: FQDN > > > On Wed, Jul 23, 2003 at 01:28:36PM +0100, Dan Kendall wrote: > > I'm a newcomer to this crypto business and maybe I'm a > little confused... I > > don't want to hijack this conversation but surely somebody > from evil.bar.com > > could provide a certificate signed by a trusted party for > example.foo.com. > > After all, the certificate is public right? So something > else, be it DNS > > related or otherwise, must be needed to make sure the > connection is sound. > > Is it not common practice to do a test encryption, thereby > ensuring the > > 'other end' has a private key to match the public key in > the certificate? > > This is an elementary part of the protocol. Your party will send its > certificate _and_ will cryptographically sign it with the private key. > Therefore only the holder of the private key will be able to use the > public key being part of the certificate. > > Again: DNS is not secure. Therefore the standards (RFCs) describing > the use of TLS for certain protocols insist on: > 1 choose a peer and remember its NAME > 2 look up the peer in DNS, if required to establish the connection > 3 perform the TLS handshake and obtain the peer's certificate > 4 check validity of the certificate (expiry, CA, ...) > 5 check whether the subject certified is identical to NAME > > Point 2 (DNS lookup) is only an auxilliary step required due to the > network protocol used. It does not have any security > implications beyond > the fact that it is not trustworthy. The security comes from step 5. > > Best regards, > Lutz > -- > Lutz Jaenicke > [EMAIL PROTECTED] > http://www.aet.TU-Cottbus.DE/personen/jaenicke/ > BTU Cottbus, Allgemeine Elektrotechnik > Universitaetsplatz 3-4, D-03044 Cottbus > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] > __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FQDN
On Wed, Jul 23, 2003 at 01:28:36PM +0100, Dan Kendall wrote: > I'm a newcomer to this crypto business and maybe I'm a little confused... I > don't want to hijack this conversation but surely somebody from evil.bar.com > could provide a certificate signed by a trusted party for example.foo.com. > After all, the certificate is public right? So something else, be it DNS > related or otherwise, must be needed to make sure the connection is sound. > Is it not common practice to do a test encryption, thereby ensuring the > 'other end' has a private key to match the public key in the certificate? This is an elementary part of the protocol. Your party will send its certificate _and_ will cryptographically sign it with the private key. Therefore only the holder of the private key will be able to use the public key being part of the certificate. Again: DNS is not secure. Therefore the standards (RFCs) describing the use of TLS for certain protocols insist on: 1 choose a peer and remember its NAME 2 look up the peer in DNS, if required to establish the connection 3 perform the TLS handshake and obtain the peer's certificate 4 check validity of the certificate (expiry, CA, ...) 5 check whether the subject certified is identical to NAME Point 2 (DNS lookup) is only an auxilliary step required due to the network protocol used. It does not have any security implications beyond the fact that it is not trustworthy. The security comes from step 5. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Please help
Yes I've noticed this. Basically I am making an embedded client, and am looking for every way possible to reduce code size, and obj_dat is very big. I've more or less concluded that it is not worth the trouble, but 24k is 24k. It surely should be possible to parse the essential info (Issuer, Subject and public key info etc.) from a cert. without having all the machinery that is in OpenSSL, but achieving that within the context of OpenSSL at present would be a *lot* of work. Would you agree, have you any comments? many thanks Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson Sent: 23 July 2003 12:36 To: [EMAIL PROTECTED] Subject: Re: Please help On Wed, Jul 23, 2003, steve thornton wrote: > Hi > > I've been trying to edit and rebuild the ASN.1 database using objects.pl. I > am having problems understanding what is going on. As I understand it, the > file to edit is objects.txt, but if I change this file in any way, then > objects.pl no longer works. Can anybody please tell me what I should be > doing here? > If the added lines use the correct syntax you should be OK as long as you call 'make update'. You should be careful about deleting lines from objects.txt because this will break binary compatibility with any applications that use the NIDs directly: they'd need to be recompiled. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FQDN
On Wed, Jul 23, 2003, Dan Kendall wrote: > Hi, > > I'm a newcomer to this crypto business and maybe I'm a little confused... I > don't want to hijack this conversation but surely somebody from evil.bar.com > could provide a certificate signed by a trusted party for example.foo.com. > After all, the certificate is public right? So something else, be it DNS > related or otherwise, must be needed to make sure the connection is sound. > Is it not common practice to do a test encryption, thereby ensuring the > 'other end' has a private key to match the public key in the certificate? > > Again, apologies for interrupting but I am now quite confused, > The way the SSL/TLS handshake works means that it will fail if the server does not have access to the private key corresponding to the certificate it claims to be its own. In one case the client send some data (the premaster secret) encrypted using the servers certified public key and both sides derive various session keys based on it. If the server cannot decrypt this data it can't derive the session keys and the handshake fails. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
CPAN.pm: "I could not find your OpenSSL"
I want to install the Perl module Net::SSLeay.pm, which requires "OpenSSL-0.9.6j or 0.9.7b or newer," but the installer script complains that it cannot find my OpenSSL. I have tried supplying various directories (/usr/bin, /etc/ssl, /usr/lib/ssl), but the installer can't find OpenSSL in any of them. Just to make sure, I uninstalled and re-installed from openssl_0.9.7b-2_i386.deb (I use Linux Debian). Still, no luck. So either I need to install some other package in addition to openssl_0.9.7b-2_i386.deb, or else the "installation directory" for OpenSSL is completely non-obvious, (or the installer for Net::SSLeay is broken). I could not find any other openssl-related packages (such as openssl-devel) at the Debian site. (I am trying hard to install everything on this machine from *.deb package files with apt-get or dpkg). If anybody can throw me a cluebrick on this I would greatly appreciate it. Thanks in advance. Best regards, Kynn PS: Please Cc: me in your replies. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: FQDN
Hi, I'm a newcomer to this crypto business and maybe I'm a little confused... I don't want to hijack this conversation but surely somebody from evil.bar.com could provide a certificate signed by a trusted party for example.foo.com. After all, the certificate is public right? So something else, be it DNS related or otherwise, must be needed to make sure the connection is sound. Is it not common practice to do a test encryption, thereby ensuring the 'other end' has a private key to match the public key in the certificate? Again, apologies for interrupting but I am now quite confused, Dan > -Original Message- > From: David Schwartz [mailto:[EMAIL PROTECTED] > Sent: 23 July 2003 02:55 > To: [EMAIL PROTECTED] > Subject: RE: FQDN > > > > > > Thank you, David and Steve. > > Yes, it will be a big problem if someone spoof DNS, > > but it can prevent man-in-the-middle to some extent. > > No, it cannot. > > > If the DNS is sabotaged, what can we do? > > What should I believe? :-) > > You should ignore the DNS entirely. If you receive a > certificate signed by > a trusted authority, you can believe that you are talking to > the entity > whose name appears in that certificate. All a > man-in-the-middle can do in > that case is break the connection. > > I don't understand why you care about DNS at all. If > you receive a > certificate with a common name of 'foo.example.com', you are > talking to > 'foo.example.com', period. It doesn't matter what IP address > you connected > to, connect to you, or what it resolves or doesn't resolve to. > > DS > > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] > __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: A question about ENGINE
On Wed, Jul 23, 2003, Michiels Olivier wrote: > Hi, > I've developped my own ENGINE with OpenSSL. I use that ENGINE to use the > private keys of my root certificates. Those certificates are used to > sign X509 certificates, CRLs and OCSP responses. > On the other part, one of my component that use the ENGINE must open a > ssl connection, the private key and the certificate are not used by the > ENGINE. > My question is, how can I setup a ssl connection without having the > ENGINE used by the SSL connection ? > If the SSL private keys aren't ENGINE specific then the SSL connection will use the default implementation of the relevant algorithms. If the code that loads your ENGINE replaces the default implementation then it will be used for SSL. You can however make private keys ENGINE specific so the relevant routines call the ENGINEs own private key code and don't use the default implementation. This is handled when the keys are initialized. If they call RSA_new() which ends up calling RSA_new_method(NULL) then they will use the default implementation. If instead they are initialized with RSA_new_method(engine) then they will always use 'engine'. So the solution to your case would be to not replace the default ENGINE implementation and to initialize the keys you want to use the ENGINE appropriately. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Please help
On Wed, Jul 23, 2003, steve thornton wrote: > Hi > > I've been trying to edit and rebuild the ASN.1 database using objects.pl. I > am having problems understanding what is going on. As I understand it, the > file to edit is objects.txt, but if I change this file in any way, then > objects.pl no longer works. Can anybody please tell me what I should be > doing here? > If the added lines use the correct syntax you should be OK as long as you call 'make update'. You should be careful about deleting lines from objects.txt because this will break binary compatibility with any applications that use the NIDs directly: they'd need to be recompiled. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: ca certificate
On Tue, Jul 22, 2003, 5468696A6D656E wrote: > (resend because it seems not to have arrived at the list, maybe because it > is subscribers only?) > > Sorry if this has been asked before, but i have a few questions regarding > creating a ca root certificate: I create the root certificate like this: > > ../openssl req -config ../ca.cnf -x509 -new -days 3652 -out > domain_comCA.cert -keyout domain_comCA.key > > The resulting .cert file i use in apache's SSLCACertificateFile config entry > > Then i create a pkcs12 file for people to download (because that supports > the "friendly name") ../openssl pkcs12 -export -nokeys -inkey > domain_comCA.key -in domain_comCA.cert -out file.p12 -caname "Domain.com > Certification Authority" -name "Domain.com" > > Later on i create a site certificate for a server, which will get signed by > this root certificate. It all works really nice, however i do have some > questions: > > How can i add a "issuer statement" so you user can check on with the CA's > policy is. (this is usually a url) The pkcs12 exports the private key as > well, allthough i thought -nokeys should prevent that. Why is that? I saw > no difference with or without -nokeys in the exported pkcs12 file. (the have > the same size) I dont want my private key up for download, so how can i > prevent that? > In OpenSSL 0.9.7 and earlier -nokeys only affects outputted files when converting from PKCS#12 to PEM. Many browsers only handle PKCS#12 files properly when a private key is included and give strange errors when one is absent. Some of the newer versions can handle them though so OpenSSL 0.9.8 does handle -nokeys when creating a PKCS#12 file. Read the FAQ as to why you shouldn't include the CA private key: it reduces your CA security to zero. Instead you should send the file with a link including it as type application/x-x509-cacert and an appropriate extension such as .cer The policy can be set using the certificatePolicies extension, see doc/openssl.txt. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
ca certificate
(resend because it seems not to have arrived at the list, maybe because it is subscribers only?) Sorry if this has been asked before, but i have a few questions regarding creating a ca root certificate: I create the root certificate like this: ../openssl req -config ../ca.cnf -x509 -new -days 3652 -out domain_comCA.cert -keyout domain_comCA.key The resulting .cert file i use in apache's SSLCACertificateFile config entry Then i create a pkcs12 file for people to download (because that supports the "friendly name") ../openssl pkcs12 -export -nokeys -inkey domain_comCA.key -in domain_comCA.cert -out file.p12 -caname "Domain.com Certification Authority" -name "Domain.com" Later on i create a site certificate for a server, which will get signed by this root certificate. It all works really nice, however i do have some questions: How can i add a "issuer statement" so you user can check on with the CA's policy is. (this is usually a url) The pkcs12 exports the private key as well, allthough i thought -nokeys should prevent that. Why is that? I saw no difference with or without -nokeys in the exported pkcs12 file. (the have the same size) I dont want my private key up for download, so how can i prevent that? Please include my email when replying, as i am not on this list. Thanx! Th. -- __Thijmen Klok __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
openssl+zlib /MD problem
The openssl FAQ and INSTALL.W32 warn about a corruption problem if an app does not use the multithreaded DLL option /MD, given that the build of openssl uses it. However, I am seeing the exact opposite of this problem. This is a desperate appeal for help. I build openssl using the following steps: cd vcvars32 perl Configure -DZLIB -I VC-WIN32 ms\do_ms nmake -f ms\ntdll.mak This causes it to be built using /MD. I link with a ZLIB that has also been built using /MD. I get what appears to be a C++ exception upon return from SSL_write. This cannot be, since openssl is written in C. I presume that some sort of corruption occurs. When my own app links with a ZLIB that does not use /MD, the problem goes away. I notice that someone else posted that there might be memory corruptions in 0.9.7b so I tried the snapshot that was made last night. Same problem. I also tried adding a call to CRYPTO_malloc_init() as the first line in subroutine main(). Again, no effect. Any ideas? Regards, Andrew Marlow There is an emerald here the size of a plover's egg! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Please help
I *think* I understand it now, but any clarification etc. would still be most appreciated. Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of steve thornton Sent: 23 July 2003 10:09 To: [EMAIL PROTECTED] Subject: Please help Hi I've been trying to edit and rebuild the ASN.1 database using objects.pl. I am having problems understanding what is going on. As I understand it, the file to edit is objects.txt, but if I change this file in any way, then objects.pl no longer works. Can anybody please tell me what I should be doing here? many many thanks Steve __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
CRL
HiI want to make a ca.crl file for my apache revocation. Now I executed thefollowing commands:>openssl ca -gencrl -out CRL/crl.pem>openssl ca -revoke cert.pemSo, I think this is the way to distribute the CRL to browsers (am I right?),what are the commands for creating the ca.crl file on the server side?Thanks for your helpmichael
Please help
Hi I've been trying to edit and rebuild the ASN.1 database using objects.pl. I am having problems understanding what is going on. As I understand it, the file to edit is objects.txt, but if I change this file in any way, then objects.pl no longer works. Can anybody please tell me what I should be doing here? many many thanks Steve __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
A question about ENGINE
Hi, I've developped my own ENGINE with OpenSSL. I use that ENGINE to use the private keys of my root certificates. Those certificates are used to sign X509 certificates, CRLs and OCSP responses. On the other part, one of my component that use the ENGINE must open a ssl connection, the private key and the certificate are not used by the ENGINE. My question is, how can I setup a ssl connection without having the ENGINE used by the SSL connection ? Thanks, Michiels Olivier
