Re: client certificates and Net::SSLeay
Ok, I think I figured out one problem: the client side was using a cert signed with a password-protected key, which my script was unable to deal with. Having fixed that, I am now getting

    error 140890B2 : SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

on the server side, and

    error: 14094418 : SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

on the client side. Looking at the Net::SSLeay module, it seems to fail on the 'get_peer_certificate' line. I'm presuming that it has a list of known CAs somewhere, and hence there must be some way of adding another CA to it. Does anyone know if there is a function to do this? Is it Net::SSLeay::CTX_set_client_CA_list() by any chance? I can't seem to find any examples for this; could someone point me in the right direction?

Thanks Lutz for letting me know about the 'openssl errstr' command by the way, it's quite useful!

Thanks,
Stella

On Wed, Nov 12, 2003 at 12:51:58PM +0100, Lutz Jaenicke wrote:
> On Wed, Nov 12, 2003 at 10:53:58AM +, Stella Power wrote:
> > I was wondering if anyone on this list could help me. I'm trying to use the post_https() function in Net::SSLeay to post to a website that needs a valid client certificate.
> > ...
> > However, the server fails to validate my cert. I'm not sure if it is the module or my actual cert which is wrong. I then used the path to newcert.pem for $cert_path above, and the path to newreq.pem as the $key_path above (post_https() line).
> >
> > I get the following errors in /var/log/httpd/error_log:
> >
> >     mod_ssl: SSL handshake failed (server renegade.dev.ie.alphyra.com:443, client 192.168.1.146) (OpenSSL library error follows)
> >     [error] OpenSSL: error:140890C7:lib(20):func(137):reason(199)
>
>     [EMAIL PROTECTED]:~/cc/openssl-0.9.7-stable/ssl$ openssl errstr 140890C7
>     error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
>
> Your client does not send a certificate, even though requested. So the problem is on the client side.
> Best regards,
> Lutz
> --
> Lutz Jaenicke [EMAIL PROTECTED]
> http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> BTU Cottbus, Allgemeine Elektrotechnik
> Universitaetsplatz 3-4, D-03044 Cottbus

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
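The three error codes in this thread (140890B2 and 14094418 on Stella's side, 140890C7 in Lutz's httpd log) are packed 32-bit values, which is why `openssl errstr` can turn them into text. As an added example that is not part of this thread and not OpenSSL's own code, the Python below unpacks the 0.9.x/1.x layout (8 bits library, 12 bits function, 12 bits reason) and renders the result in the same colon-separated form as errstr. The lookup tables are constructed for the example and hold only the names that appear in error strings quoted on this page (including 140760FC from the s_server message further down); anything else is printed numerically, exactly as OpenSSL does when its string tables are not loaded (`lib(20):func(137):reason(199)`). Reasons of 1000 and above are TLS alerts received from the peer, offset by 1000, so 14094418 resolves to alert 48, the unknown_ca alert the server returned. OpenSSL 3.0 changed this packing and no longer encodes function codes, so the decoder applies to the releases discussed here.

```python
"""Unpack OpenSSL 0.9.x/1.x packed error codes the way `openssl errstr` does.

Added example, not OpenSSL's own code. Layout (matching the errstr output
quoted in this thread): 8 bits library, 12 bits function, 12 bits reason.
"""

# Constructed lookup tables: only the names that appear in the error strings
# quoted on this page. Unknown numbers are printed as lib(n)/func(n)/reason(n),
# which is what OpenSSL itself prints when its string tables are not loaded.
LIB_NAMES = {20: "SSL routines"}
FUNC_NAMES = {
    118: "SSL23_GET_CLIENT_HELLO",
    137: "SSL3_GET_CLIENT_CERTIFICATE",
    148: "SSL3_READ_BYTES",
}
REASON_NAMES = {
    178: "no certificate returned",
    199: "peer did not return a certificate",
    252: "unknown protocol",
    1048: "tlsv1 alert unknown ca",
}
# OpenSSL reports a TLS alert received from the peer as reason 1000 + alert number.
ALERT_REASON_OFFSET = 1000


def _to_int(code):
    """Accept either the hex string printed in logs ("140890C7") or an int."""
    value = int(code, 16) if isinstance(code, str) else int(code)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("OpenSSL error codes are 32-bit values: %r" % (code,))
    return value


def unpack_error(code):
    """Split a packed code into (lib, func, reason)."""
    value = _to_int(code)
    return (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF


def describe_error(code):
    """Render the code in the same colon-separated form as `openssl errstr`."""
    value = _to_int(code)
    lib, func, reason = unpack_error(value)
    return ":".join([
        "error:%08X" % value,
        LIB_NAMES.get(lib, "lib(%d)" % lib),
        FUNC_NAMES.get(func, "func(%d)" % func),
        REASON_NAMES.get(reason, "reason(%d)" % reason),
    ])


def peer_alert(code):
    """TLS alert number if the reason encodes an alert sent by the peer, else None."""
    _, _, reason = unpack_error(code)
    return reason - ALERT_REASON_OFFSET if reason >= ALERT_REASON_OFFSET else None


if __name__ == "__main__":
    # The four codes quoted on this page.
    for code in ("140890B2", "14094418", "140890C7", "140760FC"):
        alert = peer_alert(code)
        suffix = " (peer sent alert %d)" % alert if alert is not None else ""
        print(describe_error(code) + suffix)
```

Reading the two sides together is the useful part: the server's reason 178 ("no certificate returned") is its own verdict, while the client's reason 1048 is an alert the server sent, so the client-side message is reporting the server's decision, not a local failure. In a Net::SSLeay or Apache deployment the same split applies when triaging logs: decode the client-side alert first, then look for the matching server-side reason.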
Re: BIO bug
Shema wrote:
> Hello friends, this bug exists from the earlier versions of OpenSSL, and the question is why it is not fixed yet? :) Currently I am using openssl-0.9.7c.tar.gz. So, this code crashes on any WIN32 platform, Visual C++ 6.0 compiler:
>
>     #include <stdio.h>
>     #include <openssl/bio.h>
>
>     int main(void)
>     {
>         BIO *bio;
>         char buf[] = "HELLO";   /* sizeof(buf) is 6, so the terminating NUL is written too */
>
>         bio = BIO_new_fp(stdout, BIO_NOCLOSE);
>         BIO_write(bio, buf, sizeof(buf));
>         BIO_flush(bio);
>         BIO_free(bio);
>         return 0;
>     }

From: Thomas Monjalon [EMAIL PROTECTED]

From the FAQ:
--
Your application must link against the same version of the Win32 C-Runtime against which your OpenSSL libraries were linked. The default version for OpenSSL is /MD - Multithreaded DLL. If you are using Microsoft Visual C++'s IDE (Visual Studio), in many cases your new project most likely defaulted to Debug Singlethreaded - /ML. This is NOT interchangeable with /MD and your program will crash, typically on the first BIO related read or write operation.

Shema wrote:
> Thanks a lot, it helped, I had multithreaded C-Runtime. As I see, that's a big difference between multithreaded and multithreaded DLL.

From Stephen Henson's website:
---
I've lost count of the number of times someone asks why they can't read a private key encrypted with a password in a program or why a Windows program crashes on the first BIO call. ;-)

= RTFM
Re: How to setting Issuing Distribution Point in CRL?
On Wed, Nov 12, 2003, Thitikorn Trakoonsirisak wrote:
> Hi, I have sent mail to this mailing list to ask about how to set Issuing Distribution Point in CRL, but there is no answer. It is important for my work. I tried to search documents on many websites but I can't find an answer, so I send this question again. I hope there is someone who can shed some light.

It isn't directly supported at this time, though it may be in future. If you merely wish to copy an existing IDP you can use the asn1parse tools along with the DER option in the config file. If you want to create your own then, as Nils mentions, the mini ASN1 generator in 0.9.8-dev is one option, though you need a fair bit of ASN1 knowledge to use them and produce the correct encoding.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://drh-consultancy.demon.co.uk
Getting connect errors on openssl from vbssl client
Hi all,

I tried to connect from my client SSL (part of the VisiBroker ORB SSL lib). When connecting to OpenSSL, I get the following errors on the OpenSSL side:

    ERROR 18650:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Any clues as to why I get the above error?

thanks,
-Sriram

-- OpenSSL server errors:

    su-ultra10# openssl s_server -cert cert.pem -key cert.key -debug
    ACCEPT
    read from 0014E1C8 [00158508] (11 bytes = 11 (0xB))
    47 49 4f 50 01 02                                 GIOP..
    000b - <SPACES/NULS>
    ERROR
    18650:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:634:
    shutting down SSL
    CONNECTION CLOSED
    ACCEPT

-- Client side messages:

    0440,11/12/03 5:53 AM,010.077.240.060,00018199,VBJ-Application,main,NOTICE,Created a new outgoing connection: Connection[socket=Socket[addr=codc3-xdm1.cisco.com/192.122.173.179,port=4433,localport=40301]]
    Adding to active connections: Connection[socket=Socket[addr=codc3-xdm1.cisco.com/192.122.173.179,port=4433,localport=40301]]
    0441,11/12/03 5:53 AM,010.077.240.060,00018199,VBJ-Application,main,INFO,reconnected
    Writing 164 bytes at offset 0 to Socket[addr=codc3-xdm1.cisco.com/192.122.173.179,port=4433,localport=40301] timeout 0 msecs... complete
    Reading 12 bytes at offset 0 from Socket[addr=codc3-xdm1.cisco.com/192.122.173.179,port=4433,localport=40301] with timeout 0 msecs ... failed
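The `s_server -debug` dump above records what the server actually read before it reported "unknown protocol": the connection opened with the bytes 47 49 4f 50, the ASCII string GIOP, rather than a TLS record header (0x16 0x03 ...) or an SSLv2-compatible ClientHello. As an added example that is not part of the original message and not VisiBroker or OpenSSL code, the Python below classifies the opening bytes a TLS listener receives, which is a quick triage step whenever SSL23_GET_CLIENT_HELLO errors show up in a server log: it tells a TLS handshake record, an SSLv2-style hello, and cleartext sent to a TLS port apart. The hex line is constructed from the dump above; the TLS and SSLv2 samples in the test are constructed as well.

```python
"""Triage the first bytes a TLS listener receives (added example, not OpenSSL's code).

`openssl s_server -debug` dumps every read; when the first read does not start with
a TLS record header or an SSLv2 hello, the "unknown protocol" error follows.
"""


def parse_debug_hex(line):
    """Convert the hex column of an s_server -debug dump line ("47 49 4f 50 01 02") to bytes."""
    return bytes(int(tok, 16) for tok in line.split())


def classify_client_bytes(data):
    """Label what the opening bytes on a TLS port look like."""
    if len(data) < 3:
        return "too short"
    # TLS / SSLv3 record header: content type 0x16 (handshake), major version 3
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03:
        return "tls-handshake"
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    # followed by message type 1 (CLIENT-HELLO)
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    # Printable ASCII at the very start means a cleartext protocol reached the TLS port
    if all(0x20 <= b < 0x7F for b in data[:4]):
        return "plaintext:" + data[:4].decode("ascii")
    return "unknown"


if __name__ == "__main__":
    # Constructed from the dump in the message above: the server's first six bytes.
    first_read = parse_debug_hex("47 49 4f 50 01 02")
    print(classify_client_bytes(first_read))        # plaintext:GIOP
```

Seeing a readable protocol magic in the first four bytes means the client never started a TLS handshake on that socket; the server's "unknown protocol" is therefore a symptom of the client side (or a port mismatch), not of the certificate or key loaded into s_server.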
verify the digital signature
Hi,

I used the following command to create a signature:

    openssl dgst -sign private_keyFile -out outFile inputFile

However, why can the signature not be verified using the corresponding self-signed certificate?

    openssl dgst -signature signatureFile -verify certFile inputFile

What's wrong? Thanks.
Re: client certificates and Net::SSLeay
Ok, never mind, got it working. My server certificate had expired. Thanks for all your help.

Stella

On Wed, Nov 12, 2003 at 01:23:15PM +, Stella Power wrote:
> Ok, I think I figured out one problem: the client side was using a cert signed with a password-protected key, which my script was unable to deal with. Having fixed that, I am now getting
>
>     error 140890B2 : SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>
> on the server side, and
>
>     error: 14094418 : SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>
> on the client side. Looking at the Net::SSLeay module, it seems to fail on the 'get_peer_certificate' line. I'm presuming that it has a list of known CAs somewhere, and hence there must be some way of adding another CA to it. Does anyone know if there is a function to do this? Is it Net::SSLeay::CTX_set_client_CA_list() by any chance? I can't seem to find any examples for this; could someone point me in the right direction?
>
> Thanks Lutz for letting me know about the 'openssl errstr' command by the way, it's quite useful!
>
> Thanks,
> Stella
RE: BIO bug
Please remove my id from user list. Id: [EMAIL PROTECTED]

.muralidharan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Shema
Sent: Wednesday, November 12, 2003 7:01 PM
To: [EMAIL PROTECTED]
Subject: Re: BIO bug

Thanks a lot, it helped, I had multithreaded C-Runtime. As I see, that's a big difference between multithreaded and multithreaded DLL.

----- Original Message -----
From: Thomas Monjalon [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 2:49 PM
Subject: Re: BIO bug

> From the FAQ:
> --
> Your application must link against the same version of the Win32 C-Runtime against which your OpenSSL libraries were linked. The default version for OpenSSL is /MD - Multithreaded DLL. If you are using Microsoft Visual C++'s IDE (Visual Studio), in many cases your new project most likely defaulted to Debug Singlethreaded - /ML. This is NOT interchangeable with /MD and your program will crash, typically on the first BIO related read or write operation.