config file to generate request with asn1parse
Hello,

some time ago I posted a question to this list about how to generate a certificate request, knowing only the public key. One of the answers I got was to generate a request manually from its fields, then hack the openssl utilities so they don't check the signature on the request.

The new function asn1parse -genconf in 0.9.8dev seems to address the issue of manual generation, and the question arises: how should the config file look, for asn1parse -genconf to generate a certificate request? I've already succeeded in generating a valid (i.e. acceptable by openssl utilities) RSA public key in DER format with asn1parse -genconf, but this one seems a little trickier.

Regards,
Vladimir Slepnev
Programmer, IVK Systems
Moscow, Russia
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: config file to generate request with asn1parse
Can anyone help me with my Windows Async sockets questions? I have it working fine on Unix, and I'm hoping I don't have to modify my app to use select or polling.

TIA,
Tuviah
Re: async windows sockets
Oops sorry wrong thread.

Can anyone help me with my Windows Async sockets questions? I have it working fine on Unix, and I'm hoping I don't have to modify my app to use select or polling.

TIA,
Tuviah
Re: Printing ssl handshake messages...
Sriram R [EMAIL PROTECTED] writes:

> Is it possible to print the ssl handshake and keys exchanged on the openssl side?..If so how?

I recommend using ssldump URL: http://www.rtfm.com/ssldump/ .

--
Jostein Tveit ([EMAIL PROTECTED])
Re: config file to generate request with asn1parse
On Tue, Dec 02, 2003, Слепнев Владимир wrote:

> Hello, some time ago I posted a question to this list about how to generate a certificate request, knowing only the public key. One of the answers I got was to generate a request manually from its fields, then hack the openssl utilities so they don't check the signature on the request.
>
> The new function asn1parse -genconf in 0.9.8dev seems to address the issue of manual generation, and the question arises: how should the config file look, for asn1parse -genconf to generate a certificate request? I've already succeeded in generating a valid (i.e. acceptable by openssl utilities) RSA public key in DER format with asn1parse -genconf, but this one seems a little trickier.

I didn't actually mean it like that. What I meant was this...

1. Create a certificate request using any private key using the OpenSSL 'req' utility.

2. Write a short program that reads in the request and the new public key. It should call X509_REQ_set_pubkey() then write the request out again. This will have the correct public key but an invalid signature.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: async windows sockets
On Tue, Dec 02, 2003, tuviah snyder wrote:

> Oops sorry wrong thread. Can anyone help me with my Windows Async sockets questions? I have it working fine on Unix, and I'm hoping I don't have to modify my app to use select or polling.

OpenSSL socket BIOs don't care how you decide data is available on whatever the host OS version of a socket is. All that matters is that it is using the correct I/O commands and that it can correctly determine how much data (if any) is available.

Under Windows the socket BIOs use send/recv on the relevant socket as long as that's OK for the method you are using it should work.

If that isn't OK you could either write your own BIO for the relevant transport you are using or use a BIO pair and process the data at an application level.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
intermediate CA
Hello,

My question is: I created a certificate chain: usr.cert-CA_1.cert-CA.cert, where CA.cert is a self-signed certificate and is imported as a trusted certificate. Signing CA_1's request with CA's private key and certificate generates CA_1.cert. Signing usr's request with CA_1's private key and CA_1.cert generates usr.cert.

However, when I tried to verify the certificate chain using third party software, I got the following error: CA_1.cert is not a valid CA. But with a certificate chain containing only two certificates: usr.cert-CA.cert, the verification is ok.

So my question is: how can I create a valid intermediate CA?

Thanks,
Wu
Seg fault in BN_mod_exp
I might be doing something really stupid, but I checked my code again and don't seem to be able to find it. I'm trying to use the function BN_mod_exp for values which are earlier generated by other BN_* functions. Here's the code:

    e = BN_new();
    /* e = (a ^ t) (mod(phi)) */
    if (!BN_mod_exp(e, a, t, phi, ctx)) {
        BIO_printf(bio_err, "Can't calculate e = 2^t mod(phi)");
        ERR_print_errors(bio_err);
        goto err5;
    }

I get the following error from gdb:

    Program received signal SIGSEGV, Segmentation fault.
    0x4cd31169 in free () from /lib/libc.so.6
    (gdb)

An example set of values generated by the program before segfaulting are:

    p: E885D06663F9DAF3
    q: E3DCF32C591FF3A5
    n: CEF757A92F690551B3D2C608994BC79F
    (p-1): E885D06663F9DAF2
    (q-1): E3DCF32C591FF3A4
    phi: CEF757A92F69054FE7700275DC31F908
    t: 2710
    a: 2 /*achieved by using BN_dec2bn*/

I would appreciate any help on this.

thanks,
Ashu
Re: intermediate CA
On Tue, Dec 02, 2003, Jia L Wu wrote:

> Hello, My question is: I created a certificate chain: usr.cert-CA_1.cert-CA.cert, where CA.cert is a self-signed certificate and is imported as a trusted certificate. Signing CA_1's request with CA's private key and certificate generates CA_1.cert. Signing usr's request with CA_1's private key and CA_1.cert generates usr.cert.
>
> However, when I tried to verify the certificate chain using third party software, I got the following error: CA_1.cert is not a valid CA. But with a certificate chain containing only two certificates: usr.cert-CA.cert, the verification is ok.
>
> So my question is: how can I create a valid intermediate CA?

The default extensions when OpenSSL signs a certificate request for security reasons are only usable in an end entity EE certificate. You can however sign as a CA instead by using the appropriate command line switches.

If you are using CA.pl then CA.pl -signCA will do. If you are using either the 'ca' or the 'x509' utilities then -extensions v3_ca should work.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: Seg fault in BN_mod_exp
On Tue, Dec 02, 2003, Ashutosh Jaiswal wrote:

> I might be doing something really stupid, but I checked my code again and don't seem to be able to find it. I'm trying to use the function BN_mod_exp for values which are earlier generated by other BN_* functions. Here's the code:
>
>     e = BN_new();
>     /* e = (a ^ t) (mod(phi)) */
>     if (!BN_mod_exp(e, a, t, phi, ctx)) {
>         BIO_printf(bio_err, "Can't calculate e = 2^t mod(phi)");
>         ERR_print_errors(bio_err);
>         goto err5;
>     }
>
> I get the following error from gdb:
>
>     Program received signal SIGSEGV, Segmentation fault.
>     0x4cd31169 in free () from /lib/libc.so.6
>     (gdb)
>
> An example set of values generated by the program before segfaulting are:
>
>     p: E885D06663F9DAF3
>     q: E3DCF32C591FF3A5
>     n: CEF757A92F690551B3D2C608994BC79F
>     (p-1): E885D06663F9DAF2
>     (q-1): E3DCF32C591FF3A4
>     phi: CEF757A92F69054FE7700275DC31F908
>     t: 2710
>     a: 2 /*achieved by using BN_dec2bn*/
>
> I would appreciate any help on this.

Why don't you compile it with debugging symbols so it's possible to see where it crashed?

That looks like you are manually working out the CRT components... the standard OpenSSL RSA functions will do that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: Seg fault in BN_mod_exp
Dr. Stephen Henson wrote:

> On Tue, Dec 02, 2003, Ashutosh Jaiswal wrote:
>
>> I might be doing something really stupid, but I checked my code again and don't seem to be able to find it. I'm trying to use the function BN_mod_exp for values which are earlier generated by other BN_* functions. Here's the code:
>>
>>     e = BN_new();
>>     /* e = (a ^ t) (mod(phi)) */
>>     if (!BN_mod_exp(e, a, t, phi, ctx)) {
>>         BIO_printf(bio_err, "Can't calculate e = 2^t mod(phi)");
>>         ERR_print_errors(bio_err);
>>         goto err5;
>>     }
>>
>> I get the following error from gdb:
>>
>>     Program received signal SIGSEGV, Segmentation fault.
>>     0x4cd31169 in free () from /lib/libc.so.6
>>     (gdb)
>>
>> An example set of values generated by the program before segfaulting are:
>>
>>     p: E885D06663F9DAF3
>>     q: E3DCF32C591FF3A5
>>     n: CEF757A92F690551B3D2C608994BC79F
>>     (p-1): E885D06663F9DAF2
>>     (q-1): E3DCF32C591FF3A4
>>     phi: CEF757A92F69054FE7700275DC31F908
>>     t: 2710
>>     a: 2 /*achieved by using BN_dec2bn*/
>>
>> I would appreciate any help on this.
>
> Why don't you compile it with debugging symbols so it's possible to see where it crashed?

I'll do that and report back.

> That looks like you are manually working out the CRT components... the standard OpenSSL RSA functions will do that.

CRT? I'm trying to implement a Time lock crypto puzzle as documented at:

http://theory.lcs.mit.edu/~rivest/RivestShamirWagner-timelock.ps

I don't know if this is already implemented in OpenSSL.

thanks,
Ashu
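An added illustration, not part of the thread and not the poster's code: the computation named in the message above (e = 2^t mod phi, then b = a^e mod n) next to the t sequential squarings a solver without phi has to perform, in plain C with 64-bit integers instead of BIGNUMs. The primes, a = 3, t = 10000 and all function names are constructed for the example; it does not diagnose the reported crash.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy parameters (not from the thread): two small primes, so every
 * product of two residues fits in 64 bits. Real puzzles use BIGNUM-sized n. */
#define P   65521ULL
#define Q   65537ULL
#define N   (P * Q)
#define PHI ((P - 1) * (Q - 1))

static uint64_t gcd(uint64_t x, uint64_t y) {
    while (y) { uint64_t r = x % y; x = y; y = r; }
    return x;
}

/* base^exp mod m by square-and-multiply; requires m < 2^32.
 * This is the operation BN_mod_exp() performs on BIGNUMs. */
uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    for (base %= m; exp; exp >>= 1) {
        if (exp & 1) r = r * base % m;
        base = base * base % m;
    }
    return r;
}

/* Puzzle creator: knows phi, so computes e = 2^t mod phi, then b = a^e mod n.
 * Returns 0 if a is not coprime to n (Euler's theorem would not apply). */
uint64_t timelock_create(uint64_t a, uint64_t t, uint64_t n, uint64_t phi) {
    if (gcd(a % n, n) != 1) return 0;
    uint64_t e = powmod(2, t, phi);
    return powmod(a, e, n);
}

/* Puzzle solver: does not know phi, so must square a mod n t times in sequence. */
uint64_t timelock_solve(uint64_t a, uint64_t t, uint64_t n) {
    uint64_t b = a % n;
    for (uint64_t i = 0; i < t; i++) b = b * b % n;
    return b;
}

int main(void) {
    uint64_t a = 3, t = 10000;
    printf("creator: %llu\n", (unsigned long long)timelock_create(a, t, N, PHI));
    printf("solver:  %llu\n", (unsigned long long)timelock_solve(a, t, N));
    return 0;
}
```

Both lines print the same value; the creator needs two modular exponentiations while the solver's cost grows linearly with t.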
Re: Seg fault in BN_mod_exp
Dr. Stephen Henson wrote:

> On Tue, Dec 02, 2003, Ashutosh Jaiswal wrote:
>
>> I might be doing something really stupid, but I checked my code again and don't seem to be able to find it. I'm trying to use the function BN_mod_exp for values which are earlier generated by other BN_* functions. Here's the code:
>>
>>     e = BN_new();
>>     /* e = (a ^ t) (mod(phi)) */
>>     if (!BN_mod_exp(e, a, t, phi, ctx)) {
>>         BIO_printf(bio_err, "Can't calculate e = 2^t mod(phi)");
>>         ERR_print_errors(bio_err);
>>         goto err5;
>>     }
>>
>> I get the following error from gdb:
>>
>>     Program received signal SIGSEGV, Segmentation fault.
>>     0x4cd31169 in free () from /lib/libc.so.6
>>     (gdb)
>>
>> An example set of values generated by the program before segfaulting are:
>>
>>     p: E885D06663F9DAF3
>>     q: E3DCF32C591FF3A5
>>     n: CEF757A92F690551B3D2C608994BC79F
>>     (p-1): E885D06663F9DAF2
>>     (q-1): E3DCF32C591FF3A4
>>     phi: CEF757A92F69054FE7700275DC31F908
>>     t: 2710
>>     a: 2 /*achieved by using BN_dec2bn*/
>>
>> I would appreciate any help on this.
>
> Why don't you compile it with debugging symbols so it's possible to see where it crashed?

Pardon my rather limited knowledge about debugging with gdb, but does this mean that there's some problem with glibc:

    Program received signal SIGSEGV, Segmentation fault.
    0x45964169 in free () from /lib/libc.so.6
    (gdb) i sym 0x45964169
    free + 74 in section .text
    (gdb) i sym free
    free in section .text

I recently upgraded my versions of glibc and gcc.

thanks,
Ashu
SSL_ERROR_SYSCALL in https client
Client: OpenSSL 0.9.6k, Windows98
WebServer: IIS 6.0 (Don't know the OS specifics)

My client app is getting this from SSL_get_error() after an SSL_read() returning 0. errno = ENOENT, which in the Win32 universe means no such file or directory.

This occurs on the 3rd successive SSL_read() in the act of downloading a web page. As it happens, I know the expected content being downloaded so I know that (in this case at least) all of the data has already been downloaded. All the other SSL_read() calls return fine, no errors, and I would expect the error on this call to be either SSL_ERROR_NONE or SSL_ERROR_ZERO_RETURN; that's what happens on all the other URLs we download. I always get this same error on this particular URL, though.

Any suggestions on the correct client behavior in this condition would be greatly appreciated.

-- kov
Re: Seg fault in BN_mod_exp
On Tue, Dec 02, 2003, Ashutosh Jaiswal wrote:

> Pardon my rather limited knowledge about debugging with gdb, but does this mean that there's some problem with glibc:
>
>     Program received signal SIGSEGV, Segmentation fault.
>     0x45964169 in free () from /lib/libc.so.6
>     (gdb) i sym 0x45964169
>     free + 74 in section .text
>     (gdb) i sym free
>     free in section .text
>
> I recently upgraded my versions of glibc and gcc.
>
> thanks,

Not necessarily. Recompile OpenSSL and your program with debugging symbols to see where or if it crashes in OpenSSL.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: Seg fault in BN_mod_exp
On Tue, Dec 02, 2003, Dr. Stephen Henson wrote:

> On Tue, Dec 02, 2003, Ashutosh Jaiswal wrote:
>
>> Pardon my rather limited knowledge about debugging with gdb, but does this mean that there's some problem with glibc:
>>
>>     Program received signal SIGSEGV, Segmentation fault.
>>     0x45964169 in free () from /lib/libc.so.6
>>     (gdb) i sym 0x45964169
>>     free + 74 in section .text
>>     (gdb) i sym free
>>     free in section .text
>>
>> I recently upgraded my versions of glibc and gcc.
>>
>> thanks,
>
> Not necessarily. Recompile OpenSSL and your program with debugging symbols to see where or if it crashes in OpenSSL.

Oh and a stacktrace in gdb (the 'where' command) helps :-)

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: Pop, imap cert
> > CN=pop.xxx.com
> > CN=smtp.xxx.com
> > CN=www.xxx.com
> >
> > That way, pop3, smtp and https can use the same certificate and the clients won't complain of a name mismatch.
>
> How do I add (or create) multiple CNs in a certificate?

I used openssl to create a root certificate and then used it again with that root to create the server certificate, with the multiple CNs.

Edit the openssl.cnf on the server and in the [req_distinguished_name] add as many CommonName(s) as you wish, thusly:

    0.CommonName = one name
    1.CommonName = another name
    ...

You get the idea. Then run openssl to generate the request, which you sign with the root cert.

For pop3s your clients need to import the root (I usually point them at a web server with the same root and get them to import from there). After that, the client won't get a security warning when they try to pop their email from the server.

If you want to pay money for a real cert, I'm not sure if you can. I would hope it's possible, you can certainly add multiple E= values to your DN (see my s/mime cert on this email if it hasn't been stripped).

And smtp-tls seems to be opportunistic and other than generating logs about the root, still seems to negotiate just fine.

> I would think TLS would be done on the standard POP3 port?

I was wrong, sorry. TLS can be negotiated in-band on the normal pop3 port, 110. But for outlook to use it you need to pick another port, not its suggested 995, and setup qpopper tls-support=alternate-port.

Just what I figured out, there may be better solutions.

-lee