Re: PHP ftp_ssl_connect - secure ftp via openssl

2004-01-20 Thread Joseph Bruni
Take a look at the "scp" program also which is another program that 
uses the SSH protocol.

Some other ideas are "rsync" over SSH, or you could use "curl" which 
will support HTTPS.

If the files don't change much, or if you need to sync up entire 
directories, rsync is the way to go.

FTP/SSL is a different protocol and not that common.



On Jan 20, 2004, at 7:56 PM, Mitch Sink wrote:

> Hi,
>
> Red Hat 9 (both systems)
>
> I need a secure way to transfer files between two systems running Red
> Hat Linux 9 by running a program or script from a cron. I would like
> to run a PHP program from the cron that calls ftp_ssl_connect to
> create a secure ftp connection using openssl:
> http://www.php.net/manual/en/function.ftp-ssl-connect.php
> ftp_ssl_connect -- Opens a Secure SSL-FTP connection
>
> I can connect to the remote host manually using sftp.  I can't connect
> manually using regular ftp (it's been turned off for security
> purposes).
>
> Is the problem that the remote server needs to be running ftp or vsftp
> instead of sftp?
>
> Thanks!
>
> Mitch

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]




PHP ftp_ssl_connect - secure ftp via openssl

2004-01-20 Thread Mitch Sink
Hi,

Red Hat 9 (both systems)

I need a secure way to transfer files between two systems running Red 
Hat Linux 9 by running a program or script from a cron. I would like 
to run a PHP program from the cron that calls ftp_ssl_connect to 
create a secure ftp connection using openssl:
http://www.php.net/manual/en/function.ftp-ssl-connect.php
ftp_ssl_connect -- Opens a Secure SSL-FTP connection

I can connect to the remote host manually using sftp.  I can't 
connect manually using regular ftp (it's been turned off for security 
purposes).

Is the problem that the remote server needs to be running ftp or 
vsftp instead of sftp?

Thanks!

Mitch



OpenSSL support for Tandem

2004-01-20 Thread Dan Hestand
I see that OpenSSL is supported on Tandem with OSS but has anyone done a
port to Tandem Non Stop OS without OSS?  Thanks for any info.

Dan Hestand
---
Senior Consultant
IONA Technologies, Inc
200 West Street
Waltham, MA 02451
781.902.8305


Re: Keep CRLs up-to-date

2004-01-20 Thread Dr. Stephen Henson
On Tue, Jan 20, 2004, Michael Helm wrote:

> Joseph Bruni writes:
> > -- call "curl" or "wget" to retrieve the CRL
> > -- use "openssl crl -nextupdate ..." to extract the update time
> > -- call "at" to schedule itself to run again in the future.
> 
> Here are some other things that would be worth taking into consideration.
> 
> In downloaded CRLs:
> Look for CRLv2 sequence numbers -- don't go backwards
>    [See RFC 3280 5.2.3 CRL Number -- does openssl understand this?
> probably not]

It can decode and display CRL Number and the data is accessible
programmatically. OpenSSL 0.9.8 can also issue CRLs using CRL Number.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: Keep CRLs up-to-date

2004-01-20 Thread Michael Helm
Joseph Bruni writes:
> -- call "curl" or "wget" to retrieve the CRL
> -- use "openssl crl -nextupdate ..." to extract the update time
> -- call "at" to schedule itself to run again in the future.

Here are some other things that would be worth taking into consideration.

In downloaded CRLs:
Look for CRLv2 sequence numbers -- don't go backwards
   [See RFC 3280 5.2.3 CRL Number -- does openssl understand this?
probably not]
Look for a downloaded "next update" that's _earlier_ than on the CRL you're
   replacing (this happened to us -- it's a very bad thing)

next update -
   schedule your next fetch at some reasonable time period before
"next update". Schedule the fetch to repeat until it gets something
new [see above sanity checks], at some reasonable interval. I suggest
you take startfetch = (now + nextupdate)/2 and then do some kind of
exponential check as nextupdate gets close. Provide an optional warning
message about this.

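The sanity checks and the fetch schedule described above, as an added Python example that is not from the thread: it assumes the CRL Number and nextUpdate have already been pulled out of the downloaded CRL (the parser handles the line that `openssl crl -noout -nextupdate` prints), and the 15-minute polling floor is a constructed value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CrlInfo:
    """CRL Number (RFC 3280 5.2.3) and nextUpdate, assumed already
    extracted from the downloaded CRL (e.g. via 'openssl crl -text')."""
    number: int
    next_update: datetime


def parse_next_update(line: str) -> datetime:
    """Parse the 'nextUpdate=Jan 20 12:00:00 2004 GMT' line printed by
    'openssl crl -noout -nextupdate'."""
    key, _, value = line.strip().partition("=")
    if key != "nextUpdate":
        raise ValueError(f"unexpected line: {line!r}")
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")


def check_replacement(installed: CrlInfo, downloaded: CrlInfo) -> tuple:
    """Apply the thread's sanity checks before swapping in a new CRL."""
    if downloaded.number < installed.number:
        return False, "CRL Number went backwards"
    if downloaded.next_update < installed.next_update:
        return False, "nextUpdate earlier than the CRL being replaced"
    if downloaded == installed:
        return False, "nothing new yet"
    return True, "ok"


def next_fetch_time(now: datetime, next_update: datetime,
                    floor: timedelta = timedelta(minutes=15)) -> datetime:
    """First fetch at the midpoint (now + nextUpdate)/2, then keep halving
    the remaining interval as nextUpdate approaches, but never poll more
    often than 'floor' (a constructed default)."""
    remaining = next_update - now
    if remaining <= 2 * floor:
        return now + floor
    return now + remaining / 2


def fetch_is_overdue(now: datetime, installed: CrlInfo) -> bool:
    """True once the installed CRL's nextUpdate has passed (warn loudly)."""
    return now >= installed.next_update
```

A cron or "at" job would call check_replacement after each download and reschedule itself at next_fetch_time, warning whenever fetch_is_overdue becomes true.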


Re: Keep CRLs up-to-date

2004-01-20 Thread Mark Foster
Arne Jørgensen wrote:
> Maybe I will finish my code and publish it.

Yes, please do!
--
=> Somedays it's just not worth chewing through the restraints...
=> Mark Foster <[EMAIL PROTECTED]> http://mark.foster.cc/


Re: Keep CRLs up-to-date

2004-01-20 Thread Arne Jørgensen
Joseph Bruni <[EMAIL PROTECTED]> writes:

> Actually, you could probably do this with a few lines of Perl. The
> nextupdate field can be read via "openssl crl -nextupdate ...". If you
> don't want to leave it running, you could probably schedule it to run
> at the appointed time using the "at" command. The whole program would
> consist of:

Yes. In fact I have some half-finished perl code doing this.

But I didn't want to reinvent the wheel. And I was looking for
something to recommend to other users. Something polished and
maintained which my code probably never will be.

Maybe I will finish my code and publish it.

Kind regards,
-- 
Arne Jørgensen
Valby Langgade 272, 1. tv., 2500 Valby
tlf: 36 44 18 03, mobil: 21 65 01 13
e-post: [EMAIL PROTECTED], 



Ports from OpenSSL to SSLeay

2004-01-20 Thread S.Mehdi Sheikhalishahi
Hi All,
 I developed a function (OpenSSL compatible) that
generates the hash value of messages. Now I want to port it
to SSLeay.


#include <openssl/evp.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>

/* Compute the digest named by digest_name over the NUL-terminated string
 * input.  digest must have room for EVP_MAX_MD_SIZE bytes; the number of
 * bytes actually written is returned through digest_len. */
void gen_digest(const char *digest_name, const char *input,
                unsigned char *digest, unsigned int *digest_len)
{
    EVP_MD_CTX mdctx;   /* stack-allocated context: OpenSSL 0.9.7-era API */
    const EVP_MD *md;
    unsigned char md_value[EVP_MAX_MD_SIZE];
    unsigned int md_len;

    OpenSSL_add_all_digests();

    md = EVP_get_digestbyname(digest_name);
    if (!md) {
        printf("Unknown message digest %s\n", digest_name);
        exit(1);
    }

    EVP_MD_CTX_init(&mdctx);
    EVP_DigestInit_ex(&mdctx, md, NULL);
    /* hash the caller's input directly; the original copied it into a
     * fixed 14-byte buffer with strcpy, which overflowed for longer input */
    EVP_DigestUpdate(&mdctx, input, strlen(input));
    EVP_DigestFinal_ex(&mdctx, md_value, &md_len);
    EVP_MD_CTX_cleanup(&mdctx);

    /* the digest is raw binary (may contain NUL bytes), so copy by length
     * rather than with strcpy */
    memcpy(digest, md_value, md_len);
    *digest_len = md_len;
}

int main(int argc, char *argv[])
{
    unsigned char md_value[EVP_MAX_MD_SIZE];
    unsigned int md_len, i;

    printf("Digest is: ");
    gen_digest("md5", "Salam", md_value, &md_len);
    for (i = 0; i < md_len; i++)
        printf("%02x", md_value[i]);
    printf("\n");
    return 0;
}

Please Help me



Re: Validate PDF signature with OpenSSL

2004-01-20 Thread Luis Pascual Forner
No. I have used Acrobat 5.

Finally I have validated the signature. It was not possible before because
Acrobat stores it BER encoded, not DER encoded. I did it with
Java and the Bouncy Castle APIs.

Ulf Moeller wrote:
> On Tue, Dec 30, 2003, Luis Pascual Forner wrote:
>
> > I'm trying to validate the signature of a PDF document using OpenSSL.
> >
> >   openssl dgst -sha1 -verify public_key -signature sign contents
> >
> > but the validation fails.
>
> Are you trying to validate signatures generated with Acrobat 6? For some
> obscure reason they hash the message twice and use an invalid OID.
> That means you will have to modify OpenSSL or any other PKCS#7 compliant
> application to verify Acrobat 6 signatures.
>
> Ulf



