Re: SSL and Python

2004-04-23 Thread Lukasz Wójcicki 
> > > > I have server SSL written in C and client SSL written by python.
Also, I
> > use
> > > > SSL non blocking in server SSL.
> > > > Beginning If I trying send any data to client, it's ok. In one
moment I
> > get
> > > > SSL_ERROR_WANT_WRITE. Because I have non blocking SSL in server, my
> > program
> > > > is suspend.
> > > > Maybe, someone have similar problem ?
> > > > I think that it is not correct that I have SSL_ERROR_WRITE.
> > >
> > > Getting non-blocking IO right is quite difficult.  There is a good
> > > starter explanation in the OpenSSL book pages 155 through 166,
> > > especially the section "Non-blocking IO" starting on page 159.
> > >
> > > Viega, Messier & Chandra; Network Security with OpenSSL,
> > > 2002, O'Reilly & Associates, Sebastapol CA USA
> > >
> > > http://www.everythinglinux.com.au/item/OR270X
> > >
> > > I would have given you the OReilly URL but their web site seems
> > > REALLY messed up today -- going to oreilly.com says "the proxy could
> > > not open the server"?
> > >
> >
> > I read about non blocking IO in documentation of OpenSSL. There is
written
> > that I have to call SSL_write when I get SSL_ERROR_WRITE. What I'm doing
bad
> > ?
> >
>
> Where does it say that? In general you should wait until the condition has
> been satisfied (in this case that its OK to write data) and retry the
failed
> call.
>

"If the underlying BIO is non-blocking, SSL_write() will also return, when
the underlying BIO could not satisfy the needs of SSL_write() to continue
the operation. In this case a call to SSL_get_error(3) with the return value
of SSL_write() will yield SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE. As at
any time a re-negotiation is possible, a call to SSL_write() can also cause
read operations! The calling process then must repeat the call after taking
appropriate action to satisfy the needs of SSL_write()"

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Success: Re: cannot compile openssl-0.9.7d into php-4.3.6 with apache-1.3.27 on Redhat 7.3

2004-04-23 Thread Richard Levitte - VMS Whacker 
In message <[EMAIL PROTECTED]> on Thu, 22 Apr 2004 22:38:33 -0700 (PDT), Mike Ryerse 
<[EMAIL PROTECTED]> said:

mikeryerse> I was able to finally get php-4.3.7-devel loaded into
mikeryerse> apache by removing my install of openssl-0.9.7d (by
mikeryerse> deleting /usr/local/ssl) and then installing
mikeryerse> openssl-0.9.6b-35.7.i386.rpm with 'rpm -Uvh --force' and
mikeryerse> installing openssl-devel-0.9.6b-35.7.i386.rpm with 'rpm
mikeryerse> -ivh --force'.  Apparently the version name says 0.9.6b
mikeryerse> but the build number (35.7) indicates it's newer than
mikeryerse> that.  Man I am one happy camper.

Yes, that's correct, RedHat are treating OpenSSL in their own special
way, mostly because there has been some incompatible changes since
0.9.6b.  I'm assuming they're trying to keep things backward
compatible as much as they can.

mikeryerse> Thanks for all of your help, this list has been a lot of
mikeryerse> help, especially Richard Levitte.

You're welcome.

I'd like to comment one more thing:

mikeryerse> > /usr/bin/ld: warning: libssl.so.2, needed by
mikeryerse> > /usr/local/lib/libcurl.so, may conflict with libssl.so.0.9.7
mikeryerse> > /usr/bin/ld: warning: libcrypto.so.2, needed by
mikeryerse> > /usr/local/lib/libcurl.so, may conflict with libcrypto.so.0.9.7

This made things quite clear.  I'm not entirely sure why PHP didn't
link with your build of OpenSSL, but it seems that it gets linked with
libcurl.so, which in turn was linked with /lib/libssl.so.2, and PHP
simply inherited that from libcurl.

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Problems compiling 0.9.7d for WCE

2004-04-23 Thread Antonio Ruiz Martínez 
Hello!

I'm compiling OpenSSL 0.9.7d for WCE but when I execute: nmake -f
ms\ce.mak
I'm getting the next error:

clarm.exe /Fotmp32_ARM\apps.obj -DMONOLITH -Iinc32 -Itmp32_ARM
/W3 /WX /
Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWCEPLATFORM=MS_POCKET_PC_2002 -DARM
-D_ARM_ -
DUNDER_CE=300 -D_WIN32_CE=300 -DUNICODE -D_UNICODE -DWIN32
-DWIN32_LEAN_AND_MEAN
 -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD -IC:\Programacion\wcecompat/include
/Fdout32_
ARM -DOPENSSL_NO_KRB5  -c .\apps\apps.c
apps.c
.\apps\apps.c(1621) : error C2143: syntax error : missing ')' before
'goto'
.\apps\apps.c(1896) : error C2143: syntax error : missing ')' before
'goto'
.\apps\apps.c(1932) : error C2143: syntax error : missing ')' before
'goto'
NMAKE : fatal error U1077: 'clarm.exe' : return code '0x2'
Stop.

Could you be so kind to help me, please?
Regards,
Antonio.

--
--
Antonio Ruiz Martínez
Faculty of Computer Science-University of Murcia
30071 Murcia - Spain
Telf: +34968364644 e-mail: [EMAIL PROTECTED]
--


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

signing a file with openssl

2004-04-23 Thread gilles . lami 
Hi,

I am trying to sign a file with openssl :

openssl rsautl -raw -sign -in coucou1.pdf -inkey gilles.pem -out sig
Enter pass phrase for gilles.pem:
RSA operation error
30452:error:0406B06E:rsa routines:RSA_padding_add_none:data too large for
key size:rsa_none.c:70:

I did not find anything clear about this error. My key size is 1024.

How do you sign files with openssl ?





**
Ce message electronique et tous les fichiers attaches qu'il contient sont 
confidentiels et destines exclusivement a l'usage de la personne a laquelle ils sont 
adresses.
Si vous avez recu ce message par erreur,merci de le retourner a son emetteur.
Les idees et opinions presentees dans ce messages sont celles de son auteur, et ne 
representent pas necessairement celles du Groupe HAYS plc ou d'une quelconque de ses 
filiales.
La publication, l'usage, la distribution, l'impression ou la copie non autorisee de ce 
message et des attachements qu'il contient sont strictement interdits.

Nous vous informons egalement que nous avons verifie l'absence de virus dans ce 
message mais que, malgre ce controle, nous ne saurions etre tenus pour responsables 
d'eventuels degats occasionnes par un virus non detecte.

This e-mail and any attached files are confidential and intended solely for the use of 
the individual to whom it is addressed.
If you have received this email in error please send it back to the person that sent 
it to you.
Any views or opinions presented are solely those of author and do not necessarily 
represent those the HAYS plc group or any of its subsidiary companies.
Unauthorized publication, use, dissemination, forwarding, printing or copying of this 
email and its associated attachments is strictly prohibited.

We also inform you that we have checked that this message does not contain any virus 
but we decline any responsability in case of any damage caused by an a non detected 
virus.
**

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Problems compiling 0.9.7d for WCE

2004-04-23 Thread Steven Reddie 
Hi Antonio,

A patch for this has been submitted and I'll work it into a larger set of
changes for supporting newer WCE SDKs.  To fix the problem that you're
having right now take a look at the source code at the locations listed
below and make sure that the closing ')' is included.  You'll see that an
#ifdef causes the ')' to be dropped, so just add it to the line above/below.

Regards,

Steven

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Antonio Ruiz Martínez
Sent: Friday, 23 April 2004 8:19 PM
To: [EMAIL PROTECTED]
Subject: Problems compiling 0.9.7d for WCE


Hello!

I'm compiling OpenSSL 0.9.7d for WCE but when I execute: nmake -f
ms\ce.mak I'm getting the next error:

clarm.exe /Fotmp32_ARM\apps.obj -DMONOLITH -Iinc32 -Itmp32_ARM /W3
/WX / Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWCEPLATFORM=MS_POCKET_PC_2002 -DARM
-D_ARM_ - DUNDER_CE=300 -D_WIN32_CE=300 -DUNICODE -D_UNICODE -DWIN32
-DWIN32_LEAN_AND_MEAN  -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD
-IC:\Programacion\wcecompat/include
/Fdout32_
ARM -DOPENSSL_NO_KRB5  -c .\apps\apps.c
apps.c
.\apps\apps.c(1621) : error C2143: syntax error : missing ')' before 'goto'
.\apps\apps.c(1896) : error C2143: syntax error : missing ')' before 'goto'
.\apps\apps.c(1932) : error C2143: syntax error : missing ')' before 'goto'
NMAKE : fatal error U1077: 'clarm.exe' : return code '0x2' Stop.

Could you be so kind to help me, please?
Regards,
Antonio.

--
--
Antonio Ruiz Martínez
Faculty of Computer Science-University of Murcia
30071 Murcia - Spain
Telf: +34968364644 e-mail: [EMAIL PROTECTED]
--


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: signing a file with openssl

2004-04-23 Thread Dr. Stephen Henson 
On Fri, Apr 23, 2004, [EMAIL PROTECTED] wrote:

> Hi,
> 
> I am trying to sign a file with openssl :
> 
> openssl rsautl -raw -sign -in coucou1.pdf -inkey gilles.pem -out sig
> Enter pass phrase for gilles.pem:
> RSA operation error
> 30452:error:0406B06E:rsa routines:RSA_padding_add_none:data too large for
> key size:rsa_none.c:70:
> 
> I did not find anything clear about this error. My key size is 1024.
> 
> How do you sign files with openssl ?

The raw RSA algorithm should not be used for signing files: it can only sign
data smaller than the modulus[*]. You can use the appropriate command line
options to the 'dgst' command instead.

[*] Exactly how much smaller depends on the padding used.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Crypt::SSLeay & client certificate authentication

2004-04-23 Thread Sean Evans 
Reposting this since it got lost in the churn.

I have a Perl script using that is failing mysteriously to connect with
an HTTPS site requiring client certificates for authentication. Here's
the command that allows me to connect to the site in question:

openssl s_client -connect hostname:443 -cert test.crt
 -key test.key -CAfile cacerts.crt -prexit

I can then do a GET on the directory protected with cert auth. Something
key to note is that the connection is not successfu1l unless -CAfile is
present to show the server that my client's certificate (test.crt)
chains to a CA trusted by the server.

Here is debug output from my script:

-BEGIN OUTPUT
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
-END OUTPUT-

The Perl module my script is using, Crypt::SSLeay, has options
comparable to -CAfile and -CAdir, but when specified I get the following
debug output which seems to be telling me that the *client* failed to
verify the server's cert:

-BEGIN OUTPUT-SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:unknown CA
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:bad certificate
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:failed in SSLv2 read server hello A
-END OUTPUT-

So I need to figure out where things are going wrong in Crypt::SSLeay,
which is basically just a wrapper around OpenSSL. Since I was successful
in connecting with s_client, I looked in s_client.c and found this:

  SSL_CTX_set_verify(ctx,verify,verify_callback);
  if (!set_cert_stuff(ctx,cert_file,key_file))
goto end;

  if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
  (!SSL_CTX_set_default_verify_paths(ctx)))
{
  /* BIO_printf(bio_err,"error setting default verify
locations\n"); */
  ERR_print_errors(bio_err);
  /* goto end; */
}

  store = SSL_CTX_get_cert_store(ctx);
  X509_STORE_set_flags(store, vflags);

  con=SSL_new(ctx);

So it would appear that SSL_CTX_load_verify_locations is the OpenSSL
function that gets called with CAfile. Looking inside SSLeay.xs, which
implements the Perl glue to OpenSSL functions, I find:

  SV*
  SSL_CTX_set_verify(ctx)
SSL_CTX* ctx
PREINIT:
  char* CAfile;
  char* CAdir;
CODE:
  CAfile=getenv("HTTPS_CA_FILE");
  CAdir =getenv("HTTPS_CA_DIR");

  if(!CAfile && !CAdir) {
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
RETVAL = newSViv(0);
  } else {
SSL_CTX_load_verify_locations(ctx,CAfile,CAdir);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
RETVAL = newSViv(1);
  }
OUTPUT:
  RETVAL

This appears to be doing the right thing since it calls
SSL_CTX_load_verify_locations, but I am unsure that I understand Perl XS
well enough to confirm this.

It may be unimportant, but the only suspicious thing I can see is that
s_client calls SSL_CTX_set_verify before calling
SSL_CTX_load_verify_locations whereas SSLeay.xs reverses the order of
those calls. Is that significant? If not, does anyone have hints as to
where to look for a solution?

Thanks,
-- 
Sean Evans

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: SSL and Python

2004-04-23 Thread Dr. Stephen Henson 
On Fri, Apr 23, 2004, Lukasz Wójcicki wrote:

> > >
> > > I read about non blocking IO in documentation of OpenSSL. There is
> written
> > > that I have to call SSL_write when I get SSL_ERROR_WRITE. What I'm doing
> bad
> > > ?
> > >
> >
> > Where does it say that? In general you should wait until the condition has
> > been satisfied (in this case that its OK to write data) and retry the
> failed
> > call.
> >
> 
> "If the underlying BIO is non-blocking, SSL_write() will also return, when
> the underlying BIO could not satisfy the needs of SSL_write() to continue
> the operation. In this case a call to SSL_get_error(3) with the return value
> of SSL_write() will yield SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE. As at
> any time a re-negotiation is possible, a call to SSL_write() can also cause
> read operations! The calling process then must repeat the call after taking
> appropriate action to satisfy the needs of SSL_write()"
> 

That doesn't actually say you have to call SSL_write() when you get
SSL_ERROR_WANT_WRITE irrespctive of the source. It says if SSL_write() returns
SSL_ERROR_WANT_WRITE you call SSL_write().

The general rule is that you retry the failed call which doesn't have to be
SSL_write().

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Réf. : Re: signing a file with openssl

2004-04-23 Thread LAMI, Gilles - DSIA 
Thank you !





"Dr. Stephen Henson" <[EMAIL PROTECTED]>
23/04/2004 14:38
Veuillez répondre à openssl-users

Pour :  [EMAIL PROTECTED]@[EMAIL PROTECTED] Hub
cc :
Objet : Re: signing a file with openssl 


On Fri, Apr 23, 2004, [EMAIL PROTECTED] wrote:

> Hi,
> 
> I am trying to sign a file with openssl :
> 
> openssl rsautl -raw -sign -in coucou1.pdf -inkey 
gilles.pem -out sig
> Enter pass phrase for gilles.pem:
> RSA operation error
> 30452:error:0406B06E:rsa 
routines:RSA_padding_add_none:data too large for
> key size:rsa_none.c:70:
> 
> I did not find anything clear about this error. My 
key size is 1024.
> 
> How do you sign files with openssl ?

The raw RSA algorithm should not be used for signing 
files: it can only sign
data smaller than the modulus[*]. You can use the 
appropriate command line
options to the 'dgst' command instead.

[*] Exactly how much smaller depends on the padding 
used.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see 
homepage
OpenSSL project core developer and freelance 
consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

__
OpenSSL Project 
http://www.openssl.org
User Support Mailing List[EMAIL 
PROTECTED]
Automated List Manager   
[EMAIL PROTECTED]




**
Ce message électronique et tous les fichiers attachés qu'il contient sont 
confidentiels et destinés exclusivement à l'usage de la personne à laquelle ils sont 
adressés.
Si vous avez reçu ce message par erreur,merci de le retourner à son émetteur.
Les idées et opinions présentées dans ce messages sont celles de son auteur, et ne 
représentent pas nécessairement celles du Groupe HAYS plc ou d'une quelconque de ses 
filiales.
La publication, l'usage, la distribution, l'impression ou la copie non autorisée de ce 
message et des attachements qu'il contient sont strictement interdits.

Nous vous informons également que nous avons vérifié l'absence de virus dans ce 
message mais que, malgré ce contrôle, nous ne saurions être tenus pour responsables 
d'éventuels dégâts occasionnés par un virus non détecté.

This e-mail and any attached files are confidential and intended solely for the use of 
the individual to whom it is addressed.
If you have received this email in error please send it back to the person that sent 
it to you.
Any views or opinions presented are solely those of author and do not necessarily 
represent those the HAYS plc group or any of its subsidiary companies.
Unauthorized publication, use, dissemination, forwarding, printing or copying of this 
email and its associated attachments is strictly prohibited.

We also inform you that we have checked that this message does not contain any virus 
but we decline any responsability in case of any damage caused by an a non detected 
virus.
**

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Securing a CA

2004-04-23 Thread Charles B Cranston 
Mark H. Wood wrote:

Um, feel free to point me elsewhere, but I'm having trouble visualizing
what's being discussed.  I keep reading "branched certificate chain", but
what I understood from the description is like this:

Before:OurRoot ---> Level1 ---> EndUsers
After:  IdenTrust ---> OurRoot ---> Level1 ---> EndUsers
What is the contents of the "issuer" field of the cert marked OurRoot?

Before: our name
After:  IdenTrust's name
So consider a browser that still has the OLD OurRoot sitting
it its disk file, and then it gets ANOTHER DIFFERENT OurRoot in the
chain shipped down from the server.
Now, it starts building the chain with EndUsers, gets to Level1 OK,
but when it wants to extend the next time, it has two choices,
the OLD OurRoot still in its disk file, and the NEW OurRoot
(which is not actually a root anymore) that came from the server.
I could draw you more complicated diagrams in the context of the
problem I was trying to solve last year: transparent upgrade from an
old local root to a new local root.  The approach I was trying was
various forms of "old root signed by new root" and "new root signed by
old root" but as I said I cannot show you something that actually works
because I didn't find one...   :-)
--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Success: Re: cannot compile openssl-0.9.7d into php-4.3.6 with apache-1.3.27 on Redhat 7.3

2004-04-23 Thread Mike Ryerse 
So do you think that if I would have re-installed curl and made sure
that it used libssl.so.0.9.7 instead of libssl.so.2 (and the same for
libcrypto.*) that PHP might have worked?

--- Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> wrote:
> In message <[EMAIL PROTECTED]> on
> Thu, 22 Apr 2004 22:38:33 -0700 (PDT), Mike Ryerse
> <[EMAIL PROTECTED]> said:
> 
> mikeryerse> I was able to finally get php-4.3.7-devel loaded into
> mikeryerse> apache by removing my install of openssl-0.9.7d (by
> mikeryerse> deleting /usr/local/ssl) and then installing
> mikeryerse> openssl-0.9.6b-35.7.i386.rpm with 'rpm -Uvh --force'
> and
> mikeryerse> installing openssl-devel-0.9.6b-35.7.i386.rpm with 'rpm
> mikeryerse> -ivh --force'.  Apparently the version name says 0.9.6b
> mikeryerse> but the build number (35.7) indicates it's newer than
> mikeryerse> that.  Man I am one happy camper.
> 
> Yes, that's correct, RedHat are treating OpenSSL in their own
> special
> way, mostly because there has been some incompatible changes since
> 0.9.6b.  I'm assuming they're trying to keep things backward
> compatible as much as they can.
> 
> mikeryerse> Thanks for all of your help, this list has been a lot
> of
> mikeryerse> help, especially Richard Levitte.
> 
> You're welcome.
> 
> I'd like to comment one more thing:
> 
> mikeryerse> > /usr/bin/ld: warning: libssl.so.2, needed by
> mikeryerse> > /usr/local/lib/libcurl.so, may conflict with
> libssl.so.0.9.7
> mikeryerse> > /usr/bin/ld: warning: libcrypto.so.2, needed by
> mikeryerse> > /usr/local/lib/libcurl.so, may conflict with
> libcrypto.so.0.9.7
> 
> This made things quite clear.  I'm not entirely sure why PHP didn't
> link with your build of OpenSSL, but it seems that it gets linked
> with
> libcurl.so, which in turn was linked with /lib/libssl.so.2, and PHP
> simply inherited that from libcurl.
> 
> -
> Please consider sponsoring my work on free software.
> See http://www.free.lp.se/sponsoring.html for details.
> 
> -- 
> Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
> [EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
> \  SWEDEN   \
> Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
> Member of the OpenSSL development team: http://www.openssl.org/
> 
> Unsolicited commercial email is subject to an archival fee of $400.
> See  for more info.
>
__
> OpenSSL Project
> http://www.openssl.org
> User Support Mailing List   
> [EMAIL PROTECTED]
> Automated List Manager  
[EMAIL PROTECTED]





__
Do you Yahoo!?
Yahoo! Photos: High-quality 4x6 digital prints for 25¢
http://photos.yahoo.com/ph/print_splash
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

DES write key out

2004-04-23 Thread Kai 








Hi,

 

Just a quick question on the DES library, I have generated and
scheduled a key to work with, but how do I see the contents of the key? I would
like to extract the key and write it to a file…

 

Thanks

 

John

Re: Problems compiling 0.9.7d for WCE

2004-04-23 Thread Antonio Ruiz Martínez 
Hello!

Steven Reddie wrote:

> Hi Antonio,
>
> A patch for this has been submitted and I'll work it into a larger set of
> changes for supporting newer WCE SDKs.  To fix the problem that you're
> having right now take a look at the source code at the locations listed
> below and make sure that the closing ')' is included.  You'll see that an
> #ifdef causes the ')' to be dropped, so just add it to the line above/below.
>

Ok. That's right,
Thanks a lot,
Antonio.


>
> Regards,
>
> Steven
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Antonio Ruiz Martínez
> Sent: Friday, 23 April 2004 8:19 PM
> To: [EMAIL PROTECTED]
> Subject: Problems compiling 0.9.7d for WCE
>
> Hello!
>
> I'm compiling OpenSSL 0.9.7d for WCE but when I execute: nmake -f
> ms\ce.mak I'm getting the next error:
>
> clarm.exe /Fotmp32_ARM\apps.obj -DMONOLITH -Iinc32 -Itmp32_ARM /W3
> /WX / Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DWCEPLATFORM=MS_POCKET_PC_2002 -DARM
> -D_ARM_ - DUNDER_CE=300 -D_WIN32_CE=300 -DUNICODE -D_UNICODE -DWIN32
> -DWIN32_LEAN_AND_MEAN  -DL_ENDIAN -DDSO_WIN32 -DNO_CHMOD
> -IC:\Programacion\wcecompat/include
> /Fdout32_
> ARM -DOPENSSL_NO_KRB5  -c .\apps\apps.c
> apps.c
> .\apps\apps.c(1621) : error C2143: syntax error : missing ')' before 'goto'
> .\apps\apps.c(1896) : error C2143: syntax error : missing ')' before 'goto'
> .\apps\apps.c(1932) : error C2143: syntax error : missing ')' before 'goto'
> NMAKE : fatal error U1077: 'clarm.exe' : return code '0x2' Stop.
>
> Could you be so kind to help me, please?
> Regards,
> Antonio.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Add a new signer to a PKCS#7

2004-04-23 Thread Antonio Ruiz Martínez 
Hello!

I'm trying to add a new signer to a PKCS#7 that I receive from
another person. In first term, I'm decoding the PKCS#7 and then I'm
trying to using my private key and my cert to sign the content of this
PKCS#7 and insert my signature in this PKCS#7 in order to get the PKCS#7
with the two signatures. The problem is that, when I'm verifying the
PKCS#7 obtained, with this code, the first signature is invalid and the
second one is valid (the first signature's signer).

I have parsed the result and I think the problem is the length of the
signature is 0.

Do you have any idea?
Could you help me, please?
Regards,
Antonio.


 PKCS7 *p7_Co=B64_read_PKCS7(in);
 if (p7_Co==NULL) {
  printf("Error\n");
 }
 BIO_free(in);

PKCS7_SIGNER_INFO
*si=PKCS7_add_signature(p7_Co,certCo,privKeyCo,EVP_md5());
PKCS7_add_certificate(p7_Co,certCo);

if ((p7bio=PKCS7_dataInit(p7_Co,NULL))==NULL) {
  return -1;
 }
 BIO_write(p7bio,ASN1_STRING_data(p7_Co->d.data),ASN1_STRING_length(p7_Co->d.data));

 BIO_flush(p7bio);
 if (!PKCS7_dataFinal(p7_Co,p7bio)) {
  return -2;
 }
 BIO_free(p7bio);

 int lenDerP7Co=i2d_PKCS7(p7_Co,NULL);
 unsigned char *derSignedP7Co=(unsigned char
*)malloc((lenDerP7Co)*sizeof(unsigned char));
 if ((derSignedP7Co)==NULL) {
  return -3;
 }
 unsigned char *tmpderP7Co=derSignedP7Co;
 lenDerP7Co=i2d_PKCS7(p7_Co,&tmpderP7Co);


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Add a new signer to a PKCS#7

2004-04-23 Thread Dr. Stephen Henson 
On Fri, Apr 23, 2004, Antonio Ruiz Martínez wrote:

> Hello!
> 
> I'm trying to add a new signer to a PKCS#7 that I receive from
> another person. In first term, I'm decoding the PKCS#7 and then I'm
> trying to using my private key and my cert to sign the content of this
> PKCS#7 and insert my signature in this PKCS#7 in order to get the PKCS#7
> with the two signatures. The problem is that, when I'm verifying the
> PKCS#7 obtained, with this code, the first signature is invalid and the
> second one is valid (the first signature's signer).
> 
> I have parsed the result and I think the problem is the length of the
> signature is 0.
> 

There isn't any way to do this cleanly with the current API. Ideally adding a
new signer should take the digest from the existing signer and add it to the
new signer data however this isn't supported at present.

The best you can do is to create a new PKCS#7 structure by signing the same
content then merge the two manually by modifying the PKCS7 structure
internals.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Problems decrypting PKCS# Private Key , Help needed

2004-04-23 Thread Carlos Roberto Zainos H 
Hi all!!!
 
Thanks again for the answers.
 
The question that I now post refers to decrypt a private key PBE (PKCS#5). I've working with priv/pub keys gotten from openssl, but now my C applications needs to work with ones generated with another application (commercial software). I've been discovered (with openssl help) that private key is in "clear" PEM format (not encrypted) and PBE (PKCS#5 v2(?)) protected (form DER: privkey.key ). My problem is that I can't decrypt that key for use this in my C application. Follows my code:
 
 alg = PKCS5_pbe2_set (EVP_des_cbc(), -1, NULL, 0); /*pkcs5 v2.0 */ err = EVP_PBE_CipherInit (alg->algorithm, password, strlen(password), alg->parameter, &ctx, decripta); /*descripta is defined as 0 */decr_buf = (unsigned char *) malloc (longitud + EVP_CIPHER_CTX_block_size(&ctx) + 1);
 err = EVP_CipherUpdate (&ctx, decr_buf, &bytes_decr, privkey_pointer, length_privkey);
err = EVP_CipherFinal (&ctx, decr_buf+bytes_decr, &bytes_final);
if ( err == 0 ) {  printf("Ha ocurrido un error EVP_CipherFinal \n");  while ( c_error = ERR_get_error() )   fprintf(stderr, ERR_error_string(c_error, NULL));  exit(1); }
 
So, err always is 0 in EVP_CipherFinal,  error code returns:
error:0606506D:digital envelope routines:EVP_DecryptFinal:wrong final block length
 
I thought that the problem could be the priv key, so I generate privkeys in PKCS#5 and PKCS#8 with:
openssl pkcs8 -inform DER -in privkey.key -topk8 -v1 PBE_MD5_DES -outform DER -out privkeyp5.key ; and
openssl pkcs8 -inform DER -in privkey.key -topk8  -outform DER -out privkeyp8.key
 
And test my application again with those keys but results are the same.
 

I don't know what is wrong ... any suggestions or tips???
 
Best regards
 
ZainosDo You Yahoo!?
Yahoo! Net: La mejor conexión a internet y 25MB extra a tu correo por 
$100 al mes.

Re: Problems decrypting PKCS# Private Key , Help needed

2004-04-23 Thread Dr. Stephen Henson 
On Fri, Apr 23, 2004, Carlos Roberto Zainos H wrote:

> Hi all!!!
>  
> Thanks again for the answers.
>  
> The question that I now post refers to decrypt a private key PBE (PKCS#5).
> I've working with priv/pub keys gotten from openssl, but now my C
> applications needs to work with ones generated with another application
> (commercial software). I've been discovered (with openssl help) that private
> key is in "clear" PEM format (not encrypted) and PBE (PKCS#5 v2(?))
> protected (form DER: privkey.key ). My problem is that I can't decrypt that
> key for use this in my C application. Follows my code:
>  
>  alg = PKCS5_pbe2_set (EVP_des_cbc(), -1, NULL, 0); /*pkcs5 v2.0 */ err =
>  EVP_PBE_CipherInit (alg->algorithm, password, strlen(password),
>  alg->parameter, &ctx, decripta); /*descripta is defined as 0 */ decr_buf =
>  (unsigned char *) malloc (longitud + EVP_CIPHER_CTX_block_size(&ctx) + 1);
>  err = EVP_CipherUpdate (&ctx, decr_buf, &bytes_decr, privkey_pointer,
>  length_privkey); err = EVP_CipherFinal (&ctx, decr_buf+bytes_decr,
>  &bytes_final); if ( err == 0 ) { printf("Ha ocurrido un error
>  EVP_CipherFinal \n"); while ( c_error = ERR_get_error() ) fprintf(stderr,
>  ERR_error_string(c_error, NULL)); exit(1); }
>  
> So, err always is 0 in EVP_CipherFinal,  error code returns:
> error:0606506D:digital envelope routines:EVP_DecryptFinal:wrong final block
> length
>  
> I thought that the problem could be the priv key, so I generate privkeys in
> PKCS#5 and PKCS#8 with: openssl pkcs8 -inform DER -in privkey.key -topk8 -v1
> PBE_MD5_DES -outform DER -out privkeyp5.key ; and openssl pkcs8 -inform DER
> -in privkey.key -topk8  -outform DER -out privkeyp8.key
>  
> And test my application again with those keys but results are the same.
>  
> I don't know what is wrong ... any suggestions or tips???

If the private key is in PEM format that PEM_read_bio_PrivateKey() will
automatically handle PKCS#8 format.

If its in DER format then d2i_PKCS8PrivateKey_bio() will handle the encrypted
form, and d2i_PKCS8_PRIV_KEY_INFO() followed by EVP_PKCS82PKEY() for the
unencrypted form.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

OpenSSL with Pound rev-proxy problem - repost without Re:

2004-04-23 Thread Jonathan Cyr 








Hello OpenSSL folks,

Having a problem generating the proper certificate set for my Verisign
128bit class 3 certificate.

Here's the story...

I am using a Reverse-proxy, load balancer called Pound, it's open
source, and uses certificates/keys from OpenSSL.  They seem to be
generated before the proxy is started, more like an IMAP server, not
like Apache.  http://www.apsis.ch/pound

I had this entire configuration working at one time, Pound, OpenSSL,
Verisign...

It all started after 1/7/2004 when Verisign had switched over their
infrastructure to a new configuration.  They provided a new
intermediate certificate for use, of course generic OpenSSL
instructions are not in the Verisign website.   At the time I was using
an older version of OpenSSL with RedHat AS 2.1.  I was warned not to
upgrade this version, RedHat had tweaked it for use.  I was unable to
install this intermediate certificate or upgrade the OpenSSL.

I switched to SuSE 9.0, using the OpenSSL 0.9.7b installed with it.  I
created a self-signed certificate & key using the command, and
pointed Pound at it...

 openssl req -x509 -newkey rs:1024 -keyout test.pem -out test.pem
-days 365 -nodes

Success, a self-signed key/certificate that I point at  in the Pound
config file.  This basically proves that Pound is working and set up
correctly, and processing OpenSSL-generated keys correctly.  I've done
it wrong enough times to know when its wrong.

So then, I need to produce the same type of set using Verisign as my
3rd party.

I used the command...

    umask 077
    openssl req -new -out filenamecsr.pem -keyout privkey.pem

I then submitted the CSR file to Versign, and received the certificate
thereafter.

I then combined it after decoding the key, with this command...

    openssl rsa -in privkey.pem >> keyandcert.pem

Prompted me for a passphrase, entered it.  This then created a file
with this key to which I added the verisign certificate.

Pointed Pound at it in the config file.  Pound, sees the file, and
reads the key and the certificate, properly formed evidently, Pound is
working, and processing SSL requests.

IE tells me my certificate is wrong, same certificate as before the
1/7/2004 problem, but allows me to continue, Verisign intermediate cert
is expired 1/7/2004, same problem.

Mozilla 1.4 tells me error -8101, which looked up, certificate of wrong
type.  Bad CSR?

After emailing the development team for Pound, here's some important
facts... Pound doesn't actively "run" OpenSSL, it uses the keys and
certificates only (not Apache-like).  On the configure step for
installing Pound, you use a flag  ./configure --with-ssl=/etc/ssl/ for
OpenSSL's home directory.  Also ran SuSE's /usr/bin/c_rehash script
before configure and make, to update certificate "registry hash".  For
security audit reasons, Pound starts up, looks at a config file and
cert/key file, and does a root jail.

Questions:

Is this a certificate chain problem, do I need to update the
intermediate certificate, or is it included with a new OpenSSL like
0.9.7b How would I do that on SuSE 9.0?

Is this a CSR generation problem? Did I form the CSR command correctly
for a Verisign Class 3 128bit certificate?  If not, what command
should  I use?

Or Both?



Unfortunately, this proxy is production, and I get to try to adjust it
after business hours.  There's no URL to look at, when I'm not
testing.  The self-signed version is working and in place for
production.

Thanks for listening,

Jonathan Cyr
Cyr Information Systems
Verisign Acct: WWW.DOCUMENTALSOLUTIONS.COM
Cranston, RI, USA
[EMAIL PROTECTED]

Re: OpenSSL with Pound rev-proxy problem - repost without Re:

2004-04-23 Thread Dr. Stephen Henson 
On Fri, Apr 23, 2004, Jonathan Cyr wrote:

> Hello OpenSSL folks,
> 
> Having a problem generating the proper certificate set for my Verisign 
> 128bit class 3 certificate.
> 
> Here's the story...
> 
> I am using a Reverse-proxy, load balancer called Pound, it's open 
> source, and uses certificates/keys from OpenSSL.  They seem to be 
> generated before the proxy is started, more like an IMAP server, not 
> like Apache.  http://www.apsis.ch/pound
> 
> I had this entire configuration working at one time, Pound, OpenSSL, 
> Verisign...
> 
> It all started after 1/7/2004 when Verisign had switched over their 
> infrastructure to a new configuration.  They provided a new intermediate 
> certificate for use, of course generic OpenSSL instructions are not in 
> the Verisign website.   At the time I was using an older version of 
> OpenSSL with RedHat AS 2.1.  I was warned not to upgrade this version, 
> RedHat had tweaked it for use.  I was unable to install this 
> intermediate certificate or upgrade the OpenSSL.
> 
> I switched to SuSE 9.0, using the OpenSSL 0.9.7b installed with it.  I 
> created a self-signed certificate & key using the command, and pointed 
> Pound at it...
> 
> openssl req -x509 -newkey rs:1024 -keyout test.pem -out test.pem 
> -days 365 -nodes
> 
> Success, a self-signed key/certificate that I point at  in the Pound 
> config file.  This basically proves that Pound is working and set up 
> correctly, and processing OpenSSL-generated keys correctly.  I've done 
> it wrong enough times to know when its wrong.
> 
> So then, I need to produce the same type of set using Verisign as my 3rd 
> party.
> 
> I used the command...
> 
>umask 077
>openssl req -new -out filenamecsr.pem -keyout privkey.pem
> 
> I then submitted the CSR file to Versign, and received the certificate 
> thereafter.
> 
> I then combined it after decoding the key, with this command...
> 
>openssl rsa -in privkey.pem >> keyandcert.pem
> 
> Prompted me for a passphrase, entered it.  This then created a file with 
> this key to which I added the verisign certificate.
> 
> Pointed Pound at it in the config file.  Pound, sees the file, and reads 
> the key and the certificate, properly formed evidently, Pound is 
> working, and processing SSL requests.
> 
> IE tells me my certificate is wrong, same certificate as before the 
> 1/7/2004 problem, but allows me to continue, Verisign intermediate cert 
> is expired 1/7/2004, same problem.
> 
> Mozilla 1.4 tells me error -8101, which looked up, certificate of wrong 
> type.  Bad CSR?
> 
> After emailing the development team for Pound, here's some important 
> facts... Pound doesn't actively "run" OpenSSL, it uses the keys and 
> certificates only (not Apache-like).  On the configure step for 
> installing Pound, you use a flag  ./configure --with-ssl=/etc/ssl/ for 
> OpenSSL's home directory.  Also ran SuSE's /usr/bin/c_rehash script 
> before configure and make, to update certificate "registry hash".  For 
> security audit reasons, Pound starts up, looks at a config file and 
> cert/key file, and does a root jail.
> 
> Questions:
> 
> Is this a certificate chain problem, do I need to update the 
> intermediate certificate, or is it included with a new OpenSSL like 
> 0.9.7b How would I do that on SuSE 9.0?
> 
> Is this a CSR generation problem? Did I form the CSR command correctly 
> for a Verisign Class 3 128bit certificate?  If not, what command should  
> I use?
> 
> Or Both?
> 
> 
> 
> Unfortunately, this proxy is production, and I get to try to adjust it 
> after business hours.  There's no URL to look at, when I'm not testing.  
> The self-signed version is working and in place for production.
> 

If you use the command:

openssl s_client -connect hostname:portnum -showcerts

it will output the certificate chain the server uses. You can then examine
them using (for example):

openssl x509 -in cert.pem -text -noout

to see if the full chain is being sent. 

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Problems decrypting PKCS# Private Key , Docs needed

2004-04-23 Thread Carlos Roberto Zainos H 


If its in DER format then d2i_PKCS8PrivateKey_bio() will handle the encryptedform, and d2i_PKCS8_PRIV_KEY_INFO() followed by EVP_PKCS82PKEY() for theunencrypted form.Steve.
 
Thanks a lot dr Henson . just another little question  where are the references to d21PKCS8_PRIV_KEY_INFO() and EVP_PKCS82PKEY(), I can't found it in evp.h and pem.h  in openssl web page crypto section also could'n find it... sorry.
I'm working in WinXP environement with openssl-w32-version
Thanks in advance
 
ZAINOS Do You Yahoo!?
Yahoo! Net: La mejor conexión a internet y 25MB extra a tu correo por 
$100 al mes.

certificate creation verification errors / ldap

2004-04-23 Thread Mark 

so i created local certs for ldap using:


/usr/depot/openssl/current/ssl/misc/CA.sh -newca

openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

/usr/depot/openssl/current/ssl/misc/CA.sh -sign




and then i tried to start the ldap and verify the certs using


openssl s_client -connect needlefish.internal.outerbay.com:636 -showcerts -state 
-CAfile /etc/depot/openldap/certs/cacert.pem

and i got 

connect: Connection refused
connect:errno=146



am i missing somehting here???


thanx for the help
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Re: Problems decrypting PKCS# Private Key , Docs needed

2004-04-23 Thread Dr. Stephen Henson 
On Fri, Apr 23, 2004, Carlos Roberto Zainos H wrote:

> 
> 
> If its in DER format then d2i_PKCS8PrivateKey_bio() will handle the
> encrypted form, and d2i_PKCS8_PRIV_KEY_INFO() followed by EVP_PKCS82PKEY()
> for the unencrypted form.
> 
> Steve.
> 
>  
> 
> Thanks a lot dr Henson . just another little question  where are the
> references to d21PKCS8_PRIV_KEY_INFO() and EVP_PKCS82PKEY(), I can't found
> it in evp.h and pem.h  in openssl web page crypto section also could'n
> find it... sorry.
> 
> I'm working in WinXP environement with openssl-w32-version
> 

d2i_PKCS8_PRIV_KEY_INFO isn't documented at present but it behaves just like
any other ASN1 function and takes a PKCS8_PRIV_KEY_INFO argument.

EVP_PKCS82PKEY() is briefly mentioned in openssl.txt: it just takes a
PKCS8_PRIV_KEY_INFO structure and converts it to an EVP_PKEY.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]