Re: [openssl-users] Re: OpenSSL can't store and generate some valid DN (fwd)

2004-06-04 Thread Erwann Abalea
Hello,

On Thu, 3 Jun 2004, Dr. Stephen Henson wrote:

> On Thu, Jun 03, 2004, Erwann Abalea wrote:
>
> > I was looking at the RFC3739 for Qualified Certificates and the changes
> > with the RFC3039, and noticed (among other things) that the example
> > certificate changed.
>
> What makes you think it has changed?

My fault, I must have been reading an older draft of the RFC3039, and I
haven't checked the definitive version.

> > The subject of this certificate has 3 RDN, and the last one has 2
> > AttributeTypeAndValue fields.
> >
> > When OpenSSL reads this certificate, it stores the subject as a sequence
> > of 4 RDN, each one having only one AttributeTypeAndValue field. When you
> > store it back, the certificate has changed, of course, and that is Bad
> > (tm).
>
> Well OpenSSL seems to recognize that DN properly. If you include:
> -nameopt oneline
> for example in the 'x509' command line it will correctly display the last RDN.

Well. My fault again, I haven't played with the -nameopt option yet. Now
I've read the man page, it appears that not specifying the good -nameopt
option results in OpenSSL using the same separator for several AVA of the
same RDN as for several RDN, which confused me.

And let me add another 'my fault' for having written that a certificate
read and stored again was changed. OpenSSL did its job properly, but on
the first file a trailing 0xa0 (*not* 0x0a) was present that wasn't part
of the certificate. I don't know where it came from.

I'm dumb :(

> If you look at the internals of how this is stored it does at first sight
> appear to only store the lot in a single sequence. The structure used is an
> X509_NAME which includes a STACK_OF(X509_NAME_ENTRY) however each
> X509_NAME_ENTRY has a field called 'set' which indicates which set the
> AttributeTypeAndValue should be in.

Thanks for the explanations. I looked at the code and the
X509_NAME_add_entry man page, and with your explanations, it is much
clearer. So in a case where I have a multivalued RDN, if I want to sort
the DN, the comparison function must be carefully written, since the 'set'
can only have values -1 or 1, telling the library that this AVA belongs to
the previous or the next set of AVA (or 0, of course, if the AVA is alone
in its own RDN). Well. I won't sort DNs for the moment.

> OpenSSL won't normally reencode DNs at all because it caches the original
> encoding.  If the DN is modified in some way it will of course be reencoded
> though.

Thanks. I've been using OpenSSL professionally since the SSLeay days, and
I'm still learning new stuff every time.

Keep up the good work.

-- 
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
-
If you can't beat your computer at chess, try kickboxing.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
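
Added example (not part of the original messages and not OpenSSL code): a stdlib-only Python walk of a DER-encoded Name, showing why a display that uses one separator hides a multi-valued RDN while a flat entry list with a per-entry set number keeps it. The sample DN, the OID table and all function names are constructed for illustration.

```python
# Added example: stdlib-only walk of a DER-encoded X.501 Name (constructed sample).
OIDS = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O",            # 2.5.4.6, 2.5.4.10
        b"\x55\x04\x03": "CN", b"\x55\x04\x05": "serialNumber"}  # 2.5.4.3, 2.5.4.5

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed value into its (tag, content) members."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def parse_name(der):
    """Name -> list of RDNs, each a list of (attribute, value) pairs."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    rdns = []
    for set_tag, set_body in children(body):       # one SET per RDN
        if set_tag != 0x31:
            raise ValueError("RDN is not a SET")
        avas = [children(seq) for _, seq in children(set_body)]
        rdns.append([(OIDS.get(o, o.hex()), v.decode()) for (_, o), (_, v) in avas])
    return rdns

def flat_entries(rdns):
    """Flat entry list with a per-entry set number, as the reply describes."""
    return [(i, k, v) for i, rdn in enumerate(rdns) for k, v in rdn]

def render(rdns, rdn_sep, ava_sep):
    """Join RDNs with rdn_sep and the AVAs inside one RDN with ava_sep."""
    return rdn_sep.join(ava_sep.join(f"{k}={v}" for k, v in rdn) for rdn in rdns)

def tlv(tag, content):                     # encoder for the sample (short lengths only)
    return bytes([tag, len(content)]) + content

def ava(oid, text):
    return tlv(0x30, tlv(0x06, oid) + tlv(0x13, text.encode()))

# Constructed subject: three RDNs, the last one holding two AVAs.
SAMPLE = tlv(0x30, tlv(0x31, ava(b"\x55\x04\x06", "DE"))
             + tlv(0x31, ava(b"\x55\x04\x0a", "Example Org"))
             + tlv(0x31, ava(b"\x55\x04\x05", "1") + ava(b"\x55\x04\x03", "Alice Example")))
```

Rendering with the same separator for both levels makes the sample look like four RDNs; distinct separators, or the set number in the flat list, show that there are three.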


Passing a SSL connection to a worker thread and back

2004-06-04 Thread Jochen Eisinger
Hello,

I have the following problem I didn't find a solution for:

A process establishes an SSL connection. Now the process forks from time
to time a worker child that uses this connection. This works the first
time, every other time the child can't use the SSL connection.

I guess this is because the first forked child modifies the state of the
SSL connection when using it, and since the modified state is not passed
back to the parent, the parent (and all the later forked children) cannot
reuse the SSL connection.

My question is now: is this guess correct, and if yes, how can I pass
the updated SSL connection back to the parent?

kind regards
-- jochen


Re: Passing a SSL connection to a worker thread and back

2004-06-04 Thread Lutz Jaenicke
On Fri, Jun 04, 2004 at 11:00:01AM +0200, Jochen Eisinger wrote:
> Hello,
>
> I have the following problem I didn't find a solution for:
>
> A process establishes an SSL connection. Now the process forks from time
> to time a worker child that uses this connection. This works the first
> time, every other time the child can't use the SSL connection.
>
> I guess this is because the first forked child modifies the state of the
> SSL connection when using it, and since the modified state is not passed
> back to the parent, the parent (and all the later forked children) cannot
> reuse the SSL connection.
>
> My question is now: is this guess correct, and if yes, how can I pass
> the updated SSL connection back to the parent?

You are probably out of luck with your model. If at all possible you
should move the SSL layer to a separate process or have the parent
handle the SSL traffic for the child processes.
If your process is an SSL client and the server does support session
reuse, you could have your child processes establish independent
connections with the same session data, thus saving the expensive
handshake with authentication.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
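
Added example (not part of the original messages and not OpenSSL code): a toy record layer in Python that reproduces the symptom from the question with a real fork(), and then the arrangement suggested in the reply where the parent handles the protected traffic for its workers. It assumes only that each record's MAC covers an implicit sequence number, as in SSL/TLS; the class, function names, key and messages are constructed.

```python
# Added example: toy record layer (not OpenSSL code); key and messages are constructed.
import hashlib
import hmac
import os

class RecordState:
    """One direction of a connection: MAC key plus implicit sequence number."""
    def __init__(self, key):
        self.key, self.seq = key, 0

    def _mac(self, payload):
        msg = self.seq.to_bytes(8, "big") + payload   # the MAC covers the sequence number
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def seal(self, payload):
        record = payload + self._mac(payload)
        self.seq += 1
        return record

    def open(self, record):
        payload, tag = record[:-32], record[-32:]
        if not hmac.compare_digest(tag, self._mac(payload)):
            raise ValueError("bad record MAC")
        self.seq += 1
        return payload

def run_worker(conn, payload, seal_in_child):
    """Fork a worker; either it seals with its inherited copy of conn, or it hands
    plaintext back and the parent, which owns the live state, seals it."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                                   # child: conn is a private copy
        os.close(rfd)
        os.write(wfd, conn.seal(payload) if seal_in_child else payload)
        os._exit(0)
    os.close(wfd)
    with os.fdopen(rfd, "rb") as pipe:
        data = pipe.read()
    os.waitpid(pid, 0)
    return data if seal_in_child else conn.seal(data)

def run_demo(seal_in_child):
    """Send two jobs through two forked workers; return (results, local seq, peer seq)."""
    key = b"constructed-demo-key"
    conn, peer = RecordState(key), RecordState(key)   # our write side / peer's read side
    results = []
    for msg in (b"job 1", b"job 2"):
        record = run_worker(conn, msg, seal_in_child)
        try:
            results.append(peer.open(record).decode())
        except ValueError as exc:
            results.append(str(exc))
    return results, conn.seq, peer.seq
```

With `seal_in_child=True` the first worker succeeds and the second fails, because the parent's sequence number never advanced; with `seal_in_child=False` both jobs are accepted.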


Re: EOFException when connecting to ldap server with jndi

2004-06-04 Thread mark brophy
Hi:
Okay, sorry 'bout that... I'll try over there.  Thanks for the suggestion on 
the tls.close()/ctx.close removal, but I'm still about out of luck.
Cya,
-Mark

From: Lawrence Bowie [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: EOFException when connecting to ldap server with jndi
Date: Thu, 03 Jun 2004 20:14:17 -0400

You need to post to http://forum.java.sun.com/index.jsp at the Java Secure
Socket Extensions section.

Also, the EOFException means your connection closed unexpectedly .. I would
lose

tls.close();
ctx.close();

LDB

mark brophy wrote:
Hi all:
This is my first post, so please redirect me if I'm in the wrong place.  
I've been having the same problem for weeks, and I can't seem to get 
around it. I'm connecting to an openldap server using tls/ssl (openssl), 
and I'm constantly getting an eofexception around the time of tls READ on 
the client side, and I can't figure out whether it's ssl or tls that's 
dying.  If anyone has any idea what's going on, I'd really appreciate the 
input.  Here's some relevant java output with debugging on:
..
setting up default SSLSocketFactory
use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
keyStore is : /path/to/mycert
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: /path/to/mycert
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
**removed sensitive info here**

 Algorithm: RSA; Serial number: 0x0
 Valid from Mon Mar 17 20:28:46 NST 2003 until Tue Mar 16 20:28:46 NST 2004

init context
trigger seeding of SecureRandom
done seeding SecureRandom
instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
export control - checking the cipher suites
export control - no cached value available...
export control - storing legal entry into cache...
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1069503884 bytes = { 7, 48, 141, 114, 165, 47, 223, 
142, 90,  51, 199, 37, 149, 8, 3, 229, 3, 181, 2, 201, 24, 205, 74, 133, 
18, 50, 70, 121 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 73

Re: X509_CRL_verify() failed after X509_CRL_dup(),why?

2004-06-04 Thread Dr. Stephen Henson
On Fri, Jun 04, 2004, BlackSnail wrote:

 
> Hi,
>
> I write a program to insert revoked certificate information to CRL.
> After insertion I do X509_CRL_sign() and X509_CRL_verify() and everything is OK.
> Then I do X509_CRL_dup() to duplicate CRL structure.
> Things followed are weird. After duplication, I do X509_CRL_verify() again and
> verification failed!
> I print the content of CRL as below:
>
[examples snipped]

The PEM version of the CRLs would've been better because then anyone wanting
to can print the things out as well as analyze it at the ASN1 level which you
can't with a print out. Not that it really matters in this case...

> The only difference is the serial number sequence.
> I can understand that stack pop operation make the difference.
> But I can't understand why verify failed.
>
> I replace X509_CRL_dup() with i2d_X509_CRL(crl1, NULL), the result is same.
>
> Any help will be appreciated. Thank you.

I think this is the solution...

Short answer:

Before you call X509_CRL_sign() call X509_CRL_sort().

Long answer: 

The actual order of revoked entries in a CRL is arbitrary according to the
ASN1 but in actual fact it is quite common (but not mandatory) to sort the
entries into serial number order.

When OpenSSL looks up a serial number in a CRL it reorders the entries in
serial number order to increase the speed of the search. However if the CRL
was rewritten as it is the order would change and the CRL signature would no
longer be valid. Therefore OpenSSL retains the original order when it reads in
a CRL.

When a CRL is generated the order fields are uninitialized until you
call X509_CRL_sort() which sorts the revoked entries and initializes the
order fields.

If the order fields aren't initialized then things may well misbehave.

It could be argued that this is a bug and that the order field should be
initialized when a revoked entry is written.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
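
Added example (not part of the original messages and not OpenSSL code): a toy Python model of the long answer above, in which a signature covers the revoked entries in their encoded order, lookups reorder the in-memory list, and a per-entry order field is what lets the encoder reproduce the signed bytes. HMAC stands in for the issuer's signature, and the trigger in this model is a lookup rather than X509_CRL_dup(); the class, field and function names, key and serial numbers are constructed.

```python
# Added example: toy model of the ordering issue (not OpenSSL code).
# HMAC stands in for the issuer's signature; key and serials are constructed.
import hashlib
import hmac

KEY = b"constructed-issuer-key"

class ToyCRL:
    def __init__(self):
        self.revoked = []                  # entries: {"serial": int, "seq": int or None}
        self.sig = b""

    def add(self, serial):
        self.revoked.append({"serial": serial, "seq": None})   # order field left unset

    def sort(self):
        """Sort by serial number and record that order in every entry."""
        self.revoked.sort(key=lambda e: e["serial"])
        for i, entry in enumerate(self.revoked):
            entry["seq"] = i

    def encode(self):
        """Emit entries in recorded order; with no record, in current memory order."""
        entries = self.revoked
        if all(e["seq"] is not None for e in entries):
            entries = sorted(entries, key=lambda e: e["seq"])
        return b"".join(e["serial"].to_bytes(4, "big") for e in entries)

    def _tag(self):
        return hmac.new(KEY, self.encode(), hashlib.sha256).digest()

    def sign(self):
        self.sig = self._tag()

    def verify(self):
        return hmac.compare_digest(self.sig, self._tag())

    def is_revoked(self, serial):
        """Lookup first reorders the in-memory list by serial number."""
        self.revoked.sort(key=lambda e: e["serial"])
        return any(e["serial"] == serial for e in self.revoked)

def generate(serials, sort_before_sign):
    """Build and sign a toy CRL, optionally sorting before signing."""
    crl = ToyCRL()
    for serial in serials:
        crl.add(serial)
    if sort_before_sign:
        crl.sort()
    crl.sign()
    return crl

def verify_around_lookup(crl):
    """Return (valid before a lookup, valid after it)."""
    before = crl.verify()
    crl.is_revoked(10)
    return before, crl.verify()
```

Signing without the sort step leaves the order fields unset, so the next re-encoding no longer matches the signed bytes; sorting first makes the signed order and the recorded order agree.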


HTML man pages

2004-06-04 Thread Ken Goldman
I've found HTML versions of the openSSL man pages on the web,
including at the openSSL site itself.  

Is there a place to download all the HTML, so I can access it off
line?

-- 
Ken Goldman   [EMAIL PROTECTED]   914-784-7646


Re: HTML man pages

2004-06-04 Thread Christopher Fowler
wget can do it for you

On Fri, 2004-06-04 at 09:17, Ken Goldman wrote:
> I've found HTML versions of the openSSL man pages on the web,
> including at the openSSL site itself.
>
> Is there a place to download all the HTML, so I can access it off
> line?



Re: HTML man pages

2004-06-04 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Fri, 4 Jun 2004 09:17:05 -0400, Ken Goldman [EMAIL PROTECTED] said:

kgold> I've found HTML versions of the openSSL man pages on the web,
kgold> including at the openSSL site itself.
kgold>
kgold> Is there a place to download all the HTML, so I can access it
kgold> off line?

You can do it easily, using wget:

wget -c -m -L -np http://www.openssl.org/docs/

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.


Openssl on windows vc++ project

2004-06-04 Thread ahmad hassan
Hello,
I would like to know that is it possible to compile and build openssl files 
on windows.
I would like to be adding only the h and c files in the project. I have come 
through research on internet that it is possible to use it under windows 
using vc++ by making dll files or lib file using perl but i don't want that 
way. I want it in such a way that i have header and c files in my project 
and i do a compile on them and build them.

Plz a detailed answer is needed.
Waiting for an urgent reply.
Thank You.


Re: Openssl on windows vc++ project

2004-06-04 Thread Marcus Carey
http://www.openssl.org/related/
http://www.iconsinc.com/~agray/ossldev/


- Original Message - 
From: ahmad hassan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 04, 2004 8:24 AM
Subject: Openssl on windows vc++ project


> Hello,
> I would like to know that is it possible to compile and build openssl files
> on windows.
> I would like to be adding only the h and c files in the project. I have come
> through research on internet that it is possible to use it under windows
> using vc++ by making dll files or lib file using perl but i don't want that
> way. I want it in such a way that i have header and c files in my project
> and i do a compile on them and build them.
>
> Plz a detailed answer is needed.
>
> Waiting for an urgent reply.
>
> Thank You.




Openssl Seg Fault

2004-06-04 Thread Bruce Dubbs
Apologies if this was already posted, but we've been having email problems.
--
I am trying to run down a problem I am having with openssl.
When I run:
openssl ca -in test-req.pem  test-cert.pem
and give a *wrong* password for my ca key, the program
prints two debugging error messages and segfaults.
I would prefer the program just say Bad password and exit.
When giving a correct password, everything is fine.
I'm compiling with gcc 3.3.1 on a Linux 2.4.25 kernel.
openssl version is 0.9.7d.
My build instructions are
./config --openssldir=/etc/ssl  --prefix=/usr shared
make
make install
I am also interested in turning off the debugging error messages.  How 
do I do that?  I tried passing no-err to config and that did not work.

Thanks.
 -- Bruce Dubbs
