Re: [openssl-users] Re: OpenSSL can't store and generate some valid DN (fwd)
Bonjour,

On Thu, 3 Jun 2004, Dr. Stephen Henson wrote:

> On Thu, Jun 03, 2004, Erwann Abalea wrote:
>
>> I was looking at the RFC3739 for Qualified Certificates and the changes with the RFC3039, and noticed (among other things) that the example certificate changed.
>
> What makes you think it has changed?

My fault, I must have been reading an older draft of the RFC3039, and I haven't checked the definitive version.

>> The subject of this certificate has 3 RDN, and the last one has 2 AttributeTypeAndValue fields. When OpenSSL reads this certificate, it stores the subject as a sequence of 4 RDN, each one having only one AttributeTypeAndValue field. When you store it back, the certificate has changed, of course, and that is Bad (tm).
>
> Well OpenSSL seems to recognize that DN properly. If you include:
>
> -nameopt oneline
>
> for example in the 'x509' command line it will correctly display the last RDN.

Well. My fault again, I haven't played with the -nameopt option yet. Now I've read the man page, it appears that not specifying the good -nameopt option results in OpenSSL using the same separator for several AVA of the same RDN as for several RDN, which confused me.

And let me add another 'my fault' for having written that a certificate read and stored again was changed. OpenSSL did its job properly, but on the first file a trailing 0xa0 (*not* 0x0a) was present that wasn't part of the certificate. I don't know where it came from. I'm dumb :(

> If you look at the internals of how this is stored it does at first sight appear to only store the lot in a single sequence. The structure used is an X509_NAME which includes a STACK_OF(X509_NAME_ENTRY) however each X509_NAME_ENTRY has a field called 'set' which indicates which set the AttributeTypeAndValue should be in.

Thanks for the explanations. I looked at the code and the X509_NAME_add_entry man page, and with your explanations, it is much clearer.

So in a case where I have a multivalued RDN, if I want to sort the DN, the comparison function must be carefully written, since the 'set' can only have values -1 or 1, telling the library that this AVA belongs to the previous or the next set of AVA (or 0, of course, if the AVA is alone in its own RDN). Well. I won't sort DNs for the moment.

> OpenSSL won't normally reencode DNs at all because it caches the original encoding. If the DN is modified in some way it will of course be reencoded though.

Thanks. I've been using OpenSSL professionally since the SSLeay days, and I'm still learning new stuff every time. Keep up the good work.

-- 
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
- If you can't beat your computer at chess, try kickboxing.

__
OpenSSL Project                        http://www.openssl.org
User Support Mailing List              [EMAIL PROTECTED]
Automated List Manager                 [EMAIL PROTECTED]
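The point of the exchange above is that an X.501 Name is a SEQUENCE of SETs, and a parser that flattens each AttributeTypeAndValue into its own RDN produces a different DN (and different DER bytes, which matters because the subject is under the certificate signature). The parser below is an added example, not code from this thread or from OpenSSL: it reads a DER Name while preserving the SET boundaries, prints it with the same separators as OpenSSL's `-nameopt oneline`, re-encodes it to confirm the bytes round-trip, and reports any trailing bytes that are not part of the structure (the stray 0xa0 Erwann found). Everything except the attribute-type OIDs is constructed sample data.

```python
"""Parse a DER X.501 Name keeping each RDN's SET structure intact.

Added example; not code from this thread or from OpenSSL. Only the Python
standard library is used, and the sample subject below is constructed.
"""

# Real attribute-type OIDs; everything else here is constructed sample data.
OID_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.3": "CN", "2.5.4.5": "serialNumber"}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}

def read_tlv(buf, pos):
    """Decode one DER TLV at pos and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Return (rdns, trailing_bytes); rdns is a list of RDNs, each a list of
    (type, value) pairs in the order they appear inside the SET."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        avas, p = [], 0
        while p < len(rdn):
            _, ava, p = read_tlv(rdn, p)
            _, oid, q = read_tlv(ava, 0)
            _, val, _ = read_tlv(ava, q)
            dotted = decode_oid(oid)
            avas.append((OID_NAMES.get(dotted, dotted), val.decode("utf-8")))
        rdns.append(avas)
    return rdns, der[end:]

def oneline(rdns):
    """Same separators as OpenSSL's -nameopt oneline: ', ' between RDNs,
    ' + ' between the AVAs of one multi-valued RDN."""
    return ", ".join(" + ".join(f"{t} = {v}" for t, v in rdn) for rdn in rdns)

def tlv(tag, body):
    """Encode one DER TLV (short or long definite length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def encode_name(rdns):
    """Encode RDNs with UTF8String values. DER SET OF orders its members by
    their encoding, so the AVAs are sorted before being wrapped in the SET."""
    sets = []
    for rdn in rdns:
        avas = [tlv(0x30, tlv(0x06, encode_oid(NAME_OIDS[t])) + tlv(0x0C, v.encode()))
                for t, v in rdn]
        sets.append(tlv(0x31, b"".join(sorted(avas))))
    return tlv(0x30, b"".join(sets))

def demo():
    """Three RDNs, the last one multi-valued, plus a stray trailing byte
    like the one mentioned in the thread (all constructed)."""
    subject = [[("C", "FR")], [("O", "Example CA")],
               [("CN", "Jane Doe"), ("serialNumber", "1234567890123")]]
    der = encode_name(subject)
    on_disk = der + b"\xa0"                    # byte that is not part of the Name
    rdns, trailer = parse_name(on_disk)
    flattened = [[ava] for rdn in rdns for ava in rdn]   # the naive 4-RDN reading
    return {"oneline": oneline(rdns), "rdn_count": len(rdns), "trailer": trailer,
            "roundtrip_ok": encode_name(rdns) == der,
            "flattened_changes_bytes": encode_name(flattened) != der}

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`demo()` reports three RDNs, the oneline form `C = FR, O = Example CA, CN = Jane Doe + serialNumber = 1234567890123`, a one-byte trailer of `\xa0`, an identical re-encoding of the parsed structure, and different bytes for the flattened four-RDN reading. Real OpenSSL keeps the original encoding cached rather than re-encoding, as Steve notes, so the round-trip check here is a self-check on the parser, not a description of what the library does.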
Passing a SSL connection to a worker thread and back
Hello,

I have the following problem I didn't find a solution for: A process establishes an SSL connection. Now the process forks from time to time a worker child that uses this connection. This works the first time; every other time the child can't use the SSL connection.

I guess this is because the first forked child modifies the state of the SSL connection when using it, and since the modified state is not passed back to the parent, the parent (and all the later forked children) cannot reuse the SSL connection.

My question is now: is this guess correct, and if yes, how can I pass the updated SSL connection back to the parent?

kind regards
-- jochen
Re: Passing a SSL connection to a worker thread and back
On Fri, Jun 04, 2004 at 11:00:01AM +0200, Jochen Eisinger wrote:

> Hello,
>
> I have the following problem I didn't find a solution for: A process establishes an SSL connection. Now the process forks from time to time a worker child that uses this connection. This works the first time; every other time the child can't use the SSL connection.
>
> I guess this is because the first forked child modifies the state of the SSL connection when using it, and since the modified state is not passed back to the parent, the parent (and all the later forked children) cannot reuse the SSL connection.
>
> My question is now: is this guess correct, and if yes, how can I pass the updated SSL connection back to the parent?

You are probably out of luck with your model. If at all possible you should move the SSL layer to a separate process or have the parent handle the SSL traffic for the child processes.

If your process is an SSL client and the server does support session reuse, you could have your child processes establish independent connections with the same session data, thus saving the expensive handshake with authentication.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Re: EOFException when connecting to ldap server with jndi
Hi:

Okay, sorry 'bout that... I'll try over there. Thanks for the suggestion on the tls.close()/ctx.close removal, but I'm still about out of luck.

Cya,
-Mark

> From: Lawrence Bowie [EMAIL PROTECTED]
> Subject: Re: EOFException when connecting to ldap server with jndi
> Date: Thu, 03 Jun 2004 20:14:17 -0400
>
> You need to post to http://forum.java.sun.com/index.jsp at the Java Secure Socket Extensions section.
>
> Also, the EOFException means your connection closed unexpectedly .. I would lose
>
> tls.close();
> ctx.close();
>
> LDB
>
> mark brophy wrote:
>
>> Hi all:
>>
>> This is my first post, so please redirect me if I'm in the wrong place. I've been having the same problem for weeks, and I can't seem to get around it. I'm connecting to an openldap server using tls/ssl (openssl), and I'm constantly getting an eofexception around the time of tls READ on the client side, and I can't figure out whether it's ssl or tls that's dying. If anyone has any idea what's going on, I'd really appreciate the input. Here's some relevant java output with debugging on:
>>
>> ..
>> setting up default SSLSocketFactory
>> use default SunJSSE impl class: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
>> class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl is loaded
>> keyStore is : /path/to/mycert
>> keyStore type is : jks
>> keyStore provider is :
>> init keystore
>> init keymanager of type SunX509
>> trustStore is: /path/to/mycert
>> trustStore type is : jks
>> trustStore provider is :
>> init truststore
>> adding as trusted cert:
>> **removed sensitive info here**
>> Algorithm: RSA; Serial number: 0x0
>> Valid from Mon Mar 17 20:28:46 NST 2003 until Tue Mar 16 20:28:46 NST 2004
>> init context
>> trigger seeding of SecureRandom
>> done seeding SecureRandom
>> instantiated an instance of class com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
>> export control - checking the cipher suites
>> export control - no cached value available...
>> export control - storing legal entry into cache...
>> %% No cached client session
>> *** ClientHello, TLSv1
>> RandomCookie: GMT: 1069503884 bytes = { 7, 48, 141, 114, 165, 47, 223, 142, 90, 51, 199, 37, 149, 8, 3, 229, 3, 181, 2, 201, 24, 205, 74, 133, 18, 50, 70, 121 }
>> Session ID: {}
>> Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
>> Compression Methods: { 0 }
>> ***
>> [write] MD5 and SHA1 hashes: len = 73
>> 0000: 01 00 00 45 03 01 40 BF 56 8C 07 30 8D 72 A5 2F   [EMAIL PROTECTED]/
>> 0010: DF 8E 5A 33 C7 25 95 08 03 E5 03 B5 02 C9 18 CD   ..Z3.%..
>> 0020: 4A 85 12 32 46 79 00 00 1E 00 04 00 05 00 2F 00   J..2Fy/.
>> 0030: 33 00 32 00 0A 00 16 00
Re: X509_CRL_verify() failed after X509_CRL_dup(),why?
On Fri, Jun 04, 2004, BlackSnail wrote:

> Hi,
>
> I write a program to insert revoked certificate information to CRL. After insertion I do X509_CRL_sign() and X509_CRL_verify() and everything is OK. Then I do X509_CRL_dup() to duplicate CRL structure. Things followed are weird. After duplication, I do X509_CRL_verify() again and verification failed! I print the content of CRL as below:
>
> [examples snipped]

The PEM version of the CRLs would've been better because then anyone wanting to can print the things out as well as analyze it at the ASN1 level which you can't with a print out. Not that it really matters in this case...

> The only difference is the serial number sequence. I can understand that stack pop operation make the difference. But I can't understand why verify failed. I replace X509_CRL_dup() with i2d_X509_CRL(crl1,NULL), the result is same. Any help will be appreciated. Thank you.

I think this is the solution...

Short answer: Before you call X509_CRL_sign() call X509_CRL_sort().

Long answer: The actual order of revoked entries in a CRL is arbitrary according to the ASN1 but in actual fact it is quite common (but not mandatory) to sort the entries into serial number order.

When OpenSSL looks up a serial number in a CRL it reorders the entries in serial number order to increase the speed of the search. However if the CRL was rewritten as it is the order would change and the CRL signature would no longer be valid. Therefore OpenSSL retains the original order when it reads in a CRL.

When a CRL is generated these order fields are uninitialized until you call X509_CRL_sort() which sorts the revoked entries and initializes the order fields. If the order fields aren't initialized then things may well misbehave.

It could be argued that this is a bug and that the order field should be initialized when a revoked entry is written.

Steve.
-- 
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
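The failure Steve explains comes down to one invariant: the signature covers the revoked entries in one specific encoding order, so whatever reorders the in-memory stack must not change the order in which the entries are written out. The model below is an added example, not code from this thread or from OpenSSL. It follows the behaviour described in the reply (lookups sort the stack by serial number; a per-entry order field, OpenSSL's X509_REVOKED `sequence`, records the order to re-encode; `X509_CRL_sort()` initialises that field) and uses a SHA-256 digest of the DER as a stand-in for the CRL signature, which in real OpenSSL covers the same bytes. The revoked entries and dates are constructed.

```python
"""Model of the CRL re-ordering problem described in the reply above.

Added example; not code from this thread or from OpenSSL. Lookups sort the
revoked entries by serial, an order field ('sequence') records the order in
which they must be re-encoded, and a SHA-256 digest of the encoding stands in
for the CRL signature.
"""
import hashlib
from bisect import bisect_left

def tlv(tag, body):
    """Minimal DER TLV encoder; short-form lengths are enough for this sample."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_int(n):
    """DER INTEGER for a non-negative serial number (leading 0x00 keeps it positive)."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

class Revoked:
    def __init__(self, serial, date):
        self.serial = serial
        self.date = date              # UTCTime text such as "040604120000Z" (constructed)
        self.sequence = None          # order field, unset until X509_CRL_sort()

    def der(self):
        return tlv(0x30, der_int(self.serial) + tlv(0x17, self.date.encode()))

class Crl:
    def __init__(self):
        self.revoked = []
        self.signature = None

    def add(self, serial, date):
        self.revoked.append(Revoked(serial, date))

    def sort(self):
        """X509_CRL_sort(): sort by serial and initialise the order fields."""
        self.revoked.sort(key=lambda r: r.serial)
        for i, r in enumerate(self.revoked):
            r.sequence = i

    def lookup(self, serial):
        """A lookup reorders the in-memory stack by serial for a binary search."""
        self.revoked.sort(key=lambda r: r.serial)
        serials = [r.serial for r in self.revoked]
        i = bisect_left(serials, serial)
        return i < len(serials) and serials[i] == serial

    def encoding_order(self):
        """Entries in the order they are written: the recorded order when the
        order fields are set, otherwise whatever order the stack is in now."""
        if all(r.sequence is not None for r in self.revoked):
            return sorted(self.revoked, key=lambda r: r.sequence)
        return list(self.revoked)

    def tbs_der(self):
        return tlv(0x30, b"".join(r.der() for r in self.encoding_order()))

    def sign(self):
        self.signature = hashlib.sha256(self.tbs_der()).digest()

    def verify(self):
        return self.signature == hashlib.sha256(self.tbs_der()).digest()

    def dup(self):
        """X509_CRL_dup() is i2d followed by d2i; decoding keeps the encoded
        order and records it in the copy's order fields."""
        copy = Crl()
        for i, r in enumerate(self.encoding_order()):
            copy.add(r.serial, r.date)
            copy.revoked[-1].sequence = i
        copy.signature = self.signature
        return copy

def scenario(sort_before_sign):
    """Build a CRL, sign it, do a lookup, duplicate it and verify the copy."""
    crl = Crl()
    for serial, date in [(17, "040601000000Z"), (5, "040602000000Z"), (9, "040603000000Z")]:
        crl.add(serial, date)         # constructed entries, deliberately unsorted
    if sort_before_sign:
        crl.sort()
    crl.sign()
    assert crl.verify()               # verifies fine straight after signing
    crl.lookup(9)                     # any lookup reorders the stack in memory
    return crl.dup().verify()

if __name__ == "__main__":
    print("without X509_CRL_sort():", scenario(False))   # False
    print("with X509_CRL_sort():   ", scenario(True))    # True
```

Without the sort, the entries are signed in insertion order, the lookup reorders the stack, and the copy is written (and therefore verified) in the new order, so the digest no longer matches. With the sort before signing, the recorded order and the lookup order coincide, and the copy verifies.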
HTML man pages
I've found HTML versions of the openSSL man pages on the web, including at the openSSL site itself.

Is there a place to download all the HTML, so I can access it off line?

-- 
Ken Goldman [EMAIL PROTECTED] 914-784-7646
Re: HTML man pages
wget can do it for you

On Fri, 2004-06-04 at 09:17, Ken Goldman wrote:

> I've found HTML versions of the openSSL man pages on the web, including at the openSSL site itself.
>
> Is there a place to download all the HTML, so I can access it off line?
Re: HTML man pages
In message [EMAIL PROTECTED] on Fri, 4 Jun 2004 09:17:05 -0400, Ken Goldman [EMAIL PROTECTED] said:

kgold> I've found HTML versions of the openSSL man pages on the web,
kgold> including at the openSSL site itself.
kgold> 
kgold> Is there a place to download all the HTML, so I can access it
kgold> off line?

You can do it easily, using wget:

wget -c -m -L -np http://www.openssl.org/docs/

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-708-26 53 44
\ SWEDEN \
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Openssl on windows vc++ project
Hello,

I would like to know whether it is possible to compile and build openssl files on windows. I would like to be adding only the h and c files in the project. I have come through research on the internet that it is possible to use it under windows using vc++ by making dll files or a lib file using perl, but I don't want that way. I want it in such a way that I have header and c files in my project and I do a compile on them and build them.

Please, a detailed answer is needed. Waiting for an urgent reply.

Thank You.
Re: Openssl on windows vc++ project
http://www.openssl.org/related/
http://www.iconsinc.com/~agray/ossldev/

----- Original Message -----
From: ahmad hassan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 04, 2004 8:24 AM
Subject: Openssl on windows vc++ project
Openssl Seg Fault
Apologies if this was already posted, but we've been having email problems.

--

I am trying to run down a problem I am having with openssl. When I run:

openssl ca -in test-req.pem test-cert.pem

and give a *wrong* password for my ca key, the program prints two debugging error messages and segfaults. I would prefer the program just say Bad password and exit. When giving a correct password, everything is fine.

I'm compiling with gcc 3.3.1 on a Linux 2.4.25 kernel. openssl version is 0.9.7d. My build instructions are

./config --openssldir=/etc/ssl --prefix=/usr shared
make
make install

I am also interested in turning off the debugging error messages. How do I do that? I tried passing no-err to config and that did not work.

Thanks.

-- Bruce Dubbs