Re: openssl reads client cert. error when no client cert. required
On Mon, Aug 09, 2004, Yan Zhou wrote:
> I was not using a browser, I am writing a client using JSSE to make web
> service calls. And I only see this error once in a while. That does not
> sound like the issue with SGC?

Well, the other possibility is that the client sometimes prematurely closes the connection part way through the handshake. You could try ssldump to see if that gives some similar result.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Suggestions for the password storing
Hi team!!

I have a "big" question: where is an appropriate place to store the encryption password of the private key? I mean, the security of the priv key is based on the password with which it is encrypted (PKCS#1), so where would be a safe place to put this pwd on the client's computer (Windows environment)???

Thanks in advance.

Zainos
RE: Suggestions for the password storing
> Hi team!!
> I have a "big" question: where is an appropriate place to store the encryption
> password of the private key? I mean, the security of the priv key is based on
> the password with which it is encrypted (PKCS#1), so where would be a safe place
> to put this pwd on the client's computer (Windows environment)???

It totally depends upon your application and threat model. There's no generic answer.

DS
Random number seed in RSA
Hi,

I have a snippet that encrypts/decrypts using RSA.

#include <stdio.h>
#include <stdlib.h>
#include <openssl/rsa.h>

// RSATest: Program illustrating Simple RSA Encryption/Decryption
int main()
{
    char *plain="Sample text";   // Sample text (plain text) to Encrypt/Decrypt
    char *ciphertext;
    char *plain1;
    int enclen,i,declen;

    printf("%s\n",plain);

    // Generate RSA key
    RSA *rsa1= RSA_generate_key(1024,65537,NULL,NULL);

    // RSA_size() will determine how much memory must be allocated for an RSA encrypted value
    ciphertext = (char *)malloc(RSA_size(rsa1));
    printf("RSA size %d\n",RSA_size(rsa1));

    /* ... remaining encrypt/decrypt steps not shown in the post ... */

    free(ciphertext);
    RSA_free(rsa1);
    return 0;
}

I am using Cygwin. My question is this: where and how do I seed the random number generator?

Thanks,
Joe
Re: mutual authentication
I think this is OpenSSL's mailing list and not JSSE :)

Anyway, my quick guess is probably you need to add the "-trustcacert" option when doing the Java's keytool import.

Cheers

[EMAIL PROTECTED] wrote:
> Hi!
>
> I have the following problem in mutual authentication.
>
> Connection failed: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: No trusted certificate found
>
> At first, I created key and certification as follows.
>
> -
>
> 1. Create CA Authority Key using SSL
> openssl genrsa -out ca.key 1024
>
> 2. Create self-signed CA Certificate
> openssl req -new -x509 -key ca.key -out demoCA/cacert.pem
>
> 3. Create Client Keystore
> keytool -genkey -alias clientapp -keystore clientkeys
>
> 4. Create Server Keystore
> keytool -genkey -alias serverapp -keystore serverkeys
>
> 5. Export public keys from Client and Server keystores
> keytool -keystore clientkeys -certreq -alias clientapp -file clientapp.crs
> keytool -keystore serverkeys -certreq -alias serverapp -file serverapp.crs
>
> 6. Sign both public keys with CA Authority key
> openssl ca -in clientapp.crs -out clientapp.pem -keyfile ca.key
> openssl ca -in serverapp.crs -out serverapp.pem -keyfile ca.key
>
> 7. Convert signed keys to DER format
> openssl x509 -in clientapp.pem -out clientapp.der -outform DER
> openssl x509 -in serverapp.pem -out serverapp.der -outform DER
>
> 8. Import CA certificate to Client and Server keystores
> keytool -keystore clientkeys -alias systemca -import -file demoCA/cacert.pem
> keytool -keystore serverkeys -alias systemca -import -file demoCA/cacert.pem
>
> 9. Import signed key to Client keystore
> keytool -keystore clientkeys -alias clientapp -import -file clientapp.der
>
> 10. Import signed key to Server keystore
> keytool -keystore serverkeys -alias serverapp -import -file serverapp.der
>
> Then, I executed programs.
>
> Server:
>
> $ java -Djavax.net.ssl.keyStore=serverkeys -Djavax.net.ssl.keyStorePassword=password CASSLServer
> SimpleSSLServer running on port 4915
>
> Client:
>
> $ keytool -import -keystore truststore/cacerts -alias trustca -file demoCA/cacert.pem
>
> $ java -Djavax.net.ssl.trustStore=/cygdrive/c/eclipse-SDK-2.1.1-win32/eclipse/workspace/xacml/truststore/cacerts -Djavax.net.ssl.trustStorePassword=changeit CACustomKeyStoreClient
> Connection failed: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: No trusted certificate found
>
> Is there something wrong with my setting?
>
>
> CASSLServer.java
>
> import javax.net.ssl.*;
> import java.security.cert.*;
> import java.io.*;
>
> /**
>  * A very simple server which accepts SSL connections, and displays
>  * text sent through the SSL socket on stdout. The server requires
>  * client authentication.
>  * Listens on port 49152 by default, configurable with "-port" on the
>  * command-line.
>  * The server needs to be stopped with Ctrl-C.
>  */
> public class CASSLServer extends Thread
> {
>     private static final int DEFAULT_PORT=49152;
>
>     private SSLServerSocketFactory serverSocketFactory;
>     private int port;
>
>     /**
>      * main() method, called when run from the command-line. Deals with
>      * command-line parameters, then starts listening for connections
>      */
>     public static void main(String args[])
>     {
>         int port=DEFAULT_PORT;
>
>         // Parse command-line arguments
>         boolean parseFailed=false;
>         try {
>             for (int i=0; i<args.length; i++) {
>                 String arg=args[i].trim().toUpperCase();
>
>                 // Only the "-port" argument is supported
>                 if (arg.equals("-PORT")) port=Integer.parseInt(args[++i]);
>                 else parseFailed=true;
>             }
>         }
>         catch(Exception e) {
>             // Something went wrong with the command-line parse.
>             // A real application would issue a good error message;
>             // we'll just display our usage.
>             parseFailed=true;
>         }
>
>         if (parseFailed) {
>             displayUsage();
>         }
>         else {
>             // The command-line parse succeeded.
>             // Construct a new instance of SimpleSSLServer based around the
>             // default SSLServerSocketFactory and start it up.
>             SSLServerSocketFactory ssf=
>                 (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
>             CASSLServer server=new CASSLServer(ssf, port);
>             server.start();
>         }
>     }
>
>     /** Displays the command-line usage for Si
question about TLS bytestream order
Hi all,

I'd like to know which spec specifies the byte order for the TLS data stream? For example, in section A.1 (Record Layer) of RFC 2246, it shows the ProtocolVersion before the ContentType. But OpenSSL seems to send the value of the ContentType before the value of the ProtocolVersion in the ClientHello request.

Could anyone point me to a spec in which I can find the exact byte order (the sequence in which data is written from a structure to the TCP pipe) for the TLS data stream?

Thank you,
weijun
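As an added example, not part of weijun's post: a parser for the TLS record header and the handshake header in the order they are written to the wire, which is ContentType first (RFC 2246 section 6.2.1, with multi-byte integers big-endian per section 4.1), matching what OpenSSL sends. The nine sample bytes are constructed for the example, not taken from a capture.

```c
#include <stddef.h>
#include <stdint.h>
/* Wire layout of the record header (RFC 2246 section 6.2.1): ContentType,
 * ProtocolVersion major/minor, uint16 length; integers are big-endian. */
struct tls_record_hdr { uint8_t type, ver_major, ver_minor; uint16_t length; };

/* Handshake header inside a handshake record (section 7.4): HandshakeType, then a uint24 body length. */
struct tls_hs_hdr { uint8_t msg_type; uint32_t length; };

/* Returns 5 (bytes consumed) or 0 if the input is short or the length
 * exceeds the TLSCiphertext maximum of 2^14 + 2048. */
size_t parse_record_header(const uint8_t *buf, size_t len, struct tls_record_hdr *h)
{
    if (len < 5)
        return 0;
    h->type = buf[0];                                 /* byte 0: ContentType */
    h->ver_major = buf[1];                            /* bytes 1-2: ProtocolVersion */
    h->ver_minor = buf[2];
    h->length = (uint16_t)((buf[3] << 8) | buf[4]);   /* bytes 3-4: length */
    return h->length > 16384 + 2048 ? 0 : 5;
}

/* Returns 4 on success, 0 if fewer than four bytes are available. */
size_t parse_handshake_header(const uint8_t *buf, size_t len, struct tls_hs_hdr *h)
{
    if (len < 4)
        return 0;
    h->msg_type = buf[0];
    h->length = ((uint32_t)buf[1] << 16) | ((uint32_t)buf[2] << 8) | buf[3];
    return 4;
}

/* Constructed sample, not a real capture: the first nine bytes of a TLS 1.0
 * ClientHello record: type 22 (handshake), version 3.1, record length 47,
 * then handshake type 1 (client_hello) with a 43-byte body. */
static const uint8_t SAMPLE[] = { 0x16, 0x03, 0x01, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x2b };

/* Returns 1 if SAMPLE parses as a ClientHello whose record length equals
 * the 4-byte handshake header plus the handshake body, 0 otherwise. */
int sample_is_client_hello(void)
{
    struct tls_record_hdr rec;
    struct tls_hs_hdr hs;
    size_t n = parse_record_header(SAMPLE, sizeof SAMPLE, &rec);
    if (n == 0 || rec.type != 22 || rec.ver_major != 3 || rec.ver_minor != 1)
        return 0;
    if (parse_handshake_header(SAMPLE + n, sizeof SAMPLE - n, &hs) == 0)
        return 0;
    return hs.msg_type == 1 && rec.length == hs.length + 4;
}
```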
Re: Suggestions for the password storing
In a user's brain.

Any file that is readable by the system is, well, readable, and therefore is only as secure as the OS can make it.

On OS X you could use the Keychain Services to store your password in an encrypted database, available via an API. This is available as Open Source if you're interested.
http://www.opensource.apple.com/

Alternatively, you can use Bruce Schneier's Password Safe. I'm not sure it has an API, though.
http://www.schneier.com/passsafe.html

On Aug 9, 2004, at 2:21 PM, Carlos Roberto Zainos H wrote:
> Hi team!!
> I have a "big" question: where is an appropriate place to store the encryption
> password of the private key? I mean, the security of the priv key is based on
> the password with which it is encrypted (PKCS#1), so where would be a safe place
> to put this pwd on the client's computer (Windows environment)???
> Thanks in advance.
> Zainos