Re: openssl reads client cert. error when no client cert. required

2004-08-09 Thread Dr. Stephen Henson
On Mon, Aug 09, 2004, Yan Zhou wrote:

> I was not using a browser, I am writing a client using JSSE to make web
> service calls. And I only see this error once in a while. That does not
> sound like the issue with SGC?
> 

Well the other possibility is that the client sometimes prematurely closes the
connection part way through the handshake. You could try ssldump to see if that
gives some similar result.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Suggestions for the password storing

2004-08-09 Thread Carlos Roberto Zainos H


Hi team!!
I have a "big" question: where is an appropriate place to store the encryption password of the private key? I mean, the security of the priv key is based on the password with which it is encrypted (PKCS#1), so where would be a safe place to put this pwd on the client's computer (Windows environment)???
Thanks in advance.
Zainos

RE: Suggestions for the password storing

2004-08-09 Thread David Schwartz

> Hi team!!
> I have a "big" question: where is an appropriate place to store the
> encryption password of the private key? I mean, the security of the
> priv key is based on the password with which it is encrypted (PKCS#1),
> so where would be a safe place to put this pwd on the client's
> computer (Windows environment)???

It totally depends upon your application and threat model. There's no
generic answer.

DS




Random number seed in RSA

2004-08-09 Thread Joe smith
Hi,
I have a snippet that encrypts/decrypts using RSA. 
 

#include <stdio.h>
#include <stdlib.h>
#include <openssl/rsa.h>
// RSATest: Program illustrating Simple RSA Encryption/Decryption
int main()
{
char *plain="Sample text"; //Sample text (plain text) to Encrypt/Decrypt
char *ciphertext;
char *plain1;
int enclen,i,declen;
printf("%s\n",plain);

// Generate RSA key
RSA *rsa1= RSA_generate_key(1024,65537,NULL,NULL);
// RSA_size() will determine how much memory must be allocated for an RSA encrypted value
ciphertext = (char *)malloc(RSA_size(rsa1));
printf("RSA size %d\n",RSA_size(rsa1));

// Release the buffer and the key
free(ciphertext);
RSA_free(rsa1);
return 0;
}
 
I am using Cygwin. My question is this: where and how do I seed the random number generator?
Thanks,
Joe
 

Re: mutual authentication

2004-08-09 Thread Tan Eng Ten
I think this is OpenSSL's mailing list and not JSSE :)

Anyway, my quick guess is probably you need to add the "-trustcacert"
option when doing the Java's keytool import.

Cheers

[EMAIL PROTECTED] wrote:
> Hi!
>
> I have the following problem in mutual authentication.
>
> Connection failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
>
> At first, I created key and certification as follows.
>
> -
>
> 1. Create CA Authority Key using SSL
> openssl genrsa -out ca.key 1024
>
> 2. Create self-signed CA Certificate
> openssl req -new -x509 -key ca.key -out demoCA/cacert.pem
>
> 3. Create Client Keystore
> keytool -genkey -alias clientapp -keystore clientkeys
>
> 4. Create Server Keystore
> keytool -genkey -alias serverapp -keystore serverkeys
>
> 5. Export public keys from Client and Server keystores
> keytool -keystore clientkeys -certreq -alias clientapp -file clientapp.crs
> keytool -keystore serverkeys -certreq -alias serverapp -file serverapp.crs
>
> 6. Sign both public keys with CA Authority key
> openssl ca -in clientapp.crs -out clientapp.pem -keyfile ca.key
> openssl ca -in serverapp.crs -out serverapp.pem -keyfile ca.key
>
> 7. Convert signed keys to DER format
> openssl x509 -in clientapp.pem -out clientapp.der -outform DER
> openssl x509 -in serverapp.pem -out serverapp.der -outform DER
>
> 8. Import CA certificate to Client and Server keystores
> keytool -keystore clientkeys -alias systemca -import -file demoCA/cacert.pem
> keytool -keystore serverkeys -alias systemca -import -file demoCA/cacert.pem
>
> 9. Import signed key to Client keystore
> keytool -keystore clientkeys -alias clientapp -import -file clientapp.der
>
> 10. Import signed key to Server keystore
> keytool -keystore serverkeys -alias serverapp -import -file serverapp.der
>
>
> Then, I executed programs.
>
> Server:
>
> $ java -Djavax.net.ssl.keyStore=serverkeys -Djavax.net.ssl.keyStorePassword=password CASSLServer
> SimpleSSLServer running on port 4915
>
> Client:
>
> $ keytool -import -keystore truststore/cacerts -alias trustca -file demoCA/cacert.pem
>
> $ java -Djavax.net.ssl.trustStore=/cygdrive/c/eclipse-SDK-2.1.1-win32/eclipse/workspace/xacml/truststore/cacerts -Djavax.net.ssl.trustStorePassword=changeit CACustomKeyStoreClient
> Connection failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
>
> Is there something wrong with my settings?
>
>
> CASSLServer.java--
>
> import javax.net.ssl.*;
> import java.security.cert.*;
> import java.io.*;
>
> /**
>  * A very simple server which accepts SSL connections, and displays
>  * text sent through the SSL socket on stdout. The server requires
>  * client authentication.
>  * Listens on port 49152 by default, configurable with "-port" on the
>  * command-line.
>  * The server needs to be stopped with Ctrl-C.
>  */
> public class CASSLServer extends Thread
> {
>   private static final int DEFAULT_PORT=49152;
>
>   private SSLServerSocketFactory serverSocketFactory;
>   private int port;
>
>   /**
>    * main() method, called when run from the command-line. Deals with
>    * command-line parameters, then starts listening for connections
>    */
>   public static void main(String args[])
>   {
>     int port=DEFAULT_PORT;
>
>     // Parse command-line arguments
>     boolean parseFailed=false;
>     try {
>       for (int i=0; i<args.length; i++) {
>         String arg=args[i].trim().toUpperCase();
>
>         // Only the "-port" argument is supported
>         if (arg.equals("-PORT")) port=Integer.parseInt(args[++i]);
>         else parseFailed=true;
>       }
>     }
>     catch(Exception e) {
>       // Something went wrong with the command-line parse.
>       // A real application would issue a good error message;
>       // we'll just display our usage.
>       parseFailed=true;
>     }
>
>     if (parseFailed) {
>       displayUsage();
>     }
>     else {
>       // The command-line parse succeeded.
>       // Construct a new instance of SimpleSSLServer based around the
>       // default SSLServerSocketFactory and start it up.
>       SSLServerSocketFactory ssf=
>         (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
>       CASSLServer server=new CASSLServer(ssf, port);
>       server.start();
>     }
>   }
>
>   /** Displays the command-line usage for Si

question about TLS bytestream order

2004-08-09 Thread weijun jiang
Hi all,

I like to know which spec specifies the
byte order for the TLS data stream?
For example, in the section A.1 (Record Layer) of RFC 2246, it 
shows the ProtocolVersion before the ContentType. But
the openSSL seems sending the value of the ContentType
before the value of ProtocolVersion in the ClientHello 
request. Could anyone point me to a spec which I can find the exact
byte order (the sequence to write data from a structure to 
the tcp pipe) for the TLS data stream?

thank you,

weijun
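The wire order the question asks about, as an added example that is neither weijun's code nor OpenSSL's: a parser and serializer for the five-byte TLS record header. RFC 2246's presentation language (section 4) serializes a struct's fields in declaration order with multi-byte integers most significant byte first, so for TLSPlaintext (section 6.2.1) the ContentType byte goes out first, then the two ProtocolVersion bytes, then the two-byte length, which is the order OpenSSL emits (A.1 merely lists the ProtocolVersion type definition before the ContentType enum). The sample bytes are constructed. On the receiving side the length field is peer-controlled, so the parser validates it before any caller uses it to size a buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a TLS record header (RFC 2246 section 6.2.1, TLSPlaintext):
 *   offset 0    ContentType     (20 change_cipher_spec, 21 alert,
 *                                22 handshake, 23 application_data)
 *   offset 1-2  ProtocolVersion (major, minor; TLS 1.0 is 3,1)
 *   offset 3-4  length          (uint16, network byte order)
 * followed by `length` bytes of fragment. */
#define TLS_RECORD_HEADER_LEN 5
/* Upper bound for a received fragment: 2^14 plaintext plus up to 2048 bytes
 * of MAC and padding once encrypted (RFC 2246 section 6.2.3). */
#define TLS_MAX_CIPHERTEXT_LEN (16384 + 2048)

enum tls_content_type {
    TLS_CT_CHANGE_CIPHER_SPEC = 20,
    TLS_CT_ALERT = 21,
    TLS_CT_HANDSHAKE = 22,
    TLS_CT_APPLICATION_DATA = 23
};

struct tls_record_header {
    uint8_t  content_type;
    uint8_t  version_major;
    uint8_t  version_minor;
    uint16_t length;
};

/* Parse one record header. Returns 5 (bytes consumed) on success, 0 if buflen
 * is too short to hold a header, -1 if the header is malformed. *out is only
 * written on success, so a rejected header never leaks partial values. */
static int tls_parse_record_header(const uint8_t *buf, size_t buflen,
                                   struct tls_record_header *out)
{
    struct tls_record_header hdr;

    if (buflen < TLS_RECORD_HEADER_LEN)
        return 0;
    hdr.content_type  = buf[0];
    hdr.version_major = buf[1];
    hdr.version_minor = buf[2];
    hdr.length        = (uint16_t)(((uint16_t)buf[3] << 8) | buf[4]);  /* big-endian */
    if (hdr.content_type < TLS_CT_CHANGE_CIPHER_SPEC ||
        hdr.content_type > TLS_CT_APPLICATION_DATA)
        return -1;
    if (hdr.length > TLS_MAX_CIPHERTEXT_LEN)   /* peer-supplied; validate before use */
        return -1;
    *out = hdr;
    return TLS_RECORD_HEADER_LEN;
}

/* Serialize a header in the same wire order: this is the sequence in which
 * the fields leave the structure and are written to the TCP stream. */
static int tls_write_record_header(const struct tls_record_header *h,
                                   uint8_t *buf, size_t buflen)
{
    if (buflen < TLS_RECORD_HEADER_LEN)
        return 0;
    buf[0] = h->content_type;
    buf[1] = h->version_major;
    buf[2] = h->version_minor;
    buf[3] = (uint8_t)(h->length >> 8);
    buf[4] = (uint8_t)(h->length & 0xff);
    return TLS_RECORD_HEADER_LEN;
}

/* Constructed sample: the first bytes of a TLS 1.0 record carrying a
 * ClientHello. 0x16 = handshake, 0x03 0x01 = version 3.1, 0x00 0x2f = 47-byte
 * fragment, then the fragment begins with handshake type 0x01 (client_hello)
 * and its own 3-byte length (43). */
static const uint8_t SAMPLE_CLIENT_HELLO_RECORD[] = {
    0x16, 0x03, 0x01, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x2b
};

int main(void)
{
    struct tls_record_header h;
    int n = tls_parse_record_header(SAMPLE_CLIENT_HELLO_RECORD,
                                    sizeof SAMPLE_CLIENT_HELLO_RECORD, &h);
    if (n != TLS_RECORD_HEADER_LEN)
        return 1;
    printf("type=%u version=%u.%u length=%u\n",
           h.content_type, h.version_major, h.version_minor, h.length);
    return 0;
}
```

Running it on the sample prints `type=22 version=3.1 length=47`, i.e. the ContentType is the first byte on the wire. A capture tool such as ssldump or a packet sniffer will show the same five bytes in that order at the start of every record.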





Re: Suggestions for the password storing

2004-08-09 Thread Joseph Bruni
In a user's brain. Any file that is readable by the system is, well, 
readable, and therefore only as secure as the OS can make it.

On OS X you could use the Keychain Services to store your password in 
an encrypted database, available via an API. This is available as Open 
Source if you're interested.

http://www.opensource.apple.com/
Alternatively, you can use Bruce Schneier's Password Safe. I'm not sure 
it has an API, though.

http://www.schneier.com/passsafe.html

On Aug 9, 2004, at 2:21 PM, Carlos Roberto Zainos H wrote:
> Hi team!!
> I have a "big" question: where is an appropriate place to store the
> encryption password of the private key? I mean, the security of the
> priv key is based on the password with which it is encrypted (PKCS#1),
> so where would be a safe place to put this pwd on the client's
> computer (Windows environment)???
>
> Thanks in advance.
> Zainos