Re: Removing passphrase for Apache server

2004-09-08 Thread Torsten Foertsch
On Tuesday 07 September 2004 19:53, Joe DeBattista wrote:
> Hi,
> I sent a query last week about removing a passphrase from an Apache
> server I have set up with openssl-0.9.7d and compiled with the gcc
> compiler. I thought I'd provide a little more information.  When I try to
> remove the passphrase, it says I need a minimum of 4 characters in the
> passphrase.  Is this something in this version of openssl, as I don't
> remember having this requirement with earlier versions?  I generated the
> key with
>
> $openssl genrsa -des3 -rand randfile1:randfile2:randfile3 1024 > \
> /usr/local/apache2/conf/ssl.key/server.key
>
> I made a copy of server.key to server.bak and then tried the following
> command to redo the passphrase and get the following:
>
> # /usr/local/ssl/bin/openssl rsa -in server.bak -out server.key
> Enter pass phrase for server.bak:
> 21202:error:28069065:lib(40):UI_set_result:result too
> small:ui_lib.c:847:You must type in 4 to 4095 characters
>
> Is there a way around this?

Something like that:

openssl genrsa -passout pass: -des3 -rand randfile1:randfile2:randfile3 1024 | 
openssl rsa -passin pass: -out /usr/local/apache2/conf/ssl.key/server.key

Torsten
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Some X509 fields appear garbaged under IE

2004-09-08 Thread Dominique Blas
Hi,
I'm coming with a strange phenomenon about which I didn't find any
answer on the Net (using keywords like garbage, IE, openssl).

I've been using X509 certificates for a couple of years, but that was for
VPN software.
These are no less strict than browsers, but this phenomenon didn't seem
to disturb them, nor did it disturb Firefox or Lynx.
Indeed, I already saw this behaviour last year but it didn't annoy me.
Today, it becomes really annoying because this forbids access to my
webmail when using IE on Macintosh, for example.
So I'd like to know what's going on.

Well, this behaviour can be described as follows:
IE "sees" a few X509 fields in a binary form instead of as a simple string.
It concerns subject, issuer, altsubject, etc.

Truly speaking, if I have:
   CN=mail.toot.com, OU=toot, O=toot, C=FR
IE sees:
   CN=0C0D 6D61 696C 2C74 6F6F 742C 636F 6D
   OU=0C04 746F 6F74
   O=0C04 746F 6F74
   C=FR
That is to say that it adds the char 12 (0xC) followed by the string length.
One could say that IE can do whatever it wants, but the problem is that
this browser doesn't recognize the site (whose URL is in the CN part)
because it keeps only the part that represents, for it, a string, that is
to say the C=FR part. And, of course, FR is different from mail.toot.net

I tried a few things like modifying the hash algorithm, the DN: no way.
I have other certificates that IE "sees" correctly, but it is impossible to
find the difference.

The same certificate seen under openssl or Firefox is correct.
If someone has an idea, it is welcome,
Best,
db
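
The byte pattern quoted in the message above (0x0C, then a length, then the text) is the DER encoding of an ASN.1 UTF8String. The following C sketch is an added example, not code from the thread or from OpenSSL; the function names are hypothetical, the OU bytes are taken from the post, and the PrintableString sample is constructed for comparison.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASN.1 universal tag -> string type name; NULL if not a handled string type. */
const char *asn1_string_type(uint8_t tag) {
    switch (tag) {
    case 0x0C: return "UTF8String";
    case 0x13: return "PrintableString";
    case 0x14: return "T61String";
    case 0x16: return "IA5String";
    default:   return NULL;
    }
}

/* Decode one string TLV: copy the raw content bytes into out (NUL-terminated)
 * and return the type name. Returns NULL for a non-string tag, a truncated
 * buffer, or content that does not fit in out. */
const char *der_decode_string(const uint8_t *der, size_t der_len,
                              char *out, size_t out_size) {
    if (der_len < 2) return NULL;
    const char *type = asn1_string_type(der[0]);
    if (type == NULL) return NULL;
    size_t len = der[1], hdr = 2;
    if (len & 0x80) {              /* long form: low 7 bits count length bytes */
        size_t n = len & 0x7F;
        if (n == 0 || n > 2 || der_len < 2 + n) return NULL;
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | der[2 + i];
        hdr += n;
    }
    if (len > der_len - hdr || len >= out_size) return NULL;
    memcpy(out, der + hdr, len);
    out[len] = '\0';
    return type;
}

/* OU value exactly as quoted in the post: 0C04 746F 6F74 */
static const uint8_t OU_FROM_POST[] = {0x0C, 0x04, 0x74, 0x6F, 0x6F, 0x74};
/* Constructed for comparison (assumption): "FR" encoded as a PrintableString */
static const uint8_t C_CONSTRUCTED[] = {0x13, 0x02, 0x46, 0x52};

int main(void) {
    char buf[64] = "";
    const char *t = der_decode_string(OU_FROM_POST, sizeof OU_FROM_POST, buf, sizeof buf);
    printf("OU: %s \"%s\"\n", t ? t : "?", buf);
    t = der_decode_string(C_CONSTRUCTED, sizeof C_CONSTRUCTED, buf, sizeof buf);
    printf("C:  %s \"%s\"\n", t ? t : "?", buf);
    return 0;
}
```

When generating requests with OpenSSL, the `string_mask` setting in the `[ req ]` section of the configuration file selects which of these string types are used for DN fields.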


Re: Certificate expired error

2004-09-08 Thread Joseph Bruni
Use the "openssl x509 -dates" option to view the actual dates in the 
certificate.
Also check your system clock.

On Sep 7, 2004, at 5:09 PM, Edward Chan wrote:
> Hi there,
> I had created a certificate to test with using OpenSSL.  It is
> supposed to expire in Aug. 2005.  I have been using it for the past
> few weeks.  Then all of a sudden, I'm getting "sslv3 alert certificate
> expired" from SSL_accept().
>
> What's going on?
> Thanks,
> Ed


Re: Error during Cert Request

2004-09-08 Thread Joseph Bruni
The text database used by the openssl ca command can only allow one 
certificate per subject. If you need to issue another certificate with 
the exact same subject, revoke the previous certificate first, even if 
the earlier certificate has expired.

On Sep 7, 2004, at 3:03 PM, Areg Alimian wrote:
> I’m using the OpenSSL Certificate Authority to generate X.509 v3 certs
> for TLS Client Authentication.  After creating the CA Root cert and
> the private key, I generate a certificate request and then issue the
> command to get it signed by the CA.  At this point I get the following
> error:
>
> 780:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=unique_subject
>
> Could anyone please help me understand what this refers to.
>
> Thank you!
>
> -Areg


setting CA certificate expiration to more than 30 days through conf file

2004-09-08 Thread IB
I'd like to create my own CA certificate that will last for more than 30
days.
I tried to add the default_days attribute to the [ req ] section, but this
attribute never gets applied. However, if I set "-days" through the CLI
(command line), everything works fine.

Any thoughts? hints?






Re: Error during Cert Request

2004-09-08 Thread Dr. Stephen Henson
On Wed, Sep 08, 2004, Joseph Bruni wrote:

> The text database used by the openssl ca command can only allow one 
> certificate per subject. If you need to issue another certificate with 
> the exact same subject, revoke the previous certificate first, even if 
> the earlier certificate has expired.
> 
> 

The latest versions can issue multiple certificates with the same subject
using the unique_subject option.

Back to the OP query...

> On Sep 7, 2004, at 3:03 PM, Areg Alimian wrote:
> 
> > I’m using the OpenSSL Certificate Authority to generate X.509 v3 certs
> > for TLS Client Authentication.  After creating the CA Root cert and
> > the private key, I generate a certificate request and then issue the
> > command to get it signed by the CA.  At this point I get the following
> > error:
> >
> > 780:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=unique_subject
> >
> > Could anyone please help me understand what this refers to.
> >

This is a bug in OpenSSL 0.9.7d, please try the latest 0.9.7-stable snapshot.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: setting CA certificate expiration to more than 30 days through conf file

2004-09-08 Thread Joseph Bruni
The default_days in the REQ section doesn't do anything since a 
certificate request doesn't expire. The default_days is used in the CA 
section when making a certificate from a request.

On Sep 8, 2004, at 5:29 PM, IB wrote:
> I'd like to create my own CA certificate that will last for more than 30
> days.
> I tried to add the default_days attribute to the [ req ] section, but this
> attribute never gets applied. However, if I set "-days" through the CLI
> (command line), everything works fine.
>
> Any thoughts? hints?



Re: setting CA certificate expiration to more than 30 days through conf file

2004-09-08 Thread Dr. Stephen Henson
On Wed, Sep 08, 2004, IB wrote:

> I'd like to create my own CA certificate that will last for more than 30
> days.
> I tried to add the default_days attribute to the [ req ] section, but this
> attribute never gets applied. However, if I set "-days" through the CLI
> (command line), everything works fine.
> 

If you mean "openssl req -x509" then there isn't currently an option to change
the default number of days in the configuration file: only on the command
line.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: Certificate expired error

2004-09-08 Thread Edward Chan
It says 2005, and my system clock is fine.  But it seems to expire after 30
days.  

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Bruni
> Sent: Wednesday, September 08, 2004 3:54 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Certificate expired error
> 
> Use the "openssl x509 -dates" option to view the actual dates 
> in the certificate.
> Also check your system clock.
> 
> 
> On Sep 7, 2004, at 5:09 PM, Edward Chan wrote:
> 
> > Hi there,
> >
> > I had created a certificate to test with using OpenSSL.  It is 
> > supposed to expire in Aug. 2005.  I have been using it for the past 
> > few weeks.  Then all of a sudden, I'm getting "sslv3 alert certificate
> > expired" from SSL_accept().
> >
> > What's going on?
> >
> > Thanks,
> > Ed
> 


RE: Light AES

2004-09-08 Thread Roberto Gallo
Hi
You should try an 8-bit microcontroller driven implementation.
However, even on these platforms (e.g. 8051), the addressing overhead plus
the tables is smaller than the overhead of a function call plus the function
itself. That note applies to the S-Tables, Inv-S-Tables and the XTime
function alike. All those considerations refer to a C implementation.

Regards,
Roberto Gallo
Original Message Follows
From: Joe smith <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Light AES
Date: Wed, 8 Sep 2004 12:00:52 -0700 (PDT)
Hi,
Does any one know where I can find the AES slow/light version wherein there 
are no static tables and hence we have to generate our own tables. I think 
bouncycastle has 3 versions of AES but I want it in C. I am looking for the 
slowest version but with a small footprint.

Thanks,
Joe
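
As an added illustration of the table-free variant asked about in this thread (not code from either poster or from OpenSSL), the following C sketch computes the AES S-box and inverse S-box at run time from the GF(2^8) inverse and the affine transform, using an `xtime` helper. All function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiply by {02} in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 ("xtime"). */
static uint8_t xtime(uint8_t a) {
    return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0x00));
}

/* Shift-and-add multiplication in GF(2^8), built on xtime. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        if (b & 1) r ^= a;
        a = xtime(a);
        b >>= 1;
    }
    return r;
}

/* Multiplicative inverse as a^254; 0 maps to 0, as the S-box requires. */
static uint8_t gf_inv(uint8_t a) {
    uint8_t r = 1;
    for (int i = 0; i < 254; i++) r = gf_mul(r, a);
    return r;
}

static uint8_t rotl8(uint8_t x, int n) {
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* One S-box entry: field inverse followed by the AES affine transform. */
static uint8_t sbox_entry(uint8_t x) {
    uint8_t q = gf_inv(x);
    return (uint8_t)(q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63);
}

/* Fill both tables in RAM at start-up instead of storing 512 constant bytes. */
void aes_build_tables(uint8_t sbox[256], uint8_t inv_sbox[256]) {
    for (int i = 0; i < 256; i++) {
        uint8_t s = sbox_entry((uint8_t)i);
        sbox[i] = s;
        inv_sbox[s] = (uint8_t)i;
    }
}

int main(void) {
    uint8_t sbox[256], inv_sbox[256];
    aes_build_tables(sbox, inv_sbox);
    printf("S[53]=%02x InvS[ed]=%02x\n", sbox[0x53], inv_sbox[0xed]);
    return 0;
}
```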


RE: setting CA certificate expiration to more than 30 days through conf file

2004-09-08 Thread IB
Hmm, I am not sure if I explained my dilemma correctly. Let me jump onto
CLI, maybe it will make more sense that way:

#create a new CA cert
openssl req -x509 -newkey rsa -keyout ca_key.pam -keyform PEM -out ca_cert.pem -outform PEM -config 

#create a new server cert
openssl req -newkey rsa -keyout serv_key.pam -keyform PEM -out serv_cert_tmp.pem -outform PEM -config 

#sign server certificate
openssl ca -in serv_cert_tmp.pem -out serv_cert.pem -cert ca_cert.pem -keyfile ca_key.pem -config 

after these steps I am left with

ca_cert.pem and serv_cert.pem of which ca_cert expires after 30 days
(because of the problem I described)

--SNIP OF THE CONFIG
prompt                 = no
[ ca ]
default_ca             = infobloxca    # The default ca section
[ infobloxca ]
default_crl_days       = 30            # how long before next CRL
default_md             = md5           # which md to use.
preserve               = no            # keep passed DN ordering
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
default_days           = 365
x509_extensions        = v3_ca
policy                 = policy_anything

[ req ]
prompt                 = no
default_keyfile        = rsa_key.pem
distinguished_name     = req_distinguished_name
x509_extensions        = v3_ca
string_mask            = nombstr
default_bits           = 2048
default_days           = 365   <--- this one is never applied

>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] Behalf Of Joseph Bruni
>Sent: Wednesday, September 08, 2004 4:33 PM
>To: [EMAIL PROTECTED]
>Subject: Re: setting CA certificate expiration to more than 30 days
>through conf file
>
>
>The default_days in the REQ section doesn't do anything since a
>certificate request doesn't expire. The default_days is used in the CA
>section when making a certificate from a request.
>
>
>On Sep 8, 2004, at 5:29 PM, IB wrote:
>
>> I'd like to create my own CA certificate that will last for more than 30
>> days.
>> I tried to add the default_days attribute to the [ req ] section, but this
>> attribute never gets applied. However, if I set "-days" through the CLI
>> (command line), everything works fine.
>>
>> Any thoughts? hints?


RE: setting CA certificate expiration to more than 30 days through conf file

2004-09-08 Thread IB
That is what I meant, thank you!

>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
>Sent: Wednesday, September 08, 2004 4:36 PM
>To: [EMAIL PROTECTED]
>Subject: Re: setting CA certificate expiration to more than 30 days
>through conf file
>
>
>On Wed, Sep 08, 2004, IB wrote:
>
>> I'd like to create my own CA certificate that will last for more than 30
>> days.
>> I tried to add the default_days attribute to the [ req ] section, but this
>> attribute never gets applied. However, if I set "-days" through the CLI
>> (command line), everything works fine.
>>
>
>If you mean "openssl req -x509" then there isn't currently an option to
>change the default number of days in the configuration file: only on the
>command line.
>
>Steve.
>--
>Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>OpenSSL project core developer and freelance consultant.
>Funding needed! Details on homepage.
>Homepage: http://www.drh-consultancy.demon.co.uk


Re: Certificate expired error

2004-09-08 Thread Joseph Bruni
Perhaps the issuer's certificate expired? (Assuming it's not a 
self-signed cert.)


On Sep 8, 2004, at 5:53 PM, Edward Chan wrote:
> It says 2005, and my system clock is fine.  But it seems to expire
> after 30 days.
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Joseph Bruni
> > Sent: Wednesday, September 08, 2004 3:54 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Certificate expired error
> >
> > Use the "openssl x509 -dates" option to view the actual dates
> > in the certificate.
> > Also check your system clock.
> >
> > On Sep 7, 2004, at 5:09 PM, Edward Chan wrote:
> >
> > > Hi there,
> > >
> > > I had created a certificate to test with using OpenSSL.  It is
> > > supposed to expire in Aug. 2005.  I have been using it for the past
> > > few weeks.  Then all of a sudden, I'm getting "sslv3 alert certificate
> > > expired" from SSL_accept().
> > >
> > > What's going on?
> > >
> > > Thanks,
> > > Ed