Re: Key generation question

2004-09-09 Thread Steve Hay
Steve Hay wrote:

El hallabi-Kettani Abderrahmane wrote:

  

the function PKCS5_v2_PBE_keyivgen() exists in version
openssl0.7.9d in directory
openssl/crypto/evp/p5_crypt.c
it corresponds to what you want to do.



If you'd read my mail properly, you'd see that I'd already found that 
function.

The problem is that it only exists in 0.9.4 and above, and I was looking 
for a way to do this (and/or wondering if I need to do this at all) in 
earlier versions as well.

It occurs to me that I can make use of PKCS5_v2_PBE_keyivgen() for 
0.9.4+, and just use EVP_BytesToKey() for earlier versions -- the fact 
that the latter doesn't support non-default key lengths isn't a problem 
because I can't set the key length prior to 0.9.6 anyway!

So my question now is how do I use the (undocumented!) 
PKCS5_v2_PBE_keyivgen() function?  If I understand it correctly from 
looking at the source code, the first three parameters are the cipher 
context to have the generated key+iv set in plus the data and data 
length to generate the key+iv from.  The last two parameters are the 
digest function to use and the encrypt/decrypt mode.

What are the other two parameters for?  Namely, param and cipher in 
the following signature:

int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
                          ASN1_TYPE *param, const EVP_CIPHER *cipher,
                          const EVP_MD *md, int en_de);

I could set the cipher to the cipher function that is already set in 
the ctx, but why doesn't PKCS5_v2_PBE_keyivgen() just use that 
itself?  Am I missing something here?

I've no idea what the ASN1_TYPE *param is, or where to get one from.  I 
had a look at EVP_CIPHER_param_to_asn1(), but it says that the cipher IV 
in the ctx passed to it must be set when the call is made, which seems 
to be a chicken-and-egg problem to me -- I haven't got the cipher IV yet ;)

Any clues how to use PKCS5_v2_PBE_keyivgen() would be greatly appreciated.

- Steve




Radan Computational Ltd.

The information contained in this message and any files transmitted with it are 
confidential and intended for the addressee(s) only.  If you have received this 
message in error or there are any problems, please notify the sender immediately.  The 
unauthorized use, disclosure, copying or alteration of this message is strictly 
forbidden.  Note that any views or opinions presented in this email are solely those 
of the author and do not necessarily represent those of Radan Computational Ltd.  The 
recipient(s) of this message should check it and any attached files for viruses: Radan 
Computational will accept no liability for any damage caused by any virus transmitted 
by this email.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


SV: SV: SV: SV: Signed PKCS#7 without a certificate included ?

2004-09-09 Thread Hellan.Kim KHE
Thank you for your answer.
I don't know OpenSSL that well, so I just wanted to know if I was doing something 
wrong or there were some inconsistencies in the OpenSSL code.
But now that I know it's a bug, I'll try to work around it.

Regards,
Kim

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] on behalf of Dr. Stephen Henson
Sent: 8 September 2004 19:09
To: [EMAIL PROTECTED]
Subject: Re: SV: SV: SV: Signed PKCS#7 without a certificate included ?


On Wed, Sep 08, 2004, Hellan.Kim KHE wrote:

 Any comments on this issue?
 Am I doing something wrong, or is there really an error in the PKCS7_verify() 
 function?
 

I'd thought you could avoid this issue by disabling signature verification and
certificate verification, since then the code won't need a certificate at all.

However due to a bug in the code it still needs a signer's certificate. A
workaround is to supply the correct signer's certificate which it will then
effectively ignore.

I'll commit a fix when I have time to look at this in more detail.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: storing PEM encoded certs in database

2004-09-09 Thread Smith Baylor
Thanks to Eric I found the problem.  It was a simple programming error.

While I had malloced correctly to include an extra byte, I was storing
the null character in the string array incorrectly.  I was doing
cert_data[bio_store_bytes +1] = '\0';

instead of cert_data[bio_store_bytes] = '\0';

Thanks for the help :-)

--Smith

On Wed, 08 Sep 2004 13:29:36 -0700, Eric Meyer [EMAIL PROTECTED] wrote:
 I thought I'd address you directly, instead of the alias...
 
 I am working on an application which does a similar operation. I tried
 to duplicate your problem, but was unable. The only real difference is
 that I find the length via: bio_store_bytes = BIO_get_mem_data (... )
 instead of BIO_pending, but a quick test proved that these two
 functions are returning the same number. While testing this, I compared
 the character count (via wc) of the returned data to the PEM returned,
 to see if they were equal. Have you verified that the count in
 bio_store_bytes is equal to the amount of data to the end of -----END
 CERTIFICATE-----? Does the count include garbage characters which you
 are seeing?
 
 Eric
 
 
 
 On Sep 7, 2004, at 4:02 PM, Smith Baylor wrote:
 
  This is the program snippet:
 
  BIO *mbio;
  int bio_store_bytes;
  unsigned char *cert_data, *cert_data_ptr;
  unsigned char *cert_data_tmp;
 
//create a read/write BIO
mbio = BIO_new(BIO_s_mem());
 
  //Assume x is of X509 type and is a result of X509_sign
PEM_write_bio_X509(mbio, x);
BIO_flush(mbio);
 
bio_store_bytes = BIO_pending(mbio);
BIO_get_mem_data(mbio, (unsigned char *)cert_data_tmp);
cert_data_ptr =
  (unsigned char *) OPENSSL_malloc(bio_store_bytes + 1); /* for \0 */
if (cert_data_ptr != NULL) {
  cert_data = cert_data_ptr;
  strncpy(cert_data, cert_data_tmp, bio_store_bytes);
  for (i = (bio_store_bytes);
   i == strlen(cert_data_tmp);
   i++) {
cert_data[i] = '\0';
  }
  }
BIO_free_all(mbio);
 
  I still see the garbage characters:
  ukOjszaLTZuAFA==
  -END CERTIFICATE-
[EMAIL PROTECTED]
 
  --Smith
 
 
  On Tue, 07 Sep 2004 14:39:19 -0700, Eric Meyer [EMAIL PROTECTED]
  wrote:
  The PEM format is already Base64.
 
  Also, your sample includes characters that are invalid for a Base64
  encoded data, which is explicitly 7 bit safe, so would not include an
  accented character. It looks like your null byte is in the wrong
  place.
  It probably should have come after the = sign.
 
  Eric
 
  On Sep 7, 2004, at 1:12 PM, Smith Baylor wrote:
 
  Hi,
 
  I am using C as the programming language and MySQL as the db.
 
  unsigned char *cert_data;
 
  Instead of storing in PEM format directly, I am storing it in base64
  format - I believe this is safer - feel free to prove me
  otherwise.
 
  Once I store the cert_data value, I also pad this with '\0' - string
  terminator.
 
  I get something like this at the end of the encoding:
  TGZ3am0wTDNjeTN3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
  7HZm
 
  which the db insert or update commands don't like.
 
  /Shivaram
 
 
 
 
 
 
  - Original Message -
  From: Carlos Roberto Zainos H [EMAIL PROTECTED]
  Date: Tue, 7 Sep 2004 12:36:44 -0500 (CDT)
  Subject: Re: storing PEM encoded certs in database
  To: [EMAIL PROTECTED]
 
 
  Hi
  I'm not an expert, but I think that could be some different depending
  on the DBMS and the driver connection being used.
 
  For example, I'm using Oracle DB 10g with ODBC based client
  connection
  to the DB.
 
  I'm storing PEM certificates making a copy of it to a buffer and then
  storing it into the DB via INSERT with the appropriate conversions:
 
  unsigned char cert[2*1024];
  BIO *buf;
 
 
  buf = BIO_new (BIO_s_mem());
  res = PEM_write_bio_X509(buf, xreq);//xreq is the X509 cert
 
  longitud = sizeof(cert);
  res = BIO_read(buf, cert, (int)longitud);
  cert[res]='\0';
  //executing the INSERT via exec_sql_comm(sentence) function, where
  sentence = insert into certificados
  (estadocer,fechacaducidad,numserie,certificado) values
  ('V',to_date('%s','-MM-DD HH24:MI:SS'),'%i','%s'),fecha_cad,
  num_serie, cert)
  Hope this helps.
  Zainos
 
  Smith Baylor [EMAIL PROTECTED] wrote:
 
 
 
  
  

Re: Key generation question

2004-09-09 Thread Dr. Stephen Henson
On Thu, Sep 09, 2004, Steve Hay wrote:

 Steve Hay wrote:
 
 It occurs to me that I can make use of PKCS5_v2_PBE_keyivgen() for 
 0.9.4+, and just use EVP_BytesToKey() for earlier versions -- the fact 
 that the latter doesn't support non-default key lengths isn't a problem 
 because I can't set the key length prior to 0.9.6 anyway!
 
 So my question now is how do I use the (undocumented!) 
 PKCS5_v2_PBE_keyivgen() function?  If I understand it correctly from 
 looking at the source code, the first three parameters are the cipher 
 context to have the generated key+iv set in plus the data and data 
 length to generate the key+iv from.  The last two parameters are the 
 digest function to use and the encrypt/decrypt mode.
 
 What are the other two parameters for?  Namely, param and cipher in 
 the following signature:
 
 int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
                           ASN1_TYPE *param, const EVP_CIPHER *cipher,
                           const EVP_MD *md, int en_de);
 
 I could set the cipher to the cipher function that is already set in 
 the ctx, but why doesn't PKCS5_v2_PBE_keyivgen() just use that 
 itself?  Am I missing something here?
 
 I've no idea what the ASN1_TYPE *param is, or where to get one from.  I 
 had a look at EVP_CIPHER_param_to_asn1(), but it says that the cipher IV 
 in the ctx passed to it must be set when the call is made, which seems 
 to be a chicken-and-egg problem to me -- I haven't got the cipher IV yet ;)
 
 Any clues how to use PKCS5_v2_PBE_keyivgen() would be greatly appreciated.
 

The function itself is intended to be used to generate or supply various
parameters in an appropriate DER structure.

The password based encryption functions are intended to be called via the
EVP_PBE_CipherInit() interface which is very similar to EVP_CipherInit().
The ASN1_TYPE parameter comes from various places depending on the PBE
algorithm in use. For PKCS#5 v2.0 PKCS5_pbe2_set() is used. This is primarily
to allow the PBE stuff to be used in appropriate ASN1 structures.

The IV is generated randomly and included in the structure. Currently there's
no way to supply your own IV but that will be fixed at some point...

Alternatively you can get at the guts of the function by using
PKCS5_PBKDF2_HMAC_SHA1(). Then you have to generate your own salt and pass it
to the function along with the password and iteration count.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


creating a STACK_OF(X509) from a X509 Cert

2004-09-09 Thread Smith Baylor
Hi,

How can you create a STACK_OF(X509) object from a given X509 CA Cert?

X509 *x509ca;
STACK_OF(X509) *ca;

x509ca = ReadX509Cert(file_name);

Now how to populate the ca object with this x509ca object?

Thanks


Re: creating a STACK_OF(X509) from a X509 Cert

2004-09-09 Thread Dr. Stephen Henson
On Thu, Sep 09, 2004, Smith Baylor wrote:

 Hi,
 
 How can you create a STACK_OF(X509) object from a given X509 CA Cert?
 
 X509 *x509ca;
 STACK_OF(X509) *ca;
 
 x509ca = ReadX509Cert(file_name);
 
 Now how to populate the ca object with this x509ca object?
 

There is some old documentation in doc/ssleay.txt in the bit marked
stack.doc.

The STACK_OF(whatever) has the same functionality but then you use different
macro names, specifically sk_whatever_macroname.

So for example you'd use x509ca = sk_X509_new_null() to create the thing and
sk_X509_push() to append X509 (certificate) structures to it.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: creating a STACK_OF(X509) from a X509 Cert

2004-09-09 Thread Smith Baylor
Thanks that helped and worked.

--Smith


On Thu, 9 Sep 2004 15:04:10 +0200, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
 
 
 On Thu, Sep 09, 2004, Smith Baylor wrote:
 
  Hi,
 
  How can you create a STACK_OF(X509) object from a given X509 CA Cert?
 
  X509 *x509ca;
  STACK_OF(X509) *ca;
 
  x509ca = ReadX509Cert(file_name);
 
  Now how to populate the ca object with this x509ca object?
 
 
 There is some old documentation in doc/ssleay.txt in the bit marked
 stack.doc.
 
 The STACK_OF(whatever) has the same functionality but then you use different
 macro names, specifically sk_whatever_macroname.
 
 So for example you'd use x509ca = sk_X509_new_null() to create the thing and
 sk_X509_push() to append X509 (certificate) structures to it.
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


Reloading the CRL

2004-09-09 Thread Ralf Haferkamp
Hi,

I am currently trying to implement CRL checking inside a server. I am now 
facing the problem, that I would like to trigger a reload of the CRL from 
disc if it has been updated, without restarting the server application. How 
can that be done? Is there any possibility to remove a CRL for the X509_STORE, 
and trigger a reload?

How do others solve this problem?

-- 
regards,
Ralf Haferkamp

SUSE LINUX AG, Maxfeldstrasse 5, D-90409 Nuernberg
T: +49-911-74053-0
F: +49-911-74053575 - [EMAIL PROTECTED]


Server attack ?

2004-09-09 Thread Robby
Hello All,

in my server system log (/var/log/messages) I read:
Sep  7 13:05:39 sshd[18706]: Did not receive identification string from \ 
144.16.93.115
Sep  7 14:01:58 sshd[21432]: Connection closed by 144.16.93.115

Does 144.16.93.115 stand in my server about 1 h?
I use OpenSSL/0.9.6h. Do you think it's time to upgrade?

Thank you in advance.
Robby


Re: Key generation question

2004-09-09 Thread Steve Hay
Dr. Stephen Henson wrote:

On Thu, Sep 09, 2004, Steve Hay wrote:

  

I've no idea what the ASN1_TYPE *param is, or where to get one from.  I 
had a look at EVP_CIPHER_param_to_asn1(), but it says that the cipher IV 
in the ctx passed to it must be set when the call is made, which seems 
to be a chicken-and-egg problem to me -- I haven't got the cipher IV yet ;)

Any clues how to use PKCS5_v2_PBE_keyivgen() would be greatly appreciated.




The function itself is intended to be used to generate or supply various
parameters in an appropriate DER structure.

The password based encryption functions are intended to be called via the
EVP_PBE_CipherInit() interface which is very similar to EVP_CipherInit().
The ASN1_TYPE parameter comes from various places depending on the PBE
algorithm in use. For PKCS#5 v2.0 PKCS5_pbe2_set() is used. This is primarily
to allow the PBE stuff to be used in appropriate ASN1 structures.

The IV is generated randomly and included in the structure. Currently there's
no way to supply your own IV but that will be fixed at some point...

I'm afraid I don't know what password based encryption is, so I don't 
know if this is the right thing to even be trying to do.  It doesn't 
sound like what I wanted...

Does the fact that the IV is generated randomly mean that this will be 
no good for encrypting and then later (i.e. with a different IV) 
decrypting some data?  If so, then this is no good anyway.


Alternatively you can get at the guts of the function by using
PKCS5_PBKDF2_HMAC_SHA1(). Then you have to generate your own salt and pass it
to the function along with the password and iteration count.

Sounds a little more hopeful.  Where do I get the salt from?  Would 
randomly generating it lead to the same encryption/decryption problem as 
with the IV above?  Would hard-coding something in the source code 
suffice or is that not advisable?

However, PKCS5_PBKDF2_HMAC_SHA1() only seems to generate a key, not an 
IV, but I already have a key -- it's the IV that I want!

It may be worth taking a step back and reconsidering what I'm trying to 
achieve.  I'm just trying to create a program to encrypt (and later 
decrypt) a plain text file.  The user chooses (or more likely randomly 
generates) a key and specifies this as the key to use when *building* 
the program.

I then discovered that the encryption/decryption functions require an IV 
too, but still don't really know what an IV is...

At the moment I'm trying to generate the IV, and also getting a new key, 
from the key that the user has supplied, and I'm getting lost in all 
sorts of things that I don't understand and wasn't expecting to 
encounter -- passwords, IV's, salt, PKCS#5, etc :(

Is it necessary/advisable to generate a key+IV in this way, or would it 
in fact suffice to have the user supply the IV too and just use the 
given key+IV?

- Steve






Re: Key generation question

2004-09-09 Thread Charles B Cranston
Perhaps one way to think of the IV is that it is part of the key.
That is, the IV and key are used to encrypt, and then the (same) IV
and the (same) key can decrypt.  It's just that if the IV is sent
in clear text (included in the structure...) then it is not secret.
One popular algorithm is to use MD5 to make a 128 bit hash of a
password string, then use 64 bits of it as an IV and the other 64
bits of it as a DES key.  So the IV and the key are innately related.
Of course you could use the first and second 64 bits of an SHA1 hash
just as well.  In these cases, the IV can be regenerated from the
password string at decrypt time, as long as it is the same string :-)
IV is used in cipher block chaining, that is, the output from block
N is used as part of the input for block N+1, and the IV is the
initial shift in at the very beginning:
          clear     clear     clear
         block 1   block 2   block 3
            |         |         |
            v         v         v
         +--+--+   +--+--+   +--+--+
   IV -->| DES +-->| DES +-->| DES +--->
         +--+--+   +--+--+   +--+--+
            |         |         |
            v         v         v
         cipher    cipher    cipher
         block 1   block 2   block 3
You can find a diagram like this in any good book on encryption..
Look under Cipher Block Chaining.  So, given that you are doing
chaining, the IV supplies the startup value for the chain.
Steve Hay wrote:
I then discovered that the encryption/decryption functions require
 an IV too, but still don't really know what an IV is...
--
Charles B (Ben) Cranston
mailto: [EMAIL PROTECTED]
http://www.wam.umd.edu/~zben


problems storing a P12 in base64 format

2004-09-09 Thread Smith Baylor
BIO *mbio, *b64bio, *bio;

mbio = BIO_new(BIO_s_mem());
b64bio = BIO_new(BIO_f_base64());
bio = BIO_push(b64bio, mbio);
int bytes_stored = i2d_PKCS12_bio(bio, p12);
BIO_flush(mbio2);

BIO_get_mem_data(mbio, (unsigned char *)p12_data_tmp); 
p12_data = (unsigned char*)OPENSSL_malloc(bytes_stored + 1);
strncpy(p12_data, p12_data_tmp, bytes_stored);
p12_data[bytes_stored] = '\0';


bytes_stored gives me 4030 bytes, but, when I try to print or save the
p12_data, I am able to get only 3000 bytes and the program stops.
What am I doing wrong?

Thanks in advance
--Smith


Re: Reloading the CRL

2004-09-09 Thread Joseph Bruni
The way I did it was to delete my SSL_CTX and build a new one.
On Sep 9, 2004, at 7:38 AM, Ralf Haferkamp wrote:
Hi,
I am currently trying to implement CRL checking inside a server. I am now
facing the problem, that I would like to trigger a reload of the CRL from
disc if it has been updated, without restarting the server application. How
can that be done? Is there any possibility to remove a CRL for the X509_STORE,
and trigger a reload?

How do others solve this problem?
--
regards,
Ralf Haferkamp
SUSE LINUX AG, Maxfeldstrasse 5, D-90409 Nuernberg
T: +49-911-74053-0
F: +49-911-74053575 - [EMAIL PROTECTED]


Re: Key generation question

2004-09-09 Thread Dr. Stephen Henson
On Thu, Sep 09, 2004, Steve Hay wrote:

 Dr. Stephen Henson wrote:
 
 On Thu, Sep 09, 2004, Steve Hay wrote:
 
   
 
 I've no idea what the ASN1_TYPE *param is, or where to get one from.  I 
 had a look at EVP_CIPHER_param_to_asn1(), but it says that the cipher IV 
 in the ctx passed to it must be set when the call is made, which seems 
 to be a chicken-and-egg problem to me -- I haven't got the cipher IV yet ;)
 
 Any clues how to use PKCS5_v2_PBE_keyivgen() would be greatly appreciated.
 
 
 
 
 The function itself is intended to be used to generate or supply various
 parameters in an appropriate DER structure.
 
 The password based encryption functions are intended to be called via the
 EVP_PBE_CipherInit() interface which is very similar to EVP_CipherInit().
 The ASN1_TYPE parameter comes from various places depending on the PBE
 algorithm in use. For PKCS#5 v2.0 PKCS5_pbe2_set() is used. This is primarily
 to allow the PBE stuff to be used in appropriate ASN1 structures.
 
 The IV is generated randomly and included in the structure. Currently there's
 no way to supply your own IV but that will be fixed at some point...
 
 I'm afraid I don't know what password based encryption is, so I don't 
 know if this is the right thing to even be trying to do.  It doesn't 
 sound like what I wanted...
 

It's one of various standards which convert a password into a key (and sometimes
an IV). For various reasons it is not advisable to use a password directly as
a key.

 
 Alternatively you can get at the guts of the function by using
 PKCS5_PBKDF2_HMAC_SHA1(). Then you have to generate your own salt and pass it
 to the function along with the password and iteration count.
 
 Sounds a little more hopeful.  Where do I get the salt from?  Would 
 randomly generating it lead to the same encryption/decryption problem as 
 with the IV above?  Would hard-coding something in the source code 
 suffice or is that not advisable?
 
 However, PKCS5_PBKDF2_HMAC_SHA1() only seems to generate a key, not an 
 IV, but I already have a key -- it's the IV that I want!
 
 It may be worth taking a step back and reconsidering what I'm trying to 
 achieve.  I'm just trying to create a program to encrypt (and later 
 decrypt) a plain text file.  The user chooses (or more likely randomly 
 generates) a key and specifies this as the key to use when *building* 
 the program.
 
 I then discovered that the encryption/decryption functions require an IV 
 too, but still don't really know what an IV is...
 
 At the moment I'm trying to generate the IV, and also getting a new key, 
 from the key that the user has supplied, and I'm getting lost in all 
 sorts of things that I don't understand and wasn't expecting to 
 encounter -- passwords, IV's, salt, PKCS#5, etc :(
 

How is the key user supplied? Will they just input some human readable
string or generate a random value in some way?

 Is it necessary/advisable to generate a key+IV in this way, or would it 
 in fact suffice to have the user supply the IV too and just use the 
 given key+IV?
 

The IV is an initial value used by some ciphersuites. Unlike the key it is not
sensitive information and can be included along with the message itself.

So you might generate a random IV, write it out to a file, use it to
initialize an encryption context then write out the encrypted data.

At the other end you would read the IV from the file and use that.

A salt is designed to avoid certain attacks on password based encryption.
Specifically if the same password is used multiple times or if the password is
vaguely guessable.

Again you can generate a random value and prepend that to the data. Using a
fixed value removes the protection a salt provides.

Some password based encryption algorithms generate an IV too, others 

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
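
Added example (not part of the original thread and not OpenSSL code): the salt and IV handling described in the reply above, written in Python, whose hashlib.pbkdf2_hmac computes the same PBKDF2-HMAC-SHA1 that PKCS5_PBKDF2_HMAC_SHA1() does. The header layout (salt followed by IV), the lengths, the iteration count and all function names are assumptions made for illustration, and the ciphertext is treated as opaque bytes.

```python
import hashlib
import os

# Assumed parameters, not taken from the thread.
SALT_LEN = 8         # 64-bit salt
IV_LEN = 16          # one block of a 128-bit block cipher
KEY_LEN = 16         # 128-bit key
ITERATIONS = 10000   # PBKDF2 iteration count


def pbkdf2_sha1(password: bytes, salt: bytes, iterations: int, out_len: int) -> bytes:
    """PBKDF2 with HMAC-SHA1: password + salt + iteration count -> key bytes."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, out_len)


def bytes_to_key_md5(password: bytes, salt: bytes, key_len: int, iv_len: int, count: int = 1):
    """Key and IV from the EVP_BytesToKey() construction with MD5.

    D_i = MD5^count(D_(i-1) || password || salt); the key and then the IV are
    cut from D_1 || D_2 || ...  Both depend only on password and salt, so the
    same inputs always give the same key and the same IV.
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.md5(block).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def start_encryption(password: bytes):
    """Pick a fresh random salt and IV; return (header, key, iv).

    The header (salt || IV) is written in clear at the start of the output
    file. Neither value is secret; only the password and derived key are.
    """
    salt = os.urandom(SALT_LEN)
    iv = os.urandom(IV_LEN)
    key = pbkdf2_sha1(password, salt, ITERATIONS, KEY_LEN)
    return salt + iv, key, iv


def start_decryption(password: bytes, file_bytes: bytes):
    """Read salt and IV back from the header; return (key, iv, ciphertext)."""
    header_len = SALT_LEN + IV_LEN
    if len(file_bytes) < header_len:
        raise ValueError("file too short to contain the salt and IV header")
    salt = file_bytes[:SALT_LEN]
    iv = file_bytes[SALT_LEN:header_len]
    key = pbkdf2_sha1(password, salt, ITERATIONS, KEY_LEN)
    return key, iv, file_bytes[header_len:]


def demo():
    """Round-trip the header, then encrypt a second time with the same password."""
    password = b"correct horse"      # constructed sample password
    body = b"<ciphertext bytes>"     # constructed placeholder for cipher output
    header, key, iv = start_encryption(password)
    key2, iv2, rest = start_decryption(password, header + body)
    round_trip_ok = (key, iv, body) == (key2, iv2, rest)
    # A second file gets a new salt, so the same password yields another key.
    _, other_key, _ = start_encryption(password)
    return round_trip_ok, other_key != key


if __name__ == "__main__":
    print(demo())
```

Because the random salt and IV travel in the file header, decryption recovers exactly the values used for encryption, which is why generating them randomly does not prevent later decryption.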


Re: Reloading the CRL

2004-09-09 Thread Dr. Stephen Henson
On Thu, Sep 09, 2004, Ralf Haferkamp wrote:

 Hi,
 
 I am currently trying to implement CRL checking inside a server. I am now 
 facing the problem, that I would like to trigger a reload of the CRL from 
 disc if it has been updated, without restarting the server application. How 
 can that be done? Is there any possibility to remove a CRL for the X509_STORE, 
 and trigger a reload?
 
 How do others solve this problem?
 

The CRL checking in OpenSSL 0.9.7X is a new addition and is currently somewhat
primitive. If you don't want to recreate the SSL_CTX you can alternatively
supply your own method to lookup CRLs by redefining the get_crl callback in
the relevant X509_STORE.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: Key generation question

2004-09-09 Thread Steve Hay
Charles B Cranston wrote:

Perhaps one way to think of the IV is that it is part of the key.
That is, the IV and key are used to encrypt, and then the (same) IV
and the (same) key can decrypt.  

IOW I could hard-code the IV into my source code, or use one supplied by 
the user at build time (as with the key).  As long as they're both the 
same for the encrypt as for the decrypt then it'll work.

(And by the same token, the PKCS5_pbe2_set() function is definitely no 
good for me because the IV won't be the same each time.)

It's just that if the IV is sent
in clear text (included in the structure...) then it is not secret.

I don't think that this is an issue for me -- nothing's being sent 
anywhere.  The IV would be as secret as the key in either of the above 
scenarios.

One popular algorithm is to use MD5 to make a 128 bit hash of a
password string, then use 64 bits of it as an IV and the other 64
bits of it as a DES key.  So the IV and the key are innately related.
Of course you could use the first and second 64 bits of an SHA1 hash
just as well.  In these cases, the IV can be regenerated from the
password string at decrypt time, as long as it is the same string :-)

I assume that this is the sort of thing that the 
PKCS5_PBKDF2_HMAC_SHA1() function is doing, except that it only seems to 
output a key, not an IV as well.  Am I missing something here?

Is there any function in OpenSSL to generate a key+IV from some given 
data (in my case, the key supplied by the user), or do I have to 
resort to hard-coding an IV or asking the user for that too?

IV is used in cipher block chaining, that is, the output from block
N is used as part of the input for block N+1, and the IV is the
initial shift in at the very beginning:

          clear     clear     clear
         block 1   block 2   block 3
            |         |         |
            v         v         v
         +--+--+   +--+--+   +--+--+
   IV -->| DES +-->| DES +-->| DES +--->
         +--+--+   +--+--+   +--+--+
            |         |         |
            v         v         v
         cipher    cipher    cipher
         block 1   block 2   block 3

You can find a diagram like this in any good book on encryption..
Look under Cipher Block Chaining.  So, given that you are doing
chaining, the IV supplies the startup value for the chain.

Thanks for the info!

- Steve






Re: Problems with SMIME_read_PKCS7()

2004-09-09 Thread Dr. Stephen Henson
On Thu, Sep 09, 2004, Hellan.Kim KHE wrote:

 Using OpenSSL 0.9.7c
 
 I'm trying to parse an S/MIME encoded (signed) PKCS#7, but I simply can't get it to 
 work with SMIME_read_PKCS7().
 I have the data in a memory BIO and I always get the error:
 error:0D06B08E:asn1 encoding routines:ASN1_d2i_bio:not enough data
 
 However, if I flush the data to a file and create a file BIO like:
 BIO* mybio = BIO_new_file("C:\\myfile.p7m", "rb");
 ...and use that BIO instead, everything works fine.
 
 I suspect some problems with the CR/LF characters for the following reasons:
 If I look at the data that I feed to the memory BIO, it only contains LF 
 characters to separate the Base64 lines. This BIO, as mentioned earlier, can not be 
 parsed by SMIME_read_PKCS7().
 But if I write the data to a file, Windows automatically replaces LF with 
 CRLF. This (BIO) file is parsed by SMIME_read_PKCS7() without problems.
 

You need to tell the memory BIO what to do when it runs out of data. By
default it will just signal that it needs more data which can cause problems
with some APIs that cannot retry failed reads.

In this case you need to tell the application that when no more data is
available that EOF has been reached. You do this with
BIO_set_mem_eof_return(). See the BIO_s_mem() manual page for more details.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: Key generation question

2004-09-09 Thread Dr. Stephen Henson
On Thu, Sep 09, 2004, Charles B Cranston wrote:

 Perhaps one way to think of the IV is that it is part of the key.
 That is, the IV and key are used to encrypt, and then the (same) IV
 and the (same) key can decrypt.  It's just that if the IV is sent
 in clear text (included in the structure...) then it is not secret.
 
 One popular algorithm is to use MD5 to make a 128 bit hash of a
 password string, then use 64 bits of it as an IV and the other 64
 bits of it as a DES key.  So the IV and the key are innately related.
 Of course you could use the first and second 64 bits of an SHA1 hash
 just as well.  In these cases, the IV can be regenerated from the
 password string at decrypt time, as long as it is the same string :-)
 

Just using the password hash as a key (this is still used from time to time) is
vulnerable to dictionary or substitution attacks so it isn't recommended.

Its primary weakness is that the same password always produces the same key
and IV.

If part of the plaintext is known (for example it's a fixed or predictable
header) then an attacker can produce a huge dictionary of ciphertexts in
advance based on large numbers of common passwords of this plaintext.

Then when the ciphertext is received the attacker compares it against the
table and, if successful, can rapidly recover the password with a single
dictionary lookup. 

For this reason a salt is used which is a random value which is used along
with the password to derive the key. One simple way is to concatenate the salt
with the password before passing it through a digest algorithm.

This avoids the attack because the salt is generated each time and the
same password will produce different keys. The attacker must not know the
salt in advance: so using a fixed value for the salt is out.

That's pretty much what PKCS#5 v1.0 uses.

Newer applications should really use something like PKCS#5 v2.0 PBES2 which 
is known to be resistant to various attacks.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: Server attack ?

2004-09-09 Thread L Nehring
I get these messages across all of my exposed servers.  People are 
knocking on the door to see if they can get in.  Sometimes it's an 
automated scan to gather data to see who is running what version of 
SSH.  (Ref:  http://www.openssh.org/usage/index.html)

But, I think that the question is better asked on a SSH list about why 
the connection was left open for that long.
http://www.openssh.org/list.html

r,
Lance
www.newparticles.com
Robby wrote:
Hello All,
in my server system log (/var/log/messages) i read:
Sep  7 13:05:39 sshd[18706]: Did not receive identification string from \ 
144.16.93.115
Sep  7 14:01:58 sshd[21432]: Connection closed by 144.16.93.115

Does 144.16.93.115 stand in my server about 1 h?
I use OpenSSL/0.9.6h. Do you think it's time to upgrade?
Thank you in advance.
Robby


Re: Key generation question

2004-09-09 Thread Steve Hay
Dr. Stephen Henson wrote:

On Thu, Sep 09, 2004, Steve Hay wrote:
  

I'm afraid I don't know what password based encryption is, so I don't 
know if this is the right thing to even be trying to do.  It doesn't 
sound like what I wanted...




It is one of various standards which convert a password into a key (and sometimes
an IV). For various reasons it is not advisable to use a password directly as
a key.

The thing that I'm converting into a key+IV is random bytes to start 
with, so I suspect there is virtually no distinction between password 
and key in my case, which could be why I'm getting confused.


  

Alternatively you can get at the guts of the function by using
PKCS5_PBKDF2_HMAC_SHA1(). Then you have to generate your own salt and pass it
to the function along with the password and iteration count.

  

Sounds a little more hopeful.  Where do I get the salt from?  Would 
randomly generating it lead to the same encryption/decryption problem as 
with the IV above?  Would hard-coding something in the source code 
suffice or is that not advisable?

However, PKCS5_PBKDF2_HMAC_SHA1() only seems to generate a key, not an 
IV, but I already have a key -- it's the IV that I want!

It may be worth taking a step back and reconsidering what I'm trying to 
achieve.  I'm just trying to create a program to encrypt (and later 
decrypt) a plain text file.  The user chooses (or more likely randomly 
generates) a key and specifies this as the key to use when *building* 
the program.

I then discovered that the encryption/decryption functions require an IV 
too, but still don't really know what an IV is...

At the moment I'm trying to generate the IV, and also getting a new key, 
from the key that the user has supplied, and I'm getting lost in all 
sorts of things that I don't understand and wasn't expecting to 
encounter -- passwords, IV's, salt, PKCS#5, etc :(




How is the key user supplied? Will they just input some human readable
string or generate a random value in some way?

The key supplied by the user is just random bytes, probably generated 
with openssl rand ... or Perl's built-in rand() function or similar.  
In fact, the user can opt to not specify any key at all, in which case 
the build process for this program will generate one automatically using 
one of those means.

The key is then written into a .h header file and built into the program.


  

Is it necessary/advisable to generate a key+IV in this way, or would it 
in fact suffice to have the user supply the IV too and just use the 
given key+IV?




The IV is an initial value used by some ciphersuites. Unlike the key it is not
sensitive information and can be included along with the message itself.

So you might generate a random IV, write it out to a file, use it to
initialize an encryption context then write out the encrypted data.

At the other end you would read the IV from the file and use that.

Ah, that rings a bell.  I think I've seen other software that writes out 
the IV as the first X bytes of the encrypted data; the decrypt operation 
then reads it back from there.

Is there any harm in having a fixed IV?


A salt is designed to avoid certain attacks on password based encryption.
Specifically if the same password is used multiple times or if the password is
vaguely guessable.

My key isn't going to be guessable, but many files could be encrypted by 
the same program, i.e. all using the same key, so it sounds like I 
should be thinking of my key as a password and generating the real key 
from it using a salt after all.


Again you can generate a random value and prepend that to the data. Using a
fixed value removes the protection a salt provides.

So what's the best way to do it?

At the moment I have roughly this to initialise the EVP_CIPHER_CTX:

EVP_BytesToKey(cipher_func, EVP_md5(), NULL, user_key, KEY_LEN, 1, key, iv)
EVP_CIPHER_CTX_init(ctx)
EVP_CipherInit_ex(ctx, cipher_func, NULL, NULL, NULL, crypt_mode)
EVP_CIPHER_CTX_set_key_length(ctx, KEY_LEN)
EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, crypt_mode)

That's no good because EVP_BytesToKey() doesn't work for variable key 
length ciphers with non-default key lengths (and uses an old PKCS#5 
standard?).

So one solution would be simply to replace EVP_BytesToKey() above with this:

if (encrypting)
  generate random salt
else
  read salt from data
PKCS5_PBKDF2_HMAC_SHA1(user_key, KEY_LEN, salt, saltlen, iter, KEY_LEN, key)

The iv would have to be generated/read from data as per the salt since 
PKCS5_PBKDF2_HMAC_SHA1() doesn't seem to create an IV.  Presumably the 
iter value needs to be treated similarly too to ensure it is the same 
for decryption as for encryption, or can iter safely be hard-coded in 
the program?

Another approach might have been to replace the whole initialisation 
with something like:

EVP_CIPHER_CTX_init(ctx)
if (encrypting)
  generate random salt
else
  read salt from data
pbe2 = PKCS5_pbe2_set(cipher_func, iter, salt, saltlen)
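
The unsalted MD5 scheme and the per-file salt and IV layout discussed in the two "Key generation question" messages above, shown side by side as an added example that is not code from the thread or from OpenSSL. It is written in Python so it runs without linking OpenSSL: hashlib.pbkdf2_hmac("sha1", ...) computes the same PBKDF2-HMAC-SHA1 function as PKCS5_PBKDF2_HMAC_SHA1(), while toy_block (a stand-in cipher), the header layout, the key length and the iteration values are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 8           # 64-bit blocks, as with DES in the thread
SALT_LEN = 8        # random per-file salt
KEY_LEN = 16        # derived key length (assumed)
ITER = 10000        # PBKDF2 iteration count (assumed); stored in the header
MAX_ITER = 1000000  # refuse absurd header values (CPU exhaustion)
HEADER = struct.Struct(">%dsI%ds" % (SALT_LEN, BLOCK))  # salt | iter | IV

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_block(key, block, decrypt=False):
    """4-round Feistel stand-in for DES/AES. Illustration only, not secure."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        if decrypt:
            left, right = _xor(right, _f(key, i, left)), left
        else:
            left, right = right, _xor(left, _f(key, i, right))
    return left + right

def cbc_encrypt(key, iv, data):
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad                  # PKCS#7-style padding
    out, prev = [], iv                          # the IV starts the chain
    for i in range(0, len(data), BLOCK):
        prev = toy_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(toy_block(key, ct[i:i + BLOCK], decrypt=True), prev))
        prev = ct[i:i + BLOCK]
    data = b"".join(out)
    pad = data[-1]
    if not 1 <= pad <= BLOCK:
        raise ValueError("bad padding (wrong key or corrupted data)")
    return data[:-pad]

def md5_split_encrypt(password, plaintext):
    """Scheme from the thread: MD5(password) split into key and IV, no salt."""
    d = hashlib.md5(password).digest()
    return cbc_encrypt(d[:8], d[8:], plaintext)  # which half is which: arbitrary

def encrypt_file(secret, plaintext):
    """Fresh salt and IV per file, both written in clear ahead of the data."""
    salt, iv = os.urandom(SALT_LEN), os.urandom(BLOCK)
    key = hashlib.pbkdf2_hmac("sha1", secret, salt, ITER, KEY_LEN)
    return HEADER.pack(salt, ITER, iv) + cbc_encrypt(key, iv, plaintext)

def decrypt_file(secret, blob):
    body = len(blob) - HEADER.size
    if body < BLOCK or body % BLOCK:
        raise ValueError("truncated or malformed file")
    salt, iterations, iv = HEADER.unpack_from(blob)
    if not 1 <= iterations <= MAX_ITER:
        raise ValueError("iteration count out of range")
    key = hashlib.pbkdf2_hmac("sha1", secret, salt, iterations, KEY_LEN)
    return cbc_decrypt(key, iv, blob[HEADER.size:])

if __name__ == "__main__":
    secret = b"built-in-secret"                 # constructed sample value
    doc = b"HEADER01" + b"first file body"      # constructed, fixed first block
    # Unsalted: identical output every time, so it can be precomputed.
    print(md5_split_encrypt(secret, doc) == md5_split_encrypt(secret, doc))
    a, b = encrypt_file(secret, doc), encrypt_file(secret, doc)
    print(a != b, decrypt_file(secret, a) == decrypt_file(secret, b) == doc)
```

A real file format would also authenticate the header and ciphertext, for example with an HMAC; that is left out here to keep the focus on salt and IV handling.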

Re: problems storing a P12 in base64 format

2004-09-09 Thread Smith Baylor
A PKCS12 object is encrypted with a shared secret.  When I use  the
function i2d_PKCS12_fp() to write to a file, it works, but, when I use
this to store in a BIO and convert this into base64, it does only
2/3rds of it.  Why is this?  Any thoughts or pointers?

Thanks



On Thu, 9 Sep 2004 08:32:36 -0700, Smith Baylor [EMAIL PROTECTED] wrote:
 BIO *mbio, *b64bio, *bio;
 
 mbio = BIO_new(BIO_s_mem());
 b64bio = BIO_new(BIO_f_base64());
 bio = BIO_push(b64bio, mbio);
 int bytes_stored = i2d_PKCS12_bio(bio, p12);
 BIO_flush(mbio2);
 
 BIO_get_mem_data(mbio, (unsigned char *)p12_data_tmp);
 p12_data = (unsigned char*)OPENSSL_malloc(bytes_stored + 1);
 strncpy(p12_data, p12_data_tmp, bytes_stored);
 p12_data[bytes_stored] = '\0';
 
 bytes_stored gives me 4030 bytes, but, when I try to print or save the
 p12_data, I am able to get only 3000 bytes and the program stops.
 What am I doing wrong?
 
 Thanks in advance
 --Smith



A little help please!!!

2004-09-09 Thread Marcos Paraiso
Hi everybody,

I just started studying the OpenSSL library and I already have a problem...
I´m using minGW and the OpenSSL package from http://www.slproweb.com/products/Win32OpenSSL.html
on Windows 2000.
I´m having problems when I try to compile a simple application, like the one below:

#include "openssl/bio.h"
#include "openssl/ssl.h"
#include "openssl/err.h"

int main(){
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
return 1;
}

I get these error messages:

undefined reference to ´SSL_load_error_strings´
undefined reference to ´ERR_load_BIO_strings´
undefined reference to ´OpenSSL_add_all_algorithms´

I´ve been told to use the -llibssl32.a, -llibeay32.a commands, but nothing changed...
I use the following command to compile a file:
gcc -o test test.c
If anyone knows anything about this, P.L.E.A.S.E. help!!!
Thanks!!!

Re: problems storing a P12 in base64 format

2004-09-09 Thread Dr. Stephen Henson
On Thu, Sep 09, 2004, Smith Baylor wrote:

 A PKCS12 object is encrypted with a shared secret.  When I use  the
 function i2d_PKCS12_fp() to write to a file, it works, but, when I use
 this to store in a BIO and convert this into base64, it does only
 2/3rds of it.  Why is this?  Any thoughts or pointers?
 
 Thanks
 
 
 
 On Thu, 9 Sep 2004 08:32:36 -0700, Smith Baylor [EMAIL PROTECTED] wrote:
  BIO *mbio, *b64bio, *bio;
  
  mbio = BIO_new(BIO_s_mem());
  b64bio = BIO_new(BIO_f_base64());
  bio = BIO_push(b64bio, mbio);
  int bytes_stored = i2d_PKCS12_bio(bio, p12);
  BIO_flush(mbio2);
  
  BIO_get_mem_data(mbio, (unsigned char *)p12_data_tmp);
  p12_data = (unsigned char*)OPENSSL_malloc(bytes_stored + 1);
  strncpy(p12_data, p12_data_tmp, bytes_stored);
  p12_data[bytes_stored] = '\0';
  
  bytes_stored gives me 4030 bytes, but, when I try to print or save the
  p12_data, I am able to get only 3000 bytes and the program stops.
  What am I doing wrong?
  

At least one problem is that you need to call BIO_flush() on the BIO chain
(bio in your example above) not the memory BIO.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: A little help please!!!

2004-09-09 Thread Dunceor hmm
compile with:
gcc -o test test.c -lcrypto


- Original Message -
From: Marcos Paraiso [EMAIL PROTECTED]
Date: Thu, 9 Sep 2004 15:25:09 -0300 (ART)
Subject: A little help please!!!
To: [EMAIL PROTECTED]


Hi everybody,
 
I just started studying the OpenSSL library and I already have a problem...
I´m using minGW and the OpenSSL package from
http://www.slproweb.com/products/Win32OpenSSL.html
on Windows 2000.
I´m having problems when I try to compile a simple application, like
the one below:
 


#include "openssl/bio.h"
#include "openssl/ssl.h"
#include "openssl/err.h"

int main(){

SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();

return 1;
}

I get these error messages:

undefined reference to ´SSL_load_error_strings´
undefined reference to ´ERR_load_BIO_strings´
undefined reference to ´OpenSSL_add_all_algorithms´

I´ve been told to use the -llibssl32.a, -llibeay32.a commands, but
nothing changed...

I use the following command to compile a file:

gcc -o test test.c

If anyone knows anything about this, P.L.E.A.S.E. help!!!

Thanks!!!




Re: problems storing a P12 in base64 format

2004-09-09 Thread Smith Baylor
Changed code to:

  bio = BIO_new(BIO_f_base64());
  BIO_push(bio, mbio);
  int bytes_stored = i2d_PKCS12_bio(bio, p12);
  BIO_flush(bio);

No effect still.  I was also searching the archives and found this:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg36055.html
This person was seeing only 9 bytes out of expected 13.  I could not
see a resolution to the above problem and I am led to believe that
my problem could be very similar to his.

Thanks


On Thu, 9 Sep 2004 20:56:20 +0200, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
 
 
 On Thu, Sep 09, 2004, Smith Baylor wrote:
 
  A PKCS12 object is encrypted with a shared secret.  When I use  the
  function i2d_PKCS12_fp() to write to a file, it works, but, when I use
  this to store in a BIO and convert this into base64, it does only
  2/3rds of it.  Why is this?  Any thoughts or pointers?
 
  Thanks
 
 
 
  On Thu, 9 Sep 2004 08:32:36 -0700, Smith Baylor [EMAIL PROTECTED] wrote:
   BIO *mbio, *b64bio, *bio;
  
   mbio = BIO_new(BIO_s_mem());
   b64bio = BIO_new(BIO_f_base64());
   bio = BIO_push(b64bio, mbio);
   int bytes_stored = i2d_PKCS12_bio(bio, p12);
   BIO_flush(mbio2);
  
   BIO_get_mem_data(mbio, (unsigned char *)p12_data_tmp);
   p12_data = (unsigned char*)OPENSSL_malloc(bytes_stored + 1);
   strncpy(p12_data, p12_data_tmp, bytes_stored);
   p12_data[bytes_stored] = '\0';
  
   bytes_stored gives me 4030 bytes, but, when I try to print or save the
   p12_data, I am able to get only 3000 bytes and the program stops.
   What am I doing wrong?
  
 
 At least one problem is that you need to call BIO_flush() on the BIO chain
 (bio in your example above) not the memory BIO.
 
 Steve.
 --
 Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
 OpenSSL project core developer and freelance consultant.
 Funding needed! Details on homepage.
 Homepage: http://www.drh-consultancy.demon.co.uk


Re: A little help please!!!

2004-09-09 Thread Smith Baylor
You may need to include -I /cygdrive/c/openssl/include or something
like that for including the necessary header files.



On Thu, 9 Sep 2004 20:59:23 +0200, Dunceor hmm [EMAIL PROTECTED] wrote:
 compile with:
 gcc -o test test.c -lcrypto
 
 - Original Message -
 From: Marcos Paraiso [EMAIL PROTECTED]
 Date: Thu, 9 Sep 2004 15:25:09 -0300 (ART)
 Subject: A little help please!!!
 To: [EMAIL PROTECTED]
 
 Hi everybody,
 
 I just started studying the OpenSSL library and I already have a problem...
 I´m using minGW and the OpenSSL package from
 http://www.slproweb.com/products/Win32OpenSSL.html
 on Windows 2000.
 I´m having problems when I try to compile a simple application, like
 the one below:
 
 #include "openssl/bio.h"
 #include "openssl/ssl.h"
 #include "openssl/err.h"
 
 int main(){
 
 SSL_load_error_strings();
 ERR_load_BIO_strings();
 OpenSSL_add_all_algorithms();
 
 return 1;
 }
 
 I get these error messages:
 
 undefined reference to ´SSL_load_error_strings´
 undefined reference to ´ERR_load_BIO_strings´
 undefined reference to ´OpenSSL_add_all_algorithms´
 
 I´ve been told to use the -llibssl32.a, -llibeay32.a commands, but
 nothing changed...
 
 I use the following command to compile a file:
 
 gcc -o test test.c
 
 If anyone knows anything about this, P.L.E.A.S.E. help!!!
 
 Thanks!!!
 
 


Re: problems storing a P12 in base64 format

2004-09-09 Thread Dr. Stephen Henson
On Thu, Sep 09, 2004, Smith Baylor wrote:

 Changed code to:
 
   bio = BIO_new(BIO_f_base64());
   BIO_push(bio, mbio);
   int bytes_stored = i2d_PKCS12_bio(bio, p12);
   BIO_flush(bio);
 
 No effect still.  I was also searching the archives and found this:
 http://www.mail-archive.com/[EMAIL PROTECTED]/msg36055.html
 This person was seeing only 9 bytes out of expected 13.  I could not
 see a resolution to the above problem and I am led to believe that
 my problem could be very similar to his.
 

Ah I can see your problem. bytes_stored tells you the number of bytes the
i2d_PKCS12_bio() has written not the amount of data in the memory BIO.

The return value of BIO_get_mem_data() gives that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: A little help please!!!

2004-09-09 Thread Marcos Paraiso

I used the command -- gcc -o test test.c -lcrypto -- and the following message was prompted:
C:\MinGW\bin\..\lib\gcc-lib\mingw32\3.2.3\..\..\..\..\mingw32\bin\ld.exe: cannot find -lcrypto
This is the structure of MinGW on my HD:
C:\MinGW\Bin
C:\MinGW\include
C:\MinGW\lib
C:\MinGW\minGW
C:\MinGW\minGW32
I really don´t have a clue about what should I do...

Re: Reloading the CRL

2004-09-09 Thread Austin Krauss
My app does not have the ability of removing CRLs at runtime, although it
can add new ones. When I've determined that the CRL database needs refreshed
for OpenSSL, I just call X509_STORE_add_crl(cert_store, crl) for all CRLs
(regardless of whether or not they're already added to the X509_STORE) and
treat the error of X509_R_CERT_ALREADY_IN_HASH_TABLE as normal and
recoverable.

Austin

- Original Message - 
From: Ralf Haferkamp [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 09, 2004 9:38 AM
Subject: Reloading the CRL


 Hi,

 I am currently trying to implement CRL checking inside a server. I am now
 facing the problem, that I would like to trigger a reload of the CRL from
 disc if it has been updated, without restarting the server application. How
 can that be done. Is there any possibility to remove a CRL for the X509_STORE,
 and trigger a reload?

 How do others solve this problem?

 -- 
 regards,
 Ralf Haferkamp

 SUSE LINUX AG, Maxfeldstrasse 5, D-90409 Nuernberg
 T: +49-911-74053-0
 F: +49-911-74053575 - [EMAIL PROTECTED]


Re: A little help please!!!

2004-09-09 Thread Lawrence Bowie
try -L/path/to/crypto/lib in front of -lcrypto
LDB
Marcos Paraiso wrote:
I used the command -- gcc -o test test.c -lcrypto -- and the 
following message was prompted:

C:\MinGW\bin\..\lib\gcc-lib\mingw32\3.2.3\..\..\..\..\mingw32\bin\ld.exe: 
cannot find -lcrypto

This is the structure of MinGW on my HD:
C:\MinGW\Bin
C:\MinGW\include
C:\MinGW\lib
C:\MinGW\minGW
C:\MinGW\minGW32
I really don´t have a clue about what should I do...

Dunceor hmm [EMAIL PROTECTED] wrote:
compile with:
gcc -o test test.c -lcrypto
- Original Message -
From: Marcos Paraiso
Date: Thu, 9 Sep 2004 15:25:09 -0300 (ART)
Subject: A little help please!!!
To: [EMAIL PROTECTED]
Hi everybody,
I just started studying the OpenSSL library and I already have a
problem...
I´m using minGW and the OpenSSL package from
http://www.slproweb.com/products/Win32OpenSSL.html
on Windows 2000.
I´m having problems when I try to compile a simple application, like
the one below:

#include "openssl/bio.h"
#include "openssl/ssl.h"
#include "openssl/err.h"
int main(){
SSL_load_error_strings();
ERR_load_BIO_strings();
OpenSSL_add_all_algorithms();
return 1;
}
I get these error messages:
undefined reference to ´SSL_load_error_strings´
undefined reference to ´ERR_load_BIO_strings´
undefined reference to ´OpenSSL_add_all_algorithms´
I´ve been told to use the -llibssl32.a, -llibeay32.a commands, but
nothing changed...
I use the following command to compile a file:
gcc -o test test.c
If anyone knows anything about this, P.L.E.A.S.E. help!!!
Thanks!!!
