Re: WG: Apache SSL
On 2004.10.22 at 19:11:23 +0200, Webmaster wrote:
> Greetings,

Try to compile Apache + mod_ssl + openssl yourself? Wrong idea. Debian provides quite useful packages. At least, the libapache-mod-ssl package works for me without any problem. I've not tried apache-ssl, but it should be the same quality.

I think that use of ordinary apache + mod-ssl should be preferred over the apache-ssl package. Better to advise reading the Debian-specific documentation. Typically it is located in /usr/share/doc/package-name/README.Debian

> Subject: Apache SSL
>
> I'm attempting to install Apache-ssl on Debian 3.1 but I can't seem to install a new certificate. I'm following the directions at

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
Re: WG: Apache SSL
On Wed, 27 Oct 2004, Victor B. Wagner wrote:
> At least, the libapache-mod-ssl package works for me without any problem. I've not tried apache-ssl, but it should be the same quality.

The one in Woody has a dysfunctional session cache when used together with client authentication. The client cert makes the encoded session structure too big and it is not stored in the cache.

Arne
Re: WG: Apache SSL
Arne Ansper wrote:
> The one in Woody has a dysfunctional session cache when used together with client authentication. The client cert makes the encoded session structure too big and it is not stored in the cache.

The original query said Debian 3.1 which is Sarge, not Woody.

+Thomas

--
Thomas Anders (thomas.anders at blue-cable.de)
CSR signing
ok so I've generated a CSR and key using...

[EMAIL PROTECTED]:~$ openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..++
..++
e is 65537 (0x10001)
[EMAIL PROTECTED]:~$ openssl req -new -key server.key -out server.csr
[...]

then I did

cat server.key server.csr > rtest.pem

is this right?? then...

/usr/local/ssl/bin/openssl x509 -req -in ./rtest.pem -CA ./cacert.pem -CAkey ./private/cakey.pem -CAserial ./serial -out ./ronanscert.pem

to sign the pem with my own CA root cert. now when I cat ronanscert.pem

-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----

this so far looks good right. now I need the cert for a windows box so I need to pkcs12 it. what is the private key I need to put in the file ronanscert.pem?? is it the one I generated for the server or is it the CA root key??? I'm a bit confused... I know this is gonna be very simple for some of you but I'm still picking this up... any help is much appreciated!

--
Regards
Ronan McGlue
==
Analyst/Programmer
Information Services
Queens University Belfast
BT7 1NN
AW: CSR signing
Why did you concatenate the server.key and the server.csr? Why don't you use the CSR to produce the certificate???

-----Original Message-----
From: Ronan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 27 October 2004 12:28
To: [EMAIL PROTECTED]
Subject: CSR signing

> then I did
>
> cat server.key server.csr > rtest.pem
>
> is this right?? then...
>
> /usr/local/ssl/bin/openssl x509 -req -in ./rtest.pem -CA ./cacert.pem -CAkey ./private/cakey.pem -CAserial ./serial -out ./ronanscert.pem
Re: AW: CSR signing
On Wed, Oct 27, 2004, Ronan wrote:
> [EMAIL PROTECTED] wrote:
> > Why did you concatenate the server.key and the server.csr? Why don't you use the CSR to produce the certificate???
>
> because all the examples in the http://www.openssl.org/docs/apps/x509.html# use .pem files

The CSR is a PEM file anyway so you could use that directly.

> I'm just following the tutorials I can find on the web and the man pages... if I've read them wrong it's cause I'm not 100% sure of what I'm doing. so in place of the pem file could I just use...
>
> /usr/local/ssl/bin/openssl x509 -req -in ./server.csr -CA ./cacert.pem -CAkey ./private/cakey.pem -CAserial ./serial -out ./ronanscert.pem
>
> would this give me what I need???

I'd suggest you use the CA.pl script instead. That should make things much easier.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
AW: AW: CSR signing
As far as I understood, using openssl req... the produced format is PEM, independent of what file extension you use. So normally this should work.

Sorry for this kind of vague information but I didn't use openssl for a while.

Thomas

-----Original Message-----
From: Ronan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 27 October 2004 12:57
To: [EMAIL PROTECTED]
Subject: Re: AW: CSR signing

> so in place of the pem file could I just use...
>
> /usr/local/ssl/bin/openssl x509 -req -in ./server.csr -CA ./cacert.pem -CAkey ./private/cakey.pem -CAserial ./serial -out ./ronanscert.pem
>
> would this give me what I need???
>
> ronan
Re: AW: AW: CSR signing
> As far as I understood, using openssl req... the produced format is PEM, independent of what file extension you use. So normally this should work.
>
> Sorry for this kind of vague information but I didn't use openssl for a while.

OpenSSL indeed does not use the name of a file. -outform der controls the format (and -inform); both default to pem.
compiling openssl-0.9.7e fails under Win32
Hi,

Trying to compile openssl-0.9.7e under the Win32 platform, MS VC++ .NET 2002.

nmake -f ms\ntdll.mak fails with:

cl /Fotmp32dll\n_pkey.obj -Iinc32 -Itmp32dll /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 /Fdout32dll -DOPENSSL_NO_KRB5 -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\asn1\n_pkey.c
n_pkey.c
crypto\asn1\n_pkey.c(96) : error C2370: 'NETSCAPE_ENCRYPTED_PKEY_it' : redefinition; different storage class
crypto\asn1\n_pkey.c(93) : see declaration of 'NETSCAPE_ENCRYPTED_PKEY_it'
crypto\asn1\n_pkey.c(106) : error C2370: 'NETSCAPE_PKEY_it' : redefinition; different storage class
crypto\asn1\n_pkey.c(103) : see declaration of 'NETSCAPE_PKEY_it'
NMAKE : fatal error U1077: 'cl' : return code '0x2'
Stop.

Anyone has a fixed version? I'm able to compile openssl-0.9.7d successfully..

Regards,
Tõnis
Re: AW: CSR signing
> I'd suggest you use the CA.pl script instead. That should make things much easier.

I have a CSR (in PEM format (by default)) and a key. I want to sign the CSR with my domain's root CA. I want then to change it to pkcs12 format. Finally I want to install it onto an Active Directory (win 2000 advanced) machine so I can SSL to the AD.

using the CA.pl and my current key and csr: copy mycsr.csr to newreq.pem and run

# /home/local/ssl/misc/CA.pl -sign
Signed certificate is in newcert.pem

it's not; there is no newcert.pem

is this what I'm after?

/usr/local/ssl/bin/openssl x509 -req -in ./CSR.csr -CA ./cacert.pem -CAkey ./private/cakey.pem -CAserial ./serial -out ./signedcert.pem

well it does output signedcert.pem but it gives me this message

unable to load 'random state'
This means that the random number generator has not been seeded
with much random data.
Consider setting the RANDFILE environment variable to point at a file that
'random' data can be kept in (the file will be overwritten).
Signature ok

I'm in csh atm. Is this a problem...?? help!

--
Regards
Ronan McGlue
==
Analyst/Programmer
Information Services
Queens University Belfast
BT7 1NN
Re: AW: CSR signing
The more randomness you put into the random number generator, the better keys you will get. I've been known to use something as simple as

(df; date) > RANDFILE

the theory being that it is hard to predict the exact amount of free file space on (random date in the past) and that the output of date is always changing, but clearly one could do better.

You might also investigate the possibility of patches to your operating system to implement /dev/random which uses things like Ethernet packet arrival times to generate random numbers. I know there is a patch for Solaris, we are using it. Linux has it built in.

Ronan wrote:
> well it does output signedcert.pem but it gives me this message
>
> unable to load 'random state'
> This means that the random number generator has not been seeded
> with much random data.
> Consider setting the RANDFILE environment variable to point at a file that
> 'random' data can be kept in (the file will be overwritten).
> Signature ok
>
> I'm in csh atm. Is this a problem...?? help!

--
Charles B (Ben) Cranston
mailto:[EMAIL PROTECTED]
http://www.wam.umd.edu/~zben
openssl-0.9.7 MSVCR70 compatibility problem
Hi,

I'm trying to use OpenSSL ver 0.9.7 e/d under Windows XP. I'm using MS VC++ .NET 2002 which links libeay32.dll to the MSVCR70* runtime. I'm using the /MD (multi-threaded DLL) switch.

The problem is that libeay32.dll crashes on certain functions, for example with rsa_sign(). Compiling libeay32.dll with /MDd (debug) gives other failure points like bss_file.c: file_write(BIO*, ) - fwrite.c:fwrite(void*,). Applications are compiled with the same /MD switch.

Anyone using openssl with .NET 2002 successfully? I cannot switch to other VC++ versions because of the Visibroker 6 library.

Regards,
Tõnis
RE: compiling openssl-0.9.7e fails under Win32
Hello,

I use MSVC .NET 2003 and it compiles ok.

Regards
Hendro

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tõnis
Sent: Wednesday, 27 October 2004 20:36
To: [EMAIL PROTECTED]
Subject: compiling openssl-0.9.7e fails under Win32

> Trying to compile openssl-0.9.7e under the Win32 platform, MS VC++ .NET 2002.
>
> nmake -f ms\ntdll.mak fails with:
>
> crypto\asn1\n_pkey.c(96) : error C2370: 'NETSCAPE_ENCRYPTED_PKEY_it' : redefinition; different storage class
> crypto\asn1\n_pkey.c(106) : error C2370: 'NETSCAPE_PKEY_it' : redefinition; different storage class
> NMAKE : fatal error U1077: 'cl' : return code '0x2'
>
> Anyone has a fixed version? I'm able to compile openssl-0.9.7d successfully..
Re: AW: CSR signing
On Wed, Oct 27, 2004, Ronan wrote:
> > I'd suggest you use the CA.pl script instead. That should make things much easier.
>
> I have a CSR (in PEM format (by default)) and a key. I want to sign the CSR with my domain's root CA.

Where is this root CA and key? If it has been created by OpenSSL you can concatenate the key and certificate into a PEM file and supply that when you call CA.pl -newca. If the root CA and key are from some other source and managed by (for example) some Windows CA you are best sending the CSR to that and getting it to sign the result.

> I want then to change it to pkcs12 format.

CA.pl -pkcs12 will do that.

> Finally I want to install it onto an Active Directory (win 2000 advanced) machine so I can SSL to the AD.

Now I can't help with AD..

> using the CA.pl and my current key and csr: copy mycsr.csr to newreq.pem and run
>
> # /home/local/ssl/misc/CA.pl -sign
> Signed certificate is in newcert.pem
>
> it's not; there is no newcert.pem
>
> is this what I'm after?

Did it come up with any other error message before that?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
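The sequence this thread is working through, end to end, as an added example that is not code from Ronan, Steve or the OpenSSL project: a private root CA, a server key and CSR, the x509 -req signing step, a verification of what was issued, and the PKCS#12 export for the Windows box. It assumes an openssl binary on PATH (1.1.1 or later); the file names follow the thread's (cacert.pem, private/cakey.pem, serial, server.key, server.csr, signedcert.pem), while the subjects, the export password and the scratch directory are constructed placeholders. The question Ronan asks is answered in step 5: the key that goes into the PKCS#12 is the server's own key, the only key whose public half matches the certificate; the CA key is never bundled and never leaves the CA.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes an 'openssl' binary on PATH
# (1.1.1 or later). File names follow the thread (cacert.pem, private/cakey.pem,
# serial, server.key, server.csr, signedcert.pem); subjects, the export
# password "changeit" and the scratch directory are constructed placeholders.
set -eu

csr_sign_demo() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found on PATH; nothing to demonstrate" >&2
        return 0
    fi
    work=$(mktemp -d)
    mkdir "$work/private"
    # Older releases print "unable to load 'random state'" when ~/.rnd is
    # missing; RANDFILE only needs to name a writable file. Current releases
    # seed from the operating system RNG and ignore this.
    export RANDFILE="$work/.rnd"

    # 1. Private root CA: key plus self-signed certificate, and the serial
    #    file that -CAserial reads and increments on every signing.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=DemoRootCA \
        -keyout "$work/private/cakey.pem" -out "$work/cacert.pem" 2>/dev/null
    echo 01 > "$work/serial"

    # 2. Server key and CSR. Only the CSR travels to the CA; the key stays put.
    #    (The thread used 1024-bit RSA; 2048 is the current minimum.)
    openssl genrsa -out "$work/server.key" 2048 2>/dev/null
    openssl req -new -key "$work/server.key" -subj /CN=server.example \
        -out "$work/server.csr" 2>/dev/null

    # 3. Sign the CSR directly; no need to concatenate key and CSR first.
    openssl x509 -req -in "$work/server.csr" -CA "$work/cacert.pem" \
        -CAkey "$work/private/cakey.pem" -CAserial "$work/serial" -days 30 \
        -out "$work/signedcert.pem" 2>/dev/null

    # 4. Check that the issued certificate chains to the root just created.
    openssl verify -CAfile "$work/cacert.pem" "$work/signedcert.pem" >/dev/null

    # 5. PKCS#12 for the Windows box: the SERVER key goes in with the server
    #    certificate, and the CA certificate rides along as the chain.
    #    The CA key is never put in a bundle that leaves the CA.
    openssl pkcs12 -export -inkey "$work/server.key" -in "$work/signedcert.pem" \
        -certfile "$work/cacert.pem" -passout pass:changeit -out "$work/server.p12"

    # 6. Prove key and certificate belong together: identical public keys.
    cert_pub=$(openssl x509 -in "$work/signedcert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$work/server.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 1; }

    printf '%s\n' "$work"   # hand the scratch directory back to the caller
}

csr_sign_demo
```

Running it prints the scratch directory holding the artefacts. Step 4 is the check worth keeping in any signing script: it fails when the file passed as -CA is not the CA that actually issued the certificate. Step 6 is the same check from the other side and catches the mistake the thread circles around, pairing the certificate with the wrong private key.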
Re: openssl-0.9.7 MSVCR70 compatibility problem
On Wed, Oct 27, 2004, Tõnis wrote:
> I'm using MS VC++ .NET 2002 which links libeay32.dll to the MSVCR70* runtime. I'm using the /MD (multi-threaded DLL) switch.
>
> The problem is that libeay32.dll crashes on certain functions, for example with rsa_sign(). Compiling libeay32.dll with /MDd (debug) gives other failure points like bss_file.c: file_write(BIO*, ) - fwrite.c:fwrite(void*,). Applications are compiled with the same /MD switch.

Crashing during a BIO operation is the typical symptom of a runtime library mismatch. Are any external libraries you link to compatible with the /MD switch? Have you tried a simple program first to see if that compiles properly?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
[OpenSSL 0.9.7d] SSL_connect() problem on Linux.
Hi,

I wrote a simple https client on *nix systems, and it worked fine on Solaris (including x86) and Linux 2.4.8. Recently I have tested my code on Linux kernel 2.6.8. But some boxes gave me 'time out' while doing SSL_connect(). After I did SSL_get_error(), I found it was SSL_ERROR_SYSCALL. It happened on some sites, not all of the sites.

As I checked Linux boxes running on kernel 2.6.8, I found that some boxes' kernels used POSIX message queues in the kernel configuration, and those were the boxes which gave me the problem.

Is there anybody who has had a similar problem to mine?

David Choi
Re: make install fails on solaris sparc 8 for 0.9.7e
interestingly enough, when I run exactly the same script on a fresh copy of openssl-0.9.7d, it works without a single problem.

On Wed, 27 Oct 2004 18:23:00 -0400, empty body [EMAIL PROTECTED] wrote:
> running the following:
>
> ./config --prefix=$PREFIX --openssldir=$PREFIX --install_prefix=$INSTALL_PREFIX \
> make \
> make test \
> sudo mkdir -p ${INSTALL_PREFIX}${PREFIX} \
> sudo chown root:sys ${INSTALL_PREFIX}${PREFIX} \
> sudo chmod 755 ${INSTALL_PREFIX}${PREFIX} \
> sudo make install
>
> it fails during make install with the following:
>
> making install in crypto/krb5...
> installing fips...
> making install in fips/sha1...
> sh: syntax error at line 2: `;' unexpected
> *** Error code 2
> make: Fatal error: Command failed for target `install'
> Current working directory /xxx/openssl-0.9.7e/fips/sha1
> *** Error code 1
> make: Fatal error: Command failed for target `install'
> Current working directory /xxx/openssl-0.9.7e/fips
> *** Error code 1
> make: Fatal error: Command failed for target `install_sw'
>
> interestingly enough, if I manually go into that Makefile and comment out the offending lines (see below), the same error will happen under fips/dsa, fips/dh, fips/aes, etc.
>
> install:
> 	@if test -n $(EXHEADER); then \
> 	for i in $(EXHEADER) ; \
> 	do \
> 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
> 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
> 	done; \
> 	fi
>
> any ideas? thanks.
Generating ASN1 buffers from PEM key and cert files
Right now I have a .cert and .key pair of files, however I would like to be able to get the ASN1-style buffers so that my C program can call SSL_CTX_use_certificate_ASN1 and SSL_CTX_use_RSAPrivateKey_ASN1.

I have tried to use the output of:

openssl asn1parse -in test.key -out test.key.der
openssl asn1parse -in test.cert -out test.cert.der

But I get the following:

1083804592:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
1083804592:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509
1083804592:error:140AC00D:SSL routines:SSL_CTX_use_certificate_ASN1:ASN1 lib:ssl_rsa.c:556:

Any ideas as to how I can get the ASN1 data so that I can put it in a char buffer?

Thanks,
Alberto

--
Alberto Alonso
Global Gate Systems LLC.
(512) 260-2523
http://www.ggsys.net
Hardware, consulting, collocation, monitoring and remote backups
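A way to produce the DER buffers Alberto is after, as an added example that is not from the thread or the OpenSSL project. It applies the point made earlier on this page (the format is selected by -inform/-outform, not by the file name) using the object-specific x509 and rsa commands rather than asn1parse. It assumes an openssl binary on PATH; test.cert and test.key are stand-ins generated here as a throw-away self-signed pair. The checks confirm that the output is what d2i_X509 behind SSL_CTX_use_certificate_ASN1 expects (a DER SEQUENCE, so the first byte is 0x30, where PEM text starts with '-', the "wrong tag" in the error above) and that the key DER belongs to the certificate.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes an 'openssl' binary on PATH.
# test.cert / test.key stand in for the poster's files and are generated here
# as a throw-away self-signed pair; the scratch directory is a placeholder.
set -eu

pem_to_der_demo() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found on PATH; nothing to demonstrate" >&2
        return 0
    fi
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo \
        -keyout "$work/test.key" -out "$work/test.cert" 2>/dev/null

    # The object-specific commands write DER when told to; the file extension
    # plays no part (-inform/-outform both default to PEM).
    # Certificate DER is what d2i_X509 / SSL_CTX_use_certificate_ASN1 decode.
    openssl x509 -in "$work/test.cert" -outform DER -out "$work/test.cert.der"
    # Key DER: OpenSSL 1.1 writes the PKCS#1 RSAPrivateKey structure here (what
    # SSL_CTX_use_RSAPrivateKey_ASN1 expects); OpenSSL 3 writes PKCS#8 unless
    # -traditional is added, and that form is for SSL_CTX_use_PrivateKey_ASN1.
    openssl rsa -in "$work/test.key" -outform DER -out "$work/test.key.der" 2>/dev/null

    # Check 1: DER of either object starts with 0x30 (SEQUENCE tag); the PEM
    # file starts with 0x2d ('-'), which is the "wrong tag" a DER decoder sees
    # when handed PEM text.
    der_first=$(od -An -tx1 -N1 "$work/test.cert.der" | tr -d ' \n')
    pem_first=$(od -An -tx1 -N1 "$work/test.cert" | tr -d ' \n')
    [ "$der_first" = "30" ] || { echo "certificate DER does not start with SEQUENCE" >&2; return 1; }
    [ "$pem_first" = "2d" ] || { echo "PEM input does not start with '-'" >&2; return 1; }

    # Check 2: the two DER blobs describe the same RSA key (matching modulus),
    # so the pair handed to the C program is consistent.
    cert_mod=$(openssl x509 -inform DER -in "$work/test.cert.der" -noout -modulus)
    key_mod=$(openssl rsa -inform DER -in "$work/test.key.der" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] || { echo "key does not match certificate" >&2; return 1; }

    printf '%s\n' "$work"   # scratch directory with the .der files
}

pem_to_der_demo
```

The bytes of test.cert.der and test.key.der can be read straight into a char buffer and passed, with their lengths, to the two SSL_CTX_use_*_ASN1 calls; the modulus comparison is the quick way to confirm, before touching C code, that the key file really belongs to the certificate file.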