Using OpenSSL with VC++.Net 2003
Title: Using OpenSSL with VC++.Net 2003 I've tried to use libeay32.dll and libeay32.lib in my VC 7.1 project and got this error on startup: --- TestDLL.exe - Ordinal Not Found --- The ordinal 3236 could not be located in the dynamic link library LIBEAY32.dll. --- OK --- Does anyone knows why? Thank you, Milan
Re: Using OpenSSL with VC++.Net 2003
On Fri, Nov 12, 2004, Milan Tomic wrote: > > I've tried to use libeay32.dll and libeay32.lib in my VC 7.1 > project and got this error on startup: > > --- > TestDLL.exe - Ordinal Not Found > --- > The ordinal 3236 could not be located in the dynamic link library > LIBEAY32.dll. > --- > OK > --- > Well this might be a version conflict. That is you've got a version of libeay32.dll somewhere on your system that has been compiled with different options from the one you've linked against. Try dumpbin /exports libeay32.dll and see if 3236 is present. Though that's a bit odd because 3236 is EVP_des_ede3_ecb which should be present in all versions. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Newbie setup
Hello, I am new to the Apache & SSL. I am setting a Fedora Core 2 box, with Apache 2.0 and openssl. Under the HTTP configuration tools, when I enable the SSL, it asked me to enter the path for 4 files: server.key, server.crt, ca.crt, ca-bundle.crt. I searched with Google and found the instructions to creat the first two, .key, and .crt. However, I can't find the instructions to create the ca.crt (Certificate Chain File) and ca-bundle.crt (Certificate Authority File). The configuration utility won't let me leave it blank. Can someone tell me where or how to get those files? Also, how can I setup the HTTP so when the browser point to that folder, only https is allowed? Thanks! Sunny __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Hardware Acclerator for Mod exp calculations
On November 11, 2004 05:32 pm, fiero b wrote: > I am having an API provided by hardwarwe crypto for > public key mod exponent calculations. > Please let me know what is the best way to hook up > this Mod exp routine into the openssl public key > operations so that DH,RSA will make use of the > Hardware Mod exp rather than software Mod exp. Take a look at the "atalla" engine implementation as an example. In CVS snapshots, it's in engines/e_atalla.c, and in 0.9.7 it's in crypto/engine/hw_atalla.c. Cheers, Geoff -- Geoff Thorpe [EMAIL PROTECTED] http://www.geoffthorpe.net/ Greedy Genghis George, Guru of God and Guns. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie setup
ca.crt and ca-bundle.crt contain the CA certs i.e. certs that were used to sign and verify the other certs. The certs of Verising, Twahte etc. You need them in case the client of you server authenticates himself with some cert, so you can verify his cert with those among CA certs. You must have ca-bundle somewhere in /usr/share/ but you need it only if you want clients to authenticate themselves explicitly with the certificates. I personally run my own CA, so I do not need any of those files, but I have setup the directory with hashed references to my CA cert files and CRLs, that are distributed among all my servers. ** Hello, I am new to the Apache & SSL. I am setting a Fedora Core 2 box, with Apache 2.0 and openssl. Under the HTTP configuration tools, when I enable the SSL, it asked me to enter the path for 4 files: server.key, server.crt, ca.crt, ca-bundle.crt. I searched with Google and found the instructions to creat the first two, .key, and .crt. However, I can't find the instructions to create the ca.crt (Certificate Chain File) and ca-bundle.crt (Certificate Authority File). The configuration utility won't let me leave it blank. Can someone tell me where or how to get those files? Also, how can I setup the HTTP so when the browser point to that folder, only https is allowed? Thanks! Sunny __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie setup
Take a look at FAQ www.modssl.org Basically speaking, in order to provide both regular HTTP and HTTPS you must run two virtual servers in your apache that listen different ports 80 and 443 respectively, so, I do not see other way, that setup a redirect (url rewrite) from the HTTP location to HTTPS location. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Can you add to the DN after the certificate request is made?
Ok I can get x509 to accept the extension now, something like this extensions = extend [extend] #basicConstraints = critical,CA:true 1.3.6.1.4.1..1002 = DER:06:09:2B:06:01:04:01:D6:1F:87:6A openssl x509 -in test.crt -text -noout X509v3 extensions: 1.3.6.1.4.1..1002: ..+...j This would be acceptable if I could figure out how to make 1.3.6.1.4.1..1002 = va1=48837774. Give what I've heard and seen so far I don't think what I want to do will work. I'm going back over the documentation again to see what I what I'm missing. Maybe someone can explain why I should expect this to work with out patching openssl? BTW I found this tool which might be useful to the openssl user community http://www.rtner.de/software/oid.html Thanks to the authors of the above code! Peter Gutman Matthias Gärtner Thank you all! --- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote: > On Thu, Nov 11, 2004, Charles Cranston wrote: > > > First of all let me apologize for the red herring > of > > suggesting using command line options. I keep re- > > running into the "man req" section on "-subj" > while > > forgetting that without the private key this is > not > > useful for changing the subject name in a CSR. > > > > If you haven't already stumbled onto this you > might > > want to take a look at the file "openssl.txt" in > > the directory "doc" in the OpenSSL source > distribution. > > Let me quote a section that is not too far from > the top: > > > > The syntax of raw extensions is governed by the > extension code: it can > > for example contain data in multiple sections. > The correct syntax to > > use is defined by the extension code itself: > check out the certificate > > policies extension for an example. > > > > In addition it is also possible to use the word > DER > > to include arbitrary data in any extension. > > > > 1.2.3.4=critical,DER:01:02:03:04 > > 1.2.3.4=DER:01020304 > > > > The value following DER is a hex dump of the DER > > encoding of the extension. Any extension can be > placed > > in this form to override the default behaviour. > > For example: > > > > basicConstraints=critical,DER:00:01:02:03 > > > > WARNING: DER should be used with caution. It is > possible > > to create totally invalid extensions unless care > is taken. > > > > WARNING: I HAVE NEVER TRIED THIS SO I CANNOT SWEAR > THAT IT WILL > > SUCCEED! But the clear implication is that if you > have registered > > the extension object ID you can cause arbitrary > bytes to be placed > > in the extension. In the above 1.2.3.4 would be > the object ID of > > the extension, while 00,01,02 etc are the data. > > > > Clearly this is somewhat more painful even than > Assembly > > Language, but it's what I had to do on my homemade > computer > > that had 512 bytes of memory. An alternative > would be to > > write code to take a saner format for the data you > want to > > put into the extensions, but at least this is an > approach > > that does not require change to the source code. > > > > If you do decide to write code to process your > extension, > > the documentation at the bottom of that file > should be useful. > > It is titled "X509V3 Extension code: programmers > guide". > > > > If there is some showstopper here that I haven't > seen, > > please post so I haven't sent ray down yet another > blind > > alley... > > > > Well technically the stuff you put with DER > shouldn't be arbitrary data. It > should be a well formatted DER structure. Some > applications (not based on > OpenSSL) will reject an extensions (and possibly the > whole certificate) if the > contents are not well formed. > > You can use OpenSSL 0.9.8 to do the encoding for you > with its mini-ASN1 > compiler. Then when its produced the right encoding > it can be place into the > DER option for earlier versions. > > You can also hand code it. Again this isn't as > horrible as it sounds. To > take a simple case the ASN1 OCTET STRING of length > up to 127 bytes is formed > like this: > > 0x04, len, (content). > > So the bytes 1, 2, 3, 4 would be: > > 1.2.3.4=DER:04:04:01:02:03:04 > > That will put this into a certificate extension. > Whether this is of any use > depends on what the OP wants to do with the data > when its there... > > Steve. > -- > Dr Stephen N. Henson. Email, S/MIME and PGP keys: > see homepage > OpenSSL project core developer and freelance > consultant. > Funding needed! Details on homepage. > Homepage: http://www.drh-consultancy.demon.co.uk > __ > OpenSSL Project > http://www.openssl.org > User Support Mailing List > [EMAIL PROTECTED] > Automated List Manager > [EMAIL PROTECTED] > __ Do you Yahoo!? Check out the new Yahoo! Front Page. www.yahoo.com
Re: Can you add to the DN after the certificate request is made?
On Fri, Nov 12, 2004, ray v wrote: > Ok I can get x509 to accept the extension now, > something like this > > extensions = extend > > [extend] > #basicConstraints = critical,CA:true > 1.3.6.1.4.1..1002 = > DER:06:09:2B:06:01:04:01:D6:1F:87:6A > > openssl x509 -in test.crt -text -noout > > X509v3 extensions: > 1.3.6.1.4.1..1002: > ..+...j > > This would be acceptable if I could figure out how to > make 1.3.6.1.4.1..1002 = va1=48837774. Give what > I've heard and seen so far I don't think what I want > to do will work. > > I'm going back over the documentation again to see > what I what I'm missing. Maybe someone can explain why > I should expect this to work with out patching > openssl? > > BTW I found this tool which might be useful to the > openssl user community > For the first bit you need 1.3.6.1.4.1..1002 to be recognized as 'val1'. If you add the OID in openssl.cnf and openssl reads from that file it will work. The second bit you can't directly do because the extension type isn't recogized. If you include the option -certopt ext_parse that will look a bit better. However if you just want some text to appear in a cerfiicate there are easier ways to do it. For exampole there's an old extension called "netscape comment" which you can just place some text into. So if you did: nsComment=val1=something, val2=somethingelse in the extensions section that will appear. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Microsoft PFX format support
I've started to look at this in the archives and it appears the Microsoft PFX format can't be easily manipulated with the existing OpenSSL library functions. As it stands, my attempts to access the data fails at a call to PKCS12_verify_mac() where the same call works for other P12 files. Is there some way of loading a PFX that I'm missing or has anyone already written a routine to deal with the differences in format? The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
No feedback with EVP_aes_256_xxx() functions
dear list, i'm trying to develop a stable aes 256 bit cipher code with the EVP routines. everything works fine, but i dont seem to get feedback when using EVP_aes_256_cbc/cfb/ofb() modes, although i use an IV of 32 bytes. the order of my function callings is as follows: EVP_CIPHER_CTX_init(); EVP_EncryptInit_ex(); EVP_EncryptUpdate(); EVP_EncryptFinal_ex(); the same applies for the decryption routine with the corresponding functions. when the plaintext repeats the ciphertext does too, what really shouldnt be the case with feedback mode. any ideas? thanks a lot best regards Verschicken Sie romantische, coole und witzige Bilder per SMS! Jetzt neu bei WEB.DE FreeMail: http://freemail.web.de/?mc=021193 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Adding custom extensions (x509_extension) to your certificate
Hi all! I'm writting this up to help those that my wish to insert thier own values into the extension section of a certificate for use on internal applications. I do not know yet what the outcome will be when using these extension with main stream compliant applications. In the begining I didn't quite know what to ask being new to openssl. I just new I needed to add three fields and equate each to a value. I needed to do this on a certificate request that my CA didn't generate. I needed my information to appear in the x509 extension of the newly created certificate. --wanted to thank the guys who help me out! Special thanks to Dr. Stephen Henson and Charles Cranston for patiently answer my obviously newbie questions. Thanks for the guidance! Anyways, I was all over the map with my questions, everything from modifying the DN to add my fields, to trying to patch the openssl code. You can't modify the DN if you don't create the key and request yourself. Patching the openssl code won't work because we would have to maintain a special version of openssl for all in house systems. I would be nice if openssl could read OID information from an external database. What follows is how I got it to work for me. So here's my example certificate output ---example - RSA Public Key: (1024 bit) Modulus (1024 bit): 00:ac:5a:a9:d8:a9:bf:2c:71:98:2f:b2:07:3d:18: bc:b5:92:18:2e:ed:1e:89:aa:5a:98:44:a2:9a:21: 34:08:b3:ed:7b:9c:05:bf:eb:19:fe:6d:08:59:aa: 87:7b:d0:f6:b4:88:8d:47:e4:f0:0f:39:ce:bf:7f: df:d9:fc:a2:3e:ac:b5:16:fe:76:e6:0b:99:24:65: 3e:e2:39:fb:15:d4:9a:85:7e:38:a1:de:13:68:03: 08:b2:1c:f5:37:6b:7b:1a:1a:6c:97:58:c9:00:0f: 83:fa:ca:8d:6a:14:c6:60:56:5d:92:be:59:fc:fc: a6:7a:9a:d1:b7:a2:24:be:89 Exponent: 65537 (0x10001) X509v3 extensions:<--- x509 ext 1.3.6.1.4.1..1002: <--my OID user_id=test <--my field + val - --extfile extensions = extend [extend] 1.3.6.1.4.1.11039.1002 = DER::70:72:6F:76:69:xx:xx:xx:xx:xx:xx:xx:xx:65:73:74:0A openssl command I used... openssl x509 -req -extfile extfile -days 180 -CA certs/ca.crt -CAkey private/ca.key -CAcreateserial -in test.csr -out test.crt Here's the tool I used to convert my DER: section into HEX http://sec.angrypacket.com/code/hex0r.pl thanks [EMAIL PROTECTED] Hopefully this helps someone! thanks again to the group! cheers! __ Do you Yahoo!? Check out the new Yahoo! Front Page. www.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
3DES output
The documentation for 3DES (specifically DES_ede3_cbc_encrypt) doesn't talk about unusual data lengths. I found that, with some lengths (4 is a simple example) the function writes more data out than the length specifies. 1218 also gave me problems. Is there any documentation on what "safe" lengths are, where the function will never write past the end of the buffer? Intuitively, I'd guess 8 byte chunks. But is there anything more official? -- Ken Goldman [EMAIL PROTECTED] 914-784-7646 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie setup
Thanks for the reply. I check the /usr/share/ but I can't find the ca.crt or ca-bundle.crt. I did find a ca.1ssl.gz file. If I can't find it, can you please tell me how to create my own CA? Thanks! On Fri, 12 Nov 2004 22:22:30 +0300, Nikolas Mirin <[EMAIL PROTECTED]> wrote: > ca.crt and ca-bundle.crt contain the CA certs i.e. certs that were > used to sign and verify the other certs. The certs of Verising, Twahte etc. > You need them in case the client of you server authenticates himself with > some cert, > so you can verify his cert with those among CA certs. > > You must have ca-bundle somewhere in /usr/share/ > but you need it only if you want clients to authenticate themselves > explicitly with > the certificates. > > I personally run my own CA, so I do not need any of those files, but I have > setup the directory with hashed references to my CA cert files and CRLs, that > are distributed among all my servers. > > ** > > > Hello, > > I am new to the Apache & SSL. I am setting a Fedora Core 2 box, with > Apache 2.0 and openssl. Under the HTTP configuration tools, when I > enable the SSL, it asked me to enter the path for 4 files: server.key, > server.crt, ca.crt, ca-bundle.crt. > > I searched with Google and found the instructions to creat the first > two, .key, and .crt. However, I can't find > the instructions to create the ca.crt (Certificate Chain File) and > ca-bundle.crt (Certificate Authority File). The configuration utility > won't let me leave it blank. > > Can someone tell me where or how to get those files? > > Also, how can I setup the HTTP so when the browser point to that > folder, only https is allowed? > > Thanks! > > Sunny > > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] > __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Solaris make install problems with 0.9.7.e
I also had a problem with installing fips/des; the Makefile in des had a space after the \ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Microsoft PFX format support
On Fri, Nov 12, 2004, Bibbs, Christopher wrote: > I've started to look at this in the archives and it appears the Microsoft > PFX format can't be easily manipulated with the existing OpenSSL library > functions. As it stands, my attempts to access the data fails at a call to > PKCS12_verify_mac() where the same call works for other P12 files. > > Is there some way of loading a PFX that I'm missing or has anyone already > written a routine to deal with the differences in format? > The formats are compatible: the only difference is the file extension. If you are getting mac verify errors then it could be that the password is wrong or the file has been corrupted somehow. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Doubt regarding cert-chain validation
Hi all, I hava a doubt regarding X509_verify_cert. What I understand from the documentation of "verify" is that we need to pass all the trusted certs and all the un-trusted certs. X509_verify_cert will construct the cert chain upto the ROOT CA and then validates the chain and finally verify the self-certificate. What I understand is that this function expects the ROOT CA to be self-signed and it MUST be present in the trusted list. My specific question is.. 1. Is it MUST that the Root CA be self-signed. The reason is that the trust anchor up to which the application MAY verify need not be the ROOT CA. Is there any standard that indicates that the chain MUST be verified up to the ROOT CA. Is there any way where I can indicate the function to return success even if the chain is not complete. Awaiting your valuable responses Regards Suram __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
