Re: Certificate validation failure, Successful
Richard A. Faulk Jr. wrote: I just tried setting the crl file to DER encoding and specified that files with .crl extensions are application/x-x509-crl. I am still receiving the certificate validation failure error on the Cisco concentrator. Is there anything else that I need to do? Am I doing something wrong? You are referring to the VPN-3000 series aren't you? And running a 1 year old release? It works for us... Jason PS: use curl -i http://site/file.crl | more to view what the cert really looks like. It should be Content-type: application/x-x509-crl and the contents should be binary. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
how to create a cacert.pem that is not self signed
hello i am trying to set up my own CA i used CA.pl -newca but if i try to verify cacert.pem i have an error self signed certificate How do i make a not self signed certificate ? thank you __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
certificate request like RFC1421
Hi, how can I create a certificate request with openssl like this? Is there an easy way? -BEGIN PRIVACY-ENHANCED MESSAGE- Proc-Type: 4,MIC-ONLY Content-Domain: RFC822 Originator-Certificate: MIIB8zCCAX0CAQAwDQYJKoZIhvcNAQEEBQAwZjELMAkGA1UEBhMCZGUxEjAQBgNV BAoTCUlUU0cgVEVTVDEWMBQGA1UECxMNREFLLVNjaG5laWRlcjETMBEGA1UECxMK Qk4xMjM0NTY3ODEWMBQGA1UEAxMNREFLLVNjaG5laWRlcjAeFw0wNDExMDIxNjA4 NTBaFw0wNTExMDIxNjA4NTBaMGYxCzAJBgNVBAYTAmRlMRIwEAYDVQQKEwlJVFNH IFRFU1QxFjAUBgNVBAsTDURBSy1TY2huZWlkZXIxEzARBgNVBAsTCkJOMTIzNDU2 NzgxFjAUBgNVBAMTDURBSy1TY2huZWlkZXIweTAKBgRVCAEBAgIDAANrADBoAmEA 77v42P9ysEP0+IAX0Oph0arwi8pLWPNT2IMxeeQu+1A2OfiMEEQ7VJZreildK3jJ SzUxLxXBqCKKg/G2T6wM0i9+py61huu7wYEhd77kq9oAnRW0It13ZmhV7FSo90dx AgMBAAEwDQYJKoZIhvcNAQEEBQADYQCzO+AtGEUgzyyasXSJhbTjt+1Ft0Pt+zWQ 3ANlAns8aG8PC5UJnhSoKtG0XjYRTvoiE5cm6qNxPKNFCmbrW9dWNpULSiJk6KQ0 ChTgQKnWxwhtxgy11HHjW4jwMKAGkRA= MIC-Info: RSA-MD5,RSA, qgjqFz5xrWS/0x68DlXqtsG8rYYONjIlv3nfE0aNZQCAFhzrfa1+zqj8yqxzQIF8 I4FkHWz7PKdt7JNXS3IB186h+wcajYiQAF9UasY3JDBcTvsJW5XI59EHOvC96P8W MDAwMDQ3MTEgICBEQUstU2NobmVpZGVyIA0K -END PRIVACY-ENHANCED MESSAGE- Thank you! Ronald Schneider Germany __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Reverse engineering program protocol under ssl
http://www.rtfm.com/ssldump/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: cacert.pem selfsigned certificate problem
On Wed, Nov 24, 2004, Florin Angelescu wrote: On Tuesday 23 November 2004 16:57, Dr. Stephen Henson wrote: On Tue, Nov 23, 2004, Florin Angelescu wrote: Hello I am trying to set up an ssl acces to ldap following http://www.openldap.org/faq/data/cache/185.html i created my ca and signed the certificates for the server and client but i still get a 'self signed error' i checked and i saw that it was because of cacert.pem which is selfsigned question : how to solve this ??? (do i have to sign the CA certificate by another CA ? and how ? ) thank you very much Firstly I'd suggest you use CA.pl instead of CA.sh which is older. What is giving you the error? If its a client then you'd need to include a command line switch or configuration option telling it to include 'cacert.pem' in its trusted list of CAs. Steve. -- Thank you for answering. The error is given by ldapsearch ( and ldap.conf sldap.conf are well configured). The error is also reported by openssl. self signed certificate in certification chain (the CA certificate) The problem is not that you have a self signed CA it is that the software doesn't trust it. The configuration or command line options should provide a means of specifying a file or directory containing trusted CAs. You should change them to include 'cacert.pem'. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: cacert.pem selfsigned certificate problem
On Wednesday 24 November 2004 11:44, Dr. Stephen Henson wrote: On Wed, Nov 24, 2004, Florin Angelescu wrote: On Tuesday 23 November 2004 16:57, Dr. Stephen Henson wrote: On Tue, Nov 23, 2004, Florin Angelescu wrote: Hello I am trying to set up an ssl acces to ldap following http://www.openldap.org/faq/data/cache/185.html i created my ca and signed the certificates for the server and client but i still get a 'self signed error' i checked and i saw that it was because of cacert.pem which is selfsigned question : how to solve this ??? (do i have to sign the CA certificate by another CA ? and how ? ) thank you very much Firstly I'd suggest you use CA.pl instead of CA.sh which is older. What is giving you the error? If its a client then you'd need to include a command line switch or configuration option telling it to include 'cacert.pem' in its trusted list of CAs. Steve. -- Thank you for answering. The error is given by ldapsearch ( and ldap.conf sldap.conf are well configured). The error is also reported by openssl. self signed certificate in certification chain (the CA certificate) The problem is not that you have a self signed CA it is that the software doesn't trust it. The configuration or command line options should provide a means of specifying a file or directory containing trusted CAs. You should change them to include 'cacert.pem'. Steve. i used CA.pl -newcert i thought it does everything for me here is what i got ldap misc # openssl verify demoCA/cacert.pem demoCA/cacert.pem: /C=BE/ST=BEGLIUM/L=BRUSSELS/O=CAAMI_CA1/OU=CCI/CN=CAAMI_CA1/[EMAIL PROTECTED] error 18 at 0 depth lookup:self signed certificate OK __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: cacert.pem selfsigned certificate problem
On Wed, Nov 24, 2004, Florin Angelescu wrote: On Wednesday 24 November 2004 11:44, Dr. Stephen Henson wrote: On Wed, Nov 24, 2004, Florin Angelescu wrote: On Tuesday 23 November 2004 16:57, Dr. Stephen Henson wrote: On Tue, Nov 23, 2004, Florin Angelescu wrote: Hello I am trying to set up an ssl acces to ldap following http://www.openldap.org/faq/data/cache/185.html i created my ca and signed the certificates for the server and client but i still get a 'self signed error' i checked and i saw that it was because of cacert.pem which is selfsigned question : how to solve this ??? (do i have to sign the CA certificate by another CA ? and how ? ) thank you very much Firstly I'd suggest you use CA.pl instead of CA.sh which is older. What is giving you the error? If its a client then you'd need to include a command line switch or configuration option telling it to include 'cacert.pem' in its trusted list of CAs. Steve. -- Thank you for answering. The error is given by ldapsearch ( and ldap.conf sldap.conf are well configured). The error is also reported by openssl. self signed certificate in certification chain (the CA certificate) The problem is not that you have a self signed CA it is that the software doesn't trust it. The configuration or command line options should provide a means of specifying a file or directory containing trusted CAs. You should change them to include 'cacert.pem'. Steve. i used CA.pl -newcert i thought it does everything for me here is what i got ldap misc # openssl verify demoCA/cacert.pem demoCA/cacert.pem: /C=BE/ST=BEGLIUM/L=BRUSSELS/O=CAAMI_CA1/OU=CCI/CN=CAAMI_CA1/[EMAIL PROTECTED] error 18 at 0 depth lookup:self signed certificate OK If you do: openssl verify -CAfile demoCA/cacert.pem demoCA/cacert.pem or openssl verify -CAfile demoCA/cacert.pem newcert.pem (or whatever the server certificate is called) it should the be OK. If OpenSSL just trusted any certificate created by CA.pl then anyone could create a certificate that your system would trust and that would be a rather large security hole. So you have to tell the OpenSSL applications which CAs they should trust. That's what the -CAfile command line option above is doing. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Reverse engineering program protocol under ssl
From: Peter Sylvester http://www.rtfm.com/ssldump/ Thank you for your reply Peter, Unfortunately I already looked into this, and found that I would need the server keys. All I have is the client application, and a production server that it communicates back to. Thanks again, Kenny -- Outgoing mail is certified Virus Contaminated: [EMAIL PROTECTED](P^)7CC)7$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* Checked by AVG Anti-Virus. Version: 7.0.290 / Virus Database: 265.4.1 - Release Date: 19/11/2004 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Reverse engineering program protocol under ssl
From: Charles B Cranston MacDermid, Kenny wrote: I'm looking to locally reverse engineer a network protocol that's encrypted using ssl. Another method would be to use a man-in-the-middle attack on a third machine, but that machine would need access to the private key of the certificate to be used. Somewhere around I have a generic man-in-the-middle Unix program that I wrote to try to debug some early IMAP problems on the Handspring Visor, but it doesn't have any SSL. I don't actually have access to the server, or the private key it is using. Also I'm guessing the client is smart enough to check the server certificate, so I'm guessing a generic man-in-the-middle is out. Thank you for the reply Charles, Kenny -- Outgoing mail is certified Virus Contaminated: [EMAIL PROTECTED](P^)7CC)7$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* Checked by AVG Anti-Virus. Version: 7.0.290 / Virus Database: 265.4.1 - Release Date: 19/11/2004 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Reverse engineering program protocol under ssl
On Wed, Nov 24, 2004, MacDermid, Kenny wrote: From: Charles B Cranston MacDermid, Kenny wrote: I'm looking to locally reverse engineer a network protocol that's encrypted using ssl. Another method would be to use a man-in-the-middle attack on a third machine, but that machine would need access to the private key of the certificate to be used. Somewhere around I have a generic man-in-the-middle Unix program that I wrote to try to debug some early IMAP problems on the Handspring Visor, but it doesn't have any SSL. I don't actually have access to the server, or the private key it is using. Also I'm guessing the client is smart enough to check the server certificate, so I'm guessing a generic man-in-the-middle is out. I haven't followed this thread too closely. Does the client use OpenSSL? If so you only need to replace the DLL with one that logs the data handled by SSL_read() and SSL_write(). If CryptoAPI is used there are various ways to obtain the unencrypted premaster secret and use that to decrypt the session. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Reverse engineering program protocol under ssl
in openssl/apps/s_client;c you find: if (c_debug) { con-debug=1; BIO_set_callback(sbio,bio_dump_cb); BIO_set_callback_arg(sbio,bio_c_out); } if (c_msg) { SSL_set_msg_callback(con, msg_cb); SSL_set_msg_callback_arg(con, bio_c_out); } This and s_cb.c might help you. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
serializing certificates
Is there a way to force a serial number on a created certificate? I have written an automated job that creates a signing certificate every 7 days but for some reason the serial numbers in the certificates is always 0. Any thoughts? Thank you in advance Michael Weiner signature.asc Description: This is a digitally signed message part
RE: serializing certificates
Sounds to me like you're using openssl req rather than openssl ca Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Michael Weiner Sent: 24 November 2004 14:12 To: [EMAIL PROTECTED] Subject: serializing certificates Is there a way to force a serial number on a created certificate? I have written an automated job that creates a signing certificate every 7 days but for some reason the serial numbers in the certificates is always 0. Any thoughts? Thank you in advance Michael Weiner __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: serializing certificates
In message [EMAIL PROTECTED] on Wed, 24 Nov 2004 09:11:40 -0500, Michael Weiner [EMAIL PROTECTED] said: hunter Is there a way to force a serial number on a created hunter certificate? I have written an automated job that creates a hunter signing certificate every 7 days but for some reason the hunter serial numbers in the certificates is always 0. Any thoughts? What version of OpenSSL, what command are you using? Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: serializing certificates
Seems to me I saw an option to set the serial number from the command line appear in openssl req but it might be recently added (e.g., check to see if the version you are using is too old to have it implemented!). I've been doing the write-even- number-of-hex-digits-to-file since I started, so I guess it could be that -set_serial n was recently added, or recently documented (:-), or that I just missed it first time around. See if -set_serial n works. Michael Weiner wrote: Is there a way to force a serial number on a created certificate? I have written an automated job that creates a signing certificate every 7 days but for some reason the serial numbers in the certificates is always 0. Any thoughts? -- An Internet-connected Windows machine is tantamount to a toddler carrying a baggie of $100 bills down a city street... Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: serializing certificates
On Wed, 2004-11-24 at 15:36 +0100, Richard Levitte - VMS Whacker wrote: In message [EMAIL PROTECTED] on Wed, 24 Nov 2004 09:11:40 -0500, Michael Weiner [EMAIL PROTECTED] said: hunter Is there a way to force a serial number on a created hunter certificate? I have written an automated job that creates a hunter signing certificate every 7 days but for some reason the hunter serial numbers in the certificates is always 0. Any thoughts? What version of OpenSSL, what command are you using? i apologize, that would be *quite* useful to you. I am running openssl-0.9.7a presently and using the following command sequence: 1) openssl genrsa -out key.pem 2048 2) openssl req -new -x509 -key key.pem -out cert.pem -days 7 3) openssl x509 -in cert.pem -inform PEM -out cert.cer -outform DER Thanks again Michael Weiner signature.asc Description: This is a digitally signed message part
Re: serializing certificates
On Wed, 2004-11-24 at 09:53 -0500, Charles B Cranston wrote: Seems to me I saw an option to set the serial number from the command line appear in openssl req but it might be recently added (e.g., check to see if the version you are using is too old to have it implemented!). I've been doing the write-even- number-of-hex-digits-to-file since I started, so I guess it could be that -set_serial n was recently added, or recently documented (:-), or that I just missed it first time around. See if -set_serial n works. man req shows that that *is* a valid option. Thank you Charles! Michael Weiner signature.asc Description: This is a digitally signed message part
Re: Reverse engineering program protocol under ssl
You're quite welcome. I'm sure the journalling-DLL approach would work just as well. Just for information, if you have administrative access to the server and it is based on Windows, you might be able to save the certificate and key as a .pfx file, then use the OpenSSL pkcs12 command to extract the key. If you have the key, you could use a very simple man in the middle program that just passes the data through. It would not know what it is seeing, but later you could postprocess the dump with the known key and decrypt the traffic. Under Unix a man in the middle program can be done one of three ways: A1: forever { if nonblockingread(a) write(b) if nonblockingread(b) write(a) } A2: forever { select(a,b) if (select(hastraffic,a) and select(canwrite,b) {read(a) write(b)} if (select(hastraffic,b) and select(canwrite,a) {read(b) write(a)} } B: fork(another) forever { blockingread(a) write(b) } another: forever { blockingread(b) write(a) } I belive the one I wrote followed pattern A2. If you just copy and journal bytes any of these would work fine. Now, if you want to actually do SSL on the links, so the man in the middle program is getting decrypted data, one of these might be easier given the restrictions of the OpenSSL read and write primitives. I believe there are some difficulties with nonblocking IO. Are there also some difficulties with select? For the fork case, I suspect using different processes is more safe than using different threads. Is the OpenSSL stuff thread-safe? MacDermid, Kenny wrote: From: Charles B Cranston MacDermid, Kenny wrote: I'm looking to locally reverse engineer a network protocol that's encrypted using ssl. Another method would be to use a man-in-the-middle attack on a third machine, but that machine would need access to the private key of the certificate to be used. Somewhere around I have a generic man-in-the-middle Unix program that I wrote to try to debug some early IMAP problems on the Handspring Visor, but it doesn't have any SSL. I don't actually have access to the server, or the private key it is using. Also I'm guessing the client is smart enough to check the server certificate, so I'm guessing a generic man-in-the-middle is out. Thank you for the reply Charles, Kenny -- An Internet-connected Windows machine is tantamount to a toddler carrying a baggie of $100 bills down a city street... Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: serializing certificates
David C. Partridge wrote: Sounds to me like you're using openssl req rather than openssl ca Is there a way to force a serial number on a created certificate? I have written an automated job that creates a signing certificate every 7 days but for some reason the serial numbers in the certificates is always 0. Any thoughts? If this is the case, use the '-set_serial' option. -- Best Regards, Massimiliano Pala --o Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED] Tel.: +39 (0)11 564 7081 http://security.polito.it Fax:+39 178 270 2077 Mobile: +39 (0)347 7222 365 Politecnico di Torino (EuroPKI) Certification Authority Informations: Authority Access Point http://ca.polito.it Authority's Certificate: http://ca.polito.it/ca_cert/en_index.html Certificate Revocation List: http://ca.polito.it/crl02/crl.crl --o smime.p7s Description: S/MIME Cryptographic Signature
RE: Reverse engineering program protocol under ssl
From: MacDermid, Kenny Sent: Wednesday, November 24, 2004 8:33 AM To: [EMAIL PROTECTED] Subject: RE: Reverse engineering program protocol under ssl From: Peter Sylvester http://www.rtfm.com/ssldump/ Thank you for your reply Peter, Unfortunately I already looked into this, and found that I would need the server keys. All I have is the client application, and a production server that it communicates back to. I would assume the client is simply checking that the server certificate matches the hostname and is properly signed by a trusted root. My application performs a man in the middle by first examining known root stores and adding its own CA. The contents of this e-mail are intended for the named addressee only. It contains information that may be confidential. Unless you are the named addressee or an authorized designee, you may not copy or use it, or disclose it to anyone else. If you received it in error please notify us immediately and then destroy it. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problems with SSL_read() - SSL_ERROR_SYSCALL / EOF
On 11/23/04 10:47 PM, Dr. Stephen Henson sat at the `puter and typed: On Tue, Nov 23, 2004, Louis LeBlanc wrote: SNIP Does the connection seem otherwise OK and you just get this error after all data has been transferred? Yes. The connection is established at the socket level - nonblocking initially, then the SSL connection is established. Error checking is *very* thorough in this stage, so I'm pretty sure if it comes through, everything went ok. Once the SSL connection is established, the socket is set back to blocking. Its possible that the system is being impolite and forcibly closing the connection at the socket level. You mean the server? Why would it do this with my client and not any of the browsers I've pointed at it? Once again, this is probably the only system the client can't fetch from. I don't have any trouble fetching from Apache on Linux, Solaris, FreeBSD, Windows, and no trouble fetching from IIS, Zope, or Netscape servers either. Why would IBM Apache (Websphere, I think) be any different? Thank you for the response. If this added info gives you any ideas, I'd love to hear them. Lou -- Louis LeBlanc [EMAIL PROTECTED] Fully Funded Hobbyist, KeySlapper Extrordinaire :) http://www.keyslapper.org ԿԬ Xerox does it again and again and again and ... __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problems with SSL_read() - SSL_ERROR_SYSCALL / EOF
On Wed, Nov 24, 2004, Louis LeBlanc wrote: On 11/23/04 10:47 PM, Dr. Stephen Henson sat at the `puter and typed: On Tue, Nov 23, 2004, Louis LeBlanc wrote: SNIP Does the connection seem otherwise OK and you just get this error after all data has been transferred? Yes. The connection is established at the socket level - nonblocking initially, then the SSL connection is established. Error checking is *very* thorough in this stage, so I'm pretty sure if it comes through, everything went ok. Once the SSL connection is established, the socket is set back to blocking. What I mean was does this error occur just after the inital connection, during the transfer of data or after all data has been transferred? Its possible that the system is being impolite and forcibly closing the connection at the socket level. You mean the server? Why would it do this with my client and not any of the browsers I've pointed at it? If the error occurs after transfer of all data then the browsers might tolerate the impoliteness. Once again, this is probably the only system the client can't fetch from. I don't have any trouble fetching from Apache on Linux, Solaris, FreeBSD, Windows, and no trouble fetching from IIS, Zope, or Netscape servers either. Why would IBM Apache (Websphere, I think) be any different? Thank you for the response. If this added info gives you any ideas, I'd love to hear them. Have you tried connecting using s_client? I suggest you try it with -bugs and possibly also restricting the ciphersuites in use too and possibly the SSL protocols too. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: serializing certificates
On Wed, Nov 24, 2004, Michael Weiner wrote: On Wed, 2004-11-24 at 15:36 +0100, Richard Levitte - VMS Whacker wrote: In message [EMAIL PROTECTED] on Wed, 24 Nov 2004 09:11:40 -0500, Michael Weiner [EMAIL PROTECTED] said: hunter Is there a way to force a serial number on a created hunter certificate? I have written an automated job that creates a hunter signing certificate every 7 days but for some reason the hunter serial numbers in the certificates is always 0. Any thoughts? What version of OpenSSL, what command are you using? i apologize, that would be *quite* useful to you. I am running openssl-0.9.7a presently and using the following command sequence: 1) openssl genrsa -out key.pem 2048 2) openssl req -new -x509 -key key.pem -out cert.pem -days 7 3) openssl x509 -in cert.pem -inform PEM -out cert.cer -outform DER If the certificates have exactly the same details and serial number that may well cause problems because issuer name and serial number must be unique. If you use the latest version of OpenSSL then instead of the 0 serial number (which is frowned upon by some specifications) it will by default use a 64 bit random number. You can still force the serial number to be anything using the -set_serial option. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL and Symbian
Hello! I'm writing you because I would like to know if anyone has compiled OpenSSL for Symbian and, in that case, how I could do it. Regards, Antonio. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Reverse engineering program protocol under ssl
Actually, I'm trying to do this very thing. I had not heard of ssldump and now I'm kicking myself. You should definitely use this ssldump thing. What I was eventually going to do, which you could do also, is find out what address is the call to SSL_verify or whatever that checks the integrity of signed certificates, and replace it with a move $1,%eax or something... you get the point. Or search for certificate like strings in the executable or use something like pedump. (Im assuming this is a windows program, linux programmers don't encrypt their protocols), and then you can pull out the certificate that the client uses to make sure its talking to the right server instead of to, in this case, ssldump. Unfortunately, I'm too far gone to use ssldump, I already have a complete TCP stack and though it annoys me to find out that yes, such a program like I am writing exists, it can't be quite as hardcore can it? Good luck though. - Peter __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Reverse engineering program protocol under ssl
From: Charles B Cranston MacDermid, Kenny wrote: I'm looking to locally reverse engineer a network protocol that's encrypted using ssl. Another method would be to use a man-in-the-middle attack on a third machine, but that machine would need access to the private key of the certificate to be used. Somewhere around I have a generic man-in-the-middle Unix program that I wrote to try to debug some early IMAP problems on the Handspring Visor, but it doesn't have any SSL. I don't actually have access to the server, or the private key it is using. Also I'm guessing the client is smart enough to check the server certificate, so I'm guessing a generic man-in-the-middle is out. If you can't compromise either the client or the server in some way, you cannot decrypt the data. That's the whole point of SSL. You will have to get the data out of the client application directly. DS __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL and Symbian
Maybe could you contact the author of symbssl (symbssl.sf.net) On Wed, Nov 24, 2004 at 06:04:39PM +0100, Antonio Ruiz Martínez wrote: Hello! I'm writing you because I would like to know if anyone has compiled OpenSSL for Symbian and, in that case, how I could do it. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problems with SSL_read() - SSL_ERROR_SYSCALL / EOF
On 11/24/04 05:33 PM, Dr. Stephen Henson sat at the `puter and typed: On Wed, Nov 24, 2004, Louis LeBlanc wrote: On 11/23/04 10:47 PM, Dr. Stephen Henson sat at the `puter and typed: On Tue, Nov 23, 2004, Louis LeBlanc wrote: SNIP Does the connection seem otherwise OK and you just get this error after all data has been transferred? Yes. The connection is established at the socket level - nonblocking initially, then the SSL connection is established. Error checking is *very* thorough in this stage, so I'm pretty sure if it comes through, everything went ok. Once the SSL connection is established, the socket is set back to blocking. What I mean was does this error occur just after the inital connection, during the transfer of data or after all data has been transferred? Oh. Sorry. The problem occurs just after the connection is established and request headers are sent, with the very first call to SSL_read(). It looks to me like my client is trying to read the headers, and gets the EOF. Its possible that the system is being impolite and forcibly closing the connection at the socket level. You mean the server? Why would it do this with my client and not any of the browsers I've pointed at it? If the error occurs after transfer of all data then the browsers might tolerate the impoliteness. Not the case. Perhaps I'm botching something in the request . . . Not sure why it would be bad for just this one server . . . Once again, this is probably the only system the client can't fetch from. I don't have any trouble fetching from Apache on Linux, Solaris, FreeBSD, Windows, and no trouble fetching from IIS, Zope, or Netscape servers either. Why would IBM Apache (Websphere, I think) be any different? Thank you for the response. If this added info gives you any ideas, I'd love to hear them. Have you tried connecting using s_client? I suggest you try it with -bugs and possibly also restricting the ciphersuites in use too and possibly the SSL protocols too. Now that sheds a little light. It comes through fine even without the -bugs parameter, so it looks like my app isn't handling something right. Is there something I can do prior to the SSL_read() to verify that it's set up correctly? In the meantime, I'll run back to the client code and get it to reproduce the behavior with the s_server feature. Perhaps it will be a little more verbose than the server. Thanks a lot! Lou -- Louis LeBlanc [EMAIL PROTECTED] Fully Funded Hobbyist, KeySlapper Extrordinaire :) http://www.keyslapper.org ԿԬ QOTD: I drive my car quietly, for it goes without saying. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
certificate based sign-on
Hello all, I am working with a client and they do not support certificate based sign-on rather they support password authentication using SSH. I installed openSSH and tried connecting and here is what I received as an error: How do I solve this problem while still using an automated file transfer methodology? thank you, as root sftp -v -v -v -v [EMAIL PROTECTED] Connecting to xxx. OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.6l 04 Nov 2003 debug1: Reading configuration data /usr/local/etc/ssh_config debug3: cipher ok: aes128-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcf our,aes192-cbc,aes256-cbc] debug3: cipher ok: 3des-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfou r,aes192-cbc,aes256-cbc] debug3: cipher ok: blowfish-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,ar cfour,aes192-cbc,aes256-cbc] debug3: cipher ok: cast128-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arc four,aes192-cbc,aes256-cbc] debug3: cipher ok: arcfour [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour ,aes192-cbc,aes256-cbc] debug3: cipher ok: aes192-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcf our,aes192-cbc,aes256-cbc] debug3: cipher ok: aes256-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcf our,aes192-cbc,aes256-cbc] debug3: ciphers ok: [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192 -cbc,aes256-cbc] debug2: ssh_connect: needpriv 0 debug1: Connecting to ftp1.anthem.com [162.95.80.193] port 22. debug1: Connection established. debug1: identity file /home/root/.ssh/id.ras_pub type -1 debug3: Not a RSA1 key file /home/root/.ssh/id_rsa. debug2: key_type_from_name: unknown key type '-BEGIN' debug3: key_read: missing keytype debug2: key_type_from_name: unknown key type 'Proc-Type:' debug3: key_read: missing keytype debug2: key_type_from_name: unknown key type 'DEK-Info:' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug2: key_type_from_name: unknown key type '-END' debug3: key_read: missing keytype debug1: identity file /home/root/.ssh/id_rsa type 1 debug1: Remote protocol version 2.0, remote software version VShell_2_1_0_129 VS hell debug1: no match: VShell_2_1_0_129 VShell debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.8p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-gro up1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED] ssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED] ssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group1-sha1,diffie-hellman-group-excha nge-sha1 debug2: kex_parse_kexinit: ssh-dss debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish -cbc,3des-cbc,arcfour debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish -cbc,3des-cbc,arcfour debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server-client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client-server aes128-cbc hmac-md5 none
SSL23_WRITE:ssl handshake failure
Title: Message slapd.conf TLSCertificateFile /etc/openldap/cert.pemTLSCertificateKeyFile /etc/openldap/key.pem ldap.conf TLS_CACERT /etc/openldap/cert.pem command [EMAIL PROTECTED] tameem]# openssl s_client -connect localhost:389 -CAfile /etc/openldap/cert.pem -key /etc/openldap/key.pem -state -debug result CONNECTED(0003)SSL_connect:before/connect initializationswrite to 0816EDF8 [081704A0] (148 bytes = 148 (0x94)) - 80 92 01 03 01 00 69 00-00 00 20 00 00 39 00 00 ..i... ..9..0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..50020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03 ..3..2../...0030 - 00 80 00 00 66 00 00 05-00 00 04 01 00 80 08 00 f...0040 - 80 00 00 63 00 00 62 00-00 61 00 00 15 00 00 12 ...c..b..a..0050 - 00 00 09 06 00 40 00 00-65 00 00 64 00 00 60 00 [EMAIL PROTECTED]..`.0060 - 00 14 00 00 11 00 00 08-00 00 06 04 00 80 00 00 0070 - 03 02 00 80 d6 89 f4 35-6c b0 92 02 27 23 b2 3d ...5l...'#.=0080 - be cb 6f 8b 8c 53 00 5d-da 67 f5 bf 3d 1a 2d c6 ..o..S.].g..=.-.0090 - e6 1e 18 9c SSL_connect:SSLv2/v3 write client hello Aread from 0816EDF8 [08175A00] (7 bytes = 0 (0x0))12531:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.:226: i'm running slapd in 255th debug mode which is listening on 389 port. The Server TLS trace is as follows daemon: activity on 1 descriptorsdaemon: new connection on 9daemon: added 9rdaemon: activity on:daemon: select: listen=6 active_threads=0 tvp=NULLdaemon: activity on 1 descriptorsdaemon: activity on: 9rdaemon: read activity on 9connection_get(9)connection_get(9): got connid=1connection_read(9): checking for input on id=1ber_get_nextldap_read: want=8, got=8 : 80 92 01 03 01 00 69 00 ..i.ber_get_next on fd 9 failed errno=34 (Numerical result out of range)connection_read(9): input error=-2 id=1, closing.connection_closing: readying conn=1 sd=9 for closeconnection_close: conn=1 sd=9daemon: removing 9daemon: select: listen=6 active_threads=0 tvp=NULLdaemon: activity on 1 descriptorsdaemon: select: listen=6 active_threads=0 tvp=NULL can any one please help me proceed? anticipating early help regards thanks Tameem Ahmed Khan (Project Engineer)Wipro Technologies26, Hosur Main Road, Bommanahalli,Bangalore 560068, Karnataka, India.Tel : 91-80-25732296 Extn: 5222 Fax: 91-80-25732696Mob : 0-9886764101mail: [EMAIL PROTECTED]Web : http://www.wipro.com "Sweat more in peace to bleed less in war" Confidentiality Notice The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Wipro or [EMAIL PROTECTED] immediately and destroy all copies of this message and any attachments.