Re: connecting to proxy using SSL
I am indeed using the savardd patch (actually an update of the sweeheng patch - your first link). Could one get the error messages I displayed if the proxy I'm trying to use doesn't support SSL (the connect method)? -J On Sun, 12 Dec 2004 15:50:00 +0800, Ng Pheng Siong <[EMAIL PROTECTED]> wrote: > On Sun, Dec 12, 2004 at 02:32:28AM -0500, Justin Miller wrote: > > What I'm trying to do is use stunnel to connect to an HTTPS proxy with > > gaim (which doesn't have native https support). > > First two google hits for "stunnel proxy": > > http://www.stunnel.org/patches/desc/proxy_sweeheng.html > http://www.stunnel.org/patches/desc/connect-proxy_savardd.html > > "Use stunnel through a https proxy that supports the CONNECT protocol." > > Have you looked at these? > > Cheers. > > -- > > > Ng Pheng Siong <[EMAIL PROTECTED]> > > http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog > http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] > __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
CRL question
Hi all ! I don't anderstand how CRL are verified, someone can explain me a little please. CRL are not included in the certificate but a link to the CRL is included in the certificate issuer, no ? If a certificate contains a link, how the pointed CRL is verified ? TIA Frédéric. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: CRL question
CRLs are signed by the CA certificate whose subsidiary certificates are mentioned (or not) in the CRL. So a CRL is verified just like any other signed document. You need any certificates in the chain, which may or may not be supplied along with the CRL, see PKCS#7 format and/or the openssl crl2pkcs7 command at http://www.openssl.org/docs/apps/crl2pkcs7.html In addition you need an independently trusted copy of the root certificate, just like with verifying ANY certificate or signing. PAILLETTE Frédéric wrote: Hi all ! I don't anderstand how CRL are verified, someone can explain me a little please. CRL are not included in the certificate but a link to the CRL is included in the certificate issuer, no ? If a certificate contains a link, how the pointed CRL is verified ? Bonne chance mon ami -- "An Internet-connected Windows machine is tantamount to a toddler carrying a baggie of $100 bills down a city street..." Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Different values when parsing extensions
Hi all. I add the such extension to CSR with config file authorityInfoAccess = CA Issuers;email:[EMAIL PROTECTED] parsing my config file and using X509V3_EXT_REQ_add_confcall but when I have manualy parsed the request with such code ext - authorityInfoAccess extension method = X509V3_EXT_get(ext); p = ext->value->data; if(method->it) ext_str = ASN1_item_d2i(NULL, &p, ext->value->length, ASN1_ITEM_ptr(method->it)); else ext_str = method->d2i(NULL, &p, ext->value->length); if(method->i2v) if(!(nval = method->i2v(method, ext_str, NULL))) { for (j = 0; j < sk_CONF_VALUE_num(nval); j++) { valcnf = sk_CONF_VALUE_value(nval, j); printf("%s:%s\n",valcnf->name,valcnf->value); } } and I've got the next value of this extension: "CA Issuers - email:[EMAIL PROTECTED]" valcnf->name = CA Issuers - email valcnf->value = [EMAIL PROTECTED] but I need that value "CA Issuers;email:[EMAIL PROTECTED]"!The value that I have assumed in config file. By the way, when I copying "CA Issuers - email:[EMAIL PROTECTED]" to config file: authorityInfoAccess = CA Issuers - email:[EMAIL PROTECTED] X509V3_EXT_REQ_add_conf come into obscurity. The same situation with keyUsage, I am writing to config - "keyCertSign", and I've got "Certificate Sign".How to get the same value with that I've pointed in the config file? Any suggestions? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Different values when parsing extensions
On Mon, Dec 13, 2004, Zerg wrote: > Hi all. > I add the such extension to CSR with config file > authorityInfoAccess = CA Issuers;email:[EMAIL PROTECTED] > parsing my config file and > using X509V3_EXT_REQ_add_confcall > > but when I have manualy parsed the request with such code > > ext - authorityInfoAccess extension > method = X509V3_EXT_get(ext); > p = ext->value->data; > if(method->it) ext_str = ASN1_item_d2i(NULL, &p, ext->value->length, > ASN1_ITEM_ptr(method->it)); > else ext_str = method->d2i(NULL, &p, ext->value->length); > if(method->i2v) > if(!(nval = method->i2v(method, ext_str, NULL))) > { > for (j = 0; j < sk_CONF_VALUE_num(nval); j++) > { > valcnf = sk_CONF_VALUE_value(nval, j); > printf("%s:%s\n",valcnf->name,valcnf->value); > } > } > > and I've got the next value of this extension: > "CA Issuers - email:[EMAIL PROTECTED]" > > valcnf->name = CA Issuers - email > valcnf->value = [EMAIL PROTECTED] > > but I need that value "CA Issuers;email:[EMAIL PROTECTED]"!The value that I > have assumed in config file. > By the way, when I copying "CA Issuers - email:[EMAIL PROTECTED]" to config > file: > authorityInfoAccess = CA Issuers - email:[EMAIL PROTECTED] > X509V3_EXT_REQ_add_conf come into obscurity. > The same situation with keyUsage, I am writing to config - > "keyCertSign", and I've got "Certificate Sign".How to get the same value > with that I've pointed in the config file? > Any suggestions? > The textual representation is a human readable version of the encoded extension: in general it isn't the same format as used in the config file (which is less readable and restricted in various ways). What are you trying to do? Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
How to Decrypt RSA signature using public key
I have a RSA signature S (128 byte integer ) and modulus n (also 128 byte integer) I need to calculate ( S**3 ) MOD n All I need is to perform exponent ( S**3 ) and MOD operation on 128 byte integers. I tried the following command: openssl rsautl -in signature.bin -out decrsign.bin -inkey RSAPubkey.pem -pubin -decrypt but got an error A private key is need for this operation Any idea how to decrypt this key ? Andrus. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Different values when parsing extensions
> The textual representation is a human readable version of the encoded > extension: in general it isn't the same format as used in the config file > (which is less readable and restricted in various ways). > > What are you trying to do? The hole task is CA. I have to implement some additional function to PHP that works with openssl. I have function that construct ther CSR, one of arguments is array of extensions in such format (format of config file) "keyUsage"=>"cRLSign,keyCertSign" "basicConstraints"=>"critical,CA:true", "extendedKeyUsage"=>"OCSPSigning,codeSigning", "authorityInfoAccess" =>"caIssuers;email:[EMAIL PROTECTED]", "certificatePolicies"=>"1.3.6.1.4.1.20781.1.1" The CSR can be formed by client and than is transfered to RA.In this moment there have to be the possibility to change the CSR(if it incorrect). After changing, nonsigned CSR(we don't know the private key of client) is resending to CA. To change the CSR require to parse it first, then form the new CSR with mentioned function. I want after parsing the CSR get the associative massive and than pass this massive to function that constructing new CSR. The format of argument-extensions must be corresponding in this two functions. How way can I archieve this? Thank you for help. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How to Decrypt RSA signature using public key
Andrus wrote: I have a RSA signature S (128 byte integer ) and modulus n (also 128 byte integer) I need to calculate ( S**3 ) MOD n All I need is to perform exponent ( S**3 ) and MOD operation on 128 byte integers. I tried the following command: openssl rsautl -in signature.bin -out decrsign.bin -inkey RSAPubkey.pem -pubin -decrypt try "openssl rsautl -verify ..." Cheers, Nils __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Different values when parsing extensions
> To change the CSR require to parse it first, then form the new CSR with > mentioned function. > I want after parsing the CSR get the associative massive and than pass this > massive to function that constructing new CSR. > The format of argument-extensions must be corresponding in this two > functions. > How way can I archieve this? > Thank you for help. Write a little program that uses the libcrypto etc and that outputs the data in the form you need may be an option. If you like to parse some information in xml like the following, I can give you a hint. An example of a csr (without extensions) but the corresponding certs has them. 0 (countryName)2.5.4.6 FR (organizationName)2.5.4.10 EdelWeb (organizationalUnitName)2.5.4.11 Service EdelPKI (commonName)2.5.4.3 Peter SYLVESTER <[EMAIL PROTECTED]> (rsaEncryption)1.2.840.113549.1.1.1 30:81:98:02:81:90:06:85:6a:e4:f6:2e:11:73:b1:5d:4d:e1:6e:6e:af:ba:21:c1:46:9b:c4:fa:26:02:e1:b1:53:a6:dc:18:d6:b9:b6:c2:ec:0a:50:ae:ca:c0:ad:f2:0f:dd:24:ea:fa:9d:61:01:9d:0e:b5:01:9f:24:b1:c1:64:e3:d5:3a:24:fd:f2:84:66:c4:d7:ae:3a:75:57:fc:92:cb:30:14:87:06:53:1a:ee:ff:78:a6:62:fc:27:03:09:a4:66:6d:9d:91:be:ac:bc:23:44:f6:21:3a:36:9b:9f:3f:41:86:10:9b:06:76:b5:93:c1:31:8e:32:eb:0f:1e:ae:1d:05:0b:00:ed:2a:e9:d7:92:31:73:37:e8:cd:76:5d:8c:ac:59:4f:02:03:01:00:01 (sha1WithRSAEncryption)1.2.840.113549.1.1.5 03:60:dc:91:8c:69:fb:b2:f7:1d:1c:8b:38:f0:cf:e3:65:e4:ca:84:c4:c5:5c:f8:b7:a6:e3:12:b2:ad:b8:ff:33:2d:b5:a9:46:6c:2a:cf:cd:43:a8:5e:ce:75:3e:fa:a6:8e:3a:3b:05:29:27:03:92:f5:ee:52:5d:a9:ef:1e:b4:a7:e8:a9:be:9d:48:b8:77:ed:11:71:a9:47:51:1a:bc:d0:24:96:55:7b:7d:7a:f0:11:64:5b:b1:3c:10:8f:ac:43:eb:dd:de:af:3b:5a:a5:97:5a:aa:31:9e:46:de:0b:a2:47:fb:79:c3:58:69:a7:68:56:ed:d7:08:38:77:b8:69:44:d6:5a:c3:b2:13:0b:14:35:a8:75:35:4a:d7 Since this had no extensions, here an output of the generated cert. 2 10971639765603 (sha1WithRSAEncryption)1.2.840.113549.1.1.5 (countryName)2.5.4.6 FR (organizationName)2.5.4.10 EdelWeb (organizationalUnitName)2.5.4.11 Service EdelPKI (commonName)2.5.4.3 EdelPKI EdelWeb PersGEN (Oct 7 15:46:44 2004 GMT)041007154644Z (Dec 16 15:46:44 2006 GMT)061216154644Z (countryName)2.5.4.6 FR (organizationName)2.5.4.10 EdelWeb (organizationalUnitName)2.5.4.11 Service EdelPKI (commonName)2.5.4.3 Peter SYLVESTER <[EMAIL PROTECTED]> (rsaEncryption)1.2.840.113549.1.1.1 30:81:98:02:81:90:06:85:6a:e4:f6:2e:11:73:b1:5d:4d:e1:6e:6e:af:ba:21:c1:46:9b:c4:fa:26:02:e1:b1:53:a6:dc:18:d6:b9:b6:c2:ec:0a:50:ae:ca:c0:ad:f2:0f:dd:24:ea:fa:9d:61:01:9d:0e:b5:01:9f:24:b1:c1:64:e3:d5:3a:24:fd:f2:84:66:c4:d7:ae:3a:75:57:fc:92:cb:30:14:87:06:53:1a:ee:ff:78:a6:62:fc:27:03:09:a4:66:6d:9d:91:be:ac:bc:23:44:f6:21:3a:36:9b:9f:3f:41:86:10:9b:06:76:b5:93:c1:31:8e:32:eb:0f:1e:ae:1d:05:0b:00:ed:2a:e9:d7:92:31:73:37:e8:cd:76:5d:8c:ac:59:4f:02:03:01:00:01 (X509v3 Subject Alternative Name)2.5.29.17 [EMAIL PROTECTED] (countryName)2.5.4.6 FR (organizationName)2.5.4.10 EdelWeb (commonName)2.5.4.3 Peter SYLVESTER (X509v3 Key Usage)2.5.29.15 TRUE e0 (X509v3 Extended Key Usage)2.5.29.37 (E-mail Protection)1.3.6.1.5.5.7.3.4 (TLS Web Client Authentication)1.3.6.1.5.5.7.3.2 (X509v3 CRL Distribution Points)2.5.29.31 http://edelpki.edelweb.fr/crl/EdelPKI-EdelWeb-PersGEN.crl (X509v3 Subject Key Identifier)2.5.29.1
Re: Problem compiling tests for openssl-0.9.7b
Pierre wrote: Pierre wrote: Richard Levitte - VMS Whacker wrote: In message <[EMAIL PROTECTED]> on Fri, 18 Apr 2003 02:42:22 +0200, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> said: pierre42d> >In message <[EMAIL PROTECTED]> on pierre42d> Wed, 16 Apr 2003 07:23:56 +0200, "[EMAIL PROTECTED]" pierre42d> <[EMAIL PROTECTED]> said: pierre42d> > [...] pierre42d> >pierre42d> On my system "rm" is in /usr/local/bin pierre42d> >pierre42d> Why is an absolute path used ? pierre42d> > pierre42d> >Probably to avoid problems with alternate (non-compatible pierre42d> >or outright dangerous) variants of rm, and possibly to pierre42d> >avoid $PATH problems. pierre42d> pierre42d> I understand but it's an attitude a little bit paranoid, pierre42d> isn't it ? :-) Yes it is, and considering that we aren't as precausious in the Makefiles, it does look a bit silly. However, /bin/rm has been in there for quite a while, so I may have missed something... I'll ponder over this. The problem is always there with 0.9.7c . I can make a patch for this if you want. The problem is always there with 0.9.7d . The problem is always there with 0.9.7e. -- Pierre. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: connecting to proxy using SSL
The error messages I posted in my first message were from the 'openssl s_client' command. I suppose I might try setting up a web server/proxy on one of my home machines, and trying it that way. Then I'd have direct access to the proxy itself... something I could control. On Tue, 14 Dec 2004 10:22:52 +0800, Ng Pheng Siong <[EMAIL PROTECTED]> wrote: > On Mon, Dec 13, 2004 at 08:40:25AM -0500, Justin Miller wrote: > > Could one get the error messages I displayed if the proxy I'm trying > > to use doesn't support SSL (the connect method)? > > I suppose you can "telnet your-proxy port-whatever" then type "CONNECT ..." > by hand to see if your proxy supports that protocol. > > Also, you can use "openssl s_client" to talk to your proxy as if it is an > SSL end point and see if it is giving you the same error you're seeing. > > HTH. > > -- > Ng Pheng Siong <[EMAIL PROTECTED]> > > http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog > http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption > __ > OpenSSL Project http://www.openssl.org > User Support Mailing List[EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] > __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Signing OCSP request
Hello All, I wanted to sign the an OCSP request and found out the function OCSP_request_sign What I see from its parameters is that it takes OCSP request object and other parameters and sign the request, what I wanted to know that if I want to sign the OCSP request from CAPI or some other toolkit and then add the signature to OCSP request then what I will have to do. I want to do this as I can manage to sign with smartcard using CAPI any suggestions that if it is easy to go for PKCS#11 based signing with OpenSSL. Regards, Muhammad Aftab Alam __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: connecting to proxy using SSL
On Mon, Dec 13, 2004 at 08:40:25AM -0500, Justin Miller wrote: > Could one get the error messages I displayed if the proxy I'm trying > to use doesn't support SSL (the connect method)? I suppose you can "telnet your-proxy port-whatever" then type "CONNECT ..." by hand to see if your proxy supports that protocol. Also, you can use "openssl s_client" to talk to your proxy as if it is an SSL end point and see if it is giving you the same error you're seeing. HTH. -- Ng Pheng Siong <[EMAIL PROTECTED]> http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog http://www.sqlcrypt.com -+- Database Engine with Transparent AES Encryption __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]