SSL (or alike) over UDP

2005-01-14 Thread Eduardo Pérez 
Do you know if it's possible to use SSL (or some other protocol) over
UDP running totally in user space.

I'd like to prevent TCP disconnects (SSL over TCP has this problem)

I'd also like to use reliable delivery and a stream unreliable delivery
protocol over the same connection-oriented base secure protocol.

It would be like using IPSEC totally in user space but without anything
to do with IP.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Using OpenSSL on unix to manage certs for Windows boxes (CSR's and PKCS12)

2005-01-14 Thread Shaun Lipscombe 
* Bernhard Froehlich wrote:

> Shaun Lipscombe wrote:
> 
> ><>[...]
> >One last question... it's to do with client certificates. If I have two
> >websites, say, and they both require client certificates signed by the
> >CA "ABC. Ltd" there is nothing stopping a client certificate being used
> >for authorization to access both sites even though those two sites may
> >not be aware of each other. Is it up to the webserver to go through the
> >certificate, once its been shown as being valid, and seeing whether
> >access should be granted or is there something I've missed. I created
> >two sites that have a CA "in common" in its acceptable CA list and I can
> >now access both sites with the same certificate. What can I do to avoid
> >such a circumstance?
> 
> You should not mix up the fact "The user has a valid certificate" and 
> "The user has access to something".

Yes this is what I did. Thanks to you and Bernhard Froehlich I have now
got it all clear in my brain :-)

Shaun
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: SSL (or alike) over UDP

2005-01-14 Thread Brad Hards 
On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
> Do you know if it's possible to use SSL (or some other protocol) over
> UDP running totally in user space.
Not possible to use SSL. Some other protocol is potentially possible, but you 
haven't told us what you are trying to accomplish, so it hard to tell what is 
appropriate.

> I'd also like to use reliable delivery and a stream unreliable delivery
> protocol over the same connection-oriented base secure protocol.
To do what?

> It would be like using IPSEC totally in user space but without anything
> to do with IP.
I'm still confused. What security problem are you trying to solve.

Brad


pgpLnmA0Z94YR.pgp
Description: PGP signature

Re: SSL (or alike) over UDP

2005-01-14 Thread [EMAIL PROTECTED] 
Dear all,

There is IETF Internet Draft proposed by E. Rescorla that allows TLS over
UDP
here is the link:
http://www.ietf.org/internet-drafts/draft-rescorla-dtls-02.txt

-Ibrahim

Original Message:
-
From: Brad Hards [EMAIL PROTECTED]
Date: Fri, 14 Jan 2005 21:19:24 +1100
To: openssl-users@openssl.org
Subject: Re: SSL (or alike) over UDP


On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
> Do you know if it's possible to use SSL (or some other protocol) over
> UDP running totally in user space.
Not possible to use SSL. Some other protocol is potentially possible, but
you 
haven't told us what you are trying to accomplish, so it hard to tell what
is 
appropriate.

> I'd also like to use reliable delivery and a stream unreliable delivery
> protocol over the same connection-oriented base secure protocol.
To do what?

> It would be like using IPSEC totally in user space but without anything
> to do with IP.
I'm still confused. What security problem are you trying to solve.

Brad



mail2web - Check your email from the web at
http://mail2web.com/ .


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Using OpenSSL on unix to manage certs for Windows boxes (CSR's and PKCS12)

2005-01-14 Thread Victor B. Wagner 
On 2005.01.13 at 13:55:37 +0100, Dr. Stephen Henson wrote:
> It doesn't. You can do that of course but the preferred technique is the same
> as every other environment: create a private key on the microsoft box, sign a
> request with it, send request to the CA and install the resulting certificate.
> 
> For MSIE you can use Xenroll for that.

Do someone have some example cgi-scripts for minimal CA, which he can share
with others?

Old SSLeay FAQ mentions msie-enroll.tar, but all URL I've found for it
are invalid now.

I think that problem of creating minimal certificate authority for
limited number of clients is common enough, and most people wouldn't
like no install big and complicated products such as OpenCA or pyCA to
do the job, which openssl ca command would do just fine. 

Only thing is to have proper interface with various browsers users use
to access CA.

BTW, it is not clear for me how to create DSA certificates from xenroll.
(really I oo need GOST94 certificates, not DSA)

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Using OpenSSL on unix to manage certs for Windows boxes (CSR's and PKCS12)

2005-01-14 Thread Vsevolod Stakhov 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Victor B. Wagner wrote:
| On 2005.01.13 at 13:55:37 +0100, Dr. Stephen Henson wrote:
|
|>It doesn't. You can do that of course but the preferred technique is
the same
|>as every other environment: create a private key on the microsoft box,
sign a
|>request with it, send request to the CA and install the resulting
certificate.
|>
|>For MSIE you can use Xenroll for that.
| BTW, it is not clear for me how to create DSA certificates from xenroll.
| (really I oo need GOST94 certificates, not DSA)
You can use such kind of script for IE:


VBScript Certificate Enrollment Control Sample






Certificate Enrollment Control Request Sample








AFAIK for GOST certificates you should use OID 1.2.643.2.2.4 for algorithm.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFB59EKhLKMVkIXtlERAgvZAJ9A1T0WDLlSEGdsb2BX3pyjNzQvtQCgk0bS
HDunYdWMXR4ve1GNmpyzAao=
=dRbM
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: The time of the openssl-ciphers is constant?

2005-01-14 Thread Tyler Durden 
The stablishing of the a symmetric key it has in the handshake and I
am calculating the time of the handshake and the time to sent data.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Using OpenSSL on unix to manage certs for Windows boxes (CSR's and PKCS12)

2005-01-14 Thread Victor B. Wagner 
On 2005.01.14 at 17:02:51 +0300, Vsevolod Stakhov wrote:
> |>For MSIE you can use Xenroll for that.
> | BTW, it is not clear for me how to create DSA certificates from xenroll.
> | (really I oo need GOST94 certificates, not DSA)
> 
> You can use such kind of script for IE:

I see that this script does only half of the work - it does send
request, but doesn't get signed certificate and install it into
appropriate store. 

> MsgBox("Creating PKCS #10 " & strDN)
> strReq = Enroll.createPKCS10( strDN, "1.3.6.1.4.1.311.2.1.21")

What this OID means. It seems that it is not OID of algorithm, but
rather OID of CSP or something aloke

> 
> AFAIK for GOST certificates you should use OID 1.2.643.2.2.4 for algorithm.

Things are a bit more complicated than this.  I definitely know that I
need other oid for algorithm. There is more than one implementations of
GOST, which are not compatible and so has distinct OIDS.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Using OpenSSL on unix to manage certs for Windows boxes (CSR's and PKCS12)

2005-01-14 Thread Dr. Stephen Henson 
On Fri, Jan 14, 2005, Victor B. Wagner wrote:

> On 2005.01.14 at 17:02:51 +0300, Vsevolod Stakhov wrote:
> > |>For MSIE you can use Xenroll for that.
> > | BTW, it is not clear for me how to create DSA certificates from xenroll.
> > | (really I oo need GOST94 certificates, not DSA)
> > 
> > You can use such kind of script for IE:
> 
> I see that this script does only half of the work - it does send
> request, but doesn't get signed certificate and install it into
> appropriate store. 
> 
> > MsgBox("Creating PKCS #10 " & strDN)
> > strReq = Enroll.createPKCS10( strDN, "1.3.6.1.4.1.311.2.1.21")
> 
> What this OID means. It seems that it is not OID of algorithm, but
> rather OID of CSP or something aloke
> 

Its just an OID that gets put in an extended key usage extension request IIRC.
Unless you are copying extensions from the request it will be ignored by
OpenSSL.

> > 
> > AFAIK for GOST certificates you should use OID 1.2.643.2.2.4 for algorithm.
> 
> Things are a bit more complicated than this.  I definitely know that I
> need other oid for algorithm. There is more than one implementations of
> GOST, which are not compatible and so has distinct OIDS.
> 

Does a GOST CSP exist?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Using OpenSSL on unix to manage certs for Windows boxes (CSR's and PKCS12)

2005-01-14 Thread Victor B. Wagner 
On 2005.01.14 at 17:38:29 +0100, Dr. Stephen Henson wrote:

> 
> Does a GOST CSP exist?

At least two of them. One is developed by CryptoPro, and other by
CryptoCom. There is third major vendor of certified Russian cryptography
on the market, but I don't know if they have their own CSP
implementation.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: PKCS7_verify and SMIME_write_PKCS7 speed issue

2005-01-14 Thread Dr. Stephen Henson 
On Fri, Jan 07, 2005, Perry L. Jones wrote:

> I have some code that is useing PKCS7_verify and SMIME_write_PKCS7 and 
> on large files these functions are noticable slow.  I have looked 
> through the openssl code and see that these function are only reading 
> and writing from arrays that are only 4096 bytes in size.  I need to 
> speed up these function and would like to know if I can just incress 
> this buffer size of if theres is some other trick to making them faster?
> 
> I am currently using openssl version 0.9.7d
> 

I've noticed that using detached content with a memory BIO and PKCS7_verify
(this will occur with cleartext signed data) has a number of inefficiencies
which can be resolved fairly easily.

I've committed a fix which will appear in the next snapshots.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Using OpenSSL on unix to manage certs for Windows boxes (CSR's and PKCS12)

2005-01-14 Thread Dr. Stephen Henson 
On Fri, Jan 14, 2005, Victor B. Wagner wrote:

> On 2005.01.14 at 17:38:29 +0100, Dr. Stephen Henson wrote:
> 
> > 
> > Does a GOST CSP exist?
> 
> At least two of them. One is developed by CryptoPro, and other by
> CryptoCom. There is third major vendor of certified Russian cryptography
> on the market, but I don't know if they have their own CSP
> implementation.
> 

Then if you want to use it with Xenroll you'll have to at least set the CSP
name in the script. You may need to also set some CSP specific paramaters, if
the particular CSP needs them.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

RE: SSL (or alike) over UDP

2005-01-14 Thread David Schwartz 

> On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
> > Do you know if it's possible to use SSL (or some other protocol) over
> > UDP running totally in user space.

> Not possible to use SSL. Some other protocol is potentially
> possible, but you
> haven't told us what you are trying to accomplish, so it hard to
> tell what is
> appropriate.

It's certainly possible. SSL doesn't care how the bytes get from one 
end to
the other. Any reliable stream protocol will work, including TCP, pipes, or
one implemented over UDP.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: SSL (or alike) over UDP

2005-01-14 Thread Peter 'Luna' Runestig 
On Fri, 14 Jan 2005 21:10 pm, Eduardo Pérez wrote:
> Do you know if it's possible to use SSL (or some other protocol) over
> UDP running totally in user space.

The OpenVPN project  runs OpenSSL over UDP, works
great.

-- 
Peter 'Luna' Runestig (fd. Altberg), Sweden <[EMAIL PROTECTED]>
PGP Key ID: 0xD07BBE13
Fingerprint: 7B5C 1F48 2997 C061 DE4B  42EA CB99 A35C D07B BE13
AOL Instant Messenger Screen name: PRunestig
Yahoo! Messenger profile name: altberg
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

displaying subjectAltName extension unsupported

2005-01-14 Thread Kraemmer Thomas 
Title: displaying subjectAltName extension unsupported






Is there a way to display the subjectAltName:othername extension properly with openssl?



Doing so with either openssl 0.9.7e or the current snapshot only yields an incomplete output.

The contents of the othername extension are not shown but marked as unsupported:


secure# openssl x509 -text -in mscert.cer

---snip---

    X509v3 Subject Alternative Name:

    othername:, email:[EMAIL PROTECTED]

---snip---



thanks,

Thomas Kraemmer

Re: displaying subjectAltName extension unsupported

2005-01-14 Thread Dr. Stephen Henson 
On Sat, Jan 15, 2005, Kraemmer Thomas wrote:

> Is there a way to display the subjectAltName:othername extension
> properly with openssl?
> 
> 
> Doing so with either openssl 0.9.7e or the current snapshot only yields
> an incomplete output.
> The contents of the othername extension are not shown but marked as
> unsupported:
> 
> secure# openssl x509 -text -in mscert.cer
> ---snip---
> X509v3 Subject Alternative Name:
> othername:,
> email:[EMAIL PROTECTED]
> ---snip---
> 

The 'otherName' option can't in general be output because the format of the
extension field 'value' is determined by the 'type-id' OID.

It would be possible (though it doesn't at present) to handle specific OIDs and
display those in an appropriate manner as well as performing some generic
action in other cases: for example printing out string types and ASN1 parsing
the rest.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]