Re: Batch mode for ENGINE_load_private_key
Bartek Palak wrote: Hi All, Hello Bartek, Does anybody know how to make function ENGINE_load_private_key working in batch (not interactive) mode? You can implement an own UI_METHOD doesn't ask for the pass phrase. Bye Goetz -- DMCA: The greed of the few outweighs the freedom of the many smime.p7s Description: S/MIME Cryptographic Signature
OpenSSL 0.9.8 and C89 compliance
Hi all! After upgrading to OpenSSL 0.9.8 I received a lot of warnings about 'long long' datatype not supported by C89 (I compile with -ansi). Now I have to compile with -std=c99 instead. I guess this is done intentionally (I mean breaking C89? ) Best Regards Steffen Fiksdal __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
openssl 0.9.8: 3rd level certificates verification problem
I run into invalid CA certificate (X509_V_ERR_INVALID_CA) error when I was trying to verify a third level certificates with OpenSSL 0.9.8. It seems that the code in check_chain_extensions() function in crypto/x509/x509_vfy.c file assumes that either certificate must be directly signed by CA certificate or it must have EXFLAG_PROXY flag (see code around lines 504-520 and must_be_ca flag processing above). Note that second level certificates are verified correctly and the same third level certificates verified just fine with OpenSSL 0.9.6/0.9.7 I would appreciate if someone can check if this is an expected behavior for OpenSSL (and then I will have to find a workaround) or it is a bug (and then I'll be a happy camper waiting for next OpenSSL release). Thank you in advance, Aleksey Sanin __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL 0.9.8 and C89 compliance
Steffen Fiksdal writes: After upgrading to OpenSSL 0.9.8 I received a lot of warnings about 'long long' datatype not supported by C89 (I compile with -ansi). Which files did you get that warning on (I'd be happy to take a look at a build log), and what compiler (including the version)? A small detail: ANSI C is C99 these days (as far as I understand).. I guess this is done intentionally (I mean breaking C89? ) Not really, but it depends a bit on who tested and on what. With compilers that don't complain about 'long long' or that believe ANSI C == C99, you don't get that kind of warning. In other words, it's easy to miss. I'll happily correct this for 0.9.8a if I can. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: openssl 0.9.8: 3rd level certificates verification problem
Aleksey Sanin writes: I run into invalid CA certificate (X509_V_ERR_INVALID_CA) error when I was trying to verify a third level certificates with OpenSSL 0.9.8. It seems that the code in check_chain_extensions() function in crypto/x509/x509_vfy.c file assumes that either certificate must be directly signed by CA certificate or it must have EXFLAG_PROXY flag (see code around lines 504-520 and must_be_ca flag processing above). Note that second level certificates are verified correctly and the same third level certificates verified just fine with OpenSSL 0.9.6/0.9.7 I'm not sure what you mean with second level and third level, so let me explain in my own words. A chain of certificates, from CA you trust to the certificate you hold has to look like one of these: (CAx = CA (number x), EE = End Entitity, PRx = Proxy (number x)) CA1 - ... - CAn - EE CA1 - ... - CAn - EE - PR1 - ... - PRn (you can have only one CA and only one PR) So it's correct that a EE certificate has to be signed by a CA and that any CA has to be signed by a CA (itself or another). It's also correct that a proxy certificate has to be signed by the EE certificate or another proxy certificate. What in all this do you call third level certificate? I'd be happy to look at your chain of certificates if needed. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL 0.9.8 and C89 compliance
Steffen Fiksdal writes: After upgrading to OpenSSL 0.9.8 I received a lot of warnings about 'long long' datatype not supported by C89 (I compile with -ansi). Which files did you get that warning on (I'd be happy to take a look at a build log), and what compiler (including the version)? A small detail: ANSI C is C99 these days (as far as I understand).. I use gcc 3.2.3 on a Linux 2.4 box. In gcc 3.2.3 the -ansi flag means compliance with C89. If this has changed in later gcc's I don't know. I receive: warning: ISO C89 does not support 'long long'. This applies to several header files, among those sha.h: #define SHA_LONG64 unsigned long long I guess this is done intentionally (I mean breaking C89? ) Not really, but it depends a bit on who tested and on what. With compilers that don't complain about 'long long' or that believe ANSI C == C99, you don't get that kind of warning. In other words, it's easy to miss. I'll happily correct this for 0.9.8a if I can.a I don't know is this is wrong, but my compiler says that -ansi is C89 ... Best Regards Steffen Fiksdal __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: openssl 0.9.8: 3rd level certificates verification problem
Thanks for quick response and explanations! You are right, the second certificate in the chain did not have CA ext flag set and 0.9.8 did not like it while 0.9.6/0.9.7 ignore this problem. Very strange that I missed this till now :( Thanks again, Aleksey __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Re[2]: openssl-0.9.8 will not compile on MinGW
Yes this work's Good Bugfix. And how can we inform the maintainers, so that he can correct the build files? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Yaroslavsky Sent: Friday, July 08, 2005 5:19 AM To: Alex Yaroslavsky Subject: Re[2]: openssl-0.9.8 will not compile on MinGW Hello, Alex! AY Then I just ran the rest of the mingw32.bat file You need only this part, not all the bat file. Sorry. AY echo Building the libraries AY mingw32-make -f ms/mingw32a.mak AY if errorlevel 1 goto end AY echo Generating the DLLs and input libraries dllwrap --dllname AY libeay32.dll --output-lib out/libeay32.a --def ms/libeay32.def AY out/libcrypto.a -lwsock32 -lgdi32 if errorlevel 1 goto end dllwrap AY --dllname libssl32.dll --output-lib out/libssl32.a --def AY ms/ssleay32.def out/libssl.a out/libeay32.a if errorlevel 1 goto end AY echo Done compiling OpenSSL AY :end -- Bye, Alex. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: openssl 0.9.8: 3rd level certificates verification problem
Aleksey Sanin writes: Thanks for quick response and explanations! You are right, the second certificate in the chain did not have CA ext flag set and 0.9.8 did not like it while 0.9.6/0.9.7 ignore this problem. Yup, it's true, OpenSSL has become tougher on non-compliant CA certificates. - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Problem with AES_cbc_encrypt
Hi, I am a novice user of OpenSSL using openssl 0.9.7. The problem is when I give say 10 bytes of data to AES_cbc_encrypt(with AES_ENCRYPT), I get 16 bytes of encrypted data and when I pass the same 16 bytes of encrypted data to AES_cbc_encrypt(with AES_DECRYPT)I get 16 bytes of decrypted data. How can I determine the actual data decryption length. Please HelpBhupendra K Joshi [EMAIL PROTECTED] wrote: Hello, Can anyone help me with finding the length of encrypted and decrypted data via AES_cbc_encrypt? or else send me some test programs which have used AES_cbc_encrypt. Bhupendra Sell on Yahoo! Auctions - No fees. Bid on great items. Sell on Yahoo! Auctions - No fees. Bid on great items.
Re: Problem with AES_cbc_encrypt
Bhupendra K Joshi writes: The problem is when I give say 10 bytes of data to AES_cbc_encrypt(with AES_ENCRYPT), I get 16 bytes of encrypted data and when I pass the same 16 bytes of encrypted data to AES_cbc_encrypt(with AES_DECRYPT) I get 16 bytes of decrypted data. How can I determine the actual data decryption length. You have to encode the length into the data you encrypt, and after decryption, you have to use that encoded length to determine the length of the decrypted plain text. It might be easier for you to use the EVP API. It will add som padding which also contains length information, so you will get decryped plain text with the length you expect. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re[4]: openssl-0.9.8 will not compile on MinGW
Hello, Frank! FB Yes this work's Good Bugfix. And how can we inform the maintainers, so that FB he can correct the build files? I'm new here, so I don't know how it works. I think what needs to be done is the prerl - asm line added to the bat file (like all other asm creation) and the created asm file added to all the needed places in the perl script that creates the makefile for mingw. Another thing to consider here is that there is another cpu detection file there x86_64cpuid.pl and should be added somehow to the compilation process too (for people that need it). -- Bye, Alex. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Ephemeral keying
Hi, I have some questions on ephemeral keying. 1. In the man page for SSL_CTX_set_tmp_dh_callback the example shows that the same params are used for all connections. Is it safe? 2. I have seen the man page for dhparam. The generators can be 2 or 5. Why only two generators are used? Which one is preferred out of 2 and 5? 3. I have seen some implementations like PostgreSQL hard coding the dh params in case a file generated using dhparam is not available. Is it safe to do it? 4. Will the callback supplied to SSL_CTX_set_tmp_rsa_callback be called for each connection or will it be called only once in the life time of the application? If it is called only once then does it mean the same key is used for all connections? The example in the man page for SSL_CTX_set_tmp_rsa_callback shows that only one time the key is generated. 5. The man page for SSL_CTX_set_tmp_rsa_callback says that we need to seed the PRNG. How do we do that typically? Thanks JB __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Problem with AES_cbc_encrypt
Thank You Richard What I was thinking was to append the length at the start to the plain text and then send it for encryption and while after decryption read the length and only send that much data. Richard Levitte [EMAIL PROTECTED] wrote: Bhupendra K Joshi writes: The problem is when I give say 10 bytes of data to AES_cbc_encrypt(with AES_ENCRYPT), I get 16 bytes of encrypted data and when I pass the same 16 bytes of encrypted data to AES_cbc_encrypt(with AES_DECRYPT) I get 16 bytes of decrypted data. How can I determine the actual data decryption length.You have to encode the length into the data you encrypt, and after decryption, you have to use that encoded length to determine the length of the decrypted plain text. It might be easier for you to use the EVP API. It will add som padding which also contains length information, so you will get decryped plain text with the length you expect. Cheers,Richard -Please consider sponsoring my work on free software.See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED]http://richard.levitte.org/ "When I became a man I put away childish things, includingthe fear of childishness and the desire to be very grown up."-- C.S. Lewis __OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] Discover Yahoo! Use Yahoo! to plan a weekend, have fun online & more. Check it out!
Re: Ephemeral keying
Jagannadha Bhattu wrote: Hi, I have some questions on ephemeral keying. 1. In the man page for SSL_CTX_set_tmp_dh_callback the example shows that the same params are used for all connections. Is it safe? Hardness of (computational) Diffie-Hellman problem does not suffer from using the same group (that is, parameters). Well, unless someone could force parties into using a known-weak group. 2. I have seen the man page for dhparam. The generators can be 2 or 5. Why only two generators are used? Which one is preferred out of 2 and 5? A reasonable requirement here would be computational Diffie-Hellman (CDH) problem is hard enough for the group defined by parameters (modulus and generator). 3. I have seen some implementations like PostgreSQL hard coding the dh params in case a file generated using dhparam is not available. Is it safe to do it? see #1 4. Will the callback supplied to SSL_CTX_set_tmp_rsa_callback be called for each connection or will it be called only once in the life time of the application? If it is called only once then does it mean the same key is used for all connections? The example in the man page for SSL_CTX_set_tmp_rsa_callback shows that only one time the key is generated. 5. The man page for SSL_CTX_set_tmp_rsa_callback says that we need to seed the PRNG. How do we do that typically? Thanks JB __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Certificate for Smart Card Logon
Title: Certificate for Smart Card Logon Hello, I am trying to generate a certificate to be used for Windows Smart Card Logon from my Internal Certificate Server. I know that I need the UPN in the otherName of the SubjectAltName extension. The OID for the UPN is 1.3.6.1.4.1.311.20.2.3. My Certificate Server however will allow me only to provide this extension in the form of a base-64 encoded blob at the time of the certificate request. Can openssl be used to generate just this extension in this format? Thanks, Nabil
SSL_read timeout
Hi there, Is there a way to return form a blocking SSL_read call after a given amount of time, like recv() can? Thanks Alexandre Brizard -- RTFM Yeah, if there was a DECENT manual in the first place. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: openssl 0.9.8: 3rd level certificates verification problem
On Fri, Jul 08, 2005 at 10:52:47AM +0200, Richard Levitte wrote: Aleksey Sanin writes: Thanks for quick response and explanations! You are right, the second certificate in the chain did not have CA ext flag set and 0.9.8 did not like it while 0.9.6/0.9.7 ignore this problem. Yup, it's true, OpenSSL has become tougher on non-compliant CA certificates. Should we call not allowing CA certs with CA:FALSE or a Key Usage that does not include certificate signing less buggy, rather than tougher? -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Loading a PKCS7 SignedData structure with d2i_PKCS7_fp
Thanks once again for the help, Steve. I've gotten beyond the segmentation fault using your suggestions. Now I'm getting the following error on the PKCS7_verify call: error:2106906D:PKCS7 routines:PKCS7_dataInit:unknown digest type Once again, I suspect it's something I'm doing. Given a file pt2.out, which has a DER-encoded SignedData, and a file data.out, which has the detached data whose signature is in the SignedData structure, the following command works: $ openssl smime -verify -inform DER -in pt2.out -content data.out -noverify Verification successful Right now I'm not concerned with verifying the certs, just the signature itself. Here's my code to (I think) do the same thing the openssl command above does, and gives the error I pasted above: main() { int ret; unsigned long err; FILE *fp = fopen(pt2.out,rb); BIO *Out, *In; PKCS7 *p7 = NULL; ERR_load_PKCS7_strings(); ERR_load_X509_strings(); p7 = d2i_PKCS7_fp(fp,NULL); fclose(fp); if (p7==NULL) { printf(NULL pkcs7\n); return -1; } In = BIO_new_file(data.out,rb); Out = BIO_new_file(data2.out,wb); ret = PKCS7_verify(p7,NULL,NULL,In,Out,PKCS7_NOVERIFY); printf(Call returned %d\n,ret); err = ERR_get_error(); printf(%d: %s\n,err,ERR_error_string(err,NULL)); } All I'm trying to do right now is verify the signature, which was created with some crypto hardware on Windows via the CryptoAPI. It's just a proof of concept. Any ideas on why I'm getting the unknown digest type error? Thanks in advance, Fred On 7/7/05, Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Thu, Jul 07, 2005, Fred Anderson wrote: Steve, Thanks for the reply. I was able to verify the signature using openssl smime like you suggested, and the d2i_PKCS7_fp function is returning a non-null value. I'm thinking now that the problem may be in the BIO structures I'm creating and passing to the verify function. Here's what I have: int ret; FILE *fp = fopen(pt2.out,rb); int fd = open(data.out,O_RDONLY); BIO *In, *Out; PKCS7 *p7 = NULL; p7 = d2i_PKCS7_fp(fp,NULL); In = BIO_new_fd(fd,BIO_NOCLOSE); Out = BIO_new(BIO_s_null()); ret = PKCS7_verify(p7,NULL,NULL,In,Out,0); printf(Call returned %d\n,ret); where 'fd' is a file descriptor to a file containing the data (detached) for the signature I wish to verify. As the code stands, the PKCS7_verify is segfaulting. My apologies if this is basic stuff; I'm still a beginner with OpenSSL coding and having a hard time finding docs to explain the usage of the calls and how the calls all tie together. You might find it easier to use: BIO *foo = BIO_new_file(filename, rb); which is a BIO version of fopen. Also you need to include a trusted certificate store which includes the CAs you trust. If you include the flag PKCS7_NOVERIFY it wont try to verify the signers certificates: that's not useful for anything other than debugging because anyone could create a PKCS#7 structure it would then verify as OK. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: openssl 0.9.8: 3rd level certificates verification problem
Victor Duchovni writes: Should we call not allowing CA certs with CA:FALSE or a Key Usage that does not include certificate signing less buggy, rather than tougher? Sure :-). Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: question about ssl
at page 72 in rfc2246 :The following cipher specifications are carryovers from SSL Version 2.0. These are assumed to use RSA for key exchange and authentication. my question was about this note. Mr Tveit, pleas explain more for me about "signature be omitted entirely" in anonymous key exchange, or give me its reference. thank you for your attention.Jostein Tveit [EMAIL PROTECTED] wrote: amineh salehi <[EMAIL PROTECTED]>writes: in the ciphersuites defined for it in "rfc2246"( TLS1.0), there isn't diffi-helman key exchange, why? RFC 2246 specifies many DH key exchange cipher suites. Have alook at page 61. What is the soulotion for vulnerability in anonymous key exchange pointed by Bruce Schneier (analysis of ssl,1996) ?Do you mean "Analysis of the SSL 3.0 protocol" by Wagner andSchneier?If this is the paper you are talking about, you may have an oldversion. The version revised April 15, 1997, states that this wasa typo in the standard, and that the designers intended that thesignature be omitted entirely.-- Jostein Tveit <[EMAIL PROTECTED]>__OpenSSL Project http://www.openssl.orgUse r Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] Sell on Yahoo! Auctions - No fees. Bid on great items.
Marco Klasmeyer is out of the office.
I will be out of the office starting 08.07.2005 and will not return until 25.07.2005. I will respond to your message when I return. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: question about ssl
amineh salehi [EMAIL PROTECTED] writes: at page 72 in rfc2246 :The following cipher specifications are carryovers from SSL Version 2.0. These are assumed to use RSA for key exchange and authentication. my question was about this note. The lines you quoted is at page 66 of RFC2246. DH key exchange is not a part of SSL v2.0. The only defined cipher suites in the SSL v2.0 standard [1] is the ones which are listed as carryovers from SSL Version 2.0 in RFC2246. See Appendix C.4 in the SSL V2.0 standard and Appendix E of RFC2246. Mr Tveit, pleas explain more for me about signature be omitted entirely in anonymous key exchange, or give me its reference. thank you for your attention. The original published paper [2] is different from the revised version [3]. Please read chapter 4.5 of both documents. [1] http://wp.netscape.com/eng/security/SSL_2.html [2] http://www.schneier.com/paper-ssl.pdf [3] http://www.schneier.com/paper-ssl-revised.pdf Regards, -- Jostein Tveit [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl-users] Dynamic engine / smart card support for CSR generation
Bonjour, Hodie post. Non. Iul. MMV est, Robinson, Richard L (Rick) scripsit: I get errors indicating the engine (pkcs11) is not known. This sort of makes sense if the engine was discarded ones the previous command was exited. I have tried various engine IDs but have had not luck. Use the autoconfig feature of OpenSSL. Update your openssl.cnf file, by adding this: - openssl_conf = openssl_init [openssl_init] oid_section = new_oids engine = engine_section [ engine_section ] dynamic = dynamic_section [ dynamic_section ] engine_id = dynamic SO_PATH = /usr/lib/opensc/engine_pkcs11.so ID = pkcs11 LIST_ADD = 1 NO_VCHECK = 1 LOAD = EMPTY - adjust the commands to your specific case, then set the environment variable OPENSSL_CONF to point to this openssl.cnf file, and you'll be able to use 'openssl req' as usual. I don't know how the change of ENGINE id will perform with the rest, but you should now go a little farther. -- Erwann ABALEA [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Protocol Problem
Hi, Im a newbie in OpenSSL. I wrote me a SSLClient and a SSLServer for testing OpenSSL under Window2K. Im using winsockets. My problem is, when I send the SSL Hello message to the server (with SSL_connect) I get an error (SSL_ERROR_SSL). The errorcode says me, thats an protocol error. What is wrong on my code? Client: struct sockaddr_in port; /* server's address information */ bool res = false; m_Sock = (SOCKET)socket (AF_INET, SOCK_STREAM, 0); if (m_Sock 0) return -1; std::string serverIp = 127.0.0.1; int portnum = 16688; //Hier muss noch das Lesen der Konfiguration rein m_SSLMethod = SSLv2_client_method(); m_SSLContext = SSL_CTX_new(m_SSLMethod); port.sin_family = AF_INET; port.sin_addr.S_un.S_addr = inet_addr(serverIp.c_str()); port.sin_port = htons(portnum); memset((port.sin_zero),0,8); if (connect(m_Sock, (struct sockaddr *)port,sizeof(struct sockaddr)) != 0) return -1; //SSL Verbindung aufbauen m_SSLConnection = SSL_new(m_SSLContext); if ( !m_SSLConnection ) { closesocket(m_Sock); return ERR_get_error(); } // if if (SSL_set_fd(m_SSLConnection,m_Sock)) printf(Juhu\n); int err2 = SSL_connect(m_SSLConnection); if ( err2 1) { int err = SSL_get_error(m_SSLConnection,err2); and server: struct sockaddr_in sa_serv; struct sockaddr_in sa_client; bool res = false; unsigned int listen_sd; unsigned int sd; int client_len; char buf [4096]; // Winsock version const int m_iWSVer = 0x0202; WSADATA wsaData; if ( WSAStartup(m_iWSVer,wsaData) ) return WSAGetLastError(); // Initialize SSL SSL_load_error_strings(); SSLeay_add_ssl_algorithms(); listen_sd = (SOCKET)socket (AF_INET, SOCK_STREAM, 0); if (listen_sd 0) return -1; std::string serverIp = 127.0.0.1; int portnum = 16688; //Hier muss noch das Lesen der Konfiguration rein SSL_METHOD* pSSLMethod = SSLv2_server_method(); SSL_CTX* pSSLContext = SSL_CTX_new(pSSLMethod); sa_serv.sin_family = AF_INET; sa_serv.sin_addr.S_un.S_addr = inet_addr(serverIp.c_str()); sa_serv.sin_port = htons(portnum); memset((sa_serv.sin_zero),0,8); if (bind(listen_sd, (struct sockaddr *)sa_serv,sizeof(struct sockaddr)) != 0) { int err = WSAGetLastError(); return -1; } if (listen(listen_sd,5)) return -1; client_len = sizeof(sa_client); sd = accept(listen_sd,(struct sockaddr *)sa_client,client_len); if (sd 0) return -1; //close(listen_sd); //SSL Verbindung aufbauen SSL* pSSLConnection = SSL_new(pSSLContext); if ( !pSSLConnection ) { //closesocket(m_Sock); return ERR_get_error(); } // if if (SSL_set_fd(pSSLConnection,sd)) printf(Juhu\n); //if ( SSL_connect(m_SSLConnection) == -1 ) int err_2 = SSL_accept(pSSLConnection); if (err_2 1) .. Thank you for your help.
Re: Protocol Problem
Check out the openssl s_client and openssl s_server command line tools. These will help you isolate which side might be causing the problem. On Jul 8, 2005, at 9:15 AM, Ertel, Holger wrote: Hi, I’m a newbie in OpenSSL. I wrote me a SSLClient and a SSLServer for testing OpenSSL under Window2K. I’m using winsockets. My problem is, when I send the SSL Hello message to the server (with SSL_connect) I get an error (SSL_ERROR_SSL). The errorcode says me, that’s an protocol error. What is wrong on my code? smime.p7s Description: S/MIME cryptographic signature
enviroment variable
Which are the variable I have to set when I install openssl 0.9.8 on my debian system? And how have I to set them? I can't use the apt because it stops at 0.9.7 version and I need to use the newer one. bye pana __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Trying to build a reduced OpenSSL library on Cygwin/mingw
OK, I found out what the problem was: line endings. I run my Cygwin mounts in binmode, and I used WinZip to extract the .tar.gz, so Makefile.org had \r\n line endings. Apparently, perl (as of v5.8.7, built for cygwin-thread-multi-64int) was seeing the \r\n line endings. This is normal for people like me who have our Cygwin mounts in binmode. In this situation, the Configure script will not remove any entries from the SDIRS variable because the Configure script is searching for a backslash followed by an end-of-line (and it would be seeing a backslash followed by carriage-return followed by end-of-line). I just did a d2u on Makefile.org, and now Configure (and make) work fine. Also, if I had unpacked using gzip/tar instead of WinZip, there wouldn't have been \r\n line endings to begin with. To prevent this problem from happening to other people, I recommend one of the following options (in order of my personal preference): 1) Put a statement in the readme for Windows/Cygwin users that they should unpack with gzip/tar instead of WinZip if they mount in binmode. 2) Have the Configure script open its file explicitly as a text file. I believe this can be done by passing O_TEXT to an open function. 3) Have the Configure script expect an optional \r whenever it's searching for \n (or $). Happy coding! -Steve _ On the road to retirement? Check out MSN Life Events for advice on how to get there! http://lifeevents.msn.com/category.aspx?cid=Retirement __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Certificate for Smart Card Logon
Nabil Ghadiali wrote: Hello, I am trying to generate a certificate to be used for Windows Smart Card Logon from my Internal Certificate Server. I know that I need the UPN in the otherName of the SubjectAltName extension. The OID for the UPN is 1.3.6.1.4.1.311.20.2.3. My Certificate Server however will allow me only to provide this extension in the form of a base-64 encoded blob at the time of the certificate request. Can openssl be used to generate just this extension in this format? should be possible using the openssl asn1parse -genstr ... option (see manpage). Note: you need openssl = 0.9.8 for this. Nils __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Marco Klasmeyer is out of the office.
I will be out of the office starting 08.07.2005 and will not return until 25.07.2005. I will respond to your message when I return. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Apache API and ssl certificates.
Hello, Know anyone how to extract clearly information about certificate of client into C module in apache. For example extract the name of CA that signed the client certificate and use it. Thanks, Fran. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Problem with new OIDs
Hello everybody, I'm new in this list and I have a question, maybe a newbie question for most of the users, but I'm in a big trouble and need help on this matter. This is the problem: I have to add 3 new OIDs to my issued certificates, so I added them in the openssl.cnf config file this way: in the new oids section I have this: direccion = 2.5.4.9 nit = 1.3.6.1.4.1.4710.1.3.2 cedula = 1.3.6.1.4.1.4710.1.3.1 In the policy match section I have this: direccion= optionalcedula= optionalnit = optional In the [ req_distinguished_name ] section I have this: direccion= Direccioncedula= Cedulanit= Nit I guess this is ok, but after issuing my certificate, I'm getting undesired characters in the values of these new OIDs for example, this certificate has the 3 new OIDs I need, when I open the certificate in Windows (the OS we need to use) I get this output in the subject: Número de serie = 9 1.3.6.1.4.1.4710.1.3.2 = 1---The 2 first characters are garbage 1.3.6.1.4.1.4710.1.3.1 = 1---The 2 first characters are garbage STREET = cra 23---The 2 first characters are garbage CN = Prueba 1 cert OU = Internet O = Ubiquando L = Bogota S = Cundinamarca What should I do to avoid these annoying characters in the value of my special OIDs?? Am I doing something wrong when I add the OIDs? In the [ req_distinguished_name ] section I have also done this: direccion= UTF8:Direccioncedula= UTF8:Cedulanit= UTF8:Nit But this doesn't change this strange behaviour. What do you recommend me? is it posiblefor the requests I receive in PEM that contain latin characters like á, ñ, etc. The request are being generated with openssl and the -utf8 option I'm attaching my openssl.cnf file Thanks a lot for any help, Johnny Correo Yahoo!Comprueba qué es nuevo, aquíhttp://correo.yahoo.es openssl.cnf Description: 3327650371-openssl.cnf
RE: [openssl-users] Dynamic engine / smart card support for CSR generation
I am still running into a few problems and am hoping for a little more debugging assistance. I created these entries in my configuration file (certsc.cnf): engine = engine_section [ engine_section ] smartcard = smartcard_engine [ smartcard_engine ] engine_id = smartcard SO_PATH = /usr/lib/opensc/engine_pkcs11.so MODULE_PATH = /usr/lib/pkcs11/opensc-pkcs11.so ID = smartcard LIST_ADD = 1 NO_VCHECK = 1 LOAD = EMPTY And then I made the following OpenSSL call... --- openssl req \ -config $ConfigFile \ -engine smartcard \ -newkey rsa:1024 # -new \ -sha1 \ -key id_45 \ -keyform engine \ -text \ -out certsc.csr --- But received these error message... invalid engine smartcard 6779:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:379:id=smartcard 6779:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:153:filename(libsmartcard.so): libsmartcard.so: cannot open shared object file: No such file or directory 6779:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: 6779:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:365: It seems as if the engine 'smartcard' is not recognized. Any suggestions would be greatly appreciated. Regards, Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erwann ABALEA Sent: Friday, July 08, 2005 9:08 AM To: openssl-users@openssl.org Subject: Re: [openssl-users] Dynamic engine / smart card support for CSR generation Bonjour, Hodie post. Non. Iul. MMV est, Robinson, Richard L (Rick) scripsit: I get errors indicating the engine (pkcs11) is not known. This sort of makes sense if the engine was discarded ones the previous command was exited. I have tried various engine IDs but have had not luck. Use the autoconfig feature of OpenSSL. Update your openssl.cnf file, by adding this: - openssl_conf = openssl_init [openssl_init] oid_section = new_oids engine = engine_section [ engine_section ] dynamic = dynamic_section [ dynamic_section ] engine_id = dynamic SO_PATH = /usr/lib/opensc/engine_pkcs11.so ID = pkcs11 LIST_ADD = 1 NO_VCHECK = 1 LOAD = EMPTY - adjust the commands to your specific case, then set the environment variable OPENSSL_CONF to point to this openssl.cnf file, and you'll be able to use 'openssl req' as usual. I don't know how the change of ENGINE id will perform with the rest, but you should now go a little farther. -- Erwann ABALEA [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Confused! need help
I am trying to install the latest OpenSSl on linux (fedora). what directories should i use for my install? what should be the file paths in openssl.cfg? thanks HS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
How Install HTTPS ?
I made SSL keys by open ssl but i can not use them on my server for runnig HTTPS. Iusing CPanel and my server is linux. help me please. thanks. Sell on Yahoo! Auctions - No fees. Bid on great items.