Re: Doubt regarding x509_verify_cert

2005-12-10 Thread Kiyoshi Watanabe
The Bridge CA is a CA (hub) to bridge the two different CAs, so no need to 
have a self-signed certificate for BridgeCA.


If you are a relying party in the Root CA1 domain and if you want to create a 
certificate path, you will probably have:
SelfCert1byRootCA1, CrossCertFromRootCA1toBridgeCA, 
CrossCertFromBridgeCAtoRootCA2, UserCertByRootCA2


- Original Message - 
From: Suram Chandra Sekhar [EMAIL PROTECTED]

To: openssl-users@openssl.org
Sent: Friday, December 09, 2005 10:22 PM
Subject: Doubt regarding x509_verify_cert



Hi,
I have a doubt regarding the x509_verify_cert.

I used openssl to generate two Root CA certificates (Self signed)  say 
Root CA1, Root CA2.  I got two self-certificates say SelfCert1 from Root 
CA1 and SelfCert2 from Root CA2.


In an effort to simulate a bridge CA, one more root CA is generated say 
BridgeCA.  I simulated a cross certification to RootCA1 by BridgeCA (Say 
CCofRootCA1ByBridgeCA with Issuer as BridgeCA, Subject: RootCA1, PubKey of 
RootCA1).


Now I try to verify SelfCert1, CCofRootCA1ByBridgeCA, BridgeCA using 
x509_verify_cert.  This function is throwing an error saying unable to 
find the local issuer cert for SelfCert1.


My question is
1. Is the above scenario correct?
2. If so, why should it fail?
   I expect it to work because the issuer name of SelfCert1(RootCA1) is 
the subject name in CCofRootCA1ByBridgeCA whose IssuerName, BridgeCA is 
the subjectName in BridgeCA which is self-signed.


Awaiting your valuable responses...

Regards
Suram


__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]







Re: Decryption and encryption of packet using openssl command line

2005-12-10 Thread Riaz Farnaz
hmmm... tough to imagine but nobody seems to know it or it might be too simple.

On 12/9/05, Riaz Farnaz [EMAIL PROTECTED] wrote:

Hi,

I have a query about how to use the openssl command line to decrypt and encrypt my packet. Below is an ipsec encrypted packet which I decrypt and print on the console. When I try to do the same with the openssl command line it gives a different value.

Before decryption (below is a complete packet which I have split for understandability)

START: 4500 0060 9f80 4000 8032 d65e c0a8 01a2 [EMAIL PROTECTED]
0010: c0a8 019a --- IP Packet
9e40 cf04  0002 --- SPI and Sequence number
9971 4c73 [EMAIL PROTECTED]
0020: 7842 49c1 --- IV
7b13 3576 8c17 21c8 65a9 8d00 xBI.{.5v..!.e...
0030: 1e99 1b74 3e86 6476 07e7 f8e8 04f0 0e5d ...t.dv...]
0040: 8d63 41d9 cdb0 1304 c800 0b6e bfbb c069 .cAn...i
0050: e594 b4d5 --- Encrypted packet
b330 d80f 84cc 0106 57b8 0eaf .0..W... -- Authentication data
END

After Decryption

START
IP_PACKET not shown:
9e40 cf04  0002 --- SPI and sequence number
9971 4c73 7842 49c1 [EMAIL PROTECTED] --- IV
START OF DECRYPTED PACKET
0010: 0def 01bb a8cc c11d d59f 3997 5019 faf0 ..9.P...
0020: 7452  1503 0100 1228 ce83 baef 8a8b tR...(..
0030: b4e9 a6b8 03b5 8392 da04 3a 01 0203 0306 ..:. --- padding, pad length and next header field
END OF DECRYPTED PACKET
0040: b330 d80f 84cc 0106 57b8 0eaf .0..W... ---Authentication data
END: cbcc d7dc c448 fd53 4dce d67f d2c3 6fe0 .H.SM.o.
0010: 5838 0444 -- Cipher key

The command that I am using for decryption of the packet is --

openssl enc -des3 -in input_pkt -out out_pkt -nopad -d -K 7de79edfe7046acd223f6a72b6bb354c4a6888f672d61cbb -iv 43990d51bba59ece

The input packet I am passing as an array in a C file and printing the ascii into a file named input_packet. Below is the code for it:

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>

int main()
{
    /* Encrypted part of the ESP payload (48 bytes) */
    unsigned char in_packet[] = {
        0x7b,0x13, 0x35,0x76, 0x8c,0x17, 0x21,0xc8, 0x65,0xa9, 0x8d,0x00,
        0x1e,0x99, 0x1b,0x74, 0x3e,0x86, 0x64,0x76, 0x07,0xe7, 0xf8,0xe8,
        0x04,0xf0, 0x0e,0x5d, 0x8d,0x63, 0x41,0xd9, 0xcd,0xd0, 0x13,0x04,
        0xc8,0x00, 0x0b,0x6e, 0xbf,0xbb, 0xc0,0x69, 0xe5,0x94, 0xb4,0xd5
    };
    unsigned int i = 0;
    FILE *fd_d;

    /* "wb" creates or truncates the file and writes the bytes untranslated;
       the posted mode "r+" fails when input_pkt does not exist yet */
    fd_d = fopen("input_pkt", "wb");
    printf("sizeof in_packet is : %d\n", (int)sizeof(in_packet));
    if (fd_d == NULL) {
        printf("fd not created\n");
        return 1;
    }
    /* Write each byte raw to the file and echo it in hex on the console */
    while (i < (sizeof(in_packet))) {
        fprintf(fd_d, "%c", in_packet[i]);
        printf("%x", in_packet[i]);
        i++;
    }
    printf("\nvalue of i is %u\n", i);
    fclose(fd_d);
    return 0;
}

Can anyone help me out? The packet after decryption should look like the above. I think many of you might have used this functionality and it shouldn't be a difficult thing for you folks to answer.
Thanks a lot in advance.
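The field layout annotated in the message above (SPI and sequence number, IV, encrypted data, authentication data), as an added example that is not part of the original post: it splits an ESP payload into those fields so that the IV handed to openssl enc -iv is the one carried in the packet and only the cipher blocks go into the input file. It assumes 3DES-CBC with an 8-byte IV and 12 bytes of authentication data; esp_split, to_hex and sample_esp are names chosen here, and the key is left as a placeholder.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ESP_HDR = 8, IV_LEN = 8, ICV_LEN = 12 };  /* SPI+seq, 3DES IV, auth data */

struct esp_fields { uint32_t spi, seq; const uint8_t *iv, *ct, *icv; size_t ct_len; };

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Returns 0 on success, -1 if the buffer cannot hold the assumed layout. */
int esp_split(const uint8_t *p, size_t len, struct esp_fields *f)
{
    if (len < ESP_HDR + IV_LEN + 8 + ICV_LEN || (len - ESP_HDR - IV_LEN - ICV_LEN) % 8)
        return -1;                /* need one or more whole 8-byte CBC blocks */
    f->ct_len = len - ESP_HDR - IV_LEN - ICV_LEN;
    f->spi = be32(p);
    f->seq = be32(p + 4);
    f->iv  = p + ESP_HDR;         /* sent in the clear, right after the header */
    f->ct  = f->iv + IV_LEN;      /* this is what openssl enc -d should read */
    f->icv = f->ct + f->ct_len;   /* not part of the cipher input */
    return 0;
}

/* Hex-encode n bytes into out (needs 2*n + 1 chars), e.g. for the -iv option. */
void to_hex(const uint8_t *b, size_t n, char *out)
{
    for (size_t i = 0; i < n; i++)
        sprintf(out + 2 * i, "%02x", b[i]);
}

/* Constructed sample: SPI, IV, first two cipher blocks and authentication
   data as quoted in the post; the sequence number bytes are assumed. */
const uint8_t sample_esp[] = {
    0x9e,0x40,0xcf,0x04, 0x00,0x00,0x00,0x02,
    0x99,0x71,0x4c,0x73, 0x78,0x42,0x49,0xc1,
    0x7b,0x13,0x35,0x76, 0x8c,0x17,0x21,0xc8, 0x65,0xa9,0x8d,0x00, 0x1e,0x99,0x1b,0x74,
    0xb3,0x30,0xd8,0x0f, 0x84,0xcc,0x01,0x06, 0x57,0xb8,0x0e,0xaf
};

int main(void)
{
    struct esp_fields f;
    char iv[2 * IV_LEN + 1];
    if (esp_split(sample_esp, sizeof sample_esp, &f) != 0)
        return 1;
    to_hex(f.iv, IV_LEN, iv);
    printf("SPI %08x: openssl enc -des3 -d -nopad -K <key> -iv %s\n", (unsigned)f.spi, iv);
    return 0;
}
```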




Thread safety

2005-12-10 Thread Alain Damiral

Hello,

I'm trying to write an interface to OpenSSL using BIO pairs. For testing 
purposes, I'm doing communication locally in two separate threads (one 
accessing a server context, the other a client context) so I figured I 
should worry about thread safety. I read in the OpenSSL documentation 
that one could find out if thread support was enabled using this:


#define OPENSSL_THREAD_DEFINES
#include <openssl/opensslconf.h>
#if defined(THREADS)
  // thread support enabled
#else
  // no thread support
#endif

If I stick to this it appears that I have no thread support here on my 
system (Win32), but I see no mention of that OPENSSL_THREAD_DEFINES 
macro in opensslconf.h, or anywhere else. Also, I see that 
OPENSSL_THREADS is defined in opensslconf.h so I'm basically wondering 
if this part of the documentation is out of date and if this 
OPENSSL_THREADS means that thread support is enabled. If so, are the 
callbacks defined in th-lock.c still valid ? I get a few warnings when I 
compile those with my project, but C is like alcohol and cigarettes - 
you never watch the warnings.



Next question:
I'll probably do all the locking manually since the threads themselves 
aren't defined at the C code level for my app (I'm not sure if thread 
support will work transparently with OpenSSL for user level threads). So 
I'm wondering if just locking all access to the C module in which 
OpenSSL routines are called should be sufficient or are there particular 
sequences of calls that should be made atomically (that OpenSSL thread 
support would usually deal with) ?


Thanks for reading and eventually for answering.


--
Alain Damiral,

Université Catholique de Louvain - student
alain.damiral'at'student.info.ucl.ac.be



errors in DTLS implementation in openssl0.9.8a

2005-12-10 Thread robert dugal
Openssl 0.9.8a is incorrectly encoding the DTLS version as 0x01,0x00 instead 
of 0xfe,0xff

$ ./openssl s_client -dtls1 -debug
CONNECTED(0003)
write to 0x5d3640 [0x5dd3f8] (119 bytes = 119 (0x77))
 - 16 01 00 00 00 00 00 00-00 00 00 00 6a 01 00 00   j...



Openssl 0.9.8a is incorrectly encoding the ChangeCipherSpec message as 3 
bytes instead of 1 byte, including a 2 byte message sequence number.

$ ./openssl s_client -dtls1 -debug
snipped
write to 0x5d3640 [0x5e2d80] (16 bytes = 16 (0x10))
 - 14 01 00 00 00 00 00 00-00 00 03 00 03 01 00 03   
The first 13 bytes are the record header followed by the CCS which is 3 
bytes: 01 00 03


There is no MSN in the CCS. I had a lengthy discussion with Eric on this 
topic and he was very clear that the CCS has no MSN and he did not want to 
add it to the CCS.



I also discovered it is very easy to crash openssl or make the handshake 
fail using the -mtu argument (testing on windows xp).


./openssl s_server -dtls1 -debug -mtu 100
./openssl s_client -dtls1 -debug -mtu 100
- server Segmentation fault (core dumped)

./openssl s_server -dtls1 -debug -mtu 128
./openssl s_client -dtls1 -debug -mtu 128
- server 888:error:143F8412:SSL routines:DTLS1_READ_BYTES:sslv3 alert bad 
certificate
- client 4052:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 
lib:s3_clnt.c


./openssl s_server -dtls1 -debug -mtu 256
./openssl s_client -dtls1 -debug -mtu 256
- server DTLS1_READ_BYTES:sslv3 alert bad certificate
- client 3080:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 
lib:s3_clnt.c


./openssl s_server -dtls1 -debug -mtu 512
./openssl s_client -dtls1 -debug -mtu 512
- server SSL3_GET_FINISHED:digest check failed
- client handshake failure
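
The two encoding points raised at the start of this message (record version 01 00 instead of fe ff, and a 3-byte ChangeCipherSpec body), as an added example that is not part of the original post or of OpenSSL: a checker for the 13-byte record header, run over the bytes quoted from the -debug output. The names dtls_check and REC_* are chosen here, and ccs_fixed is a constructed record showing the encoding the post describes as correct.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { DTLS_HDR_LEN = 13, CT_CCS = 0x14, DTLS1_WIRE_VERSION = 0xfeff };
enum { REC_OK = 0, REC_TRUNCATED = 1, REC_BAD_VERSION = 2, REC_BAD_CCS_LEN = 4 };

struct dtls_rec { uint8_t type; uint16_t version, epoch, length; uint64_t seq; };

/* Header layout: type(1) version(2) epoch(2) sequence(6) length(2).
   Returns a bitmask of REC_* findings; *r is filled when 13+ bytes are given. */
int dtls_check(const uint8_t *p, size_t n, struct dtls_rec *r)
{
    int flags = REC_OK;
    if (n < DTLS_HDR_LEN)
        return REC_TRUNCATED;
    r->type = p[0];
    r->version = (uint16_t)(p[1] << 8 | p[2]);
    r->epoch = (uint16_t)(p[3] << 8 | p[4]);
    r->seq = 0;
    for (int i = 5; i < 11; i++)
        r->seq = r->seq << 8 | p[i];
    r->length = (uint16_t)(p[11] << 8 | p[12]);
    if (n - DTLS_HDR_LEN < r->length)
        flags |= REC_TRUNCATED;      /* the dump shows only part of the record */
    if (r->version != DTLS1_WIRE_VERSION)
        flags |= REC_BAD_VERSION;    /* post: should be fe ff, not 01 00 */
    if (r->type == CT_CCS && r->length != 1)
        flags |= REC_BAD_CCS_LEN;    /* post: CCS is 1 byte, no sequence number */
    return flags;
}

/* First 16 bytes of each write, copied from the -debug output in the post. */
const uint8_t hello_098a[] = { 0x16,0x01,0x00,0,0,0,0,0,0,0,0,0x00,0x6a,0x01,0x00,0x00 };
const uint8_t ccs_098a[]   = { 0x14,0x01,0x00,0,0,0,0,0,0,0,3,0x00,0x03,0x01,0x00,0x03 };
/* Constructed: the same CCS record encoded the way the post says it should be. */
const uint8_t ccs_fixed[]  = { 0x14,0xfe,0xff,0,0,0,0,0,0,0,3,0x00,0x01,0x01 };

int main(void)
{
    struct dtls_rec r;
    int f = dtls_check(ccs_098a, sizeof ccs_098a, &r);
    printf("0.9.8a CCS: flags=%d version=%04x length=%u\n", f, r.version, r.length);
    f = dtls_check(ccs_fixed, sizeof ccs_fixed, &r);
    printf("fixed CCS:  flags=%d version=%04x length=%u\n", f, r.version, r.length);
    return 0;
}
```

The length field of the first record is 0x6a, and 13 + 106 gives the 119 bytes reported by s_client, which confirms the 13-byte header split used here.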

