Re: Installing a certificate chain
The only certificates that must be sent are the server identification and the certs up to (but not including) the trust anchor. (Since the client already has the trust anchor, it will verify against its local copy of the root CA, not the copy of the root CA that came from the connection.) Sending the extra certificate doesn't hurt, though. -Kyle H On 2/27/06, Brian Candler [EMAIL PROTECTED] wrote: On Mon, Feb 27, 2006 at 07:36:16PM +, Brian Candler wrote: Ah. I had just used -cert ../server.example.com-cert.pem (where this file contains all the certificates). So now I've added -CAfile as well, pointing to the same file: #!/bin/sh cd content openssl s_server -cert ../server.example.com-cert.pem \ -CAfile ../server.example.com-cert.pem \ -key ../server.example.com-key.pem \ -WWW And it works. I've removed the sub-CA certificate and its symlink from /etc/ssl/certs, but the client can still verify the chain: As a follow-up for the benefit of the list archive: to get this to work in Apache+mod_ssl I just had to uncomment SSLCertificateChainFile /usr/local/etc/apache/ssl.crt/ca.crt from httpd.conf, and point it at a file containing the sub-CA's certificate (signed by the root CA) and the root CA's own self-signed certificate. Regards, Brian. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Installing a certificate chain
Hi, This question might be slightly silly and out of place but this conversation brought it up to me. I don't remember seeing the answer... Is it possible to send several chains, each rooted by a different CA ? And then let the client determine if he trusts one of those CAs. Cheers, - Alain Kyle Hamilton wrote: The only certificates that must be sent are the server identification and the certs up to (but not including) the trust anchor. (Since the client already has the trust anchor, it will verify against its local copy of the root CA, not the copy of the root CA that came from the connection.) Sending the extra certificate doesn't hurt, though. -Kyle H On 2/27/06, Brian Candler [EMAIL PROTECTED] wrote: On Mon, Feb 27, 2006 at 07:36:16PM +, Brian Candler wrote: Ah. I had just used -cert ../server.example.com-cert.pem (where this file contains all the certificates). So now I've added -CAfile as well, pointing to the same file: #!/bin/sh cd content openssl s_server -cert ../server.example.com-cert.pem \ -CAfile ../server.example.com-cert.pem \ -key ../server.example.com-key.pem \ -WWW And it works. I've removed the sub-CA certificate and its symlink from /etc/ssl/certs, but the client can still verify the chain: As a follow-up for the benefit of the list archive: to get this to work in Apache+mod_ssl I just had to uncomment SSLCertificateChainFile /usr/local/etc/apache/ssl.crt/ca.crt from httpd.conf, and point it at a file containing the sub-CA's certificate (signed by the root CA) and the root CA's own self-signed certificate. Regards, Brian. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: calling SSL_library_init multiple times
Thanks Nils and Andrew for the replies. -JBOn 2/27/06, Nils Larsch [EMAIL PROTECTED] wrote: Jagannadha Bhattu G wrote: Hi, Can I call SSL_library_init multiple times in my code under different threads?as SSL_library_init() initializes global tables it should onlybe called from one thread a time and of course no other thread should use the global data while SSL_library_init() is running.Ideally it should be run once before the threads using ssl arecreated. From the documented return values,it always returns 1 but this doesn't mean it's reentrant Cheers,Nils__OpenSSL Project http://www.openssl.orgUser Support Mailing Listopenssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED]
Re: Installing a certificate chain
Actually, there's a paper that was pointed out to me not too long ago (by Philipp Gühring of CAcert.org) -- it /should/ be possible, however there's a severe lack of support in the current implementations. http://www.dfn-pca.de/bibliothek/reports/pki-linking/report-linking-final-1.0.2.pdf (CC:AT-NC-SA) I would like to see support made much more available. -Kyle H On 2/28/06, Alain Damiral [EMAIL PROTECTED] wrote: Hi, This question might be slightly silly and out of place but this conversation brought it up to me. I don't remember seeing the answer... Is it possible to send several chains, each rooted by a different CA ? And then let the client determine if he trusts one of those CAs. Cheers, - Alain Kyle Hamilton wrote: The only certificates that must be sent are the server identification and the certs up to (but not including) the trust anchor. (Since the client already has the trust anchor, it will verify against its local copy of the root CA, not the copy of the root CA that came from the connection.) Sending the extra certificate doesn't hurt, though. -Kyle H On 2/27/06, Brian Candler [EMAIL PROTECTED] wrote: On Mon, Feb 27, 2006 at 07:36:16PM +, Brian Candler wrote: Ah. I had just used -cert ../server.example.com-cert.pem (where this file contains all the certificates). So now I've added -CAfile as well, pointing to the same file: #!/bin/sh cd content openssl s_server -cert ../server.example.com-cert.pem \ -CAfile ../server.example.com-cert.pem \ -key ../server.example.com-key.pem \ -WWW And it works. I've removed the sub-CA certificate and its symlink from /etc/ssl/certs, but the client can still verify the chain: As a follow-up for the benefit of the list archive: to get this to work in Apache+mod_ssl I just had to uncomment SSLCertificateChainFile /usr/local/etc/apache/ssl.crt/ca.crt from httpd.conf, and point it at a file containing the sub-CA's certificate (signed by the root CA) and the root CA's own self-signed certificate. Regards, Brian. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
WTLS / x9.68 certificates
Hello guys, I'm started to dig into mobile PKI and have stated, what openssl does not support WTLS / x9.68 standards. Don't want to invent another one bicycle, so can somebody point me to any available solution to generate WTLS or (better) x9.68 certificate? Thanks in advance. Regards, Dmitrij __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl-users] Re: openssl req -x509 does not create serial-number 0
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I think that part of the difficulty here is the words used. Our experience in other areas is overwhelmingly in favor of serial number being a sample from a counter that starts at 0 or 1 and is incremented by 1 every time it's consulted. So we see a field described as a serial number and ask why it isn't behaving properly. It's too bad the standard calls this attribute a serial number rather than, say, certificate unique identifier, but the term is fixed now. - -- Mark H. Wood, Lead System Programmer [EMAIL PROTECTED] Open-source executable: $0.00. Source: $0.00 Control: priceless! -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (GNU/Linux) Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/ iD8DBQFEBFyts/NR4JuTKG8RAvwvAJkBaF0r/EWrlN94kzBXyhdYDukKLQCfVOIr P337Skc1EMAy4i1wowAXiDQ= =nhvt -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: calling SSL_library_init multiple times
The first sentence of the explanation below seems to infer that its ok to call ssl_library_init() from each thread that might want to access the SSL library. I dont think thats what was intended. I think the last sentence is more accurate if you have a multi-threaded application, and youve hooked the static and dynamic mutex functions to allow OpenSSL to correctly operate in a multi-threaded environment, then SSL_library_init() should only be called once, during application initialization. This single call will initialize the library for all threads. This is my interpretation of from what I have gleaned from the docs and sources. Randy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jagannadha Bhattu G Sent: Tuesday, February 28, 2006 1:42 AM To: openssl-users@openssl.org Subject: Re: calling SSL_library_init multiple times Thanks Nils and Andrew for the replies. -JB On 2/27/06, Nils Larsch [EMAIL PROTECTED] wrote: Jagannadha Bhattu G wrote: Hi, Can I call SSL_library_init multiple times in my code under different threads? as SSL_library_init() initializes global tables it should only be called from one thread a time and of course no other thread should use the global data while SSL_library_init() is running. Ideally it should be run once before the threads using ssl are created. From the documented return values, it always returns 1 but this doesn't mean it's reentrant Cheers, Nils __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl-users] Re: openssl req -x509 does not create serial-number 0
Bonjour,
Hodie pr. Kal. Mar. MMVI est, Mark H. Wood scripsit:
I think that part of the difficulty here is the words used. Our
experience in other areas is overwhelmingly in favor of serial number
being a sample from a counter that starts at 0 or 1 and is incremented by
1 every time it's consulted.
That's not really incompatible with something random, from the
outside. Just keep an internal counter, pack it properly into a
128bit structure, encrypt it with an AES key, et voilà, you have a
random serial number, and you're sure you won't have any duplicate.
A command-line version (for the CA.{pl,sh} utility) could be this
script:
- genserial.sh
#! /bin/sh
COUNTER=`cat counter`
echo -n $COUNTER | openssl enc -K `od -t x1 -A n aeskey.bin | sed 's/ //g'`
-aes-128-ecb -iv | od -t x1 -A n | sed 's/ //g' serial
echo obase=16; ibase=16; $COUNTER+1 | bc counter
-
For this to work, you have to generate a random AES key:
dd if=/dev/urandom of=aeskey.bin bs=1 count=16
and initialize your counter file:
echo 1 counter (or any value you want)
Call this script to generate a serial number based on the counter, and
increment the counter for the next one. Just tell 'openssl ca' to use
the generated serial, as what is done by default by CA.{pl,sh}.
The iv parameter value is not important, because we use the ECB mode,
but the software needs one to be set, so just make it happy.
This simple script doesn't allow you to generate 2^128 different
serial numbers, you'll only get 16^16 different ones, but for a
home-made CA, that should be enough.
So we see a field described as a serial
number and ask why it isn't behaving properly. It's too bad the standard
calls this attribute a serial number rather than, say, certificate
unique identifier, but the term is fixed now.
The standard goes back to 1988 for the final X.509 v1, and at that
time, the described X.509 collision attack didn't exist.
Then, somewhere between 1988 and 1997, X.509v2 came in, adding the
subjectUniqueIdentifier field (a UniqueIdentifier is a BIT STRING),
which was replaced in 1997 (X.509v3) by the subjectKeyIdentifier
extension.
The subjectUniqueIdentifier and subjectKeyIdentifier are really meant
to be unique by themselves (wether it's truely unique or not is left
to the implementor), but the serialNumber is not unique alone, by
definition.
--
Erwann ABALEA [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Upgrade OpenSSL Questions
I am upgrading from 0.9.7a to 0.9.7i on fedora 3 core with apache 1.3.33. The make process was successful but I have a few questions before I run make install. Will there be any concerns with installing openSSL 0.9.7i on Fedora 3 with a current installation of 0.9.7a using Apache 1.3.33. Will I need to reinstall the certificates on my sites? What mod_ssl version will I need and how do I find out what version and change it? -- View this message in context: http://www.nabble.com/Upgrade-OpenSSL-Questions-t1200543.html#a3168275 Sent from the OpenSSL - User forum at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
__attribute__
Hello, I just wanted to point out that in the bio.h header file there is a define called __attribute__ in version openssl-0.9.8a that conficts with a similiar define in the apr.h header file that is in the newest apache httpd server (httpd-2.2.0). To compile apache, I edit bio.h to comment out the __attribute__ define. I am compiling on AIX, btw. Sincerely, Maverick Merritt __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Compiled on windows but lacking symbols
Hey guys, I've tried a precompiled windows version of 0.9.7.c openssl and it was lacking symbols for these 3 fnc : ERR_print_errors_fp BIO_new_socket OPENSSL_add_all_algorithms_noconf (or conf) Then I've decided on compiling my own version using mingw... which worked. But it's still lacking those symbols. Then I've found out about libeay32 which has them. So I've got to compile my application using -leay32 -lssl. Quite weird, no ? Thanks for your support, Chandi __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Compiled on windows but lacking symbols
This brings up a really interesting point. What is the appropriate separation of functions? What can I presume is in each library? (eay32 is crypto stuff. ssl32 should be the BIO and SSL session management stuff?) -Kyle H On 2/28/06, Chandi Bernier [EMAIL PROTECTED] wrote: Hey guys, I've tried a precompiled windows version of 0.9.7.c openssl and it was lacking symbols for these 3 fnc : ERR_print_errors_fp BIO_new_socket OPENSSL_add_all_algorithms_noconf (or conf) Then I've decided on compiling my own version using mingw... which worked. But it's still lacking those symbols. Then I've found out about libeay32 which has them. So I've got to compile my application using -leay32 -lssl. Quite weird, no ? Thanks for your support, Chandi __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Compiled on windows but lacking symbols
On Tue, Feb 28, 2006, Kyle Hamilton wrote: This brings up a really interesting point. What is the appropriate separation of functions? What can I presume is in each library? (eay32 is crypto stuff. ssl32 should be the BIO and SSL session management stuff?) libssl or its equivalent is the SSL/TLS library. Everything else is libcrypto. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
error in CRYPTO_mem_leaks_fp
Hi My application written (in cpp) using openssl 0.9.7e is having some memory leaks. I try the standard way to find the memory leak using //In the Beginning CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); //In the End CRYPTO_mem_leaks_fp(stderr); but my CRYPTO_mem_leaks_fp(stderr); statement is throwing a Access Violation error. I use the debug version to follow the stack and my stack trace is CRYPTO_mem_leaks_fp CRYPTO_mem_leaks lh_doall_arg doall_util_fn func_arg(a-data,arg); // Error inside this method Can anyone help me resolve this problem so that I can understand my memory leakage problem? Thanks -Venkata __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
How to get To-Be-Signed portion of certificate with openssl api ?
Hi All, I have a quick question. How can I get To-Be-Signed portion of certificate with openssl api ? In case of using JDK, X509Certificat class and getTBSCertificate() method seem to be available for the same purpose. I'm not familiar with the openssl api, and I couldn't find the appropriate api due to the luck of sample codes on the internet. Regards, Tatsuya Tsurukawa [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to get To-Be-Signed portion of certificate with openssl api ?
You're looking for X.509 encoding of the CSR. Thus, you'd be looking
at the X509_* series of functions.
Since it's a request, the subset of functions would be X509_REQ_*. To
decode it, you want d2i_X509_REQ_{bio|fp}().
I have to doublecheck the functions that can be used to get info out
of it, though. You could, however, look at the 'req', 'ca', and
'x509' programs to see what they do.
-Kyle H
On 2/28/06, Tatsuya Tsurukawa
[EMAIL PROTECTED] wrote:
Hi All,
I have a quick question.
How can I get To-Be-Signed portion of certificate with openssl api ?
In case of using JDK, X509Certificat class and getTBSCertificate() method
seem to be available for the same purpose.
I'm not familiar with the openssl api, and I couldn't find the appropriate
api due to the luck of sample codes on the internet.
Regards,
Tatsuya Tsurukawa
[EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
