question regarding use of openssh with openssl-0.9.7i

Hi,

I am facing a problem when using openssh-3.9 with openssl-0.9.7i. Both ssh and sshd are crashing. I have compiled openssl with fips. But openssh has not been changed at all. Openssh does not use the fips api at all. But when I try to open an ssh connection both the ssh client and the ssh daemon on the server are crashing.

I have installed the following openssl libraries:

1. libcrypto.so.0.9.7
2. libcrypto.so.0.9.7.sha1
3. libssl.so.0.9.7

Please note that openssh is not at all using FIPS mode. Has anybody tested openssh with openssl-0.9.7i and was there any problem with the same?

Thanks in advance for your reply
-Basavaraj

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]

Re: Choice of CAs in SSL/TLS handshake

On 3/7/06, Olaf Gellert [EMAIL PROTECTED] wrote:
> Samy Thiyagarajan wrote:
> > Hi,
> > Maybe changing the verification of the depth level solves this issue. ( I mean check the chain only up to User CA 1 and not up to the Root CA ) In this case it should not report about missing valid root.
> > I'm not sure. this is just an idea.
>
> Good idea. But unfortunately it does not work out. I removed the root-certificate from the SSLCACertificateFile. The Server now only allows the user CA 1 (otherwise it still offers the root CA as valid CA). And I shortened the verifyDepth to one. But the server denies access saying:
>
>     [Tue Mar 07 15:56:34 2006] [error] Certificate Verification: Error (20): unable to get local issuer certificate
>
> Seems that verifyDepth still requires a self-signed root certificate (so the chain has to reach the toplevel in the given number of steps).
>
> Hm... Any other proposals? :-)
>
> Cheers, Olaf
> --
> Dipl.Inform. Olaf Gellert PRESECURE (R) Senior Researcher, Consulting GmbH Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED]
> A daily view on Internet Attacks https://www.ecsirt.net/sensornet

Hi Olaf,

I think you can use the mod_ssl SSLRequire directive. This directive specifies a general access requirement which has to be fulfilled in order to allow access. It's a very powerful directive because the requirement specification is an arbitrarily complex boolean expression containing any number of access checks.

Example that should work for you:

    SSLRequire %{SSL_CLIENT_I_DN} eq "/C=foo/O=bar/CN=CA1"

cf http://www.modssl.org/docs/2.8/ssl_reference.html#ToC23

Regards
--
Nicolas Margaine

A little help would be appreciated

Hi folks,

I've entered the big complex world of Certificates and I need a little help. I've got a Windows XP network and a Linux server. We wish to use certs to sign electronic forms with MS Infopath 2003.

I've read up on how to make a CA cert using openssl and I can make on the Linux Server the user certs for our employees and I put these on a secure shared folder for them. I have to make .p12 certs as Infopath needs a private key seemingly.

But after I import a user's cert into their MMC into the Personal store, and look in the General tab, the user cert says it's not trusted. It says This CA Root certificate is not trusted.

Ok, so I put into the Trusted Root CA store, the Server's cert. Still the Personal cert says it's not trusted. So at this point I'm stuck. I thought it would trust the user cert because it would look in the Trusted Root CA store and see the Server's cert in there.

Can someone point out the 'obvious thing' I'm not seeing? :-)

If it helps, here is how I generated the certs.

1st, the CA.

    openssl req -config openssl.cnf -new -x509 -keyout ECS_CA/private/cakey.pem -out ECS_CA/cacert.pem -days 3650

Then I used the following commands to generate the users certs on the Server:

    openssl req -new -key ECS_CA\private\cakey.pem -out stuarth.csr
    openssl ca -policy policy_anything -out stuarth.cer -infiles stuarth.csr

Infopath needs a cert with a private key so the .p12 format is required.

    openssl x509 -in stuarth.cer -out stuarth_certx509.pem
    openssl pkcs12 -export -in stuarth_certx509.pem -inkey ECS_CA\private\cakey.pem -out stuarth.p12

and it is stuarth.p12 which I import into mmc - Personal.

--
Stuart Halliday
ECS Technology ltd
Registered in Scotland - #212513

RE: A little help would be appreciated

It's not the server cert you need in the trusted certs store - it's the CA root cert. And you'll need any intermediate CA certs in the regular CA store

D.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stuart Halliday

> Ok, so I put into the Trusted Root CA store, the Server's cert.

RE: A little help would be appreciated

> It's not the server cert you need in the trusted certs store - it's the CA root cert.

Surely that's what I've got? I created a CA cert I thought.

RE: A little help would be appreciated

See the certificate subject (owner) and issuer: For a CA, these 2 fields will be the same. For server cert, the issuer field will contain the DN of the signing authority - this CA, or any intermediate CA.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stuart Halliday
Sent: Wednesday, March 08, 2006 5:06 PM
To: openssl-users@openssl.org
Subject: RE: A little help would be appreciated

> It's not the server cert you need in the trusted certs store - it's the CA root cert.

Surely that's what I've got? I created a CA cert I thought.

Re: Choice of CAs in SSL/TLS handshake

On Tue, Mar 07, 2006, Olaf Gellert wrote:
> Samy Thiyagarajan wrote:
> > Hi,
> > Maybe changing the verification of the depth level solves this issue. ( I mean check the chain only up to User CA 1 and not up to the Root CA ) In this case it should not report about missing valid root.
> > I'm not sure. this is just an idea.
>
> Good idea. But unfortunately it does not work out. I removed the root-certificate from the SSLCACertificateFile. The Server now only allows the user CA 1 (otherwise it still offers the root CA as valid CA). And I shortened the verifyDepth to one. But the server denies access saying:
>
>     [Tue Mar 07 15:56:34 2006] [error] Certificate Verification: Error (20): unable to get local issuer certificate
>
> Seems that verifyDepth still requires a self-signed root certificate (so the chain has to reach the toplevel in the given number of steps).
>
> Hm... Any other proposals? :-)

There are several options.

One is to turn off chain verification. That would mean that the verify function no longer uses untrusted CAs from the peer and you place the rest of the chain in the trusted store. Unfortunately there isn't a verify flag to do that directly so you'd have to override the standard verify function and replace it with exactly the same code *except* it would pass a NULL for the set of untrusted certificates.

A second option is to add a purpose setting which rejects any and all CAs while keeping the standard behaviour for non-CAs.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Choice of CAs in SSL/TLS handshake

Another easy way is to use self signed certs of the acceptable CAs.

Dr. Stephen Henson wrote:
> On Tue, Mar 07, 2006, Olaf Gellert wrote:
> > Samy Thiyagarajan wrote:
> > > Hi,
> > > Maybe changing the verification of the depth level solves this issue. ( I mean check the chain only up to User CA 1 and not up to the Root CA ) In this case it should not report about missing valid root.
> > > I'm not sure. this is just an idea.
> >
> > Good idea. But unfortunately it does not work out. I removed the root-certificate from the SSLCACertificateFile. The Server now only allows the user CA 1 (otherwise it still offers the root CA as valid CA). And I shortened the verifyDepth to one. But the server denies access saying:
> >
> >     [Tue Mar 07 15:56:34 2006] [error] Certificate Verification: Error (20): unable to get local issuer certificate
> >
> > Seems that verifyDepth still requires a self-signed root certificate (so the chain has to reach the toplevel in the given number of steps).
> >
> > Hm... Any other proposals? :-)
>
> There are several options.
>
> One is to turn off chain verification. That would mean that the verify function no longer uses untrusted CAs from the peer and you place the rest of the chain in the trusted store. Unfortunately there isn't a verify flag to do that directly so you'd have to override the standard verify function and replace it with exactly the same code *except* it would pass a NULL for the set of untrusted certificates.
>
> A second option is to add a purpose setting which rejects any and all CAs while keeping the standard behaviour for non-CAs.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk

--
To verify the signature, see http://edelpki.edelweb.fr/
That lets you load the authority's certificate; you will also find the list of revoked certificates there.

Re: Choice of CAs in SSL/TLS handshake

On Wed, Mar 08, 2006, Peter Sylvester wrote:
> Another easy way is to use self signed certs of the acceptable CAs.

I'm not sure that would work because the path building algorithm first tries to construct as much of the path as possible from the set of untrusted CAs with the exception of the root.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: A little help would be appreciated

> When you create the user .P12 files, then include the CA certificate into it, i.e. use a certfile that contains the user cert and the self signed CA certificate. The p12 file contain thus the private key of a user, the user's X509 certificate and the X509 certificate of the CA.

Thanks for that. But how? What openssl command merges 2 certificates? I can't find one.

RE: A little help would be appreciated

> See the certificate subject (owner) and issuer: For a CA, these 2 fields will be the same. For server cert, the issuer field will contain the DN of the signing authority - this CA, or any intermediate CA.

Then I do have a CA type. The 'Issued to' and 'Issued from' fields are the same. ie: 'MyServer Root Certificate Authority'. This cert is in my Trusted Root CA store.

In my Personal store in MMC I have a cert which is labelled: Issued by 'MyServer Root Certificate Authority' and Issued to 'Stuart Halliday'.

So why doesn't it work? I'm really confused.

Re: A little help would be appreciated

On Wed, Mar 08, 2006 at 01:20:15PM +, Stuart Halliday wrote:
> > When you create the user .P12 files, then include the CA certificate into it, i.e. use a certfile that contains the user cert and the self signed CA certificate. The p12 file contain thus the private key of a user, the user's X509 certificate and the X509 certificate of the CA.
>
> Thanks for that. But how? What openssl command merges 2 certificates? I can't find one.

man pkcs12

Fwd: Changing session key, IV HMAC key regularly

Hi,

Can somebody help me with this?

Thanks
JB

-- Forwarded message --
From: Jagannadha Bhattu G [EMAIL PROTECTED]
Date: Mar 6, 2006 6:49 PM
Subject: Changing session key, IV HMAC key regularly
To: openssl-users@openssl.org

Hi,

Can some one let me know if the SSL protocol specification mandates changes to these values frequently in an ongoing connection? If not how to enable it using APIs?

Thanks
JB

Re: A little help would be appreciated

On Wed, Mar 08, 2006, Stuart Halliday wrote:
> If it helps, here is how I generated the certs.
>
> 1st, the CA.
>
>     openssl req -config openssl.cnf -new -x509 -keyout ECS_CA/private/cakey.pem -out ECS_CA/cacert.pem -days 3650
>
> Then I used the following commands to generate the users certs on the Server:
>
>     openssl req -new -key ECS_CA\private\cakey.pem -out stuarth.csr
>     openssl ca -policy policy_anything -out stuarth.cer -infiles stuarth.csr
>
> Infopath needs a cert with a private key so the .p12 format is required.
>
>     openssl x509 -in stuarth.cer -out stuarth_certx509.pem
>     openssl pkcs12 -export -in stuarth_certx509.pem -inkey ECS_CA\private\cakey.pem -out stuarth.p12
>
> and it is stuarth.p12 which I import into mmc - Personal.

It looks like you are using the same key for the user certificates and the CA!

Instead of manually entering commands use the CA.pl script instead. That is intended to just do the right thing when given some simple options.

Don't use the CA.pl in the release version of 0.9.8 though: pick a recent snapshot or use 0.9.7.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

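The key separation pointed out above, together with the -certfile bundling and the issuer/subject comparison suggested elsewhere in this thread, as an added example that is not part of any poster's message. It uses `openssl x509 -req` in place of `openssl ca` so that no CA directory layout is needed; the subjects, file names and export password are constructed.

```sh
#!/bin/sh
# Added example. Subjects, file names and the password are constructed.
PASS=constructed-password

# Minimal req config, so the result does not depend on the system openssl.cnf.
write_cfg() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Self-signed root CA with its own key: subject and issuer are the same DN.
make_ca() {     # $1 = work dir
    write_cfg "$1/req.cnf"
    openssl req -config "$1/req.cnf" -new -x509 -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=Example Root CA" -days 30 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# CSR built from key $3, then signed by the CA. Passing ca.key as $3
# reproduces the mistake diagnosed in the thread; a fresh key is correct.
make_user() {   # $1 = work dir, $2 = output basename, $3 = subject key
    openssl req -config "$1/req.cnf" -new -key "$3" \
        -subj "/O=Example Org/CN=Example User" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# PKCS#12 with the user's key and certificate plus the CA certificate.
make_p12() {    # $1 = work dir, $2 = basename, $3 = user key
    openssl pkcs12 -export -in "$1/$2.crt" -inkey "$3" \
        -certfile "$1/ca.crt" -passout "pass:$PASS" -out "$1/$2.p12"
}

# Print the issuer or subject DN ($2) of certificate $1 without its label.
dn_of() { openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'; }

# True when the issuer DN of $1 equals the subject DN of $2.
issued_by() { [ "$(dn_of "$1" issuer)" = "$(dn_of "$2" subject)" ]; }

# True when both certificates carry the same public key.
same_pubkey() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Number of certificates stored in a PKCS#12 file.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

build_all() {   # $1 = work dir
    make_ca "$1" &&
    openssl genrsa -out "$1/user.key" 2048 2>/dev/null &&
    make_user "$1" good "$1/user.key" &&
    make_user "$1" bad "$1/ca.key" &&
    make_p12 "$1" good "$1/user.key"
}

report() {      # $1 = work dir
    issued_by "$1/ca.crt" "$1/ca.crt" && echo "ca.crt: self-signed root"
    for c in good bad; do
        issued_by "$1/$c.crt" "$1/ca.crt" && echo "$c.crt: issued by the CA"
        same_pubkey "$1/$c.crt" "$1/ca.crt" &&
            echo "$c.crt: SHARES THE CA KEY, reissue from a separate key"
    done
    openssl verify -CAfile "$1/ca.crt" "$1/good.crt"
    echo "certificates in good.p12: $(p12_cert_count "$1/good.p12")"
}

dir=$(mktemp -d) && build_all "$dir" && report "$dir"
```

Only ca.crt, never ca.key, belongs in a client's Trusted Root store; good.p12 is the file a user would import.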
Re: Choice of CAs in SSL/TLS handshake

Dr. Stephen Henson wrote:
> On Wed, Mar 08, 2006, Peter Sylvester wrote:
> > Another easy way is to use self signed certs of the acceptable CAs.
>
> I'm not sure that would work because the path building algorithm first tries to construct as much of the path as possible from the set of untrusted CAs with the exception of the root.

But the self signed certs of the CAs are the roots in this case, aren't they. We are talking about how to configure an Apache mod_ssl for client certs? The so called root in the example would not even be visible. As far as I understood, the real CA hierarchy was

    Root CA
    |- User CA 1 - User Certificate 1
    |- User CA 2 - User Certificate 2

I want to tell a webserver to accept certificates from User CA 1 but not from User CA 2

All that has to be set in mod_ssl or in s_server is a self signed cert of CA 1

Unless one also wants to allow certs for the root. So you set the root and the self signed cert for CA 1. In this case a client could indeed send a CA 2 cert together with the CA 2 intermediate. But in this case the verifydepth would work I think.

> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk

--
To verify the signature, see http://edelpki.edelweb.fr/
That lets you load the authority's certificate; you will also find the list of revoked certificates there.

Re: Fwd: Changing session key, IV HMAC key regularly

Jagannadha Bhattu G wrote:
> Hi,
>
> Can somebody help me with this?
>
> Thanks
> JB
>
> -- Forwarded message --
> From: Jagannadha Bhattu G [EMAIL PROTECTED]
> Date: Mar 6, 2006 6:49 PM
> Subject: Changing session key, IV HMAC key regularly
> To: openssl-users@openssl.org
>
> Hi,
>
> Can some one let me know if the SSL protocol specification mandates changes to these values frequently in an ongoing connection? If not how to enable it using APIs?
>
> Thanks
> JB

This would be a renegotiation. You can do it via a SSL_renegotiate()/SSL_do_handshake() sequence.

-jb

Re: Choice of CAs in SSL/TLS handshake

On Wed, Mar 08, 2006, Peter Sylvester wrote:
> Dr. Stephen Henson wrote:
> > On Wed, Mar 08, 2006, Peter Sylvester wrote:
> > > Another easy way is to use self signed certs of the acceptable CAs.
> >
> > I'm not sure that would work because the path building algorithm first tries to construct as much of the path as possible from the set of untrusted CAs with the exception of the root.
>
> But the self signed certs of the CAs are the roots in this case, aren't they. We are talking about how to configure an Apache mod_ssl for client certs? The so called root in the example would not even be visible. As far as I understood, the real CA hierarchy was
>
>     Root CA
>     |- User CA 1 - User Certificate 1
>     |- User CA 2 - User Certificate 2
>
> I want to tell a webserver to accept certificates from User CA 1 but not from User CA 2
>
> All that has to be set in mod_ssl or in s_server is a self signed cert of CA 1
>
> Unless one also wants to allow certs for the root. So you set the root and the self signed cert for CA 1. In this case a client could indeed send a CA 2 cert together with the CA 2 intermediate. But in this case the verifydepth would work I think.

Yes but the client will still send the user certificate, one intermediate CA and optionally the root CA. OpenSSL will use those to build as much of the path as possible and try to complete it using the trusted store. When it can't find the root CA in that store it will fail.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: problem with converting pfx to pem and Verisign Intermediate CA

Quoting Dr. Stephen Henson [EMAIL PROTECTED]:
> On Mon, Mar 06, 2006, [EMAIL PROTECTED] wrote:
>
> Can you give the full error message?
>
> It looks like it is the wrong intermediate CA being sent. With the server cert do:
>
>     openssl x509 -in cert.pem -issuer -noout
>
> that should match:
>
>     openssl x509 -in intermediate.pem -subject -noout
>
> Is this server on the internet somewhere? If so I can work out which intermediate CA you need.

solved. the tech at verisign gave our web guy the wrong intermediate, I talked to someone else and had the correct one within 5 minutes.

thanks!
brian

RE: A little help would be appreciated

Hi Stephen,

There have been a few email messages on the list recently concerning negative attributes of 0.9.8, with recommendations of using 0.9.7.x versions. Are we to assume that later versions of 0.9.7.x are really preferred for creating robust solutions with OpenSSL, instead of 0.9.8-based versions? (at least for now). Let me know if I have interpreted the email incorrectly.

Thanks!
Randy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, March 08, 2006 5:33 AM
To: openssl-users@openssl.org
Subject: Re: A little help would be appreciated

On Wed, Mar 08, 2006, Stuart Halliday wrote:
> If it helps, here is how I generated the certs.
>
> 1st, the CA.
>
>     openssl req -config openssl.cnf -new -x509 -keyout ECS_CA/private/cakey.pem -out ECS_CA/cacert.pem -days 3650
>
> Then I used the following commands to generate the users certs on the Server:
>
>     openssl req -new -key ECS_CA\private\cakey.pem -out stuarth.csr
>     openssl ca -policy policy_anything -out stuarth.cer -infiles stuarth.csr
>
> Infopath needs a cert with a private key so the .p12 format is required.
>
>     openssl x509 -in stuarth.cer -out stuarth_certx509.pem
>     openssl pkcs12 -export -in stuarth_certx509.pem -inkey ECS_CA\private\cakey.pem -out stuarth.p12
>
> and it is stuarth.p12 which I import into mmc - Personal.

It looks like you are using the same key for the user certificates and the CA!

Instead of manually entering commands use the CA.pl script instead. That is intended to just do the right thing when given some simple options.

Don't use the CA.pl in the release version of 0.9.8 though: pick a recent snapshot or use 0.9.7.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Wildcard ssl certificate using subjectAltName

BTW, when I want to extract this DNS (e.g. in the case of authentication/identity validation) as a char* string, I'm trying this:

    GENERAL_NAME* gen = X509_get_ext_d2i (cert, NID_dNSDomain, NULL, NULL);
    if (gen && gen->type == GEN_DNS) {
        char* buf = i2s_ASN1_OCTET_STRING(X509V3_EXT_get_nid(NID_dNSDomain), (gen->d.dNSName) );
        ...
    }

Everything goes OK with obtaining GENERAL_NAME* structure and its GEN_DNS type check, until the point of conversion. The 'buf' stays NULL, even when replacing the X509V3_EXT_METHOD* with NID_subject_alt_name or just NULL.

Many people talk about such a task of extracting dNSName, but could anybody show it?

Regards,
--plef--

--
View this message in context: http://www.nabble.com/Wildcard-ssl-certificate-using-subjectAltName-t1103260.html#a3302896
Sent from the OpenSSL - User forum at Nabble.com.

Re: [unclassified] A little help would be appreciated

Ok, I've now created a .p12 file with the CA.cer and a user's .cer

I can import this into MMC and it makes no difference. My user cert is still not trusted.

--
Stuart Halliday
ECS Technology ltd
Registered in Scotland - #212513

-----Original Message-----
From: Peter Sylvester [EMAIL PROTECTED]
To: Stuart Halliday [EMAIL PROTECTED]
Date: Wed, 08 Mar 2006 11:47:54 +0100
Subject: [unclassified] A little help would be appreciated

> When you create the user .P12 files, then include the CA certificate into it, i.e. use a certfile that contains the user cert and the self signed CA certificate. The p12 file contain thus the private key of a user, the user's X509 certificate and the X509 certificate of the CA.
>
> When a user imports this, he will be asked to establish trust to its own CA, which should be ok.
>
> Alternatively, you can just import the CA cert (the cert, not the private key).
>
> --
> To verify the signature, see http://edelpki.edelweb.fr/
> That lets you load the authority's certificate; you will also find the list of revoked certificates there.

EC_GFp_mont_method error with _EC_SECG_PRIME_160R1

I'm getting a EC_R_POINT_IS_NOT_ON_CURVE when using _EC_SECG_PRIME_160R1 for the following public key:

    X:7B AE 41 B9 06 CF B6 FC D4 5B 8C 17 2F B8 30 59 E0 29 30 1C
    Y:FB 5C 39 C6 76 15 AB E4 B3 86 86 BA 8D 56 7D 49 08 A3 E8 1E
    Z:1

If I modify the function

    EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)

line 109 as follows:

    #if 0
        meth = EC_GFp_mont_method();
    #else
        meth = EC_GFp_simple_method();
    #endif

It runs without errors. Any thoughts?

Steven Pauly
Pitney Bowes GMS

Re: A little help would be appreciated

> It looks like you are using the same key for the user certificates and the CA!

Oops. Sorry, I typed in the wrong key in the example.

> Instead of manually entering commands use the CA.pl script instead. That is intended to just do the right thing when given some simple options. Don't use the CA.pl in the release version of 0.9.8 though: pick a recent snapshot or use 0.9.7.

I've downloaded openssl-0.9.8-stable-SNAP-20060308.tar.gz and only found a 'CA.pl.in' file. There is no CA.pl file. But judging by its version number inside, it's not been updated since 1998!

Have I got the wrong file?

--
Stuart Halliday
ECS Technology ltd
Registered in Scotland - #212513

Re: EC_GFp_mont_method error with _EC_SECG_PRIME_160R1

I had been setting the x and y coordinates with BN_bin2bn, not with EC_POINT_set_affine_coordinates_GFp. Some of the point setup had not been performed. Everything is good now.

Steven Pauly
Pitney Bowes GMS

Nils Larsch [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/08/2006 12:52 PM
Please respond to openssl-users@openssl.org
To: openssl-users@openssl.org
cc:
Subject: Re: EC_GFp_mont_method error with _EC_SECG_PRIME_160R1

[EMAIL PROTECTED] wrote:
> I'm getting a EC_R_POINT_IS_NOT_ON_CURVE when using _EC_SECG_PRIME_160R1 for the following public key:
>
>     X:7B AE 41 B9 06 CF B6 FC D4 5B 8C 17 2F B8 30 59 E0 29 30 1C
>     Y:FB 5C 39 C6 76 15 AB E4 B3 86 86 BA 8D 56 7D 49 08 A3 E8 1E
>     Z:1
>
> If I modify the function
>
>     EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
>
> line 109 as follows:
>
>     #if 0
>         meth = EC_GFp_mont_method();
>     #else
>         meth = EC_GFp_simple_method();
>     #endif
>
> It runs without errors. Any thoughts?

strange, I just wrote a very simple test program with your point and it works ... What did you exactly do ? Does ectest etc. run without errors ?

Cheers,
Nils

X509 certificate! HELP!D!=!-!)

Hi,

I am trying to generate a certificate that I'll be using for an ipsec segment between an OBSD 3.8 and a Windows workstation. I'm using ISAKMPD for this on the OBSD side and the security filter on Windows. If I use a pre-shared key everything is fine but with the certificate I have almost gone mad. I'd like to know how to create an X.509 certificate with subjectAltName. If anybody has a How to, it will be welcome.

( If I understand well, I need one CA, one for the daemon and one per user that will connect.)

Thx
Doug2die4

BTW I'm using openssl v0.9.7g and Certpatch is not included anymore

Re: X509 certificate! HELP!D!=!-!)

On Wed, Mar 08, 2006 at 03:10:23PM -0500, Doug Frippon wrote:
> Hi, I am trying to generate a certificate that I'll be using for an ipsec segment between an OBSD 3.8 and a Windows workstation. I'm using ISAKMPD for this on the OBSD side and the security filter on Windows. If I use a pre-shared key everything is fine but with the certificate I have almost gone mad. I'd like to know how to create an X.509 certificate with subjectAltName.

Did you try: http://www.google.com/search?q=openssl+subjectaltname

You'll see lots of pages there explaining how to do it.

If you want a simplified solution, I suggest TinyCA: http://tinyca.sm-zone.net/

This is really just the openssl CA, but with a perl GUI (gtk) wrapper around it. You can easily configure it so that it prompts you for a subjectAltName at the time that each certificate is signed; this can contain either a domain name, an IP address, or an E-mail address.

If you want it *really* easy, then just burn a CD of roCA: http://www.intrusion-lab.net/roca/

This is a bootable Knoppix (Linux) CD with TinyCA pre-installed. Just add a USB flash pen and you have a standalone fully-functioning openssl CA with fluffy GUI, without installing anything. I find a second USB pen is useful for copying CSRs to the CA and copying the certificates back again.

HTH,
Brian.

Re: Fwd: Changing session key, IV HMAC key regularly

Thanks Jimmy

On 3/8/06, jimmy [EMAIL PROTECTED] wrote:
> Jagannadha Bhattu G wrote:
> > Hi,
> >
> > Can somebody help me with this?
> >
> > Thanks
> > JB
> >
> > -- Forwarded message --
> > From: Jagannadha Bhattu G [EMAIL PROTECTED]
> > Date: Mar 6, 2006 6:49 PM
> > Subject: Changing session key, IV HMAC key regularly
> > To: openssl-users@openssl.org
> >
> > Hi,
> >
> > Can some one let me know if the SSL protocol specification mandates changes to these values frequently in an ongoing connection? If not how to enable it using APIs?
> >
> > Thanks
> > JB
>
> This would be a renegotiation. You can do it via a SSL_renegotiate()/SSL_do_handshake() sequence.
>
> -jb

9.8a Debug version

Hi,

I am currently using the debug version of Open SSL 9.7e. I am encountering some problems in getting the debug version of 9.8a. I currently have the dlls for the 9.8a but I don't have the pdb files. I would need to use RSA-PSS using the new dll and perform some debug operations. Can anyone please post the *.pdb files for 9.8a debug version?

Thanks.
Venkata