RE: errno=5 in SSL_read( )

2006-04-20 Thread Gayathri Sundar



I think the issue is wrt clearing the error queue. Whenever you
attempt to get the error number, we need to call ERR_clear_error() to
clear it. Certain openssl APIs call it internally, and some do not;
now am not clear as to why or on what basis. So, before calling
SSL_read, ensure you call the above mentioned function. This worked
for me. I think it doesn't matter if the underlying fd is b/nb.
 
--Gayathri

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Haridharan Nattamai
  Sent: Thursday, April 20, 2006 10:05 AM
  To: openssl-users@openssl.org
  Subject: Re: errno=5 in SSL_read( )

  Gayathri,

  Thanks for your message.

  I could see from your snippet you have used BIO in non blocking
  mode. But my application must be in such a way that it must wait to read the
  data. Do you have any idea on trying this for blocking mode.

  thanks,
  Haridharan

  On 4/20/06, Gayathri Sundar <[EMAIL PROTECTED]> wrote:
  

I too faced similar problem when I pumped heavy data via smart bits..
this piece of code worked for me..btw the underlying bio in non blocking..

    do
    {
        ERR_clear_error();
        nbytesread = SSL_read(pSSLObject, pBuffer, BufSize);
        if (nbytesread > 0)
        {
            totalbytesread += nbytesread;
            pBuffer = pBuffer + nbytesread;
            BufSize -= nbytesread;
        }
        if (errno == EAGAIN || errno == EINTR || errno == ENOMEM)
        {
            return (SSL_ERROR_NONE);
        }
        else if (!nbytesread)
        {
            return (-1 * SSL_ERROR_ZERO_RETURN);
        }
        else
        {
            err = SSL_get_error(pSSLObject, nbytesread);
            break;
        }
    } while (SSL_pending(pSSLObject) && (BufSize > 0));


  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Haridharan Nattamai
  Sent: Wednesday, April 19, 2006 6:59 PM
  To: openssl-users@openssl.org
  Subject: errno=5 in SSL_read( )

  Hi,

  I'm using openssl v0.9.7i. When I try to receive a huge amount of data
  sometimes I get errno=5(SSL_ERROR_SYSCALL) and the exact response code is
  "EOF was observed that violates the protocol". At some cases when this error
  occurs, I get TCP ZeroWindowViolation in ethereal's trace log. I like to
  know what could be the reason and how can I override this.

  Thanks in advance.
  Haridharan



RE: Problems running application

2006-04-20 Thread Vanessa Campos
Sorry for the lack of information. I really didn't know how to
describe it.

But I could solve the problem. I found out (quite after I wrote my
first message) that the openssl version on my server was different
from my development environment. So I corrected it and it worked
fine.

Thanks for the reply.

--- David Schwartz <[EMAIL PROTECTED]> wrote:

> 
> > I wrote an application (C++) using openssl. On my test environment it
> > works fine, but when i try to run it on my server I get this message:
> > "OpenSSL_Uplink (0050A010,07): no OpenSSL_Applink".
> >
> > I thought it could be something related to installation of openssl,
> > but I have the same version on both sites.
> >
> > Does anyone know what can be happening?
> > Thanks,
> 
>   Googling this error turned up tons of information, including:
>
> Note that debug and release libraries are NOT interchangeable. If you built
> OpenSSL with /MD your application must use /MD and cannot use /MDd.
> As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL .DLLs
> compiled with some specific run-time option [we insist on the default /MD]
> can be deployed with application compiled with different option or even
> different compiler. But there is a catch! Instead of re-compiling OpenSSL
> toolkit, as you would have to with prior versions, you have to compile small
> C snippet with compiler and/or options of your choice. The snippet gets
> installed as /include/openssl/applink.c and should be either
> added to your application project or simply #include-d in one [and only one]
> of your application source files. Failure to link this shim module into your
> application manifests itself as fatal "no OPENSSL_Applink" run-time error.
> An explicit reminder is due that in this situation [mixing compiler options]
> it is as important to add CRYPTO_malloc_init prior first call to OpenSSL.
>
>   You don't mention any number of useful things. For example, what platform
> is this? And what exactly is giving you this error and in what way is it
> giving it to you?
>
>   Strange to ask us why an application *you* wrote would be giving you a
> particular error message without saying how or whether you got that
> information from OpenSSL. For example, if you said, "the OpenSSL function
> 'foo' returned the error 'bar'" that would be a good start for an error
> report. But to say, "my program gave me error 'qux'" doesn't really give any
> clue.
> 
>   DS
> 
> 
> __
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
> 


Vanessa Campos
[EMAIL PROTECTED]
ICQ 35381281

"Indeed, for man, as man, nothing has any value unless he can
carry it out with enthusiasm" Max Weber





Refreshing a self signed root certificate

2006-04-20 Thread John Francis








I have an openssl CA.

I have previously created a self signed Root certificate.

However this certificate has now expired.

How can I “refresh” the certificate (i.e. create a new one with a later
expiry date), but still use the old private key so that all the other
certificates issued with it can be re-issued in turn?

I have tried the following:

openssl req -x509 -key F:\MyCAs\MyRootCA\private\cakey.pem -keyform PEM -out cacert2.pem -outform PEM

But after prompting for my password, it just hangs.

The openssl installation I am using is from 2004.

 








Singing with certificate

2006-04-20 Thread Rory Vieira

Hi,

For our customers we make backups (like everyone else).
However, legal restrictions apply to the specific branch we work in. We
are required to encrypt the data.

In the past I was using simple DES3 encryption, but now I would like to
use the customer's secure certificate to encrypt the data with (like email).
The customer has a .p12 certificate that they install in Windows. I
first need to export the public key from that in a usable format. Then
I want to encrypt the data on the fly (as I did in the past).

My command to encrypt using DES was:
tar -cvzf -  2>/dev/null | openssl des3 -salt -k  | dd of= 2>/dev/null


Now I'm looking for the command to use their public key :)

Thanks in advance...

--
Rory Vieira
Deno Software B.V.

rory dot vieira at deno-software dot nl
http colon slash slash www deno-software dot nl

Kanaaldijk 5a
5683CR Best

T. +31 (0)499-374220
F. +31 (0)499-374294

-

This message and any attachments are intended solely for the intended
recipient. Inspection, use and distribution of its contents are reserved to
him or her. If you are not the intended recipient or his or her authorised
representative, inspection, use and distribution are therefore not permitted.
In the event of incorrect addressing, you are requested to contact the sender
of this message as soon as possible and to ensure that this message is
immediately removed from your systems. This message is not protected against
manipulation by third parties. We therefore cannot accept any liability for
the content you receive, nor can you derive any rights from it.

-

The information in this e-mail and any files transmitted is intended 
exclusively for the addressee. If you are not the intended recipient then would 
you please contact us immediately? In that case we also request you to destroy 
the e-mail and to neither use the contents nor disclose them in any matter to 
third parties. The information provided in this e-mail message is forwarded 
through the Internet. E-mail traffic through Internet does not guarantee 
confidentiality. Therefore the content should be verified. We deny any 
responsibility for damages as a result of the use of e-mail messages.

-



RE: Refreshing a self signed root certificate

2006-04-20 Thread John Francis








 

openssl req -new -x509 -key
F:\MyCAs\MyRootCA\private\cakey.pem -keyform PEM -out cacert2.pem -outform PEM

 

seems to work…

 








Re: Singing with certificate

2006-04-20 Thread Stephen P Palmer

What key are you singing in?






Rory Vieira <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/20/2006 09:34 AM
Please respond to: openssl-users@openssl.org
To: openssl-users@openssl.org
cc:
Subject: Singing with certificate

Hi,

For our customers we make backups (like everyone else).
However, legal restrictions apply to the specific branch we work in. We
are required to encrypt the data.

In the past I was using simple DES3 encryption, but now I would like to
use the customer's secure certificate to encrypt the data with (like email).
The customer has a .p12 certificate that they install in Windows. I
first need to export the public key from that in a usable format. Then
I want to encrypt the data on the fly (as I did in the past).

My command to encrypt using DES was:
tar -cvzf -  2>/dev/null | openssl des3 -salt -k  | dd of= 2>/dev/null

Now I'm looking for the command to use their public key :)

Thanks in advance...

-- 
Rory Vieira
Deno Software B.V.

rory dot vieira at deno-software dot nl
http colon slash slash www deno-software dot nl

Kanaaldijk 5a
5683CR Best

T. +31 (0)499-374220
F. +31 (0)499-374294




Re: Singing with certificate

2006-04-20 Thread Rory Vieira

Stephen,


> What key are you singing in?

I'm not sure what you mean...
The customer gets a .p12 certificate from the branch organisation
which they install in Windows.
I still need to extract the public key from that though. I'll probably
need windows to export it to DER format (eg cert.cer).
The exported public key should be used for encryption, so they can
decode with the private key...

I do apologize for the improper subject... It should've been
'Encrypting with certificate'...


Cheers,

--
Rory Vieira
Deno Software B.V.

rory dot vieira at deno-software dot nl
http colon slash slash www deno-software dot nl

Kanaaldijk 5a
5683CR Best

T. +31 (0)499-374220
F. +31 (0)499-374294



RE: Refreshing a self signed root certificate

2006-04-20 Thread John Francis








A word of warning, this was done to satisfy some test data.

In fact you shouldn’t be doing this at all…you should create a new
private key..

The only reason to preserve the old private key is if there is something
out there signed with it and if this is the root CA and its public cert has
expired you really shouldn’t allow anything out there to remain valid
anyway. By issuing a new cert with the old key you are actually allowing
old certificates possibly to validate…

 









From: John Francis [mailto:[EMAIL PROTECTED]]
Sent: 20 April 2006 15:30
To: 'openssl-users@openssl.org'
Subject: RE: Refreshing a self signed root certificate



 

 

openssl req -new -x509 -key
F:\MyCAs\MyRootCA\private\cakey.pem -keyform PEM -out cacert2.pem -outform PEM

 

seems to work…

 








Re: Singing with certificate

2006-04-20 Thread Bernhard Froehlich

Rory Vieira wrote:
> Hi,
>
> For our customers we make backups (like everyone else).
> However, legal restrictions apply to the specific branch we work in.
> We are required to encrypt the data.
>
> In the past I was using simple DES3 encryption, but now I would like
> to use the customer's secure certificate to encrypt the data with (like
> email).
> The customer has a .p12 certificate that they install in Windows. I
> first need to export the public key from that in a usable format.
> Then I want to encrypt the data on the fly (as I did in the past).
>
> My command to encrypt using DES was:
> tar -cvzf -  2>/dev/null | openssl des3 -salt -k  | dd of= 2>/dev/null
>
> Now I'm looking for the command to use their public key :)
>
> Thanks in advance...

As far as I know there is no tool in openssl you can just drop in to use
a public key to encrypt a stream. If someone knows better please tell.

There is the smime-tool which can encrypt files, but I don't think this
is what you want/need.
One way to work around this problem (other than writing your own tool)
might be a sequence of shell commands which may work like this:

   * Generate a key from /dev/random and store it in a file
   * Use this key to do openssl des3 ... like you did before
   * Encrypt the key using openssl smime with your client's certificate
   * Delete the unencrypted key (this might not be as trivial as it
     sounds if security requirements are high)

This way your customer could use the reverse procedure (decrypt key with
openssl smime and decrypt data with the key) to recover the data.


Hope it helps,
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
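
Added example (not part of the message above and not OpenSSL project code): the four-step workaround and its reverse procedure as two shell functions around the openssl command line. File names are hypothetical, `openssl rand` stands in for reading /dev/random, and `-aes256` for wrapping the key is a choice made here.

```sh
#!/bin/sh
# Added example: envelope encryption of a backup stream with the openssl CLI.
# All file names are hypothetical. To take the certificate (public part only)
# out of the customer's PKCS#12 file first:
#   openssl pkcs12 -in customer.p12 -clcerts -nokeys -out customer-cert.pem

CIPHER=${CIPHER:-des3}   # bulk cipher; des3 as in the thread, any `openssl enc` cipher name works

# encrypt_stream CERT OUT_DATA OUT_KEY   (plaintext on stdin)
encrypt_stream() {
    keyfile=$(mktemp) || return 1        # mktemp creates the file with mode 0600
    # 1. fresh random key for this backup, stored as one hex line
    openssl rand -hex 32 > "$keyfile" &&
    # 2. bulk-encrypt stdin with that key (the key is random, so the
    #    password-derivation warning newer versions print does not matter here)
    openssl enc -"$CIPHER" -salt -pass "file:$keyfile" -out "$2" &&
    # 3. encrypt the key to the holder of the certificate
    openssl smime -encrypt -aes256 -binary -in "$keyfile" \
        -outform PEM -out "$3" "$1"
    rc=$?
    # 4. remove the plaintext key; shred only helps on filesystems that
    #    overwrite in place, so point TMPDIR at a RAM-backed mount if that matters
    { command -v shred >/dev/null 2>&1 && shred -u "$keyfile" 2>/dev/null; } ||
        rm -f "$keyfile"
    return $rc
}

# decrypt_stream CERT PRIVKEY IN_DATA IN_KEY   (plaintext on stdout)
decrypt_stream() {
    keyfile=$(mktemp) || return 1
    # reverse procedure: unwrap the key with the private key, then decrypt the data
    openssl smime -decrypt -binary -inform PEM -in "$4" \
        -recip "$1" -inkey "$2" -out "$keyfile" &&
    openssl enc -d -"$CIPHER" -pass "file:$keyfile" -in "$3"
    rc=$?
    rm -f "$keyfile"
    return $rc
}

# Usage, following the pipeline from the original question:
#   tar -czf - /path/to/data | encrypt_stream customer-cert.pem backup.enc backup.key.p7m
#   decrypt_stream customer-cert.pem customer-key.pem backup.enc backup.key.p7m | tar -xzf -
```

Only the holder of the private key matching the certificate can recover the wrapped key, so the backup operator can encrypt without ever being able to decrypt.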





Re: Singing with certificate

2006-04-20 Thread Stewart Dean
C'mon guys, lighten up.  It's a joke, a pun... see in music, there are
keys... the key of F has one flat, the key of D has two sharps, etc.
Don't have your head so far down in the nuts and bolts... time for a
vacation... and leave your email and cellphone behind.


Rory Vieira wrote:
> Stephen,
>
> > What key are you singing in?
>
> I'm not sure what you mean...
> The customer gets a .p12 certificate from the branch organisation
> which they install in Windows.
> I still need to extract the public key from that though. I'll probably
> need windows to export it to DER format (eg cert.cer).
> The exported public key should be used for encryption, so they can
> decode with the private key...
>
> I do apologize for the improper subject... It should've been
> 'Encrypting with certificate'...
>
> Cheers,



--

Stewart Dean, Unix System Admin, Henderson Computer Resources 
Center of Bard College, Annandale-on-Hudson, New York  12504  
[EMAIL PROTECTED]  voice: 845-758-7475, fax: 845-758-7035




Re: Singing with certificate

2006-04-20 Thread brianmas
Quoting Stewart Dean <[EMAIL PROTECTED]>:

> C'mon guys, lighten up.  It's a joke, a pun... see in music, there are
> keys... the key of F has one flat, the key of D has two sharps, etc.
> Don't have your head so far down in the nuts and bolts... time for a
> vacation... and leave your email and cellphone behind.

The poster's native language is not English, it seems, but Dutch (.nl email
address).


>
> Rory Vieira wrote:
> > Stephen,
> >
> >> What key are you singing in?
> >>
> >>
> > I'm not sure what you mean...
> > The customer gets a .p12 certificate from the branch organisation
> > which they install in Windows.
> > I still need to extract the public key from that though. I'll probably
> > need windows to export it to DER format (eg cert.cer).
> > The exported public key should be used for encryption, so they can
> > decode with the private key...
> >
> > I do apologize for the improper subject... It should've been
> > 'Encrypting with certificate'...
> >
> > Cheers,
> >
>
> --
> 
> Stewart Dean, Unix System Admin, Henderson Computer Resources
> Center of Bard College, Annandale-on-Hudson, New York  12504
> [EMAIL PROTECTED]  voice: 845-758-7475, fax: 845-758-7035


Re: Problems building 0.9.8a on Intel Mac

2006-04-20 Thread Nils Larsch

Marko Asplund wrote:
> On 2006-04-14, at 12.26, Nils Larsch wrote:
>
> > try a recent snapshot from the stable branch and let openssl
> > build shared libraries (see first problem mentioned in the
> > PROBLEM file).
>
> i tried the workaround described in the PROBLEMS file with
> openssl-0.9.8-stable-SNAP-20060417. openssl binary seems to compile fine
> but i still get errors building the tests:
>
> ...
> making all in test...
> cc -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
> -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common   -c -o bntest.o
> bntest.c
> ( :; LIBDEPS="${LIBDEPS:--L.. -lssl -L.. -lcrypto  }";
> LDCMD="${LDCMD:-cc}"; LDFLAGS="${LDFLAGS:--DOPENSSL_THREADS -D_REENTRANT
> -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -fno-common}";
> LIBPATH=`for x in $LIBDEPS; do if echo $x | grep '^ *-L' > /dev/null
> 2>&1; then echo $x | sed -e 's/^ *-L//'; fi; done | uniq`; LIBPATH=`echo
> $LIBPATH | sed -e 's/ /:/g'`; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH
> ${LDCMD} ${LDFLAGS} -o ${APPNAME:=bntest} bntest.o ${LIBDEPS} )
>
> /usr/bin/ld: Undefined symbols:
> _BN_GF2m_add
> _BN_GF2m_arr2poly
> _BN_GF2m_mod
> _BN_GF2m_mod_div
> _BN_GF2m_mod_exp
> _BN_GF2m_mod_inv
> _BN_GF2m_mod_mul
> _BN_GF2m_mod_solve_quad
> _BN_GF2m_mod_sqr
> _BN_GF2m_mod_sqrt
> _BN_generate_prime_ex
> collect2: ld returned 1 exit status
> make[2]: *** [link_app.] Error 1
> make[1]: *** [bntest] Error 2
> make: *** [build_tests] Error 1
>
> here's the build procedure i'm using:
>
> cp apps/Makefile apps/Makefile.dist
> cp test/Makefile test/Makefile.dist
> sed -e 's/LIBCRYPTO=-L.. -lcrypto/LIBCRYPTO=..\/libcrypto.a/
> s/LIBSSL=-L.. -lssl/LIBSSL=..\/libssl.a/' apps/Makefile.dist >
> apps/Makefile
>
> sed -e 's/LIBCRYPTO=-L.. -lcrypto/LIBCRYPTO=..\/libcrypto.a/
> s/LIBSSL=-L.. -lssl/LIBSSL=..\/libssl.a/' test/Makefile.dist >
> test/Makefile
>
> ./config --prefix=/Users/aspa/tmp/098a

did you try "./config --prefix=... shared" ?

Cheers,
Nils


RE: Refreshing a self signed root certificate

2006-04-20 Thread David Schwartz

>The only reason to preserve the old private key is
>if there is something out there signed with it and
>if this is the root CA and its public cert has expired
>you really shouldn't allow anything out there to remain
>valid anyway. By issuing a new cert with the old key you
>are actually allowing old certificates possibly to validate.

Maybe I'm being dense, but I can't see the harm. If those old certificates
are still inside their validity period, what harm is there in having them
validate? They're *valid*, after all.

The only arguments I can see are all related to more time to compromise the
same private key, for example:

1) The original private key might have gotten out somehow or misplaced
somewhere. Revalidating the same key gives more time for the mislaid key to
get in evil hands.

2) The original private key might have been stored somewhere with poor
encryption, say with a simple English word or small number of digits
encrypting it. Having the same key be valid for longer allows more time for
an attack on the key's encoding.

3) There might be a slow leak somewhere gradually giving information about
the key, say by some kind of timing attack.

4) The PK algorithm itself can be broken given enough time to derive the
private key. Reusing a key gives more time for that.

There may be some reason I'm not thinking of, but that valid certificates
will validate doesn't seem to be a problem.

DS




Re: Refreshing a self signed root certificate

2006-04-20 Thread Victor Duchovni
On Thu, Apr 20, 2006 at 04:42:53PM +0100, John Francis wrote:

> A word of warning, this was done to satisfy some test data.
> 
>  
> 
> In fact you shouldn't be doing this at all...you should create a new private
> key..
> 
>  
> 
> The only reason to preserve the old private key is if there is something out
> there signed with it and if this is the root CA and its public cert has
> expired you really shouldn't allow anything out there to remain valid
> anyway. By issuing a new cert with the old key you are actually allowing old
> certificates possibly to validate.

Those would be old certificates, whose expiration time post-dates the
expiration time of the CA. Usually that is not a problem and sometimes
(a CA signing a 1 year certificate in the last year of the CA's validity)
it allows one to make up for harmless procedural errors.

Generally a CA's lifetime is a reasonable multiple of the maximum lifetime
of the certificates it signs, and a new CA cert is minted, distributed
to the world at large, and then used well before the old CA
becomes invalid.

-- 
Viktor.
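
Added example, not from the thread: shell functions that build a throwaway root, a leaf issued under it, a refreshed root on the same key and a re-keyed root, then check which roots the leaf chains to. Subjects, file names and lifetimes are constructed; the refresh line is the `req -new -x509 -key` command from the thread with `-subj` and `-days` added so it runs without prompts.

```sh
#!/bin/sh
# Added example: what "refreshing" a root on the old key does to certificates
# already issued under it. Subject, file names and lifetimes are constructed.
SUBJ="/CN=Constructed Test Root"

# chain_ok ROOT LEAF: true if LEAF verifies with ROOT given as the CA file
# (openssl verify prints "<file>: OK" on success)
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# key_id CERT: SHA-256 digest of the public key carried in CERT
key_id() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256
}

# build_demo DIR: create the four certificates under DIR
build_demo() {
    d=$1
    # original root and its private key
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$d/cakey.pem" \
        -out "$d/cacert.pem" -subj "$SUBJ" -days 30 2>/dev/null &&
    # a leaf issued under the original root
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
        -out "$d/leaf.csr" -subj "/CN=leaf.example" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -set_serial 2 -days 30 -out "$d/leaf.pem" 2>/dev/null &&
    # "refresh": same key, same subject, later expiry
    # (without -days, req issues a certificate valid for 30 days)
    openssl req -new -x509 -key "$d/cakey.pem" -keyform PEM \
        -out "$d/cacert2.pem" -outform PEM -subj "$SUBJ" -days 3650 &&
    # re-key: same subject, brand new private key
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$d/cakey3.pem" \
        -out "$d/cacert3.pem" -subj "$SUBJ" -days 3650 2>/dev/null
}

# Usage:
#   d=$(mktemp -d) && build_demo "$d"
#   chain_ok "$d/cacert2.pem" "$d/leaf.pem" && echo "leaf chains to refreshed root"
#   chain_ok "$d/cacert3.pem" "$d/leaf.pem" || echo "leaf does not chain to re-keyed root"
```

The leaf chains to both cacert.pem and cacert2.pem but not to cacert3.pem: path validation follows the issuer name and the signing key, so a refreshed root keeps every unexpired certificate issued under the old one valid, and only a new key cuts them off.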


Re: Singing with certificate

2006-04-20 Thread Wes Kussmaul



> > What key are you singing in?
>
> I'm not sure what you mean...


Some of us got it.

--
Wes Kussmaul
CIO
The Village Group
738 Main Street
Waltham, MA 02451

781-647-7178


My uncle likes to say that the world’s biggest troubles started when the serpent said, “Try this fruit, and by the way if a bunch of people collectively calling themselves Arthur Andersen signs something it’s the same as if a person named Arthur Andersen signed it.” I don’t get the serpent and fruit part. Must be some Swiss mythology thing. He can be a bit obscure. 


P.K. Iggy
_How I Like Fixed The Internet_
  (Tales from the Great Infodepression of 2009
  and the prosperity that followed)





question about ssl certs

2006-04-20 Thread Susan
Hi, all.  I'm hoping somebody can clarify the confusion for me.

Do certs need to be guarded or not?  Because what happens if you're doing
client-side authentication and a server asks you for your cert, caches it
and that server is later compromised?  What will prevent somebody from
stealing my cert and going around pretending to be me?

Thank you.



Re: question about ssl certs

2006-04-20 Thread Richard Salz
> What will prevent somebody from stealing my cert and 
> going around pretending to be me?

"Okay, if you're Susan, this this blob: xx"

Without your *private* key, they cannot do that.  Therefore, they cannot
pretend to be you.  If they did, it'd be like accepting a passport or
driver's license without seeing if it's your picture.


/r$

--
SOA Appliances
Application Integration Middleware






Re: question about ssl certs

2006-04-20 Thread Richard Salz
> > What will prevent somebody from stealing my cert and 
> > going around pretending to be me?
> 
> "Okay, if you're Susan, this this blob: xx"

Sign.  The challenge is "sign this blob"
 
> Without your *private* key, they cannot do that.  Therefore, they cannot
> pretend to be you.  If they did, it'd be like accepting a passport or
> driver's license without seeing if it's your picture.
> 
> 
> /r$
> 
> --
> SOA Appliances
> Application Integration Middleware



Phantom Domain Name Mismatch?

2006-04-20 Thread Fran Fabrizio


What would be some possible causes of the following error message that I 
am getting on our IMAP clients (Thunderbird 1.5 and Outlook 2003) when 
they retrieve the SSL certificate from the IMAP server:


"You have attempted to establish a connection to imap.cis.uab.edu.  
However, the security certificate presented belongs to imap.cis.uab.edu." 

The names match perfectly, yet it is still warning me.  Maybe I missed 
something when I created the signing request and then signed it.  Here's 
what I did:


On the IMAP server:
openssl genrsa -out imap.key
openssl req -new -nodes -key imap.key -out imap.csr

On our local CA:
 openssl ca -policy local_ca_policy -out imapcert.pem -infiles imap.csr

And put the resulting imapcert.pem back in the location where the IMAP 
server is expecting to find the public certificate. 


Any immediate possibilities come to mind?

--
Fran Fabrizio
Senior Systems Analyst
Department of Computer and Information Sciences
University of Alabama at Birmingham
http://www.cis.uab.edu/
205.934.0653



RE: question about ssl certs

2006-04-20 Thread David Schwartz

> Hi, all.  I'm hoping somebody can clarify the confusion for me.
>
> Do certs need to be guarded or not?

Almost never.

> Because what happens if
> you're doing client-side
> authentication and a server asks you for your cert, caches it and
> that server is later
> compromised?

Nothing.

> What will prevent somebody from stealing my cert
> and going around pretending to be
> me?

Conceptually, the cert proves that you are you, not that whoever presents
it is you. Procedurally, the cert associates a particular private key with a
particular identity. Since they don't have your private key, proving that
the holder of the private key is you (which is what the certificate does)
doesn't help them.

DS
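
The "sign this blob" challenge from the replies above, as an added example (not from the thread and not OpenSSL project code): the verifier issues a fresh random challenge, the claimant signs it with the private key, and the verifier checks the signature against the public key in the presented certificate. Function and file names are hypothetical; TLS client authentication performs the equivalent step inside the handshake.

```sh
#!/bin/sh
# Added example: proof of possession of the private key behind a certificate.
# Function and file names are hypothetical.

# Verifier: create a fresh random challenge
make_challenge() {              # CHALLENGE_OUT
    openssl rand -hex 32 > "$1"
}

# Claimant: sign the challenge with the private key
answer_challenge() {            # PRIVKEY CHALLENGE SIG_OUT
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verifier: check the signature against the public key in the presented cert
check_answer() {                # CERT CHALLENGE SIG
    pub=$(mktemp) || return 1
    openssl x509 -in "$1" -noout -pubkey > "$pub" &&
    openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1
    rc=$?
    rm -f "$pub"
    return $rc
}

# authenticate CERT PRIVKEY: run one complete exchange, both roles in one process
authenticate() {
    work=$(mktemp -d) || return 1
    make_challenge "$work/nonce" &&
    answer_challenge "$2" "$work/nonce" "$work/sig" 2>/dev/null &&
    check_answer "$1" "$work/nonce" "$work/sig"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Usage:
#   authenticate susan-cert.pem susan-key.pem   && echo accepted
#   authenticate susan-cert.pem someone-else.pem || echo rejected
```

A party holding only a copy of the certificate has no key that produces a valid signature, and because each challenge is new, a signature captured from an earlier exchange does not verify either.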




multiple IP addresses

2006-04-20 Thread Joseph Bruni
Hello,

Is BIO_do_connect() smart enough to try to connect to all IP addresses if a 
name resolves to more than one?

For example, the name "www.microsoft.com" resolves to eight different IP
addresses. Will they all be tried by BIO_do_connect? Is there a way to do this?
Do I need to keep calling BIO_do_connect to keep trying?

-Joe



Re: multiple IP addresses

2006-04-20 Thread Christopher Fowler
On Thu, 2006-04-20 at 14:53 -0700, Joseph Bruni wrote:
> Is BIO_do_connect() smart enough to try to connect to all IP addresses
> if a name resolves to more than one?

Isn't that a round robin DNS setup?  Maybe not

