Re: Need some help debugging SSL error thrown from STunnel using OpenSSL-FIPS
On Wed, Jun 07, 2006, David Gillingham wrote: Hello all, I've been tasked to internally investigate a system that utilizes STunnel and OpenSSL to create a secure wrapper for a propietary protocol. Additionally, this solution must eventually be FIPS 140-2 compliant. 608008D: error:0608008D:digital envelope routines:EVP_DigestInit:disabled for fips That's the problem. I'd guess that this is due to a certificate using an algorithm that isn't allowed in FIPS mode: probably MD5. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
1095 bit key ??
hi all i generated a self signed certificate and i found this : Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1095 bit) Modulus (1095 bit): 4b:e9:e4:a6:3a:30:bc:0b:99:56:c6:b5:19:da:73: 79:f4:7f:35:15:d6:3f:4c:8d:e2:08:ab:43:c0:84: 0c:a2:69:98:5a:28:3a:fe:81:ac:ec:14:cb:97:8b: 48:b7:e6:b2:a9:fb:84:cf:88:77:2a:3b:6d:bf:e7: ed:7a:c7:92:34:75:9d:c8:6c:90:6e:8a:40:4d:66: 13:95:bb:6d:4c:d6:29:9c:46:6c:b1:f6:2d:39:09: 95:d8:cf:02:87:60:9c:af:79:d8:8e:9c:69:6f:26: af:8b:e1:26:d4:07:3f:7b:59:b1:52:0f:ce:3d:b4: ae:bd:0e:57:5b:39:72:17:ee:6b:64:25:8d:31:b0: b0:a1 Exponent: 65537 (0x10001) what is 1095 bit key means?? although i opted for 2048 bit __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: 1095 bit key ??
On Thu, Jun 08, 2006 at 06:32:54PM +0200, Marek Marcola wrote: Hello, i generated a self signed certificate and i found this : Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1095 bit) Modulus (1095 bit): 4b:e9:e4:a6:3a:30:bc:0b:99:56:c6:b5:19:da:73: 79:f4:7f:35:15:d6:3f:4c:8d:e2:08:ab:43:c0:84: 0c:a2:69:98:5a:28:3a:fe:81:ac:ec:14:cb:97:8b: 48:b7:e6:b2:a9:fb:84:cf:88:77:2a:3b:6d:bf:e7: ed:7a:c7:92:34:75:9d:c8:6c:90:6e:8a:40:4d:66: 13:95:bb:6d:4c:d6:29:9c:46:6c:b1:f6:2d:39:09: 95:d8:cf:02:87:60:9c:af:79:d8:8e:9c:69:6f:26: af:8b:e1:26:d4:07:3f:7b:59:b1:52:0f:ce:3d:b4: ae:bd:0e:57:5b:39:72:17:ee:6b:64:25:8d:31:b0: b0:a1 Exponent: 65537 (0x10001) what is 1095 bit key means?? Interesting, can you send private key for this certificate, provided that you will be not use this key of course :-) Also any non-anecdotal evidence that a 2048 bit key was actually requested? Not sure how the private key will help, the *modulus* is 1095 bits, and it is the same for the private and public keys. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: 1095 bit key ??
hi now on regeneration and changing the key is working fine. so may be i misspelt and incidently added 1095 (if thats the case .. then i m sorry for being silly) in else case heres my private key : -BEGIN RSA PRIVATE KEY- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,A7C341355547B565 lOJoiNoFcvBmlxQbXiR+KQxw66ct9mxQ1KVIzB2HD/oGOxGgso5Cd5W7+2gA5hJ/ Y/SBke/xdEjzn9dsMi8cQM11Gj/CoczBYL30ec4x+YNBm8TiKe3mzX1utdzuOEIS dTk3zzMwQ47/JLW7qGC0HjghuZRJ3EiGRWGhYmqViCLjKSdhR6feGmjsHk7AwIGD XrzWKNyBmBxVqa3S92f59KCI7jx3kKggmko/V1leXsqBIgLQYQAiFo33f26M2hJI 9adSuoiuUJK5S575GhPqBQEJpb7JgQ5RrbyvPhPrR3bcK+R9FGlA3RW1LrFYE1P8 ogZLFUI+0GPuKymhKC7Lci7vif0VmtHUTHJ5Tzd6yBw39vWhxuL+ocJuQvToCnKc 2BjDSYQmc5qBAJVo8eo0FK6MLvNK8Bq1o0ai/eWkT9n/nlo8guCKj/FehSs1GJYA wtqVvHmgsbcTVJQB0YYw2Xu9ikHLtttULOz63/yoGVDxCON+3lzcBr9MWV23e16R Ma+o4Zq8JADgl7c0xrc9bzcfHnxpRr6pD0nAyEndF2MKuHeMJBofZWZL639gs4X/ Zz0KMPJpnJNePkaVzLIIe3q+SLLFJgqyEL4PELIPsEVFDtzBbm9mibj5u0JYRNU1 USu4bftCphd6VJ27PekQ23JFJpp0E8yo2ifnsnX+sMXDXy/JribOBu6g+bd8MBJ/ ZpUIAwSCoUAqg2s/gmLXxXVJN3j5aokF8Ywb76y4dmhaPGS8GTq4TcmW2VULBK8g W9G+ZrZl9cJh/ifXLu6dPZAsQTUqe4Gt3sRXw199BoDnpizNk3JqYVMbDVewm5yw jaF6Fa3KjmaCZWhYm43ThIjHK33hCGzP -END RSA PRIVATE KEY- On 6/8/06, Victor Duchovni [EMAIL PROTECTED] wrote: On Thu, Jun 08, 2006 at 06:32:54PM +0200, Marek Marcola wrote: Hello, i generated a self signed certificate and i found this : Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1095 bit) Modulus (1095 bit): 4b:e9:e4:a6:3a:30:bc:0b:99:56:c6:b5:19:da:73: 79:f4:7f:35:15:d6:3f:4c:8d:e2:08:ab:43:c0:84: 0c:a2:69:98:5a:28:3a:fe:81:ac:ec:14:cb:97:8b: 48:b7:e6:b2:a9:fb:84:cf:88:77:2a:3b:6d:bf:e7: ed:7a:c7:92:34:75:9d:c8:6c:90:6e:8a:40:4d:66: 13:95:bb:6d:4c:d6:29:9c:46:6c:b1:f6:2d:39:09: 95:d8:cf:02:87:60:9c:af:79:d8:8e:9c:69:6f:26: af:8b:e1:26:d4:07:3f:7b:59:b1:52:0f:ce:3d:b4: ae:bd:0e:57:5b:39:72:17:ee:6b:64:25:8d:31:b0: b0:a1 Exponent: 65537 (0x10001) what is 1095 bit key means?? Interesting, can you send private key for this certificate, provided that you will be not use this key of course :-) Also any non-anecdotal evidence that a 2048 bit key was actually requested? Not sure how the private key will help, the *modulus* is 1095 bits, and it is the same for the private and public keys. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: 1095 bit key ??
Hello, what is 1095 bit key means?? Interesting, can you send private key for this certificate, provided that you will be not use this key of course :-) Also any non-anecdotal evidence that a 2048 bit key was actually requested? Not sure how the private key will help, the *modulus* is 1095 bits, and it is the same for the private and public keys. Private key has also p and q prime numbers. With this information we may check if they are really prime (maybe due to some software bug they are not), we can calculate modulus by hand to check for example that prime numbers are ok calculated modulus is ok but there is a bug in procedure which (for example) reads private key from file or from buffer. Some checking may be done. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: 1095 bit key ??
Hello, in else case heres my private key : -BEGIN RSA PRIVATE KEY- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,A7C341355547B565 lOJoiNoFcvBmlxQbXiR+KQxw66ct9mxQ1KVIzB2HD/oGOxGgso5Cd5W7+2gA5hJ/ Y/SBke/xdEjzn9dsMi8cQM11Gj/CoczBYL30ec4x+YNBm8TiKe3mzX1utdzuOEIS dTk3zzMwQ47/JLW7qGC0HjghuZRJ3EiGRWGhYmqViCLjKSdhR6feGmjsHk7AwIGD XrzWKNyBmBxVqa3S92f59KCI7jx3kKggmko/V1leXsqBIgLQYQAiFo33f26M2hJI 9adSuoiuUJK5S575GhPqBQEJpb7JgQ5RrbyvPhPrR3bcK+R9FGlA3RW1LrFYE1P8 ogZLFUI+0GPuKymhKC7Lci7vif0VmtHUTHJ5Tzd6yBw39vWhxuL+ocJuQvToCnKc 2BjDSYQmc5qBAJVo8eo0FK6MLvNK8Bq1o0ai/eWkT9n/nlo8guCKj/FehSs1GJYA wtqVvHmgsbcTVJQB0YYw2Xu9ikHLtttULOz63/yoGVDxCON+3lzcBr9MWV23e16R Ma+o4Zq8JADgl7c0xrc9bzcfHnxpRr6pD0nAyEndF2MKuHeMJBofZWZL639gs4X/ Zz0KMPJpnJNePkaVzLIIe3q+SLLFJgqyEL4PELIPsEVFDtzBbm9mibj5u0JYRNU1 USu4bftCphd6VJ27PekQ23JFJpp0E8yo2ifnsnX+sMXDXy/JribOBu6g+bd8MBJ/ ZpUIAwSCoUAqg2s/gmLXxXVJN3j5aokF8Ywb76y4dmhaPGS8GTq4TcmW2VULBK8g W9G+ZrZl9cJh/ifXLu6dPZAsQTUqe4Gt3sRXw199BoDnpizNk3JqYVMbDVewm5yw jaF6Fa3KjmaCZWhYm43ThIjHK33hCGzP -END RSA PRIVATE KEY- In decrypted form please :-) Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: 1095 bit key ??
On Thu, Jun 08, 2006 at 06:56:33PM +0200, Saurabh Arora wrote: in else case heres my private key : -BEGIN RSA PRIVATE KEY- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,A7C341355547B565 lOJoiNoFcvBmlxQbXiR+KQxw66ct9mxQ1KVIzB2HD/oGOxGgso5Cd5W7+2gA5hJ/ Y/SBke/xdEjzn9dsMi8cQM11Gj/CoczBYL30ec4x+YNBm8TiKe3mzX1utdzuOEIS dTk3zzMwQ47/JLW7qGC0HjghuZRJ3EiGRWGhYmqViCLjKSdhR6feGmjsHk7AwIGD XrzWKNyBmBxVqa3S92f59KCI7jx3kKggmko/V1leXsqBIgLQYQAiFo33f26M2hJI 9adSuoiuUJK5S575GhPqBQEJpb7JgQ5RrbyvPhPrR3bcK+R9FGlA3RW1LrFYE1P8 ogZLFUI+0GPuKymhKC7Lci7vif0VmtHUTHJ5Tzd6yBw39vWhxuL+ocJuQvToCnKc 2BjDSYQmc5qBAJVo8eo0FK6MLvNK8Bq1o0ai/eWkT9n/nlo8guCKj/FehSs1GJYA wtqVvHmgsbcTVJQB0YYw2Xu9ikHLtttULOz63/yoGVDxCON+3lzcBr9MWV23e16R Ma+o4Zq8JADgl7c0xrc9bzcfHnxpRr6pD0nAyEndF2MKuHeMJBofZWZL639gs4X/ Zz0KMPJpnJNePkaVzLIIe3q+SLLFJgqyEL4PELIPsEVFDtzBbm9mibj5u0JYRNU1 USu4bftCphd6VJ27PekQ23JFJpp0E8yo2ifnsnX+sMXDXy/JribOBu6g+bd8MBJ/ ZpUIAwSCoUAqg2s/gmLXxXVJN3j5aokF8Ywb76y4dmhaPGS8GTq4TcmW2VULBK8g W9G+ZrZl9cJh/ifXLu6dPZAsQTUqe4Gt3sRXw199BoDnpizNk3JqYVMbDVewm5yw jaF6Fa3KjmaCZWhYm43ThIjHK33hCGzP -END RSA PRIVATE KEY- To be useful, this would have to be un-encrypted. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: 1095 bit key ??
On Thu, Jun 08, 2006 at 07:05:36PM +0200, Marek Marcola wrote: Also any non-anecdotal evidence that a 2048 bit key was actually requested? Not sure how the private key will help, the *modulus* is 1095 bits, and it is the same for the private and public keys. Private key has also p and q prime numbers. With this information we may check if they are really prime (maybe due to some software bug they are not), we can calculate modulus by hand to check for example that prime numbers are ok calculated modulus is ok but there is a bug in procedure which (for example) reads private key from file or from buffer. The modulus should be the product of the two numbers, prime or not, so if the two numbers are large enough, so is the modulus. Either: - The two primes are too small. (Not really a primality problem per-se). OR - The product is calculated incorrectly. OR - The user did not ask for a 2048 bit key. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: 1095 bit key ??
here it is :: -- Private-Key: (1095 bit) modulus: 4b:e9:e4:a6:3a:30:bc:0b:99:56:c6:b5:19:da:73: 79:f4:7f:35:15:d6:3f:4c:8d:e2:08:ab:43:c0:84: 0c:a2:69:98:5a:28:3a:fe:81:ac:ec:14:cb:97:8b: 48:b7:e6:b2:a9:fb:84:cf:88:77:2a:3b:6d:bf:e7: ed:7a:c7:92:34:75:9d:c8:6c:90:6e:8a:40:4d:66: 13:95:bb:6d:4c:d6:29:9c:46:6c:b1:f6:2d:39:09: 95:d8:cf:02:87:60:9c:af:79:d8:8e:9c:69:6f:26: af:8b:e1:26:d4:07:3f:7b:59:b1:52:0f:ce:3d:b4: ae:bd:0e:57:5b:39:72:17:ee:6b:64:25:8d:31:b0: b0:a1 publicExponent: 65537 (0x10001) privateExponent: 27:e6:f9:58:a6:9d:97:3a:41:8f:6b:43:26:23:bd: 2f:0d:65:0f:f2:3a:7b:6b:31:e8:ed:c5:98:07:49: 61:9a:bd:06:67:dd:5d:a5:09:64:6b:73:42:d0:95: 55:d3:d4:5f:75:19:cf:e5:86:45:9c:dd:40:02:ef: 55:d4:83:b2:46:00:cc:be:d3:26:c9:b9:8b:6d:76: 5a:3f:35:65:63:da:53:42:d0:f7:10:8f:6f:14:4a: 69:1a:4c:eb:52:7d:41:6d:64:87:42:01:c0:39:9f: f2:df:a2:fa:bb:24:44:b8:51:ac:06:52:a2:e6:35: a1:24:62:cd:24:13:c8:7b:db:73:a2:39:60:c1:77: d0:01 prime1: 0c:23:ed:fc:fb:89:3e:f4:2c:0e:d7:4e:6e:b7:eb: 19:0c:e4:0b:35:03:d8:c1:2f:c2:6a:37:8f:16:72: 55:96:e3:a5:94:1d:69:b7:22:0d:67:3e:8f:30:fb: fd:45:a9:4c:ad:cf:78:2b:23:1c:a8:4c:f6:ff:7e: c4:cc:86:ee:72:41:1b:10:b1 prime2: 06:40:c4:cc:d8:09:39:05:17:fd:68:07:34:80:19: c7:fe:a6:09:69:60:66:b6:a9:5c:74:e2:01:a6:bd: 46:95:cd:9d:fe:d9:e1:bc:d8:7b:ae:b6:a6:8c:8f: 9a:74:c1:62:a0:8b:11:0f:3d:2b:75:b1:63:87:4a: 4c:d1:e4:22:46:60:c4:1a:f1 exponent1: 02:72:a4:23:a4:1b:f2:23:8d:56:98:b6:e9:c0:0f: 99:07:6e:5b:8c:1e:f0:6f:53:4f:e1:d6:bd:f5:0a: ac:93:35:e7:46:cb:ff:6a:bb:64:f4:72:3a:b0:e7: be:13:73:a5:50:4e:4a:ae:77:ef:e9:47:4b:6e:0c: 83:65:b1:b7:16:36:66:5c:a1 exponent2: 00:c7:55:fa:70:38:8d:ca:2d:97:97:b9:b5:f6:f1: be:ee:dd:fc:34:0c:16:1e:4e:ee:bd:7b:5b:5b:49: 1c:9e:10:f1:c8:c7:97:0d:ae:23:90:b9:1b:fa:4a: f3:9f:f0:68:f8:b6:f8:93:de:39:28:39:c3:bc:18: 2b:82:c3:96:e5:0e:ad:bc:f1 coefficient: 04:21:5e:47:55:12:e8:b0:21:4c:98:f6:f2:ad:03: 9f:88:73:4e:ec:28:35:dd:cc:b1:4c:9f:e5:da:a8: a0:b5:89:fc:d9:da:50:83:9d:cf:f4:e5:ad:d2:b0: 60:22:b8:78:31:53:07:68:92:a3:2f:e9:78:53:01: 26:34:b8:3e:e1:8a:26:d2:da -BEGIN RSA PRIVATE KEY- MIICgwIBAAKBiUvp5KY6MLwLmVbGtRnac3n0fzUV1j9MjeIIq0PAhAyiaZhaKDr+ gazsFMuXi0i35rKp+4TPiHcqO22/5+16x5I0dZ3IbJBuikBNZhOVu21M1imcRmyx 9i05CZXYzwKHYJyvediOnGlvJq+L4SbUBz97WbFSD849tK69DldbOXIX7mtkJY0x sLChAgMBAAECgYkn5vlYpp2XOkGPa0MmI70vDWUP8jp7azHo7cWYB0lhmr0GZ91d pQlka3NC0JVV09RfdRnP5YZFnN1AAu9V1IOyRgDMvtMmybmLbXZaPzVlY9pTQtD3 EI9vFEppGkzrUn1BbWSHQgHAOZ/y36L6uyREuFGsBlKi5jWhJGLNJBPIe9tzojlg wXfQAQJFDCPt/PuJPvQsDtdObrfrGQzkCzUD2MEvwmo3jxZyVZbjpZQdabciDWc+ jzD7/UWpTK3PeCsjHKhM9v9+xMyG7nJBGxCxAkUGQMTM2Ak5BRf9aAc0gBnH/qYJ aWBmtqlcdOIBpr1Glc2d/tnhvNh7rramjI+adMFioIsRDz0rdbFjh0pM0eQiRmDE GvECRQJypCOkG/IjjVaYtunAD5kHbluMHvBvU0/h1r31CqyTNedGy/9qu2T0cjqw 574Tc6VQTkqud+/pR0tuDINlsbcWNmZcoQJFAMdV+nA4jcotl5e5tfbxvu7d/DQM Fh5O7r17W1tJHJ4Q8cjHlw2uI5C5G/pK85/waPi2+JPeOSg5w7wYK4LDluUOrbzx AkUEIV5HVRLosCFMmPbyrQOfiHNO7Cg13cyxTJ/l2qigtYn82dpQg53P9OWt0rBg Irh4MVMHaJKjL+l4UwEmNLg+4Yom0to= -END RSA PRIVATE KEY- On 6/8/06, Victor Duchovni [EMAIL PROTECTED] wrote: On Thu, Jun 08, 2006 at 06:56:33PM +0200, Saurabh Arora wrote: in else case heres my private key : -BEGIN RSA PRIVATE KEY- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,A7C341355547B565 lOJoiNoFcvBmlxQbXiR+KQxw66ct9mxQ1KVIzB2HD/oGOxGgso5Cd5W7+2gA5hJ/ Y/SBke/xdEjzn9dsMi8cQM11Gj/CoczBYL30ec4x+YNBm8TiKe3mzX1utdzuOEIS dTk3zzMwQ47/JLW7qGC0HjghuZRJ3EiGRWGhYmqViCLjKSdhR6feGmjsHk7AwIGD XrzWKNyBmBxVqa3S92f59KCI7jx3kKggmko/V1leXsqBIgLQYQAiFo33f26M2hJI 9adSuoiuUJK5S575GhPqBQEJpb7JgQ5RrbyvPhPrR3bcK+R9FGlA3RW1LrFYE1P8 ogZLFUI+0GPuKymhKC7Lci7vif0VmtHUTHJ5Tzd6yBw39vWhxuL+ocJuQvToCnKc 2BjDSYQmc5qBAJVo8eo0FK6MLvNK8Bq1o0ai/eWkT9n/nlo8guCKj/FehSs1GJYA wtqVvHmgsbcTVJQB0YYw2Xu9ikHLtttULOz63/yoGVDxCON+3lzcBr9MWV23e16R Ma+o4Zq8JADgl7c0xrc9bzcfHnxpRr6pD0nAyEndF2MKuHeMJBofZWZL639gs4X/ Zz0KMPJpnJNePkaVzLIIe3q+SLLFJgqyEL4PELIPsEVFDtzBbm9mibj5u0JYRNU1 USu4bftCphd6VJ27PekQ23JFJpp0E8yo2ifnsnX+sMXDXy/JribOBu6g+bd8MBJ/ ZpUIAwSCoUAqg2s/gmLXxXVJN3j5aokF8Ywb76y4dmhaPGS8GTq4TcmW2VULBK8g W9G+ZrZl9cJh/ifXLu6dPZAsQTUqe4Gt3sRXw199BoDnpizNk3JqYVMbDVewm5yw jaF6Fa3KjmaCZWhYm43ThIjHK33hCGzP -END RSA PRIVATE KEY- To be useful, this would have to be un-encrypted. -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: 1095 bit key ??
Hello, After some calculations: Private-Key: (1095 bit) modulus: 4b:e9:e4:a6:3a:30:bc:0b:99:56:c6:b5:19:da:73: 79:f4:7f:35:15:d6:3f:4c:8d:e2:08:ab:43:c0:84: 0c:a2:69:98:5a:28:3a:fe:81:ac:ec:14:cb:97:8b: 48:b7:e6:b2:a9:fb:84:cf:88:77:2a:3b:6d:bf:e7: ed:7a:c7:92:34:75:9d:c8:6c:90:6e:8a:40:4d:66: 13:95:bb:6d:4c:d6:29:9c:46:6c:b1:f6:2d:39:09: 95:d8:cf:02:87:60:9c:af:79:d8:8e:9c:69:6f:26: af:8b:e1:26:d4:07:3f:7b:59:b1:52:0f:ce:3d:b4: ae:bd:0e:57:5b:39:72:17:ee:6b:64:25:8d:31:b0: b0:a1 Correct ( = prime1*prime2). prime1: 0c:23:ed:fc:fb:89:3e:f4:2c:0e:d7:4e:6e:b7:eb: 19:0c:e4:0b:35:03:d8:c1:2f:c2:6a:37:8f:16:72: 55:96:e3:a5:94:1d:69:b7:22:0d:67:3e:8f:30:fb: fd:45:a9:4c:ad:cf:78:2b:23:1c:a8:4c:f6:ff:7e: c4:cc:86:ee:72:41:1b:10:b1 Prime. prime2: 06:40:c4:cc:d8:09:39:05:17:fd:68:07:34:80:19: c7:fe:a6:09:69:60:66:b6:a9:5c:74:e2:01:a6:bd: 46:95:cd:9d:fe:d9:e1:bc:d8:7b:ae:b6:a6:8c:8f: 9a:74:c1:62:a0:8b:11:0f:3d:2b:75:b1:63:87:4a: 4c:d1:e4:22:46:60:c4:1a:f1 Prime. RSA key looks good (and this is most important), so this may be some command line bad parameter. Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Need some help debugging SSL error thrown from STunnel using OpenSSL-FIPS
I was able to convert the key as you instructed, and I overwrote the old RSA private key from my server.pem file with the new PKCS8 one. I am now a getting a different error message. From these new messages, I'm guessing OpenSSL is expecting a file in PKCS12 format, but that my file does not match this format. Is my understanding correct? Error log follows. BEGIN STUNNEL LOG 2006.06.08 17:49:38 LOG7[1120:616]: Certificate: server.pem 2006.06.08 17:49:38 LOG7[1120:616]: Key file: server.pem 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 906700D : error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 2306A075 : error:2306A075:PKCS12 routines:PKCS12_DECRYPT_D2I:pkcs12 pbe crypt error 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 23077073 : error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error 2006.06.08 17:49:42 LOG3[1120:616]: SSL_CTX_use_RSAPrivateKey_file: 6074079: error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm 2006.06.08 17:49:42 LOG3[1120:616]: Server is down END STUNNEL LOG __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Need some help debugging SSL error thrown from STunnel using OpenSSL-FIPS
On Thu, Jun 08, 2006, David Gillingham wrote: I was able to convert the key as you instructed, and I overwrote the old RSA private key from my server.pem file with the new PKCS8 one. I am now a getting a different error message. From these new messages, I'm guessing OpenSSL is expecting a file in PKCS12 format, but that my file does not match this format. Is my understanding correct? Error log follows. BEGIN STUNNEL LOG 2006.06.08 17:49:38 LOG7[1120:616]: Certificate: server.pem 2006.06.08 17:49:38 LOG7[1120:616]: Key file: server.pem 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 906700D : error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 2306A075 : error:2306A075:PKCS12 routines:PKCS12_DECRYPT_D2I:pkcs12 pbe crypt error 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 23077073 : error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error 2006.06.08 17:49:42 LOG3[1120:616]: SSL_CTX_use_RSAPrivateKey_file: 6074079: error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm 2006.06.08 17:49:42 LOG3[1120:616]: Server is down END STUNNEL LOG That error means that the PBE table has not been initialized in the application. A call to OpenSSL_add_all_algorithms() would have automatically done that so I'd guess that the table is being initialized in a customized way, possible to reduce the number of algorithms added. A call to PKCS5_PBE_add() is needed in any case in the application. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
subjectAltName extension of type dNSName
Hello,My secure client application performs post-connection fully-qualified-domain-name authentication. According to RFC 2818, "If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used." My code to retrieve the common name from the subject field is:X509 *cert = [code not shown] char pName[ 256 ]; X509_NAME *subj; subj = X509_get_subject_name( cert ); X509_NAME_get_text_by_NID( subj, NID_commonName, pName, 256); My question: how do I retrieve the subjectAltName extension of type dNSName?Thanks,-David __Do You Yahoo!?Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Re: subjectAltName extension of type dNSName
On Thu, Jun 08, 2006 at 11:40:04AM -0700, david kine wrote: My code to retrieve the common name from the subject field is: X509 *cert = [code not shown] char pName[ 256 ]; X509_NAME *subj; subj = X509_get_subject_name( cert ); X509_NAME_get_text_by_NID( subj, NID_commonName, pName, 256); The encoding of the resulting buffer is not necessarily correct, you are getting the raw ASN.1 string contents, not its UTF8 representation. While the CN is not typically encoded for hostnames, this code is not robust. More robust logic can be found in the Postfix 2.3 snapshot release, currently: 2.3-20060604 http://www.postfix.org/download.html The function tls_text_name() in src/tls/tls_verify.c handles CommonName extraction. This extracts the first commonName. Some suggest it should be the last, others say you should match *any* CommonName in the DN. This is a mess, the DNS name extension is a lot cleaner. Code to insist that there is only CN is present #ifdef 0. Code to look at DNSNames is in verify_extract_peer(), in src/tls/tls_client.c -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Need some help debugging SSL error thrown from STunnel using OpenSSL-FIPS
Dr. Henson-- Adding in a call to OpenSSL_add_all_algorithms() fixed the error. Thanks for the assistance. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: subjectAltName extension of type dNSName
Hello Victor,Thank you very much, the code you provide is extremely useful!One more question: how do I, using the CA.pl script, generate a certificate with a subjectAltName extension of type dNSName? The ones I have already generated do not have this field set.I suppose there is an openssl.cnf file setting for this purpose? I notice the line "#subjectAltName=email:copy" in the system's openssl.cnf file.Thanks,-DavidVictor Duchovni [EMAIL PROTECTED] wrote: On Thu, Jun 08, 2006 at 11:40:04AM -0700, david kine wrote: My code to retrieve the common name from the subject field is: X509 *cert = [code not shown] char pName[ 256 ]; X509_NAME *subj; subj = X509_get_subject_name( cert ); X509_NAME_get_text_by_NID( subj, NID_commonName, pName, 256);The encoding of the resulting buffer is not necessarily correct, you aregetting the raw ASN.1 string contents, not its UTF8 representation. Whilethe CN is not typically encoded for hostnames, this code is not robust.More robust logic can be found in the Postfix 2.3 snapshot release,currently: 2.3-20060604http://www.postfix.org/download.htmlThe function tls_text_name() in src/tls/tls_verify.c handles CommonNameextraction. This extracts the first commonName. Some suggest it shouldbe the last, others say you should match *any* CommonName in the DN. Thisis a mess, the DNS name extension is a lot cleaner. Code to insist thatthere is only CN is present "#ifdef 0".Code to look at DNSNames is in verify_extract_peer(), in src/tls/tls_client.c-- Viktor.__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] __Do You Yahoo!?Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
CAs and SubjectAltNames
Didn't see a response to this the first time around, thought I'd give it another shot. I'm trying to create a CA that has the email address _only_ in SubjectAltNames (to follow PKIX valid certificate recommendations). This seems to be a bit tricky. Currently, I can get a req that looks right, but when I self-sign, it gets messed up. My config looks like: ... [ req ] req_extensions = v3_req ... [ v3_req ] subjectAltName = email:move [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always basicConstraints = CA:true subjectAltName=email:move I create the key and csr like this: openssl req -new -keyout private/cakey.pem -out careq.pem -config \ ./openssl.cnf Then I self-sign it like this: openssl ca -create_serial -out cacert.pem -days 365 -batch -keyfile \ private/cakey.pem -selfsign -extensions v3_ca -config ./openssl.cnf \ -infiles careq.pem The req looks like this: Requested Extensions: X509v3 Subject Alternative Name: email:[EMAIL PROTECTED] The cert however looks like this: X509v3 extensions: X509v3 Subject Key Identifier: 19:FA:AB:62:DA:7D:7F:DA:A1:B1:F2:A7:51:7C:0B:DE:35:16:13:F2 X509v3 Authority Key Identifier: keyid:19:FA:AB:62:DA:7D:7F:DA:A1:B1:F2:A7:51:7C:0B:DE:35:16:13:F2 X509v3 Basic Constraints: CA:TRUE As you can see, it's disappeared. I've also tried setting subjectAltName=email:copy in v3_ca and then I get this in the cert: X509v3 Subject Alternative Name: EMPTY Which is unexpected. openssl 0.9.8b, Debian unstable Any help would be appreciated. -- Phil Dibowitz P: 310-360-2330 C: 213-923-5115 Unix Admin, Ticketmaster.com signature.asc Description: OpenPGP digital signature
Re: CAs and SubjectAltNames
On Thu, Jun 08, 2006, Phil Dibowitz wrote: Didn't see a response to this the first time around, thought I'd give it another shot. I'm trying to create a CA that has the email address _only_ in SubjectAltNames (to follow PKIX valid certificate recommendations). This seems to be a bit tricky. Currently, I can get a req that looks right, but when I self-sign, it gets messed up. My config looks like: ... [ req ] req_extensions = v3_req ... [ v3_req ] subjectAltName = email:move [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always basicConstraints = CA:true subjectAltName=email:move I create the key and csr like this: openssl req -new -keyout private/cakey.pem -out careq.pem -config \ ./openssl.cnf Then I self-sign it like this: openssl ca -create_serial -out cacert.pem -days 365 -batch -keyfile \ private/cakey.pem -selfsign -extensions v3_ca -config ./openssl.cnf \ -infiles careq.pem The req looks like this: Requested Extensions: X509v3 Subject Alternative Name: email:[EMAIL PROTECTED] The cert however looks like this: X509v3 extensions: X509v3 Subject Key Identifier: 19:FA:AB:62:DA:7D:7F:DA:A1:B1:F2:A7:51:7C:0B:DE:35:16:13:F2 X509v3 Authority Key Identifier: keyid:19:FA:AB:62:DA:7D:7F:DA:A1:B1:F2:A7:51:7C:0B:DE:35:16:13:F2 X509v3 Basic Constraints: CA:TRUE As you can see, it's disappeared. I've also tried setting subjectAltName=email:copy in v3_ca and then I get this in the cert: X509v3 Subject Alternative Name: EMPTY Which is unexpected. openssl 0.9.8b, Debian unstable Any help would be appreciated. You have to explicitly enable copying extensions from a certificate request to a certificate in the config file. This is off by default because it is potentially dangerous for the unwary. See the docs for more info. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: subjectAltName extension of type dNSName
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 david kine schrieb: Hello David, One more question: how do I, using the CA.pl script, generate a certificate with a subjectAltName extension of type dNSName? The ones I have already generated do not have this field set. I suppose there is an openssl.cnf file setting for this purpose? I notice the line #subjectAltName=email:copy in the system's openssl.cnf subjectAltName=DNS:your.domain.org Bye Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEiKPv2iGqZUF3qPYRAum+AJ9TRnaoHrpM5KBxYpnTAQzA6u4FwgCeNl6c 3HqW6isS6WJy9S98ORT/Q5E= =CAzJ -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: CAs and SubjectAltNames
Dr. Stephen Henson wrote: You have to explicitly enable copying extensions from a certificate request to a certificate in the config file. This is off by default because it is potentially dangerous for the unwary. See the docs for more info. Thanks, though I'm not sure which docs you're referring to - don't see anything to that effect in 'man ca'... Hmmm I think the 'noemailDN' option will do what I want upon more perusing of the man page... -- Phil Dibowitz P: 310-360-2330 C: 213-923-5115 Unix Admin, Ticketmaster.com signature.asc Description: OpenPGP digital signature
Re: CAs and SubjectAltNames
Phil Dibowitz wrote: Dr. Stephen Henson wrote: You have to explicitly enable copying extensions from a certificate request to a certificate in the config file. This is off by default because it is potentially dangerous for the unwary. See the docs for more info. Thanks, though I'm not sure which docs you're referring to - don't see anything to that effect in 'man ca'... Hmmm I think the 'noemailDN' option will do what I want upon more perusing of the man page... Upon trying this, it doesn't work. It works for the Subject but not the Issuer. They should match... :/ I'll keep looking for the doc you mention -- Phil Dibowitz P: 310-360-2330 C: 213-923-5115 Unix Admin, Ticketmaster.com signature.asc Description: OpenPGP digital signature
Re: subjectAltName extension of type dNSName
On Fri, Jun 09, 2006 at 12:25:52AM +0200, Goetz Babin-Ebell wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 david kine schrieb: Hello David, One more question: how do I, using the CA.pl script, generate a certificate with a subjectAltName extension of type dNSName? The ones I have already generated do not have this field set. I suppose there is an openssl.cnf file setting for this purpose? I notice the line #subjectAltName=email:copy in the system's openssl.cnf subjectAltName=DNS:your.domain.org For multiple values: subjectAltName = @alt_names [ alt_names ] DNS.1 = host1.example.com DNS.2 = host2.example.com DNS.3 = host3.example.com DNS.4 = host4.example.com DNS.5 = host5.example.com DNS.6 = host6.example.com DNS.7 = host7.example.com DNS.8 = host8.example.com DNS.9 = host9.example.com DNS.10 = host10.example.com DNS.11 = host11.example.com DNS.12 = host12.example.com DNS.13 = host13.example.com DNS.14 = host14.example.com DNS.15 = host15.example.com DNS.16 = host16.example.com DNS.17 = host17.example.com DNS.18 = host18.example.com DNS.19 = host19.example.com -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: CAs and SubjectAltNames
On Thu, Jun 08, 2006, Phil Dibowitz wrote: Dr. Stephen Henson wrote: You have to explicitly enable copying extensions from a certificate request to a certificate in the config file. This is off by default because it is potentially dangerous for the unwary. See the docs for more info. Thanks, though I'm not sure which docs you're referring to - don't see anything to that effect in 'man ca'... Hmmm I think the 'noemailDN' option will do what I want upon more perusing of the man page... Look for the copy_extensions option in the ca manual page. You need OpenSSL 0.9.8 or later for that. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
