error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Hey guys. :) I'm getting an error with PHP 5.1.6 that I've compiled against OpenSSL 0.9.8c... Here's the code. Pretty simple:

    <?php $mysock = fsockopen("tls://smtp.gmail.com", 587, $errno, $errstr, 30); ?>

However, I get the following error:

    Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number in /root/test.php on line 2
    Warning: fsockopen(): Failed to enable crypto in /root/test.php on line 2
    Warning: fsockopen(): unable to connect to tls://smtp.gmail.com:587 (Unknown error) in /root/test.php on line 2

I'm running on Debian 3.1 (Sarge), if that matters. I configured OpenSSL as follows:

    ./config --prefix=/usr --openssldir=/usr/lib/ssl shared zlib

And PHP as follows:

    './configure' \
    '--with-apxs=/usr/sbin/apxs' \
    '--with-jpeg-dir=/usr' \
    '--with-png-dir=/usr' \
    '--with-zlib-dir=/usr' \
    '--with-curl=/usr' \
    '--with-gd' \
    '--enable-ftp' \
    '--enable-sockets' \
    '--with-mysql=/usr/local' \
    '--enable-track-vars' \
    '--with-imap-ssl' \
    '--with-kerberos' \
    '--with-imap' \
    '--with-openssl=/usr'

Any ideas what could be causing this? :) I've searched for the answer and went through basically every link I could find on Google... I see that a lot of people have had this problem, but I haven't seen a single solution.

Thanks in advance, guys! It's really appreciated!

Dave

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Reading in memory DER using BIO
Hello,

> Is there a way that i can get an X509 cert from an array holding a cert in DER format? So my question is: how do i read a DER using a BIO, because the cert is in memory and not in a file (for a file i know there are d2i functions that return X509).

You may use something like that:

    #include <openssl/bio.h>
    #include <openssl/x509.h>

    /**
     * Create X509 certificate object from buf in DER format.
     *
     * @param cert  return X509 object with created certificate
     * @param buf   buffer with certificate in DER format
     * @param len   size of buffer
     * @return 0 on success, -1 on error
     */
    int der2cert(X509 **cert, char *buf, int len)
    {
        BIO *mem;

        /* read-only memory BIO over the caller's buffer */
        if ((mem = BIO_new_mem_buf(buf, len)) == NULL) {
            goto err;
        }
        *cert = d2i_X509_bio(mem, NULL);
        BIO_free(mem);
        if (*cert == NULL) {
            goto err;
        }
        return (0);
    err:
        return (-1);
    }

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]
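An added example, not Marek's code and using no OpenSSL calls so it compiles on its own: a check of the outer DER framing of an in-memory buffer before it is handed to BIO_new_mem_buf()/d2i_X509_bio(). It rejects truncated, indefinite-length and non-minimally encoded input and reports trailing bytes that are not part of the first object; every input is constructed and none is a real certificate.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum der_status { DER_OK, DER_TRUNCATED, DER_NOT_SEQUENCE, DER_BAD_LENGTH, DER_TRAILING };

/* Parse the outer tag and length of an in-memory DER blob. A Certificate is a
 * SEQUENCE (tag 0x30) with a definite, minimally encoded length. On DER_OK and
 * DER_TRAILING, *obj_len is the size of the first object (header + content). */
enum der_status der_outer_len(const uint8_t *buf, size_t len, size_t *obj_len)
{
    size_t hdr, content, n, i;
    *obj_len = 0;
    if (len < 2)
        return DER_TRUNCATED;
    if (buf[0] != 0x30)
        return DER_NOT_SEQUENCE;
    if (buf[1] < 0x80) {                   /* short form: one length byte */
        content = buf[1];
        hdr = 2;
    } else {
        n = buf[1] & 0x7f;                 /* long form: n length bytes follow */
        if (n == 0 || n > sizeof(size_t))  /* 0x80 = indefinite length, BER only */
            return DER_BAD_LENGTH;
        if (len < 2 + n)
            return DER_TRUNCATED;
        for (content = 0, i = 0; i < n; i++)
            content = (content << 8) | buf[2 + i];
        /* DER minimality: no leading zero byte, long form only for >= 128 */
        if (buf[2] == 0 || content < 0x80)
            return DER_BAD_LENGTH;
        hdr = 2 + n;
    }
    if (content > len - hdr)
        return DER_TRUNCATED;
    *obj_len = hdr + content;
    return *obj_len == len ? DER_OK : DER_TRAILING;
}

/* Write a SEQUENCE of content_len zero bytes into out (capacity cap) and
 * return its encoded size, or 0 if it does not fit. Only DER framing, not a
 * real certificate; it exercises the long-form length path. */
size_t make_sequence(uint8_t *out, size_t cap, size_t content_len)
{
    size_t hdr = content_len < 0x80 ? 2 : (content_len < 0x100 ? 3 : 4);
    if (content_len > 0xffff || hdr + content_len > cap)
        return 0;
    out[0] = 0x30;
    if (hdr == 2) {
        out[1] = (uint8_t)content_len;
    } else if (hdr == 3) {
        out[1] = 0x81;
        out[2] = (uint8_t)content_len;
    } else {
        out[1] = 0x82;
        out[2] = (uint8_t)(content_len >> 8);
        out[3] = (uint8_t)content_len;
    }
    memset(out + hdr, 0, content_len);
    return hdr + content_len;
}

/* Constructed inputs, none of them real certificates. */
static const uint8_t DER_SHORT[]  = { 0x30, 0x03, 0x02, 0x01, 0x05 };             /* SEQUENCE { INTEGER 5 } */
static const uint8_t DER_CUT[]    = { 0x30, 0x03, 0x02, 0x01 };                   /* last byte missing */
static const uint8_t DER_INDEF[]  = { 0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00 }; /* BER indefinite length */
static const uint8_t DER_NONMIN[] = { 0x30, 0x81, 0x03, 0x02, 0x01, 0x05 };       /* long form for length 3 */
static const uint8_t DER_TWO[]    = { 0x30, 0x03, 0x02, 0x01, 0x05, 0x30, 0x00 }; /* two objects back to back */

static void report(const char *label, const uint8_t *buf, size_t len)
{
    static const char *name[] = { "ok", "truncated", "not a SEQUENCE", "bad length", "trailing bytes" };
    size_t n;
    enum der_status st = der_outer_len(buf, len, &n);
    printf("%-8s %s, first object %zu bytes\n", label, name[st], n);
}

int main(void)
{
    uint8_t big[300];
    size_t sz = make_sequence(big, sizeof big, 200);   /* 30 81 c8 + 200 bytes */
    report("short", DER_SHORT, sizeof DER_SHORT);
    report("cut", DER_CUT, sizeof DER_CUT);
    report("indef", DER_INDEF, sizeof DER_INDEF);
    report("nonmin", DER_NONMIN, sizeof DER_NONMIN);
    report("two", DER_TWO, sizeof DER_TWO);
    report("long", big, sz);
    report("cutlong", big, 150);
    return 0;
}
```

When der_outer_len() returns DER_TRAILING, the bytes after the first obj_len bytes are not part of that certificate, which is what you see when several DER objects were concatenated into one buffer.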
Warning in sha.h not able to use on HP-UX.
Hi All,

I have ported OpenSSL to VxWorks (host is HP-UX and target is VxWorks). I want to use SHA-512. When I compile I am getting the following warnings:

    h/openssl/sha.h:179: warning: ANSI C does not support `long long'
    h/openssl/sha.h:180: warning: ANSI C does not support `long long'
    h/openssl/sha.h:180: warning: ANSI C does not support `long long'
    h/openssl/sha.h:182: warning: ANSI C does not support `long long'

The warnings are in:

    typedef struct SHA512state_st {
        SHA_LONG64 h[8];
        SHA_LONG64 Nl, Nh;
        union {
            SHA_LONG64 d[SHA_LBLOCK];
            unsigned char p[SHA512_CBLOCK];
        } u;
        unsigned int num, md_len;
    } SHA512_CTX;

I tried defining SHA_LONG64 as unsigned long and

    #define U64(C) C##UL

Then I started getting a lot of warnings in file sha512.c. The warnings are of the type:

    sha512.c:61: warning: large integer implicitly truncated to unsigned type
    sha512.c:114: warning: right shift count >= width of type

Please can any one tell me how I use/fix this.

Thanks in advance,
Jaya.
Re: Warning in sha.h not able to use on HP-UX.
Hello,

> I have ported OpenSSL to VxWorks (host is HP-UX and target is VxWorks). I want to use SHA-512. When I compile I am getting the following warnings:
>
>     h/openssl/sha.h:179: warning: ANSI C does not support `long long'
>     h/openssl/sha.h:180: warning: ANSI C does not support `long long'
>     h/openssl/sha.h:180: warning: ANSI C does not support `long long'
>     h/openssl/sha.h:182: warning: ANSI C does not support `long long'
>
> The warnings are in:
>
>     typedef struct SHA512state_st {
>         SHA_LONG64 h[8];
>         SHA_LONG64 Nl, Nh;
>         union {
>             SHA_LONG64 d[SHA_LBLOCK];
>             unsigned char p[SHA512_CBLOCK];
>         } u;
>         unsigned int num, md_len;
>     } SHA512_CTX;
>
> I tried defining SHA_LONG64 as unsigned long and
>
>     #define U64(C) C##UL
>
> Then I started getting a lot of warnings in file sha512.c. The warnings are of the type:
>
>     sha512.c:61: warning: large integer implicitly truncated to unsigned type
>     sha512.c:114: warning: right shift count >= width of type

The OpenSSL implementation of SHA384/SHA512 requires that SHA_LONG64 be defined as a 64-bit type (sizeof(SHA_LONG64) must be 8). You should find such a type in your compiler to get this to work. For example you may use uint64_t (if such a type is defined).

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]
RE: Warning in sha.h not able to use on HP-UX.
Hi All,

First I would like to thank you very much. I just tested if I can use uint64_t. I think I can use it. So instead of unsigned long long, can I use uint64_t?

Regards,
Jaya.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Thursday, September 14, 2006 3:28 PM
To: openssl-users@openssl.org
Subject: Re: Warning in sha.h not able to use on HP-UX.

> The OpenSSL implementation of SHA384/SHA512 requires that SHA_LONG64 be defined as a 64-bit type (sizeof(SHA_LONG64) must be 8). You should find such a type in your compiler to get this to work. For example you may use uint64_t (if such a type is defined).
RE: Warning in sha.h not able to use on HP-UX.
Hello,

> First I would like to thank you very much. I just tested if I can use uint64_t. I think I can use it. So instead of unsigned long long, can I use uint64_t?

Yes, sha512 requires an unsigned 64-bit integer.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]
Re: errors in DTLS implementation in openssl0.9.8a
There seems to be some confusion on the version number for DTLS. Here is what RFC4347 says:

    version
        The version of the protocol being employed. This document describes DTLS Version 1.0, which uses the version { 254, 255 }. The version value of 254.255 is the 1's complement of DTLS Version 1.0. This maximal spacing between TLS and DTLS version numbers ensures that records from the two protocols can be easily distinguished. It should be noted that future on-the-wire version numbers of DTLS are decreasing in value (while the true version number is increasing in value.)

This paragraph is confusing. It first says "This document describes DTLS Version 1.0, which uses the version { 254, 255 }." Then it says "The version value of 254.255 is the 1's complement of DTLS Version 1.0." My interpretation of this is that the version number is { 254, 255 }. However, openssl 0.9.8 appears to interpret this as saying the version is { 01, 00 }. Can the authors please clarify?

thanks,
Rob

List: openssl-users
Subject: Re: errors in DTLS implementation in openssl0.9.8a
From: Prashant Kumar pkix2005 () yahoo ! com
Date: 2005-12-13 14:52:05
Message-ID: 20051213145205.74076.qmail () web52008 ! mail ! yahoo ! com

16 01 00 for a DTLS handshake is the right code: 16 is the content type, and it is a handshake. The DTLS version is 01 00.

Thanks,
Prashant.

Eduardo Pérez Ureta [EMAIL PROTECTED] wrote:
> Maybe you can try:
> http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=1245
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=335703
> This patch may fix the segmentation fault that I also confirm on openssl-0.9.8a running on linux-2.6.14/686. Some developer should review that patch. (I'll try it later if nobody has)
>
> On 2005-12-10 16:38:16 +, robert dugal wrote:
>> Openssl 0.9.8a is incorrectly encoding the DTLS version as 0x01,0x00 instead of 0xfe,0xff
>>
>>     $ ./openssl s_client -dtls1 -debug
>>     CONNECTED(0003)
>>     write to 0x5d3640 [0x5dd3f8] (119 bytes => 119 (0x77))
>>     - 16 01 00 00 00 00 00 00-00 00 00 00 6a 01 00 00   j...
>>
>> Openssl 0.9.8a is incorrectly encoding the ChangeCipherSpec message as 3 bytes instead of 1 byte, including a 2 byte message sequence number.
>>
>>     $ ./openssl s_client -dtls1 -debug
>>     write to 0x5d3640 [0x5e2d80] (16 bytes => 16 (0x10))
>>     - 14 01 00 00 00 00 00 00-00 00 03 00 03 01 00 03
>>
>> The first 13 bytes are the record header followed by the CCS which is 3 bytes: 01 00 03. There is no MSN in the CCS. I had a lengthy discussion with Eric on this topic and he was very clear that the CCS has no MSN and he did not want to add it to the CCS.
>>
>> I also discovered it is very easy to crash openssl or make the handshake fail using the -mtu argument (testing on windows xp).
>>
>>     ./openssl s_server -dtls1 -debug -mtu 100
>>     ./openssl s_client -dtls1 -debug -mtu 100
>>     - server: Segmentation fault (core dumped)
>>
>>     ./openssl s_server -dtls1 -debug -mtu 128
>>     ./openssl s_client -dtls1 -debug -mtu 128
>>     - server: 888:error:143F8412:SSL routines:DTLS1_READ_BYTES:sslv3 alert bad certificate
>>     - client: 4052:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib:s3_clnt.c
>>
>>     ./openssl s_server -dtls1 -debug -mtu 256
>>     ./openssl s_client -dtls1 -debug -mtu 256
>>     - server: DTLS1_READ_BYTES:sslv3 alert bad certificate
>>     - client: 3080:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib:s3_clnt.c
>>
>>     ./openssl s_server -dtls1 -debug -mtu 512
>>     ./openssl s_client -dtls1 -debug -mtu 512
>>     - server: SSL3_GET_FINISHED:digest check failed
>>     - client: handshake failure
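An added example, not code from this thread or from OpenSSL: a record-header parser that applies the RFC 4347 rule Rob quotes (wire version = one's complement of the true version) and treats the version bytes the way a conforming peer does, so the {1,0} header from the 0.9.8a dump is not recognised as DTLS at all, the corrected {254,255} header parses as DTLS, and a ChangeCipherSpec body longer than one byte is flagged. A first record whose version bytes fit neither TLS nor DTLS is also what the "wrong version number" error in the PHP fsockopen post at the top of this page means. The sample bytes are the first 16 bytes of the two dumps above plus constructed comparison inputs; the SMTP banner is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum record_kind { REC_TLS, REC_DTLS, REC_NOT_TLS, REC_TRUNCATED };

struct record_hdr {
    uint8_t  content_type;
    uint16_t version;   /* wire version: 0x0301 = TLS 1.0, 0xfeff = DTLS 1.0 */
    uint16_t epoch;     /* DTLS only */
    uint64_t seq;       /* DTLS only, 48-bit record sequence number */
    uint16_t length;    /* fragment bytes following the header */
    size_t   hdr_len;   /* 5 for TLS, 13 for DTLS, 0 if not parsed */
};

/* RFC 4347: the DTLS wire version is the one's complement of the true
 * version, so DTLS 1.0 goes on the wire as {254,255} = 0xfeff, not {1,0}. */
uint16_t dtls_wire_version(uint8_t major, uint8_t minor)
{
    return (uint16_t)(((uint16_t)(uint8_t)~major << 8) | (uint8_t)~minor);
}

/* change_cipher_spec(20), alert(21), handshake(22), application_data(23) */
static int valid_content_type(uint8_t ct) { return ct >= 20 && ct <= 23; }

/* Parse the record header at buf and report which protocol it belongs to. */
enum record_kind classify_record(const uint8_t *buf, size_t len, struct record_hdr *out)
{
    size_t i;
    memset(out, 0, sizeof *out);
    if (len < 5)
        return REC_TRUNCATED;
    out->content_type = buf[0];
    out->version = (uint16_t)((buf[1] << 8) | buf[2]);
    if (!valid_content_type(buf[0]))
        return REC_NOT_TLS;               /* e.g. an ASCII "220 ..." banner */
    if (buf[1] == 0x03) {                 /* SSLv3 / TLS 1.x: 5-byte header */
        out->length = (uint16_t)((buf[3] << 8) | buf[4]);
        out->hdr_len = 5;
        return REC_TLS;
    }
    if (buf[1] == 0xfe) {                 /* DTLS: 13-byte header */
        if (len < 13)
            return REC_TRUNCATED;
        out->epoch = (uint16_t)((buf[3] << 8) | buf[4]);
        for (i = 5; i < 11; i++)
            out->seq = (out->seq << 8) | buf[i];
        out->length = (uint16_t)((buf[11] << 8) | buf[12]);
        out->hdr_len = 13;
        return REC_DTLS;
    }
    /* Known content type but a version major that is neither 3 nor 254: this
     * is what a conforming peer rejects as "wrong version number". */
    return REC_NOT_TLS;
}

/* A ChangeCipherSpec body is exactly one byte, value 1, in TLS and DTLS
 * alike; there is no message sequence number inside it. */
int ccs_body_ok(const struct record_hdr *h, const uint8_t *buf, size_t len)
{
    if (h->content_type != 20 || h->hdr_len == 0 || h->length != 1)
        return 0;
    return len >= h->hdr_len + 1 && buf[h->hdr_len] == 1;
}

/* First 16 bytes of the two 0.9.8a s_client -debug dumps quoted above, a
 * version-corrected copy of each (constructed), a TLS 1.0 header (constructed)
 * and a plaintext SMTP banner (constructed). */
static const uint8_t HELLO_098A[] = { 0x16, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                                      0x00, 0x00, 0x00, 0x00, 0x6a, 0x01, 0x00, 0x00 };
static const uint8_t HELLO_RFC[]  = { 0x16, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
                                      0x00, 0x00, 0x00, 0x00, 0x6a, 0x01, 0x00, 0x00 };
static const uint8_t CCS_3BYTE[]  = { 0x14, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
                                      0x00, 0x00, 0x03, 0x00, 0x03, 0x01, 0x00, 0x03 };
static const uint8_t CCS_GOOD[]   = { 0x14, 0xfe, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
                                      0x00, 0x00, 0x03, 0x00, 0x01, 0x01 };
static const uint8_t TLS_HELLO[]  = { 0x16, 0x03, 0x01, 0x00, 0x2f, 0x01 };
static const uint8_t SMTP_BANNER[] = "220 mx.example.test ESMTP ready\r\n";

int main(void)
{
    const uint8_t *in[] = { HELLO_098A, HELLO_RFC, CCS_3BYTE, CCS_GOOD, TLS_HELLO, SMTP_BANNER };
    const size_t n[] = { sizeof HELLO_098A, sizeof HELLO_RFC, sizeof CCS_3BYTE,
                         sizeof CCS_GOOD, sizeof TLS_HELLO, sizeof SMTP_BANNER - 1 };
    static const char *kind[] = { "TLS", "DTLS", "not TLS", "truncated" };
    struct record_hdr h;
    size_t i;
    for (i = 0; i < 6; i++) {
        enum record_kind k = classify_record(in[i], n[i], &h);
        printf("%zu: %s type=%u version=0x%04x length=%u%s\n", i, kind[k], h.content_type,
               h.version, h.length, (k == REC_DTLS && h.content_type == 20 &&
               !ccs_body_ok(&h, in[i], n[i])) ? " (malformed CCS body)" : "");
    }
    return 0;
}
```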
What's the difference between openssl 0.9.8c and 0.9.7k
I need to install OpenSSL so I can build Apache_2.0.59 with SSL enabled. I saw OpenSSL 0.9.8c and 0.9.7k were released on the same day. What's the difference between these two versions? Which one should I choose for building Apache 2?
Re: What's the difference between openssl 0.9.8c and 0.9.7k
Hong Ye wrote:
> I need to install OpenSSL so I can build Apache_2.0.59 with SSL enabled. I saw OpenSSL 0.9.8c and 0.9.7k were released on the same day. What's the difference between these two versions? Which one should I choose for building Apache 2?

This would probably be more appropriate on an Apache newsgroup, but AFAIK Apache 2 compiles with 0.9.8* as well as with 0.9.7*. Now it's your choice. I guess that maintenance for the 0.9.7 branch will terminate before the 0.9.8 branch, so if you have no reason against 0.9.8c I'd advise you to use that one.

Hope it helps
Ted ;)
-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
RE: Attribute Certificate with OpenSSL?
First - thank you! At least it was something.

I went through the Web site and the code distro itself. The Web site shows how to use their command x509AT. Great. There's no AT-related README though, no documentation, no edits or patch-format changes. Thus it is hard to figure out the scope of changes involved. The Web page states that it is beta code. References to Lopez and Montenegro pages are dead. I.e. a dead, unmaintained project.

So OpenSSL did not pick up the Attribute Certificate extensions that Lopez and Montenegro added? Is there an alternative distro supporting AT? Is there (official?) work going on on (cleanly :-) adding support for Attribute Certs to OpenSSL?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Saurabh Arora
Sent: Wednesday, September 13, 2006 17:58
To: openssl-users@openssl.org
Subject: Re: Attribute Certificate with OpenSSL?

On 9/14/06, Mouse [EMAIL PROTECTED] wrote:
> Did anybody use OpenSSL successfully for creating and processing Attribute Certificates?

very much .. check this link.. http://openpmi.sourceforge.net/

> Is there any helpful HOWTO or TFM?

download the openssl distro (patched to support AC) from the same link.
RV: Attribute Certificate with OpenSSL?
Hello,

I developed a beta API code for OpenSSL that may help you. Find a description. Tell me if you are interested or if anybody wants to help me to improve it. Take into account that it is a very very beta code.

Apart from that, Jose Antonio Montenegro and Javier Lopez from Malaga University have been working on authorization for a very long time with very good results. I think that OpenPMI is not an unmaintained project. Try to contact the authors through http://www.lcc.uma.es/LCC?-f=indexlang.lcc-l=english

Regards,
Daniel

Attribute Certificates APIs

Attribute Certificate Generation API

Library Functions

*** Functions to get information ***

#define PEM_read_X509AC(fp,x,cb,u) (X509AC *)PEM_ASN1_read( \
        (char *(*)())d2i_X509AC,PEM_STRING_X509AC,fp,(char **)x,cb,u)
    Read an attribute certificate in PEM format from a file pointer.

X509AC_ISSUER_SERIAL *X509_get_basecertID(X509 *x)
    Takes a X509 certificate and extracts the X509AC_ISSUER_SERIAL structure (or base cert ID).

X509_NAME *X509AC_get_issuer_name(X509AC *a)
    Obtain the X509_NAME of the issuer placed in a->info->issuer->d.v1Form when the attribute certificate is version 1, and from a->info->issuer->d.v2Form->issuer when the attribute certificate is version 2.

X509_NAME *X509AC_get_holder_entity_name(X509AC *a)
    Search a->info->holder->entity (stack of GENERAL_NAME) for a valid DirectoryName.

X509AC_ISSUER_SERIAL *X509AC_get_holder_baseCertID(X509AC *a)
    Returns the a->info->holder->baseCertID structure of type X509AC_ISSUER_SERIAL.

ASN1_BIT_STRING *X509AC_get_holder_objectDigestInfo(X509AC *a)
    Returns the a->info->holder->objectDigestInfo structure of type ASN1_BIT_STRING.

X509AC_ISSUER_SERIAL *X509AC_get_issuer_baseCertID(X509AC *a)
    Returns a->info->issuer->d.v2Form->baseCertID. This parameter is only available when the certificate is of version 2. For version 1 this parameter is not present.

ASN1_BIT_STRING *X509AC_get_issuer_objectDigestInfo(X509AC *a)
    Returns a->info->issuer->d.v2Form->digest. This parameter is only available when the certificate is of version 2. For version 1 this parameter is not present.

long X509AC_get_version(X509AC *a)
int X509AC_set_version(X509AC *a, long version)
    Get and set the version of the certificate.

*** Functions to set information ***

There are three ways of providing holder information. The first one is to set the entity (GENERAL_NAME) structure with a valid directory name (X509_NAME); the second one is to set the BaseCertId structure that contains a name (X509_NAME), serial number and/or UniqueID info of the certificate that belongs to the holder; the third is to set the ObjectDigestInfo.

ASN1_SEQUENCE(X509AC_HOLDER) = {
        ASN1_IMP_OPT(X509AC_HOLDER, baseCertID, X509AC_ISSUER_SERIAL, 0),
        ASN1_IMP_SEQUENCE_OF_OPT(X509AC_HOLDER, entity, GENERAL_NAME, 1),
        ASN1_IMP_OPT(X509AC_HOLDER, objectDigestInfo, X509AC_OBJECT_DIGESTINFO, 2)
} ASN1_SEQUENCE_END(X509AC_HOLDER)

int X509AC_set_holder_entity_name(X509AC *a, X509_NAME *name)
    Places a X509_NAME into a->info->holder->entity.

int X509AC_set_holder_serialNumber(X509AC *x, ASN1_INTEGER *serial)
    Set the serial number in a->info->holder->baseCertID->serial.

int X509AC_set_holder_name(X509AC *a, X509_NAME *name)
    Set the name into the a->info->holder->baseCertID->issuer structure.

int X509AC_set_holder_objectDigestInfo(X509AC *a, X509AC_OBJECT_DIGESTINFO *odig)
    Set the object digest info of the basecertID structure for the holder of the attribute certificate.

int X509AC_set_holder_baseCertID(X509AC *a, X509AC_ISSUER_SERIAL *bci)
    Set the whole Base Cert ID structure.

There are two ways of providing issuer information, depending on the version of the attribute certificate. The first one is to set the v1Form (GENERAL_NAME) structure with a valid directory name (X509_NAME); the other one is to set the v2Form, which can be a BaseCertId structure that contains a name (X509_NAME), serial number and/or uniqueID info of the certificate that belongs to the holder, or a X509_NAME, or an objectDigestInfo.

ASN1_CHOICE(X509AC_ISSUER) = {
        ASN1_SEQUENCE_OF(X509AC_ISSUER, d.v1Form, GENERAL_NAME),
        ASN1_IMP(X509AC_ISSUER, d.v2Form, X509AC_V2FORM, 0)
} ASN1_CHOICE_END(X509AC_ISSUER)

ASN1_SEQUENCE(X509AC_V2FORM) = {
        ASN1_SEQUENCE_OF_OPT(X509AC_V2FORM, issuer, GENERAL_NAME),
        ASN1_IMP_OPT(X509AC_V2FORM, baseCertID, X509AC_ISSUER_SERIAL, 0),
        ASN1_IMP_OPT(X509AC_V2FORM, digest, X509AC_OBJECT_DIGESTINFO, 1)
} ASN1_SEQUENCE_END(X509AC_V2FORM)

int X509AC_set_issuer_baseCertID(X509AC *a, X509AC_ISSUER_SERIAL *bci)
    Takes a baseCertID structure and sets the issuer info of the attribute certificate.

int X509AC_set_issuer_name(X509AC *a, X509_NAME *name)
    Set the name into the issuer information space. Depending on the version of the certificate it will be inserted in v1Form or in v2Form->issuer.

*** General tools to fill up some of
RE: Attribute Certificate with OpenSSL?
Hello,

I developed a beta API code for OpenSSL that may help you. Find enclosed a pdf document with the description. Tell me if you are interested or if anybody wants to help me to improve it. Take into account that it is a very very beta code.

Apart from that, Jose Antonio Montenegro and Javier Lopez from Malaga University have been working on authorization for a very long time with very good results. I think that OpenPMI is not an unmaintained project. Try to contact the authors through http://www.lcc.uma.es/LCC?-f=indexlang.lcc-l=english

Regards,
Daniel

-- 
Daniel Diaz Sanchez
Telecommunication Engineer
Researcher / Teaching Assistant
Dep. Ing. Telemática
Universidad Carlos III de Madrid
Av. Universidad, 30
28911 Leganés (Madrid/Spain)
Tel: (+34) 91-624-8817, Fax: -8749
Web: www.it.uc3m.es/dds
web: http://www.it.uc3m.es/pervasive
Mail: dds[at].it.uc3m.es
Skype: dds.it.uc3m.es

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mouse
Sent: Thursday, 14 September 2006 15:49
To: openssl-users@openssl.org
Subject: RE: Attribute Certificate with OpenSSL?
Re: Attribute Certificate with OpenSSL?
On 9/14/06, Mouse [EMAIL PROTECTED] wrote:
> First - thank you! At least it was something.
>
> I went through the Web site and the code distro itself. The Web site shows how to use their command x509AT. Great. There's no AT-related README though, no documentation, no edits or patch-format changes. Thus it is hard to figure out the scope of changes involved.

welcome to the world of openssl

> The Web page states that it is beta code. References to Lopez and Montenegro pages are dead. I.e. a dead, unmaintained project.

hmm.. working in my browser

> So OpenSSL did not pick up the Attribute Certificate extensions that Lopez and Montenegro added? Is there an alternative distro supporting AT? Is there (official?) work going on on (cleanly :-) adding support for Attribute Certs to OpenSSL?

this was the closest i came across.. i was to work on Attribute Certificate too but by then my job period expired (i wish i could have), though i worked on X509 custom certs in good detail and have written a few HOWTO tutorials and articles on the same. will ask my boss to upload for the community. apart from that we can only request the community to keep contributing HowTo's ...
RE: Attribute Certificate with OpenSSL?
Your API looks good - perhaps your code combined with x509AT from Univ. of Malaga can provide the complete coverage? And yes - I'd like to take a look at your code (assuming it's under GPL, or the OpenSSL license). I'll check with my bosses to see if they'd approve more active participation.

Thank you!

Regards,
Uri

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Diaz Sanchez
Sent: Thursday, September 14, 2006 10:00
To: openssl-users@openssl.org
Subject: RE: Attribute Certificate with OpenSSL?
problem with openssl 0.9.8c
I installed openssl 0.9.8c on Solaris sparcv9. Then I built Apache 2.0.59 using OpenSSL 0.9.8c. When I start Apache, I see errors in Apache's error log:

    [Thu Sep 14 14:19:44 2006] [notice] Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8c configured -- resuming normal operations
    [Thu Sep 14 14:19:45 2006] [notice] child pid 19774 exit signal Segmentation fault (11)
    [Thu Sep 14 14:19:45 2006] [notice] child pid 19773 exit signal Segmentation fault (11)
    [Thu Sep 14 14:19:45 2006] [notice] child pid 19772 exit signal Segmentation fault (11)
    [Thu Sep 14 14:19:45 2006] [notice] child pid 19771 exit signal Segmentation fault (11)

I believe these errors are caused by openssl 0.9.8c because Apache works fine if I build it with an older version of OpenSSL, like 0.9.7g. Any ideas about how to troubleshoot the problem?

Thanks,
Hong
Any UK-like PKI laws in Canada?
This is sorta tangentially off-topic, but I'm not sure where else to ask. As many of you probably heard, the UK is activating a portion of a 6-year-old law that allows them to seize private keys:

http://news.zdnet.com/2100-1009_22-6073654.html?tag=nl
http://news.zdnet.com/2100-1009_22-6105680.html

I'm wondering if anyone has heard of similar happenings in Canada (yes, I'm aware of the increasingly ridiculous PKI stance the US gov't has taken). Looking through their laws:

http://www.solutions.gc.ca/pki-icp/guidedocs/guidedocs_e.asp

And specifically, their PKI Confidentiality Certificate Policy:

http://www.cra-arc.gc.ca/eservices/pki/ext-cp-conf-e.html

And things seem pretty sane... but I thought I'd see if anyone out there had heard of any existing or proposed law under which the gov't can request your private keys at any time in Canada.

Thanks,
-- 
Phil Dibowitz
P: 310-360-2330 C: 213-923-5115
Unix Admin, Ticketmaster.com
"I don't need a reference, I have you!" - Pippenger, to me.
Re: Importing RSA Public Key generated by JRE
Hello,

> I am attempting to import a RSA Public Key file generated by JRE 5.0 using OpenSSL. As I understand it, JRE's RSA Public Key is in X.509's SubjectPublicKeyInfo structure.

Then you should try d2i_RSA_PUBKEY().

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]
Support for octet (file) import by the built-in ASN.1 compiler, from openssl.cnf?
Hello,

Does anyone know if there is some syntactic sugar that will allow us to import binary data from a file, from within openssl.cnf? Specifically, I want to experiment with importing photo-ids (jpegs) into a cert/req. I found, and am able to use, the new arbitrary-oid/built-in compiler for ASN1 (strings in this case):

    1.2.3.4.5=critical,ASN1:UTF8String:abcd

but am wondering if it's possible to do something like

    1.2.3.4.5=critical,ASN1:OctetFile:/home/my.jpg

The above was just a (not documented) guess on my part and so did not work. Is this possible currently?

Thanks,
Ken
Re: Need help with certs for Cisco EasyVPN
John,

Please provide the openSSL invocations with the complete command line options you are using to generate the certificates. I hope to God you aren't using some front end script to run openSSL or we won't ever get anywhere.

Ted

- Original Message -
From: John A. Kilpatrick [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Wednesday, September 13, 2006 10:03 AM
Subject: Need help with certs for Cisco EasyVPN

> I really could use some help and I'm hoping someone out there has done what I need to do before and can clue me in. All I am trying to do is use certificates with a VPN profile in the Cisco VPN client. However, any cert that I sign with OpenSSL is marked as an RA cert by the Cisco VPN client and is not usable in a profile. However, when the Microsoft CA software signs the same cert, it is acceptable to the client, and the certificate signed by the Microsoft CA software is installed in the Cisco store and thus usable by the client.
>
> I tried making a new root certificate and manually setting the serial number to 1 (instead of zero, due to that issue about Cisco not thinking zero is valid) but it didn't help. I am getting pretty frustrated since Cisco doesn't support OpenSSL and getting someone there with a clue has been fruitless.
>
> If someone has been able to make this work (either generating the req yourself and signing it or signing a req generated by the client) please contact me - I could really use the help. I can provide sample certs that work and don't work to see what the story is if that would help.
>
> Thanks,
> John
> -- 
> John A. Kilpatrick
> [EMAIL PROTECTED] Email | http://www.hypergeek.net/
> [EMAIL PROTECTED] Text pages | ICQ: 19147504
> remember: no obstacles/only challenges