WG: [Openca-Users] After 100000 certificate issued...

2006-09-19 Thread thomas.beckmann 
I found this in the OpenCA-Users mailinglist.

Any ideas or suggestions?

Regards

Thomas

 -Ursprüngliche Nachricht-
 Von: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] Im 
 Auftrag von Diego de Felice
 Gesendet: Montag, 18. September 2006 23:32
 An: Ideas, tips and discussions about OpenCA installation and 
 management.
 Betreff: [Openca-Users] After 10 certificate issued...
 
  I've tested OpenCA (an old version to be honest) by issuing 
 more than 10 certificates. The response times of course 
 are a bit degraded.
 I can say that the global functionality of OpenCA are not so 
 much influenced (only some pages regardings searches, but I 
 think they can be simply fixed). The most terrible issue 
 however is OpenSSL and its index.txt! With 10 and more 
 certificates the index.txt file is about 19 megabytes and for 
 every certificate you must wait a lot of seconds and this is 
 more and more notable when this number grows. I know this is 
 not to OpenCA related, but someone knows if there is a 
 project to enhance index.txt in a more performing solution 
 ? Is the nextgen OpenCA less dependent from the command line openssl ?
 
  Thanks in advance.
 
 --
 Diego de Felice
 
 --
 ---
 Take Surveys. Earn Cash. Influence the Future of IT Join 
 SourceForge.net's Techsay panel and you'll get the chance to 
 share your opinions on IT  business topics through brief 
 surveys -- and earn cash 
 http://www.techsay.com/default.php?page=join.phpp=sourceforge
CID=DEVDEV
 ___
 Openca-Users mailing list
 Openca-Users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/openca-users
 
 
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: WG: [Openca-Users] After 100000 certificate issued...

2006-09-19 Thread Peter Sylvester 

[EMAIL PROTECTED] wrote:

I found this in the OpenCA-Users mailinglist.

Any ideas or suggestions?

  
use the 'openssl ca' command with an empty index.txt file for each new 
certificate.
and then manages the files differently, i.e. copy the content into a 
database.
Or don't use the ca at all and use x509 and for revocation, just create 
an index.txt

with the revoked certs.


--
To verify the signature, see http://edelpki.edelweb.fr/ 
Cela vous permet de charger le certificat de l'autorité; 
die Liste mit zurückgerufenen Zertifikaten finden Sie da auch. 



smime.p7s
Description: S/MIME Cryptographic Signature

Get Information about SSL Handshake

2006-09-19 Thread Hubert Gressl 



Hello 
Everybody!

I got my server and 
client running. I want to do some testing and need some information about the 
ssl handshake... whitch mechanism is used and if diffie-hellman is used what 
size of the primary secret is used?

I was able to get 
information about the cipher with SSL_get_cipher_version() and 
SSL_get_cipher_name() for a established connection but I couldn't figure out to 
get the information about the handshake.

Thanks a lot for any 
suggestions!

Hubert

RE: How do I remove padding during AES encryption/ decryption

2006-09-19 Thread Marek Marcola 
Hello,
 Thanks for the reply. I have my sample test case like this.
 
 #define KEYSIZE 256
 #define AES_BLOCK_SIZE 32
AES block size for this implementation is 16 bytes
(of course AES standard talks about block size 24 and 32
bytes - Nb variable - but this implementation use
only 16 byte AES block)

 void  test_main()
 {
 char key[KEYSIZE+1];
 int I,keylen;
 char data[AES_BLOCK_SIZE] ;
 char cbuf[AES_BLOCK_SIZE];
 char pbuf[AES_BLOCK_SIZE];
 
  
 strcpy(key,2ea24d27bc6e40e70b0a2ab08b0831675cf1274834f98a58709edeeb56af
 f547);
  
 strcpy(data,000
 0);
I guess that this strings should be converted from hex form to
binary for using (something like 0x41 = 'A')

 keylen = strlen(key);
 
 {
   AES_KEY ctx;
   unsigned char iv[AES_BLOCK_SIZE];
   memset(cbuf, 0,AES_BLOCK_SIZE);
   AES_set_encrypt_key(key, KEYSIZE, ctx);
   AES_cbc_encrypt(data, cbuf, AES_BLOCK_SIZE, ctx, iv,
 AES_ENCRYPT);
iv is not initialized here and you should check return code of
AES_set_encrypt_key() - this function accept key length of 128,192,256.
Here this works good but checking error code is good practise.
 
 
   for (i =0 ; i sizeof(data) ; i++)
  printf(%d...input = %d \n,data[i],i);
   printf(\n);
 
   for (i =0 ; i sizeof(cbuf); i++)
 printf(%d...encoded data =%d \n,cbuf[i],i);
   printf(\n);
 }
 
 {
   AES_KEY ctx;
   int len,pad,flag =0;
   unsigned char iv[AES_BLOCK_SIZE];
   memset(pbuf, 0,AES_BLOCK_SIZE);
   memset(iv, 0, AES_BLOCK_SIZE);
iv should have the same value as in encrypting.
   AES_set_decrypt_key(key, KEYSIZE, ctx);
check error code
   AES_cbc_encrypt(cbuf,pbuf, AES_BLOCK_SIZE, ctx, iv,
 AES_DECRYPT);
 }
 
 }
 
 Please can any tell me what could be the problem with this code?
There are many problems with using AES_cbc*().
If we are talking of padding - this functions do not support
normal padding - i suggest add proper padding on encryption
yourself and remove padding after decryption.
This functions should take properly padded data rounded to
16 bytes.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Get Information about SSL Handshake

2006-09-19 Thread Marek Marcola 
Hello, 
 Hello Everybody!
  
 I got my server and client running. I want to do some testing and need
 some information about the ssl handshake... whitch mechanism is used
 and if diffie-hellman is used what size of the primary secret is used?
  
 I was able to get information about the cipher with
 SSL_get_cipher_version() and SSL_get_cipher_name() for a established
 connection but I couldn't figure out to get the information about the
 handshake.
Peer RSA/DSA parameters used in handshake may be printed
for example with code:

EVP_PKEY *pkey;
X509 *cert;

cert = SSL_get_peer_certificate(ssl);

if ((cert != NULL)  ((pkey = X509_get_pubkey(cert)) != NULL)) {
   if (pkey-type == EVP_PKEY_RSA  pkey-pkey.rsa != NULL 
pkey-pkey.rsa-n != NULL) {
  printf(RSA-%d\n, BN_num_bits(pkey-pkey.rsa-n));
   }
   if (pkey-type == EVP_PKEY_DSA  pkey-pkey.dsa != NULL
pkey-pkey.dsa-p != NULL) {
  printf(DSA-%d\n, BN_num_bits(pkey-pkey.dsa-p));
   }
}

if (cert != NULL) {
   X509_free(cert);
}

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Runtime link problems on HP-UX

2006-09-19 Thread Daniel Young 








Hi all,



Im writing an XML-RPC client call under a Tuxedo app
on HP-UX 11 and having run-time troubles due to an Oracle .so being picked up
instead of OpenSSL libraries.



My app statically links in the XML-RPC library, libcurl, libssl
and libcrypto, but at run-time it seg-faults with the following trace:



#0
0xc2433570:0 in BN_div+0x120 ()

 from
/u01/app/oracle/OraHome_1/lib/libnnz10.so

#1
0x409f1e70:0 in BN_nnmod+0x30 ()

#2 0x409f7de0:0
in S_BN_mod_inverse+0x300 ()

#3
0x409ff2b0:0 in BN_MONT_CTX_set_locked+0x3d0 ()

#4
0x40a19740:0 in RSA_eay_public_decrypt+0x440 ()

#5
0x4088a6f0:0 in RSA_public_decrypt+0x70 ()

#6
0x4088bfd0:0 in RSA_verify+0x130 ()

#7
0x408d1380:0 in EVP_VerifyFinal+0x200 ()

#8
0x40a45bb0:0 in ASN1_item_verify+0x190 ()

#9
0x409479f0:0 in X509_verify+0x50 () #10 0x40936f90:0 in
internal_verify+0xab0 ()

#11 0x409338e0:0 in
X509_verify_cert+0xbd0 ()

#12 0x40838a20:0 in
ssl_verify_cert_chain+0x230 ()

#13 0x40809460:0 in
ssl3_connect+0x4ed0 ()

#14 0x408301a0:0 in
SSL_connect+0x90 ()

#15 0x40824ab0:0 in
ssl23_connect+0x1440 ()

#16 0x408301a0:0 in
SSL_connect+0x90 ()

#17 0x407acbf0:0 in
Curl_ossl_connect_step2 (conn=0x6070cf40,

 sockindex=0,
timeout_ms=0x9fffcf10) at ssluse.c:1391



Actually the error was originally in BN_set_word but I
renamed that, and then in BN_mod_inverse and I renamed that (to
S_BN_mod_inverse as you can see above) The BN_ functions are being
picked up from Oracles libnnz10.so instead of libcrypto.a which
Ive statically linked in.



At link time, $ORAHOME/lib is included with a L flag,
and it is required. Ive tried changing the order of libraries on
the command line, and also tried -a,archive_shared flags on the
linker to give static libs a higher preference than shared. Ive
also tried temporarily removing $ORAHOME/lib from my SHLIB_PATH and
LD_LIBRARY_PATH environment variables. However, nothing I do seems to get
around this problem.



Does anybody have an idea how I can link my app correctly to
avoid this problem? 



Does Oracle use openSSL internally (and hence the
conflict)? Has anybody had troubles with this before?



If I cant fix the linking, should I perform some
preprocessor trickery to put the OpenSSL bn.h functions in some namespace, or
would the Oracle/OpenSSL overlap be so great that this will be too hard and
encompass more than just the functions in bn.h?





Any help or hints would be much appreciated,





cheers,




 
  
  Daniel Young
  Senior Software Engineer
  
  
  
  
  
  
  
  
   




 


 


Level 13, 175 Eagle Street
BrisbaneQLD
4000
T. +61 7 3406 1939
F. +61 7 3406 1999
www.synyati.com.au

   
  
  
  
 


This email message and information contained in or attached to
this message may be privileged, confidential, and protected from disclosure and
is intended only for the person or entity to which it is addressed. Any review,
retransmission, dissemination, printing or other use of, or taking of any
action in reliance upon, this information by persons or entities other than the
intended recipient is prohibited. If you received this message in error, please
immediately inform the sender by reply e-mail and delete the message and any
attachments.

Re: Get Information about SSL Handshake

2006-09-19 Thread Hubert Gressl 
Thank you very much this works fine but how do I get the information if
diffie hellman (DH) is used to negotiate the key?

I wanted to compare the differnce in cpu consumption and time delay if
session reuse is used or not! (Keyexchange with Diffie Hellman)
Therefore I set:
 
SSL_CTX_set_session_cache_mode( ctx, SSL_SESS_CACHE_OFF );

If I connect to the server there is a delay fore about 20 seconds but the
server doesn't consume any cpu in this time, just the client... Shouldn't
the server waste some CPU while computing his key? 

Do you the approximate delay if session reuse is not used?
Furthermore, it would be great to display the DH secret length somehow?

Thanks a lot for any suggestions!
Best Regards
Hubert


-Ursprüngliche Nachricht-
Von: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Im Auftrag von Marek Marcola
Gesendet: Dienstag, 19. September 2006 22:00
An: openssl-users@openssl.org
Betreff: Re: Get Information about SSL Handshake

Hello, 
 Hello Everybody!
  
 I got my server and client running. I want to do some testing and need 
 some information about the ssl handshake... whitch mechanism is used 
 and if diffie-hellman is used what size of the primary secret is used?
  
 I was able to get information about the cipher with
 SSL_get_cipher_version() and SSL_get_cipher_name() for a established 
 connection but I couldn't figure out to get the information about the 
 handshake.
Peer RSA/DSA parameters used in handshake may be printed for example with
code:

EVP_PKEY *pkey;
X509 *cert;

cert = SSL_get_peer_certificate(ssl);

if ((cert != NULL)  ((pkey = X509_get_pubkey(cert)) != NULL)) {
   if (pkey-type == EVP_PKEY_RSA  pkey-pkey.rsa != NULL 
pkey-pkey.rsa-n != NULL) {
  printf(RSA-%d\n, BN_num_bits(pkey-pkey.rsa-n));
   }
   if (pkey-type == EVP_PKEY_DSA  pkey-pkey.dsa != NULL
pkey-pkey.dsa-p != NULL) {
  printf(DSA-%d\n, BN_num_bits(pkey-pkey.dsa-p));
   }
}

if (cert != NULL) {
   X509_free(cert);
}

Best regards,
--
Marek Marcola [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

subjectinfoaccess?

2006-09-19 Thread laura 
hi,

  I want to use SIA(subjectinfoaccess) to get the url of caRepository. but i 
can't find the accessmethod. it should be nid_ad_caRepository defined in 
rfc3280. does openssl support it?


   

laura
[EMAIL PROTECTED]
  2006-09-20


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

BN_bin2bn() gets coredump in 0.9.7k

2006-09-19 Thread sivabalakrishnan 



Hi,

I have compiled 64-bit OpenSSL 0.9.7k on HP-UX 
11.23 PA architecture withoptimization level +O3 (default). When i 
test BN_bin2bn() function in cryto library with the following test 
program, it gets coredump.

Here is my test 
program.=#include 
stdio.h#include openssl/rsa.h

int main() { RSA *public; 
unsigned int bits, len; char *buf, *uu; unsigned char 
*blob;

 public = RSA_generate_key(1024, 35, 
NULL, NULL);

 bits = 
BN_num_bits(public-n); printf("%u", bits); buf = 
BN_bn2dec(public-e); printf(" %s", buf); 
OPENSSL_free(buf); buf = BN_bn2dec(public-n); printf(" 
%s", buf); OPENSSL_free(buf);

 return 
0;}=

But the problem does not occur with +O1 
optimization level compilation. 
Also when the same test program is linked with OpenSSL 0.9.8c 64bit 
library compiled with +O3 optimization level, it executes successfully. 
The reason would be CVS check-in 12579 and 13128, which are only appliedin 
0.9.8 series.

Why these changes are not applied to 0.9.7 trunk ???

Can any body know about this issue..? 

Thanks
-Siva.