RE: BIGNUM library

2007-04-16 Thread Edward Chan
Is there a specification on the format of a BIGNUM that someone can
point me to?  Is there a standard encoding/format that everyone adheres
to?  Or would different libraries have their own encodings?  I hope not.

Thanks,

Ed

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward Chan
Sent: Monday, April 16, 2007 4:27 PM
To: openssl-users@openssl.org
Subject: BIGNUM library

How easy or difficult would it be to extract just the BIGNUM library
from OpenSSL?  Are there any documents on how to do this?

Thanks,

Ed



BIGNUM library

2007-04-16 Thread Edward Chan
How easy or difficult would it be to extract just the BIGNUM library
from OpenSSL?  Are there any documents on how to do this?

Thanks,

Ed



RE: RSA Key exchange and FIPS compliance

2007-04-16 Thread David Schwartz

> We use OpenSSL for encryption within our application.
> I am now enhancing our application to become FIPS compliant.
> The OpenSSL FIPS Security Policy lists RSA key wrapping and
> key establishment as non-approved. But the policy states that
> it is included when 80 to 150 bits of encryption strength are
> used. So how do I provide a key exchange if I want FIPS compliance?

TLS is FIPS approved if you only used FIPS-allowed algorithms within it.
OpenSSL does this in FIPS mode.

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: renewing certificate

2007-04-16 Thread David Schwartz

> The problem is with installing it on the server. It is a windows
> 2003 server with IIS6, however the certificate isn't being handled
> by IIS. I have no real clue how this thing was set up so I'm
> grasping at straws. Gotta love clients that hire college kids to
> do work, then are stuck when the kid moves on and no one knows
> how he did what he did.

You're almost certainly posting to the wrong list. The problem is, since you
don't know what piece of software you need to deal with, you don't know what
the right list would be.

I would suggest that you first recognize that your problem is that you don't
know what piece of software is managing the certificate or providing it to
the web server. So you should try to provide information that might help
someone to determine that.

For example:

1) What process owns port 445 on your machine?

2) What headers do you get in a secure connection and how do they differ
from the headers in an insecure connection?

3) Can you find your key/certificate in your filesystem anywhere? If so,
what path? Or is it in the system certificate store?

4) Are there any administration pages or the like that you know of that
relate to the secure web server at all? What are their names? What text is
on them?

DS




RSA Key exchange and FIPS compliance

2007-04-16 Thread Gatfield, Geoffrey
Hello,

We use OpenSSL for encryption within our application. I am now enhancing
our application to become FIPS compliant. The OpenSSL FIPS Security
Policy lists RSA key wrapping and key establishment as non-approved. But
the policy states that it is included when 80 to 150 bits of encryption
strength are used. So how do I provide a key exchange if I want FIPS
compliance?

Any help is appreciated.

Thanks

Geoff



RE: renewing certificate

2007-04-16 Thread Bart Heller
I have the renewed cert, I just can't figure out how to get it on the server. 
If IIS was managing the certificate and the websites on this server I'd be 
fine, but that isn't the case. I'm grasping at straws trying to follow up 
undocumented work by a college kid for this client. Yay for me!



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Angus
Sent: Tuesday, April 17, 2007 3:54 AM
To: openssl-users@openssl.org
Subject: Re: renewing certificate

You might try the customer service dept. of the supplier who is providing your 
cert. Most are very good and will be able to help you do only what you need -- 
without a large number of time consuming extra steps.

Bill Angus, MA
- Original Message -
From: Bart Heller
To: openssl-users@openssl.org
Sent: Monday, April 16, 2007 12:11 PM
Subject: renewing certificate

Hey everyone. I'm still not so into this so here I go again.

I am trying to renew an expired certificate on a windows server 2003 
machine. None of the steps in the RenewCert.txt document seem to apply. I did 
not set this server up originally and I need lots of help trying to figure this 
thing out.

Here is the list of things I need to know:

How to revoke the existing certificate - If you browse to the URL this server 
hosts, the certificate date is still the expired one.
How to update the certificate on the server so the URL the outside world sees 
is up to date.

I have the CSR and private key saved in a separate folder from the original 
install so I hope that helps.

Thanks!!

And no obviously I'm not a webadmin, so bear with me please.


RE: renewing certificate

2007-04-16 Thread Bart Heller
The problem is with installing it on the server. It is a windows 2003 server 
with IIS6, however the certificate isn't being handled by IIS. I have no real 
clue how this thing was set up so I'm grasping at straws. Gotta love clients 
that hire college kids to do work, then are stuck when the kid moves on and no 
one knows how he did what he did.



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Monday, April 16, 2007 4:52 PM
To: openssl-users@openssl.org
Subject: RE: renewing certificate


> I am trying to renew an expired certificate on a windows
> server 2003 machine. None of the steps in the RenewCert.txt
> document seem to apply. I did not set this server up originally
> and I need lots of help trying to figure this thing out.

Is your problem obtaining the renewed certificate or installing it on the
server? If the latter, why are you asking on an OpenSSL list? These are
questions about how to operate whatever web server software you are using.

DS




Re: renewing certificate

2007-04-16 Thread Bill Angus
You might try the customer service dept. of the supplier who is providing your 
cert. Most are very good and will be able to help you do only what you need -- 
without a large number of time consuming extra steps. 

Bill Angus, MA
  - Original Message - 
  From: Bart Heller 
  To: openssl-users@openssl.org 
  Sent: Monday, April 16, 2007 12:11 PM
  Subject: renewing certificate


  Hey everyone. I'm still not so into this so here I go again.

  I am trying to renew an expired certificate on a windows server 2003
  machine. None of the steps in the RenewCert.txt document seem to apply. I did
  not set this server up originally and I need lots of help trying to figure this
  thing out.

  Here is the list of things I need to know:

  How to revoke the existing certificate - If you browse to the URL this server
  hosts, the certificate date is still the expired one.

  How to update the certificate on the server so the URL the outside world sees
  is up to date.

  I have the CSR and private key saved in a separate folder from the original
  install so I hope that helps.

  Thanks!!

  And no obviously I'm not a webadmin, so bear with me please.


RE: renewing certificate

2007-04-16 Thread David Schwartz

> I am trying to renew an expired certificate on a windows
> server 2003 machine. None of the steps in the RenewCert.txt
> document seem to apply. I did not set this server up originally
> and I need lots of help trying to figure this thing out.

Is your problem obtaining the renewed certificate or installing it on the
server? If the latter, why are you asking on an OpenSSL list? These are
questions about how to operate whatever web server software you are using.

DS




Client certificates & MSIE

2007-04-16 Thread Roehl, Dan
We have noticed that there is some coupling between a user's profile and
his/her installed client certificates (which sort of makes sense). The
client certificates are stored under the "personal" certificate store by
default. Where/what in the user's win profile does the reference to the
personal certificate store get saved?

Thanks



renewing certificate

2007-04-16 Thread Bart Heller
Hey everyone. I'm still not so into this so here I go again.

I am trying to renew an expired certificate on a windows server 2003 
machine. None of the steps in the RenewCert.txt document seem to apply. I did 
not set this server up originally and I need lots of help trying to figure this 
thing out.

Here is the list of things I need to know:

How to revoke the existing certificate - If you browse to the URL this server 
hosts, the certificate date is still the expired one.
How to update the certificate on the server so the URL the outside world sees 
is up to date.

I have the CSR and private key saved in a separate folder from the original 
install so I hope that helps.

Thanks!!

And no obviously I'm not a webadmin, so bear with me please.


Re: openssl smime -enc speed question

2007-04-16 Thread Harald Latzko

Hello,

On 14.04.2007 at 00:04, Dr. Stephen Henson wrote:

> 'tis done.
>
> I found a quiet period to look into it and test it a little. Check out the
> new -stream option in the smime utility for OpenSSL 0.9.9.
>
> Support in the API is quite simple too, just include the PKCS7_STREAM flag
> in the calls to PKCS7_{sign,encrypt} and SMIME_write_PKCS7() see the docs
> for more info or the new examples in demos/smime. Chaining isn't possible
> using that method however (e.g. sign & encrypt) that would need major API
> changes.

Encrypting and signing works as expected, really great job. This
feature enables encrypting and signing very big files.


Is support planned for verifying and decryption? First simple tries  
with changing PKCS7_decrypt and PKCS7_verify were not successful for  
me (I don't really understand the backgrounds of the openSSL sources).


Regards,
Harald



Re: openssl smime -enc speed question

2007-04-16 Thread Harald Latzko

Hello,

On 14.04.2007 at 00:04, Dr. Stephen Henson wrote:

> > Sorry to have given you false hopes. The issue that all the data has to
> > be in working memory to be encrypted is indeed starting to become a real
> > annoyance in some practical circumstances. So perhaps if Stephen Henson
> > should develop the feature further one day we can volunteer as
> > testers?  ;-)
>
> 'tis done.
>
> I found a quiet period to look into it and test it a little. Check out the
> new -stream option in the smime utility for OpenSSL 0.9.9.
>
> Support in the API is quite simple too, just include the PKCS7_STREAM flag
> in the calls to PKCS7_{sign,encrypt} and SMIME_write_PKCS7() see the docs
> for more info or the new examples in demos/smime. Chaining isn't possible
> using that method however (e.g. sign & encrypt) that would need major API
> changes.
>
> Any problems let me know. Money back if not completely satisfied :-)

Thank you very much for the great work. I'm testing at the moment
with encoding files, resulting in an extremely good performance using
hardware engines.

If anything is open or unclear, I will reply to this message.

Regards,
Harald Latzko
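
The -stream option described in the quoted message above, exercised end to end from the command line. This is an added example, not part of the thread or of the OpenSSL project's own demos; the recipient name, file names and the 1 MiB input are constructed, and it assumes an openssl binary whose smime utility supports -stream.

```shell
#!/bin/sh
# Added example (not from the thread). Key, certificate and input file are
# constructed test data created in a temporary directory.

# Print the first two bytes of a file as hex, e.g. "3080".
first_two_bytes() {
    od -An -tx1 -N2 "$1" | tr -d ' \n'
}

# Encrypt a 1 MiB file with and without -stream, decrypt the streamed
# output, and record how each DER file begins in STREAM_HDR / WHOLE_HDR.
# Returns 0 only if the decrypted data matches the input byte for byte.
stream_roundtrip() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Throwaway self-signed recipient certificate, valid for one day.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed-recipient" \
            -keyout key.pem -out cert.pem 2>/dev/null || exit 1
        dd if=/dev/zero of=big.bin bs=1024 count=1024 2>/dev/null || exit 1

        # -stream: the input is processed as it is read.
        openssl smime -encrypt -stream -binary -aes256 -outform DER \
            -in big.bin -out stream.p7m cert.pem || exit 1
        # No -stream: the whole message is built in memory first.
        openssl smime -encrypt -binary -aes256 -outform DER \
            -in big.bin -out whole.p7m cert.pem || exit 1

        openssl smime -decrypt -binary -inform DER -in stream.p7m \
            -recip cert.pem -inkey key.pem -out back.bin || exit 1
        cmp -s big.bin back.bin || exit 1
        first_two_bytes stream.p7m > stream.hdr
        first_two_bytes whole.p7m > whole.hdr
    ) || { rm -rf "$work"; return 1; }
    STREAM_HDR=$(cat "$work/stream.hdr")
    WHOLE_HDR=$(cat "$work/whole.hdr")
    rm -rf "$work"
}

# 3080 = SEQUENCE with indefinite length (streamed BER); the non-streamed
# file starts with a definite length instead.
stream_roundtrip && echo "stream=$STREAM_HDR whole=$WHOLE_HDR"
```

The indefinite-length header is how a streamed message can be recognised on disk: the writer did not know the total size when it emitted the first bytes.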



Re: PKCS7_encrypt leads to a segfault

2007-04-16 Thread Florian MANACH

According to an argument of the command line:
cipher=EVP_aes_256_cbc() or cipher=EVP_des_ede3_cbc()


Florian Manach
NUMLOG
[EMAIL PROTECTED]
(+33)0130791616

Dr. Stephen Henson wrote:

> On Fri, Apr 13, 2007, Florian MANACH wrote:
>
> > Hello Steve and thank you for the answer.
> > You were right. I was linking with 0.9.7.
> > I've just installed the 0.9.8e and unfortunately, the segfault still
> > remains:
> >
> > Here is the new core dump:
> >
> > #0  0x400cd204 in EVP_CIPHER_nid () from /usr/local/ssl/lib/libcrypto.so.0.9.8
> > #1  0x400cd22b in EVP_CIPHER_type () from /usr/local/ssl/lib/libcrypto.so.0.9.8
> > #2  0x4014b0b0 in __JCR_LIST__ () from /usr/local/ssl/lib/libcrypto.so.0.9.8
> > #3  0x4006591c in OBJ_obj2nid () from /usr/local/ssl/lib/libcrypto.so.0.9.8
> > #4  0x40106322 in PKCS7_set_cipher () from /usr/local/ssl/lib/libcrypto.so.0.9.8
> > #5  0x401062c8 in PKCS7_set_cipher () from /usr/local/ssl/lib/libcrypto.so.0.9.8
> > #6  0x40108f02 in PKCS7_encrypt () from /usr/local/ssl/lib/libcrypto.so.0.9.8
> > #7  0xb398 in ?? ()
> > #8  0x4000ab80 in _dl_runtime_resolve () at dl-runtime.c:196
> > #9  0x0804a410 in main (argc=Cannot access memory at address 0x9
> > ---
> >
> > It's very strange, I took a look at the openssl's smime utility to make
> > this soft, and I'm reading a book where the way to do a pkcs7 encryption
> > is the same as mine.
> >
> > I really don't understand what's going on.
>
> That implies it doesn't like the "cipher" argument you are passing to
> PKCS7_encrypt(). Your example only has a parameter for that: what value are
> you actually passing?
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk