Re: Threshold secret sharing implementation

2007-04-18 Thread ViSolve Security Consulting Group

Hello Geiza,


> Does someone know where I can find an implementation of Threshold
> secret sharing?


http://point-at-infinity.org// has the implementation for Threshold 
Secret Sharing using Polynomial Interpolation.


Regards,
ViSolve Security Consulting Group.
http://www.visolve.com/security/
Affordable Open Source Solutions for your Business.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: It is Memory leak ??

2007-04-18 Thread Dinh, Thao V CIV NSWCDD, K72
Hi DS
Thank you very much for your help. I am stuck here. I create the SSL
connection as follows:

fd = accept(...);
ssl = SSL_new(ctx);
SSL_set_fd(ssl, fd);

I spin off a thread for each connection using thread, pthread_detach.

I do not use BIO at all. Do I have to follow the TLS closure exactly? Send
close_notify, then wait for close_notify from the server/client?

I use TLS in my application. I also call Thread_setup(int) from the
Network Security with OpenSSL book, but never call Thread_cleanup(void)
because Thread_setup(int) is called one time only, at initialization.

Thanks again
TD

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Tuesday, April 17, 2007 15:21
To: openssl-users@openssl.org
Subject: RE: It is Memory leak ??


> Hi DS
> How do we handle closure in openssl??? . I just call:
[snip]
> But sometimes I receive return 0 for both call. I do not know why, so
> I just call one time
>  SSL_shutdown(ssl);
>  SSL_free(ssl);
>  close(sock);
>
> Please help.

It depends on how you created the SSL connection in the first place. You
may also need to free one or more BIOs. How did you create/open the SSL
connection?

DS




Open SSL server and JSee client

2007-04-18 Thread lana.n.dam
 

I have a JSSE client that needs to talk to a server that implements
openssl 0.9.8d.  Mutual authentication is required.  Even though I added
the JVM parameters used to load the client certificate, I keep getting
a handshake failure.  I just wonder whether this is a well-known problem
and what the appropriate workaround is.

Below are the JVM parameters :

-Djavax.net.debug=all,data,trustManager
-Djavax.net.ssl.keyStore=D:\Test\AmberPointAgent2
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=D:\Test\AmberPointAgent
-Djavax.net.ssl.trustStorePassword=password
-Dcom.sun.net.ssl.dhKeyExchangeFix=true

 

Thanks

Lan



This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise private information.  If you have received it in 
error, please notify the sender immediately and delete the original.  Any other 
use of the email by you is prohibited.


RE: renewing certificate

2007-04-18 Thread Bart Heller
This is well and good, except the website and certificate aren't being managed 
by IIS, but some other open source app that I can find even less information on 
than openssl. The common thread between them is they both have the same 
instructions on how to create/install/renew the certificate using openssl 
command line options. Which unfortunately aren't working, most likely due to 
the fact I don't  have enough info on this and don't know how to use either 
program.



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark H. Wood
Sent: Tuesday, April 17, 2007 9:20 AM
To: openssl-users@openssl.org
Subject: Re: renewing certificate

I went to www.microsoft.com and searched for "IIS install certificate".  The 
first hit led me to:

  http://msdn2.microsoft.com/en-us/library/ms751408.aspx

with step-by-step instructions.  (Ignore the leading part about 'makecert', of 
course -- you already have a certificate.)

--
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he means 
the exact opposite.



RE: renewing certificate

2007-04-18 Thread Bart Heller
Just to let everyone know, this project is on hold for the foreseeable future. 
We are looking at an alternative way to set up the reverse proxy and certificate 
that falls more into the realm of what we as Microsoft guys are familiar with, 
i.e. IIS-based sites and certs. Thanks for the input though.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark H. Wood
Sent: Tuesday, April 17, 2007 9:20 AM
To: openssl-users@openssl.org
Subject: Re: renewing certificate

I went to www.microsoft.com and searched for "IIS install certificate".  The 
first hit led me to:

  http://msdn2.microsoft.com/en-us/library/ms751408.aspx

with step-by-step instructions.  (Ignore the leading part about 'makecert', of 
course -- you already have a certificate.)

--
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he means 
the exact opposite.



Re: Open SSL server and JSee client

2007-04-18 Thread Jim Sansing
What is the java error?

But in the meantime, since you didn't mention it, there are a few steps
you could verify:

1) Since you are using a local keystore, can I assume that you added the
certificate to it using the keystore command?

2) By 'mutual authentication' do you mean that the server must
authenticate the client's (self-signed) certificate? If so, has it been
added to the server's local certificate file?

3) If the server must authenticate multiple certificates, is it calling
SSL_CTX_use_certificate_chain_file during init?

Later . . . Jim


[EMAIL PROTECTED] wrote:
>
> I have a JSEE client that needs to talk to a server that implements
> openssl 0.9.8d. Mutual authentication is required. Even though I added
> the JVM parameters used to load the client certificate, I keep getting
> handshake failure. Just wonder this is a well known problem and what’s
> the appropriate workaround
>
> Below are the JVM parameters :
>
> -Djavax.net.debug=all,data,trustManager
> -Djavax.net.ssl.keyStore=D:\Test\AmberPointAgent2
> -Djavax.net.ssl.keyStorePassword=password
> -Djavax.net.ssl.trustStore=D:\Test\AmberPointAgent
> -Djavax.net.ssl.trustStorePassword=password
> -Dcom.sun.net.ssl.dhKeyExchangeFix=true
>
> Thanks
>
> Lan
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise private information. If you have
> received it in error, please notify the sender immediately and delete
> the original. Any other use of the email by you is prohibited.
>


RE: Open SSL server and JSee client

2007-04-18 Thread lana.n.dam
Jim,
Here's how I obtain my keystore files:

1.  I have a client certificate information in p12 format.  I then
imported it into a keystore file as key entry using sun security tool-
pkcs12import (xws-security).  
2. I also have the trusted Key store file that I imported the .pem file
as trusted entry using the keytool utility

3.  server (openSSL) requires the client certificate to be sent in.  The
client certificate that I send in is signed by the root certificate
which exists on the server.  Therefore the client should be trusted


Below is the debug trace:

trigger seeding of SecureRandom
done seeding SecureRandom
JsseJce: Using cipher AES/CBC/NoPadding from provider SunJCE
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1176916508 bytes = { 130, 86, 33, 206, 109, 117, 37,
96, 234, 191, 235, 56, 229, 90, 43, 166, 20, 202, 189, 44, 123, 159, 53,
248, 13, 50, 13, 127 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5,
TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA]
Compression Methods:  { 0 }
***
[write] MD5 and SHA1 hashes:  len = 67
main, WRITE: TLSv1 Handshake, length = 67
[write] MD5 and SHA1 hashes:  len = 89
main, WRITE: SSLv2 client hello message, length = 89
main, READ: TLSv1 Handshake, length = 74
*** ServerHello, TLSv1
RandomCookie:  GMT: 1176916541 bytes = { 45, 229, 111, 4, 214, 4, 165,
223, 225, 54, 122, 132, 33, 91, 145, 240, 233, 49, 201, 33, 9, 181, 230,
193, 255, 149, 175, 33 }
Session ID:  {2, 18, 90, 147, 29, 80, 116, 91, 86, 137, 193, 208, 108,
46, 253, 8, 116, 148, 142, 161, 214, 52, 109, 80, 5, 46, 143, 80, 163,
109, 41, 137}
Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
Compression Method: 0
***
%% Created:  [Session-1, SSL_RSA_WITH_RC4_128_SHA]
** SSL_RSA_WITH_RC4_128_SHA
[read] MD5 and SHA1 hashes:  len = 74
main, READ: TLSv1 Handshake, length = 1119
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=clldc-s-6132.americas.shell.com
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  SunJSSE RSA public key:
  public exponent:
010001
  modulus:
  Validity: [From: Tue Apr 03 07:59:53 PDT 2007,
   To: Thu Apr 02 09:09:53 PDT 2009]
  Issuer: CN=root.CRLL7GW1.americas.shell.com
  SerialNumber: [71243ff9 a5ad8a62]

Certificate Extensions: 4
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: DF E4 67 63 0A 25 4B 94   7B 7E 4C CD FC CD 5E 93
..gc.%K...L...^.
0010: E3 EA AC DF
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
: 49 1C 70 5F 48 41 09 95   DB 37 7B A7 82 B0 6F 92
I.p_HA...7o.
0010: 4C EA E9 B9L...
]

]

[3]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]

]
  Algorithm: [SHA1withRSA]
  Signature:


RE: Open SSL server and JSee client

2007-04-18 Thread Marek Marcola
Hello,
> 3.  server (openSSL) requires the client certificate to be sent in.  The
> client certificate that I send in is signed by the root certificate
> which exists on the server.  Therefore the client should be trusted
> 
> 
> Below is the debug trace:
> 
> trigger seeding of SecureRandom
> done seeding SecureRandom
> JsseJce: Using cipher AES/CBC/NoPadding from provider SunJCE
> %% No cached client session
> *** ClientHello, TLSv1
> RandomCookie:  GMT: 1176916508 bytes = { 130, 86, 33, 206, 109, 117, 37,
> 96, 234, 191, 235, 56, 229, 90, 43, 166, 20, 202, 189, 44, 123, 159, 53,
> 248, 13, 50, 13, 127 }
> Session ID:  {}
> Cipher Suites: [SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5,
> TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
> SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA]
> Compression Methods:  { 0 }
> ***
> [write] MD5 and SHA1 hashes:  len = 67
> main, WRITE: TLSv1 Handshake, length = 67
> [write] MD5 and SHA1 hashes:  len = 89
> main, WRITE: SSLv2 client hello message, length = 89
The client writes an ssl2 client_hello with some cipher proposals.
 
> main, READ: TLSv1 Handshake, length = 74
> *** ServerHello, TLSv1
> RandomCookie:  GMT: 1176916541 bytes = { 45, 229, 111, 4, 214, 4, 165,
> 223, 225, 54, 122, 132, 33, 91, 145, 240, 233, 49, 201, 33, 9, 181, 230,
> 193, 255, 149, 175, 33 }
> Session ID:  {2, 18, 90, 147, 29, 80, 116, 91, 86, 137, 193, 208, 108,
> 46, 253, 8, 116, 148, 142, 161, 214, 52, 109, 80, 5, 46, 143, 80, 163,
> 109, 41, 137}
> Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
> Compression Method: 0
The OpenSSL server responds with server_hello, carrying the crypto
parameters selected by the server (cipher suite, cookie ...)

> %% Created:  [Session-1, SSL_RSA_WITH_RC4_128_SHA]
> ** SSL_RSA_WITH_RC4_128_SHA
> [read] MD5 and SHA1 hashes:  len = 74
> main, READ: TLSv1 Handshake, length = 1119
> *** Certificate chain
> chain [0] = [
> [
>   Version: V3
>   Subject: CN=clldc-s-6132.americas.shell.com
>   Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
> 
..
..
..
The OpenSSL server responds with a Certificate packet (server certificate).

> main, READ: TLSv1 Handshake, length = 61
> *** CertificateRequest
> Cert Types: RSA, DSS, Type-64, 
> Cert Authorities:
> 
> [read] MD5 and SHA1 hashes:  len = 57
> 0000: 0D 00 00 35 03 01 02 40   00 2F 00 2D 30 2B 31 29  ...5...@./.-0+1)
> 0010: 30 27 06 03 55 04 03 13   20 72 6F 6F 74 2E 43 52  0'..U... root.CR
> 0020: 4C 4C 37 47 57 31 2E 61   6D 65 72 69 63 61 73 2E  LL7GW1.americas.
> 0030: 73 68 65 6C 6C 2E 63 6F   6D                       shell.com
OpenSSL requests client authentication (certificate_request packet).
In this packet the server may send a list of acceptable CAs; in this
case the server tells the client that only certificates issued by:
CN=root.CRLL7GW1.americas.shell.com
are acceptable for authentication, and the client should have/use
only such a certificate.

> *** ServerHelloDone
> [read] MD5 and SHA1 hashes:  len = 4
> : 0E 00 00 00
> *** Certificate chain
Server ends this part of communication.

> JsseJCE: Using JSSE internal implementation for cipher
> RSA/ECB/PKCS1Padding
> *** ClientKeyExchange, RSA PreMa
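
The reading of the CertificateRequest in the message above can be reproduced from the bytes in the quoted trace, which is a useful check when a client certificate is silently not offered. The Python below is an added example, not part of the thread: it parses the TLS 1.0 CertificateRequest layout (RFC 2246, as negotiated in this trace), decodes the DER-encoded CA names, and tests a candidate issuer against them. The function names and the plain string comparison of DNs are assumptions of this example.

```python
# Added example: bytes copied from the "[read] ... len = 57" dump quoted above.
CERT_REQUEST_HEX = """
0D 00 00 35 03 01 02 40 00 2F 00 2D 30 2B 31 29
30 27 06 03 55 04 03 13 20 72 6F 6F 74 2E 43 52
4C 4C 37 47 57 31 2E 61 6D 65 72 69 63 61 73 2E
73 68 65 6C 6C 2E 63 6F 6D
"""
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh"}
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)  # the first byte packs the first two arcs
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def decode_name(der):
    """Render a DER Name (SEQUENCE of SET of SEQUENCE{OID, string}) as text."""
    tag, rdns, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name is not a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)         # one RDN (SET)
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)  # AttributeTypeAndValue
            _, oid, after_oid = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, after_oid)
            label = ATTR_NAMES.get(decode_oid(oid), decode_oid(oid))
            parts.append(label + "=" + value.decode("latin-1"))
    return ",".join(parts)

def parse_certificate_request(msg):
    """Parse a TLS 1.0 CertificateRequest: cert types, then a list of CA DNs."""
    if len(msg) < 7 or msg[0] != 0x0D:
        raise ValueError("not a CertificateRequest (handshake type 13)")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match message size")
    n_types = body[0]
    types, pos = body[1:1 + n_types], 1 + n_types
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    if len(types) != n_types or end != len(body):
        raise ValueError("certificate_types / CA list lengths are inconsistent")
    pos, cas = pos + 2, []
    while pos < end:
        dn_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        if dn_end > end:
            raise ValueError("DN overruns the CA list")
        cas.append(decode_name(body[pos + 2:dn_end]))
        pos = dn_end
    names = [CERT_TYPES.get(t, "type-%d" % t) for t in types]
    return {"cert_types": names, "acceptable_cas": cas}

def issuer_is_acceptable(request, issuer_dn):
    """An empty CA list means the server named no CA; otherwise require a match."""
    return not request["acceptable_cas"] or issuer_dn in request["acceptable_cas"]

REQUEST = parse_certificate_request(bytes.fromhex("".join(CERT_REQUEST_HEX.split())))
```

On the bytes from the trace, `REQUEST` lists one acceptable CA, so a keystore whose client certificate chains to any other issuer would not satisfy this request.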

Re: Open SSL server and JSee client

2007-04-18 Thread Jim Sansing
[EMAIL PROTECTED] wrote:
>Jim,
>Here's how I obtain my keystore files:
>
>1.  I have a client certificate information in p12 format.  I then
>imported it into a keystore file as key entry using sun security tool-
>pkcs12import (xws-security).  
>2. I also have the trusted Key store file that I imported the .pem file
>as trusted entry using the keytool utility
>
>3.  server (openSSL) requires the client certificate to be sent in.  The
>client certificate that I send in is signed by the root certificate
>which exists on the server.  Therefore the client should be trusted
>
>
>Below is the debug trace:
>
>trigger seeding of SecureRandom
>done seeding SecureRandom
>JsseJce: Using cipher AES/CBC/NoPadding from provider SunJCE
>%% No cached client session
>*** ClientHello, TLSv1
>  
Marek did a nice job of breaking down the handshake.  But it appears
that your problem is defined by the 'no IV' message.  I did a quick
search on it and didn't find much that was helpful.  Some of the
responses posted links to sites that explain what an Initialization
Vector is:

http://www.ciphersbyritter.com/NEWS6/CBCIV.HTM
http://en.wikipedia.org/wiki/Initialization_vector
http://www.trumpetpower.com/Papers/Crypto/Playfair

If you have any control over the server, there is some OpenSSL
information on IVs in the DES doc:

http://www.openssl.org/docs/crypto/des.html

However, I believe that unless someone here has something to add, your
best bet is to check out the JSSE Java Cryptography Extension forums.

Later . . .   Jim

>... no IV for cipher
>main, WRITE: TLSv1 Change Cipher Spec, length = 1
>JsseJCE: Using JSSE internal implementation for cipher RC4
>*** Finished
>verify_data:  { 250, 0, 28, 224, 143, 7, 113, 110, 246, 8, 118, 140 }
>***
>[write] MD5 and SHA1 hashes:  len = 16
>: 14 00 00 0C FA 00 1C E0   8F 07 71 6E F6 08 76 8C
>..qn..v.
>Plaintext before ENCRYPTION:  len = 36
>: 14 00 00 0C FA 00 1C E0   8F 07 71 6E F6 08 76 8C
>..qn..v.
>0010: 6C 89 0D 5C 7A 89 05 83   4D 24 29 E6 0F 40 30 00
>l..\z...M$)[EMAIL PROTECTED]
>0020: 0F 39 8D F5.9..
>main, WRITE: TLSv1 Handshake, length = 36
>main, READ: TLSv1 Alert, length = 2
>main, RECV TLSv1 ALERT:  fatal, handshake_failure
>main, called closeSocket()
>main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
>javax.jms.JMSSecurityException: Failed to connect via SSL to [ssl://clldc-s-6132:7243]: Received fatal alert: handshake_failure
>   at com.tibco.tibjms.TibjmsxLinkSSL.connect(TibjmsxLinkSSL.java:429)
>   at com.tibco.tibjms.TibjmsConnection._create(TibjmsConnection.java:688)
>   at com.tibco.tibjms.TibjmsConnection.(TibjmsConnection.java:1955)
>   at com.tibco.tibjms.TibjmsQueueConnection.(TibjmsQueueConnection.java:37)
>   at com.tibco.tibjms.TibjmsxCFImpl._createImpl(TibjmsxCFImpl.java:187)
>   at com.tibco.tibjms.TibjmsxCFImpl._createConnection(TibjmsxCFImpl.java:240)
>   at com.tibco.tibjms.TibjmsQueueConnectionFactory.createQueueConnection(TibjmsQueueConnectionFactory.java:79)
>   at Sender.main(Sender.java:39)
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Jim Sansing
>Sent: Wednesday, April 18, 2007 8:57 AM
>To: openssl-users@openssl.org
>Subject: Re: Open SSL server and JSee client
>
>What is the java error?
>
>But in the meantime, since you didn't mention it, there are a few steps
>you could verify:
>
>1) Since you are using a local keystore, can I assume that you added the
>certificate to it using the keystore command?
>
>2) By 'mutual authentication' do you mean that the server must
>authenticate the client's (self-signed) certificate? If so, has it been
>added to the server's local certificate file?
>
>3) If the server must authenticate multiple certificates, is it calling
>SSL_CTX_use_certificate_chain_file during init?
>
>Later . . . Jim
>
>
>[EMAIL PROTECTED] wrote:
>  
>>I have a JSEE client that needs to talk to a server that implements
>>openssl 0.9.8d. Mutual authentication is required. Even though I added
>>the JVM parameters used to load the client certificate, I keep getting
>>handshake failure. Just wonder this is a well known problem and what's
>>the appropriate workaround
>>
>>Below are the JVM parameters :
>>
>>-Djavax.net.debug=all,data,trustManager
>>-Djavax.net.ssl.keyStore=D:\Test\AmberPointAgent2
>>-Djavax.net.ssl.keyStorePassword=password
>>-Djavax.net.ssl.trustStore=D:\Test\AmberPointAgent
>>-Djavax.net.ssl.trustStorePassword=password
>>-Dcom.sun.net.ssl.dhKeyExchangeFix=true
>>
>>Thanks
>>
>>Lan
>>
>>This message is for the designated recipient only and may contain
>>privileged, proprietary, or otherwise private information. If you have
>>received it in error, please notify the sender immediately and delete
>>the original. Any other use of the email by you is prohibited.
>>
>>

Re: Open SSL server and JSee client

2007-04-18 Thread Marek Marcola
Hello,
> But it appears
> that your problem is defined by the 'no IV' message.  I did a quick
> search on it and didn't find much that was helpful.

> >... no IV for cipher
> >main, WRITE: TLSv1 Change Cipher Spec, length = 1
> >JsseJCE: Using JSSE internal implementation for cipher RC4
> >*** Finished
This looks OK, because the server, in its server_hello response message:

*** ServerHello, TLSv1
RandomCookie:  GMT: 1176916541 bytes = { 45, 229, 111, 4, 214, 4, 165,
223, 225, 54, 122, 132, 33, 91, 145, 240, 233, 49, 201, 33, 9, 181, 230,
193, 255, 149, 175, 33 }
Session ID:  {2, 18, 90, 147, 29, 80, 116, 91, 86, 137, 193, 208, 108,
46, 253, 8, 116, 148, 142, 161, 214, 52, 109, 80, 5, 46, 143, 80, 163,
109, 41, 137}
Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
Compression Method: 0

selects SSL_RSA_WITH_RC4_128_SHA, which means that RC4 will be used for
symmetric encryption, and RC4 is not a block cipher (RC4 is a stream
cipher). An IV is used when a block cipher in CBC mode is used (like DES
or AES), but here the server tells the client to use RC4 and an IV is not
needed.


Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>



RE: Open SSL server and JSee client

2007-04-18 Thread lana.n.dam


If an IV is not required for the cipher when we use RC4, does anyone have
an idea of what might be the problem?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Wednesday, April 18, 2007 1:17 PM
To: openssl-users@openssl.org
Subject: Re: Open SSL server and JSee client

Hello,
> But it appears
> that your problem is defined by the 'no IV' message.  I did a quick
> search on it and didn't find much that was helpful.

> >... no IV for cipher
> >main, WRITE: TLSv1 Change Cipher Spec, length = 1
> >JsseJCE: Using JSSE internal implementation for cipher RC4
> >*** Finished
This looks ok because server in server_hello response message:

*** ServerHello, TLSv1
RandomCookie:  GMT: 1176916541 bytes = { 45, 229, 111, 4, 214, 4, 165,
223, 225, 54, 122, 132, 33, 91, 145, 240, 233, 49, 201, 33, 9, 181, 230,
193, 255, 149, 175, 33 }
Session ID:  {2, 18, 90, 147, 29, 80, 116, 91, 86, 137, 193, 208, 108,
46, 253, 8, 116, 148, 142, 161, 214, 52, 109, 80, 5, 46, 143, 80, 163,
109, 41, 137}
Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
Compression Method: 0

selects SSL_RSA_WITH_RC4_128_SHA which means that for symmetric
encryption RC4 will be used which is not block cipher (RC4 is stream
cipher). IV is used when block cipher in CBC mode is used (like DES or
AES) but here server tells client to use RC4 and IV is not needed.


Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>



RE: BIGNUM library

2007-04-18 Thread Edward Chan
I was talking to the MS support guy who wrote that article.  He said he
has spoken with the engineers and assures me that it is not possible
with DH keys.  

But if someone knows otherwise, I'd really love some sample code.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, April 17, 2007 4:40 PM
To: openssl-users@openssl.org
Subject: Re: BIGNUM library

On Tue, Apr 17, 2007, Edward Chan wrote:

> The problem with CryptoAPI is that it doesn't give you direct access to
> the shared secret.  But I suspect it is wrong since the
> encryption/decryption fails (I encrypt something, and decrypt it, to
> make sure it is the same as the original).
> 

It doesn't give you *direct* access to the shared secret or indeed other types
of symmetric or asymmetric keys but there are back door ways of getting hold
of the key anyway.

One way is to encrypt the key using a public key to which you know the
corresponding private key and then obtaining the unencrypted result using
OpenSSL. Another trick is in an MS KB article somewhere which relies on using
a key with an exponent of 1.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


create a certificate

2007-04-18 Thread Alain Roger

Hi,

I'm new to OpenSSL and I'm currently trying to create a certificate.
I have Perl installed on my computer and I try CA.pl -newcert,

but I get the following message:
'openssl' is not recognized as an internal or external command
operable program or batch file.
Certificate is in newcert.pem, private key is in newkey.pem

If I try CA -newcert, I get no message.

How can I create a certificate and thus a private key named "test", for
example?

thanks a lot,
--
Alain

Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5