RE: Certificates, users and machines

2007-05-25 Thread David Schwartz

> > and you've just multiplied your public key computation
> > load by a factor of three or four.

> No, you "merely" double it. One - check that the identity cert is
> valid, two - that the attribute cert that *you* are interested in
> (out of a dozen that may be attached to this identity cert) is OK.

Not even that, because you save the cost of determining authorization some
other way. The other common way is some kind of secure connection to an
authorization box. One extra PK computation is probably less costly than
that. (And if you cache the certificate's validity, you only need to do that
once on a given server for a given user.)

DS


__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


RE: Unable to compile on AIX 5.1

2007-05-25 Thread Chapman, Kyle
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Huffman
Sent: Friday, May 25, 2007 6:29 PM
To: openssl-users@openssl.org
Subject: Unable to compile on AIX 5.1

I have been unsuccessful in compiling openssl-0.9.8 on AIX 5.1 (32-bit
ppc) using gcc (GCC) 4.0.0

My configure setting is:

./config no-shared

The configure completes successfully. I start the make command and the
app appears to compile but stops at this point in the process.

  /usr/bin/perl asm/ppc.pl aix_ppc32.s
  cc -I.. -I../.. -I../../include -DOPENSSL_THREADS -qthreaded
-DDSO_DLFCN -DHAVE_DLFCN_H -q32 -O -DB_ENDIAN -qmaxmem=16384 -c -o
aix_ppc32.o aix_ppc32.s
cc: unrecognized option '-qthreaded'
cc: unrecognized option '-q32'
cc: unrecognized option '-qmaxmem=16384


Those are options for the IBM VAC/XLC compiler.  Can you run Configure
and specify the platform to force it, or do you have vac/xlc installed
and it's just not in your path before a symlinked cc-->gcc?
 


Unable to compile on AIX 5.1

2007-05-25 Thread David Huffman
I have been unsuccessful in compiling openssl-0.9.8 on AIX 5.1 (32-bit 
ppc) using gcc (GCC) 4.0.0


My configure setting is:

./config no-shared

The configure completes successfully. I start the make command and the 
app appears to compile but stops at this point in the process.


 /usr/bin/perl asm/ppc.pl aix_ppc32.s
 cc -I.. -I../.. -I../../include -DOPENSSL_THREADS -qthreaded 
-DDSO_DLFCN -DHAVE_DLFCN_H -q32 -O -DB_ENDIAN -qmaxmem=16384 -c -o 
aix_ppc32.o aix_ppc32.s

cc: unrecognized option '-qthreaded'
cc: unrecognized option '-q32'
cc: unrecognized option '-qmaxmem=16384

The process table shows:




Any help would be appreciated.

David Huffman
Storix, Inc.


RE: Certificates, users and machines

2007-05-25 Thread Mouse
> For both the responses I got, it looks like the server need 
> to access the information (whether identity or attribute or 
> whatever) present in the certificate and use that to decide 
> the permissions for the peer that represented this certificate.
> Is my understanding correct?

Partially so. An Attribute Certificate is a _separate_ certificate that
becomes meaningful only when presented together with the identity cert. Its
purpose is to be able to add and remove certified attributes to an identity
cert, without having to re-issue the identity cert itself.

> I also agree that this is authorization problem. I was just 
> trying to get information on whether certificate handling in 
> openssl restricts me from issuing certificates to a group 
> instead of individuals. I guess I know it now.

The answer is - yes it does [restrict].

> Sounds good. Now, my server will be expecting a few specific 
> attributes in the certificate presented by peer, in order to 
> regulate access to different services, right?

That would be one way of doing it...

In design you should balance the expense of the authorization process
against convenience of its use.

I.e. are you going to authorize users based on credentials vouched by a 3rd
party? If not - then something like a local policy server is a more elegant
and computationally cheaper solution.

> So the question is
> which APIs in openssl allow me to access this information in 
> the certificate?

I'm afraid OpenSSL hasn't implemented Attribute Cert support yet. So the
above discussion is moot from practical point of view. You'd need to search
on the Net for one of a couple of OpenSSL enhancements that implement it
(still in development stage), or use a policy server-based approach.



RE: Certificates, users and machines

2007-05-25 Thread Mouse
> Well, the Subject Distinguished Name should have the 
> Organization...

Can you envision long-lived certs issued by gov't - like passports? In that
case, Organization would not have the same semantics. But this is less
relevant for our discussion.

> ...but I strongly disagree with you if you think 
> access permissions belong anywhere in a cert.

It appears to be convenient to have _separate_ certs - called ATTRIBUTE certs
- that carry that information. More convenient than other means of conveying
this same information.

In the above example - "identity cert" is your passport issued by (for the
sake of the argument) USA, "attribute cert issued by a different authority"
is your visa to enter (for the sake of the argument) India issued by Indian
consulate and with life-time shorter than your passport.
 
> Attribute certs are a lousy way to encode security policy.  

Matter of taste.

> You really only need signed assertions if the relying party 
> has no trusted method of communication with the policy server 
> (file/db/etc). 

Of course. Just like you really only need identity certs if the relying
party has no trusted method of communicating with authentication server.
I.e. if everything in your shop (and other shops you're communicating with)
is Kerberized - you don't need PKI.

> Revocation is a pain, certificate status is a 
> pain, 

Of course. That's true for *all* the PK issues - be it identity or attribute
certs.

> and you've just multiplied your public key computation 
> load by a factor of three or four.

No, you "merely" double it. One - check that the identity cert is valid, two
- that the attribute cert that *you* are interested in (out of a dozen that
may be attached to this identity cert) is OK.

> Much better to check whether the authenticated party has 
> permission to do what's requested at the time of the request.

Authentication and authorization are very distinct and different things.
Nonetheless, checking permissions is not that different from checking
authenticity.

For example - what means are there to check authenticity? And to check
authorization? 

> Group membership is questionable -- the OU is certainly a 
> kind of group, but for the purposes of access control a party 
> may belong to many groups, and a robust policy might restrict 
> access to certain hours during certain days of the week. 

The idea is that credentials that are long-lived and are meaningful
more-or-less universally (identity and - to a lesser extent - employment)
seem to fit well in the identity cert. Credentials that have shorter life,
but still somewhat persistent (and meaningful across localities) - would fit
in the attribute certs. And credentials that are not meaningful outside of
local environment and/or are very short-lived - probably are better served
by online query to the policy server.

> ...[from a different post]...Authentication involve untrusted 
> networks, passwords which can be stolen or forgotten etc. But 
> once you trust authentication, decisions about authorization 
> of authenticated users for certain operation are typically 
> within your server system.

If the only credential necessary for authorization decision is requestor's
identity, and all the policy information is readily available online - then
yes.

Imagine a situation in the future: you are coming to a car dealer and
present your identity cert plus an attribute cert issued by a bank that says
"owner of identity cert X has been approved for a loan for a new car in
amount of up to $XX valid till XXX".



Re: openssl question on Network Security with OpenSSL book example

2007-05-25 Thread gary clark
Hello,

I loaded the key file into the SSL_CTX and that
appeared to work, i.e. client.key. Is this correct?
I used the book and thought that CERTFILE, client.pem,
was being used in the
function: SSL_CTX_use_PrivateKey_file.

    if (SSL_CTX_use_PrivateKey_file(ctx,CERTFILE,SSL_FILETYPE_PEM)!=1)
    {
        ERR_print_errors_fp(stderr);
        printf("Error loading private key file!");
    }

Thanks,
Garyc





Re: openssl question on Network Security with OpenSSL book example

2007-05-25 Thread gary clark
Hello,

I managed to get past the problem of loading the
certificate:

I am now calling the below:
    if (SSL_CTX_use_PrivateKey_file(ctx,CERTFILE,SSL_FILETYPE_PEM)!=1)
    {
        ERR_print_errors_fp(stderr);
        printf("Error loading private key file!");
    }

I see the following error:

error:0906D06C:PEM routines:PEM_read_bio:no start line.\crypto\pem\pem_lib.c"647 Expecting: ANY PRIVATE KEY

I must apologise for any inconvenience on this in
advance. I'm just learning to crawl at the moment.

Thanks,
Garyc
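
The "no start line ... Expecting: ANY PRIVATE KEY" error above is what OpenSSL's PEM reader reports when the file it was given has no `-----BEGIN ... PRIVATE KEY-----` line, as happens when CERTFILE holds only a certificate. The following is an added example, not code from this thread or from the book: a dependency-free C scanner that reports which PEM block types a file's contents hold before they are passed to SSL_CTX_use_certificate_chain_file and SSL_CTX_use_PrivateKey_file. The function names and sample buffers are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Counts of complete PEM blocks, plus BEGIN lines that never got a matching END. */
struct pem_summary { int certificates, private_keys, other, unterminated; };
enum pem_verdict { PEM_BOTH, PEM_CERT_ONLY, PEM_KEY_ONLY, PEM_NEITHER };

static int has_suffix(const char *s, size_t n, const char *suf)
{
    size_t m = strlen(suf);
    return n >= m && memcmp(s + n - m, suf, m) == 0;
}

/* "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY", ... all count as keys. */
static void classify(const char *label, struct pem_summary *out)
{
    if (has_suffix(label, strlen(label), "PRIVATE KEY"))
        out->private_keys++;
    else if (!strcmp(label, "CERTIFICATE") || !strcmp(label, "X509 CERTIFICATE") ||
             !strcmp(label, "TRUSTED CERTIFICATE"))
        out->certificates++;
    else
        out->other++;   /* CSR, public key, parameters, ... */
}

/* Walk the text line by line, pairing each BEGIN line with the END line of the same label. */
struct pem_summary pem_scan(const char *text)
{
    struct pem_summary out = {0, 0, 0, 0};
    char open[64] = "";          /* label of the block we are currently inside */
    const char *p = text;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *next = eol ? eol + 1 : p + len;
        while (len && (p[len - 1] == '\r' || p[len - 1] == ' '))
            len--;               /* tolerate CRLF files and trailing blanks */

        if (len > 16 && len < 16 + sizeof open &&
            !memcmp(p, "-----BEGIN ", 11) && has_suffix(p, len, "-----")) {
            if (open[0])
                out.unterminated++;          /* previous block never closed */
            memcpy(open, p + 11, len - 16);
            open[len - 16] = '\0';
        } else if (open[0] && len > 14 && !memcmp(p, "-----END ", 9) &&
                   has_suffix(p, len, "-----") &&
                   len - 14 == strlen(open) && !memcmp(p + 9, open, len - 14)) {
            classify(open, &out);
            open[0] = '\0';
        }
        p = next;
    }
    if (open[0])
        out.unterminated++;
    return out;
}

/* PEM_CERT_ONLY is the case in which the private-key load fails with "no start line". */
enum pem_verdict pem_verdict_for(const char *text)
{
    struct pem_summary s = pem_scan(text);
    if (s.certificates && s.private_keys) return PEM_BOTH;
    if (s.certificates) return PEM_CERT_ONLY;
    if (s.private_keys) return PEM_KEY_ONLY;
    return PEM_NEITHER;
}

/* Constructed samples; the base64 bodies are placeholders, not real key material. */
static const char CERT_ONLY_PEM[] =
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END CERTIFICATE-----\n";

static const char COMBINED_PEM[] =          /* CRLF line endings, as on Windows */
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    "Q09OU1RSVUNURUQ=\r\n"
    "-----END RSA PRIVATE KEY-----\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "Q09OU1RSVUNURUQ=\r\n"
    "-----END CERTIFICATE-----\r\n";

static const char TRUNCATED_PEM[] =         /* key block cut off before its END line */
    "-----BEGIN CERTIFICATE-----\nQ09OU1RS\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nQ09OU1RS\n";

int main(void)
{
    static const char *names[] = { "cert + key", "cert only", "key only", "neither" };
    printf("cert-only file: %s\n", names[pem_verdict_for(CERT_ONLY_PEM)]);
    printf("combined file:  %s\n", names[pem_verdict_for(COMBINED_PEM)]);
    printf("truncated file: %s (unterminated blocks: %d)\n",
           names[pem_verdict_for(TRUNCATED_PEM)], pem_scan(TRUNCATED_PEM).unterminated);
    return 0;
}
```

A file that scans as "cert only" needs the key loaded from a separate file, or the key block appended to it, before the same path can serve both calls.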



Re: openssl question on Network Security with OpenSSL book example

2007-05-25 Thread gary clark
My Bad. I missed the SSL_library_init() call.

Sorry.

Thanks,
Garyc


Re: openssl question on Network Security with OpenSSL book example

2007-05-25 Thread david kine
Did you call "SSL_library_init()","SSL_load_error_strings()", etc.?


Re: openssl question on Network Security with OpenSSL book example

2007-05-25 Thread gary clark
Hello,

After performing the following:

SSL_CTX * ctx = SSL_CTX_new(SSLv23_client_method());

Huh! Dumped the result of the failure and errorcode.

The ctx value is:

ctx=0x0

OPENSSL_Uplink(100EA000,07): no OPENSSL_Applink

The above failure of ERR_print_errors_fp(stderr);

Could somebody be so kind to enlighten me on what I'm
doing wrong?

Thanks,
Garyc


Re: openssl question on Network Security with OpenSSL book example

2007-05-25 Thread gary clark
Hello,

Running Windows and built using VC++.

I have discovered that my SSL_CTX * is null
when attempting to call:

SSL_CTX * ctx = SSL_CTX_new(SSLv23_client_method());

why would this happen? It's a little confusing it
builds fine.

Thanks,
Garyc

SSL_CTX * ctx = 


Adding Extended Key Usage extensions to a CSR

2007-05-25 Thread RSnyder

Greetings,

I have a method that creates a certificate signing request.  I need to add
extended key usage extensions to my request that specify the OIDs for both
server and client, i.e. 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2.

The documentation is not helping me understand how to do this and I cannot
seem to find any specific examples.  What calls must I make in order to
first create the extension and specify the OIDs, and second add the
extension to the request?

Thanks


openssl question on Network Security with OpenSSL book example

2007-05-25 Thread gary clark

Hello,

Took the client and server code from the Network
Security with OpenSSL chapter 5. Built the server and
client code non-secure. This part worked like a charm.

Having a problem building the secure version. I'm
using Windows VC++ and windows and attempting to use
the 5.5 client. I would like to know where the
"client.pem" file and the function provided 
"seed_prng" appears to use a unix /dev/random what do
I use for windows?

I attempted to use the client.pem file that the
openssl-0.9.8e provides. It failed to load the
certificate. Is that a valid certificate to use?

Much appreciate any help in advance on this.

Thanks,
Garyc

SSL_CTX * setup_client_ctx(void)
{
    SSL_CTX * ctx;

    ctx = SSL_CTX_new(SSLv23_method());

    if (SSL_CTX_use_certificate_chain_file(ctx,CERTFILE) != 1)
        printf("Error loading certificate file!");
    if (SSL_CTX_use_PrivateKey_file(ctx,CERTFILE,SSL_FILETYPE_PEM) != 1)
        printf("Error loading private key file!");

    printf("Successful!");
    return ctx;
}


Re: RE: Certificates, users and machines

2007-05-25 Thread Victor B. Wagner
On 2007.05.25 at 08:16:19 -0400, Mouse wrote:

> I'm driving at Attribute Certificates. They are supposed to have shorter
> life than identity certs, but still long enough to be usable. 

I've seen a project to add attribute certificates to OpenSSL.
http://openpmi.sourceforge.net/
You can try to download patches from this project and adapt them for use in
your environment. It seems that they have a very preliminary version which must
be cleaned up to work on all platforms OpenSSL supports.


> The question of whether attribute certs are better or worse for
> authorization than e.g. flat files is similar to whether cert-based identity
> authentication is better or worse than e.g. LDAP-based one or flat files
> e.g. Unix /etc/passwd.

Typically requirements for authorization and authentication are very
different. Authentication involves untrusted networks, passwords which
can be stolen or forgotten etc. But once you trust authentication,
decisions about authorization of authenticated users for certain
operations are typically within your server system.

But if there are RFCs for attribute certifications, TLS authorization
extensions etc, there should be situations when cryptography-based
authorization is needed.



Re: Certificates, users and machines

2007-05-25 Thread Urjit Gokhale
Thank you very much for the response.
For both the responses I got, it looks like the server needs to access the
information (whether identity or attribute or whatever) present in the
certificate and use that to decide the permissions for the peer that
represented this certificate.
Is my understanding correct?

> > Yes.  The problem of granting access based on membership in a
> > group is an authorization problem.
> > This doesn't have
> > anything to do with certificates -- permissions and roles
> > change independently of binding of key to identity.  LDAP,
> > flat files, /etc/group, etc.

I also agree that this is an authorization problem. I was just trying to get
information on whether certificate handling in openssl restricts me from
issuing certificates to a group instead of individuals. I guess I know it now.

> Mostly correct. Often it is convenient to have not only identity - but also
> "attributes" of it certified. I.e. for the sake of the argument identity
> "Michael" may have an attribute "employee of Tenebras", and another
> attribute "permitted access to dev repository A12".
> I'm driving at Attribute Certificates. They are supposed to have shorter
> life than identity certs, but still long enough to be usable.
>
> > You could have a hierarchy, with a subordinate CA for each
> > role or group, if you want to manage it that way.  I wouldn't.
>
> He would have to have attribute CA's for each attribute - not necessarily
> for each value of the attribute. I.e. an attribute CA "Personnel Department"
> could issue attribute certificates "employed in position X", "granted
> access to resource Y"...

Sounds good. Now, my server will be expecting a few specific attributes in
the certificate presented by peer, in order to regulate access to different
services, right? So the question is which APIs in openssl allow me to access
this information in the certificate?

Also, it will be really great if someone could explain the default
certificate verification process in openssl.

Thank you once again for your response.
~ Urjit





Re: Newbie questions

2007-05-25 Thread gary clark
Much appreciated Endhy.

Garyc
--- Endhy Aziz <[EMAIL PROTECTED]> wrote:

>  I wrote :
> "One of the chapter, "Designing With SSL" may help
> ".
> 
> Should be :
> One of the chapter, "Coding With SSL" may help
> 
> Regards,
> 
> --Endhy


Re: Certificates, users and machines

2007-05-25 Thread Michael Sierchio

Mouse wrote:

> I.e. for the sake of the argument identity
> "Michael" may have an attribute "employee of Tenebras", and another
> attribute "permitted access to dev repository A12".

Well, the Subject Distinguished Name should have the Organization,
but I strongly disagree with you if you think access permissions belong
anywhere in a cert.


> The question of whether attribute certs are better or worse for
> authorization than e.g. flat files is similar to whether cert-based identity
> authentication is better or worse than e.g. LDAP-based one or flat files
> e.g. Unix /etc/passwd.


Attribute certs are a lousy way to encode security policy.  You really
only need signed assertions if the relying party has no trusted
method of communication with the policy server (file/db/etc).  Revocation
is a pain, certificate status is a pain, and you've just multiplied
your public key computation load by a factor of three or four.
Much better to check whether the authenticated party has permission
to do what's requested at the time of the request.

Group membership is questionable -- the OU is certainly a kind
of group, but for the purposes of access control a party may
belong to many groups, and a robust policy might restrict access
to certain hours during certain days of the week.  If you
seriously consider this, then the idea of putting access controls
in certificates really looks absurd.

- Michael



RE: Certificates, users and machines

2007-05-25 Thread Mouse
> > ...  is it necessary to
> > issue ONE certificate to EACH individual.
> 
> Yes.  The problem of granting access based on membership in a 
> group is an authorization problem. 

Correct.

> This doesn't have 
> anything to do with certificates -- permissions and roles 
> change independently of binding of key to identity.  LDAP, 
> flat files, /etc/group, etc.

Mostly correct. Often it is convenient to have not only identity - but also
"attributes" of it certified. I.e. for the sake of the argument identity
"Michael" may have an attribute "employee of Tenebras", and another
attribute "permitted access to dev repository A12".

I'm driving at Attribute Certificates. They are supposed to have shorter
life than identity certs, but still long enough to be usable. 

> You could have a hierarchy, with a subordinate CA for each 
> role or group, if you want to manage it that way.  I wouldn't.

He would have to have attribute CA's for each attribute - not necessarily
for each value of the attribute. I.e. an attribute CA "Personnel Department"
could issue attribute certificates "employed in position X", "granted
access to resource Y"...

The question of whether attribute certs are better or worse for
authorization than e.g. flat files is similar to whether cert-based identity
authentication is better or worse than e.g. LDAP-based one or flat files
e.g. Unix /etc/passwd.



Re: AW: Database file structure

2007-05-25 Thread Bernhard Froehlich

domi wrote:

> Hello Bruno and Thomas,
>
> Number 1 and 4-6 are definitively right as far as I know. I think that
> number 2 and 3 are correct too. But I'm not quite sure.
> Thomas would you be so kind and tell me in what format the time is written?
> Or just give me a link where I can find the information; my search wasn't
> successful.
>
> Thanks in advance and best regards
>
> Dominic
  
Have a look at 
http://www.mail-archive.com/openssl-users@openssl.org/msg45982.html


Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26






Re: AW: Database file structure

2007-05-25 Thread domi

Hello Bruno and Thomas,

Number 1 and 4-6 are definitively right as far as I know. I think that
number 2 and 3 are correct too. But I'm not quite sure.
Thomas would you be so kind and tell me in what format the time is written?
Or just give me a link where I can find the information; my search wasn't
successful.

Thanks in advance and best regards

Dominic




thomas.beckmann wrote:
> 
> Bruno,
> 
> A database line is structured as follows:
> 
> 1. state of the cert (V=valid, R=revoked, E=expired where the state is not
> changed automatically if a cert expires)
> 2. end of validity
> 3. revocation time (empty when the cert is not revoked)
> 4. serial number in hex
> 5. Where the cert can be found (only value is "unknown" today)
> 6. Name of certificate holder (normally the DN)
> 
> Regards
> 
> Thomas
> 
>> -Original Message-
>> From: [EMAIL PROTECTED] 
>> [mailto:[EMAIL PROTECTED] On Behalf Of Bruno 
>> Costacurta
>> Sent: Thursday, 24 May 2007 17:30
>> To: openssl-users@openssl.org
>> Subject: Database file structure
>> 
>> Dears,
>> 
>> just for curiosity,
>> what are the structure & description of the database file 
>> (often) called 'index' and which corresponds in fact to the 
>> parameter 'database' in openssl.cnf ?
>> Please find a sample hereafter as it's mainly human readable.
>> 
>> Thanks for any info.
>> Bye,
>> Bruno
>> 
>> ...
>> V100221212735Z   03  unknown /C=BE/ST=Brussels 
>> Region/L=Brussels/O=Acme.org/CN=acer9100 radius 
>> client/[EMAIL PROTECTED]
>> V100523143810Z   04  unknown /C=BE/ST=Brussels 
>> Region/L=Brussels/O=Acme.org/CN=pc34ghz.org/emailAddress=bruno
>> @Acme.org
>> V100523144327Z   05  unknown /C=BE/ST=Brussels 
>> Region/L=Brussels/O=Acme.org/CN=pc34ghz.org/emailAddress=bruno
>> @Acme.org
>> V100523151137Z   06  unknown /C=BE/ST=Brussels 
>> Region/L=Brussels/O=Acme.org/CN=Bruno
>> Acme/[EMAIL PROTECTED]/description=test only
>> V100523151243Z   07  unknown /C=BE/ST=Brussels 
>> Region/L=Brussels/O=Acme.org/CN=pc34ghz.org/emailAddress=bruno
>> @Acme.org/description=for
>> apache2 SSL server & client
>> ...
>> 
>> --
>> PGP key ID: 0x2e604d51
>> Key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
>> Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
>> --
>> 
> 


Re: Certificates, users and machines

2007-05-25 Thread Michael Sierchio

Urjit Gokhale wrote:

It seems that you are making the common mistake of conflating authentication
with authorization.  Certs are useful in binding pubkeys to identities and
subsequently in verifying possession of the private key by being able to
perform decryption.

The SSL protocol has provision for client_auth, which means that the
server and client must each present a cert.  If this is the case,
need_client_auth is communicated in the handshake, along with a list
of DNs of CAs trusted by the server.  The client must present a cert
or cert chain which is rooted in one of those CAs.

> ...  is it necessary to
> issue ONE certificate to EACH individual.


Yes.  The problem of granting access based on membership in a group
is an authorization problem.  This doesn't have anything to do with
certificates -- permissions and roles change independently of binding
of key to identity.  LDAP, flat files, /etc/group, etc.

You could have a hierarchy, with a subordinate CA for each role or
group, if you want to manage it that way.  I wouldn't.

- Michael


Re: Certificates, users and machines

2007-05-25 Thread Marek Marcola
Hello,
> I would like to have your opinion on one scenario, and my approach to
> provide needed functionality:
> 1) I have a server that listens to connection requests from the clients over
> the internet (meaning anyone and everyone who knows my ip/port can send me
> connection request. I am not behind a proxy).
> 2) I trust a CA (my_ca). So I have this CA's root certificate, which I can
> use to verify client certificates.
> 3) I wish to service client requests coming only from a particular group. So
> I need client authentication.
> 
> Now, if I do not specify any certificate verification callback in the
> server, any and every client who has a certificate signed by 'my_ca' will be
> able to connect to me, because by default (I believe) openssl will only
> verify that the client certificate is authentic (signed by trusted CA). Is
> this understanding right?
Yes.

> Assuming that this is true, I will 'have to' specify a callback that will
> actually validate the certificate presented by the client, by looking at
> information other than the public key present in the certificate, right? How
> do I retrieve this information from the certificate? Could someone point me
> to APIs which retrieve this information from the certificate?
You can do this in an SSL callback or after SSL negotiation.
After SSL_accept() returns, you are sure that SSL client authentication
ended successfully (provided that you configured the SSL server to request
that :-) and that the certificate is verified (valid time, signature ...).
After that you can in your application get the client certificate from the SSL
object:
cert = SSL_get_peer_certificate(ssl);
and next get some info from cert:
subject = X509_get_subject_name(cert);
issuer = X509_get_issuer_name(cert);
serial = ASN1_INTEGER_get(X509_get_serialNumber(cert));
some info may be converted to text and printed:
X509_NAME_oneline(subject, buf, sizeof(buf));
X509_NAME_oneline(issuer, buf, sizeof(buf));

with this info you may decide to accept certificate or not to accept ...
If you decided to not accept: shutdown SSL connection.

> considering that retrieving and validating certificate information is
> possible, can I (rather the trusted CA my_ca) issue ONE unique certificate
> to a bunch of people(this means giving the same private-public key to all
> these people), such that they represent a group that my server is interested
> in entertaining? This question arises as I need to clarify if it is possible
> to issue ONE certificate to multiple individuals, or is it necessary to
> issue ONE certificate to EACH individual.
Of course you can issue one certificate and give it to some people
for authentication purpose. Technically this will work.
But with the certificate you must give the private key too (in reality this
key is used for client authentication in SSL).
If in one place this private key is compromised then you have to
generate a new key/certificate and give it to ALL users.
If in one place this private key is compromised then you have to
disable this certificate on the server and this will disable ALL your
clients.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>
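
The accept-or-reject decision described in this reply, sketched in Python as an added example (not code from the thread or from OpenSSL). Python's ssl module wraps OpenSSL and its getpeercert() returns the same subject, issuer and serial that the C calls above extract; the AccessPolicy class, the group names and the sample certificates are constructed for illustration.

```python
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

DN = Tuple[Tuple[str, str], ...]

# Hypothetical issuer DN of the CA called 'my_ca' in the thread.
MY_CA: DN = (("countryName", "BE"),
             ("organizationName", "Example Org"),
             ("commonName", "my_ca"))


def flatten_dn(rdns) -> DN:
    """Turn getpeercert()'s nested RDN tuples into one flat, comparable tuple."""
    return tuple((str(k), str(v)) for rdn in rdns for (k, v) in rdn)


class AccessPolicy:
    """Server-side table mapping certificate serials of one CA to groups."""

    def __init__(self, trusted_issuer: DN) -> None:
        self.trusted_issuer = trusted_issuer
        self._groups: Dict[int, FrozenSet[str]] = {}
        self._disabled: Set[int] = set()

    def enroll(self, serial_hex: str, groups: Iterable[str]) -> None:
        self._groups[int(serial_hex, 16)] = frozenset(groups)

    def disable(self, serial_hex: str) -> None:
        """Cut off one certificate without touching any other user."""
        self._disabled.add(int(serial_hex, 16))

    def authorize(self, peer_cert: Optional[dict], required_group: str) -> bool:
        # None: no certificate was presented. {}: presented but not verified.
        if not peer_cert:
            return False
        if flatten_dn(peer_cert.get("issuer", ())) != self.trusted_issuer:
            return False
        try:
            serial = int(peer_cert["serialNumber"], 16)
        except (KeyError, TypeError, ValueError):
            return False
        if serial in self._disabled:
            return False
        # Default deny: a valid certificate from the CA is not enough.
        return required_group in self._groups.get(serial, frozenset())


def sample_cert(common_name: str, serial_hex: str, issuer_cn: str = "my_ca") -> dict:
    """Constructed stand-in for the dict ssl.SSLSocket.getpeercert() returns."""
    return {
        "subject": ((("countryName", "BE"),), (("commonName", common_name),)),
        "issuer": ((("countryName", "BE"),),
                   (("organizationName", "Example Org"),),
                   (("commonName", issuer_cn),)),
        "serialNumber": serial_hex,
    }


def demo() -> dict:
    policy = AccessPolicy(MY_CA)
    policy.enroll("0A", ["dev-repo"])
    policy.enroll("0B", ["dev-repo", "billing"])
    alice, bob = sample_cert("alice", "0A"), sample_cert("bob", "0B")
    results = {
        "alice_dev": policy.authorize(alice, "dev-repo"),
        "alice_billing": policy.authorize(alice, "billing"),
        "unenrolled": policy.authorize(sample_cert("carol", "0C"), "dev-repo"),
    }
    policy.disable("0A")  # alice's key is compromised; bob is unaffected
    results["alice_after_disable"] = policy.authorize(alice, "dev-repo")
    results["bob_after_disable"] = policy.authorize(bob, "dev-repo")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(name, allowed)
```

With one certificate per individual, disabling serial 0A leaves every other user working; with a shared certificate the same step would lock out the whole group.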



Re: Certificates, users and machines

2007-05-25 Thread Urjit Gokhale
Still no response :-(
Could someone please help me clarify my doubts?
thanks,
~ Urjit

- Original Message - 
From: "Urjit Gokhale" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, May 24, 2007 4:28 PM
Subject: Re: Certificates, users and machines


> Thanks for your reply.
> I would like to have your opinion on one scenario, and my approach to
> provide needed functionality:
> 1) I have a server that listens to connection requests from the clients over
> the internet (meaning anyone and everyone who knows my ip/port can send me
> connection request. I am not behind a proxy).
> 2) I trust a CA (my_ca). So I have this CA's root certificate, which I can
> use to verify client certificates.
> 3) I wish to service client requests coming only from a particular group. So
> I need client authentication.
>
> Now, if I do not specify any certificate verification callback in the
> server, any and every client who has a certificate signed by 'my_ca' will be
> able to connect to me, because by default (I believe) openssl will only
> verify that the client certificate is authentic (signed by trusted CA). Is
> this understanding right?
>
> Assuming that this is true, I will 'have to' specify a callback that will
> actually validate the certificate presented by the client, by looking at
> information other than the public key present in the certificate, right? How
> do I retrieve this information from the certificate? Could someone point me
> to APIs which retrieve this information from the certificate?
>
> considering that retrieving and validating certificate information is
> possible, can I (rather the trusted CA my_ca) issue ONE unique certificate
> to a bunch of people(this means giving the same private-public key to all
> these people), such that they represent a group that my server is interested
> in entertaining? This question arises as I need to clarify if it is possible
> to issue ONE certificate to multiple individuals, or is it necessary to
> issue ONE certificate to EACH individual.
>
>
> Thanks,
> ~ Urjit
>
>
> - Original Message - 
> From: "Kyle Hamilton" <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, May 16, 2007 4:45 PM
> Subject: Re: Certificates, users and machines
>
>
> > A certificate binds the public key of a public/private (asymmetric)
> > key pair with additional information.
> > A certificate is trusted by some trusting authority.  In most cases,
> > this is a certifying authority (CA) -- and the asymmetric signature
> > by the CA is an assertion that the CA believes that the binding is
> > correct.
> >
> > The additional information can relate to the user, or the user
> > +machine, or machine itself, or literally any other combination.  For
> > purposes of your question, though, it relates to these three options.
> >
> > The certificate is never, ever used in isolation.  It is used in
> > conjunction with the private key, at a minimum, but it may also be
> > used with protocol data.  (i.e., machine address.)
> >
> > I am unable to provide you with sample code for this purpose.
> > However, I must warn that there exist software proxies which are
> > capable of masking the true originating host.  (If you wish to be
> > certain that a connection is from a host in your IP range, for
> > example, you must ensure that a proxy software is not in place on
> > that host.)  You can perform such a check by getting the peer's
> > address on the connection in question... and then verifying that the
> > host is valid.  (You can do this from information stored in the
> > certificate, or from information stored in a database that  only the
> > verifier has access to.)
> >
> > You may also verify a given computer based on its IP, versus
> > information stored in the certificate and signed by your CA.  Again,
> > the 'proxy' problem asserts itself, but such an attack might be more
> > sophisticated.
> >
> > Regardless, there exist no 100% guarantees.  You must weigh the value
> > of any given attack versus the cost of that attack, and set your
> > policies appropriately.)
> >
> > I hope this information helps.
> >
> > -Kyle H
> >
> > On May 16, 2007, at 3:33 AM, Urjit Gokhale wrote:
> >
> > > Hello everyone,
> > >
> > > I have some doubts about certificates, which I wish to get
> > > clarification on.
> > >
> > > Here is my understanding about certificates:
> > > * Certificates bind the public key with some other information like
> > > the name of the owner(user), who generated the certificate, the validity
> > > period etc.
> > > * The certificates are signed by some entity (CA), just to assure
> > > that association between the public key and the other information is
> > > correct. This helps in identifying the authenticity of the certificate.
> > >
> > > Now, I state what *I believe* is true in case of PKI and certificates:
> > > 1) A private key-public key pair created, can be
> > >   a) given to a specific user,
> > >   b) stored on a specific machine. (By some authority ?)
> >

Re: I'm volunteering to write some documentation

2007-05-25 Thread Dr. Stephen Henson
On Fri, May 25, 2007, Peter Kuykendall wrote:

> Kyle Hamilton wrote:
> 
> This is OK if your key happens to be text, but I'm stuck on how to pass 
> a binary key.  After figuring out the basic syntax, my new problem is 
> that the real key is random binary stuff, and I don't know if there is a 
> way to pass it on the command line.

There isn't a command line option to do this in OpenSSL 0.9.8. The HMAC
option was added largely for consistency with the FIPS build 0.9.7 which makes
use of this option.

OpenSSL 0.9.9 has more general MAC support but that is experimental and not
documented yet.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: I'm volunteering to write some documentation

2007-05-25 Thread Peter Kuykendall

Kyle Hamilton wrote:

What is it that you're trying to do with the CLI?  We might be able to
assist with that.


Thanks Kyle.  I'm actually doing 2 separate things.  I'll list the 2nd 
one in a separate thread.


I'm using openssl version 0.9.8e

This task is simply to generate a sha1 HMAC across some binary data.  I 
could not figure out the command line syntax to invoke that function and 
also how to pass it the parameters.  After a couple of hours of reading 
source code and experimenting, I found the following syntax:


to generate an HMAC across the binary file myfile.bin, using the key 
"MYKEY" (ASCII), the syntax is:


openssl sha1 -hmac MYKEY myfile.bin

This is OK if your key happens to be text, but I'm stuck on how to pass 
a binary key.  After figuring out the basic syntax, my new problem is 
that the real key is random binary stuff, and I don't know if there is a 
way to pass it on the command line.  I have scrutinized the source code 
and as far as I can tell there's just no way to pass an argument to tell 
it to read the key from a file.  Nor is there a way to tell it to 
interpret the key as ASCII hex, e.g.:


openssl sha1 -hmac 0102030405060708090a0b0c0d0e0f myfile.bin

or:

openssl sha1 -hmac 0x0102030405060708090a0b0c0d0e0f myfile.bin

The code to parse that does not seem to exist in openssl, at least where 
it is parsing the HMAC key command line argument (dgst.c line 197).


So I'm wondering if I can work around this by invoking some shell 
functionality to parse the ASCII hex.  Does Linux or Windows have some 
shell functionality that has the shell parse the ASCII hex parameter and 
feed it in as binary?  Or maybe there is some other way?



As for documentation, write it up and email it as an attachment to
[EMAIL PROTECTED]  rt is the request tracker, and it'll make it possible
to keep track of its status.


Great, thanks!  I could not find even any mention of the existence of 
hmac functionality in any of the man pages or command line help.  I'm 
more than happy to write up whatever I can find and figure out on this.


-Kyle H

On 5/24/07, Peter Kuykendall <[EMAIL PROTECTED]> wrote:

I'm trying to use a couple of simple functions of the openssl CLI and
can't figure it out from the docs nor the mailing list archives.  Since
it seems that I'm going to have to review the source code to understand
the proper syntax, I'd like to expand the documentation to share this
knowledge after I discover it.

How can I make this contribution?

Thanks - Pete
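
One way to get an HMAC-SHA1 over a file with a binary key given as ASCII hex, which the replies in this thread say the 0.9.8 command line cannot do. This is an added example, not code from the thread or from OpenSSL; it uses Python's standard hmac module, and the function names are chosen here for illustration.

```python
import hashlib
import hmac
import io
import sys


def parse_hex_key(text: str) -> bytes:
    """Decode an ASCII-hex key, with or without a leading 0x, into raw bytes."""
    digits = text.strip()
    if digits[:2].lower() == "0x":
        digits = digits[2:]
    if not digits or len(digits) % 2:
        raise ValueError("key must be a non-empty, even-length hex string")
    try:
        return bytes.fromhex(digits)
    except ValueError:
        raise ValueError("key contains non-hex characters") from None


def hmac_sha1_stream(key: bytes, stream, chunk_size: int = 65536) -> str:
    """HMAC-SHA1 over a binary stream, read in chunks so large files are fine."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        mac.update(chunk)
    return mac.hexdigest()


def verify_stream(key: bytes, stream, expected_hex: str) -> bool:
    """Check a received tag in constant time instead of with ==."""
    actual = hmac_sha1_stream(key, stream)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def text_vs_binary(hex_key: str, data: bytes):
    """Tags for the same hex string used as literal characters (what
    'openssl sha1 -hmac <hex>' computes) and as decoded bytes."""
    as_text = hmac_sha1_stream(hex_key.encode("ascii"), io.BytesIO(data))
    as_bytes = hmac_sha1_stream(parse_hex_key(hex_key), io.BytesIO(data))
    return as_text, as_bytes


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: hmac_file.py HEXKEY FILE")
    with open(sys.argv[2], "rb") as fh:
        print(hmac_sha1_stream(parse_hex_key(sys.argv[1]), fh))
```

The two tags returned by text_vs_binary differ, which is why passing the hex string straight to -hmac does not produce the MAC for the binary key.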





Re: I'm volunteering to write some documentation

2007-05-25 Thread Kyle Hamilton

What is it that you're trying to do with the CLI?  We might be able to
assist with that.

As for documentation, write it up and email it as an attachment to
[EMAIL PROTECTED]  rt is the request tracker, and it'll make it possible
to keep track of its status.

-Kyle H

On 5/24/07, Peter Kuykendall <[EMAIL PROTECTED]> wrote:

I'm trying to use a couple of simple functions of the openssl CLI and
can't figure it out from the docs nor the mailing list archives.  Since
it seems that I'm going to have to review the source code to understand
the proper syntax, I'd like to expand the documentation to share this
knowledge after I discover it.

How can I make this contribution?

Thanks - Pete





Re: Where does openssl store public keys?

2007-05-25 Thread Marek Marcola
Hello,
> When I generate a key pair with an openssl genrsa command I get a private
> key. But where is the corresponding public key stored?
After genrsa private and public key are stored in the same file.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>



AW: Database file structure

2007-05-25 Thread thomas.beckmann
Bruno,

A database line is structured as follows:

1. state of the cert (V=valid, R=revoked, E=expired where the state is not 
changed automatically if a cert expires)
2. end of validity
3. revocation time (empty when the cert is not revoked)
4. serial number in hex
5. Where the cert can be found (only value is "unknown" today)
6. Name of certificate holder (normally the DN)

Regards

Thomas

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Bruno 
> Costacurta
> Sent: Thursday, 24 May 2007 17:30
> To: openssl-users@openssl.org
> Subject: Database file structure
> 
> Dears,
> 
> just for curiosity,
> what are the structure & description of the database file 
> (often) called 'index' and which corresponds in fact to the 
> parameter 'database' in openssl.cnf ?
> Please find a sample hereafter as it's mainly human readable.
> 
> Thanks for any info.
> Bye,
> Bruno
> 
> ...
> V 100221212735Z   03  unknown /C=BE/ST=Brussels 
> Region/L=Brussels/O=Acme.org/CN=acer9100 radius 
> client/[EMAIL PROTECTED]
> V 100523143810Z   04  unknown /C=BE/ST=Brussels 
> Region/L=Brussels/O=Acme.org/CN=pc34ghz.org/emailAddress=bruno
> @Acme.org
> V 100523144327Z   05  unknown /C=BE/ST=Brussels 
> Region/L=Brussels/O=Acme.org/CN=pc34ghz.org/emailAddress=bruno
> @Acme.org
> V 100523151137Z   06  unknown /C=BE/ST=Brussels 
> Region/L=Brussels/O=Acme.org/CN=Bruno
> Acme/[EMAIL PROTECTED]/description=test only
> V 100523151243Z   07  unknown /C=BE/ST=Brussels 
> Region/L=Brussels/O=Acme.org/CN=pc34ghz.org/emailAddress=bruno
> @Acme.org/description=for
> apache2 SSL server & client
> ...
> 
> --
> PGP key ID: 0x2e604d51
> Key : http://www.costacurta.org/keys/bruno_costacurta_pgp_key.html
> Key fingerprint = 713F 7956 9441 7DEF 58ED  1951 7E07 569B 2E60 4D51
> --
> 
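
A parser for the six fields listed in this reply, as an added example (not code from the thread or from OpenSSL). It assumes the fields are tab-separated and the times are ASN.1 UTCTime (YYMMDDHHMMSSZ), optionally followed by ",reason" in the revocation field, as openssl ca writes them; the mail archive flattened the tabs in the quoted sample, so the sample lines below are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class IndexEntry:
    status: str                       # 'V', 'R' or 'E' exactly as stored
    expires: datetime                 # field 2: end of validity
    revoked_at: Optional[datetime]    # field 3: empty unless revoked
    revocation_reason: Optional[str]
    serial: int                       # field 4: hex in the file
    filename: str                     # field 5: normally "unknown"
    subject: str                      # field 6: the DN


def parse_asn1_time(text: str) -> datetime:
    """Decode YYMMDDHHMMSSZ (UTCTime) or YYYYMMDDHHMMSSZ (GeneralizedTime)."""
    if len(text) not in (13, 15) or not text.endswith("Z") or not text[:-1].isdigit():
        raise ValueError("unrecognised time field: %r" % text)
    digits = text[:-1]
    if len(digits) == 12:
        yy = int(digits[:2])
        year = (1900 if yy >= 50 else 2000) + yy   # two-digit year pivot at 50
        rest = digits[2:]
    else:
        year, rest = int(digits[:4]), digits[4:]
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_index_line(line: str) -> IndexEntry:
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 6:
        raise ValueError("expected 6 tab-separated fields, got %d" % len(fields))
    status, expires, revoked, serial, filename, subject = fields
    if status not in ("V", "R", "E"):
        raise ValueError("unknown status flag: %r" % status)
    revoked_at = reason = None
    if revoked:
        when, _, reason_text = revoked.partition(",")
        revoked_at = parse_asn1_time(when)
        reason = reason_text or None
    if status == "R" and revoked_at is None:
        raise ValueError("revoked entry without a revocation time")
    return IndexEntry(status, parse_asn1_time(expires), revoked_at, reason,
                      int(serial, 16), filename, subject)


def parse_index(text: str) -> List[IndexEntry]:
    return [parse_index_line(ln) for ln in text.splitlines() if ln.strip()]


def effective_status(entry: IndexEntry, now: datetime) -> str:
    """Status a relying party should act on, whatever flag the file still shows."""
    if entry.status == "R":
        return "revoked"
    if entry.status == "E" or entry.expires <= now:
        return "expired"
    return "valid"


def stale_valid_entries(entries: List[IndexEntry], now: datetime) -> List[IndexEntry]:
    """Entries still flagged V although their validity has ended."""
    return [e for e in entries if e.status == "V" and e.expires <= now]


# Constructed sample in the layout described above (tabs restored).
SAMPLE_INDEX = (
    "V\t100221212735Z\t\t03\tunknown\t/C=BE/O=Example Org/CN=radius client\n"
    "R\t100523143810Z\t090301101500Z,keyCompromise\t04\tunknown\t/C=BE/O=Example Org/CN=www.example.org\n"
    "V\t300101000000Z\t\t0A\tunknown\t/C=BE/O=Example Org/CN=new server\n"
)

if __name__ == "__main__":
    now = datetime(2015, 1, 1, tzinfo=timezone.utc)
    for e in parse_index(SAMPLE_INDEX):
        print("%02X" % e.serial, e.status, effective_status(e, now), e.subject)
```

Because the V flag is not updated when a certificate expires, stale_valid_entries is the check to run before treating a V line as a currently valid certificate.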



Re: Where does openssl store public keys?

2007-05-25 Thread leseul



Bernhard Froehlich wrote:
> 
> If you want to generate a key pair you may be better off using openssl 
> req with the -newkey option, which also generates a certificate request 
> for the newly generated key.
> 
> Hope it helps.
> Ted
> ;)
> 
> 
 
Thank you for your reply but the question was not that. I have no problems
with using openssl for generating certificate requests or other things, I
just wanted to know where it stores another password.  I'm asking more out
of curiosity.
:)
Regards,
leseul 



I'm volunteering to write some documentation

2007-05-25 Thread Peter Kuykendall
I'm trying to use a couple of simple functions of the openssl CLI and 
can't figure it out from the docs nor the mailing list archives.  Since 
it seems that I'm going to have to review the source code to understand 
the proper syntax, I'd like to expand the documentation to share this 
knowledge after I discover it.


How can I make this contribution?

Thanks - Pete





Re: Where does openssl store public keys?

2007-05-25 Thread Bernhard Froehlich

leseul wrote:

> When I generate a key pair with an openssl genrsa command I get a private
> key. But where is the corresponding public key stored?
  
There seems to be an openssl command pkey 
(http://www.openssl.org/docs/apps/pkey.html) for this, but my version 
does not know it.
A workaround seems to be using "openssl req -key  
-noout -pubkey -new". You may have to enter dummy data for a certificate 
request, then your public key is printed.


If you want to generate a key pair you may be better off using openssl 
req with the -newkey option, which also generates a certificate request 
for the newly generated key.


Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26


