openssl faulty installation

2007-09-15 Thread Eli Shemer
Hey there,

I've recently installed openssl and I cannot create keys or certs with it
for some reason.

If any more information is needed for analyzing, please let me know.

 

Make test produced this at the end:

test normal x509v1 certificate
sh ./tx509 2>/dev/null
testing X509 conversions
p -> d
make[1]: *** [test_x509] Error 1
make[1]: Leaving directory `/home/app/openssl-0.9.8e/test'
make: *** [tests] Error 2

real example

[EMAIL PROTECTED]:~/openssl-0.9.8e/apps$ ./openssl genrsa -des3 -out privkey.pem 2048
Generating RSA private key, 2048 bit long modulus
+++
.+++
e is 65537 (0x10001)
Illegal instruction
[EMAIL PROTECTED]:~/openssl-0.9.8e/apps$



RE: [openssl-users] Bad CRL being generated - Help

2007-09-15 Thread Bynum, Don
That is an interesting and accurate observation.  I agree that the issuer and 
authority should be the same, that I can fix.  Another question though:  if I 
had not included the issuer in the cert or in the CRL, i.e. only have the 
authority keyid present (which are the same in the CRL and the cert) do you 
think that the problem would still have been there?
 
Regards,
Don Bynum
 
Donald E. Bynum
Director, Architecture & Integration

O: 703.668.5616   |  M: 301.367.2072  |  www.networksolutions.com
 



From: [EMAIL PROTECTED] on behalf of Erwann ABALEA
Sent: Sat 9/15/2007 14:37
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Bad CRL being generated - Help



Bonsoir,

Hodie XVII Kal. Oct. MMVII est, Bynum, Don scripsit:
>I have been setting up a CA and have one hurdle which I cannot figure
>out.  I have generated a CRL (currently with no revoked certs).  It is
>referenced in the CRL Distribution Points extension of the end entity
>certs.  I can open the CRL with IE by browsing to the CRL URI.  I can
>import it into Firefox.  However, when browsing to a site (IE or FF) with
>a cert from the CA of the CRL, I get an error saying that the CRL is
>invalid.
>
>You can see this for yourself:
>[1]http://crl1.networksolutions.com/SiteSafeSSL.crl
>A test site for this is at [2]https://www.netsol-test-site-4.com

Taken from the CRL:

Issuer: /CN=SiteSafe SSL/O=Network Solutions LLC/C=US
CRL extensions:
    X509v3 Authority Key Identifier:
        keyid:2A:CB:BC:20:CE:C6:DF:9A:1C:AD:A5:C6:38:86:BB:5C:01:32:A6:B4
        DirName:/C=US/O=Network Solutions LLC/CN=SiteSafe
        serial:0A

The Issuer and authorityKeyIdentifier/DirName should point to the same
authority, i.e. should have the same exact name. Order is important,
and it's reversed, here.

I think that usual software doesn't use the DirName and/or serial part
of the authorityKeyIdentifier extension, only the keyId (and in fact,
I made some tests a few months ago, Firefox didn't follow the keyId,
when IE did). So I assume that the validating software uses the Issuer
field of the CRL to check if it has been signed by the same CA.
My guess is that the real name of your CA is the one we can see in the
extension, not the one set in the Issuer field. Could you check it?

--
Erwann ABALEA <[EMAIL PROTECTED]>
__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        openssl-users@openssl.org
Automated List Manager           [EMAIL PROTECTED]


Re: [openssl-users] Bad CRL being generated - Help

2007-09-15 Thread Erwann ABALEA
Bonsoir,

Hodie XVII Kal. Oct. MMVII est, Bynum, Don scripsit:
>I have been setting up a CA and have one hurdle which I cannot figure
>out.  I have generated a CRL (currently with no revoked certs).  It is
>referenced in the CRL Distribution Points extension of the end entity
>certs.  I can open the CRL with IE by browsing to the CRL URI.  I can
>import it into Firefox.  However, when browsing to a site (IE or FF) with
>a cert from the CA of the CRL, I get an error saying that the CRL is
>invalid.
>
>You can see this for yourself:
>[1]http://crl1.networksolutions.com/SiteSafeSSL.crl
>A test site for this is at [2]https://www.netsol-test-site-4.com

Taken from the CRL:

Issuer: /CN=SiteSafe SSL/O=Network Solutions LLC/C=US
CRL extensions:
    X509v3 Authority Key Identifier:
        keyid:2A:CB:BC:20:CE:C6:DF:9A:1C:AD:A5:C6:38:86:BB:5C:01:32:A6:B4
        DirName:/C=US/O=Network Solutions LLC/CN=SiteSafe
        serial:0A

The Issuer and authorityKeyIdentifier/DirName should point to the same
authority, i.e. should have the same exact name. Order is important,
and it's reversed, here.

I think that usual software doesn't use the DirName and/or serial part
of the authorityKeyIdentifier extension, only the keyId (and in fact,
I made some tests a few months ago, Firefox didn't follow the keyId,
when IE did). So I assume that the validating software uses the Issuer
field of the CRL to check if it has been signed by the same CA.
My guess is that the real name of your CA is the one we can see in the
extension, not the one set in the Issuer field. Could you check it?

-- 
Erwann ABALEA <[EMAIL PROTECTED]>
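
Added example (not part of the thread and not OpenSSL code): a Python comparison of the two names printed in the CRL dump above, RDN by RDN and in order. It assumes OpenSSL's slash-separated one-line display format; the function names are hypothetical.

```python
import re

def parse_oneline(dn):
    """Parse an OpenSSL 'oneline' name such as /C=US/O=Org/CN=Name into an
    ordered list of (type, value) pairs, one per RDN, in the order displayed."""
    rdns = []
    for part in re.split(r"(?<!\\)/", dn.strip()):
        if not part:
            continue  # the leading slash yields an empty first field
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a type=value pair: {part!r}")
        # Assumption: a literal slash inside a value is written as \/
        rdns.append((attr.strip().upper(), value.replace("\\/", "/")))
    return rdns

def compare_names(a, b):
    """Order-sensitive comparison of two names. Reports whether they are
    identical, whether b lists the same attribute types in reverse order,
    and which values still differ once the two orders are aligned."""
    ra, rb = parse_oneline(a), parse_oneline(b)
    types_a = [t for t, _ in ra]
    types_b = [t for t, _ in rb]
    reversed_order = types_a != types_b and types_a == types_b[::-1]
    aligned = rb[::-1] if reversed_order else rb
    value_diffs = [(ta, va, vb)
                   for (ta, va), (tb, vb) in zip(ra, aligned)
                   if ta == tb and va != vb]
    return {
        "identical": ra == rb,
        "reversed_order": reversed_order,
        "same_length": len(ra) == len(rb),
        "value_diffs": value_diffs,
    }

# The two names exactly as printed in the CRL dump quoted in the thread.
CRL_ISSUER = "/CN=SiteSafe SSL/O=Network Solutions LLC/C=US"
AKI_DIRNAME = "/C=US/O=Network Solutions LLC/CN=SiteSafe"

if __name__ == "__main__":
    for key, val in compare_names(CRL_ISSUER, AKI_DIRNAME).items():
        print(f"{key}: {val}")
```

On the two names from the thread it reports reversed attribute order and, after aligning the orders, a CN that still differs (SiteSafe SSL versus SiteSafe).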


Bad CRL being generated - Help

2007-09-15 Thread Bynum, Don
I have been setting up a CA and have one hurdle which I cannot figure out.  I 
have generated a CRL (currently with no revoked certs).  It is referenced in 
the CRL Distribution Points extension of the end entity certs.  I can open the 
CRL with IE by browsing to the CRL URI.  I can import it into Firefox.  
However, when browsing to a site (IE or FF) with a cert from the CA of the 
CRL, I get an error saying that the CRL is invalid.
 
You can see this for yourself :  
http://crl1.networksolutions.com/SiteSafeSSL.crl
A test site for this is at https://www.netsol-test-site-4.com
 
I can give you the CA cert if you wish so that you can complete the chain.
 
What is wrong with the CRL such that it is deemed invalid?
 
Regards,
Don Bynum
 
Donald E. Bynum
Director, Architecture & Integration

O: 703.668.5616   |  M: 301.367.2072  |  www.networksolutions.com