Re: How to create certificate for Dell DRAC4
Hi,

I just wrote a brief how-to detailing how to fix this (common?) problem:
http://wejn.org/how-to-upload-certificate-to-DRAC4.html

Hope it helps.

-- M.S.

Amyangshu wrote:
>
> Can anyone help me with the process to sign the Dell Remote Access
> Controller (DRAC4) CSR correctly using OpenSSL. I tried with the following
> commands:
>
> openssl x509 -req -days 1825 -in csr.txt -signkey ca.key -out drac.crt
> openssl base64 -in drac.crt -out drac64.crt
>
> But when uploading the certificate to the DRAC, it fails with following
> error:
>
> Description: Security error - the certificate could not be uploaded
> Errorrcode: 0x000A0004
>
> Thank you in advance.
>
> --Amyangshu
>

--
View this message in context: http://www.nabble.com/How-to-create-certificate-for-Dell-DRAC4-tf2407852.html#a13229970
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

RE: Signature verification fails with block type is not 01
Has anyone seen this behavior? Any help would be appreciated.

Thanks in advance,
Regards
Ashith

-----Original Message-----
From: Belliappa, Ashith Muddiana (HP Software)
Sent: Wednesday, October 17, 2007 11:37 AM
To: 'openssl-users@openssl.org'
Subject: RE: Signature verification fails with block type is not 01

Hello,

I used the below mentioned test program. These were the results from the same. There was a core file created. The pstack of core is shown below.

bash-2.03# openssl genrsa -out rsa.pem 2048
Generating RSA private key, 2048 bit long modulus
.^C
bash-2.03# cksum openssl
3693318708 2633912 openssl
bash-2.03# ldd openssl
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libc.so.1 => /usr/lib/libc.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Sun-Fire-280R/lib/libc_psr.so.1
bash-2.03# ls -l /usr/lib/libsocket.so.1 /usr/lib/libnsl.so.1 /usr/lib/libc.so.1 /usr/lib/libmp.so.2 /usr/platform/SUNW,Sun-Fire-280R/lib/libc_psr.so.1
-rwxr-xr-x 1 root bin 1158072 Jul 31 2006 /usr/lib/libc.so.1
-rwxr-xr-x 1 root bin 24968 Jan 6 2000 /usr/lib/libmp.so.2
-rwxr-xr-x 1 root bin 920100 Jul 31 2006 /usr/lib/libnsl.so.1
-rwxr-xr-x 1 root bin 70864 Nov 3 2001 /usr/lib/libsocket.so.1
lrwxrwxrwx 1 root root 33 Oct 3 2006 /usr/platform/SUNW,Sun-Fire-280R/lib/libc_psr.so.1 -> ../../sun4u-us3/lib/libc_psr.so.1
bash-2.03# ls -la
total 6000
drwxr-xr-x 2 root other 646 Oct 17 04:50 .
drwxr-xr-x 3 root other 385 Oct 17 04:45 ..
-rw------- 1 root other 383792 Oct 17 04:50 core
-rw-r--r-- 1 root other 0 Oct 17 04:50 file.sig
-rw-r--r-- 1 root other 15 Oct 17 04:50 file.txt
-rwxr-xr-x 1 root other 2633912 Oct 15 20:01 openssl
-rw-r--r-- 1 root other 0 Oct 17 04:47 rsa.pem
-rw-r--r-- 1 root other 350 Oct 15 20:02 test_client.sh
-rwxr-xr-x 1 root other 2332 Oct 15 20:01 test_rsa.sh
-rw-r--r-- 1 root other 2097 Oct 15 20:01 test_server.sh
bash-2.03# pstack core
core 'core' of 7979: openssl genrsa -out rsa.pem 2048
000b5428 bn_mul_add_words (1f4ea8, 1ec470, 8, 7b55419a, 6432bff9, 5f6d1513) + 94
000b7f80 BN_from_montgomery (1eb76c, 1ec420, 1f, 1eb648, 0, 0) + 1bc
000b7d84 BN_mod_mul_montgomery (1eb76c, 1eb76c, 1eb76c, 1ec3d0, 1eb648, 0) + 68
00152178 BN_mod_exp_mont (1eb744, 161, 1eb730, 0, 1eb648, 1ec3d0) + 398
000b4e7c BN_is_prime_fasttest_ex (1db508, , 1eb648, 1db508, ffbef684, 3) + 41c
000b48d8 BN_generate_prime_ex (0, 400, 0, 0, 0, ffbef684) + 2c8
000c4908 rsa_builtin_keygen (1e10f0, 800, 1db468, ffbef684, 400, 1) + 1ec
0004fb44 genrsa_main (1, 18e5c4, 1e0148, 10001, ffbefc24, ffbefd38) + 668
000367cc do_cmd (1e0f60, 4, ffbefc18, f, 1e0fe8, 36ba4) + 40
0003657c main (5, ffbefc14, 1e0f60, ffbefb7c, 1c5010, 1843e0) + 2b0
00036190 _start (0, 0, 0, 0, 0, 0) + 108
bash-2.03# showrev -p |grep 112438
Patch: 112438-02 Obsoletes: Requires: Incompatibles: Packages: SUNWcarx, SUNWcsr, SUNWhea, SUNWmdb, SUNWmdbx
Patch: 112438-03 Obsoletes: Requires: Incompatibles: Packages: SUNWcarx, SUNWcsr, SUNWhea, SUNWmdb, SUNWmdbx
bash-2.03# uname -a
SunOS test.hp.com 5.8 Generic_117350-39 sun4u sparc SUNW,Sun-Fire-280R

Regards
Ashith

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marek Marcola
Sent: Friday, October 12, 2007 11:48 PM
To: openssl-users@openssl.org
Subject: RE: Signature verification fails with block type is not 01

Hello,

> Does anyone have a separate test program where we can test only the
> signature verification?

# openssl genrsa -out rsa.pem 2048
# openssl rsa -in rsa.pem -text -noout
# openssl rsa -in rsa.pem -pubout -out rsa-pub.pem
# openssl rsa -in rsa-pub.pem -pubin -text -noout
# echo test test test > file.txt
# openssl dgst -sign rsa.pem < file.txt > file.sig
# openssl dgst -verify rsa-pub.pem -signature file.sig < file.txt
Verified OK

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

RE: ocsp behind proxy
Sorry for not asking my question clearly!

I'm using following code to make an ocsp revocation check:

OCSP_request_add0_id(req, id);

if(!OCSP_parse_url(ocsp_url, &host, &port, &path, &use_ssl)){
    // error
}

cbio = BIO_new_connect(host);
if(!cbio){
    // error
}

BIO_set_conn_port(cbio, port);

if(BIO_do_connect(cbio)<=0){
    // error
}

resp = OCSP_sendreq_bio(cbio, path, req);

Do I have to make some settings to bio (like authentication, ...) if my client uses a proxy server to connect to the internet?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Thayer
Sent: Wednesday, 17 October 2007 19:34
To: openssl-users@openssl.org
Subject: Re: ocsp behind proxy

Christian Wiesbauer wrote:
> I want to know if an ocsp revocation check works with openssl if I'm using a
> proxy?

OCSP isn't HTTP so what kind of proxy do you mean?

RE: Changing the expiry date of a cert
> > "Is it possible to extend the expiry of this certificate
> > without changing any other fields in the certificate?"
> >
> > to which it seems that the answer is
> >
> > "Yes",
>
> How could the answer be anything other than yes?

All too easily. Because as you yourself point out, such a change would invalidate the signature. And if a new signature is acquired - for all practical purposes it is a new certificate, regardless of how much in common it happens to have with the old one.

> Could there
> be some mysterious force that compels you to change other fields?

I never heard that there was a "minimal change" that was allowed without invalidating the cert. :-)

> Or you can argue that the answer is "no", since you have to
> at least change the signature and you pretty much have to
> change the serial number.

Exactly!

> And the OP replies:
>
> > Yes. That's what I was trying to ask. So, how can
> > I change the expiry date of an existing certificate
> > without changing any other field ? Is
> > there any openssl command that I may use ?
>
> Did you not read or understand my answer? There is no
> difference between changing the date on the old certificate
> and issuing a new certificate.

If one wants to preserve the old serial number and old signatures - the answer is "no-how, no way". If one wants to have the same cert with a new expiration date - then just get a new cert with that one change (like David described).

> Just issue a new certificate the same way you issued the
> original one, changing only the expiration date (and the
> signature, if you want). Tell everyone you changed the
> expiration date on the original, they won't be able to tell
> that you're lying.

Yes! :-) And how can the signature not be changed? It's a different stream of bits (from the original cert), so it necessarily requires a new (different) signature.

> Sorry if this sounds like insane ranting. I'm really
> trying to be helpful, but it seems like it didn't sink
> in the first time.

:-) Let's see how the 2nd iteration goes. :-)

Re: Changing the expiry date of a cert
This was a certificate authority certificate. As such, the renewal has to have the same key and DN as the original in order to continue being a CA for previously signed certificates.

Jim

On Oct 17, 2007, at 5:54 PM, David Schwartz wrote:

It seems to me that the OP is indeed asking something else entirely different from the question which you yourself seem to have posed and then immediately failed to answer. He's asking

"Is it possible to extend the expiry of this certificate without changing any other fields in the certificate?"

to which it seems that the answer is

"Yes",

How could the answer be anything other than yes? Could there be some mysterious force that compels you to change other fields?

Or you can argue that the answer is "no", since you have to at least change the signature and you pretty much have to change the serial number.

And the OP replies:

Yes. That's what I was trying to ask. So, how can I change the expiry date of an existing certificate without changing any other field ? Is there any openssl command that I may use ?

Did you not read or understand my answer? There is no difference between changing the date on the old certificate and issuing a new certificate. If you know how to issue a new certificate, you know how to change the date on an existing one because THERE IS NO DIFFERENCE BETWEEN THESE TWO THINGS other than philosophical differences.

If you issue a new certificate that is the same as the old except for the serial number, how will anyone know you didn't just change the serial number on the old one? Will they somehow be the same bits and not new bits? IT MAKES NO DIFFERENCE. The question, as asked, is purely philosophical.

Just issue a new certificate the same way you issued the original one, changing only the expiration date (and the signature, if you want). Tell everyone you changed the expiration date on the original, they won't be able to tell that you're lying.

If you don't know how to or can't issue a new certificate with a new expiration date, then you can't change the expiration date on the old one either. Why? BECAUSE THEY'RE THE SAME THING. They're just two different ways of saying the same thing.

If your driver's license expires, you can change the expiration date on the license and reprint it. Or you can get a new license with a new expiration date. The difference is -- wait for it -- nothing at all. It's the same thing. The same procedure to "issue a new license with a new expiration date" can be said to "reissue the original license with a new expiration date". The only thing that makes it "new" or "reissued" is the difference between the two licenses which is just the expiration date!

Sorry if this sounds like insane ranting. I'm really trying to be helpful, but it seems like it didn't sink in the first time.

DS

RE: Changing the expiry date of a cert
> It seems to me that the OP is indeed asking something else entirely
> different from the question which you yourself seem to have posed and
> then immediately failed to answer. He's asking
>
> "Is it possible to extend the expiry of this certificate without
> changing any other fields in the certificate?"
>
> to which it seems that the answer is
>
> "Yes",

How could the answer be anything other than yes? Could there be some mysterious force that compels you to change other fields?

Or you can argue that the answer is "no", since you have to at least change the signature and you pretty much have to change the serial number.

And the OP replies:

> Yes. That's what I was trying to ask. So, how can I change the
> expiry date of an existing certificate without changing any
> other field ? Is there any openssl command that I may use ?

Did you not read or understand my answer? There is no difference between changing the date on the old certificate and issuing a new certificate. If you know how to issue a new certificate, you know how to change the date on an existing one because THERE IS NO DIFFERENCE BETWEEN THESE TWO THINGS other than philosophical differences.

If you issue a new certificate that is the same as the old except for the serial number, how will anyone know you didn't just change the serial number on the old one? Will they somehow be the same bits and not new bits? IT MAKES NO DIFFERENCE. The question, as asked, is purely philosophical.

Just issue a new certificate the same way you issued the original one, changing only the expiration date (and the signature, if you want). Tell everyone you changed the expiration date on the original, they won't be able to tell that you're lying.

If you don't know how to or can't issue a new certificate with a new expiration date, then you can't change the expiration date on the old one either. Why? BECAUSE THEY'RE THE SAME THING. They're just two different ways of saying the same thing.

If your driver's license expires, you can change the expiration date on the license and reprint it. Or you can get a new license with a new expiration date. The difference is -- wait for it -- nothing at all. It's the same thing. The same procedure to "issue a new license with a new expiration date" can be said to "reissue the original license with a new expiration date". The only thing that makes it "new" or "reissued" is the difference between the two licenses which is just the expiration date!

Sorry if this sounds like insane ranting. I'm really trying to be helpful, but it seems like it didn't sink in the first time.

DS

Re: Changing the expiry date of a cert
On Wed, Oct 17, 2007 at 09:49:15PM +0100, G.W. Haywood wrote:

> "Is it possible to extend the expiry of this certificate without
> changing any other fields in the certificate?"
>
> to which it seems that the answer is
>
> "Yes",

Actually it is "no", because the certificate needs a new signature block. But the more interesting question is what verifiers will make of the new cert, and the answer is that they won't trust it unless reconfigured to do so.

> although one might add that the resulting certificate could be viewed
> by some as a different certificate. In that case, the next question
> would be "Is it valid?", to which the answer would also presumably be
>
> "Yes".

If the signature block is not updated (new cert generated with nearly identical fields), the cert is invalid. If a new valid cert is generated, it is untrusted.

--
Viktor.

Re: Changing the expiry date of a cert
Yes. That's what I was trying to ask. So, how can I change the expiry date of an existing certificate without changing any other field ? Is there any openssl command that I may use ?

On 10/17/07, G.W. Haywood <[EMAIL PROTECTED]> wrote:
>
> Hi there,
>
> On Wed, 17 Oct 2007, David Schwartz wrote:
>
> > The OP wrote:
> >
> > > I have a private CA certificate created using openssl command line.
> > > The issue is that the certificate expires on 19th Oct, 2007.
> > > The question is that "Is it possible to extend the expiry of this
> > > certificate without changing any other fields in the certificate?"
> > > Basically, I want to continue using this CA Cert to sign end-user
> > > certs for a longer time.
> > > Any help will be appreciated. Thanks.
> >
> > This question comes up a lot and I still have no idea what anyone is
> > asking.
>
> It seems fairly clear to me.
>
> > It seems like it's largely a philosophical question, like am I the same
> > person I was ten years ago even though only 1% of the molecules are the
> > same.
>
> I don't think the OP asked anything like that.
>
> > Some might consider the resulting certificate to be the original
> > certificate with a later expiry date. Some might consider it to be a
> > brand new certificate that just happens to share some common values
> > with the previous certificate.
>
> I don't think the OP asked whether it would still be the old certificate
> or if it would be a new certificate. He just asked if he can change the
> date, and only the date, on his existing certificate.
>
> > What possible difference does it make whether you consider the resulting
> > certificate a "new certificate" or "the original certificate with a
> > later expiration date"?
>
> I don't think, in this thread, that anyone else considered that
> difference.
>
> > Or are you asking something else entirely? And if so, what?
>
> It seems to me that the OP is indeed asking something else entirely
> different from the question which you yourself seem to have posed and
> then immediately failed to answer. He's asking
>
> "Is it possible to extend the expiry of this certificate without
> changing any other fields in the certificate?"
>
> to which it seems that the answer is
>
> "Yes",
>
> although one might add that the resulting certificate could be viewed
> by some as a different certificate. In that case, the next question
> would be "Is it valid?", to which the answer would also presumably be
>
> "Yes".
>
> Have I understood?
>
> --
>
> 73,
> Ged.

Re: PKCS#7 without certificates??
[EMAIL PROTECTED] wrote:

I've a problem. I need to cypher a buffer of bytes with pkcs7 format but I can't use certificates,i need encrypt using only a key or password.

I have searched but I do not find anything to do it.

Read the syntax for PKCS#7:
ftp://ftp.rsasecurity.com/pub/pkcs/ascii/pkcs-7.asc

For enveloped data:

EnvelopedData ::= SEQUENCE {
  version Version,
  recipientInfos RecipientInfos,
  encryptedContentInfo EncryptedContentInfo }

where

RecipientInfos ::= SET OF RecipientInfo

and

RecipientInfo ::= SEQUENCE {
  version Version,
  issuerAndSerialNumber IssuerAndSerialNumber,
  keyEncryptionAlgorithm KeyEncryptionAlgorithmIdentifier,
  encryptedKey EncryptedKey }

Obviously for signed and enveloped data the sender needs a cert, too.

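What the RecipientInfo syntax quoted in the reply above means in practice, as an added example that is not part of the original message: an enveloped-data blob produced by `openssl smime -encrypt` names its recipient by the issuer and serial number of a certificate, which is why a bare key or password is not enough. The recipient certificate, its serial `0x5EC0DE01` and the plaintext are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: recipient certificate, key and message are constructed.
set -eu

P7_DIR=$(mktemp -d)

# Minimal request config so the demo does not depend on the system openssl.cnf.
cat > "$P7_DIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt             = no

[dn]
O  = Example Demo
CN = Constructed Recipient
EOF

# Self-signed recipient certificate with a recognisable serial number.
openssl req -new -x509 -newkey rsa:2048 -nodes -config "$P7_DIR/req.cnf" \
    -keyout "$P7_DIR/rcpt.key" -set_serial 0x5EC0DE01 -days 30 \
    -out "$P7_DIR/rcpt.pem" 2>/dev/null

printf 'constructed sample plaintext\n' > "$P7_DIR/msg.txt"

# PKCS#7 enveloped-data: the recipient is given as a certificate.
openssl smime -encrypt -aes256 -binary -in "$P7_DIR/msg.txt" \
    -outform DER -out "$P7_DIR/env.der" "$P7_DIR/rcpt.pem"

# content_type FILE: content type OID of the outer ContentInfo.
content_type() {
    openssl asn1parse -inform DER -in "$1" |
        awk '/OBJECT/ { sub(/.*:/, ""); print; exit }'
}

# recipient_serial FILE: serialNumber of issuerAndSerialNumber in the first
# RecipientInfo (the first INTEGER at nesting depth 6 of the DER structure).
recipient_serial() {
    openssl asn1parse -inform DER -in "$1" |
        awk '/d=6/ && /INTEGER/ { sub(/.*:/, ""); print; exit }'
}

# cert_serial FILE: serial number of a PEM certificate, in hex.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# decrypted FILE: plaintext recovered with the recipient's certificate and key.
decrypted() {
    openssl smime -decrypt -inform DER -in "$1" \
        -recip "$P7_DIR/rcpt.pem" -inkey "$P7_DIR/rcpt.key"
}

echo "content type:            $(content_type "$P7_DIR/env.der")"
echo "RecipientInfo serial:    $(recipient_serial "$P7_DIR/env.der")"
echo "recipient cert serial:   $(cert_serial "$P7_DIR/rcpt.pem")"
echo "decrypted with cert+key: $(decrypted "$P7_DIR/env.der")"
```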
RE: Changing the expiry date of a cert
Hi there,

On Wed, 17 Oct 2007, David Schwartz wrote:

> The OP wrote:
>
> > I have a private CA certificate created using openssl command line.
> > The issue is that the certificate expires on 19th Oct, 2007.
> > The question is that "Is it possible to extend the expiry of this
> > certificate without changing any other fields in the certificate?"
> > Basically, I want to continue using this CA Cert to sign end-user
> > certs for a longer time.
> > Any help will be appreciated. Thanks.
>
> This question comes up a lot and I still have no idea what anyone is asking.

It seems fairly clear to me.

> It seems like it's largely a philosophical question, like am I the same
> person I was ten years ago even though only 1% of the molecules are the
> same.

I don't think the OP asked anything like that.

> Some might consider the resulting certificate to be the original certificate
> with a later expiry date. Some might consider it to be a brand new
> certificate that just happens to share some common values with the previous
> certificate.

I don't think the OP asked whether it would still be the old certificate or if it would be a new certificate. He just asked if he can change the date, and only the date, on his existing certificate.

> What possible difference does it make whether you consider the resulting
> certificate a "new certificate" or "the original certificate with a later
> expiration date"?

I don't think, in this thread, that anyone else considered that difference.

> Or are you asking something else entirely? And if so, what?

It seems to me that the OP is indeed asking something else entirely different from the question which you yourself seem to have posed and then immediately failed to answer. He's asking

"Is it possible to extend the expiry of this certificate without changing any other fields in the certificate?"

to which it seems that the answer is

"Yes",

although one might add that the resulting certificate could be viewed by some as a different certificate. In that case, the next question would be "Is it valid?", to which the answer would also presumably be

"Yes".

Have I understood?

--

73,
Ged.

Re: PKCS#7 without certificates??
[EMAIL PROTECTED] wrote:

> Hello all!!

Hello Lidia,

> I've a problem. I need to cypher a buffer of bytes with pkcs7 format but
> I can't use certificates,i need encrypt using only a key or password.

Are you really sure PKCS#7 supports encrypting of data without a certificate ? I know it was designed as a successor for PEM, which supports encrypting with symmetric keys, but if PKCS#7 supports it, I don't know. But I'm almost sure that if you use PKCS#7 with public keys, you need a certificate.

> I have searched but I do not find anything to do it.

It may be possible that PKCS#7 does not support encrypting without a certificate. It also may be possible that OpenSSL does only support PKCS#7 with certificates.

> I work with c, and the function PKCS7_encrypt() needs
> certificates...There is some another function that generates pkcs7
> format without need of certificates?
>
> If this isn't possible..., there is another PKCS format that allows to
> cipher any type of data only with a password? (PKCS5,PKCS11,PKCS12...)

PKCS#11 defines the interface to hardware modules but not a file format.

PKCS#12 is used to store private keys and their certificates in a file. It may be possible to use it to encrypt other data. But there is no (higher level) interface to do it.

You could use other encryption formats. OpenPGP comes to mind.

Bye
Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

RE: Changing the expiry date of a cert
> I have a private CA certificate created using openssl command line.
> The issue is that the certificate expires on 19th Oct, 2007.
> The question is that "Is it possible to extend the expiry of this
> certificate without changing any other fields in the certificate?"
> Basically, I want to continue using this CA Cert to sign end-user
> certs for a longer time.
> Any help will be appreciated. Thanks.

This question comes up a lot and I still have no idea what anyone is asking. It seems like it's largely a philosophical question, like am I the same person I was ten years ago even though only 1% of the molecules are the same.

Some might consider the resulting certificate to be the original certificate with a later expiry date. Some might consider it to be a brand new certificate that just happens to share some common values with the previous certificate.

What possible difference does it make whether you consider the resulting certificate a "new certificate" or "the original certificate with a later expiration date"?

Or are you asking something else entirely? And if so, what?

DS

Re: VeriSign certificate with openssl
Thanks, much.

- Dennis

Wolfgang Riedel wrote:

Hi Dennis,

you want (maybe)

hth,
Wolfgang

Dennis Kim wrote:

Hi All,

verify error:num=2:unable to get issuer certificate
issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority'
verify return:0

Re: PEM_read_PrivateKey does not return private key
On Wed, Oct 17, 2007 at 12:43:03PM -0700, Jim Fox wrote:

> >I have a private CA certificate created using openssl command line. The
> >issue is that the certificate expires on 19th Oct, 2007. The question is
> >that "Is it possible to extend the expiry of this certificate without
> >changing any other fields in the certificate?" Basically, I want to
> >continue using this CA Cert to sign end-user certs for a longer time.
> >Any help will be appreciated. Thanks.
>
> Use the same key and the same DN and the cert will continue
> to act as a valid CA for any other certs you have signed.

Also the same serial number and authority identifier in v3 extensions if present in the expiring CA cert, for example:

    ...
    Serial Number:
        c5:30:80:16:44:78:d9:12
    ...
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Subject Key Identifier:
            F1:EF:77:42:18:C4:D6:E2:6D:1C:3D:A8:02:BE:E2:F3:E4:6E:50:40
        X509v3 Authority Key Identifier:
            keyid:F1:EF:77:42:18:C4:D6:E2:6D:1C:3D:A8:02:BE:E2:F3:E4:6E:50:40
            DirName:
            serial:C5:30:80:16:44:78:D9:12
    ...

If any of this information changes, certificates will fail verification.

--
Viktor.

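The renewal rule given in this thread (same key and same DN, plus the same serial number when issued certificates carry an issuer/serial authority key identifier) can be checked end to end with the openssl command line. The script below is an added example, not taken from any message in the thread; the demo CA, its names, serials (`0x1001`, `0x1002`, `0x2001`) and lifetimes are all constructed.

```shell
#!/bin/sh
# Added example: constructed demo CA; names, serials and lifetimes are assumptions.
set -eu

DEMO_DIR=$(mktemp -d)
D=$DEMO_DIR

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$D/demo.cnf" <<'EOF'
[req]
distinguished_name = ca_dn
x509_extensions    = v3_ca
prompt             = no

[ca_dn]
O  = Example Demo
CN = Demo Private CA

[v3_ca]
basicConstraints     = critical,CA:TRUE
subjectKeyIdentifier = hash

[v3_leaf]
basicConstraints       = CA:FALSE
authorityKeyIdentifier = keyid:always,issuer:always
EOF

# make_ca KEYFILE SERIAL DAYS OUTFILE: self-signed CA cert with the demo DN.
make_ca() {
    openssl req -new -x509 -config "$D/demo.cnf" -key "$1" \
        -set_serial "$2" -days "$3" -out "$4" 2>/dev/null
}

# verifies CAFILE CERT EPOCH: succeed only if openssl reports the chain OK
# when evaluated at EPOCH (seconds since 1970).
verifies() {
    openssl verify -attime "$3" -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

openssl genrsa -out "$D/ca.key"    2048 2>/dev/null
openssl genrsa -out "$D/other.key" 2048 2>/dev/null
openssl genrsa -out "$D/leaf.key"  2048 2>/dev/null

# Original CA, about to expire (2 days), and a leaf it signed that lives longer.
# The leaf's authority key identifier records the CA key id, DN and serial.
make_ca "$D/ca.key" 0x1001 2 "$D/ca-old.pem"
openssl req -new -config "$D/demo.cnf" -key "$D/leaf.key" \
    -subj "/O=Example Demo/CN=leaf.example.test" -out "$D/leaf.csr" 2>/dev/null
openssl x509 -req -in "$D/leaf.csr" -CA "$D/ca-old.pem" -CAkey "$D/ca.key" \
    -set_serial 0x2001 -days 365 -extfile "$D/demo.cnf" -extensions v3_leaf \
    -out "$D/leaf.pem" 2>/dev/null

# Three candidate replacements for the CA certificate, all valid for 10 years.
make_ca "$D/ca.key"    0x1001 3650 "$D/ca-renewed.pem"   # same key, DN, serial
make_ca "$D/other.key" 0x1001 3650 "$D/ca-rekeyed.pem"   # new key
make_ca "$D/ca.key"    0x1002 3650 "$D/ca-reserial.pem"  # same key, new serial

# Check the already-issued leaf 30 days from now, after ca-old.pem has expired.
LATER=$(( $(date +%s) + 30 * 86400 ))
for ca in ca-old ca-renewed ca-rekeyed ca-reserial; do
    if verifies "$D/$ca.pem" "$D/leaf.pem" "$LATER"; then r=OK; else r=FAIL; fi
    echo "$ca: existing leaf verifies in 30 days: $r"
done
```

Only `ca-renewed` reports OK: the old certificate has expired by then, the re-keyed one cannot match the leaf's signature or key identifier, and the re-serialed one no longer matches the issuer serial recorded in the leaf.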
RE: Segmentation fault in application creating too many threads.
The stack trace showing a null sha1 transform kind of caught my attention here, I wouldn't go by the GDB call trace coz it's obviously a memory leak and the gdb stack could have been corrupted, many a times I see 0x0 in the frames but when you actually try to print the ctx address it would be valid. CTX is definitely valid here, prabhu, earlier I was assuming you are using the linux sha1 in the kernel which is a loadable module, and I realise you're just using plain openssl from userspace and linking with libcrypto. Linux sha1 has a limitation on the sha1_tfm structure, perhaps libcrypto sha1 is also the same way? It's obvious that you have run out of sha1_tfms which is why when you actually sleep it helps as other threads would have released theirs.

If you don't mind sending your client code snippet, I could debug.. my email id would be [EMAIL PROTECTED]

Thanks
--Gayathri

Even reducing the thread stack size didn't help. I observe that the thread creation as such is not a problem. I create about 1000 threads , delay in each thread the SSL_connect for about 10 sec. Once the delay expires and each client make connections to the server the seg fault occurs.

You know, looking back at your original trace, it seems I may have jumped to conclusions. It's hard to be sure because I don't know what OpenSSL version you are using, so the line numbers don't tell me anything, but check this out:

#0 SHA1_Init (c=0x0) at sha_locl.h:150
#1 0x405b2bb0 in init (ctx=0x0) at m_sha1.c:72
#2 0x405afc91 in EVP_DigestInit_ex (ctx=0x4d606230, type=0x4061f620, impl=0x0) at digest.c:207
#3 0x405ac08e in ssleay_rand_add (buf=0x0, num=0, add= 2.5863007356866632e-306) at md_rand.c:263
#4 0x405ace6e in RAND_add (buf=0x8a269f8, num=144861688, entropy=0) at rand_lib.c:151

I'm guessing frame #2 is this:

return ctx->digest->init(ctx);

Which calls this:

static int init(EVP_MD_CTX *ctx)
{
    return SHA1_Init(ctx->md_data);
}

Notice that 'init' was called with a NULL context. But the context cannot have been NULL in frame 2 because if it was ctx->digest would have faulted. So it looks like the stack in frame #2 cannot have led to the stack in frame #1.

This is not a memory exhaustion issue or a failure to check for NULL. It looks like stack corruption.

The real puzzle is why stack corruption would only occur with a large number of threads. I'm thinking perhaps there's some concurrency issue with ssleay_rand_add, but I've been over it twice and I don't see any issue. The md context would be unique for each thread, so it should be safe.

Maybe someone will read this and it will resonate with something they know?

If you can, please tell us what version of OpenSSL this was. This will allow people to understand the line numbers better and make sure they're not looking at code that has whatever bit you already fixed.

DS

Re: PEM_read_PrivateKey does not return private key
I have a private CA certificate created using openssl command line. The issue is that the certificate expires on 19th Oct, 2007. The question is that "Is it possible to extend the expiry of this certificate without changing any other fields in the certificate?" Basically, I want to continue using this CA Cert to sign end-user certs for a longer time. Any help will be appreciated. Thanks.

Use the same key and the same DN and the cert will continue to act as a valid CA for any other certs you have signed.

However, any site that has cached your CA cert will have to get the new one. Theirs will expire soon.

Jim

Changing the expiry date of a cert
Hi, I have a private CA certificate created using openssl command line. The issue is that the certificate expires on 19th Oct, 2007. The question is that "Is it possible to extend the expiry of this certificate without changing any other fields in the certificate?" Basically, I want to continue using this CA Cert to sign end-user certs for a longer time. Any help will be appreciated. Thanks.
RSA Error in d2i_PrivateKey()
Hello There,

I am trying to read the following RSA private key using Openssl command line RSA utility but having no success; This key was generated using another non-Openssl library(SSLeay based). I am attaching below a snapshot of the error I get with RSA command line tool and a hexdump of the same RSA key; Can someone please help me understand what could be the issue here and let me know if there is a workaround to it. Also attaching the hexdump of RSA Pvt. Key as an attachment to this email.

Thanks in advance!
--
regards,
Shanku Roy

OpenSSL> rsa -inform DER -in ../../phoneKey-lsc.pvt -text
unable to load Private Key
20158:error:0D078094:asn1 encoding routines:ASN1_ITEM_EX_D2I:sequence length mismatch:tasn_dec.c:476:Type=RSA
20158:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:99:
error in rsa
OpenSSL>
OpenSSL> asn1parse -inform DER -in ../../phoneKey-lsc.pvt
0:d=0 hl=4 l= 895 cons: SEQUENCE
4:d=1 hl=2 l= 1 prim: INTEGER :01
7:d=1 hl=3 l= 129 prim: INTEGER :929DC42B5DB09BA5F5217FB377D801917BE388D5061E1FF92BEF87141CCF890FEE3A0C725B97A04D411F268C673B6F720B341AED3CAD26FA5FD457EC5A2A421E3B265AEA3FB8A4209EA56F1E7C261075636452628FC4E9362BCE6A4C920F14EDFDD414FED00CD692048E5AE3BEFBCB768A9B38065742BF15AF49E0DF3622D235
139:d=1 hl=2 l= 3 prim: INTEGER :010001
144:d=1 hl=3 l= 128 prim: INTEGER :0B02E24AC77C8E1406B6FF5A4133EDDA394DBB6714508AE231D489768F3B5EF5DD546ABEE3F61D49F00C1FD2387894DDC29B7287C4A5F1CA9E4488328795B73D6757AF81820A3C366DCA315B6B2B78AECE6CFD1C28C6195A383002CD1F0F09AF717BF44699232D2DDD7371982D6B5313627927BC170399154125B176FDA0A361
275:d=1 hl=2 l= 43 prim: INTEGER :19F9F2F09CA69E0B21763ABD41EB181F52363C6E037254D2200B190AE2B7BB170A73195812D68BCC4CFF6D
320:d=1 hl=2 l= 43 prim: INTEGER :1980766E5E9E516BCDBD923DF07E5BA5928BC17DEFDE890156B674608CF407F9D4EA5C069FFE938A176197
365:d=1 hl=3 l= 128 prim: INTEGER :0B02E24AC77C8E1406B6FF5A4133EDDA394DBB6714508AE231D489768F3B5EF5DD546ABEE3F61D49F00C1FD2387894DDC29B7287C4A5F1CA9E4488328795B73D6757AF81820A3C366DCA315B6B2B78AECE6CFD1C28C6195A383002CD1F0F09AF717BF44699232D2DDD7371982D6B5313627927BC170399154125B176FDA0A361
496:d=1 hl=3 l= 128 prim: INTEGER :0B02E24AC77C8E1406B6FF5A4133EDDA394DBB6714508AE231D489768F3B5EF5DD546ABEE3F61D49F00C1FD2387894DDC29B7287C4A5F1CA9E4488328795B73D6757AF81820A3C366DCA315B6B2B78AECE6CFD1C28C6195A383002CD1F0F09AF717BF44699232D2DDD7371982D6B5313627927BC170399154125B176FDA0A361
627:d=1 hl=2 l= 43 prim: INTEGER :08C5ADF06F811CB12AA7972B581A1C4DE28D0B238DFEEE5E7DAD1B9892391F0895F6372D79968FD7213DBB
672:d=1 hl=3 l= 224 cons: SEQUENCE
675:d=2 hl=3 l= 221 cons: SEQUENCE
678:d=3 hl=2 l= 43 prim: INTEGER :38A8D5DF16C4D47D227AB5637D2DCF362137ED76A1633DAB282B85F14576C789A4A991AC2F3F78CB57097F
723:d=3 hl=3 l= 128 prim: INTEGER :0B02E24AC77C8E1406B6FF5A4133EDDA394DBB6714508AE231D489768F3B5EF5DD546ABEE3F61D49F00C1FD2387894DDC29B7287C4A5F1CA9E4488328795B73D6757AF81820A3C366DCA315B6B2B78AECE6CFD1C28C6195A383002CD1F0F09AF717BF44699232D2DDD7371982D6B5313627927BC170399154125B176FDA0A361
854:d=3 hl=2 l= 43 prim: INTEGER :33DD7FE4C55BB0AF767FB137E5E366C15AA63FB19E9623CE7EF16F08E06307A61D575B47504809FD6CAED6
OpenSSL>
OpenSSL> version
OpenSSL 0.9.8e 23 Feb 2007
OpenSSL>
RE: Segmentation fault in application creating too many threads.
> Even reducing the thread stack size didn't help.
> I observe that the thread creation as such is not
> a problem. I create about 1000 threads , delay in
> each thread the SSL_connect for about 10 sec.
> Once the delay expires and each client make connections
> to the server the seg fault occurs.

You know, looking back at your original trace, it seems I may have jumped to conclusions. It's hard to be sure because I don't know what OpenSSL version you are using, so the line numbers don't tell me anything, but check this out:

> #0 SHA1_Init (c=0x0) at sha_locl.h:150
> #1 0x405b2bb0 in init (ctx=0x0) at m_sha1.c:72
> #2 0x405afc91 in EVP_DigestInit_ex (ctx=0x4d606230,
> type=0x4061f620, impl=0x0) at digest.c:207
> #3 0x405ac08e in ssleay_rand_add (buf=0x0, num=0,
> add= 2.5863007356866632e-306) at md_rand.c:263
> #4 0x405ace6e in RAND_add (buf=0x8a269f8,
> num=144861688, entropy=0) at rand_lib.c:151

I'm guessing frame #2 is this:

    return ctx->digest->init(ctx);

Which calls this:

    static int init(EVP_MD_CTX *ctx)
    { return SHA1_Init(ctx->md_data); }

Notice that 'init' was called with a NULL context. But the context cannot have been NULL in frame 2 because if it was ctx->digest would have faulted. So it looks like the stack in frame #2 cannot have led to the stack in frame #1. This is not a memory exhaustion issue or a failure to check for NULL. It looks like stack corruption.

The real puzzle is why stack corruption would only occur with a large number of threads. I'm thinking perhaps there's some concurrency issue with ssleay_rand_add, but I've been over it twice and I don't see any issue. The md context would be unique for each thread, so it should be safe. Maybe someone will read this and it will resonate with something they know?

If you can, please tell us what version of OpenSSL this was. This will allow people to understand the line numbers better and make sure they're not looking at code that has whatever bit you already fixed.

DS
Re: ocsp behind proxy
Christian Wiesbauer wrote:
> I want to know if an ocsp revocation check works with openssl if I'm using a
> proxy?

OCSP isn't HTTP so what kind of proxy do you mean?
RE: Question about IP
Thank you

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Hamilton
Sent: Wednesday, October 17, 2007 11:17 AM
To: openssl-users@openssl.org
Subject: Re: Question about IP

OpenSSL shouldn't care at all about the client's IP address. If your application server is providing cache services to OpenSSL, then that might cause issues if it breaks the server-defined caching rules.

-Kyle H

On 10/17/07, Jurden, James <[EMAIL PROTECTED]> wrote:
> I configured OpenSSL with our application server, but it seems when I
> connect my laptop the next day the connection fails. It seems that my
> IP address changes because of dhcp, but the server does not seem to
> care. If I restart the server, I can then connect my client. Does
> OpenSSL somehow cache my client IP address? I originally configured
> this connection using my clients dns name. I assume OpenSSL attempts
> to resolve my client name to address and discovers I have a different
> IP so it fails. Anyone seen this?
PEM_read_PrivateKey does not return private key
Hi,

I searched for this function on net and got lot of threads, but couldn't solve my problem. My problem is as follows.. I have generated a RSA key using OpenSSL and stored it in a PEM file. When I try to read it using above function, the structure returned to me by PEM_read_PrivateKey is NULL (I mean it does not contain anything). Anybody having any idea about this issue?? I tried even the DER format, tried to convert it into binary format and read using d2i_RSA_PUBKEY, but no luck. Any help is highly appreciated.

Thanks & Regards
Shalmi
Re: Question about IP
OpenSSL shouldn't care at all about the client's IP address. If your application server is providing cache services to OpenSSL, then that might cause issues if it breaks the server-defined caching rules.

-Kyle H

On 10/17/07, Jurden, James <[EMAIL PROTECTED]> wrote:
> I configured OpenSSL with our application server, but it seems when I
> connect my laptop the next day the connection fails. It seems that my IP
> address changes because of dhcp, but the server does not seem to care. If I
> restart the server, I can then connect my client. Does OpenSSL somehow
> cache my client IP address? I originally configured this connection using
> my clients dns name. I assume OpenSSL attempts to resolve my client name to
> address and discovers I have a different IP so it fails. Anyone seen this?
Question about IP
I configured OpenSSL with our application server, but it seems when I connect my laptop the next day the connection fails. It seems that my IP address changes because of dhcp, but the server does not seem to care. If I restart the server, I can then connect my client. Does OpenSSL somehow cache my client IP address? I originally configured this connection using my clients dns name. I assume OpenSSL attempts to resolve my client name to address and discovers I have a different IP so it fails. Anyone seen this?
Re: PKCS#7 without certificates??
2007/10/17, [EMAIL PROTECTED] <[EMAIL PROTECTED] >:
> Hello all!!
>
> I've a problem. I need to cypher a buffer of bytes with pkcs7 format
> but I can't use certificates, I need encrypt using only a key or
> password.
>
> I have searched but I do not find anything to do it.
>
> I work with c, and the function PKCS7_encrypt() needs
> certificates...There is some another function that generates pkcs7
> format without need of certificates?
>
> If this isn't possible..., there is another PKCS format that allows to
> cipher any type of data only with a password? (PKCS5,PKCS11,PKCS12...)
>
> Someone can help me?
>
> Thank!

I think you are misunderstanding something. PKCS stands for Public Key Cryptography Standards. So, these are standards for using with public (or asymmetric) cryptography, which are based on the existence of two keys (one public and one private) ... Certificates are used to bind the public key and its holder.

Public Key Cryptography is rarely used to cipher data (is slow), but to distribute the symmetric key used for cipher/decipher. More info: http://en.wikipedia.org/wiki/Public_key_certificate

So, if you just want to encrypt some data, I guess you need symmetric cryptography. Then, you could possibly need asymmetric cryptography to distribute the key used, and for that you'll need certificates if you want to do it securely.

Saludos,
--
Jorge Fernandez
ocsp behind proxy
Hi, I want to know if an ocsp revocation check works with openssl if I'm using a proxy? Thanks, Christian Wiesbauer
Re: Segmentation fault in application creating too many threads.
Even reducing the thread stack size didn't help. I observe that the thread creation as such is not a problem. I create about 1000 threads , delay in each thread the SSL_connect for about 10 sec. Once the delay expires and each client make connections to the server the seg fault occurs.

Regards,
Prabhu. S

On 10/17/07, David Schwartz <[EMAIL PROTECTED]> wrote:
>
> > > This is really one of those "don't do that then" things.
> > > Thread-per-connection is well-known to break down at about 750
> > > connections.
>
> > Just curious at how the number 750 was calculated or deduced. And
> > is this a linux-specific limit?
>
> On Windows, it's usually more like 800 on older versions and 1,200 on newer
> versions. On Linux, it's usually around 700 if you don't monkey with the
> thread stack size and around 1,000 if you do.
>
> > Also, isn't this limit dependent on the number of available
> > CPUs/cores and system
> > memory?
>
> You would think so, but it doesn't seem to be. It depends upon exactly
> what's causing the limit and usually that's something architectural rather
> than something that scales.
>
> For example, with Linux, it's often address space. That won't be an issue on
> a 64-bit OS, but on a 32-bit OS, more cores or memory won't change it. On
> Windows, it's often architectural limits on how much memory can be locked
> for I/O or how many events can fit in the process' queue. Most likely any
> reasonable machine will already max those limits out, so more memory won't
> increase them.
>
> A user-space threading library might change the dynamics. But I wouldn't
> bother -- thread-per-connection is just wrong for too many reasons.
>
> DS
AES key changes in openssl
Hi,

I have written my own aes decrypt 256 function and I found something strange. When I use my function and AES_decrypt I have the same results. But when I use the whole openssl (I use wget with openssl support) I see that I receive different results. I suppose that there are some key changes (key->rd_key) during SSL handshake without using AES_set_decrypt_key. Can someone confirm that? If yes, why does it work that way?

Thanks,
Koza
PKCS#7 without certificates??
Hello all!!

I've a problem. I need to cypher a buffer of bytes with pkcs7 format but I can't use certificates, I need encrypt using only a key or password.

I have searched but I do not find anything to do it.

I work with c, and the function PKCS7_encrypt() needs certificates...There is some another function that generates pkcs7 format without need of certificates?

If this isn't possible..., there is another PKCS format that allows to cipher any type of data only with a password? (PKCS5,PKCS11,PKCS12...)

Someone can help me?

Thank!
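For the requirement in this post (a PKCS#7-style envelope protected by a password only), current OpenSSL releases offer a password recipient in CMS, the IETF format derived from PKCS #7, through the `-pwri_password` option of `openssl cms`. The round trip below is an added example, not part of the thread; the password, message and file names are constructed, and it assumes the `openssl` command line tool is installed.

```shell
#!/bin/sh
# Added example: password-only CMS encryption round trip, no certificates.
# Password, message and file names are constructed for the demo.

cms_password_roundtrip() {
    pw=$1
    msg=$2
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        printf '%s' "$msg" > plain.bin

        # EnvelopedData with a single password recipient; no certificate given.
        # -binary stops the S/MIME text canonicalisation from altering the data.
        openssl cms -encrypt -binary -aes-256-cbc -pwri_password "$pw" \
            -in plain.bin -outform DER -out msg.cms || exit 1

        # The result is an ordinary enveloped-data structure.
        openssl asn1parse -inform DER -in msg.cms \
            | grep -q 'pkcs7-envelopedData' || exit 1

        # The correct password recovers the plaintext byte for byte.
        openssl cms -decrypt -binary -inform DER -in msg.cms \
            -pwri_password "$pw" -out out.bin || exit 1
        cmp -s plain.bin out.bin || exit 1

        # A wrong password must be rejected.
        if openssl cms -decrypt -binary -inform DER -in msg.cms \
            -pwri_password "not-$pw" -out bad.bin 2>/dev/null; then
            exit 1
        fi
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

cms_password_roundtrip 'demo-password' 'constructed sample message' \
    && echo "round trip ok, wrong password rejected"
```

`-pwri_password` takes the password as a command-line argument, so it is visible in the process list while the command runs; a program handling real secrets would call the library instead (`CMS_add0_recipient_password()` and `CMS_decrypt_set1_password()`).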
Re: VeriSign certificate with openssl
Hi Dennis,

you want (maybe)

hth,
Wolfgang

Dennis Kim wrote:
> Hi All,
> verify error:num=2:unable to get issuer certificate
> issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority'
> verify return:0