Error loading CA private key
Hello,

I am running the following commands for setting up OpenLDAP with OpenSSL, and getting the error listed below. Please help. Also, I checked out changing the openssl.cnf line to:

    private_key = $dir/private/cakey.pem   # The private key

    [EMAIL PROTECTED] misc]# ./CA.pl -newca
    CA certificate filename (or enter to create)
    Mail server, CSE
    [EMAIL PROTECTED] misc]# ls
    CA.pl  CA.sh  c_hash  c_info  c_issuer  c_name  demoCA
    [EMAIL PROTECTED] misc]# openssl req -newkey rsa:1024 -nodes -days 365 -keyout newreq.pem -out newreq.pem
    Generating a 1024 bit RSA private key
    ...++
    .++
    writing new private key to 'newreq.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:IN
    State or Province Name (full name) [Some-State]:Maharashtra
    Locality Name (eg, city) []:Mumbai
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [EMAIL PROTECTED] misc]# ./CA.pl -sign
    Using configuration from /usr/local/openssl/openssl.cnf
    unable to load CA private key
    14024:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE KEY
    Signed certificate is in newcert.pem

thanks and regards,
Suresh

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                                [EMAIL PROTECTED]
Fwd: [Fwd: Re: How to handle dead sessions with SSL_write]
From: Gayathri Sundar [EMAIL PROTECTED]
Date: Fri, Feb 29, 2008 at 9:35 AM
Subject: [Fwd: Re: How to handle dead sessions with SSL_write]

-------- Original Message --------
Subject: Re: How to handle dead sessions with SSL_write
From: Gayathri Sundar [EMAIL PROTECTED]
Date: Fri, February 29, 2008 7:34 am
To: openssl-users@openssl.org
--

Hello,

It is the job of TCP to return to SSL that the underlying FD is closed. If you attempt to do a socket write on an invalid FD then some -ve value will be returned with errno set appropriately. Make sure you select on POLLINVAL and POLLERR, so that SSL_write is first of all not even called in your case. SSL does not take care of FD timeouts; it should be taken care of by the application making use of SSL. Nothing special is required, just start a timer every time you establish a new TCP connection and restart it each time some data is sent over that. What you're facing is a TCP issue and not SSL. Find out why TCP returns valid bytes to SSL_write indicating that some bytes were written on that socket.

Thanks
--Gayathri

> I am developing a client/server app and the client should be mobile, thus the connection can be easily lost. The problem is that I can't find a way to detect this loss of connection with OpenSSL. For example, I send a request to the server from the client and immediately remove the cable from the client laptop. The connection disappears, but SSL_write, which the server uses, keeps returning positive values. It looks like OpenSSL thinks there is congestion in the network or something like that, thus it tries to resend the packet again and again. Also it looks like there is no SSL timeout, because the server has been sending data for 2 minutes without even trying to assume that the connection is down. Does anybody know how to deal with such scenarios? Thanks in advance.
>
> --
> Sergey
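As an added illustration of the advice above (not code from the original thread): a pre-write check that polls the fd for error and hang-up conditions and enforces an application idle timer, so SSL_write is never called on a connection the application already knows is dead. An AF_UNIX socketpair stands in for the TCP connection so it runs offline; conn_watch, conn_precheck and the demo_* functions are names chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

enum conn_state { CONN_OK = 0, CONN_DEAD = -1, CONN_IDLE_TIMEOUT = -2 };

/* Per-connection bookkeeping: the fd and when it last moved data. */
struct conn_watch {
    int fd;
    time_t last_activity;  /* CLOCK_MONOTONIC seconds */
    time_t idle_limit;     /* seconds of silence tolerated */
};

static time_t mono_now(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec;
}

void conn_watch_init(struct conn_watch *w, int fd, time_t idle_limit) {
    w->fd = fd;
    w->idle_limit = idle_limit;
    w->last_activity = mono_now();
}

/* Call after every successful read or write: this is the timer restart. */
void conn_watch_touch(struct conn_watch *w) { w->last_activity = mono_now(); }

/* Decide whether SSL_write may be attempted on w->fd at time `now`.
 * POLLNVAL: fd not open. POLLERR/POLLHUP: socket error or peer gone.
 * None of these fire for a peer that silently vanished (pulled cable);
 * TCP just keeps retransmitting, so the idle timer is checked as well. */
int conn_precheck(const struct conn_watch *w, time_t now) {
    struct pollfd p = { .fd = w->fd, .events = POLLOUT, .revents = 0 };
    if (poll(&p, 1, 0) < 0 || (p.revents & (POLLERR | POLLHUP | POLLNVAL)))
        return CONN_DEAD;              /* zero timeout: never blocks */
    if (now - w->last_activity > w->idle_limit)
        return CONN_IDLE_TIMEOUT;
    return CONN_OK;
}

/* Scenario 1: the peer closes. poll() reports it, so SSL_write is skipped.
 * An AF_UNIX socketpair stands in for the TCP connection. Returns 1 if the
 * live connection passed and the dead one was caught. */
int demo_peer_closed(void) {
    int sv[2], before, after;
    struct conn_watch w;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    conn_watch_init(&w, sv[0], 60);
    before = conn_precheck(&w, mono_now());  /* peer alive */
    close(sv[1]);                            /* peer goes away */
    after = conn_precheck(&w, mono_now());   /* POLLHUP now set */
    close(sv[0]);
    return before == CONN_OK && after == CONN_DEAD;
}

/* Scenario 2: the peer is still "connected" but silent, the pulled-cable
 * case. Only the application timer catches it. Returns 1 if it does. */
int demo_idle_timeout(void) {
    int sv[2], r;
    struct conn_watch w;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 0;
    conn_watch_init(&w, sv[0], 30);
    r = conn_precheck(&w, w.last_activity + 31);  /* 31 s of silence */
    close(sv[0]); close(sv[1]);
    return r == CONN_IDLE_TIMEOUT;
}
```

In a real server the check runs right before each SSL_write and conn_watch_touch after each successful SSL_read or SSL_write; a half-closed TCP peer shows up as readable with a zero-byte read rather than as POLLHUP, so the read path needs its own end-of-stream handling.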
OpenSSL error:
Hi, I am getting the following error when I run the command:

    gcc -o client client.o -lcrypto -lssl
    In function 'main':
    undefined reference to 'init_OpenSSL'
    undefined reference to 'handle_error'

What should I do? Please help!
FIPS for WinCE
Hi,

I am currently attempting to build a version of the OpenSSL library for WinCE with FIPS enabled (non-FIPS works great :-) ). The version I am using is 0.9.8f from openssl-fips-1.1.2.

So the main question I was hoping to get answered before I spend more time trying to make it work is whether it is even possible to have FIPS-enabled OpenSSL on the WinCE platform? In the FIPS 1.1.1 documentation it mentions that Windows CE is not a supported platform but doesn't mention a reason.

Also, if someone has gotten it to work then any additional information regarding this is greatly appreciated.

Thank you for your help on this!

Best regards,
Jari Niskala
Has anybody already made a DTLS renegotiation?
When the server receives a ClientHello as a response to the HelloRequest, the message sequence number (msg_hdr.seq) doesn't match the expected value (d1->handshake_read_seq). The code where we verify it is in the d1_both.c file, at line 645 of the openssl-0.9.8g release.

Thanks,
João Pedro Patriarca
Error reading certificate request in newreq.pem
Hi all,

Now I am trying to install a client-side certificate for OpenLDAP, which is on another machine (than LDAP). I am using the same CA which we created for the server. The PATH variable was set correctly.

When I run the following command:

    /usr/local/ssl/misc/CA.sh -sign

it is asking for a PEM pass phrase, which I entered the same as for our server (because we are using the same CA cert as the server for the client as well). Then it is giving the following error:

    Error reading certificate request in newreq.pem
    3308:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: CERTIFICATE REQUEST
    Signed certificate is in newcert.pem

Also, the result of the certificate request command is newreq.pem, which is there in the same directory.

Anyone please help me soon... This is really urgent.

Padmavathi Devi T
Tata Consultancy Services
Mailto: [EMAIL PROTECTED]
Website: http://www.tcs.com
Re: FIPS for WinCE
Jari Niskala wrote:
> So the main question I was hoping to get answered before I spend more time trying to make it work is whether it is even possible to have FIPS-enabled OpenSSL on the WinCE platform? In the FIPS 1.1.1 documentation it mentions that Windows CE is not a supported platform but doesn't mention a reason.

Well, Andy Polyakov is the expert on that topic and the source of that assertion in the User Guide, but as I recall the issue is that WinCE requires cross-compilation. The fipsld step of generating the in-core digest is dependent on the ability to execute the binary in the target environment, and hence is generally not possible when cross-compiling.

-Steve M.

--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]
Re: Definition of ECDSA_SIG_seq_tt
On Sun, Mar 02, 2008, Skanda Nagaraja wrote:
> Hi,
>
> I am trying to port some ECDSA-specific code from OpenSSL. A structure named ECDSA_SIG_seq_tt gets called by another structure ECDSA_SIG_it. These two structures are used in crypto/asn1/tasn_enc.c and crypto/asn1/tasn_dec.c. Is it possible that some pointers be given on the definition of this (ECDSA_SIG_seq_tt) structure? Thanks. Any help would be appreciated.

That structure is part of an ASN1 module. It is defined in crypto/ecdsa/ecs_asn1.c

The purpose is to translate the BIGNUM version of the signature (r, s values) into the DER version.

If you don't need that you can avoid that structure altogether, but you'll have to remove any appropriate ASN1 encode/decode routines.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
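To make concrete what that ASN1 module does, here is an added example (not OpenSSL's code) that encodes an ECDSA signature's r and s magnitudes into the DER ECDSA-Sig-Value SEQUENCE and parses it back strictly, rejecting negative, non-minimal and trailing bytes. The function names and EC_MAX_BYTES are chosen here; the sample values in the test are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EC_MAX_BYTES 66   /* largest field element handled (P-521) */

/* Emit one DER INTEGER from an unsigned big-endian magnitude: drop leading
 * zeros, prepend 0x00 if the top bit is set. Returns bytes written, 0 on error. */
static size_t der_put_uint(uint8_t *out, size_t cap, const uint8_t *mag, size_t len) {
    while (len > 1 && mag[0] == 0) { mag++; len--; }
    if (len == 0 || len > EC_MAX_BYTES) return 0;
    size_t pad = (mag[0] & 0x80) ? 1 : 0, clen = len + pad;
    if (cap < 2 + clen) return 0;
    out[0] = 0x02;             /* INTEGER tag; clen <= 67 so short-form length */
    out[1] = (uint8_t)clen;
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, mag, len);
    return 2 + clen;
}

/* Parse one DER INTEGER into a magnitude without its sign pad. Rejects
 * negative, non-minimal or oversized values. Returns bytes consumed, 0 on error. */
static size_t der_get_uint(const uint8_t *in, size_t len, uint8_t *mag, size_t *maglen) {
    if (len < 3 || in[0] != 0x02 || in[1] == 0 || in[1] > 127 || 2u + in[1] > len)
        return 0;
    const uint8_t *v = in + 2; size_t vlen = in[1];
    if (v[0] & 0x80) return 0;                 /* negative: never a valid r or s */
    if (vlen > 1 && v[0] == 0) {               /* leading 0x00 is a sign pad ... */
        if (!(v[1] & 0x80)) return 0;          /* ... unless non-minimal: reject */
        v++; vlen--;
    }
    if (vlen > EC_MAX_BYTES) return 0;
    memcpy(mag, v, vlen);
    *maglen = vlen;
    return 2 + (size_t)in[1];
}

/* ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }   (RFC 3279 2.2.3)
 * Magnitudes in, DER out. Returns total length, 0 on error. */
size_t ecdsa_sig_to_der(uint8_t *out, size_t cap, const uint8_t *r, size_t rlen,
                        const uint8_t *s, size_t slen) {
    uint8_t body[2 * (2 + 1 + EC_MAX_BYTES)];
    size_t n = der_put_uint(body, sizeof body, r, rlen);
    if (n == 0) return 0;
    size_t m = der_put_uint(body + n, sizeof body - n, s, slen);
    if (m == 0) return 0;
    size_t blen = n + m, hdr = blen < 128 ? 2 : 3;   /* P-521 needs long form */
    if (cap < hdr + blen) return 0;
    out[0] = 0x30;                                    /* SEQUENCE tag */
    if (hdr == 2) out[1] = (uint8_t)blen;
    else { out[1] = 0x81; out[2] = (uint8_t)blen; }
    memcpy(out + hdr, body, blen);
    return hdr + blen;
}

/* Inverse direction; rejects trailing bytes. Returns 1 on success, 0 on error. */
int ecdsa_sig_from_der(const uint8_t *in, size_t len, uint8_t *r, size_t *rlen,
                       uint8_t *s, size_t *slen) {
    size_t hdr, blen, n, m;
    if (len < 2 || in[0] != 0x30) return 0;
    if (in[1] < 128) { hdr = 2; blen = in[1]; }
    else if (in[1] == 0x81 && len >= 3 && in[2] >= 128) { hdr = 3; blen = in[2]; }
    else return 0;
    if (hdr + blen != len) return 0;
    n = der_get_uint(in + hdr, blen, r, rlen);
    if (n == 0) return 0;
    m = der_get_uint(in + hdr + n, blen - n, s, slen);
    return m != 0 && n + m == blen;
}
```

The strictness on decode matters: a verifier that accepts non-minimal integers or trailing bytes lets several distinct encodings map to one valid signature, which is the kind of encoding ambiguity that has caused consensus and replay bugs in systems that key on the signature bytes.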
gLite proxy certificate support.
Hello.

I'm trying to use gLite (VOMS) proxy certificates with CN=proxy at the subject tail and an X509v3 Key Usage extension to authenticate a client to a server. Plain certificates signed by the CA work well. When I'm trying to use a gLite-generated proxy certificate, the server responds "Unknown ca" (verification error 20). I use X509_STORE_set_flags(x509_store, X509_V_FLAG_ALLOW_PROXY_CERTS) for the server security context. My OpenSSL version is 0x0090807fL.

Does anybody know how to use grid proxy certificates in the right way? Has anybody tried http://www.openssl.org/docs/HOWTO/proxy_certificates.txt to use gLite proxies?

Thank you.
Vladimir.
Re: gLite proxy certificate support.
On Mon, Mar 03, 2008 at 06:31:47PM +0300, Vladimir Voznesensky wrote:
> Hello.
>
> I'm trying to use gLite (VOMS) proxy certificates with CN=proxy at the subject tail and an X509v3 Key Usage extension to authenticate a client to a server. Plain certificates signed by the CA work well. When I'm trying to use a gLite-generated proxy certificate, the server responds "Unknown ca" (verification error 20). I use X509_STORE_set_flags(x509_store, X509_V_FLAG_ALLOW_PROXY_CERTS) for the server security context. My OpenSSL version is 0x0090807fL.
>
> Does anybody know how to use grid proxy certificates in the right way? Has anybody tried http://www.openssl.org/docs/HOWTO/proxy_certificates.txt to use gLite proxies?

What are you using to create the proxy certificate? voms-proxy-init?

-Ian

> Thank you.
> Vladimir.
Re: gLite proxy certificate support.
In message [EMAIL PROTECTED] on Mon, 03 Mar 2008 18:31:47 +0300, Vladimir Voznesensky [EMAIL PROTECTED] said:

vovic> Hello.
vovic>
vovic> I'm trying to use gLite (VOMS) proxy certificates with CN=proxy at the subject tail and an X509v3 Key Usage extension to authenticate a client to a server.
vovic> Plain certificates signed by the CA work well.
vovic> When I'm trying to use a gLite-generated proxy certificate, the server responds "Unknown ca" (verification error 20).
vovic> I use X509_STORE_set_flags(x509_store, X509_V_FLAG_ALLOW_PROXY_CERTS) for the server security context.
vovic> My OpenSSL version is 0x0090807fL.
vovic>
vovic> Does anybody know how to use grid proxy certificates in the right way?
vovic> Has anybody tried
vovic> http://www.openssl.org/docs/HOWTO/proxy_certificates.txt
vovic> to use gLite proxies?

OpenSSL supports proxy certificates according to RFC 3820, and thus requires that there is a proxyCertInfo extension for a certificate to be accepted as such. You're talking about older-style proxy certificates, which have not been implemented in OpenSSL, and quite honestly, I hope no one does.

Cheers,
Richard

--
Richard Levitte                         [EMAIL PROTECTED]
                                        http://richard.levitte.org/

"When I became a man I put away childish things, including
 the fear of childishness and the desire to be very grown up."
                                                -- C.S. Lewis
How can I create libeay32.dll and ssleay32.dll with Visual Studio 2005?
Hello,

I hope to create libeay32.dll and ssleay32.dll with Visual Studio 2005. But I don't know how to do it.

Please help me!
openssl.cnf - two questions
Dear people,

1. I seem to remember that you could place an include statement in the openssl.cnf file. I wonder if I am mistaken, since that does not work.

2. Secondly, is there a proper description of the contents of the openssl.cnf file, especially with the specific openssl.cnf words? The distributed openssl.cnf is quite outdated (it still uses nsComment and the like) and the statements used are not always clear.

Thanks for any positive advice.

Frans de Boer.
Re: gLite proxy certificate support.
Ian,

I use glite-voms-proxy-init, but it seems to be the same tool as voms-proxy-init.

Ian Alderman wrote:
> On Mon, Mar 03, 2008 at 06:31:47PM +0300, Vladimir Voznesensky wrote:
>> Hello.
>>
>> I'm trying to use gLite (VOMS) proxy certificates with CN=proxy at the subject tail and an X509v3 Key Usage extension to authenticate a client to a server. Plain certificates signed by the CA work well. When I'm trying to use a gLite-generated proxy certificate, the server responds "Unknown ca" (verification error 20). I use X509_STORE_set_flags(x509_store, X509_V_FLAG_ALLOW_PROXY_CERTS) for the server security context. My OpenSSL version is 0x0090807fL.
>>
>> Does anybody know how to use grid proxy certificates in the right way? Has anybody tried http://www.openssl.org/docs/HOWTO/proxy_certificates.txt to use gLite proxies?
>
> What are you using to create the proxy certificate? voms-proxy-init?
>
> -Ian
Re: How can I create libeay32.dll and ssleay32.dll with Visual Studio 2005?
You can either build these from the source, or get the binaries.

If you prefer to build from the source, download the source from http://www.openssl.org/source and read INSTALL.W32

If you prefer to get the precompiled libraries, you can get them from http://www.openssl.org/related/binaries.html

HTH
~ Urjit

----- Original Message -----
From: learning openssl
To: openssl-users@openssl.org
Sent: Tuesday, March 04, 2008 1:59 AM
Subject: How can I create libeay32.dll and ssleay32.dll with Visual Studio 2005?

> Hello,
>
> I hope to create libeay32.dll and ssleay32.dll with Visual Studio 2005. But I don't know how to do it.
>
> Please help me!
Re: gLite proxy certificate support.
Dear Richard,

Does OpenSSL accept the 1.3.6.1.4.1.3536.1.222 extension as proxyCertInfo in CN=1234567890 proxies?

Thanks.

Richard Levitte wrote:
> In message [EMAIL PROTECTED] on Mon, 03 Mar 2008 18:31:47 +0300, Vladimir Voznesensky [EMAIL PROTECTED] said:
>
> vovic> Hello.
> vovic>
> vovic> I'm trying to use gLite (VOMS) proxy certificates with CN=proxy at the subject tail and an X509v3 Key Usage extension to authenticate a client to a server.
> vovic> Plain certificates signed by the CA work well.
> vovic> When I'm trying to use a gLite-generated proxy certificate, the server responds "Unknown ca" (verification error 20).
> vovic> I use X509_STORE_set_flags(x509_store, X509_V_FLAG_ALLOW_PROXY_CERTS) for the server security context.
> vovic> My OpenSSL version is 0x0090807fL.
> vovic>
> vovic> Does anybody know how to use grid proxy certificates in the right way?
> vovic> Has anybody tried
> vovic> http://www.openssl.org/docs/HOWTO/proxy_certificates.txt
> vovic> to use gLite proxies?
>
> OpenSSL supports proxy certificates according to RFC 3820, and thus requires that there is a proxyCertInfo extension for a certificate to be accepted as such. You're talking about older-style proxy certificates, which have not been implemented in OpenSSL, and quite honestly, I hope no one does.
>
> Cheers,
> Richard
Re: gLite proxy certificate support.
I've tried. It seems not to be supported.

Ok, thank you.

Vladimir Voznesensky wrote:
> Dear Richard,
>
> Does OpenSSL accept the 1.3.6.1.4.1.3536.1.222 extension as proxyCertInfo in CN=1234567890 proxies?
>
> Thanks.
>
> Richard Levitte wrote:
>> In message [EMAIL PROTECTED] on Mon, 03 Mar 2008 18:31:47 +0300, Vladimir Voznesensky [EMAIL PROTECTED] said:
>>
>> vovic> Hello.
>> vovic>
>> vovic> I'm trying to use gLite (VOMS) proxy certificates with CN=proxy at the subject tail and an X509v3 Key Usage extension to authenticate a client to a server.
>> vovic> Plain certificates signed by the CA work well.
>> vovic> When I'm trying to use a gLite-generated proxy certificate, the server responds "Unknown ca" (verification error 20).
>> vovic> I use X509_STORE_set_flags(x509_store, X509_V_FLAG_ALLOW_PROXY_CERTS) for the server security context.
>> vovic> My OpenSSL version is 0x0090807fL.
>> vovic>
>> vovic> Does anybody know how to use grid proxy certificates in the right way?
>> vovic> Has anybody tried
>> vovic> http://www.openssl.org/docs/HOWTO/proxy_certificates.txt
>> vovic> to use gLite proxies?
>>
>> OpenSSL supports proxy certificates according to RFC 3820, and thus requires that there is a proxyCertInfo extension for a certificate to be accepted as such. You're talking about older-style proxy certificates, which have not been implemented in OpenSSL, and quite honestly, I hope no one does.
>>
>> Cheers,
>> Richard
Re: how to decrypt encrypted PKCS8 with NULL byte (0x00) in binary password
Thank you for your quick response :). But passing in passwords with '-passin file:something.txt' causes problems with newlines in the password. OpenSSL reads only the first line :( and that will turn the NULL-byte problem into a NEWLINE problem.

Any other suggestions?

Thanks in advance :)
Fabian

> You can make openssl read the password from a file:
>
>     -passin file:something.txt
>
> Should do the trick.
>
> Regards,
> Grzegorz
>
> On Sat, Mar 1, 2008 at 7:49 PM, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> Hello
>>
>> I've got problems decrypting a PKCS8-encrypted private key with the openssl application (not library), because the password is binary and contains NULL bytes (0x00). The PKCS8 object is valid.
>>
>> sample password: (hex) '0A 0B 91 00 17 F4 8E 4D FA BD 31 3D 72 43 ED A1'
>>
>> sample cmd:
>>     passwd=`cat 'binary_password_file.bin'`   (cat as example, also used other ways)
>>     export passwd
>>     openssl pkcs8 -in filename.pkcs8 -inform DER -passin env:passwd -outform DER
>>
>> (Using '-passin file:passwdfile' or '-passin stdin' causes problems with 0x0A, because these options read only the first line)
>>
>> Platforms: Windows and Unix, and I prefer not to write a C program to use the openssl library.
>>
>> Can anyone help me to decrypt a pkcs8-encrypted RSA key using a password which contains NULL bytes ... please :)?
>>
>> thx
>> Fabian