how to create Certificate chain
I want to know the steps to create a certificate chain using the openssl command prompt. Kindly tell me the step by step instructions to do so.
--
View this message in context: http://www.nabble.com/how-to-create-Certificate-chain-tp19722970p19722970.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
How to convert certificate from .pem to .der format
I want to know the openssl APIs to convert a certificate from .pem to .der format. I know about the openssl command which does the same. But can you tell me how to do it in a C program using openssl or any other method?
CA.pl resign certificate problem
Hi, If I'd like to sign a certificate for a server for which I had previously signed a certificate with a different server key how can I do this from the same CA using the builtin CA.pl script? It has saved something about the first time that a cert was signed for server x and now just gives an error if I try and sign a new cert for the same FQDN, what do I need to clean out? Reason being, I have lost the original host and wish to create a new server, with new server key but using the original FQDN... thanks for any ideas, Andy.
OpenSSL Version Compatibility issues
Hi, I am facing issues in running my application on two different Linux distributions having different OpenSSL versions. The application “foo” is built on SUSE 9 and is intended to be executed on RHEL 4, 5, SUSE 9 and 10. The application “foo” links implicit dynamic with OpenSSL libraries on the SUSE 9, OpenSSL version here is 0.9.7d. When I try to run the application on RHEL 5, wherein the OpenSSL version is 0.9.8b, I am getting the following error.

=== Error Log
*** glibc detected *** /bin/foo: free(): invalid pointer: 0x0a0fbfd0 ***
Re: question about dtls server with multiple client
Hi, I have exactly the same problem as you. Did you make any progress with this problem? I have some simple results of my experiments with this problem. When one connection between server and client is established and another client tries to connect, then SSL_read(ssl_01) returns error: SSL_ERROR_WANT_READ. But when I try to accept this attempt with SSL_accept(ssl_02), then this function call fails and returns error: SSL_ERROR_SSL. I hope it will not be necessary to have an extra socket for every DTLS connection. Any documentation for using DTLS with OpenSSL library is really missing.

Best Regards, Jiri

> Hi all, I am trying to implement a simple client-server application over UDP/DTLS with one server handling multiple clients. I found the simple server-client sample code for dtls, but haven't been able to figure out how a single server listening on a specific port can handle multiple client requests to that port. I guess server reads data from socket using 'SSL_read'. How does it figure out from which client the packet has come? What is the best way for server to store/handle multiple SSL information of each client? I have been stuck with this problem for some time now. And I would really appreciate it if anybody can throw some light on it.
> Thanking you, bikcupid
query regarding Fedora and SSL
Hi All, I am using Fedora Linux. How to determine the kind of sockets that the SSL code uses? I need to work on those sockets. And then how to know the socket calls that are specific to Fedora version of Linux? Regards, Prashanth
Article on PKI and OpenSSL
Hello, my name is Alessandro Tani, together with my colleague Iarno Pagliani, we made a guide (http://www.homeworks.it/Html/OpenSSL_PKI_Articolo_Eng.html) on how to create a PKI infrastructure with OpenSSL on Debian platform, to provide digital certificates for programs like Postfix, Courier, Apache and people to be able to digitally sign and encrypt their emails. We'd love to know your opinion about the article we have achieved. We apologize right now for our English, if you find errors or inaccuracies, both in the article and in the language, we would be very grateful if you could have the report. We will immediately fix the inaccuracies. You can find our article on URL: http://www.homeworks.it/Html/OpenSSL_PKI_Articolo_Eng.html Thank you very much, Alessandro Tani -- Alessandro Tani Via Maria del Rio, 3 - 42100 Reggio Emilia (ITALY) Email: [EMAIL PROTECTED] Tel: +39 0522 337434 - Mobile: +39 388 1884341 Internet: http://www.homeworks.it
Re: Article on PKI and OpenSSL
On Tue September 30 2008, Alessandro Tani wrote:
> Hello, my name is Alessandro Tani, together with my colleague Iarno Pagliani, we made a guide (http://www.homeworks.it/Html/OpenSSL_PKI_Articolo_Eng.html) on how to create a PKI infrastructure with OpenSSL on Debian platform, to provide digital certificates for programs like Postfix, Courier, Apache and people to be able to digitally sign and encrypt their emails. We'd love to know your opinion about the article we have achieved. We apologize right now for our English, if you find errors or inaccuracies, both in the article and in the language, we would be very grateful if you could have the report. We will immediately fix the inaccuracies. You can find our article on URL: http://www.homeworks.it/Html/OpenSSL_PKI_Articolo_Eng.html

I did notice one thing - You have a 16 year certificate - Later you suggest using a USB stick to hold it - USB sticks only have a reliable data retention period of ten years. Add to your administrative routine the task of reading that USB stick every 5 years and re-writing it to a new stick.

Mike

> Thank you very much, Alessandro Tani
Installation Steps for OpenSSL on AIX Unix
Greetings, We would like to install the latest stable version of the OpenSSL software on our AIX 5.3 Unix server to support a product known as Cloverleaf Integrator (an interface engine). We have downloaded a tarball from the official OpenSSL website and opened it up using Winzip. We cannot find any explicit installation instructions for our Unix platform. At least it is not apparent at this point. Please advise. Thank you. Bob Richardson Allina Hospitals and Clinics IS Data Integration - Cloverleaf Phone: 612-262-0041 CDT This message contains information that is confidential and may be privileged. Unless you are the addressee (or authorized to receive for the addressee), you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received the message in error, please advise the sender by reply e-mail and delete the message.
Client Certificates
Hello all, I'm having a little trouble testing out some web services for a client. They have provided us with a couple of pfx certificate files to allow us to authenticate to their web servers. I can import this into IE and connect to the site without any trouble but when I try and use s_client I get handshake errors. I'm using the following command:

openssl s_client -connect weburl.com/pageIWant:443 -cert TEST35.pem

and get the following.

Loading 'screen' into random state - done
CONNECTED(0694)
depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU =www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:0
3704:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:.\ssl\s3_pkt.c:1057:SSL alert number 48
3704:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188:

I've converted the pfx to a pem with whichever command Google gave me. I'm guessing that this is a problem with the client certificate rather than the server certificate. Does anyone have any pointers? I've had a good Google around and can't quite seem to find anything specific. Many thanks in advance. Felix
Re: Installation Steps for OpenSSL on AIX Unix
I think you are attempting to install from the source code. This installation is highly platform dependent and varies from platform to platform. Having said that, OpenSSL uses the GNU make system. The basic steps are:

Unzip/untar
Enter new directory
Run ./configure
Run make
Run make install

Personally I would guess IBM has a better option, I would talk to them 1st.
Trouble with bidirectional shutdown
I have an application which is occasionally hanging. I have tracked it down to an SSL_shutdown call. The value (0) returned from the shutdown call indicates that the shutdown is not finished. The shutdown man page indicates that a second call to SSL_shutdown should cause a bidirectional shutdown, and I thought this is indeed what the application calls for. However, when I make the second call to SSL_shutdown, the value returned is still 0 (shutdown not finished) rather than 1 (shutdown complete) or -1 (shutdown not successful). Is this recently added behavior? Does the SSL handle need to have certain properties in order to get a bidirectional shutdown? -- Solveig Viste Instantiations VA Smalltalk Support
Re: How to convert certificate from .pem to .der format
praveens wrote:
> I want to know the openssl APIs to convert a certificate from .pem to .der format. I know about the openssl command which does the same. But can you tell me how to do it in a C program using openssl or any other method?

Hi, load your x509 file using

    loaded = PEM_read_X509(f, NULL, NULL, NULL); // load in pem

with f = fopen(filename, "rb"); and loaded an X509*.

Save it:

    BIO *out = NULL;
    if ((out = BIO_new(BIO_s_file())) == NULL)
        return -1;
    if (BIO_write_filename(out, filename2) <= 0)
        return -1;
    if (!i2d_X509_bio(out, loaded)) // save it in der.
        return -1;
    BIO_free(out); // flush and close the der file
    return 0; // success

filename is the file's name of pem certificate, filename2 is the file's name for der certificate.

(joke)You can also use syscall (/joke)
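The conversion discussed in this thread, as an added example that is not part of the original posts and is not OpenSSL code: a PEM certificate is the base64 encoding of the DER bytes between the BEGIN/END lines, so stripping the armor and decoding gives the .der content without the library. The names pem_cert_to_der, der_is_single_sequence and SAMPLE_PEM are hypothetical, and the sample is a constructed 5-byte SEQUENCE, not a real certificate.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: armor around base64 of the 5 DER bytes 30 03 02 01 05
 * (SEQUENCE { INTEGER 5 }); it is not a real certificate. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\nMAMC\nAQU=\n"
    "-----END CERTIFICATE-----\n";

/* Map one base64 character to its 6-bit value, or -1 if not in the alphabet. */
static int b64val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* 1 if buf is exactly one SEQUENCE TLV whose length field matches len.
 * Only the outer header is checked; this is not a full X.509 parser. */
static int der_is_single_sequence(const unsigned char *buf, size_t len)
{
    size_t hdr = 2, body = 0, n, i;
    if (len < 2 || buf[0] != 0x30) return 0;
    if (buf[1] < 0x80) {
        body = buf[1];                        /* short-form length */
    } else {
        n = buf[1] & 0x7f;                    /* long form: n length bytes */
        if (n == 0 || n > 4 || len < 2 + n) return 0;
        for (i = 0; i < n; i++) body = (body << 8) | buf[2 + i];
        hdr += n;
    }
    return body == len - hdr;
}

/* Decode the first CERTIFICATE block in pem into der[der_cap].
 * Returns the DER length, or -1 on malformed input or a too-small buffer. */
long pem_cert_to_der(const char *pem, unsigned char *der, size_t der_cap)
{
    static const char BEGIN[] = "-----BEGIN CERTIFICATE-----";
    static const char END[] = "-----END CERTIFICATE-----";
    const char *p = strstr(pem, BEGIN), *end;
    unsigned long acc = 0;
    size_t n = 0, data = 0, pad = 0;
    int bits = 0, v = 0;

    if (p == NULL) return -1;
    p += sizeof(BEGIN) - 1;
    if ((end = strstr(p, END)) == NULL) return -1;

    for (; p < end; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '\r' || c == '\n' || c == ' ' || c == '\t') continue;
        if (c == '=') { pad++; continue; }
        if (pad || (v = b64val(c)) < 0) return -1;  /* data after '=', or junk */
        data++;
        acc = (acc << 6) | (unsigned long)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= der_cap) return -1;
            der[n++] = (unsigned char)(acc >> bits);
            acc &= (1UL << bits) - 1;               /* keep only unread bits */
        }
    }
    /* Padding must complete the last 4-character group and leave no stray bits. */
    if ((data + pad) % 4 != 0 || pad > 2 || acc != 0) return -1;
    return der_is_single_sequence(der, n) ? (long)n : -1;
}

int main(void)
{
    unsigned char der[64];
    long n = pem_cert_to_der(SAMPLE_PEM, der, sizeof der), i;
    if (n < 0) { puts("malformed PEM"); return 1; }
    for (i = 0; i < n; i++) printf("%02x ", der[i]);
    putchar('\n');
    return 0;
}
```

The decoder rejects input it cannot account for (stray characters, bad padding, a length header that disagrees with the decoded size) instead of writing a truncated .der file.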
Re: How to convert certificate from .pem to .der format
There is an apps directory in the openssl source tarball. That is a good starting point to dig for the APIs you're looking for. -ugen
Re: Installation Steps for OpenSSL on AIX Unix
Hello,

[EMAIL PROTECTED] wrote on 09/30/2008 03:34:28 PM:
> Greetings, We would like to install the latest stable version of the OpenSSL software on our AIX 5.3 Unix server to support a product known as Cloverleaf Integrator (an interface engine). We have downloaded a tarball from the official OpenSSL website and opened it up using Winzip. We cannot find any explicit installation instructions for our Unix platform. At least it is not apparent at this point.

If you want to compile your own version of OpenSSL you may try:

(32-bit version with gcc)
$ gzip -dc openssl-0.9.8e.tar.gz | tar xf -
$ cd openssl-0.9.8e
$ ./Configure threads --prefix=/usr/local/security/openssl-0.9.8e aix-gcc
$ make
$ make test
$ make install
$ file apps/openssl
apps/openssl: executable (RISC System/6000) or object module not stripped

(64-bit version with gcc)
$ gzip -dc openssl-0.9.8e.tar.gz | tar xf -
$ cd openssl-0.9.8e
$ ./Configure threads --prefix=/usr/local/security/openssl-0.9.8e aix64-gcc -maix64
$ make
$ make test
$ make install
$ file apps/openssl
apps/openssl: 64-bit XCOFF executable or object module not stripped

(32-bit version with IBM XL C)
$ ./Configure threads --prefix=/usr/local/security/openssl-0.9.8e aix-cc
$ file apps/openssl
apps/openssl: executable (RISC System/6000) or object module not stripped

(64-bit version with IBM XL C)
$ ./Configure threads --prefix=/usr/local/security/openssl-0.9.8e aix64-cc
$ file apps/openssl
apps/openssl: executable (RISC System/6000) or object module not stripped

or you may download current binary distribution from: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp and then:

# pwd
/var/tmp/sw
# mkdir openssl; cd openssl
# gzip -dc ../openssl.9.8.601.tar.Z | tar xvf -
# installp -ac -Y -d /var/tmp/sw/openssl all

Best regards, -- Marek Marcola [EMAIL PROTECTED]
RE: Installation Steps for OpenSSL on AIX Unix
Thank you for your excellent suggestions. I will pass these on to our Unix Admin group here at Allina. Bob Richardson Allina Hospitals and Clinics IS Data Integration - Cloverleaf Phone: 612-262-0041
Error Encrypting Symmetric key with RSA Public Key
Hi group, I have written a simple program to test my understanding of the OpenSSL APIs. And of course I have a problem with one of them. My problem is that when I use RSA_public_encrypt to encrypt my Symmetric key I get the following error:

Testing RSA encryption of Symmertic key 145 Encrypt In bytes: 128, 149 Encript failed: Code: 67555438 error:0406D06E rsa routines:RSA_padding_add_PKCS1_type_2 data too large for key size

The program first generates a Symmetric key, then uses it to encrypt and decrypt some simple text that the user inputs. Next it creates an RSA Key and a public RSA key, then the same with these keys. The last thing tested is the encryption of the Symmetric Key using the RSA keys which fails. The error message does not make any sense to me since the Sym key is only 128 bytes. I would appreciate any help with my problem. All of the code is here: http://64.124.13.3/_OpenSSL_/Keys/ Thanks for your time. -- William Estrada [EMAIL PROTECTED] Mt-Umunhum-Wireless.net ( http://Mt-Umunhum-Wireless.net ) Ymessenger: MrUmunhum
RE: Error Encrypting Symmetric key with RSA Public Key
The answer is in: "data too large for key size". According to Secure Programming Cookbook, when using RSA PKCS #1 v1.5 padding you can only encrypt messages up to 11 bytes smaller than the modulus size in bytes. If you are using RSA-1024, then that is (1024/8)-11=117 bytes. Bill
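Where the 11 bytes in the reply above come from, as an added example that is not code from the thread or from OpenSSL: it builds the PKCS #1 v1.5 encryption block by hand for a 1024-bit modulus and refuses the 128-byte key from the original post. The function names are hypothetical, and /dev/urandom is assumed as the source of the padding bytes.

```c
#include <stdio.h>
#include <string.h>

/* PKCS #1 v1.5 encryption block for a k-byte modulus:
 *   EM = 0x00 || 0x02 || PS || 0x00 || M
 * PS is at least 8 random nonzero bytes, so 3 + 8 = 11 bytes are overhead. */
#define PKCS1_V15_OVERHEAD 11

/* Largest message that fits a k-byte modulus, or -1 if k is too small. */
long pkcs1_v15_max_msg(size_t k)
{
    return k < PKCS1_V15_OVERHEAD ? -1 : (long)(k - PKCS1_V15_OVERHEAD);
}

/* Fill buf with n nonzero bytes from /dev/urandom (an assumption of this
 * example); returns 0 on success, -1 if the device cannot be read. */
static int random_nonzero(unsigned char *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t i = 0;
    int c;
    if (f == NULL) return -1;
    while (i < n) {
        if ((c = fgetc(f)) == EOF) { fclose(f); return -1; }
        if (c != 0) buf[i++] = (unsigned char)c;  /* PS must not contain 0x00 */
    }
    fclose(f);
    return 0;
}

/* Build the padded block in em[k]. Returns 0 on success, -1 when the message
 * is too large for the key size, -2 when no randomness is available. */
int pkcs1_v15_encode(unsigned char *em, size_t k,
                     const unsigned char *msg, size_t mlen)
{
    size_t pslen;
    if (k < PKCS1_V15_OVERHEAD || mlen > k - PKCS1_V15_OVERHEAD) return -1;
    pslen = k - mlen - 3;
    em[0] = 0x00;
    em[1] = 0x02;
    if (random_nonzero(em + 2, pslen) != 0) return -2;
    em[2 + pslen] = 0x00;                 /* separator between PS and M */
    memcpy(em + 3 + pslen, msg, mlen);
    return 0;
}

/* Receiver side: find M inside a padded block; returns its length or -1.
 * Shown for the layout only: a real decryptor must do this check in
 * constant time and must not reveal why it failed. */
long pkcs1_v15_decode(const unsigned char *em, size_t k,
                      const unsigned char **msg)
{
    size_t i;
    if (k < PKCS1_V15_OVERHEAD || em[0] != 0x00 || em[1] != 0x02) return -1;
    for (i = 2; i < k && em[i] != 0x00; i++)
        ;
    if (i == k || i - 2 < 8) return -1;   /* no separator, or PS too short */
    *msg = em + i + 1;
    return (long)(k - i - 1);
}

int main(void)
{
    unsigned char em[1024 / 8], key[128];
    memset(key, 0xA5, sizeof key);        /* constructed stand-in for the key */
    printf("max message for RSA-1024: %ld bytes\n", pkcs1_v15_max_msg(sizeof em));
    printf("128-byte key: %d\n", pkcs1_v15_encode(em, sizeof em, key, 128));
    printf("117 bytes:    %d\n", pkcs1_v15_encode(em, sizeof em, key, 117));
    return 0;
}
```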
RE: Trouble with bidirectional shutdown
Solveig Viste wrote:
> I have an application which is occasionally hanging. I have tracked it down to an SSL_shutdown call. The value (0) returned from the shutdown call indicates that the shutdown is not finished.

As happens with non-blocking sockets, sometimes the operation does not complete and you have to retry the operation later.

> The shutdown man page indicates that a second call to SSL_shutdown should cause a bidirectional shutdown,

A subsequent retry of the operation will complete if and only if whatever the first shutdown was waiting for has happened.

> and I thought this is indeed what the application calls for. However, when I make the second call to SSL_shutdown, the value returned is still 0 (shutdown not finished) rather than 1 (shutdown complete) or -1 (shutdown not successful).

Did you check the error code? Was it WANT_READ or WANT_WRITE? Did you wait for the appropriate operation to be ready?

> Is this recently added behavior? Does the SSL handle need to have certain properties in order to get a bidirectional shutdown?

You need to handle an organized shutdown the way you handle any other operation on a non-blocking connection that might take time to complete.

DS
Re: Error Encrypting Symmetric key with RSA Public Key
Bill, You are 100% right. I increased my buffer from 1024 to 1115 and it works fine now. I guess I should RTFM more? Thanks.