Re: Problems verifying certificates generated by Microsoft Certificate Authority and timestamping
Hi,

I've been trying to get Time Stamping working where the CA issuing the Time Stamping certificate is issued by a Microsoft Windows Server 2003 Enterprise CA. I've had success in terms of being able to actually sign the digest and I actually have a certificate with the purpose of Time Stamp Signing as YES. I am however having issues when I try to verify a token against the certificate.

    error 34 at 0 depth lookup:unhandled critical extension

This also happens when:

    openssl verify -CAfile ca.cer tsatest.cer
    tsatest.cer: /C=AU/ST=NSW/L=Sydney/O=Test TSA/OU=TSA/CN=Mr Test/emailAddress=tes t...@test.com.au
    error 34 at 0 depth lookup:unhandled critical extension
    OK

Sure I can get this to ignore the critical extension:

    openssl verify -ignore_critical -CAfile ca.cer tsatest.cer
    tsatest.cer: OK

There is no way however to do this using the "ts" commands for verifying RFC3161 tokens/responses. Whilst I could modify the ts.c and set the ignore_critical flag in the X509 STORE, according to RFC3280.

Line from the verify help page for openssl:

"Normally if an unhandled critical extension is present which is not supported by OpenSSL the certificate is rejected (as required by RFC3280 et al). If this option is set critical extensions are ignored."

I'm guessing this has something to do with these stupid application extensions it has put on the certificate when generated from the Microsoft CA:

    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Key Usage:
        Digital Signature, Non Repudiation
    1.3.6.1.4.1.311.21.7:
        0..&+.7.Y../...z.=...z...@..d...
    X509v3 Extended Key Usage: critical
        Time Stamping
    1.3.6.1.4.1.311.21.10: critical
        0.0

Does anyone out there have any experience with generating certificates from Microsoft CA without these unknown extensions? I'm guessing in this case it's the 1.3.6.1.4.1.311.21.10.

    Application Policies extension -- same encoding as szOID_CERT_POLICIES
    szOID_APPLICATION_CERT_POLICIES 1.3.6.1.4.1.311.21.10

^^ from some Microsoft page.

Any ideas??

Thanks,
Brad
Re: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.
On Tue, Jun 02, 2009 at 01:25:32PM +0100, David Woodhouse wrote:

> On Mon, 2009-06-01 at 17:15 -0400, Victor Duchovni wrote:
> > > I found another strange behaviour that I didn't expect -- the _order_ of
> > > the certificates in the cafile seems to be important.
> >
> > Yes, the TLS protocol requires the trust chain to be delivered bottom-up.
>
> That makes sense, but we're talking about the order of the certificates
> in the cafile, not on the wire. OpenSSL really ought to get that right.

The CAfile is for verification, not for sending along the trust chain of a given certificate. DO NOT append your CAfile to your certificate, instead include just the leaf cert, then the issuing CAs bottom-up in the right order.

--
Viktor.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: TLS w/LDAP - SOLVED
On Tue, Jun 02, 2009 at 03:49:13PM +0200, Steffen DETTMER wrote:

> (OT)
>
> * Michael S. Zick wrote on Sun, May 31, 2009 at 08:05 -0500:
> > A more general solution would be:
> >
> > # Am I running as user 0 (root)?
> > uid=$(/usr/bin/id -u) 2>/dev/null
> > if [ $uid == 0 ] ; then
>
> BTW, shouldn't it be just one "=" (to be compliant with POSIX and
> /usr/bin/test)?

Yes, and quotes are required, just in case "id -u" fails, and the "uid" value is empty:

    if [ "$uid" = 0 ]

Michael must have had [[ ]] in mind, but forgot the outer "[]".

    [[ $uid == 0 ]]

note, the "==" is actually a pattern match when the second operand is not quoted.

    $ [[ foo == f* ]] && echo match || echo no match
    match
    $ [[ foo == "f*" ]] && echo match || echo no match
    no match

For numeric equality:

    [[ $uid -eq 0 ]]

but, when comparing with 0, this returns true also when $uid is not a number.

--
Viktor.
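The checks discussed in the message above, side by side, as an added example that is not part of the original thread. The function names are hypothetical, each function takes the uid string as its argument so the failure cases can be fed in directly, and the [[ ]] variant runs in a bash child process and reports status 3 when bash is not installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Quoted POSIX string test, as recommended in the reply. An empty or
# non-numeric value is simply "not 0", so the check fails closed.
is_root_posix() {
    [ "$1" = 0 ]
}

# bash's arithmetic comparison. Inside [[ ]] an empty or non-numeric operand
# of -eq is evaluated as an arithmetic expression and becomes 0, so the check
# fails open: "could not determine the uid" is reported as root.
is_root_bash_arith() {
    command -v bash >/dev/null 2>&1 || return 3   # bash not installed
    bash -c '[[ $1 -eq 0 ]]' _ "$1" 2>/dev/null
}

# Validate first, then compare numerically.
# Status 0: root. Status 1: a valid uid other than 0.
# Status 2: empty or non-numeric input, i.e. the caller has no uid at all.
is_root_strict() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -eq 0 ]
}

# Real use: feed in the output of id(1). If id fails, the empty string is
# refused with status 2 instead of being compared.
running_as_root() {
    is_root_strict "$(id -u 2>/dev/null)"
}

# Constructed sample values: root, an ordinary uid, the empty string left
# behind by a failed `id -u`, and a non-numeric string.
demo() {
    for v in 0 1000 '' notanumber; do
        p=0; is_root_posix "$v" || p=$?
        b=0; is_root_bash_arith "$v" || b=$?
        s=0; is_root_strict "$v" || s=$?
        printf 'uid=%-14s posix=%s bash_arith=%s strict=%s\n' "'$v'" "$p" "$b" "$s"
    done
}

demo
```

A status of 0 means "root"; the rows for the empty and non-numeric values are the ones where the three variants disagree.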
Re:Re: about ec_point and ec_group
On 2009-06-02, "Victor B. Wagner" wrote:

>On 2009.06.01 at 22:05:48 +0800, jazeltq wrote:
>
>>hello,
>> where can i find the definition of ec_point_st and ec_group_st
>>what i found are:
>>typedef struct ec_point_st EC_POINT;
>>typedef struct ec_group_st
>>    /*
>>     EC_METHOD *meth;
>>     -- field definition
>>     -- curve coefficients
>>     -- optional generator with associated information (order, cofactor)
>>     -- optional extra data (precomputed table for fast computation of multiples of generator)
>>     -- ASN1 stuff
>>    */
>>    EC_GROUP;
>>does anyone know ? thank you
>
>These are hidden structures. They are defined in the internal include

why use the hidden structures?

>file ec_lcl.h, which present in the OpenSSL sources, but not included in

which directory include file ec_lcl.h, is it in the ec directory? but in my sources i can't find it.

>the compiled distribution.
>
>Idea is that members of these structures are accessible only from within
>libcrypto library.
>
>Users or the library shouldn't look inside these structures, they only
>should operate via APIs, declared in the ec.h
>
>API could be incomplete. When dealing with other newer parts of OpenSSL
>API (especially EVP_PKEY_CTX API) I've encountered situations where
>necessary API calls are missing. In this case best approach is to
>design new API function which provides necessary functionality and
>submit a patch.

I just want to study the ecc, and want to know it deeply,
Re: Security Vulnerability issue in openssl 9.8 version
On Tue, Jun 02, 2009 at 12:33:46AM -0700, rajanchittil wrote:

> Hi All,
>
> Recently i got a security vulnerability issue alert reported in
> http://www.vupen.com/english/advisories/2009/1377.

Are you using DTLS? If your application is not using DTLS (very few are), you don't need to patch anything. DTLS support in OpenSSL does not appear to be very mature at this time, and I don't expect that very many users are impacted by this issue.

--
Viktor.
Re: Security Vulnerability issue in openssl 9.8 version
I have used the following patch for this vulnerability issue

http://cvs.openssl.org/chngview?cn=18187
http://cvs.openssl.org/chngview?cn=18206
http://cvs.openssl.org/chngview?cn=18154

Is this the correct patch which solves the vulnerability issue in openssl 0.9.8h and openssl 0.9.8k?

Please help

Thanks
Rajan

On Tue, Jun 2, 2009 at 1:03 PM, rajanchittil wrote:

> Hi All,
>
> Recently I got a security vulnerability issue alert reported in
> http://www.vupen.com/english/advisories/2009/1377.
>
> Does this vulnerability issue affect openssl 9.8h and openssl 9.8k? And I
> have also noticed that the patches
> provided http://cvs.openssl.org/chngview?cn=18188, make a build break in
> openssl 9.8h.
>
> Can you please specify whether this vulnerability affects openssl 9.8h and
> openssl9.8k and the security patches to fix this three vulnerability issue
> in openssl 9.8h and openssl 9.8k.
>
> Thanks
>
> Rajan
RE: Spam on this list
Hi,

> > >> I would like to request that this list become moderated as it is now
> > >> inundated by spam. I have a strict quota for email lists at work (which
> > >> also
> > >> includes the spam) and after the quota is up I get no more emails for
> > >> the rest of the month. Last month it stopped on the 20th.
>
> as you have a local policy issue I guess its better adjusted locally - I'd
> advise that you change your subscription to a daily digest. then you get
> just 1 email per day.

I don't see any option to get a daily digest.
Re: TLS w/LDAP - SOLVED
(OT)

* Michael S. Zick wrote on Sun, May 31, 2009 at 08:05 -0500:
> A more general solution would be:
>
> # Am I running as user 0 (root)?
> uid=$(/usr/bin/id -u) 2>/dev/null
> if [ $uid == 0 ] ; then

BTW, shouldn't it be just one "=" (to be compliant with POSIX and /usr/bin/test)?

oki,

Steffen
[RANT] Loading a client certificate makes my head hurt.
Q: My application takes a filename for a client certificate on the command line. What is the OpenSSL function to load and use it?

A: Well, we make this lots of fun for you -- it would be boring if there was just one function which you could pass the filename to. You have to write 230 lines of code instead.

First you have to check for yourself what type of file it is -- is it a PKCS#12 file, is it a PEM file with a key in it, or is it a TPM key 'blob'? No, there's no function which determines that for you -- you have to do it yourself. And depending on the answer, you have to do three entirely different things to load the key.

To make things even more fun, those three file types have _wildly_ different ways to handle their passphrase/PIN:

For a PEM file, you can't tell OpenSSL the passphrase in advance -- if the user gave it on the command line, you have to manually override the user interface function that OpenSSL will call, and make your replacement function return the pre-set passphrase. Or if you _do_ ask the user, you've got no way to easily tell whether the user got the passphrase wrong; if they get it wrong (and type 4 or more characters) then the 'load key' function will fail and you have to compare against a special error code, which may differ from version to version of OpenSSL because it has internal function names. Just for variety, if the user enters a wrong passphrase with _fewer_ than 4 characters, they'll get _no_ feedback and will just be asked again.

For a PKCS#12 file, it's the other way round -- you _have_ to give the passphrase in advance, so you have to ask the user for it yourself. Even if the file isn't actually encrypted -- because you don't know that yet.

For a TPM file it's saner -- you can _either_ set the PIN in advance or otherwise OpenSSL will ask the user for it _if_ necessary. But you do have to jump through various other hoops to use the TPM 'engine', instead of just pointing OpenSSL at the file and having everything handled for you.
Have I got any parts of the above answer wrong? Is there anyone out there who thinks that this is a _sensible_ state of affairs?

This is my load_certificate() function -- could it be simpler? Surely OpenSSL ought to provide a function with basically equivalent functionality, rather than leaving it to the client application? Am I missing something?

(Unless specified on the command line, vpninfo->cert_type will be CERT_TYPE_UNKNOWN. When the autodetection is _working_ there's no real need to specify it on the command line, of course.)

    static int pem_pw_cb(char *buf, int len, int w, void *v);
    static int load_pkcs12_certificate(struct openconnect_info *vpninfo, PKCS12 *p12);
    static int load_tpm_certificate(struct openconnect_info *vpninfo);

    static int load_certificate(struct openconnect_info *vpninfo)
    {
        vpninfo->progress(vpninfo, PRG_TRACE,
                          "Using certificate file %s\n", vpninfo->cert);

        if (vpninfo->cert_type == CERT_TYPE_PKCS12 ||
            vpninfo->cert_type == CERT_TYPE_UNKNOWN) {
            FILE *f;
            PKCS12 *p12;

            f = fopen(vpninfo->cert, "r");
            if (!f) {
                vpninfo->progress(vpninfo, PRG_ERR,
                                  "Failed to open certificate file %s\n",
                                  vpninfo->cert);
                return -ENOENT;
            }
            p12 = d2i_PKCS12_fp(f, NULL);
            fclose(f);
            if (p12)
                return load_pkcs12_certificate(vpninfo, p12);

            /* Not PKCS#12 */
            if (vpninfo->cert_type == CERT_TYPE_PKCS12) {
                vpninfo->progress(vpninfo, PRG_ERR, "Read PKCS#12 failed\n");
                report_ssl_errors(vpninfo);
                return -EINVAL;
            }
            /* Clear error and fall through to see if it's a PEM file... */
            ERR_clear_error();
        }

        /* It's PEM or TPM now, and either way we need to load the plain cert: */
        if (!SSL_CTX_use_certificate_file(vpninfo->https_ctx, vpninfo->cert,
                                          SSL_FILETYPE_PEM)) {
            vpninfo->progress(vpninfo, PRG_ERR, "Load certificate failed\n");
            report_ssl_errors(vpninfo);
            return -EINVAL;
        }

        if (vpninfo->cert_type == CERT_TYPE_UNKNOWN) {
            FILE *f = fopen(vpninfo->sslkey, "r");
            char buf[256];

            if (!f) {
                vpninfo->progress(vpninfo, PRG_ERR,
                                  "Failed to open certificate file %s\n",
                                  vpninfo->cert);
                return -ENOENT;
            }
            buf[2
Re: Spam on this list
Hi,

> >> I would like to request that this list become moderated as it is now
> >> inundated by spam. I have a strict quota for email lists at work (which
> >> also
> >> includes the spam) and after the quota is up I get no more emails for
> >> the rest of the month. Last month it stopped on the 20th.

as you have a local policy issue I guess its better adjusted locally - I'd advise that you change your subscription to a daily digest. then you get just 1 email per day.

alan
Re: TLS compatibility problem -- can connect to server with NSS but not OpenSSL.
On Mon, 2009-06-01 at 17:15 -0400, Victor Duchovni wrote:

> > I found another strange behaviour that I didn't expect -- the _order_ of
> > the certificates in the cafile seems to be important.
>
> Yes, the TLS protocol requires the trust chain to be delivered bottom-up.

That makes sense, but we're talking about the order of the certificates in the cafile, not on the wire. OpenSSL really ought to get that right.

The problem turned out to be that OpenSSL was picking the _wrong_ certificates.

http://rt.openssl.org/Ticket/Display.html?id=1942&user=guest&pass=guest

--
dwmw2
Re: Spam on this list
On 2009.06.02 at 12:15:54 +0100, Rob Stradling wrote:

> openssl-build for reporting build errors with the OpenSSL sources.

May be I should make our autobuilder post results of automated builds and test on 50+ platforms there? Now I typically first investigate test failures myself and then send request to r...@.

> openssl-api for asking questions about how to use the OpenSSL C API.

It is better to write documentation for those parts of API which are not documented yet. Especially such important and widely-used things as X509_STORE.

> openssl-cmd for asking questions about how to use the OpenSSL command-line
> tool.

There is less reason for a separate list, because the cmdline utility is better documented than the API.

> openssl-users for anything else.

Splitting lists typically doesn't help. It helps to split moderated web-forums where moderator is able to move message from one forum to another, more relevant. User asking question never knows right place to ask.
Re: Spam on this list
Rob Stradling wrote:

> Is it time to divide openssl-users into several lists?
>
> Maybe something like...
> openssl-fips for matters pertaining to OpenSSL/FIPS.
> openssl-build for reporting build errors with the OpenSSL sources.
> openssl-api for asking questions about how to use the OpenSSL C API.
> openssl-cmd for asking questions about how to use the OpenSSL command-line
> tool.
> openssl-users for anything else.
>
> On Tuesday 02 June 2009 09:02:51 Mark wrote:
>
>> Hi,
>>
>> I would like to request that this list become moderated as it is now
>> inundated by spam. I have a strict quota for email lists at work (which
>> also
>> includes the spam) and after the quota is up I get no more emails for
>> the rest of the month. Last month it stopped on the 20th.

Hi,

so far we have been able to not have SPAM on the list (which is partly moderated). This is an open list for the discussion of user problems. Users may be more or less experienced so that not all questions may be of interest for anyone, yet they are worth to be considered and answered. Actually I think that the amount and the size of the mails are quite acceptable.

WRT to splitting up this list I am afraid that we would see the same effect as with openssl-dev; a lot of posts are just sent to both lists as it is not always clear for everyone where some certain topics should be discussed.

Best regards,
Lutz
Re: Spam on this list
Is it time to divide openssl-users into several lists?

Maybe something like...
openssl-fips for matters pertaining to OpenSSL/FIPS.
openssl-build for reporting build errors with the OpenSSL sources.
openssl-api for asking questions about how to use the OpenSSL C API.
openssl-cmd for asking questions about how to use the OpenSSL command-line tool.
openssl-users for anything else.

On Tuesday 02 June 2009 09:02:51 Mark wrote:

> Hi,
>
> I would like to request that this list become moderated as it is now
> inundated by spam. I have a strict quota for email lists at work (which
> also
> includes the spam) and after the quota is up I get no more emails for
> the rest of the month. Last month it stopped on the 20th.
>
> Mark.

--
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Spam on this list
Hi,

I would like to request that this list become moderated as it is now inundated by spam. I have a strict quota for email lists at work (which also includes the spam) and after the quota is up I get no more emails for the rest of the month. Last month it stopped on the 20th.

Mark.
Hi all
I am a beginner. I want to use TLS in my project. Could you please tell me how to initialize the openssl stack in order to use TLS, and its APIs.

Thanks in advance
[FWD] Openssl-0.9.8i build fails with Aix5.3 64 bit
Forwarded to openssl-users for discussion

Best regards,
Lutz

- Forwarded message from "Jaiman, Yateendra" -

Subject: Openssl-0.9.8i build fails with Aix5.3 64 bit
Date: Mon, 1 Jun 2009 18:26:51 +0530
From: "Jaiman, Yateendra"
To: r...@openssl.org

Hi,

When I am executing this command I got this error,

    ./openssl req -engine LunaCA3 -new -nodes -key server.key -out server.req -days 120

    can't use that engine
    389234:error:2606B08C:engine routines:ENGINE_finish:dsa not implemented:e_lunaca3.c:670:DSO not set
    389234:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed:eng_table.c:161:
    Enter pass phrase for server.key:
    unable to load Private Key
    389234:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:466:
    389234:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:

Any help will be appreciated...

Thanks
Yateendra Jaiman

From: Jaiman, Yateendra
Sent: Wednesday, May 20, 2009 5:34 PM
To: 'r...@openssl.org'
Subject: Openssl-0.9.8e/i build fails with Aix5.3 64 bit

Hi,

I am building Openssl-0.9.8e/Openssl-0.9.8i on AIX 5.3 64 bit.

Steps that I am following are:

1. ./Configure aix64-gcc -maix64 -lpthreads no-mdc2 no-rc5 no-idea --prefix=/usr/local/ssl/ --openssldir=/usr/local/ssl/
2. make
3. make test
4. make install

Runs fine.

When I am executing the ./Openssl engine -t command from the /usr/local/ssl/bin directory, the output looks like this.

    (dynamic) Dynamic engine loading support [ unavailable ]
    (4758cca) IBM 4758 CCA hardware engine support [ unavailable ]
    (aep) Aep hardware engine support [ unavailable ]
    (atalla) Atalla hardware engine support [ unavailable ]
    (cswift) CryptoSwift hardware engine support [ unavailable ]
    (LunaCA3) Luna CA3 engine support [ unavailable ]
    (chil) CHIL hardware engine support [ unavailable ]
    (nuron) Nuron hardware engine support [ unavailable ]
    (sureware) SureWare hardware engine support [ unavailable ]
    (ubsec) UBSEC hardware engine support [ unavailable ]

I have checked my gcc version. Output of installed RPMs on my system:

    bash-3.2# rpm -qa
    cdrecord-1.9-7
    mkisofs-1.13-4
    conserver-8.1.7-2
    info-4.6-1
    gdbm-1.8.3-1
    libgcc-4.0.0-1
    gdbm-devel-1.8.3-1
    libstdc++-devel-4.0.0-1
    make-3.80-1
    bash-3.2-1
    expat-2.0.1-2
    AIX-rpm-5.3.8.0-2
    perl-IO-Multiplex-1.10-1
    libxml2-2.6.17-3
    osinstall-1.0-1
    tk-8.5.6-1
    perl-Crypt-Blowfish-2.10-1
    libgcc-4.2.4-1
    libstdc++-4.2.4-1
    libstdc++-devel-4.2.4-1
    gcc-4.2.4-1
    gcc-cpp-4.2.4-1
    gcc-c++-4.2.4-1
    gettext-0.10.40-8
    gdb-6.8-1
    tcl-8.5.6-1
    perl-5.8.8-1
    perl-Crypt-CAST5-0.05-1
    perl-Digest-CRC-0.14-1
    perl-Crypt-CBC-2.29-1
    egd-0.8-1
    zlib-1.2.3-5
    zlib-devel-1.2.3-5
    dos2unix-3.1-1
    prngd-0.9.29-1
    zip-2.3-3
    unzip-5.51-1
    vim-common-6.3-1
    vim-enhanced-6.3-1

I want to install Openssl with Apache on AIX 5.3. So please provide me some details regarding this matter.

Thanks & Regards,
Yateendra Jaiman
Software Engineer
HSM-Integrations
SafeNet InfoTech Pvt Ltd.

- End forwarded message -

--
Lutz Jaenicke jaeni...@openssl.org
OpenSSL Project http://www.openssl.org/~jaenicke/
Re: sslv3 alert certificate unknown
Dave,

This explains the problems I have. Indeed, it appears I need to install my home generated certificate in a TrustManager. I indeed get the SSL exception on the java side.

Thanks for the pointer

Frank

On 02/06/2009 03:07, "Dave Thompson" wrote:

>> From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton
>> Sent: Friday, 29 May, 2009 20:29
>
>> "certificate unknown" means that the Java side sent an alert
>> to state that there's a problem with the certificate, but
>> it's not going to tell you what it is. It probably
>> relates to the fact that the CA that you're using on your
>> openssl server isn't in the Java trust store.
>>
> More precisely, in the Java trust store _being used_.
> Java can support multiple trust (or key) stores if you want.
>
>> (The most correct and appropriate alert in this case would be
>> "unknown CA", but many implementations won't send the correct
>> code due to security policies that the developers make on
>> behalf of their API
>> clients.)
>>
>> -Kyle H
>>
>> On Fri, May 29, 2009 at 7:12 AM, Vyncke, Frank
>> wrote:
>
>>> I don't know exactly what this error means, so it is hard to
>>> check what I
>>> am doing wrong. I presume I will have to setup some
>>> parameters on the
>>> JAVA side (the only thing I do different now versus the plain http
>>> setup is to change the URL to https).
>>>
> Meaning you use URL("https",...).openConnection -> HttpsURLConnection ?
> (And don't set[Default]SSLSocketFactory?) That should use the (system)
> default SSLSocketFactory, which under the standard configuration uses
> a SSLContext which has a default (X.509/PKIX) TrustManager which uses
> the store in /lib/security/jssecacerts if present else cacerts
> (and a null X.509 KeyManager, which is usually okay for web clients).
>
> Your client should have gotten javax.net.ssl.SSLHandshakeException
> referencing/caused by sun.security.validator.ValidatorException
> and sun.security.provider.certpath.SunCertPathBuilderException .
> You might check to see if this was reported, or why not.
>
>>> Any body an idea, and/or info on the things I need to setup on the
>>> JAVA side ? I am using JAVA JRE 1.6
>>>
> See JSSERefGuide in the docs package under 'security' for (very!)
> full details. In brief, there are number of possibilities:
>
> - add the CAcert(s) you want to use to the default truststore(s)
> -- assuming you have access on the client machine(s) and this
> doesn't interfere with (endanger?) any other Java app(s) there
>
> - put the CAcert(s) you want to use in your own truststore
> (per-app or per-user or whatever) and configure to use that
>
> - get for your server and use a cert under a 'wellknown' CA
> that is already in the distributed cacerts -- may cost money
>
> - have your client(s) request/allow anonymous ciphersuite(s)
> and your server use no certificate at all -- loses the benefit
> of server authentication
>
> - write your own TrustManager and/or CertPathValidator to do
> whatever you want (get certs or other auth data from other
> sources like LDAP or DNS or whatever, and accept or reject
> the server based on other information than the certs or
> fetched data such as hardcoding, manual choice, ...)
> -- quite a bit more complicated
>
> Note that HttpsURLConnection also verifies that the server
> cert's name matches the desired (requested) URL.host.
> I'm not sure of the exact (default) rules since I use the
> lower-level SSL[Server]Socket which leaves this check to me.
> According to the docs this can be overridden by writing
> and setting your own HostnameVerifier .
Security Vulnerability issue in openssl 9.8 version
Hi All,

Recently I got a security vulnerability issue alert reported in http://www.vupen.com/english/advisories/2009/1377.

Does this vulnerability issue affect openssl 9.8h and openssl 9.8k? And I have also noticed that the patches provided http://cvs.openssl.org/chngview?cn=18188, make a build break in openssl 9.8h.

Can you please specify whether this vulnerability affects openssl 9.8h and openssl9.8k and the security patches to fix this three vulnerability issue in openssl 9.8h and openssl 9.8k.

Thanks

Rajan
SSL Handshake question
Hello,

I apologize if this is an obvious NOOB question - my Google-Fu is not up to snuff on this one:

We're running OpenSSL 0.9.8j 07 Jan 2009 and Server version: Apache/2.0.63 on a Sunfire 280R running Solaris 9.

Clients are having intermittent problems successfully completing the SSL Handshake. Running a trace on the wire revealed that the successful handshakes looked like this:

    Client -> Server: Client Hello
    Server -> Client: Server Hello
    Server -> Client: Certificate
    Client -> Server: Client Key Exchange

And so on, all good.

On the failures the exchange looks like this:

    Client -> Server: Client Hello
    Server -> Client: Server Hello, Certificate, Server Hello Done
    Client -> Server: Fatal, Description: Certificate Unknown

In running repeated tests using a java test client, we have many successful handshakes ( we close the socket after each one ) and then we'll hit a series of several failed ones, say 4-10 in a row, then it's all good again.

I'm trying to understand why the server would answer some requests with a "Server Hello, Certificate, Server Hello Done" all wrapped up in one packet ( the ones that are failing ), where most of the time it splits that out over several packets. The test "Client Hello" requests seem identical.

Any insights would be much appreciated.

Thanks,
Steve
OpenSSL FIPS Mode problem
Hi All,

When loading OpenSSL FIPS DLLs, and using FIPS_mode_set function, the following error is being returned:

    9220:error:2D06906F:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match nonpic relocated:.\fips\fips.c:236:

As I understand it, the DLL could not be loaded to the appropriate address in memory, therefore, the validation process could not be completed.

I tried to use a different base-address for the DLL (as described in the user guide) which solved the problem for now, but because my application can load other DLLs dynamically I cannot guarantee that the new base address will always be free for the FIPS DLL usage.

Does the OpenSSL FIPS version have other ways of solving the above error?

Thanks,
--
Lior Aharoni