RE: unable to load Private Key: mobilefish self-CA instructions

2009-12-14 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Llenlleawg
> Sent: Saturday, 12 December, 2009 15:17

> Here is a brief outline of what I'm trying to do.  I'm trying to create a
> certificate signed by my own CA and private key.
> 
> I followed the steps on the following site to set up my own CA. 
> 
> http://www.mobilefish.com/developer/openssl/openssl_quickguide_create_ca.html
> 
> and then followed the steps on this page to try to create the 
> certificate.
> 
> http://www.mobilefish.com/developer/openssl/openssl_quickguide_ca_certificate.html
> 
> My problem is when I get to step 7 on the second page.  I receive the
> following error when I run the command in step 7.
> 
> C:\OpenSSL\bin>openssl rsa < newreq.pem > newkey.pem
> unable to load Private Key
> 6068:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:650:Expecting: ANY PRIVATE KEY
> 

They appear to have been confused/misled and not tested.

Some older versions of 'CA.pl newreq' (and newreq-nodes), 
in particular 0.9.7d which they identify and I happen to have 
to hand on an old system, incorrectly says at the end:
  Request (and private key) is in newreq.pem

but in fact the request is in newreq.pem and the privkey 
is in newkey.pem. As they should be, because a CSR does not, 
and in general for security MUST not, contain the privkey.

If you just skip their step 7 it looks like it should work.

Aside: their description at the top of the page isn't quite 
correct. Assuming kRSA, as they apparently do, the browser
(client) doesn't choose and send the actual session key, 
rather the premaster secret which is used to derive the 
session keys (there are actually two, encryption and MAC).



__
OpenSSL Project                         http://www.openssl.org
User Support Mailing List               openssl-users@openssl.org
Automated List Manager                  majord...@openssl.org
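As an added illustration of the aside above (example code written for this page, not taken from the mobilefish guide or from OpenSSL): with the RSA key exchange the client builds a 48-byte premaster secret (offered protocol version plus 46 random bytes), RSA-encrypts it to the server's public key (that encryption step is omitted here, only the derivation is shown), and both sides run the TLS 1.0 PRF from RFC 2246 to turn it into the master secret and then a key block, which is cut into the per-direction MAC keys, encryption keys and IVs. The default sizes assumed below are those of AES128-SHA; the randoms in the usage are constructed with os.urandom.

```python
"""TLS 1.0 (RFC 2246) key derivation for the RSA key exchange.
Added example for this page; not code from the mobilefish guide or from OpenSSL."""
import hashlib
import hmac
import os
from typing import Callable, NamedTuple


def p_hash(digest: Callable, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash(secret, seed) from RFC 2246 section 5, expanded to `length` bytes:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) | HMAC(secret, A(2) + seed) | ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 PRF: split the secret in two halves (sharing one byte if the length is
    odd), run P_MD5 over the first and P_SHA1 over the second, XOR the two streams."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_stream = p_hash(hashlib.md5, s1, label + seed, length)
    sha1_stream = p_hash(hashlib.sha1, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def make_premaster(client_version: bytes = b"\x03\x01") -> bytes:
    """What a kRSA client actually contributes (it is RSA-encrypted to the server's
    public key before being sent; that step is not shown): version + 46 random bytes."""
    return client_version + os.urandom(46)


class SessionKeys(NamedTuple):
    client_mac_key: bytes
    server_mac_key: bytes
    client_enc_key: bytes
    server_enc_key: bytes
    client_iv: bytes
    server_iv: bytes


def derive_session_keys(premaster: bytes, client_random: bytes, server_random: bytes,
                        mac_len: int = 20, key_len: int = 16, iv_len: int = 16) -> SessionKeys:
    """Both peers compute this from the premaster and the two hello randoms.
    Defaults are the sizes for AES128-SHA (HMAC-SHA1, 128-bit AES key, 16-byte CBC IV)."""
    master = tls10_prf(premaster, b"master secret", client_random + server_random, 48)
    # Note the reversed order of the randoms in the key-expansion seed (RFC 2246 6.3).
    key_block = tls10_prf(master, b"key expansion", server_random + client_random,
                          2 * (mac_len + key_len + iv_len))
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    parts, pos = [], 0
    for size in sizes:
        parts.append(key_block[pos:pos + size])
        pos += size
    return SessionKeys(*parts)


if __name__ == "__main__":
    # Constructed sample handshake values.
    client_random, server_random = os.urandom(32), os.urandom(32)
    keys = derive_session_keys(make_premaster(), client_random, server_random)
    for name, value in keys._asdict().items():
        print(f"{name:16s} {value.hex()}")
```

The point the aside makes is visible in the code: nothing the client sends is itself a session key; the MAC and encryption keys exist only after both peers have run the PRF over the premaster and both randoms, and the two directions get different keys.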


Installing new version of openssl on system with old version

2009-12-14 Thread Randy Groth
Hi - 

I'm new to the list and openssl.  I have a linux system with openssl-0.9.7a.  I 
want to install the latest,  openssl-0.9.8l,  without breaking any old 
dependencies.  I installed the new version in the default directory of 
/usr/local/ssl which is a different directory from the old version.  If I type 
'openssl version' at the command line, I see the old version.  I assume I have 
to change some links to point to the new version, but I'm not sure which ones.  
Can anyone help?

Randy G.



  

Re: Unable to load CRL

2009-12-14 Thread Dr. Stephen Henson
On Mon, Dec 14, 2009, Radha krishna Meduri -X (radmedur - HCL at Cisco) wrote:

> 
> Hi Patrick
> 
> We are using following code snippet to load CRL's.
> 
> X509_CRL *pCRL, *pTempCRL = 0;
> pCRL = d2i_X509_CRL_fp( pfCrlFile, &pTempCRL );
> 
> if( !pCRL )
> {
> rewind(pfCrlFile);
> pCRL = PEM_read_X509_CRL(pfCrlFile, &pTempCRL, NULL, 0);
> }
> 
> rewind(pfCrlFile);
> 
> if( !pCRL )
> {
> logEvent( MLOG_ERROR, RADIUS_C_SERVER, "Unable to read CRL file" );
> break;
> }
> 
> Ultimately we are getting "Unable to read CRL file" if we are loading
> DER format CRL. Did you see anything wrong there?
> 

Is the fp opened in binary mode? Text mode translation on that fp will corrupt
the CRL loading in DER mode.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: Unable to load CRL

2009-12-14 Thread Patrick Patterson
A couple of things:

1: You don't need pTempCRL - just set that parameter to NULL. 

2: You may want to call  ERR_get_error(3) in your "if (!pCRL)" statement, 
since that will tell you MUCH more interesting information about what has gone 
wrong. (Don't forget to call ERR_load_crypto_strings if you want to decode the 
errors)

Have fun.

Patrick.

On December 14, 2009 01:27:08 am Radha krishna Meduri -X (radmedur - HCL at 
Cisco) wrote:
> Hi Patrick
>
> We are using following code snippet to load CRL's.
>
> X509_CRL *pCRL, *pTempCRL = 0;
> pCRL = d2i_X509_CRL_fp( pfCrlFile, &pTempCRL );
>
> if( !pCRL )
> {
> rewind(pfCrlFile);
> pCRL = PEM_read_X509_CRL(pfCrlFile, &pTempCRL, NULL, 0);
> }
>
> rewind(pfCrlFile);
>
> if( !pCRL )
> {
> logEvent( MLOG_ERROR, RADIUS_C_SERVER, "Unable to read CRL file" );
> break;
> }
>
> Ultimately we are getting "Unable to read CRL file" if we are loading
> DER format CRL. Did you see anything wrong there?
>
> Thanks
> Radhakrishna.
>
> -Original Message-
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Patrick Patterson
> Sent: Friday, December 11, 2009 8:32 PM
> To: openssl-users@openssl.org
> Subject: Re: Unable to load CRL
>
> Hi Radhakrishna:
>
> Sounds like you are using PEM_read_crl(), or some such, to read in your
> CRL. Since the CRL is actually in DER format, you should probably read
> the file in, and then use the Openssl d2i_X509_CRL (look up the man page
> - there's even a form of that function that allows you to read the DER
> encoded CRL function directly from a file) functions instead.
>
> (of course, your application should probably detect which type of file
> it is looking at, and then "do the right thing".)
>
> Since it looks like you're building applications to support the 787, you
> may want to also take a look at the ATA Spec42 guidance on building PKI
> applications in the air transport industry.
>
> Best Regards,
>
> Patrick Patterson
> Chief PKI Architect
> Carillon Information Security Inc.
> http://www.carillon.ca
>
> Radha krishna Meduri -X (radmedur - HCL at Cisco) wrote:
> > Thanks for your support. Yes I have read it already. I am able to read
> > crl file with switch "-inform DER" but my application is failing to
> > read it while loading CRL from gui. I am trying to find out the issue.
> >
> > My application was using API's to read CRL's.
> >
> > Thanks
> > Radhakrishna.
> >
> > -Original Message-
> > From: owner-openssl-us...@openssl.org
> > [mailto:owner-openssl-us...@openssl.org] On Behalf Of Eisenacher,
> > Patrick
> > Sent: Friday, December 11, 2009 5:37 PM
> > To: 'openssl-users@openssl.org'
> > Subject: RE: Unable to load CRL
> >
> > Hi Radhakrishna,
> >
> >> -Original Message-
> >> From: owner-openssl-us...@openssl.org On Behalf Of Radhakrishna
> >> Meduri
> >>
> >> -X (radmedur - HCL at Cisco)
> >>
> >> Hi Patrick Eisenacher
> >>
> >> I converted this crl to PEM format which worked like charm.
> >> Is there any restriction like CRL's should be in PEM format only?
> >
> > nope, as always you can feed it in either PEM- or DER-encoded. PEM is
> > openssl's default format. If your CRL is in DER-encoded (binary)
> > format, you need to add "-inform DER" to openssl's crl command.
> >
> > Did you read the "command options" on the link below?
> >
> > HTH,
> > Patrick Eisenacher
> >
> >> -Original Message-
> >> From: owner-openssl-us...@openssl.org On Behalf Of Eisenacher,
> >> Patrick
> >>
> >> Hi Radhakrishna,
> >>
> >> -Original Message-
> >>
> >>> From: owner-openssl-users On Behalf Of Radha krishna Meduri -X
> >>>
> >>> I am not able to load the crl in text format and I am getting
> >>> following error while issuing following command "openssl crl -in
> >>> abcd.crl -text"
> >>>
> >>> unable to load CRL
> >>> 28950:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:642:Expecting: X509 CRL
> >>>
> >>> Any idea what could be issue?
> >>
> >> that means that abcd.crl has no proper PEM-encoding (base64 plus
> >> header and footer). The error message states that openssl can't find
> >> the header. For more info about the header and footer, see
> >> http://www.openssl.org/docs/apps/crl.html#NOTES
> >
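The two failures discussed on this page (the "no start line ... Expecting: ANY PRIVATE KEY" from running `openssl rsa` on newreq.pem in the mobilefish thread, and the DER CRL that d2i_X509_CRL_fp rejects in this thread, which Steve traces to a FILE* not opened in binary mode) both come down to what the reader actually finds in the file. The following added example (written for this page; it is neither OpenSSL's code nor the posters' application) does that inspection in Python: it lists the PEM block labels the way PEM_read_bio looks for a BEGIN line, checks whether any of them is a private key, decodes the outer DER length of a binary file, and applies a simplified, assumed model of Windows text-mode translation (CRLF to LF, stop at Ctrl-Z) to show how that breaks the DER length. All sample inputs are constructed placeholders, not real keys, CSRs or CRLs.

```python
"""Format checks a CRL/CSR loader can run before handing a file to OpenSSL.
Added example for this page, not code from OpenSSL or from the posters' application."""
import re
from typing import List, Tuple

# PEM_read_bio looks for a line of exactly this shape; "no start line" means none was found.
PEM_BEGIN = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\r?$", re.M)


def pem_labels(data: bytes) -> List[bytes]:
    """Labels of every PEM block present, e.g. [b'CERTIFICATE REQUEST'] for a CSR-only file."""
    return [m.group(1) for m in PEM_BEGIN.finditer(data)]


def has_private_key(data: bytes) -> bool:
    """Mirror what 'openssl rsa' expects ("ANY PRIVATE KEY"): a label ending in PRIVATE KEY."""
    return any(label.endswith(b"PRIVATE KEY") for label in pem_labels(data))


def der_outer_length(data: bytes) -> Tuple[int, int]:
    """Decode the outer SEQUENCE header of a DER object: (header bytes, content bytes)."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """'PEM:<labels>', 'DER', 'DER-truncated' (header promises more than is present) or 'unknown'."""
    labels = pem_labels(data)
    if labels:
        return "PEM:" + ",".join(label.decode() for label in labels)
    try:
        header_len, content_len = der_outer_length(data)
    except ValueError:
        return "unknown"
    return "DER" if header_len + content_len <= len(data) else "DER-truncated"


def simulate_text_mode_read(data: bytes) -> bytes:
    """Simplified model (an assumption, not the complete CRT behaviour) of reading a DER file
    through a FILE* opened without "b" on Windows: CRLF collapses to LF, Ctrl-Z ends the stream."""
    out = data.replace(b"\r\n", b"\n")
    ctrl_z = out.find(b"\x1a")
    return out if ctrl_z < 0 else out[:ctrl_z]


def der_sequence(content: bytes) -> bytes:
    """Wrap content in a definite-length DER SEQUENCE (used to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return b"\x30" + bytes([n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length_bytes)]) + length_bytes + content


# Constructed samples (the base64 bodies are placeholders, not real objects).
CSR_PEM = (b"-----BEGIN CERTIFICATE REQUEST-----\n"
           b"MIIBplaceholder\n"
           b"-----END CERTIFICATE REQUEST-----\n")
KEY_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\r\n"
           b"MIIEplaceholder\r\n"
           b"-----END RSA PRIVATE KEY-----\r\n")
# SEQUENCE { INTEGER 1, OCTET STRING "A\r\nB\x1a" }: the string deliberately contains the
# two byte patterns a text-mode stream mangles.
SAMPLE_DER = der_sequence(b"\x02\x01\x01" + b"\x04\x05" + b"A\r\nB\x1a")

if __name__ == "__main__":
    samples = [("newreq.pem", CSR_PEM), ("newkey.pem", KEY_PEM), ("crl.der", SAMPLE_DER),
               ("crl.der via text mode", simulate_text_mode_read(SAMPLE_DER))]
    for name, blob in samples:
        print(f"{name:24s} {classify(blob):28s} private key: {has_private_key(blob)}")
```

Run against the mobilefish output, a file holding only a CERTIFICATE REQUEST block has no private key label, which is exactly the situation `openssl rsa` reports as "no start line". For the DER case, note that the sample's length byte is itself 0x0A: a text-mode write would also rewrite that to CRLF, so both directions of a non-binary FILE* corrupt the object, and "rb"/"wb" is the fix regardless of which one the application uses.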

Re: Question to SSL_SESSION

2009-12-14 Thread Dirk Menstermann
Can anybody help me?

Thanks

> -----Original Message-----
> From: "Dirk Menstermann" 
> Sent: 09.12.09 18:22:46
> To: openssl-users@openssl.org
> Subject: Question to SSL_SESSION


> Hello,
> 
> I have a problem with saving SSL_SESSION objects. As there seems to be no 
> SSL_SESSION_dup function I have created one:
> 
> SSL_SESSION* SSL_SESSION_dup (SSL_SESSION *sslSession)
> {
>   SSL_SESSION *newSession = (SSL_SESSION *) ASN1_dup (
>       (int (*)(void *in, unsigned char **pp)) i2d_SSL_SESSION,
>       (void *(*)(void **a, const unsigned char **pp, long length)) d2i_SSL_SESSION,
>       (char *) sslSession);
>   return (newSession);
> }
> 
> When I compare the sslSession with the newSession object, the member 
> sess_cert of the new object that should store the certificate chain is NULL. 
> In case of a later session hit and when the server certificate will not be 
> sent again I have no information about the certificate chain, which I would 
> like to have.
> 
> Any ideas?
> 
> Thanks
> 