Need help on creating certs
Hi Team,

I am getting the following error while creating certs using openssl command. Please help me to create a cert using openssl.

C:\OpenSSL\bin>openssl -inkey mykeyfile.pem -in -mycertfile.pem -out myCert.p1 -export
openssl:Error: '-inkey' is an invalid command.

Standard commands
asn1parse ca ciphers crl crl2pkcs7 dgst dh dhparam dsa dsaparam ec ecparam enc engine errstr gendh gendsa genrsa nseq ocsp passwd pkcs12 pkcs7 pkcs8 prime rand req rsa rsautl s_client s_server s_time sess_id smime speed spkac verify version x509

Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 rmd160 sha sha1

Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40

Thanks
Prasad
problems building on mingw
I'm running Windows 7, with MSys 1.0.11 and MinGW 5.1.6. I'm attempting to build OpenSSL 0.9.8m, but it's failing.

I started by untarring openssl-0.9.8m.tar.gz:

tar -xzf openssl-0.9.8m.tar.gz

This causes a ton of warnings about inability to create symlinks. Trying anyway, I enter the new directory, and call:

./config
make

This dies with an error that doesn't appear to be related to the missing symlinks:

make[1]: Entering directory `/d/Projects/unused/openssl-0.9.8m/crypto'
make[1]: *** No rule to make target `../include/openssl/bio.h', needed by `crypt lib.o'. Stop.
make[1]: Leaving directory `/d/Projects/unused/openssl-0.9.8m/crypto'
make: *** [build_crypto] Error 1

Is there a general procedure for compiling with MSys/Mingw?
Re: Need help on creating certs
I think it should be just -key.

Thanks Regards
Chaitra Shankar

__ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
SSL Wrong version number OpenSSL 0.9.8g
Hi,

I'm trying to connect to an epp server via sslv3 in php. OpenSSL version is OpenSSL 0.9.8g. I have got correct certificates. I'm able to establish new connection, but server only sends to me hello and after it does not answer any posts. Instead it returns to me these warnings:

SSL operation failed with code 1. OpenSSL Error messages: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
SSL operation failed with code 1. OpenSSL Error messages: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
SSL operation failed with code 1. OpenSSL Error messages: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version

I think my client uses bad handshake version. How can I force it to use only sslv3 handshake?

Thanks for any advice,
Podbor
Problem with verifying of PKCS7-structure signed with ECDSA-certificate
Hello!

I try to check signature on PKCS7-structure (see attached file pkcs7.bin). The following sequence of commands is performed:

openssl pkcs7 -in pkcs7.bin -inform DER -outform PEM -out pkcs7.PEM
openssl smime -verify -in pkcs7.PEM -inform pem -noverify 1pkcs7.data
Verification failure
3980:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:.\crypto\pkcs7\pk7_smime.c:378:

OpenSSL says that it cannot find signer certificate. But output of command

openssl asn1parse -inform DER -in pkcs7.bin

shows that certificate is present. What's wrong?

Sincerely,
Alexei Soloview.
Re: OpenSSL 0.9.8m renegotiation alerts?
On Fri, Feb 26, 2010, Victor Duchovni wrote:

> On Fri, Feb 26, 2010 at 02:45:19AM +0100, Dr. Stephen Henson wrote:
>
> > On Thu, Feb 25, 2010, Victor Duchovni wrote:
> >
> > > If I field a patched server, and sufficiently many unpatched pre-0.9.8m OpenSSL clients attempt re-negotiation under normal conditions, I have a resource starvation problem and unhappy users who are more annoyed at stuck connections than failed ones.
> >
> > It would under normal circumstances (for some value of normal) require a specific request to renegotiate from the client code or setting of renegotiation values in an SSL BIO. I don't know how many clients do that: I suspect (and hope!) not many.
>
> In the not entirely rare case when servers dynamically request client certs based on the requested URL (server triggers renegotiation and asks for the initially not requested client certs), I assume there is no hanging connection, as the renegotiation is server-initiated...

By default if a patched server attempts to renegotiate with an unpatched client the connection fails with a fatal alert. The reasoning being the server doesn't realise that this makes it vulnerable to the MiTM attack. If legacy renegotiation is permissible then it succeeds.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Problem with verifying of PKCS7-structure signed with ECDSA-certificate
On Fri, Feb 26, 2010, Alexei Soloview wrote:

> Hello!
>
> I try to check signature on PKCS7-structure (see attached file pkcs7.bin). The following sequence of commands is performed:
>
> openssl pkcs7 -in pkcs7.bin -inform DER -outform PEM -out pkcs7.PEM
> openssl smime -verify -in pkcs7.PEM -inform pem -noverify 1pkcs7.data
> Verification failure
> 3980:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:.\crypto\pkcs7\pk7_smime.c:378:
>
> OpenSSL says that it cannot find signer certificate. But output of command
>
> openssl asn1parse -inform DER -in pkcs7.bin
>
> shows that certificate is present. What's wrong?

The PKCS#7 structure is broken. In OpenSSL 1.0 you can see this clearly with the command:

openssl cms -cmsout -in pkcs7.bin -inform DER -noout -print

The signerInfo structure points to the signer's certificate:

signerInfos:
  version: 1
  d.issuerAndSerialNumber:
    issuer: CN=CSCA, O=assa abloy itg, C=de
    serialNumber: 1

While the certificate itself has:

issuer: C=de, O=assa abloy itg, CN=CSCA

The ordering is reversed: order is significant in DNs so the two do not match.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
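The mismatch described in the reply above, as an added example that is not part of the original post or of OpenSSL: the two issuer names quoted in the thread are DER-encoded as RDN sequences and compared in order. The PrintableString value type, the simple comma-separated parser and the function names are assumptions made for this illustration.

```python
# Attribute type OIDs (DER content bytes) for the three attributes in the thread.
OIDS = {
    "CN": bytes.fromhex("550403"),  # 2.5.4.3  commonName
    "O": bytes.fromhex("55040a"),   # 2.5.4.10 organizationName
    "C": bytes.fromhex("550406"),   # 2.5.4.6  countryName
}


def tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value triple (short and long length forms)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    size = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


def parse_dn(text: str) -> list:
    """Split 'CN=a, O=b' into ordered (type, value) pairs.

    Assumption: no escaped commas and one attribute per RDN, which holds
    for the names shown in the thread."""
    rdns = []
    for part in text.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or key.strip().upper() not in OIDS:
            raise ValueError(f"unsupported RDN: {part!r}")
        rdns.append((key.strip().upper(), value.strip()))
    return rdns


def encode_name(rdns: list) -> bytes:
    """DER-encode Name ::= SEQUENCE OF SET OF SEQUENCE { type, value }."""
    body = b""
    for key, value in rdns:
        # Value encoded as PrintableString (tag 0x13): an assumption here.
        atv = tlv(0x30, tlv(0x06, OIDS[key]) + tlv(0x13, value.encode("ascii")))
        body += tlv(0x31, atv)
    return tlv(0x30, body)


def compare_issuers(signer_issuer: str, cert_issuer: str) -> str:
    """Classify why a signerInfo issuer does or does not match a certificate."""
    a, b = parse_dn(signer_issuer), parse_dn(cert_issuer)
    if encode_name(a) == encode_name(b):
        return "match"
    if a == b[::-1]:
        return "same RDNs, reversed order"
    if sorted(a) == sorted(b):
        return "same RDNs, different order"
    return "different names"


if __name__ == "__main__":
    # The two issuer strings as they appear in the thread.
    signer = "CN=CSCA, O=assa abloy itg, C=de"
    cert = "C=de, O=assa abloy itg, CN=CSCA"
    print(encode_name(parse_dn(signer)).hex())
    print(encode_name(parse_dn(cert)).hex())
    print(compare_issuers(signer, cert))
```

Both encodings have the same length and the same attribute values, yet differ byte for byte, which is why a lookup by issuer and serial number finds no signer certificate.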
CFB change (was Re: OpenSSL version 0.9.8m release)
With 0.9.8m I'm getting some failures to read PEM files (and do some other things, I think) that 0.9.8l is happy with. The PEM files are created by BouncyCastle, I think (though I imagine 0.9.8l could be persuaded to write similarly failing files). They begin something like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CFB,9ab9883444955f24fc4d9ac26efa955d

They seem to be caused by this change, so what's the story behind it? i.e., how worried should I be that software's currently writing files that are rejected by the new code in OpenSSL?

Author: steve steve
Date: Mon Feb 15 19:40:45 2010 +

The block length for CFB mode was incorrectly coded as 1 all the time. It should be the number of feedback bits expressed in bytes. For CFB1 mode set this to 1 by rounding up to the nearest multiple of 8.

diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h index ef6c432..72105b0 100644 --- a/crypto/evp/evp_locl.h +++ b/crypto/evp/evp_locl.h @@ -127,9 +127,9 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \ #define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \ iv_len, cbits, flags, init_key, cleanup, \ set_asn1, get_asn1, ctrl) \ -BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \ - key_len, iv_len, flags, init_key, cleanup, set_asn1, \ - get_asn1, ctrl) +BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, \ + (cbits + 7)/8, key_len, iv_len, \ + flags, init_key, cleanup, set_asn1, get_asn1, ctrl) #define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, \ iv_len, cbits, flags, init_key, cleanup, \
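Review bot: the block-size argument passed to BLOCK_CIPHER_def1 inside BLOCK_CIPHER_def_cfb goes from the literal 1 to (cbits + 7)/8, which evaluates to 16 for cfb128, and nothing in the hunk keeps existing unpadded CFB data readable; the message above reports exactly that, with AES-128-CFB encrypted PEM files that 0.9.8l reads being rejected by 0.9.8m. CFB can process a short final segment without padding, so I would keep the reported block size at 1, or at minimum add a regression test that decrypts existing CFB data whose length is not a multiple of 16 before merging. If the expression stays, write it as ((cbits) + 7) / 8 and add a comment noting that cfb1 and cfb8 both evaluate to 1.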
Re: CFB change (was Re: OpenSSL version 0.9.8m release)
On Fri, Feb 26, 2010, Bruce Stephens wrote:

> With 0.9.8m I'm getting some failures to read PEM files (and do some other things, I think) that 0.9.8l is happy with. The PEM files are created by BouncyCastle, I think (though I imagine 0.9.8l could be persuaded to write similarly failing files). They begin something like:
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: AES-128-CFB,9ab9883444955f24fc4d9ac26efa955d
>
> They seem to be caused by this change, so what's the story behind it? i.e., how worried should I be that software's currently writing files that are rejected by the new code in OpenSSL?
>
> Author: steve steve
> Date: Mon Feb 15 19:40:45 2010 +
>
> The block length for CFB mode was incorrectly coded as 1 all the time. It should be the number of feedback bits expressed in bytes. For CFB1 mode set this to 1 by rounding up to the nearest multiple of 8.

diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h index ef6c432..72105b0 100644 --- a/crypto/evp/evp_locl.h +++ b/crypto/evp/evp_locl.h
@@ -127,9 +127,9 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \ #define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \ iv_len, cbits, flags, init_key, cleanup, \ set_asn1, get_asn1, ctrl) \ -BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \ - key_len, iv_len, flags, init_key, cleanup, set_asn1, \ - get_asn1, ctrl) +BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, \ + (cbits + 7)/8, key_len, iv_len, \ + flags, init_key, cleanup, set_asn1, get_asn1, ctrl) #define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, \ iv_len, cbits, flags, init_key, cleanup, \

Didn't realise anyone was using CFB for that. Is that some default or does it have to be specifically requested?

I had been reading SP800-38a which says in 5.2:

    For the CFB mode, the total number of bits in the plaintext must be a multiple of a parameter, denoted s, that does not exceed the block size

The parameter s is the number of feedback bits which would be 128 for CFB-128. The result of that change is to pad any incomplete final block using standard block padding rules.

Though checking information in other places and looking at the algorithm this is clearly *not* a requirement because the last complete block can be used to produce a final incomplete block.

I'll revert that change.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: CFB change
Dr. Stephen Henson st...@openssl.org writes:

[...]

> Didn't realise anyone was using CFB for that. Is that some default or does it have to be specifically requested?

It was explicitly requested, though I'm not sure for any positive reason in this case (more because we'd used that cipher and mode elsewhere, I think). I don't have any reason to think it's a default anywhere (well, I know some Isode software uses it, but apart from us...).

> I had been reading SP800-38a which says in 5.2:
>
>     For the CFB mode, the total number of bits in the plaintext must be a multiple of a parameter, denoted s, that does not exceed the block size
>
> The parameter s is the number of feedback bits which would be 128 for CFB-128. The result of that change is to pad any incomplete final block using standard block padding rules.
>
> Though checking information in other places and looking at the algorithm this is clearly *not* a requirement because the last complete block can be used to produce a final incomplete block.
>
> I'll revert that change.

OK, thanks. That sounds reasonable behaviour, and might avoid problems with BouncyCastle (presuming they don't make a similar change, of course).

[...]
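The length behaviour discussed in this thread, as an added example that is not from the original posts or from OpenSSL: CFB-128 is run over a stand-in block function to show that a short final segment needs no padding, and that a reader which insists on block padding rejects data written without it. The truncated HMAC-SHA256 block function (used so the code needs only the standard library; CFB calls only the forward cipher), the key, IV, plaintext and function names are all assumptions.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per block, as for AES; CFB-128 feeds back one whole block


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the forward cipher E_K (assumption: truncated HMAC-SHA256,
    not AES). CFB never calls the inverse cipher, so a keyed 16-byte function
    is enough to show the mode's length behaviour."""
    if len(block) != BLOCK:
        raise ValueError("feedback register must be one full block")
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb128(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """CFB-128 over data; a short final segment uses a truncated keystream."""
    out = bytearray()
    feedback = iv
    for i in range(0, len(data), BLOCK):
        segment = data[i:i + BLOCK]
        keystream = block_encrypt(key, feedback)
        result = bytes(a ^ b for a, b in zip(segment, keystream))
        out += result
        # The ciphertext segment is what gets fed back, in both directions.
        feedback = segment if decrypt else result
    return bytes(out)


def pad(data: bytes) -> bytes:
    """Standard block padding: n bytes of value n, always at least one."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def write_unpadded(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Writer that treats CFB as a stream (block size reported as 1)."""
    return cfb128(key, iv, plaintext, decrypt=False)


def write_padded(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Writer that pads first (block size reported as 16)."""
    return cfb128(key, iv, pad(plaintext), decrypt=False)


def read_unpadded(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return cfb128(key, iv, ciphertext, decrypt=True)


def read_padded(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Reader that insists on block padding; rejects stream-style data."""
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks")
    return unpad(cfb128(key, iv, ciphertext, decrypt=True))


# Constructed sample values, not taken from the thread.
KEY = bytes(range(16))
IV = bytes(range(16, 32))
SECRET = b"twenty-one byte input"  # 21 bytes: one full block plus 5 bytes


def interop_report() -> dict:
    """Write the same secret both ways and try each reader on the result."""
    stream_ct = write_unpadded(KEY, IV, SECRET)
    padded_ct = write_padded(KEY, IV, SECRET)
    try:
        read_padded(KEY, IV, stream_ct)
        accepted = True
    except ValueError:
        accepted = False
    return {
        "stream_len": len(stream_ct),
        "padded_len": len(padded_ct),
        "shared_prefix": padded_ct[:len(stream_ct)] == stream_ct,
        "stream_roundtrip": read_unpadded(KEY, IV, stream_ct) == SECRET,
        "padded_roundtrip": read_padded(KEY, IV, padded_ct) == SECRET,
        "padding_reader_accepts_stream_file": accepted,
    }


if __name__ == "__main__":
    for name, value in interop_report().items():
        print(f"{name}: {value}")
```

The unpadded ciphertext is a strict prefix of the padded one, so the two conventions differ only in the trailing bytes and in whether the reader demands them.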
Error copiling ssl: undefined reference
Hello:

I'm trying to use the SSL libraries. When I try to compile my code I always obtain the same error:

cli.c:(.text+0x20): undefined reference to `SSL_library_init'
cli.c:(.text+0x25): undefined reference to `SSLv2_client_method'
cli.c:(.text+0x30): undefined reference to `SSL_load_error_strings'
cli.c:(.text+0x3e): undefined reference to `SSL_CTX_new'
cli.c:(.text+0x6f): undefined reference to `ERR_print_errors_fp'
cli.c:(.text+0x150): undefined reference to `SSL_new'
cli.c:(.text+0x183): undefined reference to `SSL_set_fd'
cli.c:(.text+0x191): undefined reference to `SSL_connect'
cli.c:(.text+0x1ad): undefined reference to `ERR_print_errors_fp'
cli.c:(.text+0x1c7): undefined reference to `SSL_get_current_cipher'
cli.c:(.text+0x1cf): undefined reference to `SSL_CIPHER_get_name'
cli.c:(.text+0x1ed): undefined reference to `SSL_get_peer_certificate'
cli.c:(.text+0x222): undefined reference to `X509_get_subject_name'
cli.c:(.text+0x23a): undefined reference to `X509_NAME_oneline'
cli.c:(.text+0x279): undefined reference to `CRYPTO_free'
cli.c:(.text+0x287): undefined reference to `X509_get_issuer_name'
cli.c:(.text+0x29f): undefined reference to `X509_NAME_oneline'
cli.c:(.text+0x2de): undefined reference to `CRYPTO_free'
cli.c:(.text+0x2ec): undefined reference to `X509_free'
cli.c:(.text+0x30a): undefined reference to `SSL_write'
cli.c:(.text+0x326): undefined reference to `ERR_print_errors_fp'
cli.c:(.text+0x352): undefined reference to `SSL_read'
cli.c:(.text+0x36e): undefined reference to `ERR_print_errors_fp'
cli.c:(.text+0x3b6): undefined reference to `SSL_shutdown'
cli.c:(.text+0x3d2): undefined reference to `SSL_free'
cli.c:(.text+0x3e0): undefined reference to `SSL_CTX_free'

I'm trying with different codes from the web and with the examples in demos/ssl

In the includes I put the includes:

#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

And all the files are in /usr/includes/openssl

Any idea? thanks
Re: Another memory growing on AIX
I was working with 128 SSL connections at the time. On Solaris, the memory size when it stopped growing was bigger than AIX. However, on Solaris, the memory stopped growing after about 2 or 3 iterations of stopping and starting the SSL connections (maybe within half an hour).

-David

--
From: Mike Brennan psu...@pittstate.edu
Sent: Thursday, February 25, 2010 11:53 AM
To: openssl-users@openssl.org
Subject: Another memory growing on AIX

> Greetings:
>
> I ran across David's thread memory growing when using SSL connections in last month's archive: http://marc.info/?l=openssl-users&m=126288242608221&w=2
>
> My own experience is quite similar. My application essentially makes connections to a database server over https. Only one connection is active in the process at any moment, but it potentially retrieves thousands of database records, one record per connection. The application gets its own memory usage at various points by calling getrusage() and that's where all my observations about memory size and allocation come from.
>
> The process's memory footprint increases linearly with connections, and this linear growth is quite constant. As David reports, memory seems to be allocated in multiples of 4K, but the linear memory growth is around 136 bytes per connection. I've confirmed this up to 24,000 connections.
>
> Based on rusage(), every increase in process memory size occurs after calling SSL_connect(), but before SSL_connect() returns. Only a single SSL_CTX is created and is used for all connections. I've freed objects as best as I know how, eg. X509_free(), SSL_free(). Session caching is turned off:
>
> SSL_CTX_set_session_cache_mode(our_ctx, SSL_SESS_CACHE_OFF);
>
> This is on AIX 5.3. Upgrading from openssl-0.9.8h to openssl-0.9.8l didn't change anything. David's suggestion that this may be an AIX-specific problem is interesting, but I've got other non-ssl apps that run continually for months, constantly allocating and freeing memory, and they don't get very large.
>
> David concluded the thread by reporting (http://marc.info/?l=openssl-users&m=126411839411028&w=2) that the process stopped growing after 5 days. I'd be more interested in knowing how many connections than how many days. David apparently gave up on resolving this, and I probably will too. But it sure would be nice to find a fix.
>
> -Mike
Re: Error copiling ssl: undefined reference
Do you link against correct libraries? Try linking with ssleay and libeay.

-Anand
Re: Need help on creating certs
You are not using any valid command. Error clearly explains that command '-incommand' is not valid command, and gives you output of valid commands.

Look at, http://openssl.org/docs/apps/ca.html#

openssl x509
openssl ca
openssl req

Simple example to get you started.

openssl genrsa -out private_key.pem 1024
openssl req -new -x509 -key private_key.pem -out certificate.pem

-Anand
RE: Error copiling ssl: undefined reference
I don't understand you. I put the libraries in the includes

#include <openssl/ssl.h>
#include

but I didn't put anything more. How could I link with these libraries? I didn't find any example.

Thanks
Re: Error copiling ssl: undefined reference
Those are the headers you included. But you need to link against libs after compilation. What platform (win/linux) and what tool (studio/shell)?

-Anand
Re: Error copiling ssl: undefined reference
xabi esteban wrote:

> I don't understand you. I put the libraries in the includes
>
> #include <openssl/ssl.h>
> #include
>
> but I didn't put anything more. How could I link with these libraries? I didn't find any example.

You're confusing include files with libraries. You need to tell the linker the appropriate paths to find .so or .a library files.
RE: Error copiling ssl: undefined reference
I am using a shell in Ubuntu Linux

thanks
Re: Error compiling ssl: undefined reference
xabi esteban wrote:

I am using a shell in Ubuntu Linux

try adding -lssl to your link options.
RE: Need help on creating certs
From: owner-openssl-us...@openssl.org On Behalf Of prasad kasthuri
Sent: Thursday, 25 February, 2010 14:44
To: openssl-users@openssl.org
Subject: Need help on creating certs

I am getting the following error while creating certs using openssl command. Please help me to create a cert using openssl.

C:\OpenSSL\bin>openssl -inkey mykeyfile.pem -in -mycertfile.pem -out myCert.p1 -export
openssl:Error: '-inkey' is an invalid command.

The first 'word' to the openssl commandline utility must be a command, and as the error says -inkey is not a command.

If you have an input file named mycertfile.pem, you probably have a cert in it, and are NOT creating one. That combination of input and output files with -export would make sense for creating a *PKCS12* (transport blob) *FROM* a cert and corresponding keypair. If so, the command you want is pkcs12. However, naming a pkcs12 as ending in .p1 is legal as far as OpenSSL is concerned, but very misleading and quite likely to cause problems down the road.

If you actually want to *create* a cert you have several options with OpenSSL. The simplest is to create a self-signed cert with req -new (or -newkey+) -x509 + (that is, the req command with the -new or -newkey option, and the -x509 option, and other options as appropriate). Alternatively you can create a CSR (Certificate Signing Request) with req or with other software, and generate a cert from it (more than just signing, despite the name) with x509 -req + or also record/manage it with ca +. Each of these has a number of options (slightly different!) as to various important fields that go into the (CSR and) cert. You need to give more detail about what you are doing.
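The three routes named in the reply above (a self-signed cert with req -x509, a CSR turned into a cert with x509 -req, and a PKCS#12 export with the pkcs12 command), as an added example that is not part of the original thread. mykeyfile.pem and mycertfile.pem follow the thread; the .p12 name, the subjects, the 30-day lifetime, the function names and the P12_PASS variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example. File names follow the thread; subjects, lifetimes and the
# P12_PASS variable are constructed sample values.
umask 077   # private keys written below are readable by the owner only

# Self-signed certificate in one step: req with -newkey and -x509.
make_selfsigned() {            # $1 = working directory
  openssl req -newkey rsa:2048 -nodes -keyout "$1/ca.key" -x509 -days 30 \
    -subj "/CN=Example Test CA" -out "$1/ca.crt" 2>/dev/null
}

# CSR with req, then a certificate generated from the CSR with x509 -req.
make_from_csr() {              # $1 = working directory
  openssl req -newkey rsa:2048 -nodes -keyout "$1/mykeyfile.pem" \
    -subj "/CN=server.example.test" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/mycertfile.pem" 2>/dev/null
}

# PKCS#12 export: the command name pkcs12 comes first, then the options.
# The password is read from the environment, not from the argument list.
make_pkcs12() {                # $1 = working directory, needs P12_PASS set
  openssl pkcs12 -export -inkey "$1/mykeyfile.pem" -in "$1/mycertfile.pem" \
    -name server -passout env:P12_PASS -out "$1/myCert.p12"
}

# A certificate and key belong together when their public keys are identical.
key_matches_cert() {           # $1 = certificate, $2 = private key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout)" ]
}

# Subject of the certificate stored inside the PKCS#12 file.
p12_subject() {                # $1 = PKCS#12 file, needs P12_PASS set
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
    openssl x509 -noout -subject
}

dir=$(mktemp -d) && export P12_PASS=constructed-sample-password &&
  make_selfsigned "$dir" && make_from_csr "$dir" && make_pkcs12 "$dir" &&
  key_matches_cert "$dir/mycertfile.pem" "$dir/mykeyfile.pem" &&
  p12_subject "$dir/myCert.p12"
rm -rf "$dir"
```

Checking that the key matches the cert before the export catches the common mistake of bundling a certificate with the wrong private key.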
RE: Crash in BIO_set_fp()
From: owner-openssl-us...@openssl.org On Behalf Of Michael Boman
Sent: Thursday, 25 February, 2010 15:26

if (options->xmlOutput != 0)
{
    fileBIO = BIO_new(BIO_s_file());
    BIO_set_fp(fileBIO, options->xmlOutput, BIO_NOCLOSE); // - Crashing here
}

Help suggestions are most welcome.

Your screenshots look like Windows; if so, what compiler/runtime and OpenSSL build are you using and could you have the wrong-MSVC-runtime issue? http://www.openssl.org/support/faq.html#PROG2
Verify with RSA Public Key Fails
Hi, everyone.

In Openssl 0.9.8i, I'm trying to take an RSA public exponent and public modulus, assemble them into an RSA key, and use that to verify a signature for a message. However, EVP_VerifyFinal() always fails, apparently because of the wrong use of padding.

My code:

RSA * RsaKeyPtr = RSA_new();
EVP_PKEY * EvpKeyPtr = EVP_PKEY_new();
RsaKeyPtr->n = BN_bin2bn(ModulusPtr, ModulusLength, NULL); // Public modulus n
RsaKeyPtr->e = BN_bin2bn(Exponent, sizeof(Exponent), NULL); // Public key exponent e
EvpKeyPtr->type = EVP_PKEY_RSA;
if(EVP_PKEY_assign_RSA(EvpKeyPtr, RsaKeyPtr)) {
    EVP_MD_CTX_init(MDContext);
    if(EVP_VerifyInit_ex(MDContext, EvpMdPtr, NULL)) {
        if(EVP_VerifyUpdate(MDContext, MessagePtr, MessageLength)) {
            if(EVP_VerifyFinal(MDContext, SignaturePtr, SignatureLength, EvpKeyPtr)) {
                ...

The call stack looks like:

RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
...
RSA_eay_public_decrypt()
RSA_padding_check_PKCS1_type_1()

and that last function fails.

Am I assembling the RSA key incorrectly? The modulus and exponent are each 1024 bits long and the message and signature are each 128 bytes long.

Thanks very much,
Paul

Paul A. Suhler | Firmware Engineer | Quantum Corporation | Office: 949.856.7748 | paul.suh...@quantum.com
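An added example, not the poster's code and not from the thread: the same task done with the openssl command line instead of the C API, which gives a known-good reference to compare a failing program against. It rebuilds a public key from a raw modulus and exponent, verifies a signature with it, and prints the block that the PKCS#1 type 1 padding check inspects, which for a valid signature starts 00 01 FF and ends with the digest. The key, message, file names and function names are constructed for the example.

```shell
#!/bin/sh
# Added example. The key, message and file names are constructed test data.

# Build a PEM public key from a hex modulus and a hex public exponent.
pubkey_from_n_e() {            # $1 = modulus hex, $2 = exponent hex, $3 = output PEM
  cnf=$(mktemp) && der=$(mktemp) || return 1
  cat > "$cnf" <<EOF
asn1=SEQUENCE:pubkeyinfo
[pubkeyinfo]
algorithm=SEQUENCE:rsa_alg
pubkey=BITWRAP,SEQUENCE:rsapubkey
[rsa_alg]
algorithm=OID:rsaEncryption
parameter=NULL
[rsapubkey]
n=INTEGER:0x$1
e=INTEGER:0x$2
EOF
  openssl asn1parse -genconf "$cnf" -noout -out "$der" &&
    openssl pkey -pubin -inform DER -in "$der" -out "$3"
  rc=$?; rm -f "$cnf" "$der"; return $rc
}

# Raw public-key operation on a signature (no padding removed), as hex.
# A PKCS#1 v1.5 signature made with the matching key yields 0001ff...ff00,
# then the DigestInfo; anything else means the key or signature bytes differ.
recover_block_hex() {          # $1 = public key PEM, $2 = signature file
  openssl pkeyutl -verifyrecover -pubin -inkey "$1" -in "$2" \
    -pkeyopt rsa_padding_mode:none | od -An -v -tx1 | tr -d ' \n'
}

# Full verification: padding check plus digest comparison.
verify_sha256() {              # $1 = public key PEM, $2 = signature, $3 = message
  openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1
}

# Demo on a freshly generated key; genrsa's default exponent is 65537 (0x010001).
d=$(mktemp -d) && printf 'constructed test message' > "$d/msg" &&
  openssl genrsa -out "$d/key.pem" 2048 2>/dev/null &&
  openssl dgst -sha256 -sign "$d/key.pem" -out "$d/sig" "$d/msg" &&
  n=$(openssl rsa -in "$d/key.pem" -noout -modulus | cut -d= -f2) &&
  pubkey_from_n_e "$n" 010001 "$d/pub.pem" &&
  verify_sha256 "$d/pub.pem" "$d/sig" "$d/msg" && echo "signature verifies" &&
  recover_block_hex "$d/pub.pem" "$d/sig"
rm -rf "$d"
```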