Re: AES128 CBC
Hello Anthony, thank you for you fast reply. I visited your blog and analyzed your example. There is one question left. You added the comment Call when needed to your function EVP_EncryptUpdate(). What does that mean? In my case I want to encrypt a string containing 292 bytes. After calling EVP_EncryptUpdate_ex() the variable out_len = 288. Do I have to call EVP_EncryptUpdate_ex() again to encrypt the remaining 4 bytes? I thought the remaining bytes will be encrypted by calling EVP_EncryptFinal_ex() Rudy1 Anthony Gabrielson-4 wrote: Hello, This seems to be a pretty typical question that gets posted often. I have a simple example that I think hits it. Anyway, its the first entry into a blog that I'm starting to building up. If your interested the code and (a brief) explanation is available here: http://agabrielson.wordpress.com/2010/07/15/openssl-an-example-from-the-command-line/#more-4 One note - I didn't use the ex function; I used the older version. It should give you a slightly easier place to start from. Anthony - Original Message - From: Rudy1 r...@compumatica.eu To: openssl-users@openssl.org Sent: Thursday, July 15, 2010 5:37:38 AM Subject: AES128 CBC I'm using the openssl crypto lib first time and I don't know how to encrypt text larger than blocksize (16 byte) . For example I want to encrypt a string of size 292 bytes. I call EVP_EncryptUpdate () one time and 288 bytes will be encrypted and finally I call EVP_EncryptFinal_ex(). Do I really encrypt the whole string correctly? Or do I have to call EVP_EncryptUpdate () for every blocksize chunk of my string? How large is the encrypted string? I would expect 304 bytes (288 + 16). Is this correct? Rudy1 View this message in context: AES128 CBC Sent from the OpenSSL - User mailing list archive at Nabble.com. -- View this message in context: http://old.nabble.com/AES128-CBC-tp29170995p29180726.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Help creating certificate chain
Hello All, I'm trying to get a basic root CA setup with an intermediate CA to handle all the end user certificate signing. So far I've created a Root CA I created an intermediate CA and signed it's certificate with the Root CA I created an end user certificate and signed it with the intermediate CA. Now I want to be able to just import the Root CA and have all end user certificates be verified. I tried running: openssl verify -CAfile ../root/ca-cert.crt user.crt and it returns with error 20 at 0 depth lookup:unable to get local issuer certificate Thanks for any help.
RE: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate)
Date: Thu, 15 Jul 2010 18:15:32 +0200 From: st...@openssl.org To: openssl-users@openssl.org Subject: Re: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate) On Thu, Jul 15, 2010, Luis Neves wrote: some progress: openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert /home/oracle/lneves.pem -url http://ocsp.auc.cartaodecidadao.pt/publico/ocsp -CAfile /etc/pki/tls/certs/CC0003.pem -resp_text using CC0003.pem instead of C0002.pem returns GOOD (will try to check why) but still returning the 11323:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get issuer certificate /home/oracle/lneves.pem: good This Update: Jul 15 15:29:50 2010 GMT error For each certificate do this: openssl x509 -in cert.pem -subject -issuer -noout The subject of the one you pass to -issuer should match the issuer of the one you pass to cert. You need a root CA and the rest of the chain passed to -CApath. Ok, using your tip I confirmed that CA certificate is the CC0003.pem Ive include it at the end of ca-bundle.crt, pem encoded like the others on this file and used it as openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert /home/oracle/lneves.pem -url http://ocsp.auc.cartaodecidadao.pt/publico/ocsp -CAfile /etc/pki/tls/certs/ca-bundle.crt -resp_text and still the same error. if I try to make tests with Apache, the problem gets wrost I get this on error_log [Fri Jul 16 09:42:33.783916 2010] [debug] [pid 10145] ssl_util_ocsp.c(79): [client 10.14.148.50:45551] connecting to OCSP responder 'ocsp.auc.cartaodecidadao.pt' [Fri Jul 16 09:42:33.858348 2010] [debug] [pid 10145] ssl_util_ocsp.c(105): [client 10.14.148.50:45551] sending request to OCSP responder [Fri Jul 16 09:42:34.076188 2010] [debug] [pid 10145] ssl_util_ocsp.c(209): [client 10.14.148.50:45551] OCSP response header: Date: Fri, 16 Jul 2010 08:31:30 GMT [Fri Jul 16 09:42:34.076237 2010] [debug] [pid 10145] ssl_util_ocsp.c(209): [client 10.14.148.50:45551] OCSP response header: Server: Apache [Fri Jul 16 09:42:34.076264 2010] [debug] [pid 10145] ssl_util_ocsp.c(209): [client 10.14.148.50:45551] OCSP response header: X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5 [Fri Jul 16 09:42:34.076300 2010] [debug] [pid 10145] ssl_util_ocsp.c(209): [client 10.14.148.50:45551] OCSP response header: Expires: Fri, 16 Jul 2010 08:33:30 GMT [Fri Jul 16 09:42:34.076327 2010] [debug] [pid 10145] ssl_util_ocsp.c(209): [client 10.14.148.50:45551] OCSP response header: Cache-Control: max-age=120 [Fri Jul 16 09:42:34.076365 2010] [debug] [pid 10145] ssl_util_ocsp.c(209): [client 10.14.148.50:45551] OCSP response header: Content-Length: 2530 [Fri Jul 16 09:42:34.076404 2010] [debug] [pid 10145] ssl_util_ocsp.c(209): [client 10.14.148.50:45551] OCSP response header: Connection: close [Fri Jul 16 09:42:34.076442 2010] [debug] [pid 10145] ssl_util_ocsp.c(209): [client 10.14.148.50:45551] OCSP response header: Content-Type: application/ocsp-response [Fri Jul 16 09:42:34.076490 2010] [debug] [pid 10145] ssl_util_ocsp.c(252): [client 10.14.148.50:45551] OCSP response: got 2530 bytes, 2530 total [Fri Jul 16 09:42:34.076606 2010] [debug] [pid 10145] ssl_util_ocsp.c(235): [client 10.14.148.50:45551] OCSP response: got EOF [Fri Jul 16 09:42:34.077905 2010] [error] [pid 10145] SSL Library Error: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate) [Fri Jul 16 09:42:34.077980 2010] [error] [pid 10145] failed to verify the OCSP response [Fri Jul 16 09:42:34.078124 2010] [error] [pid 10145] [client 10.14.148.50:45551] Certificate Verification: Error (50): application verification failure [Fri Jul 16 09:42:34.078339 2010] [info] [pid 10145] [client 10.14.148.50:45551] SSL library error 1 in handshake (server beehive.cm-lisboa.net:443) [Fri Jul 16 09:42:34.078503 2010] [info] [pid 10145] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned [Fri Jul 16 09:42:34.078552 2010] [info] [pid 10145] [client 10.14.148.50:45551] Connection closed to child 1 with abortive shutdown (server beehive.cm-lisboa.net:443) and I cannot access my test page on the server. By the way, I am using sef-signed certs on the test system beehive.cm-lisboa.net and another problem: If I dont specify the OCSP responder on httpd.conf I get this error on the error_log [Fri Jul 16 09:47:59.813771 2010] [debug] [pid 10312] ssl_engine_ocsp.c(78): [client 10.14.148.50:43894] no OCSP responder specified in certificate and no default configured [Fri Jul 16 09:47:59.813866 2010] [error] [pid 10312] [client 10.14.148.50:43894] Certificate Verification: Error (50): application verification failure [Fri Jul 16 09:47:59.814090 2010] [info] [pid 10312] [client
Is there a limit on CN length?
Hi I've very recently decided to create my own Cert Authority in order to produce certificates to replace all the built in self-signed ones on devices such as routers,switches etc. I'm having problems with the certificate signing requests generated by Dell iDRAC6 management interfaces. The hostname is quite long and the FQDN totals 57 characters. The last 7 or so characters are being chopped off from the CSR. Is this a Dell specific problem or are there some hard limits I should know about? Many thanks, Alex __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Is there a limit on CN length?
On Fri, Jul 16, 2010 at 10:50:02AM +0100, Alexander Fisher wrote: Hi I've very recently decided to create my own Cert Authority in order to produce certificates to replace all the built in self-signed ones on devices such as routers,switches etc. I'm having problems with the certificate signing requests generated by Dell iDRAC6 management interfaces. The hostname is quite long and the FQDN totals 57 characters. The last 7 or so characters are being chopped off from the CSR. RFC3280 says the maximum length of the common name should be 64. But not every implementation respects it. OpenSSL does. And it throws an error if the limit is exceeded. Cheers Christian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate)
On Fri, Jul 16, 2010, Luis Neves wrote: Ok, using your tip I confirmed that CA certificate is the CC0003.pem Ive include it at the end of ca-bundle.crt, pem encoded like the others on this file and used it as openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert /home/oracle/lneves.pem -url http://ocsp.auc.cartaodecidadao.pt/publico/ocsp -CAfile /etc/pki/tls/certs/ca-bundle.crt -resp_text and still the same error. Your certificate chain needs to be complete. That is it has to include the root CA (one with issuer and subject the same) and all intermediate certificates of the responder certificate. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: AES128 CBC
Hi Rudy, I added call when needed because EncryptUpdate can be called more than once, as long as EncryptFinal hasn't already been called. Once EncryptFinal has been called your saying you have all the data you expect for that iteration. So if your 292 bytes were coming in an iterations of N bytes you would just keep calling EncryptUpdate every N bytes once the final iteration came in you would finalize with EncryptFinal and move on to the next step in your code. By your codes description, and my example, each is only needed once since all the data is already there. That make sense? Anthony On Jul 16, 2010, at 3:10 AM, Rudy1 wrote: Hello Anthony, thank you for you fast reply. I visited your blog and analyzed your example. There is one question left. You added the comment Call when needed to your function EVP_EncryptUpdate(). What does that mean? In my case I want to encrypt a string containing 292 bytes. After calling EVP_EncryptUpdate_ex() the variable out_len = 288. Do I have to call EVP_EncryptUpdate_ex() again to encrypt the remaining 4 bytes? I thought the remaining bytes will be encrypted by calling EVP_EncryptFinal_ex() Rudy1 Anthony Gabrielson-4 wrote: Hello, This seems to be a pretty typical question that gets posted often. I have a simple example that I think hits it. Anyway, its the first entry into a blog that I'm starting to building up. If your interested the code and (a brief) explanation is available here: http://agabrielson.wordpress.com/2010/07/15/openssl-an-example-from-the-command-line/#more-4 One note - I didn't use the ex function; I used the older version. It should give you a slightly easier place to start from. Anthony - Original Message - From: Rudy1 r...@compumatica.eu To: openssl-users@openssl.org Sent: Thursday, July 15, 2010 5:37:38 AM Subject: AES128 CBC I'm using the openssl crypto lib first time and I don't know how to encrypt text larger than blocksize (16 byte) . For example I want to encrypt a string of size 292 bytes. I call EVP_EncryptUpdate () one time and 288 bytes will be encrypted and finally I call EVP_EncryptFinal_ex(). Do I really encrypt the whole string correctly? Or do I have to call EVP_EncryptUpdate () for every blocksize chunk of my string? How large is the encrypted string? I would expect 304 bytes (288 + 16). Is this correct? Rudy1 View this message in context: AES128 CBC Sent from the OpenSSL - User mailing list archive at Nabble.com. -- View this message in context: http://old.nabble.com/AES128-CBC-tp29170995p29180726.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: AES128 CBC
On Thu July 15 2010, Anthony Gabrielson wrote: On Jul 15, 2010, at 6:18 PM, Michael S. Zick wrote: Interesting blog. One quick question on the first linked-to source at the top: quote memset(plaintext,0,sizeof(plaintext)); in_len = strlen(ciphertext); end-quote How did you get strlen to ignore any embedded zeros in the ciphertext? Mike Hi Mike - that was a good catch. I wrote the code quickly and moved on to my objective - and that was a mistake. Anyway, I updated the code and made the necessary updates. Thanks for pointing that out, I appreciate it. I understand since I write a lot for my own site and wish people would point out the oopses. That page you linked to that explains the acronyms bares repeating from time to time. Good article. Mike Anthony__ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Is there a limit on CN length?
On 16-07-2010 12:40, Christian Hohnstaedt wrote: On Fri, Jul 16, 2010 at 10:50:02AM +0100, Alexander Fisher wrote: Hi I've very recently decided to create my own Cert Authority in order to produce certificates to replace all the built in self-signed ones on devices such as routers,switches etc. I'm having problems with the certificate signing requests generated by Dell iDRAC6 management interfaces. The hostname is quite long and the FQDN totals 57 characters. The last 7 or so characters are being chopped off from the CSR. RFC3280 says the maximum length of the common name should be 64. But not every implementation respects it. OpenSSL does. And it throws an error if the limit is exceeded. While RFC3280 may be repeating this limit (which appears to be a historic X.400 directory holdover), this particular limit has always been a bad idea to enforce or implement at all: 1. For the original/historic use of this element holding a natural persons full name (as listed in a phone directory, hence the CCITT/ITU-T standardization interest), the problem is that many people around the world have full names exceeding this arbitrary limit. 2. For the common SSL use of placing the fully qualified domain name of a server in this element (rather than the official SubjectAltName element), a 64 character limit conflicts rather harshly with the DNS limit of 63 characters between each dot. Thus a perfectly valid DNS name such as www.llanfairpwllgwyngyllgogerychwyrndrobwantysiliogogogoch.co.uk could easily exceed this limit. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Issue with clients Operating System on certs
I sent this situation off to the help team but maybe it is either that stupid or that hard. I have installed 2 SSL Certs on my server. I am using a naming convention for apache configuration for each cert. Server: Windows server 2008, Apache/2.2.14 (Win32) mod_ssl/2.2.14 OpenSSL/0.9.8k PHP/5.2.11 httpd-vhost.conf ___ NameVirtualHost *:443 VirtualHost *:443 SSLEngine on SSLCertificateFile C:\\certs\\ServerA.crt SSLCertificateKeyFile C:\\certs\\ ServerA.key ServerName www. ServerA.com SSLOptions StrictRequire SSLProtocol all -SSLv2 ServerAdmin notice@ ServerA.com DocumentRoot C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\www\\html\\ ServerA ErrorLog C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\logs\\ssl-access- ServerA.log CustomLog logs/access-ssl-www. ServerA.com common /VirtualHost VirtualHost *:443 SSLEngine on SSLCertificateFile C:\\certs\\ ServerB.crt SSLCertificateKeyFile C:\\certs\\ ServerB.key ServerName www. ServerB.com SSLOptions StrictRequire SSLProtocol all -SSLv2 ServerAdmin notice@ ServerB.com DocumentRoot C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\www\\html\\ ServerB ErrorLog C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\logs\\ssl-access- ServerB.log CustomLog logs/access-ssl-www. ServerB.com common /VirtualHost Here is where my senerio goes very weird. A computer with windows 7 browses to both location and everything is perfect. A computer with windows XP browses to the siteA no issue. But if they go to siteB, the cert for Site A is used on SiteB's load every time no matter what computer they are on. The siteB does show the proper site but the cert is the wrong cert. This fails in Firefox, IE, Safari, Google Chrome on windows XP. Any suggestions ? Does this make sense what I am saying? Richard L. Buskirk Senior Software Developer
Re: Issue with clients Operating System on certs
Hi, You Apache configuration uses SNI (Server Name Indication) which is not supported on Windows XP using IE, Safari and Chrome. The client must be running under Windows Vista and higher in order for SNI to work. That being said, you are saying in your message that Firefox fails to support SNI under XP and that surprises me because it's supposed to work starting from 2.0 and up, independently from the OS. What version of Firefox are using under XP? -- Mounir IDRASSI IDRIX http://www.idrix.fr On 7/16/2010 3:31 PM, Richard Buskirk wrote: I sent this situation off to the help team but maybe it is either that stupid or that hard. I have installed 2 SSL Certs on my server. I am using a naming convention for apache configuration for each cert. *Server:* Windows server 2008, Apache/2.2.14 (Win32) mod_ssl/2.2.14 OpenSSL/0.9.8k PHP/5.2.11 *httpd-vhost.conf* ___ NameVirtualHost *:443 VirtualHost *:443 SSLEngine on SSLCertificateFile C:\\certs\\ServerA.crt SSLCertificateKeyFile C:\\certs\\ ServerA.key ServerName www. ServerA.com SSLOptions StrictRequire SSLProtocol all -SSLv2 ServerAdmin notice@ ServerA.com DocumentRoot C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\www\\html\\ ServerA ErrorLog C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\logs\\ssl-access- ServerA.log CustomLog logs/access-ssl-www. ServerA.com common /VirtualHost VirtualHost *:443 SSLEngine on SSLCertificateFile C:\\certs\\ ServerB.crt SSLCertificateKeyFile C:\\certs\\ ServerB.key ServerName www. ServerB.com SSLOptions StrictRequire SSLProtocol all -SSLv2 ServerAdmin notice@ ServerB.com DocumentRoot C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\www\\html\\ ServerB ErrorLog C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\logs\\ssl-access- ServerB.log CustomLog logs/access-ssl-www. ServerB.com common /VirtualHost Here is where my senerio goes very weird. A computer with windows 7 browses to both location and everything is perfect. A computer with windows XP browses to the siteA no issue. But if they go to siteB, the cert for Site A is used on SiteB’s load every time no matter what computer they are on. The siteB does show the proper site but the cert is the wrong cert. This fails in Firefox, IE, Safari, Google Chrome on windows XP. Any suggestions ? Does this make sense what I am saying? Richard L. Buskirk Senior Software Developer __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Issue with clients Operating System on certs
On 16-07-2010 15:31, Richard Buskirk wrote: I sent this situation off to the help team but maybe it is either that stupid or that hard. I have installed 2 SSL Certs on my server. I am using a naming convention for apache configuration for each cert. Server: Windows server 2008, Apache/2.2.14 (Win32) mod_ssl/2.2.14 OpenSSL/0.9.8k PHP/5.2.11 httpd-vhost.conf ___ NameVirtualHost *:443 VirtualHost *:443 SSLEngine on SSLCertificateFile C:\\certs\\ServerA.crt SSLCertificateKeyFile C:\\certs\\ ServerA.key ServerName www. ServerA.com SSLOptions StrictRequire SSLProtocol all -SSLv2 ServerAdmin notice@ ServerA.com DocumentRoot C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\www\\html\\ ServerA ErrorLog C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\logs\\ssl-access- ServerA.log CustomLog logs/access-ssl-www. ServerA.com common /VirtualHost VirtualHost *:443 SSLEngine on SSLCertificateFile C:\\certs\\ ServerB.crt SSLCertificateKeyFile C:\\certs\\ ServerB.key ServerName www. ServerB.com SSLOptions StrictRequire SSLProtocol all -SSLv2 ServerAdmin notice@ ServerB.com DocumentRoot C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\www\\html\\ ServerB ErrorLog C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\logs\\ssl-access- ServerB.log CustomLog logs/access-ssl-www. ServerB.com common /VirtualHost Here is where my senerio goes very weird. A computer with windows 7 browses to both location and everything is perfect. A computer with windows XP browses to the siteA no issue. But if they go to siteB, the cert for Site A is used on SiteB's load every time no matter what computer they are on. The siteB does show the proper site but the cert is the wrong cert. This fails in Firefox, IE, Safari, Google Chrome on windows XP. Any suggestions ? Does this make sense what I am saying? It looks like you are trying to serve up two different certificates on the same IP address (all addresses of your sever=*) and port (443), depending on the DNS name the browser used to locate the server. This is a very recent extension to the SSL/TLS protocols and is probably only implemented by a few very new browsers, such as the IE version in Windows 7. Older browsers not implementing this recent standard just have no way of telling the server which certificate they want, and so the server uses the first one in its configuration. There are two standard solutions to this problem (until most of the worlds SSL clients implement the extensions): A) Give your server two IP addresses (such as 10.0.0.1 and 10.0.0.2), make www.ServerA.com point to 10.0.0.1 and www.ServerB.com point to 10.0.0.2. Finally, in your Apache config, specify those addresses in place of the * for the different configurations. Benefit: Traditional. Problem: Uses more IPv4 addresses. B) Get the CA to issue a single certificate valid for both server names (e.g. by specifying both names in various certificate fields). Then tell Apache to do normal virtual hosting but with a single SSL certificate. Benefit: Uses only one IPv4 address per server. Problem: Not all combinations of server names can be combined in a single certificate if compatibility with many browser implementations is needed. Others on this list can probabably say which combinations are technically possible, and how. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate)
good news and bad news! good news first, Ive added all the correct certificates to the certificate chain, now the following command works ok: openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert /home/oracle/lneves.pem -url http://ocsp.auc.cartaodecidadao.pt/publico/ocsp -CAfile /etc/pki/tls/certs/ca-bundle.crt -resp_text Response verify OK /home/oracle/lneves.pem: good great!!! now the bad news... using apache to make the same test, i now have this errors: [Fri Jul 16 16:02:27.399755 2010] [debug] [pid 21783] ssl_util_ocsp.c(79): [client 10.14.148.50:54752] connecting to OCSP responder 'ocsp.auc.cartaodecidadao.pt' [Fri Jul 16 16:02:27.614470 2010] [debug] [pid 21783] ssl_util_ocsp.c(105): [client 10.14.148.50:54752] sending request to OCSP responder [Fri Jul 16 16:02:28.566401 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: Date: Fri, 16 Jul 2010 14:51:24 GMT [Fri Jul 16 16:02:28.566469 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: Server: Apache [Fri Jul 16 16:02:28.566505 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5 [Fri Jul 16 16:02:28.566542 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: Expires: Fri, 16 Jul 2010 14:53:24 GMT [Fri Jul 16 16:02:28.566576 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: Cache-Control: max-age=120 [Fri Jul 16 16:02:28.566617 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: Content-Length: 2530 [Fri Jul 16 16:02:28.566643 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: Connection: close [Fri Jul 16 16:02:28.566682 2010] [debug] [pid 21783] ssl_util_ocsp.c(209): [client 10.14.148.50:54752] OCSP response header: Content-Type: application/ocsp-response [Fri Jul 16 16:02:28.566720 2010] [debug] [pid 21783] ssl_util_ocsp.c(252): [client 10.14.148.50:54752] OCSP response: got 1127 bytes, 1127 total [Fri Jul 16 16:02:28.569926 2010] [debug] [pid 21783] ssl_util_ocsp.c(252): [client 10.14.148.50:54752] OCSP response: got 1403 bytes, 2530 total [Fri Jul 16 16:02:28.569991 2010] [debug] [pid 21783] ssl_util_ocsp.c(235): [client 10.14.148.50:54752] OCSP response: got EOF [Fri Jul 16 16:02:28.578764 2010] [error] [pid 21783] SSL Library Error: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted [Fri Jul 16 16:02:28.578810 2010] [error] [pid 21783] failed to verify the OCSP response [Fri Jul 16 16:02:28.578927 2010] [error] [pid 21783] [client 10.14.148.50:54752] Certificate Verification: Error (50): application verification failure [Fri Jul 16 16:02:28.579150 2010] [info] [pid 21783] [client 10.14.148.50:54752] SSL library error 1 in handshake (server beehive.cm-lisboa.net:443) [Fri Jul 16 16:02:28.579236 2010] [info] [pid 21783] SSL Library Error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned [Fri Jul 16 16:02:28.579275 2010] [info] [pid 21783] [client 10.14.148.50:54752] Connection closed to child 1 with abortive shutdown (server beehive.cm-lisboa.net:443) besides this, why I have to force httpd.conf with a SSLOCSPDefaultResponder directive? Shouldnt the mod_ssl code discover automatically the responder address from the client certificate itself?? Date: Fri, 16 Jul 2010 13:18:16 +0200 From: st...@openssl.org To: openssl-users@openssl.org Subject: Re: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate) On Fri, Jul 16, 2010, Luis Neves wrote: Ok, using your tip I confirmed that CA certificate is the CC0003.pem Ive include it at the end of ca-bundle.crt, pem encoded like the others on this file and used it as openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert /home/oracle/lneves.pem -url http://ocsp.auc.cartaodecidadao.pt/publico/ocsp -CAfile /etc/pki/tls/certs/ca-bundle.crt -resp_text and still the same error. Your certificate chain needs to be complete. That is it has to include the root CA (one with issuer and subject the same) and all intermediate certificates of the responder certificate. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org _ Hotmail: Free, trusted
RE: Issue with clients Operating System on certs
This makes sense to me. Mounir IDRASSI talked about the SNI which made sense but the solution was not an option. Your suggestion is a little complex to setup in my load balancer, but very doable and does not create a OS or Browser requirement. I am very new to this list but you guys rock, I guess I was expecting the typical list responses, not intellegent ones like you guys gave. Thank you. Richard L. Buskirk Senior Software Developer Indatus -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm Sent: Friday, July 16, 2010 10:07 AM To: openssl-users@openssl.org Subject: Re: Issue with clients Operating System on certs On 16-07-2010 15:31, Richard Buskirk wrote: I sent this situation off to the help team but maybe it is either that stupid or that hard. I have installed 2 SSL Certs on my server. I am using a naming convention for apache configuration for each cert. Server: Windows server 2008, Apache/2.2.14 (Win32) mod_ssl/2.2.14 OpenSSL/0.9.8k PHP/5.2.11 httpd-vhost.conf ___ NameVirtualHost *:443 VirtualHost *:443 SSLEngine on SSLCertificateFile C:\\certs\\ServerA.crt SSLCertificateKeyFile C:\\certs\\ ServerA.key ServerName www. ServerA.com SSLOptions StrictRequire SSLProtocol all -SSLv2 ServerAdmin notice@ ServerA.com DocumentRoot C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\www\\html\\ ServerA ErrorLog C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\logs\\ssl-access- ServerA.log CustomLog logs/access-ssl-www. ServerA.com common /VirtualHost VirtualHost *:443 SSLEngine on SSLCertificateFile C:\\certs\\ ServerB.crt SSLCertificateKeyFile C:\\certs\\ ServerB.key ServerName www. ServerB.com SSLOptions StrictRequire SSLProtocol all -SSLv2 ServerAdmin notice@ ServerB.com DocumentRoot C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\www\\html\\ ServerB ErrorLog C:\\Program Files (x86)\\Apache Software Foundation\\Apache2.2\\logs\\ssl-access- ServerB.log CustomLog logs/access-ssl-www. ServerB.com common /VirtualHost Here is where my senerio goes very weird. A computer with windows 7 browses to both location and everything is perfect. A computer with windows XP browses to the siteA no issue. But if they go to siteB, the cert for Site A is used on SiteB's load every time no matter what computer they are on. The siteB does show the proper site but the cert is the wrong cert. This fails in Firefox, IE, Safari, Google Chrome on windows XP. Any suggestions ? Does this make sense what I am saying? It looks like you are trying to serve up two different certificates on the same IP address (all addresses of your sever=*) and port (443), depending on the DNS name the browser used to locate the server. This is a very recent extension to the SSL/TLS protocols and is probably only implemented by a few very new browsers, such as the IE version in Windows 7. Older browsers not implementing this recent standard just have no way of telling the server which certificate they want, and so the server uses the first one in its configuration. There are two standard solutions to this problem (until most of the worlds SSL clients implement the extensions): A) Give your server two IP addresses (such as 10.0.0.1 and 10.0.0.2), make www.ServerA.com point to 10.0.0.1 and www.ServerB.com point to 10.0.0.2. Finally, in your Apache config, specify those addresses in place of the * for the different configurations. Benefit: Traditional. Problem: Uses more IPv4 addresses. B) Get the CA to issue a single certificate valid for both server names (e.g. by specifying both names in various certificate fields). Then tell Apache to do normal virtual hosting but with a single SSL certificate. Benefit: Uses only one IPv4 address per server. Problem: Not all combinations of server names can be combined in a single certificate if compatibility with many browser implementations is needed. Others on this list can probabably say which combinations are technically possible, and how. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Help creating certificate chain
All of the CA certificates in the chain of trust need to be included in the CA file passed to the -CAfile option. To do this, simply concatenate all of the PEM-encoded CA certificates into one file (e.g. 'cat PEM-encoded root CA cert PEM-encoded intermediate CA cert cafile.pem' -- could be 'cat ../root/ca-cert.crt ../int/ca-cert.crt cafile.pem'). Then use the following command 'openssl verify -CAfile cafile user.crt'. Hope this helps. -Ryan Smith From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Hugo Garza Sent: Thursday, July 15, 2010 12:27 PM To: openssl-users@openssl.org Subject: Help creating certificate chain Hello All, I'm trying to get a basic root CA setup with an intermediate CA to handle all the end user certificate signing. So far I've created a Root CA I created an intermediate CA and signed it's certificate with the Root CA I created an end user certificate and signed it with the intermediate CA. Now I want to be able to just import the Root CA and have all end user certificates be verified. I tried running: openssl verify -CAfile ../root/ca-cert.crt user.crt and it returns with error 20 at 0 depth lookup:unable to get local issuer certificate Thanks for any help.
Re: Help creating certificate chain
On 15-07-2010 21:26, Hugo Garza wrote: Hello All, I'm trying to get a basic root CA setup with an intermediate CA to handle all the end user certificate signing. So far I've created a Root CA I created an intermediate CA and signed it's certificate with the Root CA I created an end user certificate and signed it with the intermediate CA. Now I want to be able to just import the Root CA and have all end user certificates be verified. I tried running: openssl verify -CAfile ../root/ca-cert.crt user.crt and it returns with error 20 at 0 depth lookup:unable to get local issuer certificate Thanks for any help. All of the certificates in the chain from user.crt to ca-cert.crt (inclusive) need to be provided as input. It is your choice if the intermediary cert is included in ca-cert.crt or in user.crt. In a real application/protocol (such as SSL), the intermediary cert would typically be included in the appropriate protocol or message field. SSL/TLS puts the list of certificates in the Certificate handshake message, S/MIME (CMS/PKCS#7) puts the list of certificates in the certificates member of the SignedData ASN.1 structure. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Help creating certificate chain
On Thu, Jul 15, 2010, Hugo Garza wrote: Hello All, I'm trying to get a basic root CA setup with an intermediate CA to handle all the end user certificate signing. So far I've created a Root CA I created an intermediate CA and signed it's certificate with the Root CA I created an end user certificate and signed it with the intermediate CA. Now I want to be able to just import the Root CA and have all end user certificates be verified. I tried running: openssl verify -CAfile ../root/ca-cert.crt user.crt and it returns with error 20 at 0 depth lookup:unable to get local issuer certificate In a real world situation the user certificate and all intermediates would be presented and only the root CA trusted. With the verify command you'd do: openssl verify -CAfile root.pem -untrusted intermediate.pem user.pem where intermediate.pem has any intermediate CA certificates concatenated together, just the one in your case. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Help creating certificate chain
Thanks Jakob, I just tried what you said by concatinating the Root and Intermediate certificates to the user.crt file and tried running openssl verify -CAfile ../root/ca-cert.crt user.crt But it still fails with, error 20 at 0 depth lookup:unable to get local issuer certificate. I would prefer this method and just having everyone install the root CA certificate into their trust store rather than having to install every combination of Root and Intermediate CA's that are created in the future. On Fri, Jul 16, 2010 at 12:19 PM, Jakob Bohm jb-open...@wisemo.com wrote: On 15-07-2010 21:26, Hugo Garza wrote: Hello All, I'm trying to get a basic root CA setup with an intermediate CA to handle all the end user certificate signing. So far I've created a Root CA I created an intermediate CA and signed it's certificate with the Root CA I created an end user certificate and signed it with the intermediate CA. Now I want to be able to just import the Root CA and have all end user certificates be verified. I tried running: openssl verify -CAfile ../root/ca-cert.crt user.crt and it returns with error 20 at 0 depth lookup:unable to get local issuer certificate Thanks for any help. All of the certificates in the chain from user.crt to ca-cert.crt (inclusive) need to be provided as input. It is your choice if the intermediary cert is included in ca-cert.crt or in user.crt. In a real application/protocol (such as SSL), the intermediary cert would typically be included in the appropriate protocol or message field. SSL/TLS puts the list of certificates in the Certificate handshake message, S/MIME (CMS/PKCS#7) puts the list of certificates in the certificates member of the SignedData ASN.1 structure. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OCSP_basic_verify:certificate verify error ( Verify error:unable to get local issuer certificate)
Hi Luis: See reply inline: On July 16, 2010 11:05:46 am Luis Neves wrote: snip besides this, why I have to force httpd.conf with a SSLOCSPDefaultResponder directive? Shouldnt the mod_ssl code discover automatically the responder address from the client certificate itself?? From your other mail: openssl x509 -in /home/oracle/lneves.pem -noout -text snip a bunch of certificate contents stuff 2.5.29.46: 0h0f.d.b.`http://pki.cartaodecidadao.pt/publico/lrc/cc_sub- ec_cidadao_autenticacao_crl0003_delta_p0005.crl Authority Information Access: OCSP - URI:http://ocsp.auc.cartaodecidadao.pt/publico/ocsp The part that catches my eye is the incorrect decoding for authorityInfoAccess. First of all, 2.5.29.46 is NOT AIA, but according to: http://www.alvestrand.no/objectid/2.5.29.46.html It is Freshest CRL. This is NOT the OID for AIA, thus the application should NOT be able to find the OCSP information. Fix the CA that generated this certificate to generate correct PKIX RFC5280 certificates, and at least part of your problem should go away. Have fun. -- Patrick Patterson President and Chief PKI Architect, Carillon Information Security Inc. http://www.carillon.ca __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Help creating certificate chain
Hello Stephen, thank you for your comment that made the verification pass. But I'm a bit confused now. Just as a demo I moved these certs to my windows computer and installed the Root CA into my current user's Trusted Root Certificate Authorities folder using the MMC certificates snap in. Then I double click the inter CA certificate and Windows says it's OK. But when I double click the users certificate it says that it doesn't have enough information to verify the certificate. This is strange to me, because I can visit lots of websites that I know I don't have the intermediate CA installed it all works. For instance I can visit gmail and it says the root is Class 3 Public Primary Certification Authority by Verisign, and I can see that it's installed in my windows Trusted Root Certificate Authorities. The next certificate is Thawte SGC CA which is no where in my Trusted Root Certificate Authorities and finally is mail.google.com and windows says it's valid. Am I missing some extension when I create the end user certificate or what part of this puzzle is escaping my grasp. On Fri, Jul 16, 2010 at 12:32 PM, Dr. Stephen Henson st...@openssl.orgwrote: On Thu, Jul 15, 2010, Hugo Garza wrote: Hello All, I'm trying to get a basic root CA setup with an intermediate CA to handle all the end user certificate signing. So far I've created a Root CA I created an intermediate CA and signed it's certificate with the Root CA I created an end user certificate and signed it with the intermediate CA. Now I want to be able to just import the Root CA and have all end user certificates be verified. I tried running: openssl verify -CAfile ../root/ca-cert.crt user.crt and it returns with error 20 at 0 depth lookup:unable to get local issuer certificate In a real world situation the user certificate and all intermediates would be presented and only the root CA trusted. With the verify command you'd do: openssl verify -CAfile root.pem -untrusted intermediate.pem user.pem where intermediate.pem has any intermediate CA certificates concatenated together, just the one in your case. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Help creating certificate chain
Hello Hugo: On July 16, 2010 02:31:53 pm Hugo Garza wrote: Hello Stephen, thank you for your comment that made the verification pass. But I'm a bit confused now. Just as a demo I moved these certs to my windows computer and installed the Root CA into my current user's Trusted Root Certificate Authorities folder using the MMC certificates snap in. Then I double click the inter CA certificate and Windows says it's OK. But when I double click the users certificate it says that it doesn't have enough information to verify the certificate. This is strange to me, because I can visit lots of websites that I know I don't have the intermediate CA installed it all works. For instance I can visit gmail and it says the root is Class 3 Public Primary Certification Authority by Verisign, and I can see that it's installed in my windows Trusted Root Certificate Authorities. The next certificate is Thawte SGC CA which is no where in my Trusted Root Certificate Authorities and finally is mail.google.com and windows says it's valid. Am I missing some extension when I create the end user certificate or what part of this puzzle is escaping my grasp. Yes, you probably are missing the AuthorityInformationAccess extension in the client certificate. This is an X.509 extension that contains, in the caIssuers field, a URI that points to a location that an application that is performing path construction may use to download the certificate for that certificate's issuer. Inside of THAT certificate, there should be another AuthorityInformationAccess extension which points to THAT Certificates issuer all the way up the line to a self signed certificate that SHOULD NOT have an AIA field. For a full description, including the formatting of the certificate to be downloaded, please see RFC5280. As an aside, even with an AIA extension, the OpenSSL library (and by extension, the command line tool) will NOT fetch intermediate certificates for you (which is why you needed to put both certs in the cafile.pem) - this is because it doesn't have any code to be an HTTP or LDAP client (probably a good thing:). If you want to do path construction, you have to write an application that uses OpenSSL for the crypto, but your application has to handle all of the network access. Have fun! -- Patrick Patterson President and Chief PKI Architect, Carillon Information Security Inc. http://www.carillon.ca __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Help creating certificate chain
On Fri, Jul 16, 2010, Hugo Garza wrote: Hello Stephen, thank you for your comment that made the verification pass. But I'm a bit confused now. Just as a demo I moved these certs to my windows computer and installed the Root CA into my current user's Trusted Root Certificate Authorities folder using the MMC certificates snap in. Then I double click the inter CA certificate and Windows says it's OK. But when I double click the users certificate it says that it doesn't have enough information to verify the certificate. This is strange to me, because I can visit lots of websites that I know I don't have the intermediate CA installed it all works. For instance I can visit gmail and it says the root is Class 3 Public Primary Certification Authority by Verisign, and I can see that it's installed in my windows Trusted Root Certificate Authorities. The next certificate is Thawte SGC CA which is no where in my Trusted Root Certificate Authorities and finally is mail.google.com and windows says it's valid. Am I missing some extension when I create the end user certificate or what part of this puzzle is escaping my grasp. What you are missing is that when you visit a website it doesn't just send the user certificate back it also sends intermediate CAs too, the root being optional. What that means is that as long as you have the correct root trusted the certificates presented are sufficient to verify the end entity certificate. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Win CE 6.0 + ARM + openssl
Thank you very much so far with all the input you have given me. I have few more questions. I am going to have to give up on interfacing with the Windows Crypto library and put openssl on my client as well. However, my client will be running Windows CE 6.0 with an ARM processor. Are the installation instructions in INSTALL.WCE still valid? Has anyone compiled openssl for CE 6.0 (Visual C 2005), ARM processor? I've been asked to give a quote on how long it is going to take me and by the looks of the instructions, it doesn't look difficult at all. Can anyone more experienced say otherwise? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Help creating certificate chain
What? No plug for pathfinder? -Original Message- From: owner-openssl-us...@openssl.org on behalf of Patrick Patterson Sent: Fri 7/16/2010 11:58 AM To: openssl-users@openssl.org Subject: Re: Help creating certificate chain Hello Hugo: On July 16, 2010 02:31:53 pm Hugo Garza wrote: Hello Stephen, thank you for your comment that made the verification pass. But I'm a bit confused now. Just as a demo I moved these certs to my windows computer and installed the Root CA into my current user's Trusted Root Certificate Authorities folder using the MMC certificates snap in. Then I double click the inter CA certificate and Windows says it's OK. But when I double click the users certificate it says that it doesn't have enough information to verify the certificate. This is strange to me, because I can visit lots of websites that I know I don't have the intermediate CA installed it all works. For instance I can visit gmail and it says the root is Class 3 Public Primary Certification Authority by Verisign, and I can see that it's installed in my windows Trusted Root Certificate Authorities. The next certificate is Thawte SGC CA which is no where in my Trusted Root Certificate Authorities and finally is mail.google.com and windows says it's valid. Am I missing some extension when I create the end user certificate or what part of this puzzle is escaping my grasp. Yes, you probably are missing the AuthorityInformationAccess extension in the client certificate. This is an X.509 extension that contains, in the caIssuers field, a URI that points to a location that an application that is performing path construction may use to download the certificate for that certificate's issuer. Inside of THAT certificate, there should be another AuthorityInformationAccess extension which points to THAT Certificates issuer all the way up the line to a self signed certificate that SHOULD NOT have an AIA field. For a full description, including the formatting of the certificate to be downloaded, please see RFC5280. As an aside, even with an AIA extension, the OpenSSL library (and by extension, the command line tool) will NOT fetch intermediate certificates for you (which is why you needed to put both certs in the cafile.pem) - this is because it doesn't have any code to be an HTTP or LDAP client (probably a good thing:). If you want to do path construction, you have to write an application that uses OpenSSL for the crypto, but your application has to handle all of the network access. Have fun! -- Patrick Patterson President and Chief PKI Architect, Carillon Information Security Inc. http://www.carillon.ca __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org winmail.dat
