FW: Libeay32.lib missing crypto engines
Hi, This is Rajesh Kumar from CISCO. We are using the Openssl libraries in our project in the Win 32 enviroment. We were using 0.9.8l version of the library earlier. We are now trying to migrate to 1.0.0a version. While building the 1.0.0a version we found that few crypto-engines are not built as part of libeay32.lib. They are built separately as dll's. In the 0.9.8l version we could see the same getting built as part of the libeay32.lib. Below is the difference highlighted, 0.9.8l version export functions from the libeay32.lib: 3218_ENGINE_load_4758cca 3210_ENGINE_load_aep 3130_ENGINE_load_atalla 2708_ENGINE_load_builtin_engines 3075_ENGINE_load_chil 2617_ENGINE_load_cryptodev 3027_ENGINE_load_cswift 2547_ENGINE_load_dynamic 3055_ENGINE_load_nuron 2657_ENGINE_load_openssl 3532_ENGINE_load_padlock 2498_ENGINE_load_private_key 2479_ENGINE_load_public_key 4046_ENGINE_load_ssl_client_cert 3211_ENGINE_load_sureware 2636_ENGINE_load_ubsec 1.0.0a version: 2475_ENGINE_init 2708_ENGINE_load_builtin_engines 2617_ENGINE_load_cryptodev 2547_ENGINE_load_dynamic 2657_ENGINE_load_openssl 2498_ENGINE_load_private_key 2479_ENGINE_load_public_key 4046_ENGINE_load_ssl_client_cert 2515_ENGINE_new Now we would like to know if there is any way to get the engines as part of the library file itself like the 0.9.8l version? We have our code directly referring to the ENGINE_load_ functions, due to which the linker errors are seen while using the 1.0.0a version. I tried to tweak around the no_static_engine variable in the perl file, but it did not help me much. Could you please help me out with this as this is very critical for our product security. Please let me know if you need any further information. With regards, Rajesh Kumar R
Re: Why does my browser give a warning about a mismatched hostname
I've solved this problem. I created file ip.ext with: subjectAltName=IP:10.5.19.191 To sign certificate I used: openssl ca -notext -extfile ip.ext -in /etc/ssl/req.txt /etc/ssl/ilocert.pem Everything works well! Thanks Jakob Bohm-7 wrote: Depending on the CA you use, you may be able to issue a certificate with CN=some-ILO-name,OU=... AND SubjectAlternativeName: IP:1.2.3.4 If the ILO configuration accepts that cert, then there is a good chance you browser would accept the cert for both https://some-ILO-name/; and https://1.2.3.4/; On 24-07-2010 16:19, michu162 wrote: So what i should do to avoid warnings? CN (some-iLO-2-Subsystem-Name) is included in certificate request, witch is automatically generated by device. I can't upload other certificate (with other CN) because i got alert that certificate doesn't match the request. Is possible to access device via IP without warnings? michu162 wrote: I generated the ssl request, I signed it in my CA (openssl) and uploaded signed certificate back to device. I generated also ca.der and uploaded it to my Internet browser. When I trying open ilo my browser give a warning about a mismatched hostname. I'm accessing this device via IP address. I don't want add this addresses to my DNS. In certificate request was: CN = some-iLO-2-Subsystem-Name OU = ISS O = Hewlett-Packard Development Company ST = Texas C = US In my CA certificate, witch I used to sign the request I've got: CN = in...@mycompany.com C = US ST = MyState L = myCity E = in...@mycompany.com OU = Infrastructure O = MyCompany SP zoo What should I do to connect to ilo without any warnings? To create my own CA i used: openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf To sign my certificate request i used: openssl ca -notext -in /etc/ssl/req.txt /etc/ssl/ilocert.pem My OpenSSL configuration file: # # Establish working directory. dir= /etc/ssl [ ca ] default_ca= CA_default [ CA_default ] serial= $dir/serial database= $dir/index.txt new_certs_dir= $dir/certs certificate= $dir/cacert.pem private_key= $dir/private/cakey.pem default_days= 3650 default_md= md5 preserve= no email_in_dn= no nameopt= default_ca certopt= default_ca policy= policy_match [ policy_match ] countryName= optional stateOrProvinceName= optional organizationName= optional organizationalUnitName= optional commonName= supplied emailAddress= optional [ req ] default_bits= 1024# Size of keys default_keyfile= key.pem# name of generated keys default_md= md5# message digest algorithm string_mask= nombstr# permitted characters distinguished_name= req_distinguished_name req_extensions= v3_req [ req_distinguished_name ] # Variable namePrompt string #- -- 0.organizationName= Organization Name (company) organizationalUnitName= Organizational Unit Name (department, division) emailAddress= Email Address emailAddress_max= 40 localityName= Locality Name (city, district) stateOrProvinceName= State or Province Name (full name) countryName= Country Name (2 letter code) countryName_min= 2 countryName_max= 2 commonName= Common Name (hostname, IP, or your name) commonName_max= 64 # Default values for the above, for consistency and less typing. # Variable nameValue # -- 0.organizationName_default= My Company localityName_default= My Town stateOrProvinceName_default= State or Providence countryName_default= US [ v3_ca ] basicConstraints= CA:TRUE subjectKeyIdentifier= hash authorityKeyIdentifier= keyid:always,issuer:always [ v3_req ] basicConstraints= CA:FALSE subjectKeyIdentifier= hash Can anyone help me? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- View this message in context:
Re: openssl build error for embedded systems
Hi I think I have found the problem. Looking into speed.c unter /apps I found the two possible errors: 1.) If compiled without DSA RSA at the same time than the variable rsa_result is not defined: from line 510 in speed.c #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) long rsa_count; #endif Therefore since I didn't compile with the flag no-ecdsa OPENSSL_NO_ECDSA is not defined what leads to the excecution of source code from line 2269ff. In here rsa_count is set what leads to an error, since it is not defined previously. So first of all: Is that a development bug? Such error shouldn't happen at all, should it? 2.) The other errors come pretty much from the same problem if flag no-rsa or no-dsa is set than the variables rsa_result and dsa_result are not defined. Therefore using them in the function do_multi leads to the exact same errors = no defined. I made a quickdirty workaround by just replacing the correspondings lines with some dummy code however i don't like to use this version for the next steps. After that workaround it compiled fine. Is there any other solution to do it better? Is this also a (known)bug? Greetings Markus Original-Nachricht Datum: Thu, 22 Jul 2010 13:56:25 +0200 Von: Markus Hofer markus_ho...@gmx.at An: openssl-users@openssl.org Betreff: openssl build error for embedded systems Hi I am currently working on building openssl for an embedded system. Since the only things I need on the embedded system are SHA, MD5 and HMAC(in order to fit net-snmp later on) I’m trying to cut down openssl as much as possible. I am using openssl 0.9.8o So I am doing the following things to compile ~~/work/openssl$ ./config --prefix=/home_vie/mhofer/tmp_openssl --openssldir=/home_vie/mhofer/tmp_openssl/openssl no-threads no-zlib no-shared no-bf no-cast no-dh no-des no-dsa no-md2 no-mdc2 no-rc2 no-rc4 no-rc5 no-rsa; make depend; make the Make process stops with the following output gcc -DMONOLITH -I.. -I../include -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o speed.o speed.c speed.c: In function âspeed_mainâ: speed.c:2285: error: ârsa_countâ undeclared (first use in this function) speed.c:2285: error: (Each undeclared identifier is reported only once speed.c:2285: error: for each function it appears in.) speed.c: In function âdo_multiâ: speed.c:2839: error: ârsa_resultsâ undeclared (first use in this function) speed.c:2881: error: âdsa_resultsâ undeclared (first use in this function) make[1]: *** [speed.o] Error 1 make[1]: Leaving directory `/home_vie/mhofer/work/openssl/apps' make: *** [build_apps] Error 1 So what might be here the problem? Am I doing smthing wrong I would appreciate your help Best regards Markus -- GMX DSL: Internet-, Telefon- und Handy-Flat ab 19,99 EUR/mtl. Bis zu 150 EUR Startguthaben inklusive! http://portal.gmx.net/de/go/dsl __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- Sicherer, schneller und einfacher. Die aktuellen Internet-Browser - jetzt kostenlos herunterladen! http://portal.gmx.net/de/go/atbrowser __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Building openssl without RSA,DSA,DH errors
Hi guys Sorry for the double posts earlier on. I am still trying to build openssl as small as possible. Therefore I want to build openssl without RSA,DSA and DH support.( I am working on that for some days now). U However I have some troubles. I didn't find any related posts to that problem. Building the file from linux command with: ./config --prefix=/home_vie/mhofer/tmp_opensslscratch --openssldir=/home_vie/mhofer/tmp_opensslscratch/openssl no-threads no-zlib no-shared no-bf no-cast no-des no-md2 no-mdc2 no-rc2 no-rc4 no-rc5 no-rsa no-dsa no-dh; make depend; make the build crashes with: gcc -I.. -I../.. -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o eng_cnf.o eng_cnf.c gcc -I.. -I../.. -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o eng_dyn.o eng_dyn.c gcc -I.. -I../.. -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o eng_cryptodev.o eng_cryptodev.c In file included from eng_cryptodev.c:33: ../../include/openssl/dsa.h:71:2: error: #error DSA is disabled. In file included from eng_cryptodev.c:34: ../../include/openssl/rsa.h:74:2: error: #error RSA is disabled. In file included from eng_cryptodev.c:35: ../../include/openssl/dh.h:65:3: error: #error DH is disabled. make[2]: *** [eng_cryptodev.o] Error 1 make[2]: Leaving directory `/home_vie/mhofer/data/openssl-0.9.8o/crypto/engine' make[1]: *** [subdirs] Error 1 make[1]: Leaving directory `/home_vie/mhofer/data/openssl-0.9.8o/crypto' make: *** [build_crypto] Error 1 I have looked into the correspondig .h files and found the following: e.g for rsa.h #ifdef OPENSSL_NO_RSA #error RSA is disabled. #endif Therefore cleary the compiler terminates with an error. So my questions are: Has anybody encountered a similar problem? If so, is there a already fix for it? If not, is it a bug? I think one solution would be to introduce #ifndef OPENSSL_NO_RSA at the beginning of the files? I woul really appreciate your help Greetings Markus -- Sicherer, schneller und einfacher. Die aktuellen Internet-Browser - jetzt kostenlos herunterladen! http://portal.gmx.net/de/go/atbrowser __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Man in the middle proxy - Not working
Hi All Requirement:- I want to build a man in the middle proxy application. I have experimented so many methods to achieve this. But my application is failing when I tried some https url's from the browser (IE 8 and Firefox 3.7). I have configured my browser proxy settings to '4433' port. My application is listening on this port, when I connect to this port from my browser, with the URL https://localhost:4433 it is working, only a certificate warning is there. When I try to connect to another secured site, the SSL_accept function is returning -1 and my error code is as follows. 2572:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:.ssls23_srvr.c:391: I am not able to trace out the problem for many days. Anybody please help me to trace out this issue, or send me some sample application. What could be reasons for failure Platforms I am using are : MS Windows XP service pack 2 MS Visual Studio 2008 , VC++ Thanks, Raj Rajmohan SK
Re: Building openssl without RSA,DSA,DH errors
On Mon, Jul 26, 2010, Markus Hofer wrote: Hi guys Sorry for the double posts earlier on. I am still trying to build openssl as small as possible. Therefore I want to build openssl without RSA,DSA and DH support.( I am working on that for some days now). U However I have some troubles. I didn't find any related posts to that problem. Building the file from linux command with: ./config --prefix=/home_vie/mhofer/tmp_opensslscratch --openssldir=/home_vie/mhofer/tmp_opensslscratch/openssl no-threads no-zlib no-shared no-bf no-cast no-des no-md2 no-mdc2 no-rc2 no-rc4 no-rc5 no-rsa no-dsa no-dh; make depend; make the build crashes with: gcc -I.. -I../.. -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o eng_cnf.o eng_cnf.c gcc -I.. -I../.. -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o eng_dyn.o eng_dyn.c gcc -I.. -I../.. -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -march=pentium -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c -o eng_cryptodev.o eng_cryptodev.c In file included from eng_cryptodev.c:33: ../../include/openssl/dsa.h:71:2: error: #error DSA is disabled. In file included from eng_cryptodev.c:34: ../../include/openssl/rsa.h:74:2: error: #error RSA is disabled. In file included from eng_cryptodev.c:35: ../../include/openssl/dh.h:65:3: error: #error DH is disabled. make[2]: *** [eng_cryptodev.o] Error 1 make[2]: Leaving directory `/home_vie/mhofer/data/openssl-0.9.8o/crypto/engine' make[1]: *** [subdirs] Error 1 make[1]: Leaving directory `/home_vie/mhofer/data/openssl-0.9.8o/crypto' make: *** [build_crypto] Error 1 I have looked into the correspondig .h files and found the following: e.g for rsa.h #ifdef OPENSSL_NO_RSA #error RSA is disabled. #endif Therefore cleary the compiler terminates with an error. So my questions are: Has anybody encountered a similar problem? If so, is there a already fix for it? If not, is it a bug? I think one solution would be to introduce #ifndef OPENSSL_NO_RSA at the beginning of the files? I don't think anyone has tried cutting down OpenSSL to that extent. If you disable everything apart from SHA1, MD5 and HMAC almost nothing else will work including SSL/TLS. You could try no-engine as well to get past that point. It would be far easier just ripping out the bits of code you do need, MD5, SHA1 and HMAC. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Simple question about SSL certs
Hi everyone, I am a noob when it comes to SSL and I have an easy question but I don't have the time to look up the answer myself. I am trying to write an LDAP client. I need this client to use SSL as well. I am using the openldap server and C libraries. Here is what the openldap web page says... OpenLDAP clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and confidentiality protections and to support LDAP authentication using the SASL EXTERNAL mechanism. TLS is defined in RFC4346. I would like to write an LDAP client that when a user connects to an LDAP server with SSL, that the client cert is automatically downloaded to the client. Then a prompt asks the client to accept or reject the cert. Is this possible when using the OpenSSL C libraries? thanks
RE: Simple question about SSL certs
What you are asking for does not make sense. The point of the client cert is to establish the identify of the client. If the server bootstraps this, ANY client can connect and receive the identity. Now, what you MAY want to do is authenticate via a different mechanism (say account and password on a secure web server), and have it push the client cert to you. -Original Message- From: owner-openssl-us...@openssl.org on behalf of Bryan Boone Sent: Mon 7/26/2010 12:55 PM To: openssl-users@openssl.org Subject: Simple question about SSL certs Hi everyone, I am a noob when it comes to SSL and I have an easy question but I don't have the time to look up the answer myself. I am trying to write an LDAP client. I need this client to use SSL as well. I am using the openldap server and C libraries. Here is what the openldap web page says... OpenLDAP clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and confidentiality protections and to support LDAP authentication using the SASL EXTERNAL mechanism. TLS is defined in RFC4346. I would like to write an LDAP client that when a user connects to an LDAP server with SSL, that the client cert is automatically downloaded to the client. Then a prompt asks the client to accept or reject the cert. Is this possible when using the OpenSSL C libraries? thanks
Re: Simple question about SSL certs
Hi Rene, thanks for the reply. Well I am not sure really how this works. Here is why I am confused. I have two windows LDAP browser clients that I did not write. One is called Jxplorer and the other is called LDAPEditor. I also have a regular openldap server running on a suse box that is using TLS. The Jxplorer client, alows me to manually load the client SSL certs into the program so that I can connect using SSL. the LDAPEditor allows me to put in my user name and password, then check a box that says SSL. When I hit connect, a message pops up and says that I am trying to connect to a LDAP server that is using a self signed cert, and if I want to accept or reject it. I am not sure if you are familiar with LDAP but, unsecured LDAP transferes user name and password in clear text over the network. I need to enable SSL so that the data is encrypted. So if I authenticate before I push the client cert down to the client and ask for acceptance, doesn't that defeat the purpose of SSL? At that point there is no need to use SSL because I have already transfered the user name and password in clear text. So wouldn't it be better for my client program, to download the client cert first. Then prompt a user to accept or reject the cert. Then do the authentication? Obviously having my customer manually upload the client cert to their computer is the best thing, but I would like to mimic the behavior of the LDAPEditor, not the Jxplorer. thanks From: Rene Hollan rene.hol...@watchguard.com To: openssl-users@openssl.org; openssl-users@openssl.org Sent: Mon, July 26, 2010 1:43:19 PM Subject: RE: Simple question about SSL certs What you are asking for does not make sense. The point of the client cert is to establish the identify of the client. If the server bootstraps this, ANY client can connect and receive the identity. Now, what you MAY want to do is authenticate via a different mechanism (say account and password on a secure web server), and have it push the client cert to you. -Original Message- From: owner-openssl-us...@openssl.org on behalf of Bryan Boone Sent: Mon 7/26/2010 12:55 PM To: openssl-users@openssl.org Subject: Simple question about SSL certs Hi everyone, I am a noob when it comes to SSL and I have an easy question but I don't have the time to look up the answer myself. I am trying to write an LDAP client. I need this client to use SSL as well. I am using the openldap server and C libraries. Here is what the openldap web page says... OpenLDAP clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and confidentiality protections and to support LDAP authentication using the SASL EXTERNAL mechanism. TLS is defined in RFC4346. I would like to write an LDAP client that when a user connects to an LDAP server with SSL, that the client cert is automatically downloaded to the client. Then a prompt asks the client to accept or reject the cert. Is this possible when using the OpenSSL C libraries? thanks
Re: Simple question about SSL certs
On Jul 26, 2010, at 12:55 PM, Bryan Boone wrote: I would like to write an LDAP client that when a user connects to an LDAP server with SSL, that the client cert is automatically downloaded to the client. Then a prompt asks the client to accept or reject the cert. Is this possible when using the OpenSSL C libraries? Do you mean the client cert (the certificate that the client has, which it uses to prove its identity to the server --- a relatively rare setup) or the server cert (the certificate that the server has, which it uses to prove its identity to the client --- a very common setup)? If the latter, I think what you want to do is set a verify callback on the SSL context using SSL_CTX_set_verify(). The callback will be given the opportunity to decide whether to trust a given certificate, which you can do by prompting the user if you like. Keep in mind that in the general case you actually have a whole chain of certificates to consider --- from the certificate authority (which, in the X.500 world, is what you actually trust) to the server (which you're actually talking to). __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
development branches, API changes, and long-term maintenance
Hello. I've browsed through about a year's worth of the openssl-users and openssl-dev mail list archives in search of some information. I think I found most of what I'm looking for, but I want to summarize my questions and my understanding of the current situation for your review: 1) I've seen several questions regarding support for TLS v1.1 and v1.2, and I've seen Dr. Henson patiently repeat that TLS v1.1 functionality is slated for 1.1.0 and probably 1.0.1 as well. (In fact, according to ChangeLog it looks like initial support for TLS v1.1 is in 1.0.1.) I have never seen any definitive statement regarding the plan to back port TLS v1.1 (or v1.2) functionality to the 0.9.8 development branch. It is my assumption, therefore, that there are no plans to do so at this time. Is that correct? 2) It sounds like the intent of the OpenSSL.org team is to support the 0.9.8 development branch well into the foreseeable future (at least a couple of years from now). However, in light of number (1) above, I believe that it will be mostly bug/security-related fixes and minor functionality improvements. Is that correct? (I'm sure it may be a function of paid ($$$) requests for new functionality too.) 3) I've also found references to API changes between the 0.9.8 development branch and the 1.0.x branch that make the libraries incompatible. (It sounds like there may be API changes between the 1.0.x development branch and the 1.1.x branch too.) What I haven't been able to find is a document/web page/email thread that summarizes the scope of and/or the actual changes to the API and the resulting implications one must consider when porting an application to the new version. Is there such a document? If so, where is it? 4) In general, what is the team's philosophy for maintaining development branches into the future? E.g. how many development branches are going to be actively maintained? For what period of time (in general), etc. Thank you. Geoff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Simple question about SSL certs
Again, the purpose of the client cert is to authenticate you to the remote (in this case LDAP) server. It can be used to restrict WHO can access the server REGARDLESS of what credentials (account and password) they might have. It can also be used as a substitute to provide those credentials (at least X509 supports this, whether your LDAP server does is another question). It is NOT necessary to use a client cert to achieve secure communications. A server cert is enough. However, unless your LDAP browser client has a trusted list of CA certificates, one of which signed the LDAP server cert, someone will have to decide whether to trust the server cert provided by the LDAP server. This is why you are prompted for this before authenticating. You are expected to examine it (likely checking its fingerprint), and decide if you are connecting to the REAL LDAP server, or if someone is spoofing it, trying to get you to give up your authentication credentials to them. When you say account and password, I'm guessing you mean a DN and password used to bind with the LDAP server, and which determines what you may or may not read, modify, add, or delete, right? Something like cn=Manager,dc=fubar,dc=com, right? That's not what I was thinking of when I meant authenticate to get a client cert. I was thinking of some COMPLETELY DIFFERENT authentication mechanism you have, that can be used to establish your identity, and then safely provide you with a client cert for use with the LDAP server. That said, I can't see any overwhelming NEED for you to have to use a client cert to contact an LDAP server (unless it is configured that way). One possibility is to have bind information to the LDAP server encoded in the client certificate (say the CN part of the Subject), so you don't have to separately provide credentials, but I'm not sure if your LDAP server supports that. It may simply be the case that your LDAP browser SUPPORTS the use of client certs because the LDAP server might. That does not mean you have to use them unless the LDAP server is configured to require them. -Original Message- From: owner-openssl-us...@openssl.org on behalf of Bryan Boone Sent: Mon 7/26/2010 2:09 PM To: openssl-users@openssl.org Subject: Re: Simple question about SSL certs Hi Rene, thanks for the reply. Well I am not sure really how this works. Here is why I am confused. I have two windows LDAP browser clients that I did not write. One is called Jxplorer and the other is called LDAPEditor. I also have a regular openldap server running on a suse box that is using TLS. The Jxplorer client, alows me to manually load the client SSL certs into the program so that I can connect using SSL. the LDAPEditor allows me to put in my user name and password, then check a box that says SSL. When I hit connect, a message pops up and says that I am trying to connect to a LDAP server that is using a self signed cert, and if I want to accept or reject it. I am not sure if you are familiar with LDAP but, unsecured LDAP transferes user name and password in clear text over the network. I need to enable SSL so that the data is encrypted. So if I authenticate before I push the client cert down to the client and ask for acceptance, doesn't that defeat the purpose of SSL? At that point there is no need to use SSL because I have already transfered the user name and password in clear text. So wouldn't it be better for my client program, to download the client cert first. Then prompt a user to accept or reject the cert. Then do the authentication? Obviously having my customer manually upload the client cert to their computer is the best thing, but I would like to mimic the behavior of the LDAPEditor, not the Jxplorer. thanks From: Rene Hollan rene.hol...@watchguard.com To: openssl-users@openssl.org; openssl-users@openssl.org Sent: Mon, July 26, 2010 1:43:19 PM Subject: RE: Simple question about SSL certs What you are asking for does not make sense. The point of the client cert is to establish the identify of the client. If the server bootstraps this, ANY client can connect and receive the identity. Now, what you MAY want to do is authenticate via a different mechanism (say account and password on a secure web server), and have it push the client cert to you. -Original Message- From: owner-openssl-us...@openssl.org on behalf of Bryan Boone Sent: Mon 7/26/2010 12:55 PM To: openssl-users@openssl.org Subject: Simple question about SSL certs Hi everyone, I am a noob when it comes to SSL and I have an easy question but I don't have the time to look up the answer myself. I am trying to write an LDAP client. I need this client to use SSL as well. I am using the openldap server and C libraries. Here is what the openldap web page says... OpenLDAP clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and
Re: development branches, API changes, and long-term maintenance
On Mon, Jul 26, 2010, no_spam...@yahoo.com wrote: I've browsed through about a year's worth of the openssl-users and openssl-dev mail list archives in search of some information. I think I found most of what I'm looking for, but I want to summarize my questions and my understanding of the current situation for your review: 1) I've seen several questions regarding support for TLS v1.1 and v1.2, and I've seen Dr. Henson patiently repeat that TLS v1.1 functionality is slated for 1.1.0 and probably 1.0.1 as well. (In fact, according to ChangeLog it looks like initial support for TLS v1.1 is in 1.0.1.) I have never seen any definitive statement regarding the plan to back port TLS v1.1 (or v1.2) functionality to the 0.9.8 development branch. It is my assumption, therefore, that there are no plans to do so at this time. Is that correct? Yes TLS 1.1 support is now in HEAD (which will be OpenSSL 1.1 in future) and it has been backported to 1.0.1. The new versioning scheme means that only bugfixes and no new features will be backported to stable branches. So it will never officially appear in 0.9.8. 2) It sounds like the intent of the OpenSSL.org team is to support the 0.9.8 development branch well into the foreseeable future (at least a couple of years from now). However, in light of number (1) above, I believe that it will be mostly bug/security-related fixes and minor functionality improvements. Is that correct? (I'm sure it may be a function of paid ($$$) requests for new functionality too.) Yes, OpenSSL 0.9.7 is no longer maintained but 0.9.8 will continue to include bug and security fixes for some time. Currently the only version of OpenSSL that is FIPS 140-2 capable is 0.9.8 and a fair bit of software depends on it so it isn't going away any time soon. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Simple question about SSL certs
O.K. I've done some more research and reread the original question. OP describes two LDAP clients, one of which accepts auth credentials up front, asks if SSL should be used, and offers the LDAP server's cert for verification (likely before sendint auth credentials). The second just works with the installation of a client cert (at least there is no mention of an additional authentication step prompting for auth credentials). I checked openldap and it, at least, supports the notion of binding to the LDAP server with the DN in the Subject of the client cert if configured to use client certs. A regexp mechanism is provided for mapping existing client cert Subject DNs to those the LDAP database already has. I THINK (but am not sure) that the openldap server can be configured to ask for a client cert, and if one is not provided, require usual authentication over the SSL link secured with the server cert alone, but if one IS provided, to try to use the DN in the Subject field to bind with. If that is true, you could conceivably store client certs in your LDAP DB, and deliver them to your users who initially authenticate without them. The flaw in that is that traditionally client certs are generated BY THE CLIENT to ensure that only the client has the private key, then sent for signing, and the signed cert returned to the client. I suppose one could generate the key and cert on the server, and bundle them for transmission to the user, but this is less secure from the user's perspective. -Original Message- From: owner-openssl-us...@openssl.org on behalf of Wim Lewis Sent: Mon 7/26/2010 1:51 PM To: openssl-users@openssl.org Subject: Re: Simple question about SSL certs On Jul 26, 2010, at 12:55 PM, Bryan Boone wrote: I would like to write an LDAP client that when a user connects to an LDAP server with SSL, that the client cert is automatically downloaded to the client. Then a prompt asks the client to accept or reject the cert. Is this possible when using the OpenSSL C libraries? Do you mean the client cert (the certificate that the client has, which it uses to prove its identity to the server --- a relatively rare setup) or the server cert (the certificate that the server has, which it uses to prove its identity to the client --- a very common setup)? If the latter, I think what you want to do is set a verify callback on the SSL context using SSL_CTX_set_verify(). The callback will be given the opportunity to decide whether to trust a given certificate, which you can do by prompting the user if you like. Keep in mind that in the general case you actually have a whole chain of certificates to consider --- from the certificate authority (which, in the X.500 world, is what you actually trust) to the server (which you're actually talking to). __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Simple question about SSL certs
Oh sorry, I think I was using the wrong terminology. Let me see if I have this straight. If my client requires a client cert, this is mutual SSL. Here the client proves to the server that it is allowed to communicate with the server via it's client cert. In order to get encrypted network traffic, the server cert is transfered to the client, then the client must accept or reject it. If they accept the server cert, then there is encrypted network traffic. This is known as server side SSL. Is that right? From: Rene Hollan rene.hol...@watchguard.com To: openssl-users@openssl.org; openssl-users@openssl.org Sent: Mon, July 26, 2010 2:31:20 PM Subject: RE: Simple question about SSL certs Again, the purpose of the client cert is to authenticate you to the remote (in this case LDAP) server. It can be used to restrict WHO can access the server REGARDLESS of what credentials (account and password) they might have. It can also be used as a substitute to provide those credentials (at least X509 supports this, whether your LDAP server does is another question). It is NOT necessary to use a client cert to achieve secure communications. A server cert is enough. However, unless your LDAP browser client has a trusted list of CA certificates, one of which signed the LDAP server cert, someone will have to decide whether to trust the server cert provided by the LDAP server. This is why you are prompted for this before authenticating. You are expected to examine it (likely checking its fingerprint), and decide if you are connecting to the REAL LDAP server, or if someone is spoofing it, trying to get you to give up your authentication credentials to them. When you say account and password, I'm guessing you mean a DN and password used to bind with the LDAP server, and which determines what you may or may not read, modify, add, or delete, right? Something like cn=Manager,dc=fubar,dc=com, right? That's not what I was thinking of when I meant authenticate to get a client cert. I was thinking of some COMPLETELY DIFFERENT authentication mechanism you have, that can be used to establish your identity, and then safely provide you with a client cert for use with the LDAP server. That said, I can't see any overwhelming NEED for you to have to use a client cert to contact an LDAP server (unless it is configured that way). One possibility is to have bind information to the LDAP server encoded in the client certificate (say the CN part of the Subject), so you don't have to separately provide credentials, but I'm not sure if your LDAP server supports that. It may simply be the case that your LDAP browser SUPPORTS the use of client certs because the LDAP server might. That does not mean you have to use them unless the LDAP server is configured to require them. -Original Message- From: owner-openssl-us...@openssl.org on behalf of Bryan Boone Sent: Mon 7/26/2010 2:09 PM To: openssl-users@openssl.org Subject: Re: Simple question about SSL certs Hi Rene, thanks for the reply. Well I am not sure really how this works. Here is why I am confused. I have two windows LDAP browser clients that I did not write. One is called Jxplorer and the other is called LDAPEditor. I also have a regular openldap server running on a suse box that is using TLS. The Jxplorer client, alows me to manually load the client SSL certs into the program so that I can connect using SSL. the LDAPEditor allows me to put in my user name and password, then check a box that says SSL. When I hit connect, a message pops up and says that I am trying to connect to a LDAP server that is using a self signed cert, and if I want to accept or reject it. I am not sure if you are familiar with LDAP but, unsecured LDAP transferes user name and password in clear text over the network. I need to enable SSL so that the data is encrypted. So if I authenticate before I push the client cert down to the client and ask for acceptance, doesn't that defeat the purpose of SSL? At that point there is no need to use SSL because I have already transfered the user name and password in clear text. So wouldn't it be better for my client program, to download the client cert first. Then prompt a user to accept or reject the cert. Then do the authentication? Obviously having my customer manually upload the client cert to their computer is the best thing, but I would like to mimic the behavior of the LDAPEditor, not the Jxplorer. thanks From: Rene Hollan rene.hol...@watchguard.com To: openssl-users@openssl.org; openssl-users@openssl.org Sent: Mon, July 26, 2010 1:43:19 PM Subject: RE: Simple question about SSL certs What you are asking for does not make sense. The point of the client cert is to establish the identify of the client. If the server bootstraps this, ANY client can connect and receive the identity. Now, what you MAY want to do is authenticate via a
RE: Simple question about SSL certs
Pretty much correct. When one uses client certs, one has mutual authentication. The thing is, because a client cert can authenticate the client, applications (like LDAP servers) which require authentication (binding in the LDAP sense), MAY (LDAP does) support using this information (typically the subject DN, or some transformed version of it) for authentication. IIRC, openldap can be configured to do this, and fall back to PLAIN authentication (binding) if it fails, still safe over an SSL tunnel. The use of client certs can be made optional or mandatory on the server side, and authenticated or not. (In some scenarios, mere possession of a properly signed client cert may authenticate the endpoint. In others, the actual Subject DN has to be checked (which allows revocation without requiring OCSP or CRL DPs, by simply removing the authentication the Subject DN represents.) Both are possible allowing for distinguishing between I lost the laptop with my client cert and didn't have the private key protected (revoke the cert!) and You are no longer employed here (revoke the cert AND remove the DN from the authentication database).) -Original Message- From: owner-openssl-us...@openssl.org on behalf of Bryan Boone Sent: Mon 7/26/2010 3:10 PM To: openssl-users@openssl.org Subject: Re: Simple question about SSL certs Oh sorry, I think I was using the wrong terminology. Let me see if I have this straight. If my client requires a client cert, this is mutual SSL. Here the client proves to the server that it is allowed to communicate with the server via it's client cert. In order to get encrypted network traffic, the server cert is transfered to the client, then the client must accept or reject it. If they accept the server cert, then there is encrypted network traffic. This is known as server side SSL. Is that right? From: Rene Hollan rene.hol...@watchguard.com To: openssl-users@openssl.org; openssl-users@openssl.org Sent: Mon, July 26, 2010 2:31:20 PM Subject: RE: Simple question about SSL certs Again, the purpose of the client cert is to authenticate you to the remote (in this case LDAP) server. It can be used to restrict WHO can access the server REGARDLESS of what credentials (account and password) they might have. It can also be used as a substitute to provide those credentials (at least X509 supports this, whether your LDAP server does is another question). It is NOT necessary to use a client cert to achieve secure communications. A server cert is enough. However, unless your LDAP browser client has a trusted list of CA certificates, one of which signed the LDAP server cert, someone will have to decide whether to trust the server cert provided by the LDAP server. This is why you are prompted for this before authenticating. You are expected to examine it (likely checking its fingerprint), and decide if you are connecting to the REAL LDAP server, or if someone is spoofing it, trying to get you to give up your authentication credentials to them. When you say account and password, I'm guessing you mean a DN and password used to bind with the LDAP server, and which determines what you may or may not read, modify, add, or delete, right? Something like cn=Manager,dc=fubar,dc=com, right? That's not what I was thinking of when I meant authenticate to get a client cert. I was thinking of some COMPLETELY DIFFERENT authentication mechanism you have, that can be used to establish your identity, and then safely provide you with a client cert for use with the LDAP server. That said, I can't see any overwhelming NEED for you to have to use a client cert to contact an LDAP server (unless it is configured that way). One possibility is to have bind information to the LDAP server encoded in the client certificate (say the CN part of the Subject), so you don't have to separately provide credentials, but I'm not sure if your LDAP server supports that. It may simply be the case that your LDAP browser SUPPORTS the use of client certs because the LDAP server might. That does not mean you have to use them unless the LDAP server is configured to require them. -Original Message- From: owner-openssl-us...@openssl.org on behalf of Bryan Boone Sent: Mon 7/26/2010 2:09 PM To: openssl-users@openssl.org Subject: Re: Simple question about SSL certs Hi Rene, thanks for the reply. Well I am not sure really how this works. Here is why I am confused. I have two windows LDAP browser clients that I did not write. One is called Jxplorer and the other is called LDAPEditor. I also have a regular openldap server running on a suse box that is using TLS. The Jxplorer client, alows me to manually load the client SSL certs into the program so that I can connect using SSL. the LDAPEditor allows me to put in my user name and password, then check a box that says SSL. When I hit connect, a message pops up and says that I am trying to
