How to upgrade openssl from 0.9.7a to 1.0.0d

[Hanumantharao Madala]

Hi All,

How to upgrade openssl software in Linux server.  I mean, I just want to 
upgrade the current version  0.9.7a to 1.0.0d latest one?
What is the procedure, I suppose to follow to implement it in Linux 
environment.., if anything goes wrong, how to revert back to old version? 
Any precautions to follow while upgrading?

uname -a
Linux ELsmp #1 SMP Wed Jul 9 15:39:47 EDT 2008 i686 athlon i386 GNU/Linux

openssl version
OpenSSL 0.9.7a Feb 19 2003

Advanced thanks for your support on this.

Thanks & Regards,
Hanumantharao Madala

Senior Middleware Administrator
Newedge Financial Singapore Pte Ltd
80 Robinson Road  #09-00
Singapore-068898

+ 65 6349 7527 (Desk)
+ 65 9068 0127 (BlackBerry)

Email: hanumantharao.mad...@newedge.com








This electronic communication and its contents are intended for the recipient 
only and may contain confidential, non-public and/or privileged information.  
If you have received this electronic communication in error, do not read, 
duplicate or distribute. Please advise the sender immediately and delete it 
from your system (if permitted by law). 

Newedge makes no representation or warranty that the information contained 
herein is accurate, complete, fair or correct or that any transaction is 
appropriate for any person and it should not be relied on as such. All 
information is subject to change without notice. Nothing herein shall be 
construed as a recommendation or solicitation to purchase or sell any financial 
product or security or as an official confirmation of any transaction. This 
communication is for information purposes only. Any market or other views 
expressed herein are those of the sender only as of the date indicated and not 
necessarily those of Newedge. E-mails may not be secure or error free and 
information could be lost, destroyed, incomplete, delayed, altered, 
intercepted, corrupted or fail to be delivered. Newedge makes no representation 
that this e-mail or any attachments are free of computer virus or other defects 
or inherent risks and accepts no responsibility for any loss or damage or 
liability of 
 any kind arising there from. Newedge reserves the right to retain all 
messages. 

"Newedge" refers to Newedge Group SA and all of its worldwide branches and 
subsidiaries. Newedge Group in France and its foreign branches are authorized 
by the Autoritée ContrôPrudentiel and Autoritées MarchéFinanciers in 
France.  Newedge Group (UK Branch) is also subject to limited regulation by the 
Financial Services Authority for the conduct of its UK business. Newedge Group 
(UK, Frankfurt and Dubai branches) does not deal with, or for, Retail Clients 
(as defined under MiFID and Dubai Financial Services Authority). Only Newedge 
USA, LLC is a member of FINRA and SIPC (SIPC only pertains to 
securities-related transactions and positions). Only Newedge Canada Inc. is a 
member of the CIPF. Not all products or services are available from all Newedge 
organizations or personnel.  

For further information about Newedge and our services, please see our website 
at http://www.newedge.com/";>www.newedge.com. 

RE: [openssl-users] Re: users auth. in XP for HTTPS

[Dave Thompson]

> From: owner-openssl-us...@openssl.org On Behalf Of Erwann ABALEA
> Sent: Tuesday, 30 August, 2011 04:39
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] Re: users auth. in XP for HTTPS
> 
> Hodie III Kal. Sep. MMXI, Jakob Bohm scripsit:
> > On 8/30/2011 3:29 AM, Dave Thompson wrote:
> > >...
> > >That sounds like the keyUsage bit dataEncipherment, and OpenSSL CA
> > >can set it. But SSL never *does* dataEncipherment using a
> > >certificate/key, so this bit should not be needed or make any
> > >difference.
> > Small correction: SSL/TLS never does dataEncipherment with *client*
> > certificates, and always does dataEncipherment with *server*
> > certificates (if any).
> 
> Correction to the correction: TLS always does dataEncipherment with
> server certificate *if* the key exchange algorithm is RSA.
> 
No, SSL/TLS kRSA is defined as *keyEncipherment*, correctly so 
because the only thing encrypted is key material (though not 
strictly the key itself). And aRSA is signing, not certSign or 
crlSign because the handshake data isn't (just) a cert or CRL.
See 2616 and 2459 or successors.

> > So dataEncipherment should be set in the SSL server certificate and
> > clear in the SSL client certificate, as is apparently 
> already the case
> > here, so that part is OK.
> 
The OP said the "only" difference is MS-issued *client* cert has data-enc.
He implied both have sign,non-rep,key-enc, but didn't actually show it.
He has since reported the problem is something entirely different.

> Even if you don't set the dataEncipherment bit in the keyUsage
> extension, it works. TLS libraries are tolerant :)
> 
OpenSSL, at least, is tolerant, because the check is done 
at a low level in the code where the full usage (i.e. 
the key-exchange algorithm selected) isn't available.
It will accept dig-sign OR key-enc for any suite.
It appears it will accept a cert for k[EC]DH that doesn't 
have key-agree as specified, but I'm not set up to test that.

OpenSSL client does fail (unless overridden by callback) 
if the server cert is data-enc *only* (not signing).

IE7 (all I have to hand) seems to accept anything, 
but FF3.6 does require signing and/or *key*-enc
otherwise it gives its ugly Untrusted page with 
(Error code: sec_error_inadequate_key_usage)

Although the 'user-friendly' explanation is poor:
the page says '... was issued by an invalid CA certificate'
and the 'add exception' dialog if you go there 
says 'hasn't been verified by a recognized authority'.
Both of those are misleading at best.


__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: How to make ca signaturer when I use dh or rc4 etc.

[Dave Thompson]

>   From: owner-openssl-us...@openssl.org On Behalf Of 
>   Sent: Monday, 29 August, 2011 07:57

>   Hello 
>   I try to make ca signature about following case. 
>   1. Kx=DH, ECDH 
>   2. Au=ECDSA 
>   3. Enc=DES(56),3DES(168),RC4(40), rc4(128)

This doesn't make sense. You (normally) use certificates 
in SSL/TLS for key exchange (Kx) and authentication (Au). 
They are not involved in data encryption (or MAC) at all.
Each connection/session uses one Kx method and one Au method 
(or null) and you can't use Kx=DH (even E-DH) with Au=ECDSA.

>   For example I would like to know following cipher zuite. 
>   EDH-RSA-DES-CBC3-SHA 
>   ECDHE-ECDSA-AES256-SHA 
>   RC4-MD5 
>   EXP-DES-CBS-SHA

Those are four different ciphersuites. One uses DH-E and RSA, 
one uses ECDH-E and ECDSA, and two use RSA for both key exchange 
and authentication. (And the last is spelled CBC.)

All but the second would use an endpoint RSA cert, which might 
be issued by a CA using any supported signature algorithm.

>   But I can not find the way.

>   For example, I tried following to make rc4 ca signature 
> but I got errors.

A CA signs many things, none of them ever with RC4. It looks 
like you're trying to create a selfsigned RSA certificate, 
which could be a CA certificate (and key) but might not.

>   OpenSSL> genrsa -out keyRC4-40.pem

>   OpenSSL> rsa -in keyRC4-40.pem  -rc4-40 -out RC4-40.pem

That attempts to encrypt the privatekey locally under rc4-40.
However, the PEM-encrypted logic in OpenSSL doesn't work for 
a stream cipher. It assumes that the IV can also be used as 
the (PBE) salt for 8 bytes, but a stream cipher has no IV,
so it uses garbage instead as the salt, decrypts wrong, and 
isn't caught because a stream cipher needs no padding, so it 
attempts to ASN.1 decode nonsense and fails.

>   OpenSSL> req -new -x509 -key RC4-40.pem -out carc4-40.crt

So any attempt to read in the privatekey, including this, 
fails (with overwhelming probability).

If you use a block cipher or none, this creates a selfsigned 
RSA cert, possibly a CA cert as your filename implies. If it is 
used as a CA cert, the encryption on the CA's private key has 
no relationship whatsoever to the (data/bulk) encryption used 
on an SSL/TLS connection, or even for an endpoint privatekey 
using a cert from that CA. And a CA with a key protected by 
a cipher as weak(ened) as RC4-40 is generally worthless. 

What are you trying to accomplish?



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: Req with ECDSA key and CA with RSA key

[Rick Lopes de Souza]

Actually my question continues but a resume of another question is:

Another question is: Is there any problem to use a different kind of key on
the request that the Certificate Authority has?

Does Openssl support ecdsa with sha256 and sha512?
Only above of 1.0.0 ?

On Tue, Aug 30, 2011 at 11:40 AM, Rick Lopes de Souza  wrote:

> Maybe it's a simple question, but i want to know if there is any problem
> that i have a request using a ECDSA key with SHA-256 and i want to issue a
> certificate where the CA uses RSA with SHA 1.
>
> In some tests, a ECDSA with sha1 and a CA with RSA with sha1 it was sucess.
> But with ECDSA sha256 it gives the error:
> Signature verification error
> 2857:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message
> digest algorithm:a_verify.c:141:
>
> I'm using a P-192 ecdsa key.
>
> Another question is: Is there any problem to use a different kind of key on
> the request that the Certificate Authority has?
>
> Thanks,
>
> --
> Rick Lopes de Souza
>
>


-- 
Rick Lopes de Souza

RE: users auth. in XP for HTTPS

[Jean Brico]

I've found a solution.

It seems to be a problem about crl.

I've created a "crl.crl" file, and have installed in XP and 2003 Server (in 
"MMC Certificates - Local computer", in "Autorités intermédiaires" \ "Liste de 
révocation de certificats" - I prefer give here the real name in French, and 
not to translate and give a bad translation).

I've installed ".p12" user file in MMC Certificates "Local user" and "Local 
computer": Perso \ Certificates.

I've installed ".p12" CA file in MMC Certificates "Local user" and "Local 
computer": Autorités de certification racines de confiance \ Certificates.

All now works fine.

Thanks for all.

Best regards.

> From: dthomp...@prinpay.com
> To: openssl-users@openssl.org
> Subject: RE: users auth. in XP for HTTPS
> Date: Mon, 29 Aug 2011 21:29:26 -0400
> 
> > From: owner-openssl-us...@openssl.org On Behalf Of Jean Brico
> > Sent: Sunday, 28 August, 2011 09:40
> 
> > I'va a CA in a Debian host that works fine and use scripts in
> openssl
>   
> > I've a 2003 Server with a HTTPS site. It owns its certificate
> generated by this CA.
> 
> > When a XP client connect to this site with
> "http://www.secure.local";, 
> > a message show me that I try to connect to a secure site.
>   
> > My problem: I modify the configuration of my server: I want now
> clients 
> > to authenticate them.
> 
> (Small aside: authenticate is not reflexive in English. The clients
> authenticate;
> or the server authenticates the clients; or the server verifies the
> clients.)
>   
> > When a XP client connect to this site with
> "http://www.secure.local";, 
> > a message show me that I have to select a certificate to authenticate me. 
> > In this windows, no certificate appears.
>   
> > But a certificate for my user had been generated by the CA, and
> installed 
> > in the web browser. This certificate is too in the MMC with all others 
> > certificates. The certificate is good, with the certificate of the CA.
> 
> If you mean installed using Internet Explorer "Options", that's not really 
> *in* the browser; it's on the browser menu, but it's actually in Windows.
> When you see it in MMC/certmgr, that confirms it's in Windows. And available
> 
> to any program using the Windows store, apparently including your XP client.
>   
> > With a certificate created by Mircosoft CA (with web site
> "certsrv"), 
> > all is fine: the windows show me user certificates. I've only to select 
> > one to connect to secure web site.
> 
> The CA name (issuer) of the Microsoft-issued certificate is presumably 
> different. Is the server configured to request/demand a client certificate 
> using the CA name of the Microsoft CA? Of your Debian CA? Both? Neither? 
> 
> If you can't determine this by looking at the server:
> 
> - with OpenSSL commandline on any machine that can reach the server 
> 'openssl s_client -connect server:port -state -debug' and look at 
> the server's CertificateRequest message to see what it's asking for;
> the format is in RFC 2246 or 4346 but the CertReq message consists 
> almost entirely of a sequence of DNs which are mostly readable.
> 
> - install WireShark (www.wireshark.org) on the Windows client machine 
> and use it to monitor a connection attempt. It will decode the CertReq 
> (and other messages) for you.
>   
> > I've compared the two certificates, and i've only found a
> difference: 
> > in Microsoft user certificate, I've:
> > "use of the key: cypher of data (f0)" (translated from french). 
> > In my certificate generated with openssl, I don't have this line.
> 
> > Here is a part of the file used to generate user certificate:
> > keyUsage = digitalSignature, nonRepudiation,
> keyEncipherment
> 
> > I don't see anything like "cypher of data". What to write to add
> this ? 
> > Is my problem going from tis point ?
> 
> That sounds like the keyUsage bit dataEncipherment, and OpenSSL CA can 
> set it. But SSL never *does* dataEncipherment using a certificate/key, 
> so this bit should not be needed or make any difference.
> 
> I think the problem is more likely 'requested client CA-name(s)'.
> 
> 
> 
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
  

Re: [openssl-dev] openssl.org web site certificate renewed

[Jakob Bohm]

On 8/30/2011 2:42 PM, Erwann ABALEA wrote:

Bonjour,

Hodie III Kal. Sep. MMXI, Lutz Jaenicke scripsit:

I have just installed a new 3 year wildcard "*.openssl.org" certificate
to our web site.
Thanks to GlobalSign for the new donation.

The migration should work more or less unnoted for the users. If you
experience any problems please drop me a message.

Thanks to them, yes.

Maybe you could remove the root CA from file designed by the
SSLCertificateChainFile directive? It's useless to send it to the
client, as you know, and you may gain 1 TCP packet (+ ACK in return)
during the negotiation.
Actually, as an experienced web user I prefer the ability to see the 
self-signed CA certificate, because

it is helpful in 2 situations:

1) The CA has changed/improved the attributes, e.g. by extending the 
expiry date or adding a CRL
location for detecting future root cert revocation (a good precaution 
for CA's to take, coupled with

a pre-generated key compromise CRL stored somewhere off-site but secure).

2) My browser lacks the CA cert, in which case having it at hand 
eliminates one of the two steps
in securely adding it (the other step is to compare the cert hash 
("fingerprint") with a known published

value).

You should also disable SSLv2, and<128bits ciphers.



I think those are there for the "test your key strength" subsite, and 
for bootstrapping users
who are starting from an old pre-2000 floppy/CD and now need to advance 
to modern key
strengths. (Yes, I do have such old OS and browser CDs tucked away 
somewhere from

before everything became downloads).

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: How to make ca signaturer when I use dh or rc4 etc.

[yyy]

ECDSA keys can be made by:openssl ecparam -genkey -name "name_of_curve" -out eckey.pemwhere "name_of_curve" is name of named curve, list of available curves is at:openssl ecparam -list_curvesThat genkey will generate private key.  (probably it is possible to generate new curves, but I don not know how).That kay can be used to sign data using ECDSA.If necessary, delf signed certificate could be made by:openssl req -x509  -new -key eckey.pem -out eccert.crtIt will ask questions about what to put in certificate (country, organization, common name, etc), that depends on your openssl.cnf file.ECDH requires ECDH parameters, there usually are defaults. That is a part of server configuration. ECDH parameters basically consists of one selected named curve (from the same set as when generating ECDSA key). ECDH is used only if TLS handshake has selected a ECDH ciphersuite.DH requires DH parametrs, there usually are defaults. That is a part of server configuration. DH parameters can be generated by:openssl gendh -out dh.pem "size"where size is "size" of parameters (2048 is considered secure), large sizes takes more time to generate. That file can be specified in server configuration. DH is used only if TLS handshake has selected a DH ciphersuite.Of these ciphersuites, RC4-MD5 and EXP-DES-CBS-SHA uses RSA key exchange and does not use (and cannot use) DH or ECDH, and also cannot use certificate with ECDSA key (such as generated above).EDH-RSA-DES-CBC3-SHA uses DH key exchange and RSA certificate (it will not work with ECDSA certificate)ECDHE-ECDSA-AES256-SHA uses ECDH key exchange and will use ECDSA certificate, it will not use DH.  Citējot 櫻井英明 :  Hello   Thanks for good advice. I would like to know which command that I need to use to make ECDSA key. or how to make Ans I would like to know which command that I need to use dh.   I'm so sorry but would you show me the process about following ?   EDH-RSA-DES-CBC3-SHA   ECDHE-ECDSA-AES256-SHA   RC4-MD5   EXP-DES-CBS-SHAThanks 2011/8/30 yyy Generally ANY CA signature works with ANY ciphersuite. They are not related at all.  You mean: Make a CA, which can sign a certificate, which can be used with these all ciphersuites? In that case any signature method can be used. (ECDSA and RSA ciphersuites will not work with one certificate, but CA should be ok). This should work with any ciphersuite. In this case you will have to make a self signed (root) certificate for CA. It can use any type of public key (either RSA or ECC).   Or, making a certificate, which can be used with these specified ciphersuites? In that case, any signature method can be used (it depends on type of CA key), type of signature on certificate should not affect selection of ciphersuites, useable with that certificate (these only are affected by type of certificates public key).   Or something else?   Citējot 櫻井英明 :Hello Sorry for confuse you.   My exactly purpose are to make ca signatures about following ciphersuites. EDH-RSA-DES-CBC3-SHA   ECDHE-ECDSA-AES256-SHA   RC4-MD5   EXP-DES-CBS-SHA I think my question were confused because I did not understand what command to use.   Please do not care what command that I used.   Would you please teach me what command need to use and how to use ? Thanks   __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org   -- Tavs bezmaksas pasts Inbox.lv

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Req with ECDSA key and CA with RSA key

[Rick Lopes de Souza]

Maybe it's a simple question, but i want to know if there is any problem
that i have a request using a ECDSA key with SHA-256 and i want to issue a
certificate where the CA uses RSA with SHA 1.

In some tests, a ECDSA with sha1 and a CA with RSA with sha1 it was sucess.
But with ECDSA sha256 it gives the error:
Signature verification error
2857:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message
digest algorithm:a_verify.c:141:

I'm using a P-192 ecdsa key.

Another question is: Is there any problem to use a different kind of key on
the request that the Certificate Authority has?

Thanks,

-- 
Rick Lopes de Souza

Re: How to make ca signaturer when I use dh or rc4 etc.

[櫻井英明]

Hello

Thanks for good advice.
I would like to know which command that I need to use to make ECDSA key.
or how to make Ans I would like to know which command that I need to use dh.

I'm so sorry but would you show me the process about following ?

EDH-RSA-DES-CBC3-SHA
ECDHE-ECDSA-AES256-SHA
RC4-MD5
EXP-DES-CBS-SHA

Thanks
2011/8/30 yyy 

> Generally ANY CA signature works with ANY ciphersuite. They are not related
> at all.
>
> You mean:
> Make a CA, which can sign a certificate, which can be used with these all
> ciphersuites?
> In that case any signature method can be used. (ECDSA and RSA ciphersuites
> will not work with one certificate, but CA should be ok). This should work
> with any ciphersuite. In this case you will have to make a self signed
> (root) certificate for CA. It can use any type of public key (either RSA or
> ECC).
>
> Or, making a certificate, which can be used with these specified
> ciphersuites?
> In that case, any signature method can be used (it depends on type of CA
> key), type of signature on certificate should not affect selection of
> ciphersuites, useable with that certificate (these only are affected by type
> of certificates public key).
>
> Or something else?
>
>
>
>
> Citējot *櫻井英明  *:
>
> Hello
> Sorry for confuse you.
>
> My exactly purpose are to make ca signatures about following ciphersuites.
>
> EDH-RSA-DES-CBC3-SHA
> ECDHE-ECDSA-AES256-SHA
> RC4-MD5
> EXP-DES-CBS-SHA
>
> I think my question were confused because I did not understand what command
> to use.
> Please do not care what command that I used.
> Would you please teach me what command need to use and how to use ?
>
> Thanks
>
>
> __
> OpenSSL Project http://www.openssl.org User Support Mailing List
> openssl-users@openssl.org Automated List Manager majord...@openssl.org

Re: [openssl-dev] openssl.org web site certificate renewed

[Erwann ABALEA]

Bonjour,

Hodie III Kal. Sep. MMXI, Lutz Jaenicke scripsit:
> I have just installed a new 3 year wildcard "*.openssl.org" certificate
> to our web site.
> Thanks to GlobalSign for the new donation.
> 
> The migration should work more or less unnoted for the users. If you
> experience any problems please drop me a message.

Thanks to them, yes.

Maybe you could remove the root CA from file designed by the
SSLCertificateChainFile directive? It's useless to send it to the
client, as you know, and you may gain 1 TCP packet (+ ACK in return)
during the negotiation.

You should also disable SSLv2, and <128bits ciphers.

-- 
Erwann ABALEA 
Département R&D
KEYNECTIS
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: How to make ca signaturer when I use dh or rc4 etc.

[yyy]

Generally ANY CA signature works with ANY ciphersuite. They are not related at all.You mean:Make a CA, which can sign a certificate, which can be used with these all ciphersuites?In that case any signature method can be used. (ECDSA and RSA ciphersuites will not work with one certificate, but CA should be ok). This should work with any ciphersuite. In this case you will have to make a self signed (root) certificate for CA. It can use any type of public key (either RSA or ECC). Or, making a certificate, which can be used with these specified ciphersuites?In that case, any signature method can be used (it depends on type of CA key), type of signature on certificate should not affect selection of ciphersuites, useable with that certificate (these only are affected by type of certificates public key). Or something else?    Citējot 櫻井英明 : Hello   Sorry for confuse you. My exactly purpose are to make ca signatures about following ciphersuites. EDH-RSA-DES-CBC3-SHA   ECDHE-ECDSA-AES256-SHA   RC4-MD5   EXP-DES-CBS-SHA I think my question were confused because I did not understand what command to use.   Please do not care what command that I used.   Would you please teach me what command need to use and how to use ? Thanks  

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

openssl.org web site certificate renewed

[Lutz Jaenicke]

Hi!

I have just installed a new 3 year wildcard "*.openssl.org" certificate
to our web site.
Thanks to GlobalSign for the new donation.

The migration should work more or less unnoted for the users. If you
experience any problems please drop me a message.

Best regards,
Lutz
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: hi

[Shashidhar RP]

Hi Gayatri,
   
Can u tell me wat is the cmd to disconnect from the ssl session.
The problem is as follows:

 1) while disconnecting ssl session, in ssl_writepending() there we get an 
exception because we are de-referencing a null pointer.
 2) when we see the code we found that the ssl->version is showing as V2 but 
client->version is V3. we are checking the ssl version and de-referencing the 
pointer which seems to be Null pointer.Actual data is there in V3
 3) To debug that from the client i establised ssl session using below command.
 openssl s_client -connect :443
   for connection from the client.In my gdb it hit on one 
ssl23_get_client_hello().
 4) In order to disconnect this i tried Ctrl-C on the client. I have put a 
break point in ssl_usrdisconnect(). It did not hit there. I have put break 
points in couple of places as well but did not hit.
 5) I think it did not disconnect. Can u suggest on this.



-shashidhar

From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] On 
Behalf Of Gayathri Sundar [suraj...@gmail.com]
Sent: Wednesday, August 24, 2011 10:06 PM
To: openssl-users@openssl.org
Subject: Re: hi

My windows knowlegde is at zero. sorry cant help there ..


On Wed, Aug 24, 2011 at 2:35 AM, Shashidhar RP 
mailto:shashidhar...@hcl.com>> wrote:
hi Gayatri,
  Can you please tell me where can i find the ssl.conf file for 
windows.
will it be the same ssl.conf file or a different .conf file.?
for my linux client i found in "/etc/httpd/conf.d"
I have searched over the net i couldnt find this. For windows will it be 
openssl.conf or some thing else?
Please give the appropriate configuration file and the location it will/might 
be.

-shashidhar



From: owner-openssl-us...@openssl.org 
[owner-openssl-us...@openssl.org] On 
Behalf Of Gayathri Sundar [suraj...@gmail.com]
Sent: Thursday, August 18, 2011 8:14 PM
To: openssl-users@openssl.org
Subject: Re: hi

Hi,

First of all your question is really strange. Please check your client and 
server settings as to which highest ssl version is enabled. Generally SSLv2 
should be disabled and never negotiated.
The code your referring to is a piece of code that would be called when sslv3 
is negotiated during the handshake.

Disable sslv2 on ur client, enable tls on both sides, and you will see that the 
highest common version is selected automatically by the server. Check your 
client hello message on the wire and see what versions are actually sent out.

Thanks
--Gayathri

On Thu, Aug 18, 2011 at 5:46 AM, Shashidhar RP 
mailto:shashidhar...@hcl.com>> wrote:
forgot to mention that

 /* s->version = SSL3_VERSION */
the above line is commented in the code of ssl3_connect ();
is there any issue with this as the client version is updating  and ssl version 
not updating ??



From: owner-openssl-us...@openssl.org 
[owner-openssl-us...@openssl.org] On 
Behalf Of Shashidhar RP [shashidhar...@hcl.com]
Sent: Thursday, August 18, 2011 3:24 PM
To: openssl-users@openssl.org
Subject: hi


Hi ,
  I have a problem while establishing a session using ssl.. I have a client 
and when the session is establised
i found that the client version is V3 but the ssl version is v2, due to which i 
am facing other problem.

I saw the ssl code - s3_cln.c is which i saw a part of this code

   /* s->version = SSL3_VERSION */

  This is there in ssl3_connect code.
Is there any chance of a V2 client becoming V3 and while connect its version is
not updated?
And
where does this version wil be set? and when it can change?

Plz give some I/p on this so that ican move further.


Regards
shashidhar




::DISCLAIMER::
---

The contents of this e-mail and any attachment(s) are confidential and intended 
for the named recipient(s) only.
It shall not attach any liability on the originator or HCL or its affiliates. 
Any views or opinions presented in
this email are solely those of the author and may not necessarily reflect the 
opinions of HCL or its affiliates.
Any form of reproduction, dissemination, copying, disclosure, modification, 
distribution and / or publication of
this message without the prior written consent of the author of this e-mail is 
strictly prohibited. If you have
received this email in error please delete it and notify the sender 
immediately. Before opening any mail and
attachments please check them for viruses and defect.

-

Re: How to make ca signaturer when I use dh or rc4 etc.

[櫻井英明]

Hello
Sorry for confuse you.

My exactly purpose are to make ca signatures about following ciphersuites.

EDH-RSA-DES-CBC3-SHA
ECDHE-ECDSA-AES256-SHA
RC4-MD5
EXP-DES-CBS-SHA

I think my question were confused because I did not understand what command
to use.
Please do not care what command that I used.
Would you please teach me what command need to use and how to use ?

Thanks
 2011/08/30 18:06 "yyy" :

Re: How to make ca signaturer when I use dh or rc4 etc.

[yyy]

What exactly are you trying to do?None of ciphersuites specified in second list, meets the requiremencts specified in first list.(Only second ciphersuite uses ECDSA Au, it also is the only one, not using any variant of DES or RC4)There exists ECDHE-ECDSA ciphersuites usring RC4, but these are not in this list.When generating a key, you tried to generate a RSA key, ECDSA requires ECDSA (or ECC?) key.Generally, key exchange method and authentication method, are independent of simetric cipher method.genrsa -out keyRC4-40.pemgenerated a RSA key of default size (512 bits), it cannot be used with ECDSAnaming it "RC4-40" has no influence on choice of simetric cipherrsa -in keyRC4-40.pem  -rc4-40 -out RC4-40.pemthis was supposed to encrypt that RSA key using RC4-40 algorithm and supplied passphrase(there is no rc4-40 in list of available key encryption algorithms, but it seems to work)req -new -x509 -key RC4-40.pem -out carc4-40.crttried to generate a self signed (RSA) certificateI repeated these steps and everything worked as expected.Did you supply correct passphrase at req (when requested)?Without passphrase it cannot load private key.(512 bit RSA keys are insecure)Choice of ciphersuite depends on server and client configuration, justcertificate with RSA key will work with RSA, DH-RSA and ECDH-RSA ciphersuites;certificate with ECDSA key will work with ECDHE ciphersuites.    Citējot 櫻井英明 : Hello   I try to make ca signature about following case.   1. Kx=DH, ECDH   2. Au=ECDSA   3. Enc=DES(56),3DES(168),RC4(40), rc4(128) For example I would like to know following cipher zuite.   EDH-RSA-DES-CBC3-SHA   ECDHE-ECDSA-AES256-SHA   RC4-MD5   EXP-DES-CBS-SHA But I can not find the way. For example, I tried following to make rc4 ca signature but I got errors. OpenSSL> genrsa -out keyRC4-40.pem   Loading 'screen' into random state - done   Generating RSA private key, 512 bit long modulus   .   .   e is 65537 (0x10001)   OpenSSL> rsa -in keyRC4-40.pem  -rc4-40 -out RC4-40.pem   writing RSA key   Enter PEM pass phrase:   Verifying - Enter PEM pass phrase:   OpenSSL> req -new -x509 -key RC4-40.pem -out carc4-40.crt Enter pass phrase for RC4-40.pem:   unable to load Private Key   4204:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:.\crypto\asn1\asn1_lib.c:150:   4204:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:.\crypto\asn1\tasn_dec.c:1306:   4204:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:381:Type=RSA   4204:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:.\crypto\rsa\rsa_ameth.c:115:   4204:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:.\crypto\asn1\asn1_lib.c:150:   4204:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:.\crypto\asn1\tasn_dec.c:1306:   4204:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:381:Type=PKCS8_PRIV_KEY_INFO   4204:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:.\crypto\pem\pem_pkey.c:132:   error in req Would you teach me the correct process ? Thanks 

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl-users] Re: users auth. in XP for HTTPS

[Erwann ABALEA]

Hodie III Kal. Sep. MMXI, Jakob Bohm scripsit:
> On 8/30/2011 3:29 AM, Dave Thompson wrote:
> >...
> >That sounds like the keyUsage bit dataEncipherment, and OpenSSL CA
> >can set it. But SSL never *does* dataEncipherment using a
> >certificate/key, so this bit should not be needed or make any
> >difference.
> Small correction: SSL/TLS never does dataEncipherment with *client*
> certificates, and always does dataEncipherment with *server*
> certificates (if any).

Correction to the correction: TLS always does dataEncipherment with
server certificate *if* the key exchange algorithm is RSA.

> So dataEncipherment should be set in the SSL server certificate and
> clear in the SSL client certificate, as is apparently already the case
> here, so that part is OK.

Even if you don't set the dataEncipherment bit in the keyUsage
extension, it works. TLS libraries are tolerant :)

-- 
Erwann ABALEA 
Département R&D
KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tél.: +33 1 55 64 22 07
http://www.keynectis.com
-
It works better if you plug it in where it should be.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: users auth. in XP for HTTPS

[Jakob Bohm]

On 8/30/2011 3:29 AM, Dave Thompson wrote:

...
That sounds like the keyUsage bit dataEncipherment, and OpenSSL CA
can set it. But SSL never *does* dataEncipherment using a
certificate/key, so this bit should not be needed or make any
difference.

Small correction: SSL/TLS never does dataEncipherment with *client*
certificates, and always does dataEncipherment with *server*
certificates (if any).

So dataEncipherment should be set in the SSL server certificate and
clear in the SSL client certificate, as is apparently already the case
here, so that part is OK.

I think the problem is more likely 'requested client CA-name(s)'.

Agree.

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org