Problems with a setting certificates via OpenSSL in C++ (Windows)

2011-12-03 Thread Hamid.Shahid
Hi,

I am trying to make a simple C++ (64-bit) client program that can establish an
SSL connection with a remote server using OpenSSL on Windows 7. I can
successfully execute the following to create a new context block:

SSL_library_init();
SSL_load_error_strings();
meth=SSLv23_client_method();
ctx=SSL_CTX_new(meth);

However, when I try to read the certificate files with
SSL_CTX_use_certificate_file, I get errors; the function returns "3". I tried to
search on Google and in different forums but was not able to find the exact
problem. Please have a look at the attached sample program along with the
certificates, and let me know if I am doing something wrong.

Thank you.

P.S. I have highlighted the "problem area" in the .cpp file.

Kind Regards,
Hamid Shahid




Installing a .pfx wildcard certificate on lunix

2011-12-03 Thread chetanmadaan

Hi -

We have a .pfx wildcard certificate we got from GoDaddy, and the website is
hosted with Rackspace.

Can anyone shed some light on how this would be possible?

I think the only way this can be done is via .crt or .csr files???

Anyone?
-- 
View this message in context: 
http://old.nabble.com/Installing-a-.pfx-wildcard-certificate-on-lunix-tp32904636p32904636.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Help in Understanding

2011-12-03 Thread Mr.Rout

Hi Folks,
Can somebody please clarify my silly questions? I need to understand the
behavior of a TLS client.
1.  How do I verify that the TLS client sends a connection close without
sending a closure alert?
2.  Is there any way to decrypt application data (HTTP data) in Wireshark
itself?
3.  How would I know whether there is any memory leak during handshakes on the
TLS client?
4.  Is it required that both sides send a TLS alert for a failed handshake?
5.  What is Incomplete Close and Premature Close?

Thanks in advance.
Regards,
Rout

-- 
View this message in context: 
http://old.nabble.com/Help-in-Understanding-tp32906990p32906990.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.


stunnel 4.50 released

2011-12-03 Thread Michal Trojnara

Dear Users,

I have released version 4.50 of stunnel.

The ChangeLog entry:

Version 4.50, 2011.12.03, urgency: MEDIUM:
* New features
  - Added Android port.
  - Updated INSTALL.FIPS.
* Bugfixes
  - Fixed internal memory allocation problem in inetd mode.
  - Fixed FIPS mode on Microsoft Vista, Server 2008, and Windows 7.
    This fix required to compile OpenSSL FIPS-compliant DLLs with MSVC 9.0,
    instead of MSVC 10.0.  msvcr100.dll was replaced with msvcr90.dll.
    GPL compatibility issues are explained in the GPL FAQ:
    http://www.gnu.org/licenses/gpl-faq.html#WindowsRuntimeAndGPL
  - POP3 server-side protocol negotiation updated to report STLS
    capability (thx to Anthony Morgan).

Home page: http://www.stunnel.org/
Download: ftp://ftp.stunnel.org/stunnel/

SHA-256 hash for stunnel-4.50.tar.gz:
933467009529bae4f338bb20e758e0ea20b0759130e7695ea2193c4f270e5eaf

Best regards,
Mike



Re: Problems with a setting certificates via OpenSSL in C++ (Windows)

2011-12-03 Thread Jeffrey Walton
On Fri, Dec 2, 2011 at 1:55 PM,   wrote:
> Hi,
>
> I am trying to make a simple C++ (64-bit) client program that can establish
> an SSL connection with a remote server using OpenSSL on Windows 7. I can
> successfully execute the following to create a new context block:
>
> SSL_library_init();
> SSL_load_error_strings();
> meth=SSLv23_client_method();
> ctx=SSL_CTX_new(meth);
>
> However, when I try to read the certificate files with
> SSL_CTX_use_certificate_file, I get errors; the function returns "3". I tried
> to search on Google and in different forums but was not able to find the
> exact problem. Please have a look at the attached sample program along with
> the certificates, and let me know if I am doing something wrong.
"3" is ERROR_PATH_NOT_FOUND
(http://msdn.microsoft.com/en-us/library/cc231199%28v=prot.10%29.aspx).

Jeff


RE: Help in Understanding

2011-12-03 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
> Sent: Saturday, 03 December, 2011 02:59

Aside: this item was apparently delayed in master.openssl.org 
from 03.0758Z to 03.1907Z and delivered to my mailhost 03.1914Z.

> Can somebody please clarify my silly questions ? I need to 
> understand the behavior of TLS client.

Apparently in relation to RFC2818 which you mentioned earlier.
Note that there are MANY TLS clients which are NOT HTTP.

> 1. How do I verify that TLS Client send connection close 
> without sending Closure alert ?

What do you mean verify? If you want an OpenSSL client to do it,
just close the socket without first doing SSL_shutdown.

On Unix if the program exits, or is killed by a signal like ^C 
or a debugger, that closes all files (normally) which for a 
TCP socket does socket close (FIN) but no TLS close-alert.
On Windows these cases do an 'abnormal' TCP close (RST) and 
again no TLS close-alert. The peer may treat this the same 
as FIN without close-alert, or it may not.

The server may log these always, sometimes, or never depending 
on the server and perhaps configuration. If you can't depend on 
the server, a network trace like wireshark or similar shows it.

> 2. Is there any way to decrypt Application data (HTTP 
> data) on wireshark itself ?

If using kRSA and you have/get the server's private key, yes.
Edit / Preferences / Protocols / SSL and supply the keyfile.

If using ephemeral or anonymous DH or ECDH, it is not generally 
possible to reconstruct keys from stored and transmitted data, 
called Perfect Forward Secrecy, although if either end uses 
OpenSSL with _tmp_[ec]dh_ keys that are known or logged, you could; 
it appears wireshark doesn't. Similarly for temporary (export) 
RSA, if the server uses _tmp_rsa_ that is known or logged;
I don't know if wireshark does that and didn't bother testing 
because RSA-export is stupid and obsolete.

> 3. How would I know whether any memory leak during 
> handshakes on TLS client ?

Same as memory leak in any program. Try valgrind or similar.
Or write your code so it's correct in the first place.

> 4. Is it required both side need to send TLS Alert for a 
> failure handshake ?

There are alert codes defined for (all?) handshake errors 
and preferred practice is to use them, but some programs 
or devices just close (or even abort) the TCP connection.
Despite RFC 748, this cannot always be avoided.

For any alert with level=failure, only one end sends it.
The other end MUST abort the TLS handshake or connection 
and (always?) close the TCP connection.

For an alert with level=warning, either or both ends 
may send it. For close-notify, best practice is for 
both to send, but as 2818 explains this is not always 
done and not strictly required. For other warnings, 
generally only one end will detect and send.

> 5. What is Incomplete Close and Pre-mature close ?
> 
In the context of 2818, paragraph 2.2 defines them.

In other contexts they may mean various other things.




RE: Please Help: Certificate Validation using subjectAltName extension

2011-12-03 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
> Sent: Saturday, 03 December, 2011 02:56

> My TLS client can validate both CN and SN & i need to test both the
> scenario.
> 
> I don't know how to create certificate with "subjectAltName 
> extension" using openssl commands.
> 
> In the RFC-2818 , there are two ways of Certificate 
> Validation for Host name
> 1)CN (Common Name)
> 2)SN( Subject Name)

1. Common Name part of subject name which is the value of Subject.
2. Subject *Alternative* Name which is an extension.

> If a subjectAltName extension of type dNSName is present, that MUST
> be used as the identity. Otherwise, the (most specific) Common Name
> field in the Subject field of the certificate MUST be used. Although
> the use of the Common Name is existing practice, it is deprecated and
> Certification Authorities are encouraged to use the dNSName instead.
>   
As this says, although a bit tersely.

> I created Self-signed certificate  using open-ssl commands and my
> certificate chain looks like below where CN=10.204.4.69
>   openssl genrsa -des3 -out server.key 1024
>   openssl req -new -key server.key -out server.csr
>   openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

> Please tell how to create certificate with "subjectAltName 
> extension" using openssl commands ?

The same way(s) you create a cert with any extension(s).
See man req; man x509; man ca; man x509v3_config 

In x509 -req supply -extfile with the name of a config file, 
and -extsect with the name of a section in that file 
unless it is default or pointed to by default.extensions,
specifying the extension(s) you want. You want something like
subjectAltName=DNS:my.host.example

For selfsigned you can save a step (or two) with req -x509 (and 
-newkey) in which case use -extensions or req.x509_extensions .
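
The two routes described in the reply above (an extension section passed to x509 -req, or req -x509 in one step), as an added example that is not part of the original thread. The host name my.host.example comes from the reply; the file names, the section name v3_san and the 2048-bit unencrypted key are assumptions. Both commands select the section with -extensions.

```sh
#!/bin/sh
# Added example; file names and the v3_san section name are assumptions.

# Write a minimal config: request defaults plus the extension section.
write_san_config() {
    host="$1"; dir="$2"
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = $host

[ v3_san ]
subjectAltName = DNS:$host
EOF
}

# Two-step route: create key and CSR, then self-sign with x509 -req.
make_san_cert() {
    write_san_config "$1" "$2" || return 1
    openssl req -new -newkey rsa:2048 -nodes -config "$2/san.cnf" \
        -keyout "$2/server.key" -out "$2/server.csr" || return 1
    # The extension is taken from the section named in -extfile/-extensions.
    openssl x509 -req -days 365 -in "$2/server.csr" -signkey "$2/server.key" \
        -extfile "$2/san.cnf" -extensions v3_san -out "$2/server.crt"
}

# One-step route: req -x509 issues the self-signed certificate directly.
make_san_cert_onestep() {
    write_san_config "$1" "$2" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$2/san.cnf" \
        -extensions v3_san -keyout "$2/selfsigned.key" -out "$2/selfsigned.crt"
}

# Print the subjectAltName value of a certificate, e.g. DNS:my.host.example
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
```

Call make_san_cert my.host.example /some/dir and then cert_san /some/dir/server.crt to confirm the extension is present before pointing a client at the certificate.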




Transferring DH public key from server to client

2011-12-03 Thread Odomae Bro
Hi

I would like to generate my own DH private/public keys and have the
client/server exchange these values. The problem I am having is that the
openssl build I have is configured to use certificates. Hence the client
side is getting the server's DH public value from the certificate.  If I
need to bypass this, how do I go about this?

The client side is retrieving the server's public key value from
s->session->sess_cert-> peer_dh_tmp i.e
dh_srvr= s->session->sess_cert-> peer_dh_tmp

So I thought I would set the s->session->sess_cert-> peer_dh_tmp with my
custom values, but I cannot find the code on  the server side where this is
being set?

Any ideas?