Re: OpenSSL - CryptoAPI - nCipher

2012-03-14 Thread Sunjeet Singh

> Then it is probably DER format. Use d2i_X509_fp instead and make sure you open
> the fp in binary mode.
> 
> Steve.


Yes, indeed. It worked! Thanks again for your quick reply.

Sunjeet


__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


x509_load_crl_file using unicode paths

2012-03-14 Thread JonathonS
Hi,

I am currently using OpenSSL on multilingual platforms and I've come
across an interesting issue. I am using the function
x509_load_crl_file, which takes in a path, and I've noticed that this
call essentially becomes a call to fopen. For Unicode paths (UTF-8 or
UTF-16), the function call fails. Is there an easy way for me to use a
Unicode path for this function, or must I handle this tedious task
myself? Any helpful advice, tips, etc. would be greatly appreciated.

Thanks,
J
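One workaround for the problem JonathonS describes, added here as an example and not code from the thread or from OpenSSL: do the fopen() yourself, with a UTF-16 path through _wfopen() on Windows (where fopen() reads the name in the ANSI code page and so fails on non-ASCII characters), read the file into memory, and hand the bytes to OpenSSL's memory-based loaders (d2i_X509_CRL(), or BIO_new_mem_buf() followed by PEM_read_bio_X509_CRL(), then X509_STORE_add_crl()) instead of X509_load_crl_file(). The OpenSSL calls are only named in comments so the block compiles without OpenSSL; the buffer sizes, the file name used in the self-check, and the helper names are assumptions of this example.

```c
/* Added example, not from the thread: open a file by UTF-8 path and slurp it, so
 * the bytes can go to an OpenSSL memory loader instead of X509_load_crl_file(),
 * whose internal fopen() takes an ANSI-code-page name on Windows.  Pure C; the
 * OpenSSL calls appear only in comments, and the UTF-8 decoder is hand-rolled
 * so the block also builds on POSIX, where fopen() is byte-transparent. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* UTF-8 -> UTF-16 with surrogate pairs, rejecting overlong forms, encoded
 * surrogates and truncated sequences.  Returns units written (NUL-terminated)
 * or -1 on bad input or insufficient cap. */
long utf8_to_utf16(const char *s, unsigned short *out, size_t cap)
{
    static const unsigned long min_cp[4] = { 0, 0x80, 0x800, 0x10000 };
    const unsigned char *p = (const unsigned char *)s;
    size_t n = 0;
    while (*p) {
        unsigned long cp;
        int extra, k;
        if (*p < 0x80)                { cp = *p;        extra = 0; }
        else if ((*p & 0xe0) == 0xc0) { cp = *p & 0x1f; extra = 1; }
        else if ((*p & 0xf0) == 0xe0) { cp = *p & 0x0f; extra = 2; }
        else if ((*p & 0xf8) == 0xf0) { cp = *p & 0x07; extra = 3; }
        else return -1;
        for (k = 1, p++; k <= extra; k++, p++) {
            if ((*p & 0xc0) != 0x80) return -1;       /* also catches an early NUL */
            cp = (cp << 6) | (*p & 0x3f);
        }
        if (cp < min_cp[extra] || cp > 0x10ffff || (cp >= 0xd800 && cp <= 0xdfff)) return -1;
        if (n + (cp >= 0x10000 ? 2 : 1) >= cap) return -1;   /* keep room for the NUL */
        if (cp >= 0x10000) {
            cp -= 0x10000;
            out[n++] = (unsigned short)(0xd800 | (cp >> 10));
            out[n++] = (unsigned short)(0xdc00 | (cp & 0x3ff));
        } else out[n++] = (unsigned short)cp;
    }
    out[n] = 0;
    return (long)n;
}

/* fopen() taking a UTF-8 path: _wfopen() on Windows, plain fopen() elsewhere. */
FILE *fopen_utf8(const char *path, const char *mode)
{
#ifdef _WIN32
    unsigned short wpath[4096], wmode[16];
    if (utf8_to_utf16(path, wpath, 4096) < 0 || utf8_to_utf16(mode, wmode, 16) < 0)
        return NULL;
    return _wfopen((const wchar_t *)wpath, (const wchar_t *)wmode);
#else
    return fopen(path, mode);
#endif
}

/* Read the whole file into a malloc'd buffer (caller frees), setting *len.  Hand
 * the bytes to d2i_X509_CRL(NULL, &p, len) for DER, or to BIO_new_mem_buf() plus
 * PEM_read_bio_X509_CRL() for PEM, then X509_STORE_add_crl(): none touch the disk. */
unsigned char *read_file_utf8(const char *path, size_t *len)
{
    FILE *fp = fopen_utf8(path, "rb");            /* binary: DER/CRL are raw bytes */
    unsigned char *buf;
    long sz;
    if (fp == NULL) return NULL;
    if (fseek(fp, 0, SEEK_END) != 0 || (sz = ftell(fp)) < 0 || fseek(fp, 0, SEEK_SET) != 0) { fclose(fp); return NULL; }
    buf = malloc((size_t)sz + 1);
    if (buf == NULL || fread(buf, 1, (size_t)sz, fp) != (size_t)sz) { free(buf); fclose(fp); return NULL; }
    fclose(fp);
    *len = (size_t)sz;
    return buf;
}

/* Self-check: write a constructed blob to a non-ASCII path, read it back through
 * fopen_utf8()/read_file_utf8(), compare, remove the file.  1 on success. */
int roundtrip_utf8_path(const char *path)
{
    static const unsigned char blob[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };  /* constructed */
    FILE *fp = fopen_utf8(path, "wb");
    unsigned char *back;
    size_t len = 0;
    int ok;
    if (fp == NULL) return 0;
    ok = fwrite(blob, 1, sizeof blob, fp) == sizeof blob;
    fclose(fp);
    back = ok ? read_file_utf8(path, &len) : NULL;
    ok = back != NULL && len == sizeof blob && memcmp(back, blob, len) == 0;
    free(back);
    remove(path);
    return ok;
}

/* Test hook: the idx-th UTF-16 unit of s, or -1 if s is invalid or too short. */
long utf16_unit_at(const char *s, size_t idx)
{
    unsigned short buf[64];
    long n = utf8_to_utf16(s, buf, 64);
    return n < 0 || (long)idx >= n ? -1 : (long)buf[idx];
}
```

X509_load_crl_file() itself only opens the path, reads one or more CRLs (PEM or DER according to its type argument) and adds each with X509_STORE_add_crl(), so the in-memory route is equivalent apart from the open; keep the file in binary mode either way, since a DER CRL contains raw bytes.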


Re: OpenSSL 1.0.1 released

2012-03-14 Thread Mike Frysinger
On Wednesday 14 March 2012 11:09:22 OpenSSL wrote:
>OpenSSL version 1.0.1 released
>==============================
> 
>http://www.openssl.org/source/exp/CHANGES.
> 
>The most significant changes are:
> 
>   o TLS/DTLS heartbeat support.
>   o SCTP support.
>   o RFC 5705 TLS key material exporter.
>   o RFC 5764 DTLS-SRTP negotiation.
>   o Next Protocol Negotiation.
>   o PSS signatures in certificates, requests and CRLs.
>   o Support for password based recipient info for CMS.
>   o Support TLS v1.2 and TLS v1.1.
>   o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
>   o SRP support.

I don't see mention of ABI compat changes, and it seems to not be compatible.
Did someone forget to update the version string in crypto/opensslv.h? It
still says "1.0.0" ...
-mike




Re: OpenSSL - CryptoAPI - nCipher

2012-03-14 Thread Dr. Stephen Henson
On Wed, Mar 14, 2012, Sunjeet Singh wrote:

> >> 8. Now, I want to load the certificate into the same SSL Context. 
> >>At first I tried using the simple-
> >>ENGINE_load_ssl_client_cert() 
> >>on the certificate file generated earlier, but that failed. I can 
> >> understand why- the certificate is encrypted (self-signed).
> >>So it seems like the function that I would want to use instead 
> >> is-
> >>ENGINE_load_ssl_client_certificate()
> >>But I'm not entirely sure if the same certificate is supposed to go 
> >> into the context as "client" certificate and if I am trying to do the 
> >> right thing. 
> >> 
> >> 
> >> Can someone please point me in the right direction? Hopefully I've 
> >> included all information that is relevant to my question.
> >> 
> > 
> > Forget about the ENGINE for this step. You can load the certificate into an
> > X509 structure and pass that to the SSL_CTX.
> > 
> > How you do that depends on the certificate format. If it is PEM format you 
> > can
> > use PEM_read_X509. If DER the d2i_X509_fp will do the trick.
> > 
> 
> Hi Steve, thanks for your reply. While it's definitely helped me take another 
> step in the right direction, I've run into a problem when using the 
> PEM_read_X509() function.
> 
> The error string that I get from the function call is "_base = 0x047329a8 
> "6632:error:0906D06C:PEM 
> routines:func(109):reason(108):.\crypto\pem\pem_lib.c:696:Expecting: 
> CERTIFICATE".
> And when I open my foocert.PEM file in a text editor, it is not readable. 
> 

Then it is probably DER format. Use d2i_X509_fp instead and make sure you open
the fp in binary mode.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
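The format check Steve's advice turns on, as an added example that is not code from the thread or from OpenSSL: sniff whether the file is PEM armor or raw DER, see that PEM is only the same DER bytes in base64, and watch what a text-mode fopen() on Windows does to DER bytes, which is why d2i_X509_fp() needs an fp opened with "rb". The OpenSSL functions are named only in comments so the block compiles on its own; the sample bytes are constructed and are not a real certificate.

```c
/* Added example, not code from the thread: tell a PEM certificate file from
 * a DER one before choosing PEM_read_X509() or d2i_X509_fp(), strip PEM armor
 * back to DER, and show why a DER file must be opened in binary mode.  Pure C
 * with no OpenSSL dependency; OpenSSL calls appear only in comments. */
#include <string.h>

enum cert_format { FMT_UNKNOWN = 0, FMT_PEM = 1, FMT_DER = 2 };

/* PEM is ASCII armor beginning "-----BEGIN"; DER begins with a SEQUENCE tag
 * (0x30).  A file "not readable in a text editor" is a candidate for DER. */
enum cert_format sniff_cert_format(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len && (buf[i] == ' ' || buf[i] == '\t' || buf[i] == '\r' || buf[i] == '\n'))
        i++;
    if (len - i >= 10 && memcmp(buf + i, "-----BEGIN", 10) == 0)
        return FMT_PEM;     /* -> PEM_read_X509(fp, NULL, NULL, NULL) */
    if (len >= 2 && buf[0] == 0x30)
        return FMT_DER;     /* -> d2i_X509_fp(fp, NULL), fp = fopen(path, "rb") */
    return FMT_UNKNOWN;
}

/* Outer DER SEQUENCE header -> total encoded size (header + content), or 0 if
 * the header is malformed or promises more bytes than are present.  d2i_X509()
 * makes the same check; a blob failing it was usually mangled by text-mode I/O. */
size_t der_total_length(const unsigned char *buf, size_t len)
{
    size_t hdr = 2, content, n, k;
    if (len < 2 || buf[0] != 0x30) return 0;
    if (buf[1] < 0x80) {                        /* short form: one length byte */
        content = buf[1];
    } else {                                    /* long form: 0x8N then N bytes */
        n = buf[1] & 0x7f;
        if (n == 0 || n > 4 || len < 2 + n) return 0;
        for (content = 0, k = 0; k < n; k++)
            content = (content << 8) | buf[2 + k];
        hdr += n;
    }
    return content > len - hdr ? 0 : hdr + content;
}

/* Strip the BEGIN/END lines and base64-decode the body into out (capacity cap);
 * returns the DER length, or 0 on malformed input.  PEM is just the DER bytes
 * in base64, which is why CRLF translation is harmless for PEM, fatal for DER. */
size_t pem_to_der(const char *pem, unsigned char *out, size_t cap)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = strstr(pem, "-----BEGIN"), *end, *q;
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    if (p == NULL || (p = strchr(p, '\n')) == NULL || (end = strstr(p, "-----END")) == NULL)
        return 0;
    for (p++; p < end; p++) {
        if (*p == '\0' || (q = strchr(tbl, *p)) == NULL) continue;   /* '=', newlines */
        acc = (acc << 6) | (unsigned int)(q - tbl);
        if ((bits += 6) >= 8) {
            bits -= 8;
            if (n >= cap) return 0;
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    return n;
}

/* What a Windows text-mode fopen(path, "r") does to bytes on read: CR LF becomes
 * LF and 0x1A (Ctrl-Z) ends the stream.  Demonstration only; real code uses "rb". */
size_t simulate_textmode_read(const unsigned char *in, size_t len, unsigned char *out)
{
    size_t i, n = 0;
    for (i = 0; i < len && in[i] != 0x1a; i++)
        if (!(in[i] == '\r' && i + 1 < len && in[i + 1] == '\n'))
            out[n++] = in[i];
    return n;
}

/* 1 if pem decodes to exactly der, else 0. */
int pem_matches_der(const char *pem, const unsigned char *der, size_t der_len)
{
    unsigned char buf[4096];
    size_t n = pem_to_der(pem, buf, sizeof buf);
    return n == der_len && memcmp(buf, der, n) == 0;
}

/* 1 if a text-mode read would leave der unparseable, else 0. */
int textmode_breaks_der(const unsigned char *der, size_t len)
{
    unsigned char buf[4096];
    size_t n = len > sizeof buf ? 0 : simulate_textmode_read(der, len, buf);
    return der_total_length(buf, n) != len;
}

/* Constructed samples (not a real certificate): a SEQUENCE holding an OCTET
 * STRING that contains CR LF and Ctrl-Z, the same ten bytes in PEM armor, and
 * a SEQUENCE with a long-form length. */
const unsigned char sample_der[10] = { 0x30, 0x08, 0x04, 0x06, 0x41, 0x0d, 0x0a, 0x1a, 0x42, 0x43 };
const char sample_pem[] = "-----BEGIN CERTIFICATE-----\nMAgEBkENChpCQw==\n-----END CERTIFICATE-----\n";
const unsigned char sample_der_longform[6] = { 0x30, 0x82, 0x00, 0x02, 0x05, 0x00 };
```

The "Expecting: CERTIFICATE" error quoted above is the PEM routines reporting that no BEGIN CERTIFICATE line was found, which is what the sniffer reports as FMT_DER or FMT_UNKNOWN. Run through simulate_textmode_read(), the ten-byte sample loses its CR and everything from the Ctrl-Z onward, so the SEQUENCE length no longer matches and d2i_X509() would reject it; the PEM copy of the same bytes survives text mode untouched because base64 never contains those characters.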


Re: OpenSSL - CryptoAPI - nCipher

2012-03-14 Thread Sunjeet Singh
>> 8. Now, I want to load the certificate into the same SSL Context. 
>>  At first I tried using the simple-
>>  ENGINE_load_ssl_client_cert() 
>>  on the certificate file generated earlier, but that failed. I can 
>> understand why- the certificate is encrypted (self-signed).
>>  So it seems like the function that I would want to use instead 
>> is-
>>  ENGINE_load_ssl_client_certificate()
>>  But I'm not entirely sure if the same certificate is supposed to go 
>> into the context as "client" certificate and if I am trying to do the right 
>> thing. 
>> 
>> 
>> Can someone please point me in the right direction? Hopefully I've included 
>> all information that is relevant to my question.
>> 
> 
> Forget about the ENGINE for this step. You can load the certificate into an
> X509 structure and pass that to the SSL_CTX.
> 
> How you do that depends on the certificate format. If it is PEM format you can
> use PEM_read_X509. If DER the d2i_X509_fp will do the trick.
> 

Hi Steve, thanks for your reply. While it's definitely helped me take another 
step in the right direction, I've run into a problem when using the 
PEM_read_X509() function.

The error string that I get from the function call is "_base = 0x047329a8 
"6632:error:0906D06C:PEM 
routines:func(109):reason(108):.\crypto\pem\pem_lib.c:696:Expecting: 
CERTIFICATE".
And when I open my foocert.PEM file in a text editor, it is not readable. 

Going back to how I created it: I used the command string-
makecert -r -sk fooContainer -sp "nCipher Enhanced Security Provider" -sky 
exchange foocert.pem

When my working code was using software key storage earlier, my .PEM looked 
like a readable text file of the form- 
-----BEGIN CERTIFICATE-----
9w0BA
...
TKekJ==
-----END CERTIFICATE-----
...but of course that was created using an "openssl x509" command since my 
private and public key files were available on the disk.

So I guess the question now really is- How do you create a .PEM X509 
self-signed certificate for a CAPI key that is stored in a container on the 
nCipher hardware?

This might be the last hurdle for my OpenSSL integration with nCipher. 


Thank you,
Sunjeet




OpenSSL FIPS Object Module status update

2012-03-14 Thread Steve Marquess
I've received a number of queries about the reference in the recently
released OpenSSL 1.0.1 to "Preliminary FIPS capability for unvalidated
2.0 FIPS module".

OpenSSL 1.0.1 is designed to support use of that FIPS 140-2
cryptographic module to provide a "FIPS compatible" API. However, the
formal validation of that module is still pending. We think we are very
close -- perhaps within a few days -- but as always the timeline is
difficult to predict with any certainty.

The formal validation will be announced here as soon as it happens.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.net


OpenSSL 1.0.1 released

2012-03-14 Thread OpenSSL
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


   OpenSSL version 1.0.1 released
   ==============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   http://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.0.1 of our open source toolkit for SSL/TLS. This new
   OpenSSL version is a new feature release. For a complete
   list of changes, please see

   http://www.openssl.org/source/exp/CHANGES.

   The most significant changes are:

  o TLS/DTLS heartbeat support.
  o SCTP support.
  o RFC 5705 TLS key material exporter.
  o RFC 5764 DTLS-SRTP negotiation.
  o Next Protocol Negotiation.
  o PSS signatures in certificates, requests and CRLs.
  o Support for password based recipient info for CMS.
  o Support TLS v1.2 and TLS v1.1.
  o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
  o SRP support.

   We consider OpenSSL 1.0.1 to be the best version of OpenSSL
   available and we strongly recommend that users of older versions
   upgrade as soon as possible. OpenSSL 1.0.1 is available for
   download via HTTP and FTP from the following master locations (you
   can find the various FTP mirrors under
   http://www.openssl.org/source/mirror.html):

 * http://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.0.1.tar.gz
  Size: 4453920
  MD5 checksum: 134f168bc2a8333f19f81d684841710b
  SHA1 checksum: a6476d33fd38c2e7dfb438d1e3be178cc242c907

   The checksums were calculated using the following commands:

openssl md5 openssl-1.0.1.tar.gz
openssl sha1 openssl-1.0.1.tar.gz

   Yours,

   The OpenSSL Project Team.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEVAwUBT2CkBKLSm3vylcdZAQJv6wgAmrvhkXBB0rOI2Yt5YkgShq7BqqogFJk7
TBCHP6gR133L08e+WibwLc3HZS8eU2oAyyOYjBiTjO2Dyg5jkkslku2pyX9R8iZd
vb0k/ZTuzmNO/6dDYwejbYdLjrPmTKWrcofa9GooWhiFBOzi3fbY0pAIWjHBoY07
LK8HxVzqQ+v/fg3ingqNpD5qJ6y13i4S8wzMPRL/4ox3evRSsEZ2ZTRqCfxwIbQk
hZHfNL2sCZ+i/BoPKYxezhRweftDKQJtAm17femzymbQ0NVZfKi2i4kcd0GXS4Ow
eaeMwpXdAGDGcj/HzaqxH1lEkKDQB+H9fo9MT2gqawjntiRt6K/oyQ==
=yHMc
-----END PGP SIGNATURE-----