Re: [openssl-users] openssl -check

2017-09-06 Thread Georg Höllrigl

Sent: Wednesday, 06 September 2017 at 18:06
From: "Jakob Bohm"
To: openssl-users@openssl.org
Subject: Re: [openssl-users] openssl -check

On 06/09/2017 16:18, "Georg Höllrigl" wrote:
> Hello,
> Is there a way to verify a cert?
> I'm thinking about some equivalent to
> openssl rsa -noout -in example.key -check
> but for the public part.
> I found some broken certificate (lines in the PEM encoding got swapped)
> openssl x509 -in broken.cer but see no way to verify...
> comparing with the original cert shows different thumbprint... but
> shouldn't there be some kind of checksum to verify?
The signature on a certificate is a very strong checksum.

For certificates that are not self-signed, openssl x509 -verify should
do it.

Agreed. That would be exactly what I had in mind - but it's not working.

-verify only exists for "openssl req" to check a CSR?

 

I've created an example broken certificate from google:

 

-BEGIN CERTIFICATE-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-END CERTIFICATE-
 

 


At the command line, I won't see a difference between a correct and a broken certificate.

In comparison, when checking a key I get "RSA key ok".

Georg

 


 
 


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Env variables in config file to add a whole line

2017-09-06 Thread Jakob Bohm

On 06/09/2017 19:34, Robert Moskowitz wrote:
> On 09/06/2017 01:31 PM, Salz, Rich via openssl-users wrote:
>> …
>>
>>  $crlDP
>>  $ocspIAI
>>
>> This is not supported.  You can only put variables in *values*
>
> OK.  But now I have to work out values.
>
> Bob


As previously, have a set of "certificate profiles" (other CA
products name), in the form of different [foo_ext] and [policy_foo]
sections in the CA's openssl.cnf, then run "openssl ca -extensions
foo_ext -policy policy_foo ..."

Since each CA needs its own directory anyway, each CA would have its
own openssl.cnf (generated by a script that sets up the CA).

For example, "foo" could be "server" (has crl and ocsp, plus other
relevant settings), "client" (has crl and ocsp, plus different
relevant settings), "ocsp-signer" (no crl, no ocsp, short lifespan,
other relevant settings), "ecu" (has crl and ocsp, plus different
settings again), etc. etc.

Very different certificate purposes should ideally have their own
SubCA's that can be managed differently, and have the CA cert
restricted.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Env variables in config file to add a whole line

2017-09-06 Thread Robert Moskowitz



On 09/06/2017 01:31 PM, Salz, Rich via openssl-users wrote:
> …
>
>  $crlDP
>  $ocspIAI
>
> This is not supported.  You can only put variables in *values*

OK.  But now I have to work out values.

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Env variables in config file to add a whole line

2017-09-06 Thread Salz, Rich via openssl-users
> …
>
> $crlDP
> $ocspIAI

This is not supported.  You can only put variables in *values*


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Env variables in config file to add a whole line

2017-09-06 Thread Robert Moskowitz

I got past the error to build the CSR by using:

crlDistributionPoints = $ENV::crlDP
authorityInfoAccess = $ENV::ocspIAI

Just $crlDP failed even though I had this defined in the [ca] section.

The CSR does not use the user_cert or server_cert.  This was 'just' a
config file syntax issue.  When I try to make the cert I get the following:


crlDP=URI:http://www.htt-consult.com/pki/intermediate.crl.pem
default_crl_days=30
ocspIAI="OCSP;URI:http://ocsp.htt-consult.com"

   openssl ca -config $dir/openssl-intermediate.cnf -days 375 \
   -extensions server_cert -notext -md sha256 \
   -in $dir/csr/$serverfqdn.csr.$format \
   -out $dir/certs/$serverfqdn.cert.$format

It works.  But if I DON'T want a CRL or OCSP support and I use:

crlDP=
ocspIAI=

with the same command I get:


Error Loading extension section server_cert
3069510608:error:0E06D06C:configuration file 
routines:NCONF_get_string:no 
value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
3069510608:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid 
null name:crypto/x509v3/v3_utl.c:316:
3069510608:error:22097069:X509 V3 routines:do_ext_nconf:invalid 
extension 
string:crypto/x509v3/v3_conf.c:93:name=crlDistributionPoints,section=
3069510608:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in 
extension:crypto/x509v3/v3_conf.c:47:name=crlDistributionPoints, value=


So I need a way to have a 'null' value for NO CRL or NO OCSP.

I don't want to have to use SED to edit the config file based on what 
the goal is...


thanks

Bob




On 09/06/2017 12:23 PM, Robert Moskowitz wrote:
I am trying to use an environment variable to add a whole line to the 
config file.  This is to control adding (or not providing) CRL and/or 
OCSP support.


export shows:

declare -x crlDP="crlDistributionPoints = URI:http://www.htt-consult.com/pki/intermediate.crl.pem"
declare -x default_crl_days="default_crl_days  = 30"
declare -x ocspIAI="authorityInfoAccess = OCSP;URI:http://ocsp.htt-consult.com"


The config file starts with:


[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir= $ENV::dir
cadir = $ENV::cadir
format= $ENV::format
crlDP = $ENV::crlDP
default_crl_days  = $ENV::default_crl_days
ocspIAI  = $ENV::ocspIAI


The usr_cert section has:

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
$crlDP
$ocspIAI

Note that the line with "$crlDP" is line 123

When I run the command:

openssl req -config $dir/openssl-intermediate.cnf -key $dir/private/$serverfqdn.key.$format \
    -subj "$DN" -new -sha256 -out $dir/csr/$serverfqdn.csr.$format


I get the error:

req: Error on line 123 of config file 
"/home/rgm/ca/intermediate/openssl-intermediate.cnf"

unable to find 'distinguished_name' in config
problems making Certificate Request
3070145488:error:0E06D06A:configuration file 
routines:NCONF_get_string:no conf or environment 
variable:crypto/conf/conf_lib.c:272:


note that if I:

grep -n distinguished_name openssl-intermediate.cnf

68:distinguished_name  = req_distinguished_name
78:[ req_distinguished_name ]

So the warning about unable to find 'distinguished_name' in config is
misleading.  The problem is more likely with line 123 which is only
the env variable.


I can play around with this and hopefully get the variables to work as

crlDistributionPoints = $crlDP

And if $crlDP is empty, it will not put an empty value into the cert.  
But why does what I have not work?


thanks

Bob



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Env variables in config file to add a whole line

2017-09-06 Thread Robert Moskowitz
I am trying to use an environment variable to add a whole line to the 
config file.  This is to control adding (or not providing) CRL and/or 
OCSP support.


export shows:

declare -x crlDP="crlDistributionPoints = URI:http://www.htt-consult.com/pki/intermediate.crl.pem"
declare -x default_crl_days="default_crl_days  = 30"
declare -x ocspIAI="authorityInfoAccess = OCSP;URI:http://ocsp.htt-consult.com"


The config file starts with:


[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir= $ENV::dir
cadir = $ENV::cadir
format= $ENV::format
crlDP = $ENV::crlDP
default_crl_days  = $ENV::default_crl_days
ocspIAI  = $ENV::ocspIAI


The usr_cert section has:

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical,nonRepudiation,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
$crlDP
$ocspIAI

Note that the line with "$crlDP" is line 123

When I run the command:

openssl req -config $dir/openssl-intermediate.cnf -key $dir/private/$serverfqdn.key.$format \
    -subj "$DN" -new -sha256 -out $dir/csr/$serverfqdn.csr.$format


I get the error:

req: Error on line 123 of config file 
"/home/rgm/ca/intermediate/openssl-intermediate.cnf"

unable to find 'distinguished_name' in config
problems making Certificate Request
3070145488:error:0E06D06A:configuration file 
routines:NCONF_get_string:no conf or environment 
variable:crypto/conf/conf_lib.c:272:


note that if I:

grep -n distinguished_name openssl-intermediate.cnf

68:distinguished_name  = req_distinguished_name
78:[ req_distinguished_name ]

So the warning about unable to find 'distinguished_name' in config is
misleading.  The problem is more likely with line 123 which is only
the env variable.


I can play around with this and hopefully get the variables to work as

crlDistributionPoints = $crlDP

And if $crlDP is empty, it will not put an empty value into the cert.  
But why does what I have not work?


thanks

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] ASN1_TIME to time_t

2017-09-06 Thread Dr. Stephen Henson
On Wed, Sep 06, 2017, Michael Wojcik wrote:

> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> > Of Dr. Stephen Henson
> > Sent: Wednesday, September 06, 2017 10:26
> > 
> > No but there is a roundabout way of achieving the same result. The
> > ASN1_TIME_diff() function will determine the difference between two
> > ASN1_TIME structures and return the result as a number of days and seconds.
> > 
> > So if you set one to the epoch time you can then calculate the time_t from
> > the difference.
> 
> That's almost certainly a much better approach than the one I described in my 
> previous email.
> 
> I assume ASN1_TIME_diff takes into account ASN.1 UTC Time versus Generalized 
> Time, and timezone information. Though it wouldn't be hard to have a few 
> different ASN1_TIME structures for the various permutations.
> 

Yes, ASN1_TIME corresponds to the ASN.1 Time structure, which is a choice of
UTCTime and GeneralizedTime; it acts in an appropriate way depending on the
type that has been passed in. Timezones should be handled properly, though
there was a recent bug fixed: timezones are only rarely encountered in
practice and not legal in many standards (e.g. RFC5280).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] openssl -check

2017-09-06 Thread Jakob Bohm

On 06/09/2017 16:18, "Georg Höllrigl" wrote:
> Hello,
> Is there a way to verify a cert?
> I'm thinking about some equivalent to
> openssl rsa -noout -in example.key -check
> but for the public part.
> I found some broken certificate (lines in the PEM encoding got swapped)
> openssl x509 -in broken.cer but see no way to verify...
> comparing with the original cert shows different thumbprint... but
> shouldn't there be some kind of checksum to verify?

The signature on a certificate is a very strong checksum.

For certificates that are not self-signed, openssl x509 -verify should
do it.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] ASN1_TIME to time_t

2017-09-06 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Jakob Bohm
> Sent: Wednesday, September 06, 2017 09:27
> 
> On 06/09/2017 14:17, Michael Wojcik wrote:
> 
> > struct tm is local time, so you need to adjust for timezone.
>
> It's not as much struct tm, as it is the mktime() API.

Of course you're right.

>  If available, try the BSD/GNU API timegm(), although that is
> officially "obsolete".

We need much wider platform compatibility. It's not a big deal, though.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] ASN1_TIME to time_t

2017-09-06 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Dr. Stephen Henson
> Sent: Wednesday, September 06, 2017 10:26
> 
> No but there is a roundabout way of achieving the same result. The
> ASN1_TIME_diff() function will determine the difference between two
> ASN1_TIME structures and return the result as a number of days and seconds.
> 
> So if you set one to the epoch time you can then calculate the time_t from
> the difference.

That's almost certainly a much better approach than the one I described in my 
previous email.

I assume ASN1_TIME_diff takes into account ASN.1 UTC Time versus Generalized 
Time, and timezone information. Though it wouldn't be hard to have a few 
different ASN1_TIME structures for the various permutations.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] ASN1_TIME to time_t

2017-09-06 Thread Dr. Stephen Henson
On Wed, Sep 06, 2017, Dmitry Belyavsky wrote:

> Dear Matt,
> 
> On Wed, Sep 6, 2017 at 11:16 AM, Matt Caswell wrote:
> 
> >
> >
> > On 06/09/17 09:12, Dmitry Belyavsky wrote:
> > > Hello,
> > >
> > > Is there a way to convert ASN1_TIME to time_t or smth compatible? Quick
> > > googling does not show good results.
> >
> > In master you can use ASN1_TIME_to_tm() which will give you a struct tm.
> > Not available in released versions yet though.
> >
> 
> Is it implementable via API in 1.0.2?
> 

No but there is a roundabout way of achieving the same result. The
ASN1_TIME_diff() function will determine the difference between two ASN1_TIME
structures and return the result as a number of days and seconds.

So if you set one to the epoch time you can then calculate the time_t from the
difference.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] openssl -check

2017-09-06 Thread Georg Höllrigl
Hello,

Is there a way to verify a cert?

I'm thinking about some equivalent to

openssl rsa -noout -in example.key -check

but for the public part.

I found some broken certificate (lines in the PEM encoding got swapped)

openssl x509 -in broken.cer but see no way to verify...

comparing with the original cert shows different thumbprint... but shouldn't there be some kind of checksum to verify?

Kind Regards,

Georg
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Problem with Last step in setup

2017-09-06 Thread Gerardi, Elio
Looks like changing to root did it... Sometimes when you're staring at the screen
for hours doing other things, the answer passes you by... Thanks for the support

Elio Gerardi – Cloud Architect
Hyperscaler GTM team
Cloud Business Unit
cloud.netapp.com
NetApp
646.313.3079 Direct Phone
914.419.0396 Mobile Phone
e...@netapp.com

On 9/5/17, 1:16 PM, "openssl-users on behalf of Michael Richardson" wrote:

Gerardi, Elio wrote:
> I am getting the following error when I run the ‘make install’ command on
> OpenSSL

> make install

> /Library/Developer/CommandLineTools/usr/bin/make depend &&
> /Library/Developer/CommandLineTools/usr/bin/make _all

> *** Installing development files

> Cannot create directory /usr/local/include: No such file or directory

Probably because you don't have a /usr/local/include, and it isn't
autocreated ("mkdir -p"), and you aren't running this as root.

(maybe you want to install it some place other than /usr/local?)

--
]   Never tell me the odds!                      | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works | network architect  [
] m...@sandelman.ca  http://www.sandelman.ca/    |   ruby on rails    [



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Query on usage of openssl 1.1.0f with openssl-FIPS

2017-09-06 Thread Porter, Andrew
Support for DTLS 1.2 was one of the major changes from 1.0.1 to 1.0.2, see

https://www.openssl.org/news/openssl-1.0.2-notes.html

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Salz, Rich via openssl-users
Sent: Wednesday, September 06, 2017 06:49
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Query on usage of openssl 1.1.0f with openssl-FIPS


> I am unable to find the openssl-fips module for 1.1.0f. Do you know when it
> will be available?

We have no date.  Work hasn’t fully started, and isn’t fully funded.  Perhaps
your company would like to help? :) See our blog for updates (look in the
archive for postings with FIPS in the title; https://www.openssl.org/blog )

> Could you please let us know the latest openssl 1.0 version that can be
> compiled with “openssl-fips-2.0.16”?

1.0.2, latest release.

> Also, please let know if that version supports DTLS.

I think no, but am not positive.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Query on usage of openssl 1.1.0f with openssl-FIPS

2017-09-06 Thread Salz, Rich via openssl-users
> I am unable to find the openssl-fips module for 1.1.0f. Do you know when it
> will be available?

We have no date.  Work hasn’t fully started, and isn’t fully funded.  Perhaps
your company would like to help? :) See our blog for updates (look in the
archive for postings with FIPS in the title; https://www.openssl.org/blog )

> Could you please let us know the latest openssl 1.0 version that can be
> compiled with “openssl-fips-2.0.16”?

1.0.2, latest release.

> Also, please let know if that version supports DTLS.

I think no, but am not positive.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] ASN1_TIME to time_t

2017-09-06 Thread Jakob Bohm

On 06/09/2017 14:17, Michael Wojcik wrote:
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Dmitry Belyavsky
> Sent: Wednesday, September 06, 2017 04:12
>> Is there a way to convert ASN1_TIME to time_t or smth compatible? Quick
>> googling does not show good results.
>
> We just implemented it ourselves, by parsing the data field of the (1.0.2)
> OpenSSL ASN1_TIME structure into a struct tm and using mktime.
>
> That's not ideal, since it's looking at an internal representation. Also, for
> some reason, 1.0.2 seems to keep the year as a two-digit value for ASN.1 UTC
> Time, with a window centered on 1970, while it uses a 4-digit year for ASN.1
> Generalized Time. The code handles that but it makes me nervous - it's the sort
> of internal detail that seems likely to change.

Really?  I thought the standard window for the two-digit representation
in the DER/BER encoding was centered on 2000, at least in certificates.
But I may be mistaken.

> struct tm is local time, so you need to adjust for timezone. With Generalized
> Time you need to parse the offset from UTC; then you adjust your struct tm
> based on the difference between the ASN.1 time's offset and your local offset.

It's not as much struct tm, as it is the mktime() API.  If
available, try the BSD/GNU API timegm(), although that is
officially "obsolete".

Or you could go pure C and use the integer arithmetic that
converts broken-down Gregorian dates to a day count since an
arbitrary base, either the Gauss formula, or something based on:

 ((month < 3u ? month - 3u : month + 9u) * 367u + Yu) / 12u + mday

(Y is a single digit constant, forgot which).

(That particular formula is my reconstruction of how the calendar
was probably designed by the advisor to Julius Caesar: Worst case
year is 367 days, divide equally among 12 months, restart about 20
days before spring equinox, use a historic rounding rule represented
by Y. Of course with Roman numerals, they would have used (month - 2)).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] SSL_CTX_set_cipher_list returns failure for DHE-DSS-AES256-GCM-SHA384

2017-09-06 Thread Benjamin Kaduk via openssl-users
On 09/06/2017 12:02 AM, mahesh gs wrote:
> Hi All,
>
> I am using openssl version 01.01.00f for providing TLS and DTLS
> security for TCP and SCTP connection for our application. I have a query
> regarding the "Ciphers" that are accepted by the
> SSL_CTX_set_cipher_list API. The list of ciphers that are supported by
> openssl version 01.01.00f that is output of command "openssl ciphers
> -v" is as listed down below. When I try to set these ciphers through
> API "SSL_CTX_set_cipher_list" returns success for some and failure for
> some other ciphers.
>
> For example if I set "ECDHE-RSA-AES256-GCM-SHA384" API returns success
> but if I set "DHE-DSS-AES256-GCM-SHA384" or "RC4-MD5" API returns
> failure. My query is what are the accepted ciphers ? and what is the
> reason behind not accepting some of them?
>

OpenSSL 1.1.0 added a concept of "security level" for ciphers; see
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level
for which levels correspond to bits of security, prohibited message
digests, etc.

-Ben
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] ASN1_TIME to time_t

2017-09-06 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
> Dmitry Belyavsky
> Sent: Wednesday, September 06, 2017 04:12

> Is there a way to convert ASN1_TIME to time_t or smth compatible? Quick 
> googling does not show good results.

We just implemented it ourselves, by parsing the data field of the (1.0.2) 
OpenSSL ASN1_TIME structure into a struct tm and using mktime.

That's not ideal, since it's looking at an internal representation. Also, for 
some reason, 1.0.2 seems to keep the year as a two-digit value for ASN.1 UTC 
Time, with a window centered on 1970, while it uses a 4-digit year for ASN.1 
Generalized Time. The code handles that but it makes me nervous - it's the sort 
of internal detail that seems likely to change.

struct tm is local time, so you need to adjust for timezone. With Generalized 
Time you need to parse the offset from UTC; then you adjust your struct tm 
based on the difference between the ASN.1 time's offset and your local offset.

I should really review that code at some point. But for now it appears to work.

Michael Wojcik 
Distinguished Engineer, Micro Focus 



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
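The pure-C route Jakob sketches in this thread, together with the UTCTime/GeneralizedTime, two-digit-year and timezone concerns Michael raises, worked through as an added example (not code from the thread or from OpenSSL): it parses the string an ASN1_TIME's data field holds and converts it to seconds since the epoch with integer day-count arithmetic instead of mktime(), so no local-timezone adjustment is needed. The caller passes whether the value's type was V_ASN1_GENERALIZEDTIME; the function names, the RFC 5280 window for two-digit years and the sample inputs are mine.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Days since 1970-01-01 for a proleptic Gregorian date, integer-only
   (Howard Hinnant's days_from_civil). Avoids mktime(), which treats
   struct tm as local time. */
static long long days_from_civil(long long y, unsigned m, unsigned d)
{
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (long long)doe - 719468;
}

static int read_digits(const char *s, size_t n, int *out)
{
    int v = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] < '0' || s[i] > '9')
            return 0;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 1;
}

static unsigned days_in_month(int y, int m)
{
    static const unsigned dim[] = {31,28,31,30,31,30,31,31,30,31,30,31};
    int leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
    return dim[m - 1] + (m == 2 && leap);
}

/* Parse "YYMMDDHHMM[SS](Z|+hhmm|-hhmm)" (UTCTime) or
   "YYYYMMDDHHMM[SS](Z|+hhmm|-hhmm)" (GeneralizedTime) into UTC seconds since
   the Unix epoch. Two-digit years use the RFC 5280 window (50..99 -> 19xx,
   00..49 -> 20xx). Returns 1 on success, 0 if malformed or out of range. */
int asn1_time_str_to_epoch(const char *s, int generalized, long long *out)
{
    size_t len = strlen(s), ylen = generalized ? 4 : 2, pos = 0;
    int year, mon, day, hour, min, sec = 0, off = 0;

    if (len < ylen + 8 || !read_digits(s, ylen, &year))
        return 0;
    pos += ylen;
    if (!generalized)
        year += (year >= 50) ? 1900 : 2000;
    if (!read_digits(s + pos, 2, &mon) || !read_digits(s + pos + 2, 2, &day) ||
        !read_digits(s + pos + 4, 2, &hour) || !read_digits(s + pos + 6, 2, &min))
        return 0;
    pos += 8;
    /* Seconds are optional in ASN.1 itself (RFC 5280 requires them). */
    if (len - pos >= 2 && s[pos] >= '0' && s[pos] <= '9') {
        if (!read_digits(s + pos, 2, &sec))
            return 0;
        pos += 2;
    }
    /* Zone designator: "Z", or an explicit +hhmm/-hhmm offset from UTC. */
    if (len - pos == 1 && s[pos] == 'Z') {
        pos += 1;
    } else if (len - pos == 5 && (s[pos] == '+' || s[pos] == '-')) {
        int oh, om;
        if (!read_digits(s + pos + 1, 2, &oh) || !read_digits(s + pos + 3, 2, &om)
            || oh > 23 || om > 59)
            return 0;
        off = (oh * 3600 + om * 60) * (s[pos] == '+' ? 1 : -1);
        pos += 5;
    } else {
        return 0;
    }
    if (mon < 1 || mon > 12 || day < 1 || day > (int)days_in_month(year, mon) ||
        hour > 23 || min > 59 || sec > 59)
        return 0;
    /* A time at offset `off` is UTC + off, so subtract it to get UTC. */
    *out = days_from_civil(year, (unsigned)mon, (unsigned)day) * 86400LL
           + hour * 3600LL + min * 60LL + sec - off;
    return 1;
}

/* Convenience wrapper: LLONG_MIN signals a malformed time string. */
long long asn1_time_epoch(const char *s, int generalized)
{
    long long t;
    return asn1_time_str_to_epoch(s, generalized, &t) ? t : LLONG_MIN;
}

int main(void)
{
    /* Constructed sample inputs, not taken from a real certificate. */
    printf("%lld\n", asn1_time_epoch("170906101200Z", 0));     /* 1504692720 */
    printf("%lld\n", asn1_time_epoch("20500101000000Z", 1));   /* 2524608000 */
    printf("%lld\n", asn1_time_epoch("170906101200+0200", 0)); /* 1504685520 */
    return 0;
}
```

Assign the result to a time_t only where the platform's time_t is 64-bit; the 1950 and 2049 window edges exceed a 32-bit time_t.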


Re: [openssl-users] ASN1_TIME to time_t

2017-09-06 Thread Matt Caswell


On 06/09/17 09:20, Dmitry Belyavsky wrote:
> Dear Matt,
> 
> On Wed, Sep 6, 2017 at 11:16 AM, Matt Caswell wrote:
> 
> 
> 
> On 06/09/17 09:12, Dmitry Belyavsky wrote:
> > Hello,
> >
> > Is there a way to convert ASN1_TIME to time_t or smth compatible? Quick
> > googling does not show good results.
> 
> In master you can use ASN1_TIME_to_tm() which will give you a struct tm.
> Not available in released versions yet though.
> 
> 
> Is it implementable via API in 1.0.2?

Probably (not checked in detail), but you'd have to copy the
implementation into your code. See asn1_time_to_tm() in
crypto/asn1/a_time.c in master.

Matt

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] ASN1_TIME to time_t

2017-09-06 Thread Dmitry Belyavsky
Dear Matt,

On Wed, Sep 6, 2017 at 11:16 AM, Matt Caswell wrote:

>
>
> On 06/09/17 09:12, Dmitry Belyavsky wrote:
> > Hello,
> >
> > Is there a way to convert ASN1_TIME to time_t or smth compatible? Quick
> > googling does not show good results.
>
> In master you can use ASN1_TIME_to_tm() which will give you a struct tm.
> Not available in released versions yet though.
>

Is it implementable via API in 1.0.2?


-- 
SY, Dmitry Belyavsky
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] ASN1_TIME to time_t

2017-09-06 Thread Matt Caswell


On 06/09/17 09:12, Dmitry Belyavsky wrote:
> Hello,
> 
> Is there a way to convert ASN1_TIME to time_t or smth compatible? Quick
> googling does not show good results.

In master you can use ASN1_TIME_to_tm() which will give you a struct tm.
Not available in released versions yet though.

Matt

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] ASN1_TIME to time_t

2017-09-06 Thread Dmitry Belyavsky
Hello,

Is there a way to convert ASN1_TIME to time_t or smth compatible? Quick
googling does not show good results.

Thank you!

-- 
SY, Dmitry Belyavsky
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users