Re: [openssl-users] Unable to install OpenSSL

2018-05-03 Thread Jakob Bohm

On 04/05/2018 02:16, Lunessia wrote:

> Hello everyone,
> I've been having various troubles with installing and compiling OpenSSL.
> I started with 1.1.1-pre6, and my Perl client will tell me that I
> don't have NASM even if I have it installed (If I use VC-WIN64A) or
> output "If you want to report a building issue, please include the
> output from this command: Perl configdata.pl  --dump" when I use
> VC-WIN64I
> With 1.0.2o, Perl compiles the program, but however, I can't use Dmake
> to compile it, as Dmake will state:



Please note that VC-WIN64I is for Itanium processors (supported only
on Windows Server 2008 and 2008 R2, with some historic support on old
versions of Windows Server 2003 and Windows XP).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Unable to install OpenSSL

2018-05-03 Thread Lunessia
Hello everyone,
I've been having various troubles with installing and compiling OpenSSL.
I started with 1.1.1-pre6, and my Perl client will tell me that I don't
have NASM even if I have it installed (If I use VC-WIN64A) or output "If
you want to report a building issue, please include the output from this
command: Perl configdata.pl  --dump" when I use
VC-WIN64I
With 1.0.2o, Perl compiles the program, but however, I can't use Dmake to
compile it, as Dmake will state:

"dmake.exe:  makefile:  line 275:  Warning: -- Found non-white space
character after '[' in [@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS)
-e $(BUILDENV)].
dmake.exe:  makefile:  line 307:  Warning: -- Found non-white space
character after '[' in [[ -z "$(FIPSCANLIB)" ] || $(CC) $(CFLAG) -Iinclude \
-DFINGERPRINT_PREMAIN_DSO_LOAD -o $@  \
$(FIPSLIBDIR)fips_premain.c $(FIPSLIBDIR)fipscanister.o \
libcrypto.a $(EX_LIBS)].
dmake.exe:  makefile:  line 307:  Error: -- New group recipe begin found
within group recipe."

Here are my programs:
A make implementation: Dmake from Perl
Perl 5 with core modules: ActivePerl 5.22.4.2205 with text::template
installed
ANSI C Compiler: MinGW from Perl
A development environment in the form of development
libraries and C header files: (I'm guessing) Visual Studio 2017 (I can't
use Nmake with it for some reason)
Netwide Assembler: NASM 2.13.03
Operating system: Windows 10 x64

Some of these were found either by the .exe version or by the installer
version.
Also attached is the configdata.pl dump. The makefile has not updated, so I
will not include that unless asked.
Command line (with current working directory = .):

C:\Perl64\bin\perl.exe Configure VC-WIN64I

Perl information:

C:\Perl64\bin\perl.exe
5.22.4 for MSWin32-x64-multi-thread


Re: [openssl-users] Building FIP enabled OpenSSL fails in Yocto-ARM build

2018-05-03 Thread Jayalakshmi bhat
Hi All,

In addition to my previous mail, this is additional info

objdump -t libcrypto.so.1.0.0 | grep FIPS_signature
001ad8b0 l O .data  0014  FIPS_signature

readelf -a libcrypto.so.1.0.0 | grep FIPS_signature
11812: 001ad8b0    20 OBJECT  LOCAL  DEFAULT   23 FIPS_signature


Regards
Jayalakshmi

On Thu, May 3, 2018 at 7:39 PM, Jayalakshmi bhat  wrote:

> Hi All,
>
> I am building FIPS supported OpenSSL in yocto for ARM architecture. I
> tried using openssl-fips-2.0.13 and openssl-fips-2.0.4
>
>
> I am building FIPS externally with the below environmental  settings
>   
>  
> PATH=/yocto/gcc/gcc-linaro-4.9-2016.02-x86_64_arm-linux-gnueabihf/bin:$PATH
>
> export PATH
> export FIPS_SIG=/yocto/openssl-fips-2.0.4/util/incore
> export MACHINE=armv71
> export RELEASE=4.9.13
> export SYSTEM=Linux
> export ARCH=arm
> export CROSS_COMPILE=arm-linux-gnueabihf-
> export HOSTCC=gcc
> export FIPSDIR=/yocto/meta/recipes-connectivity/openssl/fips2.0
>
> Build commands for FIPS library
>
> ./config -mfloat-abi=hard
> make
> make install
> 
>
> Then I am building OpenSSL 1.0.2h with the below environment settings
>
> export FIPSDIR="/yocto/meta/recipes-connectivity/openssl/fips2.0"
> export FIPSLIBDIR="/yocto/meta/recipes-connectivity/openssl/fips2.0/lib/"
> export FIPS_SIG="/yocto/meta/recipes-connectivity/openssl/fips2.0/bin/incore"
>
> Build command to build OpenSSL.
>
> perl ./Configure ${EXTRA_OECONF} fips shared --with-fipsdir=${FIPSDIR}
> --prefix=$useprefix --openssldir=${libdir}/ssl --libdir=`basename
> ${libdir}` $target
>
> Build is successful, without any error.  But when I try executing
>
> export OPENSSL_FIPS=1
> openssl -v
>
> I am getting
>
> 3069334736:error:2D06B06F:FIPS 
> routines:FIPS_check_incore_fingerprint:fingerprint
> does not match:fips.c:244
>
> I do not understand what could be going wrong. Any help is appreciated.
>
> Regards
> Jayalakshmi
>
>
>
>


Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread Viktor Dukhovni


> On May 3, 2018, at 3:06 AM, Anil kumar Reddy  
> wrote:
> 
> The issue is:
> I am unable to find out the exact command lines or c/c++ program functions to 
> prove the SignedCertificate.pem is signed or not. I have spent more than one 
> day on researching, but I am end up with confusion. I do not have any digital 
> certificate chain. 

To verify the signature on a single certificate using a known issuer
public key you call:

X509_verify(X509 *cert, EVP_PKEY *pkey)

with return values <= 0 indicating failure.  To verify a certificate
chain against a set of trust anchors you call:

X509_verify_cert(X509_STORE_CTX *ctx)

where "ctx" is populated with the certificate chain, trust anchors,
CRLs, verification parameters, including some types of subject names
to check...  This is what most applications use to check that something
is signed by a trusted certificate with the right identity and purpose.

-- 
Viktor.



[openssl-users] Building FIP enabled OpenSSL fails in Yocto-ARM build

2018-05-03 Thread Jayalakshmi bhat
Hi All,

I am building FIPS supported OpenSSL in yocto for ARM architecture. I tried
using openssl-fips-2.0.13 and openssl-fips-2.0.4


I am building FIPS externally with the below environmental  settings
  
 
PATH=/yocto/gcc/gcc-linaro-4.9-2016.02-x86_64_arm-linux-gnueabihf/bin:$PATH

export PATH
export FIPS_SIG=/yocto/openssl-fips-2.0.4/util/incore
export MACHINE=armv71
export RELEASE=4.9.13
export SYSTEM=Linux
export ARCH=arm
export CROSS_COMPILE=arm-linux-gnueabihf-
export HOSTCC=gcc
export FIPSDIR=/yocto/meta/recipes-connectivity/openssl/fips2.0

Build commands for FIPS library

./config -mfloat-abi=hard
make
make install


Then I am building OpenSSL 1.0.2h with the below environment settings

export FIPSDIR="/yocto/meta/recipes-connectivity/openssl/fips2.0"
export FIPSLIBDIR="/yocto/meta/recipes-connectivity/openssl/fips2.0/lib/"
export FIPS_SIG="/yocto/meta/recipes-connectivity/openssl/fips2.0/bin/incore"

Build command to build OpenSSL.

perl ./Configure ${EXTRA_OECONF} fips shared --with-fipsdir=${FIPSDIR}
--prefix=$useprefix --openssldir=${libdir}/ssl --libdir=`basename
${libdir}` $target

Build is successful, without any error.  But when I try executing

export OPENSSL_FIPS=1
openssl -v

I am getting

3069334736:error:2D06B06F:FIPS
routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:244

I do not understand what could be going wrong. Any help is appreciated.

Regards
Jayalakshmi


Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of morthalan
> Sent: Thursday, May 03, 2018 05:51
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] How to prove a Certificate is Signed or not
>
> But In my case, I do not have any root certificate. I have only one signed
> certificate (SignedCertificate.pem) and one certificate signing request
> (certReq.pem) .

To process the CSR and create the entity certificate (what you're calling the 
"signed certificate", which is redundant, since all certificates are signed), 
you have to use the CA private key.

The CA private key has a corresponding public key, which you would have 
generated alongside the private key.

Verifying the signature on the entity certificate requires that public key. The 
APIs that verify the signature receive the public key as part of the issuer 
certificate. You *must* have a CA certificate containing the public key that 
corresponds to the private key (you used to sign the entity certificate) in 
order to verify the signature on the entity certificate. It's not optional.

Certificate verification also examines other aspects of the certificate used by 
the issuer to sign the entity certificate, such as its validity dates. So 
that's another reason why you *must* have the issuer certificate.

But then you can't process a CSR without a CA certificate, because when you 
issue the entity certificate, it has to refer to the CA certificate used to 
issue it. So if you've generated an entity certificate, there's a corresponding 
issuing certificate somewhere.

I would strongly recommend you find an introduction to X.509 PKI somewhere 
online before proceeding. X.509 is hideously complicated and fraught with 
difficulties. Trying to code for it without the basic technical background will 
be an exercise in frustration and likely lead to errors that greatly weaken the 
security of your application.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
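
The point made in this reply, worked through with the `openssl` command line as an added example (not code from the thread or from the OpenSSL project): a throwaway CA issues SignedCertificate.pem from certReq.pem, and the result is verified against its issuer, against itself (the command that gave error 20 in the thread), and against an unrelated CA that merely has the same subject name. The CA names, `demo.cnf` and every function name are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: the CA names, demo.cnf and all function names are made up;
# certReq.pem, csrPkey.pem and SignedCertificate.pem reuse the thread's file names.

# Private config so the demo does not depend on the system openssl.cnf.
write_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_ca DIR NAME: new key pair plus self-signed CA certificate (subject "CN=Demo CA").
make_ca() {
    openssl req -x509 -config "$1/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$1/$2_key.pem" -out "$1/$2_cert.pem" 2>/dev/null
}

# issue DIR NAME: entity key + CSR, then the CA's *private* key signs the CSR contents.
issue() {
    openssl req -new -config "$1/demo.cnf" -subj "/CN=demo.entity" \
        -newkey rsa:2048 -nodes -keyout "$1/csrPkey.pem" -out "$1/certReq.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/certReq.pem" -CA "$1/$2_cert.pem" -CAkey "$1/$2_key.pem" \
        -set_serial 1 -days 2 -out "$1/SignedCertificate.pem" 2>/dev/null
}

# verify_result CAFILE CERT: prints "ok", or the numeric verify error code on failure.
verify_result() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo ok
    else
        code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
        echo "${code:-failed}"
    fi
}

run_demo() {
    d=$(mktemp -d) || return 1
    write_cnf "$d/demo.cnf"
    # "lookalike" has the same subject name as "ca" but a different key pair.
    if make_ca "$d" ca && make_ca "$d" lookalike && issue "$d" ca; then
        cert="$d/SignedCertificate.pem"
        # 1. Issuer certificate as trust anchor: its public key checks the signature.
        r_issuer=$(verify_result "$d/ca_cert.pem" "$cert")
        # 2. The thread's command: the certificate as its own CAfile.
        r_self=$(verify_result "$cert" "$cert")
        # 3. Matching issuer name, wrong key: must not verify (code varies by version).
        r_lookalike=$(verify_result "$d/lookalike_cert.pem" "$cert")
        echo "issuer=$r_issuer self=$r_self lookalike=$r_lookalike"
        rm -rf "$d"
    else
        rm -rf "$d"
        return 1
    fi
}

run_demo
```

Only the first check succeeds, which is why a name comparison or a CAfile that lacks the issuer certificate cannot stand in for verification with the issuer's public key.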






Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread morthalan
I got two Ideas. I can verify the certificate by comparing the issuer name

char *s = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
char *i = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
int rc = strcmp(s, i);

verifying with public key 

EVP_PKEY *caPubkey = X509_get_pubkey(signCert);
X509_REQ_verify(certreq, caPubkey);

thanks for the suggestions.





--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html


Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread Felipe Gasper
You could:

- Check subject and issuer for sameness.
- Verify the signature with the certificate’s own key. A positive verification 
indicates self-signed.

> On May 3, 2018, at 7:18 AM, Salz, Rich via openssl-users 
>  wrote:
> 
> 
> 
> On 5/3/18, 4:24 AM, "morthalan"  wrote:
> 
>    No, technically not. I am just searching for a simple method just to check a
>    certificate is signed by CA or not.
>    Because. Something like signing check, I am not quite sure, I do not have
>    proper knowledge on Openssl.
> 
> 
> If you have a cert, and a list of CA's that you trust, look at the verify 
> command.
> 
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread Salz, Rich via openssl-users
> After the generation of SignedCertificate.pem. I would like to write
> function to verify the SignedCertificate.pem, whether it is signed or not.
  
That is still not an accurate description.  By definition, a certificate is 
*signed data.*  It appears as a bitstring in the X509 data structure.

Is this what you want to do?  You have a certificate, and a CA key or 
certificate.  You want to know if the CA's public key generated the signature 
that is in the certificate that you have.  Look at the X509_verify function.  
You will need to take your CA cert (or key) and make a key object, but start 
with that first manpage and follow the references.




Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread morthalan
Sorry for the insufficient explanation on what I did.

I have implemented one c++ code(csrReq.cpp) to generate certificate signing
request(certReq.pem) along with private key(csrPkey.pem). Another c++ code
(signcode.cpp)is to read the user data from certReq.pem and generate the
Signed Certificate(SignedCertificate.pem).

Here the public key will be included in certReq.pem. So signcode.cpp will
take the public key from certReq.pem then generate SignedCertificate.pem
using it.

After the generation of SignedCertificate.pem. I would like to write
function to verify the SignedCertificate.pem, whether it is signed or not.

Is there any possibility to check the signature of SignedCertificate.pem.



d3x0r wrote
> a root cert is the self signed cert.
> 
> 
> On Thu, May 3, 2018 at 2:50 AM, morthalan <morthalaanilreddy@> wrote:
> 
>> But In my case, I do not have any root certificate. I have only one
>> signed
>> certificate (SignedCertificate.pem) and one certificate signing request
>> (certReq.pem) . So when I use it as below
>>
>> openssl verify -CAfile SignedCertificate.pem SignedCertificate.pem
>>
>> I am getting error  "error 20 at 0 depth lookup:unable to get local
>> issuer
>> certificate".
>> I believe it is for verifying certificate chain trust. Correct me if I am
>> wrong. Is there anyway to manipulate it?
>>
>>
>> Richard Levitte - VMS Whacker-2 wrote
>> > openssl verify -CAfile your_ca_cert.pem SignedCertificate.pem
>> >
>> > Hope that helped
>> >
>> > Cheers,
>> > Richard
>> >
>> > openssl-users mailing list
>> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>>
>>
>>
>>
>> --
>> Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users







Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread Salz, Rich via openssl-users


On 5/3/18, 4:24 AM, "morthalan"  wrote:

> No, technically not. I am just searching for a simple method just to check a
> certificate is signed by CA or not.
> Because. Something like signing check, I am not quite sure, I do not have
> proper knowledge on Openssl.


If you have a cert, and a list of CA's that you trust, look at the verify 
command.
 



Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread J Decker
a root cert is the self signed cert.


On Thu, May 3, 2018 at 2:50 AM, morthalan 
wrote:

> But In my case, I do not have any root certificate. I have only one signed
> certificate (SignedCertificate.pem) and one certificate signing request
> (certReq.pem) . So when I use it as below
>
> openssl verify -CAfile SignedCertificate.pem SignedCertificate.pem
>
> I am getting error  "error 20 at 0 depth lookup:unable to get local issuer
> certificate".
> I believe it is for verifying certificate chain trust. Correct me if I am
> wrong. Is there anyway to manipulate it?
>
>
> Richard Levitte - VMS Whacker-2 wrote
> > openssl verify -CAfile your_ca_cert.pem SignedCertificate.pem
> >
> > Hope that helped
> >
> > Cheers,
> > Richard
> >
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
>
>
>
> --
> Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread morthalan
But In my case, I do not have any root certificate. I have only one signed
certificate (SignedCertificate.pem) and one certificate signing request
(certReq.pem) . So when I use it as below

openssl verify -CAfile SignedCertificate.pem SignedCertificate.pem

I am getting error  "error 20 at 0 depth lookup:unable to get local issuer
certificate".
I believe it is for verifying certificate chain trust. Correct me if I am
wrong. Is there anyway to manipulate it?


Richard Levitte - VMS Whacker-2 wrote
> openssl verify -CAfile your_ca_cert.pem SignedCertificate.pem
> 
> Hope that helped
> 
> Cheers,
> Richard
> 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users







Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread Richard Levitte
openssl verify -CAfile your_ca_cert.pem SignedCertificate.pem

Hope that helped

Cheers,
Richard

In message <1525335799770-0.p...@n7.nabble.com> on Thu, 3 May 2018 01:23:19 -0700 (MST), morthalan  said:

morthalaanilreddy> No, technically not. I am just searching for a simple method just to check a
morthalaanilreddy> certificate is signed by CA or not.
morthalaanilreddy> Because. Something like signing check, I am not quite sure, I do not have
morthalaanilreddy> proper knowledge on Openssl.
morthalaanilreddy>
morthalaanilreddy>
morthalaanilreddy> d3x0r wrote
morthalaanilreddy> > https://github.com/d3x0r/sack.vfs/blob/master/src/tls_interface.cc#L1538
morthalaanilreddy> > this routine does cert validation but I don't thkn that's what you want
morthalaanilreddy> >
morthalaanilreddy> > this verified on a connection
morthalaanilreddy> > https://github.com/d3x0r/SACK/blob/master/src/netlib/ssl_layer.c#L274
morthalaanilreddy> >
morthalaanilreddy> > which boils down to
morthalaanilreddy> > SSL_get_peer_certificate ,  SSL_get_verify_result
morthalaanilreddy> >
morthalaanilreddy> > On Thu, May 3, 2018 at 12:06 AM, Anil kumar Reddy <morthalaanilreddy@> wrote:
morthalaanilreddy> >
morthalaanilreddy> >> Hi everyone,
morthalaanilreddy> >>
morthalaanilreddy> >> I am new to opennssl and now I am completely confused. Please help me out
morthalaanilreddy> >> to solve my issue.
morthalaanilreddy> >>
morthalaanilreddy> >> I have implemented a code to sign the given CSR certificate (certReq.pem),
morthalaanilreddy> >> then generate openssl signed Certificate (SignedCertificate.pem) using the
morthalaanilreddy> >> details of certReq,pem. The code is like self signing, but I have added new
morthalaanilreddy> >> functions to enter additional issuer details. Now I have two private keys
morthalaanilreddy> >> one from CA, another from CSR, one CSR (certReq.pem) and Signed Certificate
morthalaanilreddy> >> (SignedCertificate.pem). In SignedCertificate.pem, the subject details and
morthalaanilreddy> >> the issuer details are different. There is no problem with codes.
morthalaanilreddy> >>
morthalaanilreddy> >> The issue is:
morthalaanilreddy> >> I am unable to find out the exact command lines or c/c++ program functions
morthalaanilreddy> >> to prove the SignedCertificate.pem is signed or not. I have spent more than
morthalaanilreddy> >> one day on researching, but I am end up with confusion. I do not have any
morthalaanilreddy> >> digital certificate chain.
morthalaanilreddy> >>
morthalaanilreddy> >>
morthalaanilreddy> >> Could anyone kindly provide any information regarding this.
morthalaanilreddy> >>
morthalaanilreddy> >> Thanks in advance,
morthalaanilreddy> >>
morthalaanilreddy> >> --
morthalaanilreddy> >> openssl-users mailing list
morthalaanilreddy> >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
morthalaanilreddy> >>
morthalaanilreddy> >>
morthalaanilreddy> >
morthalaanilreddy> > --
morthalaanilreddy> > openssl-users mailing list
morthalaanilreddy> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
morthalaanilreddy>
morthalaanilreddy>

Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread J Decker
Or using the javascript interface

https://www.npmjs.com/package/sack.vfs#interface

https://github.com/d3x0r/sack.vfs/blob/master/tests/tlsTest.js#L28

if( vfs.TLS.validate( {cert:signedCert3, chain:signedCert2+cert} ) )
console.log( "Chain is valid." );

On Thu, May 3, 2018 at 12:36 AM, J Decker  wrote:

> https://github.com/d3x0r/sack.vfs/blob/master/src/tls_interface.cc#L1538
> this routine does cert validation but I don't think that's what you want
>
> this verified on a connection
> https://github.com/d3x0r/SACK/blob/master/src/netlib/ssl_layer.c#L274
>
> which boils down to
> SSL_get_peer_certificate ,  SSL_get_verify_result
>
> On Thu, May 3, 2018 at 12:06 AM, Anil kumar Reddy <
> morthalaanilre...@gmail.com> wrote:
>
>> Hi everyone,
>>
>> I am new to opennssl and now I am completely confused. Please help me out
>> to solve my issue.
>>
>> I have implemented a code to sign the given CSR certificate
>> (certReq.pem), then generate openssl signed Certificate
>> (SignedCertificate.pem) using the details of certReq,pem. The code is like
>> self signing, but I have added new functions to enter additional issuer
>> details. Now I have two private keys one from CA, another from CSR, one CSR
>> (certReq.pem) and Signed Certificate (SignedCertificate.pem). In
>> SignedCertificate.pem, the subject details and the issuer details are
>> different. There is no problem with codes.
>>
>> The issue is:
>> I am unable to find out the exact command lines or c/c++ program
>> functions to prove the SignedCertificate.pem is signed or not. I have spent
>> more than one day on researching, but I am end up with confusion. I do not
>> have any digital certificate chain.
>>
>>
>> Could anyone kindly provide any information regarding this.
>>
>> Thanks in advance,
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>>
>


[openssl-users] disable session id reuse

2018-05-03 Thread Mody, Darshan (Darshan)
Hi,

While doing an openssl s_time command I find that by default it tries for 
Session Id Reuse. "Now timing with session id reuse."

In case we don't want openssl to reuse session IDs, how can we configure 
openssl in the application for the same?

The application here is acting as a server.

I have set  SSL_CTX_set_session_cache_mode to SSL_SESS_CACHE_OFF

Thanks
Darshan


Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread morthalan
No, technically not. I am just searching for a simple method just to check a
certificate is signed by CA or not. 
Because. Something like signing check, I am not quite sure, I do not have
proper knowledge on Openssl.


d3x0r wrote
> https://github.com/d3x0r/sack.vfs/blob/master/src/tls_interface.cc#L1538
> this routine does cert validation but I don't think that's what you want
> 
> this verified on a connection
> https://github.com/d3x0r/SACK/blob/master/src/netlib/ssl_layer.c#L274
> 
> which boils down to
> SSL_get_peer_certificate ,  SSL_get_verify_result
> 
> On Thu, May 3, 2018 at 12:06 AM, Anil kumar Reddy <morthalaanilreddy@> wrote:
> 
>> Hi everyone,
>>
>> I am new to opennssl and now I am completely confused. Please help me out
>> to solve my issue.
>>
>> I have implemented a code to sign the given CSR certificate
>> (certReq.pem),
>> then generate openssl signed Certificate (SignedCertificate.pem) using
>> the
>> details of certReq,pem. The code is like self signing, but I have added
>> new
>> functions to enter additional issuer details. Now I have two private keys
>> one from CA, another from CSR, one CSR (certReq.pem) and Signed
>> Certificate
>> (SignedCertificate.pem). In SignedCertificate.pem, the subject details
>> and
>> the issuer details are different. There is no problem with codes.
>>
>> The issue is:
>> I am unable to find out the exact command lines or c/c++ program
>> functions
>> to prove the SignedCertificate.pem is signed or not. I have spent more
>> than
>> one day on researching, but I am end up with confusion. I do not have any
>> digital certificate chain.
>>
>>
>> Could anyone kindly provide any information regarding this.
>>
>> Thanks in advance,
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>>
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



Re: [openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread J Decker
https://github.com/d3x0r/sack.vfs/blob/master/src/tls_interface.cc#L1538
this routine does cert validation but I don't think that's what you want

this verified on a connection
https://github.com/d3x0r/SACK/blob/master/src/netlib/ssl_layer.c#L274

which boils down to
SSL_get_peer_certificate ,  SSL_get_verify_result

On Thu, May 3, 2018 at 12:06 AM, Anil kumar Reddy <
morthalaanilre...@gmail.com> wrote:

> Hi everyone,
>
> I am new to opennssl and now I am completely confused. Please help me out
> to solve my issue.
>
> I have implemented a code to sign the given CSR certificate (certReq.pem),
> then generate openssl signed Certificate (SignedCertificate.pem) using the
> details of certReq,pem. The code is like self signing, but I have added new
> functions to enter additional issuer details. Now I have two private keys
> one from CA, another from CSR, one CSR (certReq.pem) and Signed Certificate
> (SignedCertificate.pem). In SignedCertificate.pem, the subject details and
> the issuer details are different. There is no problem with codes.
>
> The issue is:
> I am unable to find out the exact command lines or c/c++ program functions
> to prove the SignedCertificate.pem is signed or not. I have spent more than
> one day on researching, but I am end up with confusion. I do not have any
> digital certificate chain.
>
>
> Could anyone kindly provide any information regarding this.
>
> Thanks in advance,
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>


[openssl-users] How to prove a Certificate is Signed or not

2018-05-03 Thread Anil kumar Reddy
Hi everyone,

I am new to OpenSSL and now I am completely confused. Please help me out
to solve my issue.

I have implemented a code to sign the given CSR certificate (certReq.pem),
then generate openssl signed Certificate (SignedCertificate.pem) using the
details of certReq.pem. The code is like self signing, but I have added new
functions to enter additional issuer details. Now I have two private keys
one from CA, another from CSR, one CSR (certReq.pem) and Signed Certificate
(SignedCertificate.pem). In SignedCertificate.pem, the subject details and
the issuer details are different. There is no problem with codes.

The issue is:
I am unable to find out the exact command lines or c/c++ program functions
to prove the SignedCertificate.pem is signed or not. I have spent more than
one day on researching, but I ended up with confusion. I do not have any
digital certificate chain.


Could anyone kindly provide any information regarding this.

Thanks in advance,