RE: DES - 3DES (novice)

2001-10-04 Thread Aaron Kronis

Thanks Robert.
I think it worked; does this look correct to you (or anyone)?
-output
Connection from 17f, port e904
SSL connection using RC4-MD5
Client does not have certificate.
Got 23 chars:'Hello World! Encrypt me'
-end---

(Is it in fact 3DES now? I've been at
http://www.openssl.org/docs/apps/ciphers.html
to see if it looks right, but I can't tell. It reports RC4-MD5
but not DES-CBC3-SHA... I don't understand the syntax in the call.
Can you please explain how RC4-MD5 is on the left of the colon ':' and
how it is used with the DES-CBC3-SHA on the right?)

If this IS right, then will I need to create a working certificate for
the client next?

SSL_CTX_set_cipher_list(yourCTX, "RC4-MD5:DES-CBC3-SHA");

Thanks very much, I'm sure this is simple and I just need to get these
few answers to move forward.

Aaron

-Original Message-
Here's an example:
  SSL_CTX_set_cipher_list(yourCTX, "RC4-MD5:DES-CBC3-SHA");

HTH,
Rob
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Need to use 3des not des

2001-10-03 Thread Aaron Kronis

Hello,

I have compiled and run a demo program that encrypts a string of text
and sends it across a socket connection where it is encrypted. This is
obviously using the ssl.h library. 

What I need to do is change the encryption from DES to 3DES.
I cannot yet figure out where to do this. Is there a chance that this
information may be stored in the certificate on the server? I noticed
that it has a field for AU which would have to be ENC to allow for 3des,
but then would I have to generate a new certificate (if so, where do I
begin) or is it simply somewhere in the code?
Here's some of the code:
  SSL_CTX* ctx; /* defined above */

...main body...

  SSL_load_error_strings();
  SSLeay_add_ssl_algorithms();

  meth = SSLv23_server_method();

  ctx = SSL_CTX_new (meth);
  if (!ctx) {
    ERR_print_errors_fp(stderr);
    exit(2);
  }

  if (SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0) {
    ERR_print_errors_fp(stderr);
    exit(3);
  }
  if (SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM) <= 0) {
    ERR_print_errors_fp(stderr);
    exit(4);
  }

  if (!SSL_CTX_check_private_key(ctx)) {
    fprintf(stderr, "Private key does not match the certificate public key\n");
    exit(5);
  }

  /* --- */

  /* TCP connection is ready. Do server side SSL. */

  ssl = SSL_new (ctx);   CHK_NULL(ssl);
  SSL_set_fd (ssl, sd);
  err = SSL_accept (ssl);  CHK_SSL(err);

  /* Get the cipher - opt */

  printf ("SSL connection using %s\n", SSL_get_cipher (ssl));

  /* Get client's certificate (note: beware of dynamic allocation) - opt */

  client_cert = SSL_get_peer_certificate (ssl);
  if (client_cert != NULL) {
    printf ("Client certificate:\n");

    str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
    CHK_NULL(str);
    printf ("\t subject: %s\n", str);
    Free (str);   /* OpenSSL's free for the buffer X509_NAME_oneline() allocated */

    str = X509_NAME_oneline (X509_get_issuer_name  (client_cert), 0, 0);
    CHK_NULL(str);
    printf ("\t issuer: %s\n", str);
    Free (str);

    /* We could do all sorts of certificate verification stuff here
       before deallocating the certificate. */

    X509_free (client_cert);
  } else
    printf ("Client does not have certificate.\n");

..ETC.
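Added example (not from the thread and not OpenSSL's own code): a small C model of how the colon-separated string handed to SSL_CTX_set_cipher_list() is read, which answers the left-of-the-colon question in the reply above and shows why the server in this post reports RC4-MD5 instead of 3DES. It assumes the server picks in its own list order (OpenSSL does this when SSL_OP_CIPHER_SERVER_PREFERENCE is set; by default the client's order decides, which gives the same result when both sides list RC4-MD5 first) and it does not link against libssl, so select_cipher() stands in for the real negotiation rather than calling it.

```c
#include <stdio.h>
#include <string.h>

/* Server-side cipher choice with SSL_OP_CIPHER_SERVER_PREFERENCE set: walk the
 * server's colon-separated list left to right and return the first entry the
 * client also offered, copied into 'out'. NULL means no overlap, which a real
 * SSL_accept() reports as "no shared cipher". */
const char *select_cipher(const char *server_list,
                          const char *const *client_offered, int nclient,
                          char *out, size_t outlen)
{
    const char *p = server_list;
    while (*p) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        for (int i = 0; i < nclient; i++) {
            if (strlen(client_offered[i]) == len &&
                strncmp(client_offered[i], p, len) == 0 && len < outlen) {
                memcpy(out, p, len);
                out[len] = '\0';
                return out;
            }
        }
        if (!sep)
            break;
        p = sep + 1;
    }
    return NULL;
}

int main(void)
{
    /* Constructed client offers: one client supports both suites, one only RC4. */
    const char *const both[] = { "DES-CBC3-SHA", "RC4-MD5" };
    const char *const rc4_only[] = { "RC4-MD5" };
    char buf[64];
    const char *r;

    /* The list from the thread: RC4-MD5 sits first, so it is picked. */
    r = select_cipher("RC4-MD5:DES-CBC3-SHA", both, 2, buf, sizeof buf);
    printf("RC4-MD5:DES-CBC3-SHA -> %s\n", r ? r : "no shared cipher");
    /* Listing only DES-CBC3-SHA leaves 3DES as the only possible outcome. */
    r = select_cipher("DES-CBC3-SHA", both, 2, buf, sizeof buf);
    printf("DES-CBC3-SHA         -> %s\n", r ? r : "no shared cipher");
    /* A client without 3DES then gets no connection at all. */
    r = select_cipher("DES-CBC3-SHA", rc4_only, 1, buf, sizeof buf);
    printf("DES-CBC3-SHA vs RC4  -> %s\n", r ? r : "no shared cipher");
    return 0;
}
```

In the real program the equivalent of the second case is SSL_CTX_set_cipher_list(ctx, "DES-CBC3-SHA") before SSL_accept(), after which the existing SSL_get_cipher() line prints DES-CBC3-SHA.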