Certificate creation with openssl.cfg days being ignored

2002-06-21 Thread Andrew Finnell





I have a script that creates all my cert/key pairs for me. The thing though is when creating a self-signed CA it does not read the number of days from the openssl.cfg. Is there a way to put in the openssl.cfg how many days the CA should expire in? This has been a huge problem at the moment and was wondering if someone could quickly respond. I thank you very much!

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 





Certificate Problem :)

2002-04-22 Thread Andrew Finnell





Dear fellow developers,


 I am experiencing some problems with a product we released. We rely on a public/private key architecture. The client connects to our server and we check to see if the certificate the client had was signed by us. I do this by checking to see if I can even get a client certificate. From my understanding if the client does not have a trusted certificate signed by the same CA as the server or by a trusted CA the server will not receive the certificate ( from the application's point of view). I do a SSL_get_peer_certificate and everything works for a while. But all of a sudden I never get a certificate from the client. This causes our server to think the client isn't validated. The only way we seem to be able to fix this is to re-create all new certificates. The certificates are set to expire in a year but the problem occurs within weeks/months of deployment and continues to happen. Does anyone have any insight on how this could be happening? Thank you for your time.

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 





RE: binaries

2002-03-25 Thread Andrew Finnell



Paul,
 
 Did you post what the problem was during your compile?

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485

  -Original Message-
  From: Paul E. Prak [mailto:[EMAIL PROTECTED]]
  Sent: Monday, March 25, 2002 5:10 PM
  To: [EMAIL PROTECTED]
  Subject: binaries

  Hi all,

  Can I download the binaries for win32 somewhere?

  I tried almost everything to compile but could not fix it.

  Please help!!!

  Regards,
  Paul


RE: binaries

2002-03-25 Thread Andrew Finnell



Paul,

 Well someone can't just give you binaries because you would need a build specific to your compiler and the settings you want for your application. You probably ought to list your problem including platform, compiler and settings.

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485

  -Original Message-
  From: Paul E. Prak [mailto:[EMAIL PROTECTED]]
  Sent: Monday, March 25, 2002 10:43 PM
  To: [EMAIL PROTECTED]
  Subject: Re: binaries

  Hi Andrew,

  Nope I didn't. It is not a problem with the source.
  My problem is in C++ it acts a bit weird and I do not know the real problem.

  Regards,
  Paul.

    - Original Message -
    From: Andrew Finnell
    To: '[EMAIL PROTECTED]'
    Sent: Monday, March 25, 2002 11:11 PM
    Subject: RE: binaries

    Paul,

    Did you post what the problem was during your compile?

    -
    Andrew T. Finnell
    Software Engineer
    eSecurity Inc
    (321) 394-2485

      -Original Message-
      From: Paul E. Prak [mailto:[EMAIL PROTECTED]]
      Sent: Monday, March 25, 2002 5:10 PM
      To: [EMAIL PROTECTED]
      Subject: binaries

      Hi all,

      Can I download the binaries for win32 somewhere?

      I tried almost everything to compile but could not fix it.

      Please help!!!

      Regards,
      Paul


RE: OpenSSL Key Generation GUI for Windows

2002-01-28 Thread Andrew Finnell





 I was under the impression that on windows OpenSSL uses RAND_screen which will obtain random data from the screen and mouse events? Shouldn't you use that?


-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 



 -Original Message-
 From: Richard Koenning [mailto:[EMAIL PROTECTED]] 
 Sent: Monday, January 28, 2002 7:39 AM
 To: [EMAIL PROTECTED]
 Subject: Re: OpenSSL Key Generation GUI for Windows
 
 
 At 12:55 27.01.2002 +, you wrote:
 I'm thinking of writing a small GUI application that implements just the 2 following functions of:
 
 *Create a self-signed certificate
 *Create a private key
 
 First, is there such an application already around (I can't find any), and secondly, would a random seed made from the current time (date, hour, minutes, seconds, ms) be okay (this would be running under Windows)?
 
 No! (regarding the random seed)
 
 Netscape has (afaik) used such a seeding (time and process id) in early versions of their browsers. The resulting keys were broken in just one or two hours with a simple PC (today it would probably take just minutes). Look into the OpenSSL sources, in crypto/rand is some code for gathering entropy material under windows (iirc). Ciao, Richard Könning
 
 
 -- 
 Dr. Richard W. Könning
 Fujitsu Siemens Computers GmbH, EP LP COM 5
 Phone/Fax: +49-89-636-47852 / 47655
 E-Mail: [EMAIL PROTECTED]
 
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List [EMAIL PROTECTED]
 Automated List Manager [EMAIL PROTECTED]
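
Richard's point about seeding from the time and process id, as an added example that is not part of the original thread and is not OpenSSL or Netscape code: the generator, `derive_key` and the sample time and PID are all hypothetical and constructed. It counts how many seeds a 128-bit key can actually come from when only (time, pid) feed the generator, and shows that walking all of them finds the seed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SplitMix64 step: stands in for any deterministic generator (assumption). */
static uint64_t splitmix64(uint64_t *state) {
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Hypothetical key generator whose only inputs are wall-clock seconds and PID. */
void derive_key(uint32_t unix_time, uint32_t pid, uint8_t key[16]) {
    uint64_t state = ((uint64_t)unix_time << 32) | pid;
    for (int i = 0; i < 2; i++) {
        uint64_t w = splitmix64(&state);
        for (int j = 0; j < 8; j++)
            key[8 * i + j] = (uint8_t)(w >> (8 * j));
    }
}

/* Number of (time, pid) pairs when the creation time is known to a window. */
uint64_t seed_candidates(uint32_t t_lo, uint32_t t_hi, uint32_t pid_max) {
    return (uint64_t)(t_hi - t_lo + 1) * ((uint64_t)pid_max + 1);
}

/* floor(log2(n)): effective key strength in bits, whatever the key length. */
unsigned entropy_bits(uint64_t n) {
    unsigned bits = 0;
    while (n >>= 1)
        bits++;
    return bits;
}

/* Walk every seed in the window. Returns the number of keys derived up to
 * and including the match, or 0 if no seed in the window produces target. */
uint64_t search_seed(const uint8_t target[16], uint32_t t_lo, uint32_t t_hi,
                     uint32_t pid_max, uint32_t *t_out, uint32_t *pid_out) {
    uint64_t tries = 0;
    uint8_t cand[16];
    for (uint32_t t = t_lo; t <= t_hi; t++) {
        for (uint32_t pid = 0; pid <= pid_max; pid++) {
            derive_key(t, pid, cand);
            tries++;
            if (memcmp(cand, target, 16) == 0) {
                *t_out = t;
                *pid_out = pid;
                return tries;
            }
        }
    }
    return 0;
}

int main(void) {
    /* Constructed sample: a key made at some second inside a 10 minute window. */
    const uint32_t t_lo = 1012136000u, t_hi = 1012136599u, pid_max = 32767u;
    uint8_t key[16];
    uint32_t t = 0, pid = 0;

    derive_key(1012136123u, 4242u, key);
    uint64_t n = seed_candidates(t_lo, t_hi, pid_max);
    uint64_t tries = search_seed(key, t_lo, t_hi, pid_max, &t, &pid);

    printf("key length: 128 bits, seed space: %llu (~%u bits)\n",
           (unsigned long long)n, entropy_bits(n));
    printf("seed found after %llu tries: time=%u pid=%u\n",
           (unsigned long long)tries, t, pid);
    return 0;
}
```

The key is 128 bits long but carries about 24 bits of entropy here, which is why the seed has to come from the operating system's entropy source rather than from values an observer can bound.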
 





Anonymous Ciphers

2001-12-17 Thread Andrew Finnell





Good Morning All,


 I am trying to match up some anonymous ciphers to use between JSSE and OpenSSL. I did a dump of JSSE and came across some anonymous ciphers. I then did a dump of the ciphers built into my build of OpenSSL. I did see any that specifically said anonymous so I must be reading them wrong. Now if I use an anonymous cipher suite I do not need to have a public/private key pair for the server nor the client correct? My main goal is to have encryption but not authentication. I would prefer to use DH anonymous with 3DES. I did not see that for OpenSSL though. It doesn't look to me like I have all the ciphers but I could be wrong. Just thought I would start out the day with a seemingly easy question. I just wanted to consort with you guys/gals first. Thanks!

- Andrew


JSSE

SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5


OpenSSL
---
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-64-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5
EXP1024-DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=RC4(56) Mac=SHA1 export
EXP1024-RC4-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
EXP1024-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 export
EXP1024-DES-CBC-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export
EXP1024-RC2-CBC-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC2(56) Mac=MD5 export
EXP1024-RC4-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=MD5 export
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export


-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 





RE: [jacorb-developer] JDK 1.3.0.2 / JacORB 1.4 w/ jsse 1.0.2 Fix/problem

2001-12-12 Thread Andrew Finnell





 Well I have gotten it to work kind of. I am running a TAO server from which I'm connecting to with a JacORB client. I see the debug output on the server but OpenSSL(TAO) complains about 'alert certificate unknown'. I'm taking this to mean that the certificate the client sent over is unknown. Well I don't want the JacORB client to send a certificate over. I only want the server to have a public/private key pair. Or better yet all I want is encryption. I must be missing something or doing something wrong. Anyone have an idea? Although this same code worked with JacORB 1.3 it's kind of strange it doesn't work with JacORB 1.4

Just let me know when you get sick of SSL questions. :-)


- Andrew


-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 



 -Original Message-
 From: Stephan Feder [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, December 12, 2001 2:51 PM
 To: Andrew Finnell
 Cc: '[EMAIL PROTECTED]'
 Subject: Re: [jacorb-developer] JDK 1.3.0.2 / JacORB 1.4 w/ 
 jsse 1.0.2 Fix/problem
 
 
 First: _Do not remove_ the classes listed under 3. in 
 sun_jsse/README.jsse1_0_2. The whole point of my patch was 
 to make that work again!
 
 Now: The JSSE docs clearly state SunX509 as the algorithm 
 for both key and trust managers, and the JSSE classes are 
 found so I suspect that the JSSE provider is not registered.
 
 Did you put 
 
  security.provider.3=com.sun.net.ssl.internal.ssl.Provider
 
 into the java.security file? Otherwise you have to also 
 uncomment the line 
 
  Security.addProvider( new com.sun.net.ssl.internal.ssl.Provider() );
 
 in sun_jsse/SSL(Server)SocketFactory.java.
 
 Hope it works
 
  Stephan
 
  Andrew Finnell wrote:
  
  I used some changes mentioned earlier to make JAcORB 1.4 
 compile with 
  JSSE 1.0.2 and when I try running my application I get a dump like 
  this. Unknown algorithm SunX509?? I believe the changes 
 were suggested 
  by Stephan Fester.
  
  If anyone has any ideas let me know. I'm going to try and 
 figure out 
  what's going on. Thanks!!
  
  - Andrew
  
   StackTrace 
  java.security.NoSuchAlgorithmException: Algorithm SunX509 not 
  available
  at com.sun.net.ssl.b.a([DashoPro-V1.2-120198])
  at com.sun.net.ssl.TrustManagerFactory.getInstance([DashoPro-V1.2-120198])
 ___
 jacorb-developer maillist - 
 [EMAIL PROTECTED]
 http://lists.spline.inf.fu-berlin.de/mailman/listinfo/jacorb-developer
 





Cryptology Questions

2001-12-06 Thread Andrew Finnell





Hi all,


 I was wondering if someone could help me out. I have to speak with some cryptology experts later today and was wondering if some answers could be answered.

 1. What is the normal/(most secure) way to store private keys and protect them? 
  Right now I store them in .pem format in a file and encrypt them with DES-CBC.


 2. What does it mean if someone asks me if we support 'importing X.509 certificate from an external CA'? I thought that you just sign certificates with the CA not import them? Or am I missing something.

 3. What is the normal/(most secure) way to validate the presented partners certificates when a SSL connection is established. Now my understanding was the de facto way was to include the ip/hostname in the CN? Is this correct and does it work both ways meaning. Can the server check to see if its certificates have been moved, i.e. if I copy public/private pairs from server a to server b, should server b check the ip/hostname to see if they really belong. And the client should check the certificate obtained from Server A, to see if it's really Server A correct?

 Ok that's enough with the homework questions. Heh, it's not really homework but I'm sure that the answers are so easy that it seems like it. :) I bought Eric Rescorla's book 'SSL and TLS' and I've been trying to read that but I don't see where he goes into more detail about 'storing keys' and ensuring safety. Of course I could have just blown right by that chapter, I tend to read books backwards.

 Now for my own interest. I see many names being thrown around. I'll tell you what I 'think' I know and please correct me if I'm wrong.

 RSA is a public key cryptology. I take this to mean that the public and private keys ( i.e. certificate/key ) is encrypted over the wire with RSA? Actual application ( for my example we will say application ) data is encoded into a message and then encrypted with a Message Digest? Which can be either MD5 or SHA-1 for RSA but only SHA-1 for DSS. Now this is where I get confused. RSA is also used like DH, in that it's used to negotiate a session key? Is that correct? So basically RSA does two things while DSS relies on DH to be complete?

 Let me see if I can translate this cipher: EDH-DSS-DES-CBC3-SHA. I take this to mean that the session key is negotiated with Ephemeral DH meaning it's randomly generated on one side and not known by both parties. It uses DSS for public key encryption, DES for the actual data stream. I don't know what CBC3 means. But the Message Digest is SHA. Now what's the difference between encrypting with a message digest with SHA but encrypting the data with DES? I thought the message was the data.

 Also reading in Eric's book he says 1024-bit asymmetric keys are about as strong as 80-bit symmetric keys. So why is asymmetric used? I assume its because of performance. It would probably take too long if everything was encrypted with 3DES correct?

 I do apologize for all these questions but I really want to learn SSL and in general Security and Cryptology inside and out but all the different encryptions are throwing me for a loop. I always just thought of cryptology in the terms of using RSA, DES or 3DES but I see there is a lot more to it.

THANKS!


- Andrew


-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 





RE: Cryptology Questions

2001-12-06 Thread Andrew Finnell





Neff,
 
 Thanks for the quick response. You actually helped me understand some aspects that I didn't truly understand before. For example the message digest. I did not know it was a checksum to validate that the data wasn't altered.

--- More questions( better questions I guess? )


 Regarding brute force attacks on the private key, what other mechanism is there to protect these keys and distribute them for that matter. For instance is it valid to have a server send a client its public/private key pairs to use. Then reconnect the server with those keys. The security would come into play because the client needs to know the password to decrypt the private key that it was sent. Is this a good way to distribute client public/private keys? Sneaker footing/emailing the keys or methods that aren't automated or easy to use isn't really available to me.

 As for importing the X.509 certificate, I am focusing on adding it to the certificate chain. How are most certificates stored? Is it just as simple as opening up the certificate.pem(client cert) file and performing some openssl operations to add a cacert.pem(server cert) to the chain? This seems too easy and too prone to attacks. Anyone could just open the file and add their CA.

BTW, thanks for the help anyone can give me. I know everyone is busy and I don't demand that people answer :) I just find that mailing lists like these are full of people that have the answers.

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485


-Original Message-
From: Neff Robert A [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, December 06, 2001 10:20 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Cryptology Questions



hmmm...a tall order for us busy folks...but I'll help you out some.


1. Provided you are using a strong password to encrypt your key when using DES-CBC
you are pretty secure. Remember that if I can get access to, or copy, your .pem file from
off your machine I can run a dictionary attack against it, searching for your encryption
password. If I find that, I can impersonate you.


2. Importing a certificate to me sounds like you are being asked if you are adding the
cert to either your browser's trusted store or your server's cert chain. Some additional
info would help clear that up a bit.


3. First, It is very important that, when validating a cert, you first check that the issuer of
that cert is trusted by you. OpenSSL does this rather easily for you, once you've informed
it of the CA certs you trust. You must do this because I can easily create a certificate
containing www.verisign.com as the issuer but would have to somehow convince you
to store my fake CA cert within your store. The entire issue of trust within the PKI
framework begins with the CA certs you trust. If you don't understand this completely,
please read up more on this topic at either Verisign's or RSA's web site. They have
decent tutorials on PKI.
 Second, you then check that the cert has not expired. The notBefore/notAfter time
periods contained within the cert indicate what period of time the cert can be valid.
Of course, this is how the major CA's make their money, by limiting this period to
usually one year from issuance.
 Third, you check the CN of the cert to ensure that it is indeed the site you are intent
on conversing with. 
 You can do additional checks if you wish to enforce certificate extensions. However
I've not had much experience using those so I'll defer to others...


RSA is an algorithm created to use a public/private key pair where, if using one key for
encryption, you use the other for decryption. If I know your public key, I can encrypt
data and send it to you, confident that ONLY you can decrypt it. However, it is a
slow algorithm compared to the symmetrical ones. That is why it is used only during
the SSL handshake for certificate verification and for transferring the SSL session keys.
It is not used for bulk data encryption like DES/AES/RC4/etc...


Regarding your thoughts on MD5, it is a Message Digest (the MD) of the content being
sent. It is not encrypting the data, per se, but rather creating a strong checksum, if
you will, of the contents. You can then encrypt the MD with your private key and send
it along with your message. Upon receiving your message I would decrypt the MD
using your public key, re-compute the MD of the message sent, and compare it to
the decrypted MD. If they are identical, I know that a) the message has not been
tampered with and b) it could only have been sent by you since only you would have
the corresponding private key to encrypt the MD in the first place.


I know I've glossed over the many details here but hope this is the clarification you are
looking for. If not, ask again.


HTH,
Rob


-Original Message-
From: Andrew Finnell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 06, 2001 9:17 AM
To: 'Openssl ([EMAIL PROTECTED])'
Subject

RE: ssl-cert-HOWTO.txt for review

2001-12-03 Thread Andrew Finnell





 If openssl can generate random data and spit it out in a file then why use a file to begin with? Can't openssl ( tool ) just generate its random data internally and use that? I think that's a lot safer than spitting it out to a file and prevents less problems with the random data getting deleted/viewed. 

- Andrew


-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 



 -Original Message-
 From: Marcus Redivo [mailto:[EMAIL PROTECTED]] 
 Sent: Saturday, December 01, 2001 7:14 PM
 To: [EMAIL PROTECTED]
 Subject: RE: ssl-cert-HOWTO.txt for review
 
 
 Hello Fiel,
 
 Thanks for the comments.
 
 At 10:45 AM 12/1/01 -0800, Fiel Cabral wrote:
 
 My suggestion is to include info about the RANDFILE
 variable. I set RANDFILE=$HOME/.rnd in my environment
 and in the configuration file (the default value: 
 $ENV::HOME/.rnd). If 
 .rnd doesn't exist, I just copy a file to it (usually a 
 binary file or 
 a random-looking log file).
 
 I did not mention the RANDFILE, and in fact left it out of 
 the example configuration, because I was under the impression 
 that if I had /dev/*random I did not need it.
 
 If this is not true, could someone please correct me? Thanks.
 
 Now, the RANDFILE candidate. Using a binary or a log is 
 nowhere near random enough. Fortunately, openssl has a 
 command to create a better random file:
 
 # openssl rand -out $HOME/.rnd 1024
 
 (Don't send the output to your console unless you add the 
 -base64 switch, unless you like abstract art... ;) )
 
 BTW, I'm on the list now.
 
 Marcus Redivo
 
 The Binary Tool Foundry
 PO Box 2087 Stn Main
 Sidney BC Canada
 mailto:[EMAIL PROTECTED]
 http://www.binarytool.com
 
 
 





RE: certificate problem

2001-11-28 Thread Andrew Finnell





 Lutz,


  Well sometimes installing additional software is not acceptable as was in my case. Do you have any other suggestions for people like me? We ship a product that uses OpenSSL and we don't want to install 3rd party apps. While Soo Hom just wants to create certificates with the openssl tool, what would you suggest be done if programmatically to generate random bytes if we cannot install a PRNG emulation package? Thanks.

- Andrew


 -Original Message-
 From: Lutz Jaenicke [mailto:[EMAIL PROTECTED]] 
 Sent: Wednesday, November 28, 2001 5:27 AM
 To: [EMAIL PROTECTED]
 Subject: Re: certificate problem
 
 
 On Wed, Nov 28, 2001 at 08:47:13AM +0100, 
 [EMAIL PROTECTED] wrote:
  Solaris does not support the device /dev/urandom which is 
 necessary to 
  seed the PRNG by default. You can either install a package which 
  emulate /dev/urandom or seed the PRNG
  manually by the following commands :
  
  unsigned char seed_buffer [1024] ;
  
  RAND_pseudo_byte(seed_buffer, 1024) ;
  RAND_seed(seed_buffer, 1024) ;
  ...
  RSA_generate_key(...)
 
 
 This, with all due respect, is no good advice. Depending on the platform (and maybe even compiler settings), the buffer may be memset to 0. Generating pseudo bytes from it will mix in the PID and have the pool mixed. That might look random, but finally (if somebody finds out your method), the generated keys are weak. I strongly suggest using one of the alternative PRNG sources described in the FAQ.
 
 Best regards,
  Lutz
 -- 
 Lutz Jaenicke [EMAIL PROTECTED]
 BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
 Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
 





Is the key exchange asymmetric or symmetric?

2001-10-23 Thread Andrew Finnell



 Is openssl's key exchange asymmetric or symmetric? And could someone explain to me what this means? I have been asked this and need to explain it. If there is a site I could go to learn this stuff I will be more than happy to visit it. Also if anyone could recommend a book about certificates/keys and how to set things up in a secure way. I.e. using a PKI server, a store key and things like that. Thanks!!

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485



No start line

2001-10-22 Thread Andrew Finnell



Could someone tell me what the usual cause of a PEM_read_bio:No start line error is? I am getting this and i think it's causing some problems in my application. Thanks.

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485



Moving write buffer

2001-10-19 Thread Andrew Finnell



 In my application, I am doing something similar to this on the client

SSL_use_PrivateKey_file( "blah" );

SSL_use_certificate_file ( "blah" );

SSL_renegotiate ( ssl );

Now after that is done I try to send a large amount of data on the server and I get a SSL3_WANT_RETRY error. Debugging the code I see that the error is because of the write buffer has moved and the error is happening in ssl3_write_pending. Now I don't want to enable the mode SSL_ACCEPT_MOVING_WRITE_BUFFER so how do I fix this? It seems to only happen when I do a SSL_renegotiate.. Is there something else I'm supposed to do to get my current client connect to use different certificates

Thanks

btw. OpenSSL 0.9.6a is the version I'm using.

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485



PEM_read_bio

2001-10-17 Thread Andrew Finnell



I am getting an error message, PEM_read_bio: No start line. Now I am assuming this may have to do with the pem certificate I'm trying to read, but all my certificates are fine. Could anyone give me some insight on what causes this error. Thanks!

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485



Algorithms

2001-10-10 Thread Andrew Finnell



Could someone point me to a list of all the algorithms OpenSSL uses so that I can put it in the report for the export bureau?

 Thanks! Btw, I didn't see anything of Openssl.org about this

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485



SSL_get_peer_certificate

2001-10-04 Thread Andrew Finnell



 I'm having a problem getting my server on Solaris 8 ( Built with SunCC 5.2 ) to obtain a certificate from my client. I have set SSL_CTX_set_verify ( ctx , SSL_VERIFY_PEER,0 ) on both client and server. I have created valid certificates to the best of my knowledge. The same exact code works on Windows ( any platform ). I am at a loss at what could be happening. SSL_get_peer_certificate always returns a null certificate.. Which to the best of my knowledge means the client didn't send one or the verify failed. How could I go about checking what is wrong? Thanks!

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485



X509_get_notBefore

2001-10-04 Thread Andrew Finnell



I've looked in the documentation but is there a way to get a better form from the return of X509_get_notBefore instead of having to print it to a BIO? I need something I can convert into a date to compare it with the current time... Something that would return a time_t or the number of seconds or something besides a string. Thanks.

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485
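
The question in this post and the notBefore/notAfter step in Rob's earlier reply, as an added example that is not part of the original thread and is not an OpenSSL API: it converts the two time encodings a certificate may carry (UTCTime `YYMMDDHHMMSSZ` and GeneralizedTime `YYYYMMDDHHMMSSZ`) to seconds since the Unix epoch and checks a validity window. The function names are hypothetical, the sample dates are constructed, and it assumes the bytes of the ASN1_TIME have been copied into a NUL-terminated string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CERT_TIME_OK = 0, CERT_NOT_YET_VALID = -1, CERT_EXPIRED = 1,
       CERT_TIME_MALFORMED = -2 };

/* Days from 1970-01-01 to y-m-d (proleptic Gregorian); no libc time calls,
 * so the result does not depend on the local time zone. */
static int64_t days_from_civil(int y, int m, int d) {
    y -= (m <= 2);
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

static int days_in_month(int y, int m) {
    static const int dim[12] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    int leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
    return (m == 2 && leap) ? 29 : dim[m - 1];
}

/* Read n decimal digits; -1 if any character is not a digit. */
static int digits(const char *p, int n) {
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (p[i] < '0' || p[i] > '9')
            return -1;
        v = v * 10 + (p[i] - '0');
    }
    return v;
}

/* Returns 0 and sets *epoch on success, -1 on any malformed input. */
int asn1_time_to_epoch(const char *s, int64_t *epoch) {
    size_t len = strlen(s);
    int year;
    if (len == 13) {                       /* UTCTime: two-digit year */
        year = digits(s, 2);
        if (year < 0)
            return -1;
        year += (year >= 50) ? 1900 : 2000; /* RFC 5280 pivot */
        s += 2;
    } else if (len == 15) {                /* GeneralizedTime */
        year = digits(s, 4);
        if (year < 0)
            return -1;
        s += 4;
    } else {
        return -1;
    }
    int mon = digits(s, 2), day = digits(s + 2, 2);
    int hh = digits(s + 4, 2), mi = digits(s + 6, 2), ss = digits(s + 8, 2);
    if (s[10] != 'Z')
        return -1;
    if (mon < 1 || mon > 12 || day < 1 || day > days_in_month(year, mon))
        return -1;
    if (hh < 0 || hh > 23 || mi < 0 || mi > 59 || ss < 0 || ss > 59)
        return -1;
    *epoch = days_from_civil(year, mon, day) * 86400 + hh * 3600 + mi * 60 + ss;
    return 0;
}

/* Fails closed: anything unparseable or inverted is reported as malformed. */
int check_validity(const char *not_before, const char *not_after, int64_t now) {
    int64_t nb, na;
    if (asn1_time_to_epoch(not_before, &nb) != 0 ||
        asn1_time_to_epoch(not_after, &na) != 0 || nb > na)
        return CERT_TIME_MALFORMED;
    if (now < nb)
        return CERT_NOT_YET_VALID;
    if (now > na)
        return CERT_EXPIRED;
    return CERT_TIME_OK;
}

int main(void) {
    int64_t t;
    if (asn1_time_to_epoch("011004120000Z", &t) == 0)   /* constructed sample */
        printf("notBefore = %lld seconds since the epoch\n", (long long)t);
    printf("status one second late: %d\n",
           check_validity("011004120000Z", "021004120000Z", 1033732801LL));
    return 0;
}
```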



PEM_read_privatekey

2001-09-30 Thread Andrew Finnell



 I'm having some difficulty using PEM_read_privatekey. When I link my application with the debug dll ms runtime PEM_read_privateKey works, but if I link against the release dll ms runtime then PEM_read_PrivateKey exceptions out.. Anyone have a clue why this is?

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485



No shared cipher in debug mode

2001-09-25 Thread Andrew Finnell



Hi all, I have come across quite a strange problem. I have an application that when ran through explorer or the command prompt will run with the DSA cipher. Now when I run the application through Visual Studio 6 or through debug in Visual Studio 6 the application fails with a 'No shared cipher' during the HELLO phase.. I do have SSL_CTX_set_cipher_list ( ctx, "ALL") so I don't understand how I could get a no shared cipher problem Has anyone else run into this problem?

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485



Determining SSL connection to use in password_Callback

2001-09-21 Thread Andrew Finnell






 I have come across a little dilemma.. I set a password callback on a SSL_CTX, and when I went to write the implementation I realized I couldn't determine what SSL * connection was currently in use.. And every SSL connection I have uses a different set of certificate/key pairs. So what is the normal way of determining what connection and/or what cert/key pair needs the password?

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 





RE: Newbie

2001-09-20 Thread Andrew Finnell





 
 
 Michael,


 What I understood from the message was this. He wants to load a file into memory. Encrypt the memory and store that in his database. Right now he is using the openssl tool to do this. He wants to write his own program that will basically write out the encrypted data to his database instead of a file again. Peter am I correct?

- Andrew


 -Original Message-
 From: Michael Sierchio [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, September 20, 2001 11:53 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Newbie
 
 
 Peter Osborne wrote:
  
  Hello All,
  
  I'm a newbie at all of this so bear with me. The company I work for needs to encrypt data before it is stored in a database. Currently, how we are doing this is by writing the data to a file, encrypting the data with the openssl command line utility (openssl enc -rc4 -in file1 -out file2 -pass file:sslkey -e), reading the data out of the file and writing it back into the database.
 
 I am a big fan of stream ciphers, but not for storing data. I'd use DES-EDE-3K for long term storage. Possibly AES-CBC-256
 
  We would like to use the ssl libraries to do all this and skip all the file stuff  command line utilities but I don't know where to start. Does anyone know where I can find some sample code that does simple file encryption/decryption using just a file as the key?
 
 I'm unclear by what you mean by the last phrase. How do you intend to use a file as the key? Do you mean storing the contents of the key in a file? Unencrypted? Why bother with encryption, if that's the case?
 





EncryptInit

2001-09-20 Thread Andrew Finnell



 Dear openssl people,

In one of my classes methods I do something similar to this. I got it off the openssl site. When EVP_EncryptInit is called, it blows away all my memory. My this pointer is invalid and all the local data becomes garbage. I was wondering if there was anything I needed to do? Or if anyone knows why this would happen. BTW EVP_EncryptInit returns 1 but I don't know what that code means, I didn't see it in the docs. Thanks.

unsigned char outbuf[1024];
int outlen, tmplen;
unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
unsigned char iv[] = {1,2,3,4,5,6,7,8};
char intext[] = "ABCD";
EVP_CIPHER_CTX ctx;
EVP_EncryptInit(&ctx, EVP_bf_cbc(), key, iv);

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485


[openssl-users] Preverify Password for certificate

2001-09-10 Thread Andrew Finnell





OpenSSL Ver: 0.9.6b


 Hello all,


  I am writing an application and in my code I would like to verify that a stored password I have will work for a certificate. Is there a programmatic way to do this? I would assume it's with one of the X509 methods but I cannot find any documentation on this. I could look through the openssl code but I thought I would give this out to you all before I spent the day parsing through the openssl code. So to recap I have a password in string form, and want to test it against a certificate to see if it works for that certificate. Thanks a lot.

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 





RE: [openssl-users] Preverify Password for certificate

2001-09-10 Thread Andrew Finnell





 Adas,
  
 Thanks, I will try PEM_read_bio_RSAPrivateKey. Yes I was trying to check if the password was valid for a key not a certificate. I am using the password callback, but that expects a password to be returned. In fact, in that callback I want to check if the password is correct, because if it is not I want to pop up a dialog to ask the user for a different password. Also about the HTML, I have no choice. My mail goes through Exchange server which attaches a server specific signature about itself and converts my email to HTML. I don't like it either but I have no choice.. In fact all the e-mails I write, I only write in plain text, this is how I know the server converts it to HTML anyways.. Sorry.

 - Andrew
 
 
-Original Message-
From: Adam Hernik [mailto:[EMAIL PROTECTED]] 
Sent: Monday, September 10, 2001 11:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [openssl-users] Preverify Password for certificate



I am writing an application and in my code I would like to verify that a stored password I have will work for a certificate. 

Certificate ? Not private key ?
Is there a programmatic way to do this? 
I don't know how to do it for a certificate, which is unencrypted, but if you need to check the password for
a private key, try PEM_read_bio_RSAPrivateKey; it should return null if the password is incorrect.
Don't forget about password_callback. 
Adas. 
ps. I don't like html in mail.





PEM_read_RSAPrivate_Key access violation

2001-09-10 Thread Andrew Finnell






 Hello,
 
 I am trying to use the PEM_read_RSAPrivate_Key method. I do something like this


//-
 FILE * fp = fopen ( "myprivatekey.pem", "r" );


 if ( PEM_read_RSAPrivate_Key ( fp , NULL, 0, MyPassword ) == NULL )
 {
  // Wrong password
 }
//-


 The PEM_read_RSAPrivate_Key method is throwing an access violation and I do not know why. I debugged OpenSSL and the line that is throwing it is the fgets ( buf, len, (FILE*)bp->ptr); Now in my debug session, buf is valid, len is valid ( set at 254 ), and bp->ptr is valid, it returns the same address as the one I created with the fopen. I do not understand how this could happen. Does anyone have any insight? Or know of a different way to use PEM_read_RSAPrivate_Key. Thanks.

 
bss_file.c
static int MS_CALLBACK file_gets(BIO *bp, char *buf, int size)
 {
 int ret=0;


 buf[0]='\0';
 fgets(buf,size,(FILE *)bp->ptr);
 if (buf[0] != '\0')
  ret=strlen(buf);
 return(ret);
 }


-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 





SSLEAY32

2001-08-28 Thread Andrew Finnell







 I have come across a problem I'm not quite sure how to fix. I use d2i_x509 in one of my applications. When I compile on NT I can't find any libssl.lib or libcrypto.lib files; all I find is ssleay32.lib, so I link against that. It comes up with an undefined symbol _d2i_x509. But if I compile on solaris and link against libssl.so and libcrypto.so it compiles. Why is there a difference between the two platforms? 

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485 





RE: SSLEAY32

2001-08-28 Thread Andrew Finnell



 
Yes but for some reason d2i_x509 is not exported by ssleay32 nor libeay32.lib. 
That is what I'm trying to figure out. I link with both of the libraries and 
call d2i_x509 in one of my methods and during linking I get an undefined symbol 
for d2i_x509.

- 
Andrew

  
  -Original Message-
  From: Greg Stark [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, August 28, 2001 4:09 PM
  To: [EMAIL PROTECTED]
  Subject: Re: SSLEAY32

  The library names are different for the win32 build. They are libeay32.lib and ssleay32.lib.

  Greg Stark
  [EMAIL PROTECTED]
  
  
  
- Original Message -
From: Andrew Finnell
To: Openssl ([EMAIL PROTECTED])
Sent: Tuesday, August 28, 2001 3:40 PM
Subject: SSLEAY32

 I have come across a problem I'm not quite sure how to fix. I use d2i_x509 in one of my applications. When I compile on NT I can't find any libssl.lib or libcrypto.lib files; all I find is ssleay32.lib, so I link against that. It comes up with an undefined symbol _d2i_x509. But if I compile on solaris and link against libssl.so and libcrypto.so it compiles. Why is there a difference between the two platforms?

-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485



Creating certificates

2001-08-16 Thread Andrew Finnell






OpenSSL Ver: 0.9.6b
OS: Solaris 8
CC: CC 5.2


 I would like to be able to create certificates without using the openssl tool if possible. I don't like the idea of my program having to call an outside application to create certificates, and I was wondering if there was any documentation on this. OpenSSL.org's site is a little less than helpful for information. These certificates will be used with the ACE/TAO orb. Thanks for the help.


-
Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485