RE: [ANNOUNCE] OpenSSL 0.9.6g released
I feel it was pretty appropriate. We upgraded to 0.9.6e when we saw the vuln. Now they can do a DOS instead of a Buffer Overflow, correct? The consensus in my development team was that it was much better to be able to crash the application than be able to obtain access to the box. The only bad thing you could say is the fact that our release date was the same day that g came out.. Oh well. :)

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aleksey Sanin
Sent: Friday, August 09, 2002 9:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [ANNOUNCE] OpenSSL 0.9.6g released

The issue here is responsiveness yet maintaining stability and compilability in the releases. There should only have been _ONE_ release, not _THREE_.

Please, raise your hands everyone who never was in the same situation! This is the life, move forward! Now OpenSSL team has a stable release and an experience on how to deal with such situation. Cross your fingers and they will never do it again :)

Aleksey Sanin

BTW, thanks for creating patches and new release(s) so quickly!

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: [ANNOUNCE] OpenSSL 0.9.6g released
See how bad you can slaughter the English language when you don't have coffee? ;-)

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew T. Finnell
Sent: Saturday, August 10, 2002 10:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [ANNOUNCE] OpenSSL 0.9.6g released

I feel it was pretty appropriate. We upgraded to 0.9.6e when we saw the vuln. Now they can do a DOS instead of a Buffer Overflow, correct? The consensus in my development team was that it was much better to be able to crash the application than be able to obtain access to the box. The only bad thing you could say is the fact that our release date was the same day that g came out.. Oh well. :)

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aleksey Sanin
Sent: Friday, August 09, 2002 9:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [ANNOUNCE] OpenSSL 0.9.6g released

The issue here is responsiveness yet maintaining stability and compilability in the releases. There should only have been _ONE_ release, not _THREE_.

Please, raise your hands everyone who never was in the same situation! This is the life, move forward! Now OpenSSL team has a stable release and an experience on how to deal with such situation. Cross your fingers and they will never do it again :)

Aleksey Sanin

BTW, thanks for creating patches and new release(s) so quickly!
Token Auth + OpenSSL
Hi,

We have an existing application that uses OpenSSL for authentication and encryption between two of our custom built applications. We have this already deployed and one of our customers has asked if they can use a Hardware based Token + PKI Server to authenticate these applications. I was curious if there is any way to do this without changing our application.

Currently our application reads the CA + cert/key from the filesystem from three separate pem files. I was hoping there might be some way to have a process run that would fake these files and then really obtain the cert from a PKI server and the key from the Token (That is how tokens work, right? If not then please enlighten me). Basically they want to stick their token in and have the processes authenticate, and take the token out and have them fail.

I was also wondering if there might be a PKI solution that could write out PEM files upon acceptance of a token so that our application can still read files. The end goal is to not change our application now but to offer something as a 'workaround' until we integrate other PKI solutions into our product.

Thank you for any help.

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]
RE: Default_crl_days
Neff,

Nope we have our own script that just uses the openssl tool. Basically we do

.\openssl req -config openssl.cfg -newkey dsa:dsaparam.pem -x509 -nodes -out cacert.pem -keyout cakey.pem

In our openssl.cfg file the only thing near 30 days is the default_crl_days which is why I thought it might have to do with that.

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Neff Robert A
Sent: Monday, May 06, 2002 3:54 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Default_crl_days

Andrew,

If you are using the makess.bat file to generate your CA cert, I would look at that and check for a param called -days in the X509 command. This also may show you why your certs are expiring.

Hope that helps,
Rob

-Original Message-
From: Andrew T. Finnell [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 06, 2002 3:37 PM
To: 'OpenSSL User'
Subject: Default_crl_days

We are having a problem with our certificates becoming invalid in 30 days for our custom application. I looked at the openssl.cfg file we use when creating our self-CA and certificate/key pairs and the only thing that stands out to me is default_crl_days being set to 30 days. Could someone tell me if this would explain the self-signed CA expiring? We do not do any CRL checking so why would this affect anything?

Thanks.

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]
RE: Default_crl_days
Chris,

Yeah that is what I've had to do. Although I had a default_days set at 365, creating a CA seemed to ignore this value. All the other certificates picked it up fine though.

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Cleeland
Sent: Monday, May 06, 2002 5:20 PM
To: [EMAIL PROTECTED]
Subject: RE: Default_crl_days

On Mon, 6 May 2002, Andrew T. Finnell wrote:

Nope we have our own script that just uses the openssl tool. Basically we do

.\openssl req -config openssl.cfg -newkey dsa:dsaparam.pem -x509 -nodes -out cacert.pem -keyout cakey.pem

In our openssl.cfg file the only thing near 30 days is the default_crl_days which is why I thought it might have to do with that.

If you don't specify the number of days using -days, I believe it defaults to 30 days (as specified in openssl.cfg). Add -days 365 to that command line and the expiration should be a year from now.

You can view the expiration date for an x509 certificate by reading the output of

$ openssl x509 -text -in mycert.pem

Look for something like this:

Validity
    Not Before: Mar 22 16:22:15 2002 GMT
    Not After : Mar 22 16:22:15 2003 GMT

-cj
--
Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris
Principal Software Engineer, Object Computing, Inc., +1 314 579 0066
Support Me Supporting Cancer Survivors in Ride for the Roses 2002
Donate at http://www.milodesigns.com/donate
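The 30-day default the thread lands on, reproduced as an added example (this is not code from the thread or from the OpenSSL project). It writes an openssl.cfg whose [ca] section carries default_days = 365 and default_crl_days = 30, generates one CA the way the thread's command does (no -days) and one with -days 365, and checks each with openssl x509 -checkend. It assumes the openssl command-line tool is on the PATH and uses an RSA key in place of the thread's DSA parameters; the file names and config contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "CA expires after 30 days" mistake
# and the -days fix, then check remaining validity with openssl x509 -checkend.
# Assumptions: the openssl command-line tool is installed; an RSA key stands in for
# the thread's DSA parameters so no dsaparam.pem file is needed.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# A config like the thread's openssl.cfg: default_days and default_crl_days live in
# the [ca] section, which only `openssl ca` reads. `openssl req -x509` ignores both.
cat > "$WORK/openssl.cfg" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca ]
default_days = 365
default_crl_days = 30
EOF

# make_ca NAME [DAYS]: self-signed CA cert+key in $WORK; empty DAYS => no -days flag
make_ca() {
    name="$1"; days="$2"
    if [ -n "$days" ]; then set -- -days "$days"; else set --; fi
    openssl req -config "$WORK/openssl.cfg" -x509 -newkey rsa:2048 -nodes \
        -subj "/CN=$name" -keyout "$WORK/$name-key.pem" -out "$WORK/$name-cert.pem" \
        "$@" 2>/dev/null
}

# not_after CERT: the "Not After" value that `openssl x509 -text` shows under Validity
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# expires_within_days CERT DAYS: prints yes if CERT expires within DAYS days, else no
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        echo no
    else
        echo yes
    fi
}

make_ca default ""      # as in the thread: no -days, so req -x509 falls back to 30 days
make_ca yearlong 365    # the fix from the thread: -days 365

for ca in default yearlong; do
    echo "$ca CA: Not After $(not_after "$WORK/$ca-cert.pem");" \
         "expires within 60 days: $(expires_within_days "$WORK/$ca-cert.pem" 60)"
done
```

Both default_days and default_crl_days belong to the [ca] section that openssl ca reads when it signs requests; openssl req -x509 looks only at its own -days option and falls back to 30 days when it is absent, which is why the config change alone had no effect on the CA certificate. The -checkend call is the check a monitoring job would run: it exits non-zero once the certificate is inside the given window, so it catches a short-lived CA before the clients start failing.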
RE: Certificate Problem / get_peer_certificate + ssldump
) Handshake
1 12  2.2465 (0.0017)  C>SV3.1(103)  application_data
1 13  2.2474 (0.0008)  S>CV3.1(40)  application_data
1 14  2.2485 (0.0010)  C>SV3.1(159)  application_data
1 15  2.2500 (0.0014)  S>CV3.1(52)  application_data
1 16  2.2508 (0.0008)  S>CV3.1(5200)  application_data

download:

1 26 73.8719 (0.0414)  C>SV3.1(115)  Handshake
1 27 73.8729 (0.0009)  S>CV3.1(94)  Handshake
1 28 73.9787 (0.1058)  S>CV3.1(1864)  Handshake
1 29 73.9789 (0.0002)  S>CV3.1(336)  Handshake
1 30 73.9789 (0.)  S>CV3.1(35)  Handshake
1 31 74.0222 (0.0433)  C>SV3.1(954)  Handshake
1 32 74.0234 (0.0011)  S>CV3.1(22)  Alert
1    74.0244 (0.0009)  S>C  TCP FIN
1 33 74.0255 (0.0011)  C>SV3.1(154)  Handshake
1 34 74.0255 (0.)  C>SV3.1(73)  Handshake
1 35 74.0255 (0.)  C>SV3.1(21)  ChangeCipherSpec
1 36 74.0255 (0.)  C>SV3.1(36)  Handshake
1    74.0256 (0.0001)  C>S  TCP FIN

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Rescorla
Sent: Monday, April 22, 2002 12:36 PM
To: [EMAIL PROTECTED]
Subject: Re: Certificate Problem / get_peer_certificate

Andrew T. Finnell [EMAIL PROTECTED] writes:

I do not know. I do not have access to these machines they are at our client's location. I suppose we could try and get them to install ssldump and run it. Although I am not sure this is an option.

ssldump can read data captured with 'tcpdump -s 8192 -w' if that helps at all.

In general, this sort of thing is very difficult to diagnose without either ssldump traces or OpenSSL logging info.

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
Certificate Problem / get_peer_certificate
I am reposting this with a different account. Hopefully my previous email didn't get sent to a lot of people. I have no control over HTML being put in my other account's email as the Exchange server does this automatically. Sorry.

Dear fellow developers,

I am experiencing some problems with a product we released. We rely on a public/private key architecture. The client connects to our server and we check to see if the certificate the client had was signed by us. I do this by checking to see if I can even get a client certificate. From my understanding if the client does not have a trusted certificate signed by the same CA as the server or by a trusted CA the server will not receive the certificate (from the application's point of view).

I do a SSL_get_peer_certificate and everything works for a while. But all of a sudden I never get a certificate from the client. This causes our server to think the client isn't validated. The only way we seem to be able to fix this is to re-create all new certificates. The certificates are set to expire in a year but the problem occurs within weeks/months of deployment and continues to happen.

Does anyone have any insight on how this could be happening?

Thank you for your time.

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]
RE: Certificate Problem :)
Michal,

This is using the OpenSSL libraries through TCP/IP communications. More specifically, it is through the use of SSLIOP (CORBA). This happens on all Win32 machines - Solaris 6/7. And Win32 - Win32.

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michal Bachorik
Sent: Monday, April 22, 2002 12:08 PM
To: Openssl ([EMAIL PROTECTED])
Subject: Re: Certificate Problem :)

On Mon, 22 Apr 2002, Andrew Finnell wrote:

Dear fellow developers,

I am experiencing some problems with a product we released. We rely on a public/private key architecture. The client connects to our server and we check to see if the certificate the client had was signed by us. I do this by checking to see if I can even get a client certificate. From my understanding if the client does not have a trusted certificate signed by the same CA as the server or by a trusted CA the server will not receive the certificate (from the application's point of view).

I do a SSL_get_peer_certificate and everything works for a while. But all of a sudden I never get a certificate from the client. This causes our server to think the client isn't validated. The only way we seem to be able to fix this is to re-create all new certificates. The certificates are set to expire in a year but the problem occurs within weeks/months of deployment and continues to happen.

Does anyone have any insight on how this could be happening?

Thank you for your time.

what type of connection do you speak of? https or ssh? and what platform you are running on?

- Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485

--
snail-mail : Michal Bachorik
             Nedozerskeho 207
             Nedozery 972 12
             SLOVAKIA
phone : +421 862 54 85 220
e-mail : [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
RE: Certificate Problem / get_peer_certificate
Eric,

I do not know. I do not have access to these machines they are at our client's location. I suppose we could try and get them to install ssldump and run it. Although I am not sure this is an option.

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Rescorla
Sent: Monday, April 22, 2002 12:25 PM
To: [EMAIL PROTECTED]
Subject: Re: Certificate Problem / get_peer_certificate

Andrew T. Finnell [EMAIL PROTECTED] writes:

I do a SSL_get_peer_certificate and everything works for a while. But all of a sudden I never get a certificate from the client. This causes our server to think the client isn't validated. The only way we seem to be able to fix this is to re-create all new certificates. The certificates are set to expire in a year but the problem occurs within weeks/months of deployment and continues to happen. Does anyone have any insight on how this could be happening? Thank you for your time.

What does ssldump say?

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
RE: binaries
What kind of platforms are we looking to have this on? I have somewhat access to a large set of machines including the following:

Compilers:
--
Visual C++ 6.0
Visual C++ .NET
SunCC 5.2
gcc (of course.. )

Platforms:
--
Windows NT 4.0
Windows 2000
Windows 2000 Advanced Server
Windows XP Professional
Sparc Solaris 7
Sparc Solaris 8
Any version of linux, because of course the distros are free.

What kind of support would everyone expect from this? I would like to know what all would be involved or better yet, what the people from this group would _expect_. Would anyone be opposed to a small fee for these? Maybe a subscription type fee that would be very minimal in the range of $5/month, or something like that just so the machines hosting this can be paid for and the time doing this is paid for. As everyone knows bandwidth is not free nowadays and depending on the traffic received it can cost a pretty penny. I would like some ideas as to what could be done with this and what people would/wouldn't do for these binaries. This could become a great way to alleviate the build pain some people experience.

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard Levitte - VMS Whacker
Sent: Wednesday, March 27, 2002 6:43 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: binaries

A note on this: if someone wants to produce OpenSSL binaries in a consistent way and put them out somewhere, I'd be happy to link to them or the directory they're in. Note that consistently means that there should be some kind of note saying exactly how the binaries were produced and what is required to install them. It also means that the production of binaries shouldn't just be on a one-time basis, I don't think that several links to various versions of the otherwise same binary is very useful.

Basically, I'm looking for people to commit themselves for some time, and to handle it nicely when they need to do something else (basically, hand it off to someone else that can commit in the same manner).

Another note: neither me nor the rest of the OpenSSL team will take *any* responsibility for the quality of the binaries. All we'll do is to set up the links. If there are viruses coming with the binaries, blame the one who produced them, not us, or blame yourself for not having an updated virus scanner. I know this sounds harsh, I just don't want the middle man to be attacked.

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
RE: Duplicate Posts
See that is quite strange. My assumption is I don't think it has to do with the Mailing list server itself but rather your Mail Client applications. Why not post the clients everyone is using that is receiving duplicate posts? If they are all the same then it's a safe bet it's the client. I am subscribed multiple times under different accounts and have never received duplicate posts and I use Outlook XP.

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Emanuel Dejanu
Sent: Monday, March 18, 2002 3:54 AM
To: [EMAIL PROTECTED]
Subject: RE: Duplicate Posts

I have the same problem.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Aarno Syvanen
Sent: 18 martie 2002 10:40
To: [EMAIL PROTECTED]
Subject: Re: Duplicate Posts

Roger F. Borrello, Jr. wrote:

Am I the only one getting 4 or 5 copies of posted messages?

No, I have the same problem.

Aarno
RE: SSL
Mike,

We are a Software Consulting firm and would like to know what it is you need completed. We would be happy to look over your requirements and come up with a plan.

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Broda
Sent: Wednesday, February 20, 2002 4:47 PM
To: [EMAIL PROTECTED]
Subject: SSL

Hi,

I am looking for someone who would be interested in doing some contract. I have a small client/server app that needs to use SSL. If you know anyone who can help me please let me know.

Thanks.
Mike.
RE: SSL
Sorry folks, that wasn't supposed to go to the whole group. My apologies!

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew T. Finnell
Sent: Friday, February 22, 2002 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: SSL

Mike,

We are a Software Consulting firm and would like to know what it is you need completed. We would be happy to look over your requirements and come up with a plan.

- Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Broda
Sent: Wednesday, February 20, 2002 4:47 PM
To: [EMAIL PROTECTED]
Subject: SSL

Hi,

I am looking for someone who would be interested in doing some contract. I have a small client/server app that needs to use SSL. If you know anyone who can help me please let me know.

Thanks.
Mike.
Building crypto library
Hello all,

I want to compile an executable that will only support EDH-DSS-DES-CBC3-SHA. I tried configuring with these options:

no-idea no-rsa no-cast no-bf no-rc4 no-rc5 no-rc2 no-des

but when I go to compile I get errors in evp.h because a union is defined and it is empty because of all the #defines.. Basically I want one application that will support EDH-DSS-DES-CBC3-SHA and another that will support EXP1024-DHE-DSS-DES-CBC-SHA. So I figured I would create two libcrypto builds but I cannot find the configuration options to make it work the way I want. Any ideas?

- Andrew T. Finnell
ActiveSol.net
[EMAIL PROTECTED]
Re: Cipher questions...
I was under the impression that we didn't need to use export ciphers anymore? Could someone just glaze over this fact?

- Andrew

- Original Message -
From: David Schwartz [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, January 03, 2002 3:58 AM
Subject: Re: Cipher questions...

On Wed, 2 Jan 2002 22:53:50 -0600, Vincent Toms wrote:

Hello All, I have a question about what ciphers to use in an export ready app. I then watch the connection and it picks one of these ciphers and conducts the interaction successfully. My question is do I need to do any more than use one of these ciphers? I was also thinking of doing some stuff on the server, but for now I'll let the client pick until I figure a better way to check client location from the server. Does any one have suggestions as to what I should do?

How do you link to the OpenSSL library? And is this an open-source app? Which license exemption were you aiming for or were you planning to seek a license?

DS
RE:
If you downloaded the files you would realize there are makefiles in the package for NT and Win32

- Andrew

- Andrew T. Finnell
ActiveSol
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Karpagam R
Sent: Wednesday, December 19, 2001 6:28 AM
To: [EMAIL PROTECTED]
Subject:

Hi

I need to download OPEN SSL on windows NT version for my project purpose. I really find only the tar files related to linux version in the concerned site. Pls. let me know any URL from wherein I can download OPEN SSL-Windows NT version

Regards
Thanks
R.Karpagam
Software Engineer
Kshema Technologies
RE: problems with private keys... please help! urgent!
Mike,

Are the CA of these files self-signed? If they are, why not try regenerating new public/private key pairs. It looks to me like the files you have are corrupted. The error routines:X509_check_private_key:key values mismatch means that the certificate you are loading does not belong to the private key you have specified.

If the CA is not self-signed (i.e. from Verisign or Thawte) then I would still create some temporary self-signed key pairs and try using them to test your overall system setup. If the ones you just generated work then I would say your old files got corrupted. If they don't then I would say that something is wrong with your install/compile of openssl. (Or something else. :)

- Andrew

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike K
Sent: Tuesday, December 18, 2001 3:34 PM
To: [EMAIL PROTECTED]
Subject: Re: problems with private keys... please help! urgent!

Same problem regarding unable to load key when doing this. I know my pass is correct. Any other ideas? Thanks for the help. Is this error the reason why apache won't startssl?

-Mike

- Original Message -
From: Saju Paul [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 18, 2001 11:33 AM
Subject: Re: problems with private keys... please help! urgent!

If the private key has been created with a password (usually is); then the same password needs to be supplied using the -passin argument. for ex:

openssl rsa -noout -modulus -in server.key -passin pass:mypasswd | openssl md5

If the -passin argument is not used; it could be picking up a default passin password from the openssl.cnf file. Check the openssl.cnf for a default passin and make sure it matches the password you used to create the private key.

---
- Original Message -
From: Mike K [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 18, 2001 2:32 PM
Subject: Re: problems with private keys... please help! urgent!

It never asked me for a password

- Original Message -
From: Saju Paul [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 18, 2001 10:23 AM
Subject: Re: problems with private keys... please help! urgent!

For domain1, I tried to check the md5's of each of the key and crt... The md5 for the crt shows up fine. When I try to get the md5 for the .key, I get this error:

# openssl rsa -noout -modulus -in server.key | openssl md5
read RSA key
unable to load key
d41d8cd98f00b204e9800998ecf8427e

I get this error when I use an incorrect password... check your password..

- Original Message -
From: Mike K [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 18, 2001 1:31 PM
Subject: problems with private keys... please help! urgent!

Hi all...

Before upgrading, one of my virtual domains (ip based) had SSL setup and was working fine. The second domain did not work. The error was odd according to people in IRC support channels, and I was told to upgrade to all of the latest versions. I did that. Now when I try to run startssl, I get errors on BOTH virtual domains.

The domain that had once worked produces these errors:

[Mon Dec 17 16:41:46 2001] [error] mod_ssl: Init: (.com:443) Unable to configure RSA server private key (OpenSSL library error follows)
[Mon Dec 17 16:41:46 2001] [error] OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

The domain2, that I couldn't get to work before the upgrade, produces these errors:

[Mon Dec 17 16:45:43 2001] [error] mod_ssl: Init: Private key not found (OpenSSL library error follows)
[Mon Dec 17 16:45:43 2001] [error] OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long

-

For domain1, I tried to check the md5's of each of the key and crt... The md5 for the crt shows up fine. When I try to get the md5 for the .key, I get this error:

# openssl rsa -noout -modulus -in server.key | openssl md5
read RSA key
unable to load key
d41d8cd98f00b204e9800998ecf8427e

I get this same unable to load key error for any key I try to get the md5 checksum for

Any help in getting both of my virtual domain's (the two that need SSL) working is greatly appreciated.

Thanks.
-Mike

PS: Here is the Virtual Server entry from httpd.conf for domain2... domain1 has the exact same (but updated ip and paths)

NamevirtualHost xxx.xxx.xxx.44:443
<VirtualHost xxx.xxx.xxx.44:443>
SSLEngine On
SSLCipherSuite
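The modulus comparison Saju Paul suggests, as an added example that is not part of the thread or of OpenSSL itself. It builds a matching key/certificate pair, an unrelated key, and a passphrase-protected copy of the matching key, then compares the MD5 of each modulus the way the thread does, and recognises the one hash value that means "nothing was hashed at all". It assumes the openssl command-line tool is installed; all key material, passphrases and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "X509_check_private_key:key values
# mismatch" diagnosis with the modulus comparison the thread suggests, and show why an
# "unable to load key" error hands openssl md5 an empty input.
# Assumptions: the openssl command-line tool is installed; all keys and certs are
# throwaway RSA material generated in a temp dir (constructed for this example).
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the self-signed cert can be issued non-interactively.
printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' > "$WORK/req.cfg"

# Key A and a certificate issued from it: the pair mod_ssl expects to find.
openssl genrsa -out "$WORK/keyA.pem" 2048 2>/dev/null
openssl req -config "$WORK/req.cfg" -x509 -new -key "$WORK/keyA.pem" -subj "/CN=example" \
    -days 30 -out "$WORK/certA.pem" 2>/dev/null
# Key B, unrelated to the cert: stands in for a server.key that was replaced or corrupted.
openssl genrsa -out "$WORK/keyB.pem" 2048 2>/dev/null
# Key A again, passphrase-protected: the case where -passin (with the right value) matters.
openssl rsa -in "$WORK/keyA.pem" -aes256 -passout pass:secret -out "$WORK/keyA-enc.pem" 2>/dev/null

# MD5 of an empty input. openssl md5 prints this whenever the command feeding the
# pipe produced no output, i.e. when openssl rsa failed to load the key at all.
EMPTY_MD5=d41d8cd98f00b204e9800998ecf8427e

# modulus_md5 cert|key FILE [PASSIN]: the md5 of the RSA modulus, as in the thread's
# `openssl rsa -noout -modulus ... | openssl md5`. An encrypted key must be given a
# PASSIN argument (pass:..., file:..., env:...) or openssl rsa would prompt on the tty.
modulus_md5() {
    if [ "$1" = cert ]; then
        openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl md5 | sed 's/^.*= *//'
    elif [ -n "$3" ]; then
        openssl rsa -noout -modulus -in "$2" -passin "$3" 2>/dev/null | openssl md5 | sed 's/^.*= *//'
    else
        openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl md5 | sed 's/^.*= *//'
    fi
}

# pair_status CERT KEY [PASSIN]: match | mismatch | key-not-loaded
pair_status() {
    c="$(modulus_md5 cert "$1")"
    k="$(modulus_md5 key "$2" "$3")"
    if [ "$k" = "$EMPTY_MD5" ]; then
        echo key-not-loaded       # the thread's d41d8cd9... symptom: nothing was hashed
    elif [ "$c" = "$k" ]; then
        echo match
    else
        echo mismatch             # what X509_check_private_key reports as key values mismatch
    fi
}

echo "certA + keyA            : $(pair_status "$WORK/certA.pem" "$WORK/keyA.pem")"
echo "certA + keyB            : $(pair_status "$WORK/certA.pem" "$WORK/keyB.pem")"
echo "certA + keyA-enc, wrong : $(pair_status "$WORK/certA.pem" "$WORK/keyA-enc.pem" pass:wrong)"
echo "certA + keyA-enc, right : $(pair_status "$WORK/certA.pem" "$WORK/keyA-enc.pem" pass:secret)"
```

The hash in Mike's output, d41d8cd98f00b204e9800998ecf8427e, is the MD5 of an empty input: openssl rsa failed to load the key, wrote nothing into the pipe, and openssl md5 hashed zero bytes. A "checksum" equal to this value therefore says nothing about the key beyond the fact that it never loaded, whether because of a wrong passphrase, a file that is not a PEM/DER key at all (the ASN1_get_object:header too long error on domain2 is what such a file produces), or a truncated file. Comparing a real modulus hash against the certificate's is the check that actually answers the key values mismatch question.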
Re: Echo is openssl
Marcos,

However if you look through the openssl source code it has a method that turns echoing off for its own passphrase obtaining method. You could consult that code on how to turn off the echo. But Lutz is correct, console operations have nothing to do with OpenSSL.

- Andrew

- Original Message -
From: Lutz Jaenicke [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 12, 2001 11:55 AM
Subject: Re: Echo is openssl

On Wed, Dec 12, 2001 at 12:31:30PM +, Marcos D. Marado Torres wrote:

Hi there... I posted this problem once, but as I didn't have any reply I'm trying again: I'm working on a SSL server using openSSL. Problem is, when I'm asking for a string to the user, I don't want that string to echo... I tried to do that with the ways I do to telnet connections (sending some chars that are interpreted by terminal) but nothing works with openssl. I'm using openssl libraries for the server, and openssl to the client connection to the server.

Your problem has nothing to do with openssl. Sending terminal control sequences should be transparent to TLS/SSL layer around it.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: Echo is openssl
Marcos,

I don't see what obtaining input from the user has to do with OpenSSL? You should be able to take all the openssl code out of your application and still be able to obtain input from the console. Maybe we are confused about what your problem is?

- Andrew

- Original Message -
From: Marcos D. Marado Torres [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 12, 2001 12:19 PM
Subject: Re: Echo is openssl

Well... So, I don't know. This code works out with telnet connections or used in any other program, but it doesn't work here... Any clue?

Regards,
Mind Booster

On Wed, 12 Dec 2001, Andrew T. Finnell wrote:

Marcos,

However if you look through the openssl source code it has a method that turns echoing off for its own passphrase obtaining method. You could consult that code on how to turn off the echo. But Lutz is correct, console operations have nothing to do with OpenSSL.

- Andrew

- Original Message -
From: Lutz Jaenicke [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 12, 2001 11:55 AM
Subject: Re: Echo is openssl

On Wed, Dec 12, 2001 at 12:31:30PM +, Marcos D. Marado Torres wrote:

Hi there... I posted this problem once, but as I didn't have any reply I'm trying again: I'm working on a SSL server using openSSL. Problem is, when I'm asking for a string to the user, I don't want that string to echo... I tried to do that with the ways I do to telnet connections (sending some chars that are interpreted by terminal) but nothing works with openssl. I'm using openssl libraries for the server, and openssl to the client connection to the server.

Your problem has nothing to do with openssl. Sending terminal control sequences should be transparent to TLS/SSL layer around it.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

--
===
Marcos Marado AKA Mind Booster
===
Visit Mind Booster NetWorks on: http://mindbooster.cjb.net
Mail me to: [EMAIL PROTECTED]
===
It is so very hard to be an on-your-own-take-care-of-yourself-because-there-is-no-one-else-to-do-it-for-you grown-up.
Re: Echo is openssl
Marcos,

We are very willing to help you out but from what you are saying it doesn't make any logical sense. Please describe in much more detail what you are trying to do. I do not see how console output/input has anything to do with openssl.

Thanks
- Andrew

- Original Message -
From: Marcos D. Marado Torres [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 12, 2001 12:41 PM
Subject: Re: Echo is openssl

I'm working out the server code, but I'm testing it using openssl as the client too. I know that client can turn the echo off, but what I want is that, for that string, echo is taken for user! Something like:

---
Tell me your password:
---

And client when writes the password it will not echo!

On Wed, 12 Dec 2001, Lutz Jaenicke wrote:

On Wed, Dec 12, 2001 at 05:17:38PM +, Marcos D. Marado Torres wrote:

Yes, it should... But it isn't! Isn't it a problem with openssl? (The client I'm using to connect...).

What is the client? In your original mail you are claiming to be working on the server side. Turning off the echo on the client must be done by the client. (stty for the commandline tool, or termio/termios for the programming interface.) Of course, the client software must handle the control sequences sent by the server. (Or the terminal emulator used has an echo off control sequence, that is being directly being honored.)

Best regards,
Lutz

--
===
Marcos Marado AKA Mind Booster
===
Visit Mind Booster NetWorks on: http://mindbooster.cjb.net
Mail me to: [EMAIL PROTECTED]
===
It is so very hard to be an on-your-own-take-care-of-yourself-because-there-is-no-one-else-to-do-it-for-you grown-up.