ASN1_IA5STRING to char*
Hi, How do I convert an ASN1_IA5STRING to a char*? Thanks in advance, Arun
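The question gets no answer on this page. As an added example (editor's code, not from the thread and not OpenSSL code), the pure-Python decoder below shows the property that makes the conversion non-trivial: an ASN1_IA5STRING is an ASN1_STRING whose bytes are length-counted through ASN1_STRING_length() and reached through ASN1_STRING_data() (ASN1_STRING_get0_data() from 1.1.0); the data is not defined to be NUL-terminated and may itself contain a NUL, the trick behind the NUL-prefix certificate attack. A char* therefore has to be built by copying exactly that many bytes and appending a terminator, after refusing embedded NULs and bytes outside 7-bit ASCII. The DER inputs are hand-constructed.

```python
"""Turn a DER IA5String into a C-style string the safe way. Added example, not
code from the thread or from OpenSSL. The data of an ASN1_IA5STRING is
length-counted (ASN1_STRING_length()), not defined to be NUL-terminated, and can
itself contain NUL, so the length must come from the encoding, never strlen()."""

IA5STRING_TAG = 0x16


class IA5Error(ValueError):
    pass


def parse_ia5string(der):
    """Text of one DER IA5String TLV, or IA5Error."""
    if len(der) < 2 or der[0] != IA5STRING_TAG:
        raise IA5Error("not an IA5String TLV")
    first, pos = der[1], 2
    if first < 0x80:                               # short-form length
        length = first
    else:                                          # long form: 0x8N then N octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise IA5Error("bad length encoding")
        length, pos = int.from_bytes(der[2:2 + n], "big"), 2 + n
        if length < 0x80:
            raise IA5Error("non-minimal length (BER, not DER)")
    body = der[pos:pos + length]
    if len(body) != length or pos + length != len(der):
        raise IA5Error("length does not match the data")
    if any(b >= 0x80 for b in body):               # IA5 is 7-bit
        raise IA5Error("non-ASCII byte in IA5String")
    if b"\x00" in body:                            # would truncate a strcpy()'d char*
        raise IA5Error("embedded NUL in IA5String")
    return body.decode("ascii")


def to_c_string(der):
    """The char* equivalent: exactly the counted bytes plus our own terminator."""
    return parse_ia5string(der).encode("ascii") + b"\x00"


def decodes(der):
    try:
        parse_ia5string(der)
        return True
    except IA5Error:
        return False


# Constructed inputs (hand-encoded DER, not taken from any real certificate).
GOOD = bytes([IA5STRING_TAG, 0x17]) + b"http://crl.example.com/"
LONG = bytes([IA5STRING_TAG, 0x81, 0xC8]) + b"a" * 200
WITH_NUL = bytes([IA5STRING_TAG, 0x1A]) + b"www.bank.com\x00.evil.example"
NON_ASCII = bytes([IA5STRING_TAG, 0x03]) + b"ab\xe9"
TRUNCATED = bytes([IA5STRING_TAG, 0x05]) + b"abc"
```

In C the same rule applies: allocate ASN1_STRING_length(s) + 1 bytes, memcpy the data, write the terminator yourself, and treat a memchr() hit for 0x00 inside the counted bytes as an error rather than as the end of the string.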
CRL checks on x509 certificate using get_crl callback vs manually calling store->check_crl
Hi, We are using openssl in our application for secure socket communications. What is the best way to check the revocation status of an x509 certificate using CRLs?

1) Register a callback to the store context's get_crl function. In the callback function, load the CRL and return.

2) Let openssl first verify that the server certificate is trusted and valid. Get the certificate chain. For each chain in the certificate: get the CRL for the certificate; check if the certificate is revoked.

3) Is there another suggested method of verifying if a certificate is revoked?

There does not seem to be good enough information on this on the net. If someone can describe this in detail, it would help many others implementing secure connections using openssl. Thanks in advance, Regards, Arun
when to use CRYPTO_set_locking_callback and CRYPTO_set_dynlock_create_callback
Hi, We are using openssl 1.0.0d in our multi-threaded application. I would like to know when to set CRYPTO_set_locking_callback and when to set the CRYPTO_set_dynlock_* callbacks. The openssl document says that the *dyn* callbacks are required to improve performance. From the openssl code, it seems only the e_chil engine is using them. Please correct me if I am wrong here. Is the application required to set all the callbacks, or just CRYPTO_set_locking_callback and CRYPTO_THREADID_set_callback? Also, if the *dyn* callbacks are set, does the application still need to set CRYPTO_set_locking_callback and CRYPTO_THREADID_set_callback? Thanks in advance, Arun
Re: Additional checks on peer certificate
On Tue, Jun 22, 2010 at 2:17 AM, Marcel Fransen marcel.fran...@quintiq.com wrote:

Hi, I want to do some additional checks on the peer certificate, like a hostname check. My first question is how I should get access to the peer certificate in the verify callback. The documentation for X509_STORE_CTX_get_current_cert(ctx) states that in case of no error this may return NULL, so I guess I should not just call this one at depth 0, as the certificate does not need to be in an error state (although that seems to work). I guess using SSL_CTX_set_verify(ssl) is also a bad idea and should only be called after the verify (so not from the callback), although I did not test this. I now use X509_STORE_CTX_get_chain when at depth 0 and use the certificate at entry 0 in this stack. Is this the correct way to get access to the peer certificate?

My second question is on when to do this check in the callback. I now do it when at depth 0 and preverify_ok was 1. This used to work OK until I added an "accept an expired certificate" option in the callback (when a certain command line option is set). In the case of the expired certificate (the initial preverify_ok is 0 in this case) I do the check and return 1. What I now see is that after this return the callback gets called another time for the same certificate, but with preverify_ok 1. So now the additional verification is done twice (still works but is not what I had in mind ;-). So now I guess that I should change the code to only do the additional check when the INITIAL preverify_ok was 1, is this correct? And is it intended behaviour that it works like this (calling the callback again for a certificate that was originally not OK but is made OK by the return code of the callback), so my changes won't break in a future version?

Kind regards, Marcel Fransen

SSL calls your callback function for two reasons:

1) The moment it finds something has gone wrong. This is when your callback was called with preverify set to 0. It is the responsibility of the callback function to decide if that is a fatal error or not. In your case, your callback can get the SSL error and see if it is "certificate expired" and choose to ignore it by returning 1. When the callback returns 1, SSL goes ahead with doing further checks on the certificate.

2) Once all the internal verifications are done, SSL finally calls your callback with preverify set to 1. This is when you should be doing your additional checks on the certificate, like verifying the host name etc.

The current certificate at depth zero is the peer certificate, which is the same as getting the chain and querying for the certificate at depth zero.

Regards, Arun
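Arun's reply settles where in the callback the extra check belongs; the check Marcel mentions, hostname matching, is not shown. As an added example (editor's code, not part of the thread), here is a pure-Python hostname matcher in the style of RFC 6125 that the depth-0, preverify_ok == 1 branch of a callback would apply to the dNSName and iPAddress values already pulled out of the peer certificate's subjectAltName (in OpenSSL via X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); that extraction is assumed and not shown). Partial-label wildcards such as w*.example.com are rejected, as is a wildcard for a name with fewer than three labels, and an IP literal is only ever compared with iPAddress entries. The sample SAN values are constructed.

```python
"""Hostname check for the depth-0, preverify_ok == 1 branch of a verify callback.
Added example, not from the thread. Inputs are the dNSName and iPAddress values
already extracted from the peer certificate's subjectAltName (assumed done by the
caller, e.g. with X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL))."""

import ipaddress


def _match_dns_name(pattern, hostname):
    """RFC 6125 style comparison of one dNSName against the requested host:
    case-insensitive, trailing dot ignored, and a wildcard is accepted only as the
    entire leftmost label of a name with at least three labels (so never *.com,
    never w*.example.com, and never matching across a dot)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def hostname_matches(hostname, san_dns, san_ip):
    """True if the certificate's SAN covers hostname.
    An IP literal must equal an iPAddress entry; it is never compared with
    dNSName entries, and a wildcard never matches an IP address."""
    ip = _as_ip(hostname)
    if ip is not None:
        return any(_as_ip(s) == ip for s in san_ip)
    return any(_match_dns_name(p, hostname) for p in san_dns)


# Constructed sample: what a callback might see in the peer certificate's SAN.
SAMPLE_DNS = ["www.example.com", "*.api.example.com"]
SAMPLE_IPS = ["192.0.2.10"]
```

If the certificate has no dNSName at all, RFC 6125 allows falling back to the subject commonName; that fallback is deliberately left out here, since a certificate with a subjectAltName must be judged on the SAN alone.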
How to free SSL_METHOD structure
Hi, What is the function to be called to free an SSL_METHOD * created using SSLv23_client_method or other similar methods? Thanks, Arun
is openssl library thread safe
Hi, Is the openssl library thread safe, so that it can be used in a multithreaded environment as is? Thanks, Arun
openssl ocsp responder unauthorised error
Hi, When will an OCSP responder respond with an unauthorized error for an OCSP request? It is a Windows Server 2008 machine. Thanks, Arun
openssl command to add extension
Hi, What is the command to create a certificate signing request with x509 extensions, say for an OCSP responder? Thanks, Arun
X509_STORE function to clear error
Hi, What is the function to use to clear any error in an X509_STORE_CTX? Thanks, Arun
Detect CRL format
Hi, Given a CRL file, how do I detect its format, i.e. whether it is PEM encoded or ASN.1 (DER)? Thanks, Arun
Re: Detect CRL format
Thanks!

On Thu, Jun 3, 2010 at 4:54 PM, Dr. Stephen Henson st...@openssl.org wrote:

On Thu, Jun 03, 2010, Mounir IDRASSI wrote:

Hi, One simple and efficient method to distinguish between PEM and DER encoding for a CRL or a certificate is to read the first byte: if it's equal to 0x30 then this is DER (this is the start of an ASN.1 SEQUENCE), otherwise it is PEM encoded. This works ONLY if you are sure that the given file is either PEM or DER encoded and that the encoded object is an ASN.1 SEQUENCE.

Since the 0x30 byte corresponds to the ASCII character '0' there is a slight chance this will fail if the file is in PEM format and contains text before the PEM headers. This can be further reduced by checking the length field following the SEQUENCE tag.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
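The two heuristics in this exchange (first byte 0x30, then the length field after the SEQUENCE tag), as an added example in pure Python; this is editor's code, not code from the thread or from OpenSSL. The length check is made strict: the SEQUENCE has to account for exactly the rest of the file, which is what defeats the "PEM with leading text starting with '0'" case Steve describes. The positive PEM test is a matching BEGIN/END header pair. In an OpenSSL program the equivalent is to try PEM_read_bio_X509_CRL() and, if that fails, BIO_reset() and try d2i_X509_CRL_bio(). The sample inputs are constructed and are not real CRLs.

```python
"""Tell DER from PEM for a CRL or certificate file. Added example, not from the
thread or from OpenSSL: first-byte test, then the check that the SEQUENCE length
field accounts for exactly the rest of the file, with a BEGIN/END header pair as
the positive PEM test."""

import re

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def der_sequence_length(data):
    """(header_len, content_len) for a DER SEQUENCE starting at offset 0, or None
    if the bytes are not a well-formed DER SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                                # short form
        return 2, first
    n = first & 0x7F                                # long form: n length octets
    if n == 0 or n > 4 or len(data) < 2 + n:        # 0x80 is indefinite (BER, not DER)
        return None
    content = int.from_bytes(data[2:2 + n], "big")
    if content < 0x80 or data[2] == 0:              # DER requires the minimal encoding
        return None
    return 2 + n, content


def detect_format(data):
    """'DER', 'PEM' or 'unknown'. A leading 0x30 alone is not decisive: it is
    ASCII '0', so PEM preceded by text such as '0 revoked ...' would be
    misclassified. The length field has to match the file size exactly."""
    hdr = der_sequence_length(data)
    if hdr is not None and sum(hdr) == len(data):
        return "DER"
    m = PEM_BEGIN.search(data)
    if m and b"-----END " + m.group(1) + b"-----" in data[m.end():]:
        return "PEM"
    return "unknown"


# Constructed samples (not real CRLs): the DER ones are just well-formed SEQUENCEs.
SHORT_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])                 # SEQUENCE { INTEGER 5 }
LONG_DER = b"\x30\x81\x83" + b"\x04\x81\x80" + b"\x00" * 128      # 131-byte content
PEM_CLEAN = b"-----BEGIN X509 CRL-----\nMAA=\n-----END X509 CRL-----\n"
PEM_WITH_PREFIX = b"0 revoked certificates listed below\n" + PEM_CLEAN
```

A DER file with trailing bytes (for example a stray newline appended by a tool) is reported as unknown rather than guessed at; relax the equality to "less than or equal" only if you are prepared to accept the misclassification Steve warns about.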
get_crl callback
Hi, Is setting X509_STORE_CTX->get_crl to my callback function the right way of getting a callback to load the CRL for the X509 certificate? Thanks, Arun
RE: printing a certificate
Look at openssl-*/apps/x509.c

Arun

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dallas Clement
Sent: Wednesday, June 02, 2010 9:50 AM
To: openssl-users@openssl.org
Subject: printing a certificate

Hi, Would someone kindly tutor me on how to print out a certificate programmatically? I know how to extract the common name, but was just wondering if there is an API function to just print the whole thing in human readable form?

    X509 *pX509Peer = SSL_get_peer_certificate( pSsl );
    if ( pX509Peer != 0 )
    {
        // Extract the common name from the peer's certificate
        X509_NAME_get_text_by_NID( X509_get_subject_name( pX509Peer ),
                                   NID_commonName, commonName, commonNameBufferSize );
    }

Thanks, Dallas
get_crl : callback to download CRL
Hi, How do I register the callback to download the CRL for the SSL certificate? Thanks, Arun
Certificate revocation check
Hi, How do I check in my code if a certificate is revoked or not? From what I googled: the x509 certificate contains a set of CRL distribution points, i.e. a set of URLs. We need to download the CRL. The CRL contains the serial numbers of the certificates that were revoked and the date on which they were revoked. If the peer certificate's serial number is present in the CRL, then it should be deemed revoked. What are the openssl APIs to do this? Also, is this the right way of checking if a certificate has been revoked? Thanks in advance, Arun
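This question, the two get_crl questions above and the CRL-checks question at the top of the page all describe the same procedure (find the distribution point, fetch the CRL, look up the serial). As an added example (editor's code, not from the thread and not OpenSSL code), the pure-Python block below shows what the lookup has to include before "serial number is present in the list" can be trusted: the CRL is usable only after its signature has been verified with the issuing CA's key (X509_CRL_verify() in OpenSSL; represented here by a flag, since nothing is signed in this example), its issuer must equal the certificate's issuer because serial numbers are unique only per CA, and the current time must fall inside thisUpdate/nextUpdate, with a stale CRL treated as an error rather than as "not revoked". The sample CRL is constructed inline with a tiny DER encoder and carries an all-zero placeholder signature. In OpenSSL itself this logic is built in: add CRLs with X509_STORE_add_crl() (or supply them through the store's get_crl hook, which is what the callback questions ask about; X509_STORE_set_get_crl() exists from 1.1.0), then set X509_V_FLAG_CRL_CHECK, plus X509_V_FLAG_CRL_CHECK_ALL to cover every certificate in the chain, with X509_STORE_set_flags().

```python
"""CRL lookup the safe way: signature, then issuer, then validity window, then
serial. Added example, not code from the thread or from OpenSSL. The CRL is
built inline with a tiny DER encoder and carries a placeholder signature, so
signature verification (X509_CRL_verify() in OpenSSL) is represented by a flag."""

from datetime import datetime, timezone


# Minimal DER encoder, used only to construct the sample CRL.
def _der_len(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(n):  # non-negative INTEGER (serials); the spare byte keeps the sign bit clear
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def utc_time(s):  # UTCTime, e.g. "240101000000Z"
    return tlv(0x17, s.encode("ascii"))

def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { commonName OID, UTF8String } } }
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn))))

SHA256_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
ISSUER = name(b"Example CA")

def build_crl(this_update, next_update, revoked):
    """CertificateList (RFC 5280 5.1) with an all-zero BIT STRING where the signature goes."""
    entries = b"".join(tlv(0x30, der_int(s) + utc_time(t)) for s, t in revoked)
    tbs = tlv(0x30, der_int(1) + SHA256_RSA + ISSUER + utc_time(this_update)
              + utc_time(next_update) + tlv(0x30, entries))
    return tlv(0x30, tbs + SHA256_RSA + tlv(0x03, b"\x00" * 33))

# Constructed sample: v2 CRL from "Example CA" listing two revoked serials.
SAMPLE_CRL = build_crl("240101000000Z", "251231235959Z",
                       [(0x1001, "240315120000Z"), (0xABCDEF, "240601000000Z")])


# DER reader and CRL parser.
def read_tlv(buf, pos):
    """(tag, value, next_pos) for the TLV at pos; rejects truncated input."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out

def parse_time(tag, v):
    s = v.decode("ascii")
    if tag == 0x17:  # UTCTime: two-digit year, >= 50 means 19xx (RFC 5280 4.1.2.5.1)
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_crl(der):
    """Issuer (raw DER Name), thisUpdate, nextUpdate and the set of revoked serials."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    (_, tbs), _sig_alg, _sig = children(body)
    fields = children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0          # optional version INTEGER
    issuer = tlv(0x30, fields[i + 1][1])          # fields[i] is the AlgorithmIdentifier
    this_update = parse_time(*fields[i + 2])
    next_update, revoked = None, set()
    for tag, v in fields[i + 3:]:                 # nextUpdate?, revokedCertificates?, [0] exts?
        if tag in (0x17, 0x18):
            next_update = parse_time(tag, v)
        elif tag == 0x30:
            for _, entry in children(v):
                serial_tag, serial, _ = read_tlv(entry, 0)
                if serial_tag != 0x02:
                    raise ValueError("revoked entry does not start with a serial")
                revoked.add(int.from_bytes(serial, "big", signed=True))
    return {"issuer": issuer, "this_update": this_update, "next_update": next_update, "revoked": revoked}

def is_revoked(crl, cert_issuer_der, cert_serial, now, signature_verified):
    """True/False for a usable CRL; ValueError when the CRL must not be consulted."""
    if not signature_verified:
        raise ValueError("CRL signature not verified against the issuer's key")
    if crl["issuer"] != cert_issuer_der:      # serials are only unique per issuer
        raise ValueError("CRL issuer differs from certificate issuer")
    if now < crl["this_update"]:
        raise ValueError("CRL not yet valid")
    if crl["next_update"] is not None and now > crl["next_update"]:
        raise ValueError("CRL is stale: fetch a fresh one rather than failing open")
    return cert_serial in crl["revoked"]

def check(crl, cert_issuer_der, cert_serial, now, signature_verified=True):
    """'revoked', 'good' or 'error: <reason>' for callers that want a status string."""
    try:
        return "revoked" if is_revoked(crl, cert_issuer_der, cert_serial, now, signature_verified) else "good"
    except ValueError as exc:
        return "error: " + str(exc)
```

The issuer comparison is a byte comparison of the DER Names, which is stricter than OpenSSL's X509_NAME_cmp() but correct for a CRL and certificate produced by the same CA software. Note what the question's description leaves out: whether the serial appears in the list is the last step, not the only one.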