Re: ocsp2.valicert.net
BTW: I also need test signed certificates, signed by the test CAs from the test site you're about to tell me about :-) cj - Original Message - From: Chris Jarshant To: [EMAIL PROTECTED] Sent: Monday, December 02, 2002 5:19 PM Subject: ocsp2.valicert.net All, ocsp2.valicert.net seems to be non-functional. Anyone know of any OCSP Responders I can use to test my OCSP client? I have used openvalidation.org with moderate success (some of their certs don't have the OCSPSigning extended key usage attribute, which openssl promptly rejects). cj
Re: Combine certificates into chain
I was referring to the -setalias, -addtrust, -addreject, -clrtrust, -clrreject, -trustout, etc.. If I get a cert from someone, and it doesn't have the necessary trust/extensions some app requires, I can simply add them. Which to me sounds like those trust settings and/or extensions can't really be trusted, and any app that does so is broken. cj - Original Message - From: Jason Haar [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, November 25, 2002 10:06 PM Subject: Re: Combine certificates into chain On Mon, Nov 25, 2002 at 01:00:18PM -0500, Chris Jarshant wrote: Another asounding fact IMO is that most of the software written today looks for attributes (unsigned of course) like s/mime flags, NsCert garbage, and a host of other extensions that make certs usable for one use or another. Huh? Are you refering to the security hole in IE (and others) that allows people to alter chained certs? That's a separate issue. As far as I'm aware, you *can't* just alter the characteristics of a cert to your whim: you'd break the checksum which *breaks* the signing of that cert. I'd be surprised if any product would be as broken as to allow that... -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Converting own CA certificate to pkcs12
- Original Message - From: Vadim Fedukovich [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, November 24, 2002 12:46 PM Subject: Re: Converting own CA certificate to pkcs12 On Fri, Nov 22, 2002 at 01:50:37PM -0500, Chris Jarshant wrote: You can't convert a public key certificate into a PKCS12 file - the openssl pkcs12 routine *requires* a private key to be in such a file along with the public key, which you cannot have (CAs don't give out their private keys). cj well, given enough interest one still can do that. Just write the tool. openssl pkcs12 is not the only game in the city and pkcs12 specs allow for just a certificate Yep.. I did that on day 2 of my project, after realizing what 'openssl pkcs12' does (or doesn't do, as in this case) (open source *is* handy after all :-) ) cj __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Combine certificates into chain
- Original Message - From: Sebastian Lisken [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, November 22, 2002 11:45 AM Subject: Combine certificates into chain Hi, I have been issued a certificate by a CA. They make a .pkcs12 file available with a password for the private key and I am beginning to look at it with openssl. I convert it with openssl pkcs12 -nokeys -chain, this gives me a I'm curious. You say your CA gave you a PKCS12 file with a cert in it, *and* a private key in it? Whose private key did they give you? If it's yours, then you've just opened a huge security hole by allowing them access to your private key. If it's someone else's, can you send it to me so I can forge some documents? cj __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OCSP and new ASN.1 routines
As per my previous mail, I am writing code that, given a cert, looks to see if it has an embedded OCSP Responder, in order to try and validate the cert with the given Responder. So, I am writing a routine that, given an X509 *cert, looks for the OCSP Responder (all error checking omitted for brevity) AUTHORITY_INFO_ACCESS *aia; X509 *cert; int i; ACCESS_DESCRIPTION *ad; cert = get_cert(); aia = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL); for (i = 0; i sk_ACCESS_DESCRIPTION_num(aia); i++) { ad = sk_ACCESS_DESCRIPTION_num(aia); if (ad-method-nid == NID_ad_OCSP) { printf("found an OCSP acess description\n"); if (ad-location-type == GEN_URI) { printf("OCSP access is through a URI"); printf("URI is: %s\n", ad-location-d.ia5-data); } } } Unfortunately, the 'nid' field of ad-method is always coming out to 0, even though I am calling X509_get_ext_d2i(), which is supposed to decode the extension for me, in its entirety. What's odd is that the ad-location seems fully decoded, i.e. I can see that it is an IA5STRING and can print out the URI. One other point: I know I am not supposed to access the ad-location-d.ia5-data in that way, but I can't figure out the appropriate way to access the string. Can someone give me some pointers on accessing the OCSP Responder URI and the appropriate ASN1 routines to use? Any help is greatly appreciated. cj
Re: PKCS12 and Private Key
Since PKCS12 is simply a container for keys and/or certs, you can certainly craft a PKCS12 file with just a single key or just a single cert in it. Unfortunately the current openssl pkcs12 command enforces a peculiar limitation that each PKCS12 file must have at least one cert and one private key in it, and they must match each other (i.e. the public key in the cert must be the other half of the private key). Luckily this peculiar limitation is removed in 0.9.8, so pkcs12 becomes usable. - Original Message - From: Michael Krustev [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, November 14, 2002 10:38 AM Subject: Re: PKCS12 and Private Key No. It's not possible!!! Sorry, PKCS12 structure holds public/private key pair... --- Oliver Wulff [EMAIL PROTECTED] wrote: Hi Is it possible to store only the private key in a p12 file and hold the certificate and ca certificates in another p12 file? If yes, how can I do that? Oliver *** BITTE BEACHTEN *** Diese Nachricht (wie auch allfällige Anhänge dazu) beinhaltet möglicherweise vertrauliche oder gesetzlich geschützte Daten oder Informationen. Zum Empfang derselben ist (sind) ausschliesslich die genannte(n) Person(en) bestimmt. Falls Sie diese Nachricht irrtümlicherweise erreicht hat, sind Sie höflich gebeten, diese unter Ausschluss jeder Reproduktion zu zerstören und die absendende Person umgehend zu benachrichtigen. Vielen Dank für Ihre Hilfe. __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Do you Yahoo!? Yahoo! Web Hosting - Let the expert host your site http://webhosting.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Problems with SSL_peek()
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello I wonder if anyone can clarify the use of SSL_peek() and SSL_read() for me. I'm using SSL_peek() to look at a SSL session and look at the waiting data, but when I request a particular number of bytes from it with SSL_read() i hit problems, the data after what I ask for disappears. Is this because what I am asking for isn't aligned on a record boundary ? Chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9scHcjSE+mhJt7Z4RAlD6AJ0d/mba4m6S4dAMDc71eXQpxSHmpACeLEti ztC7qLElPs1F2KL4uPEnGhc= =DpKj -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
error: bad magic number
Hello. I am attempting to generate a certificate to be used to secure imap traffic between clients and the server. I have followed the certificate authority's instructions and received a certificate. The problem is that I generated the private key with the command: openssl genrsa -des3 -rand [randfiles] 1024 keyfile.priv but the imap server software requires the private key to be unencrypted (I should not have used the -des3 option). when I attempt to decrypt the private key with the command: openssl des3 -in keyfile.priv -out keyfile.priv.dec -d -k [passwd] I get the error: bad magic number presumably because the string Salted__ does not appear in the file keyfile.priv. I have also used the option -nosalt with no luck. The error there is: 15739:error:0606506D:digital envelope routines:EVP_DecryptFinal:wrong final block length:evp_enc.c:268: the top three lines of the file are: -BEGIN RSA PRIVATE KEY- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,[16digit number] if that makes a difference. I am using openssl version 0.9.6g Aug 2002 Can anyone help me decrypt this file? I do not want to generate a new key since I have already paid for the certificate. Thank you for any assistance. - chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PKCS7 detached signatures no longer detached in 0.9.6e
Which shows the -nd flag (and corresponding API, PKCS7_set_detached()) has no effect. Anyone know why? Is this a permanent change? The preferred method for using PKCS#7 is the high level API or the smime utility, the 'sign' utility is rather old and clunky. I'll check to see if this happens with the smime utility. Steve. Steve, Thanks a bunch for the tip. I was just using the sign utility to illustrate the ineffectiveness of the PKCS7_set_detached() API in recent versions of the toolkit. Which High-level APIs were you referring to? If you are referring to the PKCS7_sign() API, I looked into using it, but the problem is that the data I want to sign is only available from running a series of commands in a row. the PKCS7_sign() API only takes one BIO. Perhaps I should investigate writing my own BIO type that can take an array of shell commands, and produces the output from the shell commands when you read from the BIO? for example: BIO b = new my_bio(); b.addCommand(/usr/bin/echo foo); b.addCommand(/usr/bin/echo bar); char *result = b.BIO_read(...); and result would be foobar. If I did this, could I then pass it to PKCS7_sign()? Is it possible for 3rd-party developers such as myself to write my own BIO, without doing so in the openssl environment that openssl API developers have? The other drawback was that I saw a lot of smime-looking things going on in PKCS7_sign(), which is of no use to me, and worries me that it might interfere with what my application is doing. I don't want or need PCKS7-signed objects floating around with smime-looking attributes. Currently I am using something like this: PKCS7_content_new(p7, ...); p7bio = PKCS7_dataInit(...); PKCS7_set_detached(p7); while ((data = get_some_data()) != NULL) { BIO_write(p7bio, data); } PKCS7_dataFinal(p7, p7bio); fp = resulting_signature_file(); PEM_write_PKCS7(fp, p7); Is there a better way? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Is anyone using openssl ocsp client?
No, but I'm about to for a large project I'm working on... Will keep the group informed. I will be using the programmatic APIs rather than the command line. Hope it's better documented than the other openssl APIs :-) Bob Kupperstein wrote: I'm interested in feedback about reliability, interoperability and response times with different responders. Thanks, -Bob __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: libcrypto stack routines
Ok I finally figured it out: the compare routine's signature needs to be int my_cmp(X509_ATTRIBUTE **a, X509_ATTRIBUTE **b); not int my_cmp(X509_ATTRIBUTE *a, X509_ATTRIBUTE *b); However, my compare routine can only compare a few types of attributes like OCTET_STRINGs and BMPSTRINGs.. It is not a generic, multi-purpose compare routine. If anyone has one or knows of one please let me know!! Chris Jarshant wrote: Is there documentation (aside from looking at the header files) on how to use things like STACK_OF(type) and the sk_*_find() functions? Perhaps I'm going about it wrong, but I can't figure it out. Any help would be most apprecianted. I'm trying to do this: given a STACK_OF(PKCS12_SAFEBAG) instance and a STACK_OF(X509_ATTRIBUTES) instance, I'm trying to find the safebag which has all of the attributes in the given attribute stack. So, here's the code pseudo-code (omitting return values): void find_bag(STACK_OF(PKCS12_SAFEBAG) *bags, STACK_OF(X509_ATTRIBUTES) *attribs) { foreach (s in safebag) { bag_attribs = safebag[s]-attrib; foreach (i in attribs) { attrib = sk_X509_ATTRIBUTE_value(attribs, i); if ((attrib_pos = sk_X509_ATTRIBUTE_find(bag_attribs, attrib)) 0) { printf(couldn't find attrib %d\n, i); return; } else { printf(FOUND attrib at position %d\n, attrib_pos); } } /* all given attributes found in this bag */ printf(bag %d has all the attributes, it's the one you want, s); } The sk_X509_ATTRIBUTE_find() *always* returns -1. I believe this is because the base OpenSSL installation does not include a compare function for the X509_ATTRIBUTE type, so the sk_*_find function can't find an X509_ATTRIBUTE given a STACK_OF them. I tried declaring a compare function myself with the signature: int my_cmp(X509_ATTRIBUTE *a, X509_ATTRIBUTE *b); but when it's called during the sk_*_find invocation, it is passing invalid arguments (i.e. they're not pointers to X509_ATTRIBUTE structures). Anyone have any idea of a better way to do this, or if there is indeed a good X509_ATTRIBUTE compare function I can use when calling the sk_* functions when dealing with X509_ATTRIBUTES? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PKCS12 and private keys
Erwann ABALEA wrote: Probably a limitation of the actual browsers. But you might want to check Mozilla 1.0, which seems to be able to save a bunch of private key/certificate pairs at once. I haven't tested this functionality, but it might be possible that there's only one output file, and that this file is a in PKCS#12 format. I will try this, thanks for the reference. I noticed in MSIE that when you export a single certificate (out of your own certificiate set) it allows a PKCS12 export. However, if you shift-click more than one, the PKCS12 option is greyed out. Also, my app will support multiple keys/certs in a variety of places. For example, the public key cert for user X is in one PKCS12-format file, and the corresponding private key is in a separate PKCS12-format file. Are there any official matching mechanisms? Currently, a user of my app who wishes to sign something with their private key specifies an alias which I map to a friendlyName, then look for their public key cert using that friendlyName, then look for a corresponding private key using the friendlyName. If I can't find a private key with that friendlyName, I use the localKeyID from the public key cert to match. If there is no localKeyID then I error out. Does that sound like a reasonable matching algorithm? Can localKeyIDs be used to match across different files? Well.. I should rephrase.. Is this common, or acceptable practice? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PKCS12 and private keys
Chris Jarshant wrote: Erwann ABALEA wrote: Probably a limitation of the actual browsers. But you might want to check Mozilla 1.0, which seems to be able to save a bunch of private key/certificate pairs at once. I haven't tested this functionality, but it might be possible that there's only one output file, and that this file is a in PKCS#12 format. I will try this, thanks for the reference. I noticed in MSIE that when you export a single certificate (out of your own certificiate set) it allows a PKCS12 export. However, if you shift-click more than one, the PKCS12 option is greyed out. Just download Mozilla 1.1 Beta, imported two of my keys/certs, and exported both of the pair into a single PKCS12 file. It worked! MSIE and NS were both able to import them too, though I still can't re-export them into a single file except from Mozilla. Thanks again for the pointer to an example of multiple private keys. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PKCS12 and private keys
Erwann ABALEA wrote: friendlyName, then look for their public key cert using that friendlyName, then look for a corresponding private key using the friendlyName. If I can't find a private key with that friendlyName, I use the localKeyID from the public key cert to match. If there is no localKeyID then I error out. Does that sound like a reasonable matching algorithm? Can localKeyIDs be used to match across different files? Well.. I should rephrase.. Is this common, or acceptable practice? How is that localKeyID calculated? Is it a hash of the public key? If yes, then this sounds an acceptable practice, if you really *need* to keep separate PKCS#12 files, which is uncommon. localKeyID is calculated differently in different places. MSIE, when exporting keys, makes the localKeyID 01 00 00 00 in all cases, and makes the friendlyName something that resembles a GUID. Netscape seems to hash something or other, as does Mozilla. But in general, I think the localKeyId found on a public key is supposed to match the localKeyId on the corresponding private key. I haven't found any documentation that explicitly says that, but it seems that that's been the case in my experience. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
libcrypto stack routines
Is there documentation (aside from looking at the header files) on how to use things like STACK_OF(type) and the sk_*_find() functions? Perhaps I'm going about it wrong, but I can't figure it out. Any help would be most apprecianted. I'm trying to do this: given a STACK_OF(PKCS12_SAFEBAG) instance and a STACK_OF(X509_ATTRIBUTES) instance, I'm trying to find the safebag which has all of the attributes in the given attribute stack. So, here's the code pseudo-code (omitting return values): void find_bag(STACK_OF(PKCS12_SAFEBAG) *bags, STACK_OF(X509_ATTRIBUTES) *attribs) { foreach (s in safebag) { bag_attribs = safebag[s]-attrib; foreach (i in attribs) { attrib = sk_X509_ATTRIBUTE_value(attribs, i); if ((attrib_pos = sk_X509_ATTRIBUTE_find(bag_attribs, attrib)) 0) { printf(couldn't find attrib %d\n, i); return; } else { printf(FOUND attrib at position %d\n, attrib_pos); } } /* all given attributes found in this bag */ printf(bag %d has all the attributes, it's the one you want, s); } The sk_X509_ATTRIBUTE_find() *always* returns -1. I believe this is because the base OpenSSL installation does not include a compare function for the X509_ATTRIBUTE type, so the sk_*_find function can't find an X509_ATTRIBUTE given a STACK_OF them. I tried declaring a compare function myself with the signature: int my_cmp(X509_ATTRIBUTE *a, X509_ATTRIBUTE *b); but when it's called during the sk_*_find invocation, it is passing invalid arguments (i.e. they're not pointers to X509_ATTRIBUTE structures). Anyone have any idea of a better way to do this, or if there is indeed a good X509_ATTRIBUTE compare function I can use when calling the sk_* functions when dealing with X509_ATTRIBUTES? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Global PKI on DNS?
Then a global PKI protocol server needs to be invented so you can just get the certs from the domain in question. i dont wanna see DNS system bogged down by this stuff. IMHOOC! use dns to get the IP and request from its IP the pki doc.. duh. 6/11/02 6:51:26 PM, Derek Atkins [EMAIL PROTECTED] wrote: David Conrad [EMAIL PROTECTED] writes: Why do you think the roots and TLDs would get millions of TCP queries for their certs? Why would anyone want to get the certs of the roots or tlds? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Installation of openSSL for Perl near an existing Apache installation
Please excuse a windows user out of his depth in a Unix world but . I am trying to install Perl XML components supplied by a credit card authentication company( datacash.com). For various reasons our Apache site runs on a Linux server which has dutifully proccessed SSL requests for a while now. The new XML based components require Crypt::SSLeay which I aquired and this requires openSSL Now I am concerned that when I tried to run the install scripts for SSLeay it looked for openssl in it's traditional location which is I believe /usr/local IT isn't there but there is an openssl executable located at /usr/bin/ now I am confused as I feel I already have SSL installed ( keys,certs and all that) I don't wont to construct to parallel SSL installations especially as one of them is providing my salary!. Are the SSL installations for Perl and Apache completely independant ? If they are do I have to obtain new certificates et al? I am therefore in need of guidance because I fear doing damage, but I have to get this up and running. Chris Lyon __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Fw: Installation of openSSL for Perl near an existing Apache installation
Please excuse a windows user out of his depth in a Unix world but . I am trying to install Perl XML components supplied by a credit card authentication company( datacash.com). For various reasons our Apache site runs on a Linux server which has dutifully proccessed SSL requests for a while now. The new XML based components require Crypt::SSLeay which I aquired and this requires openSSL Now I am concerned that when I tried to run the install scripts for SSLeay it looked for openssl in it's traditional location which is I believe /usr/local IT isn't there but there is an openssl executable located at /usr/bin/ now I am confused as I feel I already have SSL installed ( keys,certs and all that) I don't wont to construct to parallel SSL installations especially as one of them is providing my salary!. Are the SSL installations for Perl and Apache completely independant ? If they are do I have to obtain new certificates et al? I am therefore in need of guidance because I fear doing damage, but I have to get this up and running. Chris Lyon p.s. If this message is a repeat to the list please accept my apologies I have posted but have not recieved it via the list __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSL_read()
I know I posted this the other day, but if I ask for 60bytes, and there is 200 in the buffer, why is SSL_read() removing it all ? Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSL_read()
On Sun, 2002-05-19 at 13:23, Lutz Jaenicke wrote: On Sun, May 19, 2002 at 10:11:20AM +0100, Chris Plant wrote: I have established a connection (using SSL_accept), and sent and received data over it, before the connection is dropped and the server reports the error (using ERR_get_error_string): SSL_read: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (336130315) Please try to use ssldump (http://www.rtfm.com/ssldump) to help in analyzing your problem. I guess, that the client initiates a renegotiation and does not use the same version (SSLv2/SSLv3/TLSv1) that was chosen in the initial handshake. ssldump should show you, whether really a new handshake takes place. No, this is a different problem, I know there is 200 bytes in the buffer, but when I ask for the first 60, the other 140 disappear, is this due to the encryption ? Chris Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: [openssl-users] Setting 5 year validity period.
On Tue, 21 May 2002, Brandon Amundson wrote: Is there something I could add to the following commands to change the default time a CA is good for? The ones I created are good for only 30 days. I would like to have them be good for 1825 days. To create the CA.pem and privkey.pem openssl req -out CA.pem -new -x509 To sign the server cert openssl x509 -req -in server.req -CA CA.pem -CAkey privkey.pem -CAserial file.srl -out server.pem Add: -days 1825 in both command lines. -- Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris Principal Software Engineer, Object Computing, Inc., +1 314 579 0066 Support Me Supporting Cancer Survivors in Ride for the Roses 2002 Donate at http://www.milodesigns.com/donate __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSL_peek()
I'm trying to use SSL_peek() in the same way as I use recv( , , ,MSG_PEEK), but when I ask SSL_read() to read only the first x bytes, I only get the first x bytes, as expected, and then I lose all the data in the queue after that. Is this the normal behaviour, due to the way the packets arrive, or have I misused SSL_peek() ? Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
REMOVE
__ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Default_crl_days
On Mon, 6 May 2002, Andrew T. Finnell wrote: Nope we have our own script that just uses the openssl tool. Basically we do .\openssl req -config openssl.cfg -newkey dsa:dsaparam.pem -x509 -nodes -out cacert.pem -keyout cakey.pem In our openssl.cfg file the only thing near 30 days is the default_crl_days which is why I thought it might have to do with that. If you don't specify the number of days using -days, I believe it defaults to 30 days (as specified in openssl.cfg). Add -days 365 to that command line and the expiration should be a year from now. You can view the expiration date for an x509 certificate by reading the output of $ openssl x509 -text -in mycert.pem Look for something like this: Validity Not Before: Mar 22 16:22:15 2002 GMT Not After : Mar 22 16:22:15 2003 GMT -cj -- Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris Principal Software Engineer, Object Computing, Inc., +1 314 579 0066 Support Me Supporting Cancer Survivors in Ride for the Roses 2002 Donate at http://www.milodesigns.com/donate __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Java SSL Support (didn't have a subject, so I am giving it one.)
On Tue, 30 Apr 2002, Ed Moyle wrote: On Monday, April 29, 2002 09:15, arjan pot [mailto:[EMAIL PROTECTED]] wrote: In other words; is it possible to connect with a Java - client through OpenSSL to a server, written in C? The part about this that sounds hard is the connect through OpenSSL part. My recommendation would be to use the javax.net.ssl.SSLSocket extensions and use the built-in SSL support in the java API. Check out the following: http://java.sun.com/j2se/1.4/docs/api/javax/net/ssl/SSLSocket.html There are numerousimplementations (e.g. JCSI for example, is free for research and educational purposes: http://www.wedgetail.com/jcsi/index.html). So, for example, you might do something like: SSLSocketFactory factory = new SSLSocketFactory(); Socket myClientSocket = createSocket(new String(127.0.0.1), 443); //myClient should be an SSLSocket. Use like you would any other. Does anybody know if the wrong signature length problems in JSSE have been fixed? Otherwise, I don't think this'll work, even if you code it properly... Check out the following link: http://groups.google.com/groups?hl=enframe=rightth=364ff2e1a2f20db0seekm=40373dc3.0108131639.3b69c55d%40posting.google.com#link3 -cj -- Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris Principal Software Engineer, Object Computing, Inc., +1 314 579 0066 Support Me Supporting Cancer Survivors in Ride for the Roses 2002 Donate at http://www.milodesigns.com/donate __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Java SSL Support (didn't have a subject, so I am giving it one.)
On 30 Apr 2002, Eric Rescorla wrote: Chris Cleeland [EMAIL PROTECTED] writes: On Tue, 30 Apr 2002, Ed Moyle wrote: Does anybody know if the wrong signature length problems in JSSE have been fixed? Otherwise, I don't think this'll work, even if you code it properly... Check out the following link: http://groups.google.com/groups?hl=enframe=rightth=364ff2e1a2f20db0seekm=40373dc3.0108131639.3b69c55d%40posting.google.com#link3 I dunno if this has been fixed or not (though it only applies to DSA). Right. Good point. However, for some reason I remember that we had problems with JSSE doing RSA properly, too. But memory is fuzzy anymore. PureTLS (http://www.rtfm.com/puretls) is a free Java SSL/TLS implementation that interoperates fine with OpenSSL. Thanks for the link! I checked it out. Do you have any idea what the performance is like compared to JSSE? (I notice that you suggest using GoNative accelerated implementations of crypto stuff, so comparisons should specify whether PureTLS uses GoNative or not.) Thanks! -cj -- Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris Principal Software Engineer, Object Computing, Inc., +1 314 579 0066 Support Me Supporting Cancer Survivors in Ride for the Roses 2002 Donate at http://www.milodesigns.com/donate __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Is OpenSSL Production Ready?
On Mon, 8 Apr 2002, Mark H. Wood wrote: On Sat, 6 Apr 2002, Jeffrey Altman wrote: There is an answer to this of course. It is do not link against OpenSSL but instead load the libraries and functions manually as OpenSSL does with the DSO interface. Then the two programs are separate with separate licenses. Thank you! I hadn't thought of that, and it sounds like fun too. Sounds like this would be a great facility to stick into a contrib directory...call it glen--Gnu Linkage ENabler? -- Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris Principal Software Engineer, Object Computing, Inc., +1 314 579 0066 Support Me Supporting Cancer Survivors in Ride for the Roses 2002 Donate at http://www.milodesigns.com/donate __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: create cert non interactively
On 2 Apr 2002, Aleix Conchillo wrote: On Tue, 2002-04-02 at 11:50, Sarath Chandra M wrote: Hi, Is there way to create certificates using openssl in a noninteractive mode ? All the required values (common name, email, organization, ou etc) will be captured using a unix shell script and passed to openssl commands. Is it possible. Any help will be highly appreciated. i do it this way. there is probably a better one: openssl req -new -key prikey.pem -out req.csr info_file where info_file is a generated file (in this case with your shell script) and looks like this: -- ES Your state Your city Your organization Your organizational unit Your name -- if you don't want to fill any of the fields just leave a blank line. You can also just modify the .conf file to not prompt, e.g., I have something like this in a customized version of openssl.conf [req] ... prompt = no ... [req_distinguished_name] countryName = US stateOrProvinceName = Missouri localityName= STL organizationName= FOO organizationalUnitName = BAR commonName = $ENV::cert_owner emailAddress= $ENV::MAILADDR This way I'm not prompted. commonName and emailAddress take their values from the environment variables cert_owner and MAILADDR, respectively. If your CA private key has a passphrase, you can also use the -passin option to provide the passphrase via a multitude of ways. -cj PS BTW, I cobbled together this knowledge from docs/openssl.txt and the various manpages (req, x509, etc.) -- Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris Principal Software Engineer, Object Computing, Inc., +1 314 579 0066 Support Me Supporting Cancer Survivors in Ride for the Roses 2002 Donate at http://www.milodesigns.com/donate __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Newbie stupid question
Ah I was unclear. As with many Unix programs there are very basic instructions. I use the /lib because I don't know better. There are no written rules. It was handy..I don't think it makes much difference, however I like trying to do things correctly... I really dislike the idea of overwriting a -working- version of SSL with a new version. I like to compile and test something in a separate directory first and work out any weirdness before I install in the real directory. /lib just happened to be where it landed.. So I would be landing this on a production web server, YES its only my own personal web and mail server but it's the only server I have, so im a bit cautious in general. H... %find / -name crypto.h /usr/include/openssl/crypto.h /usr/local/lib/openssl-0.9.6c/include/openssl/crypto.h /usr/local/lib/openssl-0.9.6c/crypto/crypto.h /usr/virtual/share/usr/include/openssl/crypto.h %find / -name cryptlib.c /usr/local/lib/openssl-0.9.6c/crypto/cryptlib.c So it's the .h files that are present already that are causing a problem ?. The /usr/include/openssl directory seems like the problem. So can someone give me basic assistance, based on FreeBSD-elf and the above find how should I proceed. Where should the install go and what config options for path should I use on my platform. Do I need to remove some .h files first ?. Thanx very much in advance. Sorry for not trying to work these out myself, but it's a bit critical and im sure others have more knowledge then myself. This should be quite simple.. Im asking advice because -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Keary Suska Sent: Tuesday, March 26, 2002 11:33 AM To: OpenSSL Subject: Re: Newbie stupid question on 3/25/02 5:19 PM, [EMAIL PROTECTED] purportedly said: SO im on FreeBSD 4.1.1 It's a virtual server from Interland ( hostpro ) a Freedom 400X with full root. It came with a preinstalled older version of OpenSSL. I wanted to upgrade my OpenSSH and discovered I needed to also upgrade my openSSL.. Everything on the server is just the way it should be, all defaults.. After unpacking and following instructions I copy it all to /usr/local/lib.. The instructions tell you to do this? I'm no BSD expert but I know I wouldn't clutter my lib/ directories with source code. This would make sense for a binary distribution, but not a source distribution. Perhaps you misread the instructions? cryptlib.c:105: #error Inconsistency between crypto.h and cryptlib.c *** Error code 1 This could be happening because one of these files is from a previous version. openssl should compile in its own directory, using it's own headers. To be sure, completely remove the previous openssl install. I suspect that what you are doing above is fouling the compile. I have not seen compilation instructions that require copying anything to anywhere, and it seems odd to me that you would have to only for BSD (you don't have to for Linux). Keary Suska Esoteritech, Inc. Leveraging Open Source for a better Internet __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Compiling OpenSSL shared libraries under HPUX 11.X - working
Hi, Yesterday I posted a message regarding building OpenSSL-0.9.6c under HPUX 11.X and had to manually link the ssl shared library and copy files by hand. Well Yea that sucks quite a bit. But this morning I was talking to one of my developers and ,he's new to HPUX and trying to get his own code to work too, told me about the linker flag +cdp. Which replaced the recorded path with the specified path. From what we understand, HP-UX automaticaly binds the build directories into the object for run time linking. So by using the +cdp flag you can get around this. Syntax is: +cdp build path or old path:new path We are building in a directory called: /usr/local/src/openssl-0.9.6c and the destination directory is /usr/local/ssl/lib. Built everything cleanly with the following. I used the HP Ansi C compiler and the built in system linker (/usr/ccs/bin/ld) hps[src/openssl-0.9.6c]$ ./Configure threads shared hpux-parisc-cc (configures makefiles correctly, everything is cool here) I then add the following to the do_hpux-shared section to the top level Makefile: .. -L/usr/local/src/openssl-0.9.6c \ +cpd /usr/local/src/openssl-0.9.6c:/usr/local/ssl/lib \ .. then... hp[src/openssl-0.9.6c]$ make-- Successful build hp[src/openssl-0.9.6c]$ make test --- All tests work fine hp[src/openssl-0.9.6c]# make install Then tested Sendmail+STARTTLS config after rebuilding Sendmail it. I ran ldd on my sendmail executable: hp[src/openssl-0.9.6c]#ldd obj.HP-UX.11.11.9000-800/sendmail/sendmail /usr/lib/libc.2 = /usr/lib/libc.2 /usr/lib/libdld.2 =/usr/lib/libdld.2 /usr/lib/libc.2 = /usr/lib/libc.2 /usr/local/sasl/lib/libsasl.sl.8 = /usr/local/sasl/lib/libsasl.sl.8 /usr/local/ssl/lib/libcrypto.sl.0.9.6 = /usr/local/ssl/lib/libcrypto.sl.0.9.6 /usr/lib/libc.2 = /usr/lib/libc.2 /usr/lib/libdld.2 =/usr/lib/libdld.2 /usr/local/ssl/lib/libssl.sl.0.9.6 = /usr/local/ssl/lib/libssl.sl.0.9.6 /usr/lib/libc.2 = /usr/lib/libc.2 /usr/lib/libdld.2 =/usr/lib/libdld.2 /usr/local/ssl/lib/libcrypto.sl.0.9.6 = /usr/local/ssl/lib/libcrypto.sl.0.9.6 /usr/lib/libnsl.1 =/usr/lib/libnsl.1 /usr/lib/libxti.2 =/usr/lib/libxti.2 No /usr/local/src/openssl-0.9.6c (finally!) Here is the excerpt from the man page: +cdp oldpath:newpath Replace the recorded path for a shared library in the a.out. In 32-bit mode, ld records the absolute path names of any shared libraries searched at link time in the a.out file. When the program begins execution, the dynamic loader attaches any shared libraries that were searched at link time. Although you can use the +b and/or +s linker options to direct the dynamic loader to directories to search for the shared libraries, the dynamic loader, as a last resort, searches for the shared libraries in its absolute, recorded path in the a.out. You can specify more than one shared library oldpath:newpath, but each must be preceded by the +cdp option. Maybe this could get included in the next release of OpenSSL. ? If you have questions, please let me know.. Thanks! Chris p.s. My entry for do_hpux-shared # This assumes that GNU utilities are *not* used do_hpux-shared: libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ ( set -x; /usr/ccs/bin/ld +vnocompatwarnings \ -L/usr/local/src/openssl-0.9.6c \ +cdp /usr/local/src/openssl-0.9.6c:/usr/local/ssl/lib \ -b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Fl lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \ libs=$$libs -L. -l$$i; \ done +cdp oldpath:newpath Replace the recorded path for a sha the a.out. In 32-bit mode, ld records the absolute path names of any shared libraries searched at link time in the a.out file. When the program begins execution, the dynamic loader attaches any shared libraries that were searched at link time. Although you can use the +b and/or +s linker options to direct the dynamic loader to directories to search for the shared libraries, the dynamic loader, as a last resort, searches for the shared libraries in its absolute, recorded path in the a.out. You can specify more than one shared library oldpath:newpath, but each must be preceded by the +cdp option. -- __ OpenSSL Project http://www.openssl.org User Support Mailing List
Another ME too, having problems building OpenSSL under HPUX 11.
Hi, I have been following the thread about having problems with building OpenSSL under HPUX when creating shared libraries. I am also having the same problem. I created them just fine under Linux and Solaris 8. But HPUX 11.11 (11i) with either GCC 2.95.3 or HP's Ansi C compiler, I have problems. I unpacked the gziped tar archive and ran the following: -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
More problems compiling hp-ux 11i
Hi, Well not to beat a dead horse about this, and after going through the older threads regarding shared libraries under HPUX 11 and I tried a few things, but it ultimately didn't quite work right. What I had to do is do a number of things by hand. Build the thing with no modifications and then cp the libraries that finished compiling over and then rerun the linker for libssl.sl with a -L/usr/local/ssl/lib and everything that requires OpenSSL seems to work fine after that. I have tried this under Solaris and Linux without any problems. But HPUX is as another person had mentioned, a nightmare. I unpacked the gzipped tar archive and ran Configure with the following options I wanted to use the HPUX native compiler and create shared libraries and use threads. ./Configure threads shared hpux-parisc-cc make compile works and creates the crypto lib, but fails trying to build the ssl library. It complains it can't find it. ### + /usr/ccs/bin/ld +vnocompatwarnings -b -z -o libssl.sl.0.9.6 +h libssl.sl.0.9.6 -Fl libssl.a -lcrypto -ldld -lc /usr/ccs/bin/ld: Can't find library: crypto *** Error exit code 1 Stop. *** Error exit code 1 Stop. *** Error exit code 1 Stop. I edit the make file and added the following ### -L/usr/local/src/openssl-0.9.6c do_hpux-shared: libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \ ( set -x; /usr/ccs/bin/ld +vnocompatwarnings \ -L/usr/local/src/openssl-0.9.6c\ -b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \ -Fl lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \ libs=$$libs -L. -l$$i; \ done ### This compiles fine and then whe I run make test I get the following at the end: ### Approximate total client time: 2.43 s /usr/lib/dld.sl: Can't open shared library: ../libcrypto.sl.0.9.6 /usr/lib/dld.sl: No such file or directory *** Termination signal 134 Stop. ## Ignoring the result of make test I did a make install, just for the hell of it. I am trying to put together sendmail with sasl and starttls on this system and when I did an 'ldd' of the sendmail binary I get the following: ldd /usr/local/src/sendmail/sendmail/obj.HP-UX.11.11.9000-800/sendmail/sendmail /usr/lib/libc.2 = /usr/lib/libc.2 /usr/lib/libdld.2 =/usr/lib/libdld.2 /usr/lib/libc.2 = /usr/lib/libc.2 /usr/local/sasl/lib/libsasl.sl.8 = /usr/local/sasl/lib/libsasl.sl.8 /usr/local/ssl/lib/libcrypto.sl.0.9.6 = /usr/local/ssl/lib/libcrypto.sl.0.9.6 /usr/lib/libc.2 = /usr/lib/libc.2 /usr/lib/libdld.2 =/usr/lib/libdld.2 /usr/local/ssl/lib/libssl.sl.0.9.6 = /usr/local/ssl/lib/libssl.sl.0.9.6 /usr/lib/libc.2 = /usr/lib/libc.2 /usr/lib/libdld.2 =/usr/lib/libdld.2 /usr/lib/dld.sl: Can't open shared library: /usr/local/src/openssl-0.9.6c/libcrypto.sl.0.9.6 /usr/lib/dld.sl: No such file or directory What I want to know is WHY under HPUX is it trying to bind the build directory for runtime execution? The -L flag to the linker does, according to the man page, what a well behaved linker with -L should do. Look here when during the build process for libraries. I'll be sending this email to a contact at HP to find out what's going on.. anybody here have any thoughts on the matter? Thank for any thoughts or ideas. Chris -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Question concerning CRLs in Cert Verify process
I'm testing the certificate verification process, mostly using code from ca.c and verify.c. I've been able to successfully verify my server certificate against the store context that I've built (X509_STORE_CTX_init(certVerifyCtx,certStore,OSMSServerCert,NULL);) I wanted to test CRL processing so I created and signed a CRL that contained 1 revoked certificate (the serial number corresponding to OSMSServerCert in the above). I signed the CRL using the private key of the CA. However, when I add the CRL to the X509_STORE*, presumably via X509_STORE_add_crl(certStore, crl), and subsequently call X509_very_cert, I still get a valid certificate. I would think that since the CRL contains the serial number of the certificate I'm verifying that it would fail. Did I do something wrong? Thanks. CM
Re: EVP_* Routines
ok, thanks. I did look at the EVP_EncryptInit man page, but the code I had there, was loosely based on some code I found on the net, they probably had the same problem. Chris [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: EVP_* Routines
On Wed, 2002-01-02 at 18:00, Juan Segarra wrote: On 2 Jan 2002, Chris Plant wrote: I've compiled the attached code, and it doesn't decrypt the text correctly. If anyone could explain why to me, or point out a nice tutorial about using these routines, it would be much appreciated. I've been writing a tutorial about EVP routines in spanish (i'll wrote an english version after my exams :-P)... perhaps you'll find it useful (or useless :-P). http://spisa.act.uji.es/~juan/tutoriales/openssl/evp/ je,je,je... use at yout own risk ;-P __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] Thanks, I managed to make some sense of it, and I'm getting somewhere with my software now. Chris Plant __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
EVP_* Routines
I've compiled the attached code, and it doesn't decrypt the text correctly. If anyone could explain why to me, or point out a nice tutorial about using these routines, it would be much appreciated. ircd_malloc() is basically malloc() with memset(). Chris Plant [EMAIL PROTECTED] #ifndef _ENPRESS_H_ #define _ENPRESS_H_ #include stdio.h #include string.h #include openssl/evp.h struct _encryption_contexts { EVP_CIPHER_CTX decrypt; EVP_CIPHER_CTX encrypt; }; typedef struct _encryption_contexts * EncryptInfo; int encrypt_buffer(EncryptInfo,unsigned char *,unsigned char *,int *); int decrypt_buffer(EncryptInfo,unsigned char *,unsigned char *,int); EncryptInfo generate_key(unsigned char *); #endif #include stdio.h #include sys/types.h #include sys/socket.h #include enpress.h int main(int argc,char **argv) { int sockets[2]; char *key=somekeys; EncryptInfo e_info=NULL; e_info=generate_key(key); socketpair(AF_UNIX,SOCK_STREAM,0,sockets); if(!fork()) { /* Sending process */ char buffer[512]=NICK Chunky\n\r\0; char enc_buffer[512]; char out_buffer[512]; int length,enc_length; encrypt_buffer(e_info,buffer,enc_buffer,enc_length); ircd_sprintf(out_buffer,5,%04d,enc_length); send(sockets[0],out_buffer,4,0); send(sockets[0],enc_buffer,enc_length,0); } else { /* Reciving process */ char in_buffer[512]; char clean_buffer[512]; char length_buffer[5]; int length,clean_len; recv(sockets[1],length_buffer,4,0); length_buffer[4]='\0'; printf(String is %s\n,length_buffer); length=atoi(length_buffer); printf(Number is %d\n,length); recv(sockets[1],in_buffer,length,0); clean_len=decrypt_buffer(e_info,in_buffer,clean_buffer,length); clean_buffer[clean_len]='\0'; printf(Cleaned buffer, it is %s\n,clean_buffer); } } /* This file is part of Chunky Monkey IRCD * * Chunky Monkey IRCD is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * Chunky Monkey IRCD is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with Chunky Monkey IRCD; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * * $Id: enpress.c,v 1.1 2001/12/31 22:05:14 lloydy Exp $ * */ #include enpress.h #include utility.h #include logger.h /* * Lots of casting in here, until I sus out a better way of dealing with things */ /* * Encrypt buffer using key */ int encrypt_buffer(EncryptInfo info,unsigned char *buffer,unsigned char *enc_buffer,int *enc_len) { unsigned char enc_tmp_buffer[512]; int enc_tmp_len=0; *enc_len=0; EVP_EncryptUpdate((info-encrypt),enc_tmp_buffer,enc_tmp_len,buffer,strlen( (const char *)buffer)); *enc_len+=enc_tmp_len; strncpy(enc_buffer,enc_tmp_buffer,enc_tmp_len); EVP_EncryptFinal((info-encrypt),enc_tmp_buffer,enc_tmp_len); *enc_len+=enc_tmp_len; strncat(enc_buffer,enc_tmp_buffer,enc_tmp_len); return (*enc_len); } /* * Decrypt buffer using key * Assume the buffer is 512 bytes long */ int decrypt_buffer(EncryptInfo info,unsigned char *buffer,unsigned char *clean,int len) { char denc_tmp_buffer[512]; int tmp_len=0,out_len=0; EVP_DecryptUpdate((info-decrypt),denc_tmp_buffer,tmp_len,buffer,len); out_len+=tmp_len; strncpy(clean,denc_tmp_buffer,tmp_len); if(!EVP_DecryptFinal((info-decrypt),denc_tmp_buffer,tmp_len)) { printf(Failed to decrypt correctly\n); } out_len+=tmp_len; strncat(clean,denc_tmp_buffer,tmp_len); return out_len; } /* * Generate a blowfish key using the text */ EncryptInfo generate_key(unsigned char *key_text) { EncryptInfo new=NULL; unsigned char key[EVP_MAX_KEY_LENGTH]; unsigned char iv[EVP_MAX_IV_LENGTH]; if(!lc_strncmp(key_text,*,-1)) { return NULL; } new = ircd_malloc(sizeof(struct _encryption_contexts)); EVP_BytesToKey(EVP_bf_cbc(),EVP_md5(),NULL,key_text,strlen(key_text),1,key,iv); EVP_EncryptInit((new-encrypt),EVP_bf_cbc(),key,iv); EVP_DecryptInit((new-decrypt),EVP_bf_cbc(),key,iv); return new; }
Seems to be a bug with EVP_get_cipherbyname(p)
It appears that there may be a bug? with the call to EVP_get_cipherbyname(). My private key is saved in the following format -BEGIN RSA PRIVATE KEY-Proc-Type: 4,ENCRYPTEDDEK-Info: DES-EDE-CBC,D2C954A223AC6C1C so far so good (I hope).. when I use the function PEM_Read_PrivateKey(fp, null, null, null) to construct the key, it always returns null. When I debugged it, I found that EVP_get_cipherbyname() called in PEM_get_EVP_CIPHER_INFO() always returns NULL when passed the encryption scheme (in this case, triple-des in cbc mode). Am I doing something wrong? I'm usingopensllv0.9.6b on Win2K. Thanks. Chris Mollis
Re: client/server verify problems
Lutz Jaenicke wrote: Do we need to resort to a verify callback to permit an 0.9.6b server to accept server certs from the client? Yes. You can globally set the purposed to be checked for, but this is only possible before the handshake is started (SSL_set_purpose()). This is however a pretty bad idea, as you could only switch from client to server, so that real client certificates now would fail. We did a callback function, and it works. Thanks. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
client/server verify problems
We're porting some (previously) working code from an ancient version of ssleay to openssl 0.9.6b (HPUX). We're having a problem (apparently) with the server-side of a client-server application, both ends using openssl 0.9.6b. We're using locally generated certificates (Entrust PKI) for both the client and server, which according to openssl verify are only given the purpose of server. One Verisign server cert we played with appears to not have a purpose set, or at least permit both sslclient and sslserver. The client side doesn't have any trouble with talking to web servers (in particular, Stronghold 2.2) with the Entrust certs, and the web server is successfully able to retrieve the client cert. Tho, 2.2 of course uses ssleay internally. Yeah, once this mess is over, we're going to upgrade to Stronghold 3. When we use our client with a verisign-signed server cert, our server side successfully verifies. When we use openssl s_client (or our client) with our entrust cert, our server spits out: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned When we use openssl s_client we get: 29776:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:964:SSL alert number 46 29776:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:490: when running openssl verify with our root_certs, -purpose sslclient returns: error 26 at 0 depth lookup:unsupported certificate purpose OK Whereas with -purpose sslserver returns just OK. I _assume_ this has something to do with the purpose. openssl's code _apepars_ to verify that the cert has the right purpose. Right? Our SSL_CTX_set_verify call has SSL_VERIFY_PEER and SSL_VERIFY_FAIL_IF_NO_PEER_CERT. [I get confused around here, because I can't see anything that implies it would generate a no certificate returned message. If purpose was the real problem, wouldn't it say something more specific?] For various (mostly political) reasons, we can't [re]generate the certs we use with sslclient. Do we need to resort to a verify callback to permit an 0.9.6b server to accept server certs from the client? Or is something else going wrong? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Implementation Issues with OpenSSL
Thus spake Lutz Jaenicke ([EMAIL PROTECTED]): I know it has been a long time, but I have just continued to analyze your submission. I have not yet applied your patch. With respect to the SSL_SESSION_free() problem, it would only cure the symptoms of incorrect SSL_SESSION_free() use. It is not just the session list inside the SSL_CTX object; if a session is used by an SSL object we would also find a dangling pointer that we could not catch. The point should not be to cover for incorrect use of SSL_SESSION_free() and magically remove the session from the cache list, but to catch this as an error... Unfortunately SSL_SESSION_free() does not return diagnostic information (until now), so no application written with today's API would catch the error message... I don't claim to understand this code well enough to contradict you. It would certainly be an improvement to have SSL_SESSION_free() detect this error condition and complain loudly when it occurs. I also agree that an interface change is probably worthwhile to do better error reporting and recovery when this occurs. By now, I have updated the manual pages to reflect this problem and wait for more input with respect to this problem. Thanks for following up on this. -- Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Tru64 4.0f BN_sqr test fail
Once upon a time, Todd Williams [EMAIL PROTECTED] said: Actually, I'm encountering the same exact problem as Keith. Clean build, but fails the Square test. Look familiar? ... test BN_rshift test BN_sqr Square test failed! make: *** [test_bn] Error 1 But I don't think it's a gcc issue. I get the same result on two different Tru64 machines using the Compaq compiler... OSF1 V5.1 732 alpha: Compaq C V6.3-025 on Compaq Tru64 UNIX V5.1 (Rev. 732) Compiler Driver V6.3-026 (sys) cc Driver OSF1 V4.0 1530 alpha: Compaq C V6.4-214 (dtk) on Digital UNIX V4.0G (Rev. 1530) Compiler Driver V6.4-014 (dtk) cc Driver I'm having the same problem with openssl-0.9.6b on Tru64 5.1A with the Compaq C compiler: OSF1 V5.1 1885 alpha Compaq C V6.4-009 on Compaq Tru64 UNIX V5.1A (Rev. 1885) Compiler Driver V6.4-008 (sys) cc Driver I installed GNU bc, but that has nothing to do with the problem because the test never gets to running bc; it fails in running bntest. The end of the output of bntest looks like: test BN_sqr print test BN_sqr\n -8C * -8C - 4DA8FEE60001 2BEFF * 2BEFF - 6159F8795207C11108201 Square test failed! 1 Any ideas? -- Chris Adams [EMAIL PROTECTED] Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: c_rehash script
Try this: ln -s /usr/local/ssl/bin/c_rehash /usr/local/bin/c_rehash (or where ever you want it to go in your path). You can say echo $PATH to check your current PATH. Good luck. -- chris ciotti stereo-link (http://www.stereo-link.com) Key fingerprint = B4B1 2888 6808 64FF 87FB D635 A483 F6DD 1BFB 36B6 Jason King wrote: I am having some trouble with a program trying to use the c_rehash script. It says it cannot find it in the current PATH but I know the file is located in /usr/loca/ssl/bin How can I change the current PATH to point to where the c_rehash script is located. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: libssl.so: undefined symbol: sk_X509_NAME_value
Dear Richard, Assume you are using RedHat 7.1 try this: Remove broken link if you remove ssl rpm. # rm /usr/lib/libcrypto.so.1 # rm /usr/lib/libssl.so.1 insert line /usr/local/ssl/lib in /etc/ld.so.conf # ldconfig -v # cd /usr/local/ssl/lib # ln -f -s libssl.so libssl.so.1 # ln -f -s libcrypto.so libcrypto.so.1 Hope this help Regards, Chris Lee -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 06, 2001 10:30 AM To: [EMAIL PROTECTED] Subject: libssl.so: undefined symbol: sk_X509_NAME_value I have, for two days, been banging my head on trying to install this apache server with mod_ssl. I keep having problems. I have tried absolutely everything I can think of to try to fix this. I have searched all of the postings and tried their solutions. Nothing works. Here is my OS ... Linux host_name_omitted 2.2.16-22smp #1 SMP Tue Aug 22 16:39:21 EDT 2000 i686 unknown Here is the error ... /apachectl startssl Syntax error on line 243 of /usr/local/share/apachessl/conf/httpd.conf: Cannot load /usr/local/share/apachessl/libexec/libssl.so into server: /usr/local/share/apachessl/libexec/libssl.so: undefined symbol: sk_X509_NAME_value ./apachectl startssl: httpd could not be started Here was my install process ... gtar xzvf src/openssl-0.9.6b.tar.gz gtar xzvf src/apache_1.3.20.tar.gz gtar xzvf src/mod_ssl-2.8.4-1.3.20.tar.gz gtar xzvf src/mod_auth_ldap.tar.gz gtar xzvf src/mod_put.tar.gz 1. install openssl # cd src/openssl-0.9.6b # ./config # make # make install 2. Add authmodldap to the apache src # cp -pr modauthldap apache_1.3.20/src/modules/ldap 3. configure mod_ssl # ./configure --with-apache=/usr/src/apache_1.3.20/ --prefix=/usr/local/share/apachessl 4. configure apache ( include modauthldap, mod_put, mod_ssl ) # SSL_BASE=/usr/local/ssl ./configure --enable-module=ssl --enable-rule=EAPI --prefix=/usr/local/share/apachessl --enable-shared=max --enable-module=all --add-module=../mod_put-1.3/mod_put.c --activate-module=src/modules/ldap/mod_auth_ldap.c # make # make certificate TYPE=test # make install 5. Edit /usr/local/share/apachessl/conf/httpd.conf 6. Should be done now start by using /usr/local/share/apachessl/bin/apachectl startssl This is where it totally bombs on me. I even tried Upgrading with APXS # ./configure --with-apxs=/usr/local/share/apachessl/bin/apxs --with-ssl=/usr/local/ssl This still didn't work. Best Regards, Richard Blalock ** * Man will occasionally stumble over the truth, but most of the time he will pick himself up and continue on. -- Winston Churchill Richard Blalock - Test Bed ArchitectInktomi Corp. 650-653-3142 Work # 4100 East Third Ave 916-215-4359 Cell # MS FC1-4 [EMAIL PROTECTED]Foster City, CA 94404 [EMAIL PROTECTED] Pager http://www.inktomi.com ** * __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
pod2man.pl-related compilation error. Help!
I wrote about this a few days ago and have not yet been able to solve it; I'd appreciate anybody's input... See http://marc.theaimsgroup.com/?l=openssl-usersm=99922122232541w=2 for details. Thanks! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
CA has expired
I have created a Certificate Authority for non public use. The authority has expired. Is there a way to unexpire or reissue the CA certificate (which is self signed) so that I do not have to re sign the certificates that I have signed with my certificate? I have looked through the man pages but it is still unknown to me. Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
problem with verifying certificates
Hi, I am running openssl 0.9.6a on a SunOS2.6 machine. I installed like so: ./config make make test make install my problem is, it doesn't seem to be able to verify *any* signed certificates. here is an example output from bin/openssl s_client -host rsaonline.rsasecurity.com -port 443 -showcerts (I picked rsaonline because I would think they would have a valid cert ;-) output: CONNECTED(0004) depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority -BEGIN CERTIFICATE- ... -END CERTIFICATE- --- Server certificate subject=/C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority --- No client certificate CA names sent --- SSL handshake has read 938 bytes and written 248 bytes --- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 512 bit SSL-Session: Protocol : TLSv1 Cipher: RC4-MD5 Session-ID: 02007E424A3D34136D63A38C243A6910211EEA1C39567901AE8A0258D6F5 Session-ID-ctx: Master-Key: 49D9D45A4F2BCC8D464DFA115B4BD12D66F0A00E7ED820A279BEDF4E9D05D7DF9A3F98E5CD134C7BF5FDC7CD2ADEFEE6 Key-Arg : None Start Time: 988923327 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- as you can see from the section above the Certificate, it says cert not trusted, etc... I am wondering if there is something else I need to do?? thank you in advance! Chris Drumgoole email administrator CAEN, COE, Univ. of Michigan q __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenLDAP
Dear all, Instead of using RedHat 7.1 openldap rpm, I wanna build the program by source: program used: - openssl-0.9.6a - openldap-2.0.7 I using the following config: # env CPPFLAGS=-I/usr/local/ssl/include LIBS=-L/usr/local/ssl/lib \ ./configure --with-tls -with-cyrus-sasl --with-ldbm-api=gdbm \ --enable-shell -enable-wrappers --enable-crypt --enable-cleartext # make depend # make After the make, it show the following eror: /usr/bin/ld: cannot find -lssl collect2: ld returned 1 exit status make[2]: *** [libldap.la] Error 1 make[2]: Leaving directory `/usr/src/openldap-2.0.7/libraries/libldap' make[1]: *** [all-common] Error 1 make[1]: Leaving directory `/usr/src/openldap-2.0.7/libraries' make: *** [all-common] Error 1 What am I doing wrong? How can I fix it? Many thanks in advance. --- Regards, Chris Lee __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Direct read of RSA public key
I'm trying to do a modification of the /demos/sign/sign.c code. I had it working, but have managed to mess up my certificates/keys and can't seem to re-create ones that will function. 1) what I'd _like_ to do is generate an RSA private/public key pair and then read them in directly, without having to generate a certificate, x509 object etc. demos/sign/sign.c uses PEM_read_PrivateKey, but there doesn't appear to be a corresponding PEM_read_PublicKey. The read of the private key works fine, but I get a 13451:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: CERTIFICATE when it pass it a publickey.pem generated using the openssl rsa ... command. If I pass it the newcert.pem generated by CA.pl, I get a core dump on the PEM_read_X509 There is a PEM_read_RSAPublicKey, but then there is no obvious way to convert this to a EVP_PKEY 2) The second option is to generate the right x509 object. I've run through the CA.pl about a zillion times, and tried to use openssl req -key R1.pem -x509 -days 9 -out foo.pem which hangs after printing out Using configuration from /var/ssl/openssl.cnf ./CA.pl -newca ./CA.pl -newreq ./CA.pl -sign then using openssl rsa -in key.pem -out keyout.pem to strip out unencrypted private key. That private key works, but I can't get the %#%$%$#@%!@ public key read in #include stdio.h #include stdlib.h #include string #include "apps.h" #include openssl/rsa.h #include openssl/err.h #include openssl/evp.h #include openssl/objects.h #include openssl/x509.h #include openssl/crypto.h #include openssl/pem.h #include openssl/ssl.h #include "fstream.h" int main(int argc, char **argv) { std::cout argv[1]std::endl; ERR_load_crypto_strings(); char * pub=argv[1]; char * pvate=argv[2]; int err; X509 *x509; FILE * fp; fp = fopen(pvate,"r"); if (fp == NULL) exit(9); EVP_PKEY * prikey,*foo; prikey = foo = NULL; prikey = PEM_read_PrivateKey(fp,foo,NULL,NULL); fclose(fp); std::cout " read private key " std::endl; if(prikey==NULL) std::cout " pri key is null " std::endl; if(foo==NULL) std::cout " foo key is null " std::endl; fp = fopen(pub,"r"); if (fp == NULL) exit(9); cout " before pem_read_x509" std::endl; x509 = PEM_read_X509(fp, x509, NULL, NULL); fclose(fp); cout " after pem_read_x509" std::endl; if (x509 == NULL) { cout " x509 was null " endl; ERR_print_errors_fp (stderr); exit (1); } EVP_PKEY * pubkey; // = PEM_read_RSAPublicKey(fp,NULL,NULL,NULL); pubkey=X509_get_pubkey(x509); if (pubkey == NULL) { cerr " pubkey was NULL"std::endl; ERR_print_errors_fp (stderr); exit (1); } cout " read pubkey " endl; EVP_MD_CTX md_ctx; std::string licbuff; std::string temp; ifstream lictext(argv[3]); while(lictext) { getline(lictext,temp); licbuff+=temp; std::cout temp std::endl; licbuff+='\n'; } unsigned char *clicbuff = new unsigned char [licbuff.size()]; memcpy(clicbuff,licbuff.data(),licbuff.size()); EVP_SignInit (md_ctx, EVP_sha1()); cout " signinit" endl; EVP_SignUpdate (md_ctx, clicbuff, licbuff.size()); cout " signupdate " endl; unsigned char * sig_buf = new unsigned char [4096]; unsigned int sig_len =0; err = EVP_SignFinal (md_ctx, sig_buf, sig_len, prikey); std::cout sig_lenstd::endl; std::cout.setf(ios::hex,ios::basefield); for (int ik = 0 ; ik sig_len ; ik++) std::cout (unsigned int) sig_buf[ik]" "; std::coutendl; EVP_VerifyInit (md_ctx, EVP_sha1()); EVP_VerifyUpdate (md_ctx, clicbuff, licbuff.size()); err = EVP_VerifyFinal (md_ctx, sig_buf, sig_len, pubkey); if (err != 1) { ERR_print_errors_fp (stderr); exit (1); } if(err!=1) std::cerr " didn't work " err std::endl; } __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Random test fail dual pentium i686-faulty hardware?
Does anybody know why this should happen?? I have two identical Dell servers, both exactly the same spec, dual pentium 667 with 512MB ram, Linux6.2. I have successfully compiled and tested openssl-0.9.6 on one machine However when I compile it on the second and run make test the tests fail at different places, could be at the start or near the end This problem is driving me crazy and dell don't have any idea, could there be a problem with my hardware??? - Other programs also seem to be affected, including Tripwire, it fails when the app trys to decrypt an encrypted site key Any clues to this problem would help me greatly especially if it is the hardware at fault -- Christopher Bragg IT Development The Moviemarket [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Random test fail on dual cpu i686 follow up!
I have two identical Dell servers, both exactly the same spec, dual pentium 667 with 512MB ram, Linux6.2. I have successfully compiled and tested openssl-0.9.6 on one machine However when I compile it on the second and run make test the test also hangs and when I look at top the %CPU goes up over 90%, what is happening??? the tests fail at different places, could be at the start or near the end This problem is driving me crazy and dell don't have any idea, could there be a problem with my hardware??? - Other programs also seem to be affected, including Tripwire, it fails when the app trys to decrypt an encrypted site key Any clues to this problem would help me greatly especially if it is the hardware at fault -- Christopher Bragg IT Development The Moviemarket [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Install on MacOSXServer
Hi, I got openssl 0.9.6 to build on OSX Server with the previous suggestion of adding -DUSE_TOD to the apps/Makefile CFLAGS= -DMONOLITH -DUSE_TOD $(INCLUDES) $(CFLAG) I previously had it at the end: CFLAGS= -DMONOLITH $(INCLUDES) $(CFLAG) -DUSE_TOD since this is all new stuff for me I don't the difference. Perhaps someone who knows the difference and what these flags mean can explain. Of course, now apache doesn't want to build with it but that's a problem for tomorrow. -- Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Life after September 20th
What sideline patents? I have followed this issue and I do not know what patents you're referring to. The company I used to work for did research on this issue and talked to a number of IP attorneys regarding this issue. They didn't seem to feel that it was as cut and dry of an issue. They said that RSA may try to claim the algorithm is covered by other patents. I personally don't know one way or the other. That said though, if I had to make a decision one way or the other regarding this issue, I'd be sure to talk to lawyers first. --Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Life after September 20th
Uhmmm? You're not thinking of the MultiPrime thingy, are you? Nope, those are Compaq's patents as far as I know. --Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Bugs and Crashes
Did you get my updated test code yesterday? Does it look like I've got all the programming errors out of the test code itself? Bill, I took over your code -- I'm unable to reproduce the crash you're seeing. I let the code run (1st and 2nd version ) for quite a while with no problems. The only thing I can tell you from here is run your code under Purify and see what it says. It's certainly possible that the may be stack or heap corruption at some point. If there is a bug in OpenSSL, it may show up in there as well. --Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Bugs and Crashes
'ThreadRootStartingPoint' runs the user code in ThreadMain in the __cThread class and cleans up when ThreadMain returns. This is where the crash is. Do you mean it's right after ThreadMain() returns? As a note, you don't need the exception socket in the select() (unless you're doing something I can't figure out here). If all you're doing is sleeping, the following works just as well: Sleep_us (int iMicroseconds) { // Resist the temptation to make any of these static, as doing so makes us Non-MT-Safe! struct timeval tval; tval.tv_sec = iMicroseconds / 100; tval.tv_usec = iMicroseconds % 100; select(0, NULL, NULL, NULL, tval); return (0); } I'm suspicious about the way you're getting rid of the threads. You have the thread change itself to a detached state and then commit suicide. I would look at cleaning up the threads a different way and see if your problem disappears. The only other thing I see that could be causing problems is the char buffer that you use for ERR_error_string(), although you'd pick that up pretty quick if it were overflowing. --Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
memory leaks??
Sorry for those of you that are reading this for the 2nd time, but I felt I should sent it to modssl and openssl lists to see if I can get any help. I've got some strange problems with the following setup: Solaris 7 apache 1.3.12 apache Jserv 1.1 mod_ssl 2.6.3-1.3.12 openssl-0.9.5a (just upgraded today from 0.9.5, but it didn't fix the problem described below) I have searched the message archives, but I didn't see anything there, so no flames please if I missed an answer to this. Occasionally, when users connect to one of the httpd daemons (on 443), the daemon goes nuts and allocates almost ALL of my available physical ram and swap space. It takes about 90 seconds to allocate the ram, during which time the machine will not respond to anything (ie. more web requests, login on console, etc). Once this httpd request has allocated approximately 550 megs of ram, the system becomes usable again, but obviously runs slower. If I kill the bad httpd, the whole process will eventually repeat itself. Sometimes it happens again in 2 minutes, sometimes not for a day or two. In the SSL_ENGINE_LOG logfile, the only errors I see for this httpd daemon are: [25/Apr/2000 18:10:21 25349] [error] SSL handshake failed (server server.address.was.here:443, client xxx.xxx.xxx.xxx) (OpenSSL library error follows) [25/Apr/2000 18:10:21 25349] [error] OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long [25/Apr/2000 18:10:21 25349] [error] OpenSSL: error:0D080065:asn1 encoding routines:d2i_ASN1_INTEGER:bad object header [25/Apr/2000 18:10:21 25349] [error] OpenSSL: error:0D067004:asn1 encoding routines:ASN1_COLLATE_PRIMITIVE:nested asn1 error Then about 10 seconds later: [25/Apr/2000 18:10:29 25349] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?] I would appreciate ANY help anyone can offer as this is currently crashing an important production server on a regular basis. Thanks for your help. Chris Smith Programmer __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: MD5
I want to use the MD5 program that comes along with OpenSSL but I don't know how to supply a "KEY" to this program, it only accepts data and prints out a checksum. Any help ? "This book is a mirror -- when a monkey looks in, no philosopher looks out" - Nietzsche MD5 is a checksum (message digest) function. Why would you think it takes a key? HMAC-MD5 is a keyed MAC, but it's unclear what it is you want. Could you be a little more vague? "There's no need to be a jerk when someone asks a question" - Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: PEM pass phrase
When I try to strip the password encryption off of the private key, as described below, I get the following error: req -key keyrq.txt -keyout test.key -nodes -config openssl.cnf unable to load Private key344:error:02001002:system library:fopen:system lib:tmp32dll\bss_file.c:103:fopen('.oids.oid','r')344:error:2006D002:BIO routines:BIO_new_file:system lib:tmp32dll\bss_file.c:105: 344:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:566:error in req Can anyone offer any assistance on this? Chris If you remove the password encryption on your private key,I believe you won't be getting this (it's what I belivemost people do that configure SSL servers to auto start onboot without manual intervention).If memory serves, I believe something likereq -key INPUT_KEY_FILE -keyout OUTPUT_KEY_FILE -nodeswill take an existing encrypted private key file andstrip the password encryption off of it. If I gotthis wrong, check the SSL archives, I know thatthis question has been asked and answered severaltimes before...you will find the proper syntaxthere.Thomas
Trouble with SSL_CTX_use_PrivateKey_file()
SSL_CTX_use_PrivateKey_file() seems to fail for me. I am reasonably new to this. Is there any kind of error stackor description that I can look at? If it makes a difference, I have gotten a class 3 certificate from verisign, and I believe that it is in PEM format. Any help would be appreciated. I have included a section of the code that I am using below: meth = SSLv3_client_method(); myCTX = SSL_CTX_new( meth ); if( SSL_CTX_use_certificate_file( myCTX, CertPEM, X509_FILETYPE_PEM ) = 0 ) {m_DebugLog.lfputs( "Failure: SSL_CTX_use_certificate_file( \"%s\")", CertPEM );_socket = INVALID_SOCKET;goto Error;}else {m_DebugLog.lfputs( "Success: SSL_CTX_use_certificate_file()" );} if( !SSL_CTX_use_PrivateKey_file( myCTX, CertPEM, X509_FILETYPE_PEM ) ) {m_DebugLog.lfputs( "Failure: SSL_CTX_use_PrivateKey_file()" );_socket = INVALID_SOCKET;goto Error;}else {m_DebugLog.lfputs( "Success: SSL_CTX_use_PrivateKey_file()" );} Thanks, Chris
Newbie looking for help
Hi, I have just setup OpenSSL and I am looking for some help. I have looked at the page and looked on the web and I have not found much support to date. I was wondering if there was maybe a more complete FAQ than what is available. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Setting up Diffie Hellman Ephemeral with OpenSSL
On 09/16/99, David Murphy said: Chris - I have to admit I really dont know.. We are starting out with OpenSSL and have been advised that the SSL_DHE_DSS.. cipher suites are free of patents and should therefore use them rather than RSA suites. We were also told the the 'ephemeral' would be best since the DH parameters are not stored in the certificate which means we could use any certificate (rather than a DH one). Yes, this is the case. As far as I can tell the our OpenSSL server is using whatever is in server.pem - the default certificate for OpenSSL? Ah see, the default server.pem is an RSA type certificate, and hence, it won't work with EDH/DSS. Would you concur that :- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA are reasonable choices to avoid patent issues? Yep, I can't see any problems there. I am looking at the s_server.c code to see what we have to do to have OpenSSL accept the DHE.. suites but its not immediately obvious..the following in s_server appears to do something with DH but I have no idea what... Well, I think the only thing you're missing is that you need to create a DSA certificate and parameters, and use those instead of the RSA counterparts. --Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Finding out my fingerprint
I am trying to find out what the fingerprint is to my cert. If I open it up in windows, a "thumbprint" is listed. Is this the samething as a fingerprint? Is there a way (that I have missed) to get the fingerprint using the OpenSSL utility? Sorry about the newbie question, but I have searched for quite some time (appearantly in all the wrong places). __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: NT and unable to find 'distinguished_name' in config error
I am currently having this same problem. Were you able to find a resolution? I'm using an NT build, following the Verisign CSR instructions, and am stuck at the "unable to find 'distinguished_name'" error below. I have generated CSRs for Verisign with OpenSSL from a Unix build before and don't believe I had to create a config file. D:\test\certs\testopenssl req -new -key key.pem -out csr.pem Using configuration from /usr/local/ssl/lib/openssl.cnf Unable to load config info Enter PEM pass phrase: unable to find 'distinguished_name' in config problems making Certificate Request D:\test\certs\test Thanks for any help, -Ed === ~ Ed Sweeney, Fairfax, VA mailto:[EMAIL PROTECTED] _ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Client Certificate Problem
Running Linux 2.0.36 Apache 1.3.6 Openssl 0.9.3 Mod_ssl 2.3.0 My server is up and running and seems to work fine in secure mode without a clientcert. But every time I create and install a client cert. in netscape 4.06 I getrecieved bad data from server messagethe server log has the following.[Thu May 27 08:33:25 1999] [error] mod_ssl: SSL handshake failed (client 100.100.100.6, server 100.100.100.11:443) (OpenSSL library error follows)[Thu May 27 08:33:25 1999] [error] OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure From reading the openssl.cnf file it says that nsCertType can beleft alone except for object signing. If I am creating a self sign cert.to sign my server.crt. Should I change the openssl.cnf file to allowsigning ca.crt and then change it back before I create my server.crt And do I do the same thing while creating client cert's with CA.shAlso, if anyone has another idea I'd like to hear it.Chris Jensen[EMAIL PROTECTED]
Re: DES key mismatch
As Tri Phan once put it: I'm using openSSL-0.9.1c's EVP_BytesToKey to generate a DES encryption key for EVP_des_cbc() and EVP_des_ede3_ofb(). I can run my application sucessfully as an NT application, NSAPI DLL within NES 3.6.1 (on NT), Sun Solaris application, or Sun Solaris shared object without NSAPI. The same encyption is derived for my given password, salt, and iteration count. However, when I run my application as an NSAPI share object within Netscape Enterprise Server (NES) 3.61 on Solaris, a different DES encryption key is derived for the same password, salt, and iteration count. Keep in mind when working with dynamically loaded object files that the symbols already found in the program will override any symbols present in your loaded code (or anything linked to it). NS Enterprise Server has several symbols that conflict with the symbols in ssleay/openssl. When such a conflict exists, the Netscape version of the routine (which likely has different calling conventions or semantics) is used in preference to the OpenSSL version. I ran into this problem when trying to use SSL calls from within an NSAPI. I solved it by hacking the OpenSSL source to tweak the names of the colliding routines, changing *_Update to *_update: find /src/openssl-0.9.1c -type f \( -name '*.[ch]' -o -name '*.org' \) -exec egrep -s '(MD2|MD5|SHA1)_Update' {} \; -print | xargs perl5 -i -pe 's/(MD2|MD5|SHA1)_Update/$1_update/g;' As the example3.c file appears to use MD5 for the BytesToKey routine, this is the likely culprit. %% Christopher A. Bongaarts%% [EMAIL PROTECTED] %% ADCS - Internet Enterprise %% http://umn.edu/~cab %% University of Minnesota %% +1 (612) 625-1809 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: RSA License + U.S. comercial use
On 05/26/99, Salz, Rich said: I expect, however, that what you are really interested in is "where can I get patches that integrate OpenSSL with crypto hardware?" I don't know of any such patches. It's a moderate level of effort for you to do it yourself. I also believe that integration with PKCS11, the standard crypto-token API is on the OpenSSL wish list. Actually, I've written patches for SSLeay-0.9.0b to use nCipher's hardware supporting acceleration, the hardware RNG, and limited access to the hardware key storage mechanism (actually the guys at nCipher wrote that part, I just included it with the stuff I did too). If you're in the US and you're interested in this, let me know, I will send it to you. The hardware is really great, and very fast. It requires a large thread pool (or OpenSSL to move to a totally async model, which is pretty tough) to really be effective though. The package should work fine under any OS that nCipher supports. --Chris __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: openssl-0.9.2b on Linux Alpha
[ ... old patch ... ] Ahh.. Ok thnx... them).. This patch would have been applied from the top of your sourcedir as 'patch -p1 .patch'. However, despite all effort from various people, there is no alpha.s version that passes 'make test' as of now. Ouch.. OK, i guess I can live with that.. :) Therefore, just add 'no-asm' to the ./configure command for now. like './configure gcc no-asm' ? Thanks Chris __ Pournelle's Law: If you do not know what you are doing, deal with people who do. -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
openssl-0.9.2b on Linux Alpha
Hi; Just getting started with openssl and discovered that compiling fails on bn_div_words which after some further reading, seems to be related to probs with crypto/bn/asm/alpha.s. Looking in the archives, I discovered a patch/diff posted by Niels Poppe that I can apply to alpha.s that will (hopefully) fix my compiling probs. My problem is that I am not very accustomed to doing diffs, and I have been struggling for a few hours trying to apply the patch. I think it has something to do with the diff header; start diff segement -- Niels Poppe - org.net bv [EMAIL PROTECTED] diff -u --recursive openssl-SNAP-19990316-1530/crypto/bn/asm/alpha.s openssl.works/crypto/bn/asm/alpha.s --- openssl-SNAP-19990316-1530/crypto/bn/asm/alpha.sMon Dec 21 10:59:03 1998 +++ openssl.works/crypto/bn/asm/alpha.s Sun Mar 21 00:40:33 1999 @@ -530,6 +530,129 @@ end My openssl install is in /usr/local/openssl-0.9.2b/ . Can someone suggest what mods to the above diff need to be done, and then suggest a proper command line and location (in the filesystem) to execute the patch from? My apologies is this is a 'pain in the butt' newbie question. I am reasonably installing from source code (optimizing and so forth) but have had minimal experience with diffs (and have little docs about them).. Your help is greatly appreciated. Thanks Chris -- __ Pournelle's Law: If you do not know what you are doing, deal with people who do. -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]