Extracting certificate start and end dates
Hi All,

I am trying to crack open a certificate and print out the start and expire dates to a debug log message. I found these two nifty functions X509_get_notBefore() and X509_get_notAfter() which return a pointer to an ASN1_TIME struct. I'm not sure where to go from here. I would like to be able to convert the ASN1_TIME to a time_t struct or something. Would one of you experts please advise the best approach?

Thanks,
Dallas

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: printing a certificate
Thanks gents!

On Wed, Jun 2, 2010 at 6:45 AM, Dr. Stephen Henson wrote:
> On Tue, Jun 01, 2010, Dallas Clement wrote:
>
>> Hi,
>>
>> Would someone kindly tutor me on how to print out a certificate
>> programmatically? I know how to extract the common name, but was just
>> wondering if there is an API function to just print the whole thing in
>> human readable form?
>>
>> X509 *pX509Peer = SSL_get_peer_certificate( pSsl );
>> if ( pX509Peer != 0 )
>> {
>>     // Extract the common name from the peer's certificate
>>     X509_NAME_get_text_by_NID( X509_get_subject_name( pX509Peer ),
>>                                NID_commonName, commonName,
>>                                commonNameBufferSize );
>
> X509_print_ex() is the best function to use.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
printing a certificate
Hi,

Would someone kindly tutor me on how to print out a certificate programmatically? I know how to extract the common name, but was just wondering if there is an API function to just print the whole thing in human readable form?

    X509 *pX509Peer = SSL_get_peer_certificate( pSsl );
    if ( pX509Peer != 0 )
    {
        // Extract the common name from the peer's certificate
        X509_NAME_get_text_by_NID( X509_get_subject_name( pX509Peer ),
                                   NID_commonName, commonName,
                                   commonNameBufferSize );

Thanks,
Dallas
Client cert verification & SSL_CTX_set_client_CA_list()
Hi All,

Could someone help me understand why there is a function SSL_CTX_set_client_CA_list() for telling the client which CAs the server will recognize but no function for telling the server which CAs the client will recognize? In other words, could you please explain the asymmetry? It doesn't make a whole lot of sense to me.

Whether a client or server, I give the same cert bundle file argument to SSL_CTX_load_verify_locations(). It seems like the latter function should be sufficient in determining which CAs are recognized.

Thanks,
Dallas
Re: How to make a legit CA cert?
Thanks Mark, that was an extremely helpful explanation. When I asked this question I was hoping to learn if CA certs are self-signed or if there is some other procedure to authenticate a CA cert as being legitimate. From your explanation it sounds like all CA certs are generated by the CA itself and then it's left up to every browser vendor whether or not they want to include a particular CA's cert in its bundle.

On Tue, Jun 1, 2010 at 8:19 AM, Mark H. Wood wrote:
> This should be more widely understood: an application considers a CA
> trusted because some human told it so. There is no other way.
>
> The "recognized" CAs are trusted by e.g. your browser because the
> maker of the browser decided to trust them and so put them into the
> list of trusted CAs that is packed in the browser. Others have
> written about the kinds of things those CAs needed to do in order to
> gain that trust. If you decide that you don't trust one of them, you
> can take it out and it becomes untrusted *for you*.
>
> If you decide to trust a CA that hasn't made the browser makers'
> goodie lists, you can just install it in your browser's list of
> trusted CAs and it becomes trusted *for you*. Anyone else can do that
> too, with a similar result for himself.
>
> If any given cert. is calculated to be trusted, that means that, at
> the top of the chain, it can be linked back to a cert. that someone
> marked manually as trusted. Trust is not calculable without that.
>
> Really, the only thing protecting most people from rogue CAs is the
> browser makers' understanding that they, too, are in a position of
> trust, and could be hurt badly by lax acceptance practices no matter
> how many disclaimers they slather onto the EULA. We should all check
> and tune our browsers' trust lists. (No, I haven't.)
>
> --
> Mark H. Wood, Lead System Programmer mw...@iupui.edu
> Balance your desire for bells and whistles with the reality that only a
> little more than 2 percent of world population has broadband.
> -- Ledford and Tyler, _Google Analytics 2.0_
Re: human readable certificate verify error messages?
Thanks, do I need to free these strings when I shut down the app?

On Sat, May 29, 2010 at 1:24 PM, Kyle Hamilton wrote:
> Don't forget to call SSL_load_error_strings() and
> CRYPTO_load_error_strings() just after you initialize the library for
> this to work.
>
> -Kyle H
>
> On Fri, May 28, 2010 at 4:19 PM, Dallas Clement wrote:
>> Perfect. Thanks very much!
>>
>> On Fri, May 28, 2010 at 3:14 PM, Dave Thompson wrote:
>>>> From: owner-openssl-us...@openssl.org On Behalf Of Dallas Clement
>>>> Sent: Wednesday, 26 May, 2010 22:03
>>>
>>>> Is there a function that translates certificate verify return codes?
>>>
>>> x509.h, x509/x509_txt.c
>>> const char *X509_verify_cert_error_string(long n)
Re: How to make a legit CA cert?
Thanks all for the information. This is good stuff to know too. What I was really trying to understand is the nuts-n-bolts mechanics of how a legit CA certificate differs from a self-created one (I know, this is a dumb question...). For example, I can create my own for test purposes this way:

    openssl genrsa -des3 -out ca.key 4096
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

However, if I turn on cert verification in my programs, this one gets rejected straight away (unknown CA). I presume the reason is because I have generated my own key to produce this cert. Is it possible to create a CA cert that looks and feels like a root cert issued from a legit company, like Verisign etc.? I just want it to work in a test environment to ensure that cert verification works for both client and server certificates.

Thanks again for your patience,
Dallas

On Sat, May 29, 2010 at 4:02 AM, Konrads Smelkovs wrote:
> As somebody who audits CAs for purpose of them getting into trusted root
> list, this is what you have to do:
> a) Obtain WebTrust for certification authorities or ETSI 101 456 standard (+
> EV guidelines from cabforum.org)
> b) Implement systems in line with one of these standards. Not cheap. HSM
> devices alone cost $10k & upwards.
> c) Get somebody who is trustworthy (think accountants or one of Big 4
> auditor companies, I recommend KPMG as I work for them) and/or WebTrust
> accredited auditors (who can certify) to audit you. First time you will
> almost fail, but if the auditor is an advisor, he'll help you through. Not a
> cheap thing to do either.
> d) Submit your application to Microsoft trusted root list program, Mozilla,
> Opera and everybody else. MS has deadlines in March and September for
> submission.
> e) Every 12 months, repeat audit.
> f) Ask yourself, do you really need it and get maybe some CA to cross sign
> you.
>
> --
> Konrads Smelkovs
> Applied IT sorcery.
>
>
> On Sat, May 29, 2010 at 5:08 AM, Patrick Patterson wrote:
>>
>> On 28-May-10, at 8:04 PM, Dallas Clement wrote:
>>
>>> This is probably a dumb question, but if I wanted to become the next
>>> Verisign of this world, how do I create a legitimate CA cert? I'd
>>> like to be able to create my own that passes verification without
>>> throwing errors, like "unknown CA".
>>>
>> Well, the first thing that you do, is do things that build "Trust", or the
>> perception that you are trustworthy. Invest in hardware that will protect
>> the CA's keys. Build processes that protect those keys. Use facilities that
>> give the impression of trust (if you've ever been to Verisign HQ for a key
>> ceremony, you'll appreciate the amount of "theater" that they do :). Then,
>> document all of these in your "Certificate Policy" and Certification
>> Practice Statement, along with all of the ways that you go about binding
>> people or servers to their associated keys, and how you manage all of your
>> personnel and facilities that are used in the operation of the CA, and
>> issuance of certificates by that CA. When you cut your keys, do it in the
>> presence of an auditor, and according to a proper key ceremony script.
>>
>> Once you have this, then get audited to prove that you are following your
>> certificate policy. Most of the browser vendors, to be included in their
>> "Trusted Roots" list, like to see a WebTrust audit. If you want to be
>> included in the list that can validate EVSSL certs, then you have to also
>> follow the guidelines of the CA/Browser forum.
>>
>> Most of the vendors, however, also have the caveat that in order to be
>> included in their list, you have to be a commercial entity that is issuing
>> certs to "John Q Public". If you only issue to people within a small, closed
>> community, then you'll have to talk pretty fast to get them to accept your
>> CA into their browser.
>>
>> That's it. If you need any help, give us a call :)
>>
>> ---
>> Patrick Patterson
>> President and Chief PKI Architect
>> Carillon Information Security Inc.
>> http://www.carillon.ca
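The dates question at the top of the page and this test-CA thread both come down to what the verifier is handed. As an added example that is not from the thread or from the OpenSSL project, this POSIX shell script builds a throwaway CA carrying the CA:TRUE basicConstraints a real root has, signs a leaf with it, and shows that the "unknown CA" rejection (X509_V_ERR code 20 in the C API) appears only when the issuing CA is missing from the trust store, then reads the notBefore/notAfter dates. The helper names (make_test_pki, verify_against, verify_error_code, cert_valid_for), subject names and lifetimes are my own assumptions, and the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenSSL project. Builds a
# throwaway CA, a leaf it signs and an unrelated CA, then shows that the leaf
# verifies only against a trust store holding its issuer, and reads the
# notBefore/notAfter values that X509_get_notBefore()/X509_get_notAfter()
# expose in C. Needs the openssl command-line tool.
set -eu

# Hypothetical helper: writes ca.*, other-ca.* and leaf.* under directory $1.
# Subject names and lifetimes are constructed values for the demo.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # Private config so the result does not depend on the system openssl.cnf:
    # a CA certificate needs basicConstraints CA:TRUE, a leaf must not have it.
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:test.example
EOF
    for ca in ca other-ca; do
        openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
            -config "$dir/ext.cnf" -extensions v3_ca -subj "/CN=Test $ca" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.crt" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
        -subj "/CN=test.example" -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 30 \
        -extfile "$dir/ext.cnf" -extensions v3_leaf \
        -out "$dir/leaf.crt" 2>/dev/null
}

# Exit 0 when leaf $2 chains to a CA in bundle $1, non-zero otherwise: the
# same decision SSL_CTX_load_verify_locations() + SSL_VERIFY_PEER make.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the numeric X509_V_ERR_* code when $2 fails to verify against $1
# (empty on success); 20 is "unable to get local issuer certificate", the
# code behind the "unknown CA" rejection.
verify_error_code() {
    openssl verify -CAfile "$1" "$2" 2>&1 | sed -n 's/^error \([0-9]*\) at .*/\1/p'
}

# Print notBefore/notAfter of cert $1 and exit 0 only if it stays valid for
# at least $2 more seconds (-checkend compares the ASN1_TIME with now).
cert_valid_for() {
    openssl x509 -in "$1" -noout -startdate -enddate
    openssl x509 -in "$1" -noout -checkend "$2"
}

if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_test_pki "$work"
    verify_against "$work/ca.crt" "$work/leaf.crt" && echo "issuing CA in store: OK"
    echo "unrelated CA in store: error $(verify_error_code "$work/other-ca.crt" "$work/leaf.crt")"
    cert_valid_for "$work/leaf.crt" 86400
    rm -rf "$work"
fi
```

Run it with `--demo` to see both verification outcomes and the leaf's dates; the same ca.crt handed to SSL_CTX_load_verify_locations() is what makes a C client or server stop reporting "unknown CA".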
How to make a legit CA cert?
This is probably a dumb question, but if I wanted to become the next Verisign of this world, how do I create a legitimate CA cert? I'd like to be able to create my own that passes verification without throwing errors, like "unknown CA".

Thanks,
Dallas
Re: human readable certificate verify error messages?
Perfect. Thanks very much!

On Fri, May 28, 2010 at 3:14 PM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of Dallas Clement
>> Sent: Wednesday, 26 May, 2010 22:03
>
>> Is there a function that translates certificate verify return codes?
>
> x509.h, x509/x509_txt.c
> const char *X509_verify_cert_error_string(long n)
Re: How can I disable authentication?
I've figured this out. Just needed to disable cert verification in addition to using the aNULL cipher.

    SSL_CTX_set_verify( mpSslContext, SSL_VERIFY_NONE, NULL );

Sorry for the spam.

On Wed, May 26, 2010 at 7:20 PM, Dallas Clement wrote:
> One small piece of additional info: I'm trying to avoid the use of
> any certificates. Is that even possible with OpenSSL?
>
> On Wed, May 26, 2010 at 6:34 AM, Dallas Clement wrote:
>> Hi Patrick,
>>
>> I had first tried doing it at run-time, and it didn't seem to work.
>>
>> SSL_set_cipher_list( mpSsl, "aNULL" );
>>
>> I then modified ssl.h as follows:
>>
>> #define SSL_DEFAULT_CIPHER_LIST "aNULL:eNULL" /* low priority for RC4 */
>>
>> In both cases, I'm getting this error on the server end:
>>
>> SSL error code = 1, msg = SSL_ERROR_SSL, error:1408A0C1:SSL
>> routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>>
>> And this error on the client end:
>>
>> SSL error code = 1, msg = SSL_ERROR_SSL, error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>>
>> Can you see anything I might be doing wrong?
>>
>> Thanks,
>> Dallas
>>
>> On Wed, May 26, 2010 at 2:45 AM, Eisenacher, Patrick wrote:
>>> Hi Dallas,
>>>
>>>> -----Original Message-----
>>>> From: Dallas Clement
>>>>
>>>> Just wondering what the best way to turn off authentication is. I'm
>>>> wanting to do so for testing purposes. Would someone please advise?
>>>
>>> just configure "aNULL" (see ssl.h) for your ciphersuites on both endpoints.
>>> That way only ciphersuites without authentication get activated.
>>>
>>> HTH,
>>> Patrick
human readable certificate verify error messages?
Hello All,

Is there a function that translates certificate verify return codes?

    #define X509_V_OK                               0
    #define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT    2
    #define X509_V_ERR_UNABLE_TO_GET_CRL            3
    ...

Just wondering if there is already a function to convert these to a string?

Thanks,
Dallas
Re: How can I disable authentication?
One small piece of additional info: I'm trying to avoid the use of any certificates. Is that even possible with OpenSSL?

On Wed, May 26, 2010 at 6:34 AM, Dallas Clement wrote:
> Hi Patrick,
>
> I had first tried doing it at run-time, and it didn't seem to work.
>
> SSL_set_cipher_list( mpSsl, "aNULL" );
>
> I then modified ssl.h as follows:
>
> #define SSL_DEFAULT_CIPHER_LIST "aNULL:eNULL" /* low priority for RC4 */
>
> In both cases, I'm getting this error on the server end:
>
> SSL error code = 1, msg = SSL_ERROR_SSL, error:1408A0C1:SSL
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher
>
> And this error on the client end:
>
> SSL error code = 1, msg = SSL_ERROR_SSL, error:14077410:SSL
> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
>
> Can you see anything I might be doing wrong?
>
> Thanks,
> Dallas
>
> On Wed, May 26, 2010 at 2:45 AM, Eisenacher, Patrick wrote:
>> Hi Dallas,
>>
>>> -----Original Message-----
>>> From: Dallas Clement
>>>
>>> Just wondering what the best way to turn off authentication is. I'm
>>> wanting to do so for testing purposes. Would someone please advise?
>>
>> just configure "aNULL" (see ssl.h) for your ciphersuites on both endpoints.
>> That way only ciphersuites without authentication get activated.
>>
>> HTH,
>> Patrick
Re: How can I disable authentication?
Hi Patrick,

I had first tried doing it at run-time, and it didn't seem to work.

    SSL_set_cipher_list( mpSsl, "aNULL" );

I then modified ssl.h as follows:

    #define SSL_DEFAULT_CIPHER_LIST "aNULL:eNULL" /* low priority for RC4 */

In both cases, I'm getting this error on the server end:

    SSL error code = 1, msg = SSL_ERROR_SSL, error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

And this error on the client end:

    SSL error code = 1, msg = SSL_ERROR_SSL, error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Can you see anything I might be doing wrong?

Thanks,
Dallas

On Wed, May 26, 2010 at 2:45 AM, Eisenacher, Patrick wrote:
> Hi Dallas,
>
>> -----Original Message-----
>> From: Dallas Clement
>>
>> Just wondering what the best way to turn off authentication is. I'm
>> wanting to do so for testing purposes. Would someone please advise?
>
> just configure "aNULL" (see ssl.h) for your ciphersuites on both endpoints.
> That way only ciphersuites without authentication get activated.
>
> HTH,
> Patrick
How can I disable authentication?
Hello,

Just wondering what the best way to turn off authentication is. I'm wanting to do so for testing purposes. Would someone please advise?

Thanks,
Dallas
Re: Trouble cross-compiling for linux-ppc (SOLVED)
For the benefit of anyone else struggling with cross-compilation, this is how I got openssl configure and make to create shared libraries using my cross-compiler.

    include ../mak.inc

    OPEN_SSL_VERSION=0.9.8h

    all:
    	tar xzvf openssl-$(OPEN_SSL_VERSION).tar.gz ; cd openssl-$(OPEN_SSL_VERSION) && \
    	./Configure linux-ppc:$(CROSS_BIN)/$(CROSS_COMPILE)gcc no-krb5 zlib-dynamic shared threads && \
    	$(MAKE) SHLIB_TARGET=linux-shared all build-shared

    dep: all

    clean:
    	rm -rf openssl-$(OPEN_SSL_VERSION)

It would be nice if this could be done in a cleaner way, but it works.

----- Original Message Follows -----
From: "Dallas Clement" <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
Subject: Re: Trouble cross-compiling for linux-ppc
Date: Tue, 10 Jun 2008 10:39:38 -0500
> I was able to get the Configure script to work with my
> cross-compiler as follows:
>
> ./Configure linux-ppc:$(CROSS_BIN)/$(CROSS_COMPILE)gcc
> no-krb5 zlib-dynamic shared threads
>
> However, no shared libraries are produced by the resulting
> makefile. It looks like the $shared_target variable never
> gets defined if you specify your own compiler. Does
> anyone have any ideas how to get around this?
>
> ----- Original Message Follows -----
> From: "Dallas Clement" <[EMAIL PROTECTED]>
> To: openssl-users@openssl.org
> Subject: Trouble cross-compiling for linux-ppc
> Date: Mon, 09 Jun 2008 21:11:46 -0500
> > Hi All,
> >
> > I'm having a bit of a problem getting the openssl-0.9.8h
> > Configure script to use my cross-compiler. These are
> > the arguments I'm giving Configure:
> >
> > ./Configure no-krb5 zlib-dynamic shared threads linux-ppc
> >
> > I can see from examining the Configure script that the
> > compiler is defined as "gcc" in the configuration table
> > corresponding to the "linux-ppc" target. This is what
> > it looks like:
> >
> > "linux-ppc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)" ,
> >
> > I would like to somehow get the Configure script to use
> > $(CROSS_BIN)/$(CROSS_COMPILE)gcc instead of just "gcc".
> >
> > Anybody know how to do this without having to modify the
> > Configure script? I'd like to ideally expand the source
> > tarball, run Configure and make.
> >
> > Thanks,
> > Dallas
Re: Trouble cross-compiling for linux-ppc
I was able to get the Configure script to work with my cross-compiler as follows:

    ./Configure linux-ppc:$(CROSS_BIN)/$(CROSS_COMPILE)gcc no-krb5 zlib-dynamic shared threads

However, no shared libraries are produced by the resulting makefile. It looks like the $shared_target variable never gets defined if you specify your own compiler. Does anyone have any ideas how to get around this?

----- Original Message Follows -----
From: "Dallas Clement" <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
Subject: Trouble cross-compiling for linux-ppc
Date: Mon, 09 Jun 2008 21:11:46 -0500
> Hi All,
>
> I'm having a bit of a problem getting the openssl-0.9.8h
> Configure script to use my cross-compiler. These are the
> arguments I'm giving Configure:
>
> ./Configure no-krb5 zlib-dynamic shared threads linux-ppc
>
> I can see from examining the Configure script that the
> compiler is defined as "gcc" in the configuration table
> corresponding to the "linux-ppc" target. This is what it
> looks like:
>
> "linux-ppc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)" ,
>
> I would like to somehow get the Configure script to use
> $(CROSS_BIN)/$(CROSS_COMPILE)gcc instead of just "gcc".
>
> Anybody know how to do this without having to modify the
> Configure script? I'd like to ideally expand the source
> tarball, run Configure and make.
>
> Thanks,
> Dallas
Trouble cross-compiling for linux-ppc
Hi All,

I'm having a bit of a problem getting the openssl-0.9.8h Configure script to use my cross-compiler. These are the arguments I'm giving Configure:

    ./Configure no-krb5 zlib-dynamic shared threads linux-ppc

I can see from examining the Configure script that the compiler is defined as "gcc" in the configuration table corresponding to the "linux-ppc" target. This is what it looks like:

    "linux-ppc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)" ,

I would like to somehow get the Configure script to use $(CROSS_BIN)/$(CROSS_COMPILE)gcc instead of just "gcc".

Anybody know how to do this without having to modify the Configure script? I'd like to ideally expand the source tarball, run Configure and make.

Thanks,
Dallas