Re: SHA1 Message Digest Getting Generated less than 160 Bits i.e. 152 bits.
Kedar Sabnis wrote: in some specific case SHA1 digest is coming as 152 bits long instead of 160 bits long. All possible 160 bits values have the same chance of being the output of a SHA1 digest, *including* those that comprise long strings of all zeros or all ones. This mean that, statistically, for 256 SHA1 hash values you generate you get one for which the initial byte is all zero. Depending on your code, this may make that value look like it's only 152 bits long instead of 160. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Win CE 6.0 + ARM + openssl
Jakob Bohm wrote: 1. The current README.WCE and code assumes that you link with one of two less free libraries (one is LGPL, the other requires reconfiguration of the target device/phone). I wrote my own more minimal library under the OpenSSL license to avoid them both. This obviously implied patching OpenSSL to use the new library rather than one of the two old ones. Why does it mean patching OpenSSL ? wcecompat seems to be just providing some stdlib function not available by default on WCE, so isn't your library just an alternative implementation of those functions ? If not, then why ? I suggest you put your lib on sourceforge or google code, and just provide the openssl patch. But I think your patch to openssl is much more likely to be accepted if you keep it as small as possible. If it's not small, maybe it's better, in a first step at least, to leave it together with the library on an external repository. 2. To simplify installation of my program, I prefer static linking of OpenSSL. This turned up a number of general (not WinCE specific) design issues in EVP and ASN code, resulting in massive bloat of programs that don't use all of OpenSSL. Basically, lots of .o files are pulled in by just-in-case calls (mostly XXX_free() functions), table-driven selection of which code to execute and other such bad practices. Using a number of ad-hoc patches I managed to cut down some of the overhead, but its not very clean or efficient yet. Could you provide this as a separate patch, that you would call "openssl code reorganization to optimize for use on embedded platforms" ? I think this discussion should continue on openssl-dev instead of -users. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Slow crypto initialization.
Ger Hobbelt wrote: a symptom I have learned to associate with the Rand_poll() heap walking issue. AFAIR some time ago there was a problem that *just the first call* to the heap walking function would, under 64 bits Windows, take second in some circumstances. That's clearly a bug, and only Microsoft can do something about it. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Using ssldump fails with "segmentation fault" and core dumps.
Krishnappanaidu, Vasu wrote: We are using your ssldump to decrypt the SSL traffic and we get “segmentation fault” and also it core dumps. Use wireshark (or the command line version tshark), ssldump is dead and buried. wireshark also has some bugs in this domain (less than ssldump, but still a few), but has an active development team behind it. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL Security Advisory
Dr. Stephen Henson wrote: On Wed, Jan 07, 2009, Victor Duchovni wrote: This is not very clear to me. Which signatures are poorly verified: 1. The server's signature on SSL/TLS protocol messages that must be signed under the server's private key (corresponding to the private key in its certificate)? [ITYM "... corresponding to the public key in its certificat..."] Yes it is 1 only. Certificate chain validation is not affected nor other forms of DSA/ECDSA signature verification such as S/MIME. Stephen, can you elaborate on that response because from the patch it seems that more than only client validation of the server signature in SSL sessions is affected. cms/cms_sd.c is affected, but the consequence is only a missing error message, right ? ssl/s2_srvr.c ssl/s3_srvr.c : The error in those two file seems to mean that server verification of DSA signed clients certificates is also affected. apps/verify.c is affected. This is the "app" file, not "crypto", so chain validation that is done in crypto is not affected. But if someone happens to rely on the command line tool to do the verification, he may be affected. apps/spkac.c is affected. This will not impact many people (command line verification of Netscape format certificate request) but should be noted. apps/x509.c is affected, but the impact seems extremely low affecting only the code path to generate a self signed cert. Also it may be important to insist on the point that anybody who has developed applications using openssl and using the existing code as a model (cut/paste) is quite likely to be impacted by this problem. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL HTTPS application and Wireshark v1.0.0 (Win32)
Joe Flowers wrote: [...] I can decrypt the HTTPS traffic OK [...] where the HTTPS traffic is initiated from a web browser (IE) on the client machine. BUT, when I try my HTTPS client application (on the client machine, talking to the server machine), the application seems to work correctly other than I am not able to see the decrypted data in Wireshark. [...] Is there a trick to getting Wireshark to work with OpenSSL applications or is there something wrong with my application which prevents Wireshark from decrypting the data? This sounds more like a Wireshark than an openssl question. I suspect, if your configuration of Wireshark is correct, that the negociated ciphersuite uses Diffie-Hellman, so can not be externally decrypted. Two solutions : - configure openssl on your server to disable the DH ciphersuites - use Debian for the server so that's it possible to break the generated DH secret and decrypt the session ;-) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: About ECC patent and OpenSSL ECC code
Bob Bell (rtbell) wrote: [...] (for instance Certicom has a patent on having an ECC public key in an X.509 cert signed using RSA) [...] This patent really can not hold water if challenged (if the content's actually what's described here). This is what x509 has been designed to allow, also prior art of DSA public key X.509 cert signed using RSA is obvious, and you can not claim inventivity by doing exactly the same just with another algorithm, in a system where algorithm flexibility is built-in. But you need the patience, the nerves, the time and foremost the money to challenge it. It's too bad the American patent system apparently does not have a systematic public review period (I understand the new system for that since last year is voluntary, not systematic) like there is in France with the INPI. However, so few people in France know about the process for public review of patents that it's not effective at all (Here's a reference in french about it : http://www.cncpi.fr/LEX--lexique-O-observations-abecedaire-propriete-industrielle.htm , also http://www.inpi.fr/fr/brevets/deposer-un-brevet/les-16-etapes-cles-du-depot.html#c1157) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: segfault in ASN1_INTEGER_to_BN() to get serial number from a certificate
Jeremie Le Hen wrote: % char *tls_serial_number(X509 *peer) % { % ASN1_INTEGER *sn; % BIGNUM bn; % char *bnstr, *snstr; % size_t len; % % if ((sn = X509_get_serialNumber(peer)) == 0) % return (0); % ASN1_INTEGER_to_BN(sn, &bn); This can not work, you can not avoid dynamic allocation of bn. You are telling openssl to reuse the value inside bn, that will be random content from the stack. You might make it work by initialising bn to zero, but you'd depend for it to work on details of the internal working of ASN1_INTEGER_to_BN Use either : BIGNUM *bn; bn = ASN1_INTEGER_to_BN(sn, NULL); BN_free(bn); or BIGNUM *bn= NULL; ASN1_INTEGER_to_BN(sn, bn); BN_free(bn); __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Symmetric Encryption/Decryption with PKCS7 Padding
Hecber Cordova wrote: I'm trying to decrypt with openssl some encrypted files coming from .NET 2.0. The problem is .NET uses PKCS#7 Padding and openssl uses PKCS#5 Padding. It's the same thing. The other padding is ISO padding, also used within xml-enc. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: See which random device openssl is using?
ScottZ wrote: Is there an easy way (ed. in AIX) to see what random device this compiled version of openssl chose to use? Found the answer to my question and that the tool to use depends on what platform your on. Truss is available on quite a few OS. That's a nice tip, thanks for the message. For a bit more info: truss -topen,kread,close openssl rand 2 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Certificate ordering inside CRL
Dr. Stephen Henson wrote: On Fri, Nov 10, 2006, Jean-Marc Desperrier wrote: [...] That led me to use a modified index.txt with "openssl ca -gencrl" where the entries are not in the order of the serial number. But the crl openssl generates always has the certificate entries reordered in the order of their serial number. [...] No there's no requirement to do that just OpenSSL does it that way. When it uses CRLs it can reorder the revoked entries into serial number order so if they are presorted that saves a bit of time. You can stop this by commenting out the X509_crl_sort() line in apps/ca.c Thanks that will be helpful. Just, that's X509_CRL_sort :-) Whilst we're at it : In the documentation for openssl ca, I think it would be best to mention in the "-crlexts section" paragraph that the crl number extension should be set by using the crlnumber configuration file option, and not through that section*.* ** __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Certificate ordering inside CRL
Hi, I'm trying to reproduce with "openssl ca -gencrl" an existing crl where some entries are not ordered in the order of the serial number of the certificate. That led me to use a modified index.txt with "openssl ca -gencrl" where the entries are not in the order of the serial number. But the crl openssl generates always has the certificate entries reordered in the order of their serial number. I read RFC3280/2459, but I see nothing that says that the certificate entries must be ordered by serial number in the crl. revokedCertificates is a SEQUENCE OF SEQUENCE, not a SET, so the content should be allowed to be in any order ? Did I miss something that says you *must* order the certificate entries, or is it done so just because that's the way openssl does it ? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
openssl 0.9.8 and pkcs5v2 alg in pkcs12
Hi, The pkcs12 man page reads : -keypbe [...] If a a cipher name (as output by the list-cipher-algorithms command is specified then it is used with PKCS#5 v2.0 [...] The 'list-cipher-algorithms' command is only available in the 0.9.9-dev trunk version of openssl. Does it mean also that it's not possible with openssl 0.9.8 to use pkcs5v2 to use non-standard encryption algorithms to encrypt a pkcs#12 file ? If it is possible, what is the correct syntax to use aes, because I couldn't find out ? PS : Is it still true that anybody's authorized to post to openssl-users ? It didn't seem to work for me. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: cert5.db
Miroslav Zubcic a écrit: I must convert normal certificates in cert5.db or ServerCert.db format. How can I do this with openssl(1)? I have read man pages for pkcs7 pkcs8 pkcs12 etc ... grep google but I cannot find anything usefull. Convert them to pkcs12. Run a netscape 4.x (best done with a fresh new profile). Import the PKCS#12 in netscape through the security option Find the cert5.db file in the Netscape profile (~/.netscape) Copy it to where you want it to be exploited by the cisco access registrar. Somehow the cisco access registrar will need to know the password Netscape asked you before accessing the certificate db and that is used to encrypt cert5.db __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OCSP and netscape 7 or mozilla
El Vie 18 Oct 2002 09:45, Michiels Olivier escribio: I've just implemented an OCSP responder and I want to test it with netscape or mozilla. Both browsers returns that the certificate cannot be verified for an unknown reason but when I use the ocsp client of openssl it works. Michiels Olivier a dit : Do you also believe that this is a mistake in Mozilla ? I have tested Mozilla with succes with the Verisign OCSP responder (activate OCSP, and connect to https://www.verisign.com). The unknown reason error code sure is annoying. Make sure all the CA are properly configured within Mozilla and have the proper usage enabled. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: www.openssl.org
Thomas Spoelstra a dit : >At 19:00 gmt+1 - is the OpenSSL site down? > > It does happen for me quite often that the OpenSSL site is down. It is indeed down for me too now, and I don't know any other site that I see down as often as the OpenSSL one. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Please Help!!!
Aleksey Sanin wrote: > IMHO it's bad idea to use gcc 3.0 on Solaris now. I had very bad > expirience > with it in the past. If it is possible, try gcc 2.95.3. I've had recently the occasion to compiles openssl 0.9.6 out of the box without problem with both 2.95.3 and 3.0.3 under Solaris. But with 2.95.3, I had a mysterious coredump inside dlopen everytime I was trying to load a Chrysalis pkcs#11 library inside my application program. I was not able to understand what was happening and I did not have the problem with 3.0.3, so I went on with that one. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Prevent apache from giving out server cert?
Erwann ABALEA wrote: >But to me it seems that enhancing access restriction using the server cert >is not a good idea. That means the server cert is a secret known only by >the trusted users. By definition, a certificate is public, so it cannot be >a secret. > > Basically, this means that the client is truly doing password based authentification, and that the password is the certificate of the server. Not going into that and doing standard user/password authentification will be a lot simpler, and more secure as each user will be able to have his own password. Shared password is about the worst you can imagine in security. That's what I meant by "even if you manage to do it, it won't bring anything more than the above solution". And we still haven't proved it's feasable, this would mean modifying the SSL stack of the client so that it accepts a connexion without receving the certificate of the server, and use instead a copy of the certificate from somewhere else to continue the transaction. No standard SSL stack will be able to do that, if modifying the stack for this is possible, you could as well modify it to do proper user certificate authentification. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Netscape vs. IE with self root CA
Williams, Jeff wrote: >As >for Netscape, I'm having a problem getting Netscape to import the Root >Authority. > This is a known problem. The only way to import a new root inside Netscape 4.x is to create an HTML page with a link that points to the certificates, and install by clicking on the link on this page. The HTML page can be a file on your hard drive, as well as the certificate. The only important thing is that the MIME type associated inside the registry with the certificate file be the one Netscape expects. This usually is the case when you give the file the extension is .der. Try .cer too. If that doesn't word, do some search on the mailing list archive to get the exact MIME type needed, and find how to modify the MIME type from file explorer. >Also, is there a way to tell if my certificates that I sign are 128 bit >encrypted? Or is there something I should use with openssl to guarantee a >128 bit certificate? Thanks for the help! > What is called 128-bit certificates is a certificates with some special extension, and that is signed by an authority that the client browser will recognised as allowed to emit 128-bit certificate. When seing both of these together, the client webbrowser (IE below version 5.5 or Netscape Navigator 4.x) will switch to 128-bit cryptography, even if it's an export version that would usually be restricted to 56 bit. Your home-made CA is not recognised as such a trusted CA. If the application is intranet, you could search and find how to individually get each client webbrowser on the intranet to trust you CA to emit 128-bit certificate, but it won't be of any use in the general world. Even for an intranet, simply updating all the clients to a non-cryptographically restricted version would be _a lot_ easier. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Openssl req and accents
Dr S N Henson wrote: > OpenSSL by default will assume the characters presented to it are > IS08859-1 (Latin 1) strings. It stores these in the ASN1 string type > known as a T61String: this isn't actually correct but Netscape and MSIE > can do this too. It would be correct if the real T61String encoding for this characters was used. Unfortunately if Netscape and MSIE can use IS08859-1 in T61String, they can't interpret the real, correct T61 encoding in T61String. > Characters which can't be represented as ISO8859-1 can still be handled > with the latest OpenSSL 0.9.7 development version. This has a new option > (-utf8) to the req application which instead interprets the input as > UTF8 strings. Do UTF8 strings crash as many applications as BMP strings or less ? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Netscape 6 Client Hello
"Draelos, Timothy J" wrote: > I have imported a "Personal" certificate that I > created with openssl. It appears to work (i.e., says "Import successful"), > but the certificate never shows up in the Personal certificates list. I can > import into the "Intermediate CA" and "Trusted Root CA" certificate stores > and see them in the list, but not the Personal certificate store. Sounds like you're importing a certificate, and not a PCS#12 (certificate + private key). Without the private key, it will never be considered a personnal certificate. > Is there a way to "make" Netscape 6 issue a TLS-compliant Client Hello > handshake message? I have Disabled SSLv2 and SSLv3 and Enabled TLS in > "Netscape Personal Security Manager --> Advanced --> Options," but it still > begins the SSL handshake with an SSLv2/3-style Client Hello structure. Maybe someone can answer to that, but that's more a question for the newsgroup netscape.public.mozilla.crypto. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSC with explicit "Not Before" & "Not After" dates
> Xeno Campanoli wrote: > > > > Jean-Marc Desperrier wrote: > > > > >> Generate a self signed certificate with -req. > > >I've only generated self signed certificates with openssl req -x509. This is what I meant. -req was a mistyping. > I also > was a bit confused until I found the resulting certificate apparently > couldn't be redirected explicitly, and please correct me if I'm wrong > about this, but rather I ended up extracting it from the 01.pem file > that ends up in the newcerts directory. You can redirect it. You can use -out for that in addition to the other options. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Smart Card Readers
"Kenneth R. Robinette" wrote: > But no problem, if you order one, and try it out, you will not have to worry > about the license. You will have given it to > your kids to play with way before a year is up. This said if you are successful in using the iButton with the pkcs#11, you can be confident you have a program that can work with any pkcs#11 library that is able to work with Netscape, no matter how bad the interface is implemented. The only way to get it working is to do the same things as Netscape, in the same order, with the same values in the arguments. Any deviation from that means failure. > Both the GemSAFE and Rainbow have very good PKCS-11 support > and everything works as advertised. I can import/export SSH > public/private keys and certs with no problem, and both work well > with OpenSSL (thanks to all the excellent help from Dr. Henson). Hum, import/export SSH public/private keys ? I know the Gemsafe cards allows you to import RSA private keys from PKCS#12. Not sure if this is a great idea or not :-) It is convenient in some cases. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: RSA Encrypt/Decrypt fails
Jan Zoellner wrote: > At 15.02.01 13:04, you wrote: > >point of using RSA if not ?, so I will insist once again on the fact that you > >SHOULDN'T do that. > > I reimplemented the whole thing to be padded with random data (which are > discarded upon decryption). PKCS#1 padding is worse than that, if I > interpret the source correctly. It sounds much better. > >If your protocol _ever_ sends the same data block to two different > >recipients, you are dead and buried. > > Different recipients don´t matter: The data is privately encrypted and can > be read by many recipients, all having posession of the same public key. > (Symmetric or hybrid cryptography is not applicable.) Data is never sent to > different recipients, as there is only one (at least from the viewpoint of used > keys). You are right, I spoke a bit too fast. What's more, the attack I was refering to, as someone made me notice already, requires "e" messages, not 2, so it's more difficult to do if you use a large e, like 65535. I remembered how I was told of an actual implementation, not using padding, that could be broke this way very easily, but it sounds like it used e=3. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PKCS #7 in OpenSsl?
"A. Konigsdorfer" wrote: > 'Free' means something different in my eyes: > > 1.2 The period of this license is a hundred eighty days (180 days) > from the moment the userdownloads the Software from Safelayer's > web (www.safelayer.com). The use beyond this time is not permitted. > > The original poster of this message asked for a COM control. You > should try http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ which > includes S/MIME, PGP and of course PKCS#7. > Take a look at the license. Well, if he takes a look at the license, he'll see it's 'Free' only for a restricted subset of peoples. He might be in a situation where he can use it for free, but it's better to check carefully first : " Any large-scale commercial use of cryptlib requires a license. "Large-scale commercial use" means any revenue-generating purpose such as use for company-internal purposes, or use of cryptlib in an application or product, with a total gross revenue of over US$5,000. " __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Certificates with many Virtual host
Reiner Buehl wrote: > Hi, > > > a) Can I make my on certificate valid for many host names ? > > There is a (not recommended) possibility for this: If all of your hosts > belong to the same domain you could generate a so called "wildcard certificate". > This is a certificate with a hostname like '*.mydomain.org' that would > not produce the error message. What public CA will accept to generate such a certificate !? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How do I create certificate requests from pubkey?
unshine sun wrote: > hiI want to converting public key to certificate requests. How do it? You can't. You need the private key in order to create what is called a proof of possession. i.e. the system is conceived so that you can't just take the public key and create a certificate request with the information you want. You need to use the private key to sign this request. This restrains you from requesting a certificate for someone else with information he does not want inside. Of course technically it's always possible, but the tools are conceived so that you will not be able to do it too easily. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Hardware Tokens and OpenSSL
Richard Levitte - VMS Whacker wrote: > From: James Dabbs <[EMAIL PROTECTED]> > > JDabbs> Does OpenSSL presently support hardware tokens for client-side > JDabbs> authentication, such as Aladdin "eToken" or Rainbow "iKey > JDabbs> 2000"? If not, is there any activity in this direction? > > I've been thinking about it. What's needed is the following: > > - a .so/.dll to use as an interface to the token > - programming documentation > > However, it may be that they all support PKCS#11, so perhaps it would > be a good thing to build a PKCS#11 engine... A number of people have made PKCS#11 patch against the software implementation, that could be reused ... The trouble with PKCS#11 is that in most cases the implementation is very bad. It's hard to have an implementation that can adapt to whatever set of functions is implemented or not, and many implementation will simply not work if anything in the call parameters doesn't look like what they like or if you don't call the function in the order they expect. So having one implementation of pkcs#11 that will just compile and run with any pkcs#11 token is really very hard, because you would have to go around every implementation bug of every token. One solution is to have an engine that does things _exactly_ the same way as Netscape (I mean same functions call, same functions call order, same parameter value), and you will be able to use it with every token that is compatible with Netscape. That the way I was finally able to make some use of the iButton pkcs#11 library (). __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: certificate issued by an official CA for openssl wanted
Alexander 'Alfe' Fetke wrote: > our customers > will run our application which will be both client and server. > the used protocols will be IIOP over SSL or plain IIOP (but then > of course without encryption, so this case is not of interest). > we are not planning to issue certificates by ourselves or make > our customers issue anything. Standard ssl server certificates have exactly the extension needed to open an ssl connexion. It doesn't matter if the protocole on it is HTTP or not. They could be restricted to have only the server usage, but until now all those I have seen have both ssl server (receives connexion) and ssl client (opens connexion) usage. If you ask for an intranet certificate, this frees you of the contraint that the common name does should be a FQDN in a domain you own. It's quite reasonnable for you to use a certificate under a public CA, but if the expense of a certificate under a public CA is too much for your clients, you might consider searching a non-commercial option for the clients and having an OOB (out of band) way of checking if the certificate owner is really your client. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Experiencing error when installing a Verisign certificate!
"Wilt, Paul" wrote: > [04/Dec/2000 12:09:21 5411938] [info] Init: Initializing OpenSSL library > [04/Dec/2000 12:09:21 5411938] [info] Init: Loading certificate & private > key of SSL-aware server storefront.xanedu.com:8443 There apache loads your server and private key. It work ok : No error. I can tell there is no password on your private key, or there would be log that says the password has been read from user. > [04/Dec/2000 12:09:24 5523600] [error] Init: (storefront.xanedu.com:8443) > Unable to configure verify locations for client authentication (OpenSSL > library error follows) There apache tries to load the PEM certificate of the CA that must be used for user verification in SSLv3. It doesn't work. There seem to be a problem with the end of line. > [04/Dec/2000 12:09:24 5523600] [error] OpenSSL: error:0B084009:x509 > certificate routines:X509_load_cert_crl_file:missing asn1 eos I must say I'm not completely sure if it's the loading of the CA certficates that fails, or the loading of the CRL that's associated to that CA. Anyway this should help you to search in the right direction. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Looking for an HTTPS client for NT C/C++
[EMAIL PROTECTED] wrote: > On 24 Nov, Jean-Marc Desperrier wrote: > > > Shridhar, a tool that incorporates OpenSSL code can hardly be released as > > GPL, because OpenSSL itself is not GPL. > As I understand the BSD license, BSD licensed code can be rereleased > under the GPL. See drivers/scsi/ncr53c8xx.c in the Linux kernel. This > code was BSD licensed, it originates from FreeBSD, was ported to Linux > and rereleased under the GPL. I said "hardly", the exact meaning is "they are problems" and they have been shown very recently. Just consut the archive, thread title "Licencing issues", and you'll know everything you need about it. This is only 10 days old. Only the original author can really take the decision to rereleased BSD/BSD like code under the GPL. In the case of ncr53c8xx.c, the original author is Stanglmeier, and _he_ is the one who has rereleased it under GPL if the announcement at start of the file is correct. This will not happen with OpenSSL. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Looking for an HTTPS client for NT C/C++
Shridhar Bhat wrote: > > ¾G¹ÅÂ×(kevin) wrote: > > > > Hi, > > > > Will you post to this mailing list how and where to download the tool? > > > > kevin > Yes, I would post it here. > > I've got the permission from management to release it under GPL. > I have asked to set up a machine from where it could be downloaded. > Also, I am figuring out the licensing issues. I came across lot of > discussions which advise releasing a tool under GPL. I may not spend > too much time on it but if you have some quick words on it, I would > be happy to have them. Sorry for the delay. Shridhar, a tool that incorporates OpenSSL code can hardly be released as GPL, because OpenSSL itself is not GPL. I think you should release it under a license similar to the one of OpenSSL, that is BSD like, that both makes the source of the product available to everyone, and leaves you perfectly free to use the code in any commercial product you do not want to release the source code of. Maybe be you could release it as an external contribution to openssl. It might be a good idea to take the license of the recent release of Echohttpd as a model. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]