[openssl-users] OpenSSL can verify a certificate chain successfully without any root CA files

2015-06-10 Thread Jerry OELoo
Hi,
I am using OpenSSL 1.0.2 on Windows. On Windows, OpenSSL cannot
use the OS's default root CA folder as it does on Ubuntu (/etc/ssl/certs),

and I do not use X509_STORE_add_cert() to add any root CA certificate files.

But when I use X509_verify_cert() to verify a certificate that I get
from some URL (e.g. https://www.google.com), I find it returns 1.
Why does it pass verification even though I have not set any root CA files on
Windows? As I understood it, we need root CA PEM files to verify a certificate
chain.

Thanks~

-- 
Rejoice,I Desire!
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Why no peer certificate available.

2015-05-26 Thread Jerry OELoo
After I set -tls1 -servername, I can get the certificate chain information.
But in my code, I have used SSL_set_tlsext_host_name() to set the host
name, and it still cannot get the certificate chain.

On Tue, May 26, 2015 at 1:32 PM, Jeffrey Walton noloa...@gmail.com wrote:
 On Mon, May 25, 2015 at 11:17 PM, Jerry OELoo oylje...@gmail.com wrote:
 Hi.
 I found a website which has HTTPS support:
 https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
 and the browser can show its certificate chain,
 but when I use openssl to connect to the website, it fails.

 openssl s_client -connect www.ib-channel.net:443
 CONNECTED(0003)
 write:errno=104
 ---
 no peer certificate available
 ---
 No client certificate CA names sent
 ---
 SSL handshake has read 0 bytes and written 305 bytes
 ---
 New, (NONE), Cipher is (NONE)
 Secure Renegotiation IS NOT supported
 Compression: NONE
 Expansion: NONE
 ---

 So what is wrong that openssl cannot get the website's certificate? Thanks!


 I'm timing out from US/New York using Apple's downlevel version of
 OpenSSL (0.9.8). But I'm succeeding with the latest version of OpenSSL
 (1.0.2a). (It seems to be the opposite of what Patrick is experiencing.)

 Also, you usually want to specify TLS and the server name. SSLv3 is
 pretty much dead now. SNI also ensures the server selects the right
 certificate during channel setup.

 openssl s_client -connect www.ib-channel.net:443 \
 -tls1 -servername www.ib-channel.net



-- 
Rejoice,I Desire!


[openssl-users] Why no peer certificate available.

2015-05-25 Thread Jerry OELoo
Hi.
I found a website which has HTTPS support:
https://www.ib-channel.net/miegin/web/jsp/B02-01.jsp
and the browser can show its certificate chain,
but when I use openssl to connect to the website, it fails.

openssl s_client -connect www.ib-channel.net:443
CONNECTED(0003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

So what is wrong that openssl cannot get the website's certificate? Thanks!

-- 
Rejoice,I Desire!


[openssl-users] How to correctly shut down a connection to avoid a memory leak

2015-04-27 Thread Jerry OELoo
Hi.
I am using OpenSSL 1.0.2 to do some SSL connections, and now I am facing
a memory leak issue.

ssl = SSL_new(m_ctx);
sbio = BIO_new_socket(server, BIO_NOCLOSE);   /* BIO_NOCLOSE: freeing the BIO leaves the socket open */
SSL_set_bio(ssl, sbio, sbio);                 /* the SSL object inherits sbio for reading and writing */

SSL_connect(ssl);
...

/* After handling, release resources */
if (ssl)
    SSL_shutdown(ssl);


Now I have some questions about the above code, as I think there is a leak in it.
1) As I used BIO_NOCLOSE, should I free the BIO from BIO_new_socket()?
2) From the SSL_shutdown() documentation I found the text below, so should I call SSL_shutdown() twice?
0 The shutdown is not yet finished. Call SSL_shutdown() for a second
time, if a bidirectional shutdown shall be performed. The output of
SSL_get_error may be misleading, as an erroneous SSL_ERROR_SYSCALL may
be flagged even though no error occurred.
3) It seems I am missing SSL_free(), so when I no longer need this SSL
object I should call SSL_free(), right?

Thanks!


-- 
Rejoice,I Desire!


Re: [openssl-users] What global object I use in application lifetime

2015-03-24 Thread Jerry OELoo
So I can re-use g_ctx, but I need to create a new g_ssl every time, right?
BTW, for X509_STORE *store = X509_STORE_new(); can I reuse the store
as a global object?


On Wed, Mar 25, 2015 at 11:33 AM, Salz, Rich rs...@akamai.com wrote:
 From the documentation, I think the CTX can be initialized only once. But I do not know
 whether g_ssl can be initialized only once. Can I reuse g_ssl for 1000 different URLs?
 Please correct me if anything is wrong. Thanks!

 You need to create a new SSL object every time you want to do a connect.

 /r$

 --
 Senior Architect, Akamai Technologies
 IM: richs...@jabber.at Twitter: RichSalz





-- 
Rejoice,I Desire!


[openssl-users] What global object I use in application lifetime

2015-03-24 Thread Jerry OELoo
Hi.
Now, when my application is running, I will use SSL_connect() to connect to
1000 different URLs.

I want to keep some OpenSSL objects as global variables so that I do not
need to initialize/uninitialize them again and again.

Here is my sample code.

g_ctx = SSL_CTX_new(method);
g_ssl = SSL_new(g_ctx );

//SSL_connect will connect 1000 URLs 1 by 1.

...

//release g_ctx and g_ssl

From the documentation, I think the CTX can be initialized only once. But I do not
know whether g_ssl can be initialized only once. Can I reuse g_ssl for 1000
different URLs? Please correct me if anything is wrong. Thanks!


Best Regards
Jerry

-- 
Rejoice,I Desire!


Re: [openssl-users] How to construct certificate chain

2015-02-09 Thread Jerry OELoo
I am using the 1.0.2 stable release and added the code below, but it still gets
Equifax, while the browser gets GeoTrust Global CA.

X509_VERIFY_PARAM *param;
param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_TRUSTED_FIRST);
SSL_CTX_set1_param(ctx, param);
X509_VERIFY_PARAM_free(param);




On Mon, Nov 17, 2014 at 3:43 PM, Viktor Dukhovni
openssl-us...@dukhovni.org wrote:
 On Mon, Nov 17, 2014 at 03:13:22PM +0800, Jerry OELoo wrote:

 When I construct google's (www.google.com) certificate chain, it is
 different from the browser's

 [openssl API]
 www.google.com - Google Internet Authority G2 - GeoTrust Global CA
 - Equifax Secure Certificate Authority

 This is what Google sends on the wire.

 [IE/Chrome]
 www.google.com - Google Internet Authority G2 - GeoTrust Global CA

 The browsers short-circuit the chain, by finding an alternative trusted
 issuer for G2

 It seems openssl use one certificate path with bridge cert but
 browsers use another certificate path, and in answer, it said
 OpenSSL, which curl uses, is not, or at least not yet; thus you must
 tell curl to give OpenSSL the Equifax root. (The OpenSSL 1.0.2
 release, currently in beta, is announced to have enhancements in the
 area of cert chain validation, which I haven't looked at in detail
 yet.,

 Commit 9d2006d8 (1.0.2 branch) implements a new X509_V_FLAG_TRUSTED_FIRST
 flag which should give similar (to the browsers) results if set in
 the X509_STORE_CTX used to validate the chain via:

 X509_VERIFY_PARAM_set_flags()

 and

 SSL_CTX_set1_param()

 see apps/apps.c and apps/s_client.c

 So is there any way that openssl 1.0.1j can solve this and construct
 the same certificate path as the browsers do?

 No, but it is far from clear why this is a problem.  Google sends
 a chain signed by Equifax.  So OpenSSL builds a chain with that.
 When Google stops sending the Equifax cert, OpenSSL will use the
 GeoTrust root CA if that's configured.

 --
 Viktor.
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org



-- 
Rejoice,I Desire!


[openssl-users] How to load local certificate folder on windows

2015-02-04 Thread Jerry OELoo
Hi All:

I am using OpenSSL 1.0.2 on Windows 7.

I have put some root certificate files into a folder named certs. When I
use X509_STORE_load_locations() to load this folder into the store, it
returns 1, meaning success,
but when I use X509_verify_cert(), it returns 0, and the error shows
19 (self signed certificate in certificate chain).
It seems my local root certificate files are not checked by OpenSSL,
so what should I do to add the certs folder?

-- 
Rejoice,I Desire!


Re: [openssl-users] Intermediate certificates

2015-01-29 Thread Jerry OELoo
As I heard, OpenSSL 1.0.2 will include some improvements for
AuthorityInfoAccess. Am I right? Thanks!

On Wed, Jan 28, 2015 at 3:49 PM, Dave Thompson dthomp...@prinpay.com wrote:
 From: openssl-users On Behalf Of Kurt Roeckx
 Sent: Tuesday, January 27, 2015 17:14

 On Tue, Jan 27, 2015 at 11:42:51PM +0300, Serj wrote:
 snip
 What browsers do is cache the intermediate certificates.  snip

 That's one possibility. Another is that it uses AuthorityInfoAccess
 to fetch the cert automatically, which OpenSSL currently does not
 (unless you figure out a custom X509_LOOKUP to do so).





-- 
Rejoice,I Desire!


Re: [openssl-users] Read cer file failed

2015-01-20 Thread Jerry OELoo
Thanks for Michael's information.
I am on Ubuntu, and I found that if I fopen the file with "rb", it works fine.

On Tue, Jan 20, 2015 at 9:57 PM, Michael Wojcik
michael.woj...@microfocus.com wrote:
 From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
 Of Jerry OELoo
 Sent: Tuesday, January 20, 2015 00:34
 To: openssl-users@openssl.org
 Subject: [openssl-users] Read cer file failed

 I am reading a cer file into an X509 object,
 http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer

 cert = d2i_X509_fp(fp, NULL);
 It fails, as below

 What's the platform? What are the parameters to the fopen that you used to 
 get fp?

 --
 Michael Wojcik
 Technology Specialist, Micro Focus






-- 
Rejoice,I Desire!


[openssl-users] Read cer file failed

2015-01-19 Thread Jerry OELoo
Hi All:
I am reading a cer file into an X509 object,
http://SVRSecure-G3-aia.verisign.com/SVRSecureG3.cer

cert = d2i_X509_fp(fp, NULL);
It fails, as below

Error: error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
Lib: asn1 encoding routines
Func: ASN1_get_object
Reason: header too long

I use openssl to convert the cer from DER format to PEM format and it works
fine, so I think it is a DER-format file, but why does d2i_X509_fp() fail to
read it?

Thanks!

-- 
Rejoice,I Desire!


[openssl-users] How to construct certificate chain when missing intermediate CA

2015-01-08 Thread Jerry OELoo
Hi All:
I am using X509_STORE_CTX_get1_chain() to get a web site's full certificate chain.
Now I have encountered an issue that some web sites do not return the
intermediate CA certificate but only the web site's leaf certificate.

For example. https://globaltrade.usbank.com

Below is certificate I get.

Subject: /C=US/ST=Minnesota/L=St. Paul/O=U.S.
Bank/OU=ISS/CN=globaltrade.usbank.com
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
Server CA - G3

My environment is missing the VeriSign Class 3 Secure Server CA - G3 certificate.

When I open the web site in a browser (Chrome on Windows), I can see the
certificate chain is built successfully. I think this is because the
browser recognizes the VeriSign Class 3 Secure Server CA - G3
intermediate CA and automatically installs the crt into the system.

So my question is how I can achieve the same as browsers with OpenSSL.
With OpenSSL I can get the error info, but where can I use a program to
download the VeriSign G3 certificate and install it automatically, so that I
can build the full certificate chain?

Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S.
Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[20]
Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S.
Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[27]
Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S.
Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[21]


-- 
Rejoice,I Desire!
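
The two pieces a client needs for the situation in this post (a server that sends only its leaf) and for the d2i_X509_fp() failure in the "Read cer file failed" thread above: read the caIssuers URL out of the leaf's authorityInfoAccess extension, and accept the downloaded issuer whether it arrives as DER or PEM. This is an added shell example, not code from the thread or from the OpenSSL project; it assumes an openssl 1.1.1-or-later binary (for -ext and -addext) and curl on PATH, and the demo certificate, its subject and the URL http://ca.example.test/int.der inside it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes `openssl` 1.1.1+ and,
# for the download only, `curl`; the demo cert and its URL are made up.

WORK=${WORK:-$(mktemp -d)}

# DER starts with 0x30 (the outer SEQUENCE tag); PEM starts with
# "-----BEGIN". d2i_X509_fp() only understands the former, which is
# why feeding it a PEM file fails inside ASN1_get_object().
cert_format() {
    first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$first" = 30 ]; then
        echo DER
    elif head -c 11 "$1" | grep -q -- '^-----BEGIN'; then
        echo PEM
    else
        echo UNKNOWN
    fi
}

# Emit any certificate file as PEM on stdout (what PEM_read_X509() wants).
cert_to_pem() {
    case "$(cert_format "$1")" in
        DER) openssl x509 -inform DER -in "$1" ;;
        PEM) openssl x509 -inform PEM -in "$1" ;;
        *)   echo "unrecognised certificate encoding: $1" >&2; return 1 ;;
    esac
}

# caIssuers URI(s) from the authorityInfoAccess extension, one per line.
# OpenSSL never follows these itself; browsers do, which is why Chrome
# "has" an intermediate the server never sent.
aia_ca_issuers() {
    openssl x509 -in "$1" -noout -ext authorityInfoAccess 2>/dev/null \
        | sed -n 's/^[[:space:]]*CA Issuers - URI:\(.*\)$/\1/p'
}

# Download the issuer named by the leaf and store it as PEM, ready for
# -untrusted / X509_STORE_CTX_set0_untrusted(). The download is not a
# trust decision: the result still has to chain to a configured root.
fetch_issuer() { # fetch_issuer <leaf.pem> <out.pem>
    url=$(aia_ca_issuers "$1" | head -1)
    [ -n "$url" ] || { echo "no caIssuers URL in $1" >&2; return 1; }
    curl -fsS "$url" -o "$2.download" && cert_to_pem "$2.download" > "$2"
}

# Demo input (constructed): a self-signed cert with an AIA pointer, in
# both encodings.
make_demo_cert() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/min.cnf"
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/k.pem"
    openssl req -new -x509 -config "$WORK/min.cnf" -key "$WORK/k.pem" \
        -subj "/CN=aia-demo" -days 1 \
        -addext "authorityInfoAccess=caIssuers;URI:http://ca.example.test/int.der" \
        -out "$WORK/leaf.pem"
    openssl x509 -in "$WORK/leaf.pem" -outform DER -out "$WORK/leaf.der"
}

case "${1:-}" in
    run) make_demo_cert
         echo "leaf.der is $(cert_format "$WORK/leaf.der"), leaf.pem is $(cert_format "$WORK/leaf.pem")"
         echo "issuer URL: $(aia_ca_issuers "$WORK/leaf.pem")"
         cert_to_pem "$WORK/leaf.der" | head -1 ;;
esac
```

Run it with `sh aia_fetch.sh run`. The sniffing step matters for the d2i question: AIA servers usually hand out DER, but some serve PEM, and d2i_X509_fp() on a PEM file produces exactly the asn1 "header too long" class of error, so normalise before parsing. fetch_issuer only makes the intermediate available; validation still has to reach a root in the configured store.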


[openssl-users] Why construct such a weird certificate chain for one web site

2014-12-29 Thread Jerry OELoo
Hi.
I am using X509_STORE_CTX_get1_chain() to construct the certificate chain
based on the local root CA store. Now it works fine.

But when I access this website, https://www.sgetvous.societegenerale.fr/
I get a very strange result.

Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[20]
Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[27]
Peer cert subject[/OU=Domain Control Validated/OU=Gandi Standard
Wildcard SSL/CN=*.talkspirit.com] depth[0] error[27]

As above, the CN points to *.talkspirit.com; what is this?

But the
https://www.ssllabs.com/ssltest/analyze.html?d=www.sgetvous.societegenerale.fr
query result is the same as the browser shows: the certificate is signed by
VeriSign.

What's the problem? Thanks!


-- 
Rejoice,I Desire!


Re: [openssl-users] Why construct such a weird certificate chain for one web site

2014-12-29 Thread Jerry OELoo
Thanks Jeffrey & Matt

Now I have one more question. I do not want to make the code use the TLSv1
method and SSL_set_tlsext_host_name() to query all websites; I just want
to construct the TLSv1 connection and set the SNI name to query the certificate
only when I encounter this issue. So how can I get this kind of information,
or what is the correct coding process to support both SNI and non-SNI
websites? Thanks!

On Mon, Dec 29, 2014 at 5:20 PM, Matt Caswell m...@openssl.org wrote:


 On 29/12/14 08:32, Jerry OELoo wrote:
 Hi.
 I am using X509_STORE_CTX_get1_chain() to construct the certificate chain
 based on the local root CA store. Now it works fine.

 But when I access this website, https://www.sgetvous.societegenerale.fr/
 I get a very strange result.

 Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] 
 error[20]
 Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] 
 error[27]
 Peer cert subject[/OU=Domain Control Validated/OU=Gandi Standard
 Wildcard SSL/CN=*.talkspirit.com] depth[0] error[27]

 As above, the CN points to *.talkspirit.com; what is this?

 But the
 https://www.ssllabs.com/ssltest/analyze.html?d=www.sgetvous.societegenerale.fr
 query result is the same as the browser shows: the certificate is signed by
 VeriSign.

 What's the problem? Thanks!


 You need to call SSL_set_tlsext_host_name. If I connect to the above
 server using:
 openssl s_client -connect www.sgetvous.societegenerale.fr:443

 Then I get the above certificate. If however I connect using:
 openssl s_client -connect www.sgetvous.societegenerale.fr:443
 -servername www.sgetvous.societegenerale.fr

 I get the correct one. The server is using SNI so needs to know the
 hostname you are trying to connect to in order to provide you with the
 correct certificate.

 Matt



-- 
Rejoice,I Desire!


[openssl-users] How to display root certificate in command line

2014-12-22 Thread Jerry OELoo
Hi All:
I have used the openssl command line to get some websites' certificate
chains. Now I want to show the root certificate information, but I do not
find any command argument to do it.

openssl s_client -showcerts -CApath /etc/ssl/certs -connect
studentexclusives.hsbc.co.uk:443

I use -CApath to set the root certificate path.

From the output below, I can get the full certificate path: 3 certificates

CONNECTED(0003)
depth=2 C = US, O = VeriSign, Inc., OU = VeriSign Trust Network, OU
= (c) 2006 VeriSign, Inc. - For authorized use only, CN = VeriSign
Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = VeriSign, Inc., OU = VeriSign Trust Network, OU
= Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign
Class 3 Secure Server CA - G3
verify return:1
depth=0 C = GB, ST = London, L = London, O = HSBC Holdings plc, OU =
HTSE, CN = studentexclusives.hsbc.co.uk
verify return:1


But in the certificate chain, I only get 2 certificates' information (I
think these two are returned by the website.)

---
Certificate chain
 0 s:/C=GB/ST=London/L=London/O=HSBC Holdings
plc/OU=HTSE/CN=studentexclusives.hsbc.co.uk
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
Server CA - G3
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDAwWhcNMjAwMjA3MjM1OTU5WjCBtTEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMmVmVy
aVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCxh4QfwgxF9byrJZenraI+nLr2wTm4i8rCrFbG
5btljkRPTc5v7QlK1K9OEJxoiy6Ve4mbE8riNDTB81vzSXtig0iBdNGIeGwCU/m8
f0MmV1gzgzszChew0E6RJK2GfWQS3HRKNKEdCuqWHQsV/KNLO85jiND4LQyUhhDK
tpo9yus3nABINYYpUHjoRWPNGUFP9ZXse5jUxHGzUL4os4+guVOc9cosI6n9FAbo
GLSa6Dxugf3kzTU2s1HTaewSulZub5tXxYsU5w7HnO1KVGrJTcW/EbGuHGeBy0RV
M5l/JJs/U0V/hhrzPPptf4H1uErT9YU3HLWm0AnkGHs4TvoPAgMBAAGjggHfMIIB
2zA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAh0dHA6Ly9vY3NwLnZlcmlz
aWduLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQYLYIZIAYb4
RQEHFwMwVjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2Nw
czAqBggrBgEFBQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQG
A1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMtZzUu
Y3JsMA4GA1UdDwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglp

[openssl-users] Why can't I get the certificate chain if the certificate is expired

2014-12-17 Thread Jerry OELoo
Hi All:
I am using the OpenSSL API to get a website's certificate chain. For
normal websites, it works fine.
Now I have encountered a website whose certificate is expired,
https://soknad.sparebank1.no

I use X509_STORE_CTX_get1_chain() to get the certificate chain, and from the
online help
(https://www.openssl.org/docs/ssl/SSL_CTX_set_cert_verify_callback.html)
I use a callback that always returns 1:
SSL_CTX_set_cert_verify_callback(ctx, client_cert_verify_cb, NULL);

But I find that I can only get the website certificate; I cannot get
its issuer VeriSign Class 3 Extended Validation SSL SGC CA or the
root CA VeriSign Class 3 Public Primary Certification Authority - G5.

Now I want to get the full certificate chain. How can I get it?

-- 
Rejoice,I Desire!


Re: [openssl-users] Why can't I get the certificate chain if the certificate is expired

2014-12-17 Thread Jerry OELoo
Hi Rich:
But why can the Chrome browser show the whole certificate path? How does it do that? Thanks!

On Wed, Dec 17, 2014 at 5:49 PM, Richard Moore richmoor...@gmail.com wrote:


 On 17 December 2014 at 08:08, Jerry OELoo oylje...@gmail.com wrote:

 Hi All:
 I am using the OpenSSL API to get a website's certificate chain. For
 normal websites, it works fine.
 Now I have encountered a website whose certificate is expired,
 https://soknad.sparebank1.no


 The server is misconfigured and is only transmitting the leaf certificate -
 it's missing the intermediates. So you're getting all the certificates it's
 sending - one.

 Rich.






-- 
Rejoice,I Desire!


[openssl-users] How to get current using openssl version

2014-12-15 Thread Jerry OELoo
Hi All:
I have installed OpenSSL in a local path, and when I use
SSLeay_version(SSLEAY_VERSION); to get the version, it returns "SSL
version: OpenSSL 1.0.1f 6 Jan 2014", but the installed version is 1.0.1j.

It seems to get the system-installed version, not my manually installed
version. So how can I get it?
PS. I have added the include path to gcc: -I./openssl/include/openssl


-- 
Rejoice,I Desire!


[openssl-users] What is release date for openssl 1.0.2

2014-12-11 Thread Jerry OELoo
Hi All:
I wonder when OpenSSL 1.0.2 will be officially released. Is there an
exact schedule? Thanks!

-- 
Rejoice,I Desire!


How to create intermediate CA certificate with openssl

2014-11-26 Thread Jerry OELoo
Hi All:
Now I want to create a certificate chain by myself.
It will look like the following:

Server Certificate - Intermediate CA - Root CA.

Now I am using the openssl command to create these certificate files.


# Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt

# Create Intermediate
openssl genrsa -out intermediate.key 4096
openssl req -new -sha1 -key intermediate.key -out intermediate.csr

# CA signs Intermediate
openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out intermediate.crt

# Create Server
openssl genrsa -out test.example.com.key 4096
openssl req -new -key test.example.com.key -out test.example.com.csr

# Intermediate signs Server
openssl x509 -req -days 1825 -in test.example.com.csr -CA intermediate.crt -CAkey intermediate.key -set_serial 01 -out test.example.com.crt


Now I install ca.crt into the Windows 7 local Trusted Root store. When I open
the test.example.com.crt file, I can see the certificate chain under
Certification Path.

But I get one warning on the intermediate certificate: "This
certification authority is not allowed to issue certificates or cannot
be used as an end-entity certificate."

From searching, I think this is because the intermediate certificate/key is
not a correct intermediate CA, so it cannot sign
test.example.com.crt.

Please kindly give me some suggestions about how to use the openssl command
to sign test.example.com.crt with the intermediate CA. Thanks!

-- 
Rejoice,I Desire!
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
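
An added shell example (not code from this thread or from the OpenSSL project) that covers this post's script together with the earlier questions on this page about loading a certs folder on Windows and about X509_verify_cert() succeeding with no roots. It issues Root -> Intermediate -> Leaf with the basicConstraints and keyUsage extensions the script above never sets (openssl x509 -req copies nothing from the CSR and, in the releases discussed here, adds no extensions unless -extfile names a section, so the intermediate has no CA:TRUE and Windows reports exactly that), then runs openssl verify, the command-line front end for X509_verify_cert(), against a store in which the demo root is not trusted, a CApath whose root file is not hash-named, a properly hashed CApath, and a chain with the intermediate missing. It assumes openssl 1.1.1 or later on PATH; every subject, serial, file name and the work directory are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes `openssl` 1.1.1+ on
# PATH; every subject, serial, file name and the work directory is made up.

WORK=${WORK:-$(mktemp -d)}

# req needs a distinguished_name section even with -subj. The v3_*
# sections are what "openssl x509 -req" leaves out unless -extfile names
# them; without basicConstraints CA:TRUE the intermediate is not a CA.
write_config() {
    cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:test.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# issue <name> <subject> <issuer-name> <serial> <extension-section>
issue() {
    gen_key "$WORK/$1.key"
    openssl req -new -config "$WORK/demo.cnf" -key "$WORK/$1.key" \
        -subj "$2" -out "$WORK/$1.csr"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -set_serial "$4" \
        -extfile "$WORK/demo.cnf" -extensions "$5" -out "$WORK/$1.pem"
}

make_chain() {
    write_config
    gen_key "$WORK/root.key"
    openssl req -new -x509 -sha256 -config "$WORK/demo.cnf" -extensions v3_root \
        -key "$WORK/root.key" -subj "/CN=Demo Root CA" -days 3650 -out "$WORK/root.pem"
    issue intermediate "/CN=Demo Intermediate CA" root 1000 v3_intermediate
    issue leaf "/CN=test.example.com" intermediate 2000 v3_leaf
    # What a server that also sends its root delivers after the leaf.
    cat "$WORK/intermediate.pem" "$WORK/root.pem" > "$WORK/sent.pem"
    # The same root in two directories: under its own name, which the
    # hash-dir lookup behind -CApath / X509_STORE_load_locations() never
    # opens, and as <subject_hash>.0, the name c_rehash would give it.
    mkdir -p "$WORK/unhashed" "$WORK/hashed"
    cp "$WORK/root.pem" "$WORK/unhashed/root.pem"
    cp "$WORK/root.pem" "$WORK/hashed/$(openssl x509 -noout -subject_hash -in "$WORK/root.pem").0"
}

# Prints OK, or the X509_V_ERR_* number that X509_STORE_CTX_get_error()
# would return (openssl verify reports it as "error N at D depth lookup").
verify_result() {
    out=$(openssl verify "$@" 2>&1) && { echo OK; return 0; }
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -1
}

demo() {
    make_chain
    L=$WORK/leaf.pem; I=$WORK/intermediate.pem
    echo "demo root trusted nowhere, intermediate supplied:   $(verify_result -no-CAfile -no-CApath -untrusted "$I" "$L")"   # -> 20
    echo "root in CApath but not hash-named, root sent too:   $(verify_result -no-CAfile -CApath "$WORK/unhashed" -untrusted "$WORK/sent.pem" "$L")"   # -> 19
    echo "hashed CApath, intermediate supplied:               $(verify_result -no-CAfile -CApath "$WORK/hashed" -untrusted "$I" "$L")"   # -> OK
    echo "hashed CApath, intermediate missing:                $(verify_result -no-CAfile -CApath "$WORK/hashed" "$L")"   # -> 20
    openssl verify -no-CAfile -CApath "$WORK/hashed" -untrusted "$I" -show_chain "$L"
}

case "${1:-}" in run) demo ;; esac
```

Run it with `sh chain_demo.sh run`. The four verify_result lines are the CLI form of the codes the API hands back: 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, the error from the Windows certs-folder post. X509_STORE_load_locations() returns 1 as soon as the directory path is recorded; nothing is read until a lookup by subject hash happens, so a folder of unhashed files "loads" fine and then finds nothing. With no trust anchor that can close the chain, verification cannot succeed; if X509_verify_cert() still returns 1 in an application, the thing to check is whether a verify callback is unconditionally returning 1, as in the expired-certificate thread further down this page.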


How to construct certificate chain

2014-11-16 Thread Jerry OELoo
Hi All:
I have used OpenSSL 1.0.1j to construct the certificate chain from an HTTPS
web site. Now I can construct the certificate chain correctly for
facebook and twitter.

When I construct google's (www.google.com) certificate chain, it is
different from the browser's

[openssl API]
www.google.com - Google Internet Authority G2 - GeoTrust Global CA
- Equifax Secure Certificate Authority

[IE/Chrome]
www.google.com - Google Internet Authority G2 - GeoTrust Global CA

And from this link,
http://security.stackexchange.com/questions/53231/google-certificates-correct-ca

It seems openssl uses one certificate path, with a bridge cert, but
browsers use another certificate path, and in the answer it said
"OpenSSL, which curl uses, is not, or at least not yet; thus you must
tell curl to give OpenSSL the Equifax root. (The OpenSSL 1.0.2
release, currently in beta, is announced to have enhancements in the
area of cert chain validation, which I haven't looked at in detail
yet.)"

So is there any way that openssl 1.0.1j can solve this and construct
the same certificate path as the browsers do?

Thanks in advance!

-- 
Rejoice,I Desire!


How to get matched root CA in X509_verify_cert()

2014-11-10 Thread Jerry OELoo
Hi
I have put some (100+) root CA certificate files in a folder, and use
X509_STORE_load_locations() to set the store's load location.

Then I use X509_STORE_CTX_init() and X509_verify_cert() to verify a certificate.

When X509_verify_cert() returns 1, I want to know which root CA passed
verification of the certificate. How can I get this information?

Thanks!

-- 
Rejoice,I Desire!


Why public key SHA1 is not same as Subject key Identifier

2014-11-05 Thread Jerry OELoo
Hi All:
As I know, when calculating the SHA1 of the public key in a certificate, its value
should be equal to the Subject Key Identifier in the certificate. I verified this
and found that some websites follow this.

But when I go to the www.google.com website, I find the leaf certificate
and intermediate certificate are ok, but the root CA certificate (GeoTrust
Global CA) is not.

For Geo Trust Global CA certificate.
Public key:
30 82 01 0a 02 82 01 01 00 da cc 18 63 30 fd f4 17 23 1a 56 7e 5b df
3c 6c 38 e4 71 b7 78 91 d4 bc a1 d8 4c f8 a8 43 b6 03 e9 4d 21 07 08
88 da 58 2f 66 39 29 bd 05 78 8b 9d 38 e8 05 b7 6a 7e 71 a4 e6 c4 60
a6 b0 ef 80 e4 89 28 0f 9e 25 d6 ed 83 f3 ad a6 91 c7 98 c9 42 18 35
14 9d ad 98 46 92 2e 4f ca f1 87 43 c1 16 95 57 2d 50 ef 89 2d 80 7a
57 ad f2 ee 5f 6b d2 00 8d b9 14 f8 14 15 35 d9 c0 46 a3 7b 72 c8 91
bf c9 55 2b cd d0 97 3e 9c 26 64 cc df ce 83 19 71 ca 4e e6 d4 d5 7b
a9 19 cd 55 de c8 ec d2 5e 38 53 e5 5c 4f 8c 2d fe 50 23 36 fc 66 e6
cb 8e a4 39 19 00 b7 95 02 39 91 0b 0e fe 38 2e d1 1d 05 9a f6 4d 3e
6f 0f 07 1d af 2c 1e 8f 60 39 e2 fa 36 53 13 39 d4 5e 26 2b db 3d a8
14 bd 32 eb 18 03 28 52 04 71 e5 ab 33 3d e1 38 bb 07 36 84 62 9c 79
ea 16 30 f4 5f c0 2b e8 71 6b e4 f9 02 03 01 00 01

Public Key SHA1: 00:f9:2a:c3:41:91:b6:c9:c2:b8:3e:55:f2:c0:97:11:13:a0:07:20

Subject Key Identifier: c0 7a 98 68 8d 89 fb ab 05 64 0c 11 7d aa 7d
65 b8 ca cc 4e

As you can see above, the Public Key SHA1 is not the same as the Subject Key Identifier.

What's wrong about this? Thanks a lot!


-- 
Rejoice,I Desire!


How to get https web site certificate public key

2014-10-28 Thread Jerry OELoo
Hi All:

I use the SSL_get_peer_certificate() and X509_get_pubkey() APIs to get a web
site's HTTPS certificate public key. When I dump the public key, I find
it is not the same as I see in the browser (in Chrome, click the padlock in the URL
address bar - Connection - Certificate information -
Certificate - Details - Public Key field).

I am curious about what these two kinds of public key data are.


-- 
Rejoice,I Desire!


Re: How to get https web site certificate public key

2014-10-28 Thread Jerry OELoo
Thanks for Dave's quick and detailed explanation.
I used RSA_print_fp to dump the RSA in the EVP_PKEY.

Now I use i2d_RSAPublicKey() to encode the RSA* from the EVP_PKEY, which
shows the same as the browser. Thanks a lot.

One more thing: I find that using i2d_RSAPublicKey() gives the same public
key between the OpenSSL API and the browser for some sites (twitter.com,
developer.apple.com), but for www.google.com I find that it is not
exactly the same (it just has the same beginning 30 82 01 0a 02 82 01 01 and the rest
is not the same).
So why is google not the same?

On Tue, Oct 28, 2014 at 3:41 PM, Dave Thompson dthomp...@prinpay.com wrote:
 From: owner-openssl-us...@openssl.org On Behalf Of Jerry OELoo
 Sent: Tuesday, October 28, 2014 02:03

 I use the SSL_get_peer_certificate() and X509_get_pubkey() APIs to get a web
 site's HTTPS certificate public key. When I dump the public key, I find
 it is not the same as I see in the browser (in Chrome, click the padlock in the URL
 address bar - Connection - Certificate information -
 Certificate - Details - Public Key field).

 I am curious about what these two kinds of public key data are.


 On Windows (at least) Chrome (like IE) uses the Windows cert display
 which displays the subjectPublicKey value as encoded in the cert
 where it is DER nested in opaque OCTET STRING for extensibility.
 I don't know Chrome on other platforms but I'd expect it's the same.

 openssl stores and X509_get_pubkey() returns an EVP_PKEY structure,
 which has been decoded from the cert and converted to internal form,
 ready to be used by openssl logic to do things like encrypt a
 premaster for akRSA or verify a signature for (EC)DHE .

 How are you dumping it and what type of key is it?
 If you mean EVP_PKEY_print_public (which is the simplest way)
 on an RSA key (which is the most common on the public web),
 that displays the two fields, pubexpt and modulus, separately.

 If you want to get an encoding that should match what is shown
 in your browser, use i2d_RSAPublicKey on an RSA* extracted
 from the EVP_PKEY* or the DSA or ECC equivalents as appropriate.
 Alternatively encode the whole EVP_PKEY to an X509 SPKI
 with i2d_PUBKEY, and then discard the outer (prefixed) SEQUENCE
 and the AlgorithmIdentifier and the tag and length, leaving only
 the value part of the subjectPublicKey field.

 Alternatively, take the encoding shown in the browser and parse
 as DER to extract the fields of the publickey. For RSA this is easy;
 for DSA parameters are fairly complicated; for ECC parameters
 can be very complicated if explicit but that is rarely used, and the
 public point value can be compressed which is a little confusing.





-- 
Rejoice,I Desire!
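
An added shell example (not code from either thread or from the OpenSSL project) for the public-key and Subject Key Identifier questions above. It cuts the subjectPublicKey BIT STRING value out of the DER SubjectPublicKeyInfo, which is the byte string Windows and Chrome show in the Public key field (the "value part" Dave describes) and which RFC 5280 section 4.2.1.2 method (1) hashes with SHA-1, and compares that hash with the SKI the certificate carries. It assumes openssl 1.1.1 or later on PATH; the demo certificate (an EC key under /CN=ski-demo) is constructed for the example, and its SKI is deliberately set with the hash method so the two values must agree.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes `openssl` 1.1.1+ on PATH.
# The certificate, its subject and the work directory are made up.

WORK=${WORK:-$(mktemp -d)}

# Demo input (constructed): a self-signed EC cert whose SKI uses the
# "hash" method, i.e. RFC 5280 4.2.1.2 method (1).
make_demo_cert() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/min.cnf"
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/k.pem"
    openssl req -new -x509 -config "$WORK/min.cnf" -key "$WORK/k.pem" \
        -subj "/CN=ski-demo" -days 1 -addext "subjectKeyIdentifier=hash" \
        -out "$WORK/c.pem"
}

# Raw value of the subjectPublicKey BIT STRING: no tag, no length, no
# unused-bits byte. asn1parse locates the BIT STRING inside the DER
# SubjectPublicKeyInfo, so this works for RSA, EC and any other key type.
spki_bits() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER -out "$WORK/spki.der"
    line=$(openssl asn1parse -inform DER -in "$WORK/spki.der" | grep 'BIT STRING' | head -1)
    off=$(( ${line%%:*} ))                                         # byte offset of the tag
    hl=$(echo "$line" | sed 's/.*hl= *\([0-9][0-9]*\).*/\1/')       # tag + length header size
    len=$(echo "$line" | sed 's/.*l= *\([0-9][0-9]*\).*/\1/')       # content length
    tail -c +$(( off + hl + 2 )) "$WORK/spki.der" | head -c $(( len - 1 ))
}

# What Windows/Chrome show under "Public key": the same bytes, in hex.
spki_bits_hex() { spki_bits "$1" | od -An -tx1 | tr -s ' \n' ' '; }

# Method (1): SHA-1 over exactly those bytes.
method1_ski() { spki_bits "$1" | openssl dgst -sha1 | awk '{print $NF}'; }

# The SKI the issuer actually put in the certificate.
cert_ski() {
    openssl x509 -in "$1" -noout -ext subjectKeyIdentifier \
        | sed -n 2p | tr -d ' :' | tr 'A-F' 'a-f'
}

# "match" when the issuer used method (1). "differs" is legal too: the
# identifier only has to be unique for that issuer.
ski_check() {
    if [ "$(method1_ski "$1")" = "$(cert_ski "$1")" ]; then echo match; else echo differs; fi
}

case "${1:-}" in
    run) make_demo_cert
         echo "public key bytes: $(spki_bits_hex "$WORK/c.pem")"
         echo "method (1) SKI:   $(method1_ski "$WORK/c.pem")"
         echo "cert SKI:         $(cert_ski "$WORK/c.pem")"
         echo "result:           $(ski_check "$WORK/c.pem")" ;;
esac
```

Run it with `sh ski_check.sh run`, or point spki_bits_hex at a certificate saved from a browser to compare against its Public key field; for a 2048-bit RSA key the bytes start with the 30 82 01 0a 02 82 01 01 prefix quoted in the reply above. For a CA that chose a different SKI scheme, ski_check prints differs; RFC 5280 lists methods (1) and (2) only as examples, so a non-matching SKI, as the post observes for GeoTrust Global CA, is not a defect in the certificate.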


How to get matched root CA in X509_verify_cert()

2014-10-23 Thread Jerry OELoo
Hi
I have put some (100+) root CA certificate files in a folder, and use
X509_STORE_load_locations() to set the store's load location.

Then I use X509_STORE_CTX_init() and X509_verify_cert() to verify a certificate.

When X509_verify_cert() returns 1, I want to know which root CA passed
verification of the certificate. How can I get this information?

Thanks!

-- 
Rejoice,I Desire!