Re: Regarding reducing the size of libcrypto.a
From: jeetendra gangele gangele...@gmail.com

Please guide me. How can I minimize the size, since I need only selected algorithms?

Can one strip a .a file...?
Mine goes from 3.3M down to 1.8M.
But I have no idea if it will still be working...

JD
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: help please
From: Abdulhadi Abulzahab abed-scorp...@hotmail.com

1 - I want to use the sha1 command but I need the result to go into a txt file

Search for any dos/windows shell tutorial...
And then search about redirections ( file).

2 - I want to create a simple batch file that contains the sha1 command
I typed in the cmd: copy con test.bat cd c:\openssl\bin openssl.exe des -nosalt -in text.txt -out testenc.txt ctrl+z

There is a huge difference between: COMMAND PARAM1 PARAM2... and COMMAND PARAM1 PARAM2...
Again, refer to the tutorial...

I know it's simple

Depends...

JD
Re: OpenSSL for Unix
From: João Alpande wavetro...@net.novis.pt

Where can I get a compiled version of OpenSSL for Unix?
How to install openssl in unix?

It would help if you could specify which unix os?

JD
Re: Help A Newbie , Please
From: Hammad Bhutta hammadbhu...@gmail.com

Whenever I type https://bhutta.com my browser pops up an error.
When I type http://bhutta.com/file.php everything works.

It seems apache is listening on 80 and not 443...
Maybe ask on the apache mailing list.

JD
Re: Help A Newbie , Please
From: Hammad Bhutta hammadbhu...@gmail.com

On Wed, Feb 23, 2011 at 4:40 PM, John Doe jd...@yahoo.com wrote:
It seems apache is listening on 80 and not 443...
Maybe ask on the apache mailing list.

Thanks for your reply, but can you direct me with the link?
Plus, how can I make Apache listen to port 443?

http://tinyurl.com/4o645yo

JD
Re: Problem verifying a chain...
From: aerow...@gmail.com aerow...@gmail.com

Use the '-issuer_checks' parameter to show exactly what it's looking for and where it's looking for it.
At 'depth 1' (i.e., one step above the end-entity certificate), it's looking for the issuer (which means it's looking for the USERTRUST root certificate).

I retrieved the usertrust certificate from my browser and concatenated it to my intermediate one and it worked!

Thanks to both of you,
JD
Problem verifying a chain...
Hi,

I have some issues with chained certificates.
I am trying to verify my certificate with the intermediate certificate of my registrar...

my.crt:
  Issuer: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA
  Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=my.site.com

gandi.crt:
  Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
  Subject: C=FR, O=GANDI SAS, CN=Gandi Standard SSL CA

# openssl verify -CAfile gandi.crt my.crt
my.crt: /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
error 2 at 1 depth lookup:unable to get issuer certificate

Is it the right command to test...?
Is the error about gandi or usertrust?

Thx,
JD
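The failure and the fix in this thread can be reproduced offline with a throwaway chain. This is an added example, not part of the original messages; the file names, subjects and the functions make_chain, issue and verify_leaf are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed three-level test chain: root -> intermediate -> leaf.
make_chain() {  # make_chain <dir>
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config "$1/pki.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 2 -subj "/CN=Example Root CA" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
    issue "$1" inter root  v3_ca   "/CN=Example Intermediate CA"
    issue "$1" leaf  inter v3_leaf "/CN=my.site.example"
    # The fix reported in the thread: intermediate plus root in one -CAfile.
    cat "$1/inter.crt" "$1/root.crt" > "$1/bundle.crt"
}

issue() {  # issue <dir> <name> <issuer> <ext-section> <subject>
    openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes -subj "$5" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
        -CAcreateserial -extfile "$1/pki.cnf" -extensions "$4" -days 2 \
        -out "$1/$2.crt" 2>/dev/null
}

# Print "OK" or the first "error N at D depth lookup" line for leaf.crt.
verify_leaf() {  # verify_leaf <dir> <trust-file>
    out=$(openssl verify -CAfile "$2" "$1/leaf.crt" 2>&1) || true
    case $out in
        *"depth lookup"*) printf '%s\n' "$out" | grep 'depth lookup' | head -n 1 ;;
        *": OK"*) echo OK ;;
        *) echo "unexpected: $out" ;;
    esac
}

work=$(mktemp -d) && make_chain "$work"
echo "intermediate only:   $(verify_leaf "$work" "$work/inter.crt")"
echo "intermediate + root: $(verify_leaf "$work" "$work/bundle.crt")"
```

With only the intermediate in -CAfile, the lookup stops at depth 1 because the intermediate's own issuer is missing, which is the "error 2" case from the question.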
Re: Certificate roll
From: Mohan Radhakrishnan radhakrishnan.mo...@gmail.com

Is there any material that shows how to roll to new certificates using OpenSSL?
I am looking for a test case to understand how this works. Anyone know about this?

Did you try to google something like generate certificate openssl or openssl certificates howto...?

JD
Re: Recommendation related to tools to be used with OpenSSL
From: VictorMitu victorm...@yahoo.com

I have the following scenario: I need an application that will do the following:
1. There is an input folder. In this folder, files will be copied/downloaded.
2. An application/script will periodically query this folder (auto-detection is also accepted).
3. If a new file is detected, the application will execute openssl smime -encrypt | openssl smime -sign commands on the file.
4. The output files (encrypted file and encrypted-signed files) will be dropped in an Output folder.

The reverse operation is also expected:
1. An input folder will be queried periodically for new encrypted-signed files (auto-detection is also accepted).
2. If a new file is found, the following commands are applied: openssl smime -verify | openssl smime -decrypt and the following actions are performed:
2.1. The Signature is verified. The validation process will drop to an external file (txt, csv) the result of the validation (pass/failed).
2.2. The Encrypted file is decrypted in another folder.

My question is actually a request for a recommendation related to an easy development tool (programming language, scripting) that is able to perform these operations, including the injection of openssl commands.

Most languages can do this (execute external programs).
Even a simple shell script run from cron...

  cd "$INPUT_DIR" || exit 1
  # openssl_cmd1 / openssl_cmd2 stand for the real openssl invocations
  ls | while read -r FILE
  do
    openssl_cmd1 "$FILE" "$FILE.crypted"
    openssl_cmd2 "$FILE.crypted"
    ...
    mv "$FILE.crypted" "$OUTPUT_DIR/"
    rm -f "$FILE"
  done

Copy/paste and adapt for the reverse.
It depends on the level of sophistication you want...

JD
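A fuller version of the cron-style loop sketched in the reply above, as an added example that is not from the original thread: it encrypts then signs, and on the return path decrypts only files whose signature verified, logging pass/failed to a CSV. The self-signed test identity, directory names and function names are constructed; a real deployment would use separate signer and recipient certificates.

```shell
#!/bin/sh
# Constructed self-signed identity, used as both signer and recipient.
make_identity() {  # make_identity <dir>
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n' > "$1/req.cnf"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Test Identity" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Encrypt, then sign, each regular file in <in>. Work happens in dot-files so
# a half-written result never appears under its final name in <out>.
protect() {  # protect <in> <out> <cert> <key>
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        n=$(basename "$f")
        openssl smime -encrypt -binary -aes256 -in "$f" -out "$2/.$n.enc" "$3" &&
        openssl smime -sign -binary -nodetach -signer "$3" -inkey "$4" \
            -in "$2/.$n.enc" -out "$2/.$n.tmp" &&
        mv "$2/.$n.tmp" "$2/$n.p7m" && rm -f "$f"
        rm -f "$2/.$n.enc" "$2/.$n.tmp"
    done
}

# Verify first, record pass/failed in <csv>, decrypt only verified content.
unprotect() {  # unprotect <in> <out> <cert> <key> <csv>
    for f in "$1"/*.p7m; do
        [ -f "$f" ] || continue
        n=$(basename "$f" .p7m)
        if openssl smime -verify -binary -CAfile "$3" -in "$f" \
               -out "$2/.$n.enc" 2>/dev/null; then
            echo "$n,pass" >> "$5"
            openssl smime -decrypt -binary -recip "$3" -inkey "$4" \
                -in "$2/.$n.enc" -out "$2/$n" || rm -f "$2/$n"
        else
            echo "$n,failed" >> "$5"
        fi
        rm -f "$2/.$n.enc"
    done
}

w=$(mktemp -d) && mkdir "$w/in" "$w/sealed" "$w/plain" && make_identity "$w"
printf 'constructed sample payload\n' > "$w/in/report.txt"
protect "$w/in" "$w/sealed" "$w/cert.pem" "$w/key.pem"
printf 'not a signed message\n' > "$w/sealed/junk.p7m"   # constructed bad input
unprotect "$w/sealed" "$w/plain" "$w/cert.pem" "$w/key.pem" "$w/results.csv"
cat "$w/results.csv"
```

The -binary flag on every step keeps the payload byte-for-byte identical across the round trip; without it the S/MIME text canonicalisation rewrites line endings.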
Certificate Revocation Lists and Apache...
Hi,

I need a little help with Certificate Revocation Lists.
I did set up client certificate filtering with apache and it seems to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now).
I have a CA that is signing a CA SSL.
Then, the CA SSL is signing the client certificates.
Now, I am testing Certificate Revocation Lists, but apache keeps saying: Invalid signature on CRL

I used:

$ openssl ca -config openssl.conf -name CA_ssl_default -revoke cassl/$CLIENTNAME.pem
Using configuration from openssl.conf
Enter pass phrase for cassl/private/cassl.key:
Revoking Certificate 02.
Data Base Updated

$ openssl ca -config openssl.conf -name CA_ssl_default -gencrl -out cassl/crl.pem -crldays 365
Using configuration from openssl.conf
Enter pass phrase for /root/Certifs/cassl/private/cassl.key:

$ # cat cassl/crl.pem
-----BEGIN X509 CRL-----
MIIB...
...
...v40=
-----END X509 CRL-----

In apache logs, when the CRL file is activated in the conf:

[debug] ssl_engine_init.c(538): Configuring client authentication
[debug] ssl_engine_init.c(1113): CA certificate: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
[debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW]
[debug] ssl_engine_init.c(626): Configuring certificate revocation facility
[debug] ssl_engine_init.c(729): Configuring RSA server certificate
[debug] ssl_engine_init.c(768): Configuring RSA server private key

When I try to connect with a revoked (or unrevoked) certificate, I get:

[debug] ssl_engine_kernel.c(1199): Certificate Verification: depth: 2, subject: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain, issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
[debug] ssl_engine_kernel.c(1391): CA CRL: Issuer: C=AA, ST=BB, L=CC, O=DD, CN=myhost.mydomain, lastUpdate: Nov 4 14:39:36 2009 GMT, nextUpdate: Nov 4 14:39:36 2010 GMT
[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure
[debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
[info] SSL Library Error: 67567722 error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
[info] SSL Library Error: 67530866 error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed
[info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
[info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[info] [client 192.168.16.23] Connection closed to child 0 with abortive shutdown (server myhost.mydomain:12345)

Also, at one point, I got a data too large:

[warn] Invalid signature on CRL
[error] Certificate Verification: Error (8): CRL signature failure
[debug] ssl_engine_kernel.c(1779): OpenSSL: Write: SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[debug] ssl_engine_kernel.c(1798): OpenSSL: Exit: error in SSLv3 read client certificate B
[info] [client 192.168.16.23] SSL library error 1 in handshake (server myhost.mydomain:12345)
[info] SSL Library Error: 67530884 error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus
[info] SSL Library Error: 218910726 error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
[info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[info] [client 192.168.16.23] Connection closed to child 0 with abortive shutdown (server myhost.mydomain:12345)

I reduced my CA and CASSL keys from 2048 down to 1024... not sure if it helped, but I don't have this error anymore...

How can I check if the crl.pem file is ok?

$ openssl crl -in cassl/crl.pem -text
Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=AA/ST=BB/L=CC/O=DD/CN=myhost.mydomain
        Last Update: Nov 4 14:39:36 2009 GMT
        Next Update: Nov 4 14:39:36 2010 GMT
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Nov 4 14:37:03 2009 GMT
    Signature Algorithm: sha1WithRSAEncryption
        03:...
        ...
        ...:8d
-----BEGIN X509 CRL-----
MIIB...
...
...v40=
-----END X509 CRL-----

I also tried all sorts of verify combos, but all fail:

$ openssl verify -verbose -config openssl.conf -purpose crlsign -crl_check cassl/crl.pem
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...

$ openssl verify -verbose -CApath cassl/
ld.so.1
Hi,

Does somebody have an idea about the following error message?

ld.so.1: /usr/local/ssl/bin/openssl: fatal: libssl.so.0.9.7: open failed: No such file or directory

I don't understand, because openssl is correctly installed and my $PATH and $LD_LIBRARY_PATH seem to be correct.

HOST:user1% echo $PATH
/opt/VRTSvmsa/bin:/etc/vx/bin:/var/opt/STORtools/bin:/var/opt/SUNWvts/bin:/opt/SUNWvts/bin:/usr/local/ssl/bin:/usr/ccs/bin:/usr/local/bin:/oracle/JOY/817_32/bin:/home/joyadm:/usr/sap/JOY/SYS/exe/run:/usr/bin:.:/usr/ccs/bin:/usr/ucb
HOST:user2% echo $LD_LIBRARY_PATH
/usr/local/lib:/usr/local/ssl/lib

NB: I'm a newbie, so don't blame me for all the stupid things I can write, and I'm not a native English speaker, so thank you

js
Anyone Know of a Web Based Certificate Authority.
Anyone know of a web based certificate authority that actually works as advertised?
I have tried php-ca but I am having a lot of trouble getting it to work. OpenCA is a little bit too full-featured for what I am trying to accomplish.
Basically I am looking to send a secret to an email address in order to verify a requestor's identity. If the requestor can correctly verify themselves, I would like to issue them a certificate.

Thanks in Advance
James Wilson
Problem using the SMIME utility
G'day,

I have installed and compiled the openssl application successfully. I have had some problems getting the command line utility to work.
I have a p7c file which someone sent me and I simply want to encrypt a text file so I can email it to them.
When I use the openssl app it just tells me the usage I should be using and does nothing.

I am using the following:

./openssl smime -encyrpt -pk7out -in inputfile.txt -out outputfile.txt key.p7c

Can anyone point out what I am doing wrong??

thanks
John