Re: Playing nice between OpenSSL and Microsoft libraries with 3DES pass phrases?
Do yourself a favor and just have one of the OpenSSL crypto experts do the function on a consulting basis. Will save you a lot of time, and misery! And it will be crypto correct. Ken There are a few other complications which you may not be aware of. But I am terrified that they exist. I'm a generic multiplatform network applications type, not a crypto geek. Under CryptoAPI you can't directly set the actual key. There are various tricks involving things like exponent of one RSA keys to get round this though. I realized this. I feed it the hash, it makes a key. Cool, unless you need to replicate the it makes a key using OpenSSL. OpenSSL allows you to set the actual key and has support for various standard key derivation algorithms like PKCS#12 or PKCS#5v2.0 . (I'd rant about the OpenSSL man pages, but I'd be off my own topic.) Since my first post, I've tripped PKCS#5v2.0; I guess my primary comment would be that the OpenSSL DES/EVP pages don't make it clear what is used for what ... for example that PKCS includes the key generation routines that may not be public key. Its advisable to use the EVP interface on OpenSSL rather the the low level routines. I realize that. But I didn't see the obvious path way to do using the low level or EVP routines. It isn't a good idea to just make up a key derivation algorithm: there are lots of these about that are horribly insecure. Many don't even use a salt which makes them vulnerable to attack. I wasn't planning to. I know of weaknesses (which I won't advertise) in exactly what I'm doing, but it's a major improvement on the simply XOR against a fixed key which the current implementation does. I prefer not add more *unknown* weaknesses. (All this is a mere fallback to running the whole sebang over SSL from client to server -- and I'm using SHA1 passwords when possible, which is whenever not calling external authenication facilities.) What this means for 3DES is that there isn't a common password based key derivation algorithm. The solution would be to implement one in either CryptoAPI or OpenSSL. For example you could implement PKCS#5 v2.0 under CryptoAPI or even the odd 3DES derivation algorithm under OpenSSL. Have you seen the Secure Programming Cookbook for C and C++ (by Viega Messier, from O'Reilly)? I'm looking at recipe (section) 4.10, which has PKCS#5 for Windows and OpenSSL.Of course, that leads off other parts of the book, so back to my reading ... -ahd- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-398-0221 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: ftp implicit ssl connection
Take a look at: http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html Ken PBSZ is used when you are negotiating the size of the buffer to be encrypted. If you are using FTP over SSL, the FTP protocol is not performing any authentication or encryption. Therefore, you do not use PBSZ. Yes, you are right... but i'm sure that these servers i connect to use implicit ssl connection and i saw some clients sending the buffer size command... However, i tried to follow the normal ftp protocol with USER and PASS commands with the same result... no answer from server... Maybe i need some source code to see the difference with mine... Do you know about any linux sftp that implements ssl implicit connection ? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-398-0221 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: IMPORTANT: The release of 0.9.6h is postponed
Date sent: Fri, 22 Nov 2002 10:21:30 EST From: Jeffrey Altman [EMAIL PROTECTED] To: [EMAIL PROTECTED] Copies to: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject:Re: IMPORTANT: The release of 0.9.6h is postponed Send reply to: [EMAIL PROTECTED] You are worried about a performance impact of clearing a small password buffer? I would think the idea of changing memset() to a more secure function is an excellent idea and well worth a couple of days of delay. Heck, I have been waiting for release 0.9.7 for a couple of years! Ken I thought making a memset() look-alike (somewhere in the discussion, setmem() was proposed) was enough to prevent it. No? There were three suggestions made that I had seen that appeared to work: . change all password buffers to volatile . replace memset() with your own function not called memset . use compiler specific command line options to turn off this optimization The problem with the first two is that they do have significant performance impacts. The problem with the last is that we do not want to need to know the command line options for each and every compiler. Jeffrey Altman * Sr.Software Designer Kermit 95 2.0 GUI available now!!! The Kermit Project @ Columbia University SSH, Secure Telnet, Secure FTP, HTTP http://www.kermit-project.org/Secured with MIT Kerberos, SRP, and [EMAIL PROTECTED] OpenSSL. ___ ___ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] ___ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-398-0221 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL on WIN2K
Date sent: Tue, 05 Nov 2002 13:12:27 To: [EMAIL PROTECTED] From: Thomas J. Hruska [EMAIL PROTECTED] Subject:Re: OpenSSL on WIN2K Send reply to: [EMAIL PROTECTED] Passing out this type of advice may end up getting application developers in a lot of hot water. The distribution of the OpenSSL dll's has no relation to the legal requirements involving the use of such dll's. I believe the term the US government uses for applications that do make use of such a concept is an open cryptographic interface. I have been told, but have no proof of such, the US Department of Commerce WILL NOT approve the export of any product that uses the OpenSSL dll's. Futher, all the applications I know of that have export approval, which use OpenSSL, is in fact static linked to the OpenSSL library. It would be interesting to know if any US based application, which has export approval, does use the OpenSSL dll's. Ken At 10:28 AM 11/5/2002 -0500, Oblio writeth: I'm not sure what these two files are, either (I think you meant 'ssleay32.dll and libeay32.dll'). However, I've found that a number of programs I have installed include versions of them, and there's a copy in my system32 directory. I can give you a copy if you'd like. Can anyone else tell us where these come from, and what they do? (And why the different copies on my system are different sizes?) They usually come from pre-built sources. Technically end-users should do the compilation of OpenSSL for their systems and companies should not incorporate OpenSSL into their product lines because of import and export regulations (legal issues just get messy in regards to cryptography software). However, many Windows-oriented products include OpenSSL binaries to make end-users lives easier. The downside to distributing the binaries is that every product that uses OpenSSL has to keep OpenSSL updated - thus requiring additional resources that could be spent doing something else. Hence the reason for the Win32 OpenSSL Installation Project. It deals with the legal issues of distributing OpenSSL, Windows programming/development issues, and end-user issues all at the same time in one convienent package. The reason for different sizes is usually due to whatever compiler the company used to build the DLLs. Also, the OpenSSL DLLs may be different versions...and anything below v0.9.6f/0.9.6g is subject to several serious security-oriented issues. Hope this helps! Thomas J. Hruska -- [EMAIL PROTECTED] Shining Light Productions -- Meeting the needs of fellow programmers http://www.shininglightpro.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl- [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] _ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Windows, MS VC++, MFC and OpenSSL
Date sent: Wed, 02 Oct 2002 11:26:19 +0200 From: Michael Voucko [EMAIL PROTECTED] Organization: Fillmore Labs GmbH To: [EMAIL PROTECTED] Subject:Re: Windows, MS VC++, MFC and OpenSSL Send reply to: [EMAIL PROTECTED] Yes it is possible, and in fact very easy. And it works quite well. Ken Radboud Platvoet wrote: Hi everyone, Does anyone know if it Is possible to use the MFC CAsyncSocket class as a base for an OpenSSL connection? The CAsyncSocket class has many nice features such as OnReceive, OnClose, OnAccept and OnConnect events which I use extensively in my programs that use unsecure connections. I would like to be able to use the same features for my secure connections. Checkout the current maximum block size in SSL_write() thread, it might give you a clue what to expect. -- Michael __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl- [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] _ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: zlib double free bug and openssl question.
Date sent: Tue, 4 Jun 2002 19:45:55 +0200 From: Lutz Jaenicke [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:Re: zlib double free bug and openssl question. Organization: BTU Cottbus, Allgemeine Elektrotechnik Send reply to: [EMAIL PROTECTED] I know of several public applications that uses zlib with OpenSSL. Probably more that I don't know about. In general, anything that uses SSL enabled telnet can make use of the OpenSSL zlib feature. Ken On Mon, Jun 03, 2002 at 04:01:38PM -0400, Lenny Miceli wrote: I've tried to search the archives/bug reports/faq's and didn't find any definitive answers on the zlib Double Free Bug CERT's Advisory CA-2002-07 issue. Does openssl v0.9.6b or above have this issue? I know if you do a stings on libcrypto.a you find zlib alot, so I assume somehow the zlib library is used in crypto/comp/c_zlib.c or somewhere. Thanks for any help you can give me. If not explicitely selected, OpenSSL is not compiled with zlib- support. And even if it would be compiled in, it won't be used by default, unless an application enables it. I am not aware of any publicly available application using zlib functionality inside OpenSSL. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] Cottbus.DE http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl- [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] _ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: About OpenSSL 0.9.7 release
Date sent: Fri, 5 Apr 2002 14:03:03 +0200 From: Lutz Jaenicke [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:Re: About OpenSSL 0.9.7 release Organization: BTU Cottbus, Allgemeine Elektrotechnik Send reply to: [EMAIL PROTECTED] Just my two cents; lots of people are waiting for the 0.9.7 release, many for over a year. If I remember correctly, the one or two bugs that still are pending have been pending for over a year. How about rolling those fixes into a special release and let the many thousands of us that do not have to support 64 bit platforms be on our way. Ken On Fri, Apr 05, 2002 at 12:27:34PM +0200, Francesco Dal Bello wrote: I'm planning my activity, and so I like to know (if possible) what is the approximately time for 0.9.7 release. Nobody will give you a timeframe. (This is not meant as an offense. We are more or less waiting for one or two bugs to be fixed, especially the BIGNUM problem on 64bit platforms.) I have tried to build my company utility with openssl-0.9.7-stable-SNAP-20020226 and I have obtained a mistake (a function doesn't exist anymore). This mistake doesn't exist using 0.9.6c release. The 0.9.7 will be quite compatible backwards? It is our intention to be as compatible as possible except for changes required to fix bugs and extend functionality. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] Cottbus.DE http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl- [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] _ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: What chars are valid in a CN
From: Dilkie, Lee [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' openssl- [EMAIL PROTECTED] Subject:What chars are valid in a CN Date sent: Tue, 5 Mar 2002 08:31:28 -0500 Send reply to: [EMAIL PROTECTED] http://docs.iplanet.com/docs/manuals/cms/42/adm_gide/app_dn,htm Ken Stupid question but I can't seem to find a reference anywhere (or I'm not looking right) What characters are valid in a CN (common name, and is a CN most/less/the same restrictions as a DN?), obviously alphnum and some punctuation, but which ones? Anyone have a pointer to where this is specified? TIA, -lee dilkie __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl- [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] _ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSL for telnet
From: Dilkie, Lee [EMAIL PROTECTED] To: '[EMAIL PROTECTED]' [EMAIL PROTECTED] Subject:SSL for telnet Date sent: Mon, 10 Sep 2001 15:31:45 -0400 Send reply to: [EMAIL PROTECTED] http://www-cs-students.stanford.edu/~tjw/srp/ Designed for srp but has very good ssl/tls support. Ken I've been trying to find telnet-ssl client and server code. Does anybody know of any current implementations? The few I've run across are all built on old SSLeay. If someone could throw me a few url's I'd be grateful... Thanks, -lee __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
TLS/SSL Authentication
If I understand the handshaking of TLS/SSL between a host a client, the client sends a certificate to the host, then performs a RSA encryption operation using the certificate private key on challenge data sent by the host. If the certificate and private key is located on a USB token/Smart Card, and the private key is marked as sensitive or cannot be exported, then how does the Microsoft Browser perform the private key encryption using cryptoapi, when the private key cannot be exported? I have searched the cryptoapi documentation and cannot find any way to do this without using CryptExportKey to obtain the private key. Ken __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: can we prevent export of a personal certificate?
From: Greg Stark [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:Re: can we prevent export of a personal certificate? Date sent: Tue, 28 Aug 2001 17:40:31 -0400 Send reply to: [EMAIL PROTECTED] If they are using the Microsoft Certificate Server to request the certificates, that is an option that can be selected on the advanced form. Also a large number of standard html templates I have seen also has the Mark keys as exportable as an option. So if this is the case, they would have to edit the html template and remove/disable that option. Some of the Smart Cards/USB token cryptoapi providers will ignore this option, but most do not. Ken What you are referring to is in fact the private key information and not just the public certificate. I don't know of any way to stop a mozilla user from doing the backup, I'm just not that familiar with mozilla. For IE and if you are using one of the MS providers, the default is to disallow export of the private key. Check your script which creates the certficate request and private key; it should have something that looks like objectname.createPKCS10. Make sure nothing sets the low-order bit of objectname.GenKeyFlags; it should be zero. Greg Stark [EMAIL PROTECTED] - Original Message - From: werner fraga [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 28, 2001 4:58 PM Subject: Re: can we prevent export of a personal certificate? steve wrote: Do you mean 'private keys'? Certificates are public knowledge and can't be restricted in that way. What OS is this for, if windows then you can for MSIE but it depends on how you import the certificates in the first place. i think i mean 'certificates', as in mozilla's Edit -- Preferences -- Privacy... - Certificates -- Manage Certs -- Backup this allows the user to back up a certificate to a file and then restore it on another computer. i was hoping that this could be disabled somehow... our employees use IE netscape for windows, and mozilla for linux. the majority is using IE for windows, so it would be acceptable if we could just disable exports for IE... near as i can tell, we are using 'AcceptPKCS7' to import the certificate into IE... __ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
DSA Keys
As quoted from several sources by Simon Tatham: PuTTY also does not support DSA for user authentication keys, for security reasons. What security issues is he referring to? Ken __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RSA Structure Enhancements
Will the functions: RSA_set_ex_data RSA_get_ex_data contained within OpenSSL version 0.9.6 remain valid in future versions of OpenSSL? Ken __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problems with SSL V3 and IIS
Date sent: Wed, 8 Aug 2001 19:05:53 -0700 (PDT) From: Michael Shanzer [EMAIL PROTECTED] Subject:Re: Problems with SSL V3 and IIS To: [EMAIL PROTECTED] Send reply to: [EMAIL PROTECTED] Mike Yes, it does support pkcs-12 but Microsoft refers to them as .pfx. Simple use the openssl command Eric referenced and use a filename such as out.pfx or rename a .p12 to .pfx Ken --- Eric Rescorla [EMAIL PROTECTED] wrote: You should be able to use 'openssl -pkcs12' to extract the keys. IIS does not export it's keys into a PKCS#12 file. At least I have not found a way to export them into a PKCS #12 file. Not sure what the file format is. Mike __ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problems with SSL V3 and IIS
Date sent: Thu, 9 Aug 2001 06:00:17 -0700 (PDT) From: Michael Shanzer [EMAIL PROTECTED] Subject:Re: Problems with SSL V3 and IIS To: [EMAIL PROTECTED] Send reply to: [EMAIL PROTECTED] You must be running a version I have never seen or a real old one. On mine there is an option to export a certificate. IF AND ONLY IF the key can be exported, you are given an option to export both the certificate and private key to a .pfx file. If the key cannot be exported, of course you cannot create a .pfx file, but you can export just the certificate. Ken --- Kenneth R. Robinette [EMAIL PROTECTED] wrote: Yes, it does support pkcs-12 but Microsoft refers to them as .pfx. Simple use the openssl command Eric referenced and use a filename such as out.pfx or rename a .p12 to .pfx Ken From the IIS key manager menu, there is a option to back up the keys. The file that gets written out is not a PKCS #12 (or PFX ...) Mike __ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Problems with SSL V3 and IIS
Date sent: Thu, 9 Aug 2001 06:47:32 -0700 (PDT) From: Michael Shanzer [EMAIL PROTECTED] Subject:Re: Problems with SSL V3 and IIS To: [EMAIL PROTECTED] Send reply to: [EMAIL PROTECTED] Mike I missed the part about key manager. Although I have never exported a private key using the key manager (I always just saved the original cert/key), I suspect it is in the old Microsoft pvk format. If so, you can use Dr. Henson's pvk utility to convert. Take a look at: http://www.drh-consultancy.demon.co.uk Ken --- Kenneth R. Robinette [EMAIL PROTECTED] You must be running a version I have never seen or a real old one. IIS 4.0 which is the latest version that runs under NT4. The behavior you are describing sounds like IE, which is much nicer about letting you export keys. Mike __ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: FTP over SSH2
Date sent: Wed, 25 Jul 2001 14:02:26 -0600 From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:Re: FTP over SSH2 Send reply to: [EMAIL PROTECTED] SecureNetTerm. Take a look a www.securenetterm.com It also supports all the most popular PKCS11 Smart Cards/tokens including the new Sony FIU-710 fingerprint identification unit. Ken hi, Was not aware of that.. ?n for recommending to windows users what clients for SSL-FTP are currently available that encrypt both channels? TIA [EMAIL PROTECTED] On Wed, Jul 25, 2001 at 01:21:50PM -0400, Jeffrey Altman wrote: SSL FTP encrypts both the control channel and the data channel(s). The data channels are negotiating using SSL/TLS session caching for rapid connections. You can find patches to several FTP clients and daemons at Peter Runestig's ftp site ftp://ftp.runestig.com/pub/ C-Kermit 8.0 is a scriptable FTP client which support SSL/TLS security. http://www.kermit-project.org/ck80.html hi Dustin, Well for one it would no longer be FTP per se.. if you want to offer encrypted ftp service you could say for instance try some of the SSLed FTP stuff.. Try freshmeat for pointers.. Note that those clients that can do SSLed ftp only encrypt the control port not the data port.. Since FTP decided to used 2 ports instead of one which i have never really understood exactly.. There is also as Pawel mentioned you can tunnel for instance the OpenSSH where you can tunnel to the server if you want.. Well hope that helps you somewhat.. Best Regards [EMAIL PROTECTED] Dustin, OpenSSH has something called sftp, in sshd_config You can setup sftp_server as subsystem. But I haven't seen pure ftp over SSH. Cheers, Pawel -Original Message- From: Dustin Wiseman [mailto:[EMAIL PROTECTED]] Sent: Monday, July 23, 2001 10:07 PM To: [EMAIL PROTECTED] Subject: FTP over SSH2 Where can I find detailed instructions on setting up an FTP server on Red Hat Linux utilizing the SSH2 protocol? Thank You, Dustin __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kermit-project.org/ using Kerberos, SRP, and [EMAIL PROTECTED] OpenSSL. SSH soon to follow. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Using Microsoft CA generated certificates or Accessing other CSPs using OpenSSL generated Certificates?
From: Kevin Elliott [EMAIL PROTECTED] To: [EMAIL PROTECTED] Copies to: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject:Using Microsoft CA generated certificates or Accessing other CSPs using OpenSSL generated Certificates? Date sent: Wed, 25 Jul 2001 22:17:27 GMT Send reply to: [EMAIL PROTECTED] Kevin This has nothing to do with OpenSSL. You specify the CSP when you generate the CSR, and the associated private/public keys which are generated on the Smart Card/USB token. Then when the certificate has been signed by whatever (including OpenSSL) the certificate is placed on the Smart card/USB token and all the required entries are made within the Microsoft OS. There are several examples on how to do this within html on the web. The most common way is to use the software supplied by Microsoft (free) but it can be done in several different ways, including low level functions that can be called by C. I can send you an example html form that does all this if you desire. It uses an OpenSSL backend located on UNIX (simple perl script) to sign CSR's using a self signed CA certificate. We use this setup to generate test certificates for all the Smart Cards/USB tokens we test with our SecureNetTerm product. It works with all of them including the iButton, GemPlus, Rainbow, Aladdin, Litronic and the Sony FIU- 710 fingerprint identification unit. Ken Greetings, Hopefully someone has a good direction for me, and I've spent the last few days rtfming and scouring the last 6 months of the mailing list archives. I'd like to store OpenSSL generated certificates on some smartcards, but in order for that to work properly, I need to be able to put the cert on the smartcard utilizing the card manufacturer's Cryprographic Service Provider (CSP) (For example, Schlumberger CSP or GemPLUS CSP) instead of using the Microsoft Base Cryptographic Provider which is the default generally. If you apply for a VeriSign personal certificate, you are able to choose what type of CSP the cert should work with, and then using some ActiveX or Javascript/ Java Applet, it generates a cert request using the proper CSP. Then you install your cert via the CSP also. Hence, this is all web-based. There are some low-level utilities that allow direct cert transfer onto a smartcard, but this avoids the system footprinting in the registry so that your system is aware that the specific cert is located on a card. This is a problem ofcourse. So, since Apache with OpenSSL hasn't entirely reached the capabilities of targetting a specific CSP (if I understand right, the CSP is communicated through ActiveX (or something equivalent) and is not a parameter of the certificate itself), I thought about using the Microsoft Certificate Authority to generate and install the certs onto some smartcards. So far, that works fine, but I have not been able to use these certs with Apache/OpenSSL. Do I need to sign the certs with something from OpenSSL? Or possibly do I need to generate a web server cert from Microsoft CA for the Apache server? Will that even work? Might I need to convert the style of cert over to a regular x.509 der? I'm still slightly confused of the differences between an OpenSSL generated certificate, and a Microsoft CA certificate. Lastly, might I need to configure httpd.conf in a certain way to accept a Microsoft CA cert? While the first scenario is more welcomed because I am able to stick with an Apache and OpenSSL environment only, I could live with the second scenario until OpenSSL has matured to using CSPs. Regards, Kevin Elliott __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Where are the low-level crypto functions implemented?
Date sent: Mon, 30 Apr 2001 18:01:22 -0400 From: Gila Sheftel [EMAIL PROTECTED] Organization: Gemplus Inc. To: [EMAIL PROTECTED] Subject:Where are the low-level crypto functions implemented? Send reply to: [EMAIL PROTECTED] Gila The rsa structure contains a pointer to the low level functions, and in fact one of the defaults is the one you show below. You can place your own function pointers in the rsa structure if you so desire. In fact that is what I do to interface to the GemPLUS Smart Card with our software. In our case, we have to be able to process both disk based as well as Smart Card based RSA keys, and this is where we do the intercept. I am sure there are other/better ways using engines and methods, etc. but this is a quick simple way to do it, and still use all the other SSL/crypto support without having to have multiple libraries. Ken Hi, Our purpose is to write an add-on to openSSL in order to interface it safely and comprehensively with a smartcard. My teammate and I have come a long way in understanding the high-level cryptography structure -- where the methods are found, how to use them, etc, but where we get stuck is the following: for example, in openssl-0.9.6a/crypto/rsa/rsa.h the following methods are mentioned: int (*rsa_pub_enc)(int flen,unsigned char *from,unsigned char *to, RSA *rsa,int padding); int (*rsa_pub_dec)(int flen,unsigned char *from,unsigned char *to, RSA *rsa,int padding); And they are again mentioned in rsa_lib.c where int RSA_public_encrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding) returns it, but that's all. Are we missing something? Where are all the low-level methods defined? Are they system-native or protected or have I overlooked something entirely? I appreciate your help immensely, (let alone how much I learn just from lurking on this list) Gila. (Monstre) --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-- Gila Monstre [EMAIL PROTECTED] Fearless Geek(514)732-2459 Advanced Projects Group Gemplus Software If you can't beat your computer at chess, try kickboxing. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Smart Card Readers
From: Oliver Bode [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:Re: Smart Card Readers Date sent: Wed, 25 Apr 2001 01:17:18 +1000 Send reply to: [EMAIL PROTECTED] Oliver You should forget that the Java iButton even exists. I wish I had. It has a lot of problems, such as a very slow transfer rate (about 150- 300 characters per second), has serious problems with USB delivery, is very slow (takes about 7 minutes to generate a 1024 bit RSA key onboard), is only about 2% PKCS-11 compliant, and on and on and on. I would only recommend the Java iButton to my worst enemies, and even then I would think long and hard before doing so. Ken Hello Maxime, You can find out more about the pkcs11 standard here: http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/ When Smart Card manufacturers say their cards are PKCS11 compliant, correct me if I'm wrong, I take this to mean that the card is designed for x509 certificates and it has the ability to generate keys securely on the token. There are ways you can call this function from Netscape and MSIE. After keys are generated on the token the certificate request/public componant is sent to the CA for signing. You can use openssl to sign the certificate request and convert the signed request into a structure that can then be installed back on to the smartcard - the signed certificate and root certificate etc. You can also import pkcs12 files onto pkcs11 compliant smart cards using Netscape. On another note I am able to answer my own question on the ibutton. You can't buy it, the token is licenced to you on an annual basis. Which to me sounds problematic as I don't know what happens if you stop paying them. Bye, Oliver - Original Message - From: Maxime Dubois [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, April 07, 2001 8:06 PM Subject: Re: Smart Card Readers Hi, How do you work with openssl and PKCS11 SmartCard readers? Can we export a a PKCS11 certificate with the command line tool? I can only see a pkcs12 command. Thanks Regards Maxime DUBOIS __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Smart Card Readers
From: Oliver Bode [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:Re: Smart Card Readers Date sent: Wed, 25 Apr 2001 03:07:45 +1000 Send reply to: [EMAIL PROTECTED] Oliver Your concern on the license has been answered by DS on their newsgroup. They switched policy some time ago and decided that once you purchase the Java iButton, the license is good as long as you want to use it. But no problem, if you order one, and try it out, you will not have to worry about the license. You will have given it to your kids to play with way before a year is up. We still have several other tokens to test, but for now the Rainbow remains the best. The GemSAFE package is not bad, but a little expensive compared to the Rainbow and the Rainbow 2032 has much more memory (32K). I guess if USB is not an option, then perhaps I would consider the GemSAFE package. Both the GemSAFE and Rainbow have very good PKCS-11 support and everything works as advertised. I can import/export SSH public/private keys and certs with no problem, and both work well with OpenSSL (thanks to all the excellent help from Dr. Henson). Ken Hi Ken, After testing a few products and looking into this area in more detail I do think the IKey is the best value around. I'm still waiting to find out if the towitoko sign and crypt pack will do the job http://www.towitoko.com/deutsch/eng/prp.htm I will take your word for it on the ibutton. It did strike me as odd a semi conductor company was making this. The licence thing is really bizzare. What happens to your private key when the licence runs out? I really liked the jewlery concept though. Thanks, Oliver - Original Message - From: Kenneth R. Robinette [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, April 25, 2001 1:30 AM Subject: Re: Smart Card Readers From: Oliver Bode [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:Re: Smart Card Readers Date sent: Wed, 25 Apr 2001 01:17:18 +1000 Send reply to: [EMAIL PROTECTED] Oliver You should forget that the Java iButton even exists. I wish I had. It has a lot of problems, such as a very slow transfer rate (about 150- 300 characters per second), has serious problems with USB delivery, is very slow (takes about 7 minutes to generate a 1024 bit RSA key onboard), is only about 2% PKCS-11 compliant, and on and on and on. I would only recommend the Java iButton to my worst enemies, and even then I would think long and hard before doing so. Ken Hello Maxime, You can find out more about the pkcs11 standard here: http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/ When Smart Card manufacturers say their cards are PKCS11 compliant, correct me if I'm wrong, I take this to mean that the card is designed for x509 certificates and it has the ability to generate keys securely on the token. There are ways you can call this function from Netscape and MSIE. After keys are generated on the token the certificate request/public componant is sent to the CA for signing. You can use openssl to sign the certificate request and convert the signed request into a structure that can then be installed back on to the smartcard - the signed certificate and root certificate etc. You can also import pkcs12 files onto pkcs11 compliant smart cards using Netscape. On another note I am able to answer my own question on the ibutton. You can't buy it, the token is licenced to you on an annual basis. Which to me sounds problematic as I don't know what happens if you stop paying them. Bye, Oliver - Original Message - From: Maxime Dubois [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, April 07, 2001 8:06 PM Subject: Re: Smart Card Readers Hi, How do you work with openssl and PKCS11 SmartCard readers? Can we export a a PKCS11 certificate with the command line tool? I can only see a pkcs12 command. Thanks Regards Maxime DUBOIS __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing
Re: Smart Card Readers
Date sent: Tue, 24 Apr 2001 20:47:13 +0200 From: Jean-Marc Desperrier [EMAIL PROTECTED] Organization: Certplus To: [EMAIL PROTECTED] Subject:Re: Smart Card Readers Send reply to: [EMAIL PROTECTED] True about Netscape, but this assumes that all you want to do is what Netscape can do. Have you ever tried putting a public key on the iButton using PKCS-11 other than by C_GenerateKeyPair? I did, and it does not work. Why? Because DS said it was not desiged to do so. They also state they wrote the PKCS-11 interface to do the bare minimum required by Netscape. Now of course you can write straight APDU code and do it, but who wants to write custom software for every device on the market? But the real killer is the speed. Who in their right mind would pay more for a device which takes ~7 minutes to do a simple operation that any of the other devices will do in ~15 seconds. And to add insult to injury, it costs you more money for the honor to wait the 7 minutes. I don't think very many of us common folk will tolerate a device that takes 3- 7 minutes to sign every email we send. On the ability to export private keys, that feature is of course controlled by the sensitive flag and is under complete control of whatever/whoever placed the data on the device. Once it is set, nothing can retrieve the data (private key or whatever) off the device. GemSAFE goes one additional step and requires all private keys to be sensitive no matter what. And for extreme security that is probably a good idea as long as you always remember that once placed on the card, a private key can never be removed. That implies that if someone other than you placed it there, like most of the commercial CA's do, you do not have a backup of that key and obtaining a duplicate of that key is next to impossible. And remember, these devices have internal power that do die, and if you are unlucky, one will fail a couple of months after your have placed it in production. We have had several iButtons fail in a period of a few months. But, if you want to use the iButton, have at it. Ken Kenneth R. Robinette wrote: But no problem, if you order one, and try it out, you will not have to worry about the license. You will have given it to your kids to play with way before a year is up. This said if you are successful in using the iButton with the pkcs#11, you can be confident you have a program that can work with any pkcs#11 library that is able to work with Netscape, no matter how bad the interface is implemented. The only way to get it working is to do the same things as Netscape, in the same order, with the same values in the arguments. Any deviation from that means failure. Both the GemSAFE and Rainbow have very good PKCS-11 support and everything works as advertised. I can import/export SSH public/private keys and certs with no problem, and both work well with OpenSSL (thanks to all the excellent help from Dr. Henson). Hum, import/export SSH public/private keys ? I know the Gemsafe cards allows you to import RSA private keys from PKCS#12. Not sure if this is a great idea or not :-) It is convenient in some cases. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Cryptlib
What is the relationship between cryptlib and OpenSSL? I noticed that Eric Young name appears in the cryptlib credits. Does cryptlib use OpenSSL as its core software component? Ken __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: MD5 and X509
Date sent: Sat, 21 Apr 2001 08:06:03 -0400 From: Rich Salz [EMAIL PROTECTED] To: "Kenneth R. Robinette" [EMAIL PROTECTED] Copies to: [EMAIL PROTECTED] Subject:Re: MD5 and X509 Send reply to: [EMAIL PROTECTED] Rich Yes, its the hint that I am wondering about. If I do a MD5 signature on the modulus of a public key, then take the first four bytes of the resulting signature as an unsigned long to be used to create a unique identifier, how unique is it? Apparently Eric Young concluded that the first four bytes of the resulting signature of a cert subject was unique enough to create lookup indexes. I was just wondering what kind of trouble you could get into with this conclusion. Ken In the X509 functions, there are several that compute a MD5 fingerprint and use only the first four bytes of the resulting 16 byte fingerprint (such as X509_subject_name_hash). The MD5 documentation states that the 16 byte fingerprint is quite unique (2^64), how unique is the resulting 32 bit long value? The MD5 documentation is rather optimistic. :) While it hasn't been broken, per se, Dobbertin has found enough proof that the IETF dis-recommends MD5 as a hash mechanism, leaving only SHA-1. (And, presumably, SHA-nnn when they're released.) In these cases you mention, however, MD5 isn't being used as a cryptographic message digest, but rather a hash "hint" for lookups. No worries, mate. /r$ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: MD5 and X509
From: "Greg Stark" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:Re: MD5 and X509 Date sent: Sat, 21 Apr 2001 11:35:14 -0400 Send reply to: [EMAIL PROTECTED] Greg What I need is something that I can count on being unique, but at a reasonable size also. Four bytes fits quite nicely in an int (long) , and is based upon something that the Smart Card already contains, the modulus of the public keys. Normally I use the internal object handle of the public key, but one Smart Card we are working with defines new/different handles at each session login, whereas most other Smart Cards and tokens maintain the same handle from session to session as long as the object is still valid. We use this value as a key within other programs to perform operations using the Smart Card. Since we are trying to utilize the Smart Card/token for other things besides our programs use, such as Netscape/Internet Explorer email/SSL Access, etc. we don't want to mess with the common fields such as the subject. We also find that the vast majority of these cards do not support the "application specific" attribute so thats out. Right now we use the ID field which is used by everything I know of to store the modulus and to tie together the public/private keys and the cert/private key. Ken For your puposes, you'd expect it to look like any other random function that outputs four bytes. What exactly do you need for your 'unique enough' property? _ Greg Stark Ethentica, Inc. [EMAIL PROTECTED] _ - Original Message - From: "Rich Salz" [EMAIL PROTECTED] To: "Kenneth R. Robinette" [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Saturday, April 21, 2001 8:39 AM Subject: Re: MD5 and X509 Apparently Eric Young concluded that the first four bytes of the resulting signature of a cert subject was unique enough to create lookup indexes. I was just wondering what kind of trouble you could get into with this conclusion. The worst case, of course, is needless hash-chain collisions. I don't think anyone has profiling data that shows this to be anywhere near worrying about, in terms of effciency. /r$ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Using external certificates in web browsers
From: "Greg Stark" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Copies to: [EMAIL PROTECTED] Subject:Re: Using "external" certificates in web browsers Date sent: Tue, 17 Apr 2001 15:19:35 -0400 Send reply to: [EMAIL PROTECTED] Or you could simply purchase one of the USB based tokens which allow for the storage of certs, and can be easily removed from one computer and moved to another. Both the Microsoft Explorer and Netscape support some of the more popular ones. With the proper software, these devices can also be treated as "external storage", which in fact they are. Ken Carl, For Internet Explorer, you would have to write a customized Cryptographic Service Provider (CSP) to accomplish this. It is not trivial. _ Greg Stark Ethentica, Inc. [EMAIL PROTECTED] _ - Original Message - From: "Carl Perry" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, April 17, 2001 1:24 PM Subject: Using "external" certificates in web browsers I'm not sure if this is the correct place to ask this, but I am looking for information on using SSL user authentication certificates in the major web browsers. However, I would like the browser to ask for an external file for the certificate instead of using the internal database. If anyone has any information about this, it would be much appreciated. I am not on the list, so please CC your replies to this address. Thanks!! -Carl __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Extract Smart Card Cert to X509 struct
Date sent: Fri, 13 Apr 2001 18:31:06 +0100 From: Dr S N Henson [EMAIL PROTECTED] Organization: S N Henson To: [EMAIL PROTECTED] Subject:Re: Extract Smart Card Cert to X509 struct Send reply to: [EMAIL PROTECTED] Dr. Henson Thanks again. I took the lazy way and just modified a function I already had to convert the DER encoded cert data for output to a file and just passed the memory bio to the PEM_read_bio_X509 function. Ken "Kenneth R. Robinette" wrote: Is there any documentation available on extracting a PKCS-11 based certificate and placing it in a OpenSSL X509 struct for processing by OpenSSL? No there isn't as such. However since the PKCS#11 certificate constains the DER encoded certificate you can use d2i_X509() to decode it and populate the X509 structure: info on using the d2i_*() functions is in the FAQ. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: pem/bio/evp help
Date sent: Mon, 09 Apr 2001 14:52:57 -0400 From: Gila Monstre [EMAIL PROTECTED] Organization: Gemplus To: [EMAIL PROTECTED] Subject:pem/bio/evp help Send reply to: [EMAIL PROTECTED] Gila Convince your company to ship our order for your product (been back ordered now for about three weeks) and I will show you how to do it. Also, I can show you how to do the verification for OpenSSH without having to export the private key from the Smart Card (which I expect is what most people would want). Also, I can send you a copy of a reply from Dr. Henson, from this group, which pointed us in the right direction. Just kidding about the request for assistance on the order. I am sure it will arrive in good time. Must be a lot of demand for Gemplus. Let me know if you want a copy of the note we got from Dr. Henson. Ken Hi! I've been pouring over the online documentation somewhat, but I'm afraid that I've been running in circles and I'm hoping that someone can give me a clue or point me in the right direction. My ultimate goal is to get the openssh client to authenticate to a server using a private key (DSA format for now) stored on a smarcard, specifically the GPK8000 if anyone is interested, but this shouldn't change anything. My problem is that to give the key to the openssh client, it has to be in evp format, or I have to use the DSA *PEM_read_bio_DSA_PUBKEY(BIO *bp, DSA **x, pem_password_cb *cb, void *u); function to read the key in (I retrieve it from the card in unsigned char format) and I'm having difficulty understanding what BIO *bp is, and how I can fabricate it. Would DSA *PEM_read_bio_DSA_PUBKEY(NULL, (DSA *)unsigned char *mykeyfromcard, NULL, NULL); work? How do I turn my unsigned char into a DSA or evp_pkey format otherwise? Please let me know if you can shed soem light onto any of this! Thank you, Gila. --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=-- Gila Sheftel [EMAIL PROTECTED] Fearless Geek(514)732-2459 Advanced Projects Group Gemplus Software You *can* go home again. Just type "cd ~". __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Is there a Telnet app?
Date sent: Fri, 06 Apr 2001 15:33:24 -0400 From: Steve Roche [EMAIL PROTECTED] Organization: Powerlan USA, Inc. To: [EMAIL PROTECTED] Subject:Is there a Telnet app? Send reply to: [EMAIL PROTECTED] Steve Depends upon what you mean by SSL Toolkit, but SecureNetTerm does support and use the latest version of OpenSSL with both telnet and SSH. You can contact me for additional information/questions. Ken Does anyone know if there is a telnet application available that uses the latest version of the SSL toolkit? Thanks in advance, Steve __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: JAVA/JNI Wrapper for OpenSSL.
Date sent: Thu, 29 Mar 2001 10:46:41 +0800 From: qun-ying [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:Re: JAVA/JNI Wrapper for OpenSSL. Send reply to: [EMAIL PROTECTED] Yes, this normally is the result of including several of the source files from the apps file as a part of another library that links to the OpenSSL library. When I encountered it, I was including ca.c and req.c (if I remember correctly) in order to create and sign certs. If I recall, there were two files (the one you mention being one) which I had to choose and pick selected functions from in order to make the whole thing work correctly. Ken app_RAND_load_file() is not in the library. it is only a function used in the openssl command tool. you can get the function definition in apps/app_rand.c __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Many Thanks and a Recommendation
With the assistance of the SSL users group, I was able to complete our project to link OpenSSH/OpenSSL to the use of Smart Cards for both SSH-1 and SSH-2 rsa_private_decrypt and rsa_private encrypt processing. The use of the RSA method within the OpenSSL RSA key structure, combined with the CRYPTO_EX_DATA field provided everything necessary to allow our Microsoft windows based SSH Key Agent to utilize a Smart Card (iButton) to process the SSH challenge. From what I can determine, most if not all, Smart Cards contains the very low level bn_mod_exp function within hardware. In our case, we used all the code within OpenSSL to do the padding, etc. and only had a need to intercept the bn_mod_exp call. Currently, both rsa_private_decrypt and rsa_private encrypt expects the rsa key to contain more elements of the key then would be available under normal Smart Card use. In fact, only rsa-n would be known outside the card itself, which of course is required to be present on the SSH host in the form of a SSH-1 or SSH-2 public key file. I would recommend the addition of one additional flag within the rsa-flags field to allow for the specification of a special external bn_mod_exp processing function. Furthermore, I would recommend that the call to the "special" bn_mod_exp only contain the binary input data (just prior to the bin2bn call and the pointers to the output data buffer and the output data buffer length, and perhaps the rsa- n field. I say perhaps for the rsa-n field because the Smart Card already has this, all that is really needed is a keyid field (which we place in the ex_data field) to identify what Smart Card key pair to use. This would elimate some code necessary to force the RSA private encrypt function to call bn_mod_exp, and the bin2bn and bn2bin processing. The end result is all that would be required to use the Smard Card is to change the rsa method pointer for bn_mod_exp, set a bit in the rsa-flags field and place a key id in the ex_data field. In addition, and most important, this would allow for Smart Card support without changing anything within OpenSSL (after the modification) and only two minor intercepts within the SSH key agent code (dealing only with the rsa key structure itself). Any thoughts? Ken __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: RSA Private Encrypt
Date sent: Sun, 25 Mar 2001 14:04:58 +0100 From: Dr S N Henson [EMAIL PROTECTED] Organization: S N Henson To: [EMAIL PROTECTED] Subject:Re: RSA Private Encrypt Send reply to: [EMAIL PROTECTED] Dr. Henson After I read your last note, and slept on it overnight, it all made sense and I got everything to work this morning with the Smart Card doing the rsa_mod_exp(). One minor suggestion, it would appear to me that the app_data field in the RSA_METHOD structure perhaps should be a void * instead of a char *. If I understand everything correctly, I should be able to place a pointer to a private structure in this field and be able to pass application dependent data relating to the key such as Smart Card type, key id, etc. I must say that the more I work with OpenSSL, the more I realize how brilliant and sophisticated the whole design is. And the support from the mailing list is first class. Ken "Kenneth R. Robinette" wrote: I was hoping that this was the case. Now if I set the RSA_FLAG_EXT_PKEY flag, how do I specify the function that will be called by OpenSSL to do the private encrypt? Is this available to a client program? I tried following the logic but quite frankly got lost at the rsa_eay_private_encrypt function. Is there any documentation on what the "private" function is passed and how the results should be returned? There's some documentation in the relevant rsa manual pages. What you do effectively is to create an RSA_METHOD structure, copy any relevant default methods and then replace whichever ones you want. Then create an RSA structure and set its method to the custom method just created and of course set RSA_FLAG_EXT_PKEY. Well that's what you do in non ENGINE builds. In the ENGINE stuff the method would be in an ENGINE structure and you'd set the RSA structures ENGINE... or something like that. rsa_mod_exp() is a low level function that does the actual mathematical private key operation: int (*rsa_mod_exp)(BIGNUM *r0,const BIGNUM *I,RSA *rsa); it expects an RSA private key operation to be performed on I and the result placed in r0. the ex_data part of the 'rsa' structure can be used to include additional information such as key handles etc. rsa_mod_exp() is most suitable where the hardware (or whatever) only handles the raw private key operation. This would be the case in some crypto accelarators or smart cards that don't do their own padding. In the smart card case the BIGNUM structures might be converted to and from buffers before passing to the card API. It is also possible to override at a higher level using rsa_priv_enc, rsa_priv_dec functions. This is more suited when the hardware (etc) implements its own version of the RSA algorithm complete with padding and pad checking etc, for example PKCS#11 or CryptoAPI. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SmartCard Public Key
I am trying to import the public RSA key (modulus) created on a Smart Card into an OpenSSL/OpenSSH key structure. The size of the Smart Card public/private key pair is 1024 bits, and the key pair was generated onboard the Smart Card. I use the following code: Key *k; k = key_new(KEY_RSA); if(k) { k-rsa = RSA_generate_key(1024,RSA_F4,NULL,NULL); BN_clear_free(k-rsa-n); k-rsa-n = BN_bin2bn(data,len,NULL); } If I check the size of k-rsa-n after the RSA_generate_key, the result from BN_num_bytes is 128 and from BN_num_bits is 1024. If I check the size of k-rsa-n after the BN_bin2bn call the result from BN_num_bytes is 128 and from BN_num_bits is 1023. Thel BN_bin2bn function call passes the public key data/len obtained from the Smart Card. I am using the OpenSSL/OpenSSH key structure to hold the public key just to be able to use all the current utilities necessary for the public key processing such as saving on the local file system, uploading to the host and for agent signing. What is causing the difference in the BN_num_bits result? Ken __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How can I encrypt public key in handshake?
Date sent: Tue, 20 Mar 2001 16:22:53 -0800 Subject:Re: How can I encrypt public key in handshake? From: "corky peavy" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Send reply to: [EMAIL PROTECTED] Again, if you are looking for a "username/password" style authentication method, take the following URL: http://srp.stanford.edu It may not make the god almighty security experts happy, but it beats the hell out of using username/password in the clear. Gee, I wonder if its true that the vast majority of companies worldwide still use the plaintext password method? Besides, I don't know of any method in use today that prevents someone very determined to intercept communications links successfully. Ken This kind of ad hoc thinking by amateurs never results in a protocol worthy of deployment. The whole concept of encrypting public keys is ludicrous, and it doesn't matter what the answers are when you're asking the wrong questions. __ Actually, I agree, but in the abscence of other solutions If there is a well thought out solution, that would certianly serve the security requirement better. Is there such a thing, other than the drafts that are still just getting started? __ FREE voicemail, email, and fax...all in one place. Sign Up Now! http://www.onebox.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Legality question.
From: "David Schwartz" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:RE: Legality question. Date sent: Mon, 19 Mar 2001 14:42:36 -0800 Send reply to: [EMAIL PROTECTED] That is true, but if you let a loose end slip by, you would be in for a very big nasty surprise. I would advise you to consult an attorney that does this type of thing for a living. If you don't, your free product may end up costing you more than you will probably make in the next 10 or so lifetimes. Ken Any known export restrictions that I might run into conflict with since the recent loosening of U.S. export laws? Should I go dig up a copy of the ARIN database and exclude non-US IP ranges from downloads? Put up big disclaimers that say something to the effect of "By downloading this software, you take all possible liability upon yourself, and explicitly free the distributors from any responsibility for your actions regarding this software"? It's actually pretty loose now provided the entire distribution is open source. If portions of it aren't, you may need to apply for an exemption, which really isn't too terribly difficult anyway. Check out http://www.bxa.doc.gov specifically http://www.bxa.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html DS __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Client Certificate Presentation
From: colorparam,,8000/param"Sandipan Gangopadhyay" [EMAIL PROTECTED]/color To: colorparam,,8000/param[EMAIL PROTECTED]/color boldSubject: colorparam,,8000/paramClient Certificate Presentation/bold/color Date sent: colorparam,,8000/paramSun, 11 Mar 2001 10:38:57 +0530/color Send reply to: colorparam,,8000/param[EMAIL PROTECTED]/color What version of OpenSSL are you using? Try the following command and see what the date/time fields look like. FontFamilyparamCourier New/paramopenssl asn1parse -in server.crt Ken FontFamilyparamArial/paramI know this has more to do with IE idiosyncrasies, but I have the following problem with my Client Certificate: 1. I have a client certificate (Digital ID) generated with Xenroll and certified by an OpenSSL CA. I am able to use the private key and certificate to sign emails. 2. I have an Apache-ModSSL server which is setup to request for client side certificate (I have tried both optional and require) 3. However, Internet Explorer 5.5 shows a dialogue box saying the server is requesting Client Authentication and asking me to select a certificate to use when connecting. The problem is that the list is EMPTY !!! While the certificate and private key are clearly visible in the Options | Certificate | Personal Section. Does anyone have any idea what is happening ? Anyone face this before ? Or where I should ask this question ? Thanks, Sandipan __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] nofill __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
ThumbDrive
For all of you that have been looking into a way to save your private keys, certs, etc. offline on a very small device, take a look at a device referred to as the ThumbDrive. They are solid state memory memory "disks" that connect to your computer via a USB port and have storage from 16MB to 128 MB (thats megabytes) on a device about the size of your thumb. Memory contents can be retained for ~10 years with the internal power system, and when connected to the workstation, draws power from the USB port. One end has a USB port that you can plug into your portable or desktop PC, with a cover to protect the port when traveling. Comes with the necessary driver for Windows 98, etc, plug and play. Once the driver is loaded, the thumbDrive is like any other disk on the workstation. Transfer speeds range from around 350 to 750 KB/second (that bytes, not bits). A 16 MB device is about $60.00 retail and includes everything you need. No additional cables, special ports, power supplies or anything! Just remove the USB cover, and plug it it. Since it looks like a disk to the OS, it can be used with any program without change (except of course the drive letter). One version, referred to as the Secure ThumbDrive, requires a passphrase to access the data. And no, I don't sell them, own any stock in the company or have any ties to the company. However I can say I order two, they were delivered the next day, and worked out of the box. Ken __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
License Issue
Just as a point of reference, who is OpenSSL. Is it a corporation, a public trust, a private company or what? If we had a license issue, and I wanted our attorney to clarify any license issues, where does he go? Would any agreement made be legally binding? If so, under the laws of what country? Does Eric Young retain copyright over OpenSSL, and is his copyright statement still required? If Eric stills holds a legal interest in OpenSSL, can he sell it to someone, like RSA? I thought the license issue questions posted over the last couple of days were somewhat clear, but then I stopped and asked who really holds the legal rights to OpenSSL and who makes the decisions on what is correct and what is not. Ken __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Secure Telnet
Date sent: Mon, 05 Mar 2001 16:01:29 -0800 To: [EMAIL PROTECTED], [EMAIL PROTECTED] From: Rodney Thayer [EMAIL PROTECTED] Subject:Re: Secure Telnet Send reply to: [EMAIL PROTECTED] I agree, even though we support both telnet/SSL/TLS and both "vendors" of SSH. The SRP package I mentioned earlier is about as state of the art as you can get, offers a variety of authentication methods such as Kerberos 4, Kerberos 5, PKI, SRP and of course, for those installations which must keep around the "old" telnet because of the 30 or 40 thousand workstations (windows and UNIX) based around the world, it supports plain old password also. It offers all the encryption available in OpenSSL, and I am glad to say, allows a company to use self signed certs for authentication. A big plus for large companies. The ability to plug in a new telnet server with advanced authentication/encryption features, yet still be usable to the current installed base is in itself critical. And although I probably should not mention it, the most important fact is that current client telnet programs can work with it. If you take a serious look at SSH, from a user point of view, the emulation on SSH based Windows workstation clients is in most cases a toy at best. Sufficient for those that are used to running simple command line type stuff, but not for business related applications. And if you think about it, the vast majority of all workstations in the world are Windows based, like it or not. And the sad fact is, I would bet that 80% or more of all the commercial companies in world still use telnet instead of SSH. I was convinced three years ago that sales of our Windows based, non secure, telent client would be zero in a couple of years. And here we are in 2001 and sales are the highest they have ever been. Ken given the recent noise about "the S word" (ssh, which may or may not be a trademark in some places), I think the whole question of SSH vs. Telnet with TLS should be reconsidered. What's the state of the art? STUNNEL with Telnet? At 04:01 PM 3/5/01 -0500, Michael T. Babcock wrote: http://www.openssh.com/portable.html SSH is the only* way to get good secure telnet to a remote machine -- it _isn't_ telnet, but provides the same functionality using strong security and public key authentication on top of passwords (if you want). * The only way I'll consider secure, at least. [EMAIL PROTECTED] wrote: Can anyone outline what is necessary to make telnet work securely? What do I need to get and where do I need to get the components? A different Apache? mod ssl? openSSL? telnet? -- Michael T. Babcock (PGP: 0xBE6C1895) http://www.fibrespeed.net/~mbabcock/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
PEM_read_PrivateKey - Memory to Memory
Is there some magic function within OpenSSL where the contents of a private RSA/DSA file can be passed via memory to the equivalent of the PEM_read_PrivateKey function? Ken __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: building openSSL under Win32
From: "Doug Allen" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:building openSSL under Win32 Date sent: Thu, 8 Feb 2001 16:29:52 -0800 Send reply to: [EMAIL PROTECTED] Doug I built a snapshot released about a week before the one you used and had no problem. However I always do the following: perl util\mkdef.pl crypto ssl update as the INSTALL.W32 recommends. Also, someone I think knows one heck of a lot about OpenSSL as it relates to Windows told me that I was one very very very lucky guy to get any SNAPSHOT to compile correctly. Although I have only had minor problems getting snapshots to compile and run successfully, I always keep his warning in the back of my mind. Ken I followed the procedure in INSTALL.W32 to build the OpenSSL libraries for Win32 and ran into a problem with an undefined external: d2i_RSAPrivateKey. I successfully resolved other undefineds by removing them from the .def file, as mentioned in INSTALL.W32, but in this case, there are actual references in the object files which are linked for ssleay32.dll, but there is no routine by that name in the source code. I used openSSL-SNAP-20010206.tar.gz. Has anyone else run into this or successfully built the Win32 version recently? Thanks, Doug Allen __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Compiling OpenSSH w/OpenSSL KerberosIV
From: [EMAIL PROTECTED] Date sent: Wed, 7 Feb 2001 19:58:24 -0500 (EST) To: [EMAIL PROTECTED] Copies to: [EMAIL PROTECTED] Subject:Compiling OpenSSH w/OpenSSL KerberosIV Send reply to: [EMAIL PROTECTED] How are you getting the Kerberos headers in the OpenSSL build? What version of openssl are you trying to compile, the production version or one of the snapshots with the new kerberos stuff? Ken OpenSSL Folks (sorry about crosspost), It seems that the des.h header in OpenSSL is incompatible with my MIT kerberos des.h, at least on Linux. I'm seeing various conflicting types (bit_64, des_key_sched, c). I'm using a VALinux/Redhat 7 system with KerbIV and KerbV libraries installed, using the des.h in /usr/kerberos/include/kerberosIV. I was wondering if anyone on the list had looked into the problem, and had an idea how difficult it should be to resolve it. What is the likely direction these headers should be taken? Which library should change? Is there any plausible way to isolate them? Matt __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Openssl on Win32 (help!)
From: "lucian" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:Re: Openssl on Win32 (help!) Date sent: Mon, 29 Jan 2001 17:49:54 +0200 Send reply to: [EMAIL PROTECTED] Take a look at the .bat file you used when you compiled the OpenSSL .dll's. You must use the same options in VC 6.0 when you compile within your project. The most common problem is the type of executable you are creating in VC, multithreaded dll, etc. Ken - Original Message ----- From: "Kenneth R. Robinette" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, January 27, 2001 1:32 AM Subject: Re: Openssl on Win32 (help!) From: stuart hodgkinson [EMAIL PROTECTED] Subject:Re: Openssl on Win32 (help!) To: [EMAIL PROTECTED] Date sent: Fri, 26 Jan 2001 23:11:35 + (GMT+00:00) Send reply to: [EMAIL PROTECTED] Stuart I think you are trying a little to hard. And, although the documentation is not the best, you do have to at least try to read it. As for examples, the entire apps directory can be used as examples. You even have a complete server and complete client as well as openssl which uses a large majority of the functions. Have you even tried running openssl with s_server and s_client? On the winsock issue, why should you care. If you use the normal OpenSSL functions you have no need for socket calls. Perhaps I don't understand what you mean by examples. Ken Finally i have compilled s_client.c into a visual c++ project named SSLClient. It is attached here. But... it seems doesn't work at all. Why? In the debug mode BIO_printf() function cause a ntdll.dll memory exception: "Unhandled exception in SSLCliet.exe (NTDLL.DLL): 0x005: Access Violation" . The bio_err extern pointer seems to be incorrect. Can anyone help me? I am using a openssl dlls compiled by me on a nt 4 workstation sp6. __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Openssl on Win32 (help!)
From: stuart hodgkinson [EMAIL PROTECTED] Subject:Re: Openssl on Win32 (help!) To: [EMAIL PROTECTED] Date sent: Fri, 26 Jan 2001 23:11:35 + (GMT+00:00) Send reply to: [EMAIL PROTECTED] Stuart I think you are trying a little to hard. And, although the documentation is not the best, you do have to at least try to read it. As for examples, the entire apps directory can be used as examples. You even have a complete server and complete client as well as openssl which uses a large majority of the functions. Have you even tried running openssl with s_server and s_client? On the winsock issue, why should you care. If you use the normal OpenSSL functions you have no need for socket calls. Perhaps I don't understand what you mean by examples. Ken Ok I'm new to this and my first mail was a bit vague. I downloaded the latest source and compiled it on Win NT sp6 but I'm low on documentation and could do with some of that. I found the example in the demo directory and noticed it was for unix/linux. I know theres some differences between winsocks and unix/linux stuff..so i was looking for a windows example. I found one that works with older static libs. But when I tried to recompile it with the new source it complians about the ssleay32.lib being currupt... Im baffled without docs and examples so any help is really really really appriciated. StOo - Original Message - From: "Kenneth R. Robinette" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Fri, 26 Jan 2001 18:25:49 + (GMT+00:00) Subject: Re: Openssl on Win32 From: stuart hodgkinson [EMAIL PROTECTED] Subject: Openssl on Win32 To: [EMAIL PROTECTED] Date sent:Fri, 26 Jan 2001 18:23:45 + (GMT+00:00) Send reply to:[EMAIL PROTECTED] Stuart What kind of example? It works exactly the same way with exactly the same calls. Ken Hi is there a good resource of information for win32 implementations of openssl? all the examples are in unix/linux (no gripes there! I'd rather be developing on linux!) I need a good example or 2 . please help StOo ___ FSmail - Get your free web-based email from Freeserve: www.fsmail.net __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] ___ FSmail - Get your free web-based email from Freeserve: www.fsmail.net __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Openssl on Win32 (help!)
From: stuart hodgkinson [EMAIL PROTECTED] Subject:Re: Openssl on Win32 (help!) To: [EMAIL PROTECTED] Date sent: Sat, 27 Jan 2001 00:06:58 + (GMT+00:00) Send reply to: [EMAIL PROTECTED] Stuart Well, if you run and look at openssl s_client then your are looking at a real application, in fact one that contains one heck of a lot more then you would ever have a desire to use. And it is compiled with "C". All the apps in the apps directory use the two dll's produced when your compiled OpenSSL. You can even create static libraries that you can link to from Microsoft Visual C/C++. I use version 6.0 of Visual C/C++ and have linked to OpenSSL both with the .dll and static libraries. So if you want to look at a "real" application that can be used from a "C" point of view, look at any of those in the apps directory. If you don't have a OpenSSL baser server to test with, use the openssl s_server. It will run on Windows, and of course if you have compiled OpenSSL on a Unix system you can run the OpenSSL s_server on UNIX and the OpenSSL s_client on Windows. Or you can reverse it. I really don't know how you can find an example application any better than what you already have. If you want a really complex example application, download the apache web server and mod_ssl source. Ken ok. this is from a c/c++ standpoint for actual intergration into an application. So i'm looking for source code examples and linking information etc etc. StOo - Original Message ----- From: "Kenneth R. Robinette" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Fri, 26 Jan 2001 23:32:47 + (GMT+00:00) Subject: Re: Openssl on Win32 (help!) From: stuart hodgkinson [EMAIL PROTECTED] Subject: Re: Openssl on Win32 (help!) To: [EMAIL PROTECTED] Date sent:Fri, 26 Jan 2001 23:11:35 + (GMT+00:00) Send reply to:[EMAIL PROTECTED] Stuart I think you are trying a little to hard. And, although the documentation is not the best, you do have to at least try to read it. As for examples, the entire apps directory can be used as examples. You even have a complete server and complete client as well as openssl which uses a large majority of the functions. Have you even tried running openssl with s_server and s_client? On the winsock issue, why should you care. If you use the normal OpenSSL functions you have no need for socket calls. Perhaps I don't understand what you mean by examples. Ken Ok I'm new to this and my first mail was a bit vague. I downloaded the latest source and compiled it on Win NT sp6 but I'm low on documentation and could do with some of that. I found the example in the demo directory and noticed it was for unix/linux. I know theres some differences between win socks and unix/linux stuff..so i was looking for a windows example. I found one that works with ol der static libs. But when I tried to recompile it with the new source it complians about the ssleay 32.lib being currupt... Im baffled without docs and examples so any help is really really really ap priciated. StOo - Original Message - From: "Kenneth R. Robinette" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Fri, 26 Jan 2001 18:25:49 + (GMT+00:00) Subject: Re: Openssl on Win32 From: stuart hodgkinson [EMAIL PROTECTED] Subject:Openssl on Win32 To: [EMAIL PROTECTED] Date sent: Fri, 26 Jan 2001 18:23:45 + (GMT+00:00) Send reply to: [EMAIL PROTECTED] Stuart What kind of example? It works exactly the same way with exactly the same calls. Ken Hi is there a good resource of information for win32 implementations of openssl? all the exampl es are in unix/linux (no gripes there! I'd rather be developing on linux!) I need a good example or 2 . please help StOo ___ FSmail - Get your free web-based email from Freeserve: www.fsmail.net __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List
Re: Openssl on Win32 (help!)
From: stuart hodgkinson [EMAIL PROTECTED] Subject:Re: Openssl on Win32 (help!) To: [EMAIL PROTECTED] Date sent: Sat, 27 Jan 2001 01:00:18 + (GMT+00:00) Send reply to: [EMAIL PROTECTED] If the test programs work (in the out32 directory) then you should look elsewhere for the problem. Now don't take me wrong, I understand how hard it is to switch from one system to another system and get back in the groove again on all the programming details. However I don't think it is really wise to choose such an area as encryption, etc. as a good starting point. There are all sorts of issues totally unrelated to programming that you should be aware of, in addition to knowing how, why and the drawbacks of using portions of the OpenSSL code. Even if this is for your own enjoyment, and you could care less about all the other issues, OpenSSL presents a challenge to even the best of programmers. Take note of some of the questions being asked on this list; I don't even know what the hell half of them is even about. Ken doh! i completley missed that directory cheers. quick question though when i try to link to the sslevy32.lib i get:- CVTRES : fatal error CVT1107: D:\openssl\openssl-0.9.6\out32dll\ssleay32.lib is corrupt D:\openssl\openssl-0.9.6\out32dll\ssleay32.lib : fatal error LNK1123: failure during conversion to COFF: file invalid or corrupt Error executing link.exe. any ideas? i've been working on other os's for the past few years so im rusty as hell with windoze your help is appriciated. - Original Message - From: "Kenneth R. Robinette" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sat, 27 Jan 2001 00:22:38 + (GMT+00:00) Subject: Re: Openssl on Win32 (help!) From: stuart hodgkinson [EMAIL PROTECTED] Subject: Re: Openssl on Win32 (help!) To: [EMAIL PROTECTED] Date sent:Sat, 27 Jan 2001 00:06:58 + (GMT+00:00) Send reply to:[EMAIL PROTECTED] Stuart Well, if you run and look at openssl s_client then your are looking at a real application, in fact one that contains one heck of a lot more then you would ever have a desire to use. And it is compiled with "C". All the apps in the apps directory use the two dll's produced when your compiled OpenSSL. You can even create static libraries that you can link to from Microsoft Visual C/C++. I use version 6.0 of Visual C/C++ and have linked to OpenSSL both with the .dll and static libraries. So if you want to look at a "real" application that can be used from a "C" point of view, look at any of those in the apps directory. If you don't have a OpenSSL baser server to test with, use the openssl s_server. It will run on Windows, and of course if you have compiled OpenSSL on a Unix system you can run the OpenSSL s_server on UNIX and the OpenSSL s_client on Windows. Or you can reverse it. I really don't know how you can find an example application any better than what you already have. If you want a really complex example application, download the apache web server and mod_ssl source. Ken ok. this is from a c/c++ standpoint for actual intergration into an application. So i'm looking f or source code examples and linking information etc etc. StOo - Original Message - From: "Kenneth R. Robinette" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Fri, 26 Jan 2001 23:32:47 + (GMT+00:00) Subject: Re: Openssl on Win32 (help!) From: stuart hodgkinson [EMAIL PROTECTED] Subject:Re: Openssl on Win32 (help!) To: [EMAIL PROTECTED] Date sent: Fri, 26 Jan 2001 23:11:35 + (GMT+00:00) Send reply to: [EMAIL PROTECTED] Stuart I think you are trying a little to hard. And, although the documentation is not the best, you do have to at least try to read it. As for examples, the entire apps directory can be used as examples. You even have a complete server and complete client as well as openssl which uses a large majority of the functions. Have you even tried running openssl with s_server and s_client? On the winsock issue, why should you care. If you use the normal OpenSSL functions you have no need for socket calls. Perhaps I don't understand what you mean by examples. Ken Ok I'm new to this and my first mail was a bit vague. I downloaded the latest source and compil ed it on Win NT sp6 but I'm low on documentation and could do with some of that. I found the exampl e in the demo directory and noticed it was for unix/linux. I know theres some differences between w in socks and unix/linux stuff..so i was looking for a windows example. I found one that works with ol der static libs. But when I tried to recompile it with the new source it complians abo
Re: openssl on NT
From: Mark Swarbrick [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:openssl on NT Date sent: Tue, 23 Jan 2001 10:43:30 -0700 Send reply to: [EMAIL PROTECTED] Mark All you need is Perl and the normal Microsoft C compiler (we use VC++6.0). Perl is no big deal, just download and install. The only thing you use perl for is to configure for windows. After that you just compile with the batch file(s) created from the configure. After about 5 minutes you have the required .dlls and if you desire the libraries for static builds with your applications. Ken Ken I could really use some help getting openssl to work on NT. I have written a script in tcl/tk that checks web sites and I need to do a "package require tls" so that I can check https sites. And in order to do that apparently I must... Install TLS, which requires that I install openssl, which requires that I install, Perl, GNU C, GNU Make, and then follow a set of instructions that don't make sense and don't work. Can someone please help. I can't believe there isn't an easier way to do this. I wonder if someone already has this compiled so that I can just install some dlls and exes and it'l work. I'm following the instructions in the readme file for NT and it says to do a... ms\mingw32 What is that? Whatever it is it fails. Is "ms" supposed to be an exe file or is that some sort of path, and if so from where, the root? There is no ms.exe and there is no c:\ms directory? ??? Any hellp at all will be greatly appreciated. ...Mark [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
MS Explorer Client Certificate
The apache/mod_ssl "HowTo" states that a directory can be defined to require clients to be authenticated for a particular URL based upon client certificates signed by a certificate specified by the keyword SSLCACertificateFile. I assume that this implies that I can use my own self-signed CA cert file to sign these client certificates. A really nice feature for internal control of data on the intranet. Now what is the secret to get the Microsoft Explorer (5.+) to accept these client certificates and pass them to the https server? The explorer pops up a dialog box asking which cert to use (which is good) when I connect to the https server with the URL of the protected directory, however nothing is in the dialog box to select! No matter what I do, I cannot import a client cert into the explorer and have it end up in the dialog box. Is this another one of those internal Microsoft secrets or another clever "feature" forcing the world to pay for commercial grade client certificates? Ken __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: MS Explorer Client Certificate
Date sent: Tue, 23 Jan 2001 14:52:43 +1000 (EST) From: Grant [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:Re: MS Explorer Client Certificate Send reply to: [EMAIL PROTECTED] The client certificate has the following extensions: X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection I have not been able to get explorer to place it in the Personal store. It always puts it in the "Other People" store regardless of what I specify. Ken What type of client certificate do you have? Have you imported it successfully into the "Personal" area? On Mon, 22 Jan 2001, Kenneth R. Robinette wrote: The apache/mod_ssl "HowTo" states that a directory can be defined to require clients to be authenticated for a particular URL based upon client certificates signed by a certificate specified by the keyword SSLCACertificateFile. I assume that this implies that I can use my own self-signed CA cert file to sign these client certificates. A really nice feature for internal control of data on the intranet. Now what is the secret to get the Microsoft Explorer (5.+) to accept these client certificates and pass them to the https server? The explorer pops up a dialog box asking which cert to use (which is good) when I connect to the https server with the URL of the protected directory, however nothing is in the dialog box to select! No matter what I do, I cannot import a client cert into the explorer and have it end up in the dialog box. Is this another one of those internal Microsoft secrets or another clever "feature" forcing the world to pay for commercial grade client certificates? Ken __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Win32 CA signed Apache Server-Netscape .CRT Problem
Problem: An Unix Apache/mod-ssl server .crt/.key pair generated from a .csr/.key signed by a self generated CA Cert on 32 bit Windows will not work with the Netscape 4.72 client running on Linux Redhat 6.2. However the same .csr/.key signed by the same self generated CA Cert on Redhat 6.2 Linux will work. It will also work with the Microsoft Explorer 5.50.4522.1800 running on Windows 98, regardless of where the .crt/.key pair was signed. The Netscape client fails with the message "OpenSSL: error:14094412: SSL outines:SSL3_READ_BYTES:sslv3 alert bad certificate" in the apache log file. It would appear that the Windows based OpenSSL ca program is not consistant with the Unix based OpenSSL ca program. Conditions: Apache WWW server with mod-ssl (mod_ssl-2.7.1- 1.3.14) running on Linux Redhat 6.2. Latest OpenSSL SNAP (same results with 0.9.6) Netscape client 4.72 running on Linux Redhat 6.2 Microsoft Windows Explorer 5.50.4522.1800 on Windows 98 In all cases the .crt/.key pair is a 1024 bit RSA key. The openssl.cnf file is identical on the Windows/Linux systems. Has anyone else seen this behavior and have found a solution? Ken __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Win32 CA signed Apache Server-Netscape .CRT Problem
Date sent: Fri, 19 Jan 2001 17:24:55 + From: Dr S N Henson [EMAIL PROTECTED] Organization: S N Henson To: [EMAIL PROTECTED] Subject:Re: Win32 CA signed Apache Server-Netscape .CRT Problem Send reply to: [EMAIL PROTECTED] The .csr/.key is generated using the following commands: openssl genrsa -out server.key 1024 openssl req -new -config /tmp/openssl.cnf -key server.key -out server.csr I then sign it with the openssl ca progam with a self generated/self signed ca crt and key. I then transfer the resulting server.key and server.csr to the Unix workstation and place in: /usr/local/apache/ssl.crt/server.crt /usr/local/apache/ssl.key/server.key I start up the Apache server, then use the Microsoft Internet Explorer on Windows 98 to connect to the Apache server. Everything goes well, the Microsoft Explorer knows that the cert is signed by a CA that is in it's list of CA certs, gives the proper warning, etc. and it displays a dialog box asking if I wish to proceed. I accept the yes button and the https page is displayed correctly. I then login to the Redhat Linux system and start the Netscape client. It states that it has received an improperly formatted cert and does nothing more. I then take the .csr and .key file mentioned above, tranfer both to the Linux workstation and use the same openssl ca command to sign the cert. I then transfer the resulting .crt and .key to the locations shown above. I restart Apache, and try Netscape again. This time it is happy and does much like the Microsoft Explorer, it displays a dialog stating it does not know about the ca and asks if I would like to add it. Note that the .csr and .key are identical in both cases. In both cases they have been created on the Windows workstation. Note that the ca .crt and .key are identical in both cases. The only difference is where the .csr and .key file for the server.crt is signed, but the openssl ca program is provided the identical input and .cnf file in both cases. Note that in both cases, I have not imported anything into the Explorer or Netscape. I am simply trying to connect to the www site using a https: url to test the installation of the Apache/mod-ssl .crt and .key file. I have taken note that mod_ssl and a package called ssl.ca-0.1 make some nasty remarks about using the openssl.cnf as supplied by OpenSSL and both in fact generate their own temporary openssl.cnf files in the script used to call the openssl ca program. I have tried the same on both Linux and Windows. It does not help the Windows problem. For the record, the ca cert and key were generated on the UNIX system. They were then transfered to the Windows workstation. So again, it appears that there is some subtle difference in OpenSSL when used on a UNIX platform verses one used on a Windows platform. The important thing to note (I think) is only the Netscape client does not like the cert received from the Apache/mod-ssl server. The Microsft Explorer thinks it is ok, and other programs that I use with the "problem" server cert likes it. Ken "Kenneth R. Robinette" wrote: Problem: An Unix Apache/mod-ssl server .crt/.key pair generated from a .csr/.key signed by a self generated CA Cert on 32 bit Windows will not work with the Netscape 4.72 client running on Linux Redhat 6.2. However the same .csr/.key signed by the same self generated CA Cert on Redhat 6.2 Linux will work. It will also work with the Microsoft Explorer 5.50.4522.1800 running on Windows 98, regardless of where the .crt/.key pair was signed. The Netscape client fails with the message "OpenSSL: error:14094412: SSL outines:SSL3_READ_BYTES:sslv3 alert bad certificate" in the apache log file. It would appear that the Windows based OpenSSL ca program is not consistant with the Unix based OpenSSL ca program. The two cases should be indentical with respect to the generated certificates. How are you generating the certificates (i.e. what precise command) and how are you importing them into Netscape, presumably a PKCS#12 file? You mention the "same self generated CA certificate". What do you mean by "same"? Is this the same private key or the same DN? If it is the same DN but different keys have you installed both CA certificates as trusted in Apache? Its possible if the DNs are the same but the keys are different that it is attempting to verify one certificate against the other CA and causing a verify error as a result. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage.
RE: Win32 CA signed Apache Server-Netscape .CRT Problem
From: "Jennifer Arden" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject:RE: Win32 CA signed Apache Server-Netscape .CRT Problem Date sent: Fri, 19 Jan 2001 13:21:20 -0500 Send reply to: [EMAIL PROTECTED] No, as I stated in BOTH cases the name is .crt and .key. It works in the Linux signed case but not the Windows signed case. Both cases use the same apache/mod-ssl setup on the same Linux Redhat 6.0 system. Ken Ken I think with Apache server. The cert must have the extension of .pem I hope this help -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kenneth R. Robinette Sent: Friday, January 19, 2001 1:14 PM To: [EMAIL PROTECTED] Subject: Re: Win32 CA signed Apache Server-Netscape .CRT Problem Date sent: Fri, 19 Jan 2001 17:24:55 + From: Dr S N Henson [EMAIL PROTECTED] Organization: S N Henson To: [EMAIL PROTECTED] Subject:Re: Win32 CA signed Apache Server-Netscape .CRT Problem Send reply to: [EMAIL PROTECTED] The .csr/.key is generated using the following commands: openssl genrsa -out server.key 1024 openssl req -new -config /tmp/openssl.cnf -key server.key -out server.csr I then sign it with the openssl ca progam with a self generated/self signed ca crt and key. I then transfer the resulting server.key and server.csr to the Unix workstation and place in: /usr/local/apache/ssl.crt/server.crt /usr/local/apache/ssl.key/server.key I start up the Apache server, then use the Microsoft Internet Explorer on Windows 98 to connect to the Apache server. Everything goes well, the Microsoft Explorer knows that the cert is signed by a CA that is in it's list of CA certs, gives the proper warning, etc. and it displays a dialog box asking if I wish to proceed. I accept the yes button and the https page is displayed correctly. I then login to the Redhat Linux system and start the Netscape client. It states that it has received an improperly formatted cert and does nothing more. I then take the .csr and .key file mentioned above, tranfer both to the Linux workstation and use the same openssl ca command to sign the cert. I then transfer the resulting .crt and .key to the locations shown above. I restart Apache, and try Netscape again. This time it is happy and does much like the Microsoft Explorer, it displays a dialog stating it does not know about the ca and asks if I would like to add it. Note that the .csr and .key are identical in both cases. In both cases they have been created on the Windows workstation. Note that the ca .crt and .key are identical in both cases. The only difference is where the .csr and .key file for the server.crt is signed, but the openssl ca program is provided the identical input and .cnf file in both cases. Note that in both cases, I have not imported anything into the Explorer or Netscape. I am simply trying to connect to the www site using a https: url to test the installation of the Apache/mod-ssl .crt and .key file. I have taken note that mod_ssl and a package called ssl.ca-0.1 make some nasty remarks about using the openssl.cnf as supplied by OpenSSL and both in fact generate their own temporary openssl.cnf files in the script used to call the openssl ca program. I have tried the same on both Linux and Windows. It does not help the Windows problem. For the record, the ca cert and key were generated on the UNIX system. They were then transfered to the Windows workstation. So again, it appears that there is some subtle difference in OpenSSL when used on a UNIX platform verses one used on a Windows platform. The important thing to note (I think) is only the Netscape client does not like the cert received from the Apache/mod-ssl server. The Microsft Explorer thinks it is ok, and other programs that I use with the "problem" server cert likes it. Ken "Kenneth R. Robinette" wrote: Problem: An Unix Apache/mod-ssl server .crt/.key pair generated from a .csr/.key signed by a self generated CA Cert on 32 bit Windows will not work with the Netscape 4.72 client running on Linux Redhat 6.2. However the same .csr/.key signed by the same self generated CA Cert on Redhat 6.2 Linux will work. It will also work with the Microsoft Explorer 5.50.4522.1800 running on Windows 98, regardless of where the .crt/.key pair was signed. The Netscape client fails with the message "OpenSSL: error:14094412: SSL outines:SSL3_READ_BYTES:sslv3 alert bad certificate" in the apache log file. It would appear that the Windows based OpenSSL ca program is not consistant with the Unix based OpenSSL ca program. The two cases should be indentical with respect to the generated certificates. How are you generating the certificates (i.e. what precise command) and how are you
Re: Win32 CA signed Apache Server-Netscape .CRT Problem
Date sent: Fri, 19 Jan 2001 20:01:53 + From: Dr S N Henson [EMAIL PROTECTED] Organization: S N Henson To: [EMAIL PROTECTED] Subject:Re: Win32 CA signed Apache Server-Netscape .CRT Problem Send reply to: [EMAIL PROTECTED] Dr. Henson As I stated before, Netscape never gets to the point of asking if I am willing to accept the bad cert. It just displays the message about the fact it cannot read the cert and stops. If I use the "good" cert that was signed on Linux, then it will accept the cert and will ask if I want to enter it into the database. At first I said yes, just to make sure that would work and it did. I then did as you recommended and deleted it from the database. Do you need the ca cert and key as well? I will put together a zip file and send all of them to you as soon as I resolve a production problem we are currently having. Thanks for the offer for assistance. Ken "Kenneth R. Robinette" wrote: The .csr/.key is generated using the following commands: openssl genrsa -out server.key 1024 openssl req -new -config /tmp/openssl.cnf -key server.key -out server.csr I then sign it with the openssl ca progam with a self generated/self signed ca crt and key. I then transfer the resulting server.key and server.csr to the Unix workstation and place in: /usr/local/apache/ssl.crt/server.crt /usr/local/apache/ssl.key/server.key I start up the Apache server, then use the Microsoft Internet Explorer on Windows 98 to connect to the Apache server. Everything goes well, the Microsoft Explorer knows that the cert is signed by a CA that is in it's list of CA certs, gives the proper warning, etc. and it displays a dialog box asking if I wish to proceed. I accept the yes button and the https page is displayed correctly. I then login to the Redhat Linux system and start the Netscape client. It states that it has received an improperly formatted cert and does nothing more. I then take the .csr and .key file mentioned above, tranfer both to the Linux workstation and use the same openssl ca command to sign the cert. I then transfer the resulting .crt and .key to the locations shown above. I restart Apache, and try Netscape again. This time it is happy and does much like the Microsoft Explorer, it displays a dialog stating it does not know about the ca and asks if I would like to add it. Note that the .csr and .key are identical in both cases. In both cases they have been created on the Windows workstation. Note that the ca .crt and .key are identical in both cases. The only difference is where the .csr and .key file for the server.crt is signed, but the openssl ca program is provided the identical input and .cnf file in both cases. Note that in both cases, I have not imported anything into the Explorer or Netscape. I am simply trying to connect to the www site using a https: url to test the installation of the Apache/mod-ssl .crt and .key file. Strange problem. When you accept the certificate on Netscape do you click to accept it for the session or until it expires? Also if the two certificates are virtually identical Netscape may have problems distinguishing the two if one is already in its database. See what happens if you wipe the Netscape database between the two tests. You can do this by renaming the key3.db and cert7.db files usually found under ~/.netscape . Also see if you get similar results with the s_server utility. If none of that helps send me the various certificate files and I'll see if I can see anything that might cause this. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Win32 CA signed Apache Server-Netscape .CRT Problem
Problem: An Unix Apache/mod-ssl server .crt/.key pair generated from a CSR/KEY signed by a self generated CA Cert on 32 bit Windows will not work with the Netscape 4.72 client running on Linux Redhat 6.2. However the same CSR/KEY signed by the same self generated CA Cert on Redhat 6.2 Linux will work. It will also work with the Microsoft Explorer 5.50.4522.1800 running on Windows 98, regardless of where the .crt/.key pair was generated. The Netscape client fails with the brain dead message "OpenSSL: error:14094412: SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate" in the apache log file. It would appear that the Windows based OpenSSL ca program is not consistant with the Unix based OpenSSL ca program. Conditions: Apache WWW server with mod-ssl (mod_ssl-2.7.1-1.3.14) running on Linux Redhat 6.2. Latest OpenSSL SNAP (same results with 0.9.6) Netscape client 4.72 running on Linux Redhat 6.2 Microsoft Windows Explorer 5.50.4522.1800 on Windows 98 In all cases the .crt/.key pair is a 1024 bit RSA key. The openssl.cnf file is identical on the Windows/Linux systems. Has anyone else seen this behavior and have found a solution? Ken __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: mechanical extraction of roots from netscape?
Date sent: Thu, 18 Jan 2001 16:39:58 + From: Hannu Krosing [EMAIL PROTECTED] To: [EMAIL PROTECTED] Copies to: [EMAIL PROTECTED] Subject:Re: mechanical extraction of roots from netscape? Send reply to: [EMAIL PROTECTED] Rodney Yes, it is certutil and it can also be downloaded from www.modssl.org Ken Rodney Thayer wrote: In this document: http://www.kfu.com/~nsayer/encryption/openssl.html it refers to an Apache file, called ca_bundle.crt, which "contains all the roots from Netscape's cert7.db, automatically extracted". I'm not sure but it could be certutil from the Mozilla/iPlanet NSS tree. It can do all kinds of stuff on cert7.db and key3.db. It could also be any other tool from mozilla/security/nss/cmd/ --- Hannu __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Support InterSoft International, Inc. Voice: 888-823-1541, International 281-398-7060 Fax: 888-823-1542, International 281-560-9170 [EMAIL PROTECTED] http://www.securenetterm.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]