Different Error codes have same value
Hi All,

I found in the ssl.h header file that error codes repeat many times, like:

#define SSL_R_BAD_ECDSA_SIGNATURE 1112
#define SSL_R_KEY_ARG_TOO_LONG 1112
#define SSL_R_BAD_ECDSA_SIGNATURE 1112
#define SSL_R_MISSING_TMP_ECDH_KEY 1114
#define SSL_R_SSL2_CONNECTION_ID_TOO_LONG 1114
#define SSL_R_BAD_ECPOINT 1113
#define SSL_R_SSL3_SESSION_ID_TOO_LONG 1113

There are many such instances. What is the reason for assigning the same value to different error codes?

Regards,
konark

*** This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!
RE: accepting self signed certs
Hi Samy,

1. If the server is ready to accept any unanimous certificate (a certificate that need not be verified by any of the server's trusted CAs), like the self-signed client certificate in your case, there is no point in asking for client authentication. If the server is requested for client authentication, the client should send a certificate which must be issued by one of the server's trusted CAs.

2. Generally servers won't ask for client authentication for a general connection; whenever the client requests some critical resources, the server can ask for client authentication through renegotiation. In this case client authentication is a must; it can't accept the self-signed OR unanimous certificate.

Regards,
Konark
09342513592

-----Original Message-----
From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of Samy Thiyagarajan
Sent: Thursday, February 02, 2006 6:02 PM
To: openssl-users@openssl.org
Subject: accepting self signed certs

hi..

My test server has a list of trusted CAs. Now I also want to accept connections requested by clients with self-signed certificates. Any simple way to accept the self-signed certs?

Thanks in advance.
Samy
How to load multiple client certificates
Hi ALL,

Is there any function to load multiple client certificates?

Consider the case where there are multiple certificates for the client. It should choose the one certificate appropriate for the particular server. It depends on the server CA list sent by the server.

Please suggest some functional sequence to do this.

Thanks
Regards,
konark
Apache + OpenSSL configuration
Hi friend,

I'm new to Apache. I don't know how to configure Apache for different handshake scenarios. I hope there will be some config file where we can change options to work with different scenarios.

Please help me with configuring the configuration file, and with the location of the configuration file in the Apache installation.

Regards,
konark
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Problem in creating certificate
While creating an RSA:1024 certificate, I got this error.

Command:
openssl req -newkey rsa:1024 -sha1 -keyout c:\test\rootkey.pem -out c:\test\cert_ssl.pem

Error:
3284:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:.\crypto\conf\conf_lib.c:325:
RE: Problem in creating certificate
Thanks to all. I got the solution. It was a problem with the config file: I included the config file using the config FILENAME option.

Regards,
konark

-----Original Message-----
From: owner-openssl-users@openssl.org [mailto:owner-openssl-users@openssl.org] On Behalf Of Vishnubhatla, Vijaya Bhaskar
Sent: Thursday, January 12, 2006 4:42 PM
To: openssl-users@openssl.org
Subject: RE: Problem in creating certificate

Hi,

Check your PATH whether you included the openssl.cnf file, otherwise you include it with the option of -extfile path to your openssl.cnf.

Hope it works

Thanks,
Bhaskar

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Konark
Sent: Thursday, January 12, 2006 3:47 PM
To: openssl-users@openssl.org
Subject: Problem in creating certificate

While creating an RSA:1024 certificate, I got this error.

Command:
openssl req -newkey rsa:1024 -sha1 -keyout c:\test\rootkey.pem -out c:\test\cert_ssl.pem

Error:
3284:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:.\crypto\conf\conf_lib.c:325:
How to verify signed enveloped data
Please send me a snippet of code to verify signed enveloped data.

1. I'm getting a problem: PKCS7_DataInit() is returning NULL. This function is called just after the decode of the stored signed enveloped data.
2. It looks like the cipher in the decoded data is NULL.
3. Is there any init OR any other function that should be called before calling decode on signed enveloped data?

Regards,
konark
PKCS7: what can be the content type (part of Content info ) other than simple data in Signed data
Hello Steve,

Once again, thanks for your last solution (Digest info). I have a small doubt about what the content type (part of Content info) can be other than simple data in Signed data.

Structure description:

SignedData ::= SEQUENCE {
    version Version,
    digestAlgorithms DigestAlgorithmIdentifiers,
    contentInfo ContentInfo,
    certificates [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL,
    crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
    signerInfos SignerInfos }

ContentInfo ::= SEQUENCE {
    contentType ContentType,
    content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }

- It seems that the content type can only be simple data (after looking into the code).
- Is it possible to put a content type other than simple data, like enveloped data, when authenticated attributes are present?
- I also found that it is checking for the other type (always Octet string) when simple data (data type) is not present.

1. Can I assume that if simple data is not the type of the content info, it should go into the other type?
2. If simple data is not the type of the content info, I need to encode and save the encoded content. Is it so?

Regards,
konark
How to verify signed enveloped data
Please send me a snippet of code to verify signed enveloped data.

1. I'm getting a problem: PKCS7_DataInit() is returning NULL. This function is called just after the decode of the stored signed enveloped data.
2. It looks like the cipher in the decoded signed enveloped data is NULL.
3. Is there any init OR any other function that should be called before calling decode on signed enveloped data?

Regards,
konark
PKCS7 standard : OpenSSL is following whether v1.5 OR v1.6 OR any other
Hi All,

I found that the OpenSSL PKCS#7 module implementation is different from both the versions. Please tell me which version it is following (URGENT)

Regards,
konark
RE: PKCS7 standard : OpenSSL is following whether v1.5 OR v1.6 OR any other
Thanks for the reply. But my problem is:

The PKCS#7 V1.5 sign implementation uses this structure in the process of sign calculation:

DigestInfo ::= SEQUENCE {
    digestAlgorithm DigestAlgorithmIdentifier,
    digest Digest }

But I found that OpenSSL is not doing as specified in V1.5. Reply by checking the OpenSSL. In case OpenSSL is not fully following the v1.5, please let me know.

Regards,
konark

On Fri, Nov 11, 2005, Konark wrote:

> Hi All,
> I found that the OpenSSL PKCS#7 module implementation is different from both the versions.
> Please tell me which version it is following (URGENT)

PKCS#7 v1.5. Very few applications use 1.6.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: PKCS7 standard : OpenSSL is following whether v1.5 OR v1.6 OR any other
Actually we implemented PKCS#7 V1.5 (we got the standards from the RSA site).

- We did as per the standard, including the DigestInfo structure as part of the signature calculation.
- When I tried to identify the signature with OpenSSL I found this thing; then I tried without this DigestInfo structure and it verified successfully.
- That's why I doubt which version it is.

konark

On Fri, Nov 11, 2005, Konark wrote:

> Thanks for the reply. But my problem is:
> The PKCS#7 V1.5 sign implementation uses this structure in the process of sign calculation:
>
> DigestInfo ::= SEQUENCE {
>     digestAlgorithm DigestAlgorithmIdentifier,
>     digest Digest }
>
> But I found that OpenSSL is not doing as specified in V1.5.

What makes you think that?

> Reply by checking the OpenSSL. In case OpenSSL is not fully following the v1.5, please let me know.

OpenSSL passed S/MIME v2 compliance test which check PKCS#7 v1.5 conformance.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
RE: PKCS7 standard : OpenSSL is following whether v1.5 OR v1.6 OR any other
Thanks Steve. It seems to be correct, but I need to check with my colleague who implemented PKCS#1 (crypto).

konark

On Fri, Nov 11, 2005, Konark wrote:

> Actually we implemented PKCS#7 V1.5 (we got the standards from the RSA site).
> - We did as per the standard, including the DigestInfo structure as part of the signature calculation.
> - When I tried to identify the signature with OpenSSL I found this thing; then I tried without this DigestInfo structure and it verified successfully.
> - That's why I doubt which version it is.

The DigestInfo is also part of PKCS#1 so if you tell some implementations (including OpenSSL) to sign a message digest the DigestInfo is automatic.

You can see the DigestInfo structure by using the 'rsautl' utility on the signature.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
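Added example (not part of the original thread, and not OpenSSL code): a stdlib-only Python model of the point made in the reply above, that a PKCS#1 v1.5 "sign a digest" operation wraps the digest in DigestInfo itself, so a caller that builds DigestInfo first ends up with a double-wrapped signature that a conforming verifier rejects. The toy key, the function names and the reading of the thread's mismatch as double wrapping are assumptions of this sketch.

```python
import hashlib

# DER AlgorithmIdentifier (OID + NULL parameters) for each hash, as used in PKCS#1.
ALG_ID = {
    "sha1": bytes.fromhex("300906052b0e03021a0500"),
    "sha256": bytes.fromhex("300d06096086480165030402010500"),
}

# Constructed toy key for this demo only: P and Q are the Mersenne primes
# 2^521-1 and 2^607-1, so the modulus is trivially factorable.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes

def digest_info(alg: str, digest: bytes) -> bytes:
    """DER of DigestInfo ::= SEQUENCE { digestAlgorithm, digest } (short lengths only)."""
    body = ALG_ID[alg] + bytes([0x04, len(digest)]) + digest
    if len(digest) > 127 or len(body) > 127:
        raise ValueError("long-form DER lengths not handled in this sketch")
    return bytes([0x30, len(body)]) + body

def pkcs1_sign_digest(alg: str, digest: bytes) -> int:
    """'Sign a message digest': the PKCS#1 layer wraps it in DigestInfo itself."""
    t = digest_info(alg, digest)
    em = b"\x00\x01" + b"\xff" * (K - 3 - len(t)) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), D, N)

def recover(sig: int) -> bytes:
    """Public-key operation plus padding removal: the payload inside the signature."""
    em = pow(sig, E, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("bad PKCS#1 v1.5 type 1 padding")
    return em[sep + 1:]

def verify(alg: str, digest: bytes, sig: int) -> bool:
    """Accept only if the recovered payload is exactly one DigestInfo over digest."""
    try:
        return recover(sig) == digest_info(alg, digest)
    except ValueError:
        return False

msg_digest = hashlib.sha1(b"constructed sample content").digest()
good = pkcs1_sign_digest("sha1", msg_digest)
# Caller builds DigestInfo first, then asks the PKCS#1 layer to sign it "as a digest".
double = pkcs1_sign_digest("sha1", digest_info("sha1", msg_digest))
```

Here recover(good) is the 15-byte SHA-1 DigestInfo header followed by the digest, while recover(double) carries a second DigestInfo around the first, so verify() accepts good and rejects double.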
what can be the content type (part of Content info ) other than simple data in Signed data
What can the content type (part of Content info) be other than simple data in Signed data?

Structure description:

SignedData ::= SEQUENCE {
    version Version,
    digestAlgorithms DigestAlgorithmIdentifiers,
    contentInfo ContentInfo,
    certificates [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL,
    crls [1] IMPLICIT CertificateRevocationLists OPTIONAL,
    signerInfos SignerInfos }

ContentInfo ::= SEQUENCE {
    contentType ContentType,
    content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }

- It seems that the content type can only be simple data (after looking into the code).
- Is it possible to put a content type other than simple data, like enveloped data, when authenticated attributes are present?

Regards,
konark
pkcs#7 API usage
Dear Users,

I'm new to OpenSSL but I have a good knowledge of PKCS7. I want to use OpenSSL's pkcs7.h. Please send me API usage docs OR archive links.

Regards,
konark
OpenSSL Books for programmers
Hi Great OpenSSL Users,

I have been working in security for the past 1.5 years, but not with OpenSSL. Now I want to start using OpenSSL. I have one good book, O'Reilly's Network Security with OpenSSL. Please send me the titles of other books, free books and articles so that I can do programming using OpenSSL.

Regards,
Konark.
Huawei Technologies Co., Ltd.