Re: trying to get valid SSL cert working with uw-imap server.

2007-05-23 Thread Rabellino Sergio

[EMAIL PROTECTED] wrote:

hey list,
I have a uw-imap server installed on a Solaris box. We currently have a working SSL certificate that's
about to expire on our server. On top of that, our internal team that issues the certificates is changing
their root certs, so we need to update that as well.
So I have a new cert for my server and I'm trying to get pine and mutt to connect to it, but pine
complains that it's a self-signed cert..


as does the openssl client

SSL-Session:
Protocol  : TLSv1
Cipher: AES256-SHA
Session-ID: 9878A3F0C550C7124A6FD64FC809E10971EFA324230151955A4CD64C5CEDFF52
Session-ID-ctx: 
Master-Key: 
2E11F61B9BA160292DD85683983AFB20BAEFB9430E8ABDBE6819CBD7AC877BD1503C82D170DEFC2FFC7FA759F64728AF

Key-Arg   : None
Start Time: 1179932976
Timeout   : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)


What should I do to troubleshoot this?

regards,
Jason

__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Maybe this isn't the correct list to ask about uw-imap...

But you must add your new root certs to the CA cert databases where pine and
mutt search for them.
For pine, the default path is embedded in the code (for mutt I don't know);
during the build phase you can tell it with

./build SSLCERTS=/path/to/CA root certs directory (hashed!!)

With openssl s_client, you must point it at the same dir with the option -CApath /path/to/CA root certs
directory (hashed!!)


Good luck!
--
Ing. Sergio Rabellino

 Head of ICT Services
 Department of Computer Science
 University of Torino (Italy)

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
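The fix described in this reply, as an added example (shell functions written for this page, not code from the thread): build the "hashed" CA directory that pine's SSLCERTS= build option and openssl s_client -CApath expect, then check a certificate against it. It assumes the openssl command-line tool is on PATH; directory and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the thread): build the "hashed" CA directory
# that pine's SSLCERTS= build option and openssl s_client -CApath expect,
# then check a certificate against it. Assumes the openssl CLI is on PATH;
# directory and file names are constructed for the demonstration.
set -eu

# Link every PEM certificate in DIR under its subject-name hash as HASH.N,
# which is the layout OpenSSL's by_dir lookup needs: a plain copy of the
# root cert dropped into the directory is never found, so verification
# keeps ending in "self signed certificate in certificate chain".
# OpenSSL 1.0.0 and later look up the -subject_hash value; 0.9.x-era
# clients (the pine/mutt of the thread) use the scheme now exposed as
# -subject_hash_old, so both links are created when the tool supports it.
rehash_dir() {
    dir=$1
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        for opt in -subject_hash -subject_hash_old; do
            hash=$(openssl x509 -noout "$opt" -in "$cert" 2>/dev/null) || continue
            n=0
            # Different CAs can share a hash: the .0, .1, ... suffix keeps them apart.
            while [ -e "$dir/$hash.$n" ]; do
                [ "$(readlink "$dir/$hash.$n")" = "$(basename "$cert")" ] && break
                n=$((n + 1))
            done
            [ -e "$dir/$hash.$n" ] || ln -s "$(basename "$cert")" "$dir/$hash.$n"
        done
    done
}

# Succeed only when CERT chains to a CA found through the hashed directory DIR
# (the "OK" line is checked because old openssl versions exit 0 either way).
verify_with_capath() {
    dir=$1
    cert=$2
    openssl verify -CApath "$dir" "$cert" 2>/dev/null | grep -q ': OK$'
}
```

The same directory is what openssl s_client -CApath (with -connect host:993 for IMAPS) and pine's SSLCERTS= point at; once the new root is linked there, the "Verify return code" in the s_client output changes from 19 to 0.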


Re: PKCS#7

2006-01-17 Thread Rabellino Sergio

Bernhard Froehlich wrote:


[EMAIL PROTECTED] wrote:



Hi!

I need to convert PKCS#7 attached signatures to PKCS#7 detached 
signatures.


Is it possibly? Is there any example?

Thanks anyway! 



Since no one else answered I'll say the little I believe to know about 
the subject... ;)


I don't think doing this is possible using the openssl utilities, but 
it might be done using the ASN1 APIs. Maybe you should have a look at 
the asn1parse utility (apps/asn1pars.c) as a starting point.


And tell me if you find out more.
Ted
;)


You can give openssl a chance, looking around the smime option.
You must convert your pkcs#7 back to smime, then take a look at the 
-nodetach implementation in smime; maybe you can find the exact way 
to do the detach conversion.

Hope this helps.

--
Dott. Mag. Sergio Rabellino 


Technical Staff
Department of Computer Science
University of Torino (Italy)

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Re: Having problem compiling in solaris 10.

2005-09-02 Thread Rabellino Sergio

Lisandro Grullon wrote:


Andrea, can you point me in the right direction where to find the compiler to 
support amd64. thanks.
 

I can give you a download for a tar of my gcc 4.0.1 installation... 
(/opt/gnu as installpath).


Try on http://www.di.unito.it/~rabser/gcc_401_Solaris10_amd64.tar.gz (36Mb)

Bye.

--
Dott. Mag. Sergio Rabellino 


Technical Staff
Department of Computer Science
University of Torino (Italy)

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Re: For those of you using Solaris 10.

2005-08-31 Thread Rabellino Sergio

Lisandro Grullon wrote:


Hi all,

After struggling with the installation of openssl 0.9.8 on two different production 
servers, I decided to give it a shot on a new clean server just installed. I 
installed the usual stuff (make, gcc, libconv, perl (already included in Solaris 
10)). After you install those things you will need to define your PATH to find 
the compiler and make, etc. After that you can gunzip and tar -xvf openssl.

If everything goes ok, you can cd into the openssl directory and do a ./config; 
this will create the tree structure for the source. After doing your configure 
do the make; after doing make you will see warnings all over the place, just 
disregard the warnings for a minute. After make is done, try doing make clean 
again; at the end you will see maybe 1 or 2 warnings; finally do a make again 
and you should not see warnings. That is what happened in my case, I don't know what 
will happen in yours. Well, if everything goes well, you should be ready to do 
a make install now. Go ahead and install it.

This method works for me using Solaris 10 x86 Opteron; it seems that the 
release still has a few bugs that need to be fixed for now, I will just keep 
compiling it this way since it is working. Good luck to those of you compiling 
this in Solaris 10 x86.


 

I've compiled on the same architecture, same OS, with the latest gcc 
from sunfreeware.com without any problem at all.
Some problems appeared during the apache2 ssl module compilation, caused by 
a different constant defined in the new 0.9.8 (PEM_something).


bye.

--
Dott. Mag. Sergio Rabellino 


Technical Staff
Department of Computer Science
University of Torino (Italy)

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Re: DES_ede3_cbc_encrypt and padding

2005-08-30 Thread Rabellino Sergio

Alicia da Conceicao wrote:


Greetings:

The DES_ede3_cbc_encrypt() routine does not appear to properly pad
data to fill out the last block.

Consider, if the last block contains 4 bytes for the unencrypted
text test, DES_ede3_cbc_encrypt() is only padding the remaining
characters with NULL characters:

74:65:73:74:00:00:00:00

But shouldn't it be padded as follows:

74:65:73:74:00:00:00:04

with the last byte containing the number of padded bytes.  Note that
if the last block is full, then an additional block of padding is
added with 00:00:00:00:00:00:00:08.

Is CBC padding in OpenSSL handled by a separate routine?  Shouldn't
CBC padding be handled by the CBC routine?

Thanks in advance.
Alicia.

 

I also noticed a persistent make test failure if DES is enabled on 
Sparc/Solaris9/gcc342 hosts (4 hosts tested) in 0.9.8.
In my journey around 0.9.8 to solve the problem, a segmentation fault 
occurs when calling des cbc encrypt/decrypt.


Note also that I had no problems at all compiling/testing openssl until this 
last release.


--
Dott. Mag. Sergio Rabellino 


Technical Staff
Department of Computer Science
University of Torino (Italy)

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603

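As an added example for the padding question above (shell functions written for this page, not code from the thread): the raw DES_ede3_cbc_encrypt() call works on whole blocks only, and padding is done one layer up in EVP, which "openssl enc" uses; the functions below make that visible by decrypting with -nopad so the PKCS#5 pad bytes EVP appended (every pad byte carries the pad length) stay in the output. It assumes the openssl CLI is on PATH; key and IV are constructed test values.

```shell
#!/bin/sh
# Added example (not code from the thread): the raw DES_ede3_cbc_encrypt()
# call works on whole blocks only; padding is done one layer up, in EVP,
# which "openssl enc" uses. The functions below make that visible by
# decrypting with -nopad so the pad bytes EVP appended stay in the output.
# Assumes the openssl CLI is on PATH; key and IV are constructed test values.
set -eu

K=0123456789abcdeffedcba9876543210f1e2d3c4b5a69788   # 24-byte 3DES key, hex
IV=0000000000000000                                   # 8-byte IV, hex

hex_of_stdin() { od -An -tx1 -v | tr -d ' \n'; }

# Encrypt through EVP, then decrypt without stripping the padding.
# PKCS#5 padding puts the pad length in every pad byte, so "test" comes
# back as 74657374 04040404 and a full block gains a block of eight 0x08.
padded_plaintext_hex() {
    printf '%s' "$1" \
      | openssl enc -des-ede3-cbc -K "$K" -iv "$IV" \
      | openssl enc -d -des-ede3-cbc -nopad -K "$K" -iv "$IV" \
      | hex_of_stdin
}

# Raw block mode, the closest the CLI gets to DES_ede3_cbc_encrypt(): with
# -nopad an input that is not a multiple of 8 bytes is rejected outright,
# so whoever calls the block routine has to pad before calling it.
raw_encrypt_accepts() {
    printf '%s' "$1" | openssl enc -des-ede3-cbc -nopad -K "$K" -iv "$IV" >/dev/null 2>&1
}

# Ciphertext length in bytes once EVP has padded: a plaintext that already
# fills its last block still grows by one whole block of padding.
ciphertext_len() {
    printf '%s' "$1" | openssl enc -des-ede3-cbc -K "$K" -iv "$IV" | wc -c | tr -d ' '
}
```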


Re: How can i convert p12/pfx to java key store (JKS) format

2005-08-22 Thread Rabellino Sergio

Jaleel P.A wrote:

Hi,

How can I convert p12/pfx to java key store (JKS) format

Please let me know.

This is a bit urgent.

thanks
Jaleel


Take a look at http://www.lazgosoftware.com/kse
The KeyStore Explorer could be the simplest way to do that, or you can do it by hand, using the Java keytool bundled 
with the JDK; in the documentation you can find everything, but you must first unpack your p12 with the 
openssl pkcs12 command to get the key and certs readable by keytool.

Bye.
--
Dott. Mag. Sergio Rabellino

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603


Re: Documentation on Sendmail TLS

2005-08-17 Thread Rabellino Sergio

Stephen T Albright wrote:


Hello to all.

First let me apologize for this message if it is not
the correct list, but I need to start somewhere.

Now my question.
I have recently been tasked with recompiling Sendmail
on a Sunfire 120 to include TLS support.  I understand
I need OpenSSL, and I have found some sites with
information, but not enough to answer all of my
questions.  Does anyone know of a site, or recommend a
book about OpenSSL configuration for this.  Thanks to
all for your time.



I've been running sendmail with TLS enabled since Y2K, but no particular openssl 
configuration is required.
You must compile it and configure sendmail to use the openssl API to achieve TLS 
channels for your MTA/MSA.

If you have any questions, send them to me in private mail; this is not the right 
list.
--
Dott. Mag. Sergio Rabellino

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603


Openssl 0.9.8 make test failed - addendum

2005-07-06 Thread Rabellino Sergio

This is the segmentation-fault line inside destest.c


DES_ede3_cbcm_encrypt(cbc_data,cbc_out,16L,ks,ks2,ks3,iv3,iv2,DES_ENCRYPT);

I'm using gcc as stated below:


Reading specs from 
/usr/local/gnu_r342_solaris9/bin/../lib/gcc/sparc-sun-solaris2.9/3.4.2/specs
Configured with: ../gcc-3.4.2//configure --prefix=/opt/gnu --disable-nls 
--enable-languages=c,c++ --enable-threads=posix 
--enable-version-specific-runtime-libs --enable-shared 
--with-as=/usr/ccs/bin/as --with-ld=/usr/ccs/bin/ld --disable-libgcj 
sparc-sun-solaris2.9
Thread model: posix
gcc version 3.4.2


Thanks to the developers for the OpenSSL stuff!
--
Dott. Mag. Sergio Rabellino

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Re: Any issues with WinXP SP2?

2004-08-17 Thread Rabellino Sergio
Lucius Millinder wrote:
Know where I can get the url:// for sp2?
Here you can find the download area for XP-SP2 (english only for now...)
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
Lucius L. Millinder Jr.
Security  SAN Systems Specialist
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Scott Morgan
Sent: Tuesday, August 17, 2004 6:54 AM
To: [EMAIL PROTECTED]
Subject: Any issues with WinXP SP2?
I'm mainly thinking about the data execution prevention (DEP) feature.
As far as I can make out it's all okay.
Scott Morgan

--
Dott. Sergio Rabellino
 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603


Re: 0.9.7c Vulnerability??

2003-12-30 Thread Rabellino Sergio
Fred Merritt wrote:
Michael, Andrew, Fred, and Mark,
  first of all,
thank you for your rapid response to my append to this list.  All your
comments were constructive, and helpful.
Do I have any reason to think that this is an OpenSSL bug?
No - I have my doubts.  If this was an  OpenSSL bug in the wild, I am
sure that this list would be full of  appends about it.  What makes me
think it might be, is
  1.  The quoted(might be false trail) modus operandi of the hackers -
 use an openssl scanner, get in and then do a root exploit . . .
  2. The first attack followed this MO impeccably, but I only have
 myself to blame for not being up to date.  The first attack
 downloaded files - like telnet, and some backdoors to /tmp.  All
 files were nobody nogroup.  A root exploit was downloaded, and my
 machine was theirs.
  3. The system was rebuilt, except for the Apache sub-system, and was
 not attacked .  No data files from the original incarnation of the
 system were installed on the machine. All code restored was from
 the development site, and could not possibly have been corrupted.
 The system was online for 3 days without Apache/OpenSSL.  Apache
 without OpenSSL was up and down several times.  Nothing was
 attacked.  Within two hours of  the Apache/OpenSSL service being
 restored, the system was attacked in the manner described in the
 original append.
  4. In the second attack, the kernel was protected from the root
 exploit to which it was vulnerable in the first attack.  In this
 attack, files were also downloaded to /tmp, but the crackers were
 unable to gain root access(I think!!), at least I have no evidence
 of this.  All the files down loaded were once again user/group
 nobody/nogroup.  there were some traces of the attacker trying to
 damage files, but getting rejected due to not having the
 appropriate permissions.
  5. The attackers in their publicity on their own site do not (apart
     from their claims of omnipotence) claim to be capable of attacking
     0.9.7c; it may be that their particular scanner was capable of
     attacking 9.7c, but they themselves were not aware of it (if (it
     was && if they were) { I'm sure there would have been a lot of noise})
It could be interesting to know the URL of this site...
Obviously a visit must be done with an anonymizing proxy in the middle... :-)
...omissis...

--
Dott. Sergio Rabellino
 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603


0.9.7a Win32-VC++ 6.0 Compilation problem

2003-02-24 Thread Rabellino Sergio
Dear developers,
 I had a little (maybe) trouble getting the latest release of the package to compile:
 the compiler is telling me about a redefinition of NETSCAPE_ENCRYPTED_PKEY and NETSCAPE_PKEY
 in the file crypto/asn1/n_pkey.c at lines 96 and 109 ( DECLARE_ASN1_ENCODE_FUNCTIONS_const ).

 Commenting out the lines, the compilation job is ok, and so is the test suite, but what are the implications of this 
line removal??

Thanks a lot.
--
Dott. Sergio Rabellino
 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603


Re: 0.9.7a Win32-VC++ 6.0 Compilation problem

2003-02-24 Thread Rabellino Sergio
Dr. Stephen Henson wrote:
On Mon, Feb 24, 2003, Rabellino Sergio wrote:


Dear developers,
I had a little (maybe) trouble to get compile the latest release of the 
package:

the compiler is telling me about a redefinition of NETSCAPE_ENCRYPTED_PKEY 
and NETSCAPE_PKEY

in the file crypto/asn1/n_pkey.c at line 96 and 109 ( 
DECLARE_ASN1_ENCODE_FUNCTIONS_const  ).

Commenting out the lines, the compilation job is ok, and so the test 
suite, but which are the implications of this line removal ??



I've tested compiling OpenSSL 0.9.7a with VC++ and various SPs and never
had any problems like that: it should compile without any warnings.
Check that the line:

#define EXPORT_VAR_AS_FUNCTION

appears in crypto\opensslconf.h if not then the configuration didn't work.
Make sure you follow all the steps in INSTALL.W32 to the letter.
Normally I follow all the steps, as I recompile openssl for my project as soon as a new version is available...

The define was not present, so I ran perl Configure again and the define appeared...

All the things go fine... maybe I've missed the first step?? Maybe...

Thanks again.
--
Dott. Sergio Rabellino
 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society
http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603


Re: I just want the binaries for W2K

2002-12-13 Thread Rabellino Sergio
Peter 'Luna' Runestig wrote:

Marcel Elsner wrote:


Hi,
 
I am sick of compiling everything again and again using 3 or more 
different compilers. I really tried it but now just want
running code. Is anybody out there who already has the binaries for 
Windows 2000? If so, then please send them or give me
a link where I can download.


Here's one suggestion:
ftp://ftp.runestig.com/pub/openssl-win32/openssl-0.9.6h.msi
ftp://ftp.runestig.com/pub/openssl-win32/openssl-0.9.6h.msi.sig
or
http://www.runestig.com/pub/openssl-win32/openssl-0.9.6h.msi
http://www.runestig.com/pub/openssl-win32/openssl-0.9.6h.msi.sig

More info about these packages:
http://marc.theaimsgroup.com/?l=openssl-dev&m=103210259026139&w=2

Cheers,
- Peter


Hi Peter, which tool are you using to create .msi packages??
Is it a freeware one?


Thanks.
--
Dott. Sergio Rabellino

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603




Re: Remove passprase

2002-10-25 Thread Rabellino Sergio
Robbert Hardin wrote:
 
 Hello Bruno
 
 I tried, but it doesn't work:
 
 # openssl rsa -in cakey.pem -out canokey.pem
 read RSA key
 Enter PEM pass phrase:
 unable to load key
 15251:error:06065064:digital envelope routines:EVP_DecryptFinal:bad
 decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/evp/evp
 _enc.c:277:
 15251:error:0906A065:PEM routines:PEM_do_header:bad
 decrypt:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem
 _lib.c:452:
 #
 
 I forgot to tell you I lost the pass phrase, which is why I wanted to change
 it. Sorry.
 
 Let me rephrase my question:
 Is it possible to remove or change a PEM pass phrase on keypair.pem
 generated with openssl if you don't have the PEM pass phrase?
 
 Cheers, Robbert
Only by brute force, I suppose, or else everything we do is not security.
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Re: SSL_write problems

2002-09-02 Thread Rabellino Sergio

Trey A Mujakporue wrote:
 
 I recently posted a message to the list with details of a problem I am
 experiencing with Qpopper ver 4.04 with SSL/TLS enabled using OpenSSL
 version 0.9.6e. It seems like this problem has been ongoing for the past 2
 years but there has been no fix. From my investigations it appears that
 the problem may exist in the qpopper implementation of the SSL libraries,
 hence my posting to both lists. I'm kinda desperate now so any help would be
 appreciated!
 
 details as follows.
Why not use ipop3d from Washington University???
See http://www.washington.edu/imap
Bye.
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Re: Compiling OpenSSH 3.3 or 3.4 with OpenSSL 0.9.6e under Solari s 9

2002-08-01 Thread Rabellino Sergio

Lutz Jaenicke wrote:
 
 On Thu, Aug 01, 2002 at 11:15:24AM +1000, Kalam, Imran wrote:
  I get a similar error when I am compiling openssl-0.6.c on the solaris 2.6
  operating system, but the only difference is it complains about libld.so.1,
  which is missing from /usr/lib but exists in the /usr/ccs/lib directory, any
  help please ???
 
 Seems that OpenSSL was compiled on a machine with libld.so.1 being located
 in another directory. I guess that you should recompile OpenSSL from source.
 I don't have Solaris around, so I cannot give you more than this generic
 advice.
 
 Best regards,
 Lutz
On my Solaris 2.6, that library is missing entirely; which compiler are you using, cc or 
gcc?
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Re: build a pkcs10 request using private / public key on asmartcard

2002-07-19 Thread Rabellino Sergio

Hul van den, G (Gerrit) wrote:
 
 Hi all,
 
 I want to build a pkcs10 request using the openssl software, but with the
 private/public key on a smartcard. I have a pkcs11 library to access the
 smartcard.
 
 I have stripped the req.c source, and now I have to do two things:
 - Push the public key into the pkcs10 request structure.
 - Sign the request.
 
 To begin with the signing: this is not too difficult: I'll sign the request with
 the pkcs11 library and push the signature into the request structure. I think
 this will work.
 
 Pushing the public key is different. The openssl req command expects a
 private key. It extracts the public key from the private key and pushes the
 public key into the pkcs10 request.
 
 I don't have access to the private key: it is on the smartcard, but it is
 possible to read the public key components: the modulus and exponent.
 
 I have tried to analyse how the public key is retrieved from the private key
 in the req command and how it is pushed into the request, but I can't find
 the solution for my problem:
 
 how to push the public key (modulus and exponent) directly into the
 pkcs10 request structure - the X509_REQ structure in req.c; defined in
 x509.h.
 
 Does someone have any idea?
 
 Greetings,
 
Inside the array PublicKeys[] I have the public key parameters stored in the token:

  pkey=EVP_PKEY_new();

  rsapubkey=RSA_new();

  /* We must get the hex version of the modulus and the exponent... */
  strcpy(modstring,"");
  for(k=0;k<MODULUS_SIZE;k++)
  {
    sprintf(hexchar,"%02.2x",PublicKeys[SelectedKeyPair].Modulus[k]);
    strcat(modstring,hexchar);
  }

  strcpy(expstring,"");
  for(k=0;k<EXPONENT_SIZE;k++)
  {
    sprintf(hexchar,"%02.2x",PublicKeys[SelectedKeyPair].Exponent[k]);
    strcat(expstring,hexchar);
  }

  /* Parse the hex strings into BIGNUMs owned by the RSA structure.
     Direct member access is the OpenSSL 0.9.x API of the time;
     1.1.0 and later use RSA_set0_key() instead. */
  BN_hex2bn(&(rsapubkey->n),modstring);
  BN_hex2bn(&(rsapubkey->e),expstring);
  rsapubkey->d=NULL;   /* no private components: the private key stays on the token */
  rsapubkey->p=NULL;
  rsapubkey->q=NULL;

#ifdef RABSER_DEBUG
  printf("Request ModString is %s\n",modstring);
  printf("Request ExpString is %s\n",expstring);
#endif

  /* pkey takes ownership of rsapubkey */
  EVP_PKEY_assign_RSA(pkey,rsapubkey);

So you have a pkey to pass to the request creation call.

This works for me (Eutron CryptoIdentity USB Token with PKCS#11 Interface).

 Gerrit
 
 **
 Gerrit van den Hul
 Senior Software Designer
 Altium - Think it, Design it, Build it
 Phone Rabobank: +31 30 21 51 390
 Phone Altium: +31 33 455 8584
 Fax Altium: +31 33 455 5503
 mobile: +31 6 1464 9859
 E-Mail Rabobank: [EMAIL PROTECTED]
 E-Mail Altium: [EMAIL PROTECTED]
 Private E-mail: [EMAIL PROTECTED]
 URL: http://www.altium.com
 **
 
 
 The information contained in this message may be confidential
 and is intended to be exclusively for the addressee. Should you
 receive this message unintentionally, please do not use the contents
 herein and notify the sender immediately by return e-mail.
 

-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Re: anybody is working with openssl and visual basic?

2002-04-03 Thread Rabellino Sergio

Yes, I've made a tool for corporate user certification (key and cert management) 
interfacing Visual Basic with openssl.
What do you need?
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Re: Java + SSL

2002-04-03 Thread Rabellino Sergio

Zamangoer, Ferruh wrote:
 
 Hi All,
 
 have anybody experiences with the following Error, which occurs when I want
 to use the example from the JNDI == LDAP == Security to connect to an LDAP
 Server over SSL:
 
 <cutscence>
 // Set up the environment for creating the initial context
 Hashtable env = new Hashtable();
 env.put(Context.INITIAL_CONTEXT_FACTORY,
 "com.sun.jndi.ldap.LdapCtxFactory");
 env.put(Context.PROVIDER_URL, "ldap://localhost:636/o=JNDITutorial");
 
 // Specify SSL
 env.put(Context.SECURITY_PROTOCOL, "ssl");
 
 // Authenticate as S. User and password mysecret
 env.put(Context.SECURITY_AUTHENTICATION, "simple");
 env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
 env.put(Context.SECURITY_CREDENTIALS, "mysecret");
 
 // Create the initial context
 DirContext ctx = new InitialDirContext(env);
 
 // ... do something useful with ctx
 </cutscence>
 
 I get the following error: Root exception is java.net.SocketException:
 SSL implementation not available. I also use jsse.jar, which is needed to
 run SSL.
 
 Can anybody help me :)
 
 Thanks in advance
 
 regards Ferruh
It seems that jsse is not correctly installed in your VM. Follow the instructions 
embedded with the jsse for the correct definition of the security provider in the
JRE_HOME/lib/security/java.security
config file.
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Re: No certificates in popup dialog box.

2002-03-07 Thread Rabellino Sergio

Dr S N Henson wrote:
 
 Brandon Amundson wrote:
 
  I am trying to sign a server cert from IIS 5.0 with my CA (openssl) that
  runs on my linux webserver.
 
  I have successfully signed the cert and move it back into IIS but when I go
  to access the site, the certificate dialog
 
  box pops up but there are no available certificates.  I would like to use
  pre-existing user certificates that I have issued
 
  for my other site because I am going to be letting the same people have
  access to the new site.  Does anyone know if this is
 
  possible and what I am not doing correctly, (besides using MS)? I heard
  something about the v3 extensions being a possible
 
  cause.  Any thoughts?
 
 
 The FAQ gives the reason for this and some more info. What it doesn't
 say is how to add your CA to the trusted list of IIS. IIRC you can do
 this via the certificate import wizard, something like clicking on the
 show physical stores box and trusted root-local computer. You may
 have to reboot. You can check using s_client to see if your CA is
 then sent (see FAQ).
 
 Steve.
 --
... your support is definitely wonderful...
Now I can use the client-authentication under IIS5 ... thanks.
The strange thing is that now in IIS5 there is an interface to the
TRUSTED-CA-LIST, but it seems to be unused, or rather used in combination
with importing into the trusted root-local computer store.
Obviously this is undocumented on the MS site.

Thanks.
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Re: Client certificate verification

2002-02-25 Thread Rabellino Sergio

Michael Sierchio wrote:
 
 Sharkey, Aoife wrote:
  Hi
 
  I am having a problem where the server is unable to verify the client
  certificate I created.
  The Server is running IIS and is listening on port 443 for SSL traffic.
 
 
 here is an example of the ssldump file
 
 I didn't see anything here that suggests that the server is requesting
 client auth.  There was apparently no 'Certificate request' component
 to the handshake, in which the server enumerates the DNs of acceptable
 CAs and client cert types.  I'd conclude that the server isn't
 configured to need client auth.
 
This is also my opinion, but after configuring (correctly ...) IIS to
request client authentication, and inserting my CA in the list of CA
trusted by IIS, the server doesn't request client certificate.

Has anyone resolved this problem? Maybe the extensions are wrong in the
root or the server certificate?

My CA is published on http://ca.unito.it and a sample server certificate
is on https://ca.unito.it

thanks
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Re: Expired Certificate in CRL

2002-01-25 Thread Rabellino Sergio

Stéphane Lemaire wrote:
 
 Hi,
 
 I wish to improve my question. My CRL contains expired and revoked
 certificates. I wish that my CRL contains only the expired certificates
 which are technically valid and not expired certificates. I do not wish
 the size of my CRL to increase without end.
 
 Did somebody already find a solution?
 
 Regards,
 
 Stéphane Lemaire
 
An entry can be marked either as 
R=Revoked
V=Valid
E=Expired

Attached you can find a source for the expire check (I don't
remember if it was based on some similar sources found on the internet, or
if it's entirely my own inspiration...)

Free to use for everyone who wants it... but retain the creator credits...
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603

// Rabellino Sergio - [EMAIL PROTECTED]
// Computer Science Department of Torino
//
// expire.c: walk an OpenSSL "ca" database (index.txt) and mark every V or R
// entry whose expiry date has passed as E, so expired certificates drop out
// of the CRL. Written against the OpenSSL 0.9.x API of the time (TXT_DB with
// the generic sk_num()/sk_value() accessors); newer releases renamed them.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* OpenSSL includes */
#include <openssl/conf.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include <openssl/txt_db.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/objects.h>
#include <openssl/pem.h>

/* Column layout of index.txt, as in apps/ca.c */
#define DB_type     0
#define DB_exp_date 1
#define DB_rev_date 2
#define DB_serial   3   /* index - unique */
#define DB_file     4
#define DB_name     5   /* index - unique for active */
#define DB_NUMBER   6

#define DB_TYPE_REV 'R'
#define DB_TYPE_EXP 'E'
#define DB_TYPE_VAL 'V'

/* Reduce an index.txt date (YYMMDDHHMMSSZ, two-digit year) to YYYYMMDDHH as a
   long. The century rule is the original's Y2K workaround: a leading '9'
   means 19xx, anything else 20xx. */
static long index_date(const char *d)
{
  char tmpdate[20];

  strcpy(tmpdate, (d[0] == '9') ? "19" : "20");
  strncat(tmpdate, d, 8);
  return atol(tmpdate);
}

int main(int argc, char *argv[])
{
  BIO *in=NULL;
  BIO *out=NULL;
  BIO *bio_err=NULL;
  TXT_DB *db=NULL;
  char **pp;
  int i;
  long l;
  time_t nowbin;
  const struct tm *nowstruct;
  char longdate[20];
  long dd,cdd;
  char indbfile[256];
  char outdbfile[256];

  /* Current time, in UTC because the index.txt dates end in 'Z', reduced to
     the same YYYYMMDDHH shape that index_date() produces */
  time(&nowbin);
  nowstruct = gmtime(&nowbin);
  strftime(longdate,sizeof(longdate),"%Y%m%d%H",nowstruct);
  dd=atol(longdate);

  /* snprintf rather than strcpy: argv is caller-sized, these buffers are not */
  if (argc > 1)
     snprintf(indbfile,sizeof(indbfile),"%s",argv[1]);
  else
     strcpy(indbfile,"index.txt");

  if (argc > 2)
     snprintf(outdbfile,sizeof(outdbfile),"%s",argv[2]);
  else
     strcpy(outdbfile,"index.new");

  printf("Reading from %s\n",indbfile);
  printf("Writing to   %s\n",outdbfile);

  if ((bio_err=BIO_new(BIO_s_file())) != NULL)
     BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

  in=BIO_new(BIO_s_file());
  out=BIO_new(BIO_s_file());

  if (BIO_read_filename(in,indbfile) <= 0)
    {
     perror(indbfile);
     BIO_printf(bio_err,"unable to open '%s'\n",indbfile);
     exit(1);
    }
  if (BIO_write_filename(out,outdbfile) <= 0)
    {
     perror(outdbfile);
     BIO_printf(bio_err,"unable to open '%s'\n",outdbfile);
     exit(1);
    }

  db=TXT_DB_read(in,DB_NUMBER);
  if (db == NULL)
    {
     perror(indbfile);
     BIO_printf(bio_err,"unable to decode '%s'\n",indbfile);
     exit(1);
    }

  /* Let's check the entries */
  for (i=0; i<sk_num(db->data); i++)
   {
     pp=(char **)sk_value(db->data,i);
     if (pp[DB_type][0] == DB_TYPE_VAL)
       {
        cdd=index_date(pp[DB_exp_date]);
        if (dd > cdd)
          { /* Expire the cert... */
            printf("Certificate %s is signed Valid but is Expired...\n",pp[DB_serial]);
            pp[DB_type][0] = DB_TYPE_EXP;
          }
       }
     else if (pp[DB_type][0] == DB_TYPE_REV)
       {
        cdd=index_date(pp[DB_exp_date]);
        if (dd > cdd)
          { /* Expire the cert: it no longer needs to be listed in the CRL */
            printf("Certificate %s is signed as Revoked but is Expired...\n",pp[DB_serial]);
            pp[DB_type][0] = DB_TYPE_EXP;
            pp[DB_rev_date] = NULL;   /* TXT_DB_write() emits a NULL field as empty */
          }
       }
   }

  /* Write out the DB on the output file */
  l=TXT_DB_write(out,db);
  if (l <= 0)
    {
     perror(outdbfile);
     BIO_printf(bio_err,"unable to encode '%s'\n",outdbfile);
    }
  else
    printf("DB analyzed & checked ok.\n");

  TXT_DB_free(db);
  BIO_free(in);
  BIO_free(out);
  BIO_free(bio_err);
  return (l <= 0);
}




# Set to wherever you have installed the OpenSSL libraries
OPENSSL_LIB = ./lib
OPENSSL_INCLUDE = ./include

CC = gcc

all :   expire

expire  :   expire.c
	${CC} expire.c -o expire -I ${OPENSSL_INCLUDE} -L ${OPENSSL_LIB} \
	-lcrypto

clean   :
	rm -f *.o
	rm -f expire

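The same index.txt clean-up as the attached expire.c, written here by the editor as an added example (it is not the poster's code and not part of OpenSSL). It parses the six tab-separated columns of an OpenSSL ca database, turns V and R rows whose notAfter has passed into E rows, and reports which serials still belong in a CRL. The sample database is constructed for the example; the serials and subject names are made up. Unlike the C program it keeps the full timestamp and applies the RFC 5280 UTCTime century rule (50-99 is 19xx, 00-49 is 20xx) instead of the "leading 9" heuristic.

```python
"""Mark expired entries in an OpenSSL ``ca`` database (index.txt).

Each index.txt line is tab-separated:
    status  expiry  revocation_date  serial  filename  subject
status is V (valid), R (revoked) or E (expired); the dates are ASN.1 UTCTime
(YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ); the revocation field is
empty for V/E rows and may carry a ",reason" suffix on R rows.
"""
import datetime as dt

# Constructed sample database for this example (serials and DNs are invented).
SAMPLE_INDEX = (
    "V\t300101000000Z\t\t01\tunknown\t/C=IT/O=Example CA/CN=still-valid\n"
    "R\t300101000000Z\t020110120000Z,keyCompromise\t02\tunknown\t/C=IT/O=Example CA/CN=revoked-and-valid\n"
    "V\t011231235959Z\t\t03\tunknown\t/C=IT/O=Example CA/CN=expired\n"
    "R\t011130000000Z\t011001000000Z\t04\tunknown\t/C=IT/O=Example CA/CN=revoked-then-expired\n"
    "E\t000101000000Z\t\t05\tunknown\t/C=IT/O=Example CA/CN=already-expired\n"
)


def parse_time(value):
    """Decode an index.txt timestamp as an aware UTC datetime.

    UTCTime carries a two-digit year; RFC 5280 says 50-99 means 19xx and
    00-49 means 20xx. GeneralizedTime carries four digits.
    """
    if not value.endswith("Z"):
        raise ValueError("unexpected timestamp: %r" % value)
    digits = value[:-1]
    if len(digits) == 12:                      # UTCTime
        yy = int(digits[:2])
        century = 1900 if yy >= 50 else 2000
        digits = "%04d" % (century + yy) + digits[2:]
    elif len(digits) != 14:                    # GeneralizedTime
        raise ValueError("unexpected timestamp: %r" % value)
    parsed = dt.datetime.strptime(digits, "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=dt.timezone.utc)


def parse_index(text):
    """Split index.txt into rows of six fields; reject anything malformed."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index row: %r" % line)
        rows.append(fields)
    return rows


def expire_entries(rows, now):
    """Return (updated_rows, expired_serials).

    A V or R row whose notAfter is before `now` becomes an E row and loses
    its revocation date, which is what drops it from the next CRL.
    """
    expired, updated = [], []
    for status, not_after, rev, serial, fname, subject in rows:
        if status in ("V", "R") and parse_time(not_after) < now:
            status, rev = "E", ""
            expired.append(serial)
        updated.append([status, not_after, rev, serial, fname, subject])
    return updated, expired


def crl_members(rows):
    """Serials that still belong in a CRL: revoked and not yet expired."""
    return [r[3] for r in rows if r[0] == "R"]


def format_index(rows):
    """Serialise rows back into index.txt form."""
    return "".join("\t".join(r) + "\n" for r in rows)


if __name__ == "__main__":
    now = dt.datetime.now(dt.timezone.utc)
    updated, expired = expire_entries(parse_index(SAMPLE_INDEX), now)
    print("expired:", expired, "still in CRL:", crl_members(updated))
    print(format_index(updated), end="")
```

Later OpenSSL releases ship this as `openssl ca -updatedb`; the script is useful mainly to see exactly which rows change before trusting a tool to rewrite the database, and to do the check on a copy of index.txt rather than the live file.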

SSL_connect on Non-Blocking Socket under Windows

2001-10-22 Thread Rabellino Sergio

Dear list users,
 I'm going to code a TLS telnet module for TeraTerm under Windows Sockets
2.x, using the non-blocking version of the sockets.
Supposing that I can never revert the socket to blocking, does
someone have the right solution for doing the SSL_connect with either
TLS or SSLv3?
In my tests the SSL_connect fails on a regular basis, with the (right)
socket error WSAEWOULDBLOCK, and simply re-calling the
SSL_connect is not useful at all.

Any hints?
Note that TeraTerm is freeware for Windows, and my module will also be free
(if it runs).

Thanks.
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603

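The failure mode in the post (SSL_connect returns an error with WSAEWOULDBLOCK and retrying immediately gets the same answer) is the normal behaviour of a non-blocking handshake: when SSL_connect cannot finish, SSL_get_error reports SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, and the caller must wait, with select(), until the socket is readable or writable before calling SSL_connect again. Python's ssl module raises SSLWantReadError / SSLWantWriteError for exactly those two results, so the retry loop below, an example added by the editor and not code from the post, is the same loop a C client writes around SSL_connect. The ScriptedHandshake class is a constructed stand-in for the TLS state machine so the loop can be exercised offline over a socketpair; with a real socket you would pass the object returned by `SSLContext.wrap_socket(sock, do_handshake_on_connect=False)` after `sock.setblocking(False)`.

```python
"""Drive an SSL/TLS handshake on a non-blocking socket.

OpenSSL's SSL_connect() on a non-blocking socket fails whenever it needs I/O
it cannot do yet; SSL_get_error() then says SSL_ERROR_WANT_READ or
SSL_ERROR_WANT_WRITE. Retrying before the socket is ready just repeats the
answer. Python's ssl module raises SSLWantReadError / SSLWantWriteError for
the same two conditions, so the loop below applies to both.
"""
import select
import socket
import ssl
import time


def nonblocking_handshake(conn, timeout):
    """Complete conn.do_handshake() on a non-blocking socket-like object.

    conn must provide do_handshake() and fileno(). Returns the number of
    handshake attempts made; raises TimeoutError if the deadline passes.
    """
    deadline = time.monotonic() + timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            conn.do_handshake()
            return attempts
        except ssl.SSLWantReadError:       # SSL_ERROR_WANT_READ
            wait_read, wait_write = [conn], []
        except ssl.SSLWantWriteError:      # SSL_ERROR_WANT_WRITE
            wait_read, wait_write = [], [conn]
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("handshake did not complete in time")
        # Block only until the direction OpenSSL asked for is ready,
        # then go round and call do_handshake() again.
        readable, writable, _ = select.select(wait_read, wait_write, [], remaining)
        if not readable and not writable:
            raise TimeoutError("handshake did not complete in time")


class ScriptedHandshake:
    """Constructed test double for an SSLSocket (not part of the ssl module).

    The handshake needs `flights` server messages; each do_handshake() call
    consumes one byte standing in for one flight, or reports WANT_READ if the
    peer has not sent it yet, which is what a real non-blocking handshake does.
    """

    def __init__(self, sock, flights):
        self._sock = sock
        self._pending = flights

    def fileno(self):
        return self._sock.fileno()

    def do_handshake(self):
        if self._pending == 0:
            return
        try:
            self._sock.recv(1)
        except BlockingIOError:           # the WSAEWOULDBLOCK case from the post
            raise ssl.SSLWantReadError()
        self._pending -= 1
        if self._pending:
            raise ssl.SSLWantReadError()  # more flights still to come


def demo(flights, peer_sends, timeout=1.0):
    """Run the loop over a socketpair: `peer_sends` bytes stand in for the
    server's handshake records. Returns the number of attempts needed."""
    client, server = socket.socketpair()
    try:
        client.setblocking(False)
        for _ in range(peer_sends):
            server.send(b"\x16")          # 0x16 = TLS handshake record type
        return nonblocking_handshake(ScriptedHandshake(client, flights), timeout)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print("attempts:", demo(3, 3))
```

Two details matter on Windows in particular: the plain connect() on a non-blocking socket also completes asynchronously, so wait for writability once before the first SSL_connect, and after a WANT_READ the socket error (WSAEWOULDBLOCK) is expected and not a reason to abort.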


Re: How I can create a Cert STORE

2001-05-04 Thread Rabellino Sergio

Antonio Ruiz Martínez wrote:
 
 Hello!
 
 Like I say in the subject:
 
 How can I create a Cert Store?
 
 Thanks in advance,
 Regards,
 Antonio.
Are you thinking about the Java Keystore (and certs... also)?
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Re: How I can create a Cert STORE

2001-05-04 Thread Rabellino Sergio

Antonio Ruiz Martínez wrote:
 
 Rabellino Sergio wrote:
 
  Antonio Ruiz Martínez wrote:
  
   Hello!
  
   Like I say in the subject:
  
   How can I create a Cert Store?
  
   Thanks in advance,
   Regards,
   Antonio.
  Are you thinking about the Java Keystore (and certs... also)?
 
 No, I'm thinking about the X509_STORE_CTX of OpenSSL
 
I use the X509_STORE_CTX __only__ in the verify_callback function
(merely copied from the apps dir of openssl...).

Maybe others on the list are more skilled about it.
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603



Re: Problems with Microsoft IIS csr

2001-04-23 Thread Rabellino Sergio

Enrico Russo wrote:
 
 Hi,
 I have some problems with string encoding.
 
 The Root Cert (created and self-signed with openssl) DN is :
 
 subject= /C=IT/ST=GE/L=Genova/O=Universit\xE0 di Genova/OU=Unige
 CA/CN=unige [EMAIL PROTECTED]
 
 When I try to sign requests created with Microsoft IIS or IE, the
 organizationName field (with policy 'match')
 doesn't match...:
 
 Check that the request matches the signature
 Signature ok
 The Subjects Distinguished Name is as follows
 commonName:PRINTABLE:'.csita.unige.it'
 organizationalUnitName:PRINTABLE:'Unige CA'
 organizationName  :ASN.1
 30:'^@U^@n^@i^@v^@e^@r^@s^@i^@t^@\0xFFE0^@ ^@d^@i^@
 ^@G^@e^@n^@o^@v^@a'
 localityName  :PRINTABLE:'Genova'
 stateOrProvinceName   :PRINTABLE:'GE'
 countryName   :PRINTABLE:'IT'
 The organizationName field needed to be the same in the
 CA certificate (Universit di Genova) and the request ()
 
 Is there a way to solve this problem?
 
 Thanks
 
To avoid problems, I advise you to use only "Universita", without the
accented letter...
It's a bit ugly, but there is no other way: even if you modify the OpenSSL
code so that it accepts NON PRINTABLE characters, you then run into
many problems with browsers, up to crashes of Netscape and/or Explorer.

Good luck with your work.
-- 
Dott. Sergio Rabellino 

 Technical Staff
 Department of Computer Science
 University of Torino (Italy)
 Member of the Internet Society

http://www.di.unito.it/~rabser
Tel. +39-0116706701
Fax. +39-011751603
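What the mismatch above looks like at the byte level, as an added example by the editor (not OpenSSL code and not from either poster). OpenSSL encoded the CA's organizationName with the 0xE0 byte as an 8-bit string (OpenSSL treats T61String as Latin-1), while the IIS request carried the same name as a BMPString (ASN.1 type 30, UTF-16BE, which is why the ca output shows a NUL before every character). A policy 'match' that compares the ASN.1 values type-and-bytes therefore fails even though the decoded text is identical. The small DER decoder below covers only the four DirectoryString types involved and short-form lengths; the encoded values are constructed here from the names in the thread.

```python
"""Compare X.500 name attribute values across ASN.1 string types.

The two "Università di Genova" values differ in DER because one is a
T61String (8-bit, Latin-1 in OpenSSL's reading) and one is a BMPString
(UTF-16BE). Comparing decoded text instead of raw TLVs shows they name the
same organization. Added illustration, not OpenSSL's own comparison code.
"""
import string

# ASN.1 universal tags for the DirectoryString types seen in certificate names.
UTF8STRING, PRINTABLESTRING, T61STRING, BMPSTRING = 0x0C, 0x13, 0x14, 0x1E
ENCODINGS = {
    UTF8STRING: "utf-8",
    PRINTABLESTRING: "ascii",
    T61STRING: "latin-1",    # how OpenSSL has always read 8-bit T61String bytes
    BMPSTRING: "utf-16-be",  # what the IIS/IE request generator emitted
}
PRINTABLE_CHARS = set(string.ascii_letters + string.digits + " '()+,-./:=?")


def decode_der_string(der):
    """Decode one DER TLV holding a DirectoryString value -> (tag, text).

    Short-form lengths (< 128 bytes) only, which covers DN attribute values.
    """
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag, length = der[0], der[1]
    if length >= 0x80:
        raise ValueError("long-form length not supported in this example")
    if 2 + length != len(der):
        raise ValueError("length %d does not match payload %d" % (length, len(der) - 2))
    if tag not in ENCODINGS:
        raise ValueError("tag 0x%02x is not a DirectoryString type" % tag)
    return tag, der[2:].decode(ENCODINGS[tag])


def encode_der_string(tag, text):
    """Encode text as the given DirectoryString type, refusing characters the
    type cannot carry (PrintableString has no accented letters)."""
    if tag == PRINTABLESTRING and not set(text) <= PRINTABLE_CHARS:
        raise ValueError("not representable as PrintableString: %r" % text)
    payload = text.encode(ENCODINGS[tag])
    if len(payload) >= 0x80:
        raise ValueError("long-form length not supported in this example")
    return bytes([tag, len(payload)]) + payload


def raw_match(a, b):
    """Type-and-bytes comparison: the behaviour the thread ran into."""
    return a == b


def text_match(a, b):
    """The comparison the poster wanted: same name regardless of string type."""
    return decode_der_string(a)[1] == decode_der_string(b)[1]


# Constructed values: the CA's O as OpenSSL encoded it (T61String with 0xE0),
# the same O as it arrived in the IIS request (BMPString), and the
# accent-free spelling the reply recommends (PrintableString).
CA_ORG = encode_der_string(T61STRING, "Università di Genova")
IIS_ORG = encode_der_string(BMPSTRING, "Università di Genova")
ASCII_ORG = encode_der_string(PRINTABLESTRING, "Universita di Genova")

if __name__ == "__main__":
    for label, value in (("CA", CA_ORG), ("IIS", IIS_ORG), ("ASCII", ASCII_ORG)):
        print(label, value.hex(), decode_der_string(value))
    print("raw match:", raw_match(CA_ORG, IIS_ORG), "text match:", text_match(CA_ORG, IIS_ORG))
```

The reply's advice (drop the accent so both sides produce a PrintableString) is the only fix that works when the CA and the requester cannot agree on a string type. Where both can be controlled, the cleaner route is to make them emit the same type: openssl.cnf's `string_mask = utf8only` makes OpenSSL produce UTF8String, the form RFC 5280 asks for, instead of T61String.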