RE: Multiple Threads accessing an SSL connection
Hey

Thanks a lot for the answer David.

Sanjay

--- David Schwartz [EMAIL PROTECTED] wrote:

> > I read many posts about multiple threads accessing a single SSL
> > connection for read/write. I am still confused about the usage.
> > What exactly is the truth?
>
> You cannot access the same SSL connection from more than one thread
> at a time.
>
> > If I have a client SSL connection that has 3 to 4 threads accessing
> > the same SSL connection for read/write to the server, will it cause
> > a problem??
>
> Yes, if they're accessing it at the same time. I can't imagine how two
> writes or two reads would be useful, so the only issue should be a read
> and a write at the same time. While that could be useful, you must not
> do that.
>
> > If yes, then can I make use of mutex locks to allow only one thread
> > access the SSL connection (for read/write) at a time???
> > If no, I am happy :)
>
> Yes, you can.
>
> DS
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
Multiple Threads accessing an SSL connection
Hi,

I read many posts about multiple threads accessing a single SSL connection for read/write. I am still confused about the usage. What exactly is the truth?

If I have a client SSL connection that has 3 to 4 threads accessing the same SSL connection for read/write to the server, will it cause a problem??

If yes, then can I make use of mutex locks to allow only one thread access the SSL connection (for read/write) at a time???

If no, I am happy :)

Thanks in advance,
Sanjay Acharya
Wichita State University
setting certificate expiry to more than 30 days
Hello.

I am posting this message again. Can someone help me over this.

I am trying to create certificate using req command as follows,

1) First generated the cert request,

   openssl req -newkey rsa:1024 -config openssl.cnf -out xyz_careq.pem

2) Then generated the certificate as follows,

   openssl x509 -req -in xyz_careq.pem -extfile openssl.cnf -extensions req_extensions -signkey privatekey.pem -out xyz_cert.pem

3) When I see the expiry dates it shows as follows,

   openssl x509 -subject -issuer -dates -noout -in xyz_cert.pem

   subject= /C=US/O=XYZ/OU=XYZ Engineering Certification Authority/ST=KANSAS/L=Wichita/CN=XYZ Engineering CA/[EMAIL PROTECTED]
   issuer= /C=US/O=XYZ/OU=XYZ Engineering Certification Authority/ST=KANSAS/L=Wichita/CN=XYZ Engineering CA/Email=-
   notBefore=Feb 28 14:21:54 2005 GMT
   notAfter=Mar 30 14:21:54 2005 GMT

Why is this happening? The certificate is generated fine with the x509 and -days 365 option. Can someone help me on this.

Sanjay Acharya
Wichita State University

---THE openssl.cnf FILE---

RANDFILE = $ENV::HOME/project/.rnd

[ ca ]
default_ca = my_ca_default

[ my_ca_default ]
dir = $ENV::HOME/project
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
default_days = 365
default_crl_days = 1
default_md = sha1
x509_extensions = usr_cert
policy = my_policy

[ my_policy ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = supplied

[ usr_cert ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_md = sha1
default_keyfile = privatekey.pem
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = req_extensions

[ req_distinguished_name ]
countryName = US
organizationName = XYZ
organizationalUnitName = XYZ Engineering Certification Authority
stateOrProvinceName = KANSAS
localityName = Wichita
commonName = XYZ Engineering CA
emailAddress = ---

[ req_extensions ]
basicConstraints = CA:true
Re: setting certificate expiry to more than 30 days
But Ted, if I have to use -days option then why do we need to specify default_days name-value pairs in the openssl.cnf? :(

Sanjay Acharya
Wichita State University

--- Bernhard Froehlich [EMAIL PROTECTED] wrote:

> Sanjay Acharya wrote:
>
> > Hello. I am posting this message again. Can someone help me over
> > this. I am trying to create certificate using req command as
> > follows,
>
> See http://www.openssl.org/docs/apps/req.html
> Use -days option.
>
> Ted ;)
>
> --
> PGP Public Key Information
> Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
> Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
default_days problem
Hi everyone.

I am a newbie with regards to openssl. I would really appreciate if anyone can help me with this.

I am having a problem with creation of a root certificate in linux. I have created my own configuration file openssl.cnf and am using that to create a root ca certificate. I am using the following command to generate the certificate,

   openssl req -x509 -newkey rsa -out xyz_cert.pem -outform PEM -config openssl.cnf

The problem is that when I check the expiry date (Not after), it is set to 30 days from now although I have set the default_days to 365. Any clue why this is happening? Is it because I am using req option. I am pasting my openssl.cnf below. The expiry date shows fine if I run the above command with the -days = 365 option.

Thanks in advance,
Sanjay Acharya
Wichita State University

RANDFILE = $ENV::HOME/project/.rnd

[ ca ]
default_ca = my_ca_default

[ my_ca_default ]
dir = $ENV::HOME/project
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
default_days = 365
default_crl_days = 1
default_md = sha1
x509_extensions = usr_cert
policy = my_policy

[ my_policy ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = supplied
commonName = supplied
emailAddress = supplied

[ usr_cert ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_md = sha1
default_keyfile = privatekey.pem
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = req_extensions

[ req_distinguished_name ]
countryName = US
organizationName = XYZ
organizationalUnitName = XYZ Engineering Certification Authority
stateOrProvinceName = KANSAS
localityName = Wichita
commonName = XYZ Engineering CA
emailAddress = ---

[ req_extensions ]
basicConstraints = CA:true
Re: default_days problem
Hello.

Thanks for the solution. Actually I phrased the question wrong. I am sorry about that. Let me rephrase my question.

I actually tried to create the self signed certificate without the x509 option using req as follows,

1) First generated the cert request,

   openssl req -newkey rsa:1024 -config openssl.cnf -out xyz_careq.pem

2) Then generated the certificate as follows,

   openssl x509 -req -in xyz_careq.pem -extfile openssl.cnf -extensions req_extensions -signkey privatekey.pem -out xyz_cert.pem

3) When I see the expiry dates it shows as follows,

   openssl x509 -subject -issuer -dates -noout -in xyz_cert.pem

   subject= /C=US/O=XYZ/OU=XYZ Engineering Certification Authority/ST=KANSAS/L=Wichita/CN=XYZ Engineering CA/[EMAIL PROTECTED]
   issuer= /C=US/O=XYZ/OU=XYZ Engineering Certification Authority/ST=KANSAS/L=Wichita/CN=XYZ Engineering CA/Email=-
   notBefore=Feb 28 14:21:54 2005 GMT
   notAfter=Mar 30 14:21:54 2005 GMT

I have the default_days set as default_days= 365 in my default_ca

What could be the problem? The certificate is generated fine with the x509 option as mentioned in my earlier mail.

Thanks in advance,
Sanjay Acharya
Wichita State University, Kansas.

--- sravan [EMAIL PROTECTED] wrote:

> Hi Sanjay,
>
> the following is an extract from the documentation
> (http://www.openssl.org/docs/apps/req.html) for the req command:
>
> ..
> -days n
>     when the -x509 option is being used this specifies the number of
>     days to certify the certificate for. The default is 30 days.
> ..
>
> so, if you don't specify the above options, the default will be 30
> days. the default_days value from the config file will be taken when
> you are not using the -x509 option.
>
> Sravan
>
> Sanjay Acharya wrote:
>
> > Hi everyone.
> >
> > I am a newbie with regards to openssl. I would really appreciate if
> > anyone can help me with this.
> >
> > I am having a problem with creation of a root certificate in linux.
> > I have created my own configuration file openssl.cnf and am using
> > that to create a root ca certificate. I am using the following
> > command to generate the certificate,
> >
> >    openssl req -x509 -newkey rsa -out xyz_cert.pem -outform PEM -config openssl.cnf
> >
> > The problem is that when I check the expiry date (Not after), it is
> > set to 30 days from now although I have set the default_days to 365.
> > Any clue why this is happening? Is it because I am using req option.
> > I am pasting my openssl.cnf below. The expiry date shows fine if I
> > run the above command with the -days = 365 option.
> >
> > Thanks in advance,
> > Sanjay Acharya
> > Wichita State University
> >
> > RANDFILE = $ENV::HOME/project/.rnd
> >
> > [ ca ]
> > default_ca = my_ca_default
> >
> > [ my_ca_default ]
> > dir = $ENV::HOME/project
> > certs = $dir/certs
> > crl_dir = $dir/crl
> > database = $dir/index.txt
> > new_certs_dir = $dir/newcerts
> > certificate = $dir/cacert.pem
> > serial = $dir/serial
> > crl = $dir/crl.pem
> > private_key = $dir/private/cakey.pem
> > RANDFILE = $dir/private/.rand
> > default_days = 365
> > default_crl_days = 1
> > default_md = sha1
> > x509_extensions = usr_cert
> > policy = my_policy
> >
> > [ my_policy ]
> > countryName = match
> > stateOrProvinceName = match
> > organizationName = match
> > organizationalUnitName = supplied
> > commonName = supplied
> > emailAddress = supplied
> >
> > [ usr_cert ]
> > basicConstraints = CA:false
> >
> > [ req ]
> > default_bits = 2048
> > default_md = sha1
> > default_keyfile = privatekey.pem
> > prompt = no
> > distinguished_name = req_distinguished_name
> > x509_extensions = req_extensions
> >
> > [ req_distinguished_name ]
> > countryName = US
> > organizationName = XYZ
> > organizationalUnitName = XYZ Engineering Certification Authority
> > stateOrProvinceName = KANSAS
> > localityName = Wichita
> > commonName = XYZ Engineering CA
> > emailAddress = ---
> >
> > [ req_extensions ]
> > basicConstraints = CA:true
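
The lifetime behaviour discussed in this thread and in the "setting certificate expiry to more than 30 days" thread, as an added example that is not part of any poster's message: default_days sits in the CA section and is read by openssl ca, while req -x509 and x509 -req use their built-in 30 days unless -days is given. The temp directory, the cut-down config, the CN "Example Test CA", sha256 in place of sha1, and the helper names outlives and lifetime are assumptions of the example.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp dir; every name and path is constructed.
set -e
W=$(mktemp -d)
mkdir "$W/newcerts"; : > "$W/index.txt"; echo 01 > "$W/serial"

# Cut-down version of the openssl.cnf from the thread (sha256 instead of sha1).
cat > "$W/openssl.cnf" <<EOF
[ ca ]
default_ca = my_ca_default
[ my_ca_default ]
database = $W/index.txt
new_certs_dir = $W/newcerts
serial = $W/serial
default_days = 365
default_md = sha256
policy = my_policy
[ my_policy ]
commonName = supplied
[ req ]
default_md = sha256
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = Example Test CA
EOF

# Succeeds if certificate $1 is still valid $2 days from now.
outlives() { openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null; }
# Classify a certificate's lifetime as 365 (at least 364 days), 30, or other.
lifetime() {
    if outlives "$1" 364; then echo 365
    elif outlives "$1" 29 && ! outlives "$1" 31; then echo 30
    else echo other; fi
}

cd "$W"
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -key ca.key -config openssl.cnf -out careq.pem
# 1) req -x509 without -days: default_days in [ my_ca_default ] is never read.
openssl req -x509 -new -key ca.key -config openssl.cnf -out req_default.pem
# 2) req -x509 with an explicit -days 365.
openssl req -x509 -new -key ca.key -config openssl.cnf -days 365 -out req_days.pem
# 3) x509 -req -signkey without -days: same built-in 30-day default.
openssl x509 -req -in careq.pem -signkey ca.key -out x509_default.pem 2>/dev/null
# 4) ca -selfsign: the only command here that reads the CA section.
openssl ca -batch -selfsign -config openssl.cnf -keyfile ca.key \
    -in careq.pem -out ca_default.pem 2>/dev/null
for c in req_default req_days x509_default ca_default; do
    echo "$c: $(lifetime "$c.pem") days"
done
```

Checking issued certificates with -checkend (or -dates) right after signing catches a CA or server certificate that silently received the 30-day default before it is deployed.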