Error Using FIPS compliant OpenSSL Library Files in VC++ in Visual Studio 2005
Hello All,

I successfully compiled FIPS-compliant OpenSSL and got libeayfips32.lib and ssleay32.lib, with the complete module on the path C:\usr\local\ssl\fips2.0\. I followed these steps:

== 1. Compile openssl-fips2.0 ==

Open Visual Studio 2008 Command Prompt.

cd openssl-fips2.0\
ms\do_fips [no-asm]

Compiled FIPS module is located at C:\usr\local\ssl\fips-2.0

== 2. Integrate compiled openssl-fips2.0 in openssl-1.0.1e ==

Open Visual Studio 2008 Command Prompt.

cd openssl-1.0.1e\
perl Configure VC-WIN32 fips --with-fipslibdir=C:\usr\local\ssl\fips-2.0
ms\do_nasm
nmake -f ms\nt.mak
nmake -f ms\nt.mak install

Compiled FIPS-compliant OpenSSL exe is located at C:\usr\local\ssl\bin\openssl.exe
Compiled FIPS-compliant OpenSSL libeay32.lib and ssleay32.lib are located at C:\usr\local\ssl\lib\
Compiled FIPS-compliant OpenSSL libeay32.dll and ssleay32.dll are located at C:\usr\local\ssl\bin\

But I am facing issues in using them with Visual C++ in Visual Studio 2005. Normal versions of libeay32.lib and ssleay32.lib work 100% fine for me. I want to simulate the tests and compile the source (C:\openssl-fips-2.0\fips\sha\fips_shatest.C) in my VC++ (VC2005) console application:

Create a new VC++ Win32 console application project.
In the resource files, add the compiled FIPS module files libeayfips32.lib and ssleay32.lib from C:\usr\local\ssl\fips2.0\lib\.
In the source files, add the code file from the source code of C:\openssl-fips-2.0\fips\sha\fips_shatest.C.
Right-click on the source file and click Properties. In the General section, add the include file paths and set them to C:\usr\local\ss\include\ and C:\usr\local\ssl\fips2.0\include\. I am not using the precompiled headers option.
When I compile the application I get the following long list of errors:

error LNK2001: unresolved external symbol _FIPS_digestfinal libeayfips32.lib
error LNK2001: unresolved external symbol _FIPS_drbg_set_callbacks libeayfips32.lib
error LNK2001: unresolved external symbol _FIPS_md_ctx_cleanup libeayfips32.lib
error LNK2001: unresolved external symbol _EC_KEY_generate_key libeayfips32.lib

Microsoft states that error LNK2001 occurs when code references something (such as a function, variable, or label) that the linker can't find in the libraries and object files. It means there is certainly some issue in the FIPS-compiled libeayfips32.lib and ssleay32.lib files. Kindly help me in this regard.

Regards
Scott Thomas
Help regarding compiling FIPS-compliant OpenSSL on the Windows platform
15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

cl : Command line warning D9035 : option 'O' has been deprecated and will be removed in a future release
uid.c
cl /Fotmp32\o_time.obj -Iinc32 -Itmp32 /MT /Ox /O2 /Ob2 -O /Fdout32 -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_DYNAMIC_ENGINE /Zl -c .\crypto\o_time.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

cl : Command line warning D9035 : option 'O' has been deprecated and will be removed in a future release
o_time.c
cl /Fotmp32\o_str.obj -Iinc32 -Itmp32 /MT /Ox /O2 /Ob2 -O /Fdout32 -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_DYNAMIC_ENGINE /Zl -c .\crypto\o_str.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

cl : Command line warning D9035 : option 'O' has been deprecated and will be removed in a future release
o_str.c
.\crypto\o_str.c(66) : fatal error C1083: Cannot open include file: 'strings.h': No such file or directory
NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio 9.0\VC\BIN\cl.EXE' : return code '0x2'
Stop.

Please help me to get a FIPS-enabled libeay32.dll.

Scott Thomas
Extended\Enhanced Key usage in Sub CA Certificates
Hello,

I made a test 5-level CA and am doing Microsoft smart card logon from the end-tier CA. I had a BIG BIG problem: my Sub CAs did not have the Smart Card Logon extension in the EKU, so my end-entity certificates were unable to do SC logon. The error was that the client certificate chain certificates are not valid for the intended usage. Actually the SC logon extension was missing in all upper-layer Sub CA certs. I diagnosed it after a long time and included the desired extension in all my Sub CA certs. Actually Microsoft treats it like a constraint if an extension is not present.

As there are a lot of extensions and, thinking about evolution, many extensions will be created and used in future, if I add a particular set of extensions to my Sub CA certs then I would be setting a constraint on my PKI solution and would not be able to use these new extensions in end entities. Is the best solution to remove the EKU from all my Sub CA certs to avoid constraints?

Waiting for a reply.

Regards
Scott
Custom Attributes in the Subject of X.509 Certificate
Hello All,

First I explain the scenario. My domain name is, let's say, idtech.com. Under it I have created an ou=certificate users. Users are created under this OU, so the FQDN of a user is CN=scott,OU=Certificate Users,DC=idtech,DC=com. The same FQDN is in the subject of the user certificate, and SC logon is working fine.

If I want to add some custom attributes in the Subject of the X.509 certificate, let's say NIC=148795-89759 and EmpNo=AQ5116494, then my Subject can become:

CN=scott,NIC=148795-89759,EmpNo=AQ5116494,OU=Certificate Users,DC=idtech,DC=com

Is it possible in OpenSSL?

Regards
Scott Thomas
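Editor's added example, not part of the post or of any reply in the thread: the openssl CLI accepts custom attribute types in a subject DN once they are declared as OIDs in an oid_section of the config file it is given, so the question above answers itself with a config plus a -subj string. The OID arc 1.3.6.1.4.1.99999 is a placeholder (an assumption; a real deployment uses the organisation's own registered arc), the file paths are local scratch files, and the script is written against the OpenSSL 1.1.1/3.x command line. It also shows the ordering trap: -subj lists RDNs in ASN.1 order, while the RFC 2253 form Windows displays is the reverse, so DC goes first and CN last to obtain the subject the post asks for.

```shell
#!/bin/sh
# Added example (not from the original post): register private OIDs for the
# "NIC" and "EmpNo" attribute types in an OpenSSL config so that they can be
# used as subject RDNs.  1.3.6.1.4.1.99999.* is a placeholder arc (assumption).
set -e

WORK="${TMPDIR:-/tmp}/custom-subject.$$"
mkdir -p "$WORK"

# Write a config whose top-level oid_section declares the custom attribute
# types.  Without this, "openssl req -subj" rejects unknown RDN names.
# Prints the path of the config file.
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
oid_section = new_oids

[ new_oids ]
# short name = OID; the short name is what appears left of '=' in -subj
NIC   = 1.3.6.1.4.1.99999.1
EmpNo = 1.3.6.1.4.1.99999.2

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
# only consulted when -subj is absent; kept minimal
CN = placeholder
EOF
    printf '%s\n' "$WORK/openssl.cnf"
}

# Build the -subj string for (EmpNo, NIC, CN).  OpenSSL stores RDNs in the
# order written; the RFC 2253 display is the reverse, so DC is written first
# and CN last to get "CN=...,NIC=...,EmpNo=...,OU=...,DC=idtech,DC=com".
subject_string() {
    printf '/DC=com/DC=idtech/OU=Certificate Users/EmpNo=%s/NIC=%s/CN=%s' \
        "$1" "$2" "$3"
}

# Generate a key and CSR carrying the custom attributes, then print the CSR
# subject in RFC 2253 form.  The same -config is passed when reading the CSR
# back so the custom short names, not dotted OIDs, are printed.
make_csr_subject() {
    cnf=$(write_config)
    openssl req -new -config "$cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$WORK/key.pem" -out "$WORK/req.pem" \
        -subj "$(subject_string AQ5116494 148795-89759 scott)" 2>/dev/null
    openssl req -in "$WORK/req.pem" -config "$cnf" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//'
}

if [ "${1:-}" = "run" ]; then
    make_csr_subject
fi
```

The same oid_section declaration must be present in the CA's config when the CSR is signed (and in any tool that prints the certificate), otherwise the attributes are still encoded correctly but are displayed as dotted OIDs rather than as NIC and EmpNo.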
Re: [error] Certificate Verification: Error (34): unhandled critical extension
Hello Peter Sylvester,

> Extensions are ignored in the root. Without telling what critical extensions you have, it is difficult to help.

I had some extensions set to critical in my Sub CA certificates. I have regenerated all the Sub CA certificates and now it works fine. That's right that critical extensions are only ignored in the root; if Sub CAs contain some critical extensions, Apache mutual authentication fails.

Thanks so much for the guidance...

Best Regards
Scott Thomas
Mutual Authentication using Multiple CA's in Apache (mod_ssl) does not work
Hello All Users,

My setup has a ROOT CA and 3 levels of Sub CAs. I have generated Apache web server and client certificates from every CA, the ROOT and the Sub CAs. I have configured my Apache web server for client certificate (mutual) authentication.

I have generated the Apache web server certificate and client certificates from the ROOT CA with proper extensions. In the case of the Root CA it works well; mutual authentication works fine.

In the case of a Sub CA, the Apache web server certificate and client certificates are generated by the Sub CA with the same extensions/profile as in the case of the ROOT CA. But when I try to authenticate users from Sub CAs, the following error occurs:

unhandled critical extension

SSLCACertificateFile contains the concatenated certificates of all the CAs (the issuing CA certificate is at the top and the Root CA certificate is at the bottom of this file). Here is my vhost file:

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    DocumentRoot /srv/www/htdocs/
    ServerName XX
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /srv/www/htdocs/
    ServerName X
    SSLEngine on
    SSLCipherSuite HIGH
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/apache2/certificates/cert.pem
    SSLCertificateKeyFile /etc/apache2/certificates/key.pem
    SSLCACertificateFile /etc/apache2/certificates/chain.pem
    #SSLCertificateChainFile /etc/apache2/certificates/chain.pem
    # chain.pem contains all the upper-level certificates concatenated such that
    # the 1st certificate is that of the issuing CA, going downward towards the root CA.
    # I have also tried with the SSLCertificateChainFile directive but the error is the same.
    <Directory /srv/www/htdocs/>
        SSLVerifyClient require
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq
        SSLVerifyDepth 3
        SSLOptions +StdEnvVars +ExportCertData
    </Directory>
</VirtualHost>

I am using OpenSSL version 0.9.8h, released 28 May 2008, and Apache version 2.2.10-2.5.

Kindly guide me in this aspect.

Waiting for your kind reply.

Best Regards
Scott Thomas
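Editor's added example, not part of this post or of any reply: mod_ssl's verification result is the same one the openssl CLI produces, so the failure can be reproduced and pinpointed without Apache. The constructed script below builds a throwaway root / Sub CA / client chain, runs the client-certificate path validation that SSLVerifyClient require performs, and walks a concatenated CA bundle (the SSLCACertificateFile layout from the post, issuing CA first) reporting which certificate carries which critical extensions. It covers two of the threads above: the "unhandled critical extension" (error 34) failure from this post and the earlier reply, and the smart card logon post's observation that an EKU on a CA certificate acts as a constraint, which OpenSSL's purpose check also enforces for the EKUs it knows (serverAuth is used here as the constraining EKU because OpenSSL has a verify purpose for it; the Microsoft-specific Smart Card Logon EKU has none). The OID 1.3.6.1.4.1.99999.7 is a placeholder for any critical extension OpenSSL has no handler for, all names and paths are assumptions, and the script targets the OpenSSL 1.1.1/3.x command line rather than the 0.9.8h the post mentions.

```shell
#!/bin/sh
# Added example, not from the original posts: constructed test PKI
# (root -> Sub CA -> client) used to reproduce mod_ssl chain-verification
# failures with the openssl CLI.  1.3.6.1.4.1.99999.7 is a placeholder OID
# (assumption) for any critical extension OpenSSL does not implement.
set -e

WORK="${TMPDIR:-/tmp}/chain-check.$$"
mkdir -p "$WORK"
cd "$WORK"

# $1 selects the Sub CA extension profile:
#   good : clean CA profile, verification succeeds
#   bad  : unknown critical extension -> "unhandled critical extension" (34)
#   eku  : EKU limited to serverAuth -> "... certificate purpose" (26);
#          an EKU on a CA constrains what its issued certificates may be used for
build_chain() {
    mode="$1"
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = ca_good

[ req_dn ]
CN = placeholder

[ ca_good ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign

[ ca_bad ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
1.3.6.1.4.1.99999.7 = critical,ASN1:UTF8String:constructed test data

[ ca_eku ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
extendedKeyUsage = serverAuth

[ client ]
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    key="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    openssl req -x509 -config ca.cnf $key -days 1 -subj /CN=Test-Root \
        -keyout root.key -out root.pem 2>/dev/null
    openssl req -new -config ca.cnf $key -subj /CN=Test-SubCA \
        -keyout sub.key -out sub.csr 2>/dev/null
    openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.cnf -extensions "ca_$mode" -out sub.pem 2>/dev/null
    openssl req -new -config ca.cnf $key -subj /CN=scott \
        -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
        -days 1 -extfile ca.cnf -extensions client -out client.pem 2>/dev/null
    # Same layout as SSLCACertificateFile in the post: issuing CA first, root last.
    cat sub.pem root.pem > chain.pem
}

# The path validation mod_ssl performs for a client certificate.  Prints
# "client.pem: OK" or OpenSSL's error text (depth N identifies the failing cert).
verify_client() {
    openssl verify -CAfile chain.pem -purpose sslclient client.pem 2>&1 || true
}

# Split a PEM bundle and print "subject|ext1;ext2;" per certificate, listing
# only the extensions marked critical, to find the CA cert that trips the check.
critical_extensions() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } { print > ("cert_" n ".pem") }' "$1"
    for f in cert_*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        crit=$(openssl x509 -in "$f" -noout -text |
               awk '/: critical$/ { sub(/^ +/, ""); sub(/: critical$/, ""); printf "%s;", $0 }')
        printf '%s|%s\n' "$subj" "$crit"
    done
}

if [ -n "${1:-}" ]; then
    build_chain "$1"
    verify_client
    critical_extensions chain.pem
fi
```

Run it as `sh chain-check.sh bad` to see the error 34 at depth 1 (the Sub CA) and the offending OID in the bundle listing, and with `eku` to see the purpose error that corresponds to the Windows "not valid for intended usage" message; `good` prints OK. Against a real deployment, point critical_extensions at the actual SSLCACertificateFile and verify_client at an exported client certificate.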