Re: developing with open SSL
Hi Vered,

If you're just fetching files or doing simple http GETs you might consider looking at curl (http://curl.haxx.se/) which might save you some work... depends what you want to do :-)

cheers,
Sean

ps. curl uses openssl :-)

Tim Pushor wrote:

Vered,

Https is http over ssl. The openssl library should be all you need (http://www.openssl.org). I recommend starting with Eric Rescorla's excellent 'Introduction to SSL Programming' (http://www.rtfm.com/openssl-examples/)

Tim

-Original Message-
From: [EMAIL PROTECTED]

Dear sir,

I need to develop a client that can communicate with https server. The client has to be developed in C (on UNIX), and it has to be able to encode and decode with SSL. I have no background on this subject, so please advise me on the following:

1. which SSL libs I should install in order to be able to use SSL, and from where can I get them?
2. Is this installation enough to be able to communicate with https server? or should I install some https libs?
3. where can I get reference on https protocol, for C client?
4. is https just like http but with SSL layer, or the difference between them is much deeper?

thanks in advance,
Vered Domankevich
Re: Building openssl-0.9.6c fails on HP-UX 9.01
Hi Bernhard,

Could I suggest that you upgrade your version of gcc, since according to http://gcc.gnu.org/releases.html#timeline version 2.6.3 dates back to November 30, 1994 which in our industry is very old indeed! I'm not familiar with hp-ux, but no doubt you should be able to get your hands on a more recent version without too much difficulty - i don't know what the other folks recommend, but perhaps 2.95.3 would be a safe bet?

cheers,
Sean

Bernhard R. Erdmann wrote:

Hi,

openssl-0.9.6c fails to link openssl on HP-UX 9.01:

gcc -o openssl -DMONOLITH -I../include -fPIC -DTHREADS -DDSO_DL -O3 -DB_ENDIAN -DBN_DIV2W openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o -L.. -lssl -L.. -lcrypto -ldld
/bin/ld: Unsatisfied symbols:
gmtime_r (code)
collect2: ld returned 1 exit status
make[1]: *** [openssl] Error 1
make[1]: Leaving directory `/usr/local/src/openssl-0.9.6c/apps'
gmake: *** [sub_all] Error 1

Building was started with ./config --prefix=/usr/local --openssldir=/usr/local/openssl.

bash# gcc -v
Reading specs from /usr/local/lib/gcc-lib/hppa1.1-hp-hpux9.01/2.6.3/specs
gcc version 2.6.3
Re: Problems installing openssl-0.9.6c on Windows 2000 box
Andrew,

- make[1]: gcc: Command not found

it seems to me that make is trying to use the command gcc... but this is not available... as a double check try typing gcc at the command line... if that works double check your PATH...

cheers,
Sean

Andrew Plata wrote:

Can anyone help me, I am trying to install openssl-0.9.6c through cygwin on a Windows 2000 box. Here is the error message I receive when I run the make command.

Devon Jones@CR718118-A /tmp/openssl-0.9.6c
$ make
+ rm -f libcrypto
+ rm -f libssl
making all in crypto...
make[1]: Entering directory `/tmp/openssl-0.9.6c/crypto'
gcc -I. -I../include -DDSO_WIN32 -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 - m486 -Wall -c -o cryptlib.o cryptlib.c
make[1]: gcc: Command not found
make[1]: *** [cryptlib.o] Error 127
make[1]: Leaving directory `/tmp/openssl-0.9.6c/crypto'
make: *** [sub_all] Error 1

Can anyone help me?

Sincerely,
Andrew Plata
Re: a problem in BN_mod_exp
Hi Biswa,

what machine architecture are you using? ie a pentium (32-bit) or a usparc or alpha (64-bit) ?

cheers,
Sean

biswatosh chakraborty wrote:

Hi

While dealing on RSAKeyGen I accidentally discovered a set of numbers for which BN_mod_exp is giving a wrong result. I want to know whether I am wrong or even if my code is right, is there some limitation to BN_mod_exp?

I am interested to calculate (x^y)mod z by using BN_mod_exp(r,x,y,z) where the result is stored in r. I used openssl-0.9.6 downloaded from the openssl site two days back. I will give here the values of x,y,z and r in hex. Could anybody please throw some light on the seemingly wrong result?

x = 3
y = 2DC6C0
z = 01035691B3FEC50B2AC41174CE60E220E2A33D4791F07BD4039644FE27C02617E1F50A252B6E0F4731BCD0811FB88E5C392338251EA4A63ECAA08CCC6447BC1446D0B8020D98AEE85A4BFEA2353A0268464FD68F0C4224FB011C2F3067C97E2B6C0F91D0F242D1BBACAD3C598481804420C546A0816F4CE5575F7F9B472BDD81FB1949
r = [...]

And when I used a large integer calculator and gmp library as well, I found that both gmp and the calculator were giving the same result but of course different from ssl. ssl's output is in the variable r, given above. gmp and the calculator gave the below number:

0176B344F2A78C

Now, I went to the ssl BIGNUM code and found that for odd modulus, it executes Montgomery and for even it uses BN_mod_exp_simple. If you use simple for all cases it gives slow but correct result but Montgomery seems to fail in case of some odd modulus like in the present case. Any idea please?

bye
Thanks
Biswa
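The thread above contrasts two exponentiation paths (Montgomery for odd moduli, plain square-and-multiply otherwise) and cross-checks the result against a second bignum library. The following is an added example, not part of the original posts and not OpenSSL's BIGNUM code: an independent Python implementation of both algorithms, compared against Python's built-in pow() on the x, y, z posted above. All function names are this example's own.

```python
# Added example: independent Python code, not OpenSSL's BIGNUM source.
# X, Y, Z are the hex values posted in the thread above.
X = 0x3
Y = 0x2DC6C0
Z = int(
    "01035691B3FEC50B2AC41174CE60E220E2A33D4791F07BD4039644FE27C02617"
    "E1F50A252B6E0F4731BCD0811FB88E5C392338251EA4A63ECAA08CCC6447BC14"
    "46D0B8020D98AEE85A4BFEA2353A0268464FD68F0C4224FB011C2F3067C97E2B"
    "6C0F91D0F242D1BBACAD3C598481804420C546A0816F4CE5575F7F9B472BDD81"
    "FB1949", 16)


def modexp_simple(x, y, z):
    """Plain left-to-right square-and-multiply; valid for any z > 1."""
    acc = 1 % z
    x %= z
    for bit in bin(y)[2:]:
        acc = acc * acc % z
        if bit == "1":
            acc = acc * x % z
    return acc


def modexp_montgomery(x, y, z):
    """Same loop, but every product goes through Montgomery reduction."""
    if z < 3 or z % 2 == 0:
        raise ValueError("Montgomery reduction needs an odd modulus")
    k = z.bit_length()
    r = 1 << k                       # R = 2^k > z, and gcd(R, z) = 1
    n_prime = -pow(z, -1, r) % r     # -z^(-1) mod R (Python 3.8+)

    def redc(t):
        """Return t * R^(-1) mod z for 0 <= t < R*z, with no division by z."""
        m = (t & (r - 1)) * n_prime & (r - 1)
        u = (t + m * z) >> k         # exact: t + m*z is a multiple of R
        return u - z if u >= z else u

    x_bar = redc((x % z) * (r * r % z))   # x in Montgomery form: x*R mod z
    acc = r % z                           # 1 in Montgomery form
    for bit in bin(y)[2:]:
        acc = redc(acc * acc)
        if bit == "1":
            acc = redc(acc * x_bar)
    return redc(acc)                      # convert back to a normal residue


def cross_check(x, y, z):
    """Compare independent results; True means they all agree."""
    results = {modexp_simple(x, y, z), pow(x, y, z)}
    if z % 2:
        results.add(modexp_montgomery(x, y, z))
    return len(results) == 1


if __name__ == "__main__":
    print("agree:", cross_check(X, Y, Z))
    print("result: %X" % pow(X, Y, Z))
```

Run as a script, it prints whether the three computations agree and the reference result in hex, which can be compared digit by digit with what any other library returns for the same inputs.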
Re: Net::SSLeay .. https-proxy-sniff.pl .. How can I snoop an MSIE browser session.
For all sniffing, I use ethereal (.com), free and very useful - recently helped me setup an ipsec connection - pointing out that the two ends were proposing different crypto sets. While I haven't used it for debugging ssl, I'd be quite sure there is useful information to be gleaned.

Sean O'Riordain

POP account for superquote.co.uk wrote:

Hi,

I'm using the most excellent https-proxy-sniff from the perl module Net::SSLeay. It works fine to sniff a secure transaction from a linux client on the local host ( to a remote server ), but fails when I try to sniff a transaction from MSIE on a windows client on the local ( private ) network.

Anybody got any ideas ? Anybody succeeded at this before ?

Cheers
Simon Clewer
Re: ansi error
Hi Wally,

Could you give us more details please? What exact commands did you issue to get the error? Does the file /etc/apache/ssl.key/server.key actually exist? Does it contain anything reasonable?

Sean

Auteria Wally Winzer Jr. wrote:

I get the following error after compiling openssl-0.9.6c on Debian Linux after creating my own CA:

[Tue Feb 26 12:43:32 2002] [error] mod_ssl: Init: Unable to read server certificate from file /etc/apache/ssl.key/server.key (OpenSSL library error follows)
[Tue Feb 26 12:43:32 2002] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

Can someone explain why this is occurring and possibly a fix/solution. Thanks. I'm using the mod-ssl-makecert script from libapache-mod-ssl.
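Sean's question "Does it contain anything reasonable?" can be answered mechanically, since the log shows the X.509 decoder (d2i_X509) rejecting whatever the file holds. The following is an added example, not from the thread and not mod_ssl or OpenSSL code: a check that lists which PEM objects a file contains and whether any of them could be parsed as a certificate. It assumes the file is PEM text; the function names and sample data are this example's own.

```python
# Added example: a pre-flight check, not mod_ssl or OpenSSL code.
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_objects(text):
    """Return [(label, der_or_None)] for every PEM block found in text."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        # Skip encapsulated headers such as "Proc-Type: 4,ENCRYPTED".
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:           # binascii.Error subclasses ValueError
            der = None
        found.append((label, der))
    return found


def certificate_file_problems(text):
    """List the reasons an X.509 PEM loader would reject this content."""
    objs = pem_objects(text)
    if not objs:
        return ["no PEM block found (empty file, raw DER, or plain text)"]
    certs = [der for label, der in objs if label == "CERTIFICATE"]
    if not certs:
        labels = ", ".join(label for label, _ in objs)
        return ["no CERTIFICATE block; file holds: " + labels]
    problems = []
    for der in certs:
        if der is None:
            problems.append("CERTIFICATE body is not valid base64")
        elif der[:1] != b"\x30":     # every X.509 cert is a DER SEQUENCE
            problems.append("CERTIFICATE does not start with SEQUENCE (0x30)")
    return problems


def make_pem(label, der):
    """Wrap bytes in PEM armour; used only to build the samples below."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)


# Constructed samples: five placeholder bytes, not real keys or certificates.
KEY_FILE = make_pem("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00")
CERT_FILE = make_pem("CERTIFICATE", b"\x30\x03\x02\x01\x00")
BAD_CERT = make_pem("CERTIFICATE", b"\x04\x03abc")

if __name__ == "__main__":
    for name in ("KEY_FILE", "CERT_FILE", "BAD_CERT"):
        print(name, certificate_file_problems(globals()[name]) or "looks OK")
```

On a real server the text would come from reading the file named in the certificate directive; an empty list means the file at least has the shape a certificate loader expects, not that the certificate is valid or trusted.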
Re: Microslut Seeking help
Hi Derek,

how exactly are you supposed to connect? https? if so... then just use the inet.ocx and set the connection protocol to 5 which is https instead of http... its really quite easy... i've access to vb6.. but it also works in 5 and 4 afaik.. (could be wrong..)

to figure it out create a simple vb .exe... go Project / Components / Microsoft Internet Transfer Control 6.0... then set the Protocol to 5...

i work on the other end (lamp)... and even i figured out how to get this to work in about 20 minutes :-)

don't hesitate to get back to me if you want more details... and i'll try and track it down again...

Sean

Derek Strickland wrote:

I have to integrate with a company that is running an all Perl/Unix site that requires an OpenSSL authentication. I have compiled OpenSSL on my Windows box and it passes all the tests for a valid installation, but I can't find any article on using OpenSSL from ASP. Is it possible? I even tried going into VB and making a project reference just so I could get some intellisense help on methods/properties and VB cannot add a reference to this DLL.

Does this mean that I have no options other than building a FreeBSD box to talk to this Apache Server for this one task? Is there no way to make this run via ASP/IIS or at least use a built in IIS object that will communicate effectively with an OpenSSL Listener on his end.

Help would be awesome. Thanks.

Derek Strickland
DotAnything Inc.
Re: using own CA certs with various clients
under windows 2000 (and nt4 afaik) with outlook 2000 and IE5 (don't know if works for less than this) you can install the certificate in each client by hand quite easily... if the file name has ending .cer then windows appears to recognize it and calls it Security Certificate... double click on this and hit Install Certificate... / Next / Next / Finish / OK / OK ... that's it...

getting the cert to the client is another matter :-)

Sean

Haikel wrote:

Hello,

I think you have to install the CA certificates in your client browser. I know two techniques you can use:

1. your client can download your CA certificate from your web site (you need to use the mime type application/x-x509-ca-cert in your httpd.conf file)
2. or you can generate, for each one of your end users, a PKCS#12 file containing his private key, his certificate and your CA certificate

I hope that my answer is helpful

bye

Zachary Denison wrote:

Hi,

I am using openssl to secure a number of services in my organization: http, imap, smtp, ldap etc... For our internal servers we have been able to generate CA certs with openssl and sign our own certificates and all the services work great, EXCEPT the client software always complains that the certificate chain doesn't end with a trusted CA. I am speaking specifically about MS-outlook and netscape. outlook complains every single session where netscape at least gives you the option to accept the certificate forever. Anyway I am sure other clients would complain too.

My question is how can I prevent these messages, how can I get the client software to trust our own CA cert. On the web I searched and someone said to make a pkcs12 client cert.. anyway I tried that in a number of ways and it didn't work... And I really don't care about verifying the client... I want to just make the client trust the homegrown ca.

Any help would be much appreciated.

Thanks
Zachary.
Re: using own CA certs with various clients
sorry, I was unclear - the client needs BOTH the server cert and your CA cert.

what i did was i put the certs in a shared directory... and then each machine that wanted them just double clicked on the CA.cer and server.cer ... done...

cheers,
Sean

Steve Barnes wrote:

I have the same problem... (sort of).. I have been trying a similar thing, and failing...

I'm trying to be my own CA and generate a server cert so I can enable SSL on a IIS4 webserver. I made myself a CA by running the command...

#openssl req -new -x509 -newkey rsa:1024 -md5 -keyout ./certs/CAkey.pem -out ./certs/CAcert.pem -days 365

Then I made a Certificate request in IIS Key Manager and signed it using the command...

#openssl ca -policy policy_match -days 365 -md md5 -out ./certs/iis-ssl-cert.pem -keyfile ./certs/CAkey.pem -cert ./certs/CAcert.pem -outdir ./certs -infiles ./certs/iis-ssl-req.txt

... where iis-ssl-req.txt is the file from IIS Key Manager.

I can then import the cert into IIS Key Manager and enable Secure Channel for my web server, but when I connect to https://secure-server, it gives me an error saying the cert is ok apart from the fact that it was issued by a company you have chosen not to trust. When I try importing the cert into IE, it imports it ok, but then it doesn't appear in the Trusted Root Certificate Authorities. So everytime I go to the site, it gives me the same error over and over.

If I rename the file from 'iis-ssl-cert.pem' to 'iis-ssl-cert.cer', Windows Exploder recognises it as a Security Certificate, when i double click, I get Windows does not have enough information to verify this certificate.

Any way I'm lost... I've gotten this far and it's really bugging me now... Can anyone help...?

-Original Message-
From: Sean O'Riordain [mailto:[EMAIL PROTECTED]]
Sent: 17 October 2001 09:53
To: [EMAIL PROTECTED]
Subject: Re: using own CA certs with various clients

under windows 2000 (and nt4 afaik) with outlook 2000 and IE5 (don't know if works for less than this) you can install the certificate in each client by hand quite easily... if the file name has ending .cer then windows appears to recognize it and calls it Security Certificate... double click on this and hit Install Certificate... / Next / Next / Finish / OK / OK ... that's it...

getting the cert to the client is another matter :-)

Sean

Haikel wrote:

Hello,

I think you have to install the CA certificates in your client browser. I know two techniques you can use:

1. your client can download your CA certificate from your web site (you need to use the mime type application/x-x509-ca-cert in your httpd.conf file)
2. or you can generate, for each one of your end users, a PKCS#12 file containing his private key, his certificate and your CA certificate

I hope that my answer is helpful

bye

Zachary Denison wrote:

Hi,

I am using openssl to secure a number of services in my organization: http, imap, smtp, ldap etc... For our internal servers we have been able to generate CA certs with openssl and sign our own certificates and all the services work great, EXCEPT the client software always complains that the certificate chain doesn't end with a trusted CA. I am speaking specifically about MS-outlook and netscape. outlook complains every single session where netscape at least gives you the option to accept the certificate forever. Anyway I am sure other clients would complain too.

My question is how can I prevent these messages, how can I get the client software to trust our own CA cert. On the web I searched and someone said to make a pkcs12 client cert.. anyway I tried that in a number of ways and it didn't work... And I really don't care about verifying the client... I want to just make the client trust the homegrown ca.

Any help would be much appreciated.

Thanks
Zachary.
Re: simple question about OpenSSL and HTTP
Mars,

have a look at http://www.modssl.org/

cheers,
Sean

MARS.LIN wrote:

I have a simple question about OpenSSL and HTTP

I try to enhance httpd codes into secure one, such as httpsd. could i simply combine openssl library with httpd codes for that? are there any differences between http and https except for the ssl handshaking?
Re: W2k wiazrd
for a self-signed certificate... NB Does NOT work for a public webpage...

with both iis4 and iis5, i took the ca.crt and server.crt that was generated... edited to remove the human readable stuff at the beginning - ie down as far as the --begin certificate etc... took the files over to my win box and double clicked on them and installed them...

at the client - the browser obviously hasn't heard of the CA called Sean :-) so i take the CA.crt to my client winPC and double click ... now my MSIE has heard of CA-Sean... and i can browse my internal secure server to my hearts content AS-IF i'd gone off and bought a cert - which you can't do if its internal only afaik...

cheers,
Sean O'Riordain

[EMAIL PROTECTED] wrote:

-Original Message-
From: Nevalainen, Eric [mailto:[EMAIL PROTECTED]]
Sent: 22 August 2001 17:20
To: 'Robert Krenn'
Cc: '[EMAIL PROTECTED]'
Subject: W2k wiazrd

Bingo! The string:

bash-2.04# OpenSSL ca -out request.pem -notext -infiles certreq.txt

where -out = the cert to be generated, and -infiles = the pending request, the -notext option suppresses the plaintext form of the certificate to the output file. IIS 5 seems to like this. output looks like:

I wouldn't hold your breath if this is a self-signed certificate. No doubt someone else will correct me if I'm wrong, but I've never been able to get self-signed certificate working on any version of IIS. (I'm assuming this is a server cert. If it's a client cert then I'm probably barking up the wrong tree).

-
John Airey