Re: Private Key from Windows Cert Store

2010-11-26 Thread So Gerald
I think you may use the CAPI engine instead.

2010/11/24 Fili, Tom tf...@agi.com

  I'm trying to load a private key file of a personal cert from a key file
 and load it like so:

 SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)

 However the certificate is in the Windows Certificate Store. I'm trying to
 write it out to a PEM file, but I'm not quite sure how to get the data that
 goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----.

 For the certificate PEM file I can just base64 encode pbCertEncoded from
 the CERT_CONTEXT, but I have no idea what to do for the private key. I've tried so
 many things but all are incorrect. I've exported the file from the MMC
 snap-in and used OpenSSL to convert it to a PEM file and that works, but I
 have no idea how to get that info programmatically.

 Any help would be appreciated.

 Tom Fili
 Software Engineer
 Analytical Graphics Inc.




Re: Question of openssl compilation

2010-10-18 Thread So Gerald
You might edit that Makefile for this yourself.

2010/10/8 HU Chengzhe chengzhe...@alcatel-sbell.com.cn


 Hello,

 I use the following commands to compile openssl-0.9.8o:
 1) ./Configure solaris-sparcv9-cc --prefix=MY_OPENSSL_INSTALL_DIRECTORY shared
 2) make
 3) make install

 I can compile it successfully and under MY_OPENSSL_INSTALL_DIRECTORY/lib
 I can find some files like below:

 -rw-r--r--   1 arkie   bjumts   3623300 Aug  5 15:41 libcrypto.a
 lrwxrwxrwx   1 arkie   bjumts        18 Aug  5 15:41 libcrypto.so -> libcrypto.so.0.9.8
 -r-xr-xr-x   1 arkie   bjumts   2567624 Aug  5 15:41 libcrypto.so.0.9.8
 -rw-r--r--   1 arkie   bjumts    588036 Aug  5 15:41 libssl.a
 lrwxrwxrwx   1 arkie   bjumts        15 Aug  5 15:41 libssl.so -> libssl.so.0.9.8
 -r-xr-xr-x   1 arkie   bjumts    424320 Aug  5 15:41 libssl.so.0.9.8

 As we can see, there are two dynamic lib files libcrypto.so.0.9.8 and
 libcrypto.so.0.9.8.

 But my question is:
 1) How can I make the generated dynamic lib name libcrypto.0.9.8.so
 and libcrypto.0.9.8.so, not the default name?
 2) If the dynamic lib name is changed successfully, how can I make sure the link
 time name is the same as the changed dynamic lib name? Is there some option
 similar to -soname which can specify the link time name?

 For example:
 ldd libssl.so.0.9.8
 libcrypto.so.0.9.8 => ...

 After changing the name to libssl.0.9.8.so, the result should be:
 ldd libssl.0.9.8.so
 libcrypto.0.9.8.so => ...

 Thank you.

 Best Regards,
 Arkie



Re: Regarding intermediate CA

2010-10-17 Thread So Gerald
inside the file openssl.cnf let CA:TRUE


2010/10/15 Neeraj Jain nj...@cmctech.in

  Hello,



 We want to implement Root CA -> intermediate CA -> Server certs, but we are
 not able to create the intermediate CA. It would be great if you can help me.



 Thanks,

 Neeraj Jain





Re: Creating a certificate with Unicode characters in Issuer and Subject

2010-02-24 Thread So Gerald
I'm Chinese and have tried it. Because the terminals do not support
UTF-16 characters, you can't make certificates with UTF-16 strings inside. To do
this, you must write your own program to call openssl's functions.

2009/11/19 Shaw Graham George gs...@axway.com

 Hi,

 I have a requirement to make some test keys/certificates that contain
 Unicode (Chinese) data in the Issuer and Subject fields.  Print-out from
 an example certificate using openssl x509 is:

Issuer: C=\x00C\x00N,
 ST=\x00G\x00u\x00a\x00n\x00g\x00d\x00o\x00n\x00g,
 L=\x00G\x00u\x00a\x00n\x00g\x00z\x00h\x00o\x00u,
 O=\x00G\x00D\x00C\x00A\x00
 \x00C\x00e\x00r\x00t\x00i\x00f\x00i\x00c\x00a\x00t\x00e\x00
 \x00A\x00u\x00t\x00h\x00o\x00r\x00i\x00t\x00y
Subject: C=\x00C\x00N, ST=^\x7FN\x1Cw\x01, L=^\x7F]\xDE^\x02,
 ...

 Is this at all possible using the openssl tool?  From the manual pages
 it seems that UTF-8 is supported, but not Unicode - for example the
 config man page says that null characters in strings is not allowed.

 If not, then does anybody know of any other tools that I could use to
 make my test keys/certificates.

 Thanks in advance,

 George.
 __
 OpenSSL Project                                 http://www.openssl.org
 User Support Mailing List                    openssl-users@openssl.org
 Automated List Manager                           majord...@openssl.org



Re: OpenSSL 1.0.0 beta5 release (Build Broblem)

2010-01-26 Thread So Gerald
perl Configure VC-WIN32 -DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi -DOPENSSL_CAPIENG_DIALOG
ms\do_ms
nmake -f ms\ntdll.mak

.\engines\e_capi.c(466) : error C2220: warning treated as error - no object file generated
.\engines\e_capi.c(466) : warning C4013: 'OPENSSL_isservice' undefined; assuming extern returning int
NMAKE : fatal error U1077: 'cl' : return code '0x2'
Stop.
2010/1/21 OpenSSL open...@openssl.org



  OpenSSL version 1.0.0 Beta 5
  

  OpenSSL - The Open Source toolkit for SSL/TLS
  http://www.openssl.org/

  OpenSSL is currently in a release cycle. The fifth beta is now released.
  This is expected to be the final beta, depending on the number of bugs
  reported.

  The beta release is available for download via HTTP and FTP from the
  following master locations (the various FTP mirrors you can find under
  http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

  The file names of the beta are:

o openssl-1.0.0-beta5.tar.gz
  Size: 4006467
  MD5 checksum: f869b6b044296f31cee710f178605ef2
  SHA1 checksum: a16377c02625f803a5dcfaa9c11aeadcfd3703b6

  The checksums were calculated using the following command:

openssl md5 < openssl-1.0.0-beta5.tar.gz
openssl sha1 < openssl-1.0.0-beta5.tar.gz

  Please download and test them as soon as possible. This new OpenSSL
  version incorporates 122 documented changes and bugfixes to the
  toolkit (for a complete list see
 http://www.openssl.org/source/exp/CHANGES).

  Also check the latest snapshots at ftp://ftp.openssl.org/snapshot/
  or CVS (see http://www.openssl.org/source/repos.html) to avoid
  reporting previously fixed bugs.

  Since the fourth beta, the following has happened:

- Provisional TLS session renegotiation fix
- Option to output hash using older algorithm in x509 utility
- Compression session handling bug fix
- Build system fixes.
- Other bug fixes.

  Reports and patches should be sent to openssl-b...@openssl.org.
  Discussions around the development of OpenSSL should be sent to
  openssl-...@openssl.org.  Anything else should go to
  openssl-us...@openssl.org.

  The best way, at least on Unix, to create a report is to do the
  following after configuration:

  make report

  That will do a few basic checks of the compiler and bc, then build
  and run the tests.  The result will appear on screen and in the file
  testlog.  Please read the report before sending it to us.  There
  may be problems that we can't solve for you, like missing programs.

  Yours,
  The OpenSSL Project Team...

Mark J. Cox             Ben Laurie          Andy Polyakov
Ralf S. Engelschall     Richard Levitte     Geoff Thorpe
Dr. Stephen Henson      Bodo Möller         Ulf Möller
Lutz Jänicke            Nils Larsch



Re: OpenSSL 0.9.8m-beta1 release (Build Broblem)

2010-01-25 Thread So Gerald
I built it with VC-Win32 and got a problem:
perl Configure VC-WIN32 no-hw enable-capieng -DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi -DOPENSSL_CAPIENG_DIALOG
ms\do_masm
nmake -f ms\ntdll.mak

.\ssl\d1_both.c(992) : warning C4761: integral size mismatch in argument; conversion supplied
.\ssl\d1_both.c(992) : error C2220: warning treated as error - no object file generated
NMAKE : fatal error U1077: 'cl' : return code '0x2'
Stop.
2010/1/21 Thor Lancelot Simon t...@panix.com

 On Thu, Jan 21, 2010 at 12:59:36AM +0100, OpenSSL wrote:
 
 The OpenSSL project team is pleased to announce the release of
 version 0.9.8m-beta1 of our open source toolkit for SSL/TLS. This new
 OpenSSL version is a security and bug fix beta release which
 implements
 draft-ietf-tls-renegotiation-03.txt to address CVE-2009-3555. For a
 complete list of changes, please see
 http://www.openssl.org/source/exp/CHANGES.

 |  *) Implement draft-ietf-tls-renegotiation-03. Re-enable
 | renegotiation but require the extension as needed. Unfortunately,
 | SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a
 | bad idea. It has been replaced by
 | SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
 | SSL_CTX_set_options(). This is really not recommended unless you
 | know what you are doing.
 | [Eric Rescorla e...@networkresonance.com, Ben Laurie, Steve Henson]

 The change described above is a major API/ABI change.  Now applications
 must handle three different cases:

1) No built-in support for preventing unsafe renegotiation; do
   it yourself with callbacks.

2) Built-in support controlled by
   SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, no
   #define at all for SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

3) Built-in support controlled by
   SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, no
   #define for SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

 I guess once again everyone gets to bump their major version numbers for
 the OpenSSL shared libraries for a point release (this'll be the second
 bump in three months for anyone who picked up 0.9.8l) and gets to write
 application code full of nasty #if hacks which check the OpenSSL version
 string.

 Yuck!

 Thor



Re: Public Key generation.

2009-07-16 Thread So Gerald
You have to generate the private key first.

2009/7/16 sdc186 schaudh...@mzeal.com


 Hello Everyone,

 I am using openssl 0.9.8g. Can anybody tell me how to generate public key
 in
 openssl. Which command should I use for the generation?

 Thanks.



Re: PHP Open SSL

2009-07-16 Thread So Gerald
The length of data you can encrypt is limited and depends on the key size you used,
so you cannot simply encrypt all the text with openssl_public_encrypt().
To do this you should refer to 'S/MIME'.

2009/7/14 mahendra [MinG] ming@hotmail.com

 Hi, i am developing a secure email application whereby the email sent to
 the receiver is encrypted using PHP openssl_public_encrypt(). The problem is
 i could not decrypt the message back to the original message using
 openssl_private_decrypt().

 Questions:
 1. What is the encoding format for the encrypted text that is generated
 from openssl_public_encrypt?
 2. Is it possible that because when i generate the encrypted text, i echo
 it into a HTML textarea and hence changing the encoding?

 Thanks for your help and suggestion.




Re: how to process CRMF request generated from mozilla

2009-07-16 Thread So Gerald
Openssl can't do this yet. You may write it yourself.

2009/5/31 tito tit...@gmail.com

 How do I sign a certificate in openssl with the CRMF string generated from
 Mozilla?



Re: Microsoft Visual C++

2008-10-14 Thread So Gerald
As far as I know, Microsoft Visual C++ Express does not support multithreaded programs
correctly, and OpenSSL needs to work in multithread mode. So you should use
another version of the compiler instead.

2008/10/11 Michael Luich [EMAIL PROTECTED]

 On Fri, Oct 10, 2008 at 9:25 PM, Thomas J. Hruska
 [EMAIL PROTECTED] wrote:
   Michael Luich wrote:
 
  Hello,
 I'm trying to compile in Microsoft Visual C++ Express and I'm getting
  linker errors like:
 
  error LNK2019: unresolved external symbol _BIO_gets referenced in
 function
  char * __cdecl sr_encrypt(char *,struct _iobuf *) (?sr_encrypt@
  @YAPADPADPAU_iobuf@@@Z)
 
  I got the header files all setup, but I can't get the libs working. I
  followed the help and copied the lib files to C:\Program Files\Microsoft
  Visual Studio 9.0\VC\lib .
 
  Anybody know what i'm missing?
 
  Mike Luich
 
  You have to add the .lib files to your project's Linker properties.
 
  --
  Thomas Hruska
  Shining Light Productions
 
  Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
  http://www.slproweb.com/
 
 
 


 I've tried to do that but It doesn't seem to be working. Any idea on
 how I do that?

 Mike Luich
 --
 you can't put your finger there - OOH! PUT YOUR FINGER THERE!  -
 Princeton, Avenue Q
 (http://www.avenueq.com/)



Re: Build static openssl

2008-10-14 Thread So Gerald
If you compile OpenSSL with VC, please do nmake -f \nt.mak instead of
ntdll.mak. MinGW also does dynamic and static compiling at the same time.

2008/10/13 Prathima Dandapani -X (pdandapa - HCL at Cisco) 
[EMAIL PROTECTED]

  Hello All,

 Can anyone tell me how to create a statically linked openssl?
 I have used the no-shared option to the Configure script, but in vain.
 Please share your suggestions.
 Thanks,
 Prathima.



Re: Leaks X509

2008-10-14 Thread So Gerald
X509_free(x);


2008/10/2 David Schwartz [EMAIL PROTECTED]


 Stanislav Mikhailenko:

  Hello I use openssl 0.9.8i in my project under Win32.
  There are some leaks detected when i do just it:
 
X509* x=X509_new();
X509_free();
 
  It was in previous versions too.
  What should i do to remove this?

 Did you confirm that the memory was leaked and not actually still in use?
 To test this, repeat the code block to allocate and free two X509 objects
 and see if twice as much memory is leaked.

 If you see the same amount of memory leaked, that proves that something
 the code did the first time made the code use less memory the second time.
 This shows that the memory was not actually leaked, but was in fact in use
 -- and in fact was used by the second operation.

 DS





Re: Remove Ask for a pass phrase

2008-10-14 Thread So Gerald
char passwd[] = {0};

2008/8/27 delcour.pierre [EMAIL PROTECTED]

 Hello everyone,

 I'm trying to load a private key with this function:

 EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u);

 I use it this way:
 EVP_PKEY* key = PEM_read_PrivateKey(file, NULL, NULL, passwd);
 with file a FILE* containing the correct file, and passwd a char*.
 In this case: passwd = NULL;

 If I load a private key which needs a passphrase, the function asks me for the
 pass phrase (in the console). I would like to remove this feature.

 How can I get a NULL value as the return instead of typing the required pass
 phrase?

 Thanks in advance,
 Have a nice day,
 pierre



Re: Hello

2008-10-14 Thread So Gerald
Yes

2008/8/23 Nguyen, Harris [EMAIL PROTECTED]

 Hello,
 Is this the right place to ask Openssl programming issues?
 Thanks

 Harris Nguyen



Re: Creating certificates

2006-04-25 Thread So Gerald
I'm not sure what's wrong. I think that you should read the configuration file of openssl carefully. Can you show your results in BASE64 format in order to let others test them for you?
2006/4/25, nduval (sent by Nabble.com) [EMAIL PROTECTED]:
 I have installed openssl and am hoping to use it to create a self signed CA and then client certificates to go along with it. I am using everything after a normal install. So far all I have done is a ca -newca, fill in the info. Then I do ca -newreq and then ca -sign. It seems I get what I need... I get the CA file, and the certificate file.

 To check them, I loaded the CA as a trusted root on my local machine, and then opened the certificate to see if it corresponded properly to the CA in the certification path, but I get the following message when I view it:

 The certificate is not valid because one of the certification authorities in the certification path does not appear to be allowed to issue certificates or this certificate cannot be used as an end-entity certificate.

 The CA does show up in the certification path, but with the yellow exclamation mark on it. Can anyone tell me how to correct this? Many thanks.

 Nathan
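The CA:TRUE setting Gerald points to in the intermediate CA thread above and the "not allowed to issue certificates" message Nathan describes are two sides of the same basicConstraints extension. The script below is an added example, not code from either thread: it builds a Root CA -> intermediate CA -> server chain with the openssl CLI, verifies it, then issues the same intermediate without CA:TRUE and shows that verification rejects that chain. It assumes an openssl binary on PATH; the names, extension profiles and temp directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Builds Root CA -> intermediate CA -> server
# certificate with the openssl CLI and checks what basicConstraints=CA:TRUE does.
# Assumes an openssl binary on PATH; every name and path below is constructed.
set -e

write_profiles() {
  # Extension profiles. CA:TRUE marks a certificate as an issuer; pathlen:0 stops
  # the intermediate from issuing further CA certificates. The empty req_dn
  # section exists only so that 'openssl req' accepts -subj with this config.
  cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# sign <csr> <issuer cert> <issuer key> <extension profile> <output cert>
sign() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 \
    -extfile ext.cnf -extensions "$4" -out "$5" 2>/dev/null
}

# Returns 0 when the proper chain verifies AND the CA:FALSE intermediate is rejected.
build_and_verify() {
  work=$(mktemp -d) && cd "$work" && write_profiles || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt -days 30 \
    -subj "/CN=Demo Root CA" -config ext.cnf -extensions v3_ca 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Demo Intermediate CA" -config ext.cnf 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
    -subj "/CN=www.example.test" -config ext.cnf 2>/dev/null || return 1
  # Correct chain: the intermediate carries CA:TRUE and keyCertSign.
  sign int.csr root.crt root.key v3_intermediate int.crt || return 1
  sign srv.csr int.crt int.key v3_server srv.crt || return 1
  openssl verify -CAfile root.crt -untrusted int.crt srv.crt >/dev/null || return 1
  # Broken chain: same intermediate key, but issued without CA:TRUE. This is the
  # "not allowed to issue certificates" case, and verify must reject the leaf.
  sign int.csr root.crt root.key v3_server bad_int.crt || return 1
  sign srv.csr bad_int.crt int.key v3_server bad_srv.crt || return 1
  ! openssl verify -CAfile root.crt -untrusted bad_int.crt bad_srv.crt >/dev/null 2>&1
}

build_and_verify && echo "chain verified; intermediate without CA:TRUE rejected"
```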


Re: Smartcard Authentication

2006-04-21 Thread So Gerald
A1: Nothing to do, because Windows would do it automatically via a CSP.
A2: Search in MSDN with the keyword "make a PKCS#10 request".
2006/4/22, Sven Löschner [EMAIL PROTECTED]:
Hello,

At the moment I have a site, where a user can login with a certificate I create and give to him. No problems so far.

But now I want two things:

1. I would like to write the certificate on a Smartcard, so the user can insert this smartcard and type a PIN to authenticate on the server, instead of the file-based variant above. I read a few websites, e.g. about the OpenSC project, but I don't know how to solve my problem.

2. The second one is a little bit easier, I hope. It would be nice to control all the certificates via web interfaces, so I would not have to do everything on the console :-) . A few months ago, I have seen a page where the administrator could easily insert all the user data into a web-based form and create the certificates this way, but I don't remember the site address :-(.

I hope someone can help me, or give me some hints to solve my problems.

P.S.: Especially the first one should work on Mozilla AND IE, because I often read about Mozilla-only solutions.

Sven