ASN1 verify problems
Hello,

I have got the test app ocsp.c (from the openssl distribution) that sends an OCSP request to a responder and verifies the result. This all works correctly and I am getting a valid response from a valid responder. However, exactly the same code with exactly the same certs and responder fails when I put it into my test app. The OCSP_RESPONSE_print() and OCSP_REQUEST_print() output exactly the same, but I get

    338:error:0D089041:asn1 encoding routines:ASN1_verify:malloc failure:.\crypto\asn1\a_verify.c:146:
    338:error:27069075:OCSP routines:OCSP_basic_verify:signature failure:.\crypto\ocsp\ocsp_vfy.c:98:

It seems to have problems decoding the ASN1 strings coming back, but why, if the code is exactly the same?

Regards,
Tat.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: OCSP_basic_verify
(sobbing) I have been looking for the documentation, but there is none. All I can see is the definition of some flags:

    #define OCSP_NOCERTS        0x1
    #define OCSP_NOINTERN       0x2
    #define OCSP_NOSIGS         0x4
    #define OCSP_NOCHAIN        0x8
    #define OCSP_NOVERIFY       0x10
    #define OCSP_NOEXPLICIT     0x20
    #define OCSP_NOCASIGN       0x40
    #define OCSP_NODELEGATED    0x80
    #define OCSP_NOCHECKS       0x100
    #define OCSP_TRUSTOTHER     0x200
    #define OCSP_RESPID_KEY     0x400
    #define OCSP_NOTIME         0x800

What are they?

Tat.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dr S N Henson
> Sent: 11 December 2001 18:21
> To: [EMAIL PROTECTED]
> Subject: Re: OCSP_basic_verify
>
> Tat Sing Kong wrote:
> >
> > Hi,
> >
> > I have been trying to figure out what the flags are for this function and
> > have come up with the following, can someone verify?
> >
> >     int OCSP_basic_verify(OCSP_BASICRESP *bs,    // the OCSP response
> >                           STACK_OF(X509) *certs, // intermediate signing certs
> >                           X509_STORE *st,        // trusted responder certs
> >                           unsigned long flags    // flags as defined in ocsp.h
> >     );
> >
> > Can someone tell me what the difference between "certs" and "st" is?
>
> certs is a stack of certificates which can aid the verify operation. For
> example if the response doesn't contain the signer's certificate it can
> look in there. st is a trusted certificate store which contains trusted
> certificates which are used to verify the signer's certificate.
>
> Setting various values for the flags can change the meaning somewhat
> too. The ocsp application source in apps/ocsp.c and documentation should
> help clarify this.
>
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Gemplus: http://www.gemplus.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Windows cert stores
Hello,

I want to be able to access the certificates for Windows that the certificate manager looks after (the trusted CAs that come with Windows). Where does Windows store these certificates, and in what format?

Tat.
OCSP_basic_verify
Hi,

I have been trying to figure out what the flags are for this function and have come up with the following, can someone verify?

    int OCSP_basic_verify(OCSP_BASICRESP *bs,    // the OCSP response
                          STACK_OF(X509) *certs, // intermediate signing certs
                          X509_STORE *st,        // trusted responder certs
                          unsigned long flags    // flags as defined in ocsp.h
    );

Can someone tell me what the difference between "certs" and "st" is?

Tat.
RE: Intermediate signing certs
That's me told then, so to authenticate a certificate you need the whole "chain" of certs going from the cert to authenticate all the way to a trusted CA. The application I am writing is presented with certs to authenticate from an external source, and the configuration has to hold a "pool" of trusted certs so you can check the certificates presented. It appears that this "pool" has to basically have every possible signer in it. I was kind of hoping that I could get away with only a couple of trusted CAs, and traverse the certificate hierarchy to these roots. Hold on, I can't do that because without the intermediate signer certs how can I figure out who signed them? Got it now.

Tat.

> > > Would this be a hassle if you have a root CA with a lot of intermediate
> > > signers? That means that you have to store/locate all possible intermediate
> > > signers to evaluate a couple of end user certificates.
> >
> > This is why PKCS12 (iirc) provides a mechanism to provide intermediate
> > certs with the final cert. The CA should have a suitable chain for its
> > own certs, and it can return the extra certs with everything that it
> > signs.
>
> This likely applies to PKCS7 Signed structure.
>
> > This doesn't help you when presented a naked cert by a stranger - you
> > still have to locate those intermediate certs - but at that point you
> > have more problems than just finding the intermediate certs. What does
> > it mean to have a full cert chain if the root is a self-signed cert by
> > "Bob's Bait Shop and Certificate Authority?"
>
> Any parseable certificate presented by a stranger is good enough to
> use that public key to send email encrypted to *his* private key.
> At least if there's no chance for man-in-the-middle.
>
> Probably you are talking about verification that the stranger is authorized
> by some big guy to pay. It's a completely different issue. Yes, one needs
> the (root) certificate of that big guy and intermediate certs to verify the chain.
>
> > You could decide to ignore any cert that's not from a major CA (which
> > would make the stockholders of Verisign very happy), but that misses
> > the point. An individual cert by Verisign really says very little about
> > the person, a cert signed by a small college for its students for
> > internal use may be rock solid.
>
> One could care about CA certificates related to his business, either
> well-known or private ones used to verify access to local resources.
>
> > On a related note, is there documentation on how to set up "well-
> > behaved" certs and PKCS12 bags? I couldn't find anything the last
> > time I checked, but maybe something has come out since then.
>
> Any problem with PKCS12 specifications published by RSA Labs?
> What is "well-behaved"?
>
> -vf
Intermediate signing certs
Hello,

If you have a signing hierarchy of A signs B, B signs C, and C signs D, so that A is your root CA and D is the end user certificate. If I want to check that D is signed by A, does that mean that intermediate signers B and C also have to be present in the certificate stack, or what openssl refers to as the cert chain?

Would this be a hassle if you have a root CA with a lot of intermediate signers? That means that you have to store/locate all possible intermediate signers to evaluate a couple of end user certificates.

Tat.
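The two threads above turn on the same distinction: Steve's reply about OCSP_basic_verify separates "certs" (an untrusted stack that merely supplies intermediates) from "st" (the trusted store that ends a chain), and the intermediate-signing-certs question asks why B and C must be available to get from D back to A. The following is an added example, not code from the list or from OpenSSL: a toy chain walker in C that models certificates as subject/issuer name pairs (no real signatures, no X.509 parsing) and shows why a missing intermediate or an unknown self-signed root fails. All names and the A-B-C-D hierarchy are constructed from the thread; `build_chain`, `toy_cert` and the result codes are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of a certificate: a subject name and an issuer name. "Issued by"
   is modelled as the issuer name matching a candidate's subject name; a real
   verifier also checks the signature with the issuer's public key. */
typedef struct {
    const char *subject;
    const char *issuer;
} toy_cert;

typedef enum {
    CHAIN_OK = 0,
    CHAIN_MISSING_ISSUER,   /* issuer found neither in the trusted store nor in the helper stack */
    CHAIN_UNTRUSTED_ROOT,   /* walked up to a self-signed cert that is not in the trusted store */
    CHAIN_TOO_LONG          /* depth limit hit (guards against loops in the helper stack) */
} chain_result;

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

static const toy_cert *find_by_subject(const char *name, const toy_cert *pool, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(pool[i].subject, name) == 0)
            return &pool[i];
    return NULL;
}

/* Walk from `leaf` towards a trusted root. `trusted` plays the role of the
   X509_STORE ("st"): only certs found there end a chain successfully.
   `helpers` plays the role of the untrusted STACK_OF(X509) ("certs"): it only
   supplies intermediates and never confers trust. On return *depth holds the
   number of certificates in the chain, leaf and root included. */
chain_result build_chain(const toy_cert *leaf,
                         const toy_cert *trusted, size_t n_trusted,
                         const toy_cert *helpers, size_t n_helpers,
                         int max_depth, int *depth)
{
    const toy_cert *cur = leaf;
    *depth = 1;
    for (;;) {
        if (*depth > max_depth)
            return CHAIN_TOO_LONG;
        /* A self-signed cert is a root: acceptable only if it is trusted. */
        if (strcmp(cur->subject, cur->issuer) == 0)
            return find_by_subject(cur->subject, trusted, n_trusted)
                   ? CHAIN_OK : CHAIN_UNTRUSTED_ROOT;
        /* Issuer is directly trusted: the chain is complete. */
        if (find_by_subject(cur->issuer, trusted, n_trusted)) {
            (*depth)++;
            return CHAIN_OK;
        }
        /* Otherwise the intermediate must come from the helper stack. */
        const toy_cert *next = find_by_subject(cur->issuer, helpers, n_helpers);
        if (next == NULL)
            return CHAIN_MISSING_ISSUER;
        cur = next;
        (*depth)++;
    }
}

/* Constructed sample hierarchy from the thread: A signs B, B signs C, C signs D. */
static const toy_cert trusted_store[]          = { {"A", "A"} };
static const toy_cert helper_stack_full[]      = { {"B", "A"}, {"C", "B"} };
static const toy_cert helper_stack_missing_b[] = { {"C", "B"} };
static const toy_cert leaf_d = {"D", "C"};

/* Constructed "stranger" case: a leaf issued by an unknown self-signed root. */
static const toy_cert helper_stack_bob[] = { {"Bob's Bait Shop CA", "Bob's Bait Shop CA"} };
static const toy_cert leaf_e = {"E", "Bob's Bait Shop CA"};

static const char *result_name(chain_result r)
{
    static const char *names[] = { "ok", "missing intermediate", "untrusted root", "too long" };
    return names[r];
}

int main(void)
{
    int depth;
    chain_result r;

    r = build_chain(&leaf_d, trusted_store, ARRAY_LEN(trusted_store),
                    helper_stack_full, ARRAY_LEN(helper_stack_full), 8, &depth);
    printf("D with B and C supplied: %s, depth %d\n", result_name(r), depth);

    r = build_chain(&leaf_d, trusted_store, ARRAY_LEN(trusted_store),
                    helper_stack_missing_b, ARRAY_LEN(helper_stack_missing_b), 8, &depth);
    printf("D with only C supplied:  %s, depth %d\n", result_name(r), depth);

    r = build_chain(&leaf_e, trusted_store, ARRAY_LEN(trusted_store),
                    helper_stack_bob, ARRAY_LEN(helper_stack_bob), 8, &depth);
    printf("E signed by Bob's CA:    %s, depth %d\n", result_name(r), depth);
    return 0;
}
```

The trusted store can stay small (just A) as long as the helper stack carries every intermediate between the leaf and A; the helper stack is consulted but never trusted, which is why a self-signed root that turns up only there is rejected.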
RE: installing,compiling openssl for usage in VC ++ 6
Here's what I did, from the openssl dir:

    perl util\mk1mf.pl VC-NT dll >ms/ntdll.mak

then

    nmake -f ms\ntdll.mak

If you look in ms\README, it tells you this; in a kind of cryptic-around-the-houses type way.

Tat.

> thanks for all the help everybody, but now i'll get path errors, i
> will download somewhere the libs i don't have the time to play
> around with perl and ...
> That is what i get if i call do_ms
>
> "C:\Encyrypting\openSSL\toolkit\openssl-engine-0.9.6b\ms>perl
> util\mkdef.pl 32 ssleay 1>ms\ssleay32.def
> The system cannot find the path specified."
>
> The paths are in my system environment, so i really don't know why
> the sys keeps on giving error messages about the paths.
>
> Thanks all
>
> Larry
RE: Java toolkit for SSL???
I'm sure I heard of one a while back called SSLava or something, but there definitely is one.

Tat.

> Hi,
>
> i tried to find a toolkit that can handle C and Java to make sure
> being 100% compatible, because we have a network client
> application written in C, and also a Browser application written in Java.
>
> Does anybody know a good SSL toolkit for java?
>
> Thanks
> Larry
OCSP verification
Hello,

I am looking at verifying the OCSP responses, in regard to verifying the OCSP signer certificate. I have been looking at OCSP_basic_verify, but can't figure it out, and there's no documentation. Can anyone shed any light?

Also, are there any code examples of walking up a CA chain and verifying certs along the way?

Tat.
Re: Newbie alert.. How do I..?
I generally re-post this onto the newsgroup every couple of weeks, but here's a newbie document:

http://www.consegna.co.uk/exchangeCentre.html

Hope this helps.

Tat.

Søren Erland Vestø wrote:
>
> Hi,
> I'm currently developing an application where I need to secure the
> communication between the client and the server. Someone then said to me:
> "Why don't you try OpenSSL". So, I have taken a look. Unfortunately I find
> the documentation to be... sparse in lack of a better word.
>
> Has anyone made a tutorial describing just how things fit together? Just a
> simple description of how to make a secure connection between a client and
> a server would go a _looong_ way.
>
> Kind regards,
>
> DNSPilot.com
> Søren Erland Vestø
> Main Coder
>
> DNSPilot.com - Frederiksgade 12 - DK-8000 Århus C
> Tel.: +45 86 19 04 36 - Cel.: +45 20 98 57 77
> http://www.dnspilot.com
>
> Please use PGP whenever possible. Public key ID: 0x1AA98855
> PGP fingerprint: FF51 3403 32EB 9696 3121 2D45 AF96 74D6 1AA9 8855
Re: Get Public Key in byte array
There are loads of d2i_ and i2d_ functions to do this. Have a look at the documentation, which is very good in this area.

Tat.

Antonio Ruiz Martínez wrote:
>
> Hello!
>
> How I can get the public key (from a certificate) in an array of
> bytes?
>
> Thanks in advance,
> Regards,
> Antonio.
>
> --
> Antonio Ruiz Martínez
> Facultad de Informática-Universidad de Murcia
> 30001 Murcia - España (Spain)
> Telf: +34-968-364644 e-mail: [EMAIL PROTECTED]
> --

--
+---
| Tat Sing Kong Bsc(Hons)
| Senior Technical Architect
| Consegna Advanced Technologies Ltd
| 1st Floor, 30-32 Thomas Street
| Manchester, M4 1ER, United Kingdom
| http://www.consegna.co.uk
| Tel : +44 (0)161 833 3777
| Fax : +44 (0)161 833 3636
| Email : [EMAIL PROTECTED]
+
This e-mail is from Consegna Advanced Technologies. The information in this e-mail and any files transmitted with it are confidential and may be legally privileged. It is intended solely for the stated recipient. Access to this e-mail by anyone else is unauthorised. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. If you have received this e-mail in error please notify [EMAIL PROTECTED] or telephone +44 (0)161 833 3777. Views or opinions expressed by an individual within this e-mail may not necessarily reflect the views of Consegna Advanced Technologies.
+-
Repost: Useful newbie document
I've written a document as part of my own openSSL notes that describes how to code an SSL client and server using the openSSL libraries. It's a bit noddy but it does the job. These might be useful for people just starting (I know I was looking for such a document when I started).

http://www.consegna.co.uk/exchangeCentre.html

The form filling is optional, so don't worry about that unless you absolutely want to :)

Good luck!

Tat.
Re: Repost: Useful newbie document
Yes, I suppose so. How should we go about this?

Tat.

Remo Inverardi wrote:
>
> > I've written a document as part of my own openSSL notes that describes
> > how to code an SSL client and server using the openSSL libraries. It's
> > a bit noddy but it does the job.
>
> When I started coding with OpenSSL, I remember looking for a document like
> that as well. What about including it in future OpenSSL distributions?
> Compressed documentation takes almost no space, and the more documentation,
> the better.
>
> Byebye, Remo
Re: Enter PEM pas phrase:
    /* Without a password callback, OpenSSL's default callback uses the
       userdata pointer itself as the pass phrase. The placeholder below
       stands for the real pass phrase string. */
    SSL_CTX_set_default_passwd_cb_userdata(pNewContext, "<pass phrase>");
    /* ... load in pem file ... */
    SSL_CTX_set_default_passwd_cb_userdata(pNewContext, "");

Xeno Campanoli wrote:
>
> I get the above prompt when passing any certificate/privatekey
> (including one without a passphrase) to my Net::SSLeay.pm perl
> programmed client. How can I pass the pass phrase to these routines and
> stop the prompting from happening? The prompt appears to live in:
>
> crypto/pem/pem_lib.c
>
> My perl code looks more or less like this:
>
>     Net::SSLeay::CTX_use_RSAPrivateKey_file($this->{ctx},
>                                             $this->{privatekey_filespec},
>                                             &Net::SSLeay::FILETYPE_PEM);
>     Net::SSLeay::CTX_use_certificate_file($this->{ctx},
>                                           $this->{certificate_filespec},
>                                           &Net::SSLeay::FILETYPE_PEM);
>
> with error handling removed. I do CTX_set_options before that, and do
> the rest afterward. Everything else seems to be working in all related
> circumstances. However, the first call above seems to yield the prompt
> I gave in my subject line:
>
> Enter PEM pas phrase:
>
> and since this is an automated program, I don't want that. I'm looking
> around for how to do this the other way in Perl, but I don't see the
> routines. If anyone has any suggestions they would be appreciated.
>
> Sincerely, Xeno
>
> formerly subscribed from [EMAIL PROTECTED]
>
> --
> Xeno Campanoli - Aspiring and self-appointed member of the Diligentsia,
> generally eschewing Dilatorian digressions and Obnoxioso expenditures.
> Email: [EMAIL PROTECTED] (home home page: http://www.aa.net/~xeno
Repost: Useful newbie document
I've written a document as part of my own openSSL notes that describes how to code an SSL client and server using the openSSL libraries. It's a bit noddy but it does the job. These might be useful for people just starting (I know I was looking for such a document when I started).

The last time I posted this message I asked people to email me personally, and I got inundated with emails. Therefore I asked if my company could make some space on the corporate web site:

http://www.consegna.co.uk/exchangeCentre.html

The form filling is optional, so don't worry about that unless you absolutely want to :)

Good luck!

Tat.
OCSP memory leaks
Anyone using the OCSP beta stuff in the snapshot of openSSL? I am getting memory leaks for it, but when I do add the freeing code it crashes. Here's the sequence:

    OCSP_REQUEST_free(pOCSPRequest);
    OCSP_RESPONSE_free(pResponse);
    // Next line crashes
    OCSP_BASICRESP_free(pOCSPBasic);
    OCSP_CERTID_free(pID);

I am following what the demo app does. However, I don't sign the OCSP requests.

Tat.
Re: Open SSL server side in Windows
Filipe,

I have successfully implemented some openSSL with Windows NT. The problem you are describing could be due to:

1) The client rejecting the server cert because it does not trust it.
2) The server not sending the client a list of recommended CAs.
3) The server cert not having the same name as the machine it comes from (see an earlier question I posted the other day).
4) Problems with ssl2/3 - hardcode version 2 or 3. I just had the same problem.

The best thing to try is the openssl s_server/s_client program as it prints out lots of debug.

Tat.

Filipe Contente wrote:
>
> Hi!!
>
> I'm trying to implement a Open SSL server in windows with c++,
> and i'm with problems when i try to get the client certificate!!
> Does anyone have already implement a server side in Windows???
>
> All the examples i saw was in Linux, i've never heard of one example that
> works with Windows. The Client side works ok!!
>
> I'm generating the certificates in Linux and i use them in windows,
> there is any problem with this??
> The c_rehash have any effect in windows??
>
> Thank, Filipe Contente
bad mac decode error
I have got an LDAP client talking to an LDAP server using SSL no problems. I am now using the openssl s_client program to talk to the LDAP server using the same security certs etc. However, after the ChangeCipherSpec messages I get

    bad mac decode

So I guess something has gone very wrong somewhere. I thought there was only one SSL protocol; if it works for one SSL server/client, it should work for all clients, servers etc?

Any ideas?

Tat.
Useful newbie document
I've written a document as part of my own openSSL notes that describes how to code an SSL client and server using the openSSL libraries. It's a bit noddy but it does the job. These might be useful for people just starting (I know I was looking for such a document when I started), so if you want a copy then email me personally. Put "SSL doc request" in the subject header.

Tat.
Re: OpenSSL client-server connectivity problem
What is your command line for the server end?

Tat.

Puneet Parashar wrote:
>
> Hi,
>
> i downloaded the openssl cryptographic library and toolkit from the openssl
> web site. The compile and make has been done to produce dlls and lib files.
> I have a openssl server running on my machine (port 4433). Now when i try to
> make a client using:
>
>     openssl s_client -connect (my_server_ip):4433 -state -debug
>
> the client terminates giving the following error:
>
>     SSL_connect: failed in SSLv3 read server hello A
>     346:error:140790E5:SSL routines:SSL23_Write:SSL handshake error:.\ssl\s23_lib.c:216:
>
> Why is the client terminating in the handshake process??
>
> Warm regards,
> Puneet Parashar
> Infosys®
>
> __
> Powered by Intellect, Driven By Values
Re: Programmers reference for Openssl APIs
I was discussing this with some colleagues the other day; if someone wrote a book called "Implementing SSL using openSSL" they would make an absolute killing. Why doesn't anyone do it?

Tat.

Louis LeBlanc wrote:
>
> Lutz Jaenicke wrote:
> >
> > On Wed, Dec 06, 2000 at 12:36:47PM -0800, Hegde, Ramdas wrote:
> > > Thanks for the site. But I am looking for something more detailed for each
> > > SSL API.
> > > Something for a SSL beginner looking at what are the APIs to do SSL3. Any
> > > references would be appreciated.
> >
> > There is no "User's Guide" as of now. Please check out the example applications
> > included in the OpenSSL distribution and applications using OpenSSL for
> > examples.
> > With respect to detailed API documentation: it is being worked on; today
> > I worked halfway through the upcoming manual page for SSL_CTX_use_certificate
> > and friends. It will for sure be added until the weekend. Please check the
> > latest snapshots and/or the OpenSSL website to access the latest state
> > of manual pages.
> >
> > Best regards,
> > Lutz
> > --
>
> You know, I recently went looking for this page. I had it linked in my
> bookmarks. I remember it was extraordinarily helpful when I started
> working on a client side SSL based app. I am just wondering if anyone
> might just happen to have a cached or saved copy of this page. It
> certainly would answer a lot of the questions posted by newbies!
>
> Besides, even if it is somewhat outdated, the translation to the current
> code is still relatively easy. It has the good quality of being right
> to the point and it is much more readable than any of the sample apps
> (no offense to any of the authors :).
>
> If anyone has this doc or something like it, please post it.
>
> Thanks
> L
> --
> Louis LeBlanc
> Fully Funded Hobbyist, KeySlapper Extrordinaire :)
> [EMAIL PROTECTED]
> http://acadia.ne.mediaone.net
STL and openSSL don't mix?
Hello everybody,

I've written some C++ stuff, and some wrappers for OpenSSL, which compile fine on VC++ 6.0; however, when I put them together the compiler is complaining because openSSL uses variable names like "modulus" and "list" which are also used by the STL stuff. Anyone know a way around this? I guess namespaces have something to do with it, I hope; I don't want to go around editing the STL or openSSL.

Tat.
Microsoft Certs Security alert
Verisign have issued Microsoft certs by accident. Could pose serious security breach.

http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

Tat.
OCSP docs
I've got apps\ocsp.c, but does anyone have any nice documentation on the OCSP API part of openssl?

Tat.
Re: Openssl 0.9.7 ETA?
I got openssl-snap-20010319. I am using Microsoft Visual C++ 6.0 on NT 4.0. I removed the following entry points from the libeay32.def file. I guess they weren't present but I didn't look any further:

    EC_GFp_nist_method
    EC_GFp_recp_method

Tat.

Richard Levitte - VMS Whacker wrote:
>
> From: Tat Sing Kong <[EMAIL PROTECTED]>
>
> tsk> Anyone know when this is due?
>
> No. In the mean time, it would be really helpful if you would tell us
> exactly what kind of mangling you need to do. That might help make it
> work properly on your platform...
>
> tsk> I would like to use some of the OCSP stuff, but I am a bit worried
> tsk> because I had to mangle some of the source files to compile it.
>
> --
> Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
> Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
> Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
> Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
> Member of the OpenSSL development team: http://www.openssl.org/
> Software Engineer, Celo Communications: http://www.celocom.com/
>
> Unsolicited commercial email is subject to an archival fee of $400.
> See <http://www.stacken.kth.se/~levitte/mail/> for more info.
Openssl 0.9.7 ETA?
Anyone know when this is due?

I would like to use some of the OCSP stuff, but I am a bit worried because I had to mangle some of the source files to compile it.

Tat.
Re: validity time
This is how I do it, I stole it from the examples.

    X509 *pCert;        /* the certificate being issued (already created and populated) */
    int expiryYears;    /* requested lifetime in years */

    /* valid from: now (an offset of 0 seconds from the current time) */
    X509_gmtime_adj(X509_get_notBefore(pCert), 0);

    /* valid to: now + expiryYears years of 365 days; the (long) cast keeps the
       product in long, and on a platform with a 32-bit long it overflows past 68 years */
    X509_gmtime_adj(X509_get_notAfter(pCert), (long)60*60*24*expiryYears*365);

> How do i set the "Valid from" and/or "Valid to" parameters in the
> certificate?
> 
> 
> ~~
> Pablo Millet
> Red Message
> Web Developer & Designer
> Mob.: 0706 - 762 556
> 
> www.redmessage.com
> ~~
Re: Protocol messages
Greg,

I was in the book store for a while deciding whether to go for Rescorla's or Thomas's. I got the Thomas book, damn.

Any info regarding the protocol would be helpful as I am getting nowhere with this Netscape LDAP stuff, even the messages from it are completely screwed.

Tat.

Greg Stark wrote:
> 
> Tat,
> 
> This is an SSLv2 backward compatible hello message carried in an SSLv2
> record layer. The first byte 0x80 has the high bit set to 1, which signals
> that the length of the record should be computed from the remaining 7 bits
> of the byte and the next byte, thus the length of the record is 0x5b bytes.
> The rest of the message should follow section 4.19 of Rescorla's book, or
> section E.1 of RFC2246.
> 
> This kind of client hello message is produced by the
> SSLv23_client_method() of OpenSSL
> (http://www.openssl.org/docs/ssl/SSL_CTX_new.html#).
> 
> I can't seem to find a description of the SSLv2 record protocol in any
> of the TLS or SSLv3 rfc's or draft RFC's. I do have an HTML document that I
> scrounged from somewhere (probably sun) describing SSLv2. I'd be glad to
> e-mail to anyone or post it to the list.
> 
> Greg Stark
> Ethentica, Inc.
> [EMAIL PROTECTED]
> 
> - Original Message -
> From: "Tat Sing Kong" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, February 23, 2001 11:59 AM
> Subject: Protocol messages
> 
> > According to my SSL book, a clientHello looks like this:
> >
> > (decimal values)
> >
> > 22 3 0 13 0
> >
> > But what I get from my SSL client is this:
> >
> > (in hex)
> >
> > 80 5b 01 03 01 00 42 ...
> >
> > Which looks nothing like the book says, but it works anyway.
> >
> > Then with my Netscape LDAP client, the cipher and compress fields are
> > completely missing. What gives?
> >
> > It should be noted that I can't get Netscape LDAP over SSL to work at
> > all...
> > Tat.
Protocol messages
According to my SSL book, a clientHello looks like this:

(decimal values)

22 3 0 13 0

But what I get from my SSL client is this:

(in hex)

80 5b 01 03 01 00 42 ...

Which looks nothing like the book says, but it works anyway.

Then with my Netscape LDAP client, the cipher and compress fields are completely missing. What gives?

It should be noted that I can't get Netscape LDAP over SSL to work at all...

Tat.
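Greg's explanation of the 0x80 record header in the reply above and the "80 5b 01 03 01 00 42 ..." bytes quoted in this post, worked through as an added example that is not code from the thread: a parser for the SSLv2-compatible ClientHello (RFC 2246 appendix E.1) that checks that the length fields add up, lists the offered cipher specs, and tells that framing apart from the SSLv3/TLS record the book shows. The bytes after the quoted prefix (the 22 cipher specs and the 16-byte challenge) are constructed, not captured.

```python
# Added example: parse and sanity-check an SSLv2-compatible CLIENT-HELLO.
# The sample record is constructed around the prefix quoted in the post.
import struct

def parse_v2_record_header(data: bytes) -> int:
    """2-byte SSLv2 header: high bit set, length = low 7 bits + next byte."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a 2-byte SSLv2 record header")
    return ((data[0] & 0x7F) << 8) | data[1]

def parse_v2_client_hello(data: bytes) -> dict:
    """Decode the CLIENT-HELLO body and verify its lengths are consistent."""
    length = parse_v2_record_header(data)
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated record: header says %d, have %d" % (length, len(body)))
    if body[0] != 0x01:
        raise ValueError("SSLv2 message type %#x is not CLIENT-HELLO" % body[0])
    major, minor, cs_len, sid_len, chal_len = struct.unpack(">BBHHH", body[1:9])
    if cs_len % 3:
        raise ValueError("cipher spec length is not a multiple of 3")
    if 9 + cs_len + sid_len + chal_len != length:
        raise ValueError("field lengths do not add up to the record length")
    specs = body[9:9 + cs_len]
    ciphers = [specs[i:i + 3] for i in range(0, cs_len, 3)]
    # V3/TLS suites ride in a V2 hello as 0x00 + the 2-byte suite id;
    # any other leading byte is a genuine SSLv2-only cipher spec.
    v2_only = [c for c in ciphers if c[0] != 0x00]
    return {
        "version": (major, minor),
        "ciphers": ciphers,
        "v2_only_ciphers": v2_only,
        "session_id": body[9 + cs_len:9 + cs_len + sid_len],
        "challenge": body[9 + cs_len + sid_len:9 + cs_len + sid_len + chal_len],
    }

def classify_hello(data: bytes) -> str:
    """SSLv2 framing (what SSLv23_client_method() sends) or a plain SSLv3/TLS record."""
    if not data:
        return "unknown"
    if data[0] & 0x80:
        return "sslv2-compatible"
    if data[0] == 22:  # TLS content type handshake
        return "sslv3/tls"
    return "unknown"

# Constructed sample: 22 three-byte specs (0x42 = 66 bytes), no session id, 16-byte challenge.
SAMPLE_CIPHERS = b"".join(bytes([0x00, 0x00, n]) for n in range(1, 22)) + b"\x01\x00\x80"
SAMPLE_HELLO = bytes([0x80, 0x5B, 0x01, 0x03, 0x01, 0x00, 0x42, 0x00, 0x00, 0x00, 0x10]) + SAMPLE_CIPHERS + bytes(range(16))
```

The 0x5b length works out as 9 header bytes plus 66 bytes of cipher specs plus a 16-byte challenge, which is why the quoted prefix is consistent with a full 22-suite offer.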
Continuing adventures of LDAP over SSL
Using my SSL server, I have connected to it using the Netscape LDAP SDK. Here is the console:

    SSL_accept:before SSL initalisation
    SSL_accept:SSLv3 read client hello A
    SSL_accept:SSLv3 write server hello A
    SSL_accept:SSLv3 write certificate A
    SSL_accept:SSLv3 write key exchange A
    SSL_accept:SSLv3 write server done A
    SSL_accept:SSLv3 flush data
    SSL3 alert read:fatal:bad certificate
    SSL_accept:failed in SSLv3 read client certificate A

I haven't asked for a client certificate, so I don't know why it's reading a "bad" client cert. I changed my client code so that it does send a certificate, but the console still complains about the same things.

Does anyone have any ideas?

Thanks in advance,
Tat.
LDAP over SSL
Has anyone successfully got the Netscape LDAP SDK to talk to an SSL server written using openssl?

On my server I have done...

    SOCKET sock;
    m_pSSLContext = SSL_CTX_new(SSLv23_client_method());
    m_pSSL = SSL_new(m_pSSLContext);
    SSL_set_fd(m_pSSL, sock);
    SSL_accept(m_pSSL);

On my client...

    ldapssl_client_init("c://temp//cert7.db", NULL);
    pSession = ldapssl_init(HOST, SPORT, 1);
    ldap_simple_bind_s(pSession, pszUserID, pszPassword);

However, my server call to SSL_accept() falls over. I know that the certificates probably don't match, but is there something more fundamental I am missing out? The docs aren't much help...

Tat.
Re: link problems on NT with openssl 096
I've seen it, and fixed it. Rather unhelpfully, I can't fully remember how.

    C/C++ -> Code Generation -> (Debug) Multi-threaded DLL

Make sure that you are consistent with your use of this DLL in making your lib, and then .exe

hth
Tat.

> Matthieu Ludinard wrote:
> 
> Hi,
> 
> We develop an application running on NT and Solaris with openssl 092b.
> I compile openssl 096 on Solaris and NT using Visual C++ 6 and when I try to recompile my
> application with openssl 096 on Visual 6, I have got the link error messages :
> conflicts with default library (MSVCRT,LIBC and LIBCD)
> if I use the option /nodefaultlib to ignore the default library I have got the error messages :
> unresolved external symbol.
> Have you got any idea to solve this problem ?
> thanks,
> 
> Matthieu Ludinard
SSL proxy
I am trying to proxy an SSL connection for a number of SSL servers, so therefore a client needs to negotiate with me before I can decide which real SSL server to connect to.

If we assume that none of the SSL Server Certificates are related, i.e. they don't have the same CA, then the proxy will have to be able to send all possible certs out to the client that connects. Looking at the API, and the SSL spec, this isn't possible.

There are SSL proxies out there, so how do they work?

Thanks,
Tat.
Re: Can somebody list detailed steps about how to renew a cert?
Don't you just take the existing key pair (don't forget; key pairs never expire, certs do), and re-submit a cert request?

Tat.

Song Yi wrote:
> 
> Thanks in advance.
Re: Help ! Please help me !
Oh dear, sounds like you're in a right pickle.

Don't forget to call this first:

    SSLeay_add_all_algorithms();

It fills out some structures in the SSL library that may be the cause of your problems (I had the same problems as you, and this fixed it, after much debugging).

There's no need to call RSA_new() as RSA_generate_key() allocates the memory for you.

I am using ssl 0.9.0b, but I think it's more or less the same as openssl.

Good luck!
Tat.

It fills in some static data in the crypto lib and may be the cause of your problem.

"Andr0xL1A0zs_Joo/Digital_Reality/MSM/IBCGroup%IBCGROUP" wrote:
> 
> Hi, I'm a beginner programmer and I have been dropped into a big
> cryptographic project. My boss went away, and told me what to do until he
> comes back.
> I have to do the following things in C:
> 
> -generate an RSA key pair
> -write it out in a file in DER or PEM format
> 
> I tried the following code:
> 
> #include <stdio.h>
> #include <openssl/rsa.h>
> #include <openssl/pem.h>
> #include <openssl/rand.h>
> 
> int main(void)
> {
>     RSA *rsa;
>     FILE *file;
>     int modulus_size = 1024;
>     int public_exponent = 65535;
>     RAND_screen();            /* seed the PRNG from the Windows screen contents */
>     rsa = RSA_new();          /* leaked: RSA_generate_key() below allocates its own */
>     rsa = RSA_generate_key(modulus_size, public_exponent, NULL, NULL);
>     file = fopen("out.rsa", "w");
>     PEM_write_RSAPrivateKey(file, rsa, NULL, NULL, 0, NULL, NULL);  /* unencrypted PEM */
>     fclose(file);
>     return 0;
> }
> 
> But I get a nice error box from Windows with the following: This program
> has performed an illegal operation, and will be closed
> 
> The problem must be with the PEM_write_RSAPrivateKey.
> 
> What should I do ?
> Or if you can't tell how to write in DER format, then just simply tell how
> the RSA_print_fp(..) function works because I've got the same error message
> with it.
> 
> Thank you
> 
> Joo Andras
Re: SSL examples
I find some of the example stuff pretty mind blowing, what I would like to see is something like...

    First of all set this up
    Wait for a connection
    Do a bit of handshaking
    Send some data
    Clean up

With all the function calls involved.

One of the things I don't understand is what is the difference between SSL_use_certificate() and SSL_CTX_use_certificate(), the examples you mention don't use this, but a skeleton server in demos\ssl does. That's where the contradictions come in.

Going into this blind, I don't really know where to start. I am familiar with the crypto part of the library, but I am learning again from scratch.

Tat.

Greg Stark wrote:
> 
> > There is an example with the source distribution, but it appears to
> > contradict some of the documentation.
> 
> How so? Please be more specific. Also, look at the s_client.c and
> s_server.c applications in the apps/ directory. They illustrate a great deal
> of the SSL library.
> 
> Greg Stark
> Ethentica, Inc.
> [EMAIL PROTECTED]