CERT with two IPs ????
Hello,

I am using imaps to retrieve my mail. My IMAP server has both a public IP address and a non-routable address that we use here on the local LAN. From outside the network, users at home are able to retrieve mail without problem. However, here on the LAN, where we use the non-routable address to retrieve mail, we get a warning every time we go to retrieve mail. The warning is:

    The server you are connecting to is using a security certificate which is expired or is not yet valid. Do you wish to continue using this server?

I think the problem might be that the server's certificate is tied to the external IP address. If I do an nslookup here on the LAN for mailhost, both the routable and non-routable IPs will be returned. Can someone help me out with a solution or workaround on this? I would greatly appreciate it.

Thanks

__
Terrorist Attacks on U.S. - How can you help?
Donate cash, emergency relief information
http://dailynews.yahoo.com/fc/US/Emergency_Information/
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
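Added example, not part of the original post: the two checks a mail client runs before it shows a warning like the one above, the validity window and whether the name (or IP) the user typed is covered by the certificate. The certificate fields, hostname and IP below are constructed placeholders, not the poster's real values.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed stand-in for the server certificate discussed above: it names
# only the external hostname and public address, not the LAN name or LAN IP.
# (Placeholder name and documentation-range IP, not the poster's real values.)
CERT = {
    "not_before": datetime(2001, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2002, 1, 1, tzinfo=timezone.utc),
    "common_name": "mailhost.example.org",
    "san_dns": ["mailhost.example.org"],
    "san_ip": ["203.0.113.10"],
}
NOW = datetime(2001, 9, 1, tzinfo=timezone.utc)   # "today" for the check

def _dns_match(pattern, host):
    """RFC 6125-style name match: exact, or a single left-most wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == pattern[2:]
    return False

def check_cert(cert, target, now=NOW):
    """Reasons a client would warn when connecting to `target`; [] if none."""
    problems = []
    if now < cert["not_before"]:
        problems.append("not yet valid")
    if now > cert["not_after"]:
        problems.append("expired")
    try:
        ip = ipaddress.ip_address(target)          # client typed an IP
        name_ok = any(ip == ipaddress.ip_address(a) for a in cert["san_ip"])
    except ValueError:                             # client typed a hostname
        names = cert["san_dns"] or [cert["common_name"]]  # CN only without SAN
        name_ok = any(_dns_match(p, target) for p in names)
    if not name_ok:
        problems.append("name mismatch")
    return problems
```

Running check_cert against the LAN address or the short name "mailhost" returns "name mismatch", which is the situation described above: the fix is a certificate whose subjectAltName lists every name and address clients actually use.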
no authentication vs plaintext+TLS
Hello,

Can someone elaborate on these two log entries:

Aug 27 21:22:12 catfish imapd[3449]: [ID 781445 local6.notice] starttls: TLSv1 with cipher RC4-MD5 (128/128 bits) no authentication
Aug 27 21:22:14 catfish imapd[3449]: [ID 237943 local6.notice] login: chirs.home.net[206.150.228.61] chirs plaintext+TLS

Why no authentication when I am using sasl? Is this actually being encrypted then? Any feedback would be appreciated.

Thanks

__
Do You Yahoo!?
Make international calls for as low as $.04/minute with Yahoo! Messenger
http://phonecard.yahoo.com/
with cipher RC4-MD5 (128/128 bits) no authentication
Hello,

I am using Cyrus 2.0.16 and OpenSSL 0.9.6 and am using Outlook as my client to retrieve mail. The client craps out with a very generic error message:

    Could not fetch new headers in the inbox for catfish.jmq.net. An unknown error has occurred. Please save any existing work and restart the program.

I have verified that STARTTLS is working fine using:

    openssl s_client -connect localhost:993

which outputs the following (I have omitted the certificate output):

SSL handshake has read 1096 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 3DC0048E72D7B5B4EFC7ADC0EB3C5A83AA45EE6367BABDEE2F2B5EF5DAB643DA
    Session-ID-ctx:
    Master-Key: A21B525CF050B216E85B69E6027EAA66BA3AF6E867C4CDF8B62752F5D3F4AC0F9FE5C6EDF583DF3845A55D01554696F5
    Key-Arg   : None
    Start Time: 998891753
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK catfish Cyrus IMAP4 v2.0.16 server ready

This looks to me like things are ok. However, when I view the log entry from my home client I see the following in my impad.log:

Aug 27 01:51:38 catfish master[3266]: [ID 392559 local6.debug] about to exec /usr/local/bin/imapd
Aug 27 01:51:38 catfish service-imaps[3266]: [ID 518349 local6.debug] executed
Aug 27 01:51:38 catfish imapd[3266]: [ID 921384 local6.debug] accepted connection
Aug 27 01:51:38 catfish imapd[3266]: [ID 459655 local6.notice] TLS engine: cannot load CA data
Aug 27 01:51:38 catfish imapd[3266]: [ID 781445 local6.notice] starttls: TLSv1 with cipher RC4-MD5 (128/128 bits) no authentication
Aug 27 01:51:38 catfish master[3004]: [ID 310780 local6.debug] process 3266 exited, status 0
Aug 27 01:55:53 catfish master[3280]: [ID 392559 local6.debug] about to exec /usr/local/bin/imapd
Aug 27 01:55:53 catfish service-imaps[3280]: [ID 518349 local6.debug] executed
Aug 27 01:55:53 catfish imapd[3280]: [ID 921384 local6.debug] accepted connection
Aug 27 01:55:53 catfish imapd[3280]: [ID 459655 local6.notice] TLS engine: cannot load CA data
Aug 27 01:55:53 catfish imapd[3280]: [ID 781445 local6.notice] starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits) no authentication
Aug 27 02:00:06 catfish imapd[3280]: [ID 921384 local6.debug] accepted connection
Aug 27 02:00:06 catfish imapd[3280]: [ID 781445 local6.notice] starttls: TLSv1 with cipher RC4-MD5 (128/128 bits) no authentication
Aug 27 02:00:06 catfish master[3004]: [ID 310780 local6.debug] process 3280 exited, status 0

Could someone help me out here? It's late and I am a bit at a loss. I checked the archives but found little to go on.

Thanks in advance
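Added example, not part of the original posts: a small classifier for the Cyrus imapd "starttls:" and "login:" syslog lines quoted in this post and in the "no authentication vs plaintext+TLS" post above. It treats "no authentication" as Cyrus reporting that no client certificate was verified (the session is still encrypted), correlates it with an earlier "cannot load CA data" from the same process, flags weak cipher suites, and flags a "plaintext" login that is not wrapped in TLS. The sample lines are constructed after the ones in the posts.

```python
import re

# Constructed sample, modelled on the lines quoted in the posts.
SAMPLE_LOG = """\
Aug 27 01:51:38 catfish imapd[3266]: [ID 459655 local6.notice] TLS engine: cannot load CA data
Aug 27 01:51:38 catfish imapd[3266]: [ID 781445 local6.notice] starttls: TLSv1 with cipher RC4-MD5 (128/128 bits) no authentication
Aug 27 21:22:14 catfish imapd[3449]: [ID 237943 local6.notice] login: chirs.home.net[206.150.228.61] chirs plaintext+TLS
Aug 27 21:30:02 catfish imapd[3460]: [ID 237943 local6.notice] login: host.example[192.0.2.7] bob plaintext
"""

STARTTLS_RE = re.compile(
    r"imapd\[(?P<pid>\d+)\].*starttls: (?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\) (?P<auth>.+)$")
LOGIN_RE = re.compile(
    r"imapd\[(?P<pid>\d+)\].*login: (?P<host>\S+) (?P<user>\S+) (?P<mech>\S+)$")
CA_RE = re.compile(r"imapd\[(?P<pid>\d+)\].*TLS engine: cannot load CA data")
WEAK_CIPHERS = ("RC4", "DES-CBC3", "EXP", "NULL")   # prefixes to flag

def analyse(log_text):
    """Return one finding dict per starttls/login event, with warnings attached."""
    findings, no_ca = [], set()
    for line in log_text.splitlines():
        if m := CA_RE.search(line):
            no_ca.add(m["pid"])          # this process cannot verify client certs
        elif m := STARTTLS_RE.search(line):
            warn = []
            if any(m["cipher"].startswith(w) for w in WEAK_CIPHERS):
                warn.append("weak cipher")
            if m["auth"] == "no authentication":
                warn.append("client cert not verified"
                            + (" (no CA loaded)" if m["pid"] in no_ca else ""))
            findings.append({"event": "starttls", "pid": m["pid"],
                             "cipher": m["cipher"], "bits": int(m["bits"]),
                             "warnings": warn})
        elif m := LOGIN_RE.search(line):
            # "plaintext+TLS": password inside the TLS session; bare "plaintext": not.
            warn = ["password sent in the clear"] if m["mech"] == "plaintext" else []
            findings.append({"event": "login", "pid": m["pid"], "user": m["user"],
                             "mech": m["mech"], "warnings": warn})
    return findings
```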
Expecting CERTIFICATE and missing asn1 ?
Hello,

I am currently running secure imap (imaps) on port 993. When I use the openssl client to connect to this port I got the following errors:

catfish# openssl s_client -connect localhost:993 -cert /var/imap/cert.pem
unable to get certificate from '/var/imap/cert.pem'
1853:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: CERTIFICATE
1853:error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos:ssl_rsa.c:534:

I looked at my server's cert (which also has the private key and the password removed) using:

    openssl rsa -noout -text -in path/mycert.key

and there were no errors reported. Could someone provide me with some feedback on this? I would greatly appreciate it.

Thanks
problems with CERT start line
Hello,

I have a secure imap server running but have no luck connecting to the port (993). OpenSSL seems to detect something wrong with my certs? Below are the errors that were produced using s_client. If someone could give me some feedback I would greatly appreciate it.

Thanks

catfish# openssl x509 -noout -modulus -in /var/imap/key.pem
unable to load certificate
1874:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE

catfish# openssl s_client -connect localhost:993
CONNECTED(0003)
1875:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:

catfish# openssl s_client -connect localhost:993 -cert /var/imap/cert.pem
unable to get certificate from '/var/imap/cert.pem'
1877:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: CERTIFICATE
1877:error:140AD009:SSL routines:SSL_CTX_use_certificate_file:missing asn1 eos:ssl_rsa.c:534:
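Added example, not part of the original posts: a PEM block lister that reproduces the check behind the "PEM_read_bio:no start line ... Expecting: CERTIFICATE" errors in this post and in the "Expecting CERTIFICATE and missing asn1" post above. OpenSSL scans the file for a "-----BEGIN <label>-----" line of the type it needs; a file holding only a private key, or a DER file, has none, so the read fails before any ASN.1 is parsed. The PEM samples below are constructed with dummy bodies, not the poster's files.

```python
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S)

def pem_labels(text):
    """Labels of all well-formed PEM blocks in `text`, in file order."""
    return [m["label"] for m in PEM_RE.finditer(text)]

def explain_expectation(text, expected):
    """Mimic the openssl x509 / s_client -cert check: is a block of type `expected` present?"""
    labels = pem_labels(text)
    if expected in labels:
        return f"ok: found {expected}"
    if not labels:
        return "no start line: no PEM blocks at all (a bare key, or DER rather than PEM?)"
    return f"no start line: expected {expected}, file only has {', '.join(labels)}"

# Constructed PEM-shaped samples (bodies are dummy base64, not real keys or certs).
KEY_ONLY = "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
COMBINED = KEY_ONLY + "-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Same situation as the post: a key file handed to a certificate reader.
    print(explain_expectation(KEY_ONLY, "CERTIFICATE"))
    print(explain_expectation(COMBINED, "CERTIFICATE"))
```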
Re: OpenSSL on itanium
Nice observations. The alpha is gone now? When did DEC discontinue it? Lastly, in the measurement what does um stand for?

Thanks

--- Bryan-TheBS-Smith [EMAIL PROTECTED] wrote:
> Diarmuid Oneill wrote:
> > When I download and build OpenSSL (which works fine!) and run the openssl speed rsa1024 tests, I get around 68 rsa signings/sec. When I run this on a 4 CPU (700Mhz) P3 machine I get around 103 private rsa signings/sec. I understand that the test is running on 1 cpu only but that's the case for both machines.
>
> It looks like most of the functions are integer. Itanium is slower, MHz for MHz, than just about any x86 Pro+ processor at integer (even using optimized code). Only at floating point does Itanium do about 2x a P3, MHz for MHz (and the P4 is slower than the P3, MHz for MHz, unless you use lossy/interpolated SSE instructions).
>
> -- TheBS
>
> P.S. It's sad to see a 3-year old design at 0.35um, the Alpha 264 667MHz/4MB, can toast the 0.13um Itanium 733MHz/4MB at floating point. Too bad Alpha is gone now.
>
> --
> Bryan "TheBS" Smith   mailto:[EMAIL PROTECTED]   chat:thebs413
> Engineer     AbsoluteValue Systems, Inc.   http://www.linux-wlan.org
> President    SmithConcepts, Inc.           http://www.SmithConcepts.com
Re: SSL_connect:error
Thanks for your reply Lutz. I do have a /dev/unrandom though, which is a link to /dev/random, and I see the presence of a /.rnd file. Doesn't this mean that openssl is starting up correctly? Also, can you tell me how to add RAND_egd(/path/to/egd-socket); to the beginning of an application, in my case IMAP? I.e. what is the procedure for doing this? I will run ssldump.

Thanks again

--- Lutz Jaenicke [EMAIL PROTECTED] wrote:
> On Sat, Aug 18, 2001 at 10:01:05PM -0700, chirs charter wrote:
> > I am using openssl-0.9.6 on a Solaris box. I am currently using a temporary self signed certificate. The OS is Solaris 8. For /dev/random I have installed ANDIrand (http://www.cosy.sbg.ac.at/~andi/) and I have also installed PRNGD. I installed both as I thought the problem might relate to the random number generator. I am using openssl to encrypt client connection to our Cyrus IMAP 2.0.16 server. Here is the output of a Cyrus connection utility called imtest:
>
> First thing: OpenSSL versions before 0.9.7 (which is not yet released, so I talk about all current versions) do not access /dev/random or PRNGD automatically. The application has to access it explicitly. (From the output below I am however not sure what the reason for the failure is.) You may add RAND_egd(/path/to/egd-socket); to the start of both server and client to make sure that the PRNG is properly seeded.
>
> > imtest -v -t /var/imap/mailhost.crt localhost
> > C: C01 CAPABILITY
> > S: * OK catfish Cyrus IMAP4 v2.0.16 server ready
> > S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS
> > S: C01 OK Completed
> > S01 NO Error initializing TLS
> > starting TLS engine
> > setting up TLS connection
> > SSL_connect:before/connect initialization
> > write to 000D6A20 [000F4870] (90 bytes = 90 (0x5A))
> > 16 03 01 00 55 01 00 00|51 03 01 3b 7f 48 2b 76
> > 0010 b6 b5 6d dd c2 ce 95 6a|2c 19 88 c8 d9 a3 4a 76
> > 0020 3b b7 e9 56 11 0c 11 73|fb 25 a5 00 00 2a 00 16
> > 0030 00 13 00 0a 00 66 00 07|00 05 00 04 00 65 00 64
> > 0040 00 63 00 62 00 61 00 60|00 15 00 12 00 09 00 14
> > 0050 00 11 00 08 00 06 00 03|01
> > 005a - <SPACES/NULS>
> > SSL_connect:SSLv3 write client hello A
> > read from 000D6A20 [000EC060] (5 bytes = 5 (0x5))
> > 2a 20 42 41 44
> > write to 000D6A20 [000E3DD0] (7 bytes = 7 (0x7))
> > 15 20 42 00 02 02 46
> > SSL3 alert write:fatal:unknown
>
> I don't know what is going on here. Yesterday afternoon I wrote the manual page for SSL_alert_type_string() et al and just discovered that the alert descriptions for TLSv1 are not included in the library, only for SSLv3... Therefore we only see the "unknown" here. I will fix this today.
>
> > SSL_connect:error in SSLv3 read server hello A
> > -1
> > SSL_connect error -1
> > SSL session removed
> > TLS negotiation failed!
> > Asking for capabilities again since they might have changed
> > C: C01 CAPABILITY
> > S: Invalid tag
> > S: * BAD Invalid tag
> >
> > I have tried looking up some of these errors on various newsgroups but have come up empty handed. Could someone help shed some light on the possible cause and/or workaround. I would greatly appreciate any help. Thank you.
>
> Please run ssldump (http://www.rtfm.com/ssldump) to find out more details, and check out the output of the server.
>
> Best regards,
>     Lutz
> --
> Lutz Jaenicke                             [EMAIL PROTECTED]
> BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
PCAP library: needed for ssldump
Hello,

I am trying to install ssldump 0.9b1 so that I can troubleshoot a problem that I am having with openssl 0.9.6 on Solaris 8. I have libpcap-0.6.1 installed in /usr/local/lib and the include files in /usr/local/include:

catfish# ls -l /usr/local/lib/libpcap.a
-rw-r--r--   1 bin      bin       142920 Jan 20  2001 /usr/local/lib/libpcap.a
catfish# ls -l /usr/local/include/pcap*
-rw-r--r--   1 bin      bin         3326 Jan 20  2001 /usr/local/include/pcap-namedb.h
-rw-r--r--   1 bin      bin         6317 Jan 20  2001 /usr/local/include/pcap.h

When I run configure the script craps out like this:

catfish# ./configure --with-pcap-lib=/usr/local/lib --with-pcap-inc=/usr/local/include
loading cache ./config.cache
checking host system type... sparc-sun-solaris2.8
checking target system type... sparc-sun-solaris2.8
checking build system type... sparc-sun-solaris2.8
checking for gcc... gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... no
checking whether we are using GNU C... yes
checking whether gcc accepts -g... yes
checking whether make sets ${MAKE}... yes
checking for ranlib... ranlib
checking for a BSD compatible install... ./install-sh -c
checking for pow in -lm... yes
checking for PCAP include files... found in /usr/local/include
checking for PCAP library... configure: error: Couldn't find PCAP library: needed for ssldump

Has anyone successfully built this tool? If so, could you think of anything I am blatantly missing here? I am really at a loss.

Thanks
SSL_connect:error
Hello,

I am using openssl-0.9.6 on a Solaris box. I am currently using a temporary self signed certificate. The OS is Solaris 8. For /dev/random I have installed ANDIrand (http://www.cosy.sbg.ac.at/~andi/) and I have also installed PRNGD. I installed both as I thought the problem might relate to the random number generator. I am using openssl to encrypt client connection to our Cyrus IMAP 2.0.16 server. Here is the output of a Cyrus connection utility called imtest:

imtest -v -t /var/imap/mailhost.crt localhost
C: C01 CAPABILITY
S: * OK catfish Cyrus IMAP4 v2.0.16 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS
S: C01 OK Completed
S01 NO Error initializing TLS
starting TLS engine
setting up TLS connection
SSL_connect:before/connect initialization
write to 000D6A20 [000F4870] (90 bytes = 90 (0x5A))
16 03 01 00 55 01 00 00|51 03 01 3b 7f 48 2b 76
0010 b6 b5 6d dd c2 ce 95 6a|2c 19 88 c8 d9 a3 4a 76
0020 3b b7 e9 56 11 0c 11 73|fb 25 a5 00 00 2a 00 16
0030 00 13 00 0a 00 66 00 07|00 05 00 04 00 65 00 64
0040 00 63 00 62 00 61 00 60|00 15 00 12 00 09 00 14
0050 00 11 00 08 00 06 00 03|01
005a - <SPACES/NULS>
SSL_connect:SSLv3 write client hello A
read from 000D6A20 [000EC060] (5 bytes = 5 (0x5))
2a 20 42 41 44
write to 000D6A20 [000E3DD0] (7 bytes = 7 (0x7))
15 20 42 00 02 02 46
SSL3 alert write:fatal:unknown
SSL_connect:error in SSLv3 read server hello A
-1
SSL_connect error -1
SSL session removed
TLS negotiation failed!
Asking for capabilities again since they might have changed
C: C01 CAPABILITY
S: Invalid tag
S: * BAD Invalid tag

I have tried looking up some of these errors on various newsgroups but have come up empty handed. Could someone help shed some light on the possible cause and/or workaround. I would greatly appreciate any help.

Thank you.
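Added example, not part of the original posts: a decoder for the bytes quoted in this imtest trace and the "unknown protocol" failure in the "problems with CERT start line" post above. A TLS record begins with a content-type byte (0x14..0x17) and a two-byte version; the 5 bytes the client read back, "2a 20 42 41 44", are ASCII "* BAD", i.e. the IMAP server answered the ClientHello in plaintext, which is what OpenSSL reports as "unknown protocol" or "error in SSLv3 read server hello". The 7-byte reply is the client's own alert record, decoded here by its level and description byte.

```python
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
VERSIONS = {0: "SSLv3", 1: "TLSv1.0", 2: "TLSv1.1", 3: "TLSv1.2", 4: "TLSv1.3"}
ALERT_DESC = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version"}

def parse_hex(dump: str) -> bytes:
    """Turn an OpenSSL-style 'xx xx xx|xx' byte dump into bytes."""
    return bytes(int(h, 16) for h in dump.replace("|", " ").split())

def classify_peer_bytes(data: bytes) -> str:
    """Say what the first bytes read from a socket look like: TLS or plaintext."""
    if len(data) >= 3 and data[0] in CONTENT_TYPES and data[1] == 3 and data[2] in VERSIONS:
        return f"TLS record: {CONTENT_TYPES[data[0]]} ({VERSIONS[data[2]]})"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "unknown binary data"
    # Untagged ("* ", "+ ") or tagged ("C01 OK") IMAP responses are plain text.
    if text.startswith(("* ", "+ ")) or text.split(" ", 1)[0].isalnum():
        return f"plaintext IMAP response: {text.strip()!r}"
    return f"plaintext: {text.strip()!r}"

def describe_alert(record: bytes) -> str:
    """Decode a 7-byte TLS alert record: level (1 warning / 2 fatal) + description."""
    if len(record) < 7 or record[0] != 0x15:
        return "not an alert record"
    level = {1: "warning", 2: "fatal"}.get(record[5], "unknown level")
    return f"{level}: {ALERT_DESC.get(record[6], 'unknown description')} ({record[6]})"

# Bytes quoted in the posts (client hello prefix, server reply, client alert).
CLIENT_HELLO_PREFIX = parse_hex("16 03 01 00 55 01 00 00|51 03 01")
SERVER_REPLY = parse_hex("2a 20 42 41 44")
CLIENT_ALERT = parse_hex("15 20 42 00 02 02 46")

if __name__ == "__main__":
    print(classify_peer_bytes(CLIENT_HELLO_PREFIX))
    print(classify_peer_bytes(SERVER_REPLY))
    print(describe_alert(CLIENT_ALERT))
```

Note that the alert record's version bytes "20 42" are not a valid TLS version, which is consistent with the client having already lost sync with a non-TLS peer.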