Compile 1.0.1j on Win8.1 with capi

2014-11-14 Thread Derek Cole
Hello,

I am noticing that when I install the OpenSSL bundle from
http://slproweb.com/products/Win32OpenSSL.html

The lib folder gets a lot of .lib files in it that correspond to the
engines, such as capi.lib.

How can I compile OpenSSL to generate those same lib files? Is it simply a
matter of configuring with enable-capieng to make this happen? I need to
generate the libraries for use in my stunnel compile that I am trying to do
on windows. When I just did a build line like in the INSTALL.W32 :

perl Configure VC-WIN32 no-asm --prefix=c:/some/openssl/dir
ms\do_ms

I do not get those same .lib files, specifically, the capi.lib file is
missing, so I get a message like the following from stunnel when it's
running:

 [ ] Enabling support for engine 'capi'
 [!] error queue: 2606A074: error:2606A074:engine routines:ENGINE_by_id:no
such engine
 [!] error queue: 260B6084: error:260B6084:engine routines:DYNAMIC_LOAD:dso
not found
 [!] error queue: 25070067: error:25070067:DSO support
routines:DSO_load:could not load the shared library
 [!] ENGINE_by_id: 25078067: error:25078067:DSO support
routines:WIN32_LOAD:could not load the shared library

Any guidance appreciated. This is my first time trying to build OpenSSL
myself, and I am not wholly familiar with visual studio build on top of
that. Thanks!


Re: Compile 1.0.1j on Win8.1 with capi

2014-11-14 Thread Derek Cole
Just to add some more information - When I do my nmake -f ms\ntdll.mak
command, I do end up with some out32dll.dbg and out32.dbg directories in my
source folders, and if I browse to the out32.dbg folder and do openssl
engine I do get some output:

$ ../out32.dbg/openssl.exe engine
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
(4758cca) IBM 4758 CCA hardware engine support
(aep) Aep hardware engine support
(atalla) Atalla hardware engine support
(cswift) CryptoSwift hardware engine support
(chil) CHIL hardware engine support
(nuron) Nuron hardware engine support
(sureware) SureWare hardware engine support
(ubsec) UBSEC hardware engine support
(padlock) VIA PadLock (no-RNG, no-ACE)
(gost) Reference implementation of GOST engine
(capi) CryptoAPI ENGINE


So it seems to me like the libraries maybe are getting built, but I can't
seem to link to them correctly in my stunnel code. And also, if I do the
nmake -f ms\ntdll.mak install, *.lib files in the out32dll.dbg folder do
not make it to the lib folder of my install directory. They are in there
for the precompiled binaries. Were those just copied in by hand?



On Fri, Nov 14, 2014 at 3:11 PM, Derek Cole derek.c...@gmail.com wrote:

 Hello,

 I am noticing that when I install the OpenSSL bundle from
 http://slproweb.com/products/Win32OpenSSL.html

 The lib folder gets a lot of .lib files in it that correspond to
 the engines, such as capi.lib.

 How can I compile OpenSSL to generate those same lib files? Is it simply a
 matter of configuring with enable-capieng to make this happen? I need to
 generate the libraries for use in my stunnel compile that I am trying to do
 on windows. When I just did a build line like in the INSTALL.W32 :

 perl Configure VC-WIN32 no-asm --prefix=c:/some/openssl/dir
 ms\do_ms

 I do not get those same .lib files, specifically, the capi.lib file is
 missing, so I get a message like the following from stunnel when it's
 running:

  [ ] Enabling support for engine 'capi'
  [!] error queue: 2606A074: error:2606A074:engine routines:ENGINE_by_id:no
 such engine
  [!] error queue: 260B6084: error:260B6084:engine
 routines:DYNAMIC_LOAD:dso not found
  [!] error queue: 25070067: error:25070067:DSO support
 routines:DSO_load:could not load the shared library
  [!] ENGINE_by_id: 25078067: error:25078067:DSO support
 routines:WIN32_LOAD:could not load the shared library

 Any guidance appreciated. This is my first time trying to build OpenSSL
 myself, and I am not wholly familiar with visual studio build on top of
 that. Thanks!




RE: detect Md5 sign signatures

2013-09-24 Thread Derek Del Miller
The Signature Algorithm field is the correct field to check.

As clarification: MD5 is not a signature algorithm, it's a hashing
algorithm. A certificate is hashed using the specified hashing algorithm,
and then signed using the specified signature algorithm.

Thus, sha1WithRSAEncryption indicates that the certificate was hashed using
sha1, and the result was encrypted using RSA to generate the signature.
Md5WithRSAEncryption indicates it was hashed using md5, and signed with RSA.

Thus, the certificate you're looking at was hashed with SHA1, not MD5.

Derek

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of val john
Sent: Tuesday, September 24, 2013 1:03 AM
To: openssl-users@openssl.org
Subject: detect Md5 sign signatures

Hi guys,

I have a server certificate used in the company Radius server. How can I
check whether it's an md5-signed cert or a sha-signed certificate?

Which attribute indicates whether it's md5 signed or sha signed? Is it the
"Signature Algorithm: sha1WithRSAEncryption" attribute?

Please advise.



Thank You

John
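
As an added example (not part of this thread, and not OpenSSL's own code), the Python below reads the Signature Algorithm field that the answer above points to directly out of a DER certificate, decodes the OID, and flags MD2/MD5/SHA-1 signatures. It also checks the detail RFC 5280 requires: the `signatureAlgorithm` on the outside of the Certificate must equal the `signature` field inside `tbsCertificate`. The OID table is from RFC 3279/RFC 4055; `skeleton_cert()` builds a constructed, deliberately incomplete DER structure (no names, key or real signature) just so the parser can be exercised offline.

```python
# Minimal DER walker that extracts the signature AlgorithmIdentifier OIDs
# from an X.509 Certificate and reports whether the hash is MD2/MD5/SHA-1.

SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
# MD2/MD5 are collision-broken; SHA-1 is deprecated for signatures.
WEAK_HASH_OIDS = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oids(cert_der):
    """Return (tbsCertificate.signature OID, Certificate.signatureAlgorithm OID)."""
    _, cert, _ = read_tlv(cert_der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, pos = read_tlv(cert, 0)                     # tbsCertificate
    _, outer_alg, _ = read_tlv(cert, pos)               # signatureAlgorithm
    outer_oid = decode_oid(read_tlv(outer_alg, 0)[1])
    # tbsCertificate: [0] EXPLICIT version OPTIONAL, serialNumber, signature, ...
    tag, _, p = read_tlv(tbs, 0)
    if tag == 0xA0:                                     # version present: skip serialNumber too
        _, _, p = read_tlv(tbs, p)
    _, inner_alg, _ = read_tlv(tbs, p)                  # signature AlgorithmIdentifier
    inner_oid = decode_oid(read_tlv(inner_alg, 0)[1])
    return inner_oid, outer_oid


def check_signature_algorithm(cert_der):
    inner, outer = signature_algorithm_oids(cert_der)
    return {
        "oid": outer,
        "name": SIGNATURE_OIDS.get(outer, "unknown"),
        "weak_hash": outer in WEAK_HASH_OIDS,
        "consistent": inner == outer,                   # RFC 5280 4.1.1.2: must be identical
    }


# --- constructed test input (not a real certificate) -------------------------
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def skeleton_cert(sig_oid, tbs_sig_oid=None):
    """Just enough of a DER Certificate to exercise the parser: version, serial,
    both AlgorithmIdentifiers and a dummy BIT STRING. Constructed for this example."""
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    tbs_alg = alg if tbs_sig_oid is None else der(0x30, der(0x06, encode_oid(tbs_sig_oid)) + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + tbs_alg)
    return der(0x30, tbs + alg + der(0x03, b"\x00\xde\xad\xbe\xef"))
```

On a real certificate, pass the bytes of the DER file (or the base64-decoded body of a PEM file) to `check_signature_algorithm()`; a `weak_hash` of True for an MD5 OID is the condition the original question was trying to detect, and `consistent` False means the certificate is malformed and should be rejected regardless of algorithm.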

 






 



Re: SANs for self signed certs

2013-04-25 Thread Derek Cole
Just to update - I found the section in one of the apps that copies the
extensions from the request. I was able to enable the EXT_COPY_ADD and was
able to get my SANs in the cert as well as the request.


On Wed, Apr 24, 2013 at 6:44 PM, Derek Cole derek.c...@gmail.com wrote:

 Hello,

 I have some code which I am using to generate a CSR and some code which I
 am using to generate a cert using my cert authority.

 If I view the CSR, I can see that my alt names were added correctly. If I
 view the cert itself, the altnames are not there. I had kind of thought
 that if I had a CSR with the alt names in it, the cert would get them too.
 Is that not correct? I am using the same CONF variable for both the CSR and
 the cert, but I am adding the extensions for subject alt name
 programmatically to the CSR (but not to the cert). I am doing this in a
 similar way as the mkreq.c demo by pushing my extension objects onto a
 stack and adding them before the X509_REQ_sign call.

 Do I need it in both places, or maybe just on the cert creation part and
 not the CSR?


 Alternatively, is there a way to add subject alt names programmatically to
 the config as an X509_EXTENSION object? Then I could perhaps just rely on
 the configuration to set the alt names instead of trying to force the
 X509_EXTENSION into the cert.

 Thanks for any help



Working with the CA database

2013-04-25 Thread Derek Cole
Hello,

I am acting as my own cert authority so the index.txt file is constantly
being updated as I generate new certs. However, I have noticed that things
like the DB_file field are never used in the CA program.

Is it safe for me to write some custom code that will take advantage of
that field?

For example, if a client is connecting and I already have a cert for it,
I'd like to be able to load the Cert based on the filename (that still
exists on the drive somewhere). It'd be nice to be able to do that DB
lookup, find the filename, load the cert, and return. It doesn't look like
OpenSSL actually has anything like that already in it, so I'm not sure what
people are doing in production environments with a bunch of certs.

The closest thing I can find to what I am talking about is the CRL tool,
however, that seems to just be concerned with updating the list, not
actually serving back up the cert or anything.

Thanks in advance for any tips.
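
As an added example (not from this thread and not OpenSSL code), here is a parser for the `index.txt` database that `openssl ca` maintains, plus the lookup the post asks about. The layout is the one the ca app writes: six tab-separated fields per line, status (V/R/E), expiry (YYMMDDHHMMSSZ), revocation date with optional `,reason`, serial in hex, filename and subject DN. The ca app writes the literal string `unknown` in the filename column, which is why it cannot be used for lookup; the certificate itself lives under `new_certs_dir` as `<serial>.pem`. `SAMPLE_INDEX` is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Constructed sample index.txt content, in the layout `openssl ca` writes.
SAMPLE_INDEX = (
    "V\t250101000000Z\t\t1001\tunknown\t/C=US/O=Example/CN=mail.mycompany.com\n"
    "R\t250101000000Z\t130420120000Z,keyCompromise\t1002\tunknown\t/C=US/O=Example/CN=old.mycompany.com\n"
    "E\t120101000000Z\t\t1003\tunknown\t/C=US/O=Example/CN=expired.mycompany.com\n"
)


@dataclass
class IndexEntry:
    status: str                      # V = valid, R = revoked, E = expired
    expires: datetime
    revoked: Optional[datetime]
    revocation_reason: Optional[str]
    serial: str                      # hex, as written by openssl ca
    filename: str                    # the DB_file column; openssl ca writes "unknown"
    subject: str                     # one-line DN


def _parse_time(stamp):
    """openssl ca writes UTCTime-style YYMMDDHHMMSSZ timestamps."""
    return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_index(text):
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        status, exp, rev, serial, fname, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"index.txt line {lineno}: unknown status {status!r}")
        revoked = reason = None
        if rev:
            stamp, _, reason = rev.partition(",")   # "YYMMDDHHMMSSZ[,reason]"
            revoked = _parse_time(stamp)
            reason = reason or None
        entries.append(IndexEntry(status, _parse_time(exp), revoked, reason,
                                  serial.upper(), fname, subject))
    return entries


def find_usable_cert(entries, subject, now=None):
    """Return the entry to serve for `subject`, or None. Only a V record that has
    not passed its expiry is usable; R and E records are never returned."""
    now = now or datetime.now(timezone.utc)
    for e in entries:
        if e.subject == subject and e.status == "V" and e.expires > now:
            return e
    return None


def cert_path_for(entry, new_certs_dir):
    """Where openssl ca stored the issued certificate: new_certs_dir/<serial>.pem.
    The filename column is only honoured if someone has filled it in."""
    name = entry.filename if entry.filename != "unknown" else f"{entry.serial}.pem"
    return Path(new_certs_dir) / name
```

The lookup deliberately refuses revoked and expired rows, so the same table that drives `openssl ca -gencrl` also gates what gets handed back to a connecting client.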


SANs for self signed certs

2013-04-24 Thread Derek Cole
Hello,

I have some code which I am using to generate a CSR and some code which I
am using to generate a cert using my cert authority.

If I view the CSR, I can see that my alt names were added correctly. If I
view the cert itself, the altnames are not there. I had kind of thought
that if I had a CSR with the alt names in it, the cert would get them too.
Is that not correct? I am using the same CONF variable for both the CSR and
the cert, but I am adding the extensions for subject alt name
programmatically to the CSR (but not to the cert). I am doing this in a
similar way as the mkreq.c demo by pushing my extension objects onto a
stack and adding them before the X509_REQ_sign call.

Do I need it in both places, or maybe just on the cert creation part and
not the CSR?


Alternatively, is there a way to add subject alt names programmatically to
the config as an X509_EXTENSION object? Then I could perhaps just rely on
the configuration to set the alt names instead of trying to force the
X509_EXTENSION into the cert.

Thanks for any help


Help me understand how this should work:

2013-03-28 Thread Derek Cole
Hello all,

I am curious about how something should work relating to some self signed
certs I am trying to use. It has been a while since I was messing with
this.

I have a webserver setup for my internal webmail at https://examplemail.com.
however, that site redirects to https://mail.mycompany.com

How should the certs be set up for this? Currently, my browser is giving me
a warning when I go to https://example.com that the cert I am giving back
is only valid for www.mycompany.com

I guess I need to know what to research to make all of these guys sort of
use the same cert. Is this what chaining could do for me?

Thanks


Re: Use OpenSSL socket as a normal socket

2012-11-09 Thread Derek Cole
Well that would still require an SSL handshake right? My client that sends
the unencrypted traffic knows nothing of SSL at all, and I can't modify it,
so it is just coming in a normal TCP stream.


On Fri, Nov 9, 2012 at 6:44 AM, Michel msa...@paybox.com wrote:

 Hi,

 Perhaps I misunderstand you, but wouldn't it be easier to just choose
 eNULL cipher when no encryption is needed ?

 On 09/11/2012 06:08, Derek Cole wrote:

  Hello,

 I have a server running that I am accepting both SSL and non SSL traffic.
 Currently I check the traffic first and if the first part of the TCP data
 looks like an SSL header, I send it off to an OpenSSL socket to be read.
 If it's plaintext, I just read it right there on that socket.

 Is it possible to skip the SSL header check and just send all traffic to
 an SSL socket, and reliably be able to read the traffic regardless whether
 it's encrypted or not?

 Just to be clear, I do have the SSL context set up properly and don't have
 a problem reading it, it's just annoying that I have to check my traffic
 in a separate step, and send it down the flow path of SSL if it's encrypted.

 Thanks


 ______________________________________________________________________
 OpenSSL Project                                 http://www.openssl.org
 User Support Mailing List                    openssl-users@openssl.org
 Automated List Manager                           majord...@openssl.org



Use OpenSSL socket as a normal socket

2012-11-08 Thread Derek Cole
Hello,

I have a server running that I am accepting both SSL and non SSL traffic.
Currently I check the traffic first and if the first part of the TCP data
looks like an SSL header, I send it off to an OpenSSL socket to be read. If
it's plaintext, I just read it right there on that socket.

Is it possible to skip the SSL header check and just send all traffic to an
SSL socket, and reliably be able to read the traffic regardless whether
it's encrypted or not?

Just to be clear, I do have the SSL context set up properly and don't have
a problem reading it, it's just annoying that I have to check my traffic in
a separate step, and send it down the flow path of SSL if it's encrypted.

Thanks


libpcap working with openSSL sockets

2012-10-31 Thread Derek Cole
Hello,

Is it possible to use libpcap to detect an incoming connection (writing all
those packets to a socket), then, if using libpcap I determine that
an SSL connection was established, stand up another socket to read the same
file descriptor with the SSL client so that I could use the proper context
and such to decrypt it?

Thanks


Re: libpcap working with openSSL sockets

2012-10-31 Thread Derek Cole
To be clear - I have already written the code to read the SSL header.

Regarding your last line - is there a cleaner way to redirect as you say,
or is it as I described - opening a new socket and writing the packet to it?

If I wanted to decrypt on the fly, is there a standard way of decrypting
the TCP payload automatically as the SSL socket does when you stand up a
SSL_CTX and use SSL_new with that context?




On Wed, Oct 31, 2012 at 2:06 PM, dreamwvr dream...@dreamwvr.com wrote:

 On 10/31/12 11:21 AM, Derek Cole wrote:

 Hello,

 Is it possible to use libpcap to detect an incoming connection (writing
 all those packets to a socket),

 Yes

  then, if using libpcap I determine that an SSL connection was established,

 Then check if it has an SSL header by reading the header
 https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake_in_detail

  stand up another socket to read the same file descriptor with the SSL
 client so that I could use the proper context and such to decrypt it?

 Thanks

 Then redirect to another socket or dup to
  decrypting on the fly.. although it did work well for the fly.. not so
 well the other guy:-)





Re: libpcap working with openSSL sockets

2012-10-31 Thread Derek Cole
As I am thinking about this a little more - I guess that SSL_new and
SSL_accept handle all of the SSL handshake negotiation as well, which would
have to be manually handled if you were trying to decrypt on the fly?




On Wed, Oct 31, 2012 at 2:23 PM, Derek Cole derek.c...@gmail.com wrote:

 To be clear - I have already written the code to read the SSL header.

 Regarding your last line - is there a cleaner way to redirect as you
 say, or is it as I described - opening a new socket and writing the packet
 to it?

 If I wanted to decrypt on the fly, is there a standard way of decrypting
 the TCP payload automatically as the SSL socket does when you stand up a
 SSL_CTX and use SSL_new with that context?





 On Wed, Oct 31, 2012 at 2:06 PM, dreamwvr dream...@dreamwvr.com wrote:

 On 10/31/12 11:21 AM, Derek Cole wrote:

 Hello,

 Is it possible to use libpcap to detect an incoming connection (writing
 all those packets to a socket),

 Yes

  then, if using libpcap I determine that an SSL connection was established,

 Then check if it has an SSL header by reading the header
 https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake_in_detail

  stand up another socket to read the same file descriptor with the SSL
 client so that I could use the proper context and such to decrypt it?

 Thanks

 Then redirect to another socket or dup to
  decrypting on the fly.. although it did work well for the fly.. not so
 well the other guy:-)
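
Both the "Use OpenSSL socket as a normal socket" thread and the libpcap thread above come down to the same check: look at the first bytes of a connection and decide whether they are the start of a TLS handshake or plain application data. As an added example (not code from either thread), here is that check in Python, done with `MSG_PEEK` so the bytes are not consumed and can still be handed to whichever reader is chosen. It also recognises the SSLv2-style ClientHello that old clients send. As Derek notes, a client that never does a handshake is not helped by an eNULL cipher, so a demultiplexer like this is still needed. The sample byte strings are constructed; the ClientHello is truncated after its header.

```python
import socket

# Constructed samples. The TLS one is a record header (type 0x16 handshake,
# version 3.1, length 8) followed by a truncated ClientHello body.
SAMPLE_CLIENT_HELLO = bytes.fromhex("1603010008" "0100000403030000")
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: mail.mycompany.com\r\n\r\n"
SAMPLE_SSLV2_HELLO = bytes.fromhex("802e0100020012")   # 2-byte length with MSB set, msg type 1


def classify_first_bytes(data):
    """Classify the first bytes of a TCP stream: 'need-more', 'tls', 'sslv2' or 'plain'."""
    if len(data) < 5:
        return "need-more"                     # a TLS record header is 5 bytes
    content_type, major, minor = data[0], data[1], data[2]
    if content_type == 0x16 and major == 0x03 and minor <= 0x04:
        return "tls"                           # Handshake record, protocol version 3.x
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2"                         # SSLv2-compatible ClientHello
    return "plain"


def peek_and_classify(conn):
    """Inspect the first bytes without consuming them (MSG_PEEK), so the same
    socket can then be wrapped for TLS or read as plaintext."""
    data = conn.recv(5, socket.MSG_PEEK)
    return classify_first_bytes(data)


def demo_peek_keeps_bytes():
    """Run peek_and_classify() over a local socketpair and confirm that the
    whole ClientHello is still readable afterwards."""
    client, server = socket.socketpair()
    try:
        client.sendall(SAMPLE_CLIENT_HELLO)
        kind = peek_and_classify(server)
        got = b""
        while len(got) < len(SAMPLE_CLIENT_HELLO):
            got += server.recv(len(SAMPLE_CLIENT_HELLO) - len(got))
        return kind, got == SAMPLE_CLIENT_HELLO
    finally:
        client.close()
        server.close()
```

On a real listener the connection would be handed to `ssl.SSLContext.wrap_socket()` when the result is `tls`, rejected or logged when it is `sslv2` (nothing should still speak it), and read directly when it is `plain`.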






Re: Firefox unhappy with my self signed Cert

2012-10-15 Thread Derek Cole
As some additional info, I am suspecting this may be an issue with my
config file.

I am using the same config file I used to set up my certificate authority,
which has under [ req ] a couple of values plugged in - for one, prompt=no,
because I didn't want it to prompt me for values. It also has a value filled
in for distinguished_name which points to a section called [
ca_distinguished_name ] that has the values for commonName, etc, that seem
to be getting put into my CSR.

Could this be the issue? Do I need to have a separate config file for
generating my CSRs than I used for generating my CA cert?

Thanks

On Fri, Oct 12, 2012 at 11:22 AM, Derek Cole derek.c...@gmail.com wrote:

 So I think you were right. I used a command to view the CSR that I
 generated with the following:

 openssl req -new -nodes -subj /CN=www.myserver.com -out /tmp/file.csr
 -keyout /tmp/privkey.csr -config /my/openssl.cnf

 when I do this though, I noticed that my subject line, which I view with

 openssl req -noout -text -in /tmp/file.csr -config /my/openssl.cnf


 It seems like the file is getting created with the common name in the
 config file instead of the one I pass it. Does it not override the config
 file?

 Thanks




 On Thu, Oct 11, 2012 at 7:55 PM, Dave Thompson dthomp...@prinpay.com wrote:

 From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole
 Sent: Thursday, 11 October, 2012 19:03

 i have a server that is running a custom app that can accept
 a SSL connection. I generate a cert on each server, that is
 signed by my own CA. I tested whether this worked or not by
 using the openssl s_client and s_server commands, and it actually
 worked to connect to the server using those commands. I started
 the server with a PEM file that contained the signed cert request,

 Nit: it contains the cert, and privatekey. A cert is NOT a signed CSR.

 as well as the private key for that cert request. This allowed me
 to start the server with
openssl s_server -accept 443 -cert myfile.cert

 Note that will support connection at the SSL level, but not give
 an HTTP response unless you type it by hand (which is hard to do).
 Add -www to support minimal requests from browsers.

and on the client side snip: s_client okay

 I installed my_server_cert.pem as a trusted authority in firefox,
 however, it still prompts that it is an Untrusted Connection
 and has the button to add security exception. [which] says Wrong Site
 and This site attempts to identify itself with invalid information

 Most SSL clients including Firefox, unlike s_client, check that the
 name in the server cert matches the name of the server they want,
 almost always as a domain name. The traditional and simple way is
 the CommonName in the server cert's Subject field is the FQDN.
 Most clients, I'd expect including Firefox but didn't take time to test,
 also support (1-level) wildcard, or the SubjectAlternativeName extension
 which can have multiple domain names or wildcards or some other options
 that are rarely used. Public CAs often call this multi-domain, or
 Unified Communications which was Microsoft's jargon for it.

 If you're doing these certs yourself and can issue whatever you want
 free anytime, I'd go with simple, but openssl ca (or x509 -req)
 can do SAN if you set-up the config file(s).







SSL_connect with pselect failing

2012-10-14 Thread Derek Cole
Hello,

I am trying to use SSL_connect. I have bound a socket to my interface, set
up the context, and call SSL_connect(). This is returning a -1, which I
catch, and call SSL_get_error() to fall through a switch statement. It is
returning a SSL_ERROR_WANT_WRITE.

So I am trying to use pselect in a while loop here to get the return. I
call SSL_get_fd() to get the file descriptor, FD_SET() to add to my fd_set,
and then pselect(ssl_fd+1, 0, fds, 0, timeout, NULL)

This reaches my timeout every time. Is there a reason to see why it is not
connecting, even though the initial SSL_connect returned WANT_WRITE?

Just to complete the model of what I was doing - assuming there was a
successful pselect(), I was going to call SSL_connect() again, and either go
through the loop again, or exit and continue.


Re: SSL_connect with pselect failing

2012-10-14 Thread Derek Cole
Nevermind.

I didn't realize that I did have the call in there for my socket connect()
(which was in another part of the code for non-ssl connections...it is
needed for both). I had thought SSL_connect took care of that too.

On Sun, Oct 14, 2012 at 5:35 PM, Derek Cole derek.c...@gmail.com wrote:

 Hello,

 I am trying to use SSL_connect. I have bound a socket to my interface, set
 up the context, and call SSL_connect(). This is returning a -1, which I
 catch, and call SSL_get_error() to fall through a switch statement. It is
 returning a SSL_ERROR_WANT_WRITE.

 So I am trying to use pselect in a while loop here to get the return. I
 call SSL_get_fd() to get the file descriptor, FD_SET() to add to my fd_set,
 and then pselect(ssl_fd+1, 0, fds, 0, timeout, NULL)

 This reaches my timeout every time. Is there a reason to see why it is not
 connecting, even though the initial SSL_connect returned WANT_WRITE?

 Just to complete the model of what I was doing - assuming there was a
 successful pselect(), I was going to call SSL_connect() again, and either go
 through the loop again, or exit and continue.
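
The two posts above describe a non-blocking handshake loop and the bug behind it: SSL_connect does not perform the TCP connect(), so waiting for writability on a socket that was never connected times out. As an added example (not Derek's code), here is the same flow with Python's standard `ssl` module, which maps onto the OpenSSL calls: plain TCP `connect()` first, then `do_handshake()` retried until it stops raising `SSLWantReadError`/`SSLWantWriteError`, waiting each time only for the readiness the last attempt asked for. `FakeHandshake` is a constructed stand-in so the retry logic can be exercised offline; `connect_tls_nonblocking()` is the real-socket version and needs a live server.

```python
import select
import socket
import ssl


def complete_handshake(tls, timeout, wait=select.select):
    """Drive a non-blocking TLS handshake to completion. Returns the number of
    retries. `wait` is select.select by default; it is a parameter only so the
    loop can be tested with a stub. Raises TimeoutError if readiness never comes."""
    retries = 0
    while True:
        try:
            tls.do_handshake()                   # SSL_connect()/SSL_accept() equivalent
            return retries
        except ssl.SSLWantReadError:             # SSL_ERROR_WANT_READ: wait until readable
            readable, _, _ = wait([tls], [], [], timeout)
            if not readable:
                raise TimeoutError("handshake timed out waiting to read")
        except ssl.SSLWantWriteError:            # SSL_ERROR_WANT_WRITE: wait until writable
            _, writable, _ = wait([], [tls], [], timeout)
            if not writable:
                raise TimeoutError("handshake timed out waiting to write")
        retries += 1


def connect_tls_nonblocking(ctx, host, port, timeout=5.0):
    """The order that matters: TCP connect() first, then the TLS handshake."""
    raw = socket.create_connection((host, port), timeout=timeout)   # TCP connect happens here
    raw.setblocking(False)
    tls = ctx.wrap_socket(raw, server_hostname=host, do_handshake_on_connect=False)
    complete_handshake(tls, timeout)
    return tls


class FakeHandshake:
    """Constructed stand-in for ssl.SSLSocket: raises the given WANT_* error
    classes in order on successive do_handshake() calls, then succeeds."""
    def __init__(self, pending_errors):
        self._pending = list(pending_errors)

    def do_handshake(self):
        if self._pending:
            raise self._pending.pop(0)()

    def fileno(self):
        return 0


def always_ready(r, w, x, timeout):
    """Stub for select.select that reports every requested fd as ready."""
    return r, w, x


def never_ready(r, w, x, timeout):
    """Stub for select.select that models a socket that never becomes ready."""
    return [], [], []
```

With a real `ssl.SSLSocket` the loop is identical; the stubs only replace the socket and the readiness wait.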



Re: Firefox unhappy with my self signed Cert

2012-10-12 Thread Derek Cole
So I think you were right. I used a command to view the CSR that I
generated with the following:

openssl req -new -nodes -subj /CN=www.myserver.com -out /tmp/file.csr
-keyout /tmp/privkey.csr -config /my/openssl.cnf

when I do this though, I noticed that my subject line, which I view with

openssl req -noout -text -in /tmp/file.csr -config /my/openssl.cnf


It seems like the file is getting created with the common name in the
config file instead of the one I pass it. Does it not override the config
file?

Thanks



On Thu, Oct 11, 2012 at 7:55 PM, Dave Thompson dthomp...@prinpay.com wrote:

 From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole
 Sent: Thursday, 11 October, 2012 19:03

 i have a server that is running a custom app that can accept
 a SSL connection. I generate a cert on each server, that is
 signed by my own CA. I tested whether this worked or not by
 using the openssl s_client and s_server commands, and it actually
 worked to connect to the server using those commands. I started
 the server with a PEM file that contained the signed cert request,

 Nit: it contains the cert, and privatekey. A cert is NOT a signed CSR.

 as well as the private key for that cert request. This allowed me
 to start the server with
openssl s_server -accept 443 -cert myfile.cert

 Note that will support connection at the SSL level, but not give
 an HTTP response unless you type it by hand (which is hard to do).
 Add -www to support minimal requests from browsers.

and on the client side snip: s_client okay

 I installed my_server_cert.pem as a trusted authority in firefox,
 however, it still prompts that it is an Untrusted Connection
 and has the button to add security exception. [which] says Wrong Site
 and This site attempts to identify itself with invalid information

 Most SSL clients including Firefox, unlike s_client, check that the
 name in the server cert matches the name of the server they want,
 almost always as a domain name. The traditional and simple way is
 the CommonName in the server cert's Subject field is the FQDN.
 Most clients, I'd expect including Firefox but didn't take time to test,
 also support (1-level) wildcard, or the SubjectAlternativeName extension
 which can have multiple domain names or wildcards or some other options
 that are rarely used. Public CAs often call this multi-domain, or
 Unified Communications which was Microsoft's jargon for it.

 If you're doing these certs yourself and can issue whatever you want
 free anytime, I'd go with simple, but openssl ca (or x509 -req)
 can do SAN if you set-up the config file(s).





Re: Firefox unhappy with my self signed Cert

2012-10-12 Thread Derek Cole
Interesting. While I was playing around with this, I actually noticed that
if I use the -subj option on the CSR, I am not able to do this. I was able
to get it working by adding the common name on the actual cert generation
from that CSR. The config file was modified so that my priority_match,
which had some match fields, was changed to priority_any, which only had a
common name required, and Firefox was happy.

Just thought I'd post this workaround in case anyone else stumbles across
it.

On Fri, Oct 12, 2012 at 4:42 PM, Dave Thompson dthomp...@prinpay.com wrote:

 From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole
 Sent: Friday, 12 October, 2012 11:22

 So I think you were right. I used a command to view the CSR
 that I generated with the following:
 openssl req -new -nodes -subj /CN=www.myserver.com -out /tmp/file.csr
 -keyout /tmp/privkey.csr -config /my/openssl.cnf

 when I do this though, I noticed that my subject line, which I view with
 openssl req -noout -text -in /tmp/file.csr -config /my/openssl.cnf

 Aside: you don't need a config file to view an existing request,
 although since 1.0.0 it gives a spurious warning.

 It seems like the file is getting created with the common name
 in the config file instead of the one I pass it. Does it not
 override the config file?

 req -new has two ways of getting the subject DistinguishedName,
 prompted from the terminal and unprompted from the config file.
 Apparently -subj substitutes only for prompted; to make it
 effective, specify or default prompt=yes in the config file.
 (And if that config file will or might be used in actual
 prompting mode, make sure you have DNpart = promptstring
 not DNpart = actualvalue as you should for prompt=no.)

 In 0.9.8 if you specify all parameters needed for req -new
 on the commandline you don't need a config file for that.
 Since 1.0.0 -new demands a config file even if not needed.

 On Thu, Oct 11, 2012 at 7:55 PM, Dave Thompson dthomp...@prinpay.com
 wrote:
 snip: name(s) in cert must match host desired by client like Firefox




Re: OpenSSL cert authority with no database

2012-10-11 Thread Derek Cole
Thanks for the quick response. I hadn't thought about CRL at this point
actually.. I am just wading into this trying to get minimal functionality
first.

In case anyone is wondering, I also found that if you make a database.attr
file to go with database, you can add unique_subject = no for a
workaround until implementing something more stable.

-Derek


On Thu, Oct 11, 2012 at 6:34 PM, Charles Mills charl...@mcn.org wrote:

 I hit this EXACT problem.

 The wrong ways to solve it are to keep deleting the database or
 deleting records from the database.

 The right way to solve it is to revoke certificates that you want to
 re-issue. I just happen to have a (Windows – sorry if you’re not Windows)
 .BAT file to do just that, and as a side benefit, it maintains a CRL that
 you can play with. (You do intend to support CRLs, right?)

 rem revoke a certificate and re-issue the CRL
 rem unable to write 'random state' seems to be normal
 rem pass the name of the PEM file to be revoked as the only argument

 openssl.exe ca -revoke %1 -config myConfig.cnf -keyfile myRoot.key.pem -passin pass:the_password

 openssl.exe ca -gencrl -out myRevocations.crl -config myConfig.cnf -keyfile myRoot.key.pem -passin pass:the_password

 pause Check status of certificate revocation and CRL generation (CRL success outputs no messages)

 Charles

 From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Derek Cole
 Sent: Thursday, October 11, 2012 3:14 PM
 To: openssl-users@openssl.org
 Subject: OpenSSL cert authority with no database


 Hello,

 Is there a way to sign certificates with your own CA, and NOT have to use
 a database file to keep track of them? For development purposes, I end up
 creating the same cert multiple times, and trying to sign it which will
 cause me to get the TXT_DB error number 2
 sometimes, which does not allow the signing of the cert to proceed.

 Thanks!



Firefox unhappy with my self signed Cert

2012-10-11 Thread Derek Cole
Hello,

I sort of posted about this earlier, but I think this is a more concise
question (as the previous replies were helpful for me to start debugging
the problem).

i have a server that is running a custom app that can accept a SSL
connection. I generate a cert on each server, that is signed by my own CA.
I tested whether this worked or not by using the openssl s_client and
s_server commands, and it actually worked to connect to the server using
those commands. I started the server with a PEM file that contained the
signed cert request,  as well as the private key for that cert request.
This allowed me to start the server with

openssl s_server -accept 443 -cert myfile.cert

and on the client side

openssl s_client -connect myserver:443 -CAfile my_server_cert.pem

This gave me a verify code of zero, so I thought I was good to go.

I installed my_server_cert.pem as a trusted authority in firefox, however,
it still prompts that it is an Untrusted Connection and has the button to
add security exception. When I click this button, I noticed that under
Certificate Status it says Wrong Site and This site attempts to identify
itself with invalid information


I'd prefer my clients to not have this pop-up when they are connecting to
my servers. From the server side, when I debug the app, I see I get the
sslv3 alert bad certificate error at first, and then the next
connections are SSL_accept()ed as the client requests cert status and
such, until I'm finally done adding the security exception, and my final
SSL_accept() finally gets a return of 1, which I was hoping for.

Is this just a firefox bug or what? I have noticed too, that I am able to
launch my custom app, and use openssl s_client -connect to connect to that
same server, same certs, and it gives me verify code zero.


Thanks for any insight.


Re: Firefox unhappy with my self signed Cert

2012-10-11 Thread Derek Cole
Thanks to everyone for the information. I can't recall right now how I set
up the name - I was thinking for sure it was with the FQDN, but I'll double
check. I will do that reading and check tomorrow when I am back at work and
see if I can figure out what is going wrong there.

Thanks

On Thu, Oct 11, 2012 at 8:41 PM, Charles Mills charl...@mcn.org wrote:

  The wildcard is the lowest-level component of a DNS name, which is at the
 left as written; in

 You're right (left?) of course. I was somehow picturing it incorrectly in
 my mind. I quickly went and looked at my wildcard comparison code and it is
 correct (whew!).

 In my other thread about checking client IP addresses I was picturing a
 lowest-level/RIGHTmost wildcard on the IP address: e.g. 192.168.1.*

 That's lowest level conceptually but I guess not what the standard or
 convention provides for.

 BTW, a good quick discussion of wildcard certificate names:

 http://support.godaddy.com/help/article/567/what-is-a-wildcard-ssl-certificate
 (They'd love to sell you one; this is not an endorsement.)

 Charles

 -Original Message-
 From: owner-openssl-us...@openssl.org
 [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
 Sent: Thursday, October 11, 2012 5:13 PM
 To: openssl-users@openssl.org
 Subject: RE: Firefox unhappy with my self signed Cert

 From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
 Sent: Thursday, 11 October, 2012 19:40

 Some minor points:

 How do you specify the name (URL) of the Web site in Firefox?
 Do you use exactly the same name as you use with the test client (and
 the name in the certificate)?

 OP's test client was openssl s_client, which does NOT check hostname, so
 that one doesn't matter. URL in Firefox/etc and name in cert do.

 Firefox is saying the certificate is for myserver but you are
 specifying a different name when you open the site. The name has to be
 exactly the same as one of the names (including alternates) in the
 certificate. (You can wildcard the last node in the alternate
 names.) myserver is not the same as myserver.com

 You can use wildcard in either Subject or SubjectAlternativeNames.
 The wildcard is the lowest-level component of a DNS name, which is at the
 left as written; in abstract that might be considered last
 but I think most people wouldn't call it that.

 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org
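
The rule Dave states (the wildcard is the leftmost label, and it stands for exactly one label) is quicker to check against OpenSSL's own hostname matcher than against a vendor page. The script below is an added example, not code from this thread or from OpenSSL: it mints a throwaway self-signed certificate for *.example.com and asks `openssl verify -verify_hostname` which names it covers. The names, file names and validity period are assumptions for the demo, and it needs the openssl CLI (1.1.1 or newer for -addext). Dave's point that s_client does not check the hostname was true of the s_client of that era; newer releases accept -verify_hostname.

```shell
#!/bin/sh
# Added example, not code from the thread. Mints a throwaway self-signed
# certificate for *.example.com and asks OpenSSL's own hostname matcher which
# names it covers. Names, file names and validity are assumptions for the demo.
# Needs the openssl CLI (1.1.1 or newer for -addext).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed cert whose only DNS name is the wildcard. The wildcard is the
# leftmost label, as Dave says; the matcher never treats it as "last".
make_wildcard_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout wild.key -out wild.crt \
        -subj "/CN=*.example.com" \
        -addext "subjectAltName=DNS:*.example.com" >/dev/null 2>&1
}

# host_matches NAME: 0 if OpenSSL accepts wild.crt for NAME, 1 otherwise.
# The cert is its own trust anchor here, so only the name check can fail.
host_matches() {
    openssl verify -CAfile wild.crt -verify_hostname "$1" wild.crt >/dev/null 2>&1
}

report() {
    if host_matches "$1"; then
        echo "$1: covered by *.example.com"
    else
        echo "$1: NOT covered"
    fi
}

make_wildcard_cert
report www.example.com      # one label in place of the * : covered
report example.com          # the bare domain is not; it needs its own SAN entry
report a.b.example.com      # the * stands for exactly one label, never two
report www.example.net      # different domain
```

The same matcher is what a client built on OpenSSL (curl, s_client with -verify_hostname) applies, so a name that is NOT covered here will be rejected there too, whatever the CN says: once a subjectAltName is present the CN is ignored.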



Re: SSL_accept fails with bad certificate error

2012-10-10 Thread Derek Cole
Thank you for the reply. It is probably obvious that I am new to SSL
programming, and I am modifying some existing code. I will read over your
information and write back if I am still having issues.

Thanks

Derek

On Wed, Oct 10, 2012 at 4:30 AM, Dave Thompson dthomp...@prinpay.com wrote:

 From: owner-openssl-us...@openssl.org On Behalf Of Derek Cole
 Sent: Tuesday, 09 October, 2012 21:12

 I am trying to write a server that will accept an incoming SSL connection.

 In pseudo, I have the following chain of function calls

 SSL_CTX_load_verify_locations(ctx, root_cert_file, root_cert_dir)
 SSL_CTX_use_certificate_chain_file(chain file)
 SSL_CTX_use_PrivateKey_file(chain file)
 SSL_CTX_set_verify (sets SSL_VERIFY_PEER)
 SSL_CTX_set_verify_depth(to a depth of 4)

 I assume you are checking all calls that can return an error
 indication; you suggest this below everything goes fine.
 If not, do so. But not all errors are (or can be) caught,
 so lack of error indication doesn't prove lack of error.

 When you request client auth (aka client cert), it's usually
 best to specify the CAs you like, so if the client has multiple
 certs it can pick right. OpenSSL does NOT do this automatically.
 If root_cert_file (or another file) has all CA(s) you trust, you
 can use SSL_load_client_CA_file and SSL_[CTX_]set_client_CA_list .
 Otherwise, e.g. if you have CA(s) present only in root_cert_dir,
 it's a little more complicated.

 Note SSL_VERIFY_PEER requests client auth but doesn't require it.
 To require it add SSL_VERIFY_FAIL_IF_NO_PEER_CERT .

 And if you want to allow clients to use certs from a public CA,
 depth 4 doesn't leave much margin. Practically all public CAs
 today chain either 2 or 3 within the CA itself, and often 1 or 2
 more when one CA buys trust from another (usually older) one.
 If you require clients use certs you issue with your own CA
 (see below) you can control the depth.

The chain file has 3 things in it -
private key of the server CA
a signed certificate request signed by my server CA
the public key of the server CA

 0. A CA doesn't sign requests (CSRs), it signs certs.
 A cert is *derived from* a CSR, but it isn't a signed CSR.
 If you have a cert issued from a CSR for your server,
 it is a cert for your server, or just your server cert.

 1. A cert chain consists of certs, not publickeys.

 2. If your server cert is signed by the CA root key+cert,
 you don't need any chain. Just load the server privatekey
 and the server cert. If your server cert is signed by an
 intermediate CA key+cert, and that possibly by another etc.,
 you must either (1) send chain or (2) have client(s) trust
 anyway, depending on client. There are several suboptions:
 (1A) give the server cert and chain cert(s) in chain_file
 (1B) give the server cert and have chain cert(s) in server
 truststore (your root_cert_file and/or root_cert_dir).
 OpenSSL automatically fills the chain from truststore.
 (2A) have client trust the first (non-sent) intermediate
 cert as an anchor. OpenSSL doesn't but other clients may.
 (2B) have all non-sent chain certs in and used from client
 truststore. OpenSSL does (automatically).
 2A and 2B depend on the client(s), and so are suitable only
 if your clients are known and reasonably few.

 3. In all cases, the/each client's truststore must contain
 the CA root for the server cert. Does my server CA mean one
 you own and operate, or a public one you chose to use?

 3A. If the server CA is a public one like Verisign, the client
 may already trust its root, depending on the client. Windows
 and common web browsers, and some utilities like curl, and
 Java, come with truststores containing some dozens of public
 established CA roots. OpenSSL does not. If you use s_client
 or similar, you need to get at least the root used, and
 optionally others you like, and put in client truststore.

 3B. If the server CA is one you created (and not delegated
 as a CA under an established CA, which AIUI is difficult and
 costly to obtain so probably not), no typical client will
 have its root already; for all clients, you must add it.

 When I create a new SSL structure everything goes fine, but when
 I call SSL_accept() on it, I get a return of zero, which when
 I read the error queue says sslv3 alert bad certificate

 What does this error mean exactly? Is it a problem with my server
 certificate itself, the client certificate returned on the verify,
 or what?

 alert means client said it didn't like your (server) auth.
 Either the client is mistaken, usually because it doesn't have
 the root in its truststore as above (though bugs are possible),
 or the cert/chain you sent is in fact bad. This occurs at a
 point in the protocol before client-auth, so no attempt was
 made to verify any client cert. If a client cert is received
 and doesn't verify, that's a different error.

 The client may have displayed a more specific error. If not,
 try another client
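
Dave's options 1A and 2A are easier to see with a throwaway three-level PKI than in prose. The script below is an added example, not code from this thread or from OpenSSL: it builds root, issuing CA and server certificates with the openssl CLI, writes the chain file in the order SSL_CTX_use_certificate_chain_file() expects (server cert first, then the intermediate, no keys or CSRs), and then plays the client with `openssl verify`, where -untrusted stands in for the certificates a server sends in the handshake. All subjects, file names and the hostname are assumptions; it needs the openssl CLI, 1.0.2 or newer for -partial_chain.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL. Builds a throwaway
# root -> issuing CA -> server PKI with the openssl CLI and replays Dave's
# options 1A and 2A from the client's side with `openssl verify`.
# All subjects, file names and the hostname are assumptions. Needs the openssl
# CLI, 1.0.2 or newer (-partial_chain).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# new_csr NAME SUBJECT: fresh RSA key plus CSR, no prompts
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" >/dev/null 2>&1
}

build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:myserver.example\n' > leaf.ext

    new_csr root "/CN=Example Root CA"
    openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.crt >/dev/null 2>&1

    new_csr inter "/CN=Example Issuing CA"
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 365 -extfile ca.ext -out inter.crt >/dev/null 2>&1

    new_csr server "/CN=myserver.example"
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 90 -extfile leaf.ext -out server.crt >/dev/null 2>&1

    # What SSL_CTX_use_certificate_chain_file() wants (Dave's 1A): server cert
    # first, then the intermediate(s). No private key, no CSR, no root.
    cat server.crt inter.crt > chain.pem
}

# pem_count FILE TYPE: number of "-----BEGIN TYPE-----" blocks in FILE
pem_count() {
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# verify_server TRUSTFILE [SENT] [OPTION]: 0 if a client whose truststore is
# TRUSTFILE accepts server.crt. SENT stands in for the certificates the server
# sends in the handshake ("-" = only the leaf); OPTION is an extra verify flag.
verify_server() {
    sent=${2:--}
    set -- -CAfile "$1" ${3:-}
    [ "$sent" = "-" ] || set -- "$@" -untrusted "$sent"
    openssl verify "$@" server.crt >/dev/null 2>&1
}

show() {
    label=$1; shift
    if verify_server "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

build_pki
echo "chain.pem: $(pem_count chain.pem CERTIFICATE) certificates, $(pem_count chain.pem 'PRIVATE KEY') private keys"
show "client trusts root, server sends leaf only        " root.crt -
show "client trusts root, server sends leaf + inter (1A)" root.crt chain.pem
show "client trusts inter only, OpenSSL default         " inter.crt -
show "client trusts inter only, -partial_chain (2A)     " inter.crt - -partial_chain
```

The third line of output is Dave's "OpenSSL doesn't": with only the intermediate in its truststore OpenSSL still insists on reaching a self-signed root, and -partial_chain is the switch that makes it behave like the other clients in 2A. On the server side the same files go to `openssl s_server -cert server.crt -key server.key -cert_chain inter.crt -CAfile root.crt -verify 1`, which requests a client certificate (SSL_VERIFY_PEER) and sends the CAs from -CAfile in the CertificateRequest; `-Verify 1` instead requires one, which is SSL_VERIFY_FAIL_IF_NO_PEER_CERT from the C API.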

SSL_accept fails with bad certificate error

2012-10-09 Thread Derek Cole
Hello,

I am trying to write a server that will accept an incoming SSL connection.

In pseudo, I have the following chain of function calls


SSL_CTX_load_verify_locations(ctx, root_cert_file, root_cert_dir)

SSL_CTX_use_certificate_chain_file(chain file)

SSL_CTX_use_PrivateKey_file(chain file)

SSL_CTX_set_verify (sets SSL_VERIFY_PEER)

SSL_CTX_set_verify_depth(to a depth of 4)

The chain file has 3 things in it -

private key of the server CA
a signed certificate request signed by my server CA
the public key of the server CA


When I create a new SSL structure everything goes fine, but when I call
SSL_accept() on it, I get a return of zero, which when I read the error
queue says sslv3 alert bad certificate

What does this error mean exactly? Is it a problem with my server
certificate itself, the client certificate returned on the verify, or what?


Re: openssl procedure - i read your mini tutorial & have 1 question - please

2003-07-27 Thread Derek Chew En-Hock
Hello Alain,

sorry for the delay in the reply... I'm currently outstation at the
moment and had to find the time to VPN into my network in order to
check the IIS settings for you...

hmm... I checked my IIS setup and it indicates that the server
certificate is valid... one thing I noticed is that you are using a
512-bit RSA key instead of a 1024-bit RSA key which I am using...

if it is not too much effort, please run over the steps I outlined,
this time specifying a 1024 bit key.. also ensure that the common name
used by the certificate (inputted during the certificate request
generation) is the same as the NETBIOS/DNS Name of your IIS Server
Machine...

Good Luck and please let me know how it pans out...

Friday, July 25, 2003, 8:47:14 PM, you wrote:
AL Very thanks for you answer.

AL In the website console administration.
AL On my Webserver, via properties - tab Directory Security - in secure
AL communication frame, View Certificate.

 AL In the Certificate window, the last tab, called Certification Path, has
 AL a box called 'Certificate Status' that gives me:
 AL This certificate has an invalid digital signature.

 AL If I try to connect to my website: https://127.0.0.1/   No connection... the
 AL IIS web server just doesn't listen on port 443 because it thinks that the
 AL certificate is bad..

 AL The most amazing thing is that IIS imports the certificate with success and
 AL indicates that I have the private key. Also, I checked in the Event Viewer in all
 AL subdirectories... but I found nothing concerning IIS except this:
AL ---
AL Event Type: Warning
AL Event Source: W3SVC
AL Event Category: None
AL Event ID: 48
AL Description:
AL One of the certificates in the certificate chain of the server certificate
AL for instance '1' has an invalid signature.
AL 

 AL Also, if I install my NetMeeting certificate, the IIS web server works fine in
 AL SSL mode (so my configuration is correct... except for this server
 AL certificate)

AL So, if you have an idea... ! Thanks,
AL Alain


AL nb: i attached snapshot about the certificate window.


AL - Original Message - 
AL From: Derek Chew En-Hock [EMAIL PROTECTED]
AL To: Alain Lafleche [EMAIL PROTECTED]
AL Cc: [EMAIL PROTECTED]
AL Sent: Friday, July 25, 2003 7:42 AM
 AL Subject: Re: openssl procedure - i read your mini tutorial & have 1
 AL question - please


 Hello Alain,

 where did you see the certificate status option? from my IE6 browser,
 it only indicates that the certificate isn't verified by a
 trusted CA... not to mention I see the SSL symbol (locked padlock
 icon) which indicates that 128-bit encryption is enabled...

 any more experienced OpenSSL users would like to comment on this?

 Thursday, July 24, 2003, 10:34:54 PM, you wrote:
 AL Hi,
 AL I just read your mini-tutorial and I want to thank you! It was a really
 AL easy procedure to follow. Thanks
 AL But I have only 1 question:
 AL The certificate request was signed with success. I imported it into IIS. I can
 AL check that the certificate is issued in my name and it indicates that I have
 AL the private key for this certificate.

 AL But the problem is that the certificate status indicates:
 AL This certificate has an invalid digital signature.

 AL The result is that IIS doesn't work in secure mode.
 AL Thanks very much,
 AL Alain
 AL nb: I made a test with another certificate and my IIS configuration
 AL works fine in secure SSL mode.

 -- 
 Best regards,
 Derek   mailto:[EMAIL PROTECTED]




-- 
Best regards,
 Derek   mailto:[EMAIL PROTECTED]



Re: openssl procedure - i read your mini tutorial & have 1 question - please

2003-07-25 Thread Derek Chew En-Hock
Hello Alain,

where did you see the certificate status option? from my IE6 browser,
it only indicates that the certificate isn't verified by a
trusted CA... not to mention I see the SSL symbol (locked padlock
icon) which indicates that 128-bit encryption is enabled...

any more experienced OpenSSL users would like to comment on this?

Thursday, July 24, 2003, 10:34:54 PM, you wrote:
AL Hi,
AL I just read your mini-tutorial and I want to thank you! It was a really easy
procedure to follow. Thanks
AL But I have only 1 question:
AL The certificate request was signed with success. I imported it into IIS. I can check that the
certificate is issued in my name and it indicates that I have the private key for this
certificate.

AL But the problem is that the certificate status indicates:
AL This certificate has an invalid digital signature.

AL The result is that IIS doesn't work in secure mode.
AL Thanks very much,
AL Alain
AL nb: I made a test with another certificate and my IIS configuration works fine in
secure SSL mode.

-- 
Best regards,
 Derek   mailto:[EMAIL PROTECTED]



[HOWTO] Use Open SSL Cert in IIS

2003-07-22 Thread Derek Chew En-Hock
Hello Everyone,

just wanted to contribute a short HOWTO as I have been spending the
last few days reading google groups, the openssl HOWTOs and didn't
really find a good one that teaches you how to get it done... any
comments appreciated!

anyway, great work OpenSSL team!

How to use OpenSSL to act as a CA to sign an IIS certificate request for SSL use

1. Create a certificate request via the Internet Services Manager under
'Directory Security-Secure Communication-Server Certificate'. This
is found under the property tab for the webserver you want to secure.
Follow the wizard to create a certificate request and fill up all
required details. At the end of the wizard, it will generate a
certreq.txt file. Move this to your favorite linux box (e.g Debian) or
run openssl under cygwin.

2. We now have to generate a private key using OpenSSL

openssl genrsa -des3 -out cakey.pem 2048

The process will prompt you to supply a PEM pass phrase to help secure the key.

3. Now we have to create a CA certificate for our bogus CA

openssl req -new -x509 -key cakey.pem -out cacert.pem -days 1825

4. Create the following directories in your home directory

demoCA
demoCA/private
demoCA/newcerts

Also create in demoCA an empty text file called 'index.txt' and a text
file called 'serial' containing the number '01'

5. Move your private key cakey.pem to the demoCA/private directory
and cacert.pem to demoCA/

6. Sign our previously created IIS certificate request

openssl ca -in certreq.txt -out iis.cer

7. Open iis.cer in your favorite text editor (eg vi) and remove all the text
before the line '-- Begin Certificate --'. IIS is not able to handle
the text above that line and may get confused!

8. Move iis.cer back to your Windows machine and complete the
certificate request in IIS by importing the iis.cer file.

All done!

-- 
Best regards,
 Derek Chew En-Hock   mailto:[EMAIL PROTECTED]



Outlook DOES NOT support client-side certs

2002-10-22 Thread Derek Simkowiak

This is for the purposes of the list archives, as I have wasted a
great deal of time on this and there is misleading information on the
Internet.

I have tested Outlook 2002, both with and without Office
ServicePack1 and Office ServicePack2 (independently), on 4 different
workstations, and I can say with a high degree of certainty that Microsoft
Outlook does NOT support the use of client-side certificates.  It simply
does not return the certificate when prompted for it, and then fails to
connect.

I was very thorough in my testing, trying everything including
making sure that the cert 'cn' matched the email address of the IMAP
account, and it just doesn't work.  Several hours of Google searches and
Microsoft KnowledgeBase searches did not produce any information on this
subject.



Thanks,
Derek Simkowiak
dereks at itsite dot com




OpenSSL Book....

2002-07-17 Thread Derek Heidorn


For those who don't already know this, there's a book on OpenSSL published
by O'Reilly.
Details:
Network Security with OpenSSL
Authors: John Viega, Matt Messier and Pravir Chandra
Publisher: O'Reilly
ISBN: 0-596-00270-X
Cheers,

Derek
--
__
Derek Heidorn
E-Mail: [EMAIL PROTECTED]



Converting PKCS12 certificates to PEM format

2002-06-05 Thread Derek Jones

Hi,

I have PKCS12 format certificates (.pfx) which I use in conjunction with IE
to connect to a secure site requiring client certificates. This works fine.

I would like to do the same using openssl. However, since openssl does not
support the PKCS12 format directly, I need to convert the certificates to
PEM format. I have tried various utilities such as openssl PKCS12, but
cannot get openssl to successfully send the client certificate in an
acceptable format for the server. I get a fatal certificate_unknown alert
when openssl sends the certificate after the ServerHello.

Any help would be appreciated.

Regards

Derek Jones



Re: Microsoft IIS backup key format

2001-08-21 Thread derek

I was just playing with this yesterday...

I generated a CSR for thawte and imported the cert and verified it all 
worked in IIS5 and then export everything for use with Apache-mod-ssl 1.3.20.

I was able to run the exported private key file through the pkcs12 util in
openssl and then edit the file in vi to separate out the encrypted private key

just use the -in and -out params to the pkcs12 util

Later,
dj

Hellan,Kim KHE wrote:

 Simple question.
 Does anyone know what format the key backup file from a MS IIS webserver is?
 If yes...anyone know of a tool to parse/create such a file?
 The binary backup file contains both the private key and the belonging
 certificate, but it is not PKCS#12.
 
 My guess is, that the key probably is the obscure MS PVK format and the
 certificate is another MS specific format.
 
 Thanks,
 Kim Hellan
 KMD / KMD-CA
 http://www.kmd-ca.dk
 Mailto:[EMAIL PROTECTED]
 
 


-- 

Derek Browne[EMAIL PROTECTED]
Director of RD - Security  Yo Inc.

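
For both Derek Jones's .pfx question and dj's IIS export the job is the same: pull the certificate and the key out of the PKCS#12 file as separate PEM files, and make sure the two belong together before pointing s_client or mod_ssl at them. The script below is an added example, not code from either message: it builds a throwaway .pfx from a self-signed certificate so it can run offline, so the subject, the export password and the file names are all assumptions, and it needs the openssl CLI. `pkcs12 -clcerts -nokeys` yields the client certificate and `-nocerts -nodes` the key; `-cacerts -nokeys` (not shown) yields any CA certificates bundled in the file.

```shell
#!/bin/sh
# Added example, not code from either message. Splits a PKCS#12 (.pfx) file into
# the PEM certificate and key that s_client, mod_ssl and friends take, and checks
# that the two belong together. The .pfx is made here from a throwaway
# self-signed cert so the demo runs offline; subject, password and file names
# are assumptions. Needs the openssl CLI.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
PFX_PASS=changeit    # assumed export password

# Stand-in for the .pfx exported from the IE / IIS certificate store
make_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout orig.key -out orig.crt \
        -subj "/CN=Example Client" >/dev/null 2>&1
    openssl pkcs12 -export -in orig.crt -inkey orig.key -name client \
        -out client.pfx -passout "pass:$PFX_PASS" >/dev/null 2>&1
}

# split_pfx PFX PREFIX: writes PREFIX.crt (the client cert, no CA certs) and
# PREFIX.key (unencrypted, so keep it mode 600). pkcs12 prints "Bag Attributes"
# lines in front of each PEM block; that is the text dj cut out in vi. OpenSSL's
# PEM reader ignores it, but piping through x509/pkey drops it anyway.
split_pfx() {
    openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$2.crt"
    openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
        | openssl pkey -out "$2.key"
    chmod 600 "$2.key"
}

# key_matches_cert KEY CRT: 0 when the key's public half equals the cert's
# SubjectPublicKeyInfo. If they differ, the CertificateVerify the client signs
# during the handshake cannot check out at the server.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

make_pfx
split_pfx client.pfx client
if key_matches_cert client.key client.crt; then
    echo "client.key matches client.crt"
    echo "try: openssl s_client -connect host:443 -cert client.crt -key client.key -CAfile <server CA>"
else
    echo "client.key does NOT belong to client.crt" >&2
    exit 1
fi
```

The public-key comparison is the check to run first whenever a server rejects a client certificate that "works in IE": a .pfx exported without its private key, or a key file paired with the wrong certificate, fails here before any network traffic is involved.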



timestamp server with OpenSSL

2000-11-02 Thread Derek Charles

I'd like to set up my own timestamping server with OpenSSL.

Has anyone done this already and can give me some pointers or point me to a 
good resource?

Thanks in advance,

Derek.


_
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

Share information about yourself, create your own public profile at 
http://profiles.msn.com.




req: help to rebuff an attack on openssl

2000-10-09 Thread Derek Charles

All,

I have a report in front of me commissioned by someone in my company to 
review our CA/PKI system.  Frankly I'm not too happy about it and would like 
some bitingly worded and technically brilliant responses to support our use 
of OpenSSL which I would like to continue.

The push of the report is to move away from openssl to a vendor solution.
I've had a cursory look over some vendor products like baltimore, identrus
and iplanet and haven't been too impressed with any of the bells and
whistles they offer like vendor specific browser apps and client private key
escrow in proprietary databases.  I was very impressed by Iplanet's pre
sales "technical" sales guys telling me they didn't use Xenroll.dll to
install certs in IE browsers with their certificate management software (as
I do with my CA), they use OSPF! and suggest we _force_ all of our clients
to use netscape browser anyway. Some other unnamed company expect you to
think adding 30% to the price of their already pricey software is justified
if it lets you use "advanced features" (ie x509v3 extended attribute).  I
guess people that have never used openssl would be impressed.

Is there anyone on the list who has done a more rigorous comparison of
commercial systems vs. OpenSSL?  Either out of the box openssl executables
or custom written apps using the libraries?  An independent review of
commercial CAs would be the ultimate resource here and I can add on the
features possible with openssl based apps/scripts.

Any help as always greatly appreciated.

Dereck Charles.





Certificate based SSO

2000-10-02 Thread Derek Charles

Forgive me for being slightly off topic here.

My company has several sites and applications that require authentication by 
digital certificate.  We'd like to wrap it all up into a portal site for 
single point of access and make it single sign on.

I was wondering if anyone on the list could point me to a good source of 
info on certificate based single sign on solutions, preferably based on 
openssl and some sort of ldap x.500 system?

I'd like to have people come in to the portal site over https, authenticate 
with a digital certificate and then be able to access other secure sites 
using the same certificate _without being asked again for the certificate_.

Thanks in advance for any help.


Derek Charles.




Re: autoloader emissions in Net::SSLeay.pm

2000-08-18 Thread Derek J. Balling

Has NOBODY got any idea why this would be happening? Same program, 
same call-method, but when one program calls it, it autoloads the 
die_if_ssl_error nonsense causing the "known problem", but if another 
program calls with the exact same parameters it works fine.

Help!

D

OK, I'll bite... under what conditions will die_if_ssl_error be made 
autoloadable?

I can call the get_https function with the SAME set of arguments 
from the same perl package (I have my own "WebGet" package that I 
use internally at work for fetching pages from HTTP or HTTPS 
servers).

Setting stuff up in debug mode, I print out the argument list I'm 
going to call get_https with, and they're identical. Is there any 
way to FORCE it NOT to autoload die_if_ssl_error?

Here's the debug output in the case where it works. In both cases, 
this debug output is printed out RIGHT before my WebGet.pm package 
calls out to:

 ($page,$response,%reply_headers) =
 get_https($host,$port,$location,$header_string);

[ I'm using $header_string and not make_headers only because I had 
removed that code in the process of debugging, and after I found out 
what it did I didn't bother putting it back ]

Can anyone give me any suggestions as to what I am doing wrong, and 
what I should do to correct it?


$ ./db_test.pl
HOST: pp1.yahoo.com PORT: 443 LOCATION: /
HEADER_STRING:
--
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
Host: my.secure.yahoo.com
--
OK


... And In the case where it fails:


$ ./test.sh
HOST: pp1.yahoo.com PORT: 443 LOCATION: /
HEADER_STRING:
--
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
Host: my.secure.yahoo.com
--
Argument "pp1.yahoo.com" isn't numeric in entersub at 
/usr/local/lib/perl5/site_perl/5.005/i386-freebsd/Net/SSLeay.pm line 
342.
Ambiguous call resolved as CORE::connect(), qualify as such or use &
at blib/lib/Net/SSLeay.pm (autosplit into 
blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 1034.
Argument "/etc/passwd" isn't numeric in entersub at 
/usr/local/lib/perl5/site_perl/5.005/i386-freebsd/Net/SSLeay.pm line 
342.
Use of uninitialized value at blib/lib/Net/SSLeay.pm (autosplit into 
blib/lib/auto/Net/SSLeay/https_cat.al) line 1265.
Use of uninitialized value at blib/lib/Net/SSLeay.pm (autosplit into 
blib/lib/auto/Net/SSLeay/https_cat.al) line 1266.
Use of uninitialized value at blib/lib/Net/SSLeay.pm (autosplit into 
blib/lib/auto/Net/SSLeay/https_cat.al) line 1310.
Use of uninitialized value at blib/lib/Net/SSLeay.pm (autosplit into 
blib/lib/auto/Net/SSLeay/https_cat.al) line 1313.



autoloader emissions in Net::SSLeay.pm

2000-08-15 Thread Derek J. Balling

OK, I'll bite... under what conditions will die_if_ssl_error be made 
autoloadable?

I can call the get_https function with the SAME set of arguments from 
the same perl package (I have my own "WebGet" package that I use 
internally at work for fetching pages from HTTP or HTTPS servers).

Setting stuff up in debug mode, I print out the argument list I'm 
going to call get_https with, and they're identical. Is there any way 
to FORCE it NOT to autoload die_if_ssl_error?

Here's the debug output in the case where it works. In both cases, 
this debug output is printed out RIGHT before my WebGet.pm package 
calls out to:

 ($page,$response,%reply_headers) =
 get_https($host,$port,$location,$header_string);

[ I'm using $header_string and not make_headers only because I had 
removed that code in the process of debugging, and after I found out 
what it did I didn't bother putting it back ]

Can anyone give me any suggestions as to what I am doing wrong, and 
what I should do to correct it?


$ ./db_test.pl
HOST: pp1.yahoo.com PORT: 443 LOCATION: /
HEADER_STRING:
--
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
Host: my.secure.yahoo.com
--
OK


... And In the case where it fails:


$ ./test.sh
HOST: pp1.yahoo.com PORT: 443 LOCATION: /
HEADER_STRING:
--
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)
Host: my.secure.yahoo.com
--
Argument "pp1.yahoo.com" isn't numeric in entersub at 
/usr/local/lib/perl5/site_perl/5.005/i386-freebsd/Net/SSLeay.pm line 
342.
Ambiguous call resolved as CORE::connect(), qualify as such or use &
at blib/lib/Net/SSLeay.pm (autosplit into 
blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 1034.
Argument "/etc/passwd" isn't numeric in entersub at 
/usr/local/lib/perl5/site_perl/5.005/i386-freebsd/Net/SSLeay.pm line 
342.
Use of uninitialized value at blib/lib/Net/SSLeay.pm (autosplit into 
blib/lib/auto/Net/SSLeay/https_cat.al) line 1265.
Use of uninitialized value at blib/lib/Net/SSLeay.pm (autosplit into 
blib/lib/auto/Net/SSLeay/https_cat.al) line 1266.
Use of uninitialized value at blib/lib/Net/SSLeay.pm (autosplit into 
blib/lib/auto/Net/SSLeay/https_cat.al) line 1310.
Use of uninitialized value at blib/lib/Net/SSLeay.pm (autosplit into 
blib/lib/auto/Net/SSLeay/https_cat.al) line 1313.



Iaik and Openssl

2000-06-13 Thread Derek DeMoro



Does anybody know how to make openSSL read
certificates and keys created by IAIK?
I think they might implement different 
OIDs.

Please Help?

Derek DeMoro
Chief Technical Officer
BallotDirect
(650) 799-8490


No Subject

2000-06-13 Thread Derek DeMoro



Does anybody know how to make openSSL read
certificates and keys created by IAIK? I think they might implement
different OIDs. OpenSSL cannot seem to recognize
my Iaik Private Key.

Please Help?
Derek DeMoro
Chief Technical Officer
BallotDirect
(650) 799-8490


Re: Sign.sh on win32

2000-06-08 Thread Derek DeMoro

Thank You very much.  It worked.  Why is it creating
a bad crt file?

Derek

- Original Message -
From: "Peter 'Luna' Runestig" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, June 08, 2000 11:53 AM
Subject: Re: Sign.sh on win32


 Derek DeMoro wrote:

 Hi All,
I created my own CA and now want to sign any *.csr file on win32.
 I noticed the sign.sh file
 in mod-ssl and tried to duplicate it on my 2000 machine.  The
 certificate is created, but when
 I click on it, it says it's an invalid security certificate.  Anybody
 have a fix? Help. Please

The crt file contains both some clear text info about the cert and the
-BEGIN/END CERTIFICATE- wrapped pem encoded part. Open the file
in a text editor and put the pem encoded part first, and you'll be fine.

--
Peter "Luna" Runestig (fd. Altberg), Sweden [EMAIL PROTECTED]
PGP Key ID: 0xD07BBE13
Fingerprint: 7B5C 1F48 2997 C061 DE4B  42EA CB99 A35C D07B BE13

Gubben Movitz ler och nickar, / men från Charons mörka sund
dödens blund / i dina blickar / bådar snart din sista stund.
Carl Michael Bellman, Fredmans epistel nr 34

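
Steps 2 to 7 of Derek's [HOWTO] earlier on this page, and the clear-text preamble Peter explains just above, as one script. This is an added example, not code from either message: it lays out demoCA the way the stock openssl.cnf expects, signs a stand-in for IIS's certreq.txt with `openssl ca -batch`, and replaces the vi editing of step 7 with `openssl x509`, which re-emits only the certificate. Subjects and file names are assumptions; it needs the openssl CLI and its default openssl.cnf (whose [CA_default] section has dir = ./demoCA).

```shell
#!/bin/sh
# Added example, not code from the HOWTO or the sign.sh thread. Drives the
# HOWTO's demoCA layout with `openssl ca`, then does the step-7 cleanup with
# `openssl x509` instead of a text editor. Subjects and file names are
# assumptions. Needs the openssl CLI and its stock openssl.cnf (dir = ./demoCA).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Steps 2-5: CA key, self-signed CA cert and the directories/files `openssl ca`
# reads from the stock config. The key is left unencrypted so the demo needs no
# pass phrase; for a real CA keep the HOWTO's -des3 (or better, -aes256).
setup_demo_ca() {
    mkdir -p demoCA/private demoCA/newcerts
    : > demoCA/index.txt
    echo 01 > demoCA/serial
    openssl genrsa -out demoCA/private/cakey.pem 2048 >/dev/null 2>&1
    openssl req -new -x509 -key demoCA/private/cakey.pem -out demoCA/cacert.pem \
        -days 1825 -subj "/CN=Bogus Test CA" >/dev/null 2>&1
}

# Stand-in for the certreq.txt that the IIS wizard produces (step 1)
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -keyout iis.key -out certreq.txt \
        -subj "/CN=iis.example" >/dev/null 2>&1
}

# Step 6. -batch answers the "Sign the certificate?" prompts; -policy policy_anything
# lifts the default policy_match, which insists the CSR's C/ST/O equal the CA's.
sign_request() {
    openssl ca -batch -policy policy_anything -days 365 -in certreq.txt -out iis.cer >/dev/null 2>&1
}

# preamble_lines FILE: line number of the PEM header, i.e. how much human-readable
# dump `openssl ca` put in front of the certificate (1 means none)
preamble_lines() {
    grep -n '^-----BEGIN CERTIFICATE-----' "$1" | head -n 1 | cut -d: -f1
}

# Step 7 without a text editor: re-encode just the certificate. (Passing -notext
# to `openssl ca` in step 6 avoids the dump in the first place.)
clean_cert() {   # clean_cert IN OUT
    openssl x509 -in "$1" -out "$2"
}

setup_demo_ca
make_request
sign_request
echo "iis.cer: $(( $(preamble_lines iis.cer) - 1 )) lines of text before the PEM header"
clean_cert iis.cer iis.cer.clean
echo "iis.cer.clean: $(( $(preamble_lines iis.cer.clean) - 1 )) lines before the PEM header"
openssl verify -CAfile demoCA/cacert.pem iis.cer.clean
```

The final `openssl verify` against demoCA/cacert.pem is the check to run before carrying iis.cer back to Windows: it fails for exactly the kind of broken signature Alain reports in the other thread, and it exercises the same cleaned file IIS will import.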



Re: SafeGossip

1999-10-07 Thread Derek J. Balling

At 10:14 AM 10/7/99 +0100, Ben Laurie wrote:
  IIRC, providing "hooks" to strong-crypto stuff is also considered the same
  as providing strong-crypto itself, according to U.S. Idiocy^WLaw.

Allegedly, it isn't illegal, but the spooks keep telling everyone it is.
IANAL.

Dunno. Sendmail's not including hooks because their lawyers seem to have 
agreed with the spooks.

IANAL.

D