Symetric ciphers question
If i dont have key ageement and key exchange. Can my symetric cipher work?. My understanding is that the symetric key used for both encryption and decryption is the agreed key between the client and server after key agreement has been done. For key agreement to work i thought you need a private key and public key pair. So when there is a client and server public and private key used everything is fine. What about when there is no client private and public key but there is a root key on the client side. Also when there are neither root keys or client keys on the client side. On the server side there is always root and server keys. Even when there is no client or root keys on the client side the data is still encrypted over the ssl connction in some way..i used sniffer software to trace the packets...thats how i know...how can this be? How low will we go? Check out Yahoo! Messengers low PC-to-Phone call rates.
Problem of server telling client to shut down
For some reason i cannot let the client know the server has shutdown. I read the documents about ssl_shutdown() and it said if the return value is 1 then its successful. I checked this on the server side using get_shutdown() and it retrurned "1" which i believe to be the correct value. When i use get_shutdown on the client side it returns 0 which is incorrect so it never seems to get the shutdown message from the server. Also i am writing to the server on the client side and when i write after the server has shutdown it does not show any error. The second time i try to write to it it goes into the write loop and just exits inside the write function somewhere. My connection is blocking by the way could this have something to do with it?. Love cheap thrills? Enjoy PC-to-Phone calls to 30+ countries for just 2¢/min with Yahoo! Messenger with Voice.
can't send client shutdown message???????
I am trying to send the client a shutdown message. I use set shutdown on the server side and then i do ssl_shutdown.the return value from ssl_shutdown is 1 so i thought if i do get_shutdown() function on the client side that i should be able to get a return value that signals i have shutdown the serverbut i dont i always get 0 for some annoying reason. New Yahoo! Messenger with Voice. Call regular phones from your PC and save big.
client read problem please help!!!!!
Here is the relevant code. The problem is in this do_client_loop. I need to read from the server to check if it has closed but when i do this i cannot write to the server again for some reason. How can i rectify this..thanks in advance int do_client_loop(SSL *ssl) { int err, nwritten; char buf[80]; for (;;) { if (!fgets(buf, sizeof(buf), stdin)) break;for (nwritten = 0; nwritten sizeof(buf); nwritten += err) {err = SSL_write(ssl, buf + nwritten, sizeof(buf) - nwritten); if
(err = 0) return 0; } err = SSL_read(ssl, buf + nwritten, sizeof(buf) - nwritten); if (err = 0) return 0;} return 1; } int main(int argc, char *argv[]) { BIO *conn; SSL *ssl; SSL_CTX *ctx; long err; init_OpenSSL( ); seed_prng( ); clientfile = argv[1]; ctx =
setup_client_ctx( ); conn = BIO_new_connect(SERVER ":" PORT); if (!conn) int_error("Error creating connection BIO"); if (BIO_do_connect(conn) = 0) int_error("Error connecting to remote machine"); ssl = SSL_new(ctx); SSL_set_bio(ssl, conn, conn); if (SSL_connect(ssl) = 0) int_error("Error connecting SSL object"); if ((err = post_connection_check(ssl, SERVER)) != X509_V_OK) { fprintf(stderr, "-Error: peer certificate: %s\n", X509_verify_cert_error_string(err));
int_error("Error checking SSL object after connection"); } fprintf(stderr, "SSL Connection opened\n"); if (do_client_loop(ssl)) SSL_shutdown(ssl); else SSL_clear(ssl); fprintf(stderr, "SSL Connection closed\n"); SSL_free(ssl); SSL_CTX_free(ctx); return 0; }
Blab-away for as little as 1¢/min. Make PC-to-Phone Calls using Yahoo! Messenger with Voice.
Re: client read problem please help!!!!!
yeah you would think that but it doesnt for some strange reason.Girish Venkatachalam [EMAIL PROTECTED] wrote: Looks like I have not understood your problem. Why do you have to do an SSL_read() to figure out ifit has closed? SSL_write() will fail it the other sidecloses...--- michael Dorrian <[EMAIL PROTECTED]>wrote: Here is the relevant code. The problem is in this do_client_loop. I need to read from the server to check if it has closed but when i do this i cannot write to the server again for some reason. How can i rectify this..thanks in advance int do_client_loop(SSL *ssl) { int err, nwritten; char buf[80]; for (;;) { if (!fgets(buf, sizeof(buf), stdin)) break; for (nwritten = 0;
nwritten sizeof(buf); nwritten += err) { err = SSL_write(ssl, buf + nwritten, sizeof(buf) - nwritten); if (err = 0) return 0; } err = SSL_read(ssl, buf + nwritten, sizeof(buf) - nwritten); if (err = 0) return 0; } return 1; } int main(int argc, char *argv[]) { BIO *conn; SSL *ssl; SSL_CTX *ctx; long err; init_OpenSSL( ); seed_prng( ); clientfile = argv[1]; ctx = setup_client_ctx( ); conn = BIO_new_connect(SERVER ":" PORT); if (!conn) int_error("Error creating connection BIO"); if (BIO_do_connect(conn) = 0) int_error("Error connecting to remote machine"); ssl = SSL_new(ctx); SSL_set_bio(ssl, conn, conn); if (SSL_connect(ssl) =
0) int_error("Error connecting SSL object"); if ((err = post_connection_check(ssl, SERVER)) != X509_V_OK) { fprintf(stderr, "-Error: peer certificate: %s\n", X509_verify_cert_error_string(err)); int_error("Error checking SSL object after connection"); } fprintf(stderr, "SSL Connection opened\n"); if (do_client_loop(ssl)) SSL_shutdown(ssl); else SSL_clear(ssl); fprintf(stderr, "SSL Connection closed\n"); SSL_free(ssl); SSL_CTX_free(ctx); return 0; } - Blab-away for as little as 1E½/min. Make PC-to-Phone Calls using Yahoo! Messenger with Voice.__Do You Yahoo!?Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED]
Yahoo! Messenger with Voice. PC-to-Phone calls for ridiculously low rates.
closing client connection problem
If the server returns an error my client does not shut down the connection. I think i have to use SSL_Read and then if the return value is less than or equal to 0 then i just break. The problem is that when i use SSL_Read then my SSL_write does not seem to work...why is that.or is there a simpler way to check if the server has closed the connection?. How low will we go? Check out Yahoo! Messengers low PC-to-Phone call rates.
Understanding Client/Server encryption
I make a client and server certificate and then sign it with the root cert.Are these generated certificates the public keys?. I can attach small data to an RSA key but usually RSA is not used for actually encrypting the data. Is that right?. Aspecified cipher suite(e.g sha1 for hashing etc.) is used. This is also where the actual data you send's encryption scheme is also defined.Not really sure about this?. I also use SSL_OP_EPHEMERAL_RSA and SINGLE_OP_SINGLE_DH_USE So by this i see i use diffie hellmanfor key exchangeand then using RSA encryption for verification. The way this is done is very vague. How are both of these used together exactly?. I know how both the diffie hellman and RSA algorithms work as public/private keys. I think that in this case for verification a crytographic hash(e.g sha1)is made of the generatedcertificates and then this is used to matchcerts for verification. Also i dont see exactly where my public key and private keys on both the server and clientinteract to encrypt and decrypt the data. Can someone explain this better?. New Yahoo! Messenger with Voice. Call regular phones from your PC and save big.
Re: Understanding Client/Server encryption
Not boring at all and thank you for your detailed reply. I guess the last part of my question was pretty vague. I just wanted to know how the diffie-hellman and RSA public key algorithms work together. It seems both are used. But i am not sure about exactly how they are used. The diffie hellman one is the ephemeral keying one and thats about all i know..any help would be great thanks.Girish Venkatachalam [EMAIL PROTECTED] wrote: Kyle is the best person to explain these things toyou. However I will make an attempt. Please findanswers inline.--- michael Dorrian <[EMAIL PROTECTED]>wrote: I make a client and server certificate and then sign it with the root cert.Are these generated certificates the public keys?Yes, certificates are nothing but public keys(in thiscase the client and server public keys respectively)and some other ancillary information signed by theprivate key of the CA(the root cert's private key inyour case). Let us take the case of RSA for signing.Signing is nothing but the encryption with the privateportion of the RSA keypair of the hash of the messagein question. So in your case, the message consists of the client orserver certificate(public key with ancillary data). So a hash is produced with the above message as input.SHA1 is the hash algorithm used for that. Once the hash is generated, it is encrypted with theCA's private key(root cert in your case). Lo, once you append this RSA encrypted hash, you havethe signature.. I can attach small data to an RSA key but usually RSA is not used for actually encrypting the data. Is that right?.RSA or for that matter any public key encryptionscheme is highly computation intensive and alsounsuitable for messages of arbitrary length. The goal of all public key cryptosystems is either keyexchange or key agreement and of course signing( ornon repudiation).Now if you take any protocol like SSL or ssh , publickey algorithms are used only for establishing a secretkey between communicating peers, therefore a secretkey(typically a DES3 or AES key) is encrypted with thepeer's public key and sent across. This is called adigital envelope. Since the peer's private key is known only to thepeer, only the peer can decrypt the secret key andhence now secret communications can happen between thepeers.This is how SSL works, this is how ssh works, and thisis how most other security protocols would work. A specified cipher suite(e.g sha1 for hashing etc.) is used. This is also where the actual data you send's encryption scheme is also defined. Not really sure about this?.SSL RFC defines certain "cipher suites". These are acombination of a particular public key algorithm, aparticular secret key algorithm and mode, and aparticular HMAC algorithm or a hash algorithm.We already saw how the first two are used. The HMACalgorithm is used to protect the integrity of thetransferred messages. i.e, to prevent againstmalicious or accidental tampering of messages. Since hash algorithms like SHA1 or MD5 do not use asecret, anybody can modify the message along with thehash, that is why HMAC in which SHA1 or MD5 is usedalong with a secret key is used for protecting theintegrity in SSL.Well, HMAC is not the only way to do it but ... I also use SSL_OP_EPHEMERAL_RSA and SINGLE_OP_SINGLE_DH_USE So by this i see i use diffie hellman for key exchange and then using RSA encryption for verification. The way this is done is very vague. How are both of these used together exactly?. I know how both the diffie hellman and RSA algorithms work as public/private keys. I think that in this case for verification a crytographic hash(e.g sha1) is made of the generated certificates and then this is used to match certs for verification. Also i dont see exactly where my public key and private keys on both the server and client interact to encrypt and decrypt the data. Can someone explain this better?.Well, I don't know much about what the ephemeraloptions do in SSL but AFAIK the word ephemeral is usedfor short lived security associations. So if you usean ephemeral key, its lifetime is very short. If Iunderstand correctly the way SSL uses ephemeral keysis by using the SSL renegotiate option in which ciphersuites are changed on the fly. Again this happens because once a secret channel isestablished, you can always change the secret keysused for a new set of messages.To answer the second part of the question, public andprivate keys really become irrelevant once the SSLsession is established, since it is practicallyimpossible and also unncessary to use them once asecret key is established.You can try encrypting a large buffer with RSA. Evenon modern processors, it will take a huge amount oftime. Again, this is because fundamentally public keycryptosystems work very differently from secret keycryptosystems.Public key cryptosystems use mathematically hard NPcomplete problems like large number factorization ordiscrete log problems(and also elliptic curveproblems) to encrypt data.Wh
How to prompt user for password
I am not talking about the pem pass phrase here. I want a last line of authentication from the client. I want the server to have a list of common names of clients it trusts. With these client names also a client password will be stored on the server side. At runtime the server asks for this password before the ssl connection can be opened. Also the user name is got from the client certificates common name. How is this usually done and is there a function that does this?. Blab-away for as little as 1¢/min. Make PC-to-Phone Calls using Yahoo! Messenger with Voice.
Re: Why is a client certificate needed?
Slight problemthat unknown_CA error for some reason only appears on the server side not the clientKyle Hamilton [EMAIL PROTECTED] wrote: A client certificate does not identify an IP or domain name, a clientcertificate identifies a user.A server certificate identifies an IP or domain name (usually domain name).And to follow up to your other question (how to make it a warninginstead of an error): If you're programming, you set a callback forcert_verify (or whatever it's called, I'm too tired to look it upright now). Then, you can look at the verify return code -- if it'sUNKNOWN_CA, then you can present a dialog to the user. This happensbefore any actual application data is transmitted on the wire.-Kyle HOn 3/30/06, michael Dorrian <[EMAIL PROTECTED]>wrote: This is the scenario. I have a root CA which i use to sign both the client certificate and server certificate. When you are checking the client certificate all you are checking is if the ip address matches the ip address in the certificate but the certificate and ip address could be anyones?. Therefore all i need if i want to connect to the server is the same root CA as the server and then make my own client certificate and then connect to the server. In this case the root CA is all i need to have to make my client CA. Therefore, why is this check needed at all?. Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls. Great rates starting at 1¢/min.__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] Yahoo! Messenger with Voice. PC-to-Phone calls for ridiculously low rates.
Re: Why is a client certificate needed?
Thanks alot for the info kyle. I think i should be able to figure out that callback function myself. Thanks again.Kyle Hamilton [EMAIL PROTECTED] wrote: A client certificate does not identify an IP or domain name, a clientcertificate identifies a user.A server certificate identifies an IP or domain name (usually domain name).And to follow up to your other question (how to make it a warninginstead of an error): If you're programming, you set a callback forcert_verify (or whatever it's called, I'm too tired to look it upright now). Then, you can look at the verify return code -- if it'sUNKNOWN_CA, then you can present a dialog to the user. This happensbefore any actual application data is transmitted on the wire.-Kyle HOn 3/30/06, michael Dorrian <[EMAIL PROTECTED]>wrote: This is the scenario. I have a root CA which i use to sign both the client certificate and server certificate. When you are checking the client certificate all you are checking is if the ip address matches the ip address in the certificate but the certificate and ip address could be anyones?. Therefore all i need if i want to connect to the server is the same root CA as the server and then make my own client certificate and then connect to the server. In this case the root CA is all i need to have to make my client CA. Therefore, why is this check needed at all?. Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls. Great rates starting at 1¢/min.__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] How low will we go? Check out Yahoo! Messengers low PC-to-Phone call rates.
Re: Renewing expired certificates
Thanks alot for the response. It helped alot. Bernhard Froehlich [EMAIL PROTECTED] wrote: michael Dorrian wrote: Is this correct or is there a simpler way. I have to revoke all my client,server and root files and then basically create everything over again?. It depends on which certs are expired. If it's the root certificate which has expired you're basically correct. But there's no need to revoke all client certs, they will be valid at least till the root cert is expired not longer than their own expiry (handling of expired root certificates depends somewhat on the application) I am sure i can just use the same commands i used to make the root cert and then sign the client and server files and by doing this just overwrite all the existing files that are there. Is there a simpler way of just renewing the files that exist without having to create the root CA cert again and signing everything. The security does not need to be very high in my system but i would like to have a client and server pair and have two way authentication but keeping the same CA forever is fine. The only time i would like to use the revoke command is when it is really needed. Do i need to use the revoke command and why?. No. Revoking of expired certificates is only needed if you keep using your index file and the "unique_subject" entry in openssl.cnf is not set to "no".One thing you'll have to think of is, that if you overwrite your existing files you'll have no way to revoke one of the old certs in case it is compromised. They may still be valid some time. Also what is the easiest way for me to renew my expired certificates?. If you still have a backup of the requests it should be possible to generate certificates for all those requests using batch mode and sending out the new certs. But it may be difficult to convince the client software to use the new cert with the old keys, depending on the software (I have not managed it e.g. with Mozilla browsers)... IMHO it would be better just to notify your clients that they have to send in a new cert request. Any answers to both these questions would be greatly appreciated.Hope it helps,Ted;)-- PGP Public Key InformationDownload complete Key from http://www.convey.de/ted/tedkey_convey.ascKey fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 New Yahoo! Messenger with Voice. Call regular phones from your PC and save big.
Why is a client certificate needed?
This is the scenario. I have a root CA which i use to sign both the client certificate and server certificate. When you are checking the client certificate all you are checking is if the ip address matches the ip address in the certificate but the certificate and ip address could be anyones?. Therefore all i need if i want to connect to the server is the same root CA as the server and then make my own client certificate and then connect to the server. In this case the root CA is all i need to have to make my client CA. Therefore, why is this check needed at all?. Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls. Great rates starting at 1/min.
Re: Why is a client certificate needed?
sorry typo client CA = client cert.michael Dorrian [EMAIL PROTECTED] wrote:This is the scenario. I have a root CA which i use to sign both the client certificate and server certificate. When you are checking the client certificate all you are checking is if the ip address matches the ip address in the certificate but the certificate and ip address could be anyones?. Therefore all i need if i want to connect to the server is the same root CA as the server and then make my own client certificate and then connect to the server. In this case the root CA is all i need to have to make my client CA. Therefore, why is this check needed at all?. Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls. Great rates starting at 1¢/min. New Yahoo! Messenger with Voice. Call regular phones from your PC and save big.
Untrsuted Root CA warning instead of error
The way openssl is set up you load the CAs you trust and if they dont match an unknown CA error happens...is it possible to not have this as an error but a warning and then the user can decide whether to break the connection or not. New Yahoo! Messenger with Voice. Call regular phones from your PC and save big.
Renewing expired certificates
Is this correct or is there a simpler way. I have to revoke all my client,server and rootfiles and then basically create everything over again?. I am sure i can just use the same commands i used to make theroot cert and then sign the client and server filesand by doing this just overwrite all the existing files that are there. Is there a simpler way of just renewing the files that exist without having to create the root CA cert again and signing everything. The security does not need to be very high in my system but i would like to have a client and server pair and have two way authentication but keeping the same CA forever is fine. The only time i would like to use the revoke command is when it is really needed. Do i need to use the revoke command and why?. Also what is the easiest way for me to renew my expired certificates?. Any answers to both these questions would be greatly appreciated. Yahoo! Messenger with Voice. Make PC-to-Phone Calls to the US (and 30+ countries) for 2¢/min or less.
Re: SSLCARevocationFile
try this: # openssl ca revoke file.pem # openssl ca -gencrl -out revokefile.crl # openssl crl -in exampleca.crl -noout -CAfile file.pem[EMAIL PROTECTED] wrote: HelloI built a web server with apache 2.xx. Access is secure with SSLVerifyClient directiveWhen I revoke a certificate and then generate my CRL, I can verify that the certificate has been well revocated and is part of the CRL with the following commands :openssl ca -config openssl.cnf -revoke file.pemopenssl ca -config openssl.cnf -gencrl -out crl.pem -crldays 30And : openssl crl -in crl.pem -textCertificate Revocation List (CRL):Version 1 (0x0)Signature Algorithm: md5WithRSAEncryptionIssuer: /C=FR/ST=RHONE ALPE/L=LYON/O=DGI/CN=ca_root/[EMAIL PROTECTED]Last Update: Mar 21 12:05:03 2006 GMTNext Update: Apr 20 12:05:03 2006 GMTRevoked Certificates:Serial Number: 02Revocation Date: Mar 17 13:13:21 2006 GMTSerial Number: 03Revocation Date: Mar 17 12:16:19 2006 GMTSignature Algorithm: md5WithRSAEncryption73:66:b1:89:22:80:78:a7:c7:d5:ce:d9:5e:35:0b:96:d1:83:57:3c:4a:c0:9e:30:d4:9a:37:96:79:71:ff:85:48:42:4a:35:56:f8:d9:fa:d1:ad:c9:74:5d:e8:02:bd:27:2c:6b:77:55:59:96:07:f1:fc:4d:b8:1b:4c:14:2d:86:84:7c:8b:a7:b0:10:c6:32:b6:37:d6:f9:41:3a:38:85:61:57:ac:46:76:b0:df:cb:1b:b3:24:46:6f:8b:32:61:39:4f:b8:6d:ad:75:a2:63:85:7d:56:f1:2c:3d:0d:f0:c2:d1:d4:9e:a8:2c:86:27:4d:e3:c3:69:8c:3a:c9:66:f3:44:86:e8:a9:a8:a0:3b:70:23:6f:c8:3e:e1:bf:2a:15:cf:ed:fb:d4:2d:57:8d:54:f7:53:aa:1a:8b:89:f0:69:c9:00:dd:8f:bf:73:88:95:86:a4:76:f3:7a:fe:39:44:a9:1c:9f:41:dd:6e:62:51:0c:43:81:a5:e3:fe:ab:f3:2f:27:a9:c0:0f:92:a3:ab:da:35:9a:6c:ce:57:eb:61:b8:1c:7f:91:b6:ad:c0:99:21:bb:30:b8:25:13:5e:b5:fb:ed:e9:55:b3:4c:4a:19:d8:96:fc:f3:e1:2c:62:a9:80:d5:b3:72:ce:37:5d:36:36:22:a4:74:e9:c3-BEGIN X509 CRL-MIIB4TCByjANBgkqhkiG9w0BAQQFADBxMQswCQYDVQQGEwJGUjETMBEGA1UECBMKUkhPTkUgQUxQRTENMAsGA1UEBxMETFlPTjEMMAoGA1UEChMDREdJMRAwDgYDVQQDFAdjYV9yb290MR4wHAYJKoZIhvcNAQkBFg9jYV9yb290QGRnaS5jb20XDTA2MDMyMTEyMDUwM1oXDTA2MDQyMDEyMDUwM1owKDASAgECFw0wNjAzMTcxMzEzMjFaMBICAQMXDTA2MDMxNzEyMTYxOVowDQYJKoZIhvcNAQEEBQADggEBAHNmsYkigHinx9XO2V41C5bRg1c8SsCeMNSaN5Z5cf+FSEJKNVb42frRrcl0XegCvScsa3dVWZYH8fxNuBtMFC2GhHyLp7AQxjK2N9b5QTo4hWFXrEZ2sN/LG7MkRm+LMmE5T7htrXWiY4V9VvEsPQ3wwtHUnqgshidN48NpjDrJZvNEhuipqKA7cCNvyD7hvyoVz+371C1XjVT3U6oai4nwackA3Y+/c4iVhqR283r+OUSpHJ9B3W5iUQxDgaXj/qvzLyepwA+So6vaNZpszlfrYbgcf5G2rcCZIbswuCUTXrX77elVs0xKGdiW/PPhLGKpgNWzcs43XTY2IqR06cM=-END X509 CRL-Problem : I'm still able to connect the server with my revocated certificate.Question : I'm not sur that apache take account of my CRL, how can I verify it ?Second Question : what can I do so that my revocated certificate is rejected by the web server ?My httpd.conf:DocumentRoot "/var/www/serveur/serverssl/html"ServerName serversslServerAdmin [EMAIL PROTECTED]ErrorLog logs/error_ssl_logTransferLog logs/access_ssl_logSSLEngine onSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXPSSLCertificateFile /etc/ssl/cassl/serverssl.pemSSLCertificateKeyFile /etc/ssl/cassl/serverssl.keySSLCACertificatePath /etc/ssl/casslSSLCACertificateFile /etc/ssl/cassl/trustees.pemSSLCARevocationFile /etc/ssl/crl/crl.pemSSLVerifyClient requireSSLVerifyDepth 10Any help would be great__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] Yahoo! Messenger with Voice. Make PC-to-Phone Calls to the US (and 30+ countries) for 2¢/min or less.
Re: SSLCARevocationFile
sorry was a typo in the last post.. # openssl ca revoke file.pem # openssl ca -gencrl -out revokefile.crl # openssl crl -in revokefile.crl -noout -CAfile file.pemmichael Dorrian [EMAIL PROTECTED] wrote:try this: # openssl ca revoke file.pem # openssl ca -gencrl -out revokefile.crl # openssl crl -in exampleca.crl -noout -CAfile file.pem[EMAIL PROTECTED] wrote: HelloI built a web server with apache 2.xx. Access is secure with SSLVerifyClient directiveWhen I revoke a certificate and then generate my CRL, I can verify that the certificate has been well revocated and is part of the CRL with the following commands :openssl ca -config openssl.cnf -revoke file.pemopenssl ca -config openssl.cnf -gencrl -out crl.pem -crldays 30And : openssl crl -in crl.pem -textCertificate Revocation List (CRL):Version 1 (0x0)Signature Algorithm: md5WithRSAEncryptionIssuer: /C=FR/ST=RHONE ALPE/L=LYON/O=DGI/CN=ca_root/[EMAIL PROTECTED]Last Update: Mar 21 12:05:03 2006 GMTNext Update: Apr 20 12:05:03 2006 GMTRevoked Certificates:Serial Number: 02Revocation Date: Mar 17 13:13:21 2006 GMTSerial Number: 03Revocation Date: Mar 17 12:16:19 2006 GMTSignature Algorithm: md5WithRSAEncryption73:66:b1:89:22:80:78:a7:c7:d5:ce:d9:5e:35:0b:96:d1:83:57:3c:4a:c0:9e:30:d4:9a:37:96:79:71:ff:85:48:42:4a:35:56:f8:d9:fa:d1:ad:c9:74:5d:e8:02:bd:27:2c:6b:77:55:59:96:07:f1:fc:4d:b8:1b:4c:14:2d:86:84:7c:8b:a7:b0:10:c6:32:b6:37:d6:f9:41:3a:38:85:61:57:ac:46:76:b0:df:cb:1b:b3:24:46:6f:8b:32:61:39:4f:b8:6d:ad:75:a2:63:85:7d:56:f1:2c:3d:0d:f0:c2:d1:d4:9e:a8:2c:86:27:4d:e3:c3:69:8c:3a:c9:66:f3:44:86:e8:a9:a8:a0:3b:70:23:6f:c8:3e:e1:bf:2a:15:cf:ed:fb:d4:2d:57:8d:54:f7:53:aa:1a:8b:89:f0:69:c9:00:dd:8f:bf:73:88:95:86:a4:76:f3:7a:fe:39:44:a9:1c:9f:41:dd:6e:62:51:0c:43:81:a5:e3:fe:ab:f3:2f:27:a9:c0:0f:92:a3:ab:da:35:9a:6c:ce:57:eb:61:b8:1c:7f:91:b6:ad:c0:99:21:bb:30:b8:25:13:5e:b5:fb:ed:e9:55:b3:4c:4a:19:d8:96:fc:f3:e1:2c:62:a9:80:d5:b3:72:ce:37:5d:36:36:22:a4:74:e9:c3-BEGIN X509 CRL-MIIB4TCByjANBgkqhkiG9w0BAQQFADBxMQswCQYDVQQGEwJGUjETMBEGA1UECBMKUkhPTkUgQUxQRTENMAsGA1UEBxMETFlPTjEMMAoGA1UEChMDREdJMRAwDgYDVQQDFAdjYV9yb290MR4wHAYJKoZIhvcNAQkBFg9jYV9yb290QGRnaS5jb20XDTA2MDMyMTEyMDUwM1oXDTA2MDQyMDEyMDUwM1owKDASAgECFw0wNjAzMTcxMzEzMjFaMBICAQMXDTA2MDMxNzEyMTYxOVowDQYJKoZIhvcNAQEEBQADggEBAHNmsYkigHinx9XO2V41C5bRg1c8SsCeMNSaN5Z5cf+FSEJKNVb42frRrcl0XegCvScsa3dVWZYH8fxNuBtMFC2GhHyLp7AQxjK2N9b5QTo4hWFXrEZ2sN/LG7MkRm+LMmE5T7htrXWiY4V9VvEsPQ3wwtHUnqgshidN48NpjDrJZvNEhuipqKA7cCNvyD7hvyoVz+371C1XjVT3U6oai4nwackA3Y+/c4iVhqR283r+OUSpHJ9B3W5iUQxDgaXj/qvzLyepwA+So6vaNZpszlfrYbgcf5G2rcCZIbswuCUTXrX77elVs0xKGdiW/PPhLGKpgNWzcs43XTY2IqR06cM=-END X509 CRL-Problem : I'm still able to connect the server with my revocated certificate.Question : I'm not sur that apache take account of my CRL, how can I verify it ?Second Question : what can I do so that my revocated certificate is rejected by the web server ?My httpd.conf:DocumentRoot "/var/www/serveur/serverssl/html"ServerName serversslServerAdmin [EMAIL PROTECTED]ErrorLog logs/error_ssl_logTransferLog logs/access_ssl_logSSLEngine onSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXPSSLCertificateFile /etc/ssl/cassl/serverssl.pemSSLCertificateKeyFile /etc/ssl/cassl/serverssl.keySSLCACertificatePath /etc/ssl/casslSSLCACertificateFile /etc/ssl/cassl/trustees.pemSSLCARevocationFile /etc/ssl/crl/crl.pemSSLVerifyClient requireSSLVerifyDepth 10Any help would be great__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] Yahoo! Messenger with Voice. Make PC-to-Phone Calls to the US (and 30+ countries) for 2¢/min or less. Yahoo! Messenger with Voice. PC-to-Phone calls for ridiculously low rates.
Re: convert untrusted certificate to a trusted one.
Andrew You may need to buy a trusted certificate from some company who sells them like for example "VeriSign". They are pretty expensive. I take it whatever organisation you are working for then they will have to buy it. I am afraid you cannot convert a certificate to a trusted one using openssl unless you make certificates for both the client and the server yourself. If you are distributing software to clients and then they connect to your server then you can embed your trusted ca when you install the software but if for example you have no control over the client side then you need to buy the certificate. What are you using the cetificates for?. For example www.amazon.com have a trusted certificate. Because anyone browsing the web can log on but there is no control on the client side so the only way they can have security is to buy their certificate from an agency that specializes in it. The web browser checks to see if the web sites certificate is from a trusted authority(e.g verisign) if it is then only a security alert dialog box appears and you click ok to enter but if its a self signed certificate then another dialog box appears after you click ok. This warns you that the certificate was not issued by a trusted authority so it is not "trusted". A self signed certificate and a trusted certificate have the same security as far as encryption is concerned but the trusted certificate is from an agency that specialises in making certificates. This explains the process for making a self signed certificate for a web browser at http://www.xenocafe.com/tutorials/self_signed_cert_IIS/self_signed_cert_IIS-part1.php. If you set up this server on windows XP and then try to log in to your machine you will see the two dialog boxes appear. In a secure website the second dialog box does not appear because the site is trusted. I gave you this example because it is very simple and easy to understand presuming you have windows XP. Hope this helps. MichaelAndrew Madu [EMAIL PROTECTED] wrote: Hi Michael,yes I have made a self signed certificate (untrusted) which I want to make trusted if possible.regardsAndrew On 3/20/06, michael Dorrian [EMAIL PROTECTED] wrote:what exactly do you mean?. Have you made a self signed certificate yourself which is untrusted or what type of certificate have you now that is "untrusted". Andrew Madu [EMAIL PROTECTED] wrote: Hi, I have created a selcert certificate, under java 1.5, which I need to convert to a trusted one. How can I do this using openssl or keytools?regardsAndrewYahoo! MailBring photos to life! New PhotoMail makes sharing a breeze. Yahoo! Mail Use Photomail to share photos without annoying attachments.
Re: certificate chain and root CA question
Thank you both for your very helpful replies.Now i have tested a so called valid subCA. In my root CA and subCA configuration files(seperate configuration files)i have basic constraints set to "CA:True" exactly the same as the root certificate. But when i loaded my subCA which was signed by my root CA it gave a certificate chain error. A valid subCA signed by a valid root CA cannot be trusted as far as i can see. Or maybe i misunderstood?. "Dr. Stephen Henson" [EMAIL PROTECTED] wrote: On Fri, Mar 17, 2006, Olaf Gellert wrote: Dr. Stephen Henson wrote: On Fri, Mar 17, 2006, michael Dorrian wrote:1. Can a CA signed by the root CA act as a trusted CA itself?.Provided the root CA permits this... Actually I think: not. It seems to be impossible to evaluate a certificate only up to a subCA, openssl always requires the complete chain up to the root CA. So I cannot tell openssl "this is a trusted subordinate CA, that's enough." That's not actually what I meant. I meant that a valid subCA signed by atrusted root CA is itself trusted.There is a mechanism to restrict trust to explicit chains in S/MIME but notcurrently in SSL.Steve.--Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepageOpenSSL project core developer and freelance consultant.Funding needed! Details on homepage.Homepage: http://www.drh-consultancy.demon.co.uk__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] Yahoo! Travel Find great deals to the top 10 hottest destinations!
Re: convert untrusted certificate to a trusted one.
what exactly do you mean?. Have you made a self signed certificate yourself which is untrusted or what type of certificate have you now that is "untrusted". Andrew Madu [EMAIL PROTECTED] wrote:Hi, I have created a selcert certificate, under java 1.5, which I need to convert to a trusted one. How can I do this using openssl or keytools?regardsAndrew Yahoo! Mail Bring photos to life! New PhotoMail makes sharing a breeze.
certificate chain and root CA question
The root CA can sign another CA. So you can have as many CA's as you like. But when the root sign another CA why can't that CA act as a trusted CA. For example i made my root CA then i created another server CA which i had signed by the root CA. I tried to load the Server CA certas my trusted CA certinstead of the root CA cert using SSL_CTX_load verify_locations but it came back as an error. In any certificate chain do u always need to have the root CA in order to verify the chain. If that is the case why are subsidiary CA's needed at all and what is their function. If every client who has a certificate signed by the root CA needs this root CA to verify its chain then any other client could act as a server and you would trust them as they have cert that was signed by your trusted CA. Is this the case. If it is it does not make any sense to me. This is probably not the case and the whole purpose of this certificate chain checking was to stop that type of thing happening but i dont see how it does stop it happening. In this i have put forward two basic questions: 1. Can a CA signed by the root CA act as a trusted CA itself?. 2. How does the certificate chain stop another client who has a certificate signed by the same root authority as youacting as a trusted CA. I know the ip addresses will be different but maybe there is a way around that too. Yahoo! Travel Find great deals to the top 10 hottest destinations!
RE: X509 cert time
Stephan, This function "X509_get_notBefore(cert));" returns a ASN1_TIME pointer so u cannot print out the results using %d which is for integers or maybe it prints out something but not correct. Now just call like this: ASN1_TIME *cert_time; char *pstring; cert_time = X509_get_notBefore(cert)); pstring = (char*)cert_time-data; printf("Time unformatted is: %s",pstring); The format should be like "YYMMDDHHMMSSZ" as someone previously said. I am sorry i did not parse this but i am sure you can figure it out yourself. Good luck!Stefan Vatev [EMAIL PROTECTED] wrote: hi DS, here is the code snippet i'm using: X509 *cert; FILE fp; fp=fopen("cacert.der","r"); /* error check*/
cert=d2i_X509_fp(fp,NULL); /* error check*/ printf("Valid From : %d",X509_get_notBefore(cert)); /*gives 13 and when printed using %s, it gives segmentation fault*/ actually, the call X509_get_notBefore() is a macro defined in ssl.h as #define X509_get_notBefore(x) ((x)-cert_info-validity-notBefore) and the data type of the member 'notBefore' is ASN1_TIME . am i doing something wrong and do u have any idea that how can i parse and print the date elements? thanx and regards, -VipinWell, if you just want to print a date, useASN1_TIME_print(BIO*, ASN1_TIME*)-ÕúBòèûB úC Tophost.bg99,9 % uptime24/7 EääðúæêEúCE÷íEâèäèEñò úC EEñâÿEhttp://www.tophost.bg/__OpenSSL
Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED]
Yahoo! Mail
Bring photos to life! New PhotoMail makes sharing a breeze.
Re: X509 cert time - i got it
Here is another thread that converts the time to a string. It may be helpful in the future http://www.securitybuzz.org/buzz/emails/id/276651/vipin rathor [EMAIL PROTECTED] wrote:hi DS and all, i was just searching the mail archive and fortunately i got the conversation between "Tan Eng Tan" and "Pj" dated almost a year back. There is a call named ASN1_TIME_print(), using this u can print time in GMT format. i guess i've answered myselfThank u all, -VipinRelax. Yahoo! Mail virus scanning helps detect nasty viruses! Yahoo! Travel Find great deals to the top 10 hottest destinations!
RE: Verifying certificate was signed by a trusted Authority
I think David may have a point here. On the client side you have a list of CA's you trust so therefore other CA's will not be accepted. It is a big problem that you can revoke other Certs with the same CN though.David Schwartz [EMAIL PROTECTED] wrote: ...except that it's not. A later certificate (w/ different public key) with the same CN can issue revocations against an earlier certificate with the same CN, per X.509. That's part of the problem with the entire X.509 model in the first place.Is this so without the newer certificate being explicitly selected astrusted? That would be a serious flaw and it's hard for me to believe thatcould be. Do you have a reference?DS__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] Yahoo! Mail Use Photomail to share photos without annoying attachments.
RE: Verifying certificate was signed by a trusted Authority
I think David may have a point here. On the client side you have a list of CA's you trust so therefore other CA's will not be accepted. It is a big problem that you can revoke other Certs with the same CN though.David Schwartz [EMAIL PROTECTED] wrote: ...except that it's not. A later certificate (w/ different public key) with the same CN can issue revocations against an earlier certificate with the same CN, per X.509. That's part of the problem with the entire X.509 model in the first place.Is this so without the newer certificate being explicitly selected astrusted? That would be a serious flaw and it's hard for me to believe thatcould be. Do you have a reference?DS__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] Yahoo! Mail Bring photos to life! New PhotoMail makes sharing a breeze.
Re: Verifying certificate was signed by a trusted Authority
First of all thank you for your reply. I read one of your previous replies to the following postand this seems to be what i need. http://www.mail-archive.com/openssl-users@openssl.org/msg20673.html X509_AUX is a "trusted certificate" format "With PEM_read_bio_X509_AUX if the certificate is trusted then the extra datawill be included."This returns an X509_AUX structure and i think its this auxilliary information that i need to decide whether the certificate is from a trusted authority or not. I don't know how to extract this information though. At the moment i get my X509 structure using SSL_get_peer_certificate(). I need to use this in order to get the server certificate. Then i extract theinformation held within this certificateusing X509_NAME_print_ex() following your previous advice. How would i go about getting this extra information that i need. "Dr. Stephen Henson" [EMAIL PROTECTED] wrote: On Tue, Mar 14, 2006, michael Dorrian wrote: Thanks for your reply. It makes sense that it does not trust any authority by default. I will try to research these functions a little more but it may be difficult to find a way to actually check that it was signed by a trusted authority. Anyway i appreciate the help. If I understand your query can do this quite simply usingSSL_CTX_get_cert_store() and calling X509_STORE_add_cert() on it for eachtrusted CA.You need to have the CAs in the form of an X509 structure but there areseveral documented ways to do that include d2i_X509() and PEM_read_bio_X509().Steve.--Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepageOpenSSL project core developer and freelance consultant.Funding needed! Details on homepage.Homepage: http://www.drh-consultancy.demon.co.uk__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] Yahoo! Mail Use Photomail to share photos without annoying attachments.
Re: Verifying certificate was signed by a trusted Authority
So if what you are saying is true then i could call myself the same name as a trusted CA authority when making my root CA and the browser will think i am a trusted CA. Is that correct?. It seems too simple to be true."Dr. Stephen Henson" [EMAIL PROTECTED] wrote: On Wed, Mar 15, 2006, michael Dorrian wrote: First of all thank you for your reply. I read one of your previous replies to the following post and this seems to be what i need. http://www.mail-archive.com/openssl-users@openssl.org/msg20673.html X509_AUX is a "trusted certificate" format "With PEM_read_bio_X509_AUX if the certificate is trusted then the extra data will be included." This returns an X509_AUX structure and i think its this auxilliary information that i need to decide whether the certificate is from a trusted authority or not. I don't know how to extract this information though. At the moment i get my X509 structure using SSL_get_peer_certificate(). I need to use this in order to get the server certificate. Then i extract the information held within this certificate using X509_NAME_print_ex() following your previous advice. How would i go about getting this extra information that i need. Not that isn't what you need. That is something else entirely. It is analagousto the browser trust settings which restrict the purposes a CA can be usedfor. By definition the CA has to be trusted before those are set.Back to your original query. A browser doesn't do anything magic to determineif a certifcate comes from a trusted CA. It contains a list of trusted root CAsinternally and checks against those. OpenSSL does the same thing except itdoesn't come with a pre-loaded set of trusted CAs you have to set themyourself.If you don't want to load them from a file you can use the SSL_CTX_get_store()and X509_STORE_add_cert() as I indicated.Steve.--Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepageOpenSSL project core developer and freelance consultant.Funding needed! Details on homepage.Homepage: http://www.drh-consultancy.demon.co.uk__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] Yahoo! Mail Bring photos to life! New PhotoMail makes sharing a breeze.
How secure are these programs?
I would just like to have the same security as somebody connecting to a https server(certificate does not need to be a trusted one). I cannot use any client keys or certs. I know that i have to present my server certificate to the client and then the client decides whether or not to connect to the server. I know that the server basically validates nothing about the client but just presents its certificate and the user decides if he/she wishes to connect to the server. I know that if i get a trusted certificate from some company like verisign and use that, that it could be more secure but at the moment i think that is not an option.Is it possible to make these programs more secure and how?. server output is: [EMAIL PROTECTED]/server SSL connection openedclient output is: [EMAIL PROTECTED]/client Subject-CN: 192.13.19.25 Issuer-CN: Server
CA Issuer Country:US Issuer Organisation: My companyDo you wish to have a secure connection with this server[y:n]y SSLConnection openedThe c programs are the following / client.c***/ #include "common.h"SSL_CTX* InitCTX(void){ SSL_METHOD *method; SSL_CTX *ctx; OpenSSL_add_all_algorithms();/* Load cryptos, et.al. */ SSL_load_error_strings();/* Bring in and register error messages */ method = SSLv2_client_method();/* Create new client-method instance */ ctx = SSL_CTX_new(method);/* Create new context */ if ( ctx == NULL )
{ ERR_print_errors_fp(stderr); abort(); } return ctx;} int do_client_loop(SSL *ssl){ int err, nwritten; char buf[80]; for (;;) { if (!fgets(buf, sizeof(buf), stdin)) break; for (nwritten = 0; nwritten sizeof(buf); nwritten += err) { err = SSL_write(ssl, buf + nwritten, sizeof(buf) - nwritten); if (err =
0) return 0; } } return 1;}void ShowCerts(SSL* ssl){ X509 *cert; char buf[100]; /* get the server's certificate */cert = SSL_get_peer_certificate(ssl);if ( cert != NULL ) { /* issuer */X509_NAME_get_text_by_NID(cert-cert_info-subject, NID_commonName, buf,sizeof(buf));printf(" Subject-CN: %s\n", buf);X509_NAME_get_text_by_NID(cert-cert_info-issuer, NID_commonName, buf,sizeof(buf));printf(" Issuer-CN: %s\n", buf);X509_NAME_get_text_by_NID(cert-cert_info-issuer, NID_countryName, buf,sizeof(buf));printf(" Issuer
Country: %s\n", buf);X509_NAME_get_text_by_NID(cert-cert_info-issuer, NID_organizationName, buf,sizeof(buf));printf(" Issuer Organisation: %s\n", buf);} else printf("No certificates.\n");} int main(int argc, char *argv[]){ BIO *conn; SSL *ssl; SSL_CTX *ctx; char input; init_OpenSSL( ); seed_prng( ); ctx = InitCTX(); conn = BIO_new_connect(SERVER ":" PORT); if (!conn) int_error("Error creating connection BIO"); if (BIO_do_connect(conn) =
0) int_error("Error connecting to remote machine"); ssl = SSL_new(ctx); SSL_set_bio(ssl, conn, conn); if (SSL_connect(ssl) = 0) int_error("Error connecting SSL object");ShowCerts(ssl);printf("Do you wish to have a secure connection with this server[y:n]:");scanf("%s", input);//Isconnect = (char*)input;if (!strncmp(input, "n",1)){ SSL_free(ssl); SSL_CTX_free(ctx); return 0;} fprintf(stderr, "SSL Connection opened\n"); if (do_client_loop(ssl)) SSL_shutdown(ssl); else SSL_clear(ssl);
fprintf(stderr, "SSL Connection closed\n"); SSL_free(ssl); SSL_CTX_free(ctx); return 0;} / server.c***/ #include "common.h"#define CERTFILE "server.pem"#define CAFILE "rootcert.pem"#define CADIR NULLSSL_CTX *setup_server_ctx(void){ SSL_CTX *ctx; ctx = SSL_CTX_new(SSLv23_method( )); if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1) int_error("Error loading CA file and/or directory"); if (SSL_CTX_set_default_verify_paths(ctx) != 1) int_error("Error loading default CA file and/or directory"); if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE)
!= 1) int_error("Error loading certificate from file"); if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1) int_error("Error loading private key from file"); return ctx;} int do_server_loop(SSL *ssl){ int err, nread; char buf[80]; do { for (nread = 0; nread sizeof(buf); nread += err) { err = SSL_read(ssl, buf + nread, sizeof(buf) - nread); if (err = 0)
break; } fprintf(stdout, "%s", buf); } while (err 0); return (SSL_get_shutdown(ssl) SSL_RECEIVED_SHUTDOWN) ? 1 : 0;}void THREAD_CC server_thread(void *arg){ SSL *ssl = (SSL *)arg; #ifndef WIN32 pthread_detach(pthread_self( ));#endif if (SSL_accept(ssl) = 0) int_error("Error accepting SSL connection"); fprintf(stderr, "SSL Connection opened\n"); if (do_server_loop(ssl)) SSL_shutdown(ssl); else SSL_clear(ssl); fprintf(stderr, "SSL Connection closed\n");
SSL_free(ssl); ERR_remove_state(0); #ifdef WIN32 _endthread( );#endif}int main(int argc, char *argv[]){ BIO *acc, *client; SSL *ssl; SSL_CTX *ctx; THREAD_TYPE tid; init_OpenSSL( ); seed_prng( ); ctx = setup_server_ctx( ); acc = BIO_new_accept(PORT); if (!acc)
Re: .NET wrapper for OpenSSL
sounds brilliant. I may have needs for that shortly. Where can i get it?Frank Laub [EMAIL PROTECTED] wrote: I've just recently put together a C# class library that wraps the crypto DLL via PInvoke. I was wondering if anyone here would be interested in such a thing or if perhaps I should just create a seperate project for it. It has many advantages but the biggest is allowing for ease of use of the OpenSSL crypto API via managed lanaguages. If anyone is interested, give me a shout. -Frank Yahoo! Travel Find great deals to the top 10 hottest destinations!
Re: X509 info
Here is a function to do what you want that i just wrote today. At least i hope its what you want. Good luck!. void ShowCerts(SSL* ssl){ X509 *cert; char buf[100]; /* get the server's certificate */cert = SSL_get_peer_certificate(ssl);if ( cert != NULL ) { /* issuer */X509_NAME_get_text_by_NID(cert-cert_info-subject, NID_commonName, buf,sizeof(buf));printf(" Subject-CN: %s\n", buf);X509_NAME_get_text_by_NID(cert-cert_info-issuer, NID_commonName, buf,sizeof(buf));printf(" Issuer-CN: %s\n", buf);X509_NAME_get_text_by_NID(cert-cert_info-issuer, NID_countryName, buf,sizeof(buf));printf(" Issuer Country: %s\n",
buf);X509_NAME_get_text_by_NID(cert-cert_info-issuer, NID_organizationName, buf,sizeof(buf));printf(" Issuer Organisation: %s\n", buf);} else printf("No certificates.\n");} Bernhard Froehlich [EMAIL PROTECTED] wrote: vipin rathor wrote: hi all, I want to develop a small utility in C to show all information about the X509 certificate file in a structured comprehensive(as displayed by browsers like IE). i'm working on SLES 9. so please help me out one more thing, i know the routines like X509_get_subject_name() and X509_get_issuer_name(), but i can not find the manaul pages for these routines. where can i get that??? moreover i want other
information about other routines as well that can give me all information about the certificate. An early response will be appreciated.You should have a look at http://www.openssl.org/docs/crypto/X509_NAME_print_ex.html, I think it is quite close to what you want.Otherwise I'd suggest to have a look at the sources of the X509-utility of OpenSSLHope it helps.Ted;)-- PGP Public Key InformationDownload complete Key from http://www.convey.de/ted/tedkey_convey.ascKey fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
Yahoo! Mail
Use Photomail to share photos without annoying attachments.
Re: Sign a self signed certif by a CA
Help is at hand. This is a really good explanation of how to set up certificates on Apache. I dont think it tells you how to revoke out of date certificates but i can help you with that if you want. Hope this helps. http://www.flatmtn.com/computer/Linux-SSLCertificatesApache.htmlEtienne Chove [EMAIL PROTECTED] wrote: Hi,I'd like to generate a certificate, so I did it with :sudo openssl req -x509 -config confs/apache-rouge.cnf -new \-nodes -keyout apache-rouge.key -out apache-rouge.reqso this certificate is self-signed.I'd like it to be self signed, so when someone accept it for one of myvirtual host, it's accepted for the others (virtual hosts are listed insubjectAltName)I now want to sign it with the CA (but I don't know how to do), so people whoaccepted the CA also accpet this certificat by defaut.Any idea ?Thanks.-- Etienne ChoveNetwork Admin__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] Yahoo! Travel Find great deals to the top 10 hottest destinations!
Verifying certificate was signed by a trusted Authority
I know SSL_CTX_load_verify_locations() loads the CAs you trust from a pem file that you store locally on your client machine but i cannot use this function as i dont want to read a pem file on the client side. I want to know if you can check to see if the server certificate presented was signed by a trusted certification authority or if its from a self signed CA. Is there any function in Openssl that can check for this?. I basically want to accomplish the same thing as when you connect to a secure server with your browser. If its a self signed certificate an extradialog boxappears warning you about this, if not this dialog box does not appear. I am not worried about the dialog boxes of course just a way of distinguishing between them. Is there a function in Openssl that does this?. Yahoo! Travel Find great deals to the top 10 hottest destinations!
Re: Sign a self signed certif by a CA
yes is the anwer to that. If you download the code for this book from this site http://www.opensslbook.com/code.html. It will unzip to a folder called "NSw0-1.3". Go into this folder and in this folder there is one subfolder called "ssl". Run that makefile in that folder. It creates two ca's one rootCA then a server CA. You can make an infinite number of CA's although usually one root CA should be enough but this gives you an example of how this is done. Good luck!.Etienne ChovE[EMAIL PROTECTED] wrote: -BEGIN PGP SIGNED MESSAGE-Hash: SHA1michael Dorrian a écrit : Help is at hand. This is a really good explanation of how to set up certificates on Apache. I dont think it tells you how to revoke out of date certificates but i can help you with that if you want. Hope this helps. http://www.flatmtn.com/computer/Linux-SSLCertificatesApache.html Is it possible to hase a certificate signed by more than one CA ?- --Etienne-BEGIN PGP SIGNATURE-Version: GnuPG v1.4.2 (GNU/Linux)iD8DBQFEF7uJvsnSxJjnYzIRApVUAJ9LFwxCYtJHcyp7xfi6QoulPVKawgCfZRmExk0yUrFl6GPyd3Rp8abGk20==srva-END PGP SIGNATURE-__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] Yahoo! Mail Use Photomail to share photos without annoying attachments.
Re: Verifying certificate was signed by a trusted Authority
Thanks for your reply. It makes sense that it does not trust any authority by default. I will try to research these functions a little more but it may be difficult to find a way to actually check that it was signed by a trusted authority. Anyway i appreciate the help.Kyle Hamilton [EMAIL PROTECTED] wrote: OpenSSL does not, by default, trust ANY certification authorities. This means that you have to give it the certs directly.It looks like the only way to do that at this point is to call the(mostly) undocumented SSL_CTX_set_cert_store() function. The bestdocumentation at this point is the source -- I'd suggest picking apartthe SSL_CTX_load_verify_locations() and figure out how it creates andsets the store.-Kyle HOn 3/14/06, michael Dorrian <[EMAIL PROTECTED]>wrote: I know SSL_CTX_load_verify_locations() loads the CAs you trust from a pem file that you store locally on your client machine but i cannot use this function as i dont want to read a pem file on the client side. I want to know if you can check to see if the server certificate presented was signed by a trusted certification authority or if its from a self signed CA. Is there any function in Openssl that can check for this?. I basically want to accomplish the same thing as when you connect to a secure server with your browser. If its a self signed certificate an extra dialog box appears warning you about this, if not this dialog box does not appear. I am not worried about the dialog boxes of course just a way of distinguishing between them. Is there a function in Openssl that does this?. Yahoo! Travel Find great deals to the top 10 hottest destinations!__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED] Yahoo! Mail Bring photos to life! New PhotoMail makes sharing a breeze.
Validating server certificate only
I want to create a sample program which connects to the server and reads in various information to verify that this server is trustworthy and then when i verify its the correct one ,connect and transfer data. I have only seen client and server examples which use a client and server pair made by a CA but i want to basically do the same thing as in a web browser but using client and server c programs. Can i use the same file as used in the browser to verify the servers authenticity or how would i go about doing it?. Relax. Yahoo! Mail virus scanning helps detect nasty viruses!
