Re: Hard-coded trusted CA-cert

2003-04-03 Thread rajagopalan ramanujam
Hi Henson,

Thanks for the suggestion. I tried the following code:

unsigned char CA_cert[811] = {
    0x30,0x82,0x03,0x27,0x30,0x82, /* ... */ };

  /* load our CA cert into the trusted certificate store */
  X509 *x = NULL;
  X509_STORE *cert_store;
  const unsigned char *c = CA_cert;      /* d2i_X509 advances this pointer, so pass a copy */
  int ok;

  x = d2i_X509(NULL, &c, (long) sizeof(CA_cert));
  if (x == NULL) {
      goto end;
  }
  cert_store = SSL_CTX_get_cert_store(ctx);
  ok = X509_STORE_add_cert(cert_store, x);
  X509_free(x);                          /* the store holds its own reference */
  if (!ok) {
      goto end;
  }

This code is working fine but I see a memory leak in this part of the code. I am losing 2048 bytes on the heap every time I exit. I tried commenting out this code and everything is ok.

Please can you tell me what cleanup procedure I am missing here?

Thank you,
raj

--- Dr. Stephen Henson [EMAIL PROTECTED] wrote:
> On Wed, Mar 26, 2003, rajagopalan ramanujam wrote:
>
> > hi,
> >
> > I have tested the SSL handshake but it is failing when verifying the
> > server certificate with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. I
> > generated the self-signed CA and used the same CAcert to verify using
> > openssl verify and also using openssl s_client -verify 1 -CAfile, and it
> > seems to be working perfectly ok.
> >
> > Since I don't have a file system on the embedded platform, I cannot use
> > SSL_CTX_load_verify_locations().
> >
> > I have converted the CAcert file from base64 format to a C structure
> > using the openssl utility and I am calling SSL_CTX_use_certificate(ctx,x).
> > Still I see that there is an error somewhere. I tried calling
> > SSL_CTX_add_extra_chain_cert, but it did not help.
> >
>
> You need to retrieve the trusted certificate store using SSL_CTX_get_store()
> and then add the certificate to it using X509_STORE_add_cert().
>
> Steve.
> --
> Dr Stephen N. Henson.
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
> Email: [EMAIL PROTECTED], PGP key: via homepage.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
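The snippet above hands sizeof(CA_cert) to d2i_X509 and trusts that the hard-coded array really holds the DER it is supposed to. A cheap sanity check before the OpenSSL call is to read the outer SEQUENCE header and compare the length it declares with the array size: a truncated paste of the 'openssl x509 -C' output, or a wrong explicit size such as [811], then fails with a clear message instead of a bare NULL from d2i_X509. The following is an added example, not code from this thread or from OpenSSL. It uses only the C standard library, so it builds without OpenSSL. The arrays reproduce only the first four bytes quoted in the thread (0x30,0x82,0x03,0x27, which announce 807 content bytes plus a 4-byte header, i.e. exactly 811; Dennis's 0x30,0x82,0x02,0x6B announces 623); everything after those bytes is zero filler constructed for the example, and der_cert_len and check_hardcoded_cert are hypothetical helper names.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Header bytes as posted (811-byte array); the rest is constructed zero filler,
 * not certificate data. */
static const unsigned char CA_cert_811[811] = { 0x30, 0x82, 0x03, 0x27 };
/* Header bytes from Dennis's example: 0x26B + 4 = 623 bytes. Constructed filler. */
static const unsigned char CACert_623[623] = { 0x30, 0x82, 0x02, 0x6B };
/* Same header as CA_cert_811, but the array was declared 20 bytes too large. */
static const unsigned char CA_cert_padded[831] = { 0x30, 0x82, 0x03, 0x27 };
/* Short-form length: a SEQUENCE of 5 content bytes, 7 bytes in total (constructed). */
static const unsigned char short_form[] = { 0x30, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01 };
/* Not a SEQUENCE (an INTEGER), and an indefinite-length SEQUENCE (BER, not DER). */
static const unsigned char not_seq[] = { 0x02, 0x01, 0x05 };
static const unsigned char indefinite[] = { 0x30, 0x80, 0x00, 0x00 };

/*
 * Parse the outer DER header of an X.509 certificate (a SEQUENCE) and return the
 * total encoded length, header plus content, or -1 if the header is not a
 * well-formed definite-length DER SEQUENCE.  Nothing inside the SEQUENCE is parsed.
 */
long der_cert_len(const unsigned char *p, size_t n)
{
    size_t hdr, len, i;

    if (n < 2 || p[0] != 0x30)          /* an X.509 Certificate is a SEQUENCE */
        return -1;

    if (p[1] < 0x80) {                  /* short form: the byte is the length */
        len = p[1];
        hdr = 2;
    } else {                            /* long form: 0x8N, then N length bytes */
        size_t nbytes = p[1] & 0x7f;

        if (nbytes == 0)                /* 0x80 = indefinite length: BER, not DER */
            return -1;
        if (nbytes > 4 || n < 2 + nbytes)
            return -1;                  /* absurd or truncated header */
        if (p[2] == 0)
            return -1;                  /* DER forbids a leading zero length byte */
        len = 0;
        for (i = 0; i < nbytes; i++)
            len = (len << 8) | p[2 + i];
        if (len < 0x80)
            return -1;                  /* DER requires the short form here */
        hdr = 2 + nbytes;
    }
    if (len > (size_t)LONG_MAX - hdr)
        return -1;
    return (long)(hdr + len);
}

/*
 * Compare the array size with the length the DER header claims.  Returns 1 when
 * they match (safe to pass the array and its sizeof to d2i_X509), 0 otherwise,
 * with a diagnostic on stderr.
 */
int check_hardcoded_cert(const char *name, const unsigned char *buf, size_t size)
{
    long want = der_cert_len(buf, size);

    if (want < 0) {
        fprintf(stderr, "%s: not a definite-length DER SEQUENCE\n", name);
        return 0;
    }
    if ((size_t)want != size) {
        fprintf(stderr, "%s: DER header says %ld bytes, array holds %zu (%s)\n",
                name, want, size,
                (size_t)want > size ? "truncated" : "trailing bytes");
        return 0;
    }
    return 1;
}

int main(void)
{
    int ok = 1;

    ok &= check_hardcoded_cert("CA_cert", CA_cert_811, sizeof CA_cert_811);
    ok &= check_hardcoded_cert("CACert", CACert_623, sizeof CACert_623);
    ok &= !check_hardcoded_cert("CA_cert (truncated)", CA_cert_811, 800);
    ok &= !check_hardcoded_cert("CA_cert (padded)", CA_cert_padded, sizeof CA_cert_padded);
    return ok ? 0 : 1;
}
```

Once the check passes, the OpenSSL side is the sequence raj's follow-up arrives at: take a copy of the array pointer, call d2i_X509(NULL, &p, (long) sizeof(CA_cert)), add the result to SSL_CTX_get_cert_store(ctx) with X509_STORE_add_cert(), and X509_free() it afterwards, because the store takes its own reference. That pairing does not leak, so a fixed-size loss at exit is more likely the SSL_CTX itself or the library's global tables; in 0.9.x those are released with SSL_CTX_free() followed by ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().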


Hard-coded trusted CA-cert

2003-03-26 Thread rajagopalan ramanujam
hi,

I have tested the SSL handshake but it is failing when verifying the server certificate with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. I generated the self-signed CA and used the same CAcert to verify using openssl verify and also using openssl s_client -verify 1 -CAfile, and it seems to be working perfectly ok.

Since I don't have a file system on the embedded platform, I cannot use SSL_CTX_load_verify_locations().

I have converted the CAcert file from base64 format to a C structure using the openssl utility and I am calling SSL_CTX_use_certificate(ctx,x). Still I see that there is an error somewhere. I tried calling SSL_CTX_add_extra_chain_cert, but it did not help.

Can anyone let me know what's wrong in my code?

unsigned char CA_cert[811] = {
0x30,0x82,0x03,0x27,0x30,0x82,0x02,0x90,0xA0,0x03,0x02, /* ... */ };

void ssl_client (void)
{
  SSL_METHOD *meth;
  SSL_CTX *ctx;
  SSL *ssl;
  long err;

  SSLeay_add_ssl_algorithms();
  meth = SSLv3_client_method();          /* SSLv3 only, as posted in 2003 */
  SSL_load_error_strings();

  ctx = SSL_CTX_new(meth);

  /* 40-bit export RC4/MD5 suite, as posted */
  SSL_CTX_set_cipher_list(ctx, SSL3_TXT_RSA_RC4_40_MD5);
  {
    X509 *x = NULL;
    const unsigned char *c;

    /* load our CA cert into the certificate chain */
    c = CA_cert;                         /* d2i_X509 advances c, so use a copy */
    x = d2i_X509(NULL, &c, (long) sizeof(CA_cert));
    if (x == NULL) {
      goto end;
    }
    if (!SSL_CTX_add_extra_chain_cert(ctx, x)) {
      goto end;
    }
  }
  socket(..);
  /* ... */
  SSL_connect(ssl);
  /* ... */
  /* verify the server certificate */
  err = SSL_get_verify_result(ssl);
  /* ... */
end:
  return;
}





Re: Hard-coded trusted CA-cert

2003-03-26 Thread Dr. Stephen Henson
On Wed, Mar 26, 2003, rajagopalan ramanujam wrote:

> hi,
>
> I have tested the SSL handshake but it is failing when verifying the
> server certificate with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. I
> generated the self-signed CA and used the same CAcert to verify using
> openssl verify and also using openssl s_client -verify 1 -CAfile, and it
> seems to be working perfectly ok.
>
> Since I don't have a file system on the embedded platform, I cannot use
> SSL_CTX_load_verify_locations().
>
> I have converted the CAcert file from base64 format to a C structure
> using the openssl utility and I am calling SSL_CTX_use_certificate(ctx,x).
> Still I see that there is an error somewhere. I tried calling
> SSL_CTX_add_extra_chain_cert, but it did not help.
>

You need to retrieve the trusted certificate store using SSL_CTX_get_store()
and then add the certificate to it using X509_STORE_add_cert().

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


Re: Hard-coded trusted CA-cert

2002-03-09 Thread Boguslaw Brandys

Hello,

I'm a newbie, but now I can hardcode the root certificate. Thank you!
Still one question:


X509 *x;
..
  X509_free(x);  // must I call this?


Also, any example of how to read a certificate to and from a memory buffer would be
nice. ;-)

Boguslaw Brandys


- Original Message -
From: Dilkie, Lee [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, February 26, 2002 6:20 PM
Subject: RE: Hard-coded trusted CA-cert


> Dennis,
>
> This is what I did. I think I just looked into the
> SSL_CTX_load_verify_locations() function and copied what it did.
>
>
> {
>     X509 *x = NULL;
>     const unsigned char *c;
>
>     c = CACert;                   /* d2i_X509 advances c, so work on a copy */
>     x = d2i_X509( NULL, &c, (long) sizeof( CACert ) );
>     if( x == NULL ){
>         PostErrStack( "MiSslInit(): d2i_X509(CACert) failed" );
>         goto ERROR_CLEANUP;
>     }
>     /* appends x to the chain this side presents to the peer; the CTX takes ownership of x */
>     if( !SSL_CTX_add_extra_chain_cert( sslctx, x ) ){
>         PostErrStack( "MiSslInit(): SSL_CTX_add_extra_chain_cert() failed" );
>         goto ERROR_CLEANUP;
>     }
> }
>
> hope this helps.
>
> -lee
>
> -----Original Message-----
> From: Dennis Jarosch [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 26, 2002 5:47 AM
> To: [EMAIL PROTECTED]
> Subject: Hard-coded trusted CA-cert
>
>
> Hi everybody!
>
> I'm searching for a way of hard-coding a trusted CA certificate into a
> client executable. I have browsed the archives and the documentation,
> but I was unable to find anything useful yet.
>
> Currently, I use SSL_CTX_load_verify_locations() to load my trusted
> CA file. In my case there will only be one trusted CA and I'd prefer not
> to load it from a file.
>
> So is there a way of declaring something like this:
>
> unsigned char CACert[] = { 0x30, 0x82, 0x02, 0x6B, ... };
>
> which could be generated using 'openssl x509 -C -noout -in cacert.pem'
> and feeding it to the CTX for verification?
>
> Thanks for any help!
>
> Dennis



