RE: Please Help: Certificate Validation using subjectAltName extension
Thanks Dave for the explanation. One doubt regarding the sentence:

> If a subjectAltName extension of type dNSName is present, that MUST be used
> as the identity (RFC 2818)

What does this line mean? Does it say that if a certificate has a different CN
in the issuer subject field but SubjectAltName: x.x.x.x, which matches the
HOST.URL (server), then the handshake will go through? i.e.

    [ certificate_extensions ]
    basicConstraints = CA:false
    subjectAltName = DNS:x.x.x.x,DNS:localhost

    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = Chems
    localityName = Washington
    organizationName = Sercomm
    commonName = Verisign

    [ req_extensions ]
    basicConstraints = CA:true
    subjectAltName = DNS:x.x.x.x,DNS:localhost

Am I correct? Please help.

Best Regards,
S S Rout

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
RE: Please Help me out- SSL ERROR
> From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
> Sent: Wednesday, 18 January, 2012 02:52

<snip>

> root@1143726:/usr/bin# openssl s_client -connect 10.204.4.69:7003
> WARNING: can't open config file: /usr/ssl/openssl.cnf
> CONNECTED(0003)
> depth=0 C = IN, ST = Karnataka, L = Bangalore, O = Airvana, CN = 10.204.4.69
> verify error:num=20:unable to get local issuer certificate

<snip>

> Certificate chain
>  0 s:/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=10.204.4.69
>    i:/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=Root CA

<snip>

> My Set up looks like this. e.g. Certificate Chain would be, ROOT -> Server
> (I keep ROOT at CLIENT and Server cert at SERVER). Am I right?

Yes, at least for server auth. If you use client auth, which is not very
common, then *also* have the client cert at the client and its root at the
server.

> [root@squidpc TEST]# openssl x509 -in root.pem -text

<snip>

> Please let me know what is missing here, why I am getting the above error.

Either specify -CAfile root.pem on the s_client commandline OR put that root
cert in the default truststore, which is used when you don't specify -CAfile
and/or -CApath on the commandline. The default truststore can be a single file
or a directory with hashcode names or links or both, and is in a location that
depends on your platform and the build options of your OpenSSL.
RE: Please Help: Certificate Validation using subjectAltName extension
> From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
> Sent: Saturday, 03 December, 2011 02:56
>
> My TLS client can validate both CN and SN; I need to test both scenarios.
> I don't know how to create a certificate with the subjectAltName extension
> using openssl commands.
>
> In RFC-2818, there are two ways of Certificate Validation for Host name
> 1) CN (Common Name)
> 2) SN (Subject Name)

1. Common Name, part of the subject name which is the value of Subject.
2. Subject *Alternative* Name, which is an extension.

    If a subjectAltName extension of type dNSName is present, that MUST be
    used as the identity. Otherwise, the (most specific) Common Name field in
    the Subject field of the certificate MUST be used. Although the use of the
    Common Name is existing practice, it is deprecated and Certification
    Authorities are encouraged to use the dNSName instead.

As this says, although a bit tersely.

> I created a self-signed certificate using openssl commands and my
> certificate chain looks like below, where CN=10.204.4.69
>
> openssl genrsa -des3 -out server.key 1024
> openssl req -new -key server.key -out server.csr
> openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
>
> Please tell how to create a certificate with the subjectAltName extension
> using openssl commands?

The same way(s) you create a cert with any extension(s). See man req; man
x509; man ca; man x509v3_config.

In x509 -req supply -extfile with the name of a config file, and -extsect with
the name of a section in that file unless it is default or pointed to by
default.extensions, specifying the extension(s) you want. You want something
like

    subjectAltName=DNS:my.host.example

For selfsigned you can save a step (or two) with req -x509 (and -newkey), in
which case use -extensions or req.x509_extensions.
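To make the RFC 2818 rule Dave quotes concrete, and to cover the case in the follow-up question at the top of this page (CN=Verisign, with an IP literal written as a DNS: SAN), here is an added Python example that is not part of the thread or of OpenSSL: a stand-alone implementation of the section 3.1 identity check over a constructed CertIdentity record. The class, function names and sample certificate are assumptions of this example; a real client would fill CertIdentity from the validated peer certificate.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not from the thread. CertIdentity is a constructed stand-in for
# the identity fields a TLS client extracts from the peer certificate after the
# chain itself has been validated (identity matching is a separate step).


@dataclass
class CertIdentity:
    common_name: Optional[str]                              # subject CN
    dns_names: List[str] = field(default_factory=list)      # SAN dNSName entries
    ip_addresses: List[str] = field(default_factory=list)   # SAN iPAddress entries


def _label_matches(pattern: str, label: str) -> bool:
    """One DNS label. RFC 2818: '*' matches any single component or fragment, so
    '*.a.com' matches foo.a.com but not bar.foo.a.com, and f*.com matches foo.com."""
    if "*" not in pattern:
        return pattern == label
    head, _, tail = pattern.partition("*")       # assumes at most one '*' per label
    return (len(label) >= len(head) + len(tail)
            and label.startswith(head) and label.endswith(tail))


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive, label-by-label comparison of a dNSName against a hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def rfc2818_identity_check(cert: CertIdentity, target: str) -> Tuple[bool, str]:
    """Return (matched, which identity was consulted) for the host the client dialled."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        # Client connected to an IP literal: RFC 2818 requires an iPAddress SAN that
        # matches exactly. A DNS:10.0.0.1 entry or a CN holding the IP does not count.
        matched = any(ipaddress.ip_address(a) == target_ip for a in cert.ip_addresses)
        return matched, "iPAddress SAN"

    if cert.dns_names:
        # dNSName SANs present: they MUST be used and the CN is never consulted,
        # so a CN of "Verisign" is irrelevant as long as one SAN matches.
        matched = any(dns_name_matches(n, target) for n in cert.dns_names)
        return matched, "dNSName SAN (CN ignored)"

    if cert.common_name:
        # Deprecated fallback: the CN is used only when no dNSName SAN exists.
        return dns_name_matches(cert.common_name, target), "CN fallback (deprecated)"

    return False, "no usable identity"


if __name__ == "__main__":
    # Constructed certificate modelled on the config in the question: CN=Verisign,
    # SAN = DNS:10.204.4.69, DNS:localhost (the IP written as a DNS entry).
    cert = CertIdentity("Verisign", ["10.204.4.69", "localhost"])
    print(rfc2818_identity_check(cert, "localhost"))     # (True, 'dNSName SAN (CN ignored)')
    print(rfc2818_identity_check(cert, "10.204.4.69"))   # (False, 'iPAddress SAN')
```

The second call shows the trap in the question's config: a client that connects by IP needs an iPAddress SAN (IP:10.204.4.69 in OpenSSL config syntax), not a DNS: entry holding the address.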
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On 07/20/2011 12:45 PM, Gaglia wrote:
> ...

Feedback is always appreciated, in case somebody has further investigated the
issue :)
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On 07/16/2011 07:13 PM, y...@inbox.lv wrote:
> ...

So everybody here seems to agree that steps 1)...7) I listed in the first post
are correct, and that the problem in EC management lies in OpenVPN, right?
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On 07/16/2011 06:50 AM, y...@inbox.lv wrote:
> openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
> Error setting context

My premise is that we are considering only OpenSSL v1.0.0. Under this
condition, as I wrote in the first post, I do something like:

    # generate EC private key for curve sect571k1, no point compression
    # (to enable point compression, use -conv_form compressed)
    openssl ecparam -out cakey.pem -name sect571k1 -text -genkey

    # generate EC certificate with the above private key with SHA512
    # (note that the -sha512 arg has no effect if using v0.9.8, it
    # will use SHA-1 instead)
    openssl req -out cacert.pem -key cakey.pem -sha512 -x509 -new

    # check that everything is OK
    openssl x509 -text -in cacert.pem

    Certificate:
        ...
        *Signature Algorithm: ecdsa-with-SHA512*
        Issuer: ...
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    02:3A:...
                ASN1 OID: sect571k1
        X509v3 extensions:
        ...
        *Signature Algorithm: ecdsa-with-SHA512*
            20:89:...
    -----BEGIN CERTIFICATE-----
    MIJ...
    ...
    ASd45g==
    -----END CERTIFICATE-----

Any wrongdoing up to here?
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On Sat, Jul 16, 2011, y...@inbox.lv wrote:
> openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
> Error setting context
> 5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid digest type:.\crypto\ec\ec_pmeth.c:229:

AFAIK there is no standard for using ECC with ripemd160. OpenSSL supports SHA1
and SHA2 algorithms with ECC. So if you used -sha256 it should work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
sha256 worked (both for dgst and for req).

If I understand correctly, the ECDSA algorithm only needs the hash as a
defined-length bitstring, so adapting ripemd in place of sha1 should have been
easier than sha256 (because ripemd has the same length as sha1; sha256 is
longer).

Quoting Dr. Stephen Henson st...@openssl.org:
> On Sat, Jul 16, 2011, y...@inbox.lv wrote:
>> openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
>> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
>> Error setting context
>> 5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid digest type:.\crypto\ec\ec_pmeth.c:229:
>
> AFAIK there is no standard for using ECC with ripemd160. OpenSSL supports
> SHA1 and SHA2 algorithms with ECC. So if you used -sha256 it should work.
>
> Steve.
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On Thu, Jul 14, 2011 at 3:35 PM, Jeffrey Walton noloa...@gmail.com wrote:
> On Thu, Jul 14, 2011 at 6:22 PM, Kyle Hamilton aerow...@gmail.com wrote:
>
> Dismissed or withdrawn? It seems to me Certicom stopped biting a hand that
> feeds it.
>
> Jeff

Looking at the docket, it looks like they reached an agreement to dismiss
without prejudice (meaning the suit could be refiled in the future).

-Kyle H
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
> ...

Excuse me, I got lost somewhere... Does this mean that it is not possible to
use EC crypto with OpenSSL because the algorithms are patented? If so, why does
OpenSSL provide support for EC crypto?

Sorry, I don't want to start a religious war, but as an EU citizen (and like
many other humans too, I guess), I find the idea of patenting the mathematical
description of an algorithm unbelievably absurd.

Let's put it this way: in the unlikely and deplorable event of a user willing
to illegally use patented EC cryptography with OpenSSL for personal use (hence
assuming responsibility for any consequence), could he/she use OpenSSL? Is
OpenSSL able to handle this kind of crypto? I guess yes, for (as in the first
post of the thread) I managed to apparently do a lot of things with the curve
of my choice...

My question is, apart from legal considerations: did I do something wrong in
the certificate generation process?

Thanks for any help :)
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
The version of ECDSA available in openssl 1.0.0d supports only SHA1 (maybe
there are patches which add other hash functions, but the default build on
win32 supports only sha1).

ECDH and ECDSA are not guaranteed to use the same curve. At least with
s_server the curve for ECDSA is specified in the certificate, but the curve for
ECDH is specified by the -named_curve argument. Other programs probably use
something similar.

Last time I searched the openvpn forums for anything ECC related, I did not
find anything (probably bad keywords, but it also might be lack of ECC
support).

Quoting Kyle Hamilton aerow...@gmail.com:
> [SNIP - Kyle Hamilton's message, quoted here in full including the
> explicit-curve certificate dump, appears as its own post further down]
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On Fri, Jul 15, 2011, y...@inbox.lv wrote:
> Version of ECDSA available in openssl 1.0.0d supports only SHA1. (maybe
> there are patches, which add other hash functions, but the default build on
> win32 supports only sha1).

What makes you think that? OpenSSL 0.9.8 only supports SHA1 with ECDSA in
things like certificates but 1.0.0 and later should support other hashes such
as SHA256. Can you give an example where 1.0.0 is failing?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On Fri, Jul 15, 2011 at 10:32 AM, Gaglia san...@paranoici.org wrote:
> On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
>> ...
>
> Excuse me, I got lost somewhere... Does this mean that it is not possible to
> use EC crypto with OpenSSL because the algorithms are patented? If so, why
> does OpenSSL provide support for EC crypto?

EC is considered to be a patent minefield. Some people (RSA Data Security) say
that it's possible to implement EC cryptography using different types of
algorithms which are not covered by the patents. Other people (Bruce Schneier,
US NSA) say that the mechanism itself is patented, not simply specific
algorithms for calculation.

The US NSA licensed from Certicom the right to sublicense the EC algorithms
used in Suite B. My understanding is that OpenSSL received a gift from Sun
Microsystems of its EC sublicense from NSA.

> Let's put it this way: in the unlikely and deplorable event of a user
> willing to illegally use patented EC cryptography with OpenSSL for personal
> use (hence assuming responsibility for any consequence), could he/she use
> OpenSSL? Is OpenSSL able to handle this kind of crypto?

Yes. And, given OpenSSL's EC sublicense gift, the user of OpenSSL (if my
understanding is correct, IANAL!) is also licensed.

> I guess yes, for (as in the first post of the thread) I managed to
> apparently do a lot of things with the curve of my choice...
>
> My question is, apart from legal considerations: did I do something wrong in
> the certificate generation process?

Nobody can know unless you post the certificate in question, or at the least
the dump of the x509 structure you have. One thing that might cause a problem
is if you enabled EC point compression in your OpenSSL compile, as I don't
believe OpenSSL has a license for that.

-Kyle H
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On 07/15/2011 05:36 PM, Kyle Hamilton wrote:
> ...
> EC is considered to be a patent minefield. Some people (RSA Data Security)
> say that it's possible to implement EC cryptography using different types of
> algorithms which are not covered by the patents. Other people (Bruce
> Schneier, US NSA) say that the mechanism itself is patented, not simply
> specific algorithms for calculation.

I'll make just one comment here: U.S. patent law, at least as applied to
software, is a festering cesspool.

> The US NSA licensed from Certicom the right to sublicense the EC algorithms
> used in Suite B. My understanding is that OpenSSL received a gift from Sun
> Microsystems of its EC sublicense from NSA.

OpenSSL (in the guise of its corporate manifestation, the OpenSSL Software
Foundation) is a direct NSA sublicensee
(http://opensslfoundation.com/testing/docs/NSA-PLA.pdf). Note that sublicense
only covers some prime field ECC; for the rest of it seek competent legal
advice. Also note the license is nontransferable.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On Fri, Jul 15, 2011 at 5:36 PM, Kyle Hamilton aerow...@gmail.com wrote:
> On Fri, Jul 15, 2011 at 10:32 AM, Gaglia san...@paranoici.org wrote:
>> On 07/15/2011 08:23 AM, Kyle Hamilton wrote:
>>> ...
>>
>> Excuse me, I got lost somewhere... Does this mean that it is not possible
>> to use EC crypto with OpenSSL because the algorithms are patented? If so,
>> why does OpenSSL provide support for EC crypto?
>
> EC is considered to be a patent minefield. Some people (RSA Data Security)
> say that it's possible to implement EC cryptography using different types of
> algorithms which are not covered by the patents.

Consider the source: RSA's strongest competition is ECC and Certicom (or should
we say ECC's past competition was RSA?). RSA Data Security managed to implant
RSA into DSA with heavy lobbying, but RSA's glory days are behind them or gone.
The SecurID scandal is another testament to the fact.

I often wonder why open source implementations even care: (1) the
implementations are often available throughout the world, where US patent law
does not apply, (2) for US domestic uses, push the burden of licensing
compliance onto the user (or #define out any code found to be offensive by
*real* lawyers), and (3) most implementors don't have the money to make it
worthwhile to litigate.

For (3), Certicom most likely won't make a dime, so there's no monetary relief
or benefit even if they incur loss or damages. And at best, they will probably
be granted an injunction against US distribution. Guess what folks will do in
that case (what did they do with RSA - download from Australia or Germany or
...).

Jeff
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
    openssl dgst -ripemd160 -sign ec5_ca.key shr.o.txt
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Error setting context
    5664:error:100C508A:elliptic curve routines:PKEY_EC_CTRL:invalid digest type:.\crypto\ec\ec_pmeth.c:229:

Also, in the documentation on the pkeyutl program it is mentioned that ECDSA
supports only sha1: http://www.openssl.org/docs/apps/pkeyutl.html# (subsection
EC ALGORITHM). The documentation on the dgst program did not mention any
limitations for the choice of hash; there it was only said that sha1 is the
preferred choice.

The EC key used in the failed example above is based on secp521r1 and was
generated by openssl.

Quoting Dr. Stephen Henson st...@openssl.org:
> On Fri, Jul 15, 2011, y...@inbox.lv wrote:
>> Version of ECDSA available in openssl 1.0.0d supports only SHA1. (maybe
>> there are patches, which add other hash functions, but the default build
>> on win32 supports only sha1).
>
> What makes you think that? OpenSSL 0.9.8 only supports SHA1 with ECDSA in
> things like certificates but 1.0.0 and later should support other hashes
> such as SHA256. Can you give an example where 1.0.0 is failing?
>
> Steve.
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
ECDSA is the elliptical curve (discrete-logarithm-based) variant of DSA, the
Digital Signature Algorithm. DSA was developed by the US National Security
Agency as a means of creating prime-factorization-based signatures without
providing code paths which would permit the encryption of arbitrary data.

ANSI X9 has object identifiers for ECDSA with a variety of hashes.
1.2.840.10045.4.3. and then one of the following:
1: ECDSA with SHA-224
2: with SHA-256
3: SHA-384
4: SHA-512

The information on the curve in use is part of subjectPublicKeyInfo:

        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (521 bit)
                pub:
                    04:00:ef:07:81:ff:79:01:d3:10:a4:42:6b:d5:37:
                    a9:ed:6b:a4:1d:20:8a:20:b6:44:34:09:d9:3d:f0:
                    69:0f:b2:65:3f:d9:dd:68:72:a7:2b:cd:d4:70:e9:
                    cb:21:dd:05:34:1b:4e:42:0f:65:63:5e:b9:24:a6:
                    40:f6:cc:22:94:ea:3b:01:7f:65:38:09:33:b0:0d:
                    b3:91:b6:1d:4a:a7:9f:17:2e:56:4d:ff:14:d3:aa:
                    65:5d:3a:3d:ba:c2:d9:30:30:41:73:14:3e:6e:c7:
                    01:ae:af:52:b6:cc:31:6d:26:dd:39:dc:60:c8:b9:
                    07:fb:21:38:ec:75:dc:0f:3b:b7:9d:44:35
                Field Type: prime-field
                Prime:
                    01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff
                A:
                    01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:fc
                B:
                    51:95:3e:b9:61:8e:1c:9a:1f:92:9a:21:a0:b6:85:
                    40:ee:a2:da:72:5b:99:b3:15:f3:b8:b4:89:91:8e:
                    f1:09:e1:56:19:39:51:ec:7e:93:7b:16:52:c0:bd:
                    3b:b1:bf:07:35:73:df:88:3d:2c:34:f1:ef:45:1f:
                    d4:6b:50:3f:00
                Generator (uncompressed):
                    04:00:c6:85:8e:06:b7:04:04:e9:cd:9e:3e:cb:66:
                    23:95:b4:42:9c:64:81:39:05:3f:b5:21:f8:28:af:
                    60:6b:4d:3d:ba:a1:4b:5e:77:ef:e7:59:28:fe:1d:
                    c1:27:a2:ff:a8:de:33:48:b3:c1:85:6a:42:9b:f9:
                    7e:7e:31:c2:e5:bd:66:01:18:39:29:6a:78:9a:3b:
                    c0:04:5c:8a:5f:b4:2c:7d:1b:d9:98:f5:44:49:57:
                    9b:44:68:17:af:bd:17:27:3e:66:2c:97:ee:72:99:
                    5e:f4:26:40:c5:50:b9:01:3f:ad:07:61:35:3c:70:
                    86:a2:72:c2:40:88:be:94:76:9f:d1:66:50
                Order:
                    01:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff:fa:51:86:87:83:bf:2f:96:6b:7f:cc:01:
                    48:f7:09:a5:d0:3b:b5:c9:b8:89:9c:47:ae:bb:6f:
                    b7:1e:91:38:64:09
                Cofactor:  1 (0x1)
                Seed:
                    d0:9e:88:00:29:1c:b8:53:96:cc:67:17:39:32:84:
                    aa:a0:da:64:ba
    Signature Algorithm: ecdsa-with-SHA256
         30:81:87:02:41:7b:7d:88:a9:56:e8:d5:a0:f6:38:e7:85:4c:
         f5:1c:81:64:de:92:25:37:42:2d:31:cb:8b:af:04:32:7b:d7:
         06:19:4a:eb:a9:ca:9d:88:38:11:99:bc:2e:2b:35:e6:69:1c:
         ca:1c:8c:86:7d:74:bc:dd:96:20:8e:38:01:63:15:8b:02:42:
         01:66:42:70:5f:2e:cc:fb:1f:f3:d4:96:54:e9:b7:0a:3b:82:
         ec:b7:90:45:19:c0:ac:4c:ef:82:3d:77:07:e1:4d:13:81:d3:
         12:23:bc:84:4f:9b:ac:55:c4:a1:3b:85:08:5a:2f:ae:ad:45:
         3f:5f:da:cd:80:45:c9:79:58:d3:79:a2

The curve in use can be named (reducing the size of the subjectPublicKeyInfo),
or it can be specified explicitly (like the above). (I included the hash to
show that it is indeed legitimate to have a different hash size. I should note
that I didn't generate this with OpenSSL, and I don't know how OpenSSL
generates the sPKI.)

Also, note the large number of 0xff bytes in the prime. These can be
eliminated if you're willing to pay Certicom's point compression patent
license fee.

The patent situation around Elliptical Curve is a bit murky, but (IANAL) I am
proceeding as though the narrow interpretation promoted by the RSA Crypto FAQ
is correct: the patent situation is the opposite of what was the case for DH
and RSA: the algorithm itself is not specifically described in any particular
patent, only particular efficient implementations of it -- such as 'an
efficient algorithm using only left-shift and add instructions'. The reason
why there's murkiness is because everyone who does things is pretty much
counseled to avoid looking at the patents -- if the patents are known, then
it's evidence of willful
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On Thu, Jul 14, 2011 at 6:22 PM, Kyle Hamilton aerow...@gmail.com wrote:
> ECDSA is the elliptical curve (discrete-logarithm-based) variant of DSA, the
> Digital Signature Algorithm. DSA was developed by the US National Security
> Agency as a means of creating prime-factorization-based signatures without
> providing code paths which would permit the encryption of arbitrary data.
>
> ANSI X9 has object identifiers for ECDSA with a variety of hashes.
>
> [SNIP]
>
> The patent situation around Elliptical Curve is a bit murky, but (IANAL) I
> am proceeding as though the narrow interpretation promoted by the RSA Crypto
> FAQ is correct: the patent situation is the opposite of what was the case
> for DH and RSA: the algorithm itself is not specifically described in any
> particular patent, only particular efficient implementations of it -- such
> as 'an efficient algorithm using only left-shift and add instructions'. The
> reason why there's murkiness is because everyone who does things is pretty
> much counseled to avoid looking at the patents -- if the patents are known,
> then it's evidence of willful (rather than accidental) infringement and any
> punitive damages for such are tripled.
>
> However, Professor Dan J Bernstein says that his prime at 256 bits is
> unpatented and there's prior art from several years before the Certicom
> patents were filed -- and there was an infringement lawsuit brought by
> Certicom against Sony, which was dismissed in 2009.

Dismissed or withdrawn? It seems to me Certicom stopped biting a hand that
feeds it.

Jeff

> On Sun, Jul 10, 2011 at 8:27 PM, y...@inbox.lv wrote:
>> When I searched on it, it seemed that ECDH requires a specified named
>> curve, and openVPN does not have a means of specifying it.
>>
>> Also, it seems that ECDSA works only with SHA-1 (I also would like to know
>> why it cannot take any 160 bit hash).
>>
>> I searched about it a few weeks ago and the relevant messages were a few
>> months old.
>>
>> Quoting Gaglia san...@paranoici.org:
>>> On 07/05/2011 03:23 PM, Gaglia wrote:
>>>> I'm trying to make an OpenVPN setup with Elliptic Curves cryptography
>>>> and SHA-512 on Linux Debian.
>>>
>>> No idea anybody, really? :(
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On 07/11/2011 05:27 AM, y...@inbox.lv wrote:
> When I searched on it, it seemed that ECDH requires a specified named curve

You need to specify the curve's name, like this:

    openssl ecparam -name sect571k1

but this should only be done in the parameters generation stage; the generated
certificates should contain this information by themselves, so I don't think
specifying it to OpenVPN should be needed.

> Also, it seems that ECDSA works only with SHA-1

This has been marked as a bug and it was fixed in the most recent versions of
OpenSSL. I've met this issue with OpenSSL 0.9.8x (I don't remember the x); this
version is indeed the default one for both Debian Squeeze and Ubuntu Natty, so
this is quite annoying (I like Debian a lot, but its repos are often too
outdated). As I've written before, I've manually compiled OpenSSL v1.0.0 and I
can read the following for my certificate, as expected:

    openssl x509 -text -in cacert.pem
    ...
    Signature Algorithm: ecdsa-with-SHA512

> I searched about it a few weeks ago and the relevant messages were a few
> months old.

Same problem here :( it seems that if someone managed to solve the problem,
he/she didn't bother to write back the solution.

Thanks anyway for the reply, still waiting for further help, I can't believe
nobody managed to solve this issue :(
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
On 07/05/2011 03:23 PM, Gaglia wrote:
> I'm trying to make an OpenVPN setup with Elliptic Curves cryptography and
> SHA-512 on Linux Debian.

No idea anybody, really? :(
Re: Please help: OpenSSL + OpenVPN Elliptic Curves (SHA512, ECDSA, ECDH, Linux, Debian)
When I searched on it, it seemed that ECDH requires a specified named curve,
and openVPN does not have a means of specifying it.

Also, it seems that ECDSA works only with SHA-1 (I also would like to know why
it cannot take any 160 bit hash).

I searched about it a few weeks ago and the relevant messages were a few
months old.

Quoting Gaglia san...@paranoici.org:
> On 07/05/2011 03:23 PM, Gaglia wrote:
>> I'm trying to make an OpenVPN setup with Elliptic Curves cryptography and
>> SHA-512 on Linux Debian.
>
> No idea anybody, really? :(
Re: Please help RFC 5746
On Sun, Jul 03, 2011, Ritesh Rekhi wrote:
> Hi,
>
> I need a little help in implementing RFC 5746 on the server; as per the RFC
> it is not very clear how to tell clients that the Server doesn't support
> renegotiation. If anybody knows a way to tell clients that the server
> doesn't support renegotiation, please let me know.

It isn't clear from your message whether you want to tell the client you don't
support renegotiation or don't support secure renegotiation.

If a client doesn't support secure renegotiation and attempts to renegotiate
then by default it will get back a no renegotiation alert (for TLS v1.0 or
later).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Please Help: RSA Public Key Exponent size
Hi Bizhan,

> The command BN_num_bytes(rsa_public_key->e) returns the size of the exponent
> part of the public key, and it is 3 bytes. 10001. Could this be a valid
> value?

Yes. Typical values are 3, 17, and 65535.

> We have a system that requires the public key exponent to be 4 bytes; could I
> pad the exponent so it is 4 bytes?

Yes. Pad at the leading octets.

Jeff

On Fri, Oct 30, 2009 at 10:38 PM, Bizhan Gholikhamseh (bgholikh)
bghol...@cisco.com wrote:
> Hi All,
> In our environment a secure server creates Private/Public RSA keys. We can
> never access the Private key but we are able to access the Public Key.
> The command BN_num_bytes(rsa_public_key->e) returns the size of the exponent
> part of the public key, and it is 3 bytes. 10001. Could this be a valid
> value?
> We have a system that requires the public key exponent to be 4 bytes; could
> I pad the exponent so it is 4 bytes?
> Many thanks in advance,
> B
Re: Please help: very urgent: Query on patented algorithms
At 01:20 PM 6/16/2008, Michael Sierchio wrote:
> > RC4 is owned (and trademarked) by RSA Security Inc, but they are no longer enforcing the patent,
>
> RC4 was never protected by patent, but by trade secret. When the details of the algorithm were published, Ron Rivest himself suggested calling the alleged RC4 "ARCFOUR". It is indeed a trademark of RSA Security.

Michael is right. No patent. RSA subsequently switched to patent protection for RC5 and RC5.

Some ancient history might offer context. RC4, developed by Rivest in 1987, was originally sold, under contractual constraints, as a proprietary RSA trade secret -- a mode of IP protection which soon proved to be frail and toothless in Cyberspace, where anonymous publication on the Net broke the trade secret contract but allowed the perpetrator to escape all liability.

RSADSI initially filed for US trademark protection on RC4 in 1993, and the trademark -- as a mark of origin, a mark that identified the source of the distributed code -- became the last line of defense for the RC4 IP when the RC4 algorithm was reverse engineered and published on the Cypherpunks List in September of 1994.

In a swirl of ironies, this was a critical event in public crypto history, because the illicit publication of RC4 made it possible for non-US developers to do their own versions of SSL. SSLeay, ancestor of OpenSSL, soon broke the NSA's restrictive policies on the international use of strong-crypto SSL for browsers and web-based transactions. Many versions of alleged RC4 (ARC4 or ArcFour) were soon in widespread use, even in IETF standards.

Anyone can code or use ARC4, but EMC/RSA still defends its monopoly on the RC4 trademark because undefended trademarks become invalid.

_Vin
Re: Please help: very urgent: Query on patented algorithms
Hi,

Use the tool Dependency Walker (http://www.dependencywalker.com/) to look at the exported functions of libeay32.dll. If it exports RC5, you will see exported symbols starting with RC5. For MDC2, you'll find symbols starting with MDC2, etc.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On Mon, June 16, 2008 3:55 pm, bagavathy raj wrote:
> Hi,
> I have OpenSSL DLLs (i.e. libeay32.dll, ssleay32.dll). I need to know if these libraries are using any of the patented algorithms like IDEA, RC4, RC5, MDC2 etc. Can you please let me know if there is any way to find this out? Any help would be highly appreciated.
> Thanks in advance,
> Bagavathy
Re: Please help: very urgent: Query on patented algorithms
Hi,

Is there any binary distribution where I can find SSL DLLs without patented algorithms like IDEA, MDC2, RC4, RC5 etc.? I tried compiling without them. I could exclude the other algos but not RC4. Some linking issues. So I need to know if there is any SSL release without the patented algorithms.

On 6/16/08, Mounir IDRASSI [EMAIL PROTECTED] wrote:
> Hi,
> Use the tool Dependency Walker (http://www.dependencywalker.com/) to look at the exported functions of libeay32.dll. If it exports RC5, you will see exported symbols starting with RC5. For MDC2, you'll find symbols starting with MDC2, etc.
>
> Cheers,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
>
> On Mon, June 16, 2008 3:55 pm, bagavathy raj wrote:
> > Hi,
> > I have OpenSSL DLLs (i.e. libeay32.dll, ssleay32.dll). I need to know if these libraries are using any of the patented algorithms like IDEA, RC4, RC5, MDC2 etc. Can you please let me know if there is any way to find this out? Any help would be highly appreciated.
> > Thanks in advance,
> > Bagavathy
Re: Please help: very urgent: Query on patented algorithms
On 6/16/08, bagavathy raj [EMAIL PROTECTED] wrote:
> Hi,
> Is there any binary distribution where I can find SSL DLLs without patented algorithms like IDEA, MDC2, RC4, RC5 etc.? I tried compiling without them. I could exclude the other algos but not RC4. Some linking issues. So I need to know if there is any SSL release without the patented algorithms.

RC4 is owned (and trademarked) by RSA Security Inc, but they are no longer enforcing the patent, and will allow free usage of the OpenSSL implementation of this cipher to those that ask. However they do require that OpenSSL toolkit users either do not call it RC4, or call it "Alleged RC4" cipher to avoid trademark infringement. If you even mention the words RC4 in your documentation you may need to mention that it is "Alleged" and that RC4 is a trademark of RSA Security.

RC2 is also a trademark of RSA Security, but this one can be used without the "Alleged" prefix, providing you list them as the trademark owner.

Disclaimer: I am not a lawyer, and I suggest you contact RSA directly to confirm this information on your own.

-Chris
Re: Please help: very urgent: Query on patented algorithms
> RC4 is owned (and trademarked) by RSA Security Inc, but they are no longer enforcing the patent,

RC4 was never protected by patent, but by trade secret. When the details of the algorithm were published, Ron Rivest himself suggested calling the alleged RC4 "ARCFOUR". It is indeed a trademark of RSA Security.
Re: please help me.....
Hi,

Tried the given function, it compiles but throws the error "Run-Time Check Failure #3 - The variable 'rsa' is being used without being defined." Any clue?? And the char *buf contains the key, right??

Thanks
Regards
Shalmi

Marek Marcola wrote:
> Hello,
> > OK, I'll try that. Let me know..
>
> You may try something like that (not tested):
>
>     #include <openssl/bio.h>
>     #include <openssl/pem.h>
>     #include <openssl/rsa.h>
>
>     /* Parse a PEM "RSA PRIVATE KEY" held in memory (buf, len) into *rsa.
>      * Returns 0 on success, -1 on failure. */
>     int rsa_read_pem(RSA **rsa, char *buf, int len)
>     {
>         BIO *mem;
>
>         /* read-only memory BIO over the caller's buffer */
>         if ((mem = BIO_new_mem_buf(buf, len)) == NULL) {
>             goto err;
>         }
>         *rsa = PEM_read_bio_RSAPrivateKey(mem, NULL, NULL, NULL);
>         BIO_free(mem);
>         if (*rsa == NULL) {
>             goto err;
>         }
>         return (0);
>     err:
>         return (-1);
>     }
>
> Best regards,
> --
> Marek Marcola [EMAIL PROTECTED]
Re: please help me.....
Hello,

> I have RSA key information in a buffer. I want to merge the buffer content into an SSL context object. I am using the SSL API SSL_CTX_use_RSAPrivateKey_ASN1(ctxr[i], keyinfo, strlen(keyinfo)). That API is failing. It gives the following error message:
>
>     9755: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:
>     29755: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=RSA
>     29755: error:140B200D:SSL routines:SSL_CTX_use_RSAPrivateKey_ASN1:ASN1 lib:ssl_rsa.c:607
>
> How to resolve the issue? Please help me.

Try d2i_RSAPrivateKey() if your buffer has the RSA key in DER format.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: please help me.....
I tried that way, now it's generating coredump files. Is there any other way to solve that issue...

Marek Marcola [EMAIL PROTECTED] wrote:
> Hello,
> > I have RSA key information in a buffer. I want to merge the buffer content into an SSL context object. I am using the SSL API SSL_CTX_use_RSAPrivateKey_ASN1(ctxr[i], keyinfo, strlen(keyinfo)). That API is failing. It gives the following error message:
> >
> >     9755: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:
> >     29755: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=RSA
> >     29755: error:140B200D:SSL routines:SSL_CTX_use_RSAPrivateKey_ASN1:ASN1 lib:ssl_rsa.c:607
> >
> > How to resolve the issue? Please help me.
>
> Try d2i_RSAPrivateKey() if your buffer has the RSA key in DER format.
>
> Best regards,
> --
> Marek Marcola
Re: please help me.....
OK, I'll try that. Let me know..

Marek Marcola [EMAIL PROTECTED] wrote:
> Hello,
> > I tried that way, now it's generating coredump files. Is there any other way to solve that issue...
>
> You should use something like that (buf and len have your key):
>
>     #include <openssl/rsa.h>
>     #include <openssl/ssl.h>
>     #include <openssl/x509.h>
>
>     const unsigned char *p;
>     RSA *rsa = NULL;
>
>     p = buf;
>     /* d2i_RSAPrivateKey() takes the address of the pointer and advances it
>      * past the decoded object; passing p itself (not &p) is a type mismatch
>      * and crashes. */
>     if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
>         goto err;
>     }
>     if (SSL_CTX_use_RSAPrivateKey(ctx, rsa) != 1) {
>         goto err;
>     }
>     /* the context keeps its own reference, so our copy can be released */
>     RSA_free(rsa);
>
> But you should be sure that buf has a DER (ASN.1) PKCS1 private key. If you dump this buffer to a file, you should be able to do something like that:
>
>     $ openssl rsa -in key.der -inform der -text -noout
>     $ openssl asn1parse -in key.der -inform der
>
> If you get an error then probably you have PEM format, you may try to convert with:
>
>     $ openssl rsa -in key.pem -outform der -out key.der
>
> and try again.
>
> Best regards,
> --
> Marek Marcola
Re: please help me.....
Hello,

> I tried that way, now it's generating coredump files. Is there any other way to solve that issue...

You should use something like that (buf and len have your key):

    #include <openssl/rsa.h>
    #include <openssl/ssl.h>
    #include <openssl/x509.h>

    const unsigned char *p;
    RSA *rsa = NULL;

    p = buf;
    /* d2i_RSAPrivateKey() takes the address of the pointer and advances it
     * past the decoded object; passing p itself (not &p) is a type mismatch
     * and crashes. */
    if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
        goto err;
    }
    if (SSL_CTX_use_RSAPrivateKey(ctx, rsa) != 1) {
        goto err;
    }
    /* the context keeps its own reference, so our copy can be released */
    RSA_free(rsa);

But you should be sure that buf has a DER (ASN.1) PKCS1 private key. If you dump this buffer to a file, you should be able to do something like that:

    $ openssl rsa -in key.der -inform der -text -noout
    $ openssl asn1parse -in key.der -inform der

If you get an error then probably you have PEM format, you may try to convert with:

    $ openssl rsa -in key.pem -outform der -out key.der

and try again.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: please help me.....
I tried that way, the buffer information is not in DER format. The buffer header is like this:

    -----BEGIN RSA PRIVATE KEY-----
    ..
    -----END RSA PRIVATE KEY-----

Is there any other way to resolve that problem?

Marek Marcola [EMAIL PROTECTED] wrote:
> Hello,
> > I have RSA key information in a buffer. I want to merge the buffer content into an SSL context object. I am using the SSL API SSL_CTX_use_RSAPrivateKey_ASN1(ctxr[i], keyinfo, strlen(keyinfo)). That API is failing. It gives the following error message:
> >
> >     9755: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:
> >     29755: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=RSA
> >     29755: error:140B200D:SSL routines:SSL_CTX_use_RSAPrivateKey_ASN1:ASN1 lib:ssl_rsa.c:607
> >
> > How to resolve the issue? Please help me.
>
> Try d2i_RSAPrivateKey() if your buffer has the RSA key in DER format.
>
> Best regards,
> --
> Marek Marcola
Re: please help me.....
Hello,

> OK, I'll try that. Let me know..

You may try something like that (not tested):

    #include <openssl/bio.h>
    #include <openssl/pem.h>
    #include <openssl/rsa.h>

    /* Parse a PEM "RSA PRIVATE KEY" held in memory (buf, len) into *rsa.
     * Returns 0 on success, -1 on failure. */
    int rsa_read_pem(RSA **rsa, char *buf, int len)
    {
        BIO *mem;

        /* read-only memory BIO over the caller's buffer */
        if ((mem = BIO_new_mem_buf(buf, len)) == NULL) {
            goto err;
        }
        *rsa = PEM_read_bio_RSAPrivateKey(mem, NULL, NULL, NULL);
        BIO_free(mem);
        if (*rsa == NULL) {
            goto err;
        }
        return (0);
    err:
        return (-1);
    }

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: please help me.....
Thank you, it's working fine.

Marek Marcola [EMAIL PROTECTED] wrote:
> Hello,
> > OK, I'll try that. Let me know..
>
> You may try something like that (not tested):
>
>     #include <openssl/bio.h>
>     #include <openssl/pem.h>
>     #include <openssl/rsa.h>
>
>     /* Parse a PEM "RSA PRIVATE KEY" held in memory (buf, len) into *rsa.
>      * Returns 0 on success, -1 on failure. */
>     int rsa_read_pem(RSA **rsa, char *buf, int len)
>     {
>         BIO *mem;
>
>         /* read-only memory BIO over the caller's buffer */
>         if ((mem = BIO_new_mem_buf(buf, len)) == NULL) {
>             goto err;
>         }
>         *rsa = PEM_read_bio_RSAPrivateKey(mem, NULL, NULL, NULL);
>         BIO_free(mem);
>         if (*rsa == NULL) {
>             goto err;
>         }
>         return (0);
>     err:
>         return (-1);
>     }
>
> Best regards,
> --
> Marek Marcola
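The thread above turns on one fact: SSL_CTX_use_RSAPrivateKey_ASN1 and d2i_RSAPrivateKey expect DER, and the "wrong tag" error is what a DER decoder reports when the first byte it sees is the '-' of a PEM header instead of the 0x30 of a SEQUENCE. The following is an added example, my own code and not from the thread or from OpenSSL: a minimal PKCS#1 RSAPrivateKey encoder/decoder that tells PEM and DER apart, unwraps PEM before decoding, and reproduces the wrong-tag failure when PEM text is fed straight to the DER reader. The key is a constructed toy (p=61, q=53) built inline for the demonstration; every function name is mine and nothing here is usable as a real key.

```python
"""Added example (not from the thread or OpenSSL): PEM vs DER RSA private keys.
The toy key (p=61, q=53) is constructed inline and is not a real key."""
import base64
import re
from typing import Dict, Tuple

SEQUENCE, INTEGER = 0x30, 0x02


class WrongTag(ValueError):
    """Counterpart of OpenSSL's ASN1_CHECK_TLEN 'wrong tag' error."""


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_int(v: int) -> bytes:
    """DER INTEGER for a non-negative value; keeps a leading 0x00 when the top bit is set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return bytes([INTEGER]) + der_len(len(body)) + body


def encode_rsa_private_key(n: int, e: int, d: int, p: int, q: int) -> bytes:
    """PKCS#1 RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dp, dq, qinv }."""
    dp, dq, qinv = d % (p - 1), d % (q - 1), pow(q, -1, p)
    body = b"".join(der_int(x) for x in (0, n, e, d, p, q, dp, dq, qinv))
    return bytes([SEQUENCE]) + der_len(len(body)) + body


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + ln > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + ln], pos + ln


FIELDS = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")


def parse_rsa_private_key(der: bytes) -> Dict[str, int]:
    """Decode DER RSAPrivateKey; raise WrongTag when the bytes are not DER at all."""
    tag, body, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise WrongTag(f"expected SEQUENCE (0x30), got 0x{tag:02x}")
    values, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag != INTEGER:
            raise WrongTag(f"expected INTEGER (0x02), got 0x{tag:02x}")
        values.append(int.from_bytes(val, "big"))
    if len(values) != len(FIELDS):
        raise ValueError(f"RSAPrivateKey needs {len(FIELDS)} integers, got {len(values)}")
    return dict(zip(FIELDS, values))


PEM_RE = re.compile(rb"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", re.S)


def to_pem(der: bytes) -> bytes:
    """PEM armour: base64 in 64-character lines between BEGIN/END markers."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN RSA PRIVATE KEY-----\n" + b"\n".join(lines) + b"\n-----END RSA PRIVATE KEY-----\n"


def load_rsa_private_key(buf: bytes) -> Tuple[str, Dict[str, int]]:
    """Accept either encoding: unwrap PEM first, hand DER straight to the decoder."""
    m = PEM_RE.search(buf)
    if m:
        der = base64.b64decode(b"".join(m.group(1).split()))
        return "PEM", parse_rsa_private_key(der)
    return "DER", parse_rsa_private_key(buf)


def wrong_tag_on(buf: bytes) -> bool:
    """True if the DER decoder rejects buf with a wrong-tag error (PEM text does)."""
    try:
        parse_rsa_private_key(buf)
    except WrongTag:
        return True
    return False


# Constructed toy key: n = 61 * 53, e = 17, d = 2753 (e*d == 1 mod lcm(60, 52)).
TOY_DER = encode_rsa_private_key(n=3233, e=17, d=2753, p=61, q=53)
TOY_PEM = to_pem(TOY_DER)

if __name__ == "__main__":
    print(load_rsa_private_key(TOY_DER))
    print(load_rsa_private_key(TOY_PEM))
    print("PEM fed to the DER decoder rejected:", wrong_tag_on(TOY_PEM))
```

Running it prints the same nine-field dictionary for both encodings and `True` for the last line: the DER decoder never gets past the first byte of a PEM buffer, which is the same place SSL_CTX_use_RSAPrivateKey_ASN1 gave up in the error log above. A loader that looks for the PEM marker first, as load_rsa_private_key does, is the equivalent of choosing PEM_read_bio_RSAPrivateKey over d2i_RSAPrivateKey.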
Re: please help me on OCSP
Hi,

The -VAfile option is used for explicitly trusting the responder certificate of the OCSP server. So if you omit this option you will get the "unable to get local issuer certificate" error.

To get this command working:

    openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

1. First you must get a certificate from Verisign - User.pem
2. Get the CA certificate that was used to sign your request - ROOT_CA.pem
3. Trust the Verisign OCSP responder certificate - OCSPServer.pem

--Prakash

varma d [EMAIL PROTECTED] wrote:
> Hi,
> Today I was very much excited to see this mailing list on OpenSSL. I searched several messages and it's great to see that people here are helping others. I need your help. I read tutorials on OCSP from http://openvalidation.org about using OCSP in OpenSSL; I have a couple of questions.
>
> 1) I used the following command to send an OCSP request and get a response from the OCSP responder:
>
>     openssl ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
>
> When I am executing this command, I am getting a response from the OCSP responder stating that the certificate status is good. (I have taken this command/files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm).) But, in this command what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem as we need to just send our request and expect a response from the OCSP responder irrespective of the OCSPServer.pem file. If I give my URL as http://ocsp.verisign.com, how can I get Verisign's OCSPServer.pem? Also how can I get the latest OCSPServer.pem file for the given URL.
>
> 2) I tested by giving latest user certificates other than openvalidation.org certificates, but I am getting this error:
>
>     user.pem: WARNING: Status times invalid.
>     3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
>     unknown
>     This Update: Oct 24 06:00:11 2004 GMT
>     Next Update: Oct 25 06:00:11 2004 GMT
>
> For this do I need to update my OCSPServer.pem file?
> Thank you for your time and consideration. I would be grateful to you if you would help me out as I am spending a lot of time on understanding this. Please help me out.
> Thanks,
> vv
Re: please help me on OCSP
Hi,

Thanks a lot Prakash for your reply. Actually my application works in this way:

1) I will get the X.509 certificate from any server (let's say) yahoo.com, now from that I will extract the yahoo.com user certificate (may be issued by Verisign or others), and the issuer's root certificate.
2) Now I need to check the OCSP status of these individual certificates.
3) Since Verisign is an OCSP responder I just want to query ocsp.verisign.com for these individual certificates.

But while I was trying with your command

    openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

I am getting an error message like

    Error Querying OCSP responder
    3256: .. Connect error...

But when I am trying with the same command and the same certificates to ocsp.openvalidation.org I am getting status information. But the only problem with openvalidation is that they don't have up-to-date information (for some cases). Are there any public OCSP responders where I can query them instead of ocsp.verisign.com? I would be grateful to you if you would give a reply.

Thanks in Advance
Thanks,
Varma

On 8/24/05, prakash babu [EMAIL PROTECTED] wrote:
> Hi,
> The -VAfile option is used for explicitly trusting the responder certificate of the OCSP server. So if you omit this option you will get the "unable to get local issuer certificate" error.
>
> To get this command working:
>
>     openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
>
> 1. First you must get a certificate from Verisign - User.pem
> 2. Get the CA certificate that was used to sign your request - ROOT_CA.pem
> 3. Trust the Verisign OCSP responder certificate - OCSPServer.pem
>
> --Prakash
>
> varma d [EMAIL PROTECTED] wrote:
> > Hi,
> > Today I was very much excited to see this mailing list on OpenSSL. I searched several messages and it's great to see that people here are helping others. I need your help. I read tutorials on OCSP from http://openvalidation.org about using OCSP in OpenSSL; I have a couple of questions.
> >
> > 1) I used the following command to send an OCSP request and get a response from the OCSP responder:
> >
> >     openssl ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
> >
> > When I am executing this command, I am getting a response from the OCSP responder stating that the certificate status is good. (I have taken this command/files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm).) But, in this command what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem as we need to just send our request and expect a response from the OCSP responder irrespective of the OCSPServer.pem file. If I give my URL as http://ocsp.verisign.com, how can I get Verisign's OCSPServer.pem? Also how can I get the latest OCSPServer.pem file for the given URL.
> >
> > 2) I tested by giving latest user certificates other than openvalidation.org certificates, but I am getting this error:
> >
> >     user.pem: WARNING: Status times invalid.
> >     3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
> >     unknown
> >     This Update: Oct 24 06:00:11 2004 GMT
> >     Next Update: Oct 25 06:00:11 2004 GMT
> >
> > For this do I need to update my OCSPServer.pem file?
> > Thank you for your time and consideration. I would be grateful to you if you would help me out as I am spending a lot of time on understanding this. Please help me out.
> > Thanks,
> > vv
Re: please help me on OCSP
Maybe your URL is wrong. I just tried this:

    openssl ocsp -issuer VeriSignClientECA.pem -url http://ocsp.verisign.com -cert eca_usr_cert.pem -VAfile tgv.pem -no_nonce -text

and it works fine as follows:

    D:\prjs\ocsp\newEcaCA>openssl ocsp -issuer VeriSignClientECA.pem -url http://ocsp.verisign.com -cert eca_usr_cert.pem -VAfile tgv.pem -no_nonce -text
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 75EB8BF61A586BADD9044359324DAC621F5B59C8
              Issuer Key Hash: 0DC0D83DBFFB6593C8376626E28A125FBBC280F5
              Serial Number: 1B148220FC005FD035E866279AE682BE
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = U.S. Government, OU = ECA, OU = VeriSign, Inc., CN = VeriSign Client ECA OCSP Responder
        Produced At: Aug 23 17:10:46 2005 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 75EB8BF61A586BADD9044359324DAC621F5B59C8
          Issuer Key Hash: 0DC0D83DBFFB6593C8376626E28A125FBBC280F5
          Serial Number: 1B148220FC005FD035E866279AE682BE
        Cert Status: good
        This Update: Aug 23 17:10:46 2005 GMT
        Next Update: Aug 30 17:10:46 2005 GMT

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                0f:74:76:24:82:2a:30:ad:35:fc:45:8b:13:36:4b:0b
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, O=U.S. Government, OU=ECA, OU=Certification Authorities, CN=VeriSign Client External Certification Authority
            Validity
                Not Before: Aug 16 00:00:00 2005 GMT
                Not After : Sep 15 23:59:59 2005 GMT
            Subject: C=US, O=U.S. Government, OU=ECA, OU=VeriSign, Inc., CN=VeriSign Client ECA OCSP Responder
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:ce:b3:b0:95:33:73:1f:2a:f5:a7:63:6b:2f:5d:
                        04:66:13:df:35:b9:60:9a:92:a8:16:53:99:bd:70:
                        a5:9c:34:3f:f4:91:05:a1:15:28:51:38:1c:d3:d5:
                        cc:d5:82:fb:43:74:7f:84:6e:41:77:39:a6:be:46:
                        d5:fb:ef:91:10:6b:ab:b9:20:0d:dd:0a:bd:5a:f9:
                        e4:2b:e2:43:4f:c9:30:00:89:c7:cf:80:a9:76:93:
                        03:08:03:12:70:a5:76:86:c1:1d:3d:60:12:f5:2f:
                        de:9c:9d:a3:2b:ad:22:51:1f:b9:5c:7a:fd:8d:a6:
                        c4:b3:1a:50:69:8c:dc:26:93
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                Authority Information Access:
                    CA Issuers - URI:https://eca.verisign.com/CA/VeriSignECA.cer
                X509v3 Certificate Policies:
                    Policy: 2.16.840.1.101.3.2.1.12.2
                      CPS: https://www.verisign.com/repository/eca/cps
                X509v3 Extended Key Usage: critical
                    OCSP Signing
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation
                OCSP No Check:
                X509v3 Subject Alternative Name:
                    DirName:/CN=OCSP2-TGV-1-141
                X509v3 Subject Key Identifier:
                    30:EF:0D:8E:CD:58:05:E9:73:96:06:4E:63:48:F9:24:59:82:41:D4
                X509v3 Authority Key Identifier:
                    keyid:0D:C0:D8:3D:BF:FB:65:93:C8:37:66:26:E2:8A:12:5F:BB:C2:80:F5
        Signature Algorithm: sha1WithRSAEncryption
            6b:8d:79:7a:b3:d5:1d:e7:0e:ac:18:e7:f0:b4:fc:b4:cf:03:
            cf:f2:de:e0:93:b9:60:99:ab:b3:52:96:85:dc:34:20:f0:78:
            d8:24:c8:b3:71:25:f2:90:8d:7f:dc:00:7e:25:92:fd:e0:26:
            fa:3d:99:a1:89:86:a0:09:fe:0a:20:34:0a:68:31:cd:60:9d:
            63:a1:d9:2f:36:7c:4d:74:cc:ca:91:65:cb:a5:1f:5f:3a:e4:
            e4:73:67:9b:8e:50:ec:33:28:37:4c:05:33:a8:84:3e:63:7c:
            3d:c5:cd:90:c3:72:99:99:7e:e8:e9:67:42:3c:1b:e6:6f:a5:
            6d:37
    -----BEGIN CERTIFICATE-----
    MIID2jCCA0OgAwIBAgIQD3R2JIIqMK01/EWLEzZLCzANBgkqhkiG9w0BAQUFADCB
    lDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UE
    CxMDRUNBMSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMTkwNwYD
    VQQDEzBWZXJpU2lnbiBDbGllbnQgRXh0ZXJuYWwgQ2VydGlmaWNhdGlvbiBBdXRo
    b3JpdHkwHhcNMDUwODE2MDAwMDAwWhcNMDUwOTE1MjM1OTU5WjB7MQswCQYDVQQG
    EwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNFQ0ExFzAV
    BgNVBAsTDlZlcmlTaWduLCBJbmMuMSswKQYDVQQDEyJWZXJpU2lnbiBDbGllbnQg
    RUNBIE9DU1AgUmVzcG9uZGVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO
    s7CVM3MfKvWnY2svXQRmE981uWCakqgWU5m9cKWcND/0kQWhFShROBzT1czVgvtD
    dH+EbkF3Oaa+RtX775EQa6u5IA3dCr1a+eQr4kNPyTAAicfPgKl2kwMIAxJwpXaG
    wR09YBL1L96cnaMrrSJRH7lcev2NpsSzGlBpjNwmkwIDAQABo4IBQzCCAT8wRwYI
    KwYBBQUHAQEEOzA5MDcGCCsGAQUFBzAChitodHRwczovL2VjYS52ZXJpc2lnbi5j
    b20vQ0EvVmVyaVNpZ25FQ0EuY2VyMFIGA1UdIARLMEkwRwYKYIZIAWUDAgEMAjA5
    MDcGCCsGAQUFBwIBFitodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y
    eS9lY2EvY3BzMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMJMA4GA1UdDwEB/wQEAwIG
Re: please help me on OCSP
It is the OCSP responder cert. I suppose you already have that, right? Or you can use this one, which will expire on Sep 15, 2005 though.

    -----BEGIN CERTIFICATE-----
    MIID2jCCA0OgAwIBAgIQaVnCDg78Yj+N1V5h9xQh0jANBgkqhkiG9w0BAQUFADCB
    lDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UE
    CxMDRUNBMSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMTkwNwYD
    VQQDEzBWZXJpU2lnbiBDbGllbnQgRXh0ZXJuYWwgQ2VydGlmaWNhdGlvbiBBdXRo
    b3JpdHkwHhcNMDUwNTI2MDAwMDAwWhcNMDUwNjI1MjM1OTU5WjB7MQswCQYDVQQG
    EwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNFQ0ExFzAV
    BgNVBAsTDlZlcmlTaWduLCBJbmMuMSswKQYDVQQDEyJWZXJpU2lnbiBDbGllbnQg
    RUNBIE9DU1AgUmVzcG9uZGVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO
    s7CVM3MfKvWnY2svXQRmE981uWCakqgWU5m9cKWcND/0kQWhFShROBzT1czVgvtD
    dH+EbkF3Oaa+RtX775EQa6u5IA3dCr1a+eQr4kNPyTAAicfPgKl2kwMIAxJwpXaG
    wR09YBL1L96cnaMrrSJRH7lcev2NpsSzGlBpjNwmkwIDAQABo4IBQzCCAT8wRwYI
    KwYBBQUHAQEEOzA5MDcGCCsGAQUFBzAChitodHRwczovL2VjYS52ZXJpc2lnbi5j
    b20vQ0EvVmVyaVNpZ25FQ0EuY2VyMFIGA1UdIARLMEkwRwYKYIZIAWUDAgEMAjA5
    MDcGCCsGAQUFBwIBFitodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y
    eS9lY2EvY3BzMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMJMA4GA1UdDwEB/wQEAwIG
    wDAPBgkrBgEFBQcwAQUEAgUAMCcGA1UdEQQgMB6kHDAaMRgwFgYDVQQDEw9PQ1NQ
    Mi1UR1YtMS0xNDEwHQYDVR0OBBYEFDDvDY7NWAXpc5YGTmNI+SRZgkHUMB8GA1Ud
    IwQYMBaAFA3A2D2/+2WTyDdmJuKKEl+7woD1MA0GCSqGSIb3DQEBBQUAA4GBAHrP
    OjxDB35f/2+cORsVIl1oVPy71CaCnJ32KDxlEIRSW7sn4BIkBLfr2Un5ozt7SXzz
    6qw5I/hIyT1ADaLjpQubN6H+Oxk6ve6xw1JPuDMLHnABLeF+GzLSs2UxFr3bl4AE
    gAnMe402U2NJZBJhvvHu+YWdT4cDohuSqEeu+x5R
    -----END CERTIFICATE-----

--- satish danduvarma [EMAIL PROTECTED] wrote:
> Hi Paul,
> That's great. Thanks for your quick response. What is the tgv.pem file? How can we get that file?
> Thanks in advance,
> Varma
>
> On 8/24/05, Paul Simon [EMAIL PROTECTED] wrote:
> > Maybe your URL is wrong.
Re: please help me on OCSP
On Tue, Aug 16, 2005, varma d wrote:
> But, in this command what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem as we need to just send our request and expect a response from the OCSP responder irrespective of the OCSPServer.pem file.

This is an issue of how you trust the response from the OCSP responder. There are three cases:

1. Response signed by the same key as the CA that issued the certificate.
2. Response signed by a key in a certificate delegated by the issuing CA.
3. A key locally configured as trusted.

In cases #1 and #2 the trust can be determined automatically from the certificate being validated. In case #3 the relevant key needs to be determined by some other means. So it's a case of how the responder is configured. In some cases the responder is misconfigured and you have to use option #3.

> 2) I tested by giving latest user certificates other than openvalidation.org certificates, but I am getting this error:
>
>     user.pem: WARNING: Status times invalid.
>     3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
>     unknown
>     This Update: Oct 24 06:00:11 2004 GMT
>     Next Update: Oct 25 06:00:11 2004 GMT

The responder is saying that its response is valid between those dates: so it is sending out of date information.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
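Two decisions in this thread are easy to get wrong in a client: which key is allowed to sign a response (Steve's three cases, where -VAfile supplies case 3), and whether the thisUpdate/nextUpdate window in the response still covers the present (the "status expired" error Varma hit). The block below is an added example, my own code rather than anything from the thread or from OpenSSL, that models both decisions. Certificates are small constructed records, not X.509 objects; the validity check is modelled on the behaviour of OpenSSL's OCSP_check_validity() (nsec of allowed clock skew, optional maxsec age limit) but is not that function; all names and key identifiers are made up, and the two sets of dates are the ones quoted in the thread.

```python
"""Added example (not from the thread or OpenSSL): OCSP responder trust cases
and a thisUpdate/nextUpdate window check. All records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Only the fields the trust decision needs (constructed, not X.509)."""
    subject: str
    key_id: str                      # subject key identifier
    issuer_key_id: str               # authority key identifier
    eku: Tuple[str, ...] = ()        # extended key usage names


def responder_trust_case(signer_key_id: str, signer_cert: Optional[Cert],
                         issuer: Cert, trusted_keys: FrozenSet[str]) -> int:
    """Return 1, 2 or 3 for the thread's three trust cases, 0 if untrusted.

    1: response signed with the issuing CA's own key
    2: response signed by a cert the issuing CA delegated (OCSP Signing EKU)
    3: signer key configured locally as trusted (what -VAfile provides)
    """
    if signer_key_id == issuer.key_id:
        return 1
    if (signer_cert is not None
            and signer_cert.key_id == signer_key_id
            and signer_cert.issuer_key_id == issuer.key_id
            and "OCSPSigning" in signer_cert.eku):
        return 2
    if signer_key_id in trusted_keys:
        return 3
    return 0


def check_validity(this_update: datetime, next_update: Optional[datetime],
                   now: datetime, nsec: int = 300, maxsec: int = -1) -> Tuple[bool, str]:
    """Window check modelled on OCSP_check_validity(): nsec is the tolerated
    clock skew, maxsec (when >= 0) the oldest thisUpdate the caller accepts."""
    skew = timedelta(seconds=nsec)
    if this_update > now + skew:
        return False, "status not yet valid"
    if maxsec >= 0 and this_update < now - timedelta(seconds=maxsec):
        return False, "status too old"
    if next_update is None:
        return True, "ok (no nextUpdate)"
    if next_update < this_update:
        return False, "nextUpdate before thisUpdate"
    if next_update < now - skew:
        return False, "status expired"
    return True, "ok"


# Constructed trust set-up for the demonstration (key ids are made up).
ISSUER = Cert("Issuing CA", key_id="ca-key", issuer_key_id="root-key")
DELEGATE = Cert("OCSP Responder", key_id="resp-key", issuer_key_id="ca-key", eku=("OCSPSigning",))
STRANGER = Cert("Other Responder", key_id="other-key", issuer_key_id="unrelated-key")
VAFILE = frozenset({"other-key"})    # what -VAfile OCSPServer.pem would add

# The two responses quoted in the thread (dates only), judged on 24 Aug 2005.
UTC = timezone.utc
NOW_2005 = datetime(2005, 8, 24, 12, 0, 0, tzinfo=UTC)
STALE = (datetime(2004, 10, 24, 6, 0, 11, tzinfo=UTC), datetime(2004, 10, 25, 6, 0, 11, tzinfo=UTC))
FRESH = (datetime(2005, 8, 23, 17, 10, 46, tzinfo=UTC), datetime(2005, 8, 30, 17, 10, 46, tzinfo=UTC))

if __name__ == "__main__":
    print("CA-signed :", responder_trust_case("ca-key", None, ISSUER, frozenset()))
    print("delegated :", responder_trust_case("resp-key", DELEGATE, ISSUER, frozenset()))
    print("explicit  :", responder_trust_case("other-key", STRANGER, ISSUER, VAFILE))
    print("unknown   :", responder_trust_case("other-key", STRANGER, ISSUER, frozenset()))
    print("2004 reply:", check_validity(*STALE, NOW_2005))
    print("2005 reply:", check_validity(*FRESH, NOW_2005))
```

The STRANGER record is the situation Steve calls a misconfigured responder: its cert neither is the issuer nor carries a delegation from it, so the response is only accepted once its key is in the locally trusted set. The 2004 dates from Varma's log fail with "status expired" while Paul's Aug 23-30 2005 window passes, which is the whole difference between the two runs in the thread.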
Re: Please, help - compilation or configuration issue
Hi,

did you link against the OpenSSL libs (e.g. crypto / ssl)? Did you use an (ANSI) C compiler or a C++ compiler?

Try

    cc(?) prueba.c -I/usr/local/ssl/include -L/path/to/openssl/libs -lcrypto -lssl

Good luck,
Sebastian

Silvia Gisela Pavon Velasco wrote:
> I have sent this before and got no answers. It may look simple, but it's not. Please give me some ideas, or at least if there's someone who has installed on HP-UX 11.0 with no problems, tell me what C compiler you have or if you did something more besides the quick installation instructions.
>
> I'm looking for someone who has installed OpenSSL on an HP-UX 11.0 system. I've tried to install it and I can't get OpenSSL to work there. I have:
> - HP-UX 11.0 operating system
> - Perl 5.8.5
> - HP C/ANSI C Developer's Bundle for HP-UX (S800) which includes HP C/ANSI C Compiler
>
> I'm trying to install the file openssl-0.9.7g.tar.gz following the quick installation instructions and everything goes OK, the logs don't show any errors at all (I have log files in case someone wants to take a look at them) and the command line tool works just fine just adding the correct path to my PATH variable.
>
> The problem is when I try to use the libraries in a C program. I try to run a simple example code I got from the OpenSSL homepage and I get an error saying that it can't find the openssl/*.h included file:
>
>     cc prueba.c
>     cpp: prueba.c, line 2: error 4036: Can't open include file 'openssl/evp.h'.
>
> Even if I compile with the -I option it doesn't find the functions:
>
>     cc prueba.c -I/usr/local/ssl/include
>     cc: prueba.c, line 32: warning 604: Pointers are not assignment-compatible.
>     cc: prueba.c, line 32: warning 563: Argument #3 is not the correct type.
>     /usr/ccs/bin/ld: Unsatisfied symbols:
>        EVP_get_digestbyname (first referenced in prueba.o) (code)
>        EVP_DigestInit_ex (first referenced in prueba.o) (code)
>        OpenSSL_add_all_digests (first referenced in prueba.o) (code)
>        EVP_DigestFinal_ex (first referenced in prueba.o) (code)
>        EVP_MD_CTX_cleanup (first referenced in prueba.o) (code)
>        EVP_MD_CTX_init (first referenced in prueba.o) (code)
>        EVP_DigestUpdate (first referenced in prueba.o) (code)
>
> I have tried everything I know to find the libraries, from specifying in my PATH variable the path of the installation, and even copying the /usr/local/ssl/include/openssl directory to the /opt/CC/include/CC directory, and still can't get it to work. I have the feeling that I'm missing some configuration specific to my operating system, that's why I'm asking for your help, because I really have tried to make it work first (I have reinstalled OpenSSL and the C compiler twice). At this point these are my env variables related to OpenSSL:
>
>     OPENSSLDIR=/usr/local/ssl
>     PATH=$PATH:/usr/local/ssl/bin:/usr/local/ssl/include/:.
>     export PATH
>     SHLIB_PATH=/usr/local/ssl/lib    -- I added this
>     export SHLIB_PATH
>
> Silvia Gisela
RE: Please, help - compilation or configuration issue
I will reply for you... but I have never set up anything like you are asking. I'm sorry. I'm sure somewhere there is a forum that can address this issue. Maybe this is not that forum.

miles

-----Original Message-----
From: Silvia Gisela Pavon Velasco [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 17, 2005 2:08 PM
To: openssl-users@openssl.org
Subject: Please, help - compilation or configuration issue

I have sent this before and got no answers. It may look simple, but it's not. Please give me some ideas, or at least, if there's someone who has installed on HP-UX 11.0 with no problems, tell me what C compiler you have or if you did something more besides the quick installation instructions.

I'm looking for someone who has installed OpenSSL on an HP-UX 11.0 system. I've tried to install it and I can't get OpenSSL to work there.

I have:
- HP-UX 11.0 operating system
- Perl 5.8.5
- HP C/ANSI C Developer's Bundle for HP-UX (S800), which includes HP C/ANSI C Compiler

I'm trying to install the file openssl-0.9.7g.tar.gz following the quick installation instructions and everything goes OK; the logs don't show any errors at all (I have log files in case someone wants to take a look at them) and the command line tool works just fine, just adding the correct path to my PATH variable.

The problem is when I try to use the libraries in a C program. I try to run a simple example code I got from the OpenSSL homepage and I got an error saying that it can't find the openssl/.h included file:

    cc prueba.c
    cpp: prueba.c, line 2: error 4036: Can't open include file 'openssl/evp.h'.

Even if I compile with the -I option it doesn't find the functions:

    cc prueba.c -I/usr/local/ssl/include
    cc: prueba.c, line 32: warning 604: Pointers are not assignment-compatible.
    cc: prueba.c, line 32: warning 563: Argument #3 is not the correct type.
    /usr/ccs/bin/ld: Unsatisfied symbols:
       EVP_get_digestbyname (first referenced in prueba.o) (code)
       EVP_DigestInit_ex (first referenced in prueba.o) (code)
       OpenSSL_add_all_digests (first referenced in prueba.o) (code)
       EVP_DigestFinal_ex (first referenced in prueba.o) (code)
       EVP_MD_CTX_cleanup (first referenced in prueba.o) (code)
       EVP_MD_CTX_init (first referenced in prueba.o) (code)
       EVP_DigestUpdate (first referenced in prueba.o) (code)

I have tried everything I know to find the libraries, from specifying in my PATH variable the path of the installation, and even copying the /usr/local/ssl/include/openssl directory to the /opt/CC/include/CC directory, and still can't get it to work.

I have the feeling that I'm missing some configuration specific to my operating system; that's why I'm asking for your help, because I've really tried to make it work first (I have reinstalled OpenSSL and the C compiler twice).

At this point these are my env variables related to openssl:

    OPENSSLDIR=/usr/local/ssl
    PATH=$PATH:/usr/local/ssl/bin:/usr/local/ssl/include/:.
    export PATH
    SHLIB_PATH=/usr/local/ssl/lib   -- I added this
    export SHLIB_PATH

Silvia Gisela

NOTE: The information in this email is proprietary and confidential. This message is for the designated recipient only; if you are not the intended recipient, you should destroy it immediately. Any information in this message shall not be understood as given or endorsed by Alestra, its subsidiaries or their employees, unless expressly so stated. It is the responsibility of the recipient to ensure that this email is virus free; therefore neither Alestra, its subsidiaries nor their employees accept any responsibility.
Re: Please, help - compilation or configuration issue
It's been a few years since I've worked on HP-UX and I don't have access to a machine running that OS currently, but here's what I remember. I hope it's accurate. I've plucked a couple of settings out of old Makefiles that I've saved; you'll have to see where to add the settings in your Makefiles.

1) You almost always need to add some standard defines to get the HP C compilers to include common things. If you use Imake, you'll see it adding stuff like this.

    CCOPTIONS = -Ae
    STD_DEFINES = -Dhpux -DSYSV -D_HPUX_SOURCE

2) The compile-time linker doesn't automatically configure the executable stub to use the SHLIB_PATH environment variable. (Gotta love that HP chose not to use LD_LIBRARY_PATH that just about everyone else uses and also deactivated its use by default.) So, I pass a flag to the linker.

    SHLIBLDFLAGS = -b

HP also doesn't have ldd, but does have chatr (maybe it's chattr; you'll have to look). That utility can be used to inspect your executable stub to determine the shared library locations, either compiled in or dynamically located, and also whether the SHLIB_PATH is used by the run-time linker. Very nice things to know.

Best regards,
Lance
http://www.newparticles.com/

Silvia Gisela Pavon Velasco wrote:
> I have sent this before and got no answers. It may look simple, but it's not. Please give me some ideas, or at least, if there's someone who has installed on HP-UX 11.0 with no problems, tell me what C compiler you have or if you did something more besides the quick installation instructions.
>
> I'm looking for someone who has installed OpenSSL on an HP-UX 11.0 system. I've tried to install it and I can't get OpenSSL to work there.
>
> I have:
> - HP-UX 11.0 operating system
> - Perl 5.8.5
> - HP C/ANSI C Developer's Bundle for HP-UX (S800), which includes HP C/ANSI C Compiler
>
> I'm trying to install the file openssl-0.9.7g.tar.gz following the quick installation instructions and everything goes OK; the logs don't show any errors at all (I have log files in case someone wants to take a look at them) and the command line tool works just fine, just adding the correct path to my PATH variable.
>
> The problem is when I try to use the libraries in a C program. I try to run a simple example code I got from the OpenSSL homepage and I got an error saying that it can't find the openssl/.h included file:
>
>     cc prueba.c
>     cpp: prueba.c, line 2: error 4036: Can't open include file 'openssl/evp.h'.
>
> Even if I compile with the -I option it doesn't find the functions:
>
>     cc prueba.c -I/usr/local/ssl/include
>     cc: prueba.c, line 32: warning 604: Pointers are not assignment-compatible.
>     cc: prueba.c, line 32: warning 563: Argument #3 is not the correct type.
>     /usr/ccs/bin/ld: Unsatisfied symbols:
>        EVP_get_digestbyname (first referenced in prueba.o) (code)
>        EVP_DigestInit_ex (first referenced in prueba.o) (code)
>        OpenSSL_add_all_digests (first referenced in prueba.o) (code)
>        EVP_DigestFinal_ex (first referenced in prueba.o) (code)
>        EVP_MD_CTX_cleanup (first referenced in prueba.o) (code)
>        EVP_MD_CTX_init (first referenced in prueba.o) (code)
>        EVP_DigestUpdate (first referenced in prueba.o) (code)
>
> I have tried everything I know to find the libraries, from specifying in my PATH variable the path of the installation, and even copying the /usr/local/ssl/include/openssl directory to the /opt/CC/include/CC directory, and still can't get it to work.
>
> I have the feeling that I'm missing some configuration specific to my operating system; that's why I'm asking for your help, because I've really tried to make it work first (I have reinstalled OpenSSL and the C compiler twice).
>
> At this point these are my env variables related to openssl:
>
>     OPENSSLDIR=/usr/local/ssl
>     PATH=$PATH:/usr/local/ssl/bin:/usr/local/ssl/include/:.
>     export PATH
>     SHLIB_PATH=/usr/local/ssl/lib   -- I added this
>     export SHLIB_PATH
>
> Silvia Gisela
>
> NOTE: The information in this email is proprietary and confidential. This message is for the designated recipient only; if you are not the intended recipient, you should destroy it immediately. Any information in this message shall not be understood as given or endorsed by Alestra, its subsidiaries or their employees, unless expressly so stated. It is the responsibility of the recipient to ensure that
Re: Please Help me --Who can tell me what the SSL structure looks like?
From what I can see, SSL is defined as

    typedef struct ssl_st SSL;

in ssl.h. If you search for struct ssl_st in ssl.h you will find the definition for that structure.

Hope that helps!

On Sat, 2004-10-02 at 19:00, lu lu wrote:
> Hi, list members. I really want help very much. I asked this question about a week ago, but nobody answered my question. I think maybe it is just because I had not made the question clear.
>
> What I want to know is where I can find the definition of SSL. As it appears in many functions like
>
>     int ssl23_get_client_hello(SSL *s)
>
> I cannot find where it is defined. I cannot understand how OpenSSL makes the handshake, as many handshake functions use this structure. I have searched the whole week on the net for the definition of this structure, but got nothing. Maybe I am not good at searching.
>
> Please, anybody here who knows where I can find some useful information or who knows the definition of the structure, help me on this question.
>
> Thanks for taking time to read my question. And I am eagerly waiting for the answer.
>
> Cynthia
Re: Please Help Me Before I Jump ! ! !
http://www.openssl.org/support/

On Fri, 20 Aug 2004, Buddy wrote:
> Anyone out there, please help me! I am disabled and do not want to continue to see your conversations, although I appreciate the reason and the cause of the conversations. I just want off the list.
>
> Thanks,
> Buddy
>
> ----- Original Message -----
> From: Buddy
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: Main Identity
> Sent: Friday, August 20, 2004 3:35 PM
> Subject: Re: Mail System Error - Returned Mail
>
> Please reply... maybe you know something I do not.
>
> Thanks,
> Buddy
>
> ----- Original Message -----
> From: Buddy
> To: [EMAIL PROTECTED]
> Cc: Main Identity
> Sent: Friday, August 20, 2004 3:21 PM
> Subject: Re: Mail System Error - Returned Mail
>
> I sent you nothing. I have been trying to get off this email free-for-all trash mail list for over a year. Any advice?
>
> Buddy
>
> PS: please reply, I really want off this list.
>
> ----- Original Message -----
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Friday, August 20, 2004 12:02 PM
> Subject: Mail System Error - Returned Mail
>
> ALERT!!! This e-mail in its original form contained one or more attached files that were infected with a virus or worm, or contained another type of security threat.
>
> The following attachments were infected and have been repaired: No attachments are in this category.
>
> The following attachments were deleted due to an inability to clean them:
> 1. file.zip: [EMAIL PROTECTED]
>
> The following attachments were not delivered due to inbound mail policy violations: No attachments are in this category.
>
> Road Runner does not contact the sender of the infected attachment(s) in the event that they were not actually sent from the indicated party. Please contact the sender directly to alert them of their issue with infected files if you wish to do so. For more information on Road Runner's virus filtering initiative, visit our Help Member Services pages at http://help.rr.com, or the virus filtering information page directly at http://help.rr.com/faqs/e_mgsp.html.
>
> Original message text follows
RE: Please help
I *think* I understand it now, but any clarification etc. would still be most appreciated.

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of steve thornton
Sent: 23 July 2003 10:09
To: [EMAIL PROTECTED]
Subject: Please help

Hi

I've been trying to edit and rebuild the ASN.1 database using objects.pl. I am having problems understanding what is going on. As I understand it, the file to edit is objects.txt, but if I change this file in any way, then objects.pl no longer works. Can anybody please tell me what I should be doing here?

many many thanks

Steve
Re: Please help
On Wed, Jul 23, 2003, steve thornton wrote:
> Hi
>
> I've been trying to edit and rebuild the ASN.1 database using objects.pl. I am having problems understanding what is going on. As I understand it, the file to edit is objects.txt, but if I change this file in any way, then objects.pl no longer works. Can anybody please tell me what I should be doing here?

If the added lines use the correct syntax you should be OK as long as you call 'make update'. You should be careful about deleting lines from objects.txt because this will break binary compatibility with any applications that use the NIDs directly: they'd need to be recompiled.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
RE: Please help
Yes, I've noticed this. Basically I am making an embedded client, and am looking for every way possible to reduce code size, and obj_dat is very big. I've more or less concluded that it is not worth the trouble, but 24k is 24k.

It surely should be possible to parse the essential info (Issuer, Subject and public key info etc.) from a cert. without having all the machinery that is in OpenSSL, but achieving that within the context of OpenSSL at present would be a *lot* of work. Would you agree, have you any comments?

many thanks

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dr. Stephen Henson
Sent: 23 July 2003 12:36
To: [EMAIL PROTECTED]
Subject: Re: Please help

On Wed, Jul 23, 2003, steve thornton wrote:
> Hi
>
> I've been trying to edit and rebuild the ASN.1 database using objects.pl. I am having problems understanding what is going on. As I understand it, the file to edit is objects.txt, but if I change this file in any way, then objects.pl no longer works. Can anybody please tell me what I should be doing here?

If the added lines use the correct syntax you should be OK as long as you call 'make update'. You should be careful about deleting lines from objects.txt because this will break binary compatibility with any applications that use the NIDs directly: they'd need to be recompiled.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: Please help
On Wed, Jul 23, 2003, steve thornton wrote:
> Yes, I've noticed this. Basically I am making an embedded client, and am looking for every way possible to reduce code size, and obj_dat is very big. I've more or less concluded that it is not worth the trouble, but 24k is 24k.
>
> It surely should be possible to parse the essential info (Issuer, Subject and public key info etc.) from a cert. without having all the machinery that is in OpenSSL, but achieving that within the context of OpenSSL at present would be a *lot* of work. Would you agree, have you any comments?

Well, if it's embedded then binary compatibility won't matter if you can just recompile everything. You can delete a large number of objects in objects.txt without any major harm.

There are other areas you can also look into to reduce code size such as crypto and digest algorithms, extension code, PKCS#12, PKCS#7, ENGINE etc. etc.

It would be *very* difficult to try to restrict OpenSSL to the sizes claimed for some SSL libraries (40K I've heard quoted for one), so hard in fact that starting again might be less effort.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
RE: Please help
Thanks for that Steve, that was the conclusion I had just come to. Now I need to convince my bosses. I wonder if they'll pay me to write things from scratch?

Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dr. Stephen Henson
Sent: 23 July 2003 13:52
To: [EMAIL PROTECTED]
Subject: Re: Please help

On Wed, Jul 23, 2003, steve thornton wrote:
> Yes, I've noticed this. Basically I am making an embedded client, and am looking for every way possible to reduce code size, and obj_dat is very big. I've more or less concluded that it is not worth the trouble, but 24k is 24k.
>
> It surely should be possible to parse the essential info (Issuer, Subject and public key info etc.) from a cert. without having all the machinery that is in OpenSSL, but achieving that within the context of OpenSSL at present would be a *lot* of work. Would you agree, have you any comments?

Well, if it's embedded then binary compatibility won't matter if you can just recompile everything. You can delete a large number of objects in objects.txt without any major harm.

There are other areas you can also look into to reduce code size such as crypto and digest algorithms, extension code, PKCS#12, PKCS#7, ENGINE etc. etc.

It would be *very* difficult to try to restrict OpenSSL to the sizes claimed for some SSL libraries (40K I've heard quoted for one), so hard in fact that starting again might be less effort.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: please help me!!
On Mon, Mar 17, 2003, luke wrote:
> I have tried many times. I got the same error message.
>
>     perl Configure VC-WIN32
>     .\ms\do_nt.bat
>     nmake -f .\ms\nt.mak
>
> PS: .NET VC++ (VC++ v7).
>
>     ui_compat.c
>     cl /Fotmp32\krb5_asn.obj -Iinc32 -Itmp32 /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DOPENSSL_SYSNAME_WINNT /Fdout32 -DOPENSSL_NO_KRB5 -c .\crypto\krb5\krb5_asn.c
>     cl : Command line warning D4029 : optimization is not available in the standard edition compiler
>     krb5_asn.c
>     lib /out:out32\libeay32.lib @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nmF2.tmp
>     'lib' 不是內部或外部指令、可執行的程式或批次檔。
>     NMAKE : fatal error U1077: 'lib' : return code '0x1'
>     Stop.

Looks like a crippled restricted version of VC++. Try removing the /O* options by manually editing ms\nt.mak; they are on the CFLAG line right at the top.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: [PLEASE HELP..URGENT!!!!] OPENSSL on Compaq Tru64 or any 64-bit machine.
Use a compiler option like:

    cc +DD64

e.g.:

    ./configure hpux-cc +DD64

Bye,
Durai.
([EMAIL PROTECTED])

> Hi,
>
> Is there any variable that is supposed to be set for compiling on a 64-bit machine like Compaq's Tru64?? I have used the openssl library for all the machines and it works except for Tru64. I defined 'SIXTY_FOUR_BIT' in the bn.h file and that made the session key encryption with a public key work fine. But I still had problems using the EVP_Decrypt functions!! Please help me with this. Is there something that I have to define somewhere else for the other algorithms to work, as I had done for bn.h?? Any help would be greatly appreciated.
>
> Thanx,
> Jay..
Re: Please help: SSL_read() hang after read http 100 continue header
Lin

No, I am not an OpenSSL developer. However, I have built several server and client applications using OpenSSL. The following code works with IE 5.0 and the simple client program I sent you.

    BIO_puts(io, "HTTP/1.1 100 Continue\r\n");
    BIO_puts(io, "Server: Microsoft-IIS/5.0\r\n");
    BIO_puts(io, "Date: Wed, 30 Oct 2002 06:34:56 GMT\r\n\r\n");
    /* the extra 0d 0a after the Date header is needed to tell the browser it has
       reached the end of the block before reading the 200 response code */
    /* Without the \r\n the server sends an invalid response to the browser */
    BIO_puts(io, "HTTP/1.1 200 OK\r\n");
    BIO_puts(io, "Server: Microsoft-IIS/5.0\r\n");
    BIO_puts(io, "Date: Wed, 30 Oct 2002 06:35:07 GMT\r\n");
    /* note: the declared length below is larger than the body written afterwards */
    BIO_puts(io, "Content-Length: 1863\r\n");
    BIO_puts(io, "Content-Type: text/html\r\n");
    BIO_puts(io, "Expires: Wed, 30 Oct 2002 06:35:07 GMT\r\n");
    BIO_puts(io, "Cache-control: private\r\n");
    BIO_puts(io, "\r\n");
    BIO_puts(io, "<html>\r\n");
    BIO_puts(io, "<head>\r\n");
    BIO_puts(io, "<title>BIO Openssl Test Server</title>\r\n");
    BIO_puts(io, "</head>\r\n");
    BIO_puts(io, "<body>\r\n");
    BIO_puts(io, "<center><font face=\"Verdana\">BIO OpenSSL Test Server</font></center>\r\n");
    BIO_puts(io, "</body>\r\n");
    BIO_puts(io, "</html>\r\n");

Browser output:

    <html>
    <head>
    <title>BIO Openssl Test Server</title>
    </head>
    <body>
    <center><font face="Verdana">BIO OpenSSL Test Server</font></center>
    </body>
    </html>

Simple client output:

    Wrote 17 chars
    Handshake completed successfully!
    Read 411 chars:
    HTTP/1.1 100 Continue
    Server: OpenSSL/1.0
    Date: Wed, 30 Oct 2002 06:34:56 GMT

    HTTP/1.1 200 OK
    Date: Wed, 30 Oct 2002 06:35:07 GMT
    Content-Length: 1863
    Content-Type: text/html
    Expires: Wed, 30 Oct 2002 06:35:07 GMT
    Cache-control: private

    <html>
    <head>
    <title>BIO Openssl Test Server</title>
    </head>
    <body>
    <center><font face="Verdana">BIO OpenSSL Test Server</font></center>
    </body>
    </html>

I am running this code on Windows 2000 Server with VC++ 6.0. Send me your client or server code so that I can look at it.

----- Original Message -----
From: Lutz Jaenicke [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 13, 2002 1:13 PM
Subject: Re: Please help: SSL_read() hang after read http 100 continue header

On Wed, Nov 13, 2002 at 09:53:34AM -0800, Lin Ma wrote:
> I have a client program using OpenSSL to send a request to and receive a response from a web server. SSL_read hangs if the web server sends the following headers. The following is the header dump without SSL.
> I think the problem is the separator 0d 0a 0d 0a between the two blocks of headers.

No. The SSL layer does not care about the data transferred, whether it is line oriented or not.

> ...
> You can see, it is like
>
>     HTTP/1.1 100 Continue
>     Server: Microsoft-IIS/5.0
>     Date: Wed, 30 Oct 2002 06:34:56 GMT
>     0d 0a 0d 0a
>     HTTP/1.1 200 OK
>     Server: Microsoft-IIS/5.0
>     Date: Wed, 30 Oct 2002 06:34:56 GMT
>     Content-Length: 1863
>     .
>
> There is a separator 0d 0a 0d 0a between the two blocks of headers. My program just gets stuck at the separator and couldn't get the following HTTP/1.1 200 OK ...
>
> If I change it to non-blocking, SSL_read() doesn't hang any more, but it keeps getting the SSL_ERROR_WANT_READ error; if I keep calling SSL_read, it keeps getting SSL_ERROR_WANT_READ and doesn't return valid data.

This means that no data has been received, or at least not enough data to complete the TLS record. SSL_read() is waiting for (more) data. Use ssldump to analyze the traffic.

What platform are you working on? Windows or UNIX? Can you try your program on another platform?

Microsoft IIS is not known to be free of errors, but it seems to work good enough that I don't think the problem is caused by the server side.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Re: Please help: SSL_read() hang after read http 100 continue header
On Wed, Nov 13, 2002 at 09:53:34AM -0800, Lin Ma wrote:
> I have a client program using OpenSSL to send a request to and receive a response from a web server. SSL_read hangs if the web server sends the following headers. The following is the header dump without SSL.
> I think the problem is the separator 0d 0a 0d 0a between the two blocks of headers.

No. The SSL layer does not care about the data transferred, whether it is line oriented or not.

> ...
> You can see, it is like
>
>     HTTP/1.1 100 Continue
>     Server: Microsoft-IIS/5.0
>     Date: Wed, 30 Oct 2002 06:34:56 GMT
>     0d 0a 0d 0a
>     HTTP/1.1 200 OK
>     Server: Microsoft-IIS/5.0
>     Date: Wed, 30 Oct 2002 06:34:56 GMT
>     Content-Length: 1863
>     .
>
> There is a separator 0d 0a 0d 0a between the two blocks of headers. My program just gets stuck at the separator and couldn't get the following HTTP/1.1 200 OK ...
>
> If I change it to non-blocking, SSL_read() doesn't hang any more, but it keeps getting the SSL_ERROR_WANT_READ error; if I keep calling SSL_read, it keeps getting SSL_ERROR_WANT_READ and doesn't return valid data.

This means that no data has been received, or at least not enough data to complete the TLS record. SSL_read() is waiting for (more) data. Use ssldump to analyze the traffic.

What platform are you working on? Windows or UNIX? Can you try your program on another platform?

Microsoft IIS is not known to be free of errors, but it seems to work good enough that I don't think the problem is caused by the server side.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
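Lutz's point is that TLS hands the client a byte stream and the HTTP framing is the client's job: an interim 100 Continue block ends at its own CRLF CRLF and is followed by another status line, so a reader that stops at the first blank line never sees the 200. The parser below is an added example (not code from anyone in this thread); the sample bytes are constructed from the dump quoted above with a shortened body, and the chunked read loop stands in for repeated SSL_read() calls.

```python
"""HTTP/1.x response framing over a byte stream, as a client on top of
SSL_read() has to do it: skip interim 1xx blocks, then read the final
status line, its headers and a Content-Length body."""

# Constructed sample modelled on the header dump quoted in this thread
# (not captured traffic; the body is shortened to keep the example small).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 100 Continue\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Wed, 30 Oct 2002 06:34:56 GMT\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Wed, 30 Oct 2002 06:34:56 GMT\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello"
)

HEADER_END = b"\r\n\r\n"  # the "0d 0a 0d 0a" separator from the dump


def parse_head(buf, start):
    """Parse one status line plus header block beginning at buf[start].

    Returns (status_code, headers, offset_after_blank_line), or None when the
    terminating CRLF CRLF has not arrived yet and the caller must read more.
    """
    end = buf.find(HEADER_END, start)
    if end == -1:
        return None
    lines = buf[start:end].split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1."):
        raise ValueError("not an HTTP/1.x status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")  # split at the first colon only
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return int(parts[1]), headers, end + len(HEADER_END)


def parse_response(buf):
    """Return (status, headers, body, interim_codes) or None if more bytes are needed.

    Every 1xx block except 101 is an interim response: it is followed by a
    further status line, so the loop keeps parsing heads until a final status.
    """
    interim = []
    offset = 0
    while True:
        head = parse_head(buf, offset)
        if head is None:
            return None  # head incomplete: equivalent to SSL_read() wanting more
        status, headers, offset = head
        if 100 <= status < 200 and status != 101:
            interim.append(status)
            continue
        break
    length_text = headers.get("content-length", "0")
    if not length_text.isdigit():
        raise ValueError("bad Content-Length: %r" % length_text)
    length = int(length_text)
    body = buf[offset:offset + length]
    if len(body) < length:
        return None  # body not complete yet; keep reading
    return status, headers, body, interim


def read_until_complete(chunks):
    """Simulate the client loop: append what each SSL_read() returned and
    retry the parse, as a blocking or non-blocking read loop would."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        result = parse_response(buf)
        if result is not None:
            return result
    return None


if __name__ == "__main__":
    status, headers, body, interim = parse_response(SAMPLE_RESPONSE)
    print("interim:", interim, "final:", status, "body:", body)
```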
Re: Please Help!!!
In message [EMAIL PROTECTED] on Mon, 22 Apr 2002 19:16:13 -0700, Paul Mallary [EMAIL PROTECTED] said:

pmallary> I have been trying to figure this out on my own for the past day or so and am stumped. I have installed all of the necessary stuff for openssl to compile but I keep getting these error messages when I configure and make...

Which version of gcc did you use?

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: Please Help!!!
In message [EMAIL PROTECTED] on Mon, 22 Apr 2002 22:38:47 -0700, Aleksey Sanin [EMAIL PROTECTED] said:

aleksey> IMHO it's a bad idea to use gcc 3.0 on Solaris now. I had very
aleksey> bad experience with it in the past. If it is possible, try
aleksey> gcc 2.95.3.

Is that just on Solaris, or a recommendation to avoid gcc 3 in general?

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re: Please Help!!!
I've tried it on Solaris and Linux. IMHO, in both cases it is not polished as well as it should be. Probably there exist projects where you have to use 3.0 because of its new features. But it's not the case for me.

Aleksey.

Richard Levitte - VMS Whacker wrote:
> In message [EMAIL PROTECTED] on Mon, 22 Apr 2002 22:38:47 -0700, Aleksey Sanin [EMAIL PROTECTED] said:
>
> aleksey> IMHO it's a bad idea to use gcc 3.0 on Solaris now. I had very
> aleksey> bad experience with it in the past. If it is possible, try
> aleksey> gcc 2.95.3.
>
> Is that just on Solaris, or a recommendation to avoid gcc 3 in general?
gcc 3 (was Re: Please Help!!!)
On Tue, Apr 23, 2002 at 10:06:41AM +0200, Richard Levitte - VMS Whacker wrote:
> In message [EMAIL PROTECTED] on Mon, 22 Apr 2002 22:38:47 -0700, Aleksey Sanin [EMAIL PROTECTED] said:
>
> aleksey> IMHO it's a bad idea to use gcc 3.0 on Solaris now. I had very
> aleksey> bad experience with it in the past. If it is possible, try
> aleksey> gcc 2.95.3.
>
> Is that just on Solaris, or a recommendation to avoid gcc 3 in general?

One thing to be careful about when using gcc 3 is whether it was configured with a shared libgcc or not: for instance, the Solaris binary packages of gcc 3 from sunfreeware.com do use a shared libgcc (as it's the default), which introduces a dependency of shared libraries produced by gcc -shared on the shared libgcc. So you have to set LD_LIBRARY_PATH or LD_RUN_PATH to $prefix/lib where you installed gcc, if you want the library to load, and they'll never work on another Solaris machine unless you copy over the libgcc_s.so too.

gcc 3 configured with --disable-shared doesn't suffer from this problem.

joe
Re: Please Help!!!
Aleksey Sanin wrote:

IMHO it's a bad idea to use gcc 3.0 on Solaris now. I had very bad experience with it in the past. If it is possible, try gcc 2.95.3.

I've recently had the occasion to compile openssl 0.9.6 out of the box without problem with both 2.95.3 and 3.0.3 under Solaris. But with 2.95.3, I had a mysterious coredump inside dlopen every time I was trying to load a Chrysalis PKCS#11 library inside my application program. I was not able to understand what was happening and I did not have the problem with 3.0.3, so I went on with that one.
Re: Please Help!!!
IMHO it's a bad idea to use gcc 3.0 on Solaris now. I had very bad experience with it in the past. If it is possible, try gcc 2.95.3.

Aleksey Sanin

Paul Mallary wrote:

I have been trying to figure this out on my own for the past day or so and am stumped. I have installed all of the necessary stuff for openssl to compile but I keep getting these error messages when I configure and make...

    ./Configure solaris-sparcv8-gcc shared no-threads

JUST A SECTION OF THE ./Configure

    Makefile = Makefile.ssl
    comp.h = ../../include/openssl/comp.h [File exists]
    make[2]: Leaving directory `/export/install/packages/openssl-0.9.6c/crypto/comp'
    make[1]: Leaving directory `/export/install/packages/openssl-0.9.6c/crypto'
    making links in ssl...
    make[1]: Entering directory `/export/install/packages/openssl-0.9.6c/ssl'
    Makefile = Makefile.ssl
    ssl.h = ../include/openssl/ssl.h [File exists]
    ssl2.h = ../include/openssl/ssl2.h [File exists]
    ssl3.h = ../include/openssl/ssl3.h [File exists]
    ssl23.h = ../include/openssl/ssl23.h [File exists]
    tls1.h = ../include/openssl/tls1.h [File exists]

Then when I run make

JUST A SECTION

    + rm -f libcrypto.so.0
    + rm -f libcrypto.so
    + rm -f libcrypto.so.0.9.6
    + rm -f libssl.so.0
    + rm -f libssl.so
    + rm -f libssl.so.0.9.6
    making all in crypto...
    make[1]: Entering directory `/export/install/packages/openssl-0.9.6c/crypto'
    ( echo "#ifndef MK1MF_BUILD"; \
      echo "/* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; \
      echo "#define CFLAGS \"gcc -fPIC -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM\""; \
      echo "#define PLATFORM \"solaris-sparcv9-gcc\""; \
      echo "#define DATE \"`date`\""; \
      echo "#endif" ) > buildinf.h
    gcc -I. -I../include -fPIC -DDSO_DLFCN -DHAVE_DLFCN_H -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM -c -o cryptlib.o cryptlib.c
    In file included from cryptlib.c:59:
    /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:36:27: iso/stdio_iso.h: No such file or directory
    In file included from cryptlib.c:59:
    /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:194: parse error before '*' token
    /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:229: parse error before '*' token
    /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:230: parse error before '*' token
    /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:236: parse error before size_t
    /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:241: parse error before size_t
    /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:250: parse error before '*' token
    /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:252: parse error before '*' token
    /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:276: parse error before '*' token
    /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:285: parse error before '*' token
    /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:286: parse error before FILE
    /usr/local/lib/gcc-lib/sparc-sun-solaris2.8/3.0.3/include/stdio.h:287: parse error before '*' token
    cryptlib.c:60:20: string.h: No such file or directory

What is wrong with what I am doing? Any help would be a life saver!
Re: Please help - startssl fails due to the following errors:
Fixed it. Had to reinstall apache+modssl after reinstalling openssl.

- Original Message -
From: Mike K
To: [EMAIL PROTECTED]
Sent: Thursday, December 20, 2001 2:00 PM
Subject: Please help - startssl fails due to the following errors:

    [Thu Dec 20 16:48:20 2001] [error] mod_ssl: Init: Private key not found (OpenSSL library error follows)
    [Thu Dec 20 16:48:20 2001] [error] OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long

That is from my error_log. Any ideas how to fix this?

-MK
Re: Please help
Salam,

Signing a request has no relation with signing requests. To do so try what follows:

1/ Request generation:

    openssl req -new -out cert.req

2/ Request signature:

    openssl req -ca -config path/openssl.cnf -in cert.req -out cert.pem

path: path to the openssl.cnf configuration file (may be /usr/share/ssl/openssl.cnf). Verify that the directories and your CA and key files in the openssl.cnf file are correct.

bye
Haikel MEJRI
Security Engineer
National Digital Certification Agency
TUNISIA

On Friday 30 November 2001 01:44, you wrote:

Dear All,

I am finding problems while generating a certificate with openssl. When I want to generate a signed certificate using this command:

    openssl x509 -req -CA /usr/local/ca/cacert.crt -CAkey /usr/local/ca/private/cakey.pem -days 365 -in /tmp/req.pem -out /tmp/signed_req.pem -CAcreateserial

I get this problem:

    27182:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: TRUSTED CERTIFICATE

Please can anybody help me solve this problem. Thanking you in advance,

Hafida
Re: Please help me!
Hello Ryan!

Thank you very much. I have added the line in the Certificate Extensions section of my openssl.cnf file:

    crlDistributionPoints=URI:http://cert.vrn.ru/crl/main.crl

and then I made some certificates with this extension. Such certificates have the following value of CRL Distribution Points:

    [1]CRL Distribution Point
        Distribution Point Name:
            Full Name:
                URL=http://cert.vrn.ru/crl/main.crl

I suppose it's ok at this step. But the next step... It's not clear for me. MS Outlook Express tries to check if the certificate has been revoked or not, but it says "The digital ID has not been revoked or revocation information for this certificate could not be determined."

The CRL has been made with the following command:

    openssl ca -gencrl -out crl.pem -config openssl.cnf passin pass:

Then I copied the crl.pem file into the appropriate directory of my web server and renamed it (the file) to main.crl.

I made a certificate, then revoked it for testing, and then made a CRL as I wrote above. Have I made a mistake? Why does MS Outlook Express not tell me that the certificate has been revoked?

Yours sincerely,
Valery
E-mail: [EMAIL PROTECTED]

- Original Message -
From: Ryan Hurst [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 10:15 PM
Subject: RE: Please help me!

Valery --

This field in a certificate points to where the issuer will make its certificate revocation list available. If you are using OpenSSL or OpenCA (based off of OpenSSL) to issue your certificates you will probably want to put up a web server or LDAP-capable directory where you can make your certificate revocation list available; refer to the absolute URL for this list in this extension. You may also want to include an AIA (authorityInformationAccess) extension as well; this can point to an OCSP responder capable of responding with individual certificate statuses.

The Microsoft platform implements its revocation handling in a library called cryptnet.dll; this supports all the transports that WinInet supports (http/s, ftp, ldap/s, file). When the CryptoAPI applications that use revocation checking (Outlook can be configured to do this and in Office XP it is the default behavior), cryptnet will attempt to retrieve the CRL specified in this extension and use it for revocation checking. There are also alternate revocation providers available for Windows that implement additional protocols (OCSP, SCVP, CRL, CRLdp); ValiCert produces one such provider.

I hope this helps.

Ryan

-----Original Message-----
From: Valery [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 1:12 AM
To: [EMAIL PROTECTED]
Subject: Please help me!

Hello!

I used the certificate extension crlDistributionPoints in my openssl.cnf file. And I faced the following problem. What should I indicate in this field (crlDistributionPoints)? I need MS Outlook Express to check if the certificate has been revoked or not when it is on-line. What do I need to do?

Yours faithfully,
Valery
E-mail: [EMAIL PROTECTED]
RE: Please help me!
Valery --

This field in a certificate points to where the issuer will make its certificate revocation list available. If you are using OpenSSL or OpenCA (based off of OpenSSL) to issue your certificates you will probably want to put up a web server or LDAP-capable directory where you can make your certificate revocation list available; refer to the absolute URL for this list in this extension. You may also want to include an AIA (authorityInformationAccess) extension as well; this can point to an OCSP responder capable of responding with individual certificate statuses.

The Microsoft platform implements its revocation handling in a library called cryptnet.dll; this supports all the transports that WinInet supports (http/s, ftp, ldap/s, file). When the CryptoAPI applications that use revocation checking (Outlook can be configured to do this and in Office XP it is the default behavior), cryptnet will attempt to retrieve the CRL specified in this extension and use it for revocation checking. There are also alternate revocation providers available for Windows that implement additional protocols (OCSP, SCVP, CRL, CRLdp); ValiCert produces one such provider.

I hope this helps.

Ryan

-----Original Message-----
From: Valery [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 1:12 AM
To: [EMAIL PROTECTED]
Subject: Please help me!

Hello!

I used the certificate extension crlDistributionPoints in my openssl.cnf file. And I faced the following problem. What should I indicate in this field (crlDistributionPoints)? I need MS Outlook Express to check if the certificate has been revoked or not when it is on-line. What do I need to do?

Yours faithfully,
Valery
E-mail: [EMAIL PROTECTED]
RE: Please Help: Crypto library with Visual C++
Thousand thanks for your help :D It helps a lot and it works fine now...

Now, please, one more thing. I tried to decode a Base64 encoded string; the string is (for example):

    KljL0/zpzt8Y/UtenpqyMPt3JjQTFV5uofM349JXCY1z2i08XKzTW7LlpgnPDLh48Trbq6b/TErJ3UwFvbo8TOf8l4Xnp9yI6RtTWJlVZzJ5+AnY7lKLThSq8fgpVqwnJGVjfIHev6AI9qKHT+8vhN9tTacdU6WkZ6oYiOTb0jE=

I am not sure how. Do you know where I could find some example code, or perhaps some references on this stuff? Very struggling indeed :)

Thanks again for everything.

Best regards,
Jordan Cheun Ngen, Chong
INF-4067 Universiteit Twente
Postbus 217
7500 AE Enschede
The Netherlands
Distributed and Embedded Systems (DIES)
Office Phone: +31 53 4894655
Web site: http://www.cs.utwente.nl/~chong
Email Add.: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of YONG.YUE
Sent: Monday, September 10, 2001 11:17 AM
To: '[EMAIL PROTECTED]'
Subject: Reply: Please Help: Crypto library with Visual C++

I think all necessary files for your application are as follows:

    openssl-0.9.6a/out32dll/ : ssleay32.dll libeay32.dll ssleay32.lib libeay32.rls
    openssl-0.9.6a/inc32/openssl - this directory contains all header files needed

You can do this by two means.

First: copy inc32/openssl to the VC include directory, such as D:\Program Files\Microsoft Visual Studio\VC98\INCLUDE\openssl ... VC++ can find the header files automatically. This one seems much easier .. haha

Second: make a directory called include parallel to your project directory, copy the openssl header files to this directory, then in your project settings: C++ / Preprocessor / Additional include directories ... add: ..\include

Then all ok .. have a good time

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jordan C N Chong
Sent: 10 September 2001 15:43
To: openss-user
Subject: Please Help: Crypto library with Visual C++

Dear All,

Thousand thanks for your help. I really appreciate that. Your help really means a lot to me...

Now, the problem is about the VC setting. I am not sure how to set the directory settings for the project. For example, I copied all the files from the directory "crypto" in the "openssl-x-x" to another directory, and then renamed it to "openssl". I include the header file of envelope "evp/evp.h". But when I compile the file, the compiler complains it couldn't find the file "openssl/opensslconf.h" (which exists in the "crypto" directory). I hope you could understand my problem. So... I am really confused on how to set up the directory. I don't want to modify all the header files. Is there an alternative way? Please help.

Thousand thanks. Wish you all the best.

Best regards,
Jordan Cheun Ngen, Chong
INF-4067 Universiteit Twente
Postbus 217
7500 AE Enschede
The Netherlands
Distributed and Embedded Systems (DIES)
Office Phone: +31 53 4894655
Web site: http://www.cs.utwente.nl/~chong
Email Add.: [EMAIL PROTECTED]
RE: Please Help: Crypto library with Visual C++
Dear Yong Yue,

I am sorry to bother you again. The description is clear enough on the URL you gave me. However, I looked at the BIO explanation on http://www.columbia.edu/~ariel/ssleay/bio.html and I am not sure how to read in some data from a file to the BIO filter/sink/source. Is there any example for this purpose?

I am really really terribly sorry to bother you. Thanks for your help. Wish you all the best.

Best regards,
Jordan Cheun Ngen, Chong
INF-4067 Universiteit Twente
Postbus 217
7500 AE Enschede
The Netherlands
Distributed and Embedded Systems (DIES)
Office Phone: +31 53 4894655
Web site: http://www.cs.utwente.nl/~chong
Email Add.: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of YONG.YUE
Sent: Monday, September 10, 2001 12:19 PM
To: '[EMAIL PROTECTED]'
Subject: Reply: Please Help: Crypto library with Visual C++

You can follow this link: http://www.openssl.org/docs/crypto/BIO_f_base64.html#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jordan C N Chong
Sent: 10 September 2001 18:04
To: [EMAIL PROTECTED]
Subject: RE: Please Help: Crypto library with Visual C++

Thousand thanks for your help :D It helps a lot and it works fine now...

Now, please, one more thing. I tried to decode a Base64 encoded string; the string is (for example):

    KljL0/zpzt8Y/UtenpqyMPt3JjQTFV5uofM349JXCY1z2i08XKzTW7LlpgnPDLh48Trbq6b/TErJ3UwFvbo8TOf8l4Xnp9yI6RtTWJlVZzJ5+AnY7lKLThSq8fgpVqwnJGVjfIHev6AI9qKHT+8vhN9tTacdU6WkZ6oYiOTb0jE=

I am not sure how. Do you know where I could find some example code, or perhaps some references on this stuff? Very struggling indeed :)

Thanks again for everything.
RE: Please Help: BIO!!
Hi,

Thanks for your reply. I have tried, still the memory leak problem happens :) and the whole application crashes. My code is like this:

    #include <stdio.h>
    #include <openssl/bio.h>
    #include <openssl/evp.h>

    BIO *bio, *b64;
    BIO *bio_out;
    char inbuf[128];
    int inlen;

    b64 = BIO_new(BIO_f_base64());
    bio = BIO_new_file("content.key", "rb");
    bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
    bio = BIO_push(b64, bio);                 /* chain: base64 filter -> file */
    while ((inlen = BIO_read(bio, inbuf, 128)) > 0) {
        BIO_write(bio_out, inbuf, inlen);     /* decoded bytes */
    }
    BIO_free_all(bio);                        /* frees b64 and the file BIO */
    BIO_free(bio_out);                        /* the stdout BIO is not in that chain */

What I wish to do is read the data from the file content.key, decode the data and then convert the decoded data into a char * (or perhaps to another new file), but here what I do is just print out the decoded data :)

I am sorry to bother you that much. Please forgive and please help if you have the time :D Thousand thanks. Wish you all the best.

Best regards,
Jordan Cheun Ngen, Chong
INF-4067 Universiteit Twente
Postbus 217
7500 AE Enschede
The Netherlands
Distributed and Embedded Systems (DIES)
Office Phone: +31 53 4894655
Web site: http://www.cs.utwente.nl/~chong
Email Add.: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ??
Sent: Monday, September 10, 2001 1:24 PM
To: '[EMAIL PROTECTED]'
Subject: Reply: Please Help: Crypto library with Visual C++

Oh nothing, do not be nervous. I think if you want to read data from a file, first you must construct a BIO object:

    BIO *mbio = BIO_new_file(filename, "rb");

then build another:

    BIO *b64 = BIO_new(BIO_f_base64());

then

    mbio = BIO_push(b64, mbio);

all ok ... read data from it:

    while ((inlen = BIO_read(mbio, inbuf, sizeof(inbuf))) > 0) {
        /* do as you wish */
    }
    BIO_free_all(mbio);   /* remember to free all BIO resources */

Can this solve your problem?
RE: Please Help: BIO!!
HI :D

Sorry to bother you again. I think I have found the reason :) It is because the project setting is incorrect (thanks for your hints indeed). I have to set, under Code Generation (under the C/C++ tab), the "Use run-time library" to "Multithreaded DLL" :D

All the best.

Best regards,
Jordan Cheun Ngen, Chong
INF-4067 Universiteit Twente
Postbus 217
7500 AE Enschede
The Netherlands
Distributed and Embedded Systems (DIES)
Office Phone: +31 53 4894655
Web site: http://www.cs.utwente.nl/~chong
Email Add.: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ??
Sent: Monday, September 10, 2001 1:48 PM
To: '[EMAIL PROTECTED]'
Subject: Reply: Please Help: BIO!!

Oh, when an application crashes it is normally because of an MFC lib link problem. You may try "use MFC in shared DLL" or "use MFC in static DLL"; it may be ok.

As for the memory leak: at the beginning,

    OpenSSL_add_all_algorithms();
    SSL_load_error_strings();

your code...

at the end:

    ERR_free_strings();
    EVP_cleanup();

see u later...:)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jordan C N Chong
Sent: 10 September 2001 19:43
To: [EMAIL PROTECTED]
Subject: RE: Please Help: BIO!!

Hi,

Thanks for your reply. I have tried, still the memory leak problem happens :) and the whole application crashes. My code is like this:

    #include <stdio.h>
    #include <openssl/bio.h>
    #include <openssl/evp.h>

    BIO *bio, *b64;
    BIO *bio_out;
    char inbuf[128];
    int inlen;

    b64 = BIO_new(BIO_f_base64());
    bio = BIO_new_file("content.key", "rb");
    bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
    bio = BIO_push(b64, bio);                 /* chain: base64 filter -> file */
    while ((inlen = BIO_read(bio, inbuf, 128)) > 0) {
        BIO_write(bio_out, inbuf, inlen);     /* decoded bytes */
    }
    BIO_free_all(bio);                        /* frees b64 and the file BIO */
    BIO_free(bio_out);                        /* the stdout BIO is not in that chain */

What I wish to do is read the data from the file content.key, decode the data and then convert the decoded data into a char * (or perhaps to another new file), but here what I do is just print out the decoded data :)

I am sorry to bother you that much. Please forgive and please help if you have the time :D Thousand thanks. Wish you all the best.
RE: Please Help: Crypto
Dear Dirk,

Have a look at http://www.iconsinc.com/~agray/ossldev/nt and pick the workspace for the version of OpenSSL you want to use (you'll still need to download the src tarball of OpenSSLvx.y.z).

CU, Dirk

Thanks for your reply. I don't understand here. All I wish to do is to use the OpenSSL cryptography library... but not OpenSSL.. Although I have already installed OpenSSL with the Apache server on my machine...

1. to do enc/decryption
2. signature generation and verification
3. certificate management

However I wish to know whether there is a specific direction on achieving that... like:

1. how to use the provided OpenSSL crypto API?
2. any settings on VC++ 6.0 for that?
3. any library (.LIB) needed? etc.

Please help. Thanks.
RE: PLease help! Using LWP to check to see if Secure Server is running
My guess is LWP by default sends requests to port 80. There must be a method to specify a different port... The request string where you specified the url...

    my $req = new HTTP::Request('GET', 'https://www.someserver.com');

...just gets added to the http header inside the tcp payload and interpreted by the http daemon on port 80.

--
Jack Varga SMTS | [EMAIL PROTECTED]
Circadence Corporation | 303.413.8800 x 1082
4888 Perl East Circle | Boulder, Colorado 80301

-----Original Message-----
From: Frank Belfie [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 08, 2001 2:20 PM
To: [EMAIL PROTECTED]
Subject: PLease help! Using LWP to check to see if Secure Server is running

    use LWP::UserAgent;
    my $ua = new LWP::UserAgent;
    my $req = new HTTP::Request('GET', 'https://www.someserver.com');
    my $res = $ua->request($req);
    print $res->code."\n";

The return code is always 501 with secure servers, and 200 with non-secure. Should this code work? I know the ssl server is up and listening, yet I get the 501 code. All I need this to do is see if it is still taking requests. I installed the openssl, and all necessary packages. RedHat 7.0, Perl 5.6.0. Doesn't throw any errors? Any help is very appreciated!

Thanks,
Frank Belfie
Datacomm Engineer
Commerce Bank, N.A.
[EMAIL PROTECTED]
RE: PLease help! Using LWP to check to see if Secure Server is ru nning
Sorry. This is not correct. LWP apparently doesn't support HTTPS out of the box because of the complexities associated with key exchanges and cert mgmt.

-----Original Message-----
From: Varga, Jack [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 08, 2001 2:39 PM
To: '[EMAIL PROTECTED]'
Subject: RE: PLease help! Using LWP to check to see if Secure Server is running

My guess is LWP by default sends requests to port 80. There must be a method to specify a different port... The request string where you specified the url...

    my $req = new HTTP::Request('GET', 'https://www.someserver.com');

...just gets added to the http header inside the tcp payload and interpreted by the http daemon on port 80.

--
Jack Varga SMTS | [EMAIL PROTECTED]
Circadence Corporation | 303.413.8800 x 1082
4888 Perl East Circle | Boulder, Colorado 80301

-----Original Message-----
From: Frank Belfie [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 08, 2001 2:20 PM
To: [EMAIL PROTECTED]
Subject: PLease help! Using LWP to check to see if Secure Server is running

    use LWP::UserAgent;
    my $ua = new LWP::UserAgent;
    my $req = new HTTP::Request('GET', 'https://www.someserver.com');
    my $res = $ua->request($req);
    print $res->code."\n";

The return code is always 501 with secure servers, and 200 with non-secure. Should this code work? I know the ssl server is up and listening, yet I get the 501 code. All I need this to do is see if it is still taking requests. I installed the openssl, and all necessary packages. RedHat 7.0, Perl 5.6.0. Doesn't throw any errors? Any help is very appreciated!

Thanks,
Frank Belfie
Datacomm Engineer
Commerce Bank, N.A.
[EMAIL PROTECTED]
Re: PLease help! Using LWP to check to see if Secure Server is running
Might look at the LWP::SecureSocket module in the CPAN archives. I've never tried it, but from the description it works with what you're looking to do.

"Varga, Jack" wrote:

Sorry. This is not correct. LWP apparently doesn't support HTTPS out of the box because of the complexities associated with key exchanges and cert mgmt.

-----Original Message-----
From: Varga, Jack [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 08, 2001 2:39 PM
To: '[EMAIL PROTECTED]'
Subject: RE: PLease help! Using LWP to check to see if Secure Server is running

My guess is LWP by default sends requests to port 80. There must be a method to specify a different port... The request string where you specified the url...

    my $req = new HTTP::Request('GET', 'https://www.someserver.com');

...just gets added to the http header inside the tcp payload and interpreted by the http daemon on port 80.

--
Jack Varga SMTS | [EMAIL PROTECTED]
Circadence Corporation | 303.413.8800 x 1082
4888 Perl East Circle | Boulder, Colorado 80301

-----Original Message-----
From: Frank Belfie [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 08, 2001 2:20 PM
To: [EMAIL PROTECTED]
Subject: PLease help! Using LWP to check to see if Secure Server is running

    use LWP::UserAgent;
    my $ua = new LWP::UserAgent;
    my $req = new HTTP::Request('GET', 'https://www.someserver.com');
    my $res = $ua->request($req);
    print $res->code."\n";

The return code is always 501 with secure servers, and 200 with non-secure. Should this code work? I know the ssl server is up and listening, yet I get the 501 code. All I need this to do is see if it is still taking requests. I installed the openssl, and all necessary packages. RedHat 7.0, Perl 5.6.0. Doesn't throw any errors? Any help is very appreciated!

Thanks,
Frank Belfie
Datacomm Engineer
Commerce Bank, N.A.
[EMAIL PROTECTED]
Re: please help me first!
¾ç½Â¸ð, hello!

    openssl req -new -x509 -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem
    openssl req -out reqU.pem -keyout keyU.pem -new
    openssl ca -policy policy_anything -out certU.pem -infiles reqU.pem
    openssl pkcs12 -in certU.pem -inkey reqU.pem -certfile ./demoCA/cacert.pem -out certU.p12 -export -name "user" -inkey keyU.pem

I succeeded in creating the certificate. I can't append the sample certificate! Why?

On 2001-03-05 10:40:00 you wrote:

Help please!! First!! Sorry!! I am unfamiliar with things English!! I was testing with openssl. I created certificates as follows..

1. "root CA generation"

    openssl req -new -x509 -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem

2. "User certificate generation"

    openssl req -out reqU.pem -keyout keyU.pem -new
    openssl ca -policy policy_anything -out certU.pem -infiles reqU.pem
    openssl pkcs12 -in certU.pem -inkey reqU.pem -certfile ./demoCA/cacert.pem -out certU.p12 -export -name "user" -inkey keyU.pem

I succeeded in creating the certificate. I appended my sample certificate!

Question! I create an intermediate CA(?) following the sample..

    openssl req -new -keyout keyM.pem -out reqM.pem
    openssl x509 -req -in reqM.pem -extensions v3_usr -CA ./democa/cacert.pem -CAkey ./democa/private/cakey.pem -CAcreateserial -out certM.pem
    openssl x509 -x509toreq -in certM.pem -signkey keyM.pem -out tmp.pem
    openssl ca -policy policy_anything -out certM1.pem -infiles tmpM.pem
    openssl pkcs12 -in certM1.pem -inkey keyM.pem -certfile ./democa/cacert.pem -out certM.p12 -export -name "remoteM"

and I install it. But that added a user certificate. How do I create an intermediate CA(?)? I want to install an intermediate CA(?) but I don't know how. I want openssl sample commands that create the issue below! Please help me!

Regards!
zgleaf
[EMAIL PROTECTED]
Re: please help apache-ssl
I don't know much about modssl, but if you set SSLVerifyClient to 1 you are telling the server to authenticate its clients (cryptographically verify the client's identity). An entity (let's say somebody connecting to your server) needs a certificate in order to be authenticated, but hardly any web user has his own certificate (you have to buy it or make your own certification authority and make the server trust it). And that is your error message: your browser does not have a certificate. Just don't set SSLVerifyClient to 1 if you want usual people (99% of web users) to be able to get into your web.

Christoph Hubmann wrote:

in httpd.conf:

    SSLCACertificatePath /usr/local/ssl/certs
    SSLCACertificateFile /usr/local/ssl/certs/ClientCA.crt
    SSLCertificateFile /usr/local/ssl/certs/ServerCA.crt
    SSLCertificateKeyFile /usr/local/ssl/private/ServerCA.key
    SSLVerifyClient 1
    SSLVerifyDepth 1

with SSLVerifyClient 0 there is no problem
with SSLVerifyClient 1, I can't connect to the server

in the error_log is the following message:

    [Tue Feb 20 16:01:14 2001] /usr/local/src/apache_1.3.14/src/modules/ssl/gcache started
    [Tue Feb 20 16:01:14 2001] [debug] apache_ssl.c(369): Random input /dev/urandom(1024) -> 1024
    [Tue Feb 20 16:01:14 2001] [info] created shared memory segment #118657
    [Tue Feb 20 16:01:14 2001] /usr/local/src/apache_1.3.14/src/modules/ssl/gcache started
    [Tue Feb 20 16:01:14 2001] [notice] Apache/1.3.14 Ben-SSL/1.42 (Unix) configured -- resuming normal operations
    [Tue Feb 20 16:01:14 2001] [info] Server built: Feb 16 2001 16:46:27
    [Tue Feb 20 16:01:27 2001] [debug] apache_ssl.c(369): Random input /dev/urandom(1024) -> 1024
    [Tue Feb 20 16:01:29 2001] [error] SSL_accept failed
    [Tue Feb 20 16:01:29 2001] [error] error:140890B0:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificates returned

what is wrong? I use netscape 4.75

please help
christoph hubmann

--
Jorge Olmos Fors
Re: please help with understanding client authentication
> I've been building a small https client and everything has gone quite well. Now I've been told that I need to include support for client authentication using a standard x.509 certificate and I am stumped.

How do you manage client trust to your server? How do you know that you are really communicating in a confidential way with the intended server? Is there a configuration file with 'trusted CAs or server certs', etc.?

> Is the certificate just going to be a file? Do I just have to set a path to it, or is there some sort of installation that I need to do?

It depends what kind of https client software you are building.

> As you can tell, I'm at a real basic level with this one. I've looked at the command line tool documentation, but I don't know what I'm looking for.

You can for example (mis)use a PKCS12 file containing a user key-pair/cert and even some trust base. For example, if you want to make a simple client/server protocol based on https between some client software and one service, where each user has access to his/her server, you could use a file (or a hardware token) with three things:

- a key pair for the user,
- a corresponding cert,
- a cert of the server containing a service URL somewhere.

This file completely describes the information concerning a user. (The client software may need one configuration parameter about https proxies; this might be handled independently from the user parms and considered as a parameter of the workstation and not of the USER.)

Peter Sylvester
RE: please help with understanding client authentication
The certificate can be an ASN1 or PEM format file. To use a certificate, you must also have a private key file (also in PEM or ASN1 format). The certificate must be the public key for the private key file. Both of these files can be created using the openssl utility.

Example:

Generate a 1024 bit private key file, encoded with 3DES using the password found in the file 3des.key, and output the private key to rsa.prv:

  openssl genrsa -rand random.file -des3 -passout file:3des.key -out rsa.prv 1024

Generate a certificate request based on the private key and output the certificate request to cert.req (note my.config is a config file based on the format in the documentation):

  openssl req -new -config my.config -key rsa.prv -passin file:3des.key -out cert.req

If you have a CA (Entrust, etc.) send the cert.req file to get the certificate. For testing you can use openssl's CA utility:

  openssl ca -config testCA.config -in cert.req -out cert.cert

For the client code to actually utilize the rsa.prv file and the cert.cert file (from the above example) check out the API:

  SSL_CTX_use_certificate_file
  SSL_CTX_use_PrivateKey_file

This should be enough to get you in trouble. If any of this is wrong, sorry!

Jon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Randall Ward
Sent: Wednesday, August 09, 2000 1:28 PM
To: '[EMAIL PROTECTED]'
Subject: please help with understanding client authentication

> I've been building a small https client and everything has gone quite well. Now I've been told that I need to include support for client authentication using a standard x.509 certificate and I am stumped. Is the certificate just going to be a file? Do I just have to set a path to it, or is there some sort of installation that I need to do? As you can tell, I'm at a real basic level with this one. I've looked at the command line tool documentation, but I don't know what I'm looking for. Any help at all would be most useful.
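The key, CSR and CA-signing steps in Jon's reply, together with the intermediate-CA question in the earlier thread, as one added example (not code from any of the posts): it builds root CA -> intermediate CA -> user certificate with the openssl command line, bundles the result into a PKCS#12 file, and verifies the chain. Subjects, file names, validity periods and the passphrase "demo" are constructed for the example.

```shell
# Added example, not from the thread. Builds a root CA, an intermediate CA signed by it
# and a user certificate signed by the intermediate, then verifies the chain.
# Subjects, file names and the PKCS#12 passphrase ("demo") are constructed for the demo.
set -e

make_chain() {
    dir="$1"
    mkdir -p "$dir"
    ( set -e; cd "$dir"
      # A CA certificate must carry basicConstraints CA:TRUE and keyCertSign. The v3_usr
      # profile used in the original attempt yields an end-entity cert, not a CA.
      printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
          'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > ca.ext
      printf '%s\n' 'basicConstraints=critical,CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
          'extendedKeyUsage=clientAuth' 'authorityKeyIdentifier=keyid' > user.ext
      # 1. Root CA: key + CSR, self-signed with the CA extensions (-nodes: unencrypted demo key).
      openssl req -new -newkey rsa:2048 -nodes -subj '/O=Demo/CN=Demo Root CA' \
          -keyout root.key -out root.csr
      openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt
      # 2. Intermediate CA: CSR signed by the root, again with CA extensions.
      openssl req -new -newkey rsa:2048 -nodes -subj '/O=Demo/CN=Demo Intermediate CA' \
          -keyout intermediate.key -out intermediate.csr
      openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
          -days 1825 -extfile ca.ext -out intermediate.crt
      # 3. User certificate signed by the intermediate, not by the root.
      openssl req -new -newkey rsa:2048 -nodes -subj '/O=Demo/CN=user' \
          -keyout user.key -out user.csr
      openssl x509 -req -in user.csr -CA intermediate.crt -CAkey intermediate.key \
          -CAcreateserial -days 365 -extfile user.ext -out user.crt
      # 4. Bundle key, cert and the intermediate into a PKCS#12 file for the client to import.
      openssl pkcs12 -export -in user.crt -inkey user.key -certfile intermediate.crt \
          -name user -passout pass:demo -out user.p12 )
}

# Prints OK when user.crt chains to the trusted root, FAIL otherwise. The intermediate is
# not trusted by itself: pass it with "-untrusted <file>" (a TLS server would send it in
# its chain), or verification stops with "unable to get local issuer certificate".
verify_chain() {
    dir="$1"; shift
    if openssl verify -CAfile "$dir/root.crt" "$@" "$dir/user.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

WORK=$(mktemp -d)
make_chain "$WORK"
echo "with intermediate: $(verify_chain "$WORK" -untrusted "$WORK/intermediate.crt")"
echo "root only:         $(verify_chain "$WORK")"
```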
Re: please help with understanding client authentication
[EMAIL PROTECTED] wrote:

> Hi Randal,
> I am trying to get OpenSSL to import private key files.

You can load a private key with PEM_read_PrivateKey() (defined in openssl/pem.h).

> -----Original Message-----
> From: EXT Randall Ward [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 09, 2000 1:28 PM
> To: '[EMAIL PROTECTED]'
> Subject: please help with understanding client authentication
>
> I've been building a small https client and everything has gone quite well. Now I've been told that I need to include support for client authentication using a standard x.509 certificate and I am stumped. Is the certificate just going to be a file? Do I just have to set a path to it, or is there some sort of installation that I need to do?

You load a certificate with PEM_read_X509() (defined in openssl/pem.h). Parameters are:

  fp: file pointer
  x: pointer for in object, leave it NULL
  cb: callback for passphrase (only needed for private key)
  u: parameter passed to callback

cb has the form:

  int cb(char *buf, int size, int rwflag, void *userdata);

  buf: buffer for pass phrase
  size: size of buf
  rwflag: on read you can ignore this
  userdata: param u from PEM_read...()

(Assuming key and certificate are stored in PEM...)

This private key and certificate you can insert into the SSL data:

  int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
  int SSL_use_certificate(SSL *ssl, X509 *x);

(from openssl/ssl.h)

By Goetz
-- 
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
Re: PLEASE HELP ME...............................!!!!
Hi,

in short: using SSL you have two parts of encryption: first a public/secret key system (asymmetric cryptography) is used to establish a connection and to agree on a common secret key. When both parties have agreed on that common secret key (which is, in short, encrypted with the public keys (very short, this is)) the common secret key is used for encrypting the exchanged data. So, for agreement on a common secret key, asymmetric cryptography is used.

To be sure you use the true public key of your party (so nobody else's key, maybe that of a man-in-the-middle) you get a certificate. Why a certificate? Because chances are high that you do not know all keys of all people/servers you want to correspond with. So you get a certificate which is signed by a CA (certificate authority) that you know and that you can trust.

More to find in literature.

Hope this helps
Doris

On Tue, 13 Jun 2000, Pamu Radhakrishna wrote:

> hi,
> You know that OpenSSL supports DES for encryption of data. So if you want to establish a communication link between client and server then you must use a secret key. Now my question is, what does the certificate contain? I mean what public keys it contains and for what purpose they can be used? Could anybody tell me, before encryption of actual data using the secret key, what are the necessary steps that could be performed to share the secret key?
> ThanX
> --Radha
Re: Please help
> I'm new to all this. What the plan is for me and a friend to make a webpage with a few different sections. We would like to be able to update it from one page. A page that would let us choose what section it will be added to, write the new news or whatever and post it automatically and making the changes to the html code.

Well, it's not that this should be answered in this forum, but if anyone uses FileMaker 5 (I used it because it was the only thing available and stable, Access sux.) then I have something I'm willing to open source. With FMP5, you can make a database of HTML code bits, called BODY PARTS for obvious reasons. Then you can assemble each page of your site by choosing the body parts in order of appearance. The advantage: if you have to change something dynamically from time to time, you now have the ability to modify a common HTML segment (say a navigation bar) in one step. Yes, I know server-side includes are the same thing, but this leaves cleaner directories and some people don't have SSIs...

-Brendan Robert
---
I am surviving the BS Y2K problem like everyone else in the world...
Re: please help with openssl + imap.
John Castillo wrote:

> built SSLeay0.8.1b

Why are you using this old version? Upgrade to the latest OpenSSL release from http://www.openssl.org/ .

> Jul 15 17:45:20 phoenix stunnel[12524]: Wrong permissions on /usr/local/ssl/certs/stunnel.pem

Since the file stunnel.pem contains a private key, its permissions should be og-rwx.

> Jul 15 17:45:20 phoenix stunnel[12524]: Could not load DH parameters from /usr/local/ssl/certs/stunnel.pem
> Jul 15 17:45:20 phoenix stunnel[12524]: Diffie-Hellman initialization failed

You are using RSA keys in your certificate. No problem.

Ciao, Michael.
Re: please help with openssl + imap.
Try the following URL. It works for me with all versions of stunnel...

  http://www.dtcc.edu/cs/admin/notes/ssl/

On Thu, 15 Jul 1999, John Castillo wrote:

> Hello All,
> Argghh.. where did my hair go! I have been trying to configure SSL for use with my current imap server (Cyrus). I found a couple of reference pages which point to SSLeay (openssl) and stunnel which would allow me to configure an SSL environment for Cyrus. If you could please help with some suggestions or explanation of the error messages I'm getting, you're awesome (because the key/cert/SSL part is stumping me).
>
> This is what I've done so far.
>
> built SSLeay0.8.1b
> built stunnel3.4a with RSAglue library
> added the proper entry in /etc/inetd.conf - namely
>
>   simap stream tcp nowait cyrus /usr/local/sbin/stunnel -D 7 -l /usr/cyrus/bin/imapd imapd
>
> Everything looks good but now I get this error every time one of my clients (outlook express or Netscape messenger) tries to connect to the SSL secure IMAP server...
>
>   Jul 15 17:45:20 phoenix stunnel[12524]: Wrong permissions on /usr/local/ssl/certs/stunnel.pem
>   Jul 15 17:45:20 phoenix stunnel[12524]: Could not load DH parameters from /usr/local/ssl/certs/stunnel.pem
>   Jul 15 17:45:20 phoenix stunnel[12524]: Diffie-Hellman initialization failed
>   Jul 15 17:45:20 phoenix stunnel[12524]: stunnel 3.4a on i686-pc-linux-gnu PTHREAD+LIBWRAP
>   Jul 15 17:45:20 phoenix stunnel[12524]: 7 connected from 172.16.0.227:3679
>
> It seems to WORK though.. I'm just wondering what all the DH errors are all about.
>
> John C.