Re: Unable to locate the keystore/certificate store or private key
[EMAIL PROTECTED] wrote:
> Nils,
>
> The basic succession of calls is as follows. I think the program waits for an
> ssl_read or ssl_write to implicitly trigger the handshake process.
>
> meth = TLSv1_client_method();
>
> SSL_load_error_strings();
> SSLeay_add_ssl_algorithms();
> ctx = SSL_CTX_new(meth);
>
> ssl = SSL_new( ctx );
> sbio = BIO_new_socket( sock, BIO_NOCLOSE );
> SSL_set_bio( ssl, sbio, sbio );
> SSL_set_connect_state( ssl );
> iSslInitStatus = SSL_in_init( ssl );
>
> After that, the only API calls are ssl_read(), ssl_write() and an occasional
> SSL_pending( ssl ).

Well, if no location for the certs is explicitly set, the certificates in
$OPENSSL_DIR/certs/ and the cert in $OPENSSL_DIR/cert.pem are used (if present).
The value of OPENSSLDIR is defined in opensslconf.h (or type "openssl version -a").
As you already wrote that there are no certificates on your disk, it would be
interesting to know if the functions for cert verification are modified in your
openssl version (possibly to an engine for cert validation).

Cheers,
Nils
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: Unable to locate the keystore/certificate store or private key
Hello,

> The basic succession of calls is as follows. I think the program waits for an
> ssl_read or ssl_write to implicitly trigger the handshake process.
>
> meth = TLSv1_client_method();
>
> SSL_load_error_strings();
> SSLeay_add_ssl_algorithms();
> ctx = SSL_CTX_new(meth);
>
> ssl = SSL_new( ctx );
> sbio = BIO_new_socket( sock, BIO_NOCLOSE );
> SSL_set_bio( ssl, sbio, sbio );
> SSL_set_connect_state( ssl );
> iSslInitStatus = SSL_in_init( ssl );
>
> After that, the only API calls are ssl_read(), ssl_write() and an occasional
> SSL_pending( ssl ).

My proposition is to add:

    ERR_print_errors_fp(stderr);

when connecting to Cisco (to check real errors) and to add:

    fprintf(stderr, "%s/%s\n", SSL_get_version(ssl), SSL_get_cipher(ssl));

to check what ciphers are negotiated with IIS.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
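Editor's note with an added example (not code from the thread, from the poster's application or from OpenSSL). The call sequence posted above never calls SSL_CTX_set_verify(), SSL_CTX_load_verify_locations() or SSL_CTX_set_default_verify_paths(). An SSL_CTX therefore keeps OpenSSL's default verify mode, SSL_VERIFY_NONE, and holds an empty trust store: OPENSSLDIR/certs and OPENSSLDIR/cert.pem are only consulted once SSL_CTX_set_default_verify_paths() has been called. In that mode the client completes the handshake whatever certificate the server presents, which is how the program could work with no *.pem anywhere on disk, and why comparing what is actually negotiated with IIS and with the Cisco switch, as suggested above, is the right next step: a client that never verified anything is unlikely to be failing for want of a CA certificate. The script below reproduces this with the openssl command-line tool against a throwaway self-signed server on localhost, so it needs no build against the library. The first client mirrors the posted sequence (no CA store, default verify mode); the second is given the server's certificate as its CA file; the strict variant behaves like a client with SSL_VERIFY_PEER and a callback that fails the handshake on a verify error. It also prints the negotiated protocol and cipher, the same pair that the fprintf of SSL_get_version()/SSL_get_cipher() above reports. Assumptions: a reasonably modern openssl binary (1.1.x or later) on PATH and a free local TCP port; the certificate and key are generated by the script and are constructed test data.

```shell
#!/bin/sh
# Added example (editor's; not from the thread or from OpenSSL).
# Reproduces the thread's situation with the openssl CLI: a client with no CA
# store and the default verify mode completes the handshake against any server
# certificate; a verifying client does not.
# Assumptions: `openssl` on PATH, a free local TCP port. The server certificate
# is a throwaway self-signed one generated below (constructed test data).
set -eu

WORK=$(mktemp -d)
PORT=$((20000 + $$ % 20000))
SERVER_PID=""

cleanup() {
    if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null || true; fi
    rm -rf "$WORK"
}
trap cleanup EXIT

make_server_cert() {
    # Self-signed certificate for CN=localhost, valid for one day.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

start_server() {
    # -www: answer each connection with a small HTTP page instead of reading stdin.
    openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
        -www >/dev/null 2>&1 &
    SERVER_PID=$!
    tries=0
    # Poll until the listener accepts a connection (s_client exits 1 on refusal).
    while ! openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -lt 20 ] || return 1
        sleep 1
    done
}

# Connect with the given extra s_client options and report the X509 verify
# result s_client prints ("Verify return code"). 0 means the chain verified;
# 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. Without -verify_return_error
# s_client keeps the session regardless of this code, exactly like an SSL_CTX
# left at SSL_VERIFY_NONE: SSL_get_verify_result() would report the error after
# a handshake that nevertheless succeeded.
verify_code() {
    openssl s_client -connect "127.0.0.1:$PORT" $1 </dev/null 2>/dev/null \
        | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | tail -n 1
}
verify_code_no_ca()   { verify_code ""; }
verify_code_with_ca() { verify_code "-CAfile $WORK/cert.pem"; }

# The equivalent of SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, cb) with a callback
# that fails the handshake on a verify error. Returns 0 if the handshake
# completed, 1 if s_client aborted it.
strict_connect() {
    if openssl s_client -connect "127.0.0.1:$PORT" -verify 5 -verify_return_error $1 \
            </dev/null >/dev/null 2>&1; then
        return 0
    fi
    return 1
}
strict_connect_no_ca()   { strict_connect ""; }
strict_connect_with_ca() { strict_connect "-CAfile $WORK/cert.pem"; }

# Negotiated protocol/cipher, the pair SSL_get_version()/SSL_get_cipher() return.
negotiated() {
    openssl s_client -connect "127.0.0.1:$PORT" </dev/null 2>/dev/null \
        > "$WORK/session.txt"
    proto=$(sed -n 's/^ *Protocol *: *//p' "$WORK/session.txt" | head -n 1)
    cipher=$(sed -n 's/^ *Cipher *: *//p' "$WORK/session.txt" | head -n 1)
    printf '%s/%s\n' "$proto" "$cipher"
}

make_server_cert
start_server
echo "no CA store, default verify mode: verify code $(verify_code_no_ca), session established"
echo "server cert given as -CAfile:     verify code $(verify_code_with_ca)"
echo "negotiated:                       $(negotiated)"
if strict_connect_no_ca; then echo "strict client, no CA store:       handshake completed"
else echo "strict client, no CA store:       handshake refused"; fi
```

The first output line is the one that matches the thread: the verify code is 18 (self-signed, nothing to chain to) and the session is established anyway. The C-side fix for the posted sequence is to call SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL) and either SSL_CTX_load_verify_locations() or SSL_CTX_set_default_verify_paths() before SSL_new(), and to check SSL_get_verify_result(ssl) == X509_V_OK after the handshake; the strict client above shows what that change does to a server the trust store does not cover.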
Re: Unable to locate the keystore/certificate store or private key
Nils,

The basic succession of calls is as follows. I think the program waits for an
ssl_read or ssl_write to implicitly trigger the handshake process.

meth = TLSv1_client_method();

SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
ctx = SSL_CTX_new(meth);

ssl = SSL_new( ctx );
sbio = BIO_new_socket( sock, BIO_NOCLOSE );
SSL_set_bio( ssl, sbio, sbio );
SSL_set_connect_state( ssl );
iSslInitStatus = SSL_in_init( ssl );

After that, the only API calls are ssl_read(), ssl_write() and an occasional
SSL_pending( ssl ).

Nils Larsch <[EMAIL PROTECTED]> wrote on 08/29/2006 02:58 PM:
> [EMAIL PROTECTED] wrote:
> >
> > Nils,
> >
> > Yes. I read the entire e-mail. I can't find ANYWHERE where it's being
> > fed to the application, (including the source code). As far as I can
> > see, it's definitely not being used in an ssl_ library call nor is he
>
> which ssl api calls are used to initialize the ssl context ?
>
> Cheers,
> Nils
Re: Unable to locate the keystore/certificate store or private key
[EMAIL PROTECTED] wrote:
> Nils,
>
> Yes. I read the entire e-mail. I can't find ANYWHERE where it's being fed to
> the application, (including the source code). As far as I can see, it's
> definitely not being used in an ssl_ library call nor is he

which ssl api calls are used to initialize the ssl context ?

Cheers,
Nils
Re: Unable to locate the keystore/certificate store or private key
[EMAIL PROTECTED] wrote:
> Excellent, excellent idea. Is ssldump an API call?

it's an application to analyze an ssl connection (see http://www.rtfm.com/ssldump/ )

Cheers,
Nils
RE: Unable to locate the keystore/certificate store or private key
On Tue, 2006-08-29 at 13:52 -0400, [EMAIL PROTECTED] wrote:
> Excellent, excellent idea. Is ssldump an API call? If so, I haven't seen that.
> Let me go out to the site and look. I wish there were a more organized and
> informative source for information on the openssl API.

This is a very useful utility; you may find it at:
http://freshmeat.net/projects/ssldump/

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
RE: Unable to locate the keystore/certificate store or private key
Excellent, excellent idea. Is ssldump an API call? If so, I haven't seen that. Let
me go out to the site and look. I wish there were a more organized and informative
source for information on the openssl API. That should definitely make the problem
expose itself. Thanks!

Marek Marcola <[EMAIL PROTECTED]> wrote on 08/29/2006 02:20 AM:
> Hello,
>
> > The server side SSL is no longer terminated on the IIS server. It is being
> > handled by Cisco 11500 series content switches and the application will no
> > longer work.
>
> My proposition is to get ssldump and dump the SSL handshake with IIS and Cisco
> to check the difference and working parameters (with IIS).
>
> Best regards,
> --
> Marek Marcola <[EMAIL PROTECTED]>
RE: Unable to locate the keystore/certificate store or private key
Hello,

> The server side SSL is no longer terminated on the IIS server. It is being
> handled by Cisco 11500 series content switches and the application will no
> longer work.

My proposition is to get ssldump and dump the SSL handshake with IIS and Cisco to
check the difference and working parameters (with IIS).

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>
RE: Unable to locate the keystore/certificate store or private key
The server side SSL is no longer terminated on the IIS server. It is being handled
by Cisco 11500 series content switches and the application will no longer work.

"Diffenderfer, Randy" <[EMAIL PROTECTED]> wrote on 08/28/2006 03:23 PM:
> I don't see the execution platform given here. Perhaps you might consider doing
> an 'strace' (if linux)? Anything that is opened and "secretly" imported into the
> program should be discernible from this.
>
> Just a thought...
>
> rnd
RE: Unable to locate the keystore/certificate store or private key
The platform is AIX. I don't think they've ever explicitly used a *.pem file.
Somehow the app was able to communicate with an IIS server and complete the
handshake process, or at least communicate and get txn's across, (I'm not sure
how).

"Diffenderfer, Randy" <[EMAIL PROTECTED]> wrote on 08/28/2006 03:23 PM:
> I don't see the execution platform given here. Perhaps you might consider doing
> an 'strace' (if linux)? Anything that is opened and "secretly" imported into the
> program should be discernible from this.
>
> Just a thought...
>
> rnd
RE: Unable to locate the keystore/certificate store or private key
I don't see the execution platform given here. Perhaps you might consider doing an
'strace' (if linux)? Anything that is opened and "secretly" imported into the
program should be discernible from this.

Just a thought...

rnd

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 28, 2006 2:55 PM
To: openssl-users@openssl.org
Cc: openssl-users@openssl.org; [EMAIL PROTECTED]
Subject: Re: Unable to locate the keystore/certificate store or private key

Nils,

Yes. I read the entire e-mail. I can't find ANYWHERE where it's being fed to the
application, (including the source code). As far as I can see, it's definitely not
being used in an ssl_ library call nor is he building his own in memory or using
some other filename etc. I don't see how the program was ever getting a root cert
to make it through the handshake process. I've searched for *.pem, *{hash}.0 files
from root, (/), all to no avail. How it was ever working is beyond me. I know it
has to be getting this from somewhere.
Re: Unable to locate the keystore/certificate store or private key
Nils,

Yes. I read the entire e-mail. I can't find ANYWHERE where it's being fed to the
application, (including the source code). As far as I can see, it's definitely not
being used in an ssl_ library call nor is he building his own in memory or using
some other filename etc. I don't see how the program was ever getting a root cert
to make it through the handshake process. I've searched for *.pem, *{hash}.0 files
from root, (/), all to no avail. How it was ever working is beyond me. I know it
has to be getting this from somewhere.

Nils Larsch <[EMAIL PROTECTED]> wrote on 08/28/2006 02:08 PM:
> [EMAIL PROTECTED] wrote:
> >
> > Nils,
> >
> > Yes, 0.9.6b is the exact version. Please help!
>
> hmm, did you read the rest of my mail ? Do you have the source code ?
>
> Cheers,
> Nils
Re: Unable to locate the keystore/certificate store or private key
[EMAIL PROTECTED] wrote:
> Nils,
>
> Yes, 0.9.6b is the exact version. Please help!

hmm, did you read the rest of my mail ? Do you have the source code ?

Cheers,
Nils
Re: Unable to locate the keystore/certificate store or private key
Nils,

Yes, 0.9.6b is the exact version. Please help!

Nils Larsch <[EMAIL PROTECTED]> wrote on 08/26/2006 06:23 AM:
> [EMAIL PROTECTED] wrote:
> >
> > Hi,
> >
> > I'm using openssl, (I think the slimmed down engine version), and
>
> openssl 0.9.6 ? since there's no separate engine version for openssl >= 0.9.7
>
> > attempting to support a program written by someone else. The server that
> > I'm talking to recently moved to a new ISP and the program stopped
> > working. It should be as simple as getting the server's new certificate
> > and it should work. The problem is that I can't find ANY place where
> > this program is using a keystore, (*.pem), so I can't add the new cert.
> > All of the typical directories, (e.g. /certs), are empty, (and I mean
> > all of them). In both production and the test environment, there are no
> > certificate files off of any of the usual directories and the program
> > itself doesn't open or use any keystore files in any of the SSL library
> > calls. Normally, you'd just find the keystore and add the new
> > certificate and all would be well. My question is this; since I don't
> > see any place that this program is using a private key or a certificate
> > store, how is it working? Where does it get a list of CA's etc.? Does
> > openSSL provide an internal keystore in the libraries? It has to be
> > getting this information from somewhere to complete the handshake
> > process. Thanks in advance.
>
> perhaps the keys certs are hardcoded ... If you have the source code
> available the parameters of functions like SSL_CTX_set_cert_store() might
> tell you which certs are used.
>
> Cheers,
> Nils
>
> PS: Please don't send mails to openssl-dev _and_ openssl-users. One list
> should be sufficient (in this case openssl-users).
Re: Unable to locate the keystore/certificate store or private key
[EMAIL PROTECTED] wrote:
> Hi,
>
> I'm using openssl, (I think the slimmed down engine version), and

openssl 0.9.6 ? since there's no separate engine version for openssl >= 0.9.7

> attempting to support a program written by someone else. The server that I'm
> talking to recently moved to a new ISP and the program stopped working. It
> should be as simple as getting the server's new certificate and it should
> work. The problem is that I can't find ANY place where this program is using a
> keystore, (*.pem), so I can't add the new cert. All of the typical
> directories, (e.g. /certs), are empty, (and I mean all of them). In both
> production and the test environment, there are no certificate files off of any
> of the usual directories and the program itself doesn't open or use any
> keystore files in any of the SSL library calls. Normally, you'd just find the
> keystore and add the new certificate and all would be well. My question is
> this; since I don't see any place that this program is using a private key or
> a certificate store, how is it working? Where does it get a list of CA's etc.?
> Does openSSL provide an internal keystore in the libraries? It has to be
> getting this information from somewhere to complete the handshake process.
> Thanks in advance.

perhaps the keys certs are hardcoded ... If you have the source code available
the parameters of functions like SSL_CTX_set_cert_store() might tell you which
certs are used.

Cheers,
Nils

PS: Please don't send mails to openssl-dev _and_ openssl-users. One list should
be sufficient (in this case openssl-users).