RE: Please Help me out- SSL ERROR
From: owner-openssl-us...@openssl.org On Behalf Of Mr.Rout
Sent: Wednesday, 18 January, 2012 02:52

> snip
> root@1143726:/usr/bin# openssl s_client -connect 10.204.4.69:7003
> WARNING: can't open config file: /usr/ssl/openssl.cnf
> CONNECTED(0003)
> depth=0 C = IN, ST = Karnataka, L = Bangalore, O = Airvana, CN = 10.204.4.69
> verify error:num=20:unable to get local issuer certificate
> snip
> Certificate chain
>  0 s:/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=10.204.4.69
>    i:/C=IN/ST=Karnataka/L=Bangalore/O=Airvana/CN=Root CA
> snip
>
> My set up looks like this, e.g. the certificate chain would be ROOT - Server (I keep ROOT at the CLIENT and the Server cert at the SERVER). Am I right?

Yes, at least for server auth. If you use client auth, which is not very common, then *also* have the client cert at the client and its root at the server.

> [root@squidpc TEST]# openssl x509 -in root.pem -text
> snip
>
> Please let me know what is missing here, why I am getting the above error.

Either specify -CAfile root.pem on the s_client command line, OR put that root cert in the default truststore, which is used when you don't specify -CAfile and/or -CApath on the command line. The default truststore can be a single file or a directory with hash-code names or links or both, and is in a location that depends on your platform and the build options of your OpenSSL.

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: please help me.....
Hi,

Tried the given function, it compiles but throws this error:

    Run-Time Check Failure #3 - The variable 'rsa' is being used without being defined.

Any clue?? And the char *buf contains the key, right??

Thanks,
Regards,
Shalmi

Marek Marcola wrote:
> Hello,
>
>> ok i l try that.let me know u ..
>
> You may try something like that (not tested):
>
>     /* Parse a PEM-armored PKCS#1 RSA private key held in memory (buf, len). */
>     int rsa_read_pem(RSA **rsa, char *buf, int len)
>     {
>         BIO *mem;
>
>         /* Read-only memory BIO over the caller's buffer; it does not copy buf. */
>         if ((mem = BIO_new_mem_buf(buf, len)) == NULL) {
>             goto err;
>         }
>         /* No passphrase callback: an encrypted PEM key will fail here. */
>         *rsa = PEM_read_bio_RSAPrivateKey(mem, NULL, NULL, NULL);
>         BIO_free(mem);
>         if (*rsa == NULL) {
>             goto err;
>         }
>         return (0);
>     err:
>         return (-1);
>     }
>
> Best regards,
> --
> Marek Marcola [EMAIL PROTECTED]
Re: please help me.....
Hello,

> I have RSA key information in a buffer. I want to merge the buffer content into the SSL context object. I am using SSL_CTX_use_RSAPrivateKey_ASN1(ctxr[i], keyinfo, strlen(keyinfo)), this SSL API. That API is failing. It gives the following error message:
>
>     9755: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:
>     29755: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=RSA
>     29755: error:140B200D:SSL routines:SSL_CTX_use_RSAPrivateKey_ASN1:ASN1 lib:ssl_rsa.c:607
>
> How to resolve the issue? Please help me.

Try d2i_RSAPrivateKey() if your buffer has the RSA key in DER format.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: please help me.....
I tried that way; now it's generating coredump files. Is there any other way to solve that issue...

Marek Marcola [EMAIL PROTECTED] wrote:
> Hello,
>
>> I have RSA key information in a buffer. I want to merge the buffer content into the SSL context object. I am using SSL_CTX_use_RSAPrivateKey_ASN1(ctxr[i], keyinfo, strlen(keyinfo)), this SSL API. That API is failing. It gives the following error message:
>>
>>     9755: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:
>>     29755: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=RSA
>>     29755: error:140B200D:SSL routines:SSL_CTX_use_RSAPrivateKey_ASN1:ASN1 lib:ssl_rsa.c:607
>>
>> How to resolve the issue? Please help me.
>
> Try d2i_RSAPrivateKey() if your buffer has the RSA key in DER format.
>
> Best regards,
> --
> Marek Marcola
Re: please help me.....
ok i l try that.let me know u ..

Marek Marcola [EMAIL PROTECTED] wrote:
> Hello,
>
>> I tried that way; now it's generating coredump files. Is there any other way to solve that issue...
>
> You should use something like that (buf and len hold your key):
>
>     const unsigned char *p;
>     RSA *rsa = NULL;
>
>     /* d2i_* advances the pointer it is given, so hand it the address of a copy. */
>     p = (const unsigned char *)buf;
>     if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
>         goto err;
>     }
>     if (SSL_CTX_use_RSAPrivateKey(ctx, rsa) != 1) {
>         goto err;
>     }
>     RSA_free(rsa);   /* the context keeps its own reference */
>     return 0;
>
>     err:
>     RSA_free(rsa);   /* safe on NULL; avoids a leak if SSL_CTX_use_RSAPrivateKey failed */
>     return -1;
>
> But you should be sure that buf has a DER (ASN.1) PKCS1 private key. If you dump this buffer to a file, you should be able to do something like that:
>
>     $ openssl rsa -in key.der -inform der -text -noout
>     $ openssl asn1parse -in key.der -inform der
>
> If you get an error then probably you have PEM format; you may try to convert with:
>
>     $ openssl rsa -in key.pem -outform der -out key.der
>
> and try again.
>
> Best regards,
> --
> Marek Marcola
Re: please help me.....
Hello,

> I tried that way; now it's generating coredump files. Is there any other way to solve that issue...

You should use something like that (buf and len hold your key):

    const unsigned char *p;
    RSA *rsa = NULL;

    /* d2i_* advances the pointer it is given, so hand it the address of a copy. */
    p = (const unsigned char *)buf;
    if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
        goto err;
    }
    if (SSL_CTX_use_RSAPrivateKey(ctx, rsa) != 1) {
        goto err;
    }
    RSA_free(rsa);   /* the context keeps its own reference */
    return 0;

    err:
    RSA_free(rsa);   /* safe on NULL; avoids a leak if SSL_CTX_use_RSAPrivateKey failed */
    return -1;

But you should be sure that buf has a DER (ASN.1) PKCS1 private key. If you dump this buffer to a file, you should be able to do something like that:

    $ openssl rsa -in key.der -inform der -text -noout
    $ openssl asn1parse -in key.der -inform der

If you get an error then probably you have PEM format; you may try to convert with:

    $ openssl rsa -in key.pem -outform der -out key.der

and try again.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: please help me.....
I tried that way; the buffer information is not in DER format. The buffer header looks like this:

    -----BEGIN RSA PRIVATE KEY-----
    ..
    -----END RSA PRIVATE KEY-----

Is there any other way to resolve that problem?

Marek Marcola [EMAIL PROTECTED] wrote:
> Hello,
>
>> I have RSA key information in a buffer. I want to merge the buffer content into the SSL context object. I am using SSL_CTX_use_RSAPrivateKey_ASN1(ctxr[i], keyinfo, strlen(keyinfo)), this SSL API. That API is failing. It gives the following error message:
>>
>>     9755: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:
>>     29755: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=RSA
>>     29755: error:140B200D:SSL routines:SSL_CTX_use_RSAPrivateKey_ASN1:ASN1 lib:ssl_rsa.c:607
>>
>> How to resolve the issue? Please help me.
>
> Try d2i_RSAPrivateKey() if your buffer has the RSA key in DER format.
>
> Best regards,
> --
> Marek Marcola
Re: please help me.....
Hello,

> ok i l try that.let me know u ..

You may try something like that (not tested):

    /* Parse a PEM-armored PKCS#1 RSA private key held in memory (buf, len). */
    int rsa_read_pem(RSA **rsa, char *buf, int len)
    {
        BIO *mem;

        /* Read-only memory BIO over the caller's buffer; it does not copy buf. */
        if ((mem = BIO_new_mem_buf(buf, len)) == NULL) {
            goto err;
        }
        /* No passphrase callback: an encrypted PEM key will fail here. */
        *rsa = PEM_read_bio_RSAPrivateKey(mem, NULL, NULL, NULL);
        BIO_free(mem);
        if (*rsa == NULL) {
            goto err;
        }
        return (0);
    err:
        return (-1);
    }

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
Re: please help me.....
Thank you, it's working fine.

Marek Marcola [EMAIL PROTECTED] wrote:
> Hello,
>
>> ok i l try that.let me know u ..
>
> You may try something like that (not tested):
>
>     /* Parse a PEM-armored PKCS#1 RSA private key held in memory (buf, len). */
>     int rsa_read_pem(RSA **rsa, char *buf, int len)
>     {
>         BIO *mem;
>
>         /* Read-only memory BIO over the caller's buffer; it does not copy buf. */
>         if ((mem = BIO_new_mem_buf(buf, len)) == NULL) {
>             goto err;
>         }
>         /* No passphrase callback: an encrypted PEM key will fail here. */
>         *rsa = PEM_read_bio_RSAPrivateKey(mem, NULL, NULL, NULL);
>         BIO_free(mem);
>         if (*rsa == NULL) {
>             goto err;
>         }
>         return (0);
>     err:
>         return (-1);
>     }
>
> Best regards,
> --
> Marek Marcola
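The whole thread turns on one point: d2i_RSAPrivateKey() and SSL_CTX_use_RSAPrivateKey_ASN1() expect DER, so feeding them PEM text fails on the first byte with "wrong tag", and the fix is either to strip the armor (what `openssl rsa -outform der` does) or to use the PEM_read_bio_* loader. The following is an added example, not code from the thread or from OpenSSL: a small pure-Python stand-in that sniffs the encoding before choosing a loader, converts PEM armor to DER, walks the PKCS#1 RSAPrivateKey SEQUENCE the way `openssl asn1parse` would, and checks the field arithmetic the way `openssl rsa -check` would. The key it parses is a constructed toy structure with tiny integers, not a real key.

```python
# Added example, not from the thread or from OpenSSL: decide whether a key
# buffer is PEM or DER before picking a loader, and walk the outer PKCS#1
# RSAPrivateKey SEQUENCE the way `openssl asn1parse` does.  The sample key
# below is a constructed toy structure with tiny integers, not a real key.
import base64
import math
import re

PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Field order of an RFC 8017 RSAPrivateKey: version, n, e, d, p, q, dP, dQ, qInv
RSA_FIELDS = ("version", "n", "e", "d", "p", "q", "dP", "dQ", "qInv")


def detect_encoding(buf):
    """Return 'pem', 'der' or 'unknown' for a key buffer."""
    if PEM_RE.search(buf):
        return "pem"
    if buf[:1] == b"\x30":          # every SEQUENCE-based key starts with tag 0x30
        return "der"
    return "unknown"


def pem_to_der(buf):
    """Strip PEM armor; return (label, der_bytes), like `openssl rsa -outform der`."""
    m = PEM_RE.search(buf)
    if m is None:
        raise ValueError("buffer is not PEM")
    return m.group(1).decode("ascii"), base64.b64decode(m.group(2))


def _read_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:               # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("DER length runs past end of buffer")
    return tag, data[pos:pos + length], pos + length


def parse_pkcs1_rsa_private_key(der):
    """Return the nine INTEGER fields of a PKCS#1 RSAPrivateKey as a dict."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        # PEM text lands here: its first byte is '-' (0x2d), the same failure
        # class as OpenSSL's "ASN1_CHECK_TLEN:wrong tag" in the thread.
        raise ValueError("wrong tag: expected SEQUENCE (0x30), got 0x%02x" % tag)
    values, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x02:
            raise ValueError("wrong tag: expected INTEGER (0x02), got 0x%02x" % t)
        values.append(int.from_bytes(v, "big"))
    if len(values) != len(RSA_FIELDS):
        raise ValueError("expected %d integers, got %d" % (len(RSA_FIELDS), len(values)))
    return dict(zip(RSA_FIELDS, values))


def check_consistency(k):
    """The arithmetic behind `openssl rsa -check`: n = p*q, e*d = 1 mod lcm(p-1, q-1), CRT fields."""
    lam = (k["p"] - 1) * (k["q"] - 1) // math.gcd(k["p"] - 1, k["q"] - 1)
    return (k["n"] == k["p"] * k["q"] and (k["e"] * k["d"]) % lam == 1
            and k["dP"] == k["d"] % (k["p"] - 1) and k["dQ"] == k["d"] % (k["q"] - 1)
            and (k["q"] * k["qInv"]) % k["p"] == 1)


def load_rsa_private_key(buf):
    """Dispatch on encoding: the analogue of choosing PEM_read_bio_* versus d2i_*."""
    enc = detect_encoding(buf)
    if enc == "pem":
        label, der = pem_to_der(buf)
        if label != "RSA PRIVATE KEY":   # PKCS#8 "PRIVATE KEY" has a different outer structure
            raise ValueError("PEM label %r is not a PKCS#1 RSA key" % label)
    elif enc == "der":
        der = buf
    else:
        raise ValueError("unrecognised key encoding")
    return parse_pkcs1_rsa_private_key(der)


# --- constructed toy key (p=61, q=53; far too small to be a real key) --------
def _der_int(n):
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")   # spare byte keeps the sign bit clear
    return b"\x02" + bytes([len(body)]) + body

TOY_KEY = {"version": 0, "n": 3233, "e": 17, "d": 2753, "p": 61, "q": 53,
           "dP": 53, "dQ": 49, "qInv": 38}

def build_toy_der():
    body = b"".join(_der_int(TOY_KEY[f]) for f in RSA_FIELDS)
    return b"\x30" + bytes([len(body)]) + body

def build_toy_pem():
    return (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(build_toy_der())
            + b"-----END RSA PRIVATE KEY-----\n")


if __name__ == "__main__":
    for buf in (build_toy_pem(), build_toy_der()):
        print(detect_encoding(buf), load_rsa_private_key(buf))
```

The dispatch in load_rsa_private_key is the decision the original poster was missing: SSL_CTX_use_RSAPrivateKey_ASN1 is the DER path only, and the -----BEGIN RSA PRIVATE KEY----- header the poster found means the PEM path (Marek's rsa_read_pem) or a conversion first. The label check also catches the other common mix-up, a PKCS#8 "PRIVATE KEY" file handed to a PKCS#1 loader.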
Re: please help me on OCSP
Hi,

The -VAfile option is used for explicitly trusting the responder certificate of the OCSP server. So if you omit this option you will get the "unable to get local issuer certificate" error.

To get this command working:

    openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

1. First you must get a certificate from Verisign - User.pem
2. Get the CA certificate that was used to sign your request - ROOT_CA.pem
3. Trust the Verisign OCSP responder certificate - OCSPServer.pem

--Prakash

varma d [EMAIL PROTECTED] wrote:
> Hi,
>
> Today I was very much excited to see this mailing list on OpenSSL. I searched several messages and it's great to see that people here are helping others. I need your help. I read tutorials on OCSP from http://openvalidation.org about using OCSP in OpenSSL. I have a couple of questions.
>
> 1) I used the following command to send an OCSP request and get a response from the OCSP responder:
>
>     openssl ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
>
> When I execute this command, I get a response from the OCSP responder stating that the certificate status is good. (I have taken this command/files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm).) But, in this command what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem, as we need to just send our request and expect a response from the OCSP responder irrespective of the OCSPServer.pem file. If I give my URL as http://ocsp.verisign.com, how can I get Verisign's OCSPServer.pem? Also, how can I get the latest OCSPServer.pem file for the given URL?
>
> 2) I tested by giving latest user certificates other than openvalidation.org certificates, but I am getting this error:
>
>     user.pem: WARNING: Status times invalid.
>     3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
>     unknown
>     This Update: Oct 24 06:00:11 2004 GMT
>     Next Update: Oct 25 06:00:11 2004 GMT
>
> For this do I need to update my OCSPServer.pem file?
>
> Thank you for your time and consideration. I would be grateful to you if you would help me out, as I am spending a lot of time on understanding this. Please help me out.
>
> Thanks,
> vv
Re: please help me on OCSP
Hi,

Thanks a lot Prakash for your reply. Actually my application works in this way:

1) I will get the X.509 certificate from any server (let's say) yahoo.com; now from that I will extract the yahoo.com user certificate (maybe issued by Verisign or others) and the issuer's root certificate.
2) Now I need to check the OCSP status of these individual certificates.
3) Since Verisign is an OCSP responder I just want to query ocsp.verisign.com for these individual certificates. But while I was trying with your command

    openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem

I am getting an error message like

    Error Querying OCSP responder
    3256: .. Connect error...

But when I am trying with the same command and the same certificates against ocsp.openvalidation.org I am getting status information. The only problem with openvalidation is that they don't have up-to-date information (for some cases).

Are there any public OCSP responders where I can query instead of ocsp.verisign.com? I would be grateful to you if you would give a reply.

Thanks in advance,
Thanks,
Varma

On 8/24/05, prakash babu [EMAIL PROTECTED] wrote:
> Hi,
>
> The -VAfile option is used for explicitly trusting the responder certificate of the OCSP server. So if you omit this option you will get the "unable to get local issuer certificate" error.
>
> To get this command working:
>
>     openssl ocsp -url http://ocsp.verisign.com:8080 -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
>
> 1. First you must get a certificate from Verisign - User.pem
> 2. Get the CA certificate that was used to sign your request - ROOT_CA.pem
> 3. Trust the Verisign OCSP responder certificate - OCSPServer.pem
>
> --Prakash
>
> varma d [EMAIL PROTECTED] wrote:
>> Hi,
>>
>> Today I was very much excited to see this mailing list on OpenSSL. I searched several messages and it's great to see that people here are helping others. I need your help. I read tutorials on OCSP from http://openvalidation.org about using OCSP in OpenSSL. I have a couple of questions.
>>
>> 1) I used the following command to send an OCSP request and get a response from the OCSP responder:
>>
>>     openssl ocsp -url http://ocsp.openvalidation.org -issuer ROOT_CA.pem -VAfile OCSPServer.pem -cert User.pem
>>
>> When I execute this command, I get a response from the OCSP responder stating that the certificate status is good. (I have taken this command/files from openvalidation.org (http://www.openvalidation.org/useserviceopenssl.htm).) But, in this command what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem, as we need to just send our request and expect a response from the OCSP responder irrespective of the OCSPServer.pem file. If I give my URL as http://ocsp.verisign.com, how can I get Verisign's OCSPServer.pem? Also, how can I get the latest OCSPServer.pem file for the given URL?
>>
>> 2) I tested by giving latest user certificates other than openvalidation.org certificates, but I am getting this error:
>>
>>     user.pem: WARNING: Status times invalid.
>>     3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
>>     unknown
>>     This Update: Oct 24 06:00:11 2004 GMT
>>     Next Update: Oct 25 06:00:11 2004 GMT
>>
>> For this do I need to update my OCSPServer.pem file?
>>
>> Thank you for your time and consideration. I would be grateful to you if you would help me out, as I am spending a lot of time on understanding this. Please help me out.
>>
>> Thanks,
>> vv
Re: please help me on OCSP
Maybe your URL is wrong. I just tried this:

    openssl ocsp -issuer VeriSignClientECA.pem -url http://ocsp.verisign.com -cert eca_usr_cert.pem -VAfile tgv.pem -no_nonce -text

and it works fine as follows:

    D:\prjs\ocsp\newEcaCA>openssl ocsp -issuer VeriSignClientECA.pem -url http://ocsp.verisign.com -cert eca_usr_cert.pem -VAfile tgv.pem -no_nonce -text
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 75EB8BF61A586BADD9044359324DAC621F5B59C8
              Issuer Key Hash: 0DC0D83DBFFB6593C8376626E28A125FBBC280F5
              Serial Number: 1B148220FC005FD035E866279AE682BE
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = U.S. Government, OU = ECA, OU = VeriSign, Inc., CN = VeriSign Client ECA OCSP Responder
        Produced At: Aug 23 17:10:46 2005 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 75EB8BF61A586BADD9044359324DAC621F5B59C8
          Issuer Key Hash: 0DC0D83DBFFB6593C8376626E28A125FBBC280F5
          Serial Number: 1B148220FC005FD035E866279AE682BE
        Cert Status: good
        This Update: Aug 23 17:10:46 2005 GMT
        Next Update: Aug 30 17:10:46 2005 GMT

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                0f:74:76:24:82:2a:30:ad:35:fc:45:8b:13:36:4b:0b
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=US, O=U.S. Government, OU=ECA, OU=Certification Authorities, CN=VeriSign Client External Certification Authority
            Validity
                Not Before: Aug 16 00:00:00 2005 GMT
                Not After : Sep 15 23:59:59 2005 GMT
            Subject: C=US, O=U.S. Government, OU=ECA, OU=VeriSign, Inc., CN=VeriSign Client ECA OCSP Responder
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:ce:b3:b0:95:33:73:1f:2a:f5:a7:63:6b:2f:5d:
                        04:66:13:df:35:b9:60:9a:92:a8:16:53:99:bd:70:
                        a5:9c:34:3f:f4:91:05:a1:15:28:51:38:1c:d3:d5:
                        cc:d5:82:fb:43:74:7f:84:6e:41:77:39:a6:be:46:
                        d5:fb:ef:91:10:6b:ab:b9:20:0d:dd:0a:bd:5a:f9:
                        e4:2b:e2:43:4f:c9:30:00:89:c7:cf:80:a9:76:93:
                        03:08:03:12:70:a5:76:86:c1:1d:3d:60:12:f5:2f:
                        de:9c:9d:a3:2b:ad:22:51:1f:b9:5c:7a:fd:8d:a6:
                        c4:b3:1a:50:69:8c:dc:26:93
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                Authority Information Access:
                    CA Issuers - URI:https://eca.verisign.com/CA/VeriSignECA.cer
                X509v3 Certificate Policies:
                    Policy: 2.16.840.1.101.3.2.1.12.2
                      CPS: https://www.verisign.com/repository/eca/cps
                X509v3 Extended Key Usage: critical
                    OCSP Signing
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation
                OCSP No Check:
                X509v3 Subject Alternative Name:
                    DirName:/CN=OCSP2-TGV-1-141
                X509v3 Subject Key Identifier:
                    30:EF:0D:8E:CD:58:05:E9:73:96:06:4E:63:48:F9:24:59:82:41:D4
                X509v3 Authority Key Identifier:
                    keyid:0D:C0:D8:3D:BF:FB:65:93:C8:37:66:26:E2:8A:12:5F:BB:C2:80:F5
        Signature Algorithm: sha1WithRSAEncryption
            6b:8d:79:7a:b3:d5:1d:e7:0e:ac:18:e7:f0:b4:fc:b4:cf:03:
            cf:f2:de:e0:93:b9:60:99:ab:b3:52:96:85:dc:34:20:f0:78:
            d8:24:c8:b3:71:25:f2:90:8d:7f:dc:00:7e:25:92:fd:e0:26:
            fa:3d:99:a1:89:86:a0:09:fe:0a:20:34:0a:68:31:cd:60:9d:
            63:a1:d9:2f:36:7c:4d:74:cc:ca:91:65:cb:a5:1f:5f:3a:e4:
            e4:73:67:9b:8e:50:ec:33:28:37:4c:05:33:a8:84:3e:63:7c:
            3d:c5:cd:90:c3:72:99:99:7e:e8:e9:67:42:3c:1b:e6:6f:a5:
            6d:37
    -----BEGIN CERTIFICATE-----
    MIID2jCCA0OgAwIBAgIQD3R2JIIqMK01/EWLEzZLCzANBgkqhkiG9w0BAQUFADCB
    lDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UE
    CxMDRUNBMSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMTkwNwYD
    VQQDEzBWZXJpU2lnbiBDbGllbnQgRXh0ZXJuYWwgQ2VydGlmaWNhdGlvbiBBdXRo
    b3JpdHkwHhcNMDUwODE2MDAwMDAwWhcNMDUwOTE1MjM1OTU5WjB7MQswCQYDVQQG
    EwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNFQ0ExFzAV
    BgNVBAsTDlZlcmlTaWduLCBJbmMuMSswKQYDVQQDEyJWZXJpU2lnbiBDbGllbnQg
    RUNBIE9DU1AgUmVzcG9uZGVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO
    s7CVM3MfKvWnY2svXQRmE981uWCakqgWU5m9cKWcND/0kQWhFShROBzT1czVgvtD
    dH+EbkF3Oaa+RtX775EQa6u5IA3dCr1a+eQr4kNPyTAAicfPgKl2kwMIAxJwpXaG
    wR09YBL1L96cnaMrrSJRH7lcev2NpsSzGlBpjNwmkwIDAQABo4IBQzCCAT8wRwYI
    KwYBBQUHAQEEOzA5MDcGCCsGAQUFBzAChitodHRwczovL2VjYS52ZXJpc2lnbi5j
    b20vQ0EvVmVyaVNpZ25FQ0EuY2VyMFIGA1UdIARLMEkwRwYKYIZIAWUDAgEMAjA5
    MDcGCCsGAQUFBwIBFitodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y
    eS9lY2EvY3BzMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMJMA4GA1UdDwEB/wQEAwIG
Re: please help me on OCSP
It is the OCSP responder cert. I suppose you already have that, right? Or you can use this one, which will expire on Sep 15, 2005 though.

    -----BEGIN CERTIFICATE-----
    MIID2jCCA0OgAwIBAgIQaVnCDg78Yj+N1V5h9xQh0jANBgkqhkiG9w0BAQUFADCB
    lDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEMMAoGA1UE
    CxMDRUNBMSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMTkwNwYD
    VQQDEzBWZXJpU2lnbiBDbGllbnQgRXh0ZXJuYWwgQ2VydGlmaWNhdGlvbiBBdXRo
    b3JpdHkwHhcNMDUwNTI2MDAwMDAwWhcNMDUwNjI1MjM1OTU5WjB7MQswCQYDVQQG
    EwJVUzEYMBYGA1UEChMPVS5TLiBHb3Zlcm5tZW50MQwwCgYDVQQLEwNFQ0ExFzAV
    BgNVBAsTDlZlcmlTaWduLCBJbmMuMSswKQYDVQQDEyJWZXJpU2lnbiBDbGllbnQg
    RUNBIE9DU1AgUmVzcG9uZGVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO
    s7CVM3MfKvWnY2svXQRmE981uWCakqgWU5m9cKWcND/0kQWhFShROBzT1czVgvtD
    dH+EbkF3Oaa+RtX775EQa6u5IA3dCr1a+eQr4kNPyTAAicfPgKl2kwMIAxJwpXaG
    wR09YBL1L96cnaMrrSJRH7lcev2NpsSzGlBpjNwmkwIDAQABo4IBQzCCAT8wRwYI
    KwYBBQUHAQEEOzA5MDcGCCsGAQUFBzAChitodHRwczovL2VjYS52ZXJpc2lnbi5j
    b20vQ0EvVmVyaVNpZ25FQ0EuY2VyMFIGA1UdIARLMEkwRwYKYIZIAWUDAgEMAjA5
    MDcGCCsGAQUFBwIBFitodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9y
    eS9lY2EvY3BzMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMJMA4GA1UdDwEB/wQEAwIG
    wDAPBgkrBgEFBQcwAQUEAgUAMCcGA1UdEQQgMB6kHDAaMRgwFgYDVQQDEw9PQ1NQ
    Mi1UR1YtMS0xNDEwHQYDVR0OBBYEFDDvDY7NWAXpc5YGTmNI+SRZgkHUMB8GA1Ud
    IwQYMBaAFA3A2D2/+2WTyDdmJuKKEl+7woD1MA0GCSqGSIb3DQEBBQUAA4GBAHrP
    OjxDB35f/2+cORsVIl1oVPy71CaCnJ32KDxlEIRSW7sn4BIkBLfr2Un5ozt7SXzz
    6qw5I/hIyT1ADaLjpQubN6H+Oxk6ve6xw1JPuDMLHnABLeF+GzLSs2UxFr3bl4AE
    gAnMe402U2NJZBJhvvHu+YWdT4cDohuSqEeu+x5R
    -----END CERTIFICATE-----

--- satish danduvarma [EMAIL PROTECTED] wrote:
> Hi Paul,
>
> That's great. Thanks for your quick response. What is the tgv.pem file? How can we get that file?
>
> Thanks in advance,
> Varma
>
> On 8/24/05, Paul Simon [EMAIL PROTECTED] wrote:
>> Maybe your URL is wrong. I just tried this:
>>
>>     openssl ocsp -issuer VeriSignClientECA.pem -url http://ocsp.verisign.com -cert eca_usr_cert.pem -VAfile tgv.pem -no_nonce -text
>>
>> and it works fine as follows:
>>
>>     D:\prjs\ocsp\newEcaCA>openssl ocsp -issuer VeriSignClientECA.pem -url http://ocsp.verisign.com -cert eca_usr_cert.pem -VAfile tgv.pem -no_nonce -text
>>     [...]
Re: please help me on OCSP
On Tue, Aug 16, 2005, varma d wrote:

> But, in this command what is the purpose of OCSPServer.pem? I still don't understand the purpose of OCSPServer.pem, as we need to just send our request and expect a response from the OCSP responder irrespective of the OCSPServer.pem file.

This is an issue of how you trust the response from the OCSP responder. There are three cases:

1. Response signed by the same key as the CA that issued the certificate.
2. Response signed by a key in a certificate delegated by the issuing CA.
3. A key locally configured as trusted.

In cases #1 and #2 the trust can be determined automatically from the certificate being validated. In case #3 the relevant key needs to be determined by some other means.

So it's a case of how the responder is configured. In some cases the responder is misconfigured and you have to use option #3.

> 2) I tested by giving latest user certificates other than openvalidation.org certificates, but I am getting this error:
>
>     user.pem: WARNING: Status times invalid.
>     3220:error:2707307D:OCSP routines:OCSP_check_validity:status expired:.\crypto\ocsp\ocsp_cl.c:357:
>     unknown
>     This Update: Oct 24 06:00:11 2004 GMT
>     Next Update: Oct 25 06:00:11 2004 GMT

The responder is saying that its response is valid between those dates: so it is sending out-of-date information.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
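Steve's reply makes two decisions explicit: which of the three responder-trust cases a signed response falls into (the third being what -VAfile supplies), and the thisUpdate/nextUpdate window test behind "WARNING: Status times invalid ... status expired". The following is an added example, not code from the thread or from OpenSSL, that writes both decisions out in Python. Certificates are modelled as plain dicts holding only the fields the decision needs (subject key identifier, authority key identifier, extended key usages); all key-identifier values are constructed, and the timestamps are the ones printed in the thread. The window test mirrors the checks in OpenSSL's OCSP_check_validity(), with the nsec and maxsec knobs that `openssl ocsp` exposes as -validity_period and -status_age.

```python
# Added example, not from the thread or from OpenSSL: the two decisions Steve
# describes, written out as code.  (1) Which of the three responder-trust
# cases applies to a signed OCSP response, and (2) the thisUpdate/nextUpdate
# window test that produced "WARNING: Status times invalid ... status expired".
# Certificates are plain dicts of the fields the decision needs; every
# key-identifier value below is constructed for the example.
from datetime import datetime, timedelta, timezone


def parse_ocsp_time(s):
    """Parse the 'Oct 24 06:00:11 2004 GMT' form printed by `openssl ocsp -text`."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def responder_trust_case(issuer, responder, locally_trusted_keyids):
    """Return 1, 2 or 3 for Steve's three cases, or None when the response is untrusted.

    issuer / responder: dicts with 'key_id' (subject key identifier),
    'issuer_key_id' (authority key identifier) and 'eku' (extended key usages).
    """
    if responder["key_id"] == issuer["key_id"]:
        return 1                       # case 1: signed with the issuing CA's own key
    if (responder["issuer_key_id"] == issuer["key_id"]
            and "OCSPSigning" in responder["eku"]):
        return 2                       # case 2: delegated responder certified by the issuing CA
    if responder["key_id"] in locally_trusted_keyids:
        return 3                       # case 3: trusted only by local configuration (-VAfile)
    return None                        # none of the above: reject the response


def check_status_times(this_update, next_update, now, nsec=300, maxsec=-1):
    """Window test as in OCSP_check_validity(); returns (ok, reason).

    nsec   : clock-skew tolerance in seconds (`openssl ocsp -validity_period`)
    maxsec : maximum age of thisUpdate in seconds, -1 for no limit (`-status_age`)
    """
    skew = timedelta(seconds=nsec)
    if this_update > now + skew:
        return False, "status not yet valid"
    if maxsec >= 0 and this_update < now - timedelta(seconds=maxsec):
        return False, "status too old"
    if next_update is None:
        return True, "ok (no nextUpdate, responder sets no validity bound)"
    if next_update < now - skew:
        return False, "status expired"
    if next_update < this_update:
        return False, "next update before this update"
    return True, "ok"


# --- constructed inputs ------------------------------------------------------
ISSUER = {"key_id": "ISSUER-KEY-1", "issuer_key_id": None, "eku": ()}
DELEGATED = {"key_id": "RESP-KEY-7", "issuer_key_id": "ISSUER-KEY-1", "eku": ("OCSPSigning",)}
STANDALONE = {"key_id": "VA-KEY-9", "issuer_key_id": "OTHER-CA", "eku": ("OCSPSigning",)}

# Timestamps from the thread's failing response and Paul's successful query.
THIS_UPDATE = parse_ocsp_time("Oct 24 06:00:11 2004 GMT")
NEXT_UPDATE = parse_ocsp_time("Oct 25 06:00:11 2004 GMT")
QUERY_TIME = parse_ocsp_time("Aug 23 17:10:46 2005 GMT")


def demo():
    """Classify the three responders and test the thread's window at two clock readings."""
    trust = {
        "ca key itself": responder_trust_case(ISSUER, ISSUER, set()),
        "delegated": responder_trust_case(ISSUER, DELEGATED, set()),
        "standalone, not configured": responder_trust_case(ISSUER, STANDALONE, set()),
        "standalone via -VAfile": responder_trust_case(ISSUER, STANDALONE, {"VA-KEY-9"}),
    }
    window_2005 = check_status_times(THIS_UPDATE, NEXT_UPDATE, QUERY_TIME)
    window_2004 = check_status_times(THIS_UPDATE, NEXT_UPDATE,
                                     parse_ocsp_time("Oct 24 12:00:00 2004 GMT"))
    return trust, window_2005, window_2004


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run against the thread's timestamps, the window test reproduces the "status expired" result for a query in August 2005 and passes for a query inside the Oct 24 to Oct 25, 2004 window, which is exactly Steve's diagnosis: the responder, not the client's OCSPServer.pem, is what is out of date.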
Re: Please Help me --Who can tell me what the SSL structure looks like?
From what I can see, SSL is defined as

    typedef struct ssl_st SSL;

in ssl.h. If you search for struct ssl_st in ssl.h you will find the definition for that structure.

Hope that helps!

On Sat, 2004-10-02 at 19:00, lu lu wrote:
> Hi, list members. I really want help very much. I asked this question about a week ago, but nobody answered my question. I think maybe it is just because I had not made the question clear. What I want to know is where I can find the definition of SSL. As it appears in many functions like
>
>     int ssl23_get_client_hello(SSL *s)
>
> I cannot find where it is defined. I cannot understand how OpenSSL does the handshake, as many handshake functions use this structure. I searched the whole week on the net for the definition of this structure, but got nothing. Maybe I am not good at searching. Please, anybody here who knows where I can find some useful information, or who knows the definition of the structure, help me on this question. Thanks for taking time to read my question. And I am eagerly waiting for the answer.
>
> Cynthia
Re: Please Help Me Before I Jump ! ! !
http://www.openssl.org/support/

On Fri, 20 Aug 2004, Buddy wrote:
> Anyone out there, please help me! I am disabled and do not want to continue to see your conversations, although I appreciate the reason and the cause of the conversations. I just want off the list.
>
> Thanks,
> Buddy
>
> ----- Original Message -----
> From: Buddy
> To: [EMAIL PROTECTED] ; [EMAIL PROTECTED]
> Cc: Main Identity
> Sent: Friday, August 20, 2004 3:35 PM
> Subject: Re: Mail System Error - Returned Mail
>
> Please reply... maybe you know something I do not.
>
> Thanks,
> Buddy
>
> ----- Original Message -----
> From: Buddy
> To: [EMAIL PROTECTED]
> Cc: Main Identity
> Sent: Friday, August 20, 2004 3:21 PM
> Subject: Re: Mail System Error - Returned Mail
>
> I sent you nothing. I have been trying to get off this email free-for-all trash mail list for over a year. Any advice?
>
> Buddy
>
> ps please reply, I really want off this list.
>
> ----- Original Message -----
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Friday, August 20, 2004 12:02 PM
> Subject: Mail System Error - Returned Mail
>
> ALERT!!! This e-mail in its original form contained one or more attached files that were infected with a virus or worm, or contained another type of security threat.
>
> The following attachments were infected and have been repaired: No attachments are in this category.
>
> The following attachments were deleted due to an inability to clean them:
> 1. file.zip: [EMAIL PROTECTED]
>
> The following attachments were not delivered due to inbound mail policy violations: No attachments are in this category.
>
> Road Runner does not contact the sender of the infected attachment(s) in the event that they were not actually sent from the indicated party. Please contact the sender directly to alert them of their issue with infected files if you wish to do so. For more information on Road Runner's virus filtering initiative, visit our Help Member Services pages at http://help.rr.com, or the virus filtering information page directly at http://help.rr.com/faqs/e_mgsp.html.
>
> Original message text follows
Re: please help me!!
On Mon, Mar 17, 2003, luke wrote:
> I have tried many times. I got the same error message.
> ==
>
>     perl Configure VC-WIN32
>     .\ms\do_nt.bat
>     nmake -f .\ms\nt.mak
>
> ps .net vc++ (vc++ v7).
>
>     ui_compat.c
>     cl /Fotmp32\krb5_asn.obj -Iinc32 -Itmp32 /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DOPENSSL_SYSNAME_WINNT /Fdout32 -DOPENSSL_NO_KRB5 -c .\crypto\krb5\krb5_asn.c
>     cl : Command line warning D4029 : optimization is not available in the standard edition compiler
>     krb5_asn.c
>     lib /out:out32\libeay32.lib @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nmF2.tmp
>     'lib' 不是內部或外部命令、可執行的程式或批次檔。
>     NMAKE : fatal error U1077: 'lib' : return code '0x1'
>     Stop.

Looks like a crippled restricted version of VC++. Try removing the /O* options by manually editing ms\nt.mak; they are on the CFLAG line right at the top.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
Re: Please help me!
Hello Ryan!

Thank you very much. I have added the line in the Certificate Extensions section of my openssl.cnf file:

    crlDistributionPoints=URI:http://cert.vrn.ru/crl/main.crl

and then I made some certificates with this extension. Such certificates have the following value of CRL Distribution Points:

    [1]CRL Distribution Point
         Distribution Point Name:
              Full Name:
                   URL=http://cert.vrn.ru/crl/main.crl

I suppose it's OK at this step. But the next step... It's not clear to me. MS Outlook Express tries to check if the certificate has been revoked or not, but it says "The digital ID has not been revoked or revocation information for this certificate could not be determined."

The CRL has been made with the following command:

    openssl ca -gencrl -out crl.pem -config openssl.cnf passin pass:

Then I copied the crl.pem file into the appropriate directory of my web server and renamed it to main.crl.

I made a certificate, then revoked it for testing, and then made a CRL as I wrote above. Have I made a mistake? Why does MS Outlook Express not tell me that the certificate has been revoked?

Yours sincerely,
Valery
E-mail: [EMAIL PROTECTED]

----- Original Message -----
From: Ryan Hurst [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, September 26, 2001 10:15 PM
Subject: RE: Please help me!

> Valery --
>
> This field in a certificate points to where the issuer will make its certificate revocation list available. If you are using OpenSSL or OpenCA (based off of OpenSSL) to issue your certificates you will probably want to put up a web server or LDAP-capable directory where you can make your certificate revocation list available; refer to the absolute URL for this list in this extension. You may also want to include an AIA (authorityInformationAccess) extension as well; this can point to an OCSP responder capable of responding with individual certificate statuses.
>
> The Microsoft platform implements its revocation handling in a library called cryptnet.dll; this supports all the transports that WinInet supports (http/s, ftp, ldap/s, file). When CryptoAPI applications use revocation checking (Outlook can be configured to do this, and in Office XP it is the default behavior), cryptnet will attempt to retrieve the CRL specified in this extension and use it for revocation checking. There are also alternate revocation providers available for Windows that implement additional protocols (OCSP, SCVP, CRL, CRLdp); ValiCert produces one such provider.
>
> I hope this helps.
>
> Ryan
>
> -----Original Message-----
> From: Valery [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 26, 2001 1:12 AM
> To: [EMAIL PROTECTED]
> Subject: Please help me!
>
>> Hello!
>>
>> I used the certificate extension crlDistributionPoints in my openssl.cnf file. And I faced the following problem. What should I indicate in this field (crlDistributionPoints)? I need MS Outlook Express to check whether the certificate has been revoked or not when it is on-line. What do I need to do?
>>
>> Yours faithfully,
>> Valery
>> E-mail: [EMAIL PROTECTED]
RE: Please help me!
Valery --

This field in a certificate points to where the issuer will make its certificate revocation list available. If you are using OpenSSL or OpenCA (based off of OpenSSL) to issue your certificates you will probably want to put up a web server or LDAP-capable directory where you can make your certificate revocation list available; refer to the absolute URL for this list in this extension. You may also want to include an AIA (authorityInformationAccess) extension as well; this can point to an OCSP responder capable of responding with individual certificate statuses.

The Microsoft platform implements its revocation handling in a library called cryptnet.dll; this supports all the transports that WinInet supports (http/s, ftp, ldap/s, file). When CryptoAPI applications that use revocation checking (Outlook can be configured to do this, and in Office XP it is the default behavior) validate a certificate, cryptnet will attempt to retrieve the CRL specified in this extension and use it for revocation checking. There are also alternate revocation providers available for Windows that implement additional protocols (OCSP, SCVP, CRL, CRLdp); ValiCert produces one such provider.

I hope this helps.

Ryan

-----Original Message-----
From: Valery [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 1:12 AM
To: [EMAIL PROTECTED]
Subject: Please help me!

> Hello! I used the certificate extension crlDistributionPoints in my openssl.cnf file. And I faced the following problem. What should I indicate in this field (crlDistributionPoints)? I need MS Outlook Express to check if the certificate has been revoked or not when it is on-line. What do I need to do?
>
> Yours faithfully,
> Valery
> E-mail: [EMAIL PROTECTED]
Re: please help me first!
¾ç½Â¸ð£¬ÄúºÃ£¡ Opensslreq -new -x509 -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem Opensslreq -out reqU.pem -keyout keyU.pem -new Opensslca -policy policy_anything -out certU.pem -infiles reqU.pem Opensslpkcs12 -in certU.pem -inkey reqU.pem -certfile ./demoCA/cacert.pem -out certU.p12 -export -name "user" -inkey keyU.pem I success creation certificate. I cann't append the sample certificate! why? ÔÚ 2001-03-05 10:40:00 ÄúдµÀ£º Help please!! First!! Sorry!! I am unfamilier with things English!! I was test with openssl. I create certificate follow later.. 1."root ca generation" Opensslreq -new -x509 -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem 2.User certification generation" Opensslreq -out reqU.pem -keyout keyU.pem -new Opensslca -policy policy_anything -out certU.pem -infiles reqU.pem Opensslpkcs12 -in certU.pem -inkey reqU.pem -certfile ./demoCA/cacert.pem -out certU.p12 -export -name "user" -inkey keyU.pem I success creation certificate. I appended my sample certificate! Question! I'm create intermediation CA(?) follow sample.. openSSL req -new -keyout keyM.pem -out reqM.pem openSSL x509 -req -in reqM.pem -extensions v3_usr -CA ./democa/cacert.pem -CAkey ./democa/private/cakey.pem -CAcreateserial -out certM.pem openssl x509 -x509toreq -in certM.pem -signkey keyM.pem -out tmp.pem openssl ca -policy policy_anything -out certM1.pem -infiles tmpM.pem openssl pkcs12 -in certM1.pem -inkey keyM.pem -certfile ./democa/cacert.pem -out certM.p12 -export -name "remoteM" and i install But that added user certification How create intermediation CA(?) ? i want install intermediation CA(?) but i don't know I want openssl sample command that create down issue! Please help me! Ö Àñ£¡ zgleaf [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PLEASE HELP ME...............................!!!!
Hi,

In short: using SSL you have two parts of encryption. First, a public/secret key system (asymmetric cryptography) is used to establish a connection and to agree on a common secret key. When both parties have agreed on that common secret key (which is, in short, encrypted with the public keys (very short, this is)), the common secret key is used for encrypting the exchanged data. So, for agreement on a common secret key, asymmetric cryptography is used.

To be sure you use the true public key of your party (so nobody else's key, maybe that of a man-in-the-middle) you get a certificate. Why a certificate? Because chances are high that you do not know all keys of all people/servers you want to correspond with. So you get a certificate which is signed by a CA (certificate authority) that you know and that you can trust.

More is to be found in the literature.

Hope this helps,
Doris

On Tue, 13 Jun 2000, Pamu Radhakrishna wrote:
> Hi,
>
> You know that OpenSSL supports DES for encryption of data. So if you want to establish a communication link between client and server then you must use a secret key. Now my question is, what does the certificate contain? I mean what public keys it contains and for what purpose they can be used? Could anybody tell me, before encryption of actual data using the secret key, what are the necessary steps that could be performed to share the secret key?
>
> ThanX
> --Radha
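The two stages Doris describes, made visible with the openssl command line as an added example (not code from the thread or from OpenSSL's own documentation): a certificate binding a public key to a name, a fresh random session key encrypted to that public key, and the application data encrypted with the session key. A self-signed certificate stands in for a CA-issued one; the subject names, file names, export choices and the message text are assumptions. Real TLS agrees the session key inside the handshake rather than through files, and current TLS versions prefer ephemeral Diffie-Hellman to RSA key transport for the first stage, but the division of labour between the two stages is the same.

```shell
#!/bin/sh
# Added example, not code from the thread: the two stages described above,
# driven by the openssl command line. A self-signed certificate stands in
# for a CA-issued one, and the subject names, file names and the message
# text are assumptions.
set -e
WORK=$(mktemp -d)
cd "$WORK"

cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# 1. Server's long-term RSA key pair and a certificate binding its public key to a name.
openssl req -x509 -config req.cnf -subj "/CN=demo-server" -newkey rsa:2048 -nodes \
    -days 30 -keyout server.key -out server.crt >/dev/null 2>&1

# What a certificate contains: who it names, who vouches for it, for how long, and the public key.
cert_summary() { openssl x509 -in server.crt -noout -subject -issuer -dates; }
openssl x509 -in server.crt -noout -pubkey > server.pub

# Trust decision: the peer's certificate must chain to an issuer we already trust.
# A second self-signed certificate with the SAME name stands in for a man-in-the-middle.
trusted_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
openssl req -x509 -config req.cnf -subj "/CN=demo-server" -newkey rsa:2048 -nodes \
    -days 30 -keyout rogue.key -out rogue.crt >/dev/null 2>&1

# 2. Client: fresh random session key, encrypted to the certified public key (RSA-OAEP),
#    then the application data encrypted under that session key.
openssl rand -hex 32 > session.key
openssl pkeyutl -encrypt -pubin -inkey server.pub -pkeyopt rsa_padding_mode:oaep \
    -in session.key -out session.key.enc
IV=$(openssl rand -hex 16)
printf 'hello over the wire\n' > msg.txt
openssl enc -aes-256-cbc -K "$(cat session.key)" -iv "$IV" -in msg.txt -out msg.enc

# 3. Server: only the private key recovers the session key; then decrypt the data.
openssl pkeyutl -decrypt -inkey server.key -pkeyopt rsa_padding_mode:oaep \
    -in session.key.enc -out session.key.dec
openssl enc -d -aes-256-cbc -K "$(cat session.key.dec)" -iv "$IV" -in msg.enc -out msg.dec

# The rogue key cannot open the wrapped session key.
rogue_can_unwrap() {
    openssl pkeyutl -decrypt -inkey rogue.key -pkeyopt rsa_padding_mode:oaep \
        -in session.key.enc -out /dev/null >/dev/null 2>&1
}
round_trip_ok() { cmp -s msg.txt msg.dec; }

cert_summary
round_trip_ok && echo "round trip ok"
```

The certificate check is the part that answers the man-in-the-middle question: rogue.crt carries the same name as server.crt, and only `openssl verify` against a trusted issuer tells the two apart, which is why the client must verify the certificate before wrapping anything under the public key it contains.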