Newbie Question here...
I have installed Win32 Binary including OpenSSL 0.9.8t (MSI Installer): httpd-2.2.22-win32-x86-openssl-0.9.8t.msi on my windows server. I want to upgrade JUST openSSL that's bundled with this install to the latest PCI compliant version. I want to go to OpenSSL 0.9.8u or possibly w.How can I do just that ? Is there a step by step guide out there? Thanks, Brad
Re: Newbie Question here...
On 4/24/2012 6:19 PM, bfinkel...@aaamissouri.com wrote: I have installed Win32 Binary including OpenSSL 0.9.8t (MSI Installer): httpd-2.2.22-win32-x86-openssl-0.9.8t.msi http://newverhost.com/pub//httpd/binaries/win32/httpd-2.2.22-win32-x86-openssl-0.9.8t.msi on my windows server. I want to upgrade JUST openSSL that's bundled with this install to the latest PCI compliant version. I want to go to OpenSSL 0.9.8u or possibly w.How can I do just that ? Is there a step by step guide out there? 1. Find out how the people who made that bundle compiled OpenSSL, in particular if they used the standard compile or made some changes. 2. If they made their own changes to OpenSSL, you will need to find someone who knows how to make the same changes to the latest OpenSSL (version 0.9.8w, released earlier today). 3. If they used the standard compile, go to http://openssl.org/related/binaries.html, follow the link to the prebuilt binaries by Shining Light Productions and wait for them to make a 0.9.8w package (a few minutes ago, they only had 0.9.8v, which is still better than 0.9.8t). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Newbie question on EVP API
Hi! I'm new to openssl. I've got two questions on EVP API: 1. What do EVP_EncryptInit_ex and EVP_CipherInit_ex differ with? When should I use encrypt/decrypt and when cipher? 2. Where can I read about cipher modes? There are several modes for each cipher on http://openssl.org/docs/crypto/EVP_EncryptInit.html#CIPHER%20LISTING They differ with suffix like _cbc, _ecb, _cfb, _ofb and etc. What are meanings of these suffixes and use-cases? Best regards, Alexey Luchko. -- Luch sms stands for save my soul __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Newbie question on EVP API
Alexey Luchko l...@ank-sia.com writes: I'm new to openssl. I've got two questions on EVP API: 1. What do EVP_EncryptInit_ex and EVP_CipherInit_ex differ with? When should I use encrypt/decrypt and when cipher? If you look at the source, EVP_EncryptInit_ex/EVP_DecryptInit_ex are just trivial wrappers around EVP_CipherInit_ex. So use whichever seems to make more sense to you. 2. Where can I read about cipher modes? There are several modes for each cipher on http://openssl.org/docs/crypto/EVP_EncryptInit.html#CIPHER%20LISTING They differ with suffix like _cbc, _ecb, _cfb, _ofb and etc. What are meanings of these suffixes and use-cases? They're standard chaining modes. wikipedia has a reasonable description of them. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: newbie question: sample s_server usage
On 9/28/07, Deep Chand [EMAIL PROTECTED] wrote: Hi, I'm a newbie to openssl and openssl toolkit. i need to add support for tls to one java client including client authentication, and i've made the changes to the client and need to test it with server, so trying to use s_server. I have used keytool utility supplied with jdk1.4 to generate client/server public/private key certificates using rsa algo. how do i use these certificates in invoking and testing my client using s_server? openssl s_server some tcp options here -cert filename -key keyfile and it should work. Checkout man page for more information about available options :) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
newbie question: sample s_server usage
Hi, I'm a newbie to openssl and openssl toolkit. i need to add support for tls to one java client including client authentication, and i've made the changes to the client and need to test it with server, so trying to use s_server. I have used keytool utility supplied with jdk1.4 to generate client/server public/private key certificates using rsa algo. how do i use these certificates in invoking and testing my client using s_server? any help is appreciated. thanks, deep -- View this message in context: http://www.nabble.com/newbie-question%3A-sample-s_server-usage-tf4533778.html#a12938503 Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
(complete) newbie question
Hi Guys 'n' girls, I've been a member of the list, but not really reading (because WOW - it's technical!) but nonetheless want to get my head around not only the production of certificates, but also their implimentation on servers. What my sole goal(s) [!] is, is to be able to: 1. Produce my own certificate (self-signed) 2. Present this (i.e. each one) to persons arriving at site(s) I publish, to enable them to realise it's 'me', that's talking to them. 3. Initiate/respond to initiation of 'secure' (SSL) sessions - i.e. give website users 'security' of knowing their interaction with websites I publish is encrypted - to SSL standard standards: in short a https connection. 4. To be able to store the information received from web-users encrypted on my server(s). I appreciate 4. may be outwith the bounds of this list, but what I really need - and I mean, really, really need g is someone to give me a link to a (free) resource out their on the web, that can give me enough insight to get to work producing the above. FWIW, I'm 'au fait' with SSL as a user (I understand what's being negotiated [I think!]. I am also the (legal/lawyer) author of a book about PGP; so you can take it as read that I understand the basics, and perhaps advanced understanding of public key cryptography. When it comes to openSSL etc, though, I'm completely lost: I need a beginners text that can *practically* get me up to speed on all the basics, conceptually, but more realistically, PRACTICALLY. Could someone on this list please recommend a text that will bring me up to speed on all of this, 'tout suite'. Many thanks in advance for any replies; bet your bottom dollar if you can help out on this question, the next one won't be so stupid!!! ggg PP Building a website is a piece of cake. Yahoo! Small Business gives you all the tools to get online. http://smallbusiness.yahoo.com/webhosting __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie question
Unfortunately, I don't control the server and don't believe there is an SSL connection to that component, but other components will require an SSL connection. So using SSL for everything is not possible. Doug -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bertram Scharpf Sent: Wednesday, January 31, 2007 7:44 PM To: openssl-users@openssl.org Subject: Re: Newbie question Hi, Am Mittwoch, 31. Jan 2007, 13:02:13 -0500 schrieb Doug Kunzman: Can openssl be used for HTTP communication without using SSL if in the future we are going to SSL communication to our project? You should consider using SSL right from the start. There are loads of key generation howtos on the web. I'm running Apache on Gentoo here and it worked right from the start. Just say openssl s_client ... instead of telnet ... on the client side. I experienced handling sensitive data comes earlier than you might reckon and it's no mistake to be prepared in time. Bertram -- Bertram Scharpf Stuttgart, Deutschland/Germany http://www.bertram-scharpf.de __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Newbie question
Can openssl be used for HTTP communication without using SSL if in the future we are going to SSL communication to our project? Doug __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question
This is just a shot in the dark answer -- because I don't know of a way to use SSL without using SSL :) You can get a web-site project up and running using port 443 with a web-server (like apache), without using openSSL encryption on port 443 Then you can setup openSSL and your certs later and can encrypt communications over port 443. Bill Angus, MA http://www.psychtest.com - Original Message - From: Doug Kunzman To: openssl-users@openssl.org Sent: Wednesday, January 31, 2007 10:02 AM Subject: Newbie question Can openssl be used for HTTP communication without using SSL if in the future we are going to SSL communication to our project? Doug __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie question
All - I was looking for an interface or factory class like java has were you can switch between SocketFactory and SSLSocketFactory and both implement the Socket interface. Does this help? The port is no big deal but the low level asynchronous and sychrononous communication socket class seams like a problem that all ready been solved. Also, I'm a better Java programmer than C++ programmer does anyone know of a book that could help? Doug _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Angus Sent: Wednesday, January 31, 2007 2:43 PM To: openssl-users@openssl.org Subject: Re: Newbie question This is just a shot in the dark answer -- because I don't know of a way to use SSL without using SSL :) You can get a web-site project up and running using port 443 with a web-server (like apache), without using openSSL encryption on port 443 Then you can setup openSSL and your certs later and can encrypt communications over port 443. Bill Angus, MA http://www.psychtest.com - Original Message - From: Doug mailto:[EMAIL PROTECTED] Kunzman To: openssl-users@openssl.org Sent: Wednesday, January 31, 2007 10:02 AM Subject: Newbie question Can openssl be used for HTTP communication without using SSL if in the future we are going to SSL communication to our project? Doug __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: OpenSSL newbie Question [Regd: java class to read a PEM file]
Hi, If I may attempt a slightly better response than my first one! Sorry to openssl-dev people about spamming your list with this. Probably this email is better suited to openssl-users, so I'm cross-posting it. (If anyone decides to reply, please reply to openssl-users!) 1. Dr Stephen N. Henson's link is an excellent document. Very helpful. http://www.openssl.org/docs/crypto/pem.html There is only one small gotchya I would like to add to that document, regarding this: === The private key (or other data) takes the following form: -BEGIN RSA PRIVATE KEY- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,3F17F5316E2BAC89 ...base64 encoded data... -END RSA PRIVATE KEY- The line beginning DEK-Info contains two comma separated pieces of information: the encryption algorithm name as used by EVP_get_cipherbyname() and an 8 byte salt encoded as a set of hexadecimal digits. === The 8 byte salt also serves as the IV during decryption. So you use it as salt for key-derivation, and then you use it again as IV for decryption. It's dual-purpose. ;-) The 8 byte salt will be 16 bytes when using AES: DEK-Info: AES-256-CBC,1876F5A50C9046D504D47B2BF8951875 BUT you only use the first 8 bytes as Salt during the key-derivation. I think I spent about 10 hours trying to figure out that little detail! You do use all 16 bytes as the IV during the decryption. 2. Max Weijun Wang recommends using KeyStore.getInstance(pkcs12) to load it. That's a great idea, but you probably need to get openssl to output the file in DER format first: openssl pkcs12 -in pkcs12.pem -out pkcs12.der -outform DER Java can read PKCS #12 files, but only in DER form. Not in OpenSSL's PEM form. The PKCS #12 file created by OpenSSL in PEM format is actually just a series of X509 certificates and an encrypted private key (usually using the Traditional SSLeay Format). If you have time you can manually split out all those different PEM items (using cut paste) into separate files. You can then get openssl to decrypt the RSA key into unencrypted PKCS #8 DER format (see below). Finally, with all these files on your hard-drive, you can get Java to load them: // Load the certs using this: CertificateFactory.generateCertificate( byte[] pemOrDer ); // Load the RSA private key using this: KeySpec spec = new PKCS8EncodedKeySpe( byte[] derOnly ); 3. What kind of PEM files are you importing? Java can already import X509 certificates in PEM format no problem: keytool -import -file x509.pem Java is a little picky about carriage returns before and after the Base64 section. I'm also not sure what keytool does if the PEM file contains more than one certificate. If you're working directly in Java, then newer versions of CertificateFactory.generateCertificates() ( Java 5? Java 1.3 definitely had problems) can handle more than one cert in a PEM file just fine. Java's very picky about comments in the PEM. Your PEM files must only contain -BEGIN THING- and -END THING-. Anything before and after the BEGIN and END sections will upset Java. X509 certificates in PEM are fine. But if you're trying to deal with RSA or DSA encrypted private keys in Java, things get harder. You need to decrypt them to unencrypted pkcs8 format using: openssl pkcs8 -topk8 -nocrypt -outform DER You can load the output of that directly into Java's java.security.spec.PKCS8EncodedKeySpec class. == Above is how you can deal with this stuff manually with some help from openssl. There is a java library which can also do all of these operations in pure java: http://juliusdavies.ca/commons-ssl/ Commons-SSL currently only deals with the reading of this stuff. For writing you still need openssl. In particular, for RSA, DSA, and PKCS #12 files in PEM, I think you're probably better off with the Commons-SSL library's PKCS8Key class as opposed to messing around on the command line and cutting pasting and all that. http://juliusdavies.ca/commons-ssl/pkcs8.html :-) yours, Julius On 11/27/06, Julius Davies [EMAIL PROTECTED] wrote: Hi, Isvaran, The Commons-SSL KeyStoreBuilder utility might help you. http://juliusdavies.ca/commons-ssl/utilities.html You could also take a look at the PKCS8Key, PEMUtil and PEMItem classes. http://juliusdavies.ca/commons-ssl/javadocs/ Good luck! yours, Julius On 11/27/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote: On Mon, Nov 27, 2006, Isvaran Krishnamurthy wrote: Hi, I have a requirement to read a PEM file and import it in to a java JKS store. I am looking at a pure java solution (no JNI / library dependancy). I need to know the format of the PEM file and the relationship between each entry in the PEM file (if any). I tried to find documentation of the PEM format on the web to no avail. I would greatly appreciate it if any of you fine folks would help me
Re: Newbie question X509 certificate stores
Some problems w/reverse DNS prevented posting this until now. On Wed, Dec 28, 2005 at 07:12:30PM +0100, Dr. Stephen Henson wrote: On Wed, Dec 28, 2005, George Garvey wrote: I'm having a very similar problem as this one. I have a file I made from data sent from an AS2 system. The HTTP headers before the data are (abbreviated to the S/MIME stuff): Subject: EDIINTDATA Message-Id: [EMAIL PROTECTED] Disposition-Notification-To: inXServices Disposition-Notification-Options: signed-receipt-protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m Content-Disposition: inline; filename=smime.p7m Content-Length: 1334 I saved the 1334 bytes after the blank line following the Content-Length to a file. I can't seem to use that file with OpenSSL. You should be able to use the smime utility on the whole message including headers for example: openssl smime -verify -in message or to output a standard PKCS#7 structure in PEM format: openssl smime -pk7out -in message then the standard pkcs7 utility should tolerate it. Captured the HTTP post. Tried -verify as above: openssl smime -verify -in src/fo/van/as2/inbound/2005-12-28:12:10:47 Error reading S/MIME message 6747:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140: 6747:error:21078082:PKCS7 routines:B64_READ_PKCS7:decode error:pk7_mime.c:142: 6747:error:2107A08B:PKCS7 routines:SMIME_read_PKCS7:pkcs7 parse error:pk7_mime.c:315: __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
Some problems w/reverse DNS prevented posting this until now. On Wed, Dec 28, 2005 at 07:12:30PM +0100, Dr. Stephen Henson wrote: On Wed, Dec 28, 2005, George Garvey wrote: I'm having a very similar problem as this one. I have a file I made from data sent from an AS2 system. The HTTP headers before the data are (abbreviated to the S/MIME stuff): Subject: EDIINTDATA Message-Id: [EMAIL PROTECTED] Disposition-Notification-To: inXServices Disposition-Notification-Options: signed-receipt-protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m Content-Disposition: inline; filename=smime.p7m Content-Length: 1334 I saved the 1334 bytes after the blank line following the Content-Length to a file. I can't seem to use that file with OpenSSL. You should be able to use the smime utility on the whole message including headers for example: openssl smime -verify -in message or to output a standard PKCS#7 structure in PEM format: openssl smime -pk7out -in message then the standard pkcs7 utility should tolerate it. Captured the HTTP post. Tried -verify as above: openssl smime -verify -in src/fo/van/as2/inbound/2005-12-28:12:10:47 Error reading S/MIME message 6747:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140: 6747:error:21078082:PKCS7 routines:B64_READ_PKCS7:decode error:pk7_mime.c:142: 6747:error:2107A08B:PKCS7 routines:SMIME_read_PKCS7:pkcs7 parse error:pk7_mime.c:315: __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
On Mon, Jan 02, 2006, George Garvey wrote: Some problems w/reverse DNS prevented posting this until now. On Wed, Dec 28, 2005 at 07:12:30PM +0100, Dr. Stephen Henson wrote: On Wed, Dec 28, 2005, George Garvey wrote: I'm having a very similar problem as this one. I have a file I made from data sent from an AS2 system. The HTTP headers before the data are (abbreviated to the S/MIME stuff): Subject: EDIINTDATA Message-Id: [EMAIL PROTECTED] Disposition-Notification-To: inXServices Disposition-Notification-Options: signed-receipt-protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m Content-Disposition: inline; filename=smime.p7m Content-Length: 1334 I saved the 1334 bytes after the blank line following the Content-Length to a file. I can't seem to use that file with OpenSSL. You should be able to use the smime utility on the whole message including headers for example: openssl smime -verify -in message or to output a standard PKCS#7 structure in PEM format: openssl smime -pk7out -in message then the standard pkcs7 utility should tolerate it. Captured the HTTP post. Tried -verify as above: openssl smime -verify -in src/fo/van/as2/inbound/2005-12-28:12:10:47 Error reading S/MIME message 6747:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140: 6747:error:21078082:PKCS7 routines:B64_READ_PKCS7:decode error:pk7_mime.c:142: 6747:error:2107A08B:PKCS7 routines:SMIME_read_PKCS7:pkcs7 parse error:pk7_mime.c:315: Can you send the message (privately to me if you want) that is producing that error? Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
On Mon, Jan 02, 2006, Dr. Stephen Henson wrote: On Mon, Jan 02, 2006, George Garvey wrote: Some problems w/reverse DNS prevented posting this until now. On Wed, Dec 28, 2005 at 07:12:30PM +0100, Dr. Stephen Henson wrote: On Wed, Dec 28, 2005, George Garvey wrote: You should be able to use the smime utility on the whole message including headers for example: openssl smime -verify -in message or to output a standard PKCS#7 structure in PEM format: openssl smime -pk7out -in message then the standard pkcs7 utility should tolerate it. Captured the HTTP post. Tried -verify as above: openssl smime -verify -in src/fo/van/as2/inbound/2005-12-28:12:10:47 Error reading S/MIME message 6747:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:140: 6747:error:21078082:PKCS7 routines:B64_READ_PKCS7:decode error:pk7_mime.c:142: 6747:error:2107A08B:PKCS7 routines:SMIME_read_PKCS7:pkcs7 parse error:pk7_mime.c:315: Can you send the message (privately to me if you want) that is producing that error? Ah I can see the problem. The current MIME parser (wrongly) assumes the transfer encoding will always be base64. A possible fix (haven't got round to checking this yet) is in RT id #1261. Alternatively if you just save the content excluding the headers to a file you can use the -inform DER option to the 'smime' utility. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie question X509 certificate stores SOLVED
There seems to be a problem with whatever has been used to save the data. It is prepending the byte 0, 1 to the start of the structure. If you skip these OpenSSL has no problems parsing the PKCS#7 data. Worked a treat. I downloaded an older version of the PKZIP application note, and everything became clear. The mysterious two bytes at the beginning are the version number (I assume of the version of M$ CryptoAPI used to create the store). I very vaguely remember something about it now, but I am using a newer version of PKZIPs Appnote, which for some reason omits this info. Kicking myself now. Thank you for all your help. Regards, Chris smime.p7s Description: S/MIME cryptographic signature
RE: Newbie question X509 certificate stores
What do you mean fails to open the store? What does the data look like that you are feeding into d2i_PKCS7()? Doies it have lines with -BEGIN in it? I cannot find this anywhere in the data. If the data is available as a file try: openssl pkcs7 -in file -inform DER openssl pkcs7 -in file and if both of those fail: openssl asn1parse -inform DER -in file I have saved the data blob to a file (which I have attached to the posting). All of the above commands fail with the same errors as d2i_PKCS7(). The asn1parse command complains about a bad Boolean. I am stumped here. Chris cert_store_data Description: Binary data
Re: Newbie question X509 certificate stores
On Wed, Dec 28, 2005, Chris Morrison wrote: What do you mean fails to open the store? What does the data look like that you are feeding into d2i_PKCS7()? Doies it have lines with -BEGIN in it? I cannot find this anywhere in the data. If the data is available as a file try: openssl pkcs7 -in file -inform DER openssl pkcs7 -in file and if both of those fail: openssl asn1parse -inform DER -in file I have saved the data blob to a file (which I have attached to the posting). All of the above commands fail with the same errors as d2i_PKCS7(). The asn1parse command complains about a bad Boolean. I am stumped here. There seems to be a problem with whatever has been used to save the data. It is prepending the byte 0, 1 to the start of the structure. If you skip these OpenSSL has no problems parsing the PKCS#7 data. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
I'm having a very similar problem as this one. I have a file I made from data sent from an AS2 system. The HTTP headers before the data are (abbreviated to the S/MIME stuff): Subject: EDIINTDATA Message-Id: [EMAIL PROTECTED] Disposition-Notification-To: inXServices Disposition-Notification-Options: signed-receipt-protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m Content-Disposition: inline; filename=smime.p7m Content-Length: 1334 I saved the 1334 bytes after the blank line following the Content-Length to a file. I can't seem to use that file with OpenSSL. On Wed, Dec 28, 2005 at 12:45:18AM +0100, Dr. Stephen Henson wrote: What does the data look like that you are feeding into d2i_PKCS7()? Doies it have lines with -BEGIN in it? No. If the data is available as a file try: openssl pkcs7 -in file -inform DER openssl pkcs7 -inform DER -in src/fo/van/as2/msg.enc unable to load PKCS7 object 23182:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946: 23182:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=PKCS7 openssl pkcs7 -in file openssl pkcs7 -in src/fo/van/as2/msg.enc unable to load PKCS7 object 23183:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:637:Expecting: PKCS7 and if both of those fail: openssl asn1parse -inform DER -in file openssl asn1parse -inform DER -in src/fo/van/as2/msg.enc 0:d=0 hl=2 l= 10 prim: EOC There are also some proprietary store outputs from CryptoAPI which can be produced which OpenSSL cannot handle. Steve. Supposedly the public key produced is X.509. However, I can't read that with OpenSSL, either. I an read the private key (which is documented by the AS2 software as PKS#1 RSA private key -- I assume they mean PKCS#1). I can provide the file to anyone who can assist with this. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
On Wed, Dec 28, 2005, George Garvey wrote: I'm having a very similar problem as this one. I have a file I made from data sent from an AS2 system. The HTTP headers before the data are (abbreviated to the S/MIME stuff): Subject: EDIINTDATA Message-Id: [EMAIL PROTECTED] Disposition-Notification-To: inXServices Disposition-Notification-Options: signed-receipt-protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1 Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m Content-Disposition: inline; filename=smime.p7m Content-Length: 1334 I saved the 1334 bytes after the blank line following the Content-Length to a file. I can't seem to use that file with OpenSSL. You should be able to use the smime utility on the whole message including headers for example: openssl smime -verify -in message or to output a standard PKCS#7 structure in PEM format: openssl smime -pk7out -in message then the standard pkcs7 utility should tolerate it. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie question X509 certificate stores
-Original Message- From: [EMAIL PROTECTED] [mailto:owner-openssl- [EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson Sent: 13 August 2005 17:44 To: openssl-users@openssl.org Subject: Re: Newbie question X509 certificate stores On Sat, Aug 13, 2005, Chris Morrison wrote: Michael wrote: Hi Chris, What type of keystores are you talking about here? (pkcs#12?) It's a PKCS#7 store, I am trying to read the certificate store from a digitally signed ZIP file. I have done it with no probs in VC++ using Microsoft's CryptoAPI, you just read the data into a buffer, which you use to create a CRYPT_DATA_BLOB object that can be passed to the CertOpenStore() function. I cannot see how to do this in openSSL, assuming that it can be done. Ah now that's a different thing entirely. CryptoAPI for its own reasons decides to allow parsing of certificates only PKCS#7 data using its certficate store functions. OpenSSL instead allows PKCS#7 data to be converted to an internal structure called PKCS7 which contains the details of the parsed data. If the relevant data is in memory d2i_PKCS7() will create the structure. From then on you can follow the code which is called with the print_certs function in apps/pkcs7.c. I've finally found time to get back to this project. Thanks for the pointers Steve. However, I've tried using the above call d2i_PKCS7(), but it fails to open the store with the errors below. 4777:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946: 4777:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=PKCS7 What are these supposed to mean? When is there going to be some documentation for the API of OpenSSL? Chris smime.p7s Description: S/MIME cryptographic signature
Re: Newbie question X509 certificate stores
On Tue, Dec 27, 2005, Chris Morrison wrote: I've finally found time to get back to this project. Thanks for the pointers Steve. However, I've tried using the above call d2i_PKCS7(), but it fails to open the store with the errors below. 4777:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946: 4777:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=PKCS7 What do you mean fails to open the store? What does the data look like that you are feeding into d2i_PKCS7()? Doies it have lines with -BEGIN in it? If the data is available as a file try: openssl pkcs7 -in file -inform DER openssl pkcs7 -in file and if both of those fail: openssl asn1parse -inform DER -in file There are also some proprietary store outputs from CryptoAPI which can be produced which OpenSSL cannot handle. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
So many replies. I don't know where to start. Chris Morrison wrote: Hi all, I have recently moved over to Linux, having rid my computer of the M $.Windows virus. I am porting a program that I wrote over to Linux and I am looking for a library to provide X509 digital certificate functions. Micro$oft provide a function in their CryptoAPI called CertOpenStore() which allows you to open a digital certificate store from a file or memory. Is there such a function under OpenSSL? It look like a great library but the lack of documentation on the API (that I can find) is a major drag. Regards, Chris __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
Hi Chris, What type of keystores are you talking about here? (pkcs#12?) Michael. On 8/13/05, Chris Morrison [EMAIL PROTECTED] wrote: So many replies. I don't know where to start. Chris Morrison wrote: Hi all, I have recently moved over to Linux, having rid my computer of the M $.Windows virus. I am porting a program that I wrote over to Linux and I am looking for a library to provide X509 digital certificate functions. Micro$oft provide a function in their CryptoAPI called CertOpenStore() which allows you to open a digital certificate store from a file or memory. Is there such a function under OpenSSL? It look like a great library but the lack of documentation on the API (that I can find) is a major drag. Regards, Chris __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
Michael wrote: Hi Chris, What type of keystores are you talking about here? (pkcs#12?) It's a PKCS#7 store, I am trying to read the certificate store from a digitally signed ZIP file. I have done it with no probs in VC++ using Microsoft's CryptoAPI, you just read the data into a buffer, which you use to create a CRYPT_DATA_BLOB object that can be passed to the CertOpenStore() function. I cannot see how to do this in openSSL, assuming that it can be done. Chris __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question X509 certificate stores
On Sat, Aug 13, 2005, Chris Morrison wrote: Michael wrote: Hi Chris, What type of keystores are you talking about here? (pkcs#12?) It's a PKCS#7 store, I am trying to read the certificate store from a digitally signed ZIP file. I have done it with no probs in VC++ using Microsoft's CryptoAPI, you just read the data into a buffer, which you use to create a CRYPT_DATA_BLOB object that can be passed to the CertOpenStore() function. I cannot see how to do this in openSSL, assuming that it can be done. Ah now that's a different thing entirely. CryptoAPI for its own reasons decides to allow parsing of certificates only PKCS#7 data using its certficate store functions. OpenSSL instead allows PKCS#7 data to be converted to an internal structure called PKCS7 which contains the details of the parsed data. If the relevant data is in memory d2i_PKCS7() will create the structure. From then on you can follow the code which is called with the print_certs function in apps/pkcs7.c. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Newbie question X509 certificate stores
Hi all, I have recently moved over to Linux, having rid my computer of the M $.Windows virus. I am porting a program that I wrote over to Linux and I am looking for a library to provide X509 digital certificate functions. Micro$oft provide a function in their CryptoAPI called CertOpenStore() which allows you to open a digital certificate store from a file or memory. Is there such a function under OpenSSL? It look like a great library but the lack of documentation on the API (that I can find) is a major drag. Regards, Chris __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Newbie question
Hi, I am trying to create RSA public and private keys on Windows with OpenSSL 0.9.7e. I want to save both to disk for later use, but I can't figure out how to read them again... I am doing the following: CUT code to seed the pool rsa = RSA_generate_key(RSA_KEY_LENGTH, RSA_F4, NULL, (char *)stdout); put rsa into a buffer p pub_rsa = d2i_RSAPublicKey(NULL, (const unsigned char**) p, (long)len); len -= (p-buf); priv_rsa = d2i_RSAPrivateKey(NULL, (const unsigned char**)p,(long)len); error handling // save public key BIO *pub = BIO_new_file(pubkey_file, w); PEM_write_bio_RSAPublicKey(pub, pub_rsa); BIO_free(pub); // save private key BIO *priv = BIO_new_file(privkey_file, w+); PEM_write_bio_RSAPrivateKey(priv, priv_rsa, NULL, NULL, 0, NULL, NULL); // load saved private key and write it to a new file for comparison RSA *r_rsa; BIO *tmp = BIO_new_file(privkey.txt, w); BIO_reset(priv); PEM_read_bio_RSAPrivateKey(priv, r_rsa, NULL, NULL); BIO_free(priv); PEM_write_bio_RSAPrivateKey(tmp, r_rsa, NULL, NULL, 0, NULL, NULL); CUT My idea was to compare the privkey_file with privkey.txt and verify that they are identical. I am unfortunately getting an access violation in the call to PEM_read_bio_RSAPrivateKey() in libeay32.dll. I must be doing something wrong... How should I go about reading those keys from disk? Thanks a lot in advance, jules __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie question (with answer - long)
On Fri, 2005-04-01 at 07:31 +0530, Denis wrote: Don't you need to allocate some memory to be able to store the RSA key in r_rsa? I assumed that would happen automatically due to the 'pointer-to- pointer' parameter. Best regards, jules BTW: Doing the following solved my problem: RSA *read_pub_key(const char *pubkey_file) { RSA *key = NULL; BIO *bp; ERR_load_crypto_strings(); bp = BIO_new(BIO_s_file()); if (BIO_read_filename(bp, pubkey_file) = 0) { perror(pubkey_file); goto exit;; } key = PEM_read_bio_RSAPublicKey(bp, NULL, NULL, NULL); if (!key) { ERR_print_errors_fp(stderr); goto exit; } exit: BIO_free(bp); return key; } RSA *read_priv_key(const char *privkey_file) { RSA *key = NULL; BIO *bp; SSLeay_add_all_algorithms(); ERR_load_PEM_strings(); bp = BIO_new(BIO_s_file()); if (BIO_read_filename(bp, privkey_file) = 0) { perror(privkey_file); goto exit; } key = PEM_read_bio_RSAPrivateKey(bp, NULL, NULL, NULL); if (!key) { ERR_print_errors_fp(stderr); goto exit; } exit: BIO_free(bp); return key; } void create_rsa_files(const char *pubkey_file, const char *privkey_file) { RSA *rsa; RSA *pub_rsa; RSA *priv_rsa; int len; unsigned char buf[RSA_KEY_LENGTH * 2]; unsigned char *p; HCRYPTPROV cx = NULL; if (!CryptAcquireContextA(cx, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) { DWORD err = GetLastError(); printf(Could not acquire a cryptographic context - %X\n, err); } unsigned char seed[64]; if (!CryptGenRandom(cx, 64, seed)) printf(Could not get random seed\n); RAND_seed(seed, 64); if (!CryptReleaseContext(cx, 0)) { DWORD err = GetLastError(); printf(Could not release the cryptographic context - %X\n, err); } rsa = RSA_generate_key(RSA_KEY_LENGTH, RSA_F4, NULL, (char *)stdout); RSA_blinding_on(rsa, NULL); p = buf; /* Save the public key into buffer, we know it will be big enough * but we should really check how much space we need by calling the * i2d functions with a NULL second parameter */ len = i2d_RSAPublicKey(rsa, p); len += i2d_RSAPrivateKey(rsa, p); printf(The public and private key are now both in a char array\n); printf(and are taking up %d bytes\n, len); printf(%s\n, buf); RSA_free(rsa); p = buf; pub_rsa = d2i_RSAPublicKey(NULL, (const unsigned char**) p, (long)len); len -= (p-buf); priv_rsa = d2i_RSAPrivateKey(NULL, (const unsigned char**)p, (long)len); if ((pub_rsa == NULL) || (priv_rsa == NULL)) ERR_print_errors_fp(stderr); if (!RSA_check_key(priv_rsa)) printf(Private RSA not validated\n); else printf(Private RSA OK\n); // store public key BIO *pub = BIO_new_file(pubkey_file, w); PEM_write_bio_RSAPublicKey(pub, pub_rsa); BIO_free(pub); RSA_free(pub_rsa); // store private key BIO *priv = BIO_new_file(privkey_file, w); PEM_write_bio_RSAPrivateKey(priv, priv_rsa, NULL, NULL, 0, NULL, NULL); BIO_free(priv); RSA_free(priv_rsa); } __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Total newbie Question
Hi David! On Sat, 12 Feb 2005, David Schwartz wrote: Hi folks, I am new to openssl and I am trying to use a Thawte key with Mutt but I keep getting this error message: Verification failure 8458:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:222:Verify error:unable to get local issuer certificate I have searched on Google, but the answers seem to be above my knowledge level :) Is there a simple cure to this. Sean You need to configure Mutt to trust the certificate that signed the certificate for the key you want to use. Otherwise, OpenSSL has no way to know that the key should be trusted. Okay I will search for info on that, this seems to be right way Sean smime.p7s Description: S/MIME cryptographic signature
Re: Total newbie Question
Which operating system are you using? [Unable to display image]If we have sent you this message in error, please accept ourapologies. You can be removed from our mailing list by replying to this emailaddress with the words 'REMOVE'This message is intended only for the use of the person(s) ("Theintended recipient(s)") to whom it is addressed). It may contain information,which is privileged and confidential within the meaning of applicable law.If you are not the intended recipient, please contact the sender as soon aspossible.The views expressed in this communication may not necessarily be the views held by Midistrator Technologies (UK) Ltd.CONFIDENTIALITY NOTICE: This email and any attachments are sent in confidence, and for the exclusive use of the addressee(s), and on the basis that the recipient will conduct appropriate virus checks. If you receive this email in error, please telephone us upon receipt: and delete the email: you are strictly prohibited from using, copying or disclosing any information contained in it, save to the intended recipient. Internet communications and e-mails are not secure and we are not responsible for their abuse by third parties, nor for any alteration or corruption in transmission, nor for any damage or loss caused by any virus or other defect. inline: logo843902.jpg
Re: Total newbie Question
Hi COMPSUPPLIER! On Sun, 13 Feb 2005, [EMAIL PROTECTED] wrote: Which operating system are you using? I use SuSE Linux 9.2 Sean __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Total newbie Question
I had a similar problem and within YAST checking thru the etc/sysconfig files you have to ensure the Letters SSL are in place you can view and example from within your usr/share/doc/packages I suggest you check the example pages as I am not in front of our servers at present If needed I can collate the info and tell you tomorrow if you need further assistance Midistrator Technologies Limited [Unable to display image]If we have sent you this message in error, please accept ourapologies. You can be removed from our mailing list by replying to this emailaddress with the words 'REMOVE'This message is intended only for the use of the person(s) ("Theintended recipient(s)") to whom it is addressed). It may contain information,which is privileged and confidential within the meaning of applicable law.If you are not the intended recipient, please contact the sender as soon aspossible.The views expressed in this communication may not necessarily be the views held by Midistrator Technologies (UK) Ltd.CONFIDENTIALITY NOTICE: This email and any attachments are sent in confidence, and for the exclusive use of the addressee(s), and on the basis that the recipient will conduct appropriate virus checks. If you receive this email in error, please telephone us upon receipt: and delete the email: you are strictly prohibited from using, copying or disclosing any information contained in it, save to the intended recipient. Internet communications and e-mails are not secure and we are not responsible for their abuse by third parties, nor for any alteration or corruption in transmission, nor for any damage or loss caused by any virus or other defect. inline: logo843902.jpg
Re: Total newbie Question
Hi COMPSUPPLIER! On Sun, 13 Feb 2005, [EMAIL PROTECTED] wrote: I had a similar problem and within YAST checking thru the etc/sysconfig files you have to ensure the Letters SSL are in place you can view and example from within your usr/share/doc/packages I suggest you check the example pages as I am not in front of our servers at present If needed I can collate the info and tell you tomorrow if you need further assistance Umm just did a search in /etc/sysconfig and the only mention is to Postfix which I removed in favour of exim. Sean smime.p7s Description: S/MIME cryptographic signature
Re: Total newbie Question
Can I email you tomorrow I had the same problem your experiencing Until I put in the letters SSL i got the same error on SuSe 9 pro I managed then to set up our site here http://www.mtlgroup.co.uk/shop1/index.php Also where have you put your private.key, myserver.key you CA.txt the yourdomain.csr regards Midistrator Technologies Limited [Unable to display image]If we have sent you this message in error, please accept ourapologies. You can be removed from our mailing list by replying to this emailaddress with the words 'REMOVE'This message is intended only for the use of the person(s) ("Theintended recipient(s)") to whom it is addressed). It may contain information,which is privileged and confidential within the meaning of applicable law.If you are not the intended recipient, please contact the sender as soon aspossible.The views expressed in this communication may not necessarily be the views held by Midistrator Technologies (UK) Ltd.CONFIDENTIALITY NOTICE: This email and any attachments are sent in confidence, and for the exclusive use of the addressee(s), and on the basis that the recipient will conduct appropriate virus checks. If you receive this email in error, please telephone us upon receipt: and delete the email: you are strictly prohibited from using, copying or disclosing any information contained in it, save to the intended recipient. Internet communications and e-mails are not secure and we are not responsible for their abuse by third parties, nor for any alteration or corruption in transmission, nor for any damage or loss caused by any virus or other defect. inline: logo843902.jpg
Re: Total newbie Question
Hi COMPSUPPLIER! On Sun, 13 Feb 2005, [EMAIL PROTECTED] wrote: Can I email you tomorrow I had the same problem your experiencing Until I put in the letters SSL i got the same error on SuSe 9 pro I managed then to set up our site here _http://www.mtlgroup.co.uk/shop1/index.php_ (http://www.mtlgroup.co.uk/shop1/index.php) Also where have you put your private.key, myserver.key you CA.txt the yourdomain.csr I imported the key from Opera, well exported it, them inported it. I have not used a self made key, would that be the problem, just a thawte key. I have just downloaded their root keys Sean __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Total newbie Question
you need a private.key and a myserver.key and you will have a server.csr and yourdomain.csr you will also need your THAWTE CA.txt which is signed version of yourdomain.csr,but this needs to match with your private.key which in turn is linked to yourserver.key you would need links in your VHost SSL to point to locations within the SuSe system What Apache are you running? Are your Httpd files in Etc/Apache2 or usr/local/apache2 Regards Midistrator Technologies Limited [Unable to display image]If we have sent you this message in error, please accept ourapologies. You can be removed from our mailing list by replying to this emailaddress with the words 'REMOVE'This message is intended only for the use of the person(s) ("Theintended recipient(s)") to whom it is addressed). It may contain information,which is privileged and confidential within the meaning of applicable law.If you are not the intended recipient, please contact the sender as soon aspossible.The views expressed in this communication may not necessarily be the views held by Midistrator Technologies (UK) Ltd.CONFIDENTIALITY NOTICE: This email and any attachments are sent in confidence, and for the exclusive use of the addressee(s), and on the basis that the recipient will conduct appropriate virus checks. If you receive this email in error, please telephone us upon receipt: and delete the email: you are strictly prohibited from using, copying or disclosing any information contained in it, save to the intended recipient. Internet communications and e-mails are not secure and we are not responsible for their abuse by third parties, nor for any alteration or corruption in transmission, nor for any damage or loss caused by any virus or other defect. inline: logo843902.jpg
Re: Total newbie Question
Hi COMPSUPPLIER! On Sun, 13 Feb 2005, [EMAIL PROTECTED] wrote: you need a private.key and a myserver.key and you will have a server.csr and yourdomain.csr you will also need your THAWTE CA.txt which is signed version of yourdomain.csr,but this needs to match with your private.key which in turn is linked to yourserver.key you would need links in your VHost SSL to point to locations within the SuSe system What Apache are you running? Are your Httpd files in Etc/Apache2 or usr/local/apache2 I am currently only using it for email purposes and maybe then will play a bit more Sean __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Total newbie Question
Hi OpenSSL! On Sun, 13 Feb 2005, Sean Rima wrote: Hi COMPSUPPLIER! On Sun, 13 Feb 2005, [EMAIL PROTECTED] wrote: you need a private.key and a myserver.key and you will have a server.csr and yourdomain.csr you will also need your THAWTE CA.txt which is signed version of yourdomain.csr,but this needs to match with your private.key which in turn is linked to yourserver.key you would need links in your VHost SSL to point to locations within the SuSe system What Apache are you running? Are your Httpd files in Etc/Apache2 or usr/local/apache2 I am currently only using it for email purposes and maybe then will play a bit more Just sorted the problem, I exported the Thawte Personal Email key from Opera and imported it and it works :) Sean smime.p7s Description: S/MIME cryptographic signature
Total newbie Question
Hi folks, I am new to openssl and I am trying to use a Thawte key with Mutt but I keep getting this error message: Verification failure 8458:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:222:Verify error:unable to get local issuer certificate I have searched on Google, but the answers seem to be above my knowledge level :) Is there a simple cure to this. Sean smime.p7s Description: S/MIME cryptographic signature
RE: Total newbie Question
Hi folks, I am new to openssl and I am trying to use a Thawte key with Mutt but I keep getting this error message: Verification failure 8458:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:222:Verify error:unable to get local issuer certificate I have searched on Google, but the answers seem to be above my knowledge level :) Is there a simple cure to this. Sean You need to configure Mutt to trust the certificate that signed the certificate for the key you want to use. Otherwise, OpenSSL has no way to know that the key should be trusted. DS smime.p7s Description: S/MIME cryptographic signature
Newbie Question SSL Apache
Hallo, I have a question regarding SSLCACertificateFile from the SSL-Apache in http.conf File. I have a server certificate which is issued by our Sub CA. My Question which Certificate must I use the Root CA or the Sub CA Certificate. The Root CA Certificate is issued by DFN-PCA in Hamburg/Germany, and the Sub CA is produced by our selves. TIA R. Markham
Re: Newbie Question SSL Apache
R. Markham wrote: Hallo, I have a question regarding SSLCACertificateFile from the SSL-Apache in http.conf File. I have a server certificate which is issued by our Sub CA. My Question which Certificate must I use the Root CA or the Sub CA Certificate. The Root CA Certificate is issued by DFN-PCA in Hamburg/Germany, and the Sub CA is produced by our selves. This is a question that should be best answered by the issuing CA... ;) As far as I understand it the File pointed at by SSLCACertificateFile must contain both Certs, the Root-CA's and the Sub CA's since Apache sends the complete Certificate chain to the browser. TIA R. Markham Kind regards, Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 smime.p7s Description: S/MIME Cryptographic Signature
AW: Newbie Question SSL Apache
Hi Ted, I am rather confused which of the Variable to use. It seems to me they are equal. SSLCACertificateFile and SSLCertificateChainFile Have any idea. Regards Richard Markham -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Im Auftrag von Bernhard Froehlich Gesendet: Mittwoch, 12. Januar 2005 11:54 An: openssl-users@openssl.org Betreff: Re: Newbie Question SSL Apache R. Markham wrote: Hallo, I have a question regarding SSLCACertificateFile from the SSL-Apache in http.conf File. I have a server certificate which is issued by our Sub CA. My Question which Certificate must I use the Root CA or the Sub CA Certificate. The Root CA Certificate is issued by DFN-PCA in Hamburg/Germany, and the Sub CA is produced by our selves. This is a question that should be best answered by the issuing CA... ;) As far as I understand it the File pointed at by SSLCACertificateFile must contain both Certs, the Root-CA's and the Sub CA's since Apache sends the complete Certificate chain to the browser. TIA R. Markham Kind regards, Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
newbie question ...
Hi all !!! I've been working for a while with the cipher and digest RC4-SHA1 routines for a project, but now I want to use the X509 libraries to handle an certificate.cer issued by a local CA. I've looked and been tried with d2i_X509 and d2i_X509_fp routines but my tests fails. So .. my question is ... how can (or must) I convert a CER certificate into a DER or PEM certificate with the X509 certificate handle routines ???. I could solve my last problems with SHA1 and RC4 but this time I can't . sorry I'm a newbie... Thanks in advance Zainos. Do You Yahoo!? Yahoo! Net: La mejor conexión a internet y 25MB extra a tu correo por $100 al mes.
Re: newbie question ...
On Fri, Mar 26, 2004, Carlos Roberto Zainos H wrote: Hi all !!! I've been working for a while with the cipher and digest RC4-SHA1 routines for a project, but now I want to use the X509 libraries to handle an certificate.cer issued by a local CA. I've looked and been tried with d2i_X509 and d2i_X509_fp routines but my tests fails. So .. my question is ... how can (or must) I convert a CER certificate into a DER or PEM certificate with the X509 certificate handle routines ???. I could solve my last problems with SHA1 and RC4 but this time I can't . sorry I'm a newbie... I've seen .cer files in both PEM, DER and base64 (without PEM headers) format so it could be any... See if the command: openssl x509 -in file.cer -noout -text works. If it does then you can use the PEM routines such as PEM_read_bio_X509() to load it. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
another Newbie Question
Im currently reading network security with open ssl, and im well and truly stuck. ive google, and check the book site to see if its a reported mistake.. no luck. Does anyone know if SSL_library_init(), and SSL_load_error_strings() are part OpenSSL?, or are they functions the writer is using? Im getting external unresolved linker errors from them. Ive included the following... #include openssl/bio.h #include openssl/err.h #include openssl/rand.h #include openssl/ssl.h #include openssl/x509v3.h Any ideas? Thanks Darren __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: another Newbie Question
On Wed, Jan 21, 2004 at 06:10:39AM -0500, Darren McDonald wrote: Im currently reading network security with open ssl, and im well and truly stuck. ive google, and check the book site to see if its a reported mistake.. no luck. Does anyone know if SSL_library_init(), and SSL_load_error_strings() are part OpenSSL?, or are they functions the writer is using? Im getting external unresolved linker errors from them. Ive included the following... #include openssl/bio.h #include openssl/err.h #include openssl/rand.h #include openssl/ssl.h #include openssl/x509v3.h When compling/linking append -lssl -lcrypto such that the necessary functions are actually linked in... Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: another Newbie Question
Thanks, but do you have any idea how idea accomplish this in C++ Borland builder? Ive already set it up to search for header files in the relavent folder, what am I missing? On Wed, Jan 21, 2004 at 06:10:39AM -0500, Darren McDonald wrote: Im currently reading network security with open ssl, and im well and truly stuck. ive google, and check the book site to see if its a reported mistake.. no luck. Does anyone know if SSL_library_init(), and SSL_load_error_strings() are part OpenSSL?, or are they functions the writer is using? Im getting external unresolved linker errors from them. Ive included the following... #include openssl/bio.h #include openssl/err.h #include openssl/rand.h #include openssl/ssl.h #include openssl/x509v3.h When compling/linking append -lssl -lcrypto such that the necessary functions are actually linked in... Best regards, Lutz -- Lutz Jaenicke __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: another Newbie Question
aaahhh, I see now. I err, forgot to include the libarys that go with the header files, got it sorted now. Thanks to all. Darren __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
newbie question
We have an Oracle Internet Application Server with Apache 1.3 and OpenSSL. SSL works, but I would like to make it so that when the web user goes to http://whatever.ddd, they are forced/redirected to https://whatever.ddd. Is this an SSL, or an Apache directive, if so what directive. I've played around with Redirect but to no avail. And I've tried SSLRequireSSL also to no avail. Or is this something that needs to be addressed either in the firewall or the index.html page. The setup of Apache and OpenSSL are the default install that comes with Oracle IAS. Thanks, Frank __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: newbie question
On Thu, 28 Aug 2003 [EMAIL PROTECTED] wrote: Is this an SSL, or an Apache directive, if so what directive. I've played around with Redirect but to no avail. And I've tried SSLRequireSSL also to no avail. Apache. Create a virtual server for the HTTP port, and use a Redirect rule in that server configuration section. For more details see the Apache configuration guides. Regards Henrik __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's
On Thu, Aug 21, 2003, Rohan Pinto wrote: I have a SunONE WebServer 6.0 running on a certain subnet. (www.abcd.com - for this example) The Webserver serves content over http. I intend to protect this content via PDC authentication. To do so, I'd need 2 things. 1. A Server Cert 2. A User Cert (on a smartcard) [assumption is that the user would be prompted to insert his smartcard everytime he wishes to access the server. i'd plug the usercert on the browser (custom app) and retain the public key on the card. the browser would have a pointer to the card for the piublic key] I think you mean retain the private key on the card: the public key will be in the user cert anyway... You'll also need a PKCS#11 module to do the private key SSL/TLS operations on the smart card (for Mozilla/Netscape) or a CSP (for MSIE). Then I launched my webserver admin console and added ca.cer as the rootCAcert and server.cer as the cert for the server itself. I then added a listen socket on the server listening on port 443. I also enabled Client Authentication (for PDC authentication) at this point even though i did not have a PDC i assumed that teh server would simply deny access. but the issue is that this method just didnt work. It could be that the browser is giving an uninformative error message. First try it without enabling client authentication on the server. If you can connect OK then the server cert is fine. Then try enabling client auth. If it stops working use s_client to check the list of CAs the server presents to see if the required client auth CA is present. If not then that's the problem: you need to add your client CA to the list of CAs the server sends out with client auth... Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's
Dr. Stephen Henson wrote: On Fri, Aug 22, 2003, Charles B Cranston wrote: Well, the sad answer to this question is yes. It turns out that in the design of SSL the client does the verification, so each client has its own little set of peccadillos. Indeed but if the OP means that you need a different server certificate for each browser then the answer is no: the requirements aren't mutually exclusive. Agreed, we were able to eventually arrive at an architecture that seems to work for all our usages, both client and server. These are some of the ones we found: Netscape 4 will not tolerate an ExtendedKeyUsage extension. Hmmm. What makes you think that? EKU is *required* to handle step up (aka SGC, magic, 128 bit [yuck]) and Netscape 4 handled that. Hello Steve! Based on a dialog that came up that said unknown critical extension when I had a critical EKU extension and that dialog not coming up when I made it a noncritical extension or left it out entirely. I don't think this had anything to do with stepup, but correct me if I'm missing something. You might look at what kind of extensions are included. The documentation for the extensions is in a docs directory of the OpenSSL source and it is something innocuous like openssl.txt or something like that. Also, read the man page on the openssl.cnf file format. Its doc/openssl.txt and this is referenced in the FAQ. It's man config for the openssl.cnf file format. My experience is that the comments in the distributed file add greatly to the documentation so both should be read. It shouldn't be necessary to alter the default extensions for a simple SSL server certificate. Yes, I believe this to be the case, but note that software rot might affect this. We have some Java client code that REQUIRES a BasicConstraints extension, for example, and while I believe the distributed cnf does put one in, in slight violation of PKIX/RFC3380 (and this is well and truly disclosed and documented in the commentary!) it may someday come to pass that some client requires something above and beyond. Wasn't there a case in the last two months on this list where somebody was trying to generate a certificate for an HP printer or printer server and it needed some specific certificate usage extension bits??? Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's
On Fri, Aug 22, 2003, Charles B Cranston wrote: Dr. Stephen Henson wrote: These are some of the ones we found: Netscape 4 will not tolerate an ExtendedKeyUsage extension. Hmmm. What makes you think that? EKU is *required* to handle step up (aka SGC, magic, 128 bit [yuck]) and Netscape 4 handled that. Hello Steve! Based on a dialog that came up that said unknown critical extension when I had a critical EKU extension and that dialog not coming up when I made it a noncritical extension or left it out entirely. I don't think this had anything to do with stepup, but correct me if I'm missing something. Well not setting it to critical might have worked unless you specifically wanted any client that didn't recognize the extension to reject it. Setting anything to critical may cause problems for older clients because at least one version of IE rejects anything that's critical even if it does recognize it. It shouldn't be necessary to alter the default extensions for a simple SSL server certificate. Yes, I believe this to be the case, but note that software rot might affect this. We have some Java client code that REQUIRES a BasicConstraints extension, for example, and while I believe the distributed cnf does put one in, in slight violation of PKIX/RFC3380 (and this is well and truly disclosed and documented in the commentary!) it may someday come to pass that some client requires something above and beyond. IIRC RFC2459 frowned upon basicConstraints (but didn't forbid it) in end user certificates whereas RFC3280 now specifically allows it. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's
Continuation of a dialog between Dr. Stephen Henson and Charles B Cranston: B: These are some of the ones we found: B: Netscape 4 will not tolerate an ExtendedKeyUsage extension. S: Hmmm. What makes you think that? EKU is *required* to handle step up S: (aka SGC, magic, 128 bit [yuck]) and Netscape 4 handled that. B: Based on a dialog that came up that said B: unknown critical extension when I had a critical EKU extension B: and that dialog not coming up when I made it a noncritical B: extension or left it out entirely. I don't think this had B: anything to do with stepup, but correct me if I'm missing B: something S: Well not setting it to critical might have worked unless you specifically S: wanted any client that didn't recognize the extension to reject it. S: Setting anything to critical may cause problems for older clients because at S: least one version of IE rejects anything that's critical even if it does S: recognize it. B: Gee, Steve, I'm sorry, I didn't completely read (or comprehend B: at least) your earlier remark. You are saying that NS calls it an B: unknown critical extension even though it knows about it in the B: context of stepup??? That's just broken. The standard clearly B: states that if you don't know about an extension and it's critical B: you fail. If it knows about it how can it be unknown? Yeah left B: hand doesn't know what right hand is doing I guess. Thanks for the B: additional data point. Guess we didn't test it as completely as we B: thought we did. And if IE rejects anything that is critical even B: if it does recognize it (absent the critical bit) then IMHO it is B: broken too. Grump. S: It shouldn't be necessary to alter the default extensions for a simple SSL S: server certificate. B: Yes, I believe this to be the case, but note that software rot B: might affect this. We have some Java client code that REQUIRES B: a BasicConstraints extension, for example, and while I believe B: the distributed cnf does put one in, in slight violation of B: PKIX/RFC3380 (and this is well and truly disclosed and documented B: in the commentary!) it may someday come to pass that some client B: requires something above and beyond. S: IIRC RFC2459 frowned upon basicConstraints (but didn't forbid it) in end user S: certificates whereas RFC3280 now specifically allows it. B: Hmm, missed that change, alligators and swamps... Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's
Well, I took dumps of the two certificates (and CSR) that Rohan provided, and the dates overlap, which might be the IE specific problem. At first it looked like the subject DNs were exactly the same between the two certificates, but upon closer examination the subject DN for the server certificate lacks the Email=xx tag. It is a little confusing but I don't know if it is really a problem for the software (which is harder to confuse!) = ROOT cert: Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: md5WithRSAEncryption Issuer: C=US, ST=California, L=San Jose, O=MG Solutions Class 3 Root CA, OU=Security Infrastructure Deployment Engineering (SIDE), CN=www.ldapguru.com/[EMAIL PROTECTED] = Validity Not Before: Aug 22 01:39:07 2003 GMT Not After : Aug 17 01:39:07 2023 GMT Subject: C=US, ST=California, L=San Jose, O=MG Solutions Class 3 Root CA, OU=Security Infrastructure Deployment Engineering (SIDE), CN=www.ldapguru.com/[EMAIL PROTECTED] = Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:9b:41:b0:77:3b:ca:a4:70:79:c3:ec:ea:44:2d: = SERVER cert: Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: md5WithRSAEncryption Issuer: C=US, ST=California, L=San Jose, O=MG Solutions Class 3 Root CA, OU=Security Infrastructure Deployment Engineering (SIDE), CN=www.ldapguru.com/[EMAIL PROTECTED] = Validity Not Before: Aug 22 02:07:24 2003 GMT Not After : Aug 17 02:07:24 2023 GMT this confuses IE! Subject: C=US, ST=California, O=MG Solutions Class 3 Root CA, OU=Security Infrastructure Deployment Engineering (SIDE), CN=www.ldapguru.com no EMail here! Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:f5:3b:af:5f:3a:05:b9:20:f3:93:14:87:43:76: = Hope this helps. -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's
On Fri, Aug 22, 2003, Charles B Cranston wrote: Continuation of a dialog between Dr. Stephen Henson and Charles B Cranston: B: These are some of the ones we found: B: Netscape 4 will not tolerate an ExtendedKeyUsage extension. S: Hmmm. What makes you think that? EKU is *required* to handle step up S: (aka SGC, magic, 128 bit [yuck]) and Netscape 4 handled that. B: Based on a dialog that came up that said B: unknown critical extension when I had a critical EKU extension B: and that dialog not coming up when I made it a noncritical B: extension or left it out entirely. I don't think this had B: anything to do with stepup, but correct me if I'm missing B: something I've never seen that dialog on Netscape, though I've seen IE produce it. What I'm saying is that stepup uses EKU (among other things) to identify its certificates Netscape 4.[something] did support stepup so presumably it at least partially parsed EKU. What version rejected critical EKU? S: Well not setting it to critical might have worked unless you specifically S: wanted any client that didn't recognize the extension to reject it. S: Setting anything to critical may cause problems for older clients because at S: least one version of IE rejects anything that's critical even if it does S: recognize it. B: Gee, Steve, I'm sorry, I didn't completely read (or comprehend B: at least) your earlier remark. You are saying that NS calls it an B: unknown critical extension even though it knows about it in the B: context of stepup??? That's just broken. The standard clearly B: states that if you don't know about an extension and it's critical B: you fail. If it knows about it how can it be unknown? Yeah left B: hand doesn't know what right hand is doing I guess. Thanks for the B: additional data point. Guess we didn't test it as completely as we B: thought we did. And if IE rejects anything that is critical even B: if it does recognize it (absent the critical bit) then IMHO it is B: broken too. Grump. Well its only an older version of IE that does that, the current stuff doesn't though it has its own weirdness. This will get much more fun when if and when things like nameConstraints become more common. The latest IE already displays that but does something strange and the standards are ambiguous too... Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's
Based on a dialog that said unknown critical extension I've never seen that dialog on Netscape, though I've seen IE produce it. What I'm saying is that stepup uses EKU (among other things) to identify its certificates Netscape 4.[something] did support stepup so presumably it at least partially parsed EKU. What version rejected critical EKU? Well, I'm wondering if I remember this wrong. It was definitely IE that required the dates to nest, but it MIGHT have been IE that said this dialog as well. I remember my initial development setup was Netscape 4.72 on a Macintosh and an Apache 1.x server running on my (Debian) Linux machine, and I did discover this problem fairly late in the process, so it COULD be that I discovered it while testing with IE (I believe it was 5). The problem was that this Win 98 system is the one I cross boot with Debian, so I couldn't use it as a client until the PKI was migrated to a Solaris box, and that happened relatively late in the process. We have jealousy problems here with machine counts, so I can only have two machines on my desk. So I do a lot of testing with the machines at home and with laptops that are not in the face of the jealous ones... Guess I'm getting old. My SO is a college professor, and she was so worried about her tendancy to forget her train of thought in the middle of class that she got an MRI this week. I just chalk it up to our getting old. Setting anything to critical may cause problems for older clients because at least one version of IE rejects anything that's critical even if it does recognize it. ... if IE rejects anything that is critical even if it does recognize it (absent the critical bit) then IMHO it is broken too. Grump. Well its only an older version of IE that does that, the current stuff doesn't though it has its own weirdness. Now I wonder if I misread you again. You are saying if it does recognize it does that mean 1) it allows it (possibly by not knowing about it at all) or 2) it actually recognizes it and does something different In case 1, yes, it seems OK to reject something critical that you don't know about, while 2, seems to me if you do something different when it is present you shouldn't give a tinkers dam about the critical bit. That's what the definition of the critical bit IS, and IMHO software that recognizes the extension to the point of assigning it semantic meaning should NOT reject it just for being critical, and software that does so is broken. Grump. This will get much more fun when if and when things like nameConstraints become more common. The latest IE already displays that but does something strange and the standards are ambiguous too... Well, let this be a warning to EVERYBODY OUT THERE that you need to consider the possibility that some of your clients may be broken and not doing the documented right thing (and being on a Dean's desk where you haven't a chance in the world of getting it thrown out :-) and be sure to test if you do use any of the new groovy features... -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's
On Fri, Aug 22, 2003, Charles B Cranston wrote: Based on a dialog that said unknown critical extension I've never seen that dialog on Netscape, though I've seen IE produce it. What I'm saying is that stepup uses EKU (among other things) to identify its certificates Netscape 4.[something] did support stepup so presumably it at least partially parsed EKU. What version rejected critical EKU? Well, I'm wondering if I remember this wrong. It was definitely IE that required the dates to nest, but it MIGHT have been IE that said this dialog as well. I remember my initial development setup was Netscape 4.72 on a Macintosh and an Apache 1.x server running on my (Debian) Linux machine, and I did discover this problem fairly late in the process, so it COULD be that I discovered it while testing with IE (I believe it was 5). Yes its IE with that validity nesting thing. I've had a note about that in my PKCS#12 FAQ almost from the start. I'm not saying Netscape didn't have a unrecognized critical extension dialog its just that I've never seen it. Setting anything to critical may cause problems for older clients because at least one version of IE rejects anything that's critical even if it does recognize it. ... if IE rejects anything that is critical even if it does recognize it (absent the critical bit) then IMHO it is broken too. Grump. Well its only an older version of IE that does that, the current stuff doesn't though it has its own weirdness. Now I wonder if I misread you again. You are saying if it does recognize it does that mean 1) it allows it (possibly by not knowing about it at all) or 2) it actually recognizes it and does something different In case 1, yes, it seems OK to reject something critical that you don't know about, while 2, seems to me if you do something different when it is present you shouldn't give a tinkers dam about the critical bit. That's what the definition of the critical bit IS, and IMHO software that recognizes the extension to the point of assigning it semantic meaning should NOT reject it just for being critical, and software that does so is broken. Grump. It was a bug in some older IE versions. I'm dredging up distant memory here but in pseudo code what it should've done is: if (critical !recognized) reject(); What I *think* it did instead was: if (critical recognized) reject(); This behaviour stayed for quite a while and various CAs worked around it by not making any extensions critical. This will get much more fun when if and when things like nameConstraints become more common. The latest IE already displays that but does something strange and the standards are ambiguous too... Well, let this be a warning to EVERYBODY OUT THERE that you need to consider the possibility that some of your clients may be broken and not doing the documented right thing (and being on a Dean's desk where you haven't a chance in the world of getting it thrown out :-) and be sure to test if you do use any of the new groovy features... There's also the possibility that there is no documented right thing or it is ambiguous so that two clients can do contradictory things with an extension and both be compliant because the standard doesn't define the correct behaviour. Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's
Sigh. But if you READ THE MAN PAGE FOR X509 YOU WOULD SEE THAT IF THERE IS NO -CASERIAL FILE SPECIFIED IT LOOKS IN A FILE WITH THE SAME NAME AS THE SIGNING CERT BUT WITH A SRL SUFFIX. So if you put the two ASCII characters 1A into a file called cacert.srl you would expect the certificate that is produced to have serial number 25 and the file to contain 1B after all the smoke has cleared. Honestly, you'd think after you led the horse to within two feet of the river he would figure it out... Rohan Pinto wrote: I keep getting a error when i try this. i generated privkey.pem by using ./openssl genrsa -out privkey.pem 2048 AND cacert.pem by using ./openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 Then I generated a CSR from my webserver (on a different domain/different box different instalce altogether) named it mev.csr.pem transfered that file over to the box running openssl. ./openssl x509 -req -in mev.csr.pem -CA cacert.pem -CAkey rivkey.pem -days 1024 -out mev.cert.pem Signature ok subject=/C=US/ST=California/L=San Jose/O=MEV DEMO LAB SERVER/OU=RandD/CN=www.mev.com Getting CA Private Key Enter PEM pass phrase: cacert.srl: No such file or directory 2279:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('cacert.srl','r') 2279:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247: looks like it's looking for a file cacert.srl, but I never specified this filename, any insight on this Rohan - Original Message - From: Charles B Cranston [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 19, 2003 12:21 PM Subject: Re: Newbie question - Signing CSR's Rohan Pinto wrote: I wrote What you need to do is: 1. create a root certificate 2. install that root certificate into all your web browsers 3. create a CSR on the server 4. use the root to sign that CSR into a server certificate This is the part that i would need help on. I have created a root certificate, I've imported that into all my web browsers and also on the webserver. I have also crested a cSR from the webserver. I dont know how to sign the CSR If I could get some advise on jow to sign a CSR i would at leats get an understanding of the flow. From what i have understood so far... I used the rootCA private key while signing the CSR. The webservers public key is sittign somewhere on the webserver. i would need to use that key to sign the CSR. The question is. how do i get that key?. Also I am confused as i believed that the webservers key would be embedded in the CSR. You are doing fine until you get to signing the CSR with the webserver's public key which is sitting somewhere on the webserver. Important theoretical points 1. The CSR IS the webserver's public key, plus some ID info 2. The CSR is made INTO the Certificate by signing with the root's private key (not any server key nor any public key) 3. The webserver's PRIVATE key is the one sitting somewhere on the webserver 4. The Certificate IS the webserver's public key (as obtained from the CSR) and is SIGNED using the root's private key. Why? So the root's public key, which EVERYBODY has access to, can be used to VERIFY that the certificate has not been forged. So, take the CSR from the webserver machine to the machine where you are running OpenSSL. Sign the CSR into a certificate using the private key from the root certificate. This can be done with either the ca tool (or something like CA.PL which calls it) or with the x509 tool. Take the certificate back and install it into the webserver. The way to do this varies from webserver to webserver but go to http://www.ssl.com/support/installation.jsp and look at the menu over on the right hand side. Find your webserver software and see if they have good installation documentation. This is a VERY well done web site. 5. install the server certificate on the server Wish i could get some pointers on the the steps to sign a CSR thats generated from a webserver (which resides on abcd.com domain) using openssl that resides on (xyz.com) on xyz.com: ftp abcd.com get server.csr.pem quit openssl x509 -req -in server.csr.pem \ -CA root.cert.pem -CAkey root.key.pem more options \ -out server.cert.pem ftp abcd.com put server.cert.pem Under more options there is -CAserial to set a serial number, maybe -sha1 to use SHA instead of MD5 as a hash, -days to set the certificate lifetime, etc. Some of these things can be set in the OpenSSL configuration file. I'd look at man x509. Alternatively, signing can be done with the ca tool, but I'm not so familiar with it. It requires an infrastructure of a data file and a serial number file and directories of various things etc and since I based our database on Oracle it seemed too high-level and high-maintenance to use. Unfortunately it seems I need to use it for my personal identity and privacy PKIs since x509 doesn't seem to know how
Re: Newbie question - Signing CSR's (picture enclosed)
So... if the CASr has been generated and the CSR has been sent to the CA (running openssl) whats the command (in openssl) to sign this CSR ?? anything on the lines of.. ./openssl -some parameters- request.CSR -some parameters- signedCSR.cer ?? Rohan - Original Message - From: Charles B Cranston [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 19, 2003 12:50 PM Subject: Re: Newbie question - Signing CSR's (picture enclosed) Sometimes a picture is worth a thousand words: The Standard Model of Certificate generation: On the server machine: Generate CSR operation +-+ +-+ | Private Key | | Certificate Signing Request | +--+--+ | | v | ++| | | Public Key || | ++| | | |Distinguished Name | | | Note: hash is signed | ++| by private key above | |Hash|| | ++| +--+--+ | | Sent to CA for signing v +-+ CA can use public key | Certificate | from CSR to check | | signature on hash to| ++| prevent alteration of | | Public Key || CSR by adversary| ++| | | | Issuer Distinguished Name | | | | Subject DistinguishedName | | | Note: hash is signed| ++| by private key of root | |Hash|| | ++| +--+--+ | | Returned to server v In secure site operation: Server presents certificate to client Client uses public key of root (obtained from preconfigured root certificate) to check hash to ensure certificate has not been forged. Client rolls a random number and encrypts it with the public key from the server certificate, then returns it to the server. Server decrypts this with server private key and both sides use it as a symmetric key for conventional (e.g., DES) cryptography. Eavesdropper does not have access to private key so cannot decrypt. Man-in-the-middle attacker does not have access to private key so cannot decrypt. -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's (picture enclosed)
On Wed, Aug 20, 2003, Rohan Pinto wrote: So... if the CASr has been generated and the CSR has been sent to the CA (running openssl) whats the command (in openssl) to sign this CSR ?? anything on the lines of.. ./openssl -some parameters- request.CSR -some parameters- signedCSR.cer ?? As I mentioned in the other message you first have to create a root CA and its directory structure. The command: CA.pl -newca will do that (there are other ways but CA.pl is the easiest). Then when you have the CSR rename it to newreq.pem and do: CA.pl -sign and the certificate will be in newcert.pem Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's
I keep getting a error when i try this. i generated privkey.pem by using ./openssl genrsa -out privkey.pem 2048 AND cacert.pem by using ./openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 Then I generated a CSR from my webserver (on a different domain/different box different instalce altogether) named it mev.csr.pem transfered that file over to the box running openssl. ./openssl x509 -req -in mev.csr.pem -CA cacert.pem -CAkey rivkey.pem -days 1024 -out mev.cert.pem Signature ok subject=/C=US/ST=California/L=San Jose/O=MEV DEMO LAB SERVER/OU=RandD/CN=www.mev.com Getting CA Private Key Enter PEM pass phrase: cacert.srl: No such file or directory 2279:error:02001002:system library:fopen:No such file or directory:bss_file.c:245:fopen('cacert.srl','r') 2279:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:247: looks like it's looking for a file cacert.srl, but I never specified this filename, any insight on this Rohan - Original Message - From: Charles B Cranston [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, August 19, 2003 12:21 PM Subject: Re: Newbie question - Signing CSR's Rohan Pinto wrote: I wrote What you need to do is: 1. create a root certificate 2. install that root certificate into all your web browsers 3. create a CSR on the server 4. use the root to sign that CSR into a server certificate This is the part that i would need help on. I have created a root certificate, I've imported that into all my web browsers and also on the webserver. I have also crested a cSR from the webserver. I dont know how to sign the CSR If I could get some advise on jow to sign a CSR i would at leats get an understanding of the flow. From what i have understood so far... I used the rootCA private key while signing the CSR. The webservers public key is sittign somewhere on the webserver. i would need to use that key to sign the CSR. The question is. how do i get that key?. Also I am confused as i believed that the webservers key would be embedded in the CSR. You are doing fine until you get to signing the CSR with the webserver's public key which is sitting somewhere on the webserver. Important theoretical points 1. The CSR IS the webserver's public key, plus some ID info 2. The CSR is made INTO the Certificate by signing with the root's private key (not any server key nor any public key) 3. The webserver's PRIVATE key is the one sitting somewhere on the webserver 4. The Certificate IS the webserver's public key (as obtained from the CSR) and is SIGNED using the root's private key. Why? So the root's public key, which EVERYBODY has access to, can be used to VERIFY that the certificate has not been forged. So, take the CSR from the webserver machine to the machine where you are running OpenSSL. Sign the CSR into a certificate using the private key from the root certificate. This can be done with either the ca tool (or something like CA.PL which calls it) or with the x509 tool. Take the certificate back and install it into the webserver. The way to do this varies from webserver to webserver but go to http://www.ssl.com/support/installation.jsp and look at the menu over on the right hand side. Find your webserver software and see if they have good installation documentation. This is a VERY well done web site. 5. install the server certificate on the server Wish i could get some pointers on the the steps to sign a CSR thats generated from a webserver (which resides on abcd.com domain) using openssl that resides on (xyz.com) on xyz.com: ftp abcd.com get server.csr.pem quit openssl x509 -req -in server.csr.pem \ -CA root.cert.pem -CAkey root.key.pem more options \ -out server.cert.pem ftp abcd.com put server.cert.pem Under more options there is -CAserial to set a serial number, maybe -sha1 to use SHA instead of MD5 as a hash, -days to set the certificate lifetime, etc. Some of these things can be set in the OpenSSL configuration file. I'd look at man x509. Alternatively, signing can be done with the ca tool, but I'm not so familiar with it. It requires an infrastructure of a data file and a serial number file and directories of various things etc and since I based our database on Oracle it seemed too high-level and high-maintenance to use. Unfortunately it seems I need to use it for my personal identity and privacy PKIs since x509 doesn't seem to know how to process a SPKIX file. Sorry about my somewhat fuzzy (and in some places WRONG) answer before. I should REALLY learn not to type anything in before noon. -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List
Re: Newbie question - Signing CSR's
On Tue, Aug 19, 2003, Rohan Pinto wrote: This is the part that i would need help on. I have created a root certificate, I've imported that into all my web browsers and also on the webserver. I have also crested a cSR from the webserver. I dont know how to sign the CSR If I could get some advise on jow to sign a CSR i would at leats get an understanding of the flow. From what i have understood so far... I used the rootCA private key while signing the CSR. The webservers public key is sittign somewhere on the webserver. i would need to use that key to sign the CSR. The question is. how do i get that key?. Also I am confused as i believed that the webservers key would be embedded in the CSR. This normally involves using the 'ca' utility, before you do that a certain directory structure needs to be set up. This is documented in the ca manual page. However its easier to use the CA.pl script this can create the root CA and directory structure and sign the request among other things. Something like: CA.pl -newca move server request to newreq.pem CA.pl -sign new cert is then in newcert.pem Steve. -- Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/ Freelance consultant see: http://www.drh-consultancy.demon.co.uk/ Email: [EMAIL PROTECTED], PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's
Rohan Pinto wrote: I wrote What you need to do is: 1. create a root certificate 2. install that root certificate into all your web browsers 3. create a CSR on the server 4. use the root to sign that CSR into a server certificate This is the part that i would need help on. I have created a root certificate, I've imported that into all my web browsers and also on the webserver. I have also crested a cSR from the webserver. I dont know how to sign the CSR If I could get some advise on jow to sign a CSR i would at leats get an understanding of the flow. From what i have understood so far... I used the rootCA private key while signing the CSR. The webservers public key is sittign somewhere on the webserver. i would need to use that key to sign the CSR. The question is. how do i get that key?. Also I am confused as i believed that the webservers key would be embedded in the CSR. You are doing fine until you get to signing the CSR with the webserver's public key which is sitting somewhere on the webserver. Important theoretical points 1. The CSR IS the webserver's public key, plus some ID info 2. The CSR is made INTO the Certificate by signing with the root's private key (not any server key nor any public key) 3. The webserver's PRIVATE key is the one sitting somewhere on the webserver 4. The Certificate IS the webserver's public key (as obtained from the CSR) and is SIGNED using the root's private key. Why? So the root's public key, which EVERYBODY has access to, can be used to VERIFY that the certificate has not been forged. So, take the CSR from the webserver machine to the machine where you are running OpenSSL. Sign the CSR into a certificate using the private key from the root certificate. This can be done with either the ca tool (or something like CA.PL which calls it) or with the x509 tool. Take the certificate back and install it into the webserver. The way to do this varies from webserver to webserver but go to http://www.ssl.com/support/installation.jsp and look at the menu over on the right hand side. Find your webserver software and see if they have good installation documentation. This is a VERY well done web site. 5. install the server certificate on the server Wish i could get some pointers on the the steps to sign a CSR thats generated from a webserver (which resides on abcd.com domain) using openssl that resides on (xyz.com) on xyz.com: ftp abcd.com get server.csr.pem quit openssl x509 -req -in server.csr.pem \ -CA root.cert.pem -CAkey root.key.pem more options \ -out server.cert.pem ftp abcd.com put server.cert.pem Under more options there is -CAserial to set a serial number, maybe -sha1 to use SHA instead of MD5 as a hash, -days to set the certificate lifetime, etc. Some of these things can be set in the OpenSSL configuration file. I'd look at man x509. Alternatively, signing can be done with the ca tool, but I'm not so familiar with it. It requires an infrastructure of a data file and a serial number file and directories of various things etc and since I based our database on Oracle it seemed too high-level and high-maintenance to use. Unfortunately it seems I need to use it for my personal identity and privacy PKIs since x509 doesn't seem to know how to process a SPKIX file. Sorry about my somewhat fuzzy (and in some places WRONG) answer before. I should REALLY learn not to type anything in before noon. -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question - Signing CSR's (picture enclosed)
Sometimes a picture is worth a thousand words: The Standard Model of Certificate generation: On the server machine: Generate CSR operation +-+ +-+ | Private Key | | Certificate Signing Request | +--+--+ | | v | ++| | | Public Key || | ++| | | |Distinguished Name | | | Note: hash is signed | ++| by private key above | |Hash|| | ++| +--+--+ | | Sent to CA for signing v +-+ CA can use public key | Certificate | from CSR to check | | signature on hash to| ++| prevent alteration of | | Public Key || CSR by adversary| ++| | | | Issuer Distinguished Name | | | | Subject DistinguishedName | | | Note: hash is signed| ++| by private key of root | |Hash|| | ++| +--+--+ | | Returned to server v In secure site operation: Server presents certificate to client Client uses public key of root (obtained from preconfigured root certificate) to check hash to ensure certificate has not been forged. Client rolls a random number and encrypts it with the public key from the server certificate, then returns it to the server. Server decrypts this with server private key and both sides use it as a symmetric key for conventional (e.g., DES) cryptography. Eavesdropper does not have access to private key so cannot decrypt. Man-in-the-middle attacker does not have access to private key so cannot decrypt. -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Challenge Password - Newbie question
I am using the following script to create my certificate. openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:1whatever -passout pass:whatever -days 365 openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 -clcerts -passin pass:whatever -passout pass:whatever openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der rm -rf newcert newreq.pem When I execute this command I am asked for an challenge password. But I provided at the commands themselv a -passin pass and -passout pass. Is this the same or are this different passwords? It seems to me that the challenge password I am asked to enter during creation is not used for the certificate. And a second question: When I import the .p12 file into Windows I am asked for a password I am asked for a Secret. Is this the challenge password? Thanks for the help Berndt Command output. ITS-Test1:/etc/1x# ./createcert.pl karaduman Generating a 1024 bit RSA private key ++ ++ writing new private key to 'newreq.pem' - You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. - Country Name (2 letter code) [AT]:AT State or Province Name (full name) [Vienna]:Vienna Locality Name (eg, city) []: Organization Name (eg, company) [TGM - Schule der Technik]:TGM - Die Schule der Technik Organizational Unit Name (eg, section) [IT-Service]:IT-Service Common Name (eg, YOUR name) [TGM Wireless CA]:Ercan Karaduman Email Address [EMAIL PROTECTED]:[EMAIL PROTECTED] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:G5N5B3Y3 An optional company name []: Using configuration from /usr/lib/ssl/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 163 (0xa3) Validity Not Before: Aug 18 15:42:54 2003 GMT Not After : Aug 17 15:42:54 2004 GMT Subject: countryName = AT stateOrProvinceName = Vienna organizationName = TGM - Die Schule der Technik organizationalUnitName= IT-Service commonName= Ercan Karaduman emailAddress = [EMAIL PROTECTED] X509v3 extensions: X509v3 Extended Key Usage: TLS Web Client Authentication Certificate is to be certified until Aug 17 15:42:54 2004 GMT (365 days) Sign the certificate? [y/n]:y openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:1whatever -passout pass:whatever -days 365 openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 -clcerts -passin pass:whatever -passout pass:whatever openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der rm -rf newcert newreq.pem -- TGM - Die Schule der Technik IT - Service A - 1200 Wien, Wexstr. 19-23 Tel. +43(1)33126/316 Fax: +43(1)33126/154 E-Mail: [EMAIL PROTECTED] -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question: unable to load Netscape SPKAC structure
Thank you very much for the help!!! The charriage returns (^M) appeared in the file because the browser was running in a MacOS X, there is no problem if the Netscape client is runnig in Linux, for example. I have made a script to delete the charriage returns (^M). But... when i try to sign the client certificate request openssl ca -spkac certerq. (...) BEGIN CERTIFICATE- MIIDvTCCAyagAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBmjELMAkGA1UEBhMCRVMx DzANBgNVBAgTBk1hZHJpZDEUMBIGA1UEBxMLQ2FudG9ibGFuY28xEzARBgNVBAoT CkVNQm5ldC9DTkIxETAPBgNVBAsTCENOQi1DU0lDMRgwFgYDVQQDEw9lcmlzLmNu Yi51YW0uZXMxIjAgBgkqhkiG9w0BCQEWE25ldGFkbWluQGNuYi51YW0uZXMwHhcN MDMwNzE1MTQ0NzM3WhcNMDQwNzE0MTQ0NzM3WjCBgzELMAkGA1UEBhMCRVMxDzAN BgNVBAgTBk1hZHJpZDETMBEGA1UEChMKRU1CbmV0L0NOQjERMA8GA1UECxMIQ05C LUNTSUMxGDAWBgNVBAMTD2VyaXMuY25iLnVhbS5lczEhMB8GCSqGSIb3DQEJARYS ZW1haWxAeW91cmhvc3QuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDH 2aA5rdIZXQVbz49/VFf8/1PK6IUsAq073uKHlT9tMwvyIQHFB6LPRbw4FoskB6jg VXNDANqJbelNSBlLz4lg6fGu+DhNg5vqDy7IZS3TuiDZKAmgdNSiO6bfy8D/KM2I 7/8k2K0k49qJ3dysg++iI9TbVt7VnshtsZF5ECCO/wIDAQABo4IBJjCCASIwCQYD VR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm aWNhdGUwHQYDVR0OBBYEFFonnvTPOSUM6uTJc4TTQhousHa/MIHHBgNVHSMEgb8w gbyAFFIrWqlFW+S/O7gaJiqsalpsUx2joYGgpIGdMIGaMQswCQYDVQQGEwJFUzEP MA0GA1UECBMGTWFkcmlkMRQwEgYDVQQHEwtDYW50b2JsYW5jbzETMBEGA1UEChMK RU1CbmV0L0NOQjERMA8GA1UECxMIQ05CLUNTSUMxGDAWBgNVBAMTD2VyaXMuY25i LnVhbS5lczEiMCAGCSqGSIb3DQEJARYTbmV0YWRtaW5AY25iLnVhbS5lc4IBADAN BgkqhkiG9w0BAQQFAAOBgQAu1HSRQxxeQLbz/kbw9cVrOaMOHxLRRdpjIZ7NLpcV mdjnF1IV6zvyHRV3kxNLHm0xpaXGWnfA9Ri/vzA0nqFCkUa3+Zyn/QQFtb829kdn eZHzGMXElX3b9VGy8Jlvqi/Zvd+BQZ/j64B2rBYWrPrxqyaauuquM3pgwIh4ct5M 7Q== -END CERTIFICATE- Data Base Updated Segmentation fault (core dumped) Where can i found information about this error? Please, any ideas? Thank you in advanced. Richard Levitte - VMS Whacker wrote: I see a number of embedded charriage returns (^M). hos need to be removed. Yes. My current experimental code does this, I don't believe I would have put it in if it were not necessary: } elsif ( $req=$data-{'spkac'} ) {# Netscape SPKAC # $$ GET SERIAL NUMBER FROM DATABASE $req =~ s/\s+//g; # Delete CR LF . $req = 'SPKAC='.$req.\n.join(\n,@dn).\n; my $cert = spkcsign $ENV{'UMCPCA_vault'},'ID Cert Signing Passphrase', $ENV{'UMCPCA_OPENSSL'},$tmp,$serial,$req, $certlife,$certmail; # htmlfail htmlesce certtext $cert; # $$ INSERT CERT INTO DATABASE # $$ DELIVER CERT TO CLIENT print Content-Type: application/x-x509-user-cert\n\n$cert; } else { # Neither PKCS10 nor SPKAC htmlfail 'Neither PKCS10 nor SPKAC data returned...'; -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Newbie question: unable to load Netscape SPKAC structure
I'm following the CA recipe examples to do a CA setup under an AIX 5 environment. http://home.himolde.no/~kd/prosjekt/ca/ca.html openssl version 0.9.7 Browsers to test the client: Mozilla 1.0 or Netscape 7.01 When i try to sign the client certificate request... openssl ca -spkac certreq.9484 -days 365 Using configuration from /usr/local/contrib/openssl/openssl.cnf Enter pass phrase for /usr/local/etc/httpd/conf/ca/private/cakey.pem: unable to load Netscape SPKAC structure 19506:error:0B081076:x509 certificate routines:NETSCAPE_SPKI_b64_decode:base64 decode error:x509spki.c:91: Segmentation fault (core dumped) please, could you tell me what is wrong? sholud i modify my opsnssl.cnf? where? thank you very much. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question: unable to load Netscape SPKAC structure
What does certreq.9484 look like? Especially when decoded with the openssl spkac tool? David García Aristegui wrote: I'm following the CA recipe examples to do a CA setup under an AIX 5 environment. http://home.himolde.no/~kd/prosjekt/ca/ca.html openssl version 0.9.7 Browsers to test the client: Mozilla 1.0 or Netscape 7.01 When i try to sign the client certificate request... openssl ca -spkac certreq.9484 -days 365 Using configuration from /usr/local/contrib/openssl/openssl.cnf Enter pass phrase for /usr/local/etc/httpd/conf/ca/private/cakey.pem: unable to load Netscape SPKAC structure 19506:error:0B081076:x509 certificate routines:NETSCAPE_SPKI_b64_decode:base64 decode error:x509spki.c:91: Segmentation fault (core dumped) please, could you tell me what is wrong? sholud i modify my opsnssl.cnf? where? thank you very much. -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question: unable to load Netscape SPKAC structure
At first, the certreq. is more certreq.8558 commonName = Client Example emailAddress = [EMAIL PROTECTED] organizationName = Org organizationalUnitName = Unit localityName = Madrid stateOrProvinceName = Madrid countryName = ES SPKAC = MIICUTCCATkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIzBDKDXI3^MvflpWV X0NTusSZbAlB6DHd4UYJoX1iD8c6odYfKFOKWVVyzYcPFaleM7JM6YT3qB^MUCU30WzWy+kwphfPO6Kl ZwtFH6Sa7Ejeskd3j2a0rw0yBn05AP86bpW2p6wCeyHU^M40QGyw9d48zUKQQhS/7QKobscLU0Z63C4F uHblK7SCyoqNIAD8vdzt1DO4uSTLgR^MuDRri1v5OBEI1CXCgpqbqZEiK8VmNhDP5KZIEK25YLPH3IH6 fcSbmjJnOSvPlSFs^MiZPfGS/nZiLn9ZIc7yFTgvxpWlgN1lHOWaz4IN7zFcC5VkxiSpNnSKhslxMFUZ aQ^MZ6yybsZopdn/AgMBAAEWEWNoYWxsZW5nZVBhc3N3b3JkMA0GCSqGSIb3DQEBBAUA^MA4IBAQB8rN FFnrq1CXD7AT0bWfFfXar/ZAu5LDCv55uqhb4Kmah9KbVe3q5cT3W/^MMCOQrfuFasmQ1mGpNUwM4b2l YpEVWOgm6tiZHp8nfwz2a68jke5qrsfLtxO2FGEu^Mnc/EMqTs6h23PQlwDEU01E2Sqs6eovNOZYpuS0 fQtNdNBcTevMuV5sIYadUgX7S+^M673f1SnqQyJTHG3KlF7jmLpi/LyJtxFc/IvfqymHf2y4cakV0hMc vkBV6NlfzmSg^M01wcwY2VjyZ/+5rAPArnTSi4Nxx7guaIhkxVwjaHoQOnpUbFNsia32Uu8RJpSTCz hbvsl/kXThFgba5FGCkVbZuSJ7fy then i use the openssl ca -spkac certreq. -days 365 more certreq.8558 commonName = Client Example emailAddress = [EMAIL PROTECTED] organizationName = Org organizationalUnitName = Unit localityName = Madrid stateOrProvinceName = Madrid countryName = ES SPKAC = MIICUTCCATkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIzBDKDXI3^MvflpWVX0NTu sSZbAlB6DHd4UYJoX1iD8c6odYfKFOKWVVyzYcPFaleM7JM6YT3qB^MUCU30WzWy+kwphfPO6KlZwtFH6Sa7E jeskd3j2a0rw0yBn05AP86bpW2p6wCeyHU^M40QGyw9d48zUKQQhS/7QKobscLU0Z63C4FuHblK7SCyoqNIAD 8vdzt1DO4uSTLgR^MuDRri1v5OBEI1CXCgpqbqZEiK8VmNhDP5KZIEK25YLPH3IH6fcSbmjJnOSvPlSFs^MiZ PfGS/nZiLn9ZIc7yFTgvxpWlgN1lHOWaz4IN7zFcC5VkxiSpNnSKhslxMFUZaQ^MZ6yybsZopdn/AgMBAAEWE WNoYWxsZW5nZVBhc3N3b3JkMA0GCSqGSIb3DQEBBAUA^MA4IBAQB8rNFFnrq1CXD7AT0bWfFfXar/ZAu5LDCv 55uqhb4Kmah9KbVe3q5cT3W/^MMCOQrfuFasmQ1mGpNUwM4b2lYpEVWOgm6tiZHp8nfwz2a68jke5qrsfLtxO 2FGEu^Mnc/EMqTs6h23PQlwDEU01E2Sqs6eovNOZYpuS0fQtNdNBcTevMuV5sIYadUgX7S+^M673f1SnqQyJT HG3KlF7jmLpi/LyJtxFc/IvfqymHf2y4cakV0hMcvkBV6NlfzmSg^M01wcwY2VjyZ/+5rAPArnTSi4Nxx7gua IhkxVwjaHoQOnpUbFNsia32Uu8RJpSTCz^Mhbvsl/kXThFgba5FGCkVbZuSJ7fy openssl spkac -in certreq.8558 Error loading SPKAC 26928:error:0B081076:x509 certificate routines:NETSCAPE_SPKI_b64_decode:base64 decode error:x509spki.c:91: Thank you in advanced. What does certreq.9484 look like? Especially when decoded with the openssl spkac tool? David García Aristegui wrote: I'm following the CA recipe examples to do a CA setup under an AIX 5 environment. http://home.himolde.no/~kd/prosjekt/ca/ca.html openssl version 0.9.7 Browsers to test the client: Mozilla 1.0 or Netscape 7.01 When i try to sign the client certificate request... openssl ca -spkac certreq.9484 -days 365 Using configuration from /usr/local/contrib/openssl/openssl.cnf Enter pass phrase for /usr/local/etc/httpd/conf/ca/private/cakey.pem: unable to load Netscape SPKAC structure 19506:error:0B081076:x509 certificate routines:NETSCAPE_SPKI_b64_decode:base64 decode error:x509spki.c:91: Segmentation fault (core dumped) please, could you tell me what is wrong? sholud i modify my opsnssl.cnf? where? thank you very much. -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question: unable to load Netscape SPKAC structure
In message [EMAIL PROTECTED] on Mon, 14 Jul 2003 17:34:21 +0200, David García Aristegui [EMAIL PROTECTED] said: david At first, the certreq. is david david more certreq.8558 david david commonName = Client Example david emailAddress = [EMAIL PROTECTED] david organizationName = Org david organizationalUnitName = Unit david localityName = Madrid david stateOrProvinceName = Madrid david countryName = ES david SPKAC = MIICUTCCATkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIzBDKDXI3^MvflpWV david X0NTusSZbAlB6DHd4UYJoX1iD8c6odYfKFOKWVVyzYcPFaleM7JM6YT3qB^MUCU30WzWy+kwphfPO6Kl david ZwtFH6Sa7Ejeskd3j2a0rw0yBn05AP86bpW2p6wCeyHU^M40QGyw9d48zUKQQhS/7QKobscLU0Z63C4F david uHblK7SCyoqNIAD8vdzt1DO4uSTLgR^MuDRri1v5OBEI1CXCgpqbqZEiK8VmNhDP5KZIEK25YLPH3IH6 david fcSbmjJnOSvPlSFs^MiZPfGS/nZiLn9ZIc7yFTgvxpWlgN1lHOWaz4IN7zFcC5VkxiSpNnSKhslxMFUZ david aQ^MZ6yybsZopdn/AgMBAAEWEWNoYWxsZW5nZVBhc3N3b3JkMA0GCSqGSIb3DQEBBAUA^MA4IBAQB8rN david FFnrq1CXD7AT0bWfFfXar/ZAu5LDCv55uqhb4Kmah9KbVe3q5cT3W/^MMCOQrfuFasmQ1mGpNUwM4b2l david YpEVWOgm6tiZHp8nfwz2a68jke5qrsfLtxO2FGEu^Mnc/EMqTs6h23PQlwDEU01E2Sqs6eovNOZYpuS0 david fQtNdNBcTevMuV5sIYadUgX7S+^M673f1SnqQyJTHG3KlF7jmLpi/LyJtxFc/IvfqymHf2y4cakV0hMc david vkBV6NlfzmSg^M01wcwY2VjyZ/+5rAPArnTSi4Nxx7guaIhkxVwjaHoQOnpUbFNsia32Uu8RJpSTCz david hbvsl/kXThFgba5FGCkVbZuSJ7fy I see a number of embedded charriage returns (^M). hos need to be removed. -- Richard Levitte \ Tunnlandsvägen 3 \ [EMAIL PROTECTED] [EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question: unable to load Netscape SPKAC structure
Richard Levitte - VMS Whacker wrote: I see a number of embedded charriage returns (^M). hos need to be removed. Yes. My current experimental code does this, I don't believe I would have put it in if it were not necessary: } elsif ( $req=$data-{'spkac'} ) {# Netscape SPKAC # $$ GET SERIAL NUMBER FROM DATABASE $req =~ s/\s+//g; # Delete CR LF . $req = 'SPKAC='.$req.\n.join(\n,@dn).\n; my $cert = spkcsign $ENV{'UMCPCA_vault'},'ID Cert Signing Passphrase', $ENV{'UMCPCA_OPENSSL'},$tmp,$serial,$req, $certlife,$certmail; # htmlfail htmlesce certtext $cert; # $$ INSERT CERT INTO DATABASE # $$ DELIVER CERT TO CLIENT print Content-Type: application/x-x509-user-cert\n\n$cert; } else { # Neither PKCS10 nor SPKAC htmlfail 'Neither PKCS10 nor SPKAC data returned...'; -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Newbie Question Re: Public Key Encryption [Please help!!]
Hi, I am trying to encrypt a session key that I created using DES_KEY_SCHEDULE. I am using RSA_public_encrypt to encrypt the session key (8 bytes) with the public key using RSA_PKCS1_OEAP_PADDING. This creates a 64byte encrypted session key. I send this to the Server on the windows machine. But 'Importing the Encrypted Session Key' on that server fails. That's implemented using wincrypt.h functions such as CryptImportObjectEx. Further info: I used the public key received from the server (created using the asymmetric_encrypt_algorithm) and I imported that using: rsaPubKey = (RSA*) d2i_RSA_PUBKEY_bio(pub,NULL); Now, I use this to encrypt the session key: unsigned char ciphertext[512]; unsigned char iv[8]; unsigned char iv1[8]; RAND_seed(rnd_seed, sizeof (rnd_seed)); RAND_pseudo_bytes(iv,8); bytecopy(iv,iv1,8); encryptlen = RSA_public_encrypt (8, (*ks)-ks.cblock, ciphertext, rsaPubKey, RSA_PKCS1_OAEP_PADDING); if(encryptlen == -1) { fprintf (stderr, ERROR: Failed to encrypt using public key\n); goto proc_exit; } The length after this is 64, which is preferred. So, after all this when I finally send the 'ciphertext' chars as the encrypted session key, the server fails to import it using CryptImportKey (from wincrypt.h). The ERROR RECEIVED says: Either the algorithm that works with the public key you are trying to import is not supported by this CSP, or an attempt was made to import a session key that was encrypted with something other than one of your public keys If anyone has come into a similar problem or anything close, please let me know. Any help will be tremendously appreciated. If you like to know more details or are interested in working with me on this, please let me know. Thanx in advance, J.. = - J | - [EMAIL PROTECTED] __ Do You Yahoo!? Yahoo! Autos - Get free new car price quotes http://autos.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: RSA public and private key lengths (newbie question)
Hi, Thanks a lot for the reply. I have one more question. The private key contains all the RSA key data whereas the public key contains just the public components. So yes, this is normal. Cheers, Geoff Since public key contains only the public components is it possible to encrypt a message using RSA_public_encrypt() with a RSA struct having just the public key i.e. RSA struct obtained from rsa = d2i_RSAPublicKey(..) Thanks, Manish -- Manish Chablani ([EMAIL PROTECTED]), Graduate Student, Computer Science Department, Indiana University -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RSA public and private key lengths (newbie question)
Hi, Here is the snippet of my code which generates RSA key pair and then saves the public and private keys in character buffer. However the output shows the public key and private keys are of different sizes.. I was under the impression that pub and priv keys are of same sizes.. is my understanding wrong or some problem with my code ? Here is the code snippet.. /**/ #define NUM_BITS 1024 #define RSA_F4 0x10001 RSA *rsa; unsigned char ki_pub[1024]; /* Public Key generated by lamboot */ unsigned char ki_pri[1024]; /* corresponding Private Key generated by lamboot */ unsigned char *p; int ki_pub_len; /* length of public key */ int ki_pri_len; /* length of private key */ /* Set up the initial RSA key pair ki */ if ((rsa=RSA_generate_key(NUM_BITS,RSA_F4,NULL,NULL))==NULL) { perror(RSA key generation failed); } /* Save the public and private keys into the char array */ p = ki_pub; ki_pub_len = i2d_RSAPublicKey(rsa,p); printf(Length of public key is %d\n,ki_pub_len); p = ki_pri; ki_pri_len = i2d_RSAPrivateKey(rsa,p); printf(Length of private key is %d\n,ki_pri_len); // The output generated is: Length of public key is 140 Length of private key is 609 Is this output correct ?? am I missing something ? Manish. -- Manish Chablani ([EMAIL PROTECTED]), Graduate Student, Computer Science Department, Indiana University -- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: RSA public and private key lengths (newbie question)
Hi, On Sat, 13 Jul 2002, Manish Ramesh Chablani wrote: Here is the snippet of my code which generates RSA key pair and then saves the public and private keys in character buffer. However the output shows the public key and private keys are of different sizes.. I was under the impression that pub and priv keys are of same sizes.. is my understanding wrong or some problem with my code ? [snip] The output generated is: Length of public key is 140 Length of private key is 609 The private key contains all the RSA key data whereas the public key contains just the public components. So yes, this is normal. Cheers, Geoff __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie question, extending life of self-signed certs beyond 30 days.
Hi Zac, Try this command specifying explicitely the number of days: openssl req -config /etc/openssl.cnf -new -x509 -keyout newkey.pem -out newcert.pem -days 365 note: check for the openssl.cnf path For more details you can consult this URL: http://www.linux.org/docs/ldp/howto/SSL-Certificates-HOWTO/x139.html Zac Taylor [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent by:cc: owner-openssl-users@Subject: Newbie question, extending life of self-signed certs beyond 30 days. openssl.org 11/07/2002 19:57 Please respond to openssl-users Hi, I have a RH 7.2 system running Apache 2.0.39 and openssl-0.9.6b-8. I used the openssl utilities to create a private key and a self-signed certificate. I noticed that my browser showed the certiciate having a validity of only a month, so I went to the /usr/share/ssl/openssl.cnf file and changed the following : default_days = 3650 default_crl_days = 3650 default_md = sha1 Having re-created the self-signed cert and restarted the web server, I noticed that the browser showed the sha1 encryption (changed from md5), but no change to the validity - I was expecting it to be 10 years. Is there a way to change the default days for a self-signed certificate. When I created it, I was not prompted for the valid days. Thanks in advance, Zac. __ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Newbie question, extending life of self-signed certs beyond 30 days.
Hi, I have a RH 7.2 system running Apache 2.0.39 and openssl-0.9.6b-8. I used the openssl utilities to create a private key and a self-signed certificate. I noticed that my browser showed the certiciate having a validity of only a month, so I went to the /usr/share/ssl/openssl.cnf file and changed the following : default_days = 3650 default_crl_days = 3650 default_md = sha1 Having re-created the self-signed cert and restarted the web server, I noticed that the browser showed the sha1 encryption (changed from md5), but no change to the validity - I was expecting it to be 10 years. Is there a way to change the default days for a self-signed certificate. When I created it, I was not prompted for the valid days. Thanks in advance, Zac. __ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
re: newbie question on OCSP
OK... I think I get it... Now, the openssl site mentions an ocsp command for openssl, which I would assume would enable it to launch an ocsp response server. Firstly, I have openssl-0.9.6c-engine, and yet cannot find ocsp by me? Is it part of the planned 0.9.7? If so, is there a stable-looking release that includes it? Can anyone give me the basic basics on how it is meant to be used, and if it will work with the index.txt file mainained by openssl's mini-ca ca command? Thanks for all the help, you guys are great! Issac PS. Can I humbly ask that people cc back to me also? tnx __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: newbie question on OCSP
Issac Goldstand wrote: OK... I think I get it... Now, the openssl site mentions an ocsp command for openssl, which I would assume would enable it to launch an ocsp response server. Firstly, I have openssl-0.9.6c-engine, and yet cannot find ocsp by me? Is it part of the planned 0.9.7? If so, is there a stable-looking release that includes it? Can anyone give me the basic basics on how it is meant to be used, and if it will work with the index.txt file mainained by openssl's mini-ca ca command? Thanks for all the help, you guys are great! Issac It is part of 0.9.7. There is a test reponder supported by the 'openssl' command of 0.9.7 which can indeed read status information from the index.txt file. However its only useful for test purposes in its current form, for example it will only accept one incoming connection. It would be possible to use it for more serious applications by wrapping it in a CGI script from a webserver though. It wont work well under heavy load or for a large number of certificates though. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Gemplus: http://www.gemplus.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: newbie question on OCSP
There are other differences: CRL's can be big An org might consider its CRL private info (ooh look, Fred must have gotten fired) It's hard to *prove* you consulted a CRL; for OCSP use a hash of your real document as the nonce, and save the response. An OCSP responder can work off faster information than just the CA's CRL. hope this helps. /r$ -- Zolera Systems, http://www.zolera.com Information Integrity, XML Security __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: newbie question on OCSP
Rich Salz wrote: An org might consider its CRL private info (ooh look, Fred must have gotten fired) In private email, I was prompted to explain this better. The issue is not when ONE cert is revoked, but when a large number, and you can make guesses about the number range. For example, an Identrus bank might lose a customer, revoking 100 certificates; a corporation might shut down a department, revoking a couple-dozen, etc. Hope this helps (more). /r$ -- Zolera Systems, http://www.zolera.com Information Integrity, XML Security __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
newbie question on OCSP
Can someone please help a poor newbie understand exactly what this is for and how it's used? I've tried looking at the documentation, but I feel like I'm drowning, probably because I'm trying to understand the details, but not quite getting the simple stuff,.. Thanks in advance, Issac __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: newbie question on OCSP
Hi, OCSP stands for Online Certificate Status Protocol. This, as the name suggests specifies a protocol to obtain the Status of a Certificate Online. There can be many reasons for a certificate to become invalid even before its actual lifetime for which it was issued. These may be Key Compromise etc etc.. Each CA maintains a list of all the revoked certificates. That list is called as the Certificate Revocation List (CRL). Our aim is to obtain the status of a certificate ie Valid or Invalid. To be more techincal Revoked or Not Revoked. One method of knowing this is using the LDAP protocol. Use this protocol a user can download the CRL and check it with the Serial Number of the Certificate in Question. If the serial number is found, it means the Certificate is revoked else the user can assume that the Certificate is not revoked. This requires a lot of memory in your system as the CRL size keep on increasing. For that reason the OCSP protocol was born. This might be the author's intention in bringing up this protocol. There is a server called an OCSP responder. This server will maintain all the certificates that are revoked for a particular CA. (The CA may itself be an OCSP responder also). User constructs an OCSP request as per the protocol with all the details of the Certificate for which the revocation status has to be found. The responder will respond with the status of that certificate saying whether it is GOOD, REVOKED or UNKOWN. This is my understanding of the OCSP protocol. I hope this helps... Regards Suram - Original Message - From: Issac Goldstand [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, March 08, 2002 1:17 AM Subject: newbie question on OCSP Can someone please help a poor newbie understand exactly what this is for and how it's used? I've tried looking at the documentation, but I feel like I'm drowning, probably because I'm trying to understand the details, but not quite getting the simple stuff,.. Thanks in advance, Issac __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
newbie question
Hi, I'm a software developer that uses Interbase as my backend database. I have no expertise/knowlege on SSL and fewer on TCP/IP and networking. I was discusing at an Interbase newsgroups about the easy to break encription of Interbase username/password over the net during connection (client to server) and more, data is not encripted to be sent over network. So, using Interbase over INTERNET is not a good idea (as any snifer can get your passord/data). So, Bill Todd (TeamB) came with "How about SSL or VPN?". Well, I thought (think in the past :) sorry my poor english) I could not use SSL other than with Web Servers (like Apache and IIS) but then I got curious... Can I make my (C/S) database connection over SSL (using TCP/IP)?? If Yes, what do I need?? The database engine has to implement something?? --How does SSL works?? Well, I'm sorry for so "open" questions, if you can point me any "direction", give me some references and docs I should read, I'd be thankfull!! Thanks to any help, Regards. Anderson Farias [EMAIL PROTECTED] PS I use Interbase server at both WindowsNT and Linux OSs. And clientat Windows9x. ---
RE: newbie question
Hi, From personal experience, I've found the following two topics exceptionally handy: 1. Following all the threads in the mailing list 2. Eric Rescorla's book, SSL and TLS, Designing and building Secure systems (www.rtfm.com) 3. There's also a few loose guides, like the one on Linuxdoc, etc. that help with key concepts I've used SSL to secure our VPN, and it works great. Pascal -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Anderson Farias Sent: Sunday, 17 February 2002 12:07 p.m. To: [EMAIL PROTECTED] Subject: newbie question Hi, I'm a software developer that uses Interbase as my backend database. I have no expertise/knowlege on SSL and fewer on TCP/IP and networking. I was discusing at an Interbase newsgroups about the easy to break encription of Interbase username/password over the net during connection (client to server) and more, data is not encripted to be sent over network. So, using Interbase over INTERNET is not a good idea (as any snifer can get your passord/data). So, Bill Todd (TeamB) came with How about SSL or VPN?. Well, I thought (think in the past :) sorry my poor english) I could not use SSL other than with Web Servers (like Apache and IIS) but then I got curious... Can I make my (C/S) database connection over SSL (using TCP/IP)?? If Yes, what do I need?? The database engine has to implement something?? -- How does SSL works?? Well, I'm sorry for so open questions, if you can point me any direction, give me some references and docs I should read, I'd be thankfull!! Thanks to any help, Regards. Anderson Farias [EMAIL PROTECTED] PS I use Interbase server at both WindowsNT and Linux OSs. And client at Windows9x. --- __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: newbie question
Anderson Farias [EMAIL PROTECTED] writes: I'm a software developer that uses Interbase as my backend database. I have no expertise/knowlege on SSL and fewer on TCP/IP and networking. I was discusing at an Interbase newsgroups about the easy to break encription of Interbase username/password over the net during connection (client to server) and more, data is not encripted to be sent over network. So, using Interbase over INTERNET is not a good idea (as any snifer can get your passord/data). So, Bill Todd (TeamB) came with How about SSL or VPN?. Well, I thought (think in the past :) sorry my poor english) I could not use SSL other than with Web Servers (like Apache and IIS) but then I got curious... Can I make my (C/S) database connection over SSL (using TCP/IP)?? Almost certainly. If Yes, what do I need?? The database engine has to implement something?? -- How does SSL works?? SSL is a security layer that sits on top of TCP/IP. The idea is that every byte of data you transmit over TCP is first encrypted. So, here's the protocol stack w/o and w/ SSL +---+ +---+ | | | Application | | Application | +---| | | | SSL | +---+ +---+ | TCP | | TCP | +---+ +---+ | IP | | IP | +---+ +---+ Without SSL With SSL In general, this requires modifying the applications (though not the TCP stacks) on either side. However, many applications already have SSL patches or plugins. If you have an application you can't modify you can often insert an SSL proxy that will SSLize or de-SSLize the data. For instance: | ++ | +--+ ++ | SSL | | | Proxy| | Normal | | Client | | |---| Server | ++ Protocol/SSL | +--+ /|\ +- | | FirewallNormal Protocol Stunnel is one such proxy. -Ekr -- [Eric Rescorla [EMAIL PROTECTED]] Author of SSL and TLS: Designing and Building Secure Systems http://www.rtfm.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
newbie question
Hi, I'm a software developer that uses Interbase as my backend database. I have no expertise/knowlege on SSL and fewer on TCP/IP and networking. I was discusing at an Interbase newsgroups about the easy to break encription of Interbase username/password over the net during connection (client to server) and more, data is not encripted to be sent over network. So, using Interbase over INTERNET is not a good idea (as any snifer can get your passord/data). So, Bill Todd (TeamB) came with "How about SSL or VPN?". Well, I thought (think in the past :) sorry my poor english) I could not use SSL other than with Web Servers (like Apache and IIS) but then I got curious... Can I make my (C/S) database connection over SSL (using TCP/IP)?? If Yes, what do I need?? The database engine has to implement something?? --How does SSL works?? Well, I'm sorry for so "open" questions, if you can point me any "direction", give me some references and docs I should read, I'd be thankfull!! Thanks to any help, Regards. Anderson Farias [EMAIL PROTECTED] PS I use Interbase server at both WindowsNT and Linux OSs. And clientat Windows9x. ---
Re: newbie question
On Sat, Feb 16, 2002 at 08:23:14PM -0300, Anderson Farias wrote: Well, I thought (think in the past :) sorry my poor english) I could not use SSL other than with Web Servers (like Apache and IIS) but then I got curious... Can I make my (C/S) database connection over SSL (using TCP/IP)?? If Yes, what do I need?? The database engine has to implement something?? -- How does SSL works?? SSL is Secure Socket LAYER, so if you application work over TCP/IP SSL must works. Try www.stunnel.org, e.i. ./nelson -murilo __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: newbie question -- private key -- encrypted token
I based my GUI fields on the Distinguised Name prompts displayed when I ran the command,openssl req -new -nodes -keyout private.key -out public.csrfrom the command line. These fields included Country Name, State or Province Name,Locality Name, Organization Name, Organizational Unit Name, Common Name, and Email address.Additionally, the command prompted for *extra* attributes. These included a challengepassword and optional company name. So the term challenge password came from the openssl prompt. This challenge password is sent with the certificate request. I am able to execute the command via the c language "system" call and a public.csr is generated. I can send this csr to verisign to get a trial id and plug it into codewritten by someone else and it appears to work. I am just curious about this challenge passwordand what is it used for...and do i want to use it. Also, the private key is in PEM format soisn't it already encrypted? Do I need to do anything else to it? Bear Giles [EMAIL PROTECTED] wrote: When I was looking at how other GUI based applications worked, I noticed that after all of the common name information was entered it asked for the challenge password.This sounds a bit confused. (Just because someone elsewrote a GUI for this task doesn't mean that they understoodwhat needed to be done. You need to be sure you understandwhat you're doing, not just blindly mimicking anotherpackage.)If you're authenticating a request with a SPKAC (signed public key and challenge), instead of a self-signed cert, you needto include a challenge string in the SPKAC. The purpose ofthe challenge string is to prevent a SPKAC being reused byan imposter, and it is usually specified by the CA when itprovides a template for the certificate request, althoughit could also be specified in a way that requires the usert! o enter the information manually.The private key should also be encrypted, but that'susually referred to as a "passphrase" or "password".A "challenge password" sounds a lot like somebody hearing"challenge" and assuming it must refer to the private key,not the SPKAC.(Aside: do self-signed certs used as requests also includechallenge strings as an "attribute"?) question is, after you have generated the private key, how do you store it in a token? Then, how do you protect the token with a password? Token? Again this is a bit confusing - when I read"token" I think of a physical device like a smart card.Somehow I doubt that's what you mean. ;-)One standard format for private keys is PKCS8 (see pkcs8(1)).The keys may be kept as standalone files, or stored in adatabase or other type of 'keystore'. openssl genrsa -out outfile.pem 1024openssl genrsa 1024 | openssl pkcs! 8 -topk8 [-v2 bf] -out outfile.pembut between the pipe and the passphrase I found it easierto use the C API directly.__OpenSSL Project http://www.openssl.orgUser Support Mailing List [EMAIL PROTECTED]Automated List Manager [EMAIL PROTECTED]Do You Yahoo!? Send FREE video emails in Yahoo! Mail.
newbie question on installing certificate request
I have generated a CSR, and sent it to Verisign. Verisign sent me back an e-mail. From this email, what do i use to install the certificate, and what command do I use to install the certificate I received from Verisign?? Thanks CarolynDo You Yahoo!? Send FREE video emails in Yahoo! Mail.
Newbie question on generating a certificate request
Greetings All, I am very new to openssl and am having some difficulty finding the information on generating a certificate request. What I really want to do is obtain the distinguished name information via a web page then pass that information into the openssl call (specifically I want to do openssl req -in file -nodes -keyout key.pem -out out.pem where file is the information submitted by the user via the web page). However, in order to use the "-in" qualifier I believe the input file has to be in PEM format (or that is what I believe I have gathered from the openssl.org site). Is this the case? If so, how do I convert the file from ascii to PEM. Also, should there be field names associated with the data from the disntinguised name (ie key value pair) ? If so, what exactly should these be? If this is documented someplace, PLEASE point me in the direction of the documentation. Thank you, CaroylnDo You Yahoo!? Send FREE video emails in Yahoo! Mail.
Re: Newbie question on generating a certificate request
Carolyn Malloy wrote: Greetings All, I am very new to openssl and am having some difficulty finding the information on generating a certificate request. What I really want to do is obtain the distinguished name information via a web page then pass that information into the openssl call (specifically I want to do openssl req -in file -nodes -keyout key.pem -out out.pem where file is the information submitted by the user via the web page). However, in order to use the -in qualifier I believe the input file has to be in PEM format (or that is what I believe I have gathered from the openssl.org site). Is this the case? If so, how do I convert the file from ascii to PEM. Also, should there be field names associated with the data from the disntinguised name (ie key value pair) ? If so, what exactly should these be? If this is documented someplace, PLEASE point me in the direction of the documentation. What you actually need to do is to construct a template configuration file with the necessary field values in it and pass that on the command line using the -config option. See the EXAMPLES section of the req(1) manual page in doc/apps/req.pod or at: http://www.openssl.org/docs/apps/req.html#EXAMPLES Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Gemplus: http://www.gemplus.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Very Newbie Question
Hello, I am looking for some advice on where to start with a Python script that needs to send and receive some data over SSL. I have looked into using M2Crypto in conjunction with OpenSSL for the solution. All I need to do is a POST to a secure server and parse the response. Here is my question: Do I need Python + OpenSSL + SWIG to do this? How should I deal with the certs? I am very new to SSL so I am not sure where to start. All help is well appreciated, how-to's, tutorials etc. . Thank you in advance. _ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
newbie question
well. i am a newbie trying to understand 1. what is a certificate? 2. who shall make it? 3. who how to get it? 4. if i have my own setup, and some previleged users only should get the access to the site, how can i implement that? 5. and if 4( as above) is possible, how can i achieve it? infact, i went through the openssl documentation at openssl.org but, for my primitive knowledge, it was all greek and latin. please forgive me ...and just give me a little information. regds murali krishna vemuri __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: newbie question
Go to either http://www.netscape.com/ http://www.verisign.com/ http://www.rsa.com/ and read up on the docs contained there. On each site can be found good info discussing the questions you ask. -Original Message- From: Murali K. Vemuri [mailto:[EMAIL PROTECTED]] Sent: Friday, December 14, 2001 6:58 AM To: [EMAIL PROTECTED] Subject: newbie question well. i am a newbie trying to understand 1. what is a certificate? 2. who shall make it? 3. who how to get it? 4. if i have my own setup, and some previleged users only should get the access to the site, how can i implement that? 5. and if 4( as above) is possible, how can i achieve it? infact, i went through the openssl documentation at openssl.org but, for my primitive knowledge, it was all greek and latin. please forgive me ...and just give me a little information. regds murali krishna vemuri __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] * DISCLAIMER: The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee. Access, copying or re-use of the e-mail or any information contained therein by any other person is not authorized. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: newbie question
Try www.linuxdoc.org look for the SSL Certificates HOWTO. On Fri, 2001-12-14 at 11:57, Murali K. Vemuri wrote: well. i am a newbie trying to understand 1. what is a certificate? 2. who shall make it? 3. who how to get it? 4. if i have my own setup, and some previleged users only should get the access to the site, how can i implement that? 5. and if 4( as above) is possible, how can i achieve it? infact, i went through the openssl documentation at openssl.org but, for my primitive knowledge, it was all greek and latin. please forgive me ...and just give me a little information. regds murali krishna vemuri __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]