Cheers!
In general, should I be looking to submit patches against master? Assuming
the latest stable branch was the place to go may have been presumptuous of
me. :)
Best regards,
Oscar Jacobsson
On 2014-06-26 14:40, "Hubert Kario via RT" wrote:
> ----- Original Message -----
>
Well...
I think it's more a case of OpenSSL and LDAP using *different*
mechanisms for string encoding. LDAP reverses the RDN sequence (making
it conform to RFC 2253), while OpenSSL (and this goes back to SSLeay)
does not.
I don't think you could really claim that there was an "X.500 order" at
al
Just my two hundredths of a crown:
(and I really hope I get the ordering right.)
"O=McDonalds, L=Tampa, ST=FL, C=US"
This does break the naming recommendations given in X.521 Annex B
though, which don't allow for a stateOrProvinceName.
Best regards,
//oscar
David Lyon wrote:
> We have a new
Bodo Moeller wrote:
> Oh, that. I think that was a typo; all the other branches use
> INT_MAX (and so does 0.9.6-stable now).
Ah. I haven't got anything that could really pass for a C standard
library reference handy, so I just chalked it up to MSVC misbehaving out
of habit.
Thanks for clearing
Bodo Moeller wrote:
> > * crypto/bio/bss_bio.c now checks SSIZE_MAX, and in the visual c++
> > limits.h this won't get defined unless one defines _POSIX_. Should this
> > definition go into e_os.h or is it ok to simply insert it here prior to
> > the inclusion of limits.h?
>
> If SSIZE_MAX is not
Unfortunately, the engine version of 0.9.6c doesn't build cleanly with
MSVC. Would you mind terribly using a current snapshot of the stable
engine branch instead, until there's an official release that addresses
this issue?
Best regards,
//oscar
Hi!
More MSVC fixes.
The little patch below is required to get crypto/engine/hw_aep.c to
compile with MSVC.
Best regards,
//oscar
diff -u -r1.1.2.4 hw_aep.c
--- hw_aep.c7 Feb 2002 22:04:27 - 1.1.2.4
+++ hw_aep.c23 Feb 2002 10:20:39 -
@@ -82,8 +82,8 @@
#endif
-static
Hi!
I think something along the following should do the trick:
// Create a memory buffer BIO
BIO* certBIO = BIO_new_mem_buf(buffer, bufferLength);
// Read request from BIO
X509* cert = PEM_read_bio_X509(certBIO, 0, 0, 0);
// get length of DER encoding
int encLength = i2d_X509(cert, 0);
// Cre
This was all actually changed intentionally a while back as there was a
conflict between id-at-uniqueIdentifier and { 0 9 2342 19200300 100 1 1
} (henceforth simply referred to as Userid.)
The reason for the conflict is that both claimed the short name "uid".
Userid, having formally had the attri
Hi!
Just a couple of quick niggles with the 0.9.6-stable branch:
* The fix for crypto/tmdiff.c (ie. the diff between 1.9.2.1 & 1.9.2.2)
needs to be merged into this branch as well. Missing #endif.
* crypto/bio/bss_bio.c now checks SSIZE_MAX, and in the visual c++
limits.h this won't get defined
Richard Levitte - VMS Whacker wrote:
> Suggestion: there are packages out there that supply interfaces for
> OpenSSL to perl, python, ruby and I don't know what other languages.
> If you build a VB interface, it might be a good idea to release it as
> a separate package.
>
> [reasoning deleted fo
Warning: loads of Win32-specific information inside. Proceed at your own
risk!
If by making it run via ASP/IIS you mean having it accessible from
Visual Basic/VBScript I'm afraid there's quite a bit of manual tweaking
that will have to be done.
In order for C functions to be at all usable from V
Richard Levitte - VMS Whacker wrote:
> I just committed a libeay.num that has these added. I also changed
> the main trunk libeay.num so those two would stay in the same position
> there as well.
Grand!
> According to the Unixly manuals, they are defined in or through
> string.h. Is that true
Hi!
Just two slight problems with the Win32/VC6 build:
1) util/libeay.num seems to be missing a couple of entries, namely:
ENGINE_load_aep
ENGINE_load_sureware
These are both in the trunk, but don't seem to have made it out into the
release branch.
2) For some reason, in the de
Dr S N Henson wrote:
> I'd be reluctant to have multiple APIs handling each case. What we could
> have is flags or profiles saying what a certain kind of database should
> support.
OpenSSL currently has separate APIs, as opposed to flags or profiles,
for handling EVP_PKEYs, X509s and X509_CRLs be
Bear Giles wrote:
> Remember that there are actually two independent pieces of code here -
> a "tab A" independent shared library and a "slot B" library that loads
> it. The latter can provide convenience wrappers to functions in the
> former, avoiding the need to duplicate code in the independen
Richard Levitte - VMS Whacker wrote:
> Actually, wouldn't the availability of functionality be somewhat up to
> the plug-in as well? In the full-blown PKI, you will also have things
> like "fetch me the cert corresponding to this name" and "fetch me the
> key (or a handle to the key) with this fi
Bear Giles wrote:
> But a plug-in that transparently updated a smart card would be extremely
> handy. :-) That's what makes the design so hard - it needs to be able
> to handle everything from 8k smart cards holding a single veiled key and
> cert to RDBMS databases with 50,000+ entries.
I think
Bear Giles wrote:
> And from a pragmatic perspective, whole-cert hashes make a lot of sense.
NB: I've only ever messed about with relational databases for a brief
spell a few years back, so please excuse my struggling with the
terminology.
As primary keys go, I'm certain that whole-cert hashes w
Richard Levitte - VMS Whacker wrote:
>
> From: Bear Giles <[EMAIL PROTECTED]>
>
> bear> Of course, this opens the whole can-o-worms of "what constitutes
> bear> a duplicate cert?" Is it an exact match, or matching I+SN, or
> bear> some other criteria?
>
> Depending on who you listen to, one coul
I couldn't seem to find too much information about what platform your
client is running on, but it sure sounds like a case of run-time library
conflict.
If you're running on win32 & building with msvc please consult the FAQ
for info on how you might be able to resolve this:
http://www.openssl.
Ralf Dreger wrote:
> After a while the error is coming. I tried to find the file, but it is not
> coming
> with your product.
>
> [...]
>
> .\crypto\cryptlib.c(59) : fatal error C1083: Cannot open include file:
> 'stdio.h'
> : No such file or directory
From the FAQ:
* Why does the OpenSSL compi
Hmm. Seems to have gotten lost on the way. Resending.
//oscar
--- Begin Message ---
Please find attached the patches required to get the trunk (as of last
night) to compile with visual c++ using the standard build procedure.
Best regards,
//oscar
Index: crypto/aes/Makefile.ssl
===
Please find attached the patches required to get the trunk (as of last
night) to compile with visual c++ using the standard build procedure.
Best regards,
//oscar
Index: crypto/aes/Makefile.ssl
===
RCS file: /usr/local/cvsroot/libr
Hi!
This really depends a lot on your situation. If you've got access to the
card containing the certificate and private key, you're better off using
something like Cryptoki (PKCS#11) to encrypt/decrypt directly using the
card without having to extract data.
If you don't have access to the card,
Works like a charm. Thanks!
//oscar
Richard Levitte - VMS Whacker wrote:
> Thanks for finding that. I've a patch that I'm going to commit as
> soon as I see that it compiles. Wanna try it? Expect it within half
> an hour.
Richard Levitte - VMS Whacker wrote:
> Thanks for finding that. I've a patch that I'm going to commit as
> soon as I see that it compiles. Wanna try it? Expect it within half
> an hour.
Cheers! I'll try rsync:ing my repository copy again in a bit.
//oscar
About half a year ago, apps/pkcs12.c was patched to use the load_*()
functions of apps/apps.c instead of its own. This patch appears to have
broken the client, as the new function prototype is:
stack = load_certs(...)
which is called twice in case CA certificates are passed using the
'-certfile'
I've used DC-based naming (RFC 2377?) for a while now, and can't really
remember running in to any particular problems.
I generate the certificates using the OpenSSL command line apps using a
configuration like this:
[ OJ_req_distinguished_name ]
0.domainComponent = TLD component (
Your private key is in the file 'user.key', which you have specified by
passing the argument '-out user.key' to the genrsa command.
Your certificate, stored in 'user.crt' does not contain the private key,
hence the name "public-key certificate", but the PFX you create
('user.pfx') using the pkcs1
Amodhini U wrote:
> Does OpenSSL already have a function to pack an
> X.509v3 structure into a contiguous array-block? And
> to unpack it back afterwards? If so, could you please
> point me to those functions? And to any sample code
> that uses them?
OpenSSL does indeed have such a function, w
Neff Robert A wrote:
> In keeping with Windows tradition, I would move that you NOT use
> the letter 's' for single-threaded, but rather use the "mt"
> designation for "multi-threaded" or "mtd" for "multi-threaded-debug"
> would be my preference. No "mt" designation within the library name
> woul
I'm not sure how one
should tell them apart either, if necessary. Perhaps by appending an 's'
to the static library builds, much like a 'd' would be to the debug
builds?
Richard Levitte - VMS Whacker wrote:
>
> From: Oscar Jacobsson <[EMAIL PROTECTED]>
>
>
First off, both server names appear to point to the same IP address,
meaning it's a case of a single dodgy server.
I'm pretty sure this is a case of the server ignoring the minor protocol
version number sent by the openssl client (3.1 = TLSv1), and simply
responding as if the client had requested
Richard Levitte - VMS Whacker wrote:
> Single threaded Static, non-debug - ??? (please help me out)
libc.lib (Compiler flag /ML)
> Single threaded Static, debug - ??? (please help me out)
libcd.lib (Compiler flag /MLd)
> Multithreaded Static, non-debug - ??? (please hel
Dr S N Henson wrote:
> On the subject of Windows builds I had this idea of generating VC++
> workspaces automagically by getting a perl script to get dev studio to
> create one of the beasts using OLE. This is left as an exercise to the
> reader :-)
Just out of curiosity. Would such an exercise r
Hi!
The easiest way to set this up is to make sure your client has the root CA
certificate in a file locally on his machine. Then you can call the function
load_verify_locations(ctx, CA_FILE, 0) in your client code in order to have your
client's SSL_CTX trust the certificates in that file.
//osc
It is indeed.
The reason load_verify_locations(ctx, 0, caPath) isn't working as expected, is
because that method places requirements on how the certificate files in there
are named.
When you run load_verify_locations(ctx, caFile, 0), all certificates in
caFile are loaded and added to your ct
Making sure that the server uses a certificate issued by verisign is a case of
using the SSL_CTX_load_verify_locations(...) function to add verisign's root as
a trusted certificate. There are actually quite a number of verisign "roots",
but I digress...
You will definitely want to perform some ki
Dr S N Henson wrote:
> Only problem is that this is on Windows and the standard c_rehash won't
> work.
Actually, after looking at the c_rehash code, and removing the (IMHO quite
redundant) stuff that sifts through the path and tries to find the openssl
command, it works just fine on windows, using
Dr S N Henson wrote:
> Only problem is that this is on Windows and the standard c_rehash won't
> work.
Ah.
Oh well, the functionality can be emulated quite easily by mimicking the script.
First make sure we can actually verify our cert directly by file:
> openssl verify -CAfile ca.crt user.crt
First of all, there's no need for the EVP_PKEY*, as PEM_read_RSAPrivateKey() and
RSA_private_encrypt() both use RSA*s.
The reason you're getting the segmentation fault is that you haven't initialized
the output buffer, which must be RSA_size(rsa) bytes.
Please also consider using some form of pa
Hi!
From the SSL_CTX_load_verify_locations manpage:
If CApath is not NULL, it points to a directory containing CA certificates in
PEM format. The files each contain one CA certificate. The files are looked up
by the CA subject name hash value, which must hence be available. If more than
one CA
Jean-Marc Desperrier wrote:
> The UID of openssl is NOT the UID of RFC2253.
> When openssl displays the string UID in a name, it's a
> X500UniqueIdentifier, not a userid.
Yes, I think there was a similar case a few years back when Microsoft chose "ST"
as their encoding for streetAddress, when th
Perhaps actually differing between "short names" and actual string encoding
would be prudent?
I don't think we could really go ahead and deprecate the use of "UID", as RFC
2253 defines it as the proper string encoding of the userid attribute type, and
the "short names" appear to be used when stri
Just a quick hack to dump a private key to an unsigned char[]. Basically copied
and pasted the equivalent bit from x509.c. Seems to work ok (famous last words
aside.)
Cheers,
//oscar
diff -r1.31 rsa.c
82a83
> * -C - print out C code forms
99c100
< int informat,outformat,text=0,
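Review bot: the usage line added at 82a83 for `-C` says only "print out C code forms", but in rsa.c the output is the private key itself as an unsigned char[]. The help text should state that the unencrypted private key is emitted, so the option is not mistaken for a public-data-only dump like the x509.c equivalent it was copied from.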
Oscar Jacobsson wrote:
> Also, would it be possible to add *.out to ms/.cvsignore so that these
> files can actually be overwritten as required by the test process?
And could ms/*.out then also please be removed from the repository in the first
place?
Cheers,
/
The declaration of tmp.clear in SSL2_STATE seems to have changed from
int to unsigned int, so the following patch should get rid of the only
current compiler warning:
diff -r1.33 s2_srvr.c
475c475
< || (is_export && ((i != ek) || (s->s2->tmp.clear+i !=
---
> || (is_exp
From: [EMAIL PROTECTED]
mark> Log:
mark> Back-port of Broadcom engine code from 0.9.7 to 0.9.6, but with a few
mark> patches taken from Red Hat Linux 7.2. Original code from Broadcom with
mark> patches and backport by Nalin, more backport to fix warnings and const
mark> changes by Mark
List,
I encountered a problem (as well as the odd warning or two) when
compiling last night's snapshot on VC-NT.
Basically, EVP_Digest now takes an additional ENGINE*, which is not
present in the MD() macros defined in crypto/rand/rand_lcl.h.
I'm not entirely sure how best to solve this. I thin
Hi again!
I'll attempt to answer the questions you have in-line below. I hope it's
ok if I try to keep things as simple as possible right now, referring to
the OpenSSL command-line tools as much as possible.
PS. I hope to be able to start work on the tutorial during the day.
//oscar
"Ravi Prak
I guess it depends on exactly what you mean by interdependent CAs. Are
you referring to cross-certification between different CA products, or
were you more interested in cross certification in general?
I've done a bit of cross certification work using OpenSSL for a piece of
software I'm currently wo
Hi Amnon!
IIRC, enabling TLSv1 in IE5 would result in not being able to connect to
such a buggy server, which I assume would be for the same reason as with
s_client.
IE6 however seems to be able to connect, which I think (although this is
only me guessing here) is due to it detecting the "bad ma
I can recommend taking a look at the Adaptive Communications Environment
(http://www.cs.wustl.edu/~schmidt/ACE.html) if you're interested in a
package that will hide the OpenSSL implementation details for you.
The documentation available from the site is excellent, IMHO, and
there's even a couple
Hi!
I *think* the problem you are describing is actually on the server side.
IIRC this is because your s_client by default will attempt to use TLS
1.0 (SSL 3.1), which the server incorrectly parses as SSL 3.0 (ignoring
the minor version number).
TLS 1, which s_client assumes both parties have a
Harald Koch wrote:
> I'm not quite sure either, to be honest, which is why I don't like the
> separate certificates approach. On the other hand, I'm told that the
> financial institutions, for whatever reason, *like* having separate certs
> (presumably so that different people can be given access
Dr S N Henson wrote:
> Extensions are also used for security purposes, for example to indicate
> whether a certificate is a valid CA certificate and to prevent end user
> certificates being able to masquerade as CAs.
I would definitely consider the ability to constrain issued certificates
through
Hi!
If you were wondering how to get this policy OID into a CA certificate
using OpenSSL in the first place, the easiest way would be to use the
following line in the CA certificate extension section of your
configuration file:
certificatePolicies=0.4.0.1456.1.1
Best regards,
//oscar
Bahram B
George Staikos wrote:
> All the problem certificates say "unable to load certificate file".
There appear to be extra newlines inserted before the '-----END
CERTIFICATE-----' lines in both ibm.pem and wellsfargo.pem. Removing
these will allow OpenSSL to parse the files correctly.
As pointed out
Pardon me for barging in, but I just thought a link to the actual paper,
courtesy of NEC's excellent Citeseer service, might come in handy:
http://citeseer.nj.nec.com/8352.html
Is there a specific reason you're looking into using MMH specifically as
opposed to UMAC? (Halevi, Krawczyk et al):
ht
No problems encountered, but I thought there might still be some
interest in seeing which platforms I have so far compiled and tested on
using openssl-e-0.9.6-stable-SNAP-20010708.tar.gz:
win2k sp2/vc++ 6 sp3,
linux 2.2.16/egcs 2.91,
solaris 2.6/sun workshop 6.
No problems at all encountered so
[EMAIL PROTECTED] wrote:
>
> I think Oscar's a bit confused.
Quite possibly. :-)
> Richard wants to say
> This is the cert of the OCSP responder I trust
> and that *is all* he wants to say. He does not want/need to verify the
> chain of certs from the responder. (It could be self-sig
Richard Levitte - VMS Whacker wrote:
> I definitely do *not* want to have to tell OpenSSL that I trust the CA
> of my "Trusted Responder" certificate, because that might imply that I
> trust any certificate that CA has produced.
Precisely, and that's why we have the key usage extensions. You woul
Dror wrote:
> The disadvantages (in VC environment) are:
> 1.) that the memory leaks report appears in two places: the leaks
> occurred in the application (with the file name and line number)
> together with those occurred in OpenSSL (without the file name
> and line number ) on the debug output
Ow. Sorry list! Private mail gone awry. Fell victim to the reply-to
header.
//oscar
Oscar Jacobsson wrote:
>
> Richard Levitte - VMS Whacker wrote:
> > Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
>
> Is my assumption that "ex", like the German
Richard Levitte - VMS Whacker wrote:
> Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Is my assumption that "ex", like its German counterpart "aus", is a
dative-forming preposition correct, I wonder?
//oscar, constantly on the lookout for new ways to quibble over words. ;-)
The 6th draft of X.509 2000 (which was all I had handy) has the following
to say about the encoding of SETs OF:
In order to enable the validation of SIGNED and SIGNATURE types in a
distributed environment, a distinguished encoding is required. A
distinguished encoding of a SIGNED or SIGNATURE da
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Richard Levitte - VMS
> Whacker
> Sent: den 26 september 2000 13:58
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: OCSP and issuerNameHash (was: Object names)
>
>
> Unless we can assume tha
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Richard Levitte - VMS
> Whacker
> Sent: den 25 september 2000 23:14
> To: [EMAIL PROTECTED]
> Subject: Objects and a configuration file
>
> [...]
>
> I'm definitely willing to redesign the contents of o
Richard Levitte wrote:
> And still, short names have been used for a while, since they do appear in
> X.400 addresses and in DNs a little here and there.
Pardon me for butting in to the discussion this late, but is this really
an issue of short or long names?
I think the core problem at hand see
William C Klein wrote:
> ...
>
> unable to load 'random state'
> This means that the random number generator has not been seeded
> with much random data.
> Consider setting the RANDFILE environment variable to point at a file that
> 'random' data can be kept in (the file will be overwritten).
>
>
> Colin Chalmers wrote:
> After successfully compiling and testing the source code I am now
> trying to integrate the libraries into an application I am building in
> VC6, winnt 4.0 sp5 . Unfortunately I am getting the following error
>
> test.obj : error LNK2001: unresolved external symbol
> _SSL
Arne Ansper wrote:
> One of my colleagues, Mr. Toomas Kiisk <[EMAIL PROTECTED]> made changed
> BIO_s_log so that required functions from advapi32.dll are looked up at
> runtime, so you don't have to create NT and 9x versions of OpenSSL
> DLLs. I attached the diff between 0.9.5a and our version.
G
Alexei Bakharevski wrote:
> Some suggestions, although, not specific to NT:
> 1. have the following build targets: static library (debug & release),
> dynamic library (debug & release);
There's a few other issues at hand, I think. Would it be enough to just
release a "static library" build target
List,
would there be any interest in seeing some work put into refining the
win32 build process, and if so would there be any specific requests?
I was basically considering something along the lines of unifying the
ms\do_*.bat into a single script that would be able to create all of the
differen
Oscar Jacobsson wrote:
> Keon should probably take part of the blame for failing to set Version,
> as required by RFC 2459:
>
> 5.1.2.1 Version
>
>This optional field describes the version of the encoded CRL. When
>extensions are used, as required by this profil
Jean-Marc Desperrier wrote:
> This looks like a valid crlExtensions as in a RFC-2459, but I'm not sure if OpenSSL
> pretends to support RFC-2459 fully.
Keon should probably take part of the blame for failing to set Version,
as required by RFC 2459:
5.1.2.1 Version
This optional field descr
Richard Levitte - VMS Whacker wrote:
> Thanks. I'm comparing to a CRL I have and which works, and what I
> find that looks weird is this part:
Is this not a case of a "missing" revokedCertificates SEQUENCE OF
SEQUENCE ? Would this be normal encoding for an empty CRL?
revokedCertificates is flagg
Hi!
When trying to make a debug win32 link with a MASM 6.11-generated
s1-win32.obj I get the following warning:
libeay32.lib(s1-win32.obj) : warning LNK4200: corrupt line number
information in object file; ignored
NASM-0.98 appears to have no problems though.
Cheers,
//oscar
S/MIME Cryptogr
79 matches