and password for Servers 1, 2, 3, etc. as well as a
valid client certificate? Or should a username map to a pkcs12
bundle?
thanks
Chris
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
Hi all,
How can I simply take an existing unencrypted client certificate and
add a password to it? In other words, do the opposite of:
openssl rsa -in pass.pem -out nopass.pem
thanks
Chris
that:
openssl.exe rsa -des -in certnew.cer -out passcert.cer
unable to load Private Key
3752:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:644:Expecting: ANY PRIVATE KEY
Chris
the client certificate and impersonate, so I
would like to add a password to the cert. I would think this would be
similar to where for instance Verisign sends you a certificate for
your webserver, and it has a password on it. Am I mistaken?
Chris
No, you are completely confused and really need to read
On 11/22/06, Chris Covington [EMAIL PROTECTED] wrote:
On 11/22/06, David Schwartz [EMAIL PROTECTED] wrote:
OK, perhaps I need to explain this more. I have a client cert
scenario where in order to verify the client's identity
On 11/22/06, Victor Duchovni [EMAIL PROTECTED] wrote:
On Wed, Nov 22, 2006 at 09:31:35PM -0500, Chris Covington wrote:
I am most likely using the wrong terms (but I may be completely
confused, I admit). When one distributes client certificates to take
the place of usernames/passwords
different p12 stores).
It would therefore be useful to me to somehow combine either the PEM or P12
files that result from my conversion into a single keystore for Java. Is
this possible? If so, how? If not... drat.
Thanks,
Chris
Thank you. I'll give it a try.
Cheers,
Chris
From: Kyle Hamilton [EMAIL PROTECTED]
Reply-To: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: Merge certs?
Date: Fri, 29 Sep 2006 12:48:30 -0700
http://www.alphaworks.ibm.com/tech/keyman
Found it. :)
-Kyle H
On 9/29/06
are selected, and also all strengths are selected
then I want the negotiation to use AES256 instead of 3DES if the
server also allows this.
-Chris
'Medium' it does not select AES128.
and If I use 'High' then it selects both AES128 and AES256.
-Chris
Is this a real problem? What's wrong with:
!EXPORT:!LOW:!MEDIUM:DEFAULT:-DHE-RSA-AES128-SHA:-DHE-DSS-AES128-SHA:-AES128-SHA
Sorry, I guess this (DEFAULT: should have been first
?
-Chris
says the same thing. Does anyone have any suggestions for fixing this?
Thanks,
Chris Harward.
error U1077: 'cl' : return code '0x2'
Stop.
Could anyone point me in the right direction?
-Chris
.
-Chris
ciphers and the minimum/maximum strengths, so I have not found any
solution to the problem.
It's been close to two months now, so I'm currently considering
switching to an older version of OpenSSL which does not have the bug.
-Chris
Try the next 0.9.8 snapshot.
Thanks Dr. Steve!
-Chris
work around please let me know.
-Chris
On 2/25/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
The preferred interface to all ciphers is EVP.
The reason I am not using the EVP interface was to save space.
Currently OpenSSL is already making my end product way too large so I'm
trying to minimize the code dependencies.
128 bits is fixed
Is there any documentation covering the AES support in OpenSSL? I
can't find anything. There seems to be no manual entry or
anything under docs.
I do have it working but I'm wondering how to change the block size
(seems to always use 128 bits by default?) and what the difference
between
On 2/23/06, Dr. Stephen Henson [EMAIL PROTECTED]
wrote:
There are security issues associated with RSA private key operations which are handled by OpenSSL trying the reverse operation using a public key which requires the public exponent. While this is particularly the case when all CRT components
I'm having a bit of trouble creating and using RSA keys from raw data.
I have the public exponent(e), public modulus(n), and private modulus(d).
Encryption seems to work (don't know for sure):
RSA* rsa = RSA_new();
rsa->e = BN_bin2bn(pubexp, pubexp_len, rsa->e);
rsa->n = BN_bin2bn(pubmod,
On 2/22/06, Chris [EMAIL PROTECTED] wrote:
Decryption seg faults without e and is incorrect with e:
snip
Seems strange to seg fault, doesn't it know something is
missing/incorrect? Does RSA_new not initialize the structure to a
clean state? Wouldn't an error be appropriate here?
OK, I worked
On 2/16/06, Kyle Hamilton wrote:
Yeah. Any cipher that is not explicitly added is denied. So, try just doing:
CString Shif = "AES128-SHA";
When I just use this string, it automatically adds AES256-SHA as well.
This appears to be a bug in OpenSSL 0.98a. Could anyone confirm this?
-Chris
in the development version?
If so, which source file would I need to look at?
-Chris
I tried adding : as suggested, but this still did not work. :(
Does anyone have other suggestions?
-Chris
I'm trying to allow my program to be configurable for either AES 128
bit, or AES 256 bit. The problem is that when I select only the
AES128-SHA cipher, the AES256-SHA cipher gets added
.
--
// Chris
somewhere or at least listed in the relevant
sections of the documentation. I spent much time looking through
evp.h and other headers trying to find something that made sense and
the whole time all I needed was PKCS12_PBE_add().
Thanks again!
--
// Chris
On 2/16/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote:
On Thu, Feb 16, 2006, Chris wrote:
It is documented in doc/openssl.txt and that file is referred to in the FAQ...
http://www.openssl.org/support/faq.html#MISC2
At some point I'll tidy that up and place it in an appropriate manual page or better
= SSL_get_cipher_list(lSSL, i);
if (res)
{
m_List.AddString((char*)res);
ccnt++;
}
}
-Chris Clark
It appears that the SSL_METHOD functions don't allow a server to
accept connections using either SSL or TLS, so it has to be either one
or the other.
Does anyone have a work around to allow both SSL and TLS connections
to be accepted?
-Chris Clark
be best to do
it this way so the users have a choice of 128 or 256 bit AES, and at the same
time adhering to the documented definition of what MEDIUM means.
-Chris Clark
-SHA
DHE-DSS-AES128-SHA
But when I select a high set of cipher suites it does include the above,
in addition to the 256 bit ciphers.
It seems that this is only a problem with the AES ciphers.
-Chris Clark
is faster than 256 bit AES, and will use less CPU overhead on
slower machines. Is this not true?
Is there an easy way I can limit openssl to only use 128 bit ciphers
for example?
-Chris Clark
great for everything except AES, which incorrectly
groups all the 128 bit ciphers as being HIGH instead of MEDIUM.
Is it a known bug, or are the docs outdated?
-Chris Clark
128 bit and 256 bit key lengths when they are
using AES...
Looks like I will have to implement these user options the hard way then :(
-Chris Clark
on which ciphers to use, or to
stick with the simplistic nature of the MEDIUM and HIGH settings along
with the 4 groups.
-Chris Clark
.
Kicking myself now.
Thank you for all your help.
Regards,
Chris
am stumped here.
Chris
-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-openssl-
[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: 13 August 2005 17:44
To: openssl-users@openssl.org
Subject: Re: Newbie question X509 certificate stores
On Sat, Aug 13, 2005, Chris Morrison wrote
, but creating a new one would be a
Bad Thing.
Thanks,
Chris
--
Chris Gray/k/ Embedded Java Solutions BE0503765045
Embedded Mobile Java, OSGi http://www.kiffer.be/k/
[EMAIL PROTECTED] +32 3 216 0369
? The web page
mentions a serious problem with SHA-1 which will be fixed in the next
version ...
BTW what is GSS-API (RFC 2853), which also turned up in my searches? I know it
stands for Generic Security Service, but where does it fit into the puzzle?
TIA,
Chris
--
Chris Gray/k/ Embedded
is why people use the bp bio structure. i.e. this contains
both data and datalen parameters.
Thanks
Chris R
- Original Message -
From: Dr. Stephen Henson [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Tuesday, September 20, 2005 3:19 AM
Subject: Re: rsa_publiic_encrypt problem
So many replies. I don't know where to start.
Chris Morrison wrote:
Hi all,
I have recently moved over to Linux, having rid my computer of the M
$.Windows virus.
I am porting a program that I wrote over to Linux and I am looking for a
library to provide X509 digital certificate functions
Michael wrote:
Hi Chris,
What type of keystores are you talking about here? (pkcs#12?)
It's a PKCS#7 store, I am trying to read the certificate store from a
digitally signed ZIP file.
I have done it with no probs in VC++ using Microsoft's CryptoAPI, you
just read the data into a buffer
SSLCertificateKeyFile in Apache's SSL config to
the corresponding files.
Thank you Jorey and Steve!!
Thus far it is working. As soon as I change my NAT config I will know
for sure!
Chris.
()
which allows you to open a digital certificate store from a file or
memory.
Is there such a function under OpenSSL? It look like a great library but
the lack of documentation on the API (that I can find) is a major drag.
Regards,
Chris
I only require a single trusted root, so I'm sticking with
this solution.
Thanks.
-
Chris
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Mckenzie
Sent: June 8, 2005 4:35 PM
To: 'openssl-users@openssl.org'
Subject: RE: Quick question
!
- Chris
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Mckenzie
Sent: June 7, 2005 6:50 PM
To: 'openssl-users@openssl.org'
Subject: RE: Quick question about 'client-ssl-warning' = 'Peer certificate not verified'
Thanks Brian.
Wow, I'm
:BIO routines:BIO_new_file:no such file
SSL error: 32010: 3 - error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
at /usr/lib/perl5/vendor_perl/5.8.0/IO/Socket/SSL.pm line 580
Is there a CA cert filename extension that should be met if SSL_ca_path is used?
Thanks.
- Chris
the SSL.pm check for 'SSL_check_crl' (line 587) occur before Net::SSLeay::CTX_load_verify_locations (line 582) so the setting would make a difference?
Anyways, thanks for reading my ramblings. I'm going to try and upgrade to the latest stable openssl and see if it makes a difference.
- Chris
be performed. Which sort of makes the point of setting it moot.
Any ideas? I'm getting close to giving up.
Thanks.
- Chris
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Mckenzie
Sent: June 8, 2005 2:00 PM
To: 'openssl-users@openssl.org
crack at it.
Please, please, please, let me know if this is a known issue that I just couldn't find any information on. It would be greatly appreciated.
Thanks!
- Chris
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Mckenzie
Sent: June 8, 2005
during the hand shaking, not after the connection is
established.
Is there an OpenSSL environment variable I can set to
require SSL cert verification?
Thanks!
- Chris
to implement any of this, it would be greatly appreciated. Or which SSL support for LWP I'd be better off with.
Thanks!
- Chris
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian DeGeeter
Sent: June 7, 2005 5:01 PM
To: openssl-users@openssl.org
Subject: RE
:rsaEncryption
2994:d=6 hl=2 l= 0 prim: NULL
2996:d=5 hl=3 l= 128 prim: OCTET STRING
These are the last few lines, I can see the messageDigest line, how
would I interpret the OCTET STRING ?
I am sure I am missing something here, I am sure this should be simple !
Thanks again for your help.
Chris
Many thanks
Chris...
seen that too.
I can't believe other people have not seen this problem before, i.e.
signing on the client browser and verifying on the server using
OpenSSL !
Chris...
routines:PKCS7_verify:certificate verify
error:pk7_smime.c:222:Verify error:unable to get local issuer
certificate
I am sure I am nearly there, can anyone help me please ?
Chris...
that is the problem
! Is the problem CR/LF ? I am signing using FireFox on Windows to sign
but using OpenSSL on Linux to verify.
Any ideas ?
Chris...
in the code,
or what version of OpenSSL I should upgrade to, I would very much
appreciate it. Please CC me on any correspondence; I am not
subscribed to the list.
Thank you for your time,
Chris Lalancette
I didn't get any replies to this when I sent it last week. Am I on the
wrong list for this sort of query?
Chris...
=== original message ===
I've managed to diagnose this down further to a snippet of code inside
ERR_STATE *ERR_get_state(void)
on roughly line 1022 of crypto/err/err.c of the 0.9.7
.
Chris...
Dr. Stephen Henson wrote:
On Mon, Mar 14, 2005, cmb wrote:
Thank you, duh, turning on debug for config cleared up all my stack
trace problems.
Here is the excerpt of a stack trace that is double freeing:
#11 0x081a39db in CRYPTO_free (str=0x0) at mem.c:378
#12 0x081b1fa6 in ERR_get_state
certificate).
Best regards,
Chris Rørbæk
Development Engineer
one else done this making new
asn.1 in x509 certs?
Any input on how to get further is great!
Best regards,
Chris Rørbæk
Development Engineer
Intermate A/S
Kongevejen 194 A
3460 Birkeroed
Denmark
Direct : +45 72 26 04 28
Mobile:+45 22 77 04 28
Fax: +45 72 26 04 04
e-mail: [EMAIL PROTECTED]
web
As I understand it, the client signs data sent from the server in
order to authenticate itself. Therefore yes it does need its private
key.
On Tue, 18 Jan 2005 11:17:01 +, Shaun Lipscombe
[EMAIL PROTECTED] wrote:
If the client sends the server its certificate (public key) and the
server
All,
We have a code signing facility that has signed a lot of code using
a certificate that recently expired. Now, validation of the signed
code fails because one of the certs in the chain has expired (not
the root cert, and not the signing cert).
So, should the verification routine be changed to
trust.pem except the changed validity dates and the
signature.
You can not just replace the trust.pem with trust_new.pem as the new
root ca cert (trust_new.pem) did not sign the sub ca cert (a-sign.pem)
and so the chain is broken. They need to give you a new ca cert and
server cert.
Chris
are
not the same as the keys for trust_new.pem. They have the same fields
in the DN, but do not share the same keys (if they do then this is bad
practice by the issuers), so it is a different key that signed the
a-sign.pem and so your trust chain is broken.
Chris
You need to join the OpenCA Users mailing list for answers to problems
with OpenCA.
On Thu, 11 Nov 2004 13:03:56 +0100, Angel Martinez Gonzalez
[EMAIL PROTECTED] wrote:
Hello:
I'm trying to initialize OpenCA. In Request Setup of Phase 1, I enter this
DN:
C=ES, ST=Valladolid,
On Tue, 2 Nov 2004, Richard Levitte - VMS Whacker wrote:
In message [EMAIL PROTECTED] on Thu, 28 Oct 2004 17:51:48 -0400, Carson Gaspar
[EMAIL PROTECTED] said:
carson --On Thursday, October 28, 2004 15:13:14 +0100 Robert Bannocks
carson [EMAIL PROTECTED] wrote:
carson
carson I get this
and I'm using
Sunfreeware's GCC package Sun's make on all platforms
Chris Pitchford [EMAIL PROTECTED]
for your help.
cheers,
ski
--
When we try to pick out anything by itself, we find it
connected to the entire universe -- John Muir
Chris Ski Kacoroski, [EMAIL PROTECTED], 425-489-6263
could have
a different PRNG).
Any ideas, documentation pointers, etc.?
Best wishes
--
Chris Gray /k/ Embedded Java Solutions
Embedded Mobile Java, OSGi http://www.kiffer.be/k/
[EMAIL PROTECTED] +32 3 216 0369
There are conversion routines like
BN_bin2bn //binary to BIGNUM type for rsa->e
There are d2i Public key routines to read DER or PEM
format but my file is not in DER or PEM format.
My second question is what format my public key file
is and how to I convert it to RSA structure.
Thank you
Chris
;
BIO_write(bio_out, buf, inlen);
BIO_flush(bio_out);
}
printf("\n%d was total len!\n", totallen);
BIO_free_all(bio);
return 0;
}
--
Chris Green [EMAIL PROTECTED]
A watched process never cores.
Chris Green [EMAIL PROTECTED] writes:
while((inlen = BIO_read(bio, buf, 512) > 0))
My bad :( That's what not using C for a while will do to you :(.
--
Chris Green [EMAIL PROTECTED]
I've had a perfectly wonderful evening. But this wasn't it.
-- Groucho Marx
exchange.
I just need to
encrypt and decrypt payloads before and after they are sent through whatever
transport I select.
-Chris
,F_SETFL,O_NONBLOCK)
blocking:
fcntl(my_socket,F_SETFL,0)
--
http://www.badgerbadgerbadger.com/
On Feb 20, 2004, at 9:14 AM, Chris Rowe wrote:
Do I need to call ioctlsocket(m_socket, FIONBIO, (u_long FAR*) iMode); to enable non-blocking or can I just #define FIONBIO and #define USE_NBIO from
Just to get this thread back on track. I am simply trying to find a code
example that shows using bio pairs instead of the SSL_write and SSL_read
functions, so that I can use openssl routines in conjunction with native
WinSock calls. In other words, I would like to be able to encrypt/decrypt
using
a
little push in the right direction please.
Thanks in advance,
Chris Rowe
Do I need to call ioctlsocket(m_socket, FIONBIO, (u_long FAR*) iMode); to enable non-blocking or can I just #define FIONBIO and #define USE_NBIO from within my code?
From: Chris Rowe [mailto:[EMAIL PROTECTED]
Sent: Friday, February 20, 2004 9:18 AM
To: '[EMAIL PROTECTED
: owner-[EMAIL PROTECTED] [mailto:owner-[EMAIL PROTECTED]] On Behalf Of Chris Rowe
Sent: Wednesday, 18 February 2004 8:04 AM
To: [EMAIL PROTECTED]
Subject: Installation Trouble VC7 Win32
OK I am new to openssl and am experiencing difficulty
building openssl. I have followed the install.w32 instructions
Of Andrzej Posiadala
Sent: Wednesday, February 18, 2004 6:29 AM
To: [EMAIL PROTECTED]
Subject: Re: Installation Trouble VC7 Win32
Hi Chris,
under this url
http://www.iconsinc.com/~agray/ossldev
you may find solution to your problem. It's a workspace for VC6 but works
fine for me with VC++ .NET
OK I am new to openssl and am experiencing difficulty
building openssl. I have followed the install.w32 instructions to the letter,
but still no luck on the nmake step
Does anyone have a makefile or project/solution file *.sln
that simplifies the build under VS.Net VC7?
These two steps
Hello Vadim!
On Mon, 2004-02-16 at 21:28, Vadim Fedukovich wrote:
Dear Chris,
authentication methods and protocols were researched for years.
The method described is an easy one and probably could be implemented fast.
However, one better start from requirements before any coding
in the direction of some examples on how to do this?
The reason I want to use PKCS7 is because the library on the client side
is already setup to do this with a single C function call.
Regards,
Chris
). Is there some lower level calls
that can be made to just load the specific CACert into the SSL_CTX
structure?
Thanks
Chris Zacker
stdin. I've used this method before and it's actually pretty reliable in my
own experience. Worst case I am not able to open a file for writing, or
openssl outputs an empty file, but that's easy to check for.
Any thoughts?
Chris
they become a client, and it's a big hurdle to throw at some people right
off the bat. With all the stuff that can go wrong on the client side, we
keep as much as possible on our end.
Chris
- Original Message -
From: Bart J. Smit [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, August 30
then the actual server name? This is a single
purpose server only.
Thanks All
Chris S.
Do I need to include the :443 when I apply for the certificate?
Thanks
CS
-Original Message-
From: pablo neira [mailto:[EMAIL PROTECTED]
Sent: Friday, June 06, 2003 4:41 AM
To: [EMAIL PROTECTED]
Subject: Re: Startup error
Swenson, Chris wrote:
I have install apache 1.3.27
Ok let me rephrase my original question: Why would
someone trust a cert chain of length 3 less than they
would a cert chain of length 2? I see software (like
apache) that have a tunable acceptable-cert-chain-length
parameter. Why wouldn't you just trust any cert
chain length?
cj
- Original
- Original Message -
From: Rich Salz [EMAIL PROTECTED]
To: Chris Jarshant [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, April 04, 2003 2:56 PM
Subject: Re: Certificats : chain
Ok let me rephrase my original question: Why would
someone trust a cert chain of length 3 less
- Original Message -
From: Dr. Stephen Henson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 31, 2003 7:52 PM
Subject: Re: X509_STORE and X509_verify performance
On Mon, Mar 31, 2003, Chris Jarshant wrote:
I generated 1000 test self-signed CA certs, and wrote
a small
Well in the short term some kind of evil hack will be needed by an
application. This would involve messing around with the internals of the
X509_STORE and normally you shouldn't go near those. However in this case
you
haven't got any choice.
In outline you'd create an X509_OBJECT for each
I generated 1000 test self-signed CA certs, and wrote a small program
to add them all to an X509_STORE in preparation for verifying a
certificate. But this operation took a LONG, LONG time. Even adding
500 certs took approx. 30 seconds! It appeared to go real fast for
the first 100 certs,
And just to be clear, it was the for() loop that calls
X509_STORE_add_cert() for each cert that was taking forever, not the
actual verification, which took no perceivable (in terms of user
interface delay) time.
cj
- Original Message -
From: Chris Jarshant
To: [EMAIL
All,
ocsp2.valicert.net seems to be non-functional. Anyone know of any
OCSP Responders I can use to test my OCSP client? I have used
openvalidation.org with moderate success (some of their certs don't
have the OCSPSigning extended key usage attribute, which openssl
promptly rejects).
cj
201 - 300 of 368 matches