I have a private CA certificate created using openssl command line.
The issue is that the certificate expires on 19th Oct, 2007.
The question is that Is it possible to extend the expiry of this
certificate without changing any other fields in the certificate?
Basically, I want to continue
It seems to me that the OP is indeed asking something else entirely
different from the question which you yourself seem to have posed and
then immediately failed to answer. He's asking
Is it possible to extend the expiry of this certificate without
changing any other fields in the
make test
make install
I have tried installing the 0.9.8d with no luck either. I have checked
the internet and previous openssl mailing notes and not found something on
this so any help is appreciated.
end
-
David Flatley
I.T. Specialist, Senior Consultant
IBM Global Business services
Department
make
make test
make install
Thanks
David
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List
make
make test
make install
Thanks
David Flatley
- Forwarded by David Flatley/Burlington/IBM on 10/16/2007 12:55 PM
-
David
The application creates about 800 threads in a Linux 2.6 Kernel.
This is really one of those don't do that then things.
Thread-per-connection is well-known to break down at about 750 connections.
#0 SHA1_Init (c=0x0) at sha_locl.h:150
#1 0x405b2bb0 in init (ctx=0x0) at m_sha1.c:72
#2
Hi all. Ok I need to set up a cipher and certificate. But I've a little
question: How to make a X509 certificate? What is the right way to build
a X509 certificate in C?
For example:
X509 *newx509 = NULL;
newx509 = X509_new();
assert(newx509 != NULL);
and then? How to set attribbutes,
I will be out of the office starting 10/09/2007 and will not return until
10/15/2007.
I will respond to your message when I return.
__
OpenSSL Project http://www.openssl.org
User Support Mailing
So when generating a key, how do I determing the size?
If the bits paramater in RSA_generate_key fuction equals 128,
does this mean
I have created a 128 bit key?
RSA_generate_key(bits,RSA_F4,NULL,NULL);
Note that a 128-bit RSA key would be completely worthless. 512-bits in the
recommended
I need a way to hide the public key in the binary...
You can't ask in public for a good hiding place.
Note that your question has *nothing* to do with OpenSSL or even public key
encryption for that matter. Your question is basically how do I make a
tamperproof executable.
DS
Andreas71 wrote:
I'm creating a web service in Erlang, using OpenSSL. I want the clients to
communicate with the server over SSL. I'm only interested in the
encryption
part of SSL, so I don't need any certificates signed by Verisign/etc to
verify that the server really is The Server. The
As for the approach I'm sketching, I was under the impression that SSL
could function as easy as that, where the server has got a self-signed
certificate with a public and secret key, and then whatever client,
with a certificate on their own, could connect to the server with SSL
and get an
Viktor, out network is secure, but clients outside our network will
access it over the internet. I'm concerned about the client sending
his username/password in clear text over the internet, and thought SSL
would do the encryption trick with ease, using a self-signed
certificate.
Andreas
Hy!
Is it possible to create a certificate with openssl without using the
coresponding private key (which is stored in a smartcard) but
with the public
key only?
Your question really doesn't make any sense. Why would the key being in a
smartcard keep you from using it? The whole point
My program has a CSR in DER format, and the CA private key, and needs
to generate a CRT in DER format. The CA key is DSA, the CSR may be from
a DSA or RSA key.
Now, it seems that all documentation I was able to google shows how to
do that using the openssl command line tool, but there's no
I need this CRL for testing needs ))
That really doesn't make any sense. What is the point of testing with
something that bears no relationship to anything in the real world?
If you want to test if your CRL logic works, create your own test CA, your
own test certificate, and your own test CRL
for the assistance!
--David
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL
to the certification path, the only certificate shown is that of the
server GORSKY; the signing CA's certificate is not shown. Shouldn't it?
Did I do something wrong in the signing process?
Thanks
David m. chinn
Hello,
Now you *are* saying that if you just use something to validate the
certificate, you are safe.
You and I are in violent agreement, you just don't see it. You
also suggest
setting up an SSL connection that provides everything except
MITM detection.
You then take something
for this error, and it seemed like it might be a
known bug either in openssl or in gcc on some platforms. I wanted to
see if anyone knows what the error means, and whether it's likely to
be a bug in openssl, the compiler, or in my application.
Thank you!
--David
On Wed, Sep 26, 2007 at 11:03:21AM +0200, Steffen DETTMER wrote:
So your point is that some property from the original
certificate (lets say some hash or so) could be included in
the extra authentication to detect a MITM (or whatever faked)
certificate? In that case, SSL would
Victor Duchovni wrote:
Use a self-signed cert and and a trusted source of peer-cert or cert
fingerprint mappings. The public CA is just one mapping function.
Well then you're going to have to argue with yourself since you said not to
do this two posts ago:
Actually not the certificate, it
In this second step of verification, you can exchange public keys,
certificates, challenges, responses, and so on. Each side can
verify what it
is talking to on the other side by whatever mechanism you want.
Ahh, yes, ok. But the result would not be SSL but
something-SSL-based, right?
Storing some fingerprint of a certificate or public key locally
in some trusted place (such as a local file system) seems to be
quite secure (should be the same level as having a CAs root
certificate in a file), however, I'm not sure if this works with
OpenSSL which seems to expect to be
Hello David,
I would like to learn more on MITM in this particular scenario. I
used to believe that if a server is using a signed certificate,
the MITM is not possible (Is it possible with techniques like DNS
poisoning?). Looks like I missed something important. Could you
point me
SSL works just fine to prevent MITM with self-signed certs, provided
the client has prior knowledge of the self-signed cert.
Right, but what if they don't?
It can then
check for the right public key, or the right certificate fingerprint
(more convenient via the OpenSSL API than extracting
Here is my understanding about a real CA.
A real CA would be an agency or like, which would have the infrastructure
required to sign certificate requests (say openssl toolkit, its own key
pair, its own root certificate etc). In addition to this, it would have
capabilities / mechanism to
After compiling my ssl file ssl_server.c, there are some errors.
Plese show me how to solve these errors.
These are linker errors. You didn't link to the OpenSSL library. The
solution is to add an appropriate command like '-lssl -lcryto'.
I installed the latest version openssl in Linux
I doubt if self signed certificate will be a good idea, as
against a signed
certificate.
With the approach I am proposing, the server installer itself works like a
CA.
Only an authorized person will have access to this installer (say
admin) and
can generate a signed certificate.
I don't
For now, my purpose is not to establish and identity of a server with the
certificate. I plan to use a signed certificate, so that the client can be
sure
that the server indeed holds the private key associated with the
public key
provided by the server in its certificate.
You have a
using alternative names without getting the
invalid or does not match warning.
Thanks,
David
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz
Sent: Tuesday, September 18, 2007 6:54 PM
To: openssl-users@openssl.org
Subject: RE: Configuration
So could someone guide me with the best practices used in such scenarios?
Is there a way to securely embed the private key in the installers / CA
certificate?
I guess I'm confused. What purpose would a certificate serve if anyone can
generate one that serves any purpose?
If I can generate a
Once I purchase a trusted certificate, I was assuming both of these
warnings would be removed; I thought a SAN-certificate would allow me to
connect to the website using alternative names without getting the
invalid or does not match warning.
Thanks,
David
What error are you getting now
the 'certificate not
trusted' message, I was attempting to not have the invalid or does not
match warning message.
commonName = blah.mysite.com
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = blah.mysite.com
DNS.2 = blah002.mysite.com
Thanks,
David
-Original Message-
From
?
Thanks,
David
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Murphy, David F
Sent: Wednesday, September 19, 2007 1:07 PM
To: openssl-users@openssl.org
Subject: RE: Configuration file for subjectAltName
I ran the following command,
openssl x509 -text
and the commands you executed to utilize
the configuration file?
Thanks, David Murphy
Thanks Viktor and Buddy,
Below is my cnf file and the commands I tried. The key and the crt were both
created, however when I render the test website using blah002.mysite.com I get
a security warning message anyway. I must have done something wrong or left
off a step ...
Cnf File -
[ req ]
Below are my cnf file and the commands I tried. The key and the crt were both
created, however when I render the test website using blah002.mysite.com I get
a security warning message anyway. I must have done something wrong or left
off a step ...
Cnf File -
[ req ]
default_bits
Below are my cnf file and the commands I tried. The key and the
crt were both created, however when I render the test website
using blah002.mysite.com I get a security warning message anyway.
I must have done something wrong or left off a step ...
It's not clear what you are trying to do.
Our server application expects from connecting clients to show their
certificate to checks their CN,OU and decide what permissions to allow for
that client
I generated a client certificate and embedded encrypted private key in it.
Everything works.
Gret.
But now I want to avoid using
You'll have to define what thumbprint means. In web browsers
and the 'x509'
utility it is the hash of the whole encoding which X509_digest() returns
though it is sometimes called fingerprint too.
The digest used is not necessarily the same one used in the
certificate and is
typically SHA1
/* This is just one of the tests I have tried */
FD_ZERO(rfds);
FD_SET(acceptSock, rfds);
FD_ZERO(wfds);
FD_SET(acceptSock, wfds);
FD_ZERO(rfds);
FD_SET(acceptSock, efds);
do {
/* see if we have any
David Schwartz wrote:
/* This is just one of the tests I have tried */
FD_ZERO(rfds);
FD_SET(acceptSock, rfds);
FD_ZERO(wfds);
FD_SET(acceptSock, wfds);
FD_ZERO(rfds);
FD_SET(acceptSock, efds);
do
is there any reasonable way how to copy certificate (and private key) from
SSL_CTX to SSL object if
certificate in SSL_CTX is changed?
Are you asking if you can change the key and certificate being used by a
session that's already in progress?
DS
int result = fread(wbuf, fsize, 1, fp);
void *buffer;
buffer = (char *)malloc (length);
long err = SSL_write(ssl,buffer, strlen((char *)buffer));
err = SSL_get_error(ssl,err);
You lost track of what you were doing. You put the number of bytes to send
in 'result',
I am using OpenSSL in my project. I wanted to send binary data,
The term binary data could mean anything.
but SSL_write is not working.
That's not a very good description of the problem.
Is there any other way to do it.
You really have to give us something more to go on.
DS
to the certification path, the only certificate shown is that of the
server GORSKY; the signing CA's certificate is not shown. Shouldn't it?
I know it was signed, because I can see an entry for it
Did I do something wrong in the signing process?
Thanks
David m. chinn
Consider a 'select' followed by a 'read' in another thread. Is
that the operation that shouldn't block or are the 'select' and
the 'read' unrelated?
If the read was started (called) after the select finished
(returned), then this read (and only this read) is the subsequent
operation. If
sorry, seems I'm unable to get it (I read it several times :)). I
think the select could (if needed) store some flag (associated
with some fd) to remember that it returned that read must not
block by guarantee. Maybe some list including all fds where
select returned this. Any OS function
This is acceptable for Perl, but not for C :-) Even if most
people would want a write contradicting its man page, I'd still
consider it wrong :)
I don't follow you.
If you tried to write two bytes, why would you want to wait
until the first one could be written but not wait until the
Hi!
* David Schwartz wrote on Tue, Aug 28, 2007 at 08:56 -0700:
I think it is important to note that a blocking read usually
should return if one single byte is available (even if more had
been requested)
Correct.
and a blocking write should return as soon as at
least one
Actually, this page says:
A descriptor shall be considered ready for reading when a
call to an input function with O_NONBLOCK clear would not
block, whether or not the function would transfer data
successfully.
Right, that is a hypothetical concurrent read.
Is that not to say that if
a 'readability' hit on a listening
socket and then block in 'accept' if there's a subsequent error on the
connection don't exist?
Although David has theorized on the possibility of an operating system
receiving a UDP packet from another host, then indicating readability
via select() to the application
size example, I expect read to return 0. I made a
small test program and on linux (accidently?) it does not block
when reading a truncated file (actually, select even returns
`ready for read' on an empty file).
A file is always ready. There is never anything to wait for.
David, do you mean
David Schwartz wrote:
That is not only not implemented by any known implementation but quite
literally impossible. Please tell me what implementation
guarantees that a
TCP 'write' after a 'select' hit for writability will not block.
This is no use, your asking me for references and I'm
Hmm...interesting. Essentially what you are saying is If one thinks
they need to use select() on a blocking socket, use non-blocking sockets
instead. And only when non-blocking sockets are insufficient, use
select() (i.e. to avoid a CPU-eating polling type of situation without
sacrificing
There is no need for the data buffer to stay constant between calls to
SSL_write.
Arne
Did you see my post proving that this must be false? Here's the scenario
again:
1) You try to write 16 bytes on a non-blocking SSL connection.
2) This results in a 24 byte record after encryption.
3)
What I want to know is how do I tell OpenSSL that it is okay to do some
processing of socket data but not block even with blocking sockets?
You are asking for the impossible. There is no way to be sure a socket
operation will not block other than to set the socket non-blocking. Much
code has
MSDN Library documents select() as being exactly as I describe:
http://msdn2.microsoft.com/en-us/library/ms740141.aspx
(See the description of when readfds returns).
So now that the matter you describe has been cleared up, answer the
question.
You misunderstand the documentation. Nowhere
Which part of For other sockets, readability means that queued data is
available for reading such that a call to recv, WSARecv, WSARecvFrom, or
recvfrom is _guaranteed not to block_. do you not understand?
It means a hypothetical concurrent call, not a future actual call.
There is simply no
David Schwartz wrote:
Which part of For other sockets, readability means that queued data
is
available for reading such that a call to recv, WSARecv,
WSARecvFrom, or
recvfrom is _guaranteed not to block_. do you not understand?
It means a hypothetical concurrent call, not a future
It seems the OpenSSL TLS server, when forced to use TLSv1,
shuts down the connection immediately after receiving a
ClientHello with major version number not equal to 0x03.
Nothing was sent to the client to notify the error.
What could be sent to the client to notify it of the error? Since
We are trying to debug an exchange csr request. I would like to read
this csr in with openssl and read it in plain text format somehow.
Can this be done?
openssl req -text
DS
__
OpenSSL Project
Side track: Is it possible to make the window platform listen on 31
sockets at once per thread ? (or whatever is small limit was)
IOCP.
Okay you closed your ears to the read event ? On Unix the select() has
an exceptfds which can be used to pickup a socket error/close (but may
not be
RSA_public_encrypt(size, inText, sigBuffer, rsaPubKey,
RSA_PKCS1_OAEP_PADDING);
Ooops, you just threw away the return value from RSA_public_encrypt. So how
are you going to know how big the signature is?
sigretVal = RSA_size(rsaPrivKey);
unsigned char *plainText = new unsigned
RSA_public_encrypt(size, inText, sigBuffer, rsaPubKey,
RSA_PKCS1_OAEP_PADDING);
Ooops, you just threw away the return value from
RSA_public_encrypt. So how
are you going to know how big the signature is?
RSA_size()
I thought RSA_size gave the modulus size, which is also the
I am not familar with ASN.1, or any of the specifice of which the rsa
key is generated. It just seemed as it should not be so.
What is the ASN.1 encoding, and how is it used?
The vast majority of file formats begin with a header that is similar or
identical for files that contain different
Hello
I have question.
I tried generate public key via openssl (RSA,1024) and I always got 162B
large file.
Now I want to generate public key via JAVA Cryptography library.
I'm repeatedly generating public. For example I created RSA keys with 1024
bit length, but sometimes I got 162B
Problem is openSSL only seems to work if I explicitly pass it the
location of the certificates with the -Capath switch.
It doesn't seem able to find them on it's own.
This creates a problem for OpenLDAP when I am trying to query an LDAP
server via ssl/tls.
example: /usr/bin/ldapsearch -H
command: openssl s_client -connect server.name.ac.uk:636 -verify 5
result: Verify return code: 19 (self signed certificate in certificate
chain)
command: openssl s_client -connectserver.name.ac.uk:636 -verify 5 -CApath
/etc/pki/tls/certs
result: Verify return code: 0 (ok)
Obviously that
I'm trying to use the RSA_public_decrypt function but I need to
set up the public key manually.
I have the public exponent and modulus in the form of an array of
'unsigned char' and have converted these to BIGNUM format using
BN_bin2bn. I assigned them to the RSA fields n and e.
The I call
You're right, I get RSA_R_BAD_E_VALUE (101). Just took the wrong
define for the mail. ERR_GET_REASON returns 101.
Only the RSA key generation function can produce this error. Perhaps you had
it left over from a previous function you called? Perhaps your engine can
generate this error in
You're right, I get RSA_R_BAD_E_VALUE (101). Just took the wrong
define for the mail. ERR_GET_REASON returns 101.
Only the RSA key generation function can produce this error.
Perhaps you had it left over from a previous function you called?
Perhaps your engine can generate this error in
This is the first call in the engine and the set of n and e
doesn't raise any error (I've just tested it). The error occurs
on RSA_public_decrypt.
Frank Wockenfuß
I see no way RSA_public_decrypt can make ERR_GET_REASON return 101. If
you're 100% absolutely positively sure that's happening,
I do
ENGINE_load_builtin_engines();
before calling the decrypt function. There is no other engine
attached, I use the standard engines from OpenSSL 0.9.8e.
Are there other way to verify the signature with only the public key?
RSA_verify.
DS
Same mistake as before: 119 means RSA_R_WRONG_SIGNATURE_LENGTH
Frank Wockenfuß
Perhaps you aren't using the same padding as the signature was made with?
Perhaps what you have isn't really a signature at all. It's hard to say.
DS
Thanks, guys- this does indeed seem to be the cause of the problem.
I am going to fix my application to send all the data at once.
Best,
David
On Jul 27, 2007, at 5:53 PM, David Schwartz wrote:
First off have you tried to merge the application data for the
SSL_write() calls into larger
/server code.
Thanks, everyone, for your help so far with this.
--David
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List
First off have you tried to merge the application data for the
SSL_write() calls into larger writes ? That is don't write the
HTTP/1.1 200 Ok on its own, but concatenate the headers/content-body
into the same SSL_write() call so the total size for the call is at
least 1500 bytes but maybe
I have a Linux server application that calls SSL_write in a loop, and
polls the underlying socket using the poll(2) system call. In the
loop, the first few calls to poll return immediately with data on the
socket, but I'm finding that the last call to poll always takes about
50ms to before
connection? What happens between
the call to SSL_write and the point where the client receives the 200
OK message? The error may of course be on the client side, but I
just wanted to see if there is any debugging I could do on my
SSL_write call.
Thank you!
On Jul 26, 2007, at 3:38 PM, David
that I confirmed via log message that the
SSL_write operation completes before I call poll.
Thank you,
David
__
OpenSSL Project http://www.openssl.org
User Support Mailing List
Anybody have any idea which assembler is preferred when building with VC8?
I always build with masm, since it is installed with VC8 (the ml.exe in the
vc\bin directory is masm).
DS
__
OpenSSL Project
Thanks very much, I'm starting to understand this. One last question:
what's the difference between the export password and the password that
the system asks for when creating a key for which -des3 was specified?
Why doesn't the export just inherit/use the key encryption password?
This is
The pkcs12 export command seems to want both the certificate and the
private key to be able to create a certificate containing the private
key which the key owner can use to verify signatures and decrypt mail
signed and encrypted using his public key.
Decrypting mail requires the private
Perhaps wandering a bit off-topic, but in practice many CAs which are
trusted by most browsers will issue certificates to whomever controls
a domain at the time the cert is issued, and so there's very little
difference between trusting DNS and trusting DNS+SSL for site
authentication (though
Hi, I see this option when I import but I don't understand something
more fundamental. Why doesn't the cert itself have any password
protection? Is it because when I created it I specified the key
password only to build the cert from the key? And the cert gets built
with no protection?
NetSNMP is the open source SNMP management Kit which uses OpenSSL
Libcrypto.
I would like to know what changes I have to make in the NetSnmp to
access the FIPS compatible OpenSSL Libraries.
Go to this web page:
http://www.openssl.org/docs/fips/
Download and read the user's guide and security
Ramaniganth,
I worked on enhancing net-snmp to work with OpenSSL in FIPS mode a few
months ago. After seeming to get it to work, the project was shelved, so
the code never got published. But, I can tell you the approach I took.
First, I would echo the advice from David Schwartz to carefully
Not to beat a dead horse, but I forgot to mention that the application
does work properly when performing the same operations on non-SSL
connections. In other-words if I use telnet to connect to the server on
the non-SSL port and type nothing in the console and then have a second
client
Having only done minimal socket programming, I'm in a bit of a steep
learning curve right now. Other then understanding what a blocking and
non-blocking operation is, I don't fully understand the ramifications of
switching to non-blocking I/O. Compounding this issue is the third party
code,
We are working on a threaded solution but right now we are using some
third-party code (Webs 2.18) which is single threaded.
That's fine, but if you using blocking calls in a single-threaded
application, you can really only handle one client at a time.
I'm also not sure I understand your
No wonder I couldn't find the MakeCertificate function, it's actually
resides in an external library. I 'll try to do anything I could to make
sure it works as needed..
However, thank you very much for your help David Schwartz.. if you were in
java.sun.com forum I'd surely have given you
Hi, a question about the SSL:
In SSL, the server certificate is checked by the
client as to whether the server actually holds the
private key of it. This is done by client sending the
session key signed by server's public key.
So, why there is a need for a check of domain name in
the
I am hoping that someone can clear this up for me.
The tls1_PRF() function uses both the md5 and sha1 algorithms to generate
pseudo-random data. Since this function is used for TLS key
derivation, is
the md5 algorithm allowed for key derivation while operating in FIPS mode?
The MD5 is not
This function rounds an ASN1_UTCTIME up to the end of the day it belongs to.
You need to call this function on an ASN1_UTCTIME before you set it as the
'not valid after' date:
void X509_gmtime_roundup(ASN1_UTCTIME *s)
{ /* Rounds an ASN1_UTCTIME up to the end of the current day */
char buf[32];
I added the X509_gmtime_roundup(X509_get_notAfter(x)); at my
renewCertificate function. When I renewed the cert valid to for example, to
31/7/2007, the cert valid to will be strangely changed to '1/8/2007
7:59:59. May I know which part should I alter here?
There is nothing to change, as it
hold on! thanks a lot I managed to get it to 23:59:59. all i had to do was
change the value
strcpy(buf+6, 235959Z); to strcpy(buf+6, 155959Z);
I would not do that. There is no way you can know that 15:59:59 will
correspond to 24:59:59 in the future when the certificate expires. You are
I built OpenSSL with the FIPS module, and after a few issues built it
successfully on Solaris 10 (using Sun cc) and on Windows using MinGW.
Each works fine on its own platform, but if I encrypt on Solaris 10, I
get decryption errors on Windows, and vice versa.
Any ideas?
Did you do a 'make
thanks a lot for your lenghty explanation, David Schwartz. I really
appreciate it for you to help me explain all this. I noted you said that
what I did might be sensible if three things are the case:
1) The locale you are using the certificate has no daylight savings time.
2
801 - 900 of 1731 matches
Mail list logo
