X509_STORE_CTX_set_time usage
Hi All,

I am facing a problem with the check_cert_time function in the OpenSSL library. I am trying to handle the X509_V_ERR_CERT_NOT_YET_VALID and X509_V_ERR_CERT_NOT_YET_VALID errors. I am trying to simulate these errors with an expired certificate and a certificate that is not yet valid. The problem here is that I am always getting the error "certificate is not yet valid". I am not able to get the error "certificate has expired". I checked the function check_cert_time.

    static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
    {
        time_t *ptime;
        int i;

        /* Use the check time stored in the verify parameters if one was set */
        if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
            ptime = &ctx->param->check_time;
        else
            ptime = NULL;

        i = X509_cmp_time(X509_get_notBefore(x), ptime);
        if (i == 0) {
            ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
            ctx->current_cert = x;
            if (!ctx->verify_cb(0, ctx))
                return 0;
        }
        if (i > 0) {
            ctx->error = X509_V_ERR_CERT_NOT_YET_VALID;
            ctx->current_cert = x;
            if (!ctx->verify_cb(0, ctx))
                return 0;
        }

        i = X509_cmp_time(X509_get_notAfter(x), ptime);
        if (i == 0) {
            ctx->error = X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
            ctx->current_cert = x;
            if (!ctx->verify_cb(0, ctx))
                return 0;
        }
        if (i < 0) {
            ctx->error = X509_V_ERR_CERT_HAS_EXPIRED;
            ctx->current_cert = x;
            if (!ctx->verify_cb(0, ctx))
                return 0;
        }
        return 1;
    }

Here the value of i is always 1. Hence I am not able to simulate X509_V_ERR_CERT_HAS_EXPIRED. Here ctx->param->check_time is set by another function, X509_VERIFY_PARAM_set_time. The function X509_STORE_CTX_set_time invokes X509_VERIFY_PARAM_set_time. I wanted to know how the X509_STORE_CTX_set_time function is invoked and where it will be invoked. I am not able to find any information by browsing the code.

Thanks and Regards,
Jaya

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
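The decision order of the check_cert_time() quoted in the message above, as an added example that is not part of the original post and not OpenSSL source code. It is a simplified stand-alone model: the names check_cert_time_model, cmp_time_model and the V_* codes are hypothetical, only the 13-character UTCTime form is parsed, and unlike the real function it returns at the first failure instead of consulting a verify callback.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Simplified model, not OpenSSL source. Hypothetical codes standing in for X509_V_ERR_*. */
enum { V_OK, V_BAD_NOT_BEFORE, V_NOT_YET_VALID, V_BAD_NOT_AFTER, V_HAS_EXPIRED };

/* Expand ASN.1 UTCTime "YYMMDDHHMMSSZ" to "YYYYMMDDHHMMSS"; 0 on bad input. */
static int expand_utctime(const char *s, char out[15])
{
    if (strlen(s) != 13 || s[12] != 'Z') return 0;
    for (int k = 0; k < 12; k++)
        if (s[k] < '0' || s[k] > '9') return 0;
    memcpy(out, s[0] >= '5' ? "19" : "20", 2);  /* YY >= 50 means 19YY */
    memcpy(out + 2, s, 12);
    out[14] = '\0';
    return 1;
}

/* 0 = unparsable, -1 = cert time is at or before ref, 1 = cert time is later.
 * ref == NULL means "use the current time", like ptime == NULL in the post. */
static int cmp_time_model(const char *cert_time, const time_t *ref)
{
    char a[15], b[15];
    time_t t = ref ? *ref : time(NULL);
    struct tm *g = gmtime(&t);
    if (!g || !expand_utctime(cert_time, a)) return 0;
    strftime(b, sizeof b, "%Y%m%d%H%M%S", g);
    return strcmp(a, b) > 0 ? 1 : -1;
}

/* Same test order as the quoted check_cert_time(); returns the first failure. */
int check_cert_time_model(const char *nb, const char *na, const time_t *check_time)
{
    int i = cmp_time_model(nb, check_time);
    if (i == 0) return V_BAD_NOT_BEFORE;
    if (i > 0) return V_NOT_YET_VALID;   /* notBefore still in the future */
    i = cmp_time_model(na, check_time);
    if (i == 0) return V_BAD_NOT_AFTER;
    if (i < 0) return V_HAS_EXPIRED;     /* notAfter already passed */
    return V_OK;
}
int main(void)
{
    /* Constructed validity window 2007-01-01 .. 2009-01-01, checked at 2010-01-01. */
    time_t t = 1262304000;
    printf("%d\n", check_cert_time_model("070101000000Z", "090101000000Z", &t));
    return 0;
}
```

With the real library, an application supplies the reference time itself by calling X509_STORE_CTX_set_time(ctx, 0, t) after X509_STORE_CTX_init() and before X509_verify_cert(); when no check time is set, the comparison uses the current time.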
Re: [openssl.org #1611] [PATCH] NetWare platform OpenSSL 0.9.8g
Hi Steve,

> Patches applied.

thanks again - just tested with latest 0.9.9-dev snapshot, and all builds to completion! That's very great!!

> Copying is now done with the perl script copy.pl to avoid some problems with using copy.

ok, not yet checked the install target, but will soon do.

> Well the WIN32 build (and mk1mf.pl) didn't include some of the latest assembly language files. The AES_ASM_OBJ string needed to be added in another place to avoid it adding the object suffix.

aahh...

> I've now updated the WIN32 build system to use AES and some of the other assembly language files for SHA2 as well. You might want to do something similar for the netware build.

yes, sure! I've added the two new ones sha256 and sha512 to the NetWare build system, and also added Andy's autodetection of nasm - nasmw:
http://194.242.35.79/downloads/openssl/netware-openssl-SNAP-20080104.diff

now what's not clear to me is how the other sources get aware of existence of the sha2* asm objects? They get created and compiled, but I didn't see a new define like -DSHA2_ASM which tells the *.c files to plug in the asm stuff...

greets, Guenter.
Re: [openssl.org #1611] [PATCH] NetWare platform OpenSSL 0.9.8g
On Fri, Jan 04, 2008, Guenter Knauf wrote:

>> I've now updated the WIN32 build system to use AES and some of the other assembly language files for SHA2 as well. You might want to do something similar for the netware build.
>
> yes, sure! I've added the two new ones sha256 and sha512 to the NetWare build system, and also added Andy's autodetection of nasm - nasmw:
> http://194.242.35.79/downloads/openssl/netware-openssl-SNAP-20080104.diff
>
> now what's not clear to me is how the other sources get aware of existence of the sha2* asm objects? They get created and compiled, but I didn't see a new define like -DSHA2_ASM which tells the *.c files to plug in the asm stuff...

Applied. There are a couple of new ones which I'd initially omitted from the Windows build: -DSHA256_ASM and -DSHA512_ASM.

I've been meaning to redo the WIN32 assembly language support for a while now. Creating the things in the batch file seems a bit of a hack and they could be handled in the makefile in the same way as the Unix build. The Configure script also works out things like CFLAGS for the relevant options. The WIN32 build partly duplicates this functionality, it should really just pick up whatever options the Configure script has decided.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Tomcat + HttpClient + SSL + tcnative-1.dll issues?
Are there any known issues when using the Apache HttpClient to send https requests to Tomcat running with tcnative-1.dll? Perhaps different SSL stacks causing issues?

The issue we are seeing is duplicate messages: our HttpClient sends just one copy of the message (an https request), but on the Tomcat side (with tcnative-1.dll) we are seeing the message twice. This only happens with https and not http.

Stacy Johnson
Software Engineer
Voice Technology Group - CCBU
[EMAIL PROTECTED]
Phone :1 978 936 0689
Re: [openssl.org #1611] [PATCH] NetWare platform OpenSSL 0.9.8g
Hi Steve,

> Applied.

thanks again!

> There are a couple of new ones which I'd initially omitted from the Windows build: -DSHA256_ASM and -DSHA512_ASM.

ok - then I need these also in netware.pl - see patch below and attached:

--- netware.pl.orig Fri Jan 04 13:05:02 2008 +++ netware.pl Fri Jan 04 20:33:27 2008 @@ -332,7 +332,8 @@ $whirlpool_asm_src=crypto${o}whrlpool${o}asm${o}wp-nw.asm; $cpuid_asm_obj=\$(OBJ_D)${o}x86cpuid-nw${obj}; $cpuid_asm_src=crypto${o}x86cpuid-nw.asm; - $cflags.= -DOPENSSL_CPUID_OBJ -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DMD5_ASM -DSHA1_ASM -DWHIRLPOOL_ASM; + $cflags.= -DOPENSSL_CPUID_OBJ -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DMD5_ASM -DWHIRLPOOL_ASM; + $cflags.= -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM; $cflags.= -DAES_ASM -DRMD160_ASM; } else

> Creating the things in the batch file seems a bit of a hack and they could be handled in the makefile in the same way as the Unix build. The Configure script also works out things like CFLAGS for the relevant options. The WIN32 build partly duplicates this functionality, it should really just pick up whatever options the Configure script has decided.

hmm, since the configure script is written in Perl I was also already thinking if we could work with that only. If I have next some spare time I will give it a try, and try to figure out what's adaptable from Unix world.

thanks, Guen.

netware.pl.diff Description: Binary data
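Review bot: the added line "$cflags.= -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM;" switches on SHA256_ASM and SHA512_ASM in the same branch as the other assembler defines, but the visible context only shows the whirlpool and cpuid object and source variables, so the hunk by itself does not show that sha256 and sha512 assembler objects are built and linked for this target. These defines make the C sources depend on the assembler routines, so a define without its object leaves the build without that routine. Worth confirming that the matching sha256/sha512 object and source assignments sit in this same block (the earlier netware-openssl-SNAP-20080104.diff is described as adding them), and a short comment tying each -D..._ASM define to its object variable would keep the two from drifting apart.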
Re: [openssl.org #1611] [PATCH] NetWare platform OpenSSL 0.9.8g
On Sat, Jan 05, 2008, Guenter Knauf wrote:

>> Creating the things in the batch file seems a bit of a hack and they could be handled in the makefile in the same way as the Unix build. The Configure script also works out things like CFLAGS for the relevant options. The WIN32 build partly duplicates this functionality, it should really just pick up whatever options the Configure script has decided.
>
> hmm, since the configure script is written in Perl I was also already thinking if we could work with that only If I have next some spare time I will give it a try, and try to figure out what's adaptable from Unix world

Well the ultimate I suppose would be to make the builds all consistent and avoid the batch files entirely. So you could do on WIN32:

    perl Configure VC-WIN32 [options]
    nmake

For WIN32 I'll initially be looking at picking up and defining some CFLAGS from the Configure script and auto building the assembly language files from the perl scripts. That will have some relevance to other mk1mf builds too.

I notice that another is missing from the WIN32 builds: the BN_ASM_MONT files.

Steve.