OpenSSL Certificate
Hi folks, I have successfully installed and experimented with the open SSL package on our local Solaris machine. I managed to generate a self-signed certificate using the 'openssl req -new ...' command. You find in attach of this mail certreq.pkc file in order to sign a certificate using the experimental certification authority 'openssl ca -in ...'. Thanks for your help, Riadh KHALFALLAH Phd in Computer Science MedSoft, Tunisia -- Riadh KHALFALLAH Chef de projet - Medsoft Rue 101, Immeuble Astre Les Berges du Lac 2045 Tunis - Tunisie Tl.: (216)(1) 862 955 Fax: (216)(1) 862 956 E-mail : [EMAIL PROTECTED] Name of the Webmaster: RIDCHA E-mail address of the Webmaster: [EMAIL PROTECTED] Name and Version number of the software: Generated for: Oracle Application Server Release 4.0.8.1.0 Generated using: genreq version 1.0 Distinguished Name: Common Name: www.medsoft.com.tn Org-unit: service developement Organization: Medsoft Locality: les berges du lac State or Province: tunis Country: TN -BEGIN NEW CERTIFICATE REQUEST- MIIBQjCB7QIBADCBhzELMAkGA1UEBhMCVE4xDjAMBgNVBAgTBXR1bmlzMRowGAYD VQQHExFsZXMgYmVyZ2VzIGR1IGxhYzEQMA4GA1UEChQHTWVkc29mdDEdMBsGA1UE CxQUc2VydmljZSBkZXZlbG9wZW1lbnQxGzAZBgNVBAMTEnd3dy5tZWRzb2Z0LmNv bS50bjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQCfZv3rx0j4UJjQUT97EO4oO1pw 0fRxeVhQbt0X6FZLA7Dqy4+UjX157sPp/iT7jz1LOk9tESOXIxwXNMhYweYvAgMB AAGgADANBgkqhkiG9w0BAQQFAANBAHvDqxOBgotVnB2K6A8EVpcXSHyJqAdM2l9E xG82Gas0tSMirLnbo5Tansq2LHWjQOiQxvl//QIRflva6UJ/2sY= -END NEW CERTIFICATE REQUEST-
Re: How to make a CA signed certificate (in code)
Kim, since X.509 certificate is somethingToBeSigned and signature over that once can use X509_sign() to do it. Probably you mean certify_cert() and, yes, lots of parameters there to specify certificate content. Regards, Vadim On Fri, 16 Feb 2001, Hellan,Kim KHE wrote: Hi I'm trying to make a CA signed certificate. I already have composed/loaded all of the following "parts" for the certificate: EVP_PKEY* pCAKey; /* CA private key */ X509* pCACert; /* CA root certificate */ X509_NAME* pX509Subject; /* Certificate subject */ EVP_PKEY* pPubKey;/* Certificate public key */ STACK_OF(X509_EXTENSION)* pExtensions;/* X509v3 extensions */ unsigned long ulNoDaysValid; /* Valid_from is the current time */ unsigned long ulCertSerialNo; Now I "just" need to combine all this into a certificate. I have looked at the CA/X509 apps, but its a bit confusing since they contain a lot of code that I don't really need, since I have all the "parts" ready and I don't use a config file. I also looked at the X509_Certify() function, but it has so many arguments and some of them I don't event know what are. I would really appreciate if someone could help me how to get the last bit of the way, composing and signing the certificate. Any hints are welcome! TIA Kim Hellan KMD / KMD-CA http://www.kmd-ca.dk Mailto:[EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
DH_generate_parameters and primes
Hi, When I call DH_compute_key(), I get a core dump. If I run DH_check over the parameters passed to DH_compute_key() I get bit 1 set, which according to dh.h means that number generated is not prime; presumably, this is causing DH_compute_key() to croak. This is a short excerpt: unsigned char *client_key; BIGNUM client_key; DH *dh_struct; dh_struct= DH_new(); dh_struct= DH_generate_parameters(64, 5, NULL, NULL); DH_check(dh_struct, dh_error); DH_generate_key(dh_struct); DH_compute_key(dh_secret, client_key, dh_struct); I do this to generate the keys once for the server, and once for the client; it works fine on the client, but not on the server (the code is essentially the same for both of them). Am I passing the correct parameters to DH_generate_parameters? Any ideas? josh. --- Josh Howlett, Network Supervisor, Networking and Digital Communications, Information Services. [EMAIL PROTECTED] | 0117 9546895 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Bug? no_tmp_rsa flag ignored in s_server
Hi, I'm using 0.9.5a, but this should be easy to check in 0.9.6: The no_tmp_rsa flag in s_server is ignored. There is an "#if 1" that forces a callback to be used (which ignores the flag), blocking the code that would test the flag before setting a value. Simply grep for no_tmp_rsa in s_server.c and you'll see the problem, it's obvious. The simplest fix (imho) is to make setting the callback conditional on the flag - if the callback is not set then corresponding ciphers suites are not used. Andrew __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
PKCS12
Hi, Tomcat use SSL directly, I use the keytool of the JDK to generate the key pair and a self certificate. I need to generate certificates for clients but the browser says that if have to be in the format PKCS12. For the keytool I specify a keystore type at the command line, via the -storetype option and I put that uses the pkcs12, but it not function, also I changed the value of the keystore.type property specified in the security properties file " java.security", that resides in the JDK security properties directory, java.home\lib\security and also didnt function. How can I generate a certificate with the pkcs12 format using the keytool of the JDK?? Julie. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
No Subject
get your own 100 meg web site for only $11.95 per month today! STOP PAYING $19.95 or more PER MONTH for your web site, WHEN YOU CAN GET ONE FOR ONLY $11.95 PER MONTH! DO YOU ALREADY HAVE A WEBSITE? ALL YOU HAVE TO DO IS TRANSFER THE DOMAIN TO OUR SERVERS AND UPLOAD YOUR DATA AND YOU ARE READY TO GO! YOUR NEW WEB SPACE CAN BE CREATED INSTANTLY WITH JUST A SIMPLE PHONE CALL OUR OFFICE. YOU CAN CHANGE YOUR SITE AS MUCH AS YOU WANT with no extra charge! UNLIMITED TRAFFIC -- no extra charge! A SET UP FEE OF $40.00 APPLIES for FIRST TIME CUSTOMERS. ALL FEES PREPAID IN ADVANCE FOR THE YEAR PLUS A $40.00 SET UP CHARGE. FOR DETAILS CALL 1 888 248 0765 or fax 240 337 8325 WEB HOSTING INTERNATIONAL __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Compiling for BC5.02
Hi, Sorry if this is a stupid question, I have already read the faq and searched google for an answer... I have BC5.02 and bcb4, I have noticed that it appears that some people have gotten openssl to compile under 5.02, but I havent been able to figure out what commands i need to type to set it up. I tried runningn the bcb4 setup, it generated a make file which 'make' wouldnt compile. Could it be the problem with having both compilers on the system. I really need to be using ssl with a BC5.02 program (not bcb4, although having it work in bcb4 would be a temporary solution) Thanks for any help. Regards Jacob Rhoden ___ "Have a nice day.. unless, you have planned otherwise" System Administrator / Web Developer / Programmer Jacob Rhoden - [EMAIL PROTECTED] - 0403 788 386 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Why is mod_ssl OK with NN 4.5?!
Thanks. I eventually reduced the problem to s_server running against a stripped-down version of my server, all on a newly installed OS (to avoid DLL confusion). After adding trace statements to the code I found that I was missing a callback in my code to calculate a temporary RSA key (yes, I could have spotted it from s_server output further down the page if I had thought more clearly; yes I could have spotted it by comparing source if I had concentrated better...!) Cheers, Andrew At 12:10 PM 2/16/01 +0100, Lutz Jaenicke wrote: On Fri, Feb 16, 2001 at 10:56:47AM +, Andrew Cooke wrote: Thanks for two good suggestions. Although I was using neither, they don't change much: - I am now using SSLv23_method and SSL_OP_ALL - The connection fails unless SSL_OP_NO_SSLv3 is included (ie SSLv3 is excluded) - The error is now "No common cipher" (handshake B; no handshake A) "No common cipher" suggests *very* strongly that I have an error in my compilation/linking/library that is excluding some cipher suite. However, when I list the available ciphers from within the code everything seems correct and the same libraries work with SSLv2 (or rather, with SSLv3 disabled) and with other browsers. I don't have a NN 4.5 available by now, it is quite old, isn't it. The "No common cipher" seems a bit strange to me. Let me suggest two more things: - Set up s_server and try to connect to it. s_server will probably more comparable to your code. (With or without bug workarounds, see the list of options.) - There is a difference to mod_ssl in that mod_ssl also restricts the ciphers allowed by removing the EXPORT56 ciphers. There is a IE bug with them, I am not aware that Netscape should also be affected, but it is well worth a try. If this applies, the first test should have failed :-) Check out the default cipherstring used in mod_ssl and use it for s_server. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Export IPlanet certificates to Apache/mod_ssl
I've seen a few references to this topic, but only one solution. (That appears to only work for Netscape Enterprise 3.6, not 4.1) It can be found at http://mah.everybody.org/docs/netscape-to-apache . Is there any other way of exporting/importing the certificate? The deal is we are running into issues with Netscape IPlanet that is causing our app to fail, where it does not in Apache. We want to switch while being a seamless as possible to the users. (Ie. Turn off one, and turn on another one whevever we are ready. Don't want to wait for DNS to propigate etc.) I am not above ordering a new certificate, but would rather not. Any help you have is appreciated. Ren West __ Do You Yahoo!? Get personalized email addresses from Yahoo! Mail - only $35 a year! http://personal.mail.yahoo.com/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: How to make a CA signed certificate (in code)
"Hellan,Kim KHE" wrote: Hi I'm trying to make a CA signed certificate. I already have composed/loaded all of the following "parts" for the certificate: EVP_PKEY* pCAKey; /* CA private key */ X509* pCACert; /* CA root certificate */ X509_NAME* pX509Subject;/* Certificate subject */ EVP_PKEY* pPubKey; /* Certificate public key */ STACK_OF(X509_EXTENSION)* pExtensions; /* X509v3 extensions */ unsigned long ulNoDaysValid;/* Valid_from is the current time */ unsigned long ulCertSerialNo; Now I "just" need to combine all this into a certificate. I have looked at the CA/X509 apps, but its a bit confusing since they contain a lot of code that I don't really need, since I have all the "parts" ready and I don't use a config file. I also looked at the X509_Certify() function, but it has so many arguments and some of them I don't event know what are. I would really appreciate if someone could help me how to get the last bit of the way, composing and signing the certificate. Any hints are welcome! There's a simpler example in demos/selfsign.c . This creates self signed certificates but its easy enough to adapt. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Serial number on self signed Root CA certificate
Sandipan Gangopadhyay wrote: I am issuing a self signed (Root CA) certificate as follows - ./openssl req -new -x509 -days 365 -key ca.key -out ca.crt It writes a serial number 0 ! ./openssl ca takes the serial number from a source such as ./demoCA/serial How do I make openssl req in -x509 mode do the same or is there some other way to set the serial such as -CAsetserial ? There isn't any option to do this however since this has been frequently requested I've added an option req and x509. It will be in the next snapshot and should be fairly easy to adapt to older versions of OpenSSL. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Exportable cipher suite
On Fri, 16 Feb 2001, Patrick Li wrote: Thanks for the information. Does that mean there is no longer restrictions on using any of the cipher suites specified by TLS or SSL outside of the US? Sorry for a simple question. But is it still the case that only Canada and US are allowed to use browers with 128 bit encryption strength? Who is the party who would allow one nation but not another to use an algorithm, and punish infractions? You should check with local laws at the point of use to find out what you are permitted to *use*. The U.S. once had rather severe restrictions on what encryption *products* could be *exported*, but citizens could *use* whatever would work so long as they didn't try to send the software *itself* out of the country. (One exception is amateur radio, which used to be *heavily* restricted as to the nature of the signal used to modulate the carrier. This was many years ago, and I don't know the current situation.) The U. S. still maintains a pretense of regulation, though it is very much relaxed. You should get advice from an attorney with experience in export law before attempting to export from the U.S. or Canada any given technology for secure communication. -- Mark H. Wood, Lead System Programmer [EMAIL PROTECTED] Make a good day. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
new oscp code
Hello, I wonder whether it would be useful to allow that a client can also may its OCSP request through some proxy, I guess yes. the real question is whether someone has looked in the socket bio used in ocsp.c to see how code to allow at least some things could be added: - connection through an 'http' proxy, i.e. sending the complete URL to a proxy instead of the host. - connection through an SSL proxy, i.e. using CONNECT - One might add proxy authentication methods or else. - ... Regards Peter Sylvester __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSH and SSL
Hi everybody, I am working on a VB Client for SSH. I read the RFC's and barely understood anything. I talked to some people on deja and they said I have to get openssl, compile it and use the DLLs. I've done that but cannot reference the DLLs in VB. I have the exe's and dlls sitting in one directory but I'm not sure what I'm supposed to do. I was up all night last night(and the previous 3 nights) doing this stuff and can't figure it out so any help would be appreciated. Thanks __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: DH_generate_parameters and primes
The first param to DH_generate_parameters() is supposed to be the number of *bits* in the prime, not bytes (see http://www.openssl.org/docs/crypto/DH_generate_parameters.html#). My guess is you really want 64*8 for that parameter. Also, DH_generate_parameters() creates the DH structure for you. Your first call to DH_new() doesn't do anything except create a memory leak. DH_check() returns its answer in the integer *pointed* to by the second parameter. So, if dh_error is an int then you need to pass dh_error to DH_check(). _ Greg Stark Ethentica, Inc. [EMAIL PROTECTED] _ - Original Message - From: "Josh Howlett" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, February 19, 2001 1:17 PM Subject: DH_generate_parameters and primes Hi, When I call DH_compute_key(), I get a core dump. If I run DH_check over the parameters passed to DH_compute_key() I get bit 1 set, which according to dh.h means that number generated is not prime; presumably, this is causing DH_compute_key() to croak. This is a short excerpt: unsigned char *client_key; BIGNUM client_key; DH *dh_struct; dh_struct= DH_new(); dh_struct= DH_generate_parameters(64, 5, NULL, NULL); DH_check(dh_struct, dh_error); DH_generate_key(dh_struct); DH_compute_key(dh_secret, client_key, dh_struct); I do this to generate the keys once for the server, and once for the client; it works fine on the client, but not on the server (the code is essentially the same for both of them). Am I passing the correct parameters to DH_generate_parameters? Any ideas? josh. --- Josh Howlett, Network Supervisor, Networking and Digital Communications, Information Services. [EMAIL PROTECTED] | 0117 9546895 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Export IPlanet certificates to Apache/mod_ssl
Ren West wrote: I've seen a few references to this topic, but only one solution. (That appears to only work for Netscape Enterprise 3.6, not 4.1) It can be found at http://mah.everybody.org/docs/netscape-to-apache . Is there any other way of exporting/importing the certificate? The deal is we are running into issues with Netscape IPlanet that is causing our app to fail, where it does not in Apache. We want to switch while being a seamless as possible to the users. (Ie. Turn off one, and turn on another one whevever we are ready. Don't want to wait for DNS to propigate etc.) I am not above ordering a new certificate, but would rather not. Any help you have is appreciated. Try renaming the key and certificate database files to key3.db and cert7.db, copy to a Netscape 4.X profile and see if the certificate appears. If so export it and use the OpenSSL pkcs12 utility on it. Steve. -- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Celo Communications: http://www.celocom.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: new oscp code
From: Peter Sylvester [EMAIL PROTECTED] Peter.Sylvester I wonder whether it would be useful to allow that a Peter.Sylvester client can also may its OCSP request through some Peter.Sylvester proxy, I guess yes. Nothing actually stops you from doing such a thing. I've no idea if that has an impact on security... Peter.Sylvester the real question is whether someone has looked in Peter.Sylvester the socket bio used in ocsp.c to see how code to Peter.Sylvester allow at least some things could be added: Peter.Sylvester Peter.Sylvester - connection through an 'http' proxy, i.e. sending Peter.Sylvester the complete URL to a proxy instead of the host. Peter.Sylvester Peter.Sylvester - connection through an SSL proxy, i.e. using CONNECT Peter.Sylvester Peter.Sylvester - One might add proxy authentication methods or else. Do you mean that this should be added into OpenSSL (libcrypto)? I wonder why, because after all, OpenSSL isn't meant to implement an HTTP client, although we currently have HTTP code in the OCSP code. I think code to implement HTTP access throguha HTTP proxy belongs in another library, like libwww (there's a transport class available with libwww that makes it use OpenSSL. Last time I looked, it wasn't very advanced at all, however). -- Richard Levitte \ Spannvgen 38, II \ [EMAIL PROTECTED] Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Software Engineer, Celo Communications: http://www.celocom.com/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Net::SSLeay and certificate verification
Hi -
I have been for some time trying to figure out how to do certificate
verification with the Net::SSLeay perl module. Unfortunately there is no
documentation on this anywhere in the module, and the one sample program
which uses callbacks does not fail if it is an invalid cert. Also
unfortunately, I can not find very much good documentation in general on how
to do this, so i apologize if I do not explain my problem very well.
Basically what I am trying to do is this:
/usr/local/ssl/bin/openssl s_client -connect www.equifax.com:443 -verify
-1 -CApath .
With a thawte certificate and hashed symlink in the local directory, but in
a perl script. The trick here is the -1 verification, I want this perl
script to fail unless it can have -1 verification (sorry if incorrect term).
Right now, the callback.pl script verifies at 1, so it will verify any site
you connect to provided only you have some (any) cert. How do i get it to
only verify if it can trace the cert chain back up to, say thawte? Here is
a copy of the verify function (and what sets it) also.
$ctx = Net::SSLeay::CTX_new() or die_now("Failed to create SSL_CTX $!");
Net::SSLeay::CTX_set_default_verify_paths($ctx);
Net::SSLeay::CTX_load_verify_locations($ctx, '', $cert_dir)
or die_now("CTX load verify loc=`$cert_dir' $!");
Net::SSLeay::CTX_set_verify($ctx, 0, \verify);
die_if_ssl_error('callback: ctx set verify');
sub verify {
my ($ok, $x509_store_ctx) = @_;
print " Verify called ($ok)\n";
my $x = Net::SSLeay::X509_STORE_CTX_get_current_cert($x509_store_ctx);
if ($x) {
print "Certificate:\n";
print " Subject Name: "
. Net::SSLeay::X509_NAME_oneline(
Net::SSLeay::X509_get_subject_name($x))
. "\n";
print " Issuer Name: "
. Net::SSLeay::X509_NAME_oneline(
Net::SSLeay::X509_get_issuer_name($x))
. "\n";
}
$callback_called++;
return $ok; #$ok; # 1=accept cert, 0=reject
}
When I run this without the thawte certificate, while connecting to
mycio.com (issued by equifax, issued by thawte), verify is called, and
returns:
Verify called (0)
Certificate:
Subject Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2
Issuer Name: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server
[EMAIL PROTECTED]
Verify called (1)
Certificate:
Subject Name: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server
[EMAIL PROTECTED]
Issuer Name: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server
[EMAIL PROTECTED]
Verify called (1)
Certificate:
Subject Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2
Issuer Name: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server
[EMAIL PROTECTED]
Verify called (1)
Certificate:
Subject Name: /C=US/ST=California/L=Santa Clara/O=Network
Associates/OU=myCIO.com/CN=www.mycio.com
Issuer Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2
However, when I try to connect to a site using a snakeoil cert, it returns
Verify called (0)
Certificate:
Subject Name:
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C
[EMAIL PROTECTED]
Issuer Name:
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C
[EMAIL PROTECTED]
Verify called (1)
Certificate:
Subject Name:
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C
[EMAIL PROTECTED]
Issuer Name:
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/C
[EMAIL PROTECTED]
And still verifies. What do I need to do? Once again, I apologize if this
sounds silly, but I can not find _any_ good documentation about this, and I
have never done any C openssl stuff. Thanks.
-Ian
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: SSH and SSL
On Mon, Feb 19, 2001 at 10:02:39AM -0500, [EMAIL PROTECTED] wrote: Hi everybody, I am working on a VB Client for SSH. I read the RFC's and barely understood anything. I talked to some people on deja and they said I have to get openssl, compile it and use the DLLs. I've done that but cannot reference the DLLs in VB. I have the exe's and dlls sitting in one directory but I'm not sure what I'm supposed to do. I was up all night last night(and the previous 3 nights) doing this stuff and can't figure it out so any help would be appreciated. I think you have a lot of research ahead of you, grasshopper :-) If you want to write an SSH client which isn't broken you'll need a pretty good understanding of the crypto and the protocols. Kris PGP signature
RE: :SSLeay and certificate verification
Nevermind, I ended up realising that there is actually documentation of each
function in the see also section on openssl.org (which i had never noticed
before), so I just rewrote it in C. And it works :-)
-Ian
-Original Message-
From: Shaughnessy, Ian
To: '[EMAIL PROTECTED]'
Sent: 2/19/01 1:17 PM
Subject: Net::SSLeay and certificate verification
Hi -
I have been for some time trying to figure out how to do certificate
verification with the Net::SSLeay perl module. Unfortunately there is
no
documentation on this anywhere in the module, and the one sample program
which uses callbacks does not fail if it is an invalid cert. Also
unfortunately, I can not find very much good documentation in general on
how
to do this, so i apologize if I do not explain my problem very well.
Basically what I am trying to do is this:
/usr/local/ssl/bin/openssl s_client -connect www.equifax.com:443
-verify
-1 -CApath .
With a thawte certificate and hashed symlink in the local directory, but
in
a perl script. The trick here is the -1 verification, I want this perl
script to fail unless it can have -1 verification (sorry if incorrect
term).
Right now, the callback.pl script verifies at 1, so it will verify any
site
you connect to provided only you have some (any) cert. How do i get it
to
only verify if it can trace the cert chain back up to, say thawte? Here
is
a copy of the verify function (and what sets it) also.
$ctx = Net::SSLeay::CTX_new() or die_now("Failed to create SSL_CTX $!");
Net::SSLeay::CTX_set_default_verify_paths($ctx);
Net::SSLeay::CTX_load_verify_locations($ctx, '', $cert_dir)
or die_now("CTX load verify loc=`$cert_dir' $!");
Net::SSLeay::CTX_set_verify($ctx, 0, \verify);
die_if_ssl_error('callback: ctx set verify');
sub verify {
my ($ok, $x509_store_ctx) = @_;
print " Verify called ($ok)\n";
my $x =
Net::SSLeay::X509_STORE_CTX_get_current_cert($x509_store_ctx);
if ($x) {
print "Certificate:\n";
print " Subject Name: "
. Net::SSLeay::X509_NAME_oneline(
Net::SSLeay::X509_get_subject_name($x))
. "\n";
print " Issuer Name: "
. Net::SSLeay::X509_NAME_oneline(
Net::SSLeay::X509_get_issuer_name($x))
. "\n";
}
$callback_called++;
return $ok; #$ok; # 1=accept cert, 0=reject
}
When I run this without the thawte certificate, while connecting to
mycio.com (issued by equifax, issued by thawte), verify is called, and
returns:
Verify called (0)
Certificate:
Subject Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business
CA-2
Issuer Name: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server
[EMAIL PROTECTED]
Verify called (1)
Certificate:
Subject Name: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server
[EMAIL PROTECTED]
Issuer Name: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server
[EMAIL PROTECTED]
Verify called (1)
Certificate:
Subject Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business
CA-2
Issuer Name: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Server
[EMAIL PROTECTED]
Verify called (1)
Certificate:
Subject Name: /C=US/ST=California/L=Santa Clara/O=Network
Associates/OU=myCIO.com/CN=www.mycio.com
Issuer Name: /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business
CA-2
However, when I try to connect to a site using a snakeoil cert, it
returns
Verify called (0)
Certificate:
Subject Name:
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUn
it/C
[EMAIL PROTECTED]
Issuer Name:
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUn
it/C
[EMAIL PROTECTED]
Verify called (1)
Certificate:
Subject Name:
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUn
it/C
[EMAIL PROTECTED]
Issuer Name:
/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUn
it/C
[EMAIL PROTECTED]
And still verifies. What do I need to do? Once again, I apologize if
this
sounds silly, but I can not find _any_ good documentation about this,
and I
have never done any C openssl stuff. Thanks.
-Ian
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Recipe: Getting SSL and WebObjects 4.5 to live happily togetheron MacOS X Server 1.2
I've got a recipe to install: openssl-0.9.6 mod_ssl-2.8.0-1.3.17 apache_1.3.17 and WebObjects 4.5 on MacOS X Server 1.2 It's working on our server right now. This recipe is a compilation of the helpful hints and suggestions from a few people from a few lists :) 0) su to root. 1) get the tarballs wget http://www.modssl.org/source/mod_ssl-2.8.0-1.3.17.tar.gz wget http://www.apache.org/dist/apache_1.3.17.tar.gz wget http://www.openssl.org/source/openssl-0.9.6.tar.gz 2) extract them gnutar xzf mod_ssl-2.8.0-1.3.17.tar.gz gnutar xzf apache_1.3.17.tar.gz gnutar xzf openssl-0.9.6.tar.gz 3) 'Fix' openssl Find openssl-0.9.6/apps/speed.c and add at the end of line 90 the following text: " !defined(__MACOSXSERVER__)" 4) build openssl cd openssl-0.9.6 ./config no-threads -D__MACOSXSERVER__ make clean make make test make install 5) Get ready to build mod_ssl 5.1) Borrowed from Scott's article in Stepwise, supply the compiler flag: -DDYLD_CANT_UNLOAD. Scott used EXTRA_CFLAGS but the configure chastised me for doing so, suggesting that I use CFLAGS setenv CFLAGS "-DDYLD_CANT_UNLOAD" 5.2) On my test machine, I renamed apache.conf in /Local/Library/WebServer/Configure. I did this so I'd know for sure that a new .conf file would be installed. I'm not sure how important it was to do that... There was a point where I was doing random behaviours hoping something would work... On our main server, I renamed the Configure directory as well as /Local/Library/Apache... 5.3) configure for mod_ssl cd mod_ssl-2.8.0-1.3.17 ./configure \ --with-apache=../apache_1.3.17 \ --with-ssl=../openssl-0.9.6 \ --prefix=/Local/Library/WebServer \ --exec-prefix=/usr/local\ --libexecdir=/Local/Library/Apache/Modules \ --iconsdir=/Local/Library/Apache/Icons \ --includedir=/Local/Library/Frameworks/Apache.framework/Versions/1.3/Header s \ --target=apache \ --enable-rule=SSL_SDBM \ --enable-module=most\ --enable-shared=ssl \ --enable-shared=max That line starting with "--includedir" is a long one - watch out for wrapped lines :) 6) build Apache Just follow the instructions that the mod_ssl configure tells you to do: cd ../apache_1.3.17 make make certificate make install 7) build WebObjects Adaptor This is almost just like in Scott's Stepwise article... 7.1) create the Adaptors directory structure cp -r /System/Developer/Examples/WebObjects/Source/Adaptors . chmod -R ug+w Adaptors/Adaptor 7.2) Alter Makefile to supply the -DEAPI flag. Edit Adaptors/Apache/Makefile to add -DEAPI to CFLAGS. I just pasted "-DEAPI" to the end of both line 68 and 70 (overkill I know...) 7.3) Make and install the adaptor make \ "APXS = /usr/local/sbin/apxs" \ "APACHEHEADERS=/Local/Library/Frameworks/Apache.framework/Versions/1.3/Heade rs" install mod_WebObjects.so /Local/Library/Apache/Modules/ That line starting with "\"APACHEHEADERS" is a long one - watch out for wrapped lines :) 8) Post stuff Because I set aside my apache.conf file and a bunch of other stuff, I had to go through the new configuration and make sure that everything was okay. In particular, I made sure that references to WebObjects found in the original apache.conf file were restored in the new apache.conf, the ssl keys/certficates/etc were put back, etc... Once I had my basic recipe figured out, the process was pretty quick :) One problem that I still have (I was hoping that this upgrade would have fixed this) is that I get intermittent "Data Encryption Error" (on IE) or "Network IO Error" (on Netscape). This error did not come up with the test certificate, the one signed by Snake Oil Any ideas on this would be greatly appreciated! Mark __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
