Do you know where I can get license terms for Open SSL 2.0?
We are planning to embed Open SSL 2.0 into our products for commercial purposes. I am trying to get license terms and conditions for Open SSL, but so far no luck. Do you know how I can get license terms for Open SSL? If there are no particular license terms and conditions, can you tell me how ISVs use Open SSL for their products? Any example will be very helpful for us. Your responses will be highly appreciated. Thank you very much for your help.

Best,
Eric Maruta
Re: Do you know where I can get license terms for Open SSL 2.0?
On Tue, Oct 16, 2001 at 08:59:44PM -0400, Maruta, Eric wrote:
> We are planning to embed Open SSL 2.0 into our products for commercial purpose. I am trying to get license terms and conditions for Open SSL, but so far no luck.

It is part of the distribution: LICENSE. You can also read the most recent version at
http://www.openssl.org/source/cvs/exp/LICENSE?rev=1.7&hideattic=1&sortbydate=0

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
using own CA certs with various clients
Hi,

I am using openssl to secure a number of services in my organization: http, imap, smtp, ldap etc... For our internal servers we have been able to generate CA certs with openssl and sign our own certificates and all the services work great, EXCEPT the client software always complains that the certificate chain doesn't end with a trusted CA. I am speaking specifically about MS-outlook and netscape. outlook complains every single session where netscape at least gives you the option to accept the certificate forever. Anyway I am sure other clients would complain too.

My question is how can I prevent these messages, how can I get the client software to trust our own CA cert. On the web I searched and someone said to make a pkcs12 client cert.. anyway I tried that in a number of ways and it didn't work... And I really don't care about verifying the client... I just want to make the client trust the homegrown CA.

Any help would be much appreciated.

Thanks
Zachary.
PKCS#7 with BER Format
Can OpenSSL process PKCS#7 files in the BER format? I know DER is a subset of BER and I'm wondering if there are any BER formatted files that OpenSSL can't handle.

Thanks,
Don
AW: How do I install OPENSSL on Solaris 2.x
go to www.sunfreeware.com, select your solaris version and see further instructions.
openssl smime and certificates chains in signatures?
My understanding is that usually there's a complete certificate chain in an smime signature. Is there a way to extract _all_ the certificates in the chain using the openssl command? openssl pkcs7 -print_certs seems to extract only the signer's certificate and not any of the intermediate or CA certificates.

Cheers!
Dima
Re: How to use OpenSSL in MS-Windows Environment
You can download the source from the OpenSSL website and then follow the instructions in the INSTALL.W32 file to compile the DLLs yourself. There are some simple example applications under the demo directory that you can refer to.

Michael Lee

----- Original Message -----
From: lawrence [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 17, 2001 2:57 PM
Subject: How to use OpenSSL in MS-Windows Environment

I would like to use SSL in my project. However, I don't have any idea how to do it. I have some questions listed below:
1. What are the files that I need to download in order to use OpenSSL in my program?
2. Is there any compiled DLL for MS-Windows? If yes, where can I download the DLL, DLL source code and the documentation?

Thanks and Regards,
LAWRENCE LOW
RE: Compiled Win32 version
I'd like to have a copy also.

LAWRENCE LOW

-----Original Message-----
From: LaDon L Harrison [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 18, 2001 7:06 AM
To: [EMAIL PROTECTED]
Subject: Compiled Win32 version

Hi,

I'm trying to use openssl-0.9.6b in conjunction with Win2K/Apache/The Exchange Project to enable an e-commerce site. Does anyone there have a compiled version of this code I can download? I do not possess the necessary skills to compile it on my own.

Thanks much.
LaDon
pkcs12 error message
I'm trying to create a p12 file from a pem file (a .crt file) and I get the following error message:

openssl pkcs12 -export -in w.crt -out w.p12 -name micert
Error loading private key
995:error::PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: ANY PRIVATE KEY

I did this where I have the private keys and nothing. Is something wrong in my instruction? Any clue will help. Is there another way to do this? Thanks.

juan carlos albores
How to create a restorable PKCS#12 file for Netscape 6
Hi All,

I am new to this mailing list. Maybe this is a FAQ but I couldn't find an answer.

I have my own CA (for servlet development purposes) and created a client cert, named usercert.pem and userkey.pem, signed by the CA's cert. From these files, I created a PKCS#12 format cert file with:

# openssl pkcs12 -export -in usercert.pem -inkey userkey.pem \
    -out user.p12

The user.p12 is importable for IE5.x, IE6, and Netscape 4.x. But not for Netscape 6. Actually, Netscape 6 has no "import a certificate" dialog/menu or something like that; it has certificate backup/restore buttons instead. I used the restore button to import the user.p12, but Netscape 6 said that restoring the user.p12 failed :-

So, the following is what I did for using the user.p12 in Netscape 6:
1. Import the user.p12 into Netscape 4.x.
2. Export the certificate from Netscape 4.x, named userX.p12.
3. Restore the userX.p12 into Netscape 6 via the restore button.

Does anyone know the proper openssl command line option(s) to create a Netscape 6 importable PKCS#12 certificate? Any information is welcome.

FYI, the following is the result of openssl pkcs12 -info -in userX.p12; hope this might help.

start
MAC Iteration 1
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1
Bag Attributes
    friendlyName: Heita
    localKeyID: SNIP
Key Attributes: No Attributes
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC, SNIP
SNIP
-----END RSA PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1
Certificate bag
Bag Attributes
    friendlyName: Heita
    localKeyID: SNIP
subject=/C=JP/ SNIP
issuer= /C=JP/ SNIP
-----BEGIN CERTIFICATE-----
SNIP
-----END CERTIFICATE-----
end

Regards,
--- m-hirano
problem signing spkacs
Hello:

I'm trying to use the openssl ca command inside a mod_perl handler (I borrowed Perl code from http://www.pseudonym.org/ssl/) to sign netscape spkacs, and I'm running into a very funky problem. The docs say that the signed cert will come out in PEM form. As I understand it, PEM certs look like

-----BEGIN CERTIFICATE-----
some lines of Base-64 encoded stuff
-----END CERTIFICATE-----

and what I get coming out is something very different. When I try to download it to a netscape browser using a mime type of 'application/x-x509-user-cert', Netscape won't load it.

My environment is Debian Potato dist with Linux kernel 2.4.9, openssl 0.9.6b.

The command I use is

/usr/local/bin/openssl ca -batch \
    -config /var/ssl/PhysempCA/request.cnf \
    -out /var/ssl/PhysempCA/newcerts/72ff92dd0ca7e7a8309435072ed478.pem \
    -spkac /var/ssl/PhysempCA/newcerts/72ff92dd0ca7e7a8309435072ed478.spkac

The output to STDOUT is:

Using configuration from /var/ssl/PhysempCA/request.cnf
Check that the SPKAC request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
localityName :PRINTABLE:'Mexico'
organizationName :PRINTABLE:'Audrain Medical Center'
commonName :PRINTABLE:'Michele Trammell'
emailAddress :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Oct 17 18:47:20 2002 GMT (366 days)
Write out database with 1 new entries
Data Base Updated

Here is the SPKAC (inserted newlines for readability):

SPKAC=MIIBOjCBpDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwpvydCd+jgvlAkbVa
TI+OAhaTLunUKN0ov5pvSm+TS0RxvbqhO2olCTp7dV9urim10EE2dUe/JuTo9tlUblgjVO5
m2ZAA35fKYXyEQhFQdkAvErXS2GMF0PxHUUAXEMGHuureCjSw8xzR4RaytmEPS0HFslbIHM
FC8fdBnNN/8kCAwEAARYAMA0GCSqGSIb3DQEBBAUAA4GBADIDIjM2gVP0Go/OhpnYA6XgNE
HMkXX//YX01VrY+vu9oaBxohSSMfismi9nUoPZ00EYh4uQa08jf+tUCrAYvGmGED1e5Y4/F
WQ3SsHzfMqxkaNilln2xEKYlFWrB984/u/fkLpCqjanqxokINbgUAcpDzIlDgdhs35Z2/RM
X47D
C=US
SP=Missouri
L=Mexico
O=Audrain Medical Center
CN=Michele Trammell
[EMAIL PROTECTED]

And here is my config file:

[ ca ]
default_ca = PhysempCA # The default ca section

[ PhysempCA ]
dir = /var/ssl/PhysempCA
certs = /var/ssl/PhysempCA/certs
crl_dir = /var/ssl/PhysempCA/crl
database = /var/ssl/PhysempCA/index.txt
new_certs_dir = /var/ssl/PhysempCA/newcerts
certificate = /var/ssl/PhysempCA/cacert.pem
serial = /var/ssl/PhysempCA/serial
crl = /var/ssl/PhysempCA/crl.pem
private_key = /var/ssl/PhysempCA/private/cakey.pem.decoded
RANDFILE = /var/ssl/PhysempCA/private/.rand
x509_extensions = usr_cert
default_days = 366
default_md = md5
preserve = no
policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ req_distinguished_name ]
countryName_default = US
stateOrProvinceName_default = Missouri
localityName_default = Mexico
organizationName_default = Audrain Medical Center
commonName_default = Michele Trammell
emailAddress_default = [EMAIL PROTECTED]

[ req_attributes ]
challengePassword =
unstructuredName = Michele Trammell

[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = OpenSSL Generated Certificate Issued by Physician's Employment CA
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
subjectAltName = email:copy
issuerAltName = issuer:copy

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

If any one needs to see the resulting cert, I'd be more than happy to email it as an attachment.

--Christopher
Re: Problem reading HTTPS response
[[ cc openssl-users for mailing list archival ]]

Plamen Ratchev wrote:
> Hi Josh! I was able to isolate the problem down to the proxy. Last night I tried the same script at my office, which doesn't have a proxy and everything worked fine. The proxy on my client's site is MS Proxy Server 2.0. I can access any HTTP page but when I switch to HTTPS the response is just a blank page <HTML></HTML>. I tried testing with lwp_ssl_test and net_ssl_test with no luck: lwp_ssl_test completes normally with no errors; net_ssl_test result is an unknown error in module SSL.pm line 44.

If lwp_ssl_test works, then you got it! You just need to script like what's in lwp_ssl_test.

> LWP::UserAgent functions (I already tested all possible proxy options with it)? Or maybe another module that provides this capability.

Yes, look at lwp_ssl_test for the right %ENV settings, or perldoc Crypt::SSLeay, and check out the PROXY section. The trick is setting:

    $ENV{HTTPS_PROXY} = 'http://proxy_hostname_or_ip:port';

but not using any LWP proxy settings explicitly.

--Josh
ASN.1 encoding of negative integers
hi,

what are the rules or known-good examples of negative number encoding? I'm trying to encode -2 as part of a currency-amount-power sequence and Peter Gutmann's dumpasn1 tool shows it as -254. Any problem regarding negative number handling in the code attached? Hope it's good enough to drive a debugger.

thank you,
Vadim

   0 30 11: SEQUENCE {
   2 022:   INTEGER 840
   6 022:   INTEGER 735
  10 021:   INTEGER -254
          : Warning: Integer has a negative value
          : }

/* ASN.1 handling code (c) Vadim Fedukovich 2001
 * work-in-progress; please use for bug hunting only */
#include <stdio.h>
#include <openssl/asn1t.h>

typedef enum { CURRENCY_USD = 840 } CurrencyCode;

/* SEQUENCE { code INTEGER, amount INTEGER, power INTEGER } */
struct set_CurrencyAmount_st {
    ASN1_INTEGER *code;
    ASN1_INTEGER *amount;
    ASN1_INTEGER *power;
};
typedef struct set_CurrencyAmount_st SET_CurrencyAmount;

ASN1_SEQUENCE(SET_CurrencyAmount) = {
    ASN1_SIMPLE(SET_CurrencyAmount, code, ASN1_INTEGER),
    ASN1_SIMPLE(SET_CurrencyAmount, amount, ASN1_INTEGER),
    ASN1_SIMPLE(SET_CurrencyAmount, power, ASN1_INTEGER)
} ASN1_SEQUENCE_END(SET_CurrencyAmount)

IMPLEMENT_ASN1_FUNCTIONS(SET_CurrencyAmount)

#define SZ 2048

int main(void)
{
    SET_CurrencyAmount *amt;
    int sz, amount = 735; /* 7 dollars 35 cents, power -2 */
    unsigned char buff[SZ], *pp;

    amt = SET_CurrencyAmount_new();
    ASN1_INTEGER_set(amt->code, (long)CURRENCY_USD);
    ASN1_INTEGER_set(amt->amount, (long)amount);
    ASN1_INTEGER_set(amt->power, -2L);

    /* i2d_* with a NULL output pointer only reports the encoded size */
    if (i2d_SET_CurrencyAmount(amt, NULL) > SZ) {
        fprintf(stderr, "encoding does not fit in %d bytes\n", SZ);
        SET_CurrencyAmount_free(amt);
        return 1;
    }
    /* i2d_* takes the address of the output pointer and advances it */
    pp = buff;
    sz = i2d_SET_CurrencyAmount(amt, &pp);
    fwrite(buff, sz, 1, stderr); /* raw DER on stderr, e.g. to feed dumpasn1 */
    SET_CurrencyAmount_free(amt);
    return 0;
}
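As an added illustration (not the poster's code and not OpenSSL's; function names are my own), the DER rule this question and the earlier PKCS#7 BER-versus-DER question both turn on, in plain Python: an INTEGER's content octets are big-endian two's complement in the minimal number of octets, so -2 encodes as the single octet FE, and any content that decodes to -254 (FF 02, or a sign-extended form of it) is simply not an encoding of -2. The decoder has a strict DER mode and a tolerant BER mode, so the same sign-extended input shows the difference between the two.

```python
"""DER INTEGER encoding, worked on the CurrencyAmount SEQUENCE from the post.

Added illustration in plain Python (no OpenSSL); not the poster's code.
DER content octets are big-endian two's complement in the *minimal* number
of octets: the first nine bits of the content must not be all ones or all
zeros. BER tolerates redundant sign-extension octets; DER does not.
"""
from __future__ import annotations


def encode_length(n: int) -> bytes:
    """Definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def decode_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (length, index of first content octet). Rejects indefinite form."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("indefinite-length or oversized length octets")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def encode_integer(value: int) -> bytes:
    """Full TLV (tag 0x02, length, content) for an INTEGER, DER-minimal."""
    magnitude = value if value >= 0 else ~value        # ~(-2) == 1
    nbytes = (magnitude.bit_length() + 8) // 8         # one extra bit for sign
    content = value.to_bytes(nbytes, "big", signed=True)
    return b"\x02" + encode_length(len(content)) + content


def decode_integer(buf: bytes, strict: bool = True) -> tuple[int, bytes]:
    """Decode one INTEGER TLV; return (value, unread tail).

    strict=True enforces the DER minimality rule; strict=False accepts any
    BER encoding, which is what a tolerant dumper such as dumpasn1 does.
    """
    if not buf or buf[0] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    length, pos = decode_length(buf, 1)
    content = buf[pos:pos + length]
    if length == 0 or len(content) != length:
        raise ValueError("empty or truncated INTEGER")
    if strict and length > 1:
        first9 = (content[0] << 1) | (content[1] >> 7)
        if first9 in (0, 0x1FF):
            raise ValueError("sign-extended INTEGER: valid BER, invalid DER")
    return int.from_bytes(content, "big", signed=True), buf[pos + length:]


def is_der(buf: bytes) -> bool:
    """True if buf is exactly one INTEGER TLV satisfying the DER minimality rule."""
    try:
        _, tail = decode_integer(buf, strict=True)
        return tail == b""
    except ValueError:
        return False


def encode_currency_amount(code: int, amount: int, power: int) -> bytes:
    """SEQUENCE { code INTEGER, amount INTEGER, power INTEGER } as DER."""
    body = encode_integer(code) + encode_integer(amount) + encode_integer(power)
    return b"\x30" + encode_length(len(body)) + body


def decode_currency_amount(buf: bytes, strict: bool = True) -> tuple[int, int, int]:
    """Inverse of encode_currency_amount; strict selects DER or BER decoding."""
    if not buf or buf[0] != 0x30:
        raise ValueError("expected SEQUENCE tag 0x30")
    length, pos = decode_length(buf, 1)
    rest = buf[pos:pos + length]
    if len(rest) != length:
        raise ValueError("truncated SEQUENCE")
    values = []
    for _ in range(3):
        value, rest = decode_integer(rest, strict)
        values.append(value)
    if rest:
        raise ValueError("trailing octets inside SEQUENCE")
    return values[0], values[1], values[2]


if __name__ == "__main__":
    # 7.35 USD: code 840, amount 735, power -2 (the poster's values).
    der = encode_currency_amount(840, 735, -2)
    print(der.hex())                     # 300b02020348020202df0201fe
    print(decode_currency_amount(der))   # (840, 735, -2)

    # Constructed samples. FF 02 is what a decoder must have seen to report
    # -254; the correct content for -2 is the single octet FE.
    print(decode_integer(bytes.fromhex("0202ff02"))[0])            # -254
    # A sign-extended form of the same value is BER but not DER.
    sign_extended = bytes.fromhex("0207ffffffffffff02")
    print(decode_integer(sign_extended, strict=False)[0])         # -254
    print(is_der(sign_extended), is_der(bytes.fromhex("0201fe")))  # False True
```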
Re: Do you know where I can get license terms for Open SSL 2.0?
From: Maruta, Eric [EMAIL PROTECTED]
Eric.Maruta> We are planning to embed Open SSL 2.0 into our products
Eric.Maruta> for commercial purpose.

2.0? You must come from the future, because we're still at 0.9.6b this year.

Eric.Maruta> I am trying to get license terms and conditions for Open
Eric.Maruta> SSL, but so far no luck. Do you know how I can get
Eric.Maruta> license terms for Open SSL?

In the top of the source tree, you'll find LICENSE (in version 0.9.x, that is. I've no idea how that will look in the far future).

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus: http://www.gemplus.com/
openssl 0.9.6 install fails on tru64 Unix
I am trying to install openssl version 0.9.6 on a Tru64 Unix box. After running 'make install', I get the following errors when I do a 'make test' to test the installation:

Left shift test failed!
a=C64F43042AEACA6E5836805BE8C99B045D4836C2FD16C964F0
b=3193D0C10ABAB29B960DA016FA3266C117520DB0BF45B2593C0
c=4
d=-20002
*** Exit 1
Stop.
*** Exit 1
Stop.

Any ideas on what could be causing this to fail?

Thanks
Ramdas
RE: How to use OpenSSL in MS-Windows Environment
I have built openssl-engine-0-9.6 on NT4 SP4 with the gcc-2.95.2-msvcrt compiler and GNU make-3.76.1: no problem. Now I would like to add the crypto/pkcs11 source code from AdNovum (the one sent by Eric Laroche in a message of 15-6-01) but I have the following questions:
1) what is the procedure for re-building openssl with this pkcs11 addition? (should I modify the configure file? if so how?)
2) what is the procedure for applying the patch? (in NT4)
I hope for an answer, especially replies from Richard Levitte or Zoran.

Thanks in advance
Paolo Rossi [EMAIL PROTECTED]

From: Jared Clinton [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: How to use OpenSSL in MS-Windows Environment
Date: Wed, 17 Oct 2001 17:15:06 +1000

Lawrence,

Download the Tar: http://www.openssl.org/source/openssl-0.9.6b.tar.gz

Untar this to your local hard disk and follow the instructions in the INSTALL.W32 file. You will need to compile the source so that you can get the program, but the make process is quite straightforward.

Jared Clinton.

-----Original Message-----
From: lawrence [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 17 October 2001 4:58 PM
To: '[EMAIL PROTECTED]'
Subject: How to use OpenSSL in MS-Windows Environment

I would like to use SSL in my project. However, I don't have any idea how to do it. I have some questions listed below:
1. What are the files that I need to download in order to use OpenSSL in my program?
2. Is there any compiled DLL for MS-Windows? If yes, where can I download the DLL, DLL source code and the documentation?

Thanks and Regards,
LAWRENCE LOW
Re: using own CA certs with various clients
Hello,

I think you have to install the CA certificates in your client browser. I know two techniques you can use:
1. your client can download your CA certificate from your web site (you need to use the mime type application/x-x509-ca-cert in your httpd.conf file), or
2. you can generate, for each one of your end users, a PKCS#12 file containing his private key, his certificate and your CA certificate.

I hope that my answer is helpful.
bye

haikel MEJRI
Agence Nationale de Certification Electronique, Dept. PKI
Re: using own CA certs with various clients
under windows 2000 (and nt4 afaik) with outlook 2000 and IE5 (don't know if it works for less than this) you can install the certificate in each client by hand quite easily... if the file name has the ending .cer then windows appears to recognize it and calls it Security Certificate... double click on this and hit Install Certificate... / Next / Next / Finish / OK / OK ... that's it... getting the cert to the client is another matter :-)

Sean
Re: using own CA certs with various clients
Try converting into pkcs12 and then import:

openssl pkcs12 -export -in file -inkey key -certfile cert -out outfile.p12

----- Original Message -----
From: Steve Barnes [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 17, 2001 2:41 PM
Subject: RE: using own CA certs with various clients

I have the same problem... (sort of).. I have been trying a similar thing, and failing... I'm trying to be my own CA and generate a server cert so I can enable SSL on an IIS4 webserver.

I made myself a CA by running the command...

# openssl req -new -x509 -newkey rsa:1024 -md5 -keyout ./certs/CAkey.pem -out ./certs/CAcert.pem -days 365

Then I made a Certificate request in IIS Key Manager and signed it using the command...

# openssl ca -policy policy_match -days 365 -md md5 -out ./certs/iis-ssl-cert.pem -keyfile ./certs/CAkey.pem -cert ./certs/CAcert.pem -outdir ./certs -infiles ./certs/iis-ssl-req.txt

... where iis-ssl-req.txt is the file from IIS Key Manager.

I can then import the cert into IIS Key Manager and enable Secure Channel for my web server, but when I connect to https://secure-server, it gives me an error saying the cert is ok apart from the fact that it was "issued by a company you have chosen not to trust". When I try importing the cert into IE, it imports ok, but then it doesn't appear in the "Trusted Root Certificate Authorities". So every time I go to the site, it gives me the same error over and over.

If I rename the file from 'iis-ssl-cert.pem' to 'iis-ssl-cert.cer', Windows Exploder recognises it as a Security Certificate; when I double click, I get "Windows does not have enough information to verify this certificate".

Any way I'm lost... I've gotten this far and it's really bugging me now... Can anyone help...?
Re: using own CA certs with various clients
sorry, I was unclear - the client needs BOTH the server cert and your CA cert. what i did was i puts the certs in a shared directory... and then each machine that wanted them just double clicked on the CA.cer and server.cer ... done... cheers, Sean Steve Barnes wrote: I have the same problem... (sort of).. I have been trying a similar thing, and failing... I'm trying to be my own CA and generate a server cert so I can enable SSL on a IIS4 webserver. I made myself a CA by running the command... #openssl req -new -x509 -newkey rsa:1024 -md5 -keyout ./certs/CAkey.pem -out ./certs/CAcert.pem -days 365 Then I made a Certificate request in IIS Key Manager and signed it using the command... #openssl ca -policy policy_match -days 365 -md md5 -out ./certs/iis-ssl-cert.pem -keyfile ./certs/CAkey.pem -cert ./certs/CAcert.pem -outdir ./certs -infiles ./certs/iis-ssl-req.txt ... where iis-ssl-req.txt is the file from IIS Key Manager. I can then import the cert into IIS Key Manager and enable Secure Channel for my web server, but when I connect to https://secure-server, it gives me an error saying the cert is ok apart from the fact that it was issued by a company you have chosen not to trust . When I try importing the cert into IE, it imports it ok, but then it doesn't appear in the Trusted Root Certificate Authorities . So everytime I go to the site, it gives me the same error over over If I rename the file from 'iis-ssl-cert.pem' to 'iis-ssl-cert.cer', Windows Exploder recognises it as a Security Certificate, when i double click, I get Windows does not have enough information to verify this certificate Any way I'm lost... I've gotten this far and it's really bugging me now... Can anyone help...? 
-----Original Message-----
From: Sean O'Riordain [mailto:[EMAIL PROTECTED]]
Sent: 17 October 2001 09:53
To: [EMAIL PROTECTED]
Subject: Re: using own CA certs with various clients

Under Windows 2000 (and NT4 afaik) with Outlook 2000 and IE5 (don't know if it works for less than this) you can install the certificate in each client by hand quite easily... if the file name has the ending .cer then Windows appears to recognize it and calls it "Security Certificate"... double click on this and hit Install Certificate... / Next / Next / Finish / OK / OK ... that's it... getting the cert to the client is another matter :-)

Sean

Haikel wrote:

Hello, I think you have to install the CA certificates in your client browser. I know two techniques you can use:
1. your client can download your CA certificate from your web site (you need to use the mime type application/x-x509-ca-cert in your httpd.conf file)
2. or you can generate, for each one of your end users, a PKCS#12 file containing his private key, his certificate and your CA certificate
I hope that my answer will be helpful.
bye
Re: using own CA certs with various clients
You need to install the root certificate into the clients' browsers. You can distribute root certificates to clients by including the root certificate within the pkcs12 file, or, as all browsers act differently in accepting certificates, I use a perl script to format the certificate for the presented browser and add some javascript to help send the cert straight to the client's browser.

----- Original Message -----
From: Sunil Dangwal [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 17, 2001 7:50 PM
Subject: Re: using own CA certs with various clients

Try converting into pkcs12 and then import:

  openssl pkcs12 -export -in file -inkey key -certfile cert -out outfile.p12

----- Original Message -----
From: Steve Barnes [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 17, 2001 2:41 PM
Subject: RE: using own CA certs with various clients
RE: using own CA certs with various clients
I installed the CA Cert on my machine and hey presto !! it worked. I think I'll email the Certs out to everyone I need to use the SSL server. Nice one !!

-----Original Message-----
From: Sean O'Riordain [mailto:[EMAIL PROTECTED]]
Sent: 17 October 2001 11:05
To: [EMAIL PROTECTED]
Subject: Re: using own CA certs with various clients

Sorry, I was unclear - the client needs BOTH the server cert and your CA cert. What I did was put the certs in a shared directory... and then each machine that wanted them just double clicked on the CA.cer and server.cer ... done...

cheers,
Sean
Please help. Apache openssl problems.
No matter what I do, I can't seem to connect via https. I keep getting the error:

  [Wed Oct 17 07:02:10 2001] [error] [client 66.65.3.10] Invalid method in request

From what I have read, this means that I am trying to talk https on a port that only speaks http. I have tried everything that I can think of. I have commented out the virtual servers. That did nothing. I put them back in, then I read something about putting an "sslengine on" directive in the virtual hosts, so I did that. Same thing. This is apache 1.3.22 on a sparc/Solaris 7 box. Here's what's in the conf.

Main section:

  # Support for Random Seed Generation
  #SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  #
  # Port: The port to which the standalone server listens. For
  # ports < 1023, you will need httpd to be run as root initially.
  #
  Port 80

  ## SSL Support
  ## When we also provide SSL we have to listen to the
  ## standard HTTP port (see above) and to the HTTPS port
  ##
  <IfDefine SSL>
  Listen 80
  Listen 443
  </IfDefine>
  #
  <VirtualHost 66.65.3.10:80>
  ScriptAlias /cgi-bin/ "/export/apache/877baskets/cgi-bin/"
  <Directory "/export/apache/877baskets/cgi-bin/">
  AllowOverride All
  Options None
  Order allow,deny
  Allow from all
  </Directory>
  ServerAdmin [EMAIL PROTECTED]
  DocumentRoot /export/apache/877baskets
  ServerName www.877baskets.com
  ErrorLog logs/877baskets.com-error_log
  CustomLog logs/87baskets.com-access_log common
  TransferLog logs/877baskets.com-access_log
  </VirtualHost>

  <VirtualHost 66.65.3.10:443>
  ScriptAlias /cgi-bin/ "/export/apache/877baskets/cgi-bin/"
  <Directory "/export/apache/877baskets/cgi-bin/">
  AllowOverride All
  Options None
  Order allow,deny
  Allow from all
  </Directory>
  ServerAdmin [EMAIL PROTECTED]
  DocumentRoot /export/apache/877baskets
  ServerName www.877baskets.com
  ErrorLog logs/877baskets.com-error_log
  CustomLog logs/87baskets.com-access_log common
  TransferLog logs/877baskets.com-access_log
  SSLEngine On
  </VirtualHost>

Any ideas? Thanks in advance

Scott
Re: Certificate Management
Moved to openssl-users...

Tanya Karpina wrote:

I have the same problem verifying the server certificate. I tried to run s_server and s_client tests, so everything works fine apart from certificate verification. I get a verify error:

  verify error: num=20:unable to get local issuer certificate
  verify return: 1

Then I decided to run a verify test with the same parameters. I have done a cert req for the server and sent it to THAWTE. Then I got the certificate signed by THAWTE (myCert.pem). In addition I have the THAWTE root cert (CA cert below) thawte.pem. I do

  openssl verify -CAfile E:\openssl\certs\thawte.pem -purpose sslserver E:\openssl\files\myCert.pem

and got the same error. I also tried to use -CApath that points to the dir where all trusted certs are located. (BTW what does it mean "The certificates should have names of the form: hash.0", how to convert *.pem to ...?)

  openssl verify -CApath E:\openssl\certs\ -purpose sslserver E:\openssl\files\myCert.pem

I'm tired of searching for a solution. I took a look at many mailing lists but still can't solve the problem.

-CApath doesn't work automatically under Windows because it currently uses symbolic links. If it's giving that error then it can't find either the root or an intermediate CA. It isn't apparent which because you haven't included the error from the verify command, which would include a depth parameter. OpenSSL includes two Thawte root CAs in its standard distribution: try the one called thawteCp.pem.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: ASN.1 encoding of negative integers
Vadim Fedukovich wrote:

hi, what are the rules or known-good examples of negative number encoding? I'm trying to encode -2 as part of a currency-amount-power sequence and Peter Gutmann's dumpasn1 tool shows it as -254. Any problem regarding negative number handling in the code attached? Hope it's good enough to drive a debugger.

thank you,
Vadim

   0 30   11: SEQUENCE {
   2 02    2:   INTEGER 840
   6 02    2:   INTEGER 735
  10 02    1:   INTEGER -254
            :     Warning: Integer has a negative value
            : }

Try getting a newer version of dumpasn1. My version lists it as -2.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
openssl.org and modssl.org are down
$ date
Wed Oct 17 14:28:14 CEST 2001
$
$ telnet www.openssl.org 80
Trying 129.132.7.153...
telnet: connect to address 129.132.7.153: Connection refused
telnet: Unable to connect to remote host
$
$ telnet www.modssl.org 80
Trying 129.132.7.171...
telnet: connect to address 129.132.7.171: Connection refused
telnet: Unable to connect to remote host
$

cu,
--
Toni Andjelkovic [EMAIL PROTECTED]
ERROR IN SSL CONNECTION
Hi, I have installed OpenSSL on HP-UX 11.00 because I want to use it for an LDAP connection. I'm using OpenLDAP v2.0 and an LDAP client. When I run slapd (the LDAP daemon) with debug I read the following messages. I think the server breaks the connection because it does not receive the client's certificate (is it true?). In this case can you help me with how I can configure ssl to not require a client certificate?

@(#) $OpenLDAP: slapd 2.0.15-Release (Tue Oct 9 10:27:48 METDST 2001) $
        @rh0009:/users/michele/PACKAGE/openldap-2.0.15/servers/slapd
daemon_init: listen on ldap://
daemon_init: listen on ldaps://
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap://)
daemon: initialized ldap://
ldap_url_parse_ext(ldaps://)
daemon: initialized ldaps://
daemon_init: 2 listeners opened
slapd init: initiated server.
slapd startup: initiated.
slapd starting
connection_get(8): got connid=0
connection_read(8): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS: can't accept.
connection_read(8): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=8 for close
connection_close: conn=0 sd=8

Ciao,
Fabio
Re: ASN.1 encoding of negative integers
On Wed, 17 Oct 2001, Vadim Fedukovich wrote:

what are the rules or known-good examples of negative number encoding? I'm trying to encode -2 as part of a currency-amount-power sequence and Peter Gutmann's dumpasn1 tool shows it as -254.

It surely looks like a simple error in the dump tool, to me. An eight-bit signed value of -2 would be 254 if interpreted as unsigned. I can recommend Olivier Dubuisson's book on ASN.1, but my copy is at home now so I can't refer to it.

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Make a good day.
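Added example, not code from the thread: the three-INTEGER sequence from Vadim's post encoded with Go's encoding/asn1, followed by the two readings of the last INTEGER's content octet 0xFE, the two's-complement -2 that DER specifies and the unsigned 254 that Mark describes. The struct and its field names are assumed for the demonstration.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// CurrencyAmountPower mirrors the three-INTEGER SEQUENCE in the post:
// {840, 735, -2} as currency code, amount and power of ten (names assumed).
type CurrencyAmountPower struct {
	Currency int
	Amount   int
	Power    int
}

// EncodeSequence DER-encodes the sequence. A DER INTEGER is a two's-complement,
// big-endian, minimum-length value, so -2 becomes the single content octet 0xFE
// and the whole structure is 30 0b 02 02 03 48 02 02 02 df 02 01 fe.
func EncodeSequence(v CurrencyAmountPower) ([]byte, error) {
	return asn1.Marshal(v)
}

// IntegerContents walks the SEQUENCE and returns the content octets of each
// INTEGER, which is exactly what a dump tool has to interpret.
func IntegerContents(der []byte) ([][]byte, error) {
	var seq asn1.RawValue
	if _, err := asn1.Unmarshal(der, &seq); err != nil {
		return nil, err
	}
	if seq.Tag != asn1.TagSequence || !seq.IsCompound {
		return nil, fmt.Errorf("expected SEQUENCE, got tag %d", seq.Tag)
	}
	var out [][]byte
	for rest := seq.Bytes; len(rest) > 0; {
		var el asn1.RawValue
		var err error
		if rest, err = asn1.Unmarshal(rest, &el); err != nil {
			return nil, err
		}
		if el.Tag != asn1.TagInteger {
			return nil, fmt.Errorf("expected INTEGER, got tag %d", el.Tag)
		}
		out = append(out, el.Bytes)
	}
	return out, nil
}

// DecodeInteger interprets INTEGER content octets as X.690 says: two's
// complement, with the sign taken from the top bit of the first octet.
// (Values wider than 8 octets would overflow int64; not handled here.)
func DecodeInteger(content []byte) int64 {
	if len(content) == 0 {
		return 0
	}
	var v int64
	if content[0]&0x80 != 0 {
		v = -1 // sign-extend so the shifted-in high bits are ones
	}
	for _, b := range content {
		v = v<<8 | int64(b)
	}
	return v
}

// ReadAsUnsigned is the misreading the thread describes: taking 0xFE as the
// magnitude 254 instead of the signed value -2.
func ReadAsUnsigned(content []byte) uint64 {
	var v uint64
	for _, b := range content {
		v = v<<8 | uint64(b)
	}
	return v
}
```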
PEM_read_bio
I am getting an error message, "PEM_read_bio: No start line". Now I am assuming this may have to do with the pem certificate I'm trying to read, but all my certificates are fine. Could anyone give me some insight on what causes this error. Thanks!

-Andrew T. Finnell
Software Engineer
eSecurity Inc
(321) 394-2485
Re: using own CA certs with various clients
Thank you all for posting solutions.. It was just a matter of importing the rootCA into the client. On my systems (Outlook and Netscape), I just needed to import the rootCA and then it stopped complaining about all certs signed by that root. It seems to have worked. Do I need to import the server cert as well?

--- Sean O'Riordain [EMAIL PROTECTED] wrote:

Sorry, I was unclear - the client needs BOTH the server cert and your CA cert. What I did was put the certs in a shared directory... and then each machine that wanted them just double clicked on the CA.cer and server.cer ... done...

cheers,
Sean
Pem_read_bio -.... expecting certificate.
Hi all

I have looked in the archives but not found an example or assistance there. I am having difficulty with a CA certificate (created with ./CA -newca). I am getting the following error:

  1895:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:662:Expecting: CERTIFICATE

The certificate is included below. I can find nothing wrong with it.

-----BEGIN CERTIFICATE-----
[base64 body omitted]
-----END CERTIFICATE-----

openssl reads it correctly. I am doing the following in trying to read it. Please can someone point out my mistake.

  SSL_load_error_strings();
  SSL_library_init();
  // actions_to_seed_PRNG();
  ERR_load_crypto_strings();
  SSLeay_add_ssl_algorithms();
  pMETHOD = SSLv3_client_method();
  ERR_print_errors_fp(stdout); fflush(stdout);   /* No error here */

  printf("%s\n", CASERVCERTF); fflush(stdout);
  X509_stack = SSL_load_client_CA_file(CASERVCERTF);
  ERR_print_errors_fp(stdout); fflush(stdout);   /* error shown here */

  SSL_CTX_set_client_CA_list(pCTX, X509_stack);
  ERR_print_errors_fp(stdout); fflush(stdout);

Thanks guys. I am lost on this one.

Hylton
RE: PEM_read_bio
I am having the same problem. If I find anything I will let you know.

-----Original Message-----
From: Andrew Finnell [mailto:[EMAIL PROTECTED]]
Sent: 17 October 2001 04:11
To: 'Openssl ([EMAIL PROTECTED])'
Subject: PEM_read_bio
Re: using own CA certs with various clients
On Wed, Oct 17, 2001 at 07:06:15AM -0700, Zachary Denison wrote:

Thank you all for posting solutions.. It was just a matter of importing the rootCA into the client. On my systems (Outlook and Netscape), I just needed to import the rootCA and then it stopped complaining about all certs signed by that root. It seems to have worked. Do I need to import the server cert as well?

No, importing the rootCA certificate is sufficient.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
uninstall
Is there some way to uninstall openssl in order to install a newer version on a linux system, or to update it? Please help me.

Juan Carlos Albores Aguilar
crl question
Hi, I'm using openssl and I've created my own CA so I can sign certificates, revoke them and everything. My question is: when I revoke a certificate and I look at the unencrypted form of my crl file, it says no certificates revoked; however, in the records of the certificates signed, it does appear as revoked. Should my crl file list the number or something of the revoked certificate? I suppose so, but I don't know what's wrong, please help me. I revoke certificates with openssl ca -revoke cert.pem, is it ok? Am I doing it in the wrong place or something? Any clue will help. Thanks.

Juan Carlos Albores Aguilar
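Added example in Go, not code from this list, covering Lutz's answer in the CA-cert thread above and the CRL question here: a homegrown root CA and a server certificate are built in memory; the server cert verifies against a trust store holding only the root and fails against an empty one; and a CRL signed by the root lists the revoked serial, which is the separate generation step ("openssl ca -gencrl") that follows "openssl ca -revoke". The names "Homegrown Root CA" and "secure-server" are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign creates a certificate from tmpl, signed by parent using the signer's key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI is the in-memory equivalent of CAcert.pem/CAkey.pem plus a server
// certificate signed with "openssl ca"; the names are constructed for this example.
func buildPKI() (root, server *x509.Certificate, caKey *ecdsa.PrivateKey, err error) {
	caKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Homegrown Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if root, err = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "secure-server"},
		DNSNames: []string{"secure-server"}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if server, err = sign(srvTmpl, root, &srvKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	return root, server, caKey, nil
}

// verifyWithTrust plays the client (Outlook, Netscape, IE) whose trust store holds
// exactly the given certificates; the root CA alone lets the chain build.
func verifyWithTrust(server *x509.Certificate, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: "secure-server"})
	return err
}

// issueCRL is the CA-side step after marking a certificate revoked: a fresh CRL
// listing the serial must be generated and signed before anyone reading it sees it.
func issueCRL(root *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) (*x509.RevocationList, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, root, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// isRevoked first checks that the CRL really was signed by the root CA, then looks
// for the certificate's serial number in it.
func isRevoked(root *x509.Certificate, crl *x509.RevocationList, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(root); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```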