Re: Secret sharing partial signature
On Mon, 13 May 2002, Rakeshbabu Bobba wrote:

> here is the link http://crypto.stanford.edu/~dabo/ITTC/dist-files/ittc-1.0.tar.gz
>
> rakesh
>
> On 13 May 2002, Aleix Conchillo wrote:
>> On Mon, 2002-05-13 at 19:34, Rakeshbabu Bobba wrote:
>>> you might want to take a look at the ITTC project of Dan Boneh at Stanford,
>>> it might be the one you are looking for.

ITTC is about generating key-shares of private keys and using them in shares. However, one had better look at the source code.

yours,
Vadim

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
error: SSL_CTX_use_PrivateKey_file
Hi,

I encountered the following problem:

    STARTTLS=server, error: SSL_CTX_use_PrivateKey_file(/etc/mail/certs/MYkey.pem) failed

Does anyone have any idea how to overcome this problem?

Thank you.
Unable to load
Hello...

I'm trying to compile OpenSSL 0.9.6 on AIX 4.3.3, and I received the following message:

    risc# ./openssl req -new -nodes -keyout private.key -out public.csr
    Using configuration from /usr/local/ssl/openssl.cnf
    unable to load 'random state'
    This means that the random number generator has not been seeded
    with much random data.
    Generating a 1024 bit RSA private key
    174970:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('//.oid','r')
    174970:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:106:
    174970:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
    174970:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:
    risc#

If anybody can help me!!!
openssl make test failure
Hi all,

I am using a Sun workstation with Solaris version 8. I have successfully done a make, but 'make test' fails. It says bc does not work properly (SunOStest failed) and finally it says no working bc found. What could be the reason? I am stuck at this point, help me out. I am new to Unix and also to ssl.

At the end of make test I get one more error:

    3260:error:0200100D system library:fopen:Permission denied:bss_file.c:245:fopen('testkey.pem','w')
    3260:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c247:
    problems creating request.

What should I do? I am trying to do an OpenSSL install in a local directory. I did the following steps:

    ./configure --openssldir=/mascoma2/src/openssl-0.9.6c/ssl_install threads shared
    make
    make test

That's all. Any help is appreciated.

Thanks
Sri
RE: Basic OpenSSL Client w/Pthreads
You are correct, it was timeouts. My pthread application was overloading the SSL server and it wasn't returning within the timeout, so that is why I kept receiving "Error with sockets".

I have an additional question related to SSL_write on a non-blocking IO. What is the proper method to check and make sure that the SSL write was performed properly? I've seen a few errors in my SSL server log that look like this that have actually been crashing my SSL daemon. There are no problems with service_data->servicesend, this is always a simple HTTP HEAD request, I've already checked this.

    [Mon May 13 16:10:40 2002] [error] [client xxx.xx.x.xx] Invalid method in request ^A^C^A
    [Mon May 13 16:11:58 2002] [error] [client xxx.xx.x.xx] Invalid method in request ^A^C^A
    [Mon May 13 16:13:24 2002] [error] [client xxx.xx.x.xx] Invalid method in request ^A^C^A
    [Mon May 13 16:18:26 2002] [error] SSL_accept failed

Below is the code:

    ssl = SSL_new(ssl_ctx);
    SSL_set_fd(ssl, sockfd);
    if (SSL_connect(ssl) <= 0) {        /* 1 = handshake done; 0 or <0 = failed */
        close(sockfd);
        SSL_free(ssl);
        return(2);
    }
    ret = SSL_write(ssl, service_data->servicesend, strlen(service_data->servicesend));
    if (ret <= 0) {
        /* on a non-blocking socket, SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE
           mean "wait in select() and repeat the same SSL_write";
           any other code from SSL_get_error() is a real failure */
        err = SSL_get_error(ssl, ret);
    }
    numbytes = 1;
    FD_ZERO(&rset);
    FD_SET(sockfd, &rset);
    while (numbytes != 0)
        /* run select as below and cycle until we get what we want. */

Best Regards,
Nicholas Gaugler
CommuniTech.Net Development - Kansas City
2001 Small Business of the Year - A HostIndex.com Top 15 Web Hosting Company
- Member of the BBB On-Line Reliability Program - Member of the Web Host Guild VeriHost

-----Original Message-----
From: Nick Gaugler [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 09, 2002 5:53 PM
To: [EMAIL PROTECTED]
Subject: Basic OpenSSL Client w/Pthreads

I've come up with the following BASIC OpenSSL client from the cli.cpp example and I am trying to turn it into a multi-threaded application with pthreads. Each thread will open a brand new connection, it will not read off of the same connection, so it should not be any different.

I've added the th-lock.c library into it before the threads are created and after they are destroyed; from the limited documentation I've found, that should cover everything. The only thing I have changed with the basic cli.cpp is that I am using non-blocking IO through SELECT/FD_ISSET. By doing this I have also added support for SSL_ERROR_WANT_READ, so that shouldn't be the issue.

The problem I am seeing is within the select/FD_ISSET. My FD_ISSET is failing. (Enclosed below)

    c = select(sockfd+1, &readfds, NULL, NULL, &tv);   /* first argument is highest fd + 1 */
    if (c < 0) {
        perror("SELECT");
        fprintf(stderr, "Error with the select\n");
        break;
    }
    /* also false after a timeout (c == 0), not only on a socket error */
    if (!FD_ISSET(sockfd, &readfds)) {
        perror("Error");
        fprintf(stderr, "Error with socket\n");
        break;
    }

Should I not be using this with OpenSSL and/or pthreads? Are there any known issues or can anyone shed some light onto the subject for me?

Thanks in advance,
Nick
Re: openssl make test failure
sridhar Kondoji wrote:

> Hi all,
>
> I am using a Sun workstation with Solaris version 8. I have successfully done a make, but 'make test' fails. It says bc does not work properly (SunOStest failed) and finally it says no working bc found. What could be the reason? I am stuck at this point, help me out. I am new to Unix and also to ssl.
>
> At the end of make test I get one more error:
>
>     3260:error:0200100D system library:fopen:Permission denied:bss_file.c:245:fopen('testkey.pem','w')
>     3260:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c247:
>     problems creating request.
>
> What should I do? I am trying to do an OpenSSL install in a local directory. I did the following steps:
>
>     ./configure --openssldir=/mascoma2/src/openssl-0.9.6c/ssl_install threads shared
>     make
>     make test
>
> That's all. Any help is appreciated.
>
> Thanks
> Sri

Hello!

I'm new to openssl, and run it on a Sparc with Solaris 8, so the only thing I can help you with is the first point. You have to visit GNU's homepage and get the gnu version. The URL is:

    http://www.gnu.org/software/software.html

You have to compile and install it. I had the same problem when installing openssl on my SPARC box, and please check the path string. I hope this will help you with the first problem.

Regards
Lars-Erik
RE: The digital certificate disapear.....
On Tue, 14 May 2002, Franck Martin wrote:

> I can tell you, now it works...
>
> What about your configuration?

[snip]

Why are you testing your stuff on the OpenSSL-Users mailing list? Can't you create your own mailing list for that purpose? Why send unnecessary emails to everybody for something that doesn't even concern OpenSSL? Please think next time.

--
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
- and otherwise, when you are interested in a medium you do not master, you try to understand it first. (Followed by the entire 45-line original message.)
-+- BM in: GNU - Mastery is a long apprenticeship, little grasshopper -+-
Re: Unable to load
Hello Leandro,

Thursday, May 13, 2004, 10:25:39 PM, you wrote:

LSdP> seeded:md_rand.c:501:You need to read the OpenSSL FAQ,
LSdP> http://www.openssl.org/support/faq.html

Have you done as suggested?
Re: Unable to load
Try this... for a quick solution create a file 'random_file' and type a few junk characters in it (save it :-)). Then...

    ./openssl req -new -rand random_file -nodes -keyout private.key -out public.csr

this should solve your problem.

Regards,
Umesh

Leandro Silveira de Paula wrote:

> Hello...
>
> I'm trying to compile OpenSSL 0.9.6 on AIX 4.3.3, and I received the following message:
>
>     risc# ./openssl req -new -nodes -keyout private.key -out public.csr
>     Using configuration from /usr/local/ssl/openssl.cnf
>     unable to load 'random state'
>     This means that the random number generator has not been seeded
>     with much random data.
>     Generating a 1024 bit RSA private key
>     174970:error:02001002:system library:fopen:No such file or directory:bss_file.c:104:fopen('//.oid','r')
>     174970:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:106:
>     174970:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
>     174970:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:
>     risc#
>
> If anybody can help me!!!
RE: The digital certificate disapear.....
Because openssl is broken when handling smime and I need to know from expert people what client works and how good it is when handling certificates created by openssl.

Moreover, I need to know what client is doing what. It seems that some clients make some internet connection to verify certificates...

What's the use of having openssl if you can't use it on a wide range of platforms?

So I think it DOES concern this mailing list.

Cheers.

On Tue, 2002-05-14 at 08:51, Erwann ABALEA wrote:
> On Tue, 14 May 2002, Franck Martin wrote:
>> I can tell you, now it works...
>>
>> What about your configuration?
>
> [snip]
>
> Why are you testing your stuff on the OpenSSL-Users mailing list? Can't you create your own mailing list for that purpose? Why send unnecessary emails to everybody for something that doesn't even concern OpenSSL? Please think next time.
>
> --
> Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
> - and otherwise, when you are interested in a medium you do not master, you try to understand it first. (Followed by the entire 45-line original message.)
> -+- BM in: GNU - Mastery is a long apprenticeship, little grasshopper -+-
RE: Which product to buy?
On Tue, 14 May 2002, Franck Martin wrote:

[snip]

> Who can't see that this message is digitally signed, and do you know why?

I can see that it is signed, but pine doesn't know what to do with an Application/X-PKCS7-SIGNATURE bodypart.

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of user.
Securing Telnet
Sorry if this is a lame question, but I've not been able to find the answers to my question anywhere else.

We've been given the task of giving an external company access to an AIX 4.1 box which only runs telnet. And since it looks like OpenSSH needs AIX 4.3 we are not able to natively support SSH on the box.

Is it possible to set up an SSH session on a linux host in the DMZ which will forward any SSH connections on a given port to the AIX's telnet port? There will be a couple of users needing access, and we need to be able to have them log on to the AIX box with their own username/password. From the examples I've seen it is possible to set up SSH forwarding to a telnet session that is already logged on, but that's not quite what we need. We are looking for a proxy-type SSH gateway. The clients will be running Windows.

I hope someone can give me a good idea on how to solve this.

Best Regards,
Thomas
Re: Securing Telnet
Your other option is to install a Secure Telnet Daemon on the AIX server. See http://www.kermit-project.org/telnetd.html for some options.

> Sorry if this is a lame question, but I've not been able to find the answers to my question anywhere else.
>
> We've been given the task of giving an external company access to an AIX 4.1 box which only runs telnet. And since it looks like OpenSSH needs AIX 4.3 we are not able to natively support SSH on the box.
>
> Is it possible to set up an SSH session on a linux host in the DMZ which will forward any SSH connections on a given port to the AIX's telnet port? There will be a couple of users needing access, and we need to be able to have them log on to the AIX box with their own username/password. From the examples I've seen it is possible to set up SSH forwarding to a telnet session that is already logged on, but that's not quite what we need. We are looking for a proxy-type SSH gateway. The clients will be running Windows.
>
> I hope someone can give me a good idea on how to solve this.
>
> Best Regards,
> Thomas

Jeffrey Altman * Sr. Software Designer          Kermit 95 1.1.21 available now!!!
The Kermit Project @ Columbia University        SSH plus Telnet, FTP and HTTP
http://www.kermit-project.org/                  secured with Kerberos, SRP, and
[EMAIL PROTECTED]                               OpenSSL.
Re: Securing Telnet
How about building SSH from source? There is a gcc for AIX 4.1 if you don't have the IBM compiler.

Thomas Nilsen wrote:

> Sorry if this is a lame question, but I've not been able to find the answers to my question anywhere else.
>
> We've been given the task of giving an external company access to an AIX 4.1 box which only runs telnet. And since it looks like OpenSSH needs AIX 4.3 we are not able to natively support SSH on the box.
>
> Is it possible to set up an SSH session on a linux host in the DMZ which will forward any SSH connections on a given port to the AIX's telnet port? There will be a couple of users needing access, and we need to be able to have them log on to the AIX box with their own username/password. From the examples I've seen it is possible to set up SSH forwarding to a telnet session that is already logged on, but that's not quite what we need. We are looking for a proxy-type SSH gateway. The clients will be running Windows.
>
> I hope someone can give me a good idea on how to solve this.
>
> Best Regards,
> Thomas
[OT] Re: Securing Telnet
On Tue, May 14, 2002 at 12:49:16PM +0200, Thomas Nilsen wrote:

> Is it possible to set up an SSH session on a linux host in the DMZ which will forward any SSH connections on a given port to the AIX's telnet port? There will be a couple of users needing access, and we need to be able to have them log on to the AIX box with their own username/password. From the examples I've seen it is possible to set up SSH forwarding to a telnet session that is already logged on, but that's not quite what we need. We are looking for a proxy-type SSH gateway.

See FWTK; for ssh-gw if that is what you're after.. Another route is to use the browser-based ssh client.. do a search for that.. Since I have not followed it for a long time I don't know if it does ssh2 or not.

--
/* Security is a work in progress - dreamwvr */
# # Note: To begin Journey type man afterboot,man help,man hier[.] #
// Who's Afraid of Schrodinger's Cat? /var/(.)?mail/me \? ;-]
How do I change the public key in a DER file?
Hi all!

How do I change the public key in a DER file? I am using C but I can't see an easy way to do it...

Best regards,
--
Pär Ahrén, [EMAIL PROTECTED]
GSM: +46-703-247367, Fax: +46(0)702-035519
InfraSec Sweden AB, Stockholm, Sweden - IT Specialist
Large files with smime
Hi everyone,

Openssl smime is not able to handle big files (we tried with a 500MB file). It doesn't report any error message. On stepping through the source, we found that it's failing in OPENSSL_malloc. However openssl enc works fine with files larger than 2 GB. There is a bug in one of those pkcs7_ routines. Is there a workaround for this problem?

We are using Openssl 0.9.6c 21 Dec 2001 version.

Any help is greatly appreciated.

Thanks and regards,
Girish
Re: Large files with smime
On Tue, 14 May 2002, Girish Venkatachalam wrote:

> Hi everyone,
>
> Openssl smime is not able to handle big files (we tried with a 500MB file). It doesn't report any error message. On stepping through the source, we found that it's failing in OPENSSL_malloc. However openssl enc works fine with files larger than 2 GB. There is a bug in one of those pkcs7_ routines. Is there a workaround for this problem?

Don't the PKCS#7 routines keep all the data in memory? I think that's how it's done. If that's correct, then you should consider adding more memory (either physical or swap) to your system.

--
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
- I'm quite willing to read the FAQs, but it's the same thing, I don't know where they are... Shouldn't there be a FAQ that says where the FAQs are?
-+- M.D. in Guide du Neuneu Usenet: Where are the FQs -+-
Cert for iPlanet webserver
I signed a request for a server certificate. That should secure an iPlanet webserver. But when I try to install it in the webserver I get this message:

    Internal Error
    The administration server was unable to fulfill your request.

What's wrong with the certificate? The same certificate runs in IIS and Apache. I saw that Verisign sent 2 certificates for iPlanet. There also was a "Server Cert Chain". What's this and how do I create it? Why does iPlanet need this and IIS not?

Can anybody help me? Thank you for your help.

Carsten Schwant
---
Diploma student at BASF IT-Services ES-SE
Rathausplatz 17
Re: create opensll, ssldump keyfile
Davidson, Stuart [EMAIL PROTECTED] writes:

> The following ssldump trace records the following 'su' sequence and shows that an su from a non-privileged account does not work.
>
>     # su - dav
>     $ id
>     uid=4001 gid=401
>     +++ su from root to dav works OK +++
>     $ su - dav
>     Password:
>     su: Sorry
>     +++ su from dav to dav does NOT work +++
>     $
>
> Questions:
>
> 1. any idea why the su from a non-privileged account is not working?

This is a Solaris question. My guess, offhand, would be that DAV has a '*'-ed out password field so you can't su to it if you're not root.

> 2. how do I invoke ssldump to decrypt the complete dialog? (e.g. all Handshakes and application data)

You need to ensure that it has the server's private key, using the -k and -p arguments.

> 3. how do I convert the certificates exported from Microsoft Enterprise Certificate Authority to a format which can be read by ssldump?

I'm not sure what you're trying to do here. There seem to be two ways to read this message:

(1) You want ssldump to decode the certificates when it parses the transaction. This is a simple matter of giving it the -N flag to tell it to parse the ASN.1. (Assuming, of course, ssldump was linked with OpenSSL when you built it.)

(2) You want ssldump to read the server's private key (not certificate). There's no need to read the server's certificate. All you need to do for this is convert it into an OpenSSL keyfile. It's not clear what kind of keyfile you're starting with here...

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
RE: The digital certificate disapear.....
On 15 May 2002, Franck Martin wrote:

> Because openssl is broken when handling smime and I need to know from expert people what client works and how good it is when handling certificates created by openssl.

Do you have an example of such S/MIME mail that can't be handled correctly by OpenSSL?

BTW: there's really no difference between a certificate created by OpenSSL and one created by a classic certificate vendor (such as VeriSign, Thawte, or any other). The only important things are what you put in your certificates, and for what purposes the Root CA is trusted in your client software.

> Moreover, I need to know what client is doing what. It seems that some clients make some internet connection to verify certificates...

Yes, if the certificate that the client would like to verify contains for example a CRLDistributionPoint extension, then the client software needs to grab the CRL pointed to by this extension, and validate the certificate based on this CRL. Same if the client software tries to validate the certificate by asking an OCSP responder.

> What's the use of having openssl if you can't use it on a wide range of platforms?

OpenSSL can now be considered mature, and works perfectly on a very wide range of platforms.

> On Tue, 2002-05-14 at 08:51, Erwann ABALEA wrote:
>> On Tue, 14 May 2002, Franck Martin wrote:
>>> I can tell you, now it works...
>>>
>>> What about your configuration?
>>
>> [snip]
>>
>> Why are you testing your stuff on the OpenSSL-Users mailing list? Can't you create your own mailing list for that purpose? Why send unnecessary emails to everybody for something that doesn't even concern OpenSSL? Please think next time.

--
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
- oh right, so as soon as you dare to promote anonymity you become a criminal and one more filter
-+- Y63 in: GNU - Fascist, stupid, cowardly and proud of it -+-
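The two points Erwann makes above (what you put in the certificate matters, and a CRLDistributionPoint obliges the verifying client to fetch that CRL before it can finish validation) can be seen with the openssl command-line tool alone. The script below is an added example for this archive, not code from the thread or from the OpenSSL project: it builds a throwaway CA and a leaf certificate whose crlDistributionPoints extension names a constructed URI (http://crl.example.test/ca.crl, not a real host), shows how a client reads that URI out of the certificate, and then runs the same chain through `openssl verify` once without and once with `-crl_check`. The names, the config sections and the URI are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSSL project code).
# Builds a demo CA + leaf whose CRLDistributionPoints names a constructed URI,
# extracts that URI the way a client would, and shows that validation with
# revocation checking cannot complete until the CRL behind the URI is fetched.
# Assumes only the openssl CLI; every name, path and URI below is made up.

crl_dp_demo() {
    work=$(mktemp -d) || return 1

    # constructed config: CA extensions, and leaf extensions carrying the CRL DP
    cat > "$work/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
crlDistributionPoints = URI:http://crl.example.test/ca.crl
EOF

    # self-signed demo CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/demo.cnf" \
        -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1 || return 1

    # leaf: CSR, then a CA-signed certificate with the v3_leaf extensions
    openssl req -new -newkey rsa:2048 -nodes -config "$work/demo.cnf" \
        -subj "/CN=demo-leaf" -keyout "$work/leaf.key" -out "$work/leaf.csr" \
        >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
        -CAcreateserial -days 1 -extfile "$work/demo.cnf" -extensions v3_leaf \
        -out "$work/leaf.pem" >/dev/null 2>&1 || return 1

    # (1) what the client sees: the CRL location carried inside the certificate
    uri=$(openssl x509 -in "$work/leaf.pem" -noout -text |
          sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p' | head -n 1)

    # (2) plain path validation succeeds ...
    if openssl verify -CAfile "$work/ca.pem" "$work/leaf.pem" 2>&1 | grep -q ': OK$'; then
        plain=ok
    else
        plain=fail
    fi
    # ... but once revocation checking is required the verifier needs the CRL
    # named above; with nothing fetched, validation cannot complete.
    if openssl verify -crl_check -CAfile "$work/ca.pem" "$work/leaf.pem" 2>&1 | grep -q ': OK$'; then
        revcheck=ok-without-crl
    else
        revcheck=needs-crl
    fi

    rm -rf "$work"
    printf 'crl-dp=%s plain=%s crl_check=%s\n' "$uri" "$plain" "$revcheck"
}

crl_dp_demo
```

The second `verify` fails with "unable to get certificate CRL", which is exactly the situation a mail client is in before it has made the network connection Franck observed: the extension tells it where the CRL lives, and a client configured to check revocation has to go and get it.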
Re: Large files with smime
Although not with such big files, we also create big PKCS7 files (tens of Mbytes) using detached PKCS7. I don't know exactly if this is supported by OpenSSL now, but there is a "detached" attribute for files in PKCS7 routines, and working in PKCS7_verify(), PKCS7_init(), PKCS7_data() you can do it. You have to change memory BIOs (yes, all the data is handled in memory) to file BIOs.

Pablo J. Royo

----- Original Message -----
From: Girish Venkatachalam
To: [EMAIL PROTECTED]
Sent: Tuesday, May 14, 2002 3:28 PM
Subject: Large files with smime

> Hi everyone,
>
> Openssl smime is not able to handle big files (we tried with a 500MB file). It doesn't report any error message. On stepping through the source, we found that it's failing in OPENSSL_malloc. However openssl enc works fine with files larger than 2 GB. There is a bug in one of those pkcs7_ routines. Is there a workaround for this problem?
>
> We are using Openssl 0.9.6c 21 Dec 2001 version.
>
> Any help is greatly appreciated.
>
> Thanks and regards,
> Girish
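Pablo's suggestion is the detached form of PKCS#7: the signed data stays in its own file and the PKCS#7 object carries only the signature, so a large file is never copied into the structure. The script below is an added example for this archive (not code from the thread, from Pablo, or from the OpenSSL project) that does this with the `openssl smime` command rather than the library calls Pablo names: it signs a constructed 8 MiB file in detached mode, verifies the signature against the content supplied separately, and then shows that a single changed byte in the content makes verification fail. The key, certificate and data are generated on the spot and represent nobody.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSSL project code).
# Detached PKCS#7/S-MIME signature over a large file: the signature object
# holds no copy of the content, the content is handed to the verifier via
# -content, and any change to the content is rejected.
# Assumes only the openssl CLI; key, certificate and data are constructed here.

detached_sign_demo() {
    work=$(mktemp -d) || return 1

    # constructed "big file": 8 MiB of zeros standing in for real data
    dd if=/dev/zero of="$work/big.bin" bs=1048576 count=8 2>/dev/null || return 1

    # throwaway self-signed signer (demo identity only)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-signer" \
        -keyout "$work/key.pem" -out "$work/cert.pem" >/dev/null 2>&1 || return 1

    # detached signing: no -nodetach, so the content is not embedded in the
    # PKCS#7 structure; -binary stops the MIME canonicalisation (CRLF rewrite)
    openssl smime -sign -binary -in "$work/big.bin" -signer "$work/cert.pem" \
        -inkey "$work/key.pem" -outform DER -out "$work/big.p7s" 2>/dev/null || return 1

    # verification gets the content separately through -content
    if openssl smime -verify -binary -inform DER -in "$work/big.p7s" \
          -content "$work/big.bin" -CAfile "$work/cert.pem" -out /dev/null 2>/dev/null; then
        r1=verified
    else
        r1=verify-failed
    fi

    # flip one byte of the content; the detached signature must now be rejected
    printf 'x' | dd of="$work/big.bin" bs=1 seek=4096 conv=notrunc 2>/dev/null
    if openssl smime -verify -binary -inform DER -in "$work/big.p7s" \
          -content "$work/big.bin" -CAfile "$work/cert.pem" -out /dev/null 2>/dev/null; then
        r2=tamper-missed
    else
        r2=tamper-detected
    fi

    rm -rf "$work"
    printf '%s %s\n' "$r1" "$r2"
}

detached_sign_demo
```

The resulting `big.p7s` is a few kilobytes regardless of how large `big.bin` is, which is the property that makes the detached form the practical one for the sizes discussed in this thread; the content file must then travel alongside it and be passed to `-content` at verification time.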
RE: create opensll, ssldump keyfile
2. when I try using the -k and -p arguments using the iPlanet cert7.db, ssldump gives the error:

    Problem loading private key
    Error: Couldn't create network handler

3. I think I need option (2) but I don't know how to convert the existing iPlanet key3.db, cert7.db or Microsoft Enterprise Certificate Authority Server certificates to a format which can be read by ssldump. The ssldump man page specifies an OpenSSL format keyfile but how do I create one? Step by step instructions would be great.

Last but not least, any idea why the failed su coincides with 81 byte application_data and 20 byte Handshake?

Thanks,
Stuart

-----Original Message-----
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 14, 2002 6:51 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: create opensll, ssldump keyfile

Davidson, Stuart [EMAIL PROTECTED] writes:

> The following ssldump trace records the following 'su' sequence and shows that an su from a non-privileged account does not work.
>
>     # su - dav
>     $ id
>     uid=4001 gid=401
>     +++ su from root to dav works OK +++
>     $ su - dav
>     Password:
>     su: Sorry
>     +++ su from dav to dav does NOT work +++
>     $
>
> Questions:
>
> 1. any idea why the su from a non-privileged account is not working?

This is a Solaris question. My guess, offhand, would be that DAV has a '*'-ed out password field so you can't su to it if you're not root.

> 2. how do I invoke ssldump to decrypt the complete dialog? (e.g. all Handshakes and application data)

You need to ensure that it has the server's private key, using the -k and -p arguments.

> 3. how do I convert the certificates exported from Microsoft Enterprise Certificate Authority to a format which can be read by ssldump?

I'm not sure what you're trying to do here. There seem to be two ways to read this message:

(1) You want ssldump to decode the certificates when it parses the transaction. This is a simple matter of giving it the -N flag to tell it to parse the ASN.1. (Assuming, of course, ssldump was linked with OpenSSL when you built it.)

(2) You want ssldump to read the server's private key (not certificate). There's no need to read the server's certificate. All you need to do for this is convert it into an OpenSSL keyfile. It's not clear what kind of keyfile you're starting with here...

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
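Eric's option (2) needs the server's private key as a PEM file, and Stuart's key lives in an NSS key3.db/cert7.db pair. The usual bridge between the two is a PKCS#12 bundle: NSS can export one with its own tool (`pk12util -o server.p12 -d <dbdir> -n <nickname>`; the directory and nickname are site-specific and not on this page), and `openssl pkcs12` turns the bundle into the PEM key that `ssldump -k` reads (`-p` supplies the password if the PEM key is left encrypted). The script below is an added example for this archive, not code from the thread, from ssldump or from the OpenSSL project: because no NSS database is available here, it builds the PKCS#12 bundle from a throwaway self-signed key pair, performs the conversion, and checks that the extracted key really belongs to the extracted certificate. One caveat a practitioner should keep in mind: a server private key only lets ssldump decrypt sessions whose key exchange encrypts the premaster secret to that key. The trace in this thread negotiated TLS_RSA_WITH_RC4_128_MD5, which qualifies; had the server picked one of the TLS_DHE_* suites the client also offered, the key would not help.

```shell
#!/bin/sh
# Added example (not from the thread, not ssldump or OpenSSL project code).
# PKCS#12 bundle -> PEM private key + PEM certificate for ssldump's -k option,
# with a check that key and certificate belong together.
# Assumes only the openssl CLI; the "server" identity is constructed here.
# For a real NSS database the bundle would come from the NSS tool instead:
#   pk12util -o server.p12 -d <dbdir> -n <nickname>   (site-specific values)

p12_to_pem_demo() {
    work=$(mktemp -d) || return 1

    # constructed key pair + certificate standing in for the exported identity
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-server" \
        -keyout "$work/src.key" -out "$work/src.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$work/src.key" -in "$work/src.pem" \
        -passout pass:demo-export -out "$work/server.p12" 2>/dev/null || return 1

    # --- the conversion step itself ---
    # private key as unencrypted PEM: keep such a file on the analysis host only
    openssl pkcs12 -in "$work/server.p12" -passin pass:demo-export \
        -nocerts -nodes -out "$work/server-key.pem" 2>/dev/null || return 1
    # end-entity certificate only, without any CA certificates in the bundle
    openssl pkcs12 -in "$work/server.p12" -passin pass:demo-export \
        -nokeys -clcerts -out "$work/server-cert.pem" 2>/dev/null || return 1

    # sanity checks: both files parse, and their public halves are identical
    openssl pkey -in "$work/server-key.pem" -noout 2>/dev/null || return 1
    openssl x509 -in "$work/server-cert.pem" -noout 2>/dev/null || return 1
    openssl pkey -in "$work/server-key.pem" -pubout -out "$work/k.pub" 2>/dev/null
    openssl x509 -in "$work/server-cert.pem" -pubkey -noout > "$work/c.pub" 2>/dev/null
    if cmp -s "$work/k.pub" "$work/c.pub"; then
        match=key-matches-cert
    else
        match=mismatch
    fi

    rm -rf "$work"
    echo "$match"
}

p12_to_pem_demo
# with server-key.pem in hand:  ssldump -i <iface> -d -k server-key.pem
# (add -p <password> if the key was extracted without -nodes)
```

Leaving `-nodes` off the key extraction keeps the PEM key encrypted on disk, at the price of typing the password into `ssldump -p`; either way the file is a copy of the server's private key and should be treated, stored and deleted as such.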
create opensll, ssldump keyfile
The following ssldump trace records the following 'su' sequence and shows that an su from a non-privileged account does not work.

    # su - dav
    $ id
    uid=4001 gid=401
    +++ su from root to dav works OK +++
    $ su - dav
    Password:
    su: Sorry
    +++ su from dav to dav does NOT work +++
    $

Questions:

1. any idea why the su from a non-privileged account is not working?
2. how do I invoke ssldump to decrypt the complete dialog? (e.g. all Handshakes and application data)
3. how do I convert the certificates exported from Microsoft Enterprise Certificate Authority to a format which can be read by ssldump?

Thanks,
Stuart

Note: I have tried various openssl commands to convert the Microsoft Enterprise Certificates to a format suitable for ssldump but without success. The server certificate exported from Microsoft Enterprise Certificate Authority has been added to the Netscape/iPlanet format cert7.db using keyutil and certutil. This allows passwords stored in Active Directory to be changed from Solaris, proving, I think, that the certificates are OK. The overall objective is to integrate Solaris with Active Directory so that user accounts are served from AD.

Environment: Solaris 8, PAM ldap built with iPlanet ldapcsdk5[1].08, Windows 2000 Service Pack 2, Active Directory, Microsoft Enterprise Certificate Authority

ssldump follows, comments prefixed with +++

    # ssldump -i hme0 -AdX
    New TCP connection #1: sun6.reo.cpqcorp.net(32829) <-> cpqtestdc1.cpqunix.net(636)
    1 1  0.0026 (0.0026)  C>S  SSLv2 compatible client hello
      Version 3.1
      cipher suites
      TLS_DHE_DSS_WITH_RC4_128_SHA
      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
      TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
      TLS_RSA_WITH_RC4_128_MD5
      Unknown value 0xfeff
      TLS_RSA_WITH_3DES_EDE_CBC_SHA
      Unknown value 0xfefe
      TLS_DHE_RSA_WITH_DES_CBC_SHA
      TLS_DHE_DSS_WITH_DES_CBC_SHA
      TLS_RSA_WITH_DES_CBC_SHA
      TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
      TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
      TLS_RSA_EXPORT_WITH_RC4_40_MD5
      TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    1 2  0.0041 (0.0014)  S>C  V3.1(3977)  Handshake
          ServerHello
            Version 3.1
            random[32]=
              73 9e a3 ec 7b 3c 59 cb 82 43 dd 8b 87 03 8e e5
              c8 c6 98 06 96 25 18 16 69 33 74 e8 aa 2e 9d 5d
            session_id[32]=
              fa 0b 00 00 a6 73 5b 52 9e f4 3d 99 dd b8 c7 98
              68 26 ac 42 c7 3a 7f 9f fd 0f 18 4d c8 29 6e be
            cipherSuite         TLS_RSA_WITH_RC4_128_MD5
            compressionMethod   NULL
          Certificate
          CertificateRequest
            certificate_types   rsa_sign
            certificate_authority
              30 81 c1 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 17 30 15 06 03 55 04 0a 13 0e 56 65 72 69 53 69 67 6e 2c 20 49 6e 63 2e 31 3c 30 3a 06 03 55 04 0b 13 33 43 6c 61 73 73 20 31 20 50 75 62 6c 69 63 20 50 72 69 6d 61 72 79 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 20 2d 20 47 32 31 3a 30 38 06 03 55 04 0b 13 31 28 63 29 20 31 39 39 38 20 56 65 72 69 53 69 67 6e 2c 20 49 6e 63 2e 20 2d 20 46 6f 72 20 61 75 74 68 6f 72 69 7a 65 64 20 75 73 65 20 6f 6e 6c 79 31 1f 30 1d 06 03 55 04 0b 13 16 56 65 72 69 53 69 67 6e 20 54 72 75 73 74 20 4e 65 74 77 6f 72 6b
            certificate_authority
              30 81 c1 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 17 30 15 06 03 55 04 0a 13 0e 56 65 72 69 53 69 67 6e 2c 20 49 6e 63 2e 31 3c 30 3a 06 03 55 04 0b 13 33 43 6c 61 73 73 20 34 20 50 75 62 6c 69 63 20 50 72 69 6d 61 72 79 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 20 2d 20 47 32 31 3a 30 38 06 03 55 04 0b 13 31 28 63 29 20 31 39 39 38 20 56 65 72 69 53 69 67 6e 2c 20 49 6e 63 2e 20 2d 20 46 6f 72 20 61 75 74 68 6f 72 69 7a 65 64 20 75 73 65 20 6f 6e 6c 79 31 1f 30 1d 06 03 55 04 0b 13 16 56 65 72 69 53 69 67 6e 20 54 72 75 73 74 20 4e 65 74 77 6f 72 6b
            certificate_authority
              30 81 d1 31 0b 30 09 06 03 55 04 06 13 02 5a 41 31 15 30 13 06 03 55 04 08 13 0c 57 65 73 74 65 72 6e 20 43 61 70 65 31 12 30 10 06 03 55 04 07 13 09 43 61 70 65 20 54 6f 77 6e 31 1a 30 18 06 03 55 04 0a 13 11 54 68 61 77 74 65 20 43 6f 6e 73 75 6c 74 69 6e 67 31 28 30 26 06 03 55 04 0b 13 1f 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 53 65 72 76 69 63 65 73 20 44 69 76 69 73 69 6f 6e 31 24 30 22 06 03 55 04 03 13 1b 54 68 61 77 74 65 20 50 65 72 73 6f 6e 61 6c 20 46 72 65 65 6d 61 69 6c 20 43 41 31 2b 30 29 06 09 2a 86 48 86 f7 0d 01 09 01 16 1c 70 65 72 73 6f 6e 61 6c 2d 66 72 65 65 6d 61 69 6c 40 74 68 61 77 74 65 2e 63 6f 6d
            certificate_authority
              30 75 31 0b
Re: RE: The digital certificate disapear.....
I have seen this certificate discussion going on too long. So I am also interested to know more about it; all I know is what a CA is. Also I do not know why OpenSSL is being given so much importance for certificates, and how do I use this certificate if I have it? (Just give me practical details, thinking that I am on a Linux machine connected to the internet, and what commands I type so that my CA is put on the net etc.)

Thanks

On Tue, 14 May 2002 Erwann ABALEA wrote:

> On 15 May 2002, Franck Martin wrote:
>
>> Because openssl is broken when handling smime and I need to know from expert people what client works and how good it is when handling certificates created by openssl..
>
> Do you have an example of such S/MIME mail that can't be handled correctly by OpenSSL?
>
> BTW: there's really no difference between a certificate created by OpenSSL and one created by a classic certificate vendor (such as VeriSign, Thawte, or any other). The only important things are what you put in your certificates, and for what purposes the Root CA is trusted in your client software.
>
>> Moreover, I need to know what client is doing what. It seems that some clients make some internet connection to verify certificates...
>
> Yes, if the certificate that the client would like to verify contains for example a CRLDistributionPoint extension, then the client software needs to grab the CRL pointed to by this extension, and validate the certificate based on this CRL. Same if the client software tries to validate the certificate by asking an OCSP responder.
>
>> What's the use of having openssl if you can't use it on a wide range of platforms?
>
> OpenSSL can now be considered mature, and works perfectly on a very wide platform range.
>
>> On Tue, 2002-05-14 at 08:51, Erwann ABALEA wrote:
>>
>>> On Tue, 14 May 2002, Franck Martin wrote:
>>>
>>>> I can tell you, now it works...
>>>>
>>>>> What about your configuration?
>>>
>>> [snip]
>>>
>>> Why are you testing your stuff on the OpenSSL-Users mailing list? Can't you create your own mailing list for that purpose? Why send unnecessary emails to everybody for something that doesn't even concern OpenSSL? Please think next time.
>
> --
> Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
> - Oh right, so as soon as one dares to promote anonymity, one becomes a criminal and one more filter
> -+- Y63 in: GNU - Faf, stupid, cowardly and proud of it -+-
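The request above for "what commands I type", and Erwann's two points (a certificate issued by OpenSSL is no different from a vendor's, and a CRLDistributionPoints extension is what sends a client off to fetch a CRL), can be walked through with the openssl command line. The script below is an added example written for this page; it is not code posted in the thread or shipped by OpenSSL. It builds a throwaway root CA in a temporary directory, issues one leaf certificate carrying a crlDistributionPoints extension, revokes it, publishes a CRL, and verifies the leaf twice: once with plain chain validation and once with revocation checking. Every name in it (Demo Root CA, mail.example.test, the CRL URL, all file names) is made up, and the CRL is handed to openssl verify as a local file rather than fetched from the URL the certificate advertises. It expects an openssl binary from the 1.1.1 or 3.x series.

```shell
#!/bin/sh
# Added example for this thread, not code from OpenSSL or from any poster.
# Throwaway CA -> leaf cert with crlDistributionPoints -> revoke -> CRL ->
# verify with and without revocation checking. All names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal configuration shared by 'openssl req' and 'openssl ca'. The empty
# req_dn section exists only so req is happy; -subj supplies the names.
# The CRL URI is the pointer a real client would fetch; we use the file directly.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints      = critical, CA:TRUE
keyUsage              = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature, keyEncipherment
crlDistributionPoints = URI:http://crl.example.test/demo.crl
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = demo_policy
x509_extensions  = leaf_ext
[ demo_policy ]
commonName = supplied
EOF
mkdir newcerts
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# 1. Self-signed root CA. -subj and -nodes keep everything non-interactive.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
  -config ca.cnf -extensions ca_ext -subj "/CN=Demo Root CA" \
  -keyout ca.key -out ca.pem 2>/dev/null

# 2. Leaf key + CSR, signed by the CA so leaf_ext (with the CRL DP) is applied.
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=mail.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl ca -batch -config ca.cnf -notext -in leaf.csr -out leaf.pem 2>/dev/null

# 3. Revoke the leaf and publish a CRL that lists it.
openssl ca -batch -config ca.cnf -revoke leaf.pem 2>/dev/null
openssl ca -batch -config ca.cnf -gencrl -out demo.crl 2>/dev/null

# yes/no: does the leaf advertise where its CRL lives?
leaf_has_crldp() {
  if openssl x509 -in leaf.pem -noout -text | grep -q 'crl.example.test/demo.crl'; then
    echo yes
  else
    echo no
  fi
}

# Chain validation only: nothing tells the verifier the leaf was revoked.
verify_without_crl() {
  if openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1; then echo ok; else echo rejected; fi
}

# Same chain, but the CRL is consulted: the revoked leaf is rejected.
verify_with_crl() {
  if openssl verify -CAfile ca.pem -CRLfile demo.crl -crl_check leaf.pem >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

echo "leaf carries crlDistributionPoints: $(leaf_has_crldp)"
echo "verify without CRL:                 $(verify_without_crl)"
echo "verify with -crl_check:             $(verify_with_crl)"
```

Run it with sh and the last three lines should read yes, ok and rejected. The same chain that validates cleanly is refused the moment the CRL is consulted, which is why a client that honours the extension opens a network connection during validation, and why one that ignores it will accept a revoked certificate without complaint. Whether the CA is "home-made" with these commands or bought makes no difference to that check; only the certificate contents and the client's trust settings do.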
IP address
I want to know the IP address of a site I connect to, for example www.hotmail.com. How can I know it from a Linux terminal? Thanks. (I am writing some progs so in between them I need this.)
Re: IP address
nslookup and the URL

- Original Message -
From: shalen chhabra [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 14, 2002 3:58 PM
Subject: IP address

> I want to know the IP address of a site I connect to, for example www.hotmail.com. How can I know it from a Linux terminal? Thanks. (I am writing some progs so in between them I need this.)
Re: IP address
Use host; nslookup became deprecated. Ex:

  [sidney@host sidney]$ host www.hotmail.com
  www.hotmail.com. has address 64.4.44.7
  www.hotmail.com. has address 64.4.45.7
  www.hotmail.com. has address 64.4.52.7
  www.hotmail.com. has address 64.4.53.7
  www.hotmail.com. has address 64.4.54.7
  www.hotmail.com. has address 64.4.43.7

- Original Message -
From: Chamby [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 14, 2002 4:37 PM
Subject: Re: IP address

> nslookup and the URL
>
> - Original Message -
> From: shalen chhabra [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, May 14, 2002 3:58 PM
> Subject: IP address
>
>> I want to know the IP address of a site I connect to, for example www.hotmail.com. How can I know it from a Linux terminal? Thanks. (I am writing some progs so in between them I need this.)
Re: Large files with smime
On Tue, May 14, 2002, Girish Venkatachalam wrote:

> Hi everyone,
> OpenSSL smime is not able to handle big files (we tried with a 500MB file). It doesn't report any error message. On stepping through the source, we found that it's failing in OPENSSL_malloc.

That's not surprising. The ASN1 routines currently are purely memory based. That is, you need to have the whole structure in memory for it to work. Trying to allocate 500MB of memory is probably producing a malloc failure. It should however give an error message.

> However openssl enc works fine with files larger than 2 GB.

The 'enc' command streams data in chunks and never needs to have the whole file in memory.

> There is a bug in one of those pkcs7_ routines. Is there a workaround for this problem?

The fix is to add ASN1 routines that are I/O based instead of memory based. In 0.9.6 you'd have to rewrite almost all the ASN1 code; in 0.9.7 and later it is less difficult and will need a new or additional BIO based ASN1 encoder and decoder. This is still a big job though. Handling non-blocking I/O is particularly messy, but blocking I/O is somewhat easier.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
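The distinction Steve draws is visible in the encoded bytes: a DER encoder must know every length before it can write the first octet, so the whole structure has to sit in memory, while enc just pushes blocks through a BIO. OpenSSL 1.0.0 and later added the BIO-based encoder he describes and exposed it as the -stream (alias -indef) option of openssl smime and openssl cms; it emits BER indefinite-length encodings, which need no up-front size. The script below is an added example for this page, not code from the thread or from OpenSSL. It encrypts a constructed 8 MiB file to a throwaway self-signed recipient twice, once without and once with -stream, compares the outer length octet of the two encodings, and decrypts the streamed one to confirm the round trip. The recipient name and all file names are invented, and the payload is random bytes generated on the spot.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL. Needs 'openssl smime'
# with the -stream option (OpenSSL 1.0.0 or later). All names are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway recipient: self-signed certificate plus its private key.
# The tiny config only exists so 'req' finds a DN section; -subj supplies the name.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 7 -config req.cnf \
  -subj "/CN=recipient.example.test" -keyout recip.key -out recip.pem 2>/dev/null

# Constructed payload: 8 MiB of random bytes (large enough to show the length
# encoding, small enough to run anywhere).
dd if=/dev/urandom of=plain.bin bs=1048576 count=8 2>/dev/null

# Same plaintext encoded twice as raw ASN.1 (not MIME) so the bytes can be inspected.
#   msg.der: default, definite-length DER, the whole PKCS#7 built in memory first.
#   msg.ber: -stream, BER indefinite-length, written while the plaintext flows through.
openssl smime -encrypt -aes256 -binary -outform DER \
  -in plain.bin -out msg.der recip.pem 2>/dev/null
openssl smime -encrypt -stream -aes256 -binary -outform DER \
  -in plain.bin -out msg.ber recip.pem 2>/dev/null

# The decoder accepts indefinite-length content, so decrypting the streamed
# message needs no special flag.
openssl smime -decrypt -binary -inform DER -in msg.ber \
  -inkey recip.key -recip recip.pem -out out.bin 2>/dev/null

# Second octet of the outermost SEQUENCE: 80 means "indefinite length" (closed
# later by end-of-contents octets); 8N means N length bytes follow, which the
# encoder can only emit once it already knows the total size.
outer_length_octet() {
  od -An -tx1 -N2 "$1" | tr -d ' \n' | cut -c3-4
}

# yes if the streamed encrypt/decrypt round trip reproduced the input exactly.
roundtrip_intact() {
  if cmp -s plain.bin out.bin; then echo yes; else echo no; fi
}

echo "no -stream, length octet: $(outer_length_octet msg.der)"
echo "-stream,    length octet: $(outer_length_octet msg.ber)"
echo "round trip intact:        $(roundtrip_intact)"
```

The streamed encoding starts 30 80 and the default one starts 30 followed by a long-form length byte; the first can be produced by a single pass over the input, the second cannot, which is the whole reason the 0.9.6 smime command in this thread tried to allocate the file's size in one go.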
Re: [offtopic] Importing openssl RSA keys to gnupg.
Hi,

I've already done this with PGP for Windows. It works OK and we can see the certificate common fields. I'd like to import X.509 certificates and private keys to gnupg also, but I think (not for sure) that gnupg doesn't support it. If anyone knows how to do it and if it's possible, I also want to know.

regards,
Augusto Marcacini

On 23 Apr 2002 at 23:34, Kalyan Varma wrote:

> I have a small issue. I have a couple of RSA keys (generated by openssl). Now I want to import them and use them in gnupg. I know we can't do this directly, but does anyone have any idea?
>
> thanks,
> - kalyan