Query about DES-CBC3-SHA
Hi, I am using openssl-0.9.6d to establish a secure web server. I am having some problems with the DES-CBC3-SHA (TLS_RSA_WITH_3DES_EDE_CBC_SHA) cipher suite. Details below:

Platform: Unix.

- openssl req -x509 -new -keyout srvkey.pem -out srvcert.pem -days 365 -newkey rsa:1024 -nodes
- openssl s_server -cert srvcert.pem -key srvkey.pem -cipher DES-CBC3-SHA -WWW
  (I intend to use only one cipher suite, DES-CBC3-SHA).
- I create/copy an html file (say temp.html) to the directory where I ran the above commands.
- I tried to connect from a browser using https://IP ADDRESS:PORT/temp.html (PORT=default).

In Internet Explorer I get an error: "The page cannot be displayed". I get this error even after I install the certificate. In Netscape, I am able to install the certificate and successfully open the html page.

This problem does not arise in openssl-0.9.6b. This problem does not arise in openssl-0.9.6d if I am using low encryption strengths (128 bit or 40 bit).

I have read the CHANGES document (from 0.9.6b to 0.9.6d) and it mentions some changes (from 0.9.6b to 0.9.6c) for block cipher padding. I read the details of the new padding method in http://www.openssl.org/~bodo/tls-cbc.txt, but that didn't help much.

Can anyone suggest a solution for my problem?

-Umesh

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
3DES ECB
Hi, I was wondering if someone could clarify this for me. I'm trying to decrypt a string which has been encrypted in 3DES ECB mode. I'm using the command line utility and a program I have written to do this. According to EVP_EncryptInit.html, I should use the cipher EVP_des_ede3(). However, in the command line utility I don't see any 3DES ECB cipher. According to the 'enc' man page the cipher 'des-ede3' is an alias for 'des-ede3-cbc'. Are both of these correct? If so, shouldn't there be a standard naming convention for these ciphers? And how do I encrypt/decrypt a string in 3DES ECB mode using the command line utility?

Thanks,
Stella
Re: 3DES ECB
Hello Stella,

Tuesday, June 04, 2002, 11:14:59 AM, you wrote:

SP> Hi,
SP> I was wondering if someone could clarify this for me. I'm trying to decrypt
SP> a string which has been encrypted in 3DES ECB mode.
SP> I'm using the command line utility and a program I have written to do this.
SP> According to the EVP_EncryptInit.html, I should use the cipher
SP> EVP_des_ede3().

This is correct!

SP> However in the command line utility I don't see any 3DES ECB cipher.
SP> According to the 'enc' man page the cipher 'des-ede3' is an alias for
SP> 'des-ede3-cbc'.

Maybe if you supply an IV then it is aliased to des-ede3-cbc?!

SP> Are both of these correct? If so, shouldn't there be a standard naming
SP> convention for these ciphers? and how do I encrypt/decrypt a string in 3DES
SP> ECB mode using the command line utility?

openssl des-ede3 -iv 0 -other-options-here
Signed Documents from a Webserver
Yo! I'm playing around with openSSL now for a while and have set up my own CA. I would now like to create signed binary documents (Word, Excel, PDF etc.) which can be downloaded from a web server. My idea is that the signature of the binary document will be validated by the browser at download time, like with Jar archives. Is that possible? Which MIME type would be suitable for the signed documents? How to create the signed documents? PGP offered the possibility to generate a detached ASCII signature file, but I don't like to depend on a client-based validation tool. Any ideas?

Stefan
--
Stefan Thom - MobilCom Multimedia GmbH
System Technology - Standardization
Hollerstraße 126, 24782 Büdelsdorf, Germany
54°N18'56 09°E42'04 GMT-1:00
Phone: +49(4331)69-3733 | [EMAIL PROTECTED]
Fax: +49(4331)69-2105 | [EMAIL PROTECTED]
Errors
I need some help.

1. I am able to generate a Certificate and Private Key using command line options in Openssl. Can someone tell me, are they considered good? And if they are good, why do we need Certificates from companies like Microsoft, Verisign???

2. I have downloaded the OpenSSL 0.9.6 24 Sep 2000 version. In openssl-0.9.6d/openssl-0.9.6d/demos/maurice when I write make I get the following errors:

cc -g -I../../include -Wall -c -o loadkeys.o loadkeys.c
loadkeys.c: In function `ReadPublicKey':
loadkeys.c:36: too few arguments to function `PEM_ASN1_read'
loadkeys.c: In function `ReadPrivateKey':
loadkeys.c:67: too few arguments to function `PEM_ASN1_read'
make: *** [loadkeys.o] Error 1

When I open loadkeys.c, line 36 is

    x509 = (X509 *)PEM_ASN1_read ((char *(*)())d2i_X509, PEM_STRING_X509, fp, NULL, NULL);

and line 67 is

    pkey = (EVP_PKEY*)PEM_ASN1_read ((char *(*)())d2i_PrivateKey, PEM_STRING_EVP_PKEY, fp, NULL, NULL);

But when I went to openssl.org I could not find what the syntax of the PEM_ASN1_read function is. Please help, what should the arguments be???

Thanks
Shalendra
zlib double free bug and openssl question.
I've tried to search the archives/bug reports/FAQs and didn't find any definitive answers on the zlib Double Free Bug, CERT Advisory CA-2002-07. Does openssl v0.9.6b or above have this issue? I know if you do a strings on libcrypto.a you find zlib a lot, so I assume somehow the zlib library is used in crypto/comp/c_zlib.c or somewhere. Thanks for any help you can give me. Please mail me directly since I'm not on this list.

Thanks for your time and help,
Lenny Miceli
Help
I have downloaded the OpenSSL 0.9.6 24 Sep 2000 version. In openssl-0.9.6d/openssl-0.9.6d/demos/maurice when I write make I get the following errors:

cc -g -I../../include -Wall -c -o loadkeys.o loadkeys.c
loadkeys.c: In function `ReadPublicKey':
loadkeys.c:36: too few arguments to function `PEM_ASN1_read'
loadkeys.c: In function `ReadPrivateKey':
loadkeys.c:67: too few arguments to function `PEM_ASN1_read'
make: *** [loadkeys.o] Error 1

When I open loadkeys.c, line 36 is

    x509 = (X509 *)PEM_ASN1_read ((char *(*)())d2i_X509, PEM_STRING_X509, fp, NULL, NULL);

and line 67 is

    pkey = (EVP_PKEY*)PEM_ASN1_read ((char *(*)())d2i_PrivateKey, PEM_STRING_EVP_PKEY, fp, NULL, NULL);

But when I went to openssl.org I could not find what the syntax of the PEM_ASN1_read function is. Please help, what should the arguments be???

Thanks
Shalendra
-
Chaa...nd Tarr...e Too...r Laa...yoon Sarr...ee Dunn..iya Par Chaa Jayoon! Bus Itnaa Saa Kwaab Hei (in Hindi)
Shalendra Chhabra
Laboratoire Specification et Verification, Ecole Normale Superieure De Cachan, Pavillon Des Jardins, Chambre n 215, 61 Avenue Du President Wilson, Cachan Cedex France
ph office 33.01.47.40.28.46
www.angelfire.com/linux/shalu
Openssl 0.9.6d coredumps
Hi all, I've tried to use the following certificate and private key to sign my own requested certificate but for some reason, openssl coredumps. Coredumps occur also when trying to obtain information from the private key (with commands like pkcs8, rsa). Any idea why this is happening? (I can provide the coredump file if necessary)

-----BEGIN PRIVATE KEY-----
MIIB5DANBgkqhkiG9w0BAQEFADCCAdECgYBTAI9HrMBfEfuTiT9NyUD2jGsWIi1YKqsLt3SdTwi
9Bh/k7/x68GpTRcAzDpklvs4ZaJBXwiJxs6cLJabV+dCHZnH9X3SSrn8Hz1zYrcNgkHqm3Jx6jE
aZxjN4MwRQd3KOjwmdZAvHd3+5IXRZPbmYdM1gC0QMiQpCP8rXXJzkZwIBIwKBgANzDplBB1Roe
ioJsYI8Oo3nP6ErT66NaNqV65QrLj5hVcWw30WbnLBYAqsD7m1JwhUBBVVvIgNlOM/sSW1MNeGs
RTOxpo6hbqe6WRqqtTEIopyOx/RUNM33NQ6Rfvo27/Sop4/xUe8DUQsnYJ0pJ5QStwOjlSXo9KV
mT3nkuQYLAkEAgwz57Wdk9dGOxyYKHsWTk2Y4NlV87/+/QNRO5Wfl/YNKIDuHxLFTin7netad7X
MFp43TPtBaNceNzx1UmctmuwJBAKIj149VZaw21RQ2vONV4R1Ll3qblnIQPnjyesCdBbABVVSOH
gCW7K0ytUMY9aH+N8rrxTw+0h3D6ILVHbMtXEUCQCwSZx1ZSpxyRU6/6SWMZDibdjxd5Zh03GZh
XxLSxzoiRyMygmB65OS5wFncscrd9CYmlpMpAKmatE7G0p+IrVE=
-----END PRIVATE KEY-----

The matching public key: (this seems to work)

-----BEGIN CERTIFICATE-----
MIICRzCCAbCgAwIBAgIEATEF8TANBgkqhkiG9w0BAQQFADBVMQswCQYDVQQGEwJGSTEoMCYGA1U
EChMfVGhlIEZpbm5pc2ggQmFua2VycyBBc3NvY2lhdGlvbjEcMBoGA1UECxMTQ2xpZW50IENBIF
VudHJ1c3RlZDAeFw0wMDA2MTQwNjMwMDBaFw0yNzEwMzEwODMwMDBaMFUxCzAJBgNVBAYTAkZJM
SgwJgYDVQQKEx9UaGUgRmlubmlzaCBCYW5rZXJzIEFzc29jaWF0aW9uMRwwGgYDVQQLExNDbGll
bnQgQ0EgVW50cnVzdGVkMIGcMA0GCSqGSIb3DQEBAQUAA4GKADCBhgKBgFMAj0eswF8R+5OJP03
JQPaMaxYiLVgqqwu3dJ1PCL0GH+Tv/HrwalNFwDMOmSW+zhlokFfCInGzpwslptX50Idmcf1fdJ
KufwfPXNitw2CQeqbcnHqMRpnGM3gzBFB3co6PCZ1kC8d3f7khdFk9uZh0zWALRAyJCkI/ytdcn
ORnAgEjoycwJTAPBgNVHQ8BAf8EBQMDB4AAMBIGA1UdEwEB/wQIMAYBAf8CAQIwDQYJKoZIhvcN
AQEEBQADgYEAUQu1peUXTmTBcNvNXAc8bQ5TDW8vL5Sl9zPNJsWD99pAqjIyMXLx02+96g46fUA
ujxTzsVFNlnJ+tbejvTDZcWqSc6r/H1TeGOc14HAAFIRGV3ifI65Kj3XAHYRAuaVQtb69DAvWxM
7VINWzZp1Ip3kM1MC1J7GjlbW5yyxDiGM=
-----END CERTIFICATE-----

Regards,
Jarmo
Re: Query about DES-CBC3-SHA
On Tue, 2002-06-04 at 09:26, Umesh wrote:

> Hi, I am using openssl-0.9.6d to establish a secure web server. I am having some problems with the DES-CBC3-SHA (TLS_RSA_WITH_3DES_EDE_CBC_SHA) cipher suite. Details below:
> Platform: Unix.
> - openssl req -x509 -new -keyout srvkey.pem -out srvcert.pem -days 365 -newkey rsa:1024 -nodes
> - openssl s_server -cert srvcert.pem -key srvkey.pem -cipher DES-CBC3-SHA -WWW
>   (I intend to use only one cipher suite, DES-CBC3-SHA).

Run this command with the -state argument as well and include the output in the email. That would give a better indication as to what went wrong.

> - I create/copy an html file (say temp.html) to the directory where I ran the above commands.
> - I tried to connect from a browser using https://IP ADDRESS:PORT/temp.html (PORT=default).
> In Internet Explorer I get an error: "The page cannot be displayed". I get this error even after I install the certificate. In Netscape, I am able to install the certificate and successfully open the html page.
> This problem does not arise in openssl-0.9.6b. This problem does not arise in openssl-0.9.6d if I am using low encryption strengths (128 bit or 40 bit).
> I have read the CHANGES document (from 0.9.6b to 0.9.6d) and it mentions some changes (from 0.9.6b to 0.9.6c) for block cipher padding. I read the details of the new padding method in http://www.openssl.org/~bodo/tls-cbc.txt, but that didn't help much.
> Can anyone suggest a solution for my problem?
> -Umesh
RE: Errors
See answers below. I hope it helps.

Best Regards,
Sharon Hezy.

-----Original Message-----
--From: Shalendra Chhabra [mailto:[EMAIL PROTECTED]]
--Sent: Tue, June 04, 2002 3:01 PM
--To: [EMAIL PROTECTED]
--Subject: Errors
--
--I need some help
--
--1. I am able to generate Certificate and Private Key
--using command line options in Openssl.
--can someone tell me are they considered good? and if they are good
--why do we need Certificates from companies like
--Microsoft, Verisign???
--

You're right that you can generate a private key and a certificate *request* using the openssl command line tool. You can also use the browser's/server's UI for certificate request and private key generation. But creation of the certificate is another thing. When you sign a certificate request, you should be a *valid* certificate authority. The regular ca tool of openssl signs your request using a test certificate authority (which is inside OpenSSL by courtesy of the OpenSSL developers). If you choose to trust it, you should add it to your browser's trusted certificates list (or to your server's trusted certificates list). Anyway, if you send this certificate signed by the test CA to anybody else (not your server/browser), your certificate will not be trusted by anybody, because nobody else except you knows who the test CA is. But known companies such as Verisign, Thawte, etc. are known worldwide, and if they sign your certificate you will not have verification problems (at least not CA verification problems... :-) ). For example, their certificates are part of the default trusted CA list which you get when you install the IE or Netscape browsers. Simply, it's all a matter of trust: whether other people trust the person who signs your personal certificate. ;-)

--
--
--2. I have downloaded the OpenSSL 0.9.6 24 Sep 2000
--version. In
--openssl-0.9.6d/openssl-0.9.6d/demos/maurice
--when I write make
--I get the following errors
--cc -g -I../../include -Wall -c -o loadkeys.o loadkeys.c
--loadkeys.c: In function `ReadPublicKey':
--loadkeys.c:36: too few arguments to function `PEM_ASN1_read'
--loadkeys.c: In function `ReadPrivateKey':
--loadkeys.c:67: too few arguments to function `PEM_ASN1_read'
--make: *** [loadkeys.o] Error 1
--
--when I open loadkeys.c, line 36 is
--
--x509 = (X509 *)PEM_ASN1_read ((char *(*)())d2i_X509,
--PEM_STRING_X509,
--fp, NULL, NULL);
--
--
--and line 67 is
--
-- pkey = (EVP_PKEY*)PEM_ASN1_read ((char
--*(*)())d2i_PrivateKey,
-- PEM_STRING_EVP_PKEY,
-- fp,
-- NULL, NULL);
--
--But when I went to openssl.org I could not find whats the syntax
--of the
--PEM_ASN1_read function. Please help what the arguments should
--be???

How about checking the appropriate .h file? You can find the function with grep on Unix or find on Windows.

--Thanks
--Shalendra
How to renew a Cert generated by my own CA
I have only just subscribed to this list so I apologise if I don't follow protocol. I thought this would be easy but my Web searches have led to nothing and I can't find an archive for this list :-(

I have had my own CA for a little over a year now (key point). This has been done using openssl and the clues from Ralf's mod_ssl FAQ (including the sign.sh script from the mod_ssl distrib). All works fine and I have used the certificates for HTTPS and IMAPS on my intranet and for some personal services over the Internet ... No problems.

However, my certificates have now started to expire and I am getting warning dialogs from my apps. Not really a big deal as all the secured services are private and are still usable, but it is annoying. I have searched for a way to renew the existing certs and read through the openssl ca man page several times but I just can't work out what I'm supposed to do. I did find one page that seemed to suggest that I revoke my expired certificates and then resign the CSRs, but this doesn't seem right to me.

Hopefully someone has a quick explanation. I can't imagine this is that complicated; I'm just feeling really dumb at the moment.

TIA for any help
/dan
--
Daniel Sutcliffe [EMAIL PROTECTED]
RE: Help
I have also run into this problem, and have not been able to resolve it. I'd guess that the example was originally compiled against an older version of the library.

-----Original Message-----
From: Shalendra Chhabra [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 03, 2002 10:05 PM
To: [EMAIL PROTECTED]
Subject: Help

I have downloaded the OpenSSL 0.9.6 24 Sep 2000 version. In openssl-0.9.6d/openssl-0.9.6d/demos/maurice when I write make I get the following errors:

cc -g -I../../include -Wall -c -o loadkeys.o loadkeys.c
loadkeys.c: In function `ReadPublicKey':
loadkeys.c:36: too few arguments to function `PEM_ASN1_read'
loadkeys.c: In function `ReadPrivateKey':
loadkeys.c:67: too few arguments to function `PEM_ASN1_read'
make: *** [loadkeys.o] Error 1

When I open loadkeys.c, line 36 is

    x509 = (X509 *)PEM_ASN1_read ((char *(*)())d2i_X509, PEM_STRING_X509, fp, NULL, NULL);

and line 67 is

    pkey = (EVP_PKEY*)PEM_ASN1_read ((char *(*)())d2i_PrivateKey, PEM_STRING_EVP_PKEY, fp, NULL, NULL);

But when I went to openssl.org I could not find what the syntax of the PEM_ASN1_read function is. Please help, what should the arguments be???

Thanks
Shalendra
-
Chaa...nd Tarr...e Too...r Laa...yoon Sarr...ee Dunn..iya Par Chaa Jayoon! Bus Itnaa Saa Kwaab Hei (in Hindi)
Shalendra Chhabra
Laboratoire Specification et Verification, Ecole Normale Superieure De Cachan, Pavillon Des Jardins, Chambre n 215, 61 Avenue Du President Wilson, Cachan Cedex France
ph office 33.01.47.40.28.46
www.angelfire.com/linux/shalu
How to use ExtensionRequest attribute.
Hi, I have a question regarding the Extension Request attributes.

1. What is an ExtensionRequest attribute?
2. How to add an ExtensionRequest attribute to a certificate request?

Awaiting your valuable response.

Regards
Suram
RE: Errors
Whether the certificates are good or not depends on your usage of them. As far as securing your own communications, yes, they are good (if properly created with a decent key etc.). The Microsoft, Verisign, Thawte, etc. certificates are for the general public's peace of mind. They are normally used on commercial websites or publicly distributed software. The reason these commercial certificate companies are important, although their certificates are functionally the same as yours, is that they are established as trusted companies by the software community at large. They are known to verify that the people they distribute signed certificates to are who they say they are. If you have a certificate from some no-name certificate authority ( http://www.theregister.co.uk/content/30/25547.html :) ) instead of a well-known one like Verisign that says it is for Microsoft Corporation, it will work for securing your code. But it does not mean that the company is actually Microsoft. But if you have a certificate from Verisign saying it was signed for Microsoft, then you can feel fairly confident that you aren't being misled by whoever is using the certificate. The issue is Trust. You have to believe that whoever is issuing the certificate is verifying who they sign it for. And they charge enough money for their seal of approval also. :/

-----Original Message-----
From: Shalendra Chhabra [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 9:01 AM
To: [EMAIL PROTECTED]
Subject: Errors

I need some help

1. I am able to generate Certificate and Private Key using command line options in Openssl. can someone tell me are they considered good? and if they are good why do we need Certificates from companies like Microsoft, Verisign???
How to build a unique file with two certificates (chained)
I have created a CA certificate: ca.der
I have created a client certificate: client.der

I wonder how it is possible to create a single certificate which includes them both, that is, a single file in DER format. I tried to put them both in PEM format, then copy one file to the other and then convert to DER format, but without result.

Please help me
Paolo Rossi [EMAIL PROTECTED]
Re: Errors
On 4 Jun 2002, Shalendra Chhabra wrote:

> 1. I am able to generate Certificate and Private Key using command line options in Openssl. can someone tell me are they considered good? and if they are good why do we need Certificates from companies like Microsoft, Verisign???

Considered good by whom, and what does good mean?

Certificates produced using OpenSSL ought to be just as good in the mathematical sense as anyone else's. What those certificates *mean* depends on just how hard the issuer works to prove that the entity requesting the certificate is providing a valid identity to be bound to the requested certificate. Certificates from recognized commercial CAs have considerable value because we believe that those CAs do a reasonable job of verifying identity. Certificates issued by the experimental OpenSSL-based CA I have on my office workstation have no particular value, and in fact my CPS says so. Certificates issued by random CAs set up with Microsoft's cert. management tools have value in proportion to the trust you place in the person running the CA and the security of the CA host machine.

Commercial certificates for e.g. web servers have other value as well, in that most Web browsers will already be set up to trust those CAs. If you mint your own cert.s using OpenSSL or the Windows gadget, nobody will have heard of your CA, so you have to convince them that you're trustworthy before they'll add your CA's self-signed cert. to their store of trusted authorities. (Of course, some people don't require much convincing.) A private CA is probably best used for internal projects only, since it's a lot easier to develop the necessary trust within a small, closed community.

The MS gadget has one other thing going for it: it's all wrapped up in a pretty package so that you can just push a few buttons and have a private CA ready for use. OTOH OpenSSL lets you see what it is doing, and it's flexible enough to do a lot more than just issue magic numbers.

--
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of user.
qcStatements
Does anyone know how to configure openssl.cnf to include the 'qcStatements' extension in a user certificate?

Thanks...
RSA_sign second param: the message or the digest?
As I understand, signing a message means getting its hash/digest and then encrypting the digest with your private key. So I would assume that RSA_sign would take as parameters the message, the hash algorithm ID and the private key. However, according to the documentation of RSA_sign (3), it takes the digest itself rather than the message. So I should compute the digest myself, using whatever hash algorithm, and then pass both the algorithm ID and the digest to RSA_sign? Then why does it need the algorithm identifier if I have hashed it already? And what's the difference between RSA_sign and RSA_private_encrypt then?

Thanks for any help
Judith
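What RSA_sign() does with its type argument, shown as an added example in Python that is not part of the original post or of OpenSSL's own code: it wraps the digest in the PKCS#1 DigestInfo structure (the hash algorithm's OID plus the digest bytes), applies PKCS#1 v1.5 block type 1 padding, and only then runs the private-key operation, which is the one step RSA_private_encrypt() performs. The key below is a deterministic toy built from two Mersenne primes (an assumption made so the example is reproducible; such a modulus is trivially factorable and must never be used for real), and the function names mirror the OpenSSL calls they imitate rather than calling libcrypto.

```python
# Added example (not from the original post, not OpenSSL code): what RSA_sign()
# does with its NID/type argument versus RSA_private_encrypt(). Standard library only.
import hashlib

# Toy key (assumption: fixed Mersenne primes so the example is deterministic).
# A modulus built from Mersenne primes is trivially factorable; never use one for real.
P = (1 << 521) - 1          # Mersenne prime M521
Q = (1 << 607) - 1          # Mersenne prime M607
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python >= 3.8
K = (N.bit_length() + 7) // 8       # modulus size in bytes, what RSA_size() returns


def der_tlv(tag, body):
    """DER tag-length-value for the short lengths (< 128 bytes) used here."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def der_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


# The table RSA_sign() consults for its type argument: NID -> (OID, hash function).
HASHES = {
    "sha1": ("1.3.14.3.2.26", hashlib.sha1),
    "sha256": ("2.16.840.1.101.3.4.2.1", hashlib.sha256),
}


def digest_info(name, digest):
    """DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING }"""
    oid, _ = HASHES[name]
    alg_id = der_tlv(0x30, der_oid(oid) + b"\x05\x00")   # OID followed by NULL parameters
    return der_tlv(0x30, alg_id + der_tlv(0x04, digest))


def emsa_pkcs1_v15(t, k):
    """EM = 0x00 || 0x01 || 0xFF..0xFF || 0x00 || T  (PKCS#1 v1.5 block type 1, k bytes)."""
    if k < len(t) + 11:
        raise ValueError("modulus too small for this input")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_private_encrypt(data, n, d, k):
    """Mirrors RSA_private_encrypt(..., RSA_PKCS1_PADDING): pad the caller's bytes, then s = m^d mod n."""
    em = emsa_pkcs1_v15(data, k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def rsa_sign(name, digest, n, d, k):
    """Mirrors RSA_sign(type, m, ...): DigestInfo first, then padding, then the private operation."""
    return rsa_private_encrypt(digest_info(name, digest), n, d, k)


def rsa_verify(name, digest, sig, n, e, k):
    """Mirrors RSA_verify(): recover EM with the public operation and compare the whole block."""
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    # The expected block includes the DigestInfo, so a signature made over a bare
    # digest, or labelled with a different hash, does not match.
    return em == emsa_pkcs1_v15(digest_info(name, digest), k)


if __name__ == "__main__":
    msg = b"constructed sample message"          # constructed input
    dgst = hashlib.sha256(msg).digest()
    sig = rsa_sign("sha256", dgst, N, D, K)
    print("RSA_sign-style signature verifies:", rsa_verify("sha256", dgst, sig, N, E, K))
    raw = rsa_private_encrypt(dgst, N, D, K)
    print("RSA_private_encrypt of the bare digest verifies as an RSA_sign signature:",
          rsa_verify("sha256", dgst, raw, N, E, K))
```

The algorithm identifier is needed because it travels inside the signed block: the verifier rebuilds the whole DigestInfo from the hash it expects and compares the entire recovered block, so a signature made over a bare digest, or over the same digest labelled with a different hash, fails to verify. That is also why RSA_verify() has to be given the same type that was passed to RSA_sign().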
Re: Errors
I sort of agree with the sentiments expressed by Shalendra Chhabra. The value added by M$ or Verisign is questionable. I would rather I could pop over to my local bank and get a cert. They know me and I trust them. I do not trust Verisign.

I have said this before in this group and I will repeat it. I see nothing that would stop a felon in prison from incorporating a company and getting a cert. The bottom line is that the theory is fine... but in practice I feel commercial CAs should be institutions that we already trust - like the local bank or law office. Trusting Verisign or Microsoft is questionable. I also feel it is somewhat ludicrous that my local bank should be expected to shell out $1000's so they can get a cert that allows them to re-issue certs. IMHO this is just a racket.

In practice I think "good" works like this. Any cert that does not fire up a warning message from the Windows machine running the browser would be considered good. This means that one can use any of many ways to load a "good" cert into the machine. Windows has a LOT of exploits. Security is only as strong as the weakest link. This means the end user is probably the biggest security weakness in most cases. Simply pop up a dialog that asks the user to download the cert you want as a prior step. Perhaps write a signed ActiveX control and use it to install your own cert. If the machine is vulnerable to a virus then one can use that hole to install a cert.

Am I wrong?

On Tue, Jun 04, 2002 at 10:27:34AM -0500, Mark H. Wood wrote:
> On 4 Jun 2002, Shalendra Chhabra wrote:
> > 1. I am able to generate Certificate and Private Key using command line options in Openssl. can someone tell me are they considered good? and if they are good why do we need Certificates from companies like Microsoft, Verisign???
>
> Considered good by whom, and what does good mean?
>
> Certificates produced using OpenSSL ought to be just as good in the mathematical sense as anyone else's. What those certificates *mean* depends on just how hard the issuer works to prove that the entity requesting the certificate is providing a valid identity to be bound to the requested certificate. Certificates from recognized commercial CAs have considerable value because we believe that those CAs do a reasonable job of verifying identity. Certificates issued by the experimental OpenSSL-based CA I have on my office workstation have no particular value, and in fact my CPS says so. Certificates issued by random CAs set up with Microsoft's cert. management tools have value in proportion to the trust you place in the person running the CA and the security of the CA host machine.
>
> Commercial certificates for e.g. web servers have other value as well, in that most Web browsers will already be set up to trust those CAs. If you mint your own cert.s using OpenSSL or the Windows gadget, nobody will have heard of your CA so you have to convince them that you're trustworthy before they'll add your CA's self-signed cert. to their store of trusted authorities. (Of course, some people don't require much convincing.) A private CA is probably best used for internal projects only, since it's a lot easier to develop the necessary trust within a small, closed community.
>
> The MS gadget has one other thing going for it: it's all wrapped up in a pretty package so that you can just push a few buttons and have a private CA ready for use. OTOH OpenSSL lets you see what it is doing, and it's flexible enough to do a lot more than just issue magic numbers.
>
> --
> Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
> MS Windows *is* user-friendly, but only for certain values of user.
How to use X509 -hash command
Hi, I'm a new user of the OpenSSL lib. I'm trying to validate an S/MIME message. I've got the sender's certificate and the CA's certificates. There are 2 CAs involved (intermediate and root). The problem I'm having is telling the smime utility to use both certificates to validate the sender's certificate. The command I'm using is:

openssl smime -verify -in msg.txt -inform SMIME -certfile sender.cer -CAfile CA1.cer -CAfile CA1.cer

I got the error UNABLE TO GET LOCAL ISSUER CERTIFICATE or UNABLE TO GET ISSUER CERTIFICATE, depending on the order I placed CA1 and CA2. I read the documentation, and I found the -CApath option; the problem is I don't know how to create a standard certificate directory in Windows 2000. I checked the X509 documentation but I still can't create the directory... Can anyone explain to me how to create it?

Thanks,
DG.
---
Daniel H. Gomes
THINK - Tecnologias de Informacao
[EMAIL PROTECTED] http://www.think.pt
Tel: +351.919.056.640 ou +351.213.590.285
Fax: +351.213.580.006
Re: zlib double free bug and openssl question.
On Mon, Jun 03, 2002 at 04:01:38PM -0400, Lenny Miceli wrote:
> I've tried to search the archives/bug reports/faq's and didn't find any definitive answers on the zlib Double Free Bug CERT's Advisory CA-2002-07 issue. Does openssl v0.9.6b or above have this issue? I know if you do a strings on libcrypto.a you find zlib a lot, so I assume somehow the zlib library is used in crypto/comp/c_zlib.c or somewhere. Thanks for any help you can give me.

If not explicitly selected, OpenSSL is not compiled with zlib support. And even if it were compiled in, it won't be used by default unless an application enables it. I am not aware of any publicly available application using zlib functionality inside OpenSSL.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
rsa_st copy function
Greetings! I have been searching the OpenSSL headers for a copy function which would take a const pointer to an rsa_st structure and return another pointer to a copy of it, but have not found any. My question is why isn't there such a function? Are there any tricks in the copying process of the mentioned struct? I wrote a function which reads:

    #include <openssl/bn.h>
    #include <openssl/rsa.h>

    /* Deep-copy one BIGNUM field; a NULL source (public-only key) stays NULL. */
    static int dup_bn(BIGNUM **dst, const BIGNUM *src)
    {
        if (src == NULL)
            return 1;
        *dst = BN_dup(src);
        return *dst != NULL;
    }

    RSA *RsaKeyCopy(const RSA *CopyKey)
    {
        /* RSA_new() leaves every BIGNUM field NULL and sets references to 1;
         * the copy is a new object, so its reference count is not copied. */
        RSA *retValue = RSA_new();
        if (retValue == NULL)
            return NULL;

        /* The method pointer is shared by reference, the rest is copied by value. */
        retValue->pad     = CopyKey->pad;
        retValue->version = CopyKey->version;
        retValue->meth    = CopyKey->meth;
        retValue->flags   = CopyKey->flags;

        /* BN_copy() needs an existing destination BIGNUM, and the fields of a
         * fresh RSA are NULL, so BN_dup() is used to allocate each copy. */
        if (!dup_bn(&retValue->n, CopyKey->n) ||
            !dup_bn(&retValue->e, CopyKey->e) ||
            !dup_bn(&retValue->d, CopyKey->d) ||
            !dup_bn(&retValue->p, CopyKey->p) ||
            !dup_bn(&retValue->q, CopyKey->q) ||
            !dup_bn(&retValue->dmp1, CopyKey->dmp1) ||
            !dup_bn(&retValue->dmq1, CopyKey->dmq1) ||
            !dup_bn(&retValue->iqmp, CopyKey->iqmp)) {
            RSA_free(retValue);   /* do not leak the half-built copy */
            return NULL;
        }

        /* Deliberately not copied: bignum_data, the _method_mod_n/p/q Montgomery
         * caches (rebuilt on first use), blinding (RSA_blinding_on() sets it up
         * lazily when RSA_FLAG_BLINDING is set) and the CRYPTO_EX_DATA ex_data,
         * which includes a stack (let's hope OpenSSL does the trick without it).
         * Where the headers provide them, RSAPrivateKey_dup()/RSAPublicKey_dup()
         * copy the same numeric fields via a DER round trip, also without ex_data. */
        return retValue;
    }

My question is whether this should do a copy of the struct, or if there is something (important) missing.

Thanks in advance for the help!
_
Federico Sauter [EMAIL PROTECTED]
Software Entwicklung   Tel: +49 89 7465 4778
TESIS Sysware GmbH     Fax: +49 89 7465 4788
Implerstraße 26 * D-81371 München * Deutschland
REMOVE
REMOVE
What format is this PKCS7 signature in? (No, it's not PEM or DER)
Could someone tell me what format this PKCS7 signature is in, and how I can work with such a format using OpenSSL? Thanks!

- Bob

Attachment: MysteryPKCS7.bin (binary data)
RE: REMOVE
NO! You are NOT allowed to leave. You HAVE to stay. (sorry to the list members for the noise, but I couldna help maself)

-----Original Message-----
From: Sidney Fortes [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 2:30 PM
To: [EMAIL PROTECTED]
Subject: REMOVE

REMOVE
Re: Errors
At 09:16 04/06/02 -0600, you wrote:

> I have said this before in this group and I will repeat it. I see nothing that would stop a felon in prison from incorporating a company and getting a cert.

And she should be allowed to. The certificate will say that it was issued to that company. The certificate is entirely legitimate and should be trusted, because what it says is true: company X exists, and this certificate was issued to company X.

> The bottom line is that the theory is fine... but in practice I feel commercial CA's should be institutions that we already trust - like the local bank or law office.

I don't trust your local bank or law office. I don't even know who or where they are.

> In practice I think good works like this. Any cert that does not fire up a warning message from the windows machine running the browser would be considered good. This means that one can use any of many ways to load a good cert into the machine. Windows has a LOT of exploits. Security is only as strong as the weakest link. This means the end user is probably the biggest security weakness in most cases. Simply pop up a dialog that asks the user to download the cert you want as a prior step. Perhaps write a signed active-x control and use it to install your own cert. If the machine is vulnerable to a virus then one can use that hole to install a cert.

This is entirely true. The only browser that can really be trusted is one into which new certificates can never be installed and which refuses to connect to a site if the certificate can't be verified. Whether such a browser would be useful in the real world is another matter.
Re: zlib double free bug and openssl question.
Date sent: Tue, 4 Jun 2002 19:45:55 +0200
From: Lutz Jaenicke [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: zlib double free bug and openssl question.
Organization: BTU Cottbus, Allgemeine Elektrotechnik
Send reply to: [EMAIL PROTECTED]

I know of several public applications that use zlib with OpenSSL. Probably more that I don't know about. In general, anything that uses SSL enabled telnet can make use of the OpenSSL zlib feature.

Ken

> On Mon, Jun 03, 2002 at 04:01:38PM -0400, Lenny Miceli wrote:
> > I've tried to search the archives/bug reports/faq's and didn't find any definitive answers on the zlib Double Free Bug CERT's Advisory CA-2002-07 issue. Does openssl v0.9.6b or above have this issue? I know if you do a strings on libcrypto.a you find zlib a lot, so I assume somehow the zlib library is used in crypto/comp/c_zlib.c or somewhere. Thanks for any help you can give me.
>
> If not explicitly selected, OpenSSL is not compiled with zlib-support. And even if it would be compiled in, it won't be used by default, unless an application enables it. I am not aware of any publicly available application using zlib functionality inside OpenSSL.
>
> Best regards,
> Lutz
> --
> Lutz Jaenicke [EMAIL PROTECTED]
> http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> BTU Cottbus, Allgemeine Elektrotechnik
> Universitaetsplatz 3-4, D-03044 Cottbus

Support InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED] http://www.securenetterm.com
Re: Re: Errors
Greetings

I did not get this piece of line..

> This is entirely true. The only browser that can really be trusted is one into which new certificates can never be installed and which refuses to connect to a site if the certificate can't be verified.

?? what does this mean ?? then how will the certificates be installed (Please don't mind, I am new and weak in concepts)

> Whether such a browser would be useful in the real world is another matter.
Re: rsa_st copy function
Federico,

You can either encode and decode CopyKey (i.e., call i2d followed by d2i) or increment the rsa_st's references element using CRYPTO_add. For example:

    CRYPTO_add (&CopyKey->references, 1, CRYPTO_LOCK_RSA);

See crypto/threads/mttest.c for setting up mutexes for a multithreaded application.

Frank

Message History
From: Federico Sauter [EMAIL PROTECTED]@openssl.org on 06/04/2002 04:17 PM ZE2
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: rsa_st copy function
Re: What format is this PKCS7 signature in? (No, it's not PEM or DER)
Try using dumpasn.

Paolo

> From: Bob Steele [EMAIL PROTECTED]
> Subject: What format is this PKCS7 signature in? (No, it's not PEM or DER)
> Date: Tue, 4 Jun 2002 11:45:10 -0700
>
> Could someone tell me what format this PKCS7 signature is in, and how I can work with such a format using OpenSSL? Thanks!
>
> - Bob
> MysteryPKCS7.bin

Paolo Rossi [EMAIL PROTECTED]
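A first probe for a blob whose encoding is unclear, as an added example that is not from the thread: before handing the file to dumpasn or openssl asn1parse, check whether it starts with a DER SEQUENCE whose length matches the file size, an indefinite-length BER SEQUENCE (0x30 0x80, which strict DER-only parsers reject even though the content is valid ASN.1), PEM armour, or bare base64. The sample buffers are constructed for the demo (SEQUENCE { INTEGER 5 } in four encodings); the classifier itself works on any byte buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

typedef enum {
    BLOB_EMPTY,
    BLOB_PEM,                  /* "-----BEGIN ...-----" armour around base64 */
    BLOB_DER_SEQUENCE,         /* 0x30 with a definite length spanning the whole buffer */
    BLOB_BER_INDEFINITE,       /* 0x30 0x80: indefinite length, terminated by 0x00 0x00 */
    BLOB_DER_LENGTH_MISMATCH,  /* 0x30 but the length disagrees with the buffer size */
    BLOB_BASE64,               /* bare base64 text, no PEM header */
    BLOB_UNKNOWN
} blob_kind;

/* Decode the length octets that follow a tag. Returns 1 and fills *hdr
 * (octets consumed) and *val (content length) for a definite length,
 * -1 for the indefinite form (0x80), 0 when the encoding is malformed
 * or would not fit in size_t. */
static int read_length(const unsigned char *p, size_t avail, size_t *hdr, size_t *val)
{
    if (avail < 1)
        return 0;
    if (p[0] == 0x80)
        return -1;
    if (p[0] < 0x80) {                /* short form: one octet */
        *hdr = 1;
        *val = p[0];
        return 1;
    }
    size_t n = p[0] & 0x7f;           /* long form: n length octets follow */
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n)
        return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | p[1 + i];
    *hdr = 1 + n;
    *val = v;
    return 1;
}

/* Accepts only base64 symbols plus line breaks, with a symbol count that
 * is a non-zero multiple of four (padding included). */
static int looks_like_base64(const unsigned char *p, size_t len)
{
    size_t symbols = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = p[i];
        if (isalnum(c) || c == '+' || c == '/' || c == '=')
            symbols++;
        else if (c != '\r' && c != '\n')
            return 0;
    }
    return symbols >= 4 && symbols % 4 == 0;
}

blob_kind classify_blob(const unsigned char *buf, size_t len)
{
    if (len == 0)
        return BLOB_EMPTY;
    if (len >= 11 && memcmp(buf, "-----BEGIN ", 11) == 0)
        return BLOB_PEM;
    if (buf[0] == 0x30) {             /* ASN.1 SEQUENCE: a PKCS#7 ContentInfo starts here */
        size_t hdr, val;
        int r = read_length(buf + 1, len - 1, &hdr, &val);
        if (r == -1)
            return BLOB_BER_INDEFINITE;
        if (r == 1 && 1 + hdr + val == len)
            return BLOB_DER_SEQUENCE;
        return BLOB_DER_LENGTH_MISMATCH;   /* truncated, or trailing data after the SEQUENCE */
    }
    if (looks_like_base64(buf, len))
        return BLOB_BASE64;
    return BLOB_UNKNOWN;
}

int main(void)
{
    /* Constructed samples: SEQUENCE { INTEGER 5 } in four encodings. */
    static const unsigned char der[] = {0x30, 0x03, 0x02, 0x01, 0x05};
    static const unsigned char ber[] = {0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00};
    static const char pem[] = "-----BEGIN PKCS7-----\nMAMCAQU=\n-----END PKCS7-----\n";
    static const char b64[] = "MAMCAQU=\n";
    static const char *names[] = {"empty", "PEM", "DER SEQUENCE", "BER indefinite",
                                  "DER length mismatch", "base64", "unknown"};
    printf("der: %s\n", names[classify_blob(der, sizeof der)]);
    printf("ber: %s\n", names[classify_blob(ber, sizeof ber)]);
    printf("pem: %s\n", names[classify_blob((const unsigned char *)pem, sizeof pem - 1)]);
    printf("b64: %s\n", names[classify_blob((const unsigned char *)b64, sizeof b64 - 1)]);
    return 0;
}
```

A BER_INDEFINITE or DER_LENGTH_MISMATCH verdict is the common answer to "it's not PEM or DER": the bytes are ASN.1, but either the outer length is indefinite (PKCS#7 from streaming signers often is) or something was appended or cut off, and a strict DER parser refuses it.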
Anyone used OC4J with OpenSSL certs?
[Oracle Container for Java is a Java web server, similar to Tomcat]

This is probably more of an oc4j question, but it deals with cryptography/OpenSSL so I was hoping for some input from folks who may have encountered this. If nothing else, it will be nice to have in the archives for those who use OpenSSL in lieu of other tools. [BTW, many thanks to the OpenSSL dev team--very straightforward and functional.]

I'm working on an intranet that will use SSL/Client certs for certain authentications. I've set up our own CA using OpenSSL, and have successfully issued server and client certs that work via IIS and Apache (mod_ssl). We've made SSL work on a development workstation via OC4j using a Thawte test cert. However, we can't get our OpenSSL CA certs to work.

We have successfully imported our CA root into his cacerts file using the java keytool. However when you hit the OC4J site, the browser has no certificates to choose from in the Client Authentication box. Again, I've made the same certificates work in IIS and Apache. My hunch is that oc4j is not picking up our custom CA (even though keytool -list on the cacerts keystore lists us right alongside thawte, verisign, etc) so the browser has no legitimate client certs to choose from (this is the way it works, isn't it?).

The second problem is that I can't seem to get OC4j to like a web server SSL key I've generated and signed with our own CA. After importing using keytool, a keytool list only shows the imported key as trustedCertEntry and not a keyEntry.

Thanks for any and all input.

-Mike
Naina announce (was: [ANNOUNCE] OpenSSL 0.9.1 beta 1 released)
hi list,

Naina library may be considered an ASN.1 test; it handles some Secure Electronic Transactions messages.

http://www.unity.net/~vf/naina_r1.tgz

It works with 0.9.7-beta-1, on linux, gcc 2.9.5

It could be great to include SET-specific objects into openssl; patch is there inside

regards,
Vadim

On Sun, Jun 02, 2002 at 11:46:25PM +0200, Lutz Jaenicke wrote:

> The first beta release of OpenSSL 0.9.7 is now available from the OpenSSL FTP site URL: ftp://ftp.openssl.org/source/. Quite a lot of code changed between the 0.9.6 release and the 0.9.7 release, so a series of 3 or 4 beta releases is planned before the final release. To make sure that it will work correctly, please test this version (especially on less common platforms), and report any problems to [EMAIL PROTECTED]. Application developers that use OpenSSL to provide cryptographic routines or SSL/TLS support are kindly requested to test their software against this new release to make sure that necessary adaptations can be made.
>
> Changes between 0.9.6x and 0.9.7 include:
>
>   o New library section OCSP.
>   o Complete rewrite of ASN1 code.
>   o CRL checking in verify code and openssl utility.
>   o Extension copying in 'ca' utility.
>   o Flexible display options in 'ca' utility.
>   o Provisional support for international characters with UTF8.
>   o Support for external crypto devices ('engine') is no longer a separate distribution.
>   o New elliptic curve library section.
>   o New AES (Rijndael) library section.
>   o Change DES API to clean up the namespace (some applications link also against libdes providing similar functions having the same name). Provide macros for backward compatibility (will be removed in the future).
>   o Unify handling of cryptographic algorithms (software and engine) to be available via EVP routines for asymmetric and symmetric ciphers.
>   o NCONF: new configuration handling routines.
>   o Change API to use more 'const' modifiers to improve error checking and help optimizers.
>   o Finally remove references to RSAref.
>   o Reworked parts of the BIGNUM code.
>   o Support for new engines: Broadcom ubsec, Accelerated Encryption Processing, IBM 4758.
>   o PRNG: query at more locations for a random device, automatic query for EGD style random sources at several locations.
>   o SSL/TLS: allow optional cipher choice according to server's preference.
>   o SSL/TLS: allow server to explicitly set new session ids.
>   o SSL/TLS: support Kerberos cipher suites (RFC2712).
>   o SSL/TLS: allow more precise control of renegotiations and sessions.
>   o SSL/TLS: add callback to retrieve SSL/TLS messages.
>   o SSL/TLS: add draft AES ciphersuites (disabled unless explicitly requested).
>
> --
> Lutz Jaenicke [EMAIL PROTECTED]
> OpenSSL Project http://www.openssl.org/~jaenicke/
> __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
strange error SSL_ERROR_SSL
Hi,

I'm trying to add SSL-support to my application. What I'm doing is basically this:

init (same for client and server):

    SSL_library_init();
    SSL_load_error_strings();
    bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    meth = SSLv23_method();
    ctx = SSL_CTX_new(meth);

Client:

    socket_h_to = connect(...);
    ssl_h_to = SSL_new(ctx);
    sbio = BIO_new_socket(socket_h_to, BIO_NOCLOSE);
    SSL_set_bio(ssl_h_to, sbio, sbio);
    int dummy = SSL_connect(ssl_h_to);
    if (dummy <= 0) {
        log(LOG_INFO, "do_http_request(): problem starting SSL connection %d",
            SSL_get_error(ssl_h_to, dummy));
    }

dummy gets <= 0 and the logging tells me an error 1 (SSL_ERROR_SSL) occurred.

server:

    socket_h_from = accept(...);   // and fork
    sbio = BIO_new_socket(socket_h_from, BIO_NOCLOSE);
    ssl_h_to = SSL_new(cpnt->ctx);
    SSL_set_bio(ssl_h_to, sbio, sbio);
    if (SSL_accept(ssl_h_to) <= 0) {
        // log error
    }

The return value is <= 0 here too, and the logging tells me an error 1 (SSL_ERROR_SSL) occurred.

Anyone who knows what I'm doing wrong here?