Few general questions
Title: Few general questions Is it possible to do gather writes with OpenSSL? For example, instead of SSL_write(), is there something like SSL_writev()? When doing SSL_read(), the bytes read have already been unencrypted. Is there a way to figure out how much data was read before decrypting? Similarly, is there a way to figure out how much data is written out with SSL_write() after encrypting? I want to keep track of bytes being transferred over the wire, but the numbers I have now are pre-encryption and post-decryption so it is not an accurate number. Has anybody used OpenSSL on Windows, but with Windows native Async I/O? I'm currently using SSL_read() and SSL_write(), so I can't take advantage of true async i/o. Instead, I've created my own by using my own thread pool and select. But I'd like to use native async i/o cuz it's much faster. Thanks, Ed
making and signing new certificates
Eric Meyer [EMAIL PROTECTED] wrote:--HiEric Yes, You are right, the openssl documents are not well detailed and, in some cases, out-to-date; also sometimes, ,just like you, I feel a little confused an desperate but this makes you self learning about the library (crypto lib,in my particular case).So, I recommends you some really useful links: http://www.columbia.edu/~ariel/ssleay/- the base library, I think http://www2.psy.uq.edu.au/~ftp/Crypto/- some FAQ's http://www2.psy.uq.edu.au/~ftp/Crypto/ssl.html-Programmer reference http://www.opensslbook.com/code.html And of course this mailing list .. There are some recommendations and security standars to verify a CSR, to create and sign a new certificate, you must read them and select the proper according to your needs and/or to your system or organization policies. Follows my certification process protocol: X509 *x=NULL, *xreq=NULL, **b=NULL;X509_REQ *req=NULL, **sr=NULL;ASN1_GENERALIZEDTIME *N_after_gmt=NULL, **out_asn=NULL;BIO *in=NULL, *incer=NULL, *buf=NULL; - Receive the CSR (in my case by socket connection) or read this froma file. - Decode the CSR: buf = BIO_new (BIO_s_mem()); in = BIO_new_mem_buf(mensaje, strlen(mensaje));req = PEM_read_bio_X509_REQ(in, sr, NULL, NULL); - Retrieve and Decode the signer cert: incer = BIO_new_mem_buf(cert, strlen((const char*)cert));x = PEM_read_bio_X509(incer, b, NULL, NULL); - verify the CSR with the signer pubkey: if (X509_REQ_verify (req, X509_get_pubkey(x)) != 1){//Error code } - Create and fillthe new cert: xreq = X509_new(); X509_set_version(xreq,VERSION);ASN1_INTEGER_set(X509_get_serialNumber(xreq), num_serie);X509_gmtime_adj(X509_get_notBefore(xreq),0);X509_gmtime_adj(X509_get_notAfter(xreq),(long)60*60*24*DAYS);X509_set_issuer_name(xreq,"CA_subject"); X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "CN", MBSTRING_ASC, "The Common Name", -1, -1, 0);X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "OU", MBSTRING_ASC, "The OU", -1, -1, 0);X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "O", MBSTRING_ASC,"The ORG", -1, -1, 0);X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "C", MBSTRING_ASC, "The country", -1, -1, 0); // The client public key X509_set_pubkey(xreq, X509_REQ_get_pubkey(req)); // X509v3 Extensionsres=add_ext(xac, xreq, NID_basic_constraints, "your options");res=add_ext(xac, xreq, NID_key_usage, "your optionskey usage");res=add_ext(xac, xreq, NID_ext_key_usage, "the extend key usage");res=add_ext(xac, xreq, NID_subject_key_identifier, "Your choice");res=add_ext(xac, xreq, NID_authority_key_identifier, "your choice");res=add_ext(xac, xreq, NID_issuer_alt_name, "some stuff");res=add_ext(xac, xreq, NID_netscape_cert_type, "some stuff");res=add_ext(xac, xreq, NID_netscape_comment, "some stuff"); //signing the new certX509_sign (xreq, dec_key_ac, EVP_sha1()); // write out in some format (PEM or DER) res = PEM_write_bio_X509(buf, xreq); This is a wide vision of my CertSign protocol, there are some things that are not mentioned here like the CDP (CRL Distribution Point), a suitable guideline is the PKI Forum and the IETF PKI Work group. Hope this helps Best regards ZainosDo You Yahoo!? Yahoo! Net: La mejor conexión a internet y 25MB extra a tu correo por $100 al mes.
making and signing new certificates
Eric Meyer [EMAIL PROTECTED] wrote:--HiEric Yes, You are right, the openssl documents are not well detailed and, in some cases, out-to-date; also sometimes, ,just like you, I feel a little confused an desperate but this makes you self learning about the library (crypto lib,in my particular case).So, I recommends you some really useful links: http://www.columbia.edu/~ariel/ssleay/- the base library, I think http://www2.psy.uq.edu.au/~ftp/Crypto/- some FAQ's http://www2.psy.uq.edu.au/~ftp/Crypto/ssl.html-Programmer reference http://www.opensslbook.com/code.html And of course this mailing list .. There are some recommendations and security standars to verify a CSR, to create and sign a new certificate, you must read them and select the proper according to your needs and/or to your system or organization policies. Follows my certification process protocol: X509 *x=NULL, *xreq=NULL, **b=NULL;X509_REQ *req=NULL, **sr=NULL;ASN1_GENERALIZEDTIME *N_after_gmt=NULL, **out_asn=NULL;BIO *in=NULL, *incer=NULL, *buf=NULL; - Receive the CSR (in my case by socket connection) or read this froma file. - Decode the CSR: buf = BIO_new (BIO_s_mem()); in = BIO_new_mem_buf(mensaje, strlen(mensaje));req = PEM_read_bio_X509_REQ(in, sr, NULL, NULL); - Retrieve and Decode the signer cert: incer = BIO_new_mem_buf(cert, strlen((const char*)cert));x = PEM_read_bio_X509(incer, b, NULL, NULL); - verify the CSR with the signer pubkey: if (X509_REQ_verify (req, X509_get_pubkey(x)) != 1){//Error code } - Create and fillthe new cert: xreq = X509_new(); X509_set_version(xreq,VERSION);ASN1_INTEGER_set(X509_get_serialNumber(xreq), num_serie);X509_gmtime_adj(X509_get_notBefore(xreq),0);X509_gmtime_adj(X509_get_notAfter(xreq),(long)60*60*24*DAYS);X509_set_issuer_name(xreq,"CA_subject"); X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "CN", MBSTRING_ASC, "The Common Name", -1, -1, 0);X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "OU", MBSTRING_ASC, "The OU", -1, -1, 0);X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "O", MBSTRING_ASC,"The ORG", -1, -1, 0);X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), "C", MBSTRING_ASC, "The country", -1, -1, 0); // The client public key X509_set_pubkey(xreq, X509_REQ_get_pubkey(req)); // X509v3 Extensionsres=add_ext(xac, xreq, NID_basic_constraints, "your options");res=add_ext(xac, xreq, NID_key_usage, "your optionskey usage");res=add_ext(xac, xreq, NID_ext_key_usage, "the extend key usage");res=add_ext(xac, xreq, NID_subject_key_identifier, "Your choice");res=add_ext(xac, xreq, NID_authority_key_identifier, "your choice");res=add_ext(xac, xreq, NID_issuer_alt_name, "some stuff");res=add_ext(xac, xreq, NID_netscape_cert_type, "some stuff");res=add_ext(xac, xreq, NID_netscape_comment, "some stuff"); //signing the new certX509_sign (xreq, dec_key_ac, EVP_sha1()); // write out in some format (PEM or DER) res = PEM_write_bio_X509(buf, xreq); This is a wide vision of my CertSign protocol, there are some things that are not mentioned here like the CDP (CRL Distribution Point), a suitable guideline is the PKI Forum and the IETF PKI Work group. Hope this helps Best regards ZainosDo You Yahoo!? Yahoo! Net: La mejor conexión a internet y 25MB extra a tu correo por $100 al mes.
RE: Few general questions
Is it possible to do gather writes with OpenSSL? For example, instead of SSL_write(), is there something like SSL_writev()? No. If you're going to use SSL_write, you should gather the data into your own buffer first. When doing SSL_read(), the bytes read have already been unencrypted. Is there a way to figure out how much data was read before decrypting? Similarly, is there a way to figure out how much data is written out with SSL_write() after encrypting? I want to keep track of bytes being transferred over the wire, but the numbers I have now are pre-encryption and post-decryption so it is not an accurate number. Use bio pairs and do the network I/O yourself. You can then keep track of the number of bytes sent and received. Has anybody used OpenSSL on Windows, but with Windows native Async I/O? Definitely. I'm currently using SSL_read() and SSL_write(), so I can't take advantage of true async i/o. Shame on you. ;) Instead, I've created my own by using my own thread pool and select. But I'd like to use native async i/o cuz it's much faster. Again, bio pairs. DS __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SSH Hangs
I've configured 2 servers to communicate via on demand dial-up PPP links. telnet, http, ping, etc work fine but ssh hangs. The minute I execute the ssh command the modem dials but ssh hangs forever. On top of that pppd terminates and dials back due to inactivity. Apparently from the keepalive probes. [EMAIL PROTECTED] openssh-3.9p1]$ /usr/local/bin/ssh -1Cvvv [EMAIL PROTECTED] OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003 debug1: Reading configuration data /usr/local/etc/ssh_config debug2: ssh_connect: needpriv 0 debug1: Connecting to 192.168.5.2 [192.168.5.2] port 22. debug1: Connection established. debug1: identity file /usr/local/tomcat/.ssh/identity type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8p1 debug1: match: OpenSSH_3.8p1 pat OpenSSH* debug1: Local version string SSH-1.5-OpenSSH_3.9p1 debug2: fd 3 setting O_NONBLOCK debug1: Waiting for server public key. Really weird __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Few general questions
So to use native windows async i/o, I need to do the I/O myself (using bio pairs). Then I assume there is an easy way to figure out the ciphers and things agreed upon during the ssl handshake? Is this stuff readily available in the SSL object? At the risk of sounding lazy, what API's do I need to use to determine this info? :) Thanks, Ed -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Schwartz Sent: Thursday, September 02, 2004 12:47 PM To: [EMAIL PROTECTED] Subject: RE: Few general questions Is it possible to do gather writes with OpenSSL? For example, instead of SSL_write(), is there something like SSL_writev()? No. If you're going to use SSL_write, you should gather the data into your own buffer first. When doing SSL_read(), the bytes read have already been unencrypted. Is there a way to figure out how much data was read before decrypting? Similarly, is there a way to figure out how much data is written out with SSL_write() after encrypting? I want to keep track of bytes being transferred over the wire, but the numbers I have now are pre-encryption and post-decryption so it is not an accurate number. Use bio pairs and do the network I/O yourself. You can then keep track of the number of bytes sent and received. Has anybody used OpenSSL on Windows, but with Windows native Async I/O? Definitely. I'm currently using SSL_read() and SSL_write(), so I can't take advantage of true async i/o. Shame on you. ;) Instead, I've created my own by using my own thread pool and select. But I'd like to use native async i/o cuz it's much faster. Again, bio pairs. DS __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: making and signing new certificates
Carlos, Thank you very much for the links. The link http://www2.psy.uq.edu.au/~ftp/Crypto/certs.html is exactly what I was looking for. Thanks again Eric On Sep 2, 2004, at 11:36 AM, Carlos Roberto Zainos H wrote: Eric Meyer [EMAIL PROTECTED] wrote:-- Hi Eric Yes, You are right, the openssl documents are not well detailed and, in some cases, out-to-date; also sometimes, ,just like you, I feel a little confused an desperate but this makes you self learning about the library (crypto lib,in my particular case). So, I recommends you some really useful links: http://www.columbia.edu/~ariel/ssleay/ - the base library, I think http://www2.psy.uq.edu.au/~ftp/Crypto/ - some FAQ's http://www2.psy.uq.edu.au/~ftp/Crypto/ssl.html -Programmer reference http://www.opensslbook.com/code.html And of course this mailing list .. There are some recommendations and security standars to verify a CSR, to create and sign a new certificate, you must read them and select the proper according to your needs and/or to your system or organization policies. Follows my certification process protocol: X509 *x=NULL, *xreq=NULL, **b=NULL; X509_REQ *req=NULL, **sr=NULL; ASN1_GENERALIZEDTIME *N_after_gmt=NULL, **out_asn=NULL; BIO *in=NULL, *incer=NULL, *buf=NULL; - Receive the CSR (in my case by socket connection) or read this from a file. - Decode the CSR: buf = BIO_new (BIO_s_mem()); in = BIO_new_mem_buf(mensaje, strlen(mensaje)); req = PEM_read_bio_X509_REQ(in, sr, NULL, NULL); - Retrieve and Decode the signer cert: incer = BIO_new_mem_buf(cert, strlen((const char*)cert)); x = PEM_read_bio_X509(incer, b, NULL, NULL); - verify the CSR with the signer pubkey: if (X509_REQ_verify (req, X509_get_pubkey(x)) != 1) { // Error code } - Create and fill the new cert: xreq = X509_new(); X509_set_version(xreq,VERSION); ASN1_INTEGER_set(X509_get_serialNumber(xreq), num_serie); X509_gmtime_adj(X509_get_notBefore(xreq),0); X509_gmtime_adj(X509_get_notAfter(xreq),(long)60*60*24*DAYS); X509_set_issuer_name(xreq,CA_subject); X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), CN, MBSTRING_ASC, The Common Name, -1, -1, 0); X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), OU, MBSTRING_ASC, The OU, -1, -1, 0); X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), O, MBSTRING_ASC,The ORG, -1, -1, 0); X509_NAME_add_entry_by_txt(X509_get_subject_name(xreq), C, MBSTRING_ASC, The country, -1, -1, 0); // The client public key X509_set_pubkey(xreq, X509_REQ_get_pubkey(req)); // X509v3 Extensions res=add_ext(xac, xreq, NID_basic_constraints, your options); res=add_ext(xac, xreq, NID_key_usage, your options key usage); res=add_ext(xac, xreq, NID_ext_key_usage, the extend key usage); res=add_ext(xac, xreq, NID_subject_key_identifier, Your choice); res=add_ext(xac, xreq, NID_authority_key_identifier, your choice); res=add_ext(xac, xreq, NID_issuer_alt_name, some stuff ); res=add_ext(xac, xreq, NID_netscape_cert_type, some stuff); res=add_ext(xac, xreq, NID_netscape_comment, some stuff); / / signing the new cert X509_sign (xreq, dec_key_ac, EVP_sha1()); // write out in some format (PEM or DER) res = PEM_write_bio_X509(buf, xreq); This is a wide vision of my CertSign protocol, there are some things that are not mentioned here like the CDP (CRL Distribution Point), a suitable guideline is the PKI Forum and the IETF PKI Work group. Hope this helps Best regards Zainos Do You Yahoo!? Yahoo! Net: La mejor conexión a internet y 25MB extra a tu correo por $100 al mes. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Few general questions
So to use native windows async i/o, I need to do the I/O myself (using bio pairs). Then I assume there is an easy way to figure out the ciphers and things agreed upon during the ssl handshake? Is this stuff readily available in the SSL object? At the risk of sounding lazy, what API's do I need to use to determine this info? :) Yes, you do the I/O yourself. And you can get any information you want once the handshake is complete. There is example code in the 'openssl' application source. For the very lazy: SSL_is_init_finished SSL_get_current_cipher SSL_CIPHER_get_bits SSL_get_version SSL_CIPHER_get_name SSL_CIPHER_get_version SSL_get_peer_certificate SSL_get_finished SSL_get_peer_finsihed And so on. One tip about working with BIO pairs -- totally forget that input has anything to do with output! Just think -- there are four things I need to do: 1) If my application needs to send any unencrypted data, I need to get it to OpenSSL 2) If OpenSSL comes up with any decrypted output, I need to get it to my application 3) If OpenSSL wants to send any encrypted data, I have to give it to the socket 4) If the socket received any encrypted data, I have to give it to OpenSSL But do not assume any connection between these things. They're just four different things you need to do. Do not ever, for example, assume that OpenSSL will have decrypted data for you just because you sent it encrypted data or that OpenSSL can't possibly have any encypted data to send because you haven't sent it any plaintext. (Though, of course, it's rational to check for decrypted data after you hand OpenSSL encypted data. However, this is not the only time you should check. One simple technique is to always check for any way to make forward progress before giving up.) DS __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]