Re: RSA public key
Hi, thanks for the help, I havn't got it to work yet though. One question. The RFC states An RSA encrypted value is encoded with PKCS #1 block type 2 as described in [PKCS1]. should I use d2i_X509 for that? thanks! From: Tan Eng Ten [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: RSA public key Date: Tue, 07 Sep 2004 13:46:56 +0800 Vadym Fedyukovych wrote: Tan Eng Ten wrote: If you have the cert buffer in ASN1 DER encoding, why don't you just use the d2i function like this: - unsigned char *ptr; X509 *x509; EVP_PKEY *pubkey; ptr = cert; I think there should be x509 = NULL; before x509 = d2i_X509(x509, ptr, cert_len); pubkey = X509_get_pubkey(x509); - There is an RSA object encapsulated in EVP_PKEY, but I am unsure if we should access it directly or must we get a handle through the function EVP_PKEY_get1_RSA(). Anyone can help out? Niklas Olsson wrote: Hi, thanks for the reply. I have two questions. The first: Is PEM and ASN1 two different formats on how to represent a certificate? because I think TLS v1.0 uses ASN1. I'm not certain I should use the PEM_* functions? the next question is about your code, I get a certificate from the server containing the public key, but you wrote PEM_read_bio_PrivateKey(mem_ptr, 0, 0, 0); should I use a PrivateKey function when I'm only after the public key (and when the certificate doesn't contain a private key) thanks! /Niklas From: Sid Hegde [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: RSA public key Date: Mon, 6 Sep 2004 04:27:11 -0700 (PDT) This is how I read a RSA key from a string buffer where private_key is char * terminated by a \0 RSA *pub_key=NULL; BIO *mem_ptr=NULL; EVP_PKEY *pkey = NULL; mem_ptr = BIO_new(BIO_s_mem()); BIO_puts(mem_ptr, private_key); pkey = PEM_read_bio_PrivateKey(mem_ptr, 0, 0, 0); pub_key = EVP_PKEY_get1_RSA(pkey); Hope this helps - Sid --- Niklas Olsson [EMAIL PROTECTED] wrote: Hi, I have been look through this mailing list to try to understand how to read the public key and encrypt my message. so far I think I should use PEM_read_bio_RSAPublicKey and RSA_public_encrypt I get the certificate in a buffer from the server (TLS - ServerHello message) I would think I should use BIO *in=NULL; in = BIO_new_mem_buf(cert, 1558); //cert if the buffer with the certifiate RSA *pKey=NULL; pKey = PEM_read_bio_RSAPublicKey(in,NULL, NULL, NULL); but pKey is always NULL, I thought maybe the in buffer should only be the public key so I copied that only, but again I only get a pKey that is NULL. How am I supposed to read my certificate and get a correct RSA *pKey? thanks! _ Chat: Ha en fest på Habbo Hotel http://habbohotel.msn.se/habbo/sv/channelizer Checka in här! __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Do you Yahoo!? New and Improved Yahoo! Mail - Send 10MB messages! http://promotions.yahoo.com/new_mail __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] _ Chatt: Träffa nya nätkompisar på Habbo Hotel http://habbohotel.msn.se/habbo/sv/channelizer __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] g __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] _ Lättare att hitta drömresan med MSN Resor http://www.msn.se/resor/ __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Mobile Phones
I'm not familiar with that product. I mainly use OpenSSL in conjunction with Apache Web Server. You could join the list at http://www.openssl.organd ask your question there. Additional info on ssl is available at -Original Message-From: Guilherme G. Rafare / IN3 Technologies S.A. [mailto:[EMAIL PROTECTED]Sent: Monday, September 06, 2004 6:44 PMTo: [EMAIL PROTECTED]Subject: Mobile PhonesImportance: High Hi, Sorry to trouble you. We are planning to implement OpenSSL in one of wireless data projects for mobile phones, using BREW (mainly C/C++). Do you know where we can find a detailed message flow and protocol, including the use of the encryption algorithms in each piece? We would really appreciateany input. Thanks and regards. GR Um abraço // Best regards, Guilherme G. Rafare Diretor Gerente // Managing Director IN3 Technologies S.A.http://www.in3.com.br MadGam.com http://www.madgam.com e-mail: [EMAIL PROTECTED] ICQ: 163.046.989 MSN:[EMAIL PROTECTED] Yahoo Msgr: guilhermerafare Skype: guilhermerafare===As informações transmitidas nesta mensagem e nos seus arquivos anexos, bem como nas mensagens posteriores ou anteriores que podem compor esta seqüência de mensagens (em conjunto Informações) são privilegiadas e/ou confidenciais e para conhecimento exclusivo da empresa destinatária, suas afiliadas, seus funcionários e demais pessoas por ela autorizadas (em conjunto Empresa), estando regulada pelas leis aplicáveis e/ou por documentos de sigilo ou de confidencialidade em vigor entre a IN3 Technologies S/A (IN3) e a Empresa. São vedadas, quando não expressa e previamente autorizados por escrito pela IN3, o uso, a impressão, a divulgação ou a retransmissão das Informações a terceiros, estando o destinatário original, o agente facilitador, a Empresa e o receptor das Informações, sujeitos às penalidades e sanções legais aplicáveis. Caso você não esteja autorizado a receber esta mensagem ou a tenha recebido de forma não-autorizada ou não-intencional, solicitamos que você não leia, não copie, não imprima, não divulgue, não retransmita esta mensagem e não faça uso dos seus anexos, e destrua e apague imediatamente esta mensagem, seu conteúdo e os seus arquivos anexos, comunicando imediatamente o seu recebimento indevido ao seu remetente original ou para [EMAIL PROTECTED]. Comunicações eletrônicas não são seguras e sujeitas a alteração no seu conteúdo, portanto, a IN3 não se responsabiliza por qualquer dano causado, inclusive por vírus, na medida que a mesma trafegou por rede pública. ===
RE: Mobile Phones
Hi, Thanks. We need to implement OpenSSL on the BREW environment, it will probablycommunicate with Apache,and in order to accomplish that we would need some info, like protocols, flows and etc... to allow the exchange of messages. So, if you have any information that could be useful, I would really appreciate your help. Thanks GR -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Goehring, Chuck, RCI - San DiegoSent: Tuesday, September 07, 2004 12:37 PMTo: [EMAIL PROTECTED]Subject: RE: Mobile Phones I'm not familiar with that product. I mainly use OpenSSL in conjunction with Apache Web Server. You could join the list at http://www.openssl.organd ask your question there. Additional info on ssl is available at -Original Message-From: Guilherme G. Rafare / IN3 Technologies S.A. [mailto:[EMAIL PROTECTED]Sent: Monday, September 06, 2004 6:44 PMTo: [EMAIL PROTECTED]Subject: Mobile PhonesImportance: High Hi, Sorry to trouble you. We are planning to implement OpenSSL in one of wireless data projects for mobile phones, using BREW (mainly C/C++). Do you know where we can find a detailed message flow and protocol, including the use of the encryption algorithms in each piece? We would really appreciateany input. Thanks and regards. GR Um abraço // Best regards, Guilherme G. Rafare Diretor Gerente // Managing Director IN3 Technologies S.A.http://www.in3.com.br MadGam.com http://www.madgam.com e-mail: [EMAIL PROTECTED] ICQ: 163.046.989 MSN:[EMAIL PROTECTED] Yahoo Msgr: guilhermerafare Skype: guilhermerafare===As informações transmitidas nesta mensagem e nos seus arquivos anexos, bem como nas mensagens posteriores ou anteriores que podem compor esta seqüência de mensagens (em conjunto Informações) são privilegiadas e/ou confidenciais e para conhecimento exclusivo da empresa destinatária, suas afiliadas, seus funcionários e demais pessoas por ela autorizadas (em conjunto Empresa), estando regulada pelas leis aplicáveis e/ou por documentos de sigilo ou de confidencialidade em vigor entre a IN3 Technologies S/A (IN3) e a Empresa. São vedadas, quando não expressa e previamente autorizados por escrito pela IN3, o uso, a impressão, a divulgação ou a retransmissão das Informações a terceiros, estando o destinatário original, o agente facilitador, a Empresa e o receptor das Informações, sujeitos às penalidades e sanções legais aplicáveis. Caso você não esteja autorizado a receber esta mensagem ou a tenha recebido de forma não-autorizada ou não-intencional, solicitamos que você não leia, não copie, não imprima, não divulgue, não retransmita esta mensagem e não faça uso dos seus anexos, e destrua e apague imediatamente esta mensagem, seu conteúdo e os seus arquivos anexos, comunicando imediatamente o seu recebimento indevido ao seu remetente original ou para [EMAIL PROTECTED]. Comunicações eletrônicas não são seguras e sujeitas a alteração no seu conteúdo, portanto, a IN3 não se responsabiliza por qualquer dano causado, inclusive por vírus, na medida que a mesma trafegou por rede pública. ===
Re: storing PEM encoded certs in database
Hi I'm not an expert, but I think that could be some different depending on the DBMS and the driver connection being used. For example, I'm using Oracle DB 10g with ODBCbased client connection to the DB. I'm storing PEM certificates making a copy of it to a buffer and then storing it into the DB via INSERT with the apropiate convertions: unsigned char cert[2*1024];BIO *buf; buf = BIO_new (BIO_s_mem()); res = PEM_write_bio_X509(buf, xreq);//xreq is the X509 cert longitud = sizeof(cert);res = BIO_read(buf, cert, (int)longitud);cert[res]='\0';//executing the INSERT via exec_sql_comm(sentence) function, where sentence = "insert into certificados (estadocer,fechacaducidad,numserie,certificado) values ('V',to_date('%s','-MM-DD HH24:MI:SS'),'%i','%s')",fecha_cad, num_serie, cert)" Holpe this helps. ZainosSmith Baylor [EMAIL PROTECTED] wrote: Do You Yahoo!? Yahoo! Net: La mejor conexión a internet y 25MB extra a tu correo por $100 al mes.
Removing passphrase for Apache server
Hi, I sent a query last week about removing a passphrase from an Apache server I have set up with openssl-0.9.7d and compiled with the gcc compiler. I thought I'd provide a little more information. When I try to remove the passphrase, it says I need a minimum of 4 characters in the passphrase. Is this something in this version of openssl, as I don't remember having this requirement with earlier versions? I generated the key with $openssl genrsa -des3 -rand randfile1:randfile2:randfile3 1024 \ /usr/local/apache2/conf/ssl.key/server.key I made a copy of server.key to server.bak and then tried the following command to redo the passphrase and get the following: # /usr/local/ssl/bin/openssl rsa -in server.bak -out server.key Enter pass phrase for server.bak: 21202:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:847:You must type in 4 to 4095 characters Is there a way around this? Joe DeBattista UCSF, ITS INTERNET: [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: 3 des implementation - help needed
Title: 3 des implementation - help needed encryption key IV are only the state at start of encryption, this state evolves during encryption, so thatif you store only the key and IV at the beginning of first packet, youmust decrypt in same order as when you encrypted, this way the state evolves equivalently and it works Regards Armel - Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, September 07, 2004 2:13 PM Subject: RE: 3 des implementation - help needed Thanks. I have tried the same. And end up in same results, But if I decrypt buffers (sizes of 4352, 2048, 1024) in the same sequence as that of encryption. It is giving proper output. ( it is matching with the original buffer). What could be the reason? -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, September 07, 2004 1:56 PMTo: [EMAIL PROTECTED]Subject: Re: 3 des implementation - help needed Try p.s. out must be allocatedchar[(i_len+(8-i_len%8))] BOOL SSL_encrypt_key(EVP_CIPHER_CTX ctx, char *in, char *out, int i_len,int *o_len ){ int o_final_len; EVP_EncryptUpdate(ctx,out, o_len, in, i_len); EVP_EncryptFinal(ctx,out+*o_len, o_final_len); *o_len+=o_final_len; return SUCCESS; } BOOL SSL_decrypt_key(EVP_CIPHER_CTX ctx,char *in, char *out, int i_len,int *o_len){ int o_final_len; EVP_DecryptUpdate(ctx,out, o_len, in, i_len); EVP_DecryptFinal(ctx,out+*o_len, o_final_len); *o_len+=o_final_len; return SUCCESS; } Francesco Petruzzi [EMAIL PROTECTED] The information contained in this electronic message and any attachments (the "Message") is intended for one or more specific individuals or entities, and may be confidential, proprietary, privileged or otherwise protected by law. If you are not the intended recipient, please notify the sender immediately, delete this Message and do not disclose, distribute, or copy it to any third party or otherwise use this Message. Electronic messages are not secure or error free and can contain viruses or may be delayed, and the sender is not liable for any of these occurrences. The sender reserves the right to monitor, record and retain electronic messages.Le informazioni contenute in questo messaggio e gli eventuali allegati (il "Messaggio") si intendono inviate a uno o piú specifici destinatari. Il contenuto del Messaggio puó essere confidenziale, riservato e comunque protetto dalla legge applicabile. Se non siete i destinatari del Messaggio, siete pregati di informare immediatamente il mittente, cancellare questo Messaggio, non rivelarlo, non distribuirlo ne' inoltrarlo a terzi, non copiarlo né farne alcun uso. I messaggi di posta elettronica non sono sicuri e sono soggetti ad alterazioni, possono essere trasmettitori di Virus informatici o soggetti a ritardi nella distribuzione. Il mittente del Messaggio non puó essere in alcun modo considerato responsabile per queste evenienze. Il mittente si riserva il diritto di archiviare, ritenere e controllare i messaggi di posta elettronica. - Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, September 07, 2004 9:29 AM Subject: 3 des implementation - help needed Hi., I am planning to use 3 des implementation. I am encrypting the chunk of data (1024/2048/4352 bytes) with randomly generated keys and vectors. I have stored the keys and vectors in non volatile memory or a file. During decryption I have taken the key and vector from the file or non volatile memory. The first 8 bytes are overwritten. Means the decrypted data is not matching!!! In this case I am having two applications which are running independently. I have used EVP_des_ede3_cfb() cipher for encryption. I would like to know that apart from key and vector used for encryption do I need to store something else also for decryption? P.S: If I have a sample application in which decryption and encryption are not done, in that case Unencrypted data is matching with the original one!! Thanks., Sakthi S G Confidentiality Notice The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. If you are not the intended recipient, please notify the sender at Wipro or [EMAIL PROTECTED] immediately and destroy all copies of this message and any
Re: RSA public key
On Tue, Sep 07, 2004, Niklas Olsson wrote: Hi, thanks for the help, I havn't got it to work yet though. One question. The RFC states An RSA encrypted value is encoded with PKCS #1 block type 2 as described in [PKCS1]. should I use d2i_X509 for that? d2i_X509() is for DER format certificates only. RSA encrypted data should be just read in verbatim into a buffer. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Removing passphrase for Apache server
When I try this, it tells me that this isn't a option in my version. This was compiled on an AIX version 5.1 box. # /usr/local/ssl/bin/openssl rsa -in server.bak -out server.key -nodes unknown option -nodes Joe DeBattista UCSF, ITS INTERNET: [EMAIL PROTECTED] On Tue, 7 Sep 2004, Oliver Welter wrote: # /usr/local/ssl/bin/openssl rsa -in server.bak -out server.key Enter pass phrase for server.bak: 21202:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:847:You must type in 4 to 4095 characters Add -nodes to the command Oliver -- Diese Nachricht wurde digital unterschrieben oliwel's public key: http://www.oliwel.de/oliwel.crt Basiszertifikat: http://www.ldv.ei.tum.de/page72 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Removing passphrase for Apache server
hi Joe, Joe DeBattista wrote: When I try this, it tells me that this isn't a option in my version. This was compiled on an AIX version 5.1 box. # /usr/local/ssl/bin/openssl rsa -in server.bak -out server.key -nodes unknown option -nodes sorry my mistake - the nodes option is valid in req node only... I dont know Oliver -- Diese Nachricht wurde digital unterschrieben oliwel's public key: http://www.oliwel.de/oliwel.crt Basiszertifikat: http://www.ldv.ei.tum.de/page72 smime.p7s Description: S/MIME Cryptographic Signature
Re: RSA public key
maybe I have misunderstood but I havn't encrypted the data yet I'm trying to understand how to read my certificate so I can get the RSA *rsa to point to the public key in the certicate so I am able to encrypt my data. The certificate comes to me in a TLS serverhello message and I just want to encrypt the pre master key and send it back... thanks! RSA encrypted data should be just read in verbatim into a buffer. From: Niklas Olsson [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: RSA public key Date: Tue, 07 Sep 2004 17:33:30 +0200 Hi, thanks for the help, I havn't got it to work yet though. One question. The RFC states An RSA encrypted value is encoded with PKCS #1 block type 2 as described in [PKCS1]. should I use d2i_X509 for that? thanks! From: Tan Eng Ten [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: RSA public key Date: Tue, 07 Sep 2004 13:46:56 +0800 Vadym Fedyukovych wrote: Tan Eng Ten wrote: If you have the cert buffer in ASN1 DER encoding, why don't you just use the d2i function like this: - unsigned char *ptr; X509 *x509; EVP_PKEY *pubkey; ptr = cert; I think there should be x509 = NULL; before x509 = d2i_X509(x509, ptr, cert_len); pubkey = X509_get_pubkey(x509); - There is an RSA object encapsulated in EVP_PKEY, but I am unsure if we should access it directly or must we get a handle through the function EVP_PKEY_get1_RSA(). Anyone can help out? Niklas Olsson wrote: Hi, thanks for the reply. I have two questions. The first: Is PEM and ASN1 two different formats on how to represent a certificate? because I think TLS v1.0 uses ASN1. I'm not certain I should use the PEM_* functions? the next question is about your code, I get a certificate from the server containing the public key, but you wrote PEM_read_bio_PrivateKey(mem_ptr, 0, 0, 0); should I use a PrivateKey function when I'm only after the public key (and when the certificate doesn't contain a private key) thanks! /Niklas From: Sid Hegde [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: RSA public key Date: Mon, 6 Sep 2004 04:27:11 -0700 (PDT) This is how I read a RSA key from a string buffer where private_key is char * terminated by a \0 RSA *pub_key=NULL; BIO *mem_ptr=NULL; EVP_PKEY *pkey = NULL; mem_ptr = BIO_new(BIO_s_mem()); BIO_puts(mem_ptr, private_key); pkey = PEM_read_bio_PrivateKey(mem_ptr, 0, 0, 0); pub_key = EVP_PKEY_get1_RSA(pkey); Hope this helps - Sid --- Niklas Olsson [EMAIL PROTECTED] wrote: Hi, I have been look through this mailing list to try to understand how to read the public key and encrypt my message. so far I think I should use PEM_read_bio_RSAPublicKey and RSA_public_encrypt I get the certificate in a buffer from the server (TLS - ServerHello message) I would think I should use BIO *in=NULL; in = BIO_new_mem_buf(cert, 1558); //cert if the buffer with the certifiate RSA *pKey=NULL; pKey = PEM_read_bio_RSAPublicKey(in,NULL, NULL, NULL); but pKey is always NULL, I thought maybe the in buffer should only be the public key so I copied that only, but again I only get a pKey that is NULL. How am I supposed to read my certificate and get a correct RSA *pKey? thanks! _ Chat: Ha en fest på Habbo Hotel http://habbohotel.msn.se/habbo/sv/channelizer Checka in här! __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Do you Yahoo!? New and Improved Yahoo! Mail - Send 10MB messages! http://promotions.yahoo.com/new_mail __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] _ Chatt: Träffa nya nätkompisar på Habbo Hotel http://habbohotel.msn.se/habbo/sv/channelizer __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] g __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager
AW: How to create a certificate silently
Hello, I also have a little question, with this methode I can also send the passphase of the seckey of the CA?? The basic idea is great! Simply great and very useful. But how to make and secure the passphrase? thanks Stephan -Ursprungliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Auftrag von Charles B Cranston Gesendet: Freitag, 3. September 2004 21:00 An: [EMAIL PROTECTED] Betreff: Re: How to create a certificate silently If you're using Unix or another system that supports the Environment variables, you can write a fixed openssl conf file that references appropriate variables in appropriate places. If you don't have Environment you can still write a custom openssl conf file for each instance of signing. Lule Chen wrote: Hi, I use the openssl to create a self signed certificate, but it needs interactively input country name, province name, ... Common name. I am wondering if there is a way to do it silently, i.e. let it read those response from a configure file? Because I want to run the openssl command in a script and don't want user to input any thing. I badly need your help! Thanks, Louis -- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: AW: How to create a certificate silently
The issue of the passphrase is a little more subtle. Since on some Unix implementations anybody can see the contents of the environment of a process, it might not be a good idea to send secret things that way. What I do is to build a pipe from a program that creates and prints (to standard output) the passphrase, to the OpenSSL program, which is told to expect to read the passphrase on the pipe. Here's an example: # # PKEYTRAN # # Translate passphrase for private key # Prepare a private key for delivery by unencrypting with the # private key storage passphrase and optionally re-encrypting with # the passphrase given by the caller. sub pkeytran { my ($vault,$vkey,$openssl,$key,$outpass) = @_; # Arguments my ($pid, $error, $newkey); # Proc ID, err result strs { $^F = 99; # FORCE CLOSE-ON-WRITE OFF!!! pipe KDR,KDW; # Kid Decode Read/Write if ($outpass) { pipe KCR,KCW; # Kid Code Read/Write print KCW $outpass;# New passphrase to PE pipe close KCW; # Make EOF } } # Copy old passphrase from the vault into the KD pipe. if ( !perlfork(sub{ # Run in forked process close KDR;# Close parent's pipe end open STDOUT,'KDW'; # Bind std out to the KD pipe exec $vault,$vkey;# Send passphrase to KDW die Could not EXEC vault (pkeytran): $!; # NOT REACHED }) ) { htmlfail Could not FORK (pkeytran): $!; } close KDW; # Close kid's pipe end # Run OpenSSL rsa to change the passphrase pipe KIR,KIW;# Kid std Input Read/Write pipe KOR,KOW;# Kid std Output Read/Write pipe KER,KEW;# Kid std Error Read/Write if ( !($pid=perlfork(sub{# Run in forked process close KIW;# Close pipe end parent will use close KOR;# Close pipe end parent will use close KER;# Close pipe end parent will use open STDIN, 'KIR'; # Bind pipe to standard in open STDOUT,'KOW'; # Bind pipe to standard out open STDERR,'KEW'; # Bind pipe to standard err exec $openssl.' rsa -passin file:/dev/fd/'.fileno(KDR). ($outpass?' -des3 -passout file:/dev/fd/'.fileno(KCR):''); die Could not EXEC OpenSSL (trankey): $!; # NOT REACHED })) ) { htmlfail Could not FORK (pkeytran): $!; } close KDR; # Close pipe from vault if ($outpass) { close KCR;# Close pipe from here } close KIR; # Close pipe end used by kid close KOW; # Close pipe end used by kid close KEW; # Close pipe end used by kid print KIW $key; # Old key is input for OpenSSL close KIW; # Make EOF on the KI pipe read KER,$error,4096;# Read any errors from kid read KOR,$newkey,4096; # Read any output from kid waitpid($pid,0); # Wait for kid to terminate if ($?) {# If error in kid htmlfail OpenSSL rsa failed (pkeytran): $?\n.$error; } close KOR; # Close pipe from kid close KER; # Close pipe from kid return $newkey; # Return rekeyed private key } # pkeytran NOTE ** This code uses /dev/fd which may or may not be implemented in your version of Unix! If you don't want to use this way of doing it, you COULD write the passphrases to two files in /tmp and give the filenames as arguments in the 'exec $openssl call, but note that if more than one process may be doing this at any given time, you want to edit the process number into the filename, that NOBODY you don't want to read the passphrase can read those /tmp files, and that they get deleted really quick after they are used. In some other cases it may be possible to condition OpenSSL to read the pass phrase from standard input, which makes the pipe stuff a little easier, however, I was not able to make openssl rsa do this. There is a section in the FAQ/Readme about passing pass phrases. I condidered it WELL worth reading. When should I have broken down and just started writing C code that calls the library directly, or a Perl module to call the library directly, instead of trying to shoe-horn the existing main programs??? Webmaster wrote: Hello, I also have a little question, with this methode I can also send the passphase of the seckey of the CA?? The basic idea is great! Simply great and very useful. But how to make and secure the passphrase? thanks Stephan -Ursprungliche Nachricht-
Re: storing PEM encoded certs in database
Hi, I am using C as the programming language and MySQL as the db. unsigned char *cert_data; Instead of storing in PEM format directly, I am storing it in base64 format - I believe this is more safer - feel free to prove me otherwise. Once I store the cert_data value, I also pad this with '\0' - string terminator. I get something like this at the end of the encoding: TGZ3am0wTDNjeTN3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= ¡½Úø7HZm which the db insert or update commands don't like. /Shivaram - Original Message - From: Carlos Roberto Zainos H [EMAIL PROTECTED] Date: Tue, 7 Sep 2004 12:36:44 -0500 (CDT) Subject: Re: storing PEM encoded certs in database To: [EMAIL PROTECTED] Hi I'm not an expert, but I think that could be some different depending on the DBMS and the driver connection being used. For example, I'm using Oracle DB 10g with ODBC based client connection to the DB. I'm storing PEM certificates making a copy of it to a buffer and then storing it into the DB via INSERT with the apropiate convertions: unsigned char cert[2*1024]; BIO *buf; buf = BIO_new (BIO_s_mem()); res = PEM_write_bio_X509(buf, xreq);//xreq is the X509 cert longitud = sizeof(cert); res = BIO_read(buf, cert, (int)longitud); cert[res]='\0'; //executing the INSERT via exec_sql_comm(sentence) function, where sentence = insert into certificados (estadocer,fechacaducidad,numserie,certificado) values ('V',to_date('%s','-MM-DD HH24:MI:SS'),'%i','%s'),fecha_cad, num_serie, cert) Holpe this helps. Zainos Smith Baylor [EMAIL PROTECTED] wrote: Do You Yahoo!? Yahoo! Net: La mejor conexión a internet y 25MB extra a tu correo por $100 al mes. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: storing PEM encoded certs in database
I was also pointed to this document by an other member privately http://www.openssl.org/docs/crypto/d2i_X509.html and it did not help much --Smith On Tue, 7 Sep 2004 13:12:16 -0700, Smith Baylor [EMAIL PROTECTED] wrote: Hi, I am using C as the programming language and MySQL as the db. unsigned char *cert_data; Instead of storing in PEM format directly, I am storing it in base64 format - I believe this is more safer - feel free to prove me otherwise. Once I store the cert_data value, I also pad this with '\0' - string terminator. I get something like this at the end of the encoding: TGZ3am0wTDNjeTN3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= ¡½Úø7HZm which the db insert or update commands don't like. /Shivaram - Original Message - From: Carlos Roberto Zainos H [EMAIL PROTECTED] Date: Tue, 7 Sep 2004 12:36:44 -0500 (CDT) Subject: Re: storing PEM encoded certs in database To: [EMAIL PROTECTED] Hi I'm not an expert, but I think that could be some different depending on the DBMS and the driver connection being used. For example, I'm using Oracle DB 10g with ODBC based client connection to the DB. I'm storing PEM certificates making a copy of it to a buffer and then storing it into the DB via INSERT with the apropiate convertions: unsigned char cert[2*1024]; BIO *buf; buf = BIO_new (BIO_s_mem()); res = PEM_write_bio_X509(buf, xreq);//xreq is the X509 cert longitud = sizeof(cert); res = BIO_read(buf, cert, (int)longitud); cert[res]='\0'; //executing the INSERT via exec_sql_comm(sentence) function, where sentence = insert into certificados (estadocer,fechacaducidad,numserie,certificado) values ('V',to_date('%s','-MM-DD HH24:MI:SS'),'%i','%s'),fecha_cad, num_serie, cert) Holpe this helps. Zainos Smith Baylor [EMAIL PROTECTED] wrote: Do You Yahoo!? Yahoo! Net: La mejor conexión a internet y 25MB extra a tu correo por $100 al mes. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
openssl gprof
Hello, I want to use gprof with my openssl applications and I can get the spent time for the several openssl functions that I used in my application. I don't know how to compile my applications and neither how to execute gprof with my applications My application is simple, only I have a client and a server. The client connect with a server, everyone has a certificate; they do the handshake and select the apropiate cipher of the cipher list and the client send x bytes to the server. Then they close the connection. Thanks. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
DES-EDE3-CBC
Does someone know which 3DES algorithms openssl supports? As far as I know there are various possiblites to apply Tripple DES: with 2 keys with 3 keys Encryption Decryption Encryption (EDE) Encryption Encryption Encryption (EEE) thx. Karsten __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: DES-EDE3-CBC
Just type: man enc des-ede3-cbc Three key triple DES EDE in CBC mode des-ede3 Alias for des-ede3-cbc des3 Alias for des-ede3-cbc des-ede3-cfb Three key triple DES EDE CFB mode des-ede3-ofb Three key triple DES EDE in OFB mode [EMAIL PROTECTED] wrote: Does someone know which 3DES algorithms openssl supports? As far as I know there are various possiblites to apply Tripple DES: with 2 keys with 3 keys Encryption Decryption Encryption (EDE) Encryption Encryption Encryption (EEE) thx. Karsten __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: storing PEM encoded certs in database
The PEM format is already Base64. Also, your sample includes characters that are invalid for a Base64 encoded data, which is explicitly 7 bit safe, so would not include an accented character. It looks like your null byte is in the wrong place. It probably should have come after the = sign. Eric On Sep 7, 2004, at 1:12 PM, Smith Baylor wrote: Hi, I am using C as the programming language and MySQL as the db. unsigned char *cert_data; Instead of storing in PEM format directly, I am storing it in base64 format - I believe this is more safer - feel free to prove me otherwise. Once I store the cert_data value, I also pad this with '\0' - string terminator. I get something like this at the end of the encoding: TGZ3am0wTDNjeTN3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= 7HZm which the db insert or update commands don't like. /Shivaram - Original Message - From: Carlos Roberto Zainos H [EMAIL PROTECTED] Date: Tue, 7 Sep 2004 12:36:44 -0500 (CDT) Subject: Re: storing PEM encoded certs in database To: [EMAIL PROTECTED] Hi I'm not an expert, but I think that could be some different depending on the DBMS and the driver connection being used. For example, I'm using Oracle DB 10g with ODBC based client connection to the DB. I'm storing PEM certificates making a copy of it to a buffer and then storing it into the DB via INSERT with the apropiate convertions: unsigned char cert[2*1024]; BIO *buf; buf = BIO_new (BIO_s_mem()); res = PEM_write_bio_X509(buf, xreq);//xreq is the X509 cert longitud = sizeof(cert); res = BIO_read(buf, cert, (int)longitud); cert[res]='\0'; //executing the INSERT via exec_sql_comm(sentence) function, where sentence = insert into certificados (estadocer,fechacaducidad,numserie,certificado) values ('V',to_date('%s','-MM-DD HH24:MI:SS'),'%i','%s'),fecha_cad, num_serie, cert) Holpe this helps. Zainos Smith Baylor [EMAIL PROTECTED] wrote: Do You Yahoo!? Yahoo! Net: La mejor conexin a internet y 25MB extra a tu correo por $100 al mes. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Error during Cert Request
Im using the OpenSSL Certificate Authority to generate X.509 v3 certs for TLS Client Authentication. After creating the CA Root cert and the private key, I generate a certificate request and then issue the command to get it signed by the CA. At this point I get the following error: 780:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_li b.c:329:group=CA_default name=unique_subject Could anyone please help me understand what this refers to. Thank you! -Areg
Re: storing PEM encoded certs in database
This is the progam snippet: BIO *mbio; int bio_store_bytes; unsigned char *cert_data, *cert_data_ptr; unsigned char *cert_data_tmp; //create a read/write BIO mbio = BIO_new(BIO_s_mem()); //Assume x is of X509 type and is a result of X509_sign PEM_write_bio_X509(mbio, x); BIO_flush(mbio); bio_store_bytes = BIO_pending(mbio); BIO_get_mem_data(mbio, (unsigned char *)cert_data_tmp); cert_data_ptr = (unsigned char *) OPENSSL_malloc(bio_store_bytes + 1); /* for \0 */ if (cert_data_ptr != NULL) { cert_data = cert_data_ptr; strncpy(cert_data, cert_data_tmp, bio_store_bytes); for (i = (bio_store_bytes); i == strlen(cert_data_tmp); i++) { cert_data[i] = '\0'; } } BIO_free_all(mbio); I still see the garbage characters: ukOjszaLTZuAFA== -END CERTIFICATE- [EMAIL PROTECTED] --Smith On Tue, 07 Sep 2004 14:39:19 -0700, Eric Meyer [EMAIL PROTECTED] wrote: The PEM format is already Base64. Also, your sample includes characters that are invalid for a Base64 encoded data, which is explicitly 7 bit safe, so would not include an accented character. It looks like your null byte is in the wrong place. It probably should have come after the = sign. Eric On Sep 7, 2004, at 1:12 PM, Smith Baylor wrote: Hi, I am using C as the programming language and MySQL as the db. unsigned char *cert_data; Instead of storing in PEM format directly, I am storing it in base64 format - I believe this is more safer - feel free to prove me otherwise. Once I store the cert_data value, I also pad this with '\0' - string terminator. I get something like this at the end of the encoding: TGZ3am0wTDNjeTN3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= 7HZm which the db insert or update commands don't like. /Shivaram - Original Message - From: Carlos Roberto Zainos H [EMAIL PROTECTED] Date: Tue, 7 Sep 2004 12:36:44 -0500 (CDT) Subject: Re: storing PEM encoded certs in database To: [EMAIL PROTECTED] Hi I'm not an expert, but I think that could be some different depending on the DBMS and the driver connection being used. For example, I'm using Oracle DB 10g with ODBC based client connection to the DB. I'm storing PEM certificates making a copy of it to a buffer and then storing it into the DB via INSERT with the apropiate convertions: unsigned char cert[2*1024]; BIO *buf; buf = BIO_new (BIO_s_mem()); res = PEM_write_bio_X509(buf, xreq);//xreq is the X509 cert longitud = sizeof(cert); res = BIO_read(buf, cert, (int)longitud); cert[res]='\0'; //executing the INSERT via exec_sql_comm(sentence) function, where sentence = insert into certificados (estadocer,fechacaducidad,numserie,certificado) values ('V',to_date('%s','-MM-DD HH24:MI:SS'),'%i','%s'),fecha_cad, num_serie, cert) Holpe this helps. Zainos Smith Baylor [EMAIL PROTECTED] wrote: Do You Yahoo!? Yahoo! Net: La mejor conexin a internet y 25MB extra a tu correo por $100 al mes. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Removing passphrase for Apache server
Title: RE: Removing passphrase for Apache server If you notice carefully, the openssl rsa command is asking for the server.bak passphrase. Once you provide that passphrase (the one that you specified when using genrsa command), server.key will contain your un-passphrased private key. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Joe DeBattista Sent: Tuesday, September 07, 2004 10:53 AM To: [EMAIL PROTECTED] Subject: [BULK] - Removing passphrase for Apache server Hi, I sent a query last week about removing a passphrase from an Apache server I have set up with openssl-0.9.7d and compiled with the gcc compiler. I thought I'd provide a little more information. When I try to remove the passphrase, it says I need a minimum of 4 characters in the passphrase. Is this something in this version of openssl, as I don't remember having this requirement with earlier versions? I generated the key with $openssl genrsa -des3 -rand randfile1:randfile2:randfile3 1024 \ /usr/local/apache2/conf/ssl.key/server.key I made a copy of server.key to server.bak and then tried the following command to redo the passphrase and get the following: # /usr/local/ssl/bin/openssl rsa -in server.bak -out server.key Enter pass phrase for server.bak: 21202:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:847:You must type in 4 to 4095 characters Is there a way around this? Joe DeBattista UCSF, ITS INTERNET: [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: RSA public key
On Tue, Sep 07, 2004, Niklas Olsson wrote: maybe I have misunderstood but I havn't encrypted the data yet I'm trying to understand how to read my certificate so I can get the RSA *rsa to point to the public key in the certicate so I am able to encrypt my data. The certificate comes to me in a TLS serverhello message and I just want to encrypt the pre master key and send it back... Then d2i_X509() will get you an X509 structure and X509_get_pubkey() will produce an EVP_PKEY structure. From that you can call EVP_PKEY_get1_RSA() to retrieve the RSA structure containing the public key which you can use with the RSA_*() functions. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Mobile Phones
Guilherme, Sorry for the earlier post MS Outlook did not indicate your emailwas from the list. But I have here is what I would suggest.Others may have more info for you. Ok, I found out what BREW is. Since it is an operating system, you would need to build openssl for it like any other operating system. I don't know if it is supported so you will need to look at the code readme and docs of OpenSSL to see. If it is not supported, you will need to hunt for one, or port it yourself. Since Qualcom is pushing BREW, they may have a port of OpenSSL or some other implementation. That would save you the effort to build and/or port it. The source code will show you what ciphers are supported. The protocol (SSL https) was documented on Netscape's site, but I can't find it anymore.The handshake process and other details of ssl were covered in documents at the Netscape web site somewhere. TLS is the newer name for the standardized version of ssl. The O'Reilly book on OpenSSL is pretty good. For the low level stuff, there is a book on TLS but I don't remember the exact name - search for tls on amazon.com. There is a lot of docs with OpenSSL and mod_ssl in the Apache 2 source distribution. Chuck -Original Message-From: Guilherme G. Rafare / IN3 Technologies S.A. [mailto:[EMAIL PROTECTED]Sent: Monday, September 06, 2004 6:44 PMTo: [EMAIL PROTECTED]Subject: Mobile PhonesImportance: High Hi, Sorry to trouble you. We are planning to implement OpenSSL in one of wireless data projects for mobile phones, using BREW (mainly C/C++). Do you know where we can find a detailed message flow and protocol, including the use of the encryption algorithms in each piece? We would really appreciateany input. Thanks and regards. GR Um abraço // Best regards, Guilherme G. Rafare Diretor Gerente // Managing Director IN3 Technologies S.A.http://www.in3.com.br MadGam.com http://www.madgam.com e-mail: [EMAIL PROTECTED] ICQ: 163.046.989 MSN:[EMAIL PROTECTED] Yahoo Msgr: guilhermerafare Skype: guilhermerafare===As informações transmitidas nesta mensagem e nos seus arquivos anexos, bem como nas mensagens posteriores ou anteriores que podem compor esta seqüência de mensagens (em conjunto Informações) são privilegiadas e/ou confidenciais e para conhecimento exclusivo da empresa destinatária, suas afiliadas, seus funcionários e demais pessoas por ela autorizadas (em conjunto Empresa), estando regulada pelas leis aplicáveis e/ou por documentos de sigilo ou de confidencialidade em vigor entre a IN3 Technologies S/A (IN3) e a Empresa. São vedadas, quando não expressa e previamente autorizados por escrito pela IN3, o uso, a impressão, a divulgação ou a retransmissão das Informações a terceiros, estando o destinatário original, o agente facilitador, a Empresa e o receptor das Informações, sujeitos às penalidades e sanções legais aplicáveis. Caso você não esteja autorizado a receber esta mensagem ou a tenha recebido de forma não-autorizada ou não-intencional, solicitamos que você não leia, não copie, não imprima, não divulgue, não retransmita esta mensagem e não faça uso dos seus anexos, e destrua e apague imediatamente esta mensagem, seu conteúdo e os seus arquivos anexos, comunicando imediatamente o seu recebimento indevido ao seu remetente original ou para [EMAIL PROTECTED]. Comunicações eletrônicas não são seguras e sujeitas a alteração no seu conteúdo, portanto, a IN3 não se responsabiliza por qualquer dano causado, inclusive por vírus, na medida que a mesma trafegou por rede pública. ===
Certificate expired error
Title: Certificate expired error Hi there, I had created a certificate to test with using OpenSSL. It is supposed to expire in Aug. 2005. I have been using it for the past few weeks. Then all of a sudden, I'm getting sslv3 alert certificate expired from SSL_accept(). What's going on? Thanks, Ed
RE: Removing passphrase for Apache server
Thanks, Himanshu. That did the trick. Joe DeBattista UCSF, ITS INTERNET: [EMAIL PROTECTED] On Tue, 7 Sep 2004, Himanshu Soni wrote: If you notice carefully, the openssl rsa command is asking for the server.bak passphrase. Once you provide that passphrase (the one that you specified when using genrsa command), server.key will contain your un-passphrased private key. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Joe DeBattista Sent: Tuesday, September 07, 2004 10:53 AM To: [EMAIL PROTECTED] Subject: [BULK] - Removing passphrase for Apache server Hi, I sent a query last week about removing a passphrase from an Apache server I have set up with openssl-0.9.7d and compiled with the gcc compiler. I thought I'd provide a little more information. When I try to remove the passphrase, it says I need a minimum of 4 characters in the passphrase. Is this something in this version of openssl, as I don't remember having this requirement with earlier versions? I generated the key with $openssl genrsa -des3 -rand randfile1:randfile2:randfile3 1024 \ /usr/local/apache2/conf/ssl.key/server.key I made a copy of server.key to server.bak and then tried the following command to redo the passphrase and get the following: # /usr/local/ssl/bin/openssl rsa -in server.bak -out server.key Enter pass phrase for server.bak: 21202:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:847:You must type in 4 to 4095 characters Is there a way around this? Joe DeBattista UCSF, ITS INTERNET: [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Mobile Phones
Chuck, Thanks a lot for your e-mail. The problem is that Qualcomm has implemented SSL protocol but it is a black box meaning that we dont have access to the source code, so far. Our intention is to build up an open source implementation of TLS, first for BREW and right after for J2ME (Java). I have tried to find the Netscape docs you mention, but I couldnt find them, unfortunately. We are now trying to get info from books and I will order the one you mention, as soon as I find it. If you remember anything that might be interesting, please let me know. Regards GR -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Goehring, Chuck, RCI - San DiegoSent: Tuesday, September 07, 2004 9:07 PMTo: [EMAIL PROTECTED]Subject: RE: Mobile Phones Guilherme, Sorry for the earlier post MS Outlook did not indicate your emailwas from the list. But I have here is what I would suggest.Others may have more info for you. Ok, I found out what BREW is. Since it is an operating system, you would need to build openssl for it like any other operating system. I don't know if it is supported so you will need to look at the code readme and docs of OpenSSL to see. If it is not supported, you will need to hunt for one, or port it yourself. Since Qualcom is pushing BREW, they may have a port of OpenSSL or some other implementation. That would save you the effort to build and/or port it. The source code will show you what ciphers are supported. The protocol (SSL https) was documented on Netscape's site, but I can't find it anymore.The handshake process and other details of ssl were covered in documents at the Netscape web site somewhere. TLS is the newer name for the standardized version of ssl. The O'Reilly book on OpenSSL is pretty good. For the low level stuff, there is a book on TLS but I don't remember the exact name - search for tls on amazon.com. There is a lot of docs with OpenSSL and mod_ssl in the Apache 2 source distribution. Chuck -Original Message-From: Guilherme G. Rafare / IN3 Technologies S.A. [mailto:[EMAIL PROTECTED]Sent: Monday, September 06, 2004 6:44 PMTo: [EMAIL PROTECTED]Subject: Mobile PhonesImportance: High Hi, Sorry to trouble you. We are planning to implement OpenSSL in one of wireless data projects for mobile phones, using BREW (mainly C/C++). Do you know where we can find a detailed message flow and protocol, including the use of the encryption algorithms in each piece? We would really appreciateany input. Thanks and regards. GR Um abraço // Best regards, Guilherme G. Rafare Diretor Gerente // Managing Director IN3 Technologies S.A.http://www.in3.com.br MadGam.com http://www.madgam.com e-mail: [EMAIL PROTECTED] ICQ: 163.046.989 MSN:[EMAIL PROTECTED] Yahoo Msgr: guilhermerafare Skype: guilhermerafare===As informações transmitidas nesta mensagem e nos seus arquivos anexos, bem como nas mensagens posteriores ou anteriores que podem compor esta seqüência de mensagens (em conjunto Informações) são privilegiadas e/ou confidenciais e para conhecimento exclusivo da empresa destinatária, suas afiliadas, seus funcionários e demais pessoas por ela autorizadas (em conjunto Empresa), estando regulada pelas leis aplicáveis e/ou por documentos de sigilo ou de confidencialidade em vigor entre a IN3 Technologies S/A (IN3) e a Empresa. São vedadas, quando não expressa e previamente autorizados por escrito pela IN3, o uso, a impressão, a divulgação ou a retransmissão das Informações a terceiros, estando o destinatário original, o agente facilitador, a Empresa e o receptor das Informações, sujeitos às penalidades e sanções legais aplicáveis. Caso você não esteja autorizado a receber esta mensagem ou a tenha recebido de forma não-autorizada ou não-intencional, solicitamos que você não leia, não copie, não imprima, não divulgue, não retransmita esta mensagem e não faça uso dos seus anexos, e destrua e apague imediatamente esta mensagem, seu conteúdo e os seus arquivos anexos, comunicando imediatamente o seu recebimento indevido ao seu remetente original ou para [EMAIL PROTECTED]. Comunicações eletrônicas não são seguras e sujeitas a alteração no seu conteúdo, portanto, a IN3 não se responsabiliza por qualquer dano causado, inclusive por vírus, na medida que a mesma trafegou por rede pública. ===
RE: Mobile Phones
Guilherme, There is a Java "clean room implementation of the JCE 1.2.1" at http://www.bouncycastle.org/. It has source code and a non-restrictive license. You could make a lite system using pieces from OpenSSL. Don't know if it would be easier than porting all of OpenSSL. It may depend on the tools for BREW. Chuck -Original Message-From: Guilherme G. Rafare / IN3 Technologies S.A. [mailto:[EMAIL PROTECTED]Sent: Tuesday, September 07, 2004 5:28 PMTo: [EMAIL PROTECTED]Subject: RE: Mobile Phones Chuck, Thanks a lot for your e-mail. The problem is that Qualcomm has implemented SSL protocol but it is a black box meaning that we dont have access to the source code, so far. Our intention is to build up an open source implementation of TLS, first for BREW and right after for J2ME (Java). I have tried to find the Netscape docs you mention, but I couldnt find them, unfortunately. We are now trying to get info from books and I will order the one you mention, as soon as I find it. If you remember anything that might be interesting, please let me know. Regards GR -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Goehring, Chuck, RCI - San DiegoSent: Tuesday, September 07, 2004 9:07 PMTo: [EMAIL PROTECTED]Subject: RE: Mobile Phones Guilherme, Sorry for the earlier post MS Outlook did not indicate your emailwas from the list. But I have here is what I would suggest.Others may have more info for you. Ok, I found out what BREW is. Since it is an operating system, you would need to build openssl for it like any other operating system. I don't know if it is supported so you will need to look at the code readme and docs of OpenSSL to see. If it is not supported, you will need to hunt for one, or port it yourself. Since Qualcom is pushing BREW, they may have a port of OpenSSL or some other implementation. That would save you the effort to build and/or port it. The source code will show you what ciphers are supported. The protocol (SSL https) was documented on Netscape's site, but I can't find it anymore.The handshake process and other details of ssl were covered in documents at the Netscape web site somewhere. TLS is the newer name for the standardized version of ssl. The O'Reilly book on OpenSSL is pretty good. For the low level stuff, there is a book on TLS but I don't remember the exact name - search for tls on amazon.com. There is a lot of docs with OpenSSL and mod_ssl in the Apache 2 source distribution. Chuck -Original Message-From: Guilherme G. Rafare / IN3 Technologies S.A. [mailto:[EMAIL PROTECTED]Sent: Monday, September 06, 2004 6:44 PMTo: [EMAIL PROTECTED]Subject: Mobile PhonesImportance: High Hi, Sorry to trouble you. We are planning to implement OpenSSL in one of wireless data projects for mobile phones, using BREW (mainly C/C++). Do you know where we can find a detailed message flow and protocol, including the use of the encryption algorithms in each piece? We would really appreciateany input. Thanks and regards. GR Um abraço // Best regards, Guilherme G. Rafare Diretor Gerente // Managing Director IN3 Technologies S.A.http://www.in3.com.br MadGam.com http://www.madgam.com e-mail: [EMAIL PROTECTED] ICQ: 163.046.989 MSN:[EMAIL PROTECTED] Yahoo Msgr: guilhermerafare Skype: guilhermerafare===As informações transmitidas nesta mensagem e nos seus arquivos anexos, bem como nas mensagens posteriores ou anteriores que podem compor esta seqüência de mensagens (em conjunto Informações) são privilegiadas e/ou confidenciais e para conhecimento exclusivo da empresa destinatária, suas afiliadas, seus funcionários e demais pessoas por ela autorizadas (em conjunto Empresa), estando regulada pelas leis aplicáveis e/ou por documentos de sigilo ou de confidencialidade em vigor entre a IN3 Technologies S/A (IN3) e a Empresa. São vedadas, quando não expressa e previamente autorizados por escrito pela IN3, o uso, a impressão, a divulgação ou a retransmissão das Informações a terceiros, estando o destinatário original, o agente facilitador, a Empresa e o receptor das Informações, sujeitos às penalidades e sanções legais aplicáveis. Caso você não esteja autorizado a
RE: Mobile Phones
Chuck, Thanks a lot! Mobile phones and BREW are yet a very limited environment for app development: Low CPU speed (33Mhz), low storage(1Mb),limited app size (300kb)and perhaps the worst part of it, we can only work with INT32 (DWORD32). We can't use floats, doubles, global variables and etc...So, the life is not easy. I will take a look on the link you send, perhaps we can start porting some of the code and see how it can be integrated to OpenSSL. Comments are very welcome. Regards GR -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Goehring, Chuck, RCI - San DiegoSent: Tuesday, September 07, 2004 10:12 PMTo: [EMAIL PROTECTED]Subject: RE: Mobile PhonesGuilherme, There is a Java "clean room implementation of the JCE 1.2.1" at http://www.bouncycastle.org/. It has source code and a non-restrictive license. You could make a lite system using pieces from OpenSSL. Don't know if it would be easier than porting all of OpenSSL. It may depend on the tools for BREW. Chuck -Original Message-From: Guilherme G. Rafare / IN3 Technologies S.A. [mailto:[EMAIL PROTECTED]Sent: Tuesday, September 07, 2004 5:28 PMTo: [EMAIL PROTECTED]Subject: RE: Mobile Phones Chuck, Thanks a lot for your e-mail. The problem is that Qualcomm has implemented SSL protocol but it is a black box meaning that we dont have access to the source code, so far. Our intention is to build up an open source implementation of TLS, first for BREW and right after for J2ME (Java). I have tried to find the Netscape docs you mention, but I couldnt find them, unfortunately. We are now trying to get info from books and I will order the one you mention, as soon as I find it. If you remember anything that might be interesting, please let me know. Regards GR -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Goehring, Chuck, RCI - San DiegoSent: Tuesday, September 07, 2004 9:07 PMTo: [EMAIL PROTECTED]Subject: RE: Mobile Phones Guilherme, Sorry for the earlier post MS Outlook did not indicate your emailwas from the list. But I have here is what I would suggest.Others may have more info for you. Ok, I found out what BREW is. Since it is an operating system, you would need to build openssl for it like any other operating system. I don't know if it is supported so you will need to look at the code readme and docs of OpenSSL to see. If it is not supported, you will need to hunt for one, or port it yourself. Since Qualcom is pushing BREW, they may have a port of OpenSSL or some other implementation. That would save you the effort to build and/or port it. The source code will show you what ciphers are supported. The protocol (SSL https) was documented on Netscape's site, but I can't find it anymore.The handshake process and other details of ssl were covered in documents at the Netscape web site somewhere. TLS is the newer name for the standardized version of ssl. The O'Reilly book on OpenSSL is pretty good. For the low level stuff, there is a book on TLS but I don't remember the exact name - search for tls on amazon.com. There is a lot of docs with OpenSSL and mod_ssl in the Apache 2 source distribution. Chuck -Original Message-From: Guilherme G. Rafare / IN3 Technologies S.A. [mailto:[EMAIL PROTECTED]Sent: Monday, September 06, 2004 6:44 PMTo: [EMAIL PROTECTED]Subject: Mobile PhonesImportance: High Hi, Sorry to trouble you. We are planning to implement OpenSSL in one of wireless data projects for mobile phones, using BREW (mainly C/C++). Do you know where we can find a detailed message flow and protocol, including the use of the encryption algorithms in each piece? We would really appreciateany input. Thanks and regards. GR Um abraço // Best regards, Guilherme G. Rafare Diretor Gerente // Managing Director IN3 Technologies S.A.http://www.in3.com.br MadGam.com http://www.madgam.com e-mail: [EMAIL PROTECTED] ICQ: 163.046.989 MSN:[EMAIL PROTECTED] Yahoo Msgr: guilhermerafare Skype:
SSL alert number 46
I start up my Tomcat server with a keystore, truststore and clientAuth=true, and tried connecting it via openssl s_client and everything works well. Setting up my OC4J (Oracle 9ias) using the same keystore, truststore and needs-client-auth=true, I get the following error when I try to connect to it using openssl s_client: 1893:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:964:SSL alert number 46 1893:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226: If I turn off client-authentication on my OC4J server, it works fine. This makes me think there's something wrong with my client certificate, but I use the same client certificate when testing with Tomcat and it works fine. =( Btw, if you're not familiar with the openssl s_client testing utility and it's error messages, I conducted the same tests using a standalone JAVA client, and the error I received (for the same scenario as above) is: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275) at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.b(DashoA6275) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275) at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect (DashoA6275) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLCon nection.java:574) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Dash oA6275) at java.net.URL.openStream(URL.java:960) at sendHTTPs.send(sendHTTPs.java:72) at sendHTTPs.main(sendHTTPs.java:109) Thanks for any help! Liam _ MSN 8 with e-mail virus protection service: 2 months FREE* http://join.msn.com/?page=features/virus __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]