Re(2): RE(2): Re(2): Decryption Problem
Steve Many thanks for this; I should have persevered with delving into the relevant RFCs and checking the ASN.1 was valid and well formed. So Im assuming Outlook is tolerant (to some extent) of badly formed ASN.1 whereas openssl adheres to the standards (which is how it should be). One other observation (Im much more familiar with BER than DER, having had the pleasure and honour of working alongside Professors Chadwick [Mr X500] and Larmouth [Mr ASN1] in the 1980s); openssl uses unspecified length strings in the encoding, whereas the (errant) ASN.1 I posted uses absolute length strings, the question is (having not read the ISO standard for DER .. too expensive to buy) is this the only variable thing in the DER encoding? because I thought DER, unlike BER, did a 1:1 encoding so you could use the diff command (et al) to compare two independent encodings of the same thing. Just wondering, enquiring minds etc ;-) Once again many thanks. Peter "Dr. Stephen Henson" [EMAIL PROTECTED] wrote: On Sun, Mar 06, 2005, Peter Cope wrote: I'm using openssl 0.9.7e on Unix (The example output below is from Windows version of openssl [a 0.9.7X derived binary version from stunnel.org], but is consistent with AIX version as regards the failure. I will repeat this tomorrow when I have access to the Unix box if that helps). openssl pkcs7 -inform DER -in file.der This outputs a PEM file (topped and tailed with the '-- PKCS7 -' line) *But* openssl smime -decrypt -in file.der -inform DER -recip cert.pem -inkey private.pem gives Error decrypting PKCS#7 structure 172:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:crypto/asn1/asn1_lib.c:140: 172:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:crypto/asn1/tasn_dec.c:935: 172:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:crypto/asn1/tasn_dec.c:628: 172:error:0D08606D:asn1 encoding routines:ASN1_TYPE_get_int_octetstring:data is wrong:crypto/asn1/evp_asn1.c:179: 172:error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error:crypto/pkcs7/pk7_smime.c:414: (If the file.der originated from one of our own computers, using the same public key to encrypt then the above decrypt line works). [If I redirect the output from the pkcs7 line into say fred.pem, and try decrypting this (using -in fred.pem -inform PEM ) naturally get the same error.] It may be our client is doing something wrong, but as with any interoperability testing I always assume the fault is my end until I have proof it isn't. Ah, that explains it. Going back to your output from asn1parse:355:d=5 hl=2 l= 8 prim: OBJECT :rc2-cbc365:d=5 hl=2 l= 3 cons: SEQUENCE367:d=6 hl=2 l= 1 prim: INTEGER :3Awhat this should be is an AlgorithmIdentifier structure. The parameter field(second and third lines) should be:RC2CBCParameter ::= SEQUENCE {rc2ParameterVersion INTEGER,iv OCTET STRING } -- exactly 8 octetsas you can see the 'iv' parameter is missing.Steve.--Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepageOpenSSL project core developer and freelance consultant.Funding needed! Details on homepage.Homepage: http://www.drh-consultancy.demon.co.uk__OpenSSL Project http://www.openssl.orgUser Support Mailing List openssl-users@openssl.orgAutomated List Manager [EMAIL PROTECTED]
Re: [openssl-users] Requirements for valid CA certs within a cert chain
Bonjour, Hodie pr. Non. Mar. MMV est, ohaya scripsit: This is the self-signed root CA cert. It is now V3, and has the AKI and SKI. Good. It still has Digital Signature, as I wasn't sure about what to do with that on the root CA cert: It's useless, as you'll really use the Root certificate to sporadically sign new sub-CA certificates when the need occurs. But it's also harmless. You'll also have to sign a CRL with this Root, with a large validity period (it can even be as large as the certificate itself, you're allowed to create new CRLs anytime). Validity Not Before: Mar 6 07:26:33 2005 GMT Not After : Mar 7 07:26:29 2013 GMT 1024 bits might be a bit short by 2013. 1024 may not be broken by that date, but the margin will be pretty thin. X509v3 extensions: X509v3 Basic Constraints: CA:TRUE If you want your certificates to be RFC3280 compliant, then this extension MUST be critical. The X.509 standard tells you that if this extension is not critical and not recognized by the software, then this certificate is considered an end-user certificate. Not what you want. So the X.509 standard recommends it to be flagged critical. This is the subordinated CA cert, signed by the ROOT CA. It is now V3 also, and has the AKI and SKI. It does not have Digital Signature: [...] Not Before: Mar 6 07:30:41 2005 GMT Not After : Mar 4 07:27:05 2013 GMT Same remark about the key size and the validity period of the certificate. Subject: [EMAIL PROTECTED], C=US, O=JimDept, OU=JimCo, CN=ATEST7-SUBROOT-CA Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:dc:ca:a8:d1:c8:41:91:82:91:fe:d8:c2:8d:2d: . snip . 8c:b1:b2:de:b8:6c:7a:74:67 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 Extension flagged critical, and pathlen restricted, good. X509v3 Key Usage: critical Certificate Sign, CRL Sign Good. Finally, just for completeness, this is a client cert that I created from the subroot CA cert: Certificate: Data: Version: 3 (0x2) Serial Number: 0a:ba:76:83:46:f0:87:10:18:b0:36:b6:98:5e:24:15 Signature Algorithm: sha1WithRSAEncryption Issuer: [EMAIL PROTECTED], C=US, O=JimDept, OU=JimCo, CN=ATEST7-SUBROOT-CA Validity Not Before: Mar 6 07:54:13 2005 GMT Not After : Mar 1 07:27:49 2013 GMT Subject: [EMAIL PROTECTED], C=US, O=JimDept, OU=JimCo, CN=USER30-ATEST7 Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:aa:b0:98:d9:66:4a:fa:7c:73:28:f3:fc:43:cd: . snip . 53:84:c8:4c:60:f1:48:48:97:15:8e:85:89:5c:ad: 9a:aa:76:e7:a2:6b:2e:51:43 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature So this certificate can't be used for decrypting messages (emails for example). Netscape Cert Type: SSL Client This extension is an old one, and honestly can raise more problems than solutions. It was 'invented' by Netscape before the extendedKeyUsage came and fulfills the same goal (provide usage information with more accuracy than the keyUsage extension alone), but as it isn't standard, applications are free to ignore it. Today, I know that Netscape+Mozilla products use it, Java crypto API does, and maybe OpenSSL recognizes it, but I'm not sure. This extension is checked with others (keyUsage, extendedKeyUsage), also with certificate characteristics (fields of the DN of the subject), and criticality status of those extensions. It can really be a mess. Now, next point. The revocation status. You must either generate CRLs of provide a way to check the revocation status of any certificate (OCSP for example). That means an additional extension can be added to all certificates (but the Root). -- Erwann ABALEA [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
convert certifikate to opensll
Hi, I have the following problem. I get my certificate form my Netkey smartcard with opensc. Now, I want to use it with openssl. But my program exit with error code -3: #include string #include openssl/bio.h #include openssl/pem.h #include openssl/bn.h #include openssl/sha.h #include openssl/rsa.h #include openssl/objects.h #include iostream #include "verify.h" using namespace std; int verify::verifyHash(const string hash, const string sign, string cert ){ cert="-BEGIN CERTIFICATE-\nMIICDjCCAXqgAwIBAgIEANLehDAKBgYrJAMDAQIFADBQMQswCQYDVQQGEwJERTEc\nMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEjMAwGBwKCBgEKBxQTATEwEwYD\nVQQDFAxOS1MgQ0EgMTY6UE4wIhgPMjAwNDA5MjcxMDUyMDdaGA8yMDA3MDkyNzEw\nNTIwN1owNDELMAkGA1UEBhMCREUxJTAMBgcCggYBCgcUEwExMBUGA1UEAxQOTktT\nIDA0IEEgOTAxNjAwgaAwDQYJKoZIhvcNAQEBBQADgY4AMIGKAoGBAImVDgcZSW6W\nu6c19kBPVON6/dpnUdWFiKCW346+KoRNWZzeqwoGF6ikF1Ws6YntVHFtx/486aYh\n5s9jYRHqjlYqtY8wO9Raw4JMb0BeuonqLufwe5HU4BWV+Y1irCDnz8FEceOKFGrZ\ndQzxaDW52wpCsjMaWOcdSZD9O4vUSXABAgRAAACBoxIwEDAOBgNVHQ8BAf8EBAMC\nBsAwCgYGKyQDAwECBQADgYEAWVSghI9COFd97KTyq1pDn3JsJCXBoMMratVMG2vJ\nJbokEQJeVbwdaEHVKi3LYUFMoWfkxi1e9LwQaVWzppDhpg4lmkThxCYX2TLTmTtZ\nqxB4EXyKd1WXcJyLLKDzJJHyIQYQi/tc9vNcptEvGQwd38Yei7PmN7OZ49SrDK+w\nLcs=\n-END CERTIFICATE-\n\n"; if(hash.length() != 20) return -1; if(sign.length() != 128) return -2; char sha1[21]; char signature[129]; RSA *r; X509 *x509Cert; hash.copy(sha1, 20); sign.copy(signature, 20); char buffer[99]; cert.copy(buffer,cert.length()); //! I kown it is not secure (only for testing) unsigned char *cp = (unsigned char *) buffer; cerr cp; x509Cert = d2i_X509(0, cp , cert.length()); if (x509Cert == NULL) return -3; Thanks Thomas
Using CryptoAPI to verify a cert
Title: Using CryptoAPI to verify a cert Does anybody know how to use the Microsoft Crypto API's to verify a cert. Given an X509 object, I've created a CERT_CONTEXT using the Crypto API, CertCreateCertificateContext(). And I've got a handle to the Windows certificate store, using CertOpenSystemStore(). But I have no idea how to verify the cert. Can anyone help? Examples, documentation? Thanks, Ed
Re: convert certifikate to opensll
On Mon, Mar 07, 2005, T. Quirin wrote: Hi, I have the following problem. I get my certificate form my Netkey smartcard with opensc. Now, I want to use it with openssl. But my program exit with error code -3: #include string #include openssl/bio.h #include openssl/pem.h #include openssl/bn.h #include openssl/sha.h #include openssl/rsa.h #include openssl/objects.h #include iostream #include verify.h using namespace std; int verify::verifyHash(const string hash, const string sign, string cert ){ cert=-BEGIN CERTIFICATE-\nMIICDjCCAXqgAwIBAgIEANLehDAKBgYrJAMDAQIFADBQMQswCQYDVQQGEwJERTEc\nMBoGA1UEChQTRGV1dHNjaGUgVGVsZWtvbSBBRzEjMAwGBwKCBgEKBxQTATEwEwYD\nVQQDFAxOS1MgQ0EgMTY6UE4wIhgPMjAwNDA5MjcxMDUyMDdaGA8yMDA3MDkyNzEw\nNTIwN1owNDELMAkGA1UEBhMCREUxJTAMBgcCggYBCgcUEwExMBUGA1UEAxQOTktT\nIDA0IEEgOTAxNjAwgaAwDQYJKoZIhvcNAQEBBQADgY4AMIGKAoGBAImVDgcZSW6W\nu6c19kBPVON6/dpnUdWFiKCW346+KoRNWZzeqwoGF6ikF1Ws6YntVHFtx/486aYh\n5s9jYRHqjlYqtY8wO9Raw4JMb0BeuonqLufwe5HU4BWV+Y1irCDnz8FEceOKFGrZ\ndQzxaDW52wpCsjMaWOcdSZD9O4vUSXABAgRAAACBoxIwEDAOBgNVHQ8BAf8EBAMC\nBsAwCgYGKyQDAwECBQADgYEAWVSghI9COFd97KTyq1pDn3JsJCXBoMMratVMG2vJ\nJbokEQJeVbwdaEHVKi3LYUFMoWfkxi1e9LwQaVWzppDhpg4lmkThxCYX2TLTmTtZ\nqxB4EXyKd1WXcJyLLKDzJJHyIQYQi/tc9vNcptEvGQwd38Yei7PmN7OZ49SrDK+w\nLcs=\n-END CERTIFICATE-\n\n; if(hash.length() != 20) return -1; if(sign.length() != 128) return -2; char sha1[21]; char signature[129]; RSA *r; X509 *x509Cert; hash.copy(sha1, 20); sign.copy(signature, 20); char buffer[99]; cert.copy(buffer,cert.length()); //! I kown it is not secure (only for testing) unsigned char *cp = (unsigned char *) buffer; cerr cp; x509Cert = d2i_X509(0, cp , cert.length()); if (x509Cert == NULL) return -3; You are using d2i_X509() which is for DER format on a PEM format certificate. You should either convert the certificate to DER or use a memory BIO and call PEM_read_bio_X509() on it. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Using CryptoAPI to verify a cert
On Sun, Mar 06, 2005, Edward Chan wrote: Does anybody know how to use the Microsoft Crypto API's to verify a cert. Given an X509 object, I've created a CERT_CONTEXT using the Crypto API, CertCreateCertificateContext(). And I've got a handle to the Windows certificate store, using CertOpenSystemStore(). But I have no idea how to verify the cert. Can anyone help? Examples, documentation? That's nothing to do with OpenSSL. I suggest you ask in microsoft.public.platformsdk.security Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Re(2): RE(2): Re(2): Decryption Problem
On Mon, Mar 07, 2005, Peter Cope wrote: Steve Many thanks for this; I should have persevered with delving into the relevant RFCs and checking the ASN.1 was valid and well formed. So Im assuming Outlook is tolerant (to some extent) of badly formed ASN.1 whereas openssl adheres to the standards (which is how it should be). One other observation (Im much more familiar with BER than DER, having had the pleasure and honour of working alongside Professors Chadwick [Mr X500] and Larmouth [Mr ASN1] in the 1980s); openssl uses unspecified length strings in the encoding, whereas the (errant) ASN.1 I posted uses absolute length strings, the question is (having not read the ISO standard for DER .. too expensive to buy) is this the only variable thing in the DER encoding? because I thought DER, unlike BER, did a 1:1 encoding so you could use the diff command (et al) to compare two independent encodings of the same thing. Just wondering, enquiring minds etc ;-) OpenSSL uses DER for just about everything when encoding ASN1 whereas the decoder will tolerate DER or BER. There are some hooks for BER and streaming S/MIME in OpenSSL 0.9.8 but that's only at an early stage and no one's really been that interested in it at present. I'm not sure what Outlook is doing with that structure. Many ASN1 compilers would reject something like that. There isn't an IV either though it may be using all zeroes. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Re(2): RE(2): Re(2): Decryption Problem
There are some hooks for BER and streaming S/MIME in OpenSSL 0.9.8 but that's only at an early stage and no one's really been that interested in it at present. My program has to handle big PKCS7 files, so I´d be very interested in that streaming. I had to modify PKCS7_doit( ) routines to do that with *detached* signatures/envelopes, so I can create/read the big content apart from signature in a loop without using up my RAM, but I would prefer to leave that work to OpenSSL internals. But, in case a big *non-detached* PKCS7 is generated (maybe this is nowadays more usual), I have no option but to load all big content in memory because the internal d2i_XXX, i2d_XXX routines use only memory pointers. Something as a stream BIO instead of pointers could be a solution. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
BIGNUM to binary representation: any function??
Hello SSLites, Is there a function which gives binary representation of a BIGNUM? Regards, Vishwas. PS: Am trying to get number of multiplications performed while decrypting a cipher-text using the value of KEY-D __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl-users] Requirements for valid CA certs within a cert chain
Erwann, Thanks for all the detailed comments!! Jim __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Command Line Params
Hello all, I am using the following commands to create a self-cert: *** req -config openssl.cnf -new -out myserver.csr rsa -in privkey.pem -out key.pem x509 -in myserver.csr -out cert.pem -req -signkey key.pem -days 365 *** I would like to be able to perform this through code (Win32 Delphi App). Shelling out to openssl.exe is no problem. What I am not sure about is the second command, rsa -in privkey.pem -out key.pem, which successively prompts for data. Is there a way that I can feed this data (passphrase, State, City, common name, etc) to the command line through a text file or such? I've looked through the command line params docs, but didn't notice anything. Thank you for any help, Warm Regards, Lee __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: BIGNUM to binary representation: any function??
On Mon, Mar 07, 2005, Vishwas wrote: Hello SSLites, Is there a function which gives binary representation of a BIGNUM? Regards, Vishwas. PS: Am trying to get number of multiplications performed while decrypting a cipher-text using the value of KEY-D In the Fine Manual there's BN_bn2bin() and BN_bin2bn(). Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Command Line Params
On Mon, Mar 07, 2005, Lee Jenkins wrote: Hello all, I am using the following commands to create a self-cert: *** req -config openssl.cnf -new -out myserver.csr rsa -in privkey.pem -out key.pem x509 -in myserver.csr -out cert.pem -req -signkey key.pem -days 365 *** I would like to be able to perform this through code (Win32 Delphi App). Shelling out to openssl.exe is no problem. What I am not sure about is the second command, rsa -in privkey.pem -out key.pem, which successively prompts for data. Is there a way that I can feed this data (passphrase, State, City, common name, etc) to the command line through a text file or such? I've looked through the command line params docs, but didn't notice anything. The -passin command line switch will do that but... That command sequence would give you an obsolete V1 certificate so its not a good idea. You can do the whole thing in a single command by using the -x509 option to 'req'. You might want to use alternative extensions though because that will use CA ones by default. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Using CryptoAPI to verify a cert
Title: Using CryptoAPI to verify a cert See documentation of CertGetIssuerCertificateFromStore Thanks Anupam -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Edward ChanSent: Sunday, March 06, 2005 8:16 PMTo: openssl-users@openssl.orgSubject: Using CryptoAPI to verify a cert Does anybody know how to use the Microsoft Crypto API's to verify a cert. Given an X509 object, I've created a CERT_CONTEXT using the Crypto API, CertCreateCertificateContext(). And I've got a handle to the Windows certificate store, using CertOpenSystemStore(). But I have no idea how to verify the cert. Can anyone help? Examples, documentation? Thanks, Ed
SSL_connect problem
hi i have ported openssl on to vxworks mips processor. i have written a simple code for sercure server-client interaction. SSL_connect is giving me problems. the error is SSL_ERROR_SYSCALL. ERR_get_error is returning a 0. but ERR_error_string_n( ..) is returning error: :lib(0):func(0):reason(0). could someone tell me what might be wrong? thank you vijay__Do You Yahoo!?Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
RE: SSL_connect problem
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of vijay basav Sent: Monday, March 07, 2005 8:22 AM To: openssl-users@openssl.org Subject: SSL_connect problem hi i have ported openssl on to vxworks mips processor. i have written a simple code for sercure server-client interaction. SSL_connect is giving me problems. the error is SSL_ERROR_SYSCALL. ERR_get_error is returning a 0. but ERR_error_string_n( ..) is returning error: :lib(0):func(0):reason(0). Have you called the SSL_library_init() at the beginning ? Vu __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Segmentation fault after RSA_check_key
Hi, thank you Steve my verification function works now. But I want to check the RSA key before I use it. If I run "if(RSA_check_key(r) != 1) return -5;" I get a "Segmentation fault ". It works without this line. #include string #include openssl/bio.h #include openssl/pem.h #include openssl/bn.h #include openssl/sha.h #include openssl/rsa.h #include openssl/x509.h #include openssl/objects.h #include openssl/evp.h #include iostream #include "../base64/base64.h" #include "verify.h" using namespace std; int verify::verifyHash(const string hash, const string sign, string cert ){ if(hash.length() != 20) return -1; if(sign.length() != 128) return -2; char sha1[21]; char signature[129]; RSA *r; X509 *x509Cert; hash.copy(sha1, 20); sign.copy(signature, 128); char* buffer = new(char[cert.length() + 1]); cert.copy(buffer,cert.length()); unsigned char *cp = (unsigned char *) buffer; x509Cert = d2i_X509(0, cp , cert.length()); if (x509Cert == NULL) return -3; EVP_PKEY* evpKey = X509_get_pubkey(x509Cert); if (evpKey == 0) return -4; r = EVP_PKEY_get1_RSA(evpKey); if (r == 0) return -4; BN_CTX *c; int ret; if(RSA_check_key(r) != 1) return -5; if(!(c = BN_CTX_new())) return -6; if(!RSA_blinding_on(r, c)){ BN_CTX_free(c); return -7; }; ret = RSA_verify(NID_sha1, (unsigned char *) sha1, 20, (unsigned char *) signature, 128, r); RSA_blinding_off(r); BN_CTX_free(c); RSA_free(r); if (ret 0) return -8; if(ret == 1) return 1; return 0; }; Thanks Thomas
Re: Segmentation fault after RSA_check_key
On Mon, Mar 07, 2005, T. Quirin wrote: Hi, thank you Steve my verification function works now. But I want to check the RSA key before I use it. If I run if(RSA_check_key(r) != 1) return -5; I get a Segmentation fault . It works without this line. RSA_check_key() will only check a private key, not a public key. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Command Line Params
You can do the whole thing in a single command by using the -x509 option to 'req'. You might want to use alternative extensions though because that will use CA ones by default. Could I impose upon your for an example? Lee __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Command Line Params
Steve Wrote: that will create a certificate and key with the CA extensions in openssl.cnf. These are in the section 'v3_ca'. An alternative is to use the certificate extensions in the section v3_usr. This can be done with: openssl req -x509 -new -out cert.pem -keyout key.pem -extensions usr_cert Thanks Steve, I will give that a try. Lee __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
SSL_ERROR_SSL while SSL_read from version (TLS1_VERSION)
HI, Recently we encounter SSL_ERROR_SSL error on client side. Our application code(initialization, handshaking, read and write) is common for sslv2 and sslv3. It happens when we turn on sslv3. But when we turn off sslv3 but using sslv2, the problem goes away. The following are the setup we are using. freebsd 4.9 and freebsd 5.3 For freebsd 5.3, we use openssl-0.9.7d_1.tbz we are using TLS1_VERSION for ssl client and ssl server. The messages we send and read are fairly small. It is less 1K. When we send messages fast from ssl client to ssl server, on the ssl client side sometimes we get SSL_ERROR_SSL(read:1) reason='error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry'. When we turn of sslv3 dynamically and using sslv2, everything goes fine. We suspect something like 1. Is there any initialization, handshaking, read and write interfaces that we should call differently between sslv2 and sslv3? 2. Has anyone seen this behavior. The following is the struct ssl_st content at the moment the ssl client encounter SSL_ERROR_SSL. (gdb) print *sinfo-ssl $1 = {version = 769, type = 4096, method = 0x28367d80, rbio = 0x83bb700, wbio = 0x83bb700, bbio = 0x0, rwstate = 3, in_handshake = 0, handshake_func = 0x2834a5e0 ssl3_connect, server = 0, new_session = 0, quiet_shutdown = 0, shutdown = 0, state = 3, rstate = 240, init_buf = 0x0, init_msg = 0x8498004, init_num = 0, init_off = 0, packet = 0x8493000 \027\003\001, packet_length = 0, s2 = 0x0, s3 = 0x83fdc00, read_ahead = 0, msg_callback = 0, msg_callback_arg = 0x0, hit = 0, purpose = 0, trust = 0, cipher_list = 0x0, cipher_list_by_id = 0x0, enc_read_ctx = 0x84a6700, read_hash = 0x2844b520, expand = 0x0, enc_write_ctx = 0x84a6500, write_hash = 0x2844b520, compress = 0x0, cert = 0x83bdf00, sid_ctx_length = 0, sid_ctx = '\0' repeats 31 times, session = 0x83f6e00, generate_session_id = 0, verify_mode = 0, verify_depth = -1, verify_callback = 0, info_callback = 0, error = 0, error_code = 0, ctx = 0x83f9200, debug = 0, verify_result = 20, ex_data = { sk = 0x0, dummy = 0}, client_CA = 0x0, references = 1, options = 0, mode = 0, max_cert_list = 102400, first_packet = 0, client_version = 769} Thanks -Eric
Multiple Threads accessing an SSL connection
Hi, I read many posts about multiple threads accessing a single SSL connection for read/write. I am still confused about the usage. What exactly is the truth? If I have a client SSL connection that has 3 to 4 threads accessing the same SSL connection for read/write to the server, will it cause a problem?? If yes, then can I make use of mutex locks to allow only one thread access the SSL connection (for read/write) at a time??? If no, I am happy :) Thanks in advance, Sanjay Acharya Wichita State University __ Celebrate Yahoo!'s 10th Birthday! Yahoo! Netrospective: 100 Moments of the Web http://birthday.yahoo.com/netrospective/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]