Re: Removal from mailing list
if you find out? PLEASE LET ME KNOW? HELP! -Original Message- From: Daniel Arguello [EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Tue, 17 Jun 2008 3:53 pm Subject: Removal from mailing list Hi. I'd like to get myself removed from the mailing list. What do I do? Thanks, Dan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to extract subjectAltName
Thanks for that tip. It works now this way: UaPkiCertificateInfo UaPkiCertificate::info() const { UaPkiCertificateInfo ret; X509_EXTENSION *pExt; char *pBuffer = 0; int length = 0; GENERAL_NAMES *subjectAltNames; subjectAltNames = ( GENERAL_NAMES* ) X509_get_ext_d2i ( m_pCert, NID_subject_alt_name, NULL, NULL ); if ( subjectAltNames ) { int numalts; int i; /* get amount of alternatives, RFC2459 claims there MUST be at least one, but we don't depend on it... */ numalts = sk_GENERAL_NAME_num ( subjectAltNames ); /* loop through all alternatives */ for ( i=0; ( inumalts ); i++ ) { /* get a handle to alternative name number i */ const GENERAL_NAME *pName = sk_GENERAL_NAME_value ( subjectAltNames, i ); switch ( pName-type ) { case GEN_OTHERNAME: break; case GEN_EMAIL: ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pName-d.ia5); ret.eMail = pBuffer; OPENSSL_free(pBuffer); break; case GEN_DNS: ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pName-d.ia5); ret.DNS = pBuffer; OPENSSL_free(pBuffer); break; case GEN_X400: break; case GEN_DIRNAME: break; case GEN_EDIPARTY: break; case GEN_URI: ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pName-d.ia5); ret.URI = pBuffer; OPENSSL_free(pBuffer); break; case GEN_IPADD: ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pName-d.ia5); ret.IP = pBuffer; OPENSSL_free(pBuffer); break; case GEN_RID: break; } } } return ret; } On Tuesday 17 June 2008 23:56:26 Goetz Babin-Ebell wrote: GeneralNames *names; STACK_OF(CONF_VALUE) *vals = sk_CONV_VALUE_new_null(); names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); if (names) { /* you now can use OpenSSL to transform the names into some printable format... */ i2v_GENERAL_NAMES(NULL, names, vals); sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); } for(int i = 0; i sk_CONF_VALUE_num(vals); i++) { CONF_VALUE *conf = sk_CONF_VALUE_value(vals, i); ret.subjectAltName.appendNameValue(conf-name, conf-value); } sk_CONF_VALUE_pop_free(vals, CONF_VALUE_free); -- mit freundlichen Grüßen / best regards Gerhard Gappmeier ascolab GmbH - automation system communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to extract subjectAltName
i have n o t one idea what that means... i got out on this list by accident or type-o I have no way of looking at any of the thousands of emails i have rec'd and been able to find one thing i could understand. please HELP -Original Message- From: Gerhard Gappmeier [EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Wed, 18 Jun 2008 1:09 am Subject: Re: How to extract subjectAltName Thanks for that tip. It works now this way: UaPkiCertificateInfo UaPkiCertificate::info() const { UaPkiCertificateInfo ret; X509_EXTENSION *pExt; char *pBuffer = 0; int length = 0; GENERAL_NAMES *subjectAltNames; subjectAltNames = ( GENERAL_NAMES* ) X509_get_ext_d2i ( m_pCert, NID_subject_alt_name, NULL, NULL ); if ( subjectAltNames ) { int numalts; int i; /* get amount of alternatives, RFC2459 claims there MUST be at least one, but we don't depend on it... */ numalts = sk_GENERAL_NAME_num ( subjectAltNames ); /* loop through all alternatives */ for ( i=0; ( inumalts ); i++ ) { /* get a handle to alternative name number i */ const GENERAL_NAME *pName = sk_GENERAL_NAME_value ( subjectAltNames, i ); switch ( pName-type ) { case GEN_OTHERNAME: break; case GEN_EMAIL: ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pName-d.ia5); ret.eMail = pBuffer; OPENSSL_free(pBuffer); break; case GEN_DNS: ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pName-d.ia5); ret.DNS = pBuffer; OPENSSL_free(pBuffer); break; case GEN_X400: break; case GEN_DIRNAME: break; case GEN_EDIPARTY: break; case GEN_URI: ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pName-d.ia5); ret.URI = pBuffer; OPENSSL_free(pBuffer); break; case GEN_IPADD: ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pName-d.ia5); ret.IP = pBuffer; OPENSSL_free(pBuffer); break; case GEN_RID: break; } } } return ret; } On Tuesday 17 June 2008 23:56:26 Goetz Babin-Ebell wrote: GeneralNames *names; STACK_OF(CONF_VALUE) *vals = sk_CONV_VALUE_new_null(); names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); if (names) { /* you now can use OpenSSL to transform the names into some printable format... */ i2v_GENERAL_NAMES(NULL, names, vals); sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); } for(int i = 0; i sk_CONF_VALUE_num(vals); i++) { CONF_VALUE *conf = sk_CONF_VALUE_value(vals, i); ret.subjectAltName.appendNameValue(conf-name, conf-value); } sk_CONF_VALUE_pop_free(vals, CONF_VALUE_free); -- mit freundlichen Grüßen / best regards Gerhard Gappmeier ascolab GmbH - automation system communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to unsubsribe from OpenSSL Users ML
Ups, wrong address before. Send a message to [EMAIL PROTECTED] with the following text in the body. unsubscribe openssl-users For more info see below. I hope this helps you :-) -- Welcome to the openssl-users mailing list! Please save this message for future reference. Thank you. If you ever want to remove yourself from this mailing list, you can send mail to [EMAIL PROTECTED] with the following command in the body of your email message: unsubscribe openssl-users or from another account, besides [EMAIL PROTECTED]: unsubscribe openssl-users [EMAIL PROTECTED] If you ever need to get in contact with the owner of the list, (if you have trouble unsubscribing, or have questions about the list itself) send email to [EMAIL PROTECTED] . This is the general rule for most mailing lists when you need to contact a human. Here's the general information for the list you've subscribed to, in case you don't already have it: This open mailing list is used for discussions between the OpenSSL users. Everyone can post. [EMAIL PROTECTED] schrieb: *i haven o tone idea what that means... i got out on this list by accident or type-o I have no way of looking at any of the thousands of emails i have rec'd and been able to find one thing i could understand. please HELP* -- mit freundlichen Grüßen / best regards *Gerhard Gappmeier* ascolab GmbH - automation systems communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc -- *ascolab GmbH* Geschäftsführer: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß Sitz der Gesellschaft: Am Weichselgarten 7 • 91058 Erlangen • Germany Registernummer: HRB 9360 Registergericht: Amtsgericht Fürth
Re: Removal from mailing list
Hi, if you find out? PLEASE LET ME KNOW? HELP! if you read instructions this is the first email you ever got from this list: Welcome to the openssl-users mailing list! Please save this message for future reference. Thank you. If you ever want to remove yourself from this mailing list, you can send mail to [EMAIL PROTECTED] with the following command in the body of your email message: unsubscribe openssl-users alan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
I'm having trouble getting an ssl client programmed in java
I am attempting to connect to an ssl server that isn't a web site. I have C++ client code that works and would like to get a java client working. My initial attempt fails with a Exception in thread main gnu.javax.net.ssl.provider.AlertException: ILLEGAL_PARAMETER: remotely generated; FATAL message. That's not surprising since it is a simple program that does essentially: SocketFactory sf = SSLSocketFactory.getDefault(); Socket s = sf.createSocket(args[0], Integer.parseInt(args[1])); BufferedOutputStream bro = new BufferedOutputStream(s.getOutputStream()); bro.write(buf,0,msgLen); And fails on the write. So I decided to add a context, since that's what the C++ code did. SSLContext sc = SSLContext.getInstance ( SSLv3 ) ; sc.init (null,null,null) ; sc.createSSLEngine(); SocketFactory sf = sc.getSocketFactory(); This gives the same result. In the C++ code I specify a cipher, like: if (!SSL_CTX_set_cipher_list (ptrCTX, ADH)) { ptrSSL = SSL_new (ptrCTX); int xx = SSL_set_fd (ptrSSL, fdSocket); But I can't find a way to set a cipher into the context. The only mention of ciphers in the API seem to be in the SSLEngine class and I can't find a way to link that class into what I'm doing, so I'm pretty well stuck at this point. So one question, is that SSLv3 an acceptable protocol? The only examples I've found set that to SSL but in the C++ code I have: SSL_METHOD *method; method = SSLv3_client_method (); ptrCTX = SSL_CTX_new (method); I have no idea if that's the equivalent or not, I'm searching in the dark. I have read the SSL and TLS book but it like most examples assumes an http client which this is not. Another question is how do I specify a cipher and/or do I have to? Thanks for any pointers. Jim. -- View this message in context: http://www.nabble.com/I%27m-having-trouble-getting-an-ssl-client-programmed-in-java-tp17980660p17980660.html Sent from the OpenSSL - User mailing list archive at Nabble.com.
openssl+openvpn+gost89
(sorry for my english) Hi all. I'm trying to make openvpn tunnel using gost89 as cipher for traffic. For this purpose I generated my CA, public/private keys for client and server, and then trying to connect them all going ok: Wed Jun 18 13:26:34 2008 us=231723 10.1.1.110:1194 VERIFY OK: depth=1, /C=qw/ST=qw/L=qw/O=qw/OU=qw/CN=qw/emailAddress=qw Wed Jun 18 13:26:34 2008 us=233111 10.1.1.110:1194 VERIFY OK: depth=0, /C=qw/ST=er/L=er/O=er/OU=er/CN=er/emailAddress=er except Assertion failed at crypto.c :168 in openvpn file, after first data going from client to server. This bug in configuration of openvpn or openssl? server.conf dev tun ifconfig 10.1.1.112 10.1.1.111 ca cacert.pem cert newcert.pem engine gost cipher gost89 comp-lzo client.conf remote 10.1.1.107 dev tun cert servA.pem ca cacert.pem ifconfig 10.1.1.111 10.1.1.112 engine gost cipher gost89 comp-lzo as I can see in http://cryptocom.ru/OpenSource/OpenSSL_rus.html, there is no info about openvpn. -- Software is like sex, it is better when it's free
Reference Counters in OpenSSL
Hi some functions like X509_PUBKEY_get increment the internal reference counter of the object so that EVP_PKEY_free( pKey ) has to be called. Other functions like X509_get_X509_PUBKEY just return an internal pointer and I have to care myself about reference counting. Is there a general rule or naming convention to know how to use that? Or is the only possibilty to figure that out debugging into the code? -- mit freundlichen Grüßen / best regards *Gerhard Gappmeier* ascolab GmbH - automation systems communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc -- *ascolab GmbH* Geschäftsführer: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß Sitz der Gesellschaft: Am Weichselgarten 7 . 91058 Erlangen . Germany Registernummer: HRB 9360 Registergericht: Amtsgericht Fürth
Re: Reference Counters in OpenSSL
On Wed, Jun 18, 2008, Gerhard Gappmeier wrote: Hi some functions like X509_PUBKEY_get increment the internal reference counter of the object so that EVP_PKEY_free( pKey ) has to be called. Other functions like X509_get_X509_PUBKEY just return an internal pointer and I have to care myself about reference counting. Is there a general rule or naming convention to know how to use that? Or is the only possibilty to figure that out debugging into the code? If the function has a '1' in the name it ups the reference count. If it has a '0' it doesn't. Unfortunately there are quiet a few functions around which existed before this convention was decided on which can do either :-( Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Extracting certificate serial numbers from a CRL
Dear list, I am receiving a CRL. After checking its validity against the issuer's certificate, I would like to use the API to access the certificate serial numbers of the revoked certificates. With the command line and asn1parse I can check the serial numbers and the dates of revocation as INTEGER and UTCTIME, but I could not find a method to retrieve the serial numbers since these data is not stored as an extension in the CRL. Could anyone provide me with some hints ? I'll keep on trying ! Best regards, Jordi
Re: I'm having trouble getting an ssl client programmed in java
Your code is fine. Don't use /usr/bin/java (the gnu jvm)! Install a JVM from Sun or IBM or BEA or Blackdown, or Kaffe, at the very least, and use that instead. After installing a vendor's JVM, make sure you use the java executable they provide. For example: /opt/java/ibm-java-ppc-60/bin/java yours, Julius On Wed, Jun 18, 2008 at 6:07 AM, AverageGuy [EMAIL PROTECTED] wrote: I am attempting to connect to an ssl server that isn't a web site. I have C++ client code that works and would like to get a java client working. My initial attempt fails with a Exception in thread main gnu.javax.net.ssl.provider.AlertException: ILLEGAL_PARAMETER: remotely generated; FATAL message. That's not surprising since it is a simple program that does essentially: SocketFactory sf = SSLSocketFactory.getDefault(); Socket s = sf.createSocket(args[0], Integer.parseInt(args[1])); BufferedOutputStream bro = new BufferedOutputStream(s.getOutputStream()); bro.write(buf,0,msgLen); And fails on the write. So I decided to add a context, since that's what the C++ code did. SSLContext sc = SSLContext.getInstance ( SSLv3 ) ; sc.init (null,null,null) ; sc.createSSLEngine(); SocketFactory sf = sc.getSocketFactory(); This gives the same result. In the C++ code I specify a cipher, like: if (!SSL_CTX_set_cipher_list (ptrCTX, ADH)) { ptrSSL = SSL_new (ptrCTX); int xx = SSL_set_fd (ptrSSL, fdSocket); But I can't find a way to set a cipher into the context. The only mention of ciphers in the API seem to be in the SSLEngine class and I can't find a way to link that class into what I'm doing, so I'm pretty well stuck at this point. So one question, is that SSLv3 an acceptable protocol? The only examples I've found set that to SSL but in the C++ code I have: SSL_METHOD *method; method = SSLv3_client_method (); ptrCTX = SSL_CTX_new (method); I have no idea if that's the equivalent or not, I'm searching in the dark. I have read the SSL and TLS book but it like most examples assumes an http client which this is not. Another question is how do I specify a cipher and/or do I have to? Thanks for any pointers. Jim. View this message in context: I'm having trouble getting an ssl client programmed in java Sent from the OpenSSL - User mailing list archive at Nabble.com. -- yours, Julius Davies 250-592-2284 (Home) 250-893-4579 (Mobile) http://juliusdavies.ca/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: I'm having trouble getting an ssl client programmed in java
Julius Davies-2 wrote: Your code is fine. Don't use /usr/bin/java (the gnu jvm)! Install a JVM from Sun or IBM or BEA or Blackdown, or Kaffe, at the very least, and use that instead. After installing a vendor's JVM, make sure you use the java executable they provide. For example: /opt/java/ibm-java-ppc-60/bin/java yours, Julius OK [EMAIL PROTECTED]:~/java/sslSocket$ echo $JAVA_HOME /opt/jdk1.5.0_15/ [EMAIL PROTECTED]:~/java/sslSocket$ which java /opt/jdk1.5.0_15//bin//java It changed the error. I suspect it has to do with my inability to set the cipher as I mentioned before. Exception in thread main javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure Thanks, Jim. -- View this message in context: http://www.nabble.com/I%27m-having-trouble-getting-an-ssl-client-programmed-in-java-tp17980660p17988839.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: I'm having trouble getting an ssl client programmed in java
On Wed, Jun 18, 2008 at 2:14 PM, AverageGuy [EMAIL PROTECTED] wrote: Julius Davies-2 wrote: Your code is fine. Don't use /usr/bin/java (the gnu jvm)! Install a JVM from Sun or IBM or BEA or Blackdown, or Kaffe, at the very least, and use that instead. After installing a vendor's JVM, make sure you use the java executable they provide. For example: /opt/java/ibm-java-ppc-60/bin/java yours, Julius OK [EMAIL PROTECTED]:~/java/sslSocket$ echo $JAVA_HOME /opt/jdk1.5.0_15/ [EMAIL PROTECTED]:~/java/sslSocket$ which java /opt/jdk1.5.0_15//bin//java It changed the error. I suspect it has to do with my inability to set the cipher as I mentioned before. Exception in thread main javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure Thanks, Jim. Let me add this. This is the guts of the C++ program I'm trying to duplicate. I ripped out the non essential code such as error checking, debug output and statistic gathering. Any suggestions on how to implement this in Java would be helpful. SSL_library_init (); SSL_METHOD *method; method = SSLv3_client_method (); ptrCTX = SSL_CTX_new (method); if (!SSL_CTX_set_cipher_list (ptrCTX, ADH)) { ptrSSL = SSL_new (ptrCTX); int xx = SSL_set_fd (ptrSSL, fdSocket); SSL_load_error_strings (); SSL_set_connect_state (ptrSSL); sbio = BIO_new_socket (fdSocket, BIO_NOCLOSE); SSL_set_bio (ptrSSL, sbio, sbio); retcode = SSL_connect (ptrSSL); retcode = SSL_write (ptrSSL, (const void *) message.c_str (), message.length ()); retcode = SSL_read (ptrSSL, response, 200); SSL_shutdown(ptrSSL); SSL_free(ptrSSL); SSL_CTX_free(ptrCTX); Thanks, Jim.
Cannot install via Cygwin
I am trying to build and install openssl via Cygwin. I followed the instructions and I only hit a bump when I attempt make install During which I get a boatload of errors. The last few lines of output were: /SSL_want.3man3 : No such file or directoryl/ssl/man/man3 /: No such file or directoryocal/ssl/man/man3 /SSL_write.3an3 : No such file or directoryl/ssl/man/man3 /: No such file or directoryocal/ssl/man/man3 /d2i_SSL_SESSION.3 : No such file or directoryl/ssl/man/man3 /: No such file or directoryocal/ssl/man/man3 /ssl.3ling man3 : No such file or directoryl/ssl/man/man3 /: No such file or directoryocal/ssl/man/man3 make: *** [install_docs] Error 1 There is no definitive error reported but openssl is not known within my Cygwin shell afterwards. Help! I have no clue as to the work-around here. Eric Chamberlain VentriPoint, Inc. | www.ventripoint.com | Software Engineer Helping heart care through innovative diagnostic solutions attachment: winmail.dat
HTTPS put file in perl
Anybody have some code snippets that uses https to put a file on a webserver? I can't seem to get anything to work. I do have an example in java that works. But I'm no java coder. I would like to convert to perl. + java.net.URL sendUrl =new java.net.URL( http://10.2.0.232:28100/file?cmd=ftname=testfile.msetfilter=mset; ); java.net.HttpURLConnection conn =( java.net.HttpURLConnection )sendUrl.openConnection(); //sendFile.setChunkedStreamingMode( -1 ); conn.setUseCaches( false ); conn.setRequestMethod( PUT ); conn.setDoOutput( true ); conn.connect(); java.io.OutputStreamWriter txtWriter = new java.io.OutputStreamWriter( conn.getOutputStream() ); java.io.BufferedReader br = new java.io.BufferedReader(new java.io.FileReader(new java.io.File(c:\\mark\\testFile2.txt))); String temp=new String(); while((temp=br.readLine())!=null){ txtWriter.write( temp ); txtWriter.write( \n ); } br.close(); txtWriter.close(); //int resp = conn.getResponseCode(); out.write( response Code:+conn.getResponseMessage() ); conn.disconnect();= + TIA, David M. Funk President/CEO Tivoli Certified Enterprise Consultant Specializing in Network and Systems Management Solutions Trinity Solutions 604 Cassandra Dr. Cranberry Twp., PA 16066 Phone: 724-316-0721 Fax: 724-772-7889 email: mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] www:http://www.trinityITsolutions.com http://www.trinityITsolutions.com attachment: winmail.dat
Re: How to extract subjectAltName
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Gerhard Gappmeier wrote: | Thanks for that tip. | | It works now this way: | | UaPkiCertificateInfo UaPkiCertificate::info() const | { [...] | switch ( pName-type ) | { | case GEN_OTHERNAME: | break; | case GEN_EMAIL: | ASN1_STRING_to_UTF8((unsigned char**)pBuffer, | pName-d.ia5); ia5String is basically ASCII, especially in email, since email addresses are limited to the ASCII character set... And every ASCII character is also a valid UTF-8 character... | ret.eMail = pBuffer; | OPENSSL_free(pBuffer); | break; | case GEN_DNS: | ASN1_STRING_to_UTF8((unsigned char**)pBuffer, | pName-d.ia5); also here... | ret.DNS = pBuffer; | OPENSSL_free(pBuffer); | break; | case GEN_X400: | break; | case GEN_DIRNAME: | break; | case GEN_EDIPARTY: | break; | case GEN_URI: | ASN1_STRING_to_UTF8((unsigned char**)pBuffer, | pName-d.ia5); and here... | ret.URI = pBuffer; | OPENSSL_free(pBuffer); | break; | case GEN_IPADD: | ASN1_STRING_to_UTF8((unsigned char**)pBuffer, | pName-d.ia5); here you are wrong. the IP address is stored as binary. So IPv4 - 4 byte data, IPv6 - 16 byte data... Bye Goetz - -- DMCA: The greed of the few outweighs the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.4-svn0 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIWWg62iGqZUF3qPYRAhaYAJ45hFKmn7Vm87KLaG9oS/SuopcFhACfWNrQ CkV2vZpn+OzFacij2YxoRZ4= =2Qz7 -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
how to check if I hv openssl
All, I´m told that having the directives in httpd.conf IfModule ssl_module SSLRandomSeed startup builtin SSLRandomSeed connect builtin /IfModule means that my apache is configured with mod_ssl (and in fact it has). As far as I know, in order to have the mod_ssl working, have to have the library openssl, right? Well, I dont know if my apache has, so I want to check. I dont know what is the command to check it. If you can help, it´ll be appreciated. Here are the environment configuration: Web server: Apache/2.0.46 (Unix) mod_jk/1.2.4 Server: -HP-UX Tomcat: 4.0 Thanks for your attention. Ingrid __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to extract subjectAltName
thank you so much for the help i hope that the info i just sent works! thank you -Original Message- From: [EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Wed, 18 Jun 2008 1:26 am Subject: Re: How to extract subjectAltName i have n o t one idea what that means... i got out on this list by accident or type-o I have no way of looking at any of the thousands of emails i have rec'd and been able to find one thing i could understand. please HELP -Original Message- From: Gerhard Gappmeier [EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Wed, 18 Jun 2008 1:09 am Subject: Re: How to extract subjectAltName Thanks for that tip. It works now this way: UaPkiCertificateInfo UaPkiCertificate::info() const { UaPkiCertificateInfo ret; X509_EXTENSION *pExt; char *pBuffer = 0; int length = 0; GENERAL_NAMES *subjectAltNames; subjectAltNames = ( GENERAL_NAMES* ) X509_get_ext_d2i ( m_pCert, NID_subject_alt_name, NULL, NULL ); if ( subjectAltNames ) { int numalts; int i; /* get amount of alternatives, RFC2459 claims there MUST be at least one, but we don't depend on it... */ numalts = sk_GENERAL_NAME_num ( subjectAltNames ); /* loop through all alternatives */ for ( i=0; ( inumalts ); i++ ) { /* get a handle to alternative name number i */ const GENERAL_NAME *pName = sk_GENERAL_NAME_value ( subjectAltNames, i ); switch ( pName-type ) { case GEN_OTHERNAME: break; case GEN_EMAIL: ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pName-d.ia5); ret.eMail = pBuffer; OPENSSL_free(pBuffer); break; case GEN_DNS: ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pName-d.ia5); ret.DNS = pBuffer; OPENSSL_free(pBuffer); break; case GEN_X400: break; case GEN_DIRNAME: break; case GEN_EDIPARTY: break; case GEN_URI: ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pName-d.ia5); ret.URI = pBuffer; OPENSSL_free(pBuffer); break; case GEN_IPADD: ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pName-d.ia5); ret.IP = pBuffer; OPENSSL_free(pBuffer); break; case GEN_RID: break; } } } return ret; } On Tuesday 17 June 2008 23:56:26 Goetz Babin-Ebell wrote: GeneralNames *names; STACK_OF(CONF_VALUE) *vals = sk_CONV_VALUE_new_null(); names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); if (names) { /* you now can use OpenSSL to transform the names into some printable format... */ i2v_GENERAL_NAMES(NULL, names, vals); sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); } for(int i = 0; i sk_CONF_VALUE_num(vals); i++) { CONF_VALUE *conf = sk_CONF_VALUE_value(vals, i); ret.subjectAltName.appendNameValue(conf-name, conf-value); } sk_CONF_VALUE_pop_free(vals, CONF_VALUE_free); -- mit freundlichen Grüßen / best regards Gerhard Gappmeier ascolab GmbH - automation system communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] Get the Moviefone Toolbar. Showtimes, theaters, movie news, more!
Re: How to extract subjectAltName
Gerhard Gappmeier wrote: Hi, I try to read subjectAltName, but ASN1_STRING_to_UTF8 seems not to work. For the X509_NAME entries the same procedure works, but this ASN1_STRING seems to be different. In the debugger I can already see the ASN1_STRING: pString-length = 43 pString-type = 4 pString-data = 0)†urn:x:bla‚ xxx pString-flags = 0 Code snippet: UaPkiCertificateInfo UaPkiCertificate::info() const { UaPkiCertificateInfo ret; X509_EXTENSION *pExt; char *pBuffer = 0; int length = 0; int loc = X509_get_ext_by_NID(m_pCert, NID_subject_alt_name, -1); pExt = X509_get_ext(m_pCert, loc); if (pExt) { ASN1_STRING *pString = X509_EXTENSION_get_data(pExt); length = ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pString); ret.subjectAltName = pBuffer; OPENSSL_free(pBuffer); } return ret; } regards, Gerhard __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] Hello, TO get data from X509V3 cert, i use bio function : BIO *bio = BIO_new(BIO_s_mem()); X509_EXTENSION * ex = X509_get_ext( _d_cert,i); // get the type if(!X509V3_EXT_print(bio, ex, 0, 0))// read the text of this extention M_ASN1_OCTET_STRING_print(bio,ex-value); len = BIO_read(bio, buffer, BUFFER_SIZE);// here buffer contain the text, len the lenght of it. buffer[len] = '\0';// add the EOT sign, buffer contain a readable text. Hope it can help you ;) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to unsubsribe from OpenSSL Users ML
Send a message to openssl-users@openssl.org with the following text in the body. unsubscribe openssl-users For more info see below. I hope this helps you :-) -- Welcome to the openssl-users mailing list! Please save this message for future reference. Thank you. If you ever want to remove yourself from this mailing list, you can send mail to [EMAIL PROTECTED] with the following command in the body of your email message: unsubscribe openssl-users or from another account, besides [EMAIL PROTECTED]: unsubscribe openssl-users [EMAIL PROTECTED] If you ever need to get in contact with the owner of the list, (if you have trouble unsubscribing, or have questions about the list itself) send email to [EMAIL PROTECTED] . This is the general rule for most mailing lists when you need to contact a human. Here's the general information for the list you've subscribed to, in case you don't already have it: This open mailing list is used for discussions between the OpenSSL users. Everyone can post. [EMAIL PROTECTED] schrieb: *i haven o tone idea what that means... i got out on this list by accident or type-o I have no way of looking at any of the thousands of emails i have rec'd and been able to find one thing i could understand. please HELP* -- mit freundlichen Grüßen / best regards *Gerhard Gappmeier* ascolab GmbH - automation systems communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc -- *ascolab GmbH* Geschäftsführer: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß Sitz der Gesellschaft: Am Weichselgarten 7 • 91058 Erlangen • Germany Registernummer: HRB 9360 Registergericht: Amtsgericht Fürth
pkey?
I'm trying to convert a pgp key and crt using the pkey parameter/flag, but when I type in openssl pkey I get the following error openssl pkey openssl:Error: 'pkey' is an invalid command. I've tried upgrading to the latest version, why is there comprehensive documentation on this command when it doesn't exist? http://www.openssl.org/docs/apps/pkey.html Thanks for your time. Dan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: I'm having trouble getting an ssl client programmed in java
Your very first code example (without the context) should be fine! There is no need to set any ciphers. Java has a list of ciphers it will automatically try to use. If you like downloading jar files, here's another way: http://juliusdavies.ca/commons-ssl/ssl.html yours, Julius On Wed, Jun 18, 2008 at 11:27 AM, Jim Lynch [EMAIL PROTECTED] wrote: On Wed, Jun 18, 2008 at 2:14 PM, AverageGuy [EMAIL PROTECTED] wrote: Julius Davies-2 wrote: Your code is fine. Don't use /usr/bin/java (the gnu jvm)! Install a JVM from Sun or IBM or BEA or Blackdown, or Kaffe, at the very least, and use that instead. After installing a vendor's JVM, make sure you use the java executable they provide. For example: /opt/java/ibm-java-ppc-60/bin/java yours, Julius OK [EMAIL PROTECTED]:~/java/sslSocket$ echo $JAVA_HOME /opt/jdk1.5.0_15/ [EMAIL PROTECTED]:~/java/sslSocket$ which java /opt/jdk1.5.0_15//bin//java It changed the error. I suspect it has to do with my inability to set the cipher as I mentioned before. Exception in thread main javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure Thanks, Jim. Let me add this. This is the guts of the C++ program I'm trying to duplicate. I ripped out the non essential code such as error checking, debug output and statistic gathering. Any suggestions on how to implement this in Java would be helpful. SSL_library_init (); SSL_METHOD *method; method = SSLv3_client_method (); ptrCTX = SSL_CTX_new (method); if (!SSL_CTX_set_cipher_list (ptrCTX, ADH)) { ptrSSL = SSL_new (ptrCTX); int xx = SSL_set_fd (ptrSSL, fdSocket); SSL_load_error_strings (); SSL_set_connect_state (ptrSSL); sbio = BIO_new_socket (fdSocket, BIO_NOCLOSE); SSL_set_bio (ptrSSL, sbio, sbio); retcode = SSL_connect (ptrSSL); retcode = SSL_write (ptrSSL, (const void *) message.c_str (), message.length ()); retcode = SSL_read (ptrSSL, response, 200); SSL_shutdown(ptrSSL); SSL_free(ptrSSL); SSL_CTX_free(ptrCTX); Thanks, Jim. -- yours, Julius Davies 250-592-2284 (Home) 250-893-4579 (Mobile) http://juliusdavies.ca/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: how to check if I hv openssl
Liao [EMAIL PROTECTED] wrote: As far as I know, in order to have the mod_ssl working, have to have the library openssl, right? Well, I dont know if my apache has, so I want to check. This really isn't an OpenSSL question -- it has to do with your platform. If you were on Linux, I'd tell you to check using your package manager -- yum or apt or emerge. But on HP-UX, I have no idea what the package manager is. You could check to see if you have a command called `openssl`. The first, easiest check is with `which`: :; which openssl If it gives you a path, great! You have OpenSSL. Let us hope it was the one your Apache module was built against... If you can't find it that way, you could snoop around with `find` or `locate`: :; find / -type f -name 'openssl' :; locate openssl These will be a lot more verbose. If you need more help, please email me off list. -- _jsn __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: How to unsubscribe from OpenSSL Users ML
Actually, I wasn’t requesting to be removed from your mailing list. The mailing list I requested to be removed from was reunion.com. they send hundreds (No! not kidding) of unsolicited e-mails to my address. Brenda Herrera is the target name. the lady who runs the service tells people she found Brenda Herrera and gives them my e-mail address, she then collects money from them. By the time they receive my standard, wise up stupid e-mail it’s too late. She also sells e-mail addresses to the time wasting trash of the universe. Open SSL has some of the only useful information I ever get in e-mails. I rarely submit things. I prefer to read and observe. Back to work for wicked me. Carrie From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gerhard Gappmeier Sent: Wednesday, June 18, 2008 2:47 AM To: openssl-users@openssl.org; [EMAIL PROTECTED] Subject: Re: How to unsubsribe from OpenSSL Users ML Send a message to openssl-users@openssl.org with the following text in the body. unsubscribe openssl-users For more info see below. I hope this helps you :-) -- Welcome to the openssl-users mailing list! Please save this message for future reference. Thank you. If you ever want to remove yourself from this mailing list, you can send mail to mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] with the following command in the body of your email message: unsubscribe openssl-users or from another account, besides [EMAIL PROTECTED]: unsubscribe openssl-users [EMAIL PROTECTED] If you ever need to get in contact with the owner of the list, (if you have trouble unsubscribing, or have questions about the list itself) send email to mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] . This is the general rule for most mailing lists when you need to contact a human. Here's the general information for the list you've subscribed to, in case you don't already have it: This open mailing list is used for discussions between the OpenSSL users. Everyone can post. [EMAIL PROTECTED] schrieb: i haven o tone idea what that means... i got out on this list by accident or type-o I have no way of looking at any of the thousands of emails i have rec'd and been able to find one thing i could understand. please HELP -- mit freundlichen Grüßen / best regards Gerhard Gappmeier ascolab GmbH - automation systems communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc -- ascolab GmbH Geschäftsführer: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß Sitz der Gesellschaft: Am Weichselgarten 7 • 91058 Erlangen • Germany Registernummer: HRB 9360 Registergericht: Amtsgericht Fürth __ Information from ESET NOD32 Antivirus, version of virus signature database 2888 (20080220) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 2888 (20080220) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
Non Repudiation error in MIC calculation
Hi, This is for AS2, specifically Signed, then Encrypted message. Before I encrypt I simply checksum SHA1 the file with the muitipart content: EDI data on first part and signature on second. Mime Headers are canonical crlf at end of each mime header. Signature is binary because my trading partner wants it like that. Anyway. There is a whole package with multipart content, boundaries, etc. I attached it here: http://www.nabble.com/file/p17994998/mictest.txt mictest.txt Ok, if you do a SHA1 over it you get 229585b2927684ac1f8dae4290e3e70d6d9cb53f and if the sha1 is run as binary to then be injected in a base64 encoder (openssl sha1 -binary mictest.txt|openssl enc -a, you get: IpWFspJ2hKwfja5CkOPnDW2ctT8= Though, my trading partner with his WPG says that's not the value of the MIC, he gets Uiaz1kOChhlSb/f3SJsmJ/O/8SI= instead. Because the message is encrypted (asymetric, so one needs a certificate and private key to open) , the decryption brings out a quite monolithic unit, headers are canonical and there is a crlf after the last boundary too, ¿what then could be the error in the MIC calculation? Thanks for the help -- View this message in context: http://www.nabble.com/Non-Repudiation-error-in-MIC-calculation-tp17994998p17994998.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]