Re: Removal from mailing list
if you find out? PLEASE LET ME KNOW? HELP! -Original Message- From: Daniel Arguello [EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Tue, 17 Jun 2008 3:53 pm Subject: Removal from mailing list Hi. I'd like to get myself removed from the mailing list. What do I do? Thanks, Dan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to extract subjectAltName
Thanks for that tip.
It works now this way:
UaPkiCertificateInfo UaPkiCertificate::info() const
{
UaPkiCertificateInfo ret;
X509_EXTENSION *pExt;
char *pBuffer = 0;
int length = 0;
GENERAL_NAMES *subjectAltNames;
subjectAltNames = ( GENERAL_NAMES* ) X509_get_ext_d2i ( m_pCert,
NID_subject_alt_name, NULL, NULL );
if ( subjectAltNames )
{
int numalts;
int i;
/* get amount of alternatives, RFC2459 claims there MUST be at least
one, but we don't depend on it... */
numalts = sk_GENERAL_NAME_num ( subjectAltNames );
/* loop through all alternatives */
for ( i=0; ( inumalts ); i++ )
{
/* get a handle to alternative name number i */
const GENERAL_NAME *pName = sk_GENERAL_NAME_value (
subjectAltNames, i );
switch ( pName-type )
{
case GEN_OTHERNAME:
break;
case GEN_EMAIL:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.eMail = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_DNS:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.DNS = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_X400:
break;
case GEN_DIRNAME:
break;
case GEN_EDIPARTY:
break;
case GEN_URI:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.URI = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_IPADD:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.IP = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_RID:
break;
}
}
}
return ret;
}
On Tuesday 17 June 2008 23:56:26 Goetz Babin-Ebell wrote:
GeneralNames *names;
STACK_OF(CONF_VALUE) *vals = sk_CONV_VALUE_new_null();
names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
if (names) {
/* you now can use OpenSSL to transform the names into
some printable format... */
i2v_GENERAL_NAMES(NULL, names, vals);
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
}
for(int i = 0; i sk_CONF_VALUE_num(vals); i++) {
CONF_VALUE *conf = sk_CONF_VALUE_value(vals, i);
ret.subjectAltName.appendNameValue(conf-name, conf-value);
}
sk_CONF_VALUE_pop_free(vals, CONF_VALUE_free);
--
mit freundlichen Grüßen / best regards
Gerhard Gappmeier
ascolab GmbH - automation system communication laboratory
Tel.: +49 9131 691 123
Fax: +49 9131 691 128
Web: http://www.ascolab.com
GPG-Key: http://www.ascolab.com/gpg/gg.asc
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: How to extract subjectAltName
i have n o t one idea what that means... i got out on this list by
accident or type-o I have no way of looking at any of the thousands of emails
i have rec'd and been able to find one thing i could understand. please
HELP
-Original Message-
From: Gerhard Gappmeier [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Wed, 18 Jun 2008 1:09 am
Subject: Re: How to extract subjectAltName
Thanks for that tip.
It works now this way:
UaPkiCertificateInfo UaPkiCertificate::info() const
{
UaPkiCertificateInfo ret;
X509_EXTENSION *pExt;
char *pBuffer = 0;
int length = 0;
GENERAL_NAMES *subjectAltNames;
subjectAltNames = ( GENERAL_NAMES* ) X509_get_ext_d2i ( m_pCert,
NID_subject_alt_name, NULL, NULL );
if ( subjectAltNames )
{
int numalts;
int i;
/* get amount of alternatives, RFC2459 claims there MUST be at least
one, but we don't depend on it... */
numalts = sk_GENERAL_NAME_num ( subjectAltNames );
/* loop through all alternatives */
for ( i=0; ( inumalts ); i++ )
{
/* get a handle to alternative name number i */
const GENERAL_NAME *pName = sk_GENERAL_NAME_value (
subjectAltNames, i );
switch ( pName-type )
{
case GEN_OTHERNAME:
break;
case GEN_EMAIL:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.eMail = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_DNS:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.DNS = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_X400:
break;
case GEN_DIRNAME:
break;
case GEN_EDIPARTY:
break;
case GEN_URI:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.URI = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_IPADD:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.IP = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_RID:
break;
}
}
}
return ret;
}
On Tuesday 17 June 2008 23:56:26 Goetz Babin-Ebell wrote:
GeneralNames *names;
STACK_OF(CONF_VALUE) *vals = sk_CONV_VALUE_new_null();
names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
if (names) {
/* you now can use OpenSSL to transform the names into
some printable format... */
i2v_GENERAL_NAMES(NULL, names, vals);
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
}
for(int i = 0; i sk_CONF_VALUE_num(vals); i++) {
CONF_VALUE *conf = sk_CONF_VALUE_value(vals, i);
ret.subjectAltName.appendNameValue(conf-name, conf-value);
}
sk_CONF_VALUE_pop_free(vals, CONF_VALUE_free);
--
mit freundlichen Grüßen / best regards
Gerhard Gappmeier
ascolab GmbH - automation system communication laboratory
Tel.: +49 9131 691 123
Fax: +49 9131 691 128
Web: http://www.ascolab.com
GPG-Key: http://www.ascolab.com/gpg/gg.asc
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: How to unsubsribe from OpenSSL Users ML
Ups, wrong address before. Send a message to [EMAIL PROTECTED] with the following text in the body. unsubscribe openssl-users For more info see below. I hope this helps you :-) -- Welcome to the openssl-users mailing list! Please save this message for future reference. Thank you. If you ever want to remove yourself from this mailing list, you can send mail to [EMAIL PROTECTED] with the following command in the body of your email message: unsubscribe openssl-users or from another account, besides [EMAIL PROTECTED]: unsubscribe openssl-users [EMAIL PROTECTED] If you ever need to get in contact with the owner of the list, (if you have trouble unsubscribing, or have questions about the list itself) send email to [EMAIL PROTECTED] . This is the general rule for most mailing lists when you need to contact a human. Here's the general information for the list you've subscribed to, in case you don't already have it: This open mailing list is used for discussions between the OpenSSL users. Everyone can post. [EMAIL PROTECTED] schrieb: *i haven o tone idea what that means... i got out on this list by accident or type-o I have no way of looking at any of the thousands of emails i have rec'd and been able to find one thing i could understand. please HELP* -- mit freundlichen Grüßen / best regards *Gerhard Gappmeier* ascolab GmbH - automation systems communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc -- *ascolab GmbH* Geschäftsführer: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß Sitz der Gesellschaft: Am Weichselgarten 7 • 91058 Erlangen • Germany Registernummer: HRB 9360 Registergericht: Amtsgericht Fürth
Re: Removal from mailing list
Hi, if you find out? PLEASE LET ME KNOW? HELP! if you read instructions this is the first email you ever got from this list: Welcome to the openssl-users mailing list! Please save this message for future reference. Thank you. If you ever want to remove yourself from this mailing list, you can send mail to [EMAIL PROTECTED] with the following command in the body of your email message: unsubscribe openssl-users alan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
I'm having trouble getting an ssl client programmed in java
I am attempting to connect to an ssl server that isn't a web site. I have
C++ client code that works and would like to get a java client working. My
initial attempt fails with a
Exception in thread main gnu.javax.net.ssl.provider.AlertException:
ILLEGAL_PARAMETER: remotely generated; FATAL
message. That's not surprising since it is a simple program that does
essentially:
SocketFactory sf = SSLSocketFactory.getDefault();
Socket s = sf.createSocket(args[0], Integer.parseInt(args[1]));
BufferedOutputStream bro = new
BufferedOutputStream(s.getOutputStream());
bro.write(buf,0,msgLen);
And fails on the write.
So I decided to add a context, since that's what the C++ code did.
SSLContext sc = SSLContext.getInstance ( SSLv3 ) ;
sc.init (null,null,null) ;
sc.createSSLEngine();
SocketFactory sf = sc.getSocketFactory();
This gives the same result. In the C++ code I specify a cipher, like:
if (!SSL_CTX_set_cipher_list (ptrCTX, ADH)) {
ptrSSL = SSL_new (ptrCTX);
int xx = SSL_set_fd (ptrSSL, fdSocket);
But I can't find a way to set a cipher into the context. The only mention
of ciphers in the API seem to be in the SSLEngine class and I can't find a
way to link that class into what I'm doing, so I'm pretty well stuck at this
point.
So one question, is that SSLv3 an acceptable protocol? The only examples
I've found set that to SSL but in the C++ code I have:
SSL_METHOD *method;
method = SSLv3_client_method ();
ptrCTX = SSL_CTX_new (method);
I have no idea if that's the equivalent or not, I'm searching in the dark.
I have read the SSL and TLS book but it like most examples assumes an http
client which this is not.
Another question is how do I specify a cipher and/or do I have to?
Thanks for any pointers.
Jim.
--
View this message in context:
http://www.nabble.com/I%27m-having-trouble-getting-an-ssl-client-programmed-in-java-tp17980660p17980660.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
openssl+openvpn+gost89
(sorry for my english) Hi all. I'm trying to make openvpn tunnel using gost89 as cipher for traffic. For this purpose I generated my CA, public/private keys for client and server, and then trying to connect them all going ok: Wed Jun 18 13:26:34 2008 us=231723 10.1.1.110:1194 VERIFY OK: depth=1, /C=qw/ST=qw/L=qw/O=qw/OU=qw/CN=qw/emailAddress=qw Wed Jun 18 13:26:34 2008 us=233111 10.1.1.110:1194 VERIFY OK: depth=0, /C=qw/ST=er/L=er/O=er/OU=er/CN=er/emailAddress=er except Assertion failed at crypto.c :168 in openvpn file, after first data going from client to server. This bug in configuration of openvpn or openssl? server.conf dev tun ifconfig 10.1.1.112 10.1.1.111 ca cacert.pem cert newcert.pem engine gost cipher gost89 comp-lzo client.conf remote 10.1.1.107 dev tun cert servA.pem ca cacert.pem ifconfig 10.1.1.111 10.1.1.112 engine gost cipher gost89 comp-lzo as I can see in http://cryptocom.ru/OpenSource/OpenSSL_rus.html, there is no info about openvpn. -- Software is like sex, it is better when it's free
Reference Counters in OpenSSL
Hi some functions like X509_PUBKEY_get increment the internal reference counter of the object so that EVP_PKEY_free( pKey ) has to be called. Other functions like X509_get_X509_PUBKEY just return an internal pointer and I have to care myself about reference counting. Is there a general rule or naming convention to know how to use that? Or is the only possibilty to figure that out debugging into the code? -- mit freundlichen Grüßen / best regards *Gerhard Gappmeier* ascolab GmbH - automation systems communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc -- *ascolab GmbH* Geschäftsführer: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß Sitz der Gesellschaft: Am Weichselgarten 7 . 91058 Erlangen . Germany Registernummer: HRB 9360 Registergericht: Amtsgericht Fürth
Re: Reference Counters in OpenSSL
On Wed, Jun 18, 2008, Gerhard Gappmeier wrote: Hi some functions like X509_PUBKEY_get increment the internal reference counter of the object so that EVP_PKEY_free( pKey ) has to be called. Other functions like X509_get_X509_PUBKEY just return an internal pointer and I have to care myself about reference counting. Is there a general rule or naming convention to know how to use that? Or is the only possibilty to figure that out debugging into the code? If the function has a '1' in the name it ups the reference count. If it has a '0' it doesn't. Unfortunately there are quiet a few functions around which existed before this convention was decided on which can do either :-( Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Extracting certificate serial numbers from a CRL
Dear list, I am receiving a CRL. After checking its validity against the issuer's certificate, I would like to use the API to access the certificate serial numbers of the revoked certificates. With the command line and asn1parse I can check the serial numbers and the dates of revocation as INTEGER and UTCTIME, but I could not find a method to retrieve the serial numbers since these data is not stored as an extension in the CRL. Could anyone provide me with some hints ? I'll keep on trying ! Best regards, Jordi
Re: I'm having trouble getting an ssl client programmed in java
Your code is fine. Don't use /usr/bin/java (the gnu jvm)! Install a
JVM from Sun or IBM or BEA or Blackdown, or Kaffe, at the very least,
and use that instead.
After installing a vendor's JVM, make sure you use the java
executable they provide. For example:
/opt/java/ibm-java-ppc-60/bin/java
yours,
Julius
On Wed, Jun 18, 2008 at 6:07 AM, AverageGuy [EMAIL PROTECTED] wrote:
I am attempting to connect to an ssl server that isn't a web site. I have
C++ client code that works and would like to get a java client working. My
initial attempt fails with a
Exception in thread main gnu.javax.net.ssl.provider.AlertException:
ILLEGAL_PARAMETER: remotely generated; FATAL
message. That's not surprising since it is a simple program that does
essentially:
SocketFactory sf = SSLSocketFactory.getDefault();
Socket s = sf.createSocket(args[0], Integer.parseInt(args[1]));
BufferedOutputStream bro = new
BufferedOutputStream(s.getOutputStream());
bro.write(buf,0,msgLen);
And fails on the write. So I decided to add a context, since that's what the
C++ code did.
SSLContext sc = SSLContext.getInstance ( SSLv3 ) ;
sc.init (null,null,null) ;
sc.createSSLEngine();
SocketFactory sf = sc.getSocketFactory();
This gives the same result. In the C++ code I specify a cipher, like:
if (!SSL_CTX_set_cipher_list (ptrCTX, ADH)) {
ptrSSL = SSL_new (ptrCTX);
int xx = SSL_set_fd (ptrSSL, fdSocket);
But I can't find a way to set a cipher into the context. The only mention of
ciphers in the API seem to be in the SSLEngine class and I can't find a way
to link that class into what I'm doing, so I'm pretty well stuck at this
point. So one question, is that SSLv3 an acceptable protocol? The only
examples I've found set that to SSL but in the C++ code I have:
SSL_METHOD *method;
method = SSLv3_client_method ();
ptrCTX = SSL_CTX_new (method);
I have no idea if that's the equivalent or not, I'm searching in the dark. I
have read the SSL and TLS book but it like most examples assumes an http
client which this is not.
Another question is how do I specify a cipher and/or do I have to?
Thanks for any pointers.
Jim.
View this message in context: I'm having trouble getting an ssl client
programmed in java
Sent from the OpenSSL - User mailing list archive at Nabble.com.
--
yours,
Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)
http://juliusdavies.ca/
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: I'm having trouble getting an ssl client programmed in java
Julius Davies-2 wrote: Your code is fine. Don't use /usr/bin/java (the gnu jvm)! Install a JVM from Sun or IBM or BEA or Blackdown, or Kaffe, at the very least, and use that instead. After installing a vendor's JVM, make sure you use the java executable they provide. For example: /opt/java/ibm-java-ppc-60/bin/java yours, Julius OK [EMAIL PROTECTED]:~/java/sslSocket$ echo $JAVA_HOME /opt/jdk1.5.0_15/ [EMAIL PROTECTED]:~/java/sslSocket$ which java /opt/jdk1.5.0_15//bin//java It changed the error. I suspect it has to do with my inability to set the cipher as I mentioned before. Exception in thread main javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure Thanks, Jim. -- View this message in context: http://www.nabble.com/I%27m-having-trouble-getting-an-ssl-client-programmed-in-java-tp17980660p17988839.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: I'm having trouble getting an ssl client programmed in java
On Wed, Jun 18, 2008 at 2:14 PM, AverageGuy [EMAIL PROTECTED] wrote:
Julius Davies-2 wrote:
Your code is fine. Don't use /usr/bin/java (the gnu jvm)! Install a
JVM from Sun or IBM or BEA or Blackdown, or Kaffe, at the very least,
and use that instead.
After installing a vendor's JVM, make sure you use the java
executable they provide. For example:
/opt/java/ibm-java-ppc-60/bin/java
yours,
Julius
OK
[EMAIL PROTECTED]:~/java/sslSocket$ echo $JAVA_HOME
/opt/jdk1.5.0_15/
[EMAIL PROTECTED]:~/java/sslSocket$ which java
/opt/jdk1.5.0_15//bin//java
It changed the error. I suspect it has to do with my inability to set the
cipher as I mentioned before.
Exception in thread main javax.net.ssl.SSLHandshakeException: Received
fatal alert: handshake_failure
Thanks,
Jim.
Let me add this. This is the guts of the C++ program I'm trying to
duplicate. I ripped out the non essential code such as error checking,
debug output and statistic gathering.
Any suggestions on how to implement this in Java would be helpful.
SSL_library_init ();
SSL_METHOD *method;
method = SSLv3_client_method ();
ptrCTX = SSL_CTX_new (method);
if (!SSL_CTX_set_cipher_list (ptrCTX, ADH)) {
ptrSSL = SSL_new (ptrCTX);
int xx = SSL_set_fd (ptrSSL, fdSocket);
SSL_load_error_strings ();
SSL_set_connect_state (ptrSSL);
sbio = BIO_new_socket (fdSocket, BIO_NOCLOSE);
SSL_set_bio (ptrSSL, sbio, sbio);
retcode = SSL_connect (ptrSSL);
retcode =
SSL_write (ptrSSL, (const void *) message.c_str (),
message.length ());
retcode = SSL_read (ptrSSL, response, 200);
SSL_shutdown(ptrSSL);
SSL_free(ptrSSL);
SSL_CTX_free(ptrCTX);
Thanks,
Jim.
Cannot install via Cygwin
I am trying to build and install openssl via Cygwin. I followed the instructions and I only hit a bump when I attempt make install During which I get a boatload of errors. The last few lines of output were: /SSL_want.3man3 : No such file or directoryl/ssl/man/man3 /: No such file or directoryocal/ssl/man/man3 /SSL_write.3an3 : No such file or directoryl/ssl/man/man3 /: No such file or directoryocal/ssl/man/man3 /d2i_SSL_SESSION.3 : No such file or directoryl/ssl/man/man3 /: No such file or directoryocal/ssl/man/man3 /ssl.3ling man3 : No such file or directoryl/ssl/man/man3 /: No such file or directoryocal/ssl/man/man3 make: *** [install_docs] Error 1 There is no definitive error reported but openssl is not known within my Cygwin shell afterwards. Help! I have no clue as to the work-around here. Eric Chamberlain VentriPoint, Inc. | www.ventripoint.com | Software Engineer Helping heart care through innovative diagnostic solutions attachment: winmail.dat
HTTPS put file in perl
Anybody have some code snippets that uses https to put a file on a
webserver? I can't seem to get anything to work. I do have an example in
java that works. But I'm no java coder. I would like to convert to perl.
+
java.net.URL sendUrl =new java.net.URL(
http://10.2.0.232:28100/file?cmd=ftname=testfile.msetfilter=mset; );
java.net.HttpURLConnection conn =( java.net.HttpURLConnection
)sendUrl.openConnection();
//sendFile.setChunkedStreamingMode( -1 );
conn.setUseCaches( false );
conn.setRequestMethod( PUT );
conn.setDoOutput( true );
conn.connect();
java.io.OutputStreamWriter txtWriter = new java.io.OutputStreamWriter(
conn.getOutputStream() );
java.io.BufferedReader br = new java.io.BufferedReader(new
java.io.FileReader(new java.io.File(c:\\mark\\testFile2.txt)));
String temp=new String();
while((temp=br.readLine())!=null){
txtWriter.write( temp );
txtWriter.write( \n );
}
br.close();
txtWriter.close();
//int resp = conn.getResponseCode();
out.write( response Code:+conn.getResponseMessage() );
conn.disconnect();=
+
TIA,
David M. Funk
President/CEO
Tivoli Certified Enterprise Consultant
Specializing in Network and Systems Management Solutions
Trinity Solutions
604 Cassandra Dr.
Cranberry Twp., PA 16066
Phone: 724-316-0721
Fax: 724-772-7889
email: mailto:[EMAIL PROTECTED] [EMAIL PROTECTED]
www:http://www.trinityITsolutions.com
http://www.trinityITsolutions.com
attachment: winmail.dat
Re: How to extract subjectAltName
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gerhard Gappmeier wrote:
| Thanks for that tip.
|
| It works now this way:
|
| UaPkiCertificateInfo UaPkiCertificate::info() const
| {
[...]
| switch ( pName-type )
| {
| case GEN_OTHERNAME:
| break;
| case GEN_EMAIL:
| ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
| pName-d.ia5);
ia5String is basically ASCII, especially in email, since email addresses
are limited to the ASCII character set...
And every ASCII character is also a valid UTF-8 character...
| ret.eMail = pBuffer;
| OPENSSL_free(pBuffer);
| break;
| case GEN_DNS:
| ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
| pName-d.ia5);
also here...
| ret.DNS = pBuffer;
| OPENSSL_free(pBuffer);
| break;
| case GEN_X400:
| break;
| case GEN_DIRNAME:
| break;
| case GEN_EDIPARTY:
| break;
| case GEN_URI:
| ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
| pName-d.ia5);
and here...
| ret.URI = pBuffer;
| OPENSSL_free(pBuffer);
| break;
| case GEN_IPADD:
| ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
| pName-d.ia5);
here you are wrong.
the IP address is stored as binary.
So IPv4 - 4 byte data, IPv6 - 16 byte data...
Bye
Goetz
- --
DMCA: The greed of the few outweighs the freedom of the many
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.4-svn0 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIWWg62iGqZUF3qPYRAhaYAJ45hFKmn7Vm87KLaG9oS/SuopcFhACfWNrQ
CkV2vZpn+OzFacij2YxoRZ4=
=2Qz7
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
how to check if I hv openssl
All, I´m told that having the directives in httpd.conf IfModule ssl_module SSLRandomSeed startup builtin SSLRandomSeed connect builtin /IfModule means that my apache is configured with mod_ssl (and in fact it has). As far as I know, in order to have the mod_ssl working, have to have the library openssl, right? Well, I dont know if my apache has, so I want to check. I dont know what is the command to check it. If you can help, it´ll be appreciated. Here are the environment configuration: Web server: Apache/2.0.46 (Unix) mod_jk/1.2.4 Server: -HP-UX Tomcat: 4.0 Thanks for your attention. Ingrid __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: How to extract subjectAltName
thank you so much for the help i hope that the info i just sent
works! thank you
-Original Message-
From: [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Wed, 18 Jun 2008 1:26 am
Subject: Re: How to extract subjectAltName
i have n o t one idea what that means... i got out on this list by
accident or type-o I have no way of looking at any of the thousands of emails
i have rec'd and been able to find one thing i could understand. please
HELP
-Original Message-
From: Gerhard Gappmeier [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Wed, 18 Jun 2008 1:09 am
Subject: Re: How to extract subjectAltName
Thanks for that tip.
It works now this way:
UaPkiCertificateInfo UaPkiCertificate::info() const
{
UaPkiCertificateInfo ret;
X509_EXTENSION *pExt;
char *pBuffer = 0;
int length = 0;
GENERAL_NAMES *subjectAltNames;
subjectAltNames = ( GENERAL_NAMES* ) X509_get_ext_d2i ( m_pCert,
NID_subject_alt_name, NULL, NULL );
if ( subjectAltNames )
{
int numalts;
int i;
/* get amount of alternatives, RFC2459 claims there MUST be at least
one, but we don't depend on it... */
numalts = sk_GENERAL_NAME_num ( subjectAltNames );
/* loop through all alternatives */
for ( i=0; ( inumalts ); i++ )
{
/* get a handle to alternative name number i */
const GENERAL_NAME *pName = sk_GENERAL_NAME_value (
subjectAltNames, i );
switch ( pName-type )
{
case GEN_OTHERNAME:
break;
case GEN_EMAIL:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.eMail = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_DNS:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.DNS = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_X400:
break;
case GEN_DIRNAME:
break;
case GEN_EDIPARTY:
break;
case GEN_URI:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.URI = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_IPADD:
ASN1_STRING_to_UTF8((unsigned char**)pBuffer,
pName-d.ia5);
ret.IP = pBuffer;
OPENSSL_free(pBuffer);
break;
case GEN_RID:
break;
}
}
}
return ret;
}
On Tuesday 17 June 2008 23:56:26 Goetz Babin-Ebell wrote:
GeneralNames *names;
STACK_OF(CONF_VALUE) *vals = sk_CONV_VALUE_new_null();
names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
if (names) {
/* you now can use OpenSSL to transform the names into
some printable format... */
i2v_GENERAL_NAMES(NULL, names, vals);
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
}
for(int i = 0; i sk_CONF_VALUE_num(vals); i++) {
CONF_VALUE *conf = sk_CONF_VALUE_value(vals, i);
ret.subjectAltName.appendNameValue(conf-name, conf-value);
}
sk_CONF_VALUE_pop_free(vals, CONF_VALUE_free);
--
mit freundlichen Grüßen / best regards
Gerhard Gappmeier
ascolab GmbH - automation system communication laboratory
Tel.: +49 9131 691 123
Fax: +49 9131 691 128
Web: http://www.ascolab.com
GPG-Key: http://www.ascolab.com/gpg/gg.asc
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Get the Moviefone Toolbar. Showtimes, theaters, movie news, more!
Re: How to extract subjectAltName
Gerhard Gappmeier wrote:
Hi,
I try to read subjectAltName, but ASN1_STRING_to_UTF8 seems not to work.
For the X509_NAME entries the same procedure works,
but this ASN1_STRING seems to be different.
In the debugger I can already see the ASN1_STRING:
pString-length = 43
pString-type = 4
pString-data = 0)†
urn:x:bla‚ xxx
pString-flags = 0
Code snippet:
UaPkiCertificateInfo UaPkiCertificate::info() const
{
UaPkiCertificateInfo ret;
X509_EXTENSION *pExt;
char *pBuffer = 0;
int length = 0;
int loc = X509_get_ext_by_NID(m_pCert, NID_subject_alt_name, -1);
pExt = X509_get_ext(m_pCert, loc);
if (pExt)
{
ASN1_STRING *pString = X509_EXTENSION_get_data(pExt);
length = ASN1_STRING_to_UTF8((unsigned char**)pBuffer, pString);
ret.subjectAltName = pBuffer;
OPENSSL_free(pBuffer);
}
return ret;
}
regards,
Gerhard
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Hello,
TO get data from X509V3 cert, i use bio function :
BIO *bio = BIO_new(BIO_s_mem());
X509_EXTENSION * ex = X509_get_ext( _d_cert,i); // get
the type
if(!X509V3_EXT_print(bio, ex, 0, 0))// read the text of this
extention
M_ASN1_OCTET_STRING_print(bio,ex-value);
len = BIO_read(bio, buffer, BUFFER_SIZE);// here buffer contain
the text, len the lenght of it.
buffer[len] = '\0';// add the EOT sign, buffer
contain a readable text.
Hope it can help you ;)
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: How to unsubsribe from OpenSSL Users ML
Send a message to openssl-users@openssl.org with the following text in the body. unsubscribe openssl-users For more info see below. I hope this helps you :-) -- Welcome to the openssl-users mailing list! Please save this message for future reference. Thank you. If you ever want to remove yourself from this mailing list, you can send mail to [EMAIL PROTECTED] with the following command in the body of your email message: unsubscribe openssl-users or from another account, besides [EMAIL PROTECTED]: unsubscribe openssl-users [EMAIL PROTECTED] If you ever need to get in contact with the owner of the list, (if you have trouble unsubscribing, or have questions about the list itself) send email to [EMAIL PROTECTED] . This is the general rule for most mailing lists when you need to contact a human. Here's the general information for the list you've subscribed to, in case you don't already have it: This open mailing list is used for discussions between the OpenSSL users. Everyone can post. [EMAIL PROTECTED] schrieb: *i haven o tone idea what that means... i got out on this list by accident or type-o I have no way of looking at any of the thousands of emails i have rec'd and been able to find one thing i could understand. please HELP* -- mit freundlichen Grüßen / best regards *Gerhard Gappmeier* ascolab GmbH - automation systems communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc -- *ascolab GmbH* Geschäftsführer: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß Sitz der Gesellschaft: Am Weichselgarten 7 • 91058 Erlangen • Germany Registernummer: HRB 9360 Registergericht: Amtsgericht Fürth
pkey?
I'm trying to convert a pgp key and crt using the pkey parameter/flag, but when I type in openssl pkey I get the following error openssl pkey openssl:Error: 'pkey' is an invalid command. I've tried upgrading to the latest version, why is there comprehensive documentation on this command when it doesn't exist? http://www.openssl.org/docs/apps/pkey.html Thanks for your time. Dan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: I'm having trouble getting an ssl client programmed in java
Your very first code example (without the context) should be fine!
There is no need to set any ciphers. Java has a list of ciphers it
will automatically try to use.
If you like downloading jar files, here's another way:
http://juliusdavies.ca/commons-ssl/ssl.html
yours,
Julius
On Wed, Jun 18, 2008 at 11:27 AM, Jim Lynch [EMAIL PROTECTED] wrote:
On Wed, Jun 18, 2008 at 2:14 PM, AverageGuy [EMAIL PROTECTED] wrote:
Julius Davies-2 wrote:
Your code is fine. Don't use /usr/bin/java (the gnu jvm)! Install a
JVM from Sun or IBM or BEA or Blackdown, or Kaffe, at the very least,
and use that instead.
After installing a vendor's JVM, make sure you use the java
executable they provide. For example:
/opt/java/ibm-java-ppc-60/bin/java
yours,
Julius
OK
[EMAIL PROTECTED]:~/java/sslSocket$ echo $JAVA_HOME
/opt/jdk1.5.0_15/
[EMAIL PROTECTED]:~/java/sslSocket$ which java
/opt/jdk1.5.0_15//bin//java
It changed the error. I suspect it has to do with my inability to set the
cipher as I mentioned before.
Exception in thread main javax.net.ssl.SSLHandshakeException: Received
fatal alert: handshake_failure
Thanks,
Jim.
Let me add this. This is the guts of the C++ program I'm trying to
duplicate. I ripped out the non essential code such as error checking,
debug output and statistic gathering.
Any suggestions on how to implement this in Java would be helpful.
SSL_library_init ();
SSL_METHOD *method;
method = SSLv3_client_method ();
ptrCTX = SSL_CTX_new (method);
if (!SSL_CTX_set_cipher_list (ptrCTX, ADH)) {
ptrSSL = SSL_new (ptrCTX);
int xx = SSL_set_fd (ptrSSL, fdSocket);
SSL_load_error_strings ();
SSL_set_connect_state (ptrSSL);
sbio = BIO_new_socket (fdSocket, BIO_NOCLOSE);
SSL_set_bio (ptrSSL, sbio, sbio);
retcode = SSL_connect (ptrSSL);
retcode =
SSL_write (ptrSSL, (const void *) message.c_str (),
message.length ());
retcode = SSL_read (ptrSSL, response, 200);
SSL_shutdown(ptrSSL);
SSL_free(ptrSSL);
SSL_CTX_free(ptrCTX);
Thanks,
Jim.
--
yours,
Julius Davies
250-592-2284 (Home)
250-893-4579 (Mobile)
http://juliusdavies.ca/
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: how to check if I hv openssl
Liao [EMAIL PROTECTED] wrote: As far as I know, in order to have the mod_ssl working, have to have the library openssl, right? Well, I dont know if my apache has, so I want to check. This really isn't an OpenSSL question -- it has to do with your platform. If you were on Linux, I'd tell you to check using your package manager -- yum or apt or emerge. But on HP-UX, I have no idea what the package manager is. You could check to see if you have a command called `openssl`. The first, easiest check is with `which`: :; which openssl If it gives you a path, great! You have OpenSSL. Let us hope it was the one your Apache module was built against... If you can't find it that way, you could snoop around with `find` or `locate`: :; find / -type f -name 'openssl' :; locate openssl These will be a lot more verbose. If you need more help, please email me off list. -- _jsn __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: How to unsubscribe from OpenSSL Users ML
Actually, I wasn’t requesting to be removed from your mailing list. The mailing list I requested to be removed from was reunion.com. they send hundreds (No! not kidding) of unsolicited e-mails to my address. Brenda Herrera is the target name. the lady who runs the service tells people she found Brenda Herrera and gives them my e-mail address, she then collects money from them. By the time they receive my standard, wise up stupid e-mail it’s too late. She also sells e-mail addresses to the time wasting trash of the universe. Open SSL has some of the only useful information I ever get in e-mails. I rarely submit things. I prefer to read and observe. Back to work for wicked me. Carrie From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gerhard Gappmeier Sent: Wednesday, June 18, 2008 2:47 AM To: openssl-users@openssl.org; [EMAIL PROTECTED] Subject: Re: How to unsubsribe from OpenSSL Users ML Send a message to openssl-users@openssl.org with the following text in the body. unsubscribe openssl-users For more info see below. I hope this helps you :-) -- Welcome to the openssl-users mailing list! Please save this message for future reference. Thank you. If you ever want to remove yourself from this mailing list, you can send mail to mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] with the following command in the body of your email message: unsubscribe openssl-users or from another account, besides [EMAIL PROTECTED]: unsubscribe openssl-users [EMAIL PROTECTED] If you ever need to get in contact with the owner of the list, (if you have trouble unsubscribing, or have questions about the list itself) send email to mailto:[EMAIL PROTECTED] [EMAIL PROTECTED] . This is the general rule for most mailing lists when you need to contact a human. Here's the general information for the list you've subscribed to, in case you don't already have it: This open mailing list is used for discussions between the OpenSSL users. Everyone can post. [EMAIL PROTECTED] schrieb: i haven o tone idea what that means... i got out on this list by accident or type-o I have no way of looking at any of the thousands of emails i have rec'd and been able to find one thing i could understand. please HELP -- mit freundlichen Grüßen / best regards Gerhard Gappmeier ascolab GmbH - automation systems communication laboratory Tel.: +49 9131 691 123 Fax: +49 9131 691 128 Web: http://www.ascolab.com GPG-Key: http://www.ascolab.com/gpg/gg.asc -- ascolab GmbH Geschäftsführer: Gerhard Gappmeier, Matthias Damm, Uwe Steinkrauß Sitz der Gesellschaft: Am Weichselgarten 7 • 91058 Erlangen • Germany Registernummer: HRB 9360 Registergericht: Amtsgericht Fürth __ Information from ESET NOD32 Antivirus, version of virus signature database 2888 (20080220) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __ Information from ESET NOD32 Antivirus, version of virus signature database 2888 (20080220) __ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
Non Repudiation error in MIC calculation
Hi, This is for AS2, specifically Signed, then Encrypted message. Before I encrypt I simply checksum SHA1 the file with the muitipart content: EDI data on first part and signature on second. Mime Headers are canonical crlf at end of each mime header. Signature is binary because my trading partner wants it like that. Anyway. There is a whole package with multipart content, boundaries, etc. I attached it here: http://www.nabble.com/file/p17994998/mictest.txt mictest.txt Ok, if you do a SHA1 over it you get 229585b2927684ac1f8dae4290e3e70d6d9cb53f and if the sha1 is run as binary to then be injected in a base64 encoder (openssl sha1 -binary mictest.txt|openssl enc -a, you get: IpWFspJ2hKwfja5CkOPnDW2ctT8= Though, my trading partner with his WPG says that's not the value of the MIC, he gets Uiaz1kOChhlSb/f3SJsmJ/O/8SI= instead. Because the message is encrypted (asymetric, so one needs a certificate and private key to open) , the decryption brings out a quite monolithic unit, headers are canonical and there is a crlf after the last boundary too, ¿what then could be the error in the MIC calculation? Thanks for the help -- View this message in context: http://www.nabble.com/Non-Repudiation-error-in-MIC-calculation-tp17994998p17994998.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
