Re: Error signing certificates with my own CA... Configuration file?
Hi Chris:

Although it sounds a bit overkill for what you are looking for, as part of our CertiPath Test CA using OpenSSL Howto, a goodly portion of the various settings and possible configurations of the parameters are explained, and scripts are also provided for generation of a number of different kinds of certificates.

It can be found at: http://www.carillon.ca/library/openssl_testca_howto_1.3.pdf

Have fun.

Patrick.

On 2010-09-28, at 11:05 AM, Chris Rider wrote:

> Not discouraged at all (just short on time trying to meet a deadline). I'll check out TinyCA (and the like) in the meantime, but actually do hope to delve into the source and figure out those directives when I get some time. I do appreciate your time and attention!!
>
> On 09/28/2010 09:41 AM, Mark H. Wood wrote:
>
>> I don't want to discourage you from learning the details yourself, but you may want to look at some wrapper software that is already worked out and takes care of these things for you. For example, I usually find TinyCA adequate to my minuscule certificate-processing needs. Even if you decide not to use such a tool, you may learn some useful things by studying the code.

---
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
tel: +1 514 485 0789
mobile: +1 514 994 8699
fax: +1 450 424 9559

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
[Fwd: Compiling Squid with ssl enable]
Why has nobody attended to me? I need a solution urgently.

Original Message
Subject: Compiling Squid with ssl enable
From: sq...@sourcesystemsonline.com
Date: Tue, September 28, 2010 6:06 am
To: openssl-users@openssl.org
--

Hello, brothers and sisters help me. See attached for details.

I use Windows 7 64bit OS on ASRock Motherboard, MinGW-5.1.6 + MSYS-1.0.11, msysDTK-1.0.1, other windows platform requirements for squid, squid-2.7.STABLE8, and also squid-2.7.STABLE9 it gives stack.o error, Win64OpenSSL_light-1_0_0a from http://www.slproweb.com/products/Win32OpenSSL.html, vcredist_x64, ActivePerl-5.12.2.1202-MSWin32-x64-293621, openssl-0.9.8h-1-setup (I copied some files from lib and include into MinGW lib and include respectively).

I am trying to compile squid-2.7.STABLE8 or squid-2.7.STABLE9 with --enable-ssl as one of the options; after the ./configure command and during the make command it gives an error.

I sent the above message to squi...@acmeconsulting.it, see reply below:

> You must use a full 32 bit build environment. 64 bit build tools or libraries are not supported (and never developed) on Windows.
>
> Regards
>
> Guido Serassio - Squid Core Developer
> Acme Consulting S.r.l.
> Microsoft Gold Certified Partner
> VMware Professional Partner
> Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
> Tel. : +39.011.9530135 Fax. : +39.011.9781115
> Email: guido.seras...@acmeconsulting.it
> WWW: http://www.acmeconsulting.it

I subsequently used a 32 bit build environment: Win32OpenSSL_light-1_0_0a and later tried Win32OpenSSL-1_0_0a from http://www.slproweb.com/products/Win32OpenSSL.html, vcredist_x32, ActivePerl-5.12.2.1202-MSWin32-x32-293621; the error still persists.

The issue now is that I am trying to compile squid-2.7.STABLE8 or squid-2.7.STABLE9 with the --enable-ssl option and I got the error (see attachments). I have tried the compilation on different environments, x86 or x64; all give the same error I told you before (could not find lssleay32 on squid-2.7.8 and stack.o error on squid-2.7.9).

I wanted to install another version of openssl, say 10.0.0a, but couldn't find a suitable binary that could address the problem, but I found a clue somewhere, http://old.nabble.com/OpenSSL-code-on-Windows-crashes.-td24003641.html and http://openssl.org/support/faq.html#PROG2, that asks me to do the following:

To build, I needed to modify the first lines of the example openssl-10.0.0a.tar.gz source code's Makefile as follows:

    OPENSSLDIR=c:/openssl32
    CFLAGS=-g -I$(OPENSSLDIR)/include
    MD=-Lc:/openssl32/lib -llibeay32 -lssleay32

Honestly, I don't know how to compile openssl, talk less of modifying any file in it, but later I summoned courage to do something. See the attached again for the error message I got when I am trying to compile openssl-1.0.0a.

OPENSSL USERS: Please, what can I do to resolve the error? OR kindly help compile or link me to any suitable openssl version that can work in windows7 x32 or x64 environments.
Re: [Fwd: Compiling Squid with ssl enable]
On Wed, Sep 29, 2010 at 16:04, sq...@sourcesystemsonline.com wrote:

> Why has nobody attended to me? I need a solution urgently.

then hire a consultant

-mike
Issues with c_rehash utility in FIPS mode
We are trying to generate the hash of the subject name in certificates in FIPS mode by using the "openssl x509 hash" command. Apparently this utility uses the MD5 algorithm to calculate the hash of the subject name and therefore this operation is not allowed in FIPS mode.

My question is: is there any flag that can be set in the environment or the OpenSSL config file that would allow the subject name hash operation in FIPS mode? I know there is a flag that can be used programmatically - EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW). But I am concerned about using the OpenSSL binary and allowing the hash operation by it in FIPS mode. What would be the way to achieve that?

Thanks
Anamitra
Re: Issues with c_rehash utility in FIPS mode
On Wed, Sep 29, 2010, anmajumd wrote:

> We are trying to generate the hash of the subject name in certificates in FIPS mode by using the "openssl x509 hash" command. Apparently this utility uses the MD5 algorithm to calculate the hash of the subject name and therefore this operation is not allowed in FIPS mode.

The way MD5 is used for certificate hashes is not cryptographic: it is just used as a way of generating a 32 bit value from a DN and a full comparison is used later so weakness of the hash is not a security concern. As a result it is allowed in FIPS mode: we did specifically ask about this issue.

> My question is: is there any flag that can be set in the environment or the OpenSSL config file that would allow the subject name hash operation in FIPS mode? I know there is a flag that can be used programmatically - EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW). But I am concerned about using the OpenSSL binary and allowing the hash operation by it in FIPS mode. What would be the way to achieve that?

The function X509_NAME_hash() sets that flag so it should work in FIPS mode already.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
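Added example, not part of the thread and not OpenSSL code: the directory lookup described in the reply above, where the MD5-derived 32-bit value only selects candidate files and a full name comparison picks the certificate. `HashDir`, `der_cn_name` and the CA names are constructed for illustration; the hash layout (first four MD5 bytes of the DER-encoded name, little-endian) is that of OpenSSL releases before 1.0.0.

```python
import hashlib

def der_cn_name(cn: str) -> bytes:
    """Constructed sample input: DER Name holding one CN (PrintableString)."""
    value = cn.encode("ascii")
    if len(value) >= 100:          # keep every length in DER short form
        raise ValueError("CN too long for this example")
    atv = b"\x06\x03\x55\x04\x03" + bytes([0x13, len(value)]) + value
    seq = bytes([0x30, len(atv)]) + atv
    rdn = bytes([0x31, len(seq)]) + seq
    return bytes([0x30, len(rdn)]) + rdn

def subject_hash_old(name_der: bytes) -> int:
    """32-bit index: first four MD5 bytes of the DER name, little-endian."""
    # usedforsecurity=False (Python 3.9+) declares the non-cryptographic use,
    # the same idea as EVP_MD_CTX_FLAG_NON_FIPS_ALLOW in the thread.
    digest = hashlib.md5(name_der, usedforsecurity=False).digest()
    return int.from_bytes(digest[:4], "little")

class HashDir:
    """In-memory stand-in for a c_rehash-style directory of <hash>.<n> files."""
    def __init__(self, hash_fn=subject_hash_old):
        self.hash_fn = hash_fn
        self.entries = {}          # "xxxxxxxx.n" -> (name_der, cert_label)

    def add(self, name_der: bytes, cert_label: str) -> str:
        h, n = self.hash_fn(name_der), 0
        while f"{h:08x}.{n}" in self.entries:   # colliding names get .1, .2, ...
            n += 1
        filename = f"{h:08x}.{n}"
        self.entries[filename] = (name_der, cert_label)
        return filename

    def lookup(self, name_der: bytes):
        """Walk <hash>.0, <hash>.1, ... and return the entry whose name matches."""
        h, n = self.hash_fn(name_der), 0
        while (entry := self.entries.get(f"{h:08x}.{n}")) is not None:
            stored_name, cert_label = entry
            if stored_name == name_der:   # full comparison decides, not the hash
                return cert_label
            n += 1
        return None

def demo_forced_collision():
    # A constant hash puts every name in one bucket: the worst case for collisions.
    store = HashDir(hash_fn=lambda _name: 0xDEADBEEF)
    a, b = der_cn_name("Constructed CA A"), der_cn_name("Constructed CA B")
    files = [store.add(a, "cert-A"), store.add(b, "cert-B")]
    unknown = store.lookup(der_cn_name("Unknown CA"))
    return files, store.lookup(a), store.lookup(b), unknown
```

Even with every name forced into the same bucket, each lookup returns only the certificate whose full name matches, which is why a weak hash here costs extra comparisons rather than a wrong trust decision.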
(Help) Verification using OCSP
Hi all,

I am trying to do OCSP verification in my application using openssl-0.9.8o, but when I call OCSP_basic_verify, it always returns -1. I tried printing the error message, and it shows me these lines:

4616:error:0D0C50A1:lib(13):func(197):reason(161):.\crypto\asn1\a_verify.c:146:
4616:error:27069075:lib(39):func(105):reason(117):.\crypto\ocsp\ocsp_vfy.c:98:

This certificate verifies successfully in the openssl application. Attached is my sample code. Can anyone help to solve my problem?

http://old.nabble.com/file/p29845022/file.cpp