[1.0.1] Nested CMS structures
(tl;dr : see questions at the end) I'm trying to build nested CMS structures, as in, having a file F, a signer S and a recipient R, I want to build a CMS-compliant message M which looks like: M = SignedData(ECI, SignerInfo(S)) ECI = EncapsulatedContentInfo( EnvelopedData( RecipientInfo(R) ) Where RecipientInfo(R) contains: [ F ] = encrypted file, [ K ] = file-encryption key, encrypted with R's public key. Now the code compiles, I figure I can parse that back, but when I run `openssl cms` or `openssl asn1parse` on the generated DER file, the whole EnvelopedData show up as one big OctetString. Is that normal? Here's my code (all error checking has been left out for brevity): /* Make EnvelopedData structure */ BIO* in = BIO_new_file(in_path, rb); int flags = CMS_BINARY | CMS_USE_KEYID | CMS_PARTIAL; CMS_ContentInfo* edata = CMS_encrypt(NULL, NULL, cipher, flags); CMS_RecipientInfo* r_info = CMS_add1_recipient_cert(edata, r_cert, flags); CMS_final(edata, in, NULL, flags); BIO* tmp = BIO_new(BIO_s_mem()); i2d_CMS_bio(tmp, edata);/* [1] */ /* Make SignedData structure */ flags|= CMS_NOSMIMECAP | CMS_NOCERTS; CMS_ContentInfo* sdata = CMS_sign(NULL, NULL, NULL, NULL, flags); ASN1_OBJECT* ectype_edata = OBJ_nid2obj(NID_pkcs7_enveloped); CMS_set1_eContentType(sdata, ectype_edata); CMS_SignerInfo* s_info = CMS_add1_signer(sdata, s_cert, s_key, NULL, flags); CMS_SignerInfo_sign(s_info); CMS_final(sdata, tmp, NULL, flags); BIO* out = BIO_new_file(out_path, wb); i2d_CMS_bio(out, sdata); BIO_flush(out); Now, here's the output from cms: CMS_ContentInfo: contentType: pkcs7-signedData (1.2.840.113549.1.7.2) d.signedData: version: 3 digestAlgorithms: algorithm: sha1 (1.3.14.3.2.26) parameter: ABSENT encapContentInfo: eContentType: pkcs7-envelopedData (1.2.840.113549.1.7.3) eContent: LARGE OCTET STRING, A BIT LARGER THAN THE FILE certificates: EMPTY crls: EMPTY signerInfos: version: 3 d.subjectKeyIdentifier: KEY ID IS HERE digestAlgorithm: algorithm: sha1 (1.3.14.3.2.26) parameter: ABSENT signedAttrs: object: contentType (1.2.840.113549.1.9.3) value.set: OBJECT:pkcs7-envelopedData (1.2.840.113549.1.7.3) ALSO UTC TIME WHATEVER object: messageDigest (1.2.840.113549.1.9.4) value.set: OCTET STRING: HASH GOES HERE signatureAlgorithm: algorithm: ecdsa-with-SHA1 (1.2.840.10045.4.1) parameter: ABSENT signature: SIG GOES HERE unsignedAttrs: EMPTY If I output what the BIO at [1] contains, I see this: CMS_ContentInfo: contentType: pkcs7-envelopedData (1.2.840.113549.1.7.3) d.envelopedData: version: ABSENT originatorInfo: ABSENT recipientInfos: d.ktri: version: 2 d.subjectKeyIdentifier: KEY ID IS HERE keyEncryptionAlgorithm: algorithm: rsaEncryption (1.2.840.113549.1.1.1) parameter: NULL encryptedKey: 256-BYTES LONG OCTET STRING, SINCE RSA-2048 encryptedContentInfo: contentType: pkcs7-data (1.2.840.113549.1.7.1) contentEncryptionAlgorithm: algorithm: aes-256-cbc (2.16.840.1.101.3.4.1.42) parameter: OCTET STRING: 16 BYTES IV encryptedContent: LARGE OCTET STRING, ABOUT THE SIZE OF MY FILE PLUS AES PADDING I FIGURE unprotectedAttrs: EMPTY So I guess my questions are: - Does the code look OK to people who regularly use the API? - Should I be worried the EnvelopedData show up as one big OctetString when cms/asn1parse parse the SignedData? - Should I be worried the version field in the EnvelopedData shows ABSENT? Bonus points for anyone who can tell, on the spot, me how to recover: - the signature; - the bytes this signature actually signs; - the encrypted key; - the encrypted file. ... So that I may process them by some other, non-OpenSSL means on the receiving end. (I'm giving bonus points for this since OpenSSL implements all CMS types as opaque structures, and I haven't digged enough yet to see how to recover those fields. I'm starting to think maybe I should not use OpenSSL on the receiving end...) Thanks in advance! __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
whichever certificate loading first wins
We have a webserver with an SSL self-signed certificate that uses our company CA cert in its chain to authenticate along with a user certificate on the client browser. The Client cert loads and shows issued to server-unc and the only other chain portion is our Self-Signed CA Cert. This has been working fine for some time. Today we uploaded a new server SSL Certificate onto a different system (also a load balancer). This cert loaded today was generated from the same Self-Signed CA and we tested it by going right to said server in a browser and it worked fine. However, we are unable to get both certificates to work at the same time. If we load one of them first it works but the other will not load (fails). We can't seem to understand why whichever SSL is the 2nd to be read fails. Thoughts? Ideas? -- View this message in context: http://openssl.6102.n7.nabble.com/whichever-certificate-loading-first-wins-tp49869.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: whichever certificate loading first wins
Did you give them the same serial number? Because that will break things. On Thu, May 1, 2014 at 2:37 PM, foxtrot dsy...@qualbe.com wrote: We have a webserver with an SSL self-signed certificate that uses our company CA cert in its chain to authenticate along with a user certificate on the client browser. The Client cert loads and shows issued to server-unc and the only other chain portion is our Self-Signed CA Cert. This has been working fine for some time. Today we uploaded a new server SSL Certificate onto a different system (also a load balancer). This cert loaded today was generated from the same Self-Signed CA and we tested it by going right to said server in a browser and it worked fine. However, we are unable to get both certificates to work at the same time. If we load one of them first it works but the other will not load (fails). We can't seem to understand why whichever SSL is the 2nd to be read fails. Thoughts? Ideas? -- View this message in context: http://openssl.6102.n7.nabble.com/whichever-certificate-loading-first-wins-tp49869.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Question about rationale for function X509_check_akid()
Am 30.04.14 16:13, schrieb Viktor Dukhovni: The function is part of the public API (its name starts with an upper case X509 not x509 as with internal interfaces), so changing its semantics would introduce an incompatibility with applications that rely on the old behaviour. Well, bug fixes in general tend to introduce incompatibility :-) I'm not yet claiming that this is a bug, but consider the following test case: 1) Certificate that has an Authority Key Identifier extension (save as file testcert.pem): -BEGIN CERTIFICATE- MIIBvzCCASigAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdUZXN0 IENBMB4XDTE0MDUwMjA5MDI1OFoXDTE0MDYwMTA5MDI1OFowFDESMBAGA1UEAwwJ VGVzdCBDZXJ0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCwnv66JvZTVaf Z3tqMo5od80yv9J0rxUMlAPXFiRM3P/JgDjW5NVIt2Ryaqwd7qZFN1f0HpcQAM5m SJsQpi8ZxbfGB9BIt7SgRuKdj5ntDX1WJ84gl4C8R2t75B8d0WrJBJUYL2XCOEnu S0RpfxvLZryH8Pr48Wp8NM6gONAjgQIDAQABoyMwITAfBgNVHSMEGDAWgBQLHOwh WWaA9y49g7bt77DLa5/RKjANBgkqhkiG9w0BAQsFAAOBgQB7Md75mT3aHcR1vyf7 q8t5+x2JzbXxY3bSF1eRreaC65luDGwHrwd8e6vsYQGfOL35Q9lz+6eJRQWFsLkV LoILyOEJlfJIN2hX7ZOphTsQ4xhgUanBtQBh7a3if4ywF6YMS8XgBwCxXcmrndGm OZLjSWhsx6spsyLl56iduRWtzQ== -END CERTIFICATE- 2) Test program that loads the certificate and invokes X509_check_akid() for the certificate with its own Authority Key Identifier (all error checks omitted for brevity): snip --- /* * Test program for X509_check_akid() * * The program loads a certificate that has the * X509v3 Authority Key Identifier and invokes X509_check_akid() * with this authority key identifier and the certificate itself. */ #include stdio.h #include openssl/err.h #include openssl/bio.h #include openssl/evp.h #include openssl/x509.h #include openssl/x509v3.h #include openssl/pem.h int main() { BIO *pem; const char *file = testcert.pem; X509 *cert; int akid_check; pem = BIO_new(BIO_s_file()); BIO_read_filename(pem, file); cert = PEM_read_bio_X509_AUX(pem, NULL, NULL, NULL); X509_check_purpose(cert, -1, -1); akid_check = X509_check_akid(cert, cert-akid); printf(X509_check_akid result %d '%s'\n, akid_check, X509_verify_cert_error_string(akid_check)); return 0; } --- snip --- When compiled and executed with a current OpenSSL build from the OpenSSL_1_0_2-stable branch the program prints: X509_check_akid result 0 'ok' It is hard to argue whether this is a bug as there's no documentation what X509_check_akid() is actually supposed to do. Nevertheless I think it's wrong that it identifies a certificate as it's own issuer although it's not self-signed. As far as I understand fixing this borderline case would not have an impact on the normal usage where the Authority Key Identifier if a certificate is checked against a different certificate. Stephan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Revoking a suspended certificate
Hy! If I have suspended (crlReason=certificateHold) a certificate in the past an now want to really revoke it using openssl ca, I get an error message ERROR:Already revoked, serial number 01. Is there some way to make openssl automaticalls upgrade the suspension to a revocation with having to remove the hold from the index file first? cheers Mat signature.asc Description: This is a digitally signed message part.
Re: Revoking a suspended certificate
A further related question: Is there some way to remove a suspended certificate from a CRL without manually editing the index file? Using the - crl_reason removeFromCRL option on the ca command does not work. cheers Mat On Friday 02. May 2014 14:35:23 you wrote: Hy! If I have suspended (crlReason=certificateHold) a certificate in the past an now want to really revoke it using openssl ca, I get an error message ERROR:Already revoked, serial number 01. Is there some way to make openssl automaticalls upgrade the suspension to a revocation with having to remove the hold from the index file first? cheers Mat signature.asc Description: This is a digitally signed message part.
RE: whichever certificate loading first wins
We have a webserver with an SSL self-signed certificate that uses our company CA cert in its chain I can't parse that -- either it's self-signed (usually only done by root CA's), or it's using an internal company CA. Can you post x509 -text for both certs? /r$ -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: whichever certificate loading first wins
Here are the text outputs of the certs: 1) app server cert (not the new server) Data: Version: 3 (0x2) Serial Number: 242 (0xf2) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=Texas, O=QBI, OU=Information Technology, CN=QB Root CA Validity Not Before: Feb 27 22:35:58 2013 GMT Not After : Feb 27 22:35:58 2023 GMT Subject: C=US, ST=Texas, L=Fort Worth, O=QBI, OU=Information Technology, CN=app1.qb.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:a7:22:75:61:e6:91:80:e8:35:96:09:98:20:e7: . . . 17:e6:c8:53:df:87:f5:93:ce:22:39:3d:af:5c:c6: 9c:bc:bf Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 24:..redacted..:B4 X509v3 Authority Key Identifier: keyid:25:..redacted..:9C Signature Algorithm: sha1WithRSAEncryption 61:51:3f:5a:b9:ce:af:ab:69:14:c8:88:80:e3:8f:3a:e2:0b: . . . 25:ab:85:16:62:3c:ee:00:80:13:50:47:e5:9b:0d:b4:bf:17: 88:f4 2) Here is our CA cert Certificate: Data: Version: 3 (0x2) Serial Number: 15219766957112807379 (0xd3377968e2efcfd3) Signature Algorithm: sha512WithRSAEncryption Issuer: C=US, ST=Texas, L=Fort Worth, O=QMG LLC, OU=Certificate Authority, CN=ca.qb.com/emailAddress=i...@qb.com Validity Not Before: Mar 21 16:13:02 2013 GMT Not After : Mar 16 16:13:02 2033 GMT Subject: C=US, ST=Texas, L=Fort Worth, O=QMG LLC, OU=Certificate Authority, CN=ca.qb.com/emailAddress=i...@qb.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:a7:86:bd:48:da:44:2a:35:4e:2c:56:c2:e2:d6: . . . 4f:80:7d:8f:9e:0f:e2:23:be:67:48:1d:1a:d3:a2: 3a:1d:0d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:TRUE X509v3 Subject Key Identifier: 25:...redacted...:8A X509v3 Authority Key Identifier: keyid:25:...redacted...:8A DirName:/C=US/ST=Texas/L=Fort Worth/O=QMG LLC/OU=Certificate Authority/CN=ca.qb.com/emailAddress=i...@qb.com serial:D3:37:79:68:E2:EF:CF:D3 X509v3 Subject Alternative Name: email:i...@qb.com X509v3 Issuer Alternative Name: email:i...@qb.com Netscape Cert Type: SSL CA, S/MIME CA, Object Signing CA Netscape Comment: QMG LLC Internal Certification Authority Certificate Netscape CA Revocation Url: http://www.qb.com/ca/cacrl.crl Netscape Revocation Url: http://www.qb.com/ca/cacrl.crl Signature Algorithm: sha512WithRSAEncryption 6f:22:96:de:3f:f2:49:81:c6:53:8a:9c:82:58:87:2b:cb:0b: . . . 21:cc:8f:af:c6:81:eb:23 3) Here is the new cert we are trying to introduce (sales.1d.qb.com) Certificate: Data: Version: 1 (0x0) Serial Number: 2 (0x2) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=Texas, L=Fort Worth, O=QMG LLC, OU=Certificate Authority, CN=ca.qb.com/emailAddress=i...@qb.com Validity Not Before: Apr 28 22:46:57 2014 GMT Not After : Apr 25 22:46:57 2024 GMT Subject: C=US, ST=Texas, L=Fort Worth, O=QMG, OU=IT, CN=sales.1d.qb.com/emailAddress=doma...@qb.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (4096 bit) Modulus: 00:b5:18:6c:2d:b0:fa:be:92:f8:eb:57:90:fe:e3: . . . 89:5a:77:79:ee:23:b0:27:28:43:8d:18:76:51:3f: 36:d2:d3 Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 78:04:4f:50:98:7e:fb:b7:0a:bc:41:34:45:d5:82:c8:40:28: . . . cf:99:56:4b:ea:3b:31:03 -- View this message in context:
Re: whichever certificate loading first wins
no. I posted the text versions of our CA and both certs. -- View this message in context: http://openssl.6102.n7.nabble.com/whichever-certificate-loading-first-wins-tp49869p49896.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: whichever certificate loading first wins
Nothing jumps out at me, sorry. Hopefully others will find something. -- Principal Security Engineer Akamai Technologies, Cambridge, MA IM: rs...@jabber.me; Twitter: RichSalz __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Windows CE (VC-CE) Compilation problem !
Hello, I recommend you have a look at here, where I compiled 1.0.0a. http://delaage.pierre.free.fr/ There is a lot of compilation issues to compile for WCE. I am NOT using VC compiler, but a free compiler for WCE from MS, called EVC. Basically, compilations options are very similar to ones for VC, but you have also to use the proper WCE SDK, and take care to adapt some script from MS that are NOT always instantly usable as is. See my web page for guidelines for that. I presently do not have time to recompile the last version of openssl. And some issues around my patches are to be clarified with openssl team before being included in the openssl mainstream. On my page, you will find specific instructions to compile wcecompat. Best regards, Pierre Delaage Le 28/04/2014 14:58, karan.reddy a écrit : Hi, I am very new to Openssl. My aim is to compile openssl for WINCE 6.0 OS. After spending lot of time on google , i found procedure to build openssl for WINCE 6.0. But my attempt to build the wcecompat WINCE runtime libraries is unsuccessful. Below is my environment Host Platform : WINDOWS 7 Visual Studio : 2008 TargetCpu : x86 Below are the steps followed to build wcecompat: 1) Downloaded the source from https://github.com/mauricek/wcecompat/tree/master; git. 2) Using Visual Studio Command prompt for build. Declared the env following variables: set OSVERSION=WCE600 set TARGETCPU=x86 set PLATFORM=VC-CE 3) Created the make files using perl config.pl command. 4) Executed nmake command. The build fails with compilation errors. Below are the logs: -- args.cpp C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(235) : error C2059: syntax error : '(' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(237) : error C2059: syntax error : '(' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(239) : error C2059: syntax error : '(' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(241) : error C2059: syntax error : '(' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(243) : error C2059: syntax error : '(' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(245) : error C2059: syntax error : '(' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(247) : error C2059: syntax error : '(' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(249) : error C2059: syntax error : '(' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(251) : error C2059: syntax error : '(' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(253) : error C2059: syntax error : '(' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(255) : error C2059: syntax error : '(' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(257) : error C2059: syntax error : '(' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(258) : error C2059: syntax error : '(' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(994) : error C2556: 'const wchar_t *wcschr(const wchar_t *,wchar_t)' : overloaded function differs only by return type from 'wchar_t *wcschr(const wchar_t *,wchar_t)' include\string.h(36) : see declaration of 'wcschr' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(994) : error C2373: 'wcschr' : redefinition; different type modifiers include\string.h(36) : see declaration of 'wcschr' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(1026) : error C2556: 'const wchar_t *wcspbrk(const wchar_t *,const wchar_t *)' : overloaded function differs only by return type from 'wchar_t *wcspbrk(const wchar_t *,const wchar_t *)' include\string.h(46) : see declaration of 'wcspbrk' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(1026) : error C2373: 'wcspbrk' : redefinition; different type modifiers include\string.h(46) : see declaration of 'wcspbrk' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(1027) : error C2556: 'const wchar_t *wcsrchr(const wchar_t *,wchar_t)' : overloaded function differs only by return type from 'wchar_t *wcsrchr(const wchar_t *,wchar_t)' include\string.h(47) : see declaration of 'wcsrchr' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(1027) : error C2373: 'wcsrchr' : redefinition; different type modifiers include\string.h(47) : see declaration of 'wcsrchr' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(1029) : error C2556: 'const wchar_t *wcsstr(const wchar_t *,const wchar_t *)' : overloaded function differs only by return type from 'wchar_t *wcsstr(const wchar_t *,const wchar_t *)' include\string.h(49) : see declaration of 'wcsstr' C:\Program Files\Microsoft Visual Studio 9.0\VC\INCLUDE\wchar.h(1029) : error C2373: 'wcsstr' : redefinition; different type modifiers
OpenSSL / GnuTLS / Certificate Installation HowTo
I would like to create a TCP client/server scenario: - a simple C server on a VPS - a simple C client on another device And I would like to secure the TCP connection between them. GnuTLS seems to be a good choice (they also propose some client/server samples). My web hosting provider gave me a SSL certificate. So from now, I don't know how to install and configure everything in order to work properly: - from the SSL certificate installation (if I need to), - how to use GnuTLS in my client/server program with those certificates (if needed), - ... Can somebody explain the all thing please ? Thanks. B.R. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: whichever certificate loading first wins
On Thu, May 01, 2014 at 02:37:59PM -0700, foxtrot wrote: However, we are unable to get both certificates to work at the same time. If we load one of them first it works but the other will not load (fails). We can't seem to understand why whichever SSL is the 2nd to be read fails. Thoughts? Ideas? What do you mean by at the same time. Barring SNI, a single server can have at most one private key + leaf certificate per algorithm: * One RSA certificate * One ECDSA certificate * One DSS certificate Additional RSA leaf certificates cannot be loaded, you can only load additional *chain* certificates (of issuing CAs). -- Viktor. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: whichever certificate loading first wins
I open my browser on my client windows workstation. I open the URL to webserver1 and the certificate on that server shows a green lock, no warnings...allows me access. I open a 2nd browser tab with the URL of webserver2 and I get an SSL Error and cannot get there...not even a warning...just cannot get there. I then close and reopen my browser and open the tabs in the reverse order (webserver2 and then webserver1) and now webserver2 allows me to connect just fine, good green lock and I can see the certificate by clicking the lock and all is well. But then when I try to go to webserver1 (that just worked on the previous test), it now failsnot even a warning to continue anyway...It will not let me move forward to the web content. This is what I mean by at the same time (where I can switch back and forth). -- View this message in context: http://openssl.6102.n7.nabble.com/whichever-certificate-loading-first-wins-tp49869p49904.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: State of EBCDIC support in OpenSSL
Hello, in the request tracker under item #843 there are patches for 0.9.7c (created and tested on Fujitsu BS2000) and 0.9.7j (updated by Jeremy Grieshop for z/OS). Because i saw no actions to incorporate the patches into the official sources in the last ten years i saved afterwards the work to commit our patches for newer OpenSSL versions. If there is interest i can provide patches for lines 0.9.8, 1.0.0 and 1.0.1 too; it will probably take some days because i have first to look at the patches and maybe remove some non-EBCDIC related parts. Best regards, Richard Am 29.04.2014 13:52, schrieb mclellan, dave: We are active and continuing users of the z/OS port of OpenSSL, have just rebuilt 1.0.1c without heartbeats on a maintenance stream and are upgrading to 1.0.g on a future release stream. Just as example of staying current on z/OS. We use z/OS on the server side only, and generates server certs from a Windows machine, and transfer the certs to USS using binary FTP. The server does not require a client cert since we couldn't get that working and have never had time to look into it. We don't use the openssl CLI on z/OS. We have even considered the port for Fujitsu BS2000 but don't have a business priority for it. All this to say that we sure hope that z/OS and OpenSSL continue to be real, and I'm glad to have read Tim's response. +-+-+-+-+-+-+-+-+- Dave McLellan, VMAX Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749 Office:508-249-1257, Mobile: 978-500-2546, dave.mclel...@emc.com +-+-+-+-+-+-+-+-+- -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Stephan Mühlstrasser Sent: Tuesday, April 29, 2014 4:48 AM To: Tim Hudson; openssl-users@openssl.org Subject: Re: State of EBCDIC support in OpenSSL Am 29.04.14 10:28, schrieb Tim Hudson: Bug reports on EBCDIC with patches are definitely interesting as there is an active community of OpenSSL z/OS users - at the very least the other users will benefit from any work you have already done. I can provide bug reports, but at the moment I cannot promise that I can come up with corresponding patches as well. I did some research in the OpenSSL mailing list archives, and from that I have the impression that there's little activity from OpenSSL z/OS users over the last few years. Are there other places where you see the active community of OpenSSL z/OS users? For the broader context I think you'll find the issue for handling such platforms will usually be the typical one of regular platform access. Checking, adjusting, and confirming patches which are platform specific that are non-trivial basically requires access to the platform. One thing to consider is if you (or anyone else) is able to provide permanent (or semi-permanent) access (via ssh) to a z/OS platform with USS installed that places the user into a standard shell environment with the compilers accessible. I'm sorry, but I can't help with platform access, as we only have a z/OS development system for porting our software, not even a real zSeries machine. I would expect that IBM itself should be interested in a working OpenSSL port for zSeries. We have a very old version of OpenSSL on our system that we downloaded from the IBM website in the past. This version is for example able to print out certificates correctly. Today the IBM website about open source software available for z/OS point to openssl.org for getting OpenSSL: http://www-03.ibm.com/systems/z/os/zos/features/unix/bpxa1ty1.html The free unsupported version of OpenSSL previously offered here is no longer available. Instead, we refer you to the functionally equivalent version available from the official OpenSSL project website. If someone from IBM is reading this, please consider the request by Tim for access to a z/OS platform. Stephan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: whichever certificate loading first wins
Maybe I'm missing something, but: - The app server cert is not signed by the CA cert, so there's no point in sending the CA cert as part of the chain for that server. - The app server cert isn't self-signed, either (contrary to what the original message claimed). - The new cert is an X.509v1 certificate - why isn't it v3? I admit I don't understand the problem description from the original note, but it doesn't seem to match what we have with these three certificates. -- Michael Wojcik Technology Specialist, Micro Focus This message has been scanned for malware by Websense. www.websense.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: whichever certificate loading first wins
From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of foxtrot Sent: Friday, 02 May, 2014 11:47 I open my browser on my client windows workstation. I open the URL to webserver1 and the certificate on that server shows a green lock, no warnings...allows me access. I open a 2nd browser tab with the URL of webserver2 and I get an SSL Error and cannot get there...not even a warning...just cannot get there. I then close and reopen my browser and open the tabs in the reverse order (webserver2 and then webserver1) and now webserver2 allows me to connect just fine, good green lock and I can see the certificate by clicking the lock and all is well. But then when I try to go to webserver1 (that just worked on the previous test), it now failsnot even a warning to continue anyway...It will not let me move forward to the web content. Well, *that* certainly wasn't clear from the original description. I hate to bring this up, but: http://catb.org/~esr/faqs/smart-questions.html When you post a question to a technical forum like this, you need to be precise about what the problem is: what you're using, what other components are involved, what you're doing, what happens, and what you expected to happen. I don't know that it will help, but: What version of what browser, running on what OS? When you say you get an SSL Error, what *exactly* do you see? In your original notes you also mentioned client certificates. Are you using a client certificate in the browser? Is it configured to send the certificate automatically, or to prompt you? Where did the client certificate come from? -- Michael Wojcik Technology Specialist, Micro Focus This message has been scanned for malware by Websense. www.websense.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: OpenSSL / GnuTLS / Certificate Installation HowTo
From: owner-openssl-us...@openssl.org [mailto:owner-openssl- us...@openssl.org] On Behalf Of Frederic Nivor Sent: Friday, 02 May, 2014 11:18 To: openssl-users@openssl.org Subject: OpenSSL / GnuTLS / Certificate Installation HowTo I would like to create a TCP client/server scenario: - a simple C server on a VPS - a simple C client on another device And I would like to secure the TCP connection between them. GnuTLS seems to be a good choice (they also propose some client/server samples). My web hosting provider gave me a SSL certificate. So from now, I don't know how to install and configure everything in order to work properly: - from the SSL certificate installation (if I need to), - how to use GnuTLS in my client/server program with those certificates (if needed), - ... Can somebody explain the all thing please ? OpenSSL and GnuTLS are two completely different software packages. Perhaps you should ask this on a GnuTLS list. (Personally, I wouldn't consider GnuTLS a good choice for any task that required security, or a decent-quality implementation. Heartbleed was bad, but the GnuTLS goto bug of a few weeks back was inexcusable.) Regardless of what implementation you use, though, I'd suggest picking up a copy of Rescorla's /SSL and TLS/ book, or a similar reference. Trying to get a crash course in configuring and administering SSL and TLS by email is an enterprise fraught with danger and disappointment. If I understand your requirements, a better approach would probably be a generic SSL/TLS tunnel utility like STunnel, or a VPN. -- Michael Wojcik Technology Specialist, Micro Focus This message has been scanned for malware by Websense. www.websense.com :��IϮ��r�m (Z+�K�+1���x��h[�z�(Z+���f�y���f���h��)z{,���