Re: [openssl-users] Problems with server mode of openssl ocsp

2017-09-07 Thread Robert Moskowitz

On 09/07/2017 04:13 PM, Dr. Stephen Henson wrote:
> On Thu, Sep 07, 2017, Robert Moskowitz wrote:
>
>> Good progress.  A few questions:
>>
>> on
>> https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
>>
>> The sample server test command is:
>>
>> openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
>>    -index intermediate/index.txt \
>>    -CA intermediate/certs/ca-chain.cert.pem \
>>    -rkey intermediate/private/ocsp.example.com.key.pem \
>>    -rsigner intermediate/certs/ocsp.example.com.cert.pem \
>>    -nrequest 1
>>
>> Turns out this is a wrong format for -port.  Only the portnum is
>> allowed, not the host.  Turns out that
>>
>> -port 2560
>>
>> works as it seems to be listening on localhost.  But how DO you set
>> up which address to listen on?  -host seems to be only for client
>> mode, and I don't see how I would use -url.
>
> There is currently no option to do that.

OK.  It does listen on localhost, so I'm OK with just -port 2560.  I
will have to send Jamie a note...

>> The -sha256 option results in the error:
>>
>> ocsp: Digest must be before -cert or -serial
>> ocsp: Use -help for summary.
>>
>> I don't see either -cert or -serial in that command.  If I leave the
>> hash out, it defaults to sha1.  How do I specify the hash?
>
> Do you mean the digest the response is signed with? Try the -rmd option if so.

No such option documented at:

https://www.openssl.org/docs/man1.1.0/apps/ocsp.html

but 'openssl ocsp -help' does list it.  I am assuming that I would use:

-rmd sha256

It'll be a bit until I get back to that part of the test.

thanks

Bob

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Problems with server mode of openssl ocsp

2017-09-07 Thread Dr. Stephen Henson
On Thu, Sep 07, 2017, Robert Moskowitz wrote:

> Good progress.  A few questions:
> 
> on 
> https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html
> 
> The sample server test command is:
> 
> openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
>   -index intermediate/index.txt \
>   -CA intermediate/certs/ca-chain.cert.pem \
>   -rkey intermediate/private/ocsp.example.com.key.pem \
>   -rsigner intermediate/certs/ocsp.example.com.cert.pem \
>   -nrequest 1
> 
> Turns out this is a wrong format for -port.  Only the portnum is
> allowed, not the host.  Turns out that
> 
> -port 2560
> 
> works as it seems to be listening on localhost.  But how DO you set
> up which address to listen on?  -host seems to be only for client
> mode, and I don't see how I would use -url.
> 

There is currently no option to do that.

> The -sha256 option results in the error:
> 
> ocsp: Digest must be before -cert or -serial
> ocsp: Use -help for summary.
> 
> I don't see either -cert or -serial in that command.  If I leave the
> hash out, it defaults to sha1.  How do I specify the hash?
> 

Do you mean the digest the response is signed with? Try the -rmd option if so.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


[openssl-users] Problems with server mode of openssl ocsp

2017-09-07 Thread Robert Moskowitz

Good progress.  A few questions:

on 
https://jamielinux.com/docs/openssl-certificate-authority/online-certificate-status-protocol.html


The sample server test command is:

openssl ocsp -port 127.0.0.1:2560 -text -sha256 \
  -index intermediate/index.txt \
  -CA intermediate/certs/ca-chain.cert.pem \
  -rkey intermediate/private/ocsp.example.com.key.pem \
  -rsigner intermediate/certs/ocsp.example.com.cert.pem \
  -nrequest 1

Turns out this is a wrong format for -port.  Only the portnum is 
allowed, not the host.  Turns out that


-port 2560

works as it seems to be listening on localhost.  But how DO you set up 
which address to listen on?  -host seems to be only for client mode, and 
I don't see how I would use -url.


The -sha256 option results in the error:

ocsp: Digest must be before -cert or -serial
ocsp: Use -help for summary.

I don't see either -cert or -serial in that command.  If I leave the 
hash out, it defaults to sha1.  How do I specify the hash?


thanks

Bob



Re: [openssl-users] SMIME -sign subcommand

2017-09-07 Thread Scott Neugroschl
Run it in a debugger?

From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Carlos Caraccia
Sent: Thursday, September 07, 2017 5:02 AM
To: openssl-users@openssl.org
Subject: [openssl-users] SMIME -sign subcommand

Hello, is there a way to debug or watch line by line which functions are
executed when I run this command:

openssl smime -sign -signer certificadoWSASS.cer -inkey MiClave 
-out ticket.xml.cms -in Ticket.xml -outform PEM -nodetach

I know I can see smime.c here:

/apps

I want to know how to compile it, if that is possible, and run it in
Xcode to watch the functions involved step by step.

Thanks

Carlos


Re: [openssl-users] SMIME -sign subcommand

2017-09-07 Thread Jakob Bohm

On 07/09/2017 14:02, Carlos Caraccia wrote:
> Hello, is there a way to debug or watch line by line which functions
> are executed when I run this command:
>
> openssl smime -sign -signer certificadoWSASS.cer -inkey MiClave -out
> ticket.xml.cms -in Ticket.xml -outform PEM -nodetach
>
> I know I can see smime.c here:
>
> /apps
>
> I want to know how to compile it, if that is possible, and run it in
> Xcode to watch the functions involved step by step.



Get the source code from https://www.openssl.org/source/

Build it for your Mac using commands such as:
(Note these steps are based on a build script for OpenSSL 1.0.2k)

tar xzf openssl-1.something.tar.gz
cd openssl-1.something

# Use Xcode's clang rather than whatever cc/gcc happens to be on the PATH.
CC=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang
export CC
# The SDK lives in different places on older and newer Xcode installs; try both.
MACOSX_SDK=/Developer/SDKs/MacOSX10.12.sdk
[ -d ${MACOSX_SDK} ] || \
  MACOSX_SDK=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.12.sdk

# A debug build target, so the debugger can step through the source.
./Configure debug-darwin64-x86_64-cc --openssldir="$(pwd)-x86_64"
perl -i -pe 's|static volatile sig_atomic_t intr_signal|static volatile int intr_signal|' crypto/ui/ui_openssl.c
perl -i -pe "s|^CC= gcc|CC= ${CC} -arch x86_64 -mmacosx-version-min=10.6|g" Makefile
perl -i -pe "s|^CFLAG= |CFLAG= -arch x86_64 -mmacosx-version-min=10.6 -isysroot ${MACOSX_SDK} |g" Makefile

make MAKEDEPPROG=${CC} depend
make
make test
make install

Now debug the program in openssl-1.something-x86_64/bin/openssl

(Sorry, I don't know how to tell XCode to debug a program already
compiled with the XCode command line clang)

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



[openssl-users] SMIME -sign subcommand

2017-09-07 Thread Carlos Caraccia
Hello, is there a way to debug or watch line by line which functions are
executed when I run this command:

openssl smime -sign -signer certificadoWSASS.cer -inkey MiClave -out
ticket.xml.cms -in Ticket.xml -outform PEM -nodetach

I know I can see smime.c here:

/apps

I want to know how to compile it, if that is possible, and run it in
Xcode to watch the functions involved step by step.

Thanks 

Carlos


Re: [openssl-users] openssl -check

2017-09-07 Thread Jakob Bohm

On 07/09/2017 07:58, "Georg Höllrigl" wrote:
> Sent: Wednesday, 06 September 2017 at 18:06
> From: "Jakob Bohm"
> To: openssl-users@openssl.org
> Subject: Re: [openssl-users] openssl -check
>> On 06/09/2017 16:18, "Georg Höllrigl" wrote:
>>> Hello,
>>> Is there a way to verify a cert?
>>> I'm thinking about some equivalent to
>>> openssl rsa -noout -in example.key -check
>>> but for the public part.
>>> I found some broken certificate (lines in the PEM encoding got swapped)
>>> openssl x509 -in broken.cer but see no way to verify...
>>> comparing with the original cert shows different thumbprint... but
>>> shouldn't there be some kind of checksum to verify?
>> The signature on a certificate is a very strong checksum.
>>
>> For certificates that are not self-signed, openssl x509 -verify should
>> do it.
> Agreed. That would be exactly what I had in mind - but it's not working.
> -verify only exists for "openssl req" to check a CSR?
> I've created an example broken certificate from google:


Sorry, I got the syntax wrong.

It's simply openssl verify

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
