Re: Country wide anti terrorism demonstration !
The PC Doctor wrote: This is innappropriate for this group. I resent it, and I am against it. -- I support peace and justice for everyone, not just for those on my own side. What say we get rid of the sides and just do the arithmetic for peace and justice? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: ADV: I bet that I make more money in the Web design business thanyou do. Time:5:40:46 PM
[EMAIL PROTECTED] wrote: Hey, what is it with you people today? Can't you keep enough sense to stay out of the professional groups? Go harass the porn fans or something. I'm having a hard enough time keeping up with the technical stuff I have to read! This message uses a character set that is not supported by the Internet Service. To view the original message content, open the attached message. If the text doesn't display correctly, save the attachment to disk, and then open it using a viewer that can display the original character set. message.txt Name: message.txt message.txtType: Plain Text (text/plain) Encoding: quoted-printable -- I support peace and justice for everyone, not just for those on my own side. What say we get rid of the sides and just do the arithmetic for peace and justice? __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: SSC with explicit Not Before Not After dates
Jean-Marc Desperrier wrote:
Xeno Campanoli wrote:
I want to explicitly set the Not Before and Not After dates on my self
signed certificate, for testing purposes. My only example for making
the self signed certificate with the OpenSSL applications, however, is
with the openssl req facility, which only allows you to specify days,
from what I can tell. Does anyone out there know a method for making
such an explicitly dated self signed certificate? Please do tell.
I know one.
Generate a self signed certificate with -req.
I've only generated self signed certificates with openssl req -x509. I
can't seem to find the combination that you might mean with openssl
x509. When I generate a self signed certificate with openssl req -x509
and then try to use it as a request, I get:
Error reading certificate request in {filespec} when I try to re-sign
it.
I may be leaving something out. Can you give me some examples? My
config files are okay I think, as I generate them dynamically for the
circumstance, and they are working elsewhere.
then use openssl ca by telling it to use for the ca certificate the
self-signed certificate you generated ( -cert ss.pem ) and for the request
the same self-signed certificate (-ss_cert ss.pem).
This gives you access to the options -startdate -enddate in the call to
openssl ca to set the start/end date of the certificate.
You will have to play with openssl.cnf to set the correct parameters for this
micro CA to work.
Xeno Campanoli wrote:
By the way, I just tried setting -days 0 for opensslreq to try and get a
certificate with no valid duration, and this gives a default of 30
days. Didn't anybody think of test data when they wrote this stuff?
So what ? For openssl setting 0 is equivalent to not setting this option, and
you will get the default value instead.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
--
===: [EMAIL PROTECTED] :
Collecting pledges for the Courage Classic Bicycle ride. It funds two
children's charities: www.courageclassic.com. I have 29 contributers
so far, for $465.75 ($399.75 from Aventail folks), presuming I finish.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: SSC with explicit Not Before Not After dates
Xeno Campanoli wrote:
Jean-Marc Desperrier wrote:
Xeno Campanoli wrote:
I want to explicitly set the Not Before and Not After dates on my self
signed certificate, for testing purposes. My only example for making
the self signed certificate with the OpenSSL applications, however, is
with the openssl req facility, which only allows you to specify days,
from what I can tell. Does anyone out there know a method for making
such an explicitly dated self signed certificate? Please do tell.
I know one.
Generate a self signed certificate with -req.
Okay, I seem to have done this after all. Among other things I was
getting a failure because the times between my server and client were
not in sync. Anyway, my missing step was mostly not reading your email
closely enough for the switches you recommended, -ss_cert and -cert, as
opposed to -out which I was still trying to use. My apologies. I also
was a bit confused until I found the resulting certificate apparently
couldn't be redirected explicitly, and please correct me if I'm wrong
about this, but rather I ended up extracting it from the 01.pem file
that ends up in the newcerts directory. Perhaps there is a config file
item on this I haven't seen, but at any rate I couldn't do it with any
command line switch.
Any feedback suggesting ways to further clean up this process is
shamelessly pleaded for. Thanks for the help thus far though, as this
makes my test system a lot better.
Sincerely, Xeno
I've only generated self signed certificates with openssl req -x509. I
can't seem to find the combination that you might mean with openssl
x509. When I generate a self signed certificate with openssl req -x509
and then try to use it as a request, I get:
Error reading certificate request in {filespec} when I try to re-sign
it.
I may be leaving something out. Can you give me some examples? My
config files are okay I think, as I generate them dynamically for the
circumstance, and they are working elsewhere.
then use openssl ca by telling it to use for the ca certificate the
self-signed certificate you generated ( -cert ss.pem ) and for the request
the same self-signed certificate (-ss_cert ss.pem).
This gives you access to the options -startdate -enddate in the call to
openssl ca to set the start/end date of the certificate.
You will have to play with openssl.cnf to set the correct parameters for this
micro CA to work.
Xeno Campanoli wrote:
By the way, I just tried setting -days 0 for opensslreq to try and get a
certificate with no valid duration, and this gives a default of 30
days. Didn't anybody think of test data when they wrote this stuff?
So what ? For openssl setting 0 is equivalent to not setting this option, and
you will get the default value instead.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
--
===: [EMAIL PROTECTED] :
Collecting pledges for the Courage Classic Bicycle ride. It funds two
children's charities: www.courageclassic.com. I have 29 contributers
so far, for $465.75 ($399.75 from Aventail folks), presuming I finish.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
--
===: [EMAIL PROTECTED] :
Collecting pledges for the Courage Classic Bicycle ride. It funds two
children's charities: www.courageclassic.com. I have 29 contributers
so far, for $465.75 ($399.75 from Aventail folks), presuming I finish.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
perl -cw warning on Net::SSLeay::randomize
Not like this is a deadly sin, but it would be nice if the following bug
were fixed. The $rnsf variable yields a warning from perl -w on the
following line, when a blank
or false $rn_seed_file is passed:
unless ($rnsf || -r $Net::SSLeay::random_device || $seed || || -S
$egd_path) {
--
Email: [EMAIL PROTECTED] (home home page:
http://www.aa.net/~xeno)
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: HTTPS
Michael wrote: hi, i'd like to know how to do GET / POST requests over HTTPS. there's some demos/bio example, but doesn't compile on Linux. perl+ Net::SSLeay I'm not sure I understand your question. Examples of doing this in my application are in the files HTTPing.pm and ATLSS.pm, and they both use Net::SSLeay. Please feel free to peruse this and ask me questions about it. I'll attach a tarball of a recent installation of FuncRegr. If you extract it, then look in the plibs directory for the aforementioned source files, you'll see what I do do run the security procedures in the various password cases. There are also some examples in files called sh-bin/*hhack.pl, but these are very stale, so you can't depend on them working anymore, but they are close. [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Email: [EMAIL PROTECTED] (home home page: http://www.aa.net/~xeno) __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: HTTPS
Michael wrote: hi, i'd like to know how to do GET / POST requests over HTTPS. there's some demos/bio example, but doesn't compile on Linux. perl+ Net::SSLeay [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] My mistake. I guess I'm tired. I thought you were an internal Michael. Sorry. Here's some examples of code that I can pass on because it's basically stuff I got from someone else on this group: pstoev.pl is attached. Mr. Stoev is another contributor. -- Email: [EMAIL PROTECTED] (home home page: http://www.aa.net/~xeno) pstoev.pl
certificate / privatekey passing
I think I just verified that my certificate is sane. At the suggestion
of a co-worker, I prompted for my certificate private key password to
verify it was right with:
./openssl pkcs8 -in ~me/theoneinquestion.cert -inform PEM
It prompts with:
Enter Password:
and providing the known password yields successful behavior with the
privatekey displayed. But with my own program, I get a different
prompt:
Enter PEM pass phrase:
which gets me into the PEM_ASN1_read_bio routine to call "def_callback"
with apparent success. I then get back the password I typed, its length
of greater than zero, but I then get a null returned from the
M_PKCS8_decrypt routine and at that point it falls out with a zero
return (failed decryption). Is this thing broken, or am I (more likely)
doing something badly? My call to using the SSL_CTX_use_PrivateKey_file
facility from the Net::SSLeay.pm Perl facility looks as follows, and
seems to have reasonable input:
Net::SSLeay::CTX_use_PrivateKey_file($this-{ctx},
$this-{privatekey_filespec},
Net::SSLeay::FILETYPE_PEM);
The privatekey_filespec item is the same filespec as the certificate
filespec, but I showed above this works with openssl directly, I think.
Please I'm dying for some enlightenment here. I'll RTF any M but I
haven't found an M which seems to be pertinent.
Sincerely, Xeno campanoli
--
Email: [EMAIL PROTECTED] (home home page:
http://www.aa.net/~xeno)
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Can't figure out SSL_CTX_use_PrivateKey_file
I'm trying this on a certificate file that has a known and verified private key and when it prompts me for the password, and I type it in, it always fails. I'm not sure of the problem. I tried inserting fprintf(stderr,"trace here\n"); statements and I get no output from anywhere where it seems I should. Can anyone make some suggestions. I'm completely stumped. -- Email: [EMAIL PROTECTED] (home home page: http://www.aa.net/~xeno) __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: https post
"Ray, Marla S" wrote: Please pardon what might seem like a simple question but I am very new to using the lwp and ssl modules and need some help. We are trying to use Perl to do a POST to an HTTPS location. Our post includes a file and optionally other form input. I can access and accomplish the POST just fine with my browser. I have some test code that works fine if we don't go through our proxy but if I use our proxy it returns an error indicating that the proxy did not like the format of the request. I had someone help with sniffing packets and it looks like my code is only generating a POST request and that there is no CONNECT request first. I have done several searches and can find what I would call bits and pieces of the puzzle but can't find enough to bring it all together. Every module that I find that I think we need seems to refer me to anther that needs installed. We are testing on NT but will be moving to HPUX for production. This is close to a problem I've worked on for over a week. I decided for my purposes the LWP morass is too messed up to fix for this purpose for now. It really needs some serious rewriting to make it work, or at least to make it work in a way which is reasonably understandable and changeable by someone who wants to feel solid about the results. I passed some code around with Philip Stoev that ended up helping me a lot. His modified code is attached. Among other things, you need to be using Net::SSLeay, instead of IO::Socket::SSLeay, and you need to add the get_session function to the export list in the Net/SSLeay.pm file...I think you need to do the latter, but you're welcome to try without. Now that I think about it, I didn't get around to that. I don't want to hurt anybody's feelings about LWP. I know it's a big piece of code that has gotten inputs from many people, which often results in messes. However, I really think it could be refactored to be a lot better than it is, AND, I think the first step would be a if one person like me could just spend the time to do some initial refactoring design. Unfortunately, I'm green in HTTP, not the most expert in Perl, and am getting too old to stay up all night and keep my job, so I'm not likely to get to it this week. If I can make some contributions or suggestions that are helpful, I will try. I wish the code could follow some basic OO precepts like simplicity, cleanliness, encapsulation of obsure aspects. However, I realize that the big problem is probably that so many people use the thing that any changes break thousands of programs. Perhaps we need an HWP. This is a pretty high profile package though, and it's what a lot of people point to when they say how awful the Perl world can be. It's in the interest of Perl users to improve it. Does anyone have experience with this kind of program? Can anyone help me with a list of modules that I will need to install and with some sample code that will get the request properly formatted? Thanks, Marla __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Xeno Campanoli (erstwhile Xeno Whitenack, and Rick Burgess) Email: [EMAIL PROTECTED] (Web pages: http://www.aa.net/~xeno) "...That side was made for you and me..." - Woody Guthrie pstoev1.pl
Re: MARC: msg 'Crypt::SSLeay - session support?']
Philip Stoev wrote: The NET::SSLeay module uses persistent session IDs and I have been using it successfully in such situations. Please let me know if you can not make it work and I will give you a code sample. Yeah, I just tried something that Andrew Leppard kindly suggested worked for him, and it didn't change my behavior. The problem is with a handshake on a private proxy that I cannot give further information out about, but I'm using LWP with SSLeay, and I go through the handshake sequence and then try to access the internal web page only to be given the password page again. All feedback is appreciated. I know it's hard to give good information since I can't be clear about the entire context of my situation. Code sample would definitely be welcomed. Protocol enlightenment might also be part of what I need, but according to what I saw on some other posts, the problem may be more towards the LWP side. To be clear though, part of the outstanding problem is that the sessionID changes in the middle of the handshake, and that is apparently why I get the password page again. Also, it's not a server problem because it works with Netscape. It only fails with my Perl/LWP script doing the handshake. Sincerely, Xeno Philip - Original Message - From: Xeno Campanoli To: [EMAIL PROTECTED] ; [EMAIL PROTECTED] Sent: Friday, March 09, 2001 1:29 AM Subject: [Fwd: MARC: msg 'Crypt::SSLeay - session support?'] Say Andrew, Did you ever get this problem figured out? I seem to be having a similar situation. I try to do this negotiation which works just fine from netscape, but somehow, though for the first few steps the session ID stays the same, at one point I get a new session Id back to LWP and the content is the original password prompt page again. Any feedback is appreciated. One of the things I was wondering was whether I needed to somehow use the "proxy" method or some proxy specific facility to make this go. I really want to do things step by step, but if there's a trick that makes it work for now, it would be better than nothing. I read the two replies on the group too. Nothing helps so far. Again, any response is welcome. Sincerely, Xeno -- Xeno Campanoli (erstwhile Xeno Whitenack, and Rick Burgess) Email: [EMAIL PROTECTED] (Web pages: http://www.aa.net/~xeno) "...That side was made for you and me..." - Woody Guthrie __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Xeno Campanoli (erstwhile Xeno Whitenack, and Rick Burgess) Email: [EMAIL PROTECTED] (Web pages: http://www.aa.net/~xeno) "...That side was made for you and me..." - Woody Guthrie
Re: MARC: msg 'Crypt::SSLeay - session support?']
Xeno Campanoli wrote: Sorry to sound dumb, but is it okay just to take the SSLeay.pm object inside LWP and set the SessionID in it at some strategic point so that the session is effectively preserved? Seems like that would be straightforward. >From what I saw, there were a lot of Autoloaded C functions, one of which must be the thing to use for that...if I knew the right syntax requirements. Philip Stoev wrote: The NET::SSLeay module uses persistent session IDs and I have been using it successfully in such situations. Please let me know if you can not make it work and I will give you a code sample. Yeah, I just tried something that Andrew Leppard kindly suggested worked for him, and it didn't change my behavior. The problem is with a handshake on a private proxy that I cannot give further information out about, but I'm using LWP with SSLeay, and I go through the handshake sequence and then try to access the internal web page only to be given the password page again. All feedback is appreciated. I know it's hard to give good information since I can't be clear about the entire context of my situation. Code sample would definitely be welcomed. Protocol enlightenment might also be part of what I need, but according to what I saw on some other posts, the problem may be more towards the LWP side. To be clear though, part of the outstanding problem is that the sessionID changes in the middle of the handshake, and that is apparently why I get the password page again. Also, it's not a server problem because it works with Netscape. It only fails with my Perl/LWP script doing the handshake. Sincerely, Xeno Philip - Original Message - From: Xeno Campanoli To: [EMAIL PROTECTED] ; [EMAIL PROTECTED] Sent: Friday, March 09, 2001 1:29 AM Subject: [Fwd: MARC: msg 'Crypt::SSLeay - session support?'] Say Andrew, Did you ever get this problem figured out? I seem to be having a similar situation. I try to do this negotiation which works just fine from netscape, but somehow, though for the first few steps the session ID stays the same, at one point I get a new session Id back to LWP and the content is the original password prompt page again. Any feedback is appreciated. One of the things I was wondering was whether I needed to somehow use the "proxy" method or some proxy specific facility to make this go. I really want to do things step by step, but if there's a trick that makes it work for now, it would be better than nothing. I read the two replies on the group too. Nothing helps so far. Again, any response is welcome. Sincerely, Xeno -- Xeno Campanoli (erstwhile Xeno Whitenack, and Rick Burgess) Email: [EMAIL PROTECTED] (Web pages: http://www.aa.net/~xeno) "...That side was made for you and me..." - Woody Guthrie __ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Xeno Campanoli (erstwhile Xeno Whitenack, and Rick Burgess) Email: [EMAIL PROTECTED] (Web pages: http://www.aa.net/~xeno) "...That side was made for you and me..." - Woody Guthrie -- Xeno Campanoli (erstwhile Xeno Whitenack, and Rick Burgess) Email: [EMAIL PROTECTED] (Web pages: http://www.aa.net/~xeno) "...That side was made for you and me..." - Woody Guthrie
[Fwd: MARC: msg 'Crypt::SSLeay - session support?']
Say Andrew, Did you ever get this problem figured out? I seem to be having a similar situation. I try to do this negotiation which works just fine from netscape, but somehow, though for the first few steps the session ID stays the same, at one point I get a new session Id back to LWP and the content is the original password prompt page again. Any feedback is appreciated. One of the things I was wondering was whether I needed to somehow use the "proxy" method or some proxy specific facility to make this go. I really want to do things step by step, but if there's a trick that makes it work for now, it would be better than nothing. I read the two replies on the group too. Nothing helps so far. Again, any response is welcome. Sincerely, Xeno -- Xeno Campanoli (erstwhile Xeno Whitenack, and Rick Burgess) Email: [EMAIL PROTECTED] (Web pages: http://www.aa.net/~xeno) "...That side was made for you and me..." - Woody Guthrie http://marc.theaimsgroup.com/?l=openssl-usersm=98302390820605w=2 -- Xeno Campanoli - Aspiring and self-appointed member of the Diligentsia, generally eschewing Dilatorian digressions and Obnoxioso expenditures. Email: [EMAIL PROTECTED] (home home page: http://www.aa.net/~xeno Title: MARC: msg 'Crypt::SSLeay - session support?' [prev in list] [next in list] [prev in thread] [next in thread] List: openssl-users Subject: Crypt::SSLeay - session support? From: Andrew Leppard [EMAIL PROTECTED] Date: 2001-02-24 14:13:31 [Download message RAW] I think I've missed something *really* basic with this: Im trying to access a secure web site using Crypt::SSLeay and it connects ok and Im trying to authenticate myself to this web site - which I can do using a POST operation passing my username/password. So far so good. But then all subsequent requests I make, the server thinks I haven't entered my username/password. Now the doc pages of LWP Agent say that each request/response pair is independant of past/previous ones - so how can I log onto a secure web site and access its information - dont i need some sort of session??? My code is pretty simple so far: use HTTP::Request; use LWP; my $ua = LWP::UserAgent-new; # # Post my username/password to the website via its form. Now I know this works on \ some level # because if i enter the password wrong it says something along the lines \ of # access denied. If I get it right the response is a 302 (Moved) and redirects me # to some web page - which I can't access cause it asks me for my password again! # my $res = $ua-request(POST 'https://www.somesecurewebsite.com/login.html', [ username = 'my user name', password = 'my password']); # # Now assuming the above post worked (which it kind of does) - id now like to access # one of the web pages on the secure site under my login above # my $res = $ua-request(GET \ 'https://www.somesecurewebsite.com/YouCanViewThisIfYouLogIn.html'); # # But the secure web server just thinks Im not logged in and returns a web page here \ saying 'please log in' # any help appreciated!! thanks, bye Andrew Leppard __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] [prev in list] [next in list] [prev in thread] [next in thread] Log in / Log out About MARC We're Hiring! Want to add a list? Tell us about it. The AIMS Group
