Newbie questions: extracting public key's exponent and modules.
Hi All,
Here is the part of the code that was previously developed. The code
successfully extract a public key from some secure server, now I like to
know how to extract the exponent and modules of the public key
(rsa_public_key).
EVP_PKEY *public_key = NULL;
RSA *rsa_public_key = NULL;
...
...
public_key = ENGINE_load_public_key(e1, file_nm_public,
UI_OpenSSL(), NULL);
if (public_key == NULL)
{
...
exit (-1);
}
rsa_public_key = EVP_PKEY_get1_RSA(public_key);
Many thanks in advance,
Bizhan
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
RE: Newbie questions: extracting public key's exponent and modules.
what about
rsa_public_key-n
and
rsa_public_key-e
You could do
BN *n = BN_dup(rsa_public_key-n);
BN *e = BN_dup(rsa_public_key-e);
And do what you want with them (don't forget to free them)
If you are wanting to display them
char *n_txt = BN_bn2dec(n);
char *e_txt = BN_bn2dec(e);
or
char *n_hextxt = BN_bn2hex(n);
char *e_hextxt = BN_bn2hex(e);
if you want the data in a non-openssl format for some other library you can get
the bits
int n_len = BN_num_bytes(n);
int e_len = BN_num_bytes(e);
unsigned char *raw_n,*raw_e
if (! raw_n = malloc(n_len)) { fail ...}
if (! raw_e = malloc(e_len)) { fail ...}
if (BN_bn2bin(n,raw_n)!= n_len) { fail...}
if (BN_bn2bin(e,raw_e)!= e_len) { fail...}
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Bizhan Gholikhamseh (bgholikh)
Sent: Thursday, October 22, 2009 6:20 AM
To: openssl-users@openssl.org
Subject: Newbie questions: extracting public key's exponent and modules.
Hi All,
Here is the part of the code that was previously developed. The code
successfully extract a public key from some secure server, now I like to
know how to extract the exponent and modules of the public key
(rsa_public_key).
EVP_PKEY *public_key = NULL;
RSA *rsa_public_key = NULL;
...
...
public_key = ENGINE_load_public_key(e1, file_nm_public,
UI_OpenSSL(), NULL);
if (public_key == NULL)
{
...
exit (-1);
}
rsa_public_key = EVP_PKEY_get1_RSA(public_key);
Many thanks in advance,
Bizhan
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Newbie Questions
On January 6, 2009 12:20:47 pm Richard Lichvar wrote: A newbieto OpenSSL here. (Mainly used to using 3rd party authorities.) Not very good at command line stuff either. 1. Cert request generated from IIS 6 but it is against the default website with .txt extension. Can a cert be generated using this request? Depends - is the file a PKCS#10 request? If so, then as long as the private key is the same as that which will be used by your site, then it could be used for requesting a Certificate from a CA. 2. Used the example in CA.pl doc to generate a new CA and request. When doing CA.pl -signreq getting an error re. unable to load CA private key followed by a 2072:error:0906D06C:PEM Sounds like you haven't properly set up your CA. 3. How can I generate a cert using the original certreq.txt generated by IIS? CA.pl -signreq is one way. But only after properly setting up the CA. 4. How do I insure any cert generated will be recognized by IIS? I'm not sure that I understand - once loaded and configured into IIS, the certificate is PRESENTED by IIS to the browser. Thus, it is the browser that will be recognising the Certificate, not IIS. Now, if you are just deploying this internally in a test environment, you can just tell your test browsers to not care about trusting the Certificate. If you are deploying this to the world, or even within your organisation, you will get a lot fewer problems if you don't try and generate the certificate yourself, and instead, go and buy your certificate from someone that has their CA certificate in the browser trust list. Have fun. -- Patrick Patterson President and Chief PKI Architect, Carillon Information Security Inc. http://www.carillon.ca __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Newbie Questions
A newbieto OpenSSL here. (Mainly used to using 3rd party authorities.) Not very good at command line stuff either. 1. Cert request generated from IIS 6 but it is against the default website with .txt extension. Can a cert be generated using this request? 2. Used the example in CA.pl doc to generate a new CA and request. When doing CA.pl -signreq getting an error re. unable to load CA private key followed by a 2072:error:0906D06C:PEM 3. How can I generate a cert using the original certreq.txt generated by IIS? 4. How do I insure any cert generated will be recognized by IIS? Many thanks in advance for your help to this newbie. Rich Lichvar P.S. Yes, I know there is a cert generation tool in the IIS Reskit; however, it will not generate a cert against the Default IIS web site.
Re: Newbie questions
Much appreciated Endhy. Garyc --- Endhy Aziz [EMAIL PROTECTED] wrote: I wrote : One of the chapter, Designing With SSL may help . Should be : One of the chapter, Coding With SSL may help Regards, --Endhy __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions
See SSL and TLS by Eric Rescorla. It describes SSL protocol completely, including how to program with SSL. One of the chapter, Designing With SSL may help you. --Endhy
Re: Newbie questions
I wrote : One of the chapter, Designing With SSL may help . Should be : One of the chapter, Coding With SSL may help Regards, --Endhy
RE: Newbie questions
Hi, I downloaded and installed open-ssl on a windows environment. I then used the openssl application to start the s_client and s_server. I ran the client and server with the following commands. I then attempted to connect my client to the s_server. I managed to connect to the server but failed to transmit data. Can anybody point me to a simple example I can use to get me rolling on this? I don't think this are any simple examples for OpenSSL ;-) The best bet IMHO is to buy a few books and read them thoroughly before attempting to anything. I have Network Security with OpenSSL, and SSL and TLS by Eric Rescorla. M __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie questions
Hey Mark, Yep I think your right. Ordered the Network Security with OpenSSL book. Thanks, Garyc --- Mark [EMAIL PROTECTED] wrote: Hi, I downloaded and installed open-ssl on a windows environment. I then used the openssl application to start the s_client and s_server. I ran the client and server with the following commands. I then attempted to connect my client to the s_server. I managed to connect to the server but failed to transmit data. Can anybody point me to a simple example I can use to get me rolling on this? I don't think this are any simple examples for OpenSSL ;-) The best bet IMHO is to buy a few books and read them thoroughly before attempting to anything. I have Network Security with OpenSSL, and SSL and TLS by Eric Rescorla. M __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions
I believe a PDF is available for free on the Internet. I googled for it a few weeks ago thinking I would find an abstract of it and instead found the entire book. Chaz On 5/23/07, gary clark [EMAIL PROTECTED] wrote: Hey Mark, Yep I think your right. Ordered the Network Security with OpenSSL book. Thanks, Garyc --- Mark [EMAIL PROTECTED] wrote: Hi, I downloaded and installed open-ssl on a windows environment. I then used the openssl application to start the s_client and s_server. I ran the client and server with the following commands. I then attempted to connect my client to the s_server. I managed to connect to the server but failed to transmit data. Can anybody point me to a simple example I can use to get me rolling on this? I don't think this are any simple examples for OpenSSL ;-) The best bet IMHO is to buy a few books and read them thoroughly before attempting to anything. I have Network Security with OpenSSL, and SSL and TLS by Eric Rescorla. M __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions
Hey Chas, You dont happen to know the link. Did a quick search and just got the pdf with just the first 5 chapters? Much appreciated, Garyc --- Chas. [EMAIL PROTECTED] wrote: I believe a PDF is available for free on the Internet. I googled for it a few weeks ago thinking I would find an abstract of it and instead found the entire book. Chaz On 5/23/07, gary clark [EMAIL PROTECTED] wrote: Hey Mark, Yep I think your right. Ordered the Network Security with OpenSSL book. Thanks, Garyc --- Mark [EMAIL PROTECTED] wrote: Hi, I downloaded and installed open-ssl on a windows environment. I then used the openssl application to start the s_client and s_server. I ran the client and server with the following commands. I then attempted to connect my client to the s_server. I managed to connect to the server but failed to transmit data. Can anybody point me to a simple example I can use to get me rolling on this? I don't think this are any simple examples for OpenSSL ;-) The best bet IMHO is to buy a few books and read them thoroughly before attempting to anything. I have Network Security with OpenSSL, and SSL and TLS by Eric Rescorla. M __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions
When I get back to my house this evening I will send you the file. Will that be alright? Chas. On 5/23/07, gary clark [EMAIL PROTECTED] wrote: Hey Chas, You dont happen to know the link. Did a quick search and just got the pdf with just the first 5 chapters? Much appreciated, Garyc --- Chas. [EMAIL PROTECTED] wrote: I believe a PDF is available for free on the Internet. I googled for it a few weeks ago thinking I would find an abstract of it and instead found the entire book. Chaz On 5/23/07, gary clark [EMAIL PROTECTED] wrote: Hey Mark, Yep I think your right. Ordered the Network Security with OpenSSL book. Thanks, Garyc --- Mark [EMAIL PROTECTED] wrote: Hi, I downloaded and installed open-ssl on a windows environment. I then used the openssl application to start the s_client and s_server. I ran the client and server with the following commands. I then attempted to connect my client to the s_server. I managed to connect to the server but failed to transmit data. Can anybody point me to a simple example I can use to get me rolling on this? I don't think this are any simple examples for OpenSSL ;-) The best bet IMHO is to buy a few books and read them thoroughly before attempting to anything. I have Network Security with OpenSSL, and SSL and TLS by Eric Rescorla. M __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions
Excellent Chas. Thanks, Garyc --- Chas. [EMAIL PROTECTED] wrote: When I get back to my house this evening I will send you the file. Will that be alright? Chas. On 5/23/07, gary clark [EMAIL PROTECTED] wrote: Hey Chas, You dont happen to know the link. Did a quick search and just got the pdf with just the first 5 chapters? Much appreciated, Garyc --- Chas. [EMAIL PROTECTED] wrote: I believe a PDF is available for free on the Internet. I googled for it a few weeks ago thinking I would find an abstract of it and instead found the entire book. Chaz On 5/23/07, gary clark [EMAIL PROTECTED] wrote: Hey Mark, Yep I think your right. Ordered the Network Security with OpenSSL book. Thanks, Garyc --- Mark [EMAIL PROTECTED] wrote: Hi, I downloaded and installed open-ssl on a windows environment. I then used the openssl application to start the s_client and s_server. I ran the client and server with the following commands. I then attempted to connect my client to the s_server. I managed to connect to the server but failed to transmit data. Can anybody point me to a simple example I can use to get me rolling on this? I don't think this are any simple examples for OpenSSL ;-) The best bet IMHO is to buy a few books and read them thoroughly before attempting to anything. I have Network Security with OpenSSL, and SSL and TLS by Eric Rescorla. M __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Newbie questions
Hello, I downloaded and installed open-ssl on a windows environment. I then used the openssl application to start the s_client and s_server. I ran the client and server with the following commands. I then attempted to connect my client to the s_server. I managed to connect to the server but failed to transmit data. Can anybody point me to a simple example I can use to get me rolling on this? Much appreciated, Garyc __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Newbie Questions
I am a newbie with both openssl security in general. So excuse me if my questions are naive. 1) I have installed openssl sources. In the certs directory, there are various certificates. I looked at a couple of them - aol1.pem vsign1.pem. The vsign1.pem starts with subject=/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority notBefore=Jan 29 00:00:00 1996 GMT notAfter=Jan 7 23:59:59 2020 GMT then BEGIN_CERTIFICATE - the certificate itself then END_CERTIFICATE. The aol1.pem directly starts with BEGIN_CERTIFICATE - i.e. it doesn't have the subject field the notBefore/notAfter. Why this difference between aol1.pem vsign1.pem? 2) I can run the command openssl x509 -hash -in [pem filename] on either of the pem files I get a hash (for eg. bda4cc84) for aol1.pem What exactly is being hashed here - is it the part between BEGIN_CERTIFICATE END_CERTIFICATE? What hashing algorithm in being used? 3) I have firefox installed on my machine. I go to tools - options - advanced- Encryption Tab. Then I click on view certificates. I get the certificate manager dialog with 4 tabs - Your certs, other people's certs, web sites authorites. All these 4 tabs have the Import Button. I am able to import aol1.pem etc using the import button on the last 2 tabs, but not the first 2 tabs. Trying to import it using the Your certs Other people's certs asks me for the password? Why this difference? i.e. are people's certificates different from authorities website's certs? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie Questions
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Rocky S schrieb: 1) I have installed openssl sources. In the certs directory, there are various certificates. I looked at a couple of them - aol1.pem vsign1.pem. The vsign1.pem starts with [...] The aol1.pem directly starts with BEGIN_CERTIFICATE - i.e. it doesn't have the subject field the notBefore/notAfter. Why this difference between aol1.pem vsign1.pem? The differences are only cosmetically. The important part is between the -BEGIN CERTIFICATE- and - -END CERTIFICATE- lines. The other data is for humans to see what is between these lines... 2) I can run the command openssl x509 -hash -in [pem filename] on either of the pem files I get a hash (for eg. bda4cc84) for aol1.pem What exactly is being hashed here - is it the part between BEGIN_CERTIFICATE END_CERTIFICATE? The subject name of the certificate stored between the BEGIN... / END... lines. What hashing algorithm in being used? It is the first 4 bytes of the MD5 hash of the certificate subject name. 3) I have firefox installed on my machine. I go to tools - options - advanced- Encryption Tab. Then I click on view certificates. I get the certificate manager dialog with 4 tabs - Your certs, other people's certs, web sites authorites. All these 4 tabs have the Import Button. I am able to import aol1.pem etc using the import button on the last 2 tabs, but not the first 2 tabs. This indicates that firefox still has some issues handling certificates. These certificates are CA certificates (and for example aol1.pem clearly marked as one) so it should only be possible to import it in the authorities tab. Bye Goetz - -- DMCA: The greed of the few outweights the freedom of the many -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFGE4W12iGqZUF3qPYRAkPoAJ4g+FaXz63dkL6DlzXW9kwW4hpEqQCbB0Qf l+raxPF/NCktluLTFYf/B9Y= =Sr8E -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.
Thanks Kyle. I had not been aware of the registration authority option. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Hamilton Sent: Monday, 3 April 2006 2:21 p.m. To: openssl-users@openssl.org Subject: Re: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco. On 4/2/06, Davidson, Brett (Managed Services) [EMAIL PROTECTED] wrote: I can set the Cisco certificate to authenticate to the W2K domain. That's reasonably simple. Deciding what to do about things after that gets a little interesting but that's another topic... :-) The anonymous connection requirements for expired passwords I understand but surely that's just a case of allowing access to the certificate server on the appropriate ports? (port 80 if web-based authentication is used, for instance)? If an account (or its password) is expired, it cannot authenticate. That's part of the problem, and the only way to change it is to allow anonymous RPC connections. I have read that Windows will not support port-based IPSec rules but that won't apply in this case. I'm not sure what you mean by port-based IPSec rules -- it does allow for the creation of policy that states that traffic, incoming or outgoing, over a given port or set of ports, MUST be IPsec'd. I wasn't thinking of using the Suse server as a passthrough for webclient certificate generation; as you surmise I suspect that would be more trouble than it's worth. There's enough written about how it's clumsy with ISA server to put me off that. I was considering using the Suse server as a certificate issuer in it's own right backed by a higher-level certificate on the W2K machine. (I don't want web users to authenticate on the domain; at least that's not a requirement yet, and if so, that should still be possible depending on the type of certificate issued by the W2K machine). There are two ways that you could do this -- have the webserver be a registration authority, i.e. it accepts CSRs from clients and sends them on to the certifying authority. Or, you can have it be an issuer in its own right, which will require that it have a certificate which is authorized to be a CA (ca:true, maxDepth=[something greater than 1]) by signing its certificate with the W2K CA in a CA mode. (The idea being that anything signed by the CA is authenticated by that CA.) -Kyle H __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.
Title: Message First some background. First issue: I'm wanting to establishcertificate-driven, IPSec-based authentication and access on my local LAN. Participants are mainly Windows XP machines (including some laptops via wireless access points which started this process) and a SUSE Linux webserver. The current Windows 2000 server will have Group Policies implemented restricting access to authenticated domain members.(Obviously, the webserver will be excluded from some of these policies). Essentially. access to the domain and the domainserver should be restricted to known machines. What also needs to occur is that these same known machines require internet access via a Cisco 800 series router. (thus the same IPsec policies on the domain need to be applied as authentication-only policies on the router). Incoming traffic (as distinct from return traffic) needs to be allowed to the webserver. Second issue is that I wish the Linux webserver to be able to distribute subordinate certificates to web clients. Started to look at the planning for this and my brain started to hurt. Anyone tried this and can share some gotchas, do's and don'ts? Regards, Brett Davidson
Re: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.
The Cisco also needs to be exempted from the authenticated domain members rule, unless you can set its identifying certificate up as authenticatable to the domain. (You are authenticating against the Windows 2000 domain, correct?) There are known issues with restricting access to known machines only. See the Microsoft knowledge base for details. (Primarily, computers can't change their account passwords, users can't change their passwords after they expire, since that requires an anonymous connection, and a couple other things that are fairly annoying.) 'subordinate certificates to web clients'? Do you mean end-user TLS authentication certificates? If so... It should be possible to set up Certificate Services on a domain controller, then create a new Certificate Policy that will allow you to create a subordinate CA. Then, create an LDAP client (to run on the webserver) that has a certificate or other means to authenticate as something has permission to modify user attributes, specifically user-certificate. While it should theoretically be possible to send CSRs and then certificates through the Apache (SuSE) server via mod_proxy, I'm not entirely certain how the interactions between the domain server and the client would work in that case. Hire me as a consultant, and I can help more? ;) -Kyle H On 4/2/06, Davidson, Brett (Managed Services) [EMAIL PROTECTED] wrote: First some background. First issue: I'm wanting to establish certificate-driven, IPSec-based authentication and access on my local LAN. Participants are mainly Windows XP machines (including some laptops via wireless access points which started this process) and a SUSE Linux webserver. The current Windows 2000 server will have Group Policies implemented restricting access to authenticated domain members. (Obviously, the webserver will be excluded from some of these policies). Essentially. access to the domain and the domainserver should be restricted to known machines. What also needs to occur is that these same known machines require internet access via a Cisco 800 series router. (thus the same IPsec policies on the domain need to be applied as authentication-only policies on the router). Incoming traffic (as distinct from return traffic) needs to be allowed to the webserver. Second issue is that I wish the Linux webserver to be able to distribute subordinate certificates to web clients. Started to look at the planning for this and my brain started to hurt. Anyone tried this and can share some gotchas, do's and don'ts? Regards, Brett Davidson __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.
I take it that the easiest solution is to establish a certificate-authenticated VPN instead then? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Hamilton Sent: Monday, 3 April 2006 11:26 a.m. To: openssl-users@openssl.org Subject: Re: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco. The Cisco also needs to be exempted from the authenticated domain members rule, unless you can set its identifying certificate up as authenticatable to the domain. (You are authenticating against the Windows 2000 domain, correct?) There are known issues with restricting access to known machines only. See the Microsoft knowledge base for details. (Primarily, computers can't change their account passwords, users can't change their passwords after they expire, since that requires an anonymous connection, and a couple other things that are fairly annoying.) 'subordinate certificates to web clients'? Do you mean end-user TLS authentication certificates? If so... It should be possible to set up Certificate Services on a domain controller, then create a new Certificate Policy that will allow you to create a subordinate CA. Then, create an LDAP client (to run on the webserver) that has a certificate or other means to authenticate as something has permission to modify user attributes, specifically user-certificate. While it should theoretically be possible to send CSRs and then certificates through the Apache (SuSE) server via mod_proxy, I'm not entirely certain how the interactions between the domain server and the client would work in that case. Hire me as a consultant, and I can help more? ;) -Kyle H On 4/2/06, Davidson, Brett (Managed Services) [EMAIL PROTECTED] wrote: First some background. First issue: I'm wanting to establish certificate-driven, IPSec-based authentication and access on my local LAN. Participants are mainly Windows XP machines (including some laptops via wireless access points which started this process) and a SUSE Linux webserver. The current Windows 2000 server will have Group Policies implemented restricting access to authenticated domain members. (Obviously, the webserver will be excluded from some of these policies). Essentially. access to the domain and the domainserver should be restricted to known machines. What also needs to occur is that these same known machines require internet access via a Cisco 800 series router. (thus the same IPsec policies on the domain need to be applied as authentication-only policies on the router). Incoming traffic (as distinct from return traffic) needs to be allowed to the webserver. Second issue is that I wish the Linux webserver to be able to distribute subordinate certificates to web clients. Started to look at the planning for this and my brain started to hurt. Anyone tried this and can share some gotchas, do's and don'ts? Regards, Brett Davidson __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.
I can set the Cisco certificate to authenticate to the W2K domain. That's reasonably simple. Deciding what to do about things after that gets a little interesting but that's another topic... :-) The anonymous connection requirements for expired passwords I understand but surely that's just a case of allowing access to the certificate server on the appropriate ports? (port 80 if web-based authentication is used, for instance)? I have read that Windows will not support port-based IPSec rules but that won't apply in this case. I wasn't thinking of using the Suse server as a passthrough for webclient certificate generation; as you surmise I suspect that would be more trouble than it's worth. There's enough written about how it's clumsy with ISA server to put me off that. I was considering using the Suse server as a certificate issuer in it's own right backed by a higher-level certificate on the W2K machine. (I don't want web users to authenticate on the domain; at least that's not a requirement yet, and if so, that should still be possible depending on the type of certificate issued by the W2K machine). -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Hamilton Sent: Monday, 3 April 2006 11:26 a.m. To: openssl-users@openssl.org Subject: Re: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco. The Cisco also needs to be exempted from the authenticated domain members rule, unless you can set its identifying certificate up as authenticatable to the domain. (You are authenticating against the Windows 2000 domain, correct?) There are known issues with restricting access to known machines only. See the Microsoft knowledge base for details. (Primarily, computers can't change their account passwords, users can't change their passwords after they expire, since that requires an anonymous connection, and a couple other things that are fairly annoying.) 'subordinate certificates to web clients'? Do you mean end-user TLS authentication certificates? If so... It should be possible to set up Certificate Services on a domain controller, then create a new Certificate Policy that will allow you to create a subordinate CA. Then, create an LDAP client (to run on the webserver) that has a certificate or other means to authenticate as something has permission to modify user attributes, specifically user-certificate. While it should theoretically be possible to send CSRs and then certificates through the Apache (SuSE) server via mod_proxy, I'm not entirely certain how the interactions between the domain server and the client would work in that case. Hire me as a consultant, and I can help more? ;) -Kyle H On 4/2/06, Davidson, Brett (Managed Services) [EMAIL PROTECTED] wrote: First some background. First issue: I'm wanting to establish certificate-driven, IPSec-based authentication and access on my local LAN. Participants are mainly Windows XP machines (including some laptops via wireless access points which started this process) and a SUSE Linux webserver. The current Windows 2000 server will have Group Policies implemented restricting access to authenticated domain members. (Obviously, the webserver will be excluded from some of these policies). Essentially. access to the domain and the domainserver should be restricted to known machines. What also needs to occur is that these same known machines require internet access via a Cisco 800 series router. (thus the same IPsec policies on the domain need to be applied as authentication-only policies on the router). Incoming traffic (as distinct from return traffic) needs to be allowed to the webserver. Second issue is that I wish the Linux webserver to be able to distribute subordinate certificates to web clients. Started to look at the planning for this and my brain started to hurt. Anyone tried this and can share some gotchas, do's and don'ts? Regards, Brett Davidson __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions : 2 issues relating to interaction between Linux, Windows 2000 and Cisco.
On 4/2/06, Davidson, Brett (Managed Services) [EMAIL PROTECTED] wrote: I can set the Cisco certificate to authenticate to the W2K domain. That's reasonably simple. Deciding what to do about things after that gets a little interesting but that's another topic... :-) The anonymous connection requirements for expired passwords I understand but surely that's just a case of allowing access to the certificate server on the appropriate ports? (port 80 if web-based authentication is used, for instance)? If an account (or its password) is expired, it cannot authenticate. That's part of the problem, and the only way to change it is to allow anonymous RPC connections. I have read that Windows will not support port-based IPSec rules but that won't apply in this case. I'm not sure what you mean by port-based IPSec rules -- it does allow for the creation of policy that states that traffic, incoming or outgoing, over a given port or set of ports, MUST be IPsec'd. I wasn't thinking of using the Suse server as a passthrough for webclient certificate generation; as you surmise I suspect that would be more trouble than it's worth. There's enough written about how it's clumsy with ISA server to put me off that. I was considering using the Suse server as a certificate issuer in it's own right backed by a higher-level certificate on the W2K machine. (I don't want web users to authenticate on the domain; at least that's not a requirement yet, and if so, that should still be possible depending on the type of certificate issued by the W2K machine). There are two ways that you could do this -- have the webserver be a registration authority, i.e. it accepts CSRs from clients and sends them on to the certifying authority. Or, you can have it be an issuer in its own right, which will require that it have a certificate which is authorized to be a CA (ca:true, maxDepth=[something greater than 1]) by signing its certificate with the W2K CA in a CA mode. (The idea being that anything signed by the CA is authenticated by that CA.) -Kyle H __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
a couple of newbie questions regarding ssl lib
dear all: i am new to the open ssl library, after a couple of days source code reading, my understanding is that one can either use bio (come with the open ssl lib) or standard socket interface to connect ssl protocol to the underlying tcp protocol, if i would like to use standard socket to do that, the basic flow is as follows: as tcp client: socket --- connect (blocked!) --- SSL_new --- SSL_write SSL_set_fd SSL_read (blocked!) SSL_connect (blocked!) as tcp server: socket --- accept (blocked!) --- SSL_new--- SSL_write bind SSL_set_fd SSL_read (blocked!) listen SSL_accept (blocked!) the SSL_connect/SSL_accept implement a (pretty complicate) state machine that is used to do the ssl handshaking, for that purpose, these two functions are blocked multiple times on the underlying socket id. after SSL_connect/SSL_accept returns, the corresponding ssl link is established and ready for io. in the io phase, SSL_read will again be blocked on the undelying socket id until data for that link is available. the questions i have are: 1. do i understand right? 2. if my understanding is correct, standard socket works pretty well in this picture. why we still need bio? what are things that the bio can do and the standard socket can not? 3. anybody know if there is any doc available about the state machines implemented in SSL_connect/SSL_accept? thanks a lot. chong peng __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: a couple of newbie questions regarding ssl lib
On Sat, Nov 19, 2005, Chong Peng wrote: dear all: i am new to the open ssl library, after a couple of days source code reading, my understanding is that one can either use bio (come with the open ssl lib) or standard socket interface to connect ssl protocol to the underlying tcp protocol, if i would like to use standard socket to do that, the basic flow is as follows: Well whatever technique you use it still ends up using a BIO. Its is just that when you tell the ssl library to use a socket it sets up a socket BIO internally. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: a couple of newbie questions regarding ssl lib
I'm far from an expert, but your flow below seems mostly right. What you describe is how we have used SSL in our application. We do not use BIOs for a number of reasons, one of which is that we have an existing non-SSL application over which we laid SSL. The initial sequence of system calls (that is, accept and connect, initial handshake) is followed by the SSL sequences. BIOs seemed unnecessary for our situation, but I can see where there are scenarios where BIOs are the cool way to go. Also, when I last looked, using BIOs seemed to preclude IPv6 addressing. So using raw system calls followed by SSLconnect/accept could be done without regard to IP protocol. The SSL protocol is well-defined and books describe many aspects of it. Google SSL and TLS and you'll find the good ones. If you really need to care about the connect/accept state machine (do you really?) FWIW. Dave McLellan - Consulting Software Engineer Storage Platforms, Enablers, and Applications EMC Corporation 228 South St. Hopkinton MA 01748 phone: 508-249-1257 fax 508-497-8030 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chong Peng Sent: Saturday, November 19, 2005 1:46 PM To: openssl-users@openssl.org Subject: a couple of newbie questions regarding ssl lib dear all: i am new to the open ssl library, after a couple of days source code reading, my understanding is that one can either use bio (come with the open ssl lib) or standard socket interface to connect ssl protocol to the underlying tcp protocol, if i would like to use standard socket to do that, the basic flow is as follows: as tcp client: socket --- connect (blocked!) --- SSL_new --- SSL_write SSL_set_fd SSL_read (blocked!) SSL_connect (blocked!) as tcp server: socket --- accept (blocked!) --- SSL_new--- SSL_write bind SSL_set_fd SSL_read (blocked!) listen SSL_accept (blocked!) the SSL_connect/SSL_accept implement a (pretty complicate) state machine that is used to do the ssl handshaking, for that purpose, these two functions are blocked multiple times on the underlying socket id. after SSL_connect/SSL_accept returns, the corresponding ssl link is established and ready for io. in the io phase, SSL_read will again be blocked on the undelying socket id until data for that link is available. the questions i have are: 1. do i understand right? 2. if my understanding is correct, standard socket works pretty well in this picture. why we still need bio? what are things that the bio can do and the standard socket can not? 3. anybody know if there is any doc available about the state machines implemented in SSL_connect/SSL_accept? thanks a lot. chong peng __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: a couple of newbie questions regarding ssl lib
Woops. What I meant instead of Google is Amazon - they, along with many other booksellers have the good ones. Here are two that helped me: O'Reilly (John Viega): Network Security with OpenSSL Eric Recorla's: SSL and TLS: Desinging and Building Secure Systems FWIW2 Dave McLellan - Consulting Software Engineer Storage Platforms, Enablers, and Applications EMC Corporation 228 South St. Hopkinton MA 01748 phone: 508-249-1257 fax 508-497-8030 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mclellan, dave Sent: Saturday, November 19, 2005 3:46 PM To: 'openssl-users@openssl.org' Subject: RE: a couple of newbie questions regarding ssl lib I'm far from an expert, but your flow below seems mostly right. What you describe is how we have used SSL in our application. We do not use BIOs for a number of reasons, one of which is that we have an existing non-SSL application over which we laid SSL. The initial sequence of system calls (that is, accept and connect, initial handshake) is followed by the SSL sequences. BIOs seemed unnecessary for our situation, but I can see where there are scenarios where BIOs are the cool way to go. Also, when I last looked, using BIOs seemed to preclude IPv6 addressing. So using raw system calls followed by SSLconnect/accept could be done without regard to IP protocol. The SSL protocol is well-defined and books describe many aspects of it. Google SSL and TLS and you'll find the good ones. If you really need to care about the connect/accept state machine (do you really?) FWIW. Dave McLellan - Consulting Software Engineer Storage Platforms, Enablers, and Applications EMC Corporation 228 South St. Hopkinton MA 01748 phone: 508-249-1257 fax 508-497-8030 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chong Peng Sent: Saturday, November 19, 2005 1:46 PM To: openssl-users@openssl.org Subject: a couple of newbie questions regarding ssl lib dear all: i am new to the open ssl library, after a couple of days source code reading, my understanding is that one can either use bio (come with the open ssl lib) or standard socket interface to connect ssl protocol to the underlying tcp protocol, if i would like to use standard socket to do that, the basic flow is as follows: as tcp client: socket --- connect (blocked!) --- SSL_new --- SSL_write SSL_set_fd SSL_read (blocked!) SSL_connect (blocked!) as tcp server: socket --- accept (blocked!) --- SSL_new--- SSL_write bind SSL_set_fd SSL_read (blocked!) listen SSL_accept (blocked!) the SSL_connect/SSL_accept implement a (pretty complicate) state machine that is used to do the ssl handshaking, for that purpose, these two functions are blocked multiple times on the underlying socket id. after SSL_connect/SSL_accept returns, the corresponding ssl link is established and ready for io. in the io phase, SSL_read will again be blocked on the undelying socket id until data for that link is available. the questions i have are: 1. do i understand right? 2. if my understanding is correct, standard socket works pretty well in this picture. why we still need bio? what are things that the bio can do and the standard socket can not? 3. anybody know if there is any doc available about the state machines implemented in SSL_connect/SSL_accept? thanks a lot. chong peng __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: a couple of newbie questions regarding ssl lib
Hi there, Your second question happens to concern what I'm working on right now. Sometimes rather than developping an application on top (think layer architecture) of OpenSSL, you might want to give your application control over the network access but still use OpenSSL as a security module that doesn't encapsulate communication. A generic illustration of this kind of scenario is given in the documentation for BIO pairs. In my case, I have an API to build applications over a structured peer-to-peer network. I want to use OpenSSL for security but I want to use this structured network instead of TCP as SSL/TLS's transport layer. Then BIOs and BIO pairs are the way to go. (ssltest.c is the place to dive into if you ever want to figure out how to use these). Another elegant way of doing this is to write a custom BIO... I hope this helps ! Regards, Chong Peng wrote: dear all: i am new to the open ssl library, after a couple of days source code reading, my understanding is that one can either use bio (come with the open ssl lib) or standard socket interface to connect ssl protocol to the underlying tcp protocol, if i would like to use standard socket to do that, the basic flow is as follows: as tcp client: socket --- connect (blocked!) --- SSL_new --- SSL_write SSL_set_fd SSL_read (blocked!) SSL_connect (blocked!) as tcp server: socket --- accept (blocked!) --- SSL_new--- SSL_write bind SSL_set_fd SSL_read (blocked!) listen SSL_accept (blocked!) the SSL_connect/SSL_accept implement a (pretty complicate) state machine that is used to do the ssl handshaking, for that purpose, these two functions are blocked multiple times on the underlying socket id. after SSL_connect/SSL_accept returns, the corresponding ssl link is established and ready for io. in the io phase, SSL_read will again be blocked on the undelying socket id until data for that link is available. the questions i have are: 1. do i understand right? 2. if my understanding is correct, standard socket works pretty well in this picture. why we still need bio? what are things that the bio can do and the standard socket can not? 3. anybody know if there is any doc available about the state machines implemented in SSL_connect/SSL_accept? thanks a lot. chong peng __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] -- Alain Damiral, Université Catholique de Louvain - student alain.damiral'at'student.info.ucl.ac.be __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Newbie questions
Hello there, I have some queries in SSL, [#]. Do I need to sign the certificate from some CAs, before making use of SSL in local network? [#]. How does the client verify the server's certificate? Any help will be highly appreciated. Thanks -Rohan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions update ....
On Tue, Sep 14, 2004, Steve Ankeny wrote: Here's the commands I used to create my own CA and my own certificate and key CA.pl -newca CA.pl -newreq CA.pl -signreq Everything went well (no errors), and I wound up with newcert.pem and newreq.pem (as well as cacert.pem as expected). I renamed newcert.pem and newreq.pem to help identify them. mv newcert.pem server.net.pem mv newreq.pem server.net.key I copied them to the Apache directories ssl.crt and ssl.key and edited the vhost-ssl.conf file to point to the proper files. Here's the output of openssl s_client -connect server.net:443 root:~ # openssl s_client -connect server.net:443 CONNECTED(0003) depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED] verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED] verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED] verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED] i:/C=US/ST=State/O=Company/CN=servercert/[EMAIL PROTECTED] --- Server certificate -BEGIN CERTIFICATE- MIIDcjCCAtugAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJVUzEQ MA4GA1UECBMHSW5kaWFuYTEiMCAGA1UEChMZUHlyYW1pZCBNb3J0Z2FnZSBBdWRp dGluZzEQMA4GA1UEAxMHcG1hY2VydDEkMCIGCSqGSIb3DQEJARYVc2Fua2VueUBu [redacted] 7IJxQa5W/bwcEKU+MoBlUYO1d+HDng== -END CERTIFICATE- subject=/C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED] issuer=/C=US/ST=State/O=Company/CN=servercert/[EMAIL PROTECTED] --- No client certificate CA names sent --- SSL handshake has read 1450 bytes and written 340 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher: DHE-RSA-AES256-SHA Session-ID: A526ACD02BA92C111FFA4E63FA293521429D1827014D2B57390FA99715ED7CDB Session-ID-ctx: Master-Key: 09A5F29D451372431FF71B3037A9943AA3106328D8EEA7422E88750FA4102F05F39FBB5C9906B2465D6B Key-Arg : None Start Time: 1095188189 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- closed Here are the lines that bother me . verify error:num=20:unable to get local issuer certificate verify error:num=27:certificate not trusted verify error:num=21:unable to verify the first certificate Is there anything wrong with how I created these? No nothing wrong its just that's what the s_client utility does when presented with a CA it doesn't trust. If you include -CAfile cacert.pem on the command line you shouldn't get that any more. Mozilla times out when trying to connect to the server (with or without the certificate). What am I doing wrong? Thanks for getting me this far. You should type in the URL https://myhostname.whatever.org/ into Mozilla. Its not clear why you get a timeout error. Is that the exact error Mozilla comes up with? Are you connecting from the same machine you did the s_client test on? If not then its possible the route is blocked by a firewall or something like that. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions update ....
Exactly right! openssl s_client -CAfile demoCA/cacert -connect server.net:443 This returns no errors. However, I still get the following when I try to connect from Mozilla. The connection was refused when trying to contact 192.168.1.103 Stupid me! I was using http://;! It works perfectly with https://; Thanks for all of the help! I think I understand how to do this much better now and can get on with my work. The only real change I made (other than to rename the files) was to change the default days in CA.pl to 3650 [ I don't want to do this again for awhile. ] It just goes to show that stupid errors can make all the difference. And, I see the value of CA.pl (having read it). Thanks again. Dr. Stephen Henson wrote: On Tue, Sep 14, 2004, Steve Ankeny wrote: Here's the commands I used to create my own CA and my own certificate and key CA.pl -newca CA.pl -newreq CA.pl -signreq Everything went well (no errors), and I wound up with newcert.pem and newreq.pem (as well as cacert.pem as expected). I renamed newcert.pem and newreq.pem to help identify them. mv newcert.pem server.net.pem mv newreq.pem server.net.key I copied them to the Apache directories ssl.crt and ssl.key and edited the vhost-ssl.conf file to point to the proper files. Here's the output of openssl s_client -connect server.net:443 root:~ # openssl s_client -connect server.net:443 CONNECTED(0003) depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED] verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED] verify error:num=27:certificate not trusted verify return:1 depth=0 /C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED] verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED] i:/C=US/ST=State/O=Company/CN=servercert/[EMAIL PROTECTED] --- Server certificate -BEGIN CERTIFICATE- MIIDcjCCAtugAwIBAgIBATANBgkqhkiG9w0BAQQFADB7MQswCQYDVQQGEwJVUzEQ MA4GA1UECBMHSW5kaWFuYTEiMCAGA1UEChMZUHlyYW1pZCBNb3J0Z2FnZSBBdWRp dGluZzEQMA4GA1UEAxMHcG1hY2VydDEkMCIGCSqGSIb3DQEJARYVc2Fua2VueUBu [redacted] 7IJxQa5W/bwcEKU+MoBlUYO1d+HDng== -END CERTIFICATE- subject=/C=US/ST=State/O=Company/CN=server.net/[EMAIL PROTECTED] issuer=/C=US/ST=State/O=Company/CN=servercert/[EMAIL PROTECTED] --- No client certificate CA names sent --- SSL handshake has read 1450 bytes and written 340 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher: DHE-RSA-AES256-SHA Session-ID: A526ACD02BA92C111FFA4E63FA293521429D1827014D2B57390FA99715ED7CDB Session-ID-ctx: Master-Key: 09A5F29D451372431FF71B3037A9943AA3106328D8EEA7422E88750FA4102F05F39FBB5C9906B2465D6B Key-Arg : None Start Time: 1095188189 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- closed Here are the lines that bother me . verify error:num=20:unable to get local issuer certificate verify error:num=27:certificate not trusted verify error:num=21:unable to verify the first certificate Is there anything wrong with how I created these? No nothing wrong its just that's what the s_client utility does when presented with a CA it doesn't trust. If you include -CAfile cacert.pem on the command line you shouldn't get that any more. Mozilla times out when trying to connect to the server (with or without the certificate). What am I doing wrong? Thanks for getting me this far. You should type in the URL https://myhostname.whatever.org/ into Mozilla. Its not clear why you get a timeout error. Is that the exact error Mozilla comes up with? Are you connecting from the same machine you did the s_client test on? If not then its possible the route is blocked by a firewall or something like that. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Well, you know what my dad always said? Having dreams is what makes life tolerable! -- Pete, Rudy's friend __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions update ....
On Sat, Sep 11, 2004, Steve Ankeny wrote: Sorry about the html First of all, I am using Mozilla. I never use IE What version of Mozilla are you using? If you have a newer version then you will have an Import button. You select Edit-Preferences-Private Security-Certificates. Then click on Manage Certificates and the Authorities tab. Then try the Import button. If, as I suspect, you are trying the Import button under Your certificates then it will expect a PKCS#12 file. Secondly, every time I try to import the 'server.crt' it complains that it is not in 'pkcs12' format. Thirdly, the CA.pl guides are just as confusing as the OpenSSL guides. You just need the examples. This will do the trick... CA.pl -newca CA.pl -newreq CA.pl -signreq The CA certificate is then in demoCA/cacert.pem, the new certificate in newcert.pem and the private key in newreq.pem. I have yet to find a clear-cut description of how to create your own CA; certificate signing requests and certificates without finding error somewhere in the commands. No one has been clear on this subject. Well if you get errors with the above commands please say what they are, that is assuming they aren't answered in the FAQ. You are correct in your observation that I should be able to connect without importing the certificate. But I don't know what is wrong. It would help if you said what error Mozilla is giving. Well you can check the webserver is OK using OpenSSLs s_client command: openssl s_client -connect myhostname.org:443 If that connects OK then at least the secure server is running and seeing the certificates. Then the error might be that Mozilla doesn't like the certificates: some guides suggest ways that produce invalid certficates. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions update ....
Very good suggestions! Thanks I will not have time to try these until this evening, but I will report any errors, etc. You guys are the best. Dr. Stephen Henson wrote: On Sat, Sep 11, 2004, Steve Ankeny wrote: Sorry about the html First of all, I am using Mozilla. I never use IE What version of Mozilla are you using? If you have a newer version then you will have an Import button. You select Edit-Preferences-Private Security-Certificates. Then click on Manage Certificates and the Authorities tab. Then try the Import button. If, as I suspect, you are trying the Import button under Your certificates then it will expect a PKCS#12 file. Secondly, every time I try to import the 'server.crt' it complains that it is not in 'pkcs12' format. Thirdly, the CA.pl guides are just as confusing as the OpenSSL guides. You just need the examples. This will do the trick... CA.pl -newca CA.pl -newreq CA.pl -signreq The CA certificate is then in demoCA/cacert.pem, the new certificate in newcert.pem and the private key in newreq.pem. I have yet to find a clear-cut description of how to create your own CA; certificate signing requests and certificates without finding error somewhere in the commands. No one has been clear on this subject. Well if you get errors with the above commands please say what they are, that is assuming they aren't answered in the FAQ. You are correct in your observation that I should be able to connect without importing the certificate. But I don't know what is wrong. It would help if you said what error Mozilla is giving. Well you can check the webserver is OK using OpenSSLs s_client command: openssl s_client -connect myhostname.org:443 If that connects OK then at least the secure server is running and seeing the certificates. Then the error might be that Mozilla doesn't like the certificates: some guides suggest ways that produce invalid certficates. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Well, you know what my dad always said? Having dreams is what makes life tolerable! -- Pete, Rudy's friend __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Newbie questions update ....
Here's what I did Command Usage openssl genrsa -des3 -out ca.key 1024 Created key for my own CA Remained in /etc/ssl openssl req -new -x509 -days 3650 -key ca.key -out ca.crt Created the CA certificate Also remained in /etc/ssl openssl genrsa -des3 -out server.key 1024 Created server key Placed in /etc/apache2/ssl.key mv server.key server.key.secure Created a back up for the key openssl rsa -in server.key.secure -out server.key Encoded key so not required at boot openssl req -new -days 3650 -key server.key -out server.csr Created server signing request ./sign.sh server.csr Used script to 'sign' request Created server.crt Placed in /etc/apache2/ssl.crt openssl pkcs12 -export -in server.crt -inkey server.key -certfile server.crt -out server.p12 Exported to Windows format After importing into my browser and restarting the webserver, it failed to connect. I am uncertain whether the export command is correct. And, I am uncertain whether the CA is trusted. What am I doing wrong? Can anyone help? Thanks. I have followed the documentation found here http://www.modssl.org/docs/ http://www.modssl.org/docs/2.8/ssl_faq.html#ToC24 http://lamps.efactory.de/e-lamps-2-0.shtml#inst-apachessl __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions update ....
On Sat, Sep 11, 2004, Steve Ankeny wrote: Please don't post in HTML. As to your query. This is much easier if you follow the CA.pl instructions. Some guides suggest you do all manner of strange and in some cases insecure things. You do *not* import the server private key and certificate into the browser nor do you create a PKCS#12 file from it. Since the server security depends on the secrecy of the private key you do *not* want to give that away! You need to trust the root CA certificate *only*. There are several ways to do this. One is to select the root CA store in MSIE. From the Tools menu select Internet Options then the Content Tab. Click on the Certificates... button and select Trusted Root Authorities and finally the Import button. Browse to the appropriate file and it should allow you to add the certificate as a trusted root CA. However there may be something else amiss because normally even if you haven't added the root CA you can still connect to a secure server with some warnings. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions update ....
Sorry about the html First of all, I am using Mozilla. I never use IE Secondly, every time I try to import the 'server.crt' it complains that it is not in 'pkcs12' format. Thirdly, the CA.pl guides are just as confusing as the OpenSSL guides. I have yet to find a clear-cut description of how to create your own CA; certificate signing requests and certificates without finding error somewhere in the commands. No one has been clear on this subject. And, even more confusing than how to create the certificates is where to put them when you are done. I have tried to follow the Apache documentation both in my distro and on the web, but it is still unclear. As you can tell, I am frustrated. I am impressed with the knowledge and experience of those posting to this group. But most of it is over my head. All I want is to get my problem resolved. Thanks for the ideas you gave here. And, thanks for answering You are correct in your observation that I should be able to connect without importing the certificate. But I don't know what is wrong. That's why I took the approach of providing the commands I used and what I did with the results. That was in hopes that someone might see where I made my mistake. Thanks again. Dr. Stephen Henson wrote: On Sat, Sep 11, 2004, Steve Ankeny wrote: Please don't post in HTML. As to your query. This is much easier if you follow the CA.pl instructions. Some guides suggest you do all manner of strange and in some cases insecure things. You do *not* import the server private key and certificate into the browser nor do you create a PKCS#12 file from it. Since the server security depends on the secrecy of the private key you do *not* want to give that away! You need to trust the root CA certificate *only*. There are several ways to do this. One is to select the root CA store in MSIE. From the Tools menu select Internet Options then the Content Tab. Click on the Certificates... button and select Trusted Root Authorities and finally the Import button. Browse to the appropriate file and it should allow you to add the certificate as a trusted root CA. However there may be something else amiss because normally even if you haven't added the root CA you can still connect to a secure server with some warnings. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- Well, you know what my dad always said? Having dreams is what makes life tolerable! -- Pete, Rudy's friend __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Newbie questions ....
I am designing a secure webserver for use in a small company. The connection must be secure. My plan is to use SSL/TLS and 'AuthConfig/htpasswd' to make the connections. I have reviewed various explanations of how to create my own Certificate Authority and how to create both server and client certs/keys. The confusion comes from knowing what to do with them after they are created. SuSE 9.1 Apache 2.0.49 OpenSSL 0.9.7d TLS 1.5.0 Apache 2 places the certs in various directories in '/etc/apache2' such as 'ssl.crt,' 'ssl.csr' and 'ssl.key' Here is my plan ... Will it work? Command Questions / Usage openssl genrsa -des3 -out ca.key 1024 This creates the Certificate Authority key. Place this in /etc/apache2/ssl.key Should this have any sort of unique name? openssl req -new -x509 -days 365 -key ca.key -out ca.crt This creates the CA certificate. Place this in /etc/apache2/ssl.crt Should this follow the same name as above? openssl genrsa -des3 -out server.key 1024 This creates the server key. Place this in /etc/apache2/ssl.key Should this follow the FQDN? server.name.crt? mv server.key server.key.secure openssl rsa -in server.key.secure -out server.key The first command backs up the key. The second encodes it so it is not requested after each reboot. openssl req -new -days 365 -key server.key -out server.csr This creates the server certificate. Place this in /etc/apache2/ssl.csr Should this follow the same name as above? ./sign.sh server.csr Use Ralf Engelschall's script to 'sign' the certificate. To create client certificates follow a similar process ... ... if needed openssl req -new -days 365 -key server.key -out client.csr openssl pkcs12 -export -in client.csr -inkey server.key \ -certfile server.crt -out client.p12 Convert these to 'p12' format Use a unique client name ... Import into the client's browser... Is this even required? I can see separate client certificates if I were using IPSec to make VPN connections. What about creating a CRL? And, what about trust for my CA? What about converting my server.csr for use with Windows clients? Do I insert them into the MMC or merely the browser? Thanks for your help __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions ....
Hi Steve, Here are a couple books that helped me understand SSL and the X.509 security model: Network Security with OpenSSL, ISBN 059600270X Planning for PKI, ISBN 0471397024 Joe On Sep 10, 2004, at 1:17 PM, Steve Ankeny wrote: I am designing a secure webserver for use in a small company. The connection must be secure. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
SMIME newbie questions
First, as to my previous question: Thanks to Dr Hanson for figuring out my sender
sent a file with an extra data(really a second message) stuck on the end.
I'll cut to the chase: I need to come up with a set of openssl commands that will
decrypt and verify an incoming SMIME message and just end up with the data payload.
The message is a two part, signed, encrypted message. I can decrypt but can't seem to
verify. I apologize for being so ignorant but this is only my second project with
Openssl SMIME and the first was canceled (-;
In short, I think I am approaching this wrong - I don't think there is anything wrong
with the signature itself. But I digress: First, I could have sworn you could
decrypt and verify in one step but it didn't work. Here is the command I used to
decrypt and verify
openssl -decrypt -verify -in {filename} -recip {mycert} -signer {theircert} -inkey
{mykey.pem}
This doesn't work and throws a content-type error. I suspect verify is looking at
the message Content-type and not the signature part content-type. So I decide to
decrypt first and then verify. When I decrypt I get the following output:
Content-Type: multipart/signed; protocol=application/pkcs7-signature; micalg=sha1;
boundary==_IPNet_20040405135357409_44
Content-Disposition: attachment
--=_IPNet_20040405135357409_44
Content-Type: APPLICATION/EDI-X12
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=01006203210P-2.edi
...snip one data part ...
--=_IPNet_20040405135357409_44^M
Content-Type: application/pkcs7-signature; name=smime.p7s^M
Content-Transfer-Encoding: binary^M
Content-Disposition: attachment; filename=smime.p7s^M
^M
...snip signature
and then push this through openssl smime -verify -signer {theircert.pem}, I get the
following
Error reading S/MIME message
9970:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_
lib.c:140:
9970:error:21078082:PKCS7 routines:B64_READ_PKCS7:decode error:pk7_mime.c:142:
9970:error:2107A08C:PKCS7 routines:SMIME_read_PKCS7:pkcs7 sig parse error:pk7_mi
me.c:289:
I suspected because it wasn't a fully compliant email message (ie no headers). But if
I pipe to formail first to get some headers, I get the same message.
Any idea as to why I am not able to verify and just end up with the data part? Can
anyone help this newbie?
Thanks in advance to everyone for your help and time,
Spencer
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: SMIME newbie questions
On Wed, Apr 07, 2004, Spencer Yost wrote:
First, as to my previous question: Thanks to Dr Hanson for figuring out my
sender sent a file with an extra data(really a second message) stuck on the
end.
I'll cut to the chase: I need to come up with a set of openssl commands
that will decrypt and verify an incoming SMIME message and just end up with
the data payload. The message is a two part, signed, encrypted message. I
can decrypt but can't seem to verify. I apologize for being so ignorant but
this is only my second project with Openssl SMIME and the first was canceled
(-;
In short, I think I am approaching this wrong - I don't think there is
anything wrong with the signature itself. But I digress: First, I could
have sworn you could decrypt and verify in one step but it didn't work.
Here is the command I used to decrypt and verify
openssl -decrypt -verify -in {filename} -recip {mycert} -signer {theircert}
-inkey {mykey.pem}
This doesn't work and throws a content-type error. I suspect verify is
looking at the message Content-type and not the signature part
content-type. So I decide to decrypt first and then verify. When I
decrypt I get the following output:
Content-Type: multipart/signed; protocol=application/pkcs7-signature;
micalg=sha1;
boundary==_IPNet_20040405135357409_44 Content-Disposition: attachment
--=_IPNet_20040405135357409_44 Content-Type: APPLICATION/EDI-X12
Content-Transfer-Encoding: binary Content-Disposition: attachment;
filename=01006203210P-2.edi
...snip one data part ...
--=_IPNet_20040405135357409_44^M Content-Type: application/pkcs7-signature;
name=smime.p7s^M Content-Transfer-Encoding: binary^M Content-Disposition:
attachment; filename=smime.p7s^M ^M
...snip signature
and then push this through openssl smime -verify -signer {theircert.pem},
I get the following
Error reading S/MIME message 9970:error:0D07207B:asn1 encoding
routines:ASN1_get_object:header too long:asn1_ lib.c:140:
9970:error:21078082:PKCS7 routines:B64_READ_PKCS7:decode
error:pk7_mime.c:142: 9970:error:2107A08C:PKCS7
routines:SMIME_read_PKCS7:pkcs7 sig parse error:pk7_mi me.c:289:
I suspected because it wasn't a fully compliant email message (ie no
headers). But if I pipe to formail first to get some headers, I get the
same message.
Any idea as to why I am not able to verify and just end up with the data
part? Can anyone help this newbie?
Thanks in advance to everyone for your help and time,
There isn't a command to decrypt and verify all in one go. For one thing there
are various ways to do that.
You seem to be OK with the decryption part its the actual signed message
that's causing problems.
It looks like the signature is not base64 encoded and the initial part isn't
text either. OpenSSLs MIME parser is a rather primitive thing and not designed
for more complex forms: its basically just enough to tolerate the typical stuff an
S/MIME mail clients will throw out.
So what I suspect you have to do is to take the S/MIME data and extract the
content and signature parts and then feed the result into the OpenSSL smime
command with the -inform DER -content whatever switches.
If you can send me a zipped version of the data you are trying to verify I'll
see if the MIME parser can be updated to work on that form.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
newbie questions and ssl_write problem
Hi
I have some easy (I hope) questions:
I wrote a multithreaded ftp bouncer in c++
So far everything works
But if I use certain ftp clients (for example flashfxp v2.1.923) sometimes
some bytes disappear
And if I transfer a textfile, there is a ? at every lineend
The datafiles are not corrupted every time but often enough
If I use a newer flashfxp version this problem doesn't appear
Any ideas?
Here some lines from the cource code:
-
// init ssl stuff
clientsslctx = NULL;
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
if (RAND_status()) { debugmsg(RAND_status ok); }
else { cout RAND_status not ok\n; return 0; }
clientsslctx = SSL_CTX_new(SSLv23_server_method());
if (clientsslctx == NULL)
{
cout error creating ctx\n;
return 0;
}
SSL_CTX_set_options(clientsslctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_default_verify_paths(clientsslctx);
//SSL_CTX_set_options(clientsslctx,SSL_OP_ALL);
CRYPTO_thread_setup();
if
(SSL_CTX_use_certificate_file(clientsslctx,dsa.pem,SSL_FILETYPE_PEM) = 0)
{
cout error loading cert file!\n;
return 0;
}
if (SSL_CTX_use_PrivateKey_file(clientsslctx, dsa.pem,
SSL_FILETYPE_PEM) =0 )
{
cout error loading private key!\n;
return 0;
}
if ( !SSL_CTX_check_private_key(clientsslctx))
{
cout key invalid\n;
return 0;
}
//SSL_CTX_set_default_verify_paths(clientsslctx);
//SSL_CTX_set_session_id_context(clientsslctx, (const unsigned
char*)1, 1);
SSL_CTX_set_tmp_dh_callback(clientsslctx, tmp_dh_cb);
char*tls_cipher_list = ALL:!EXP;
SSL_CTX_set_cipher_list(clientsslctx, tls_cipher_list);
-
This is my init part for the ssl ctx running in my server part
This is my init part for thread handling
//-
void CRYPTO_thread_setup(void);
void CRYPTO_thread_cleanup(void);
static void pthreads_locking_callback(int mode,int type,const char *file,int
line);
static unsigned long pthreads_thread_id(void );
static pthread_mutex_t *lock_cs;
static long *lock_count;
void CRYPTO_thread_setup(void)
{
int i;
lock_cs = (pthread_mutex_t*)OPENSSL_malloc(CRYPTO_num_locks() *
sizeof(pthread_mutex_t));
lock_count = (long *)OPENSSL_malloc(CRYPTO_num_locks() *
sizeof(long));
for (i=0; iCRYPTO_num_locks(); i++)
{
lock_count[i]=0;
pthread_mutex_init((lock_cs[i]),NULL);
}
CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id);
CRYPTO_set_locking_callback(pthreads_locking_callback);
}
void thread_cleanup(void)
{
int i;
CRYPTO_set_locking_callback(NULL);
for (i=0; iCRYPTO_num_locks(); i++)
{
pthread_mutex_destroy((lock_cs[i]));
}
OPENSSL_free(lock_cs);
OPENSSL_free(lock_count);
}
void pthreads_locking_callback(int mode, int type, const char *file,
int line)
{
#if 0
fprintf(stderr,thread=%4d mode=%s lock=%s %s:%d\n,
CRYPTO_thread_id(),
(modeCRYPTO_LOCK)?l:u,
(typeCRYPTO_READ)?r:w,file,line);
#endif
#if 0
if (CRYPTO_LOCK_SSL_CERT == type)
fprintf(stderr,(t,m,f,l) %ld %d %s %d\n,
CRYPTO_thread_id(),
mode,file,line);
#endif
if (mode CRYPTO_LOCK)
{
pthread_mutex_lock((lock_cs[type]));
lock_count[type]++;
}
else
{
pthread_mutex_unlock((lock_cs[type]));
}
}
unsigned long pthreads_thread_id(void)
{
unsigned long ret;
ret=(unsigned long)pthread_self();
return(ret);
}
//-
And this is the send function I use
int total = 0;
int bytesleft = nrbytes;
int rc,len;
len = nrbytes;
while(total len)
{
if (sslcon == NULL)
{
rc = send(sock,data+total,bytesleft,0);
}
else
{
rc = SSL_write(sslcon, data+total, bytesleft);
}
if (rc == -1) { break; }
total += rc;
bytesleft -= rc;
}
if (bytesleft == 0) { return 1; }
else { return 0; }
perhaps someone can tell if this is totally nonsense of if I forgort
something important
Thanks in advance
Stephan
__
OpenSSL Project
Newbie questions
Hi -
I am working on a perl SSL wget type program, and I have a few questions
regarding certificate authentication. I am sorry if these are silly
questions; I have been trying to find documentation for quite some time and
cant seem to find anything. So my questions are, basically, how do I set up
something to verify a host's x509's issuer against a list of trusted
issuers? I would assume this is part of the set_verify callback, however
there is no doc's on how to use that function. I have been able to extract
from other peoples source that I need .pem certificate files, but what
exactly is a .pem? And how would I interface with them? I really just need
to compare the issuer fingerprint against a trusted issuers file, but I can
find nothing on how to extract that. And the callbacks do not seem to allow
you to either. Once again, I apologize for these very very newbie'ish
questions, but I can not find anything regarding this. To quote the perl
module doc's:
The corresponding Perl function should be something like this:
sub verify {
my ($ok, $subj_cert, $issuer_cert, $depth, $errorcode,
$arg, $chain) = @_;
print "Verifying certificate...\n";
...
return $ok;
}
It is used like this:
Net::SSLeay::set_verify ($ssl, Net::SSLeay::VERIFY_PEER, \verify);
And that is the entire section on verification, and the most verbose
explaination I've seen yet. ;-)
So what do I do? Thanks for the help.
-Ian
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions
Hello, Many thanks to all who answered my questions. I'm on the way to install ssh. Best regards, Serban On Mon, Nov 01, 1999 at 12:01:59PM +, Pete Chown wrote: On Fri, Oct 29, 1999 at 02:33:41PM -0100, Serban Udrea wrote: This mail is mainly focusing on SSLtelnet which I intend to use. I wanted to post this message to the ssl-users list but I got: I don't think a great deal is being done to SSLtelnet at the moment. It doesn't implement secured telnet the way the current Internet draft does, and some people have raised security issues with it. As another contributor said, one answer is to use SSH. Alternatively I will shortly have an implementation of the Internet draft for secured telnet, as part of the SafeGossip package. The URL for SafeGossip is at: http://www.skygate.co.uk/safegossip but it is currently in alpha release and does not include the telnet code. The next release will be a beta and will include telnet as well as various other goodies. It should be out in a couple of weeks. -- phone +44 (0) 20 8542 7856, fax +44 (0) 20 8543 0176, post: Skygate Technology Ltd, 8 Lombard Road, Wimbledon, London, SW19 3TZ Here we are at the end of your message -- Serban Udrea GSI - Plasma Physics Department Darmstadt, Germany __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Newbie questions
SSH is nice, but I would also like to build SSL-telnet, and ran into the same problem. Is anyone maintaining SSL telnet? Has anyone gotten an SSL-enabled telnet to build against a recent version of OpenSSL? -Mike Slass WRQ, Inc. "Dr. Greg Quinn" wrote: What about SSH instead? On Fri, 29 Oct 1999, Serban Udrea wrote: Hello everybody, This mail is mainly focusing on SSLtelnet which I intend to use. I wanted to post this message to the ssl-users list but I got: info ssl-users This list is closed. Its users have migrated to openssl-users, see http://www.openssl.org/support/. So here I am. I first installed SSLeay 0.9.0b (didn't know about openssl at that time) and then SSLtelnet 0.13. During the build of SSLtelnet I got the following errors/warnings: make: [all] Error 1 (ignored) utilities.c: In function `printsub': utilities.c:426: warning: comparison is always 1 due to limited range of data type utilities.c:448: warning: comparison is always 1 due to limited range of data type utilities.c:592: warning: comparison is always 1 due to limited range of data type utilities.c:681: warning: comparison is always 1 due to limited range of data type utilities.c:803: warning: comparison is always 1 due to limited range of data type utility.c: In function `printsub': utility.c:754: warning: comparison is always 1 due to limited range of data type utility.c:861: warning: comparison is always 1 due to limited range of data type utility.c:1006: warning: comparison is always 1 due to limited range of data type utility.c:1033: warning: comparison is always 1 due to limited range of data type utility.c:1161: warning: comparison is always 1 due to limited range of data type The questions are: 1. Should I move from SSLeay to openssl and compile SSLtelnet with it? 2. If this is not possible, could the above warnings mean serious problems at run-time? 3. If it's possible are there any changes to be made to SSLtelnet 0.13 or is there a newer version which compiles with openssl? Best regards, Serban Udrea NOTE: I'm using Slackware 4.0 (still libc5 dist), kernel 2.2.6, gcc 2.7.2.3 -- Serban Udrea GSI - Plasma Physics Department Darmstadt, Germany __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
