Re: SSL_CTX_use_PrivateKey_file
On 25/05/14 13:11, Mody, Darshan (Darshan) wrote:
> Hi,
>
> When I try to read the EC Private Key file I get an error from the openssl. Is there another way to use the Elliptic curve Private key?
>
> Please note that I generate the Public and Private keys via the command lines and use the public-private key in my program.

I think we need a bit more to go on. Can you post the commands you used to generate your keys, the error you are getting, and the code you are using to read the private key?

Thanks

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
RE: SSL_CTX_use_PrivateKey_file
I use below command: openssl ecparam -out key.pem -name prime256v1 -genkey. I am using another 3rd party tool, SIPp. Below is the method that sets the SSL CTX:

    ssl_init_status FI_init_ssl_context (void)
    {
        sip_trp_ssl_ctx = SSL_CTX_new( TLSv1_method() );
        if ( sip_trp_ssl_ctx == NULL ) {
            ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
            return SSL_INIT_ERROR;
        }

        sip_trp_ssl_ctx_client = SSL_CTX_new( TLSv1_method() );
        if ( sip_trp_ssl_ctx_client == NULL) {
            ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
            return SSL_INIT_ERROR;
        }

        /* Load the trusted CA's */
        SSL_CTX_load_verify_locations(sip_trp_ssl_ctx, tls_cert_name, NULL);
        SSL_CTX_load_verify_locations(sip_trp_ssl_ctx_client, tls_cert_name, NULL);

        /* CRL load from application specified only if specified on the command line */
        if (strlen(tls_crl_name) != 0) {
            if(sip_tls_load_crls(sip_trp_ssl_ctx,tls_crl_name) == -1) {
                ERROR("FI_init_ssl_context: Unable to load CRL file (%s)", tls_crl_name);
                return SSL_INIT_ERROR;
            }
            if(sip_tls_load_crls(sip_trp_ssl_ctx_client,tls_crl_name) == -1) {
                ERROR("FI_init_ssl_context: Unable to load CRL (client) file (%s)", tls_crl_name);
                return SSL_INIT_ERROR;
            }
            /* The following call forces to process the certificates with the */
            /* initialised SSL_CTX */
            SSL_CTX_set_verify(sip_trp_ssl_ctx,
                               SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                               sip_tls_verify_callback);
            SSL_CTX_set_verify(sip_trp_ssl_ctx_client,
                               SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                               sip_tls_verify_callback);
        }

        /* Selection Cipher suites - load the application specified ciphers */
        SSL_CTX_set_default_passwd_cb_userdata(sip_trp_ssl_ctx, (void *)CALL_BACK_USER_DATA );
        SSL_CTX_set_default_passwd_cb_userdata(sip_trp_ssl_ctx_client, (void *)CALL_BACK_USER_DATA );
        SSL_CTX_set_default_passwd_cb( sip_trp_ssl_ctx, passwd_call_back_routine );
        SSL_CTX_set_default_passwd_cb( sip_trp_ssl_ctx_client, passwd_call_back_routine );

        if ( SSL_CTX_use_certificate_file(sip_trp_ssl_ctx, tls_cert_name, SSL_FILETYPE_PEM ) != 1 ) {
            ERROR("FI_init_ssl_context: SSL_CTX_use_certificate_file failed");
            return SSL_INIT_ERROR;
        }
        if ( SSL_CTX_use_certificate_file(sip_trp_ssl_ctx_client, tls_cert_name, SSL_FILETYPE_PEM ) != 1 ) {
            ERROR("FI_init_ssl_context: SSL_CTX_use_certificate_file (client) failed");
            return SSL_INIT_ERROR;
        }
        if ( SSL_CTX_use_PrivateKey_file(sip_trp_ssl_ctx, tls_key_name, SSL_FILETYPE_PEM ) != 1 ) {
            ERROR("FI_init_ssl_context: SSL_CTX_use_PrivateKey_file failed");
            return SSL_INIT_ERROR;
        }
        if ( SSL_CTX_use_PrivateKey_file(sip_trp_ssl_ctx_client, tls_key_name, SSL_FILETYPE_PEM ) != 1 ) {
            ERROR("FI_init_ssl_context: SSL_CTX_use_PrivateKey_file (client) failed");
            return SSL_INIT_ERROR;
        }

        return SSL_INIT_NORMAL;
    }

Thanks in Advance

Regards
Darshan

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Matt Caswell
Sent: Sunday, May 25, 2014 6:31 PM
To: openssl-users@openssl.org
Subject: Re: SSL_CTX_use_PrivateKey_file

> On 25/05/14 13:11, Mody, Darshan (Darshan) wrote:
>> Hi,
>> When I try to read the EC Private Key file I get an error from the openssl. Is there another way to use the Elliptic curve Private key?
>> Please note that I generate the Public and Private keys via the command lines and use the public-private key in my program.
>
> I think we need a bit more to go on. Can you post the commands you used to generate your keys, the error you are getting, and the code you are using to read the private key?
>
> Thanks
>
> Matt
Re: SSL_CTX_use_PrivateKey_file
>     sip_trp_ssl_ctx = SSL_CTX_new( TLSv1_method() );
>     if ( sip_trp_ssl_ctx == NULL ) {
>         ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
>         return SSL_INIT_ERROR;
>     }

Well, EC support was added to SSL/TLS at TLS 1.2.

You did not include the error you are receiving.

Jeff

On Sun, May 25, 2014 at 9:40 AM, Mody, Darshan (Darshan) darshanm...@avaya.com wrote:
> I use below command: openssl ecparam -out key.pem -name prime256v1 -genkey. I am using another 3rd party tool, SIPp. Below is the method that sets the SSL CTX:
>
> [...]
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Matt Caswell
> Sent: Sunday, May 25, 2014 6:31 PM
> To: openssl-users@openssl.org
> Subject: Re: SSL_CTX_use_PrivateKey_file
>
> [...]
Re: SSL_CTX_use_PrivateKey_file
On Sun, May 25, 2014 at 11:28:04AM -0400, Jeffrey Walton wrote:
>>     sip_trp_ssl_ctx = SSL_CTX_new( TLSv1_method() );
>>     if ( sip_trp_ssl_ctx == NULL ) {
>>         ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
>>         return SSL_INIT_ERROR;
>>     }
>
> Well, EC support was added to SSL/TLS at TLS 1.2.

That's not the case. ECDSA and ECDHE predate TLSv1.2. Full support for EC in OpenSSL starts in OpenSSL 1.0.0, while support for TLSv1.2 was added in 1.0.1 IIRC.

    $ openssl ciphers -v 'aECDSA:!TLSv1.2'
    ECDHE-ECDSA-AES256-SHA   SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256)  Mac=SHA1
    ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
    ECDHE-ECDSA-AES128-SHA   SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128)  Mac=SHA1
    ECDHE-ECDSA-RC4-SHA      SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128)  Mac=SHA1
    ECDHE-ECDSA-NULL-SHA     SSLv3 Kx=ECDH Au=ECDSA Enc=None      Mac=SHA1

    $ openssl ciphers -v 'aECDSA+TLSv1.2'
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256)    Mac=SHA384
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)    Mac=SHA256

--
	Viktor.
Re: SSL_CTX_use_PrivateKey_file
On 25/05/14 14:40, Mody, Darshan (Darshan) wrote:
> I use below command: openssl ecparam -out key.pem -name prime256v1 -genkey. I am using another 3rd party tool, SIPp. Below is the method that sets the SSL CTX:

Whilst I don't think it's the cause of your problem, I would suggest adding -noout to the above command (prevents both the parameters and the key being written out separately to the key file, which is probably not what you intended).

I took your code and stripped it down to just the code to load the private key. I also created a key file using the command line you provided. My code below. This works fine. What error are you seeing, and what version of openssl are you using?

Matt

    #include <stdio.h>
    #include <openssl/ssl.h>

    #define ERROR printf
    #define SSL_INIT_ERROR -1
    #define SSL_INIT_NORMAL 0
    typedef int ssl_init_status;

    /* the file written by the ecparam command above */
    static char *tls_key_name = "key.pem";

    ssl_init_status FI_init_ssl_context (void)
    {
        SSL_CTX *sip_trp_ssl_ctx;

        sip_trp_ssl_ctx = SSL_CTX_new( TLSv1_method() );
        if ( sip_trp_ssl_ctx == NULL ) {
            ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
            return SSL_INIT_ERROR;
        }
        if ( SSL_CTX_use_PrivateKey_file(sip_trp_ssl_ctx, tls_key_name, SSL_FILETYPE_PEM ) != 1 ) {
            ERROR("FI_init_ssl_context: SSL_CTX_use_PrivateKey_file failed");
            return SSL_INIT_ERROR;
        }
        printf("Success\n");
        return SSL_INIT_NORMAL;
    }

    int main(void)
    {
        ssl_init_status ret;

        SSL_load_error_strings();
        OpenSSL_add_ssl_algorithms();
        ret = FI_init_ssl_context();
        return ret == SSL_INIT_NORMAL ? 0 : 1;
    }
Re: SSL_CTX_use_PrivateKey_file
On Sun, May 25, 2014 at 11:39 AM, Viktor Dukhovni openssl-us...@dukhovni.org wrote:
> On Sun, May 25, 2014 at 11:28:04AM -0400, Jeffrey Walton wrote:
>>>     sip_trp_ssl_ctx = SSL_CTX_new( TLSv1_method() );
>>>     if ( sip_trp_ssl_ctx == NULL ) {
>>>         ERROR("FI_init_ssl_context: SSL_CTX_new with TLSv1_method failed");
>>>         return SSL_INIT_ERROR;
>>>     }
>>
>> Well, EC support was added to SSL/TLS at TLS 1.2.
>
> That's not the case. ECDSA and ECDHE predate TLSv1.2. Full support for EC in OpenSSL starts in OpenSSL 1.0.0, while support for TLSv1.2 was added in 1.0.1 IIRC.

Indeed. RFC 4492 (ECC for TLS) from May 2006 states it applies to TLS 1.0 and above. My bad.

Jeff
RE: SSL_CTX_use_PrivateKey_file
Seems to be an issue with the certificate and the private key:

    SSL error 0 : error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch.

My bad. Thanks a million.

Regards
Darshan

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jeffrey Walton
Sent: Sunday, May 25, 2014 9:28 PM
To: OpenSSL Users List
Subject: Re: SSL_CTX_use_PrivateKey_file

> On Sun, May 25, 2014 at 11:39 AM, Viktor Dukhovni openssl-us...@dukhovni.org wrote:
>> That's not the case. ECDSA and ECDHE predate TLSv1.2. Full support for EC in OpenSSL starts in OpenSSL 1.0.0, while support for TLSv1.2 was added in 1.0.1 IIRC.
>
> Indeed. RFC 4492 (ECC for TLS) from May 2006 states it applies to TLS 1.0 and above. My bad.
>
> Jeff
Re: SSL_CTX_use_PrivateKey_file does not work with Elliptic Curve Private Key
On 19/05/14 14:12, Darshan Mody wrote:
> -----BEGIN EC PARAMETERS-----
> -----END EC PARAMETERS-----
> -----BEGIN EC PRIVATE KEY-----
> -----END EC PRIVATE KEY-----
>
> My Private key looks as above

How did you generate your private key? Try deleting the EC PARAMETERS section in the file.

Matt
RE: SSL_CTX_use_PrivateKey_file does not work with Elliptic Curve Private Key
http://www.openssl.org/support/faq.html#PROG6

and if you haven't loaded error strings

http://www.openssl.org/support/faq.html#PROG7

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Darshan Mody
Sent: Monday, May 19, 2014 09:13
To: openssl-users@openssl.org
Subject: SSL_CTX_use_PrivateKey_file does not work with Elliptic Curve Private Key

> Hi,
>
> I am new to openssl APIs. However I am using the current code from SIPp. Below is the code snippet for the Private Key:
>
>     if ( SSL_CTX_use_PrivateKey_file(sip_trp_ssl_ctx_client, tls_key_name, SSL_FILETYPE_PEM ) != 1 ) {
>         ERROR("FI_init_ssl_context: SSL_CTX_use_PrivateKey_file (client) failed");
>         return SSL_INIT_ERROR;
>     }
>
> When I provide the Elliptic Private Key it always returns an Error.
>
> -----BEGIN EC PARAMETERS-----
> -----END EC PARAMETERS-----
> -----BEGIN EC PRIVATE KEY-----
> -----END EC PRIVATE KEY-----
>
> My Private key looks as above
>
> Thanks
> Darshan
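The two-block file layout shown in the question and in Matt's reply is what "openssl ecparam -genkey" writes without -noout. The following is an added example, not from either post and not SIPp code: a small PEM block scanner in plain C with no OpenSSL dependency that lists which "-----BEGIN ...-----" sections a key file contains and extracts one of them, which is Matt's "delete the EC PARAMETERS section" done programmatically and checkable. The sample file is constructed: the EC PARAMETERS body is the usual encoding of the prime256v1 OID that the ecparam command prints, and the key body is a placeholder string, not a real key. The function names pem_list_blocks and pem_extract_block are mine.

```c
/* Added example (not from the thread). Plain C, no OpenSSL needed. */
#include <stdio.h>
#include <string.h>

#define PEM_LABEL_MAX 64

/* Constructed sample with the layout "openssl ecparam -genkey" writes
 * without -noout: the parameters body is the prime256v1 OID encoding,
 * the key body is a placeholder and not a real key. */
static const char SAMPLE_KEY_FILE[] =
    "-----BEGIN EC PARAMETERS-----\n"
    "BggqhkjOPQMBBw==\n"
    "-----END EC PARAMETERS-----\n"
    "-----BEGIN EC PRIVATE KEY-----\n"
    "MHcCAQEEIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER\n"
    "PLACEHOLDERPLACEHOLDERPLACEHOLDER==\n"
    "-----END EC PRIVATE KEY-----\n";

/* Collect the label of every "-----BEGIN <label>-----" block in pem, in
 * order. Returns the count, or -1 if a block has no matching END line or
 * its label does not fit. */
int pem_list_blocks(const char *pem, char labels[][PEM_LABEL_MAX], int max)
{
    int n = 0;
    const char *p = pem;
    while (n < max && (p = strstr(p, "-----BEGIN ")) != NULL) {
        const char *end, *e;
        char endmark[PEM_LABEL_MAX + 16];
        p += strlen("-----BEGIN ");
        end = strstr(p, "-----");
        if (end == NULL || (size_t)(end - p) >= PEM_LABEL_MAX)
            return -1;
        memcpy(labels[n], p, (size_t)(end - p));
        labels[n][end - p] = '\0';
        snprintf(endmark, sizeof endmark, "-----END %s-----", labels[n]);
        e = strstr(end, endmark);
        if (e == NULL)
            return -1;                 /* BEGIN without its END: truncated file */
        p = e + strlen(endmark);
        n++;
    }
    return n;
}

/* Copy the first block carrying label, BEGIN line through END line, into
 * out. Returns 1 when found and copied, 0 otherwise. */
int pem_extract_block(const char *pem, const char *label, char *out, size_t cap)
{
    char begin[PEM_LABEL_MAX + 16], endmark[PEM_LABEL_MAX + 16];
    const char *b, *e;
    size_t len;
    if (strlen(label) >= PEM_LABEL_MAX)
        return 0;
    snprintf(begin, sizeof begin, "-----BEGIN %s-----", label);
    snprintf(endmark, sizeof endmark, "-----END %s-----", label);
    b = strstr(pem, begin);
    e = b ? strstr(b, endmark) : NULL;
    if (e == NULL)
        return 0;
    len = (size_t)(e - b) + strlen(endmark);
    if (len + 2 > cap)
        return 0;
    memcpy(out, b, len);
    out[len] = '\n';
    out[len + 1] = '\0';
    return 1;
}

int main(void)
{
    char labels[8][PEM_LABEL_MAX];
    char key_only[512];
    int i, n = pem_list_blocks(SAMPLE_KEY_FILE, labels, 8);
    for (i = 0; i < n; i++)
        printf("block %d: %s\n", i + 1, labels[i]);
    if (pem_extract_block(SAMPLE_KEY_FILE, "EC PRIVATE KEY", key_only, sizeof key_only))
        printf("--- key block only ---\n%s", key_only);
    return 0;
}
```

Run against a real key file, the listing tells you at a glance whether the file holds a parameters block, a private key block, or neither. As Matt's later test in the thread shows, OpenSSL's PEM reader copes with the extra EC PARAMETERS block (it skips blocks whose label does not match the type it is looking for), so removing it is tidiness rather than the fix; the scanner's value is in confirming what the file actually contains before blaming the loader.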
Re: SSL_CTX_use_PrivateKey_file
On Tue, Jan 07, 2003 at 04:06:34PM -0800, Fisk, Kevin wrote:
> Is there any way to pass a string with the private key, instead of reading it from a file, such as read it from a database and pass it to the function, without writing it to disk?

Please look into SSL_CTX_use_PrivateKey_ASN1(), which loads the private key from a memory region.

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
RE: SSL_CTX_use_PrivateKey_file
Okay. Right now, I call SSL_CTX_use_PrivateKey_file with the parameter SSL_FILETYPE_PEM. What do I pass for the type PK (first parameter) to pass this? Do I need to convert the PEM file before it can be passed as an ASN.1 certificate? I tried only passing the private key portion as a string, the entire thing as a string, and I tried using SSL_CTX_use_RSAPrivateKey_ASN1 with both strings.

My PEM file looks like the following:

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCamuFIkojgw5GQGNEsb3vazceGiflAdiHLdGnQhTX8Ihxrshpz
iy2K1lWmX+YRXUXTdk+d+bVtP/a1i1tBLFssL0j6rmyt3z+WuGHinKdOIFYZ9uzU
RTemcUQ3WSN/ngvK68lnA5kqdWVkGgFqdMGyP/QmdlQvvrq9vD3TmQVxhQIDAQAB
AoGAFrJIAlRovb5YHzRVeNWA9DUjZm/Y5IqzGWAkrJTxwOrtCy5hTbcP34LpnfwU
FVaBCrMiqwlehgRO3oXvxpiRZae8uki0RSLld2XLkyb3EoAJb+HpUgW9FbjqZwYm
hKxFqVlyyrDQait352txTtlGQGTIglSaV+KFL5810ybEM50CQQDJf2WVA9J4doY9
/aRnyDix5oIRnOwS2wfwSvQ773Q0a/A+XETaXE1MGbBsr06aYOQo6AR/6yv/iD18
Bp7LhFn3AkEAxGxs9lMs5hdCQWxwlq2bMHCbStg5Uwi8rYNO93wUEOBWKhVLkwe6
LJ6rho84fq7G0zLKrw4UnslJj1Za6rzRYwJBAKJhRi2WTPDDI1+lne38zqOfDUbA
XQa8+GLPJI+AYvcz3QGEPgByzd/7+886X2/NkVDd2XJ0xJpC4rmmZCXCXPUCQBCV
Stm9CfRfEFPvsM232HtNdn7qJGTTPwKzLE6Opi8KkZu58oh2RYyQ1NBmdRGU9epM
xnnjCXCic9hrJP/ecxsCQQCZ6E3Ww8p+R5ssVCWL5Lm4RNgqhH1Dw+KC0jHBG31B
HDQFIAxi9C0Jfzx6jUFJ8xWA93SAJFkSFPw5IVVWa2BT
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICMTCCAZoCAQAwDQYJKoZIhvcNAQEEBQAwYTELMAkGA1UECBMCQ0ExETAPBgNV
BAcTCE1vb3JwYXJrMQwwCgYDVQQKEwNWTFAxDDAKBgNVBAMTA1ZMUDEjMCEGCSqG
SIb3DQEJARYUYmtvemluQGxpbmtwb2ludC5jb20wHhcNMDExMTA2MTg1MDE3WhcN
MzExMTA0MTg1MDE3WjBhMQswCQYDVQQIEwJDQTERMA8GA1UEBxMITW9vcnBhcmsx
DDAKBgNVBAoTA1ZMUDEMMAoGA1UEAxMDVkxQMSMwIQYJKoZIhvcNAQkBFhRia296
aW5AbGlua3BvaW50LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAmprh
SJKI4MORkBjRLG972s3Hhon5QHYhy3Rp0IU1/CIca7Iac4stitZVpl/mEV1F03ZP
nfm1bT/2tYtbQSxbLC9I+q5srd8/lrhh4pynTiBWGfbs1EU3pnFEN1kjf54LyuvJ
ZwOZKnVlZBoBanTBsj/0JnZUL766vbw905kFcYUCAwEAATANBgkqhkiG9w0BAQQF
AAOBgQAxTU7cJG7nE44VW8hMGp6/5eOtHL0K7hsBQ7U0ZO8jESipAyBjWOZuEo9i
Cbfs452f4YjEPnJbqbQxJbScf0P50k1S7pMI1elBdSjPKIQXAC5qzDWJGq8gvB9/
cDc/4JOgy8AVC2B0TioKtsxE3k9t/u43oEzlHHrGkSuMRFd+BQ==
-----END CERTIFICATE-----

Thanks,
Kevin
Re: SSL_CTX_use_PrivateKey_file
On Wed, Jan 08, 2003 at 09:40:58AM -0800, Fisk, Kevin wrote:
> Okay. Right now, I call SSL_CTX_use_PrivateKey_file with the parameter SSL_FILETYPE_PEM. What do I pass for the type PK (first parameter) to pass this? Do I need to convert the PEM file before it can be passed as an ASN.1 certificate? I tried only passing the private key portion as a string, the entire thing as a string, and I tried using SSL_CTX_use_RSAPrivateKey_ASN1 with both strings.

ASN1 (in OpenSSL also referred to as DER format) is a binary representation in ASN.1 format. PEM is the base64 encoded DER format.

You can use the

    int PEM_read(FILE *fp, char **name, char **header, unsigned char **data, long *len)

or PEM_read_bio() routines. Please refer to the pem manual page.

Best regards,
	Lutz
Re: SSL_CTX_use_PrivateKey_file()
Try

    /* set callback for passphrases on private key files */
    SSL_CTX_set_default_passwd_cb( context, pem_passwd_cb);

before calling SSL_CTX_use_PrivateKey_file(), where pem_passwd_cb could be, for non-encrypted private key files,

    /* callback for private key files passphrase */
    static int pem_passwd_cb(char *buf, int size, int rwflag, void *password)
    {
        return 0;
    }

Ales Privetivy

> Hi, can somebody help me out.
>
> When I use the SSL_CTX_use_PrivateKey_file() function in my client and server program, both the server and client program ask on the command prompt to "Enter PEM pass phrase:".
>
> I don't want the user to enter the pass phrase; how to avoid this situation? Is there any way?
>
> biswaksen
Re: SSL_CTX_use_PrivateKey_file() problem
            could do all sorts of certificate verification stuff here
            before deallocating the certificate. */
            X509_free (server_cert);
        }
    }
    catch(Exception* e) {
        disconnect();
        printf("Exception caught in connectToHost\n");
        printf("%s\n", e->getMsg());
        throw e;
    }
    return m_oSocket;
    }

Dr Stephen Henson [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
23.06.2000 17:30
Please respond to openssl-users

To: [EMAIL PROTECTED]
cc:
Subject: Re: SSL_CTX_use_PrivateKey_file() problem

> Hmmm. Are you manually calling PKCS5_pbe_set() and EVP_PBE_CipherInit()? You shouldn't have to. This kind of thing should be automatically handled by the PKCS#8 code when you call SSL_CTX_use_PrivateKey_file(); the salt and iteration count are part of the encoded structure.
>
> Try the openssl 'pkcs8' utility on the key:
>
>     openssl pkcs8 -in key.pem
>
> and see if you get the same error. If you do then if you can send me a sample key (not an important one!) with the password I'll see if I can see what is wrong. The PKCS#8 code has been tested against a number of other implementations and it should be OK.
>
> Setting 0 for the iteration count is in any case unlikely to work because OpenSSL then uses a "reasonable" large value, 2048 by default. It doesn't follow any particular standard for that but this doesn't matter in practice.
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: SSL_CTX_use_PrivateKey_file() problem
[EMAIL PROTECTED] wrote:
> Hello everybody
>
> I am new to working with openssl so this may seem like a stupid question, but I just can't seem to get past this problem. The error that I am getting is:
>
>     425:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:.crypto\evp\evp_pbe.c:89:Type=pbeWithMD5AndDes-CBC

I think something similar is in the FAQ. You need to load OpenSSL's internal algorithm table with OpenSSL_add_all_algorithms().

Steve.
Re: SSL_CTX_use_PrivateKey_file() problem
Thank you for your quick response Dr. Henson.

I thought to myself: "but I've done that!", although I call the SSLeay_add_ssl_algorithms() but it's now defined as OpenSSL_add_all_algorithms()... no wait a minute... it's defined as OpenSSL_add_ssl_algorithms(). Well, a stupid mistake on my behalf.

Now all I have to do is to find a way to place the correct salt into the function. Because of this error message:

    474:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:.\crypto\evp\evp_enc.c:243:

This seems not to be doing the trick:

    X509_ALGOR *alg = PKCS5_pbe_set(NID_pbeWithMD5AndDES_CBC, /*iter*/0, (unsigned char*)salt, saltlen);
    EVP_PBE_CipherInit(alg->algorithm, /*password*/"password", /*passwordlen*/8, alg->parameter, ctx, 0);

Because this is still failing:

    SSL_CTX_use_PrivateKey_file(m_pCtx, key_file, SSL_FILETYPE_PEM)

only now with the error previously described.

Well, I will be calling it quits today because we're having an incredibly beautiful summer day here in Iceland, and we only have a couple of those each summer. :)

cheers,
Ragnar

Dr Stephen Henson [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
23.06.2000 13:56
Please respond to openssl-users

To: [EMAIL PROTECTED]
cc:
Subject: Re: SSL_CTX_use_PrivateKey_file() problem

> [EMAIL PROTECTED] wrote:
>> Hello everybody
>>
>> I am new to working with openssl so this may seem like a stupid question, but I just can't seem to get past this problem. The error that I am getting is:
>>
>>     425:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:.crypto\evp\evp_pbe.c:89:Type=pbeWithMD5AndDes-CBC
>
> I think something similar is in the FAQ. You need to load OpenSSL's internal algorithm table with OpenSSL_add_all_algorithms().
>
> Steve.
Re: SSL_CTX_use_PrivateKey_file() problem
[EMAIL PROTECTED] wrote:
> Now all I have to do is to find a way to place the correct salt into the function. Because of this error message:
>
>     "474:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:.\crypto\evp\evp_enc.c:243:"
>
> This seems not to be doing the trick:
>
>     "X509_ALGOR *alg = PKCS5_pbe_set(NID_pbeWithMD5AndDES_CBC, /*iter*/0, (unsigned char*)salt, saltlen);
>     EVP_PBE_CipherInit(alg->algorithm, /*password*/"password", /*passwordlen*/8, alg->parameter, ctx, 0);"
>
> Because this is still failing:
>
>     "SSL_CTX_use_PrivateKey_file(m_pCtx, key_file, SSL_FILETYPE_PEM)"
>
> only now with the error previously described.

Hmmm. Are you manually calling PKCS5_pbe_set() and EVP_PBE_CipherInit()? You shouldn't have to. This kind of thing should be automatically handled by the PKCS#8 code when you call SSL_CTX_use_PrivateKey_file(); the salt and iteration count are part of the encoded structure.

Try the openssl 'pkcs8' utility on the key:

    openssl pkcs8 -in key.pem

and see if you get the same error. If you do then if you can send me a sample key (not an important one!) with the password I'll see if I can see what is wrong. The PKCS#8 code has been tested against a number of other implementations and it should be OK.

Setting 0 for the iteration count is in any case unlikely to work because OpenSSL then uses a "reasonable" large value, 2048 by default. It doesn't follow any particular standard for that but this doesn't matter in practice.

Steve.