Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-14 Thread 杨俊 
Hi openssl-er,

> Does cacert.pem contain the CA certificate that issued the certificate for
> https://curl.haxx.se ?

I think the cacert.pem is right. Because, I can get the ok result in my PC
by this command:

​
> If your embedded file system does not support symlinks, you can instead
> rename the PEM files to the names of the symlinks that c_rehash generates
> on a more full-blown development computer.

I don't know if my way is right. I do it like this:


1. In my device, I can't use the c_rehash. It said no perl. I input the
command like this:
/tmp # ./openssl x509 -hash -fingerprint -noout -in
/home/georgeyang/workspace/s
peech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem
5ad8a5d6
SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C

2. input command:
/etc/ssl/certs # ln -s
/home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem
5ad8a5d6.0
/etc/ssl/certs # ls -l
total 511
lrwxrwxrwx1 root root88 Jan  1 06:53 5ad8a5d6.0 ->
/home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem

Is this right?

3. the result is still NG
/tmp # ./openssl s_client -connect curl.haxx.se:443 -CApath /etc/ssl/certs/
CONNECTED(0003)
depth=0 CN = anja.haxx.se
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se
verify error:num=21:unable to verify the first certificate
verify return:1
---

4. NG again
CONNECTED(0003)
depth=0 CN = anja.haxx.se
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-BEGIN CERTIFICATE-
---
-END CERTIFICATE-
subject=/CN=anja.haxx.se
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3143 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Session-ID:
3EA8329E6101B72FDA48B82E57049D637925CBC73064598B5B418270FFA5907C
Session-ID-ctx:
Master-Key:
61172C067AE0758A1BE71C7577B6A6E8EFD896516F602BCA30E4E369B61A4093702406403CF41FF3B9CFC2E9E76BE611
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
---

Start Time: 24915
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
closed

Thank you :-(
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Is there a way to get the numeric-value for a openssl-cipher-suite

2016-12-14 Thread Matt Caswell 


On 14/12/16 08:09, Ajay Garg wrote:
> Hi All.
> 
> I am using the following script at myu laptop, to test for the available
> cipher-suites :
> 
> 
> #!/usr/bin/env bash
> 
> # OpenSSL requires the port number.
> SERVER=server.ip.com:12345 
> DELAY=1
> ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
> 
> echo Obtaining cipher list from $(openssl version).
> 
> for cipher in ${ciphers[@]}
> do
> # echo -n Testing $cipher...
> result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
> if [[ "$result" =~ ":error:" ]] ; then
> true
> else
>   if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher:"
> ]] ; then
> echo ${cipher}
>   else
>   true
>   fi
> fi
> sleep $DELAY
> done
> 
> 
> 
> Above script works, and I am able to get the supported-ciphers-listing.
> But all those ciphers are in stringified-form.
> 
> 
> Is there a way, so that I can get the supported-ciphers in their
> corrsponding numeric-values form?

Try the -V option to the ciphers command.

Matt


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Is there a way to get the numeric-value for a openssl-cipher-suite

2016-12-14 Thread Ajay Garg 
Hi All.

I am using the following script at myu laptop, to test for the available
cipher-suites :


#!/usr/bin/env bash

# OpenSSL requires the port number.
SERVER=server.ip.com:12345
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo Obtaining cipher list from $(openssl version).

for cipher in ${ciphers[@]}
do
# echo -n Testing $cipher...
result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
if [[ "$result" =~ ":error:" ]] ; then
true
else
  if [[ "$result" =~ "Cipher is ${cipher}" || "$result" =~ "Cipher:" ]]
; then
echo ${cipher}
  else
  true
  fi
fi
sleep $DELAY
done



Above script works, and I am able to get the supported-ciphers-listing.
But all those ciphers are in stringified-form.


Is there a way, so that I can get the supported-ciphers in their
corrsponding numeric-values form?
I ask this, because a particular device supports only a restricted set of
ciphers, and I am not able to properly match the cipher-suites using their
stringified-forms.


Looking forward to some help from the experts :)



Thanks and Regards,
Ajay
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-14 Thread Jakob Bohm 

On 14/12/2016 09:42, 杨俊 wrote:

Hi openssl-er,

> Does cacert.pem contain the CA certificate that issued the certificate for
> https://curl.haxx.se  ?

I think the cacert.pem is right. Because, I can get the ok result in 
my PC by this command:


​
> If your embedded file system does not support symlinks, you can instead
> rename the PEM files to the names of the symlinks that c_rehash generates
> on a more full-blown development computer.


Just to be sure (sometimes OpenSSL checks its default -CApath even
if you specify a -CAfile) try this command on the development machine:

openssl x509 -subject -noout -in cacert.pem

Compare to the deepest value from the screenshot above.


I don't know if my way is right. I do it like this:


1. In my device, I can't use the c_rehash. It said no perl. I input 
the command like this:
/tmp # ./openssl x509 -hash -fingerprint -noout -in 
/home/georgeyang/workspace/s

peech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem
5ad8a5d6
SHA1 
Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C


2. input command:
/etc/ssl/certs # ln -s 
/home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem 
5ad8a5d6.0

/etc/ssl/certs # ls -l
total 511
lrwxrwxrwx1 root root88 Jan  1 06:53 5ad8a5d6.0 -> 
/home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem


Is this right?

3. the result is still NG
/tmp # ./openssl s_client -connect curl.haxx.se:443 
 -CApath /etc/ssl/certs/

CONNECTED(0003)
depth=0 CN = anja.haxx.se 
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se 
verify error:num=21:unable to verify the first certificate
verify return:1
---

4. NG again
CONNECTED(0003)
depth=0 CN = anja.haxx.se 
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se 
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se 
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-BEGIN CERTIFICATE-
---
-END CERTIFICATE-
subject=/CN=anja.haxx.se 
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3143 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 
3EA8329E6101B72FDA48B82E57049D637925CBC73064598B5B418270FFA5907C

Session-ID-ctx:
Master-Key: 
61172C067AE0758A1BE71C7577B6A6E8EFD896516F602BCA30E4E369B61A4093702406403CF41FF3B9CFC2E9E76BE611

PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
---

Start Time: 24915
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
closed



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-14 Thread 杨俊 
Hi Jakob & openssl-er,

1. My cross compile command is :
---

#export
CROSSCOMP_DIR=/home/georgeyang/workspace/hisi/hi3516a_v100/Hi3516A_SDK_V1.0.6.0/osdrv/opensource/toolchain/arm-hisiv400-linux/arm-hisiv400-linux/bin

#export INSTALL_DIR=/home/georgeyang/workspace/speech_code/openssl

#./Configure -DOPENSSL_NO_HEARTBEATS linux-generic32 shared
--prefix=$INSTALL_DIR --openssldir=$INSTALL_DIR/openssl/final
--cross-compile-prefix=$CROSSCOMP_DIR/arm-hisiv400-linux-gnueabi-

Make

Make install


2. This is my openssl's details.
--
/tmp # ./openssl version -a
OpenSSL 1.1.0c  10 Nov 2016
built on: reproducible build, date unspecified
platform: linux-generic32
compiler:
/home/georgeyang/workspace/hisi/hi3516a_v100/Hi3516A_SDK_V1.0.6.0/osdrv/opensource/toolchain/arm-hisiv400-linux/arm-hisiv400-linux/bin/arm-hisiv400-linux-gnueabi-gcc
-DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS
-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS
-DOPENSSLDIR="\"/home/georgeyang/workspace/speech_code/openssl/openssl/final\""
-DENGINESDIR="\"/home/georgeyang/workspace/speech_code/openssl/lib/engines-1.1\""
OPENSSLDIR: "/home/georgeyang/workspace/speech_code/openssl/openssl/final"
ENGINESDIR: "/home/georgeyang/workspace/speech_code/openssl/lib/engines-1.1"
/tmp #

Is there something wrong in my parameters?
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Signing an XML file

2016-12-14 Thread Dr. Stephen Henson 
On Wed, Dec 14, 2016, Salz, Rich wrote:

> > Is there some equivalent to PHP's openssl_sign_pkcs7 function for C/C++ 
> > users?
> 
> Look at the apps/pkcs7.c file as a starting point.  Get the command line 
> doing what you want, and then work through the code to pull out only the bits 
> you need.
> 

Actually smime.c is the utility you want for PKCS#7. Alternatively cms.c if
you want CMS (the successor to PKCS#7).

Those though are general purpose utilities which do all sorts of things which
most appications don't care about. There are some demos in demos/smime and
demos/cms which are much simpler.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-14 Thread Michael Wojcik 
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of ??
> Sent: Wednesday, December 14, 2016 07:53

> I get the log from the embedded linux device and my PC.
> Sorry, I don't get the deference in the platform, but there is some deference 
> between the platform and PC.

(You want "difference" there, not "deference". Just another of English's many 
homonyms and orthographic peculiarities.)

I just did a quick check, and it appears curl.haxx.se sends two certificates: 
the server certificate (signed by Let's Encrypt) and an intermediate (signed by 
Digital Signature Trust).

On the PC, s_client shows a chain of three certificates, ending in the DST 
root. That means OpenSSL found that root certificate somewhere - it didn't get 
it from the server, and it's not the first certificate in cacert-2016-11-02.pem.

So: either there's more than one certificate in cacert-2016-11-02.pem, or 
OpenSSL on the PC is searching its default CA certificate directory in addition 
to cacert-2016-11-02.pem. Since we don't know what's actually in 
cacert-2016-11-02.pem, we can't provide much further help.

Note that if there are multiple certificates in cacert-2016-11-02.pem, you'll 
have to split them up into separate files and create the correct hash link for 
each one, if you want to use a certificate directory.


Also, there's this from your previous note:

> /tmp # ./openssl x509 -subject -noout -in cacert-2016-11-02.pem 
> subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA

Did you actually capture that, or did you retype it? Because it's not valid 
openssl x509 output. Note that it doesn't match what you reported from the PC:

> subject= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

Michael Wojcik 
Distinguished Engineer, Micro Focus 


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

2016-12-14 Thread 杨俊 
Hi Jakob & openssl-er,

> Just to be sure (sometimes OpenSSL checks its default -CApath even
> if you specify a -CAfile) try this command on the development machine:

> openssl x509 -subject -noout -in cacert.pem

> Compare to the deepest value from the screenshot above.


I get the log from the embedded linux device and my PC.
Sorry, I don't get the deference in the platform, but there is some
deference between the platform and PC.
Is this help?

--from embedded platform NG log--
/tmp # ./openssl x509 -subject -noout -in cacert-2016-11-02.pem
subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA

/tmp # ./openssl s_client -connect curl.haxx.se:443 -CAfile
./cacert-2016-11-02.pem
CONNECTED(0003)
depth=0 CN = anja.haxx.se
 /always
 depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-BEGIN CERTIFICATE-

-END CERTIFICATE-
subject=/CN=anja.haxx.se
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3143 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Session-ID:
AB3322B63747715342DB68B4D18C27F98CF84D4A0E2711719E8B96FA5DA5C1FD
Session-ID-ctx:
Master-Key:
240CC5C33C7185E49C74076133DF385AB0282A3C68D6D6DC3CB74D0DB845E4242F61DA09A28B544CB5B1D39FA839E6AD
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
.
Start Time: 39804
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
closed
/tmp #


--from PC ok
log--
georgeyang@georgeyang-virtual-machine:/mnt/hgfs/share/task/danale_task/3516a$
openssl x509 -subject -noout -in cacert-2016-11-02.pem
subject= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

georgeyang@georgeyang-virtual-machine:/mnt/hgfs/share/task/danale_task/3516a$
openssl s_client -connect curl.haxx.se:443 -CAfile ./cacert-2016-11-02.pem
CONNECTED(0003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
   //depth
0,1,2/
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = anja.haxx.se
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-BEGIN CERTIFICATE-
   
-END CERTIFICATE-
subject=/CN=anja.haxx.se
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3148 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES128-GCM-SHA256
Session-ID:
5640820B2C49B9B2E68563DFDFC7303BE01DE69E7EB4C6C833B4F7872CD173E5
Session-ID-ctx:
Master-Key:
48783D2D0E03CE5EACB7AF2577E0E2AFE4F056B191BFB2641D08E602C54BF651B9C195DCFBD2AECC2092B035848B005B
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
 ---
Start Time: 1481718602
Timeout   : 300 (sec)
Verify return code: 0 (ok)
---
closed
georgeyang@georgeyang-virtual-machine
:/mnt/hgfs/share/task/danale_task/3516a$



thank you for your help.
Thanks a lot.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Signing an XML file

2016-12-14 Thread Thomas J. Hruska 

On 12/14/2016 3:28 AM, Dr. Stephen Henson wrote:

On Wed, Dec 14, 2016, Salz, Rich wrote:


Is there some equivalent to PHP's openssl_sign_pkcs7 function for C/C++ users?


Look at the apps/pkcs7.c file as a starting point.  Get the command line doing 
what you want, and then work through the code to pull out only the bits you 
need.



Actually smime.c is the utility you want for PKCS#7. Alternatively cms.c if
you want CMS (the successor to PKCS#7).

Those though are general purpose utilities which do all sorts of things which
most appications don't care about. There are some demos in demos/smime and
demos/cms which are much simpler.


PHP is open source software written in C.

A quick lookup in PHP's git repository (it's source code) turns up:

http://git.php.net/?p=php-src.git;a=blob;f=ext/openssl/openssl.c;h=a4b302bd303579d8f3eb62abdd9f312d3fba264d;hb=HEAD#l5148

Now the OP has a model to follow for writing a similar wrapper function 
for their project.



I've found that when people mention a specific language (in this case, 
PHP), they are infatuated with the language but have never bothered to 
crack open that language's source code to dig into how the language 
actually works.  To some extent, they view the language as magical.  And 
to some other extent, they irrationally fear looking at the source code 
of the language.  Now is the perfect opportunity for the OP to start 
learning how one of their favorite languages operates behind the scenes 
with the goal of porting a single function that they are interested in. 
This approach solves multiple core developer problems at the same time.


--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI and Win32 OpenSSL.
http://www.slproweb.com/
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Is there a way to get the numeric-value for a openssl-cipher-suite

2016-12-14 Thread Salz, Rich 
Does the -V flag not do what you want?
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Signing an XML file

2016-12-14 Thread Anibal F. Martinez Cortina 
2016-12-14 11:17 GMT-03:00 Thomas J. Hruska 
:

> On 12/14/2016 3:28 AM, Dr. Stephen Henson wrote:
>
>> On Wed, Dec 14, 2016, Salz, Rich wrote:
>>
>> Is there some equivalent to PHP's openssl_sign_pkcs7 function for C/C++
 users?

>>>
>>> Look at the apps/pkcs7.c file as a starting point.  Get the command line
>>> doing what you want, and then work through the code to pull out only the
>>> bits you need.
>>>
>>>
>> Actually smime.c is the utility you want for PKCS#7. Alternatively cms.c
>> if
>> you want CMS (the successor to PKCS#7).
>>
>> Those though are general purpose utilities which do all sorts of things
>> which
>> most appications don't care about. There are some demos in demos/smime and
>> demos/cms which are much simpler.
>>
>
> PHP is open source software written in C.
>
> A quick lookup in PHP's git repository (it's source code) turns up:
>
> http://git.php.net/?p=php-src.git;a=blob;f=ext/openssl/opens
> sl.c;h=a4b302bd303579d8f3eb62abdd9f312d3fba264d;hb=HEAD#l5148
>
> Now the OP has a model to follow for writing a similar wrapper function
> for their project.
>
>
> I've found that when people mention a specific language (in this case,
> PHP), they are infatuated with the language but have never bothered to
> crack open that language's source code to dig into how the language
> actually works.  To some extent, they view the language as magical.  And to
> some other extent, they irrationally fear looking at the source code of the
> language.  Now is the perfect opportunity for the OP to start learning how
> one of their favorite languages operates behind the scenes with the goal of
> porting a single function that they are interested in. This approach solves
> multiple core developer problems at the same time.
>
> --
> Thomas Hruska
> Shining Light Productions
>
> Home of BMP2AVI and Win32 OpenSSL.
> http://www.slproweb.com/
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>

As a matter of facts, you're indeed right. I was daunted by the idea of
going through PHP's source myself..
Thanks for the pointers, guys.
I'll report back as soon as I get some progress.

Kind regards,
Anibal.-
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Signing an XML file

2016-12-14 Thread silvioprog 
On Wed, Dec 14, 2016 at 11:47 AM, Anibal F. Martinez Cortina <
linuxkid.z...@gmail.com> wrote:
[...]

> As a matter of facts, you're indeed right. I was daunted by the idea of
> going through PHP's source myself..
> Thanks for the pointers, guys.
> I'll report back as soon as I get some progress.
>
> Kind regards,
> Anibal.-
>

Add xmlsec to your wishlist. :-)

https://www.aleksey.com/xmlsec/api/xmlsec-examples.html

--
Silvio Clécio
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] AECDH problem: works in 1.0.2, fails in 1.1

2016-12-14 Thread Norm Green 

That was it. Thanks Matt!

On 12/13/16 15:48, Matt Caswell wrote:


On 13/12/16 21:09, Norm Green wrote:

I have a simple C program that works in 1.0.2 but fails with the same
code in 1.1.
Here's the psuedo code for the client and server:

Server:
   const SSL_METHOD *meth = TLSv1_2_server_method();
   SSL_CTX *ctx = SSL_CTX_new(meth);
   SSL_CTX_set_ecdh_auto(ctx, 1);
   SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
   SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
   SSL_CTX_set_cipher_list(ctx, "AECDH");
   SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
   SSL *ssl = SSL_new(ctx);
   SSL_accept(ssl);


Client:
   const SSL_METHOD *meth = TLSv1_2_client_method();
   SSL_CTX *ctx = SSL_CTX_new(meth);
   SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
   SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
   SSL_CTX_set_cipher_list(ctx, "AECDH");
   SSL *ssl = SSL_new(ctx);
   SSL_connect(ssl);


In 1.1, the client gets this error from SSL_connect()

SSL_connect returned SSL_ERROR_SSL
Details: error:141640B5:SSL routines:tls_construct_client_hello:no
ciphers available
ssl/statem/statem_clnt.c at 815


What do I need to do to make AECDH work in 1.1 ?

AECDH is in security level 0 but the default security level is 1. Read
about security levels here:

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html

You need to set the security level to 0 either through a call to
SSL_CTX_set_security_level() or similar; or via the cipherstring using
"AECDH:@SECLEVEL=0". See:

https://www.openssl.org/docs/manmaster/man1/ciphers.html

Matt





--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Compiling for an old embedded device ARM7T armv4t platform?

2016-12-14 Thread Sean Graham 
Hello everyone,

I'm trying to do my research, and not sure if this should go into the -dev
or -user mailing list...

I have an embedded device which runs an ARM7T armv4t 16-bit thumb platform.

I'm not finding much info other than the compile guide telling me to modify
$cflags and $ldflags (which actually don't appear to be used in
./Configure?)

The IDE for development is typically done in GUI mode - and I have no clue
how I could compile OpenSSL in this manner.

I'm hopeful that I can just link in the library, it seems to have a built
in arm-elf compiler/linker and has its own internal library files as .elf

I noticed that there are linux-armv4 and linux-elf compilation targets in
./Configure, so I'm hopeful that I can go in this direction, but I'm
struggling to find documentation on how to approach it in this manner.

Alternately is it possible to direct-compile with an IDE? I assume it's not
just as simple as adding all the .c files in...

I'm normally a windows guy :)

Thanks in advance!

--
Sean Graham
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users