Certificate purpose

2001-09-14 Thread Maya



Hello!

Is it possible to add some new purpose to the already created certificate
request by using only command tools of openssl???
For example Certificate purpose CodeSigning with OID= 1.3.6.1.5.5.7.3.3

I hope somebody can help me?


Time Diff?

2001-09-14 Thread Averroes

Hi all,

Perhaps someone noticed this:

When I create a certificate there is difference
between system (OS) time and creation time of certificate.
Approximately one hour.


certificate info:
Validity
Not Before: Sep 14 09:57:24 2001 GMT
Not After : Sep 13 09:57:24 2006 GMT

and immediately after signing:
Fri Sep 14 10:58:32 BST 2001

Any ideas?

Regards

-- 
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-
# Averroes A. Aysha
# Think Linux, Think Slackware!
# Network Security Auditor (NSA)
# e-fingerprint = 73B7 2559 2968 5094 3B95 5C70 4E85 5F94 6068 1DD8
# http://www.keyserver.net/en/
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Time Diff?

2001-09-14 Thread zhu qun-ying



Averroes wrote:

> Hi all,
>
> Perhaps someone noticed this:
>
> When I create a certificate there is difference
> between system (OS) time and creation time of certificate.
> Approximately one hour.
>
> certificate info:
> Validity
> Not Before: Sep 14 09:57:24 2001 GMT
> Not After : Sep 13 09:57:24 2006 GMT

<-- GMT time

> and immediately after signing:
> Fri Sep 14 10:58:32 BST 2001

<--- local time zone

> Any ideas?
>
> Regards





Re: Time Diff?

2001-09-14 Thread Erwann ABALEA

On Fri, 14 Sep 2001, Averroes wrote:

> Hi all,
>
> Perhaps someone noticed this:
>
> When I create a certificate there is difference
> between system (OS) time and creation time of certificate.
> Approximately one hour.
>
> certificate info:
> Validity
> Not Before: Sep 14 09:57:24 2001 GMT
> Not After : Sep 13 09:57:24 2006 GMT
>
> and immediately after signing:
> Fri Sep 14 10:58:32 BST 2001

I don't know what timezone BST is, but if I were you, I'd look at this
first (the timeshift between BST and GMT).

-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
-
``Numbers talk, bullshit walks.''
 Anonymous




RE: Time Diff?

2001-09-14 Thread John . Airey

-Original Message-
From: Averroes [mailto:[EMAIL PROTECTED]]
Sent: 14 September 2001 10:03
To: [EMAIL PROTECTED]
Subject: Time Diff?


Hi all,

Perhaps someone noticed this:

When I create a certificate there is difference
between system (OS) time and creation time of certificate.
Approximately one hour.


certificate info:
Validity
Not Before: Sep 14 09:57:24 2001 GMT
Not After : Sep 13 09:57:24 2006 GMT

and immediately after signing:
Fri Sep 14 10:58:32 BST 2001

Any ideas?

There isn't a time difference. These are the same time! 9:58:32 GMT (or more
correctly UTC) is 10:58:32 BST, although only between (at present) 1:00AM
UTC on the last Sunday in March and 1:00AM UTC on the last Sunday in
October. This is the same across the whole of the EU.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk 




Re: Time Diff?

2001-09-14 Thread Averroes

Ooops...


Sorry, Sorry!!!

zhu qun-ying wrote:
>
> Averroes wrote:
>
> > Hi all,
> >
> > Perhaps someone noticed this:
> >
> > When I create a certificate there is difference
> > between system (OS) time and creation time of certificate.
> > Approximately one hour.
> >
> > certificate info:
> > Validity
> > Not Before: Sep 14 09:57:24 2001 GMT
> > Not After : Sep 13 09:57:24 2006 GMT
>
> <-- GMT time
>
> > and immediately after signing:
> > Fri Sep 14 10:58:32 BST 2001
>
> <--- local time zone
>
> > Any ideas?
> >
> > Regards

-- 
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-
# Averroes A. Aysha
# Think Linux, Think Slackware!
# Network Security Auditor (NSA)
# e-fingerprint = 73B7 2559 2968 5094 3B95 5C70 4E85 5F94 6068 1DD8
# http://www.keyserver.net/en/
# .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-



Re: Time Diff?

2001-09-14 Thread Valentin Zahariev

On Fri, Sep 14, 2001 at 11:03:20AM +0200, Averroes wrote:
> Hi all,
>
> Perhaps someone noticed this:
>
> When I create a certificate there is difference
> between system (OS) time and creation time of certificate.
> Approximately one hour.
>
> certificate info:
> Validity
> Not Before: Sep 14 09:57:24 2001 GMT
> Not After : Sep 13 09:57:24 2006 GMT
>
> and immediately after signing:
> Fri Sep 14 10:58:32 BST 2001

Timezone?
GMT and BST?

> Any ideas?
>
> Regards
>
> --
> # .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-
> # Averroes A. Aysha
> # Think Linux, Think Slackware!
> # Network Security Auditor (NSA)
> # e-fingerprint = 73B7 2559 2968 5094 3B95 5C70 4E85 5F94 6068 1DD8
> # http://www.keyserver.net/en/
> # .- ...- . .-. .-. --- . ... .- .-.-.- .- -.-- ...  .-
 

-- 
rgdz
curly

http://www.e-card.bg

PGP keyID: 0xCB6681D8
Key fingerprint =  5A 7B 24 E3 9F CE FF 03  E9 FE D0 BD 81 27 08 2C  CB 66 81 D8



RE: Export laws

2001-09-14 Thread John . Airey

-Original Message-
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: 14 September 2001 02:22
To: [EMAIL PROTECTED]
Subject: Re: Export laws


Michael Sierchio [EMAIL PROTECTED] writes:
> The code was simply reverse-engineered.  It's a small, simple
> piece of code.  Reverse-engineering is the determination of someone
> else's trade secret information via examination and testing of publicly
> available information.  It's legal.
RSA required a prohibition on reverse engineering as part of the
pass-through license which they imposed on their licensees (at least
they did for us). Thus, whoever reverse engineered the code likely
violated the license in the process. It's certainly debatable whether
such a prohibition is enforceable but it's not a slam-dunk that it
isn't, either.

Just to enter the fray, it's worth pointing out that Samba was reverse
engineered also, and Microsoft support it in all but name. Actually, you
could probably reverse engineer Windows as well but it probably wouldn't be
worth it.

Also, to say that ARC4 violates the RC4 trademark is as daft as stating that
the name Christina Saunders violates the right to the initials NASA. I
believe someone with a name like this was once refused the right to register
a domain name. Closer to home, does NASDAQ violate the trademark name ASDA?
I don't think so!

However, like Eric I would be concerned about being sued by RSA.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 




Re: Split private Key

2001-09-14 Thread Götz Babin-Ebell

Michael Sierchio wrote:
>
> Götz Babin-Ebell wrote:
>
> > Don't underestimate XOR.
> > With a good random source and a secure way to separate
> > key and data it is one of the best crypt algorithms available.
>
> XOR only permits N-of-N threshold schemes, not K-of-N with
> K < N.

But that is exactly what the original poster wanted...

So if a simple algorithm matches the requirements,
why use a complicated one ?

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126
 S/MIME Cryptographic Signature
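
The N-of-N XOR split discussed in this exchange, as an added example that is not part of the original posts. The function names and the sample key are constructed for illustration; it also shows why any N-1 shares say nothing about the key, and that losing one share loses the key.

```python
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must all have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_n_of_n(secret: bytes, n: int) -> list:
    """Split secret into n shares; all n are required to rebuild it."""
    if n < 2:
        raise ValueError("need at least two shares")
    if not secret:
        raise ValueError("empty secret")
    # n-1 shares are pure randomness from the OS CSPRNG ...
    pads = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    # ... and the last share is the secret masked by all of them.
    last = reduce(xor_bytes, pads, secret)
    return pads + [last]


def combine(shares) -> bytes:
    """XOR every share together; only the full set yields the secret."""
    shares = list(shares)
    if len(shares) < 2:
        raise ValueError("need at least two shares")
    return reduce(xor_bytes, shares)


def share_explaining(partial, candidate: bytes) -> bytes:
    """Missing share that would make `partial` decode to `candidate`.

    Such a share exists for every candidate of the right length, which is
    why an incomplete set of shares carries no information about the secret.
    """
    return reduce(xor_bytes, partial, candidate)


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    shares = split_n_of_n(key, 3)
    decoy = b"\x00" * len(key)
    forged = share_explaining(shares[:2], decoy)
    return {
        "rebuilt_ok": combine(shares) == key,
        # Two of three shares do not recover the key (no K-of-N with K < N).
        "two_of_three_ok": combine(shares[:2]) == key,
        # The same two shares are consistent with a completely different key.
        "decoy_fits": combine(shares[:2] + [forged]) == decoy,
    }


if __name__ == "__main__":
    print(demo())
```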


RE: How to load a P12 certificate?

2001-09-14 Thread Jordan C N Chong



Dear Yong Yue

It is you again that helps me :D Thousand thanks.

But could you please direct me to a documentation about this codes?

So that I could understand it more :)

Thousand thanks again for your kindness

Wish you all the best


Best regards,
Jordan Cheun Ngen, Chong
INF-4067 Universiteit Twente
Postbus 217
7500 AE Enschede
The Netherlands
Distributed and Embedded Systems (DIES)
Office Phone: +31 53 4894655
Web site: http://www.cs.utwente.nl/~chong
Email Add.: [EMAIL PROTECTED]

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of YONG.YUE
  Sent: Thursday, September 13, 2001 10:54 AM
  To: '[EMAIL PROTECTED]'
  Subject: ??: How to load a P12 certificate?

  just refer to this code

      // new bio mem area
      m_biopkcs12 = BIO_new_file(szpkcsfile, "rb");
      if (m_biopkcs12 == NULL)
      {
          bError = false;
          goto finish;
      }
      // parse pkcs12
      m_pkcs12 = d2i_PKCS12_bio(m_biopkcs12, NULL);
      if (m_pkcs12 == NULL)
      {
          bError = false;
          goto finish;
      }
      // PKCS12_parse() takes the addresses of the key and certificate
      // pointers and returns 1 on success, 0 on failure
      nLen = PKCS12_parse(m_pkcs12, szpkcspasswd, &m_pkey, &m_pcert, NULL);
      if (nLen <= 0)
      {
          bError = false;
          goto finish;
      }
      //
      BIO_free_all(m_biopkcs12);
      return true;

  Look at PKCS12_Parse(). You provide it a buffer with the PKCS#12 and
  the password for the private key, and it returns an X509 object and a
  EVP_PKEY object.

  Could you please tell me, which document should I look to regards this?
  Thanks again for your help. Wish you all the best.


Trouble with HTTPS: and PERL

2001-09-14 Thread Andy Donaldson

I apologize for what I'm sure is a basic
question. I'm trying to automate a testing script
that accesses an https:// site under Windows NT
using ActivePerl.  I have the latest version
of ActivePerl and to my knowledge the latest
version of openssl (openssl-engine-0.9.6b).  I've
successfully compiled and linked the openssl code
using GNU C (Mingw32) GNU C (Cygwin32), and VC++ w/NASM,
but am not apparently copying the right files to the right
place(s).  In each case, I get 501 Protocol scheme
'https' is not supported when running the following
perl code.

#Start of Program
use strict;
use warnings;
use LWP::UserAgent;
  my $ua = LWP::UserAgent->new;
  my $req = HTTP::Request->new(GET => 'https://www.helsinki.fi/');
  my $res = $ua->request($req);
  if ($res->is_success) {
      # print the full response (status line, headers and body)
      print $res->as_string;
  } else {
      print "Failed: ", $res->status_line, "\n";
  }
#End of program


Any hints or suggestions would be greatly appreciated!
Thanks in advance,
Andy Donaldson






Encryption and Decryption (as/symmetric)

2001-09-14 Thread Jordan C N Chong

Dear all,

I am terribly sorry for keep spamming you with these questions. I am too
fresh and too new to OpenSSL cryptography, and wishing desperately for some
documents (I have looked at the SSLeay Documentation) or some information on
this useful technology.

I really appreciate your help, advices and time for solving my problems.
Till now, most of my problems are solved because of your valuable effort.
Now, I have several questions which I guess I could solve myself (if I am
really good in OpenSSL technology).

1. I get bothered by the unsigned char * and char *. I have to decrypt a
symmetric key with a RSA private key. Now, the symmetric key is encoded by
Base64 form. It basically is char *. Thanks to Yue's help, I manage to
decode the char * using BIO routines. Now, I am not sure I could extract the
private key from P12, and I also not sure how to decrypt the char * of key
using that private key... ... I tried to use EVP routine (EVP_PKEY_decrypt)
but as I said the unsigned thing really bothers me, and the whole
application crashed when I run it... PLEASE HELP ME WITH SOME ADVICES OR
HINTS...

2. Symmetric decryption with Blowfish. Even if the number 1 is succeeded. How
to load the char * (or unsigned char *) of the key for the Blowfish
decryption?? PLEASE HELP ME WITH SOME HINTS...

Thousand thanks for everything. For at least reading this long email. And
sorry to bother you again and again. Wish you all the best.


Best regards,

Jordan Cheun Ngen, Chong
INF-4067 Universiteit Twente
Postbus 217
7500 AE Enschede
The Netherlands

Distributed and Embedded Systems (DIES)

Office Phone: +31 53 4894655
Web site: http://www.cs.utwente.nl/~chong
Email Add.: [EMAIL PROTECTED]





Re: SSL_OP_NON_EXPORT_FIRST question

2001-09-14 Thread Bodo Moeller

On Wed, Aug 29, 2001 at 03:57:07PM +0200, Peter Sommerlad wrote:

> How do I ensure browsers with both export grade and non-export grade
> ciphers connect using stronger encryption? Or is that done
> automatically today?

Yes, this should always happen automatically.  The client presents its
list of supported ciphers ordered by preference, which hopefully means
that full-strength ciphers come first.


-- 
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036



Re: SSL_accept timeout

2001-09-14 Thread Bodo Moeller

On Fri, Sep 07, 2001 at 11:06:06AM +0300, Andrew Popov wrote:

> We need to set timeout on SSL_accept()
> Setting with SSL_CTX_set_timeout(SSL_CTX *ctx, long t) has no effect

No, this function is not about connection timeouts (it is about the
session cache).

To impose a timeout on SSL_accept, use non-blocking sockets and loop
around SSL_accept().  See the SSL_get_error() manual page for details.
You will have to do your own time bookkeeping and call select()
with appropriate timeouts.


-- 
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
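
The non-blocking handshake loop with its own time bookkeeping described in this reply, as an added example that is not part of the original post. It is written with Python's ssl module, which sits on OpenSSL: do_handshake() on a server-side socket plays the role of SSL_accept(), and SSLWantReadError / SSLWantWriteError correspond to SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE. The helper names and the silent-peer check are constructed for illustration.

```python
import select
import socket
import ssl
import time


def handshake_with_deadline(tls_sock, timeout):
    """Drive a non-blocking TLS handshake.

    Returns True when the handshake completes and False when `timeout`
    seconds pass first. Any other TLS error propagates to the caller.
    """
    deadline = time.monotonic() + timeout
    while True:
        try:
            tls_sock.do_handshake()        # server side: SSL_accept()
            return True
        except ssl.SSLWantReadError:       # SSL_ERROR_WANT_READ
            rlist, wlist = [tls_sock], []
        except ssl.SSLWantWriteError:      # SSL_ERROR_WANT_WRITE
            rlist, wlist = [], [tls_sock]
        # Own time bookkeeping: each select() only gets what is left.
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        readable, writable, _ = select.select(rlist, wlist, [], remaining)
        if not readable and not writable:
            return False


def accept_tls(listener, ctx, timeout):
    """Accept one TCP connection and finish TLS within `timeout` seconds.

    Returns the TLS socket, or None if the peer stalled the handshake.
    """
    conn, _addr = listener.accept()
    conn.setblocking(False)
    tls = ctx.wrap_socket(conn, server_side=True,
                          do_handshake_on_connect=False)
    if not handshake_with_deadline(tls, timeout):
        tls.close()
        return None
    return tls


def silent_peer_demo(timeout=0.3):
    """Constructed check: a peer that connects but never sends a ClientHello."""
    server_end, client_end = socket.socketpair()
    server_end.setblocking(False)
    # No certificate is loaded because the handshake never gets that far.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    tls = ctx.wrap_socket(server_end, server_side=True,
                          do_handshake_on_connect=False)
    started = time.monotonic()
    try:
        completed = handshake_with_deadline(tls, timeout)
    finally:
        elapsed = time.monotonic() - started
        tls.close()
        client_end.close()
    return completed, elapsed


if __name__ == "__main__":
    print(silent_peer_demo())
```

Without the deadline, a client that opens the connection and then stays silent holds the accepting thread indefinitely.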



Re: SSL_accept timeout

2001-09-14 Thread Eric Rescorla

Bodo Moeller [EMAIL PROTECTED] writes:

> On Fri, Sep 07, 2001 at 11:06:06AM +0300, Andrew Popov wrote:
>
> > We need to set timeout on SSL_accept()
> > Setting with SSL_CTX_set_timeout(SSL_CTX *ctx, long t) has no effect
>
> No, this function is not about connection timeouts (it is about the
> session cache).
>
> To impose a timeout on SSL_accept, use non-blocking sockets and loop
> around SSL_accept().  See the SSL_get_error() manual page for details.
> You will have to do your own time bookkeeping and call select()
> with appropriate timeouts.

Alternately, if you are writing some simple program that doesn't
need to do anything else while waiting for accept(), just use
alarm().

-Ekr



Re: PEM_read_bio_X509

2001-09-14 Thread Ding Yiqiang

Hi

What's the difference between PEM_read_bio_X509 and PEM_read_bio_X509_AUX?

Yiqiang

- Original Message - 
From: Dr S N Henson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 13, 2001 9:57 PM
Subject: Re: PEM_read_bio_X509


> Ajay Nerurkar wrote:
> >
> > Can PEM_read_bio_X509 handle x509v3 certificates?
> >
>
> Yes.
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.



Country wide anti terrorism demonstration !

2001-09-14 Thread The PC Doctor

First I am sorry to use the mailing list for this, but in this case I'm
making an exception to my no spam type postings... please forgive me.

Please also forward this info to everyone you know !



Friday Night at 7:00 p.m. step out your door, stop your car, or step out of
your establishment and light a candle.

We will show the world that Americans are strong and united together against
terrorism.

Please pass this to everyone on your e-mail list.
We need to reach everyone across the United States quickly.

The message:  WE STAND UNITED - WE WILL NOT TOLERATE TERRORISM.

We need press to cover this -- we need the world to see




Thank you,
Mike Keefer




Installation problem

2001-09-14 Thread Luiz Filipe Menezes Vieira

Missing file wincrypt.h when compiling version 0.9.6a and 0.9.6b using VC
on file .\crypto\rand\rand_win.c

Any help?

Luiz Filipe




RE: Can't -verify Global Server ID certs from Verisign

2001-09-14 Thread Dan Boerner (InfoSpace Inc)





Steve,


Thanks so much, this did the trick. A small thing, but had us stymied.


Appreciate your help,
Dan


-Original Message-
From: Dr S N Henson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 13, 2001 11:20 AM
To: [EMAIL PROTECTED]
Subject: Re: Can't -verify Global Server ID certs from Verisign





> Dan Boerner (InfoSpace Inc) wrote:
>
> Hello,
>
> I'm a new poster, so forgive me if this question has been addressed
> earlier (though I couldn't find it in archives).
>
> We have our own webserver and are trying to determine what we need to
> do to support GSIDs with OpenSSL. Our OpenSSL-based SSID support works
> fine, but the GSIDs we get from Verizon don't even read properly when
> we use openssl verify on the command line.
>
> Shouldn't we be able to verify these certs?
> We've tried breaking them into the Intermediate and Server certs and
> then using:
>
> openssl verify -CAfile d:\intermediate.pem d:\server.pem
>
> which we believe to be the correct cmd line. The result is shown below
>
> d:\server.pem: unable to load certificate file
> 2104:error:0D0A2007:asn1 encoding routines:d2i_X509_CINF:expecting an asn1 sequence:.\crypto\asn1\x_cinf.c:106:address=9568330 offset=0
> 2104:error:0D09F004:asn1 encoding routines:d2i_X509:nested asn1 error:.\crypto\asn1\x_x509.c:102:address=9568328 offset=2
> 2104:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:.\crypto\pem\pem_lib.c:290:
>
> Any help is greatly appreciated. Anticipating the request, I am
> including the two certs that make up the GSID we received from
> Verizon.
 


Thank you for including the certificates. It's amazing the number of
people give incomplete reports and say stuff like "this doesn't work" or
"I've got this certificate that doesn't work".


Anyway the server certificate isn't a PEM encoded certificate at all
but several certificates in a PKCS#7 wrapper. Use the command line:


openssl pkcs7 -in server.pem -print_certs -out certs.pem


you'll then get several certificates in 'certs.pem' which you can
manually extract using a text editor or whatever.


Steve.
-- 
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.







Re: Country wide anti terrorism demonstration !

2001-09-14 Thread Xeno Campanoli

The PC Doctor wrote:
 

This is inappropriate for this group.  I resent it, and I am against
it.

-- 
I support peace and justice for everyone, not just for those on my own
side.  What say we get rid of the sides and just do the arithmetic for
peace and justice?



x509v3 certificate purpose

2001-09-14 Thread Sumit Bandyopadhyay

Hello,

My company is setting up a B2Bi integration network. As an optional part of
this, we would like to use x509 certificate based client and server
authentication.

We found out that the typical server certificates we and our clients buy
from Verisign have a specified purpose of 'SSL Server'.
When we try to use the same certificate to authenticate one server to
another server, modssl/openssl rejects the certificate from the client side,
saying '[error] Certificate Verification: Error (26): unsupported
certificate purpose'

We could not find a way to get a certificate from Verisign which is valid as
both a server and a client.

We would rather not become a certificate issuer ourselves.

How do people solve the issue of mutual certificate based authentication?

Is there a way to turn off the certificate purpose in modssl/openssl without
changing the source code?

What kinds of security holes are we likely to run into if we try to turn off
the check for certificate purpose?

Regards.

Sumit





Re: PEM_read_bio_X509

2001-09-14 Thread Dr S N Henson

Ding Yiqiang wrote:
>
> Hi
>
> What's the difference between PEM_read_bio_X509 and PEM_read_bio_X509_AUX?
>

X509 is the traditional PEM format which is just a base64 DER encoded
structure with header and footer lines. X509_AUX is a trusted
certificate format, unique to OpenSSL, which allows an application to
tag extra data associated with the certificate such as a friendly name,
a key ID, and the trusted purposes for which a certificate can be used
as a root CA, it uses different header and footer lines too.

You can read in any certificate (trusted or otherwise) using
PEM_read_bio_X509 but no extra data will be included. With
PEM_read_bio_X509_AUX if the certificate is trusted then the extra data
will be included.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
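
A way to check what a PEM file really contains before handing it to a certificate reader, as an added example that is not part of the original posts or of OpenSSL. It covers both this reply (plain versus trusted certificate header lines) and the earlier PKCS#7 answer in the Global Server ID thread: a block whose body starts with the signedData OID instead of a nested SEQUENCE is a PKCS#7 bundle, which is consistent with the "expecting an asn1 sequence" error quoted there. The function names, verdict strings and DER stubs are constructed for illustration; the stubs are not real certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----",
                    re.DOTALL)
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # PKCS#7 signedData


def read_tlv(buf, off):
    """Return (tag, value_start, value_len) of the DER element at `off`."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    else:
        length = first
    if off + length > len(buf):
        raise ValueError("DER value runs past end of data")
    return tag, off, length


def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER."""
    if not body:
        raise ValueError("empty OID")
    first_arc = min(body[0] // 40, 2)
    arcs, value = [first_arc, body[0] - 40 * first_arc], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def der_shape(der):
    """Classify by the first element inside the outer SEQUENCE."""
    tag, start, length = read_tlv(der, 0)
    if tag != 0x30 or length == 0:
        return "unknown"
    inner_tag, inner_start, inner_len = read_tlv(der, start)
    if inner_tag == 0x30:                  # nested SEQUENCE, as in a certificate
        return "certificate-like"
    if inner_tag == 0x06:                  # OID first, as in PKCS#7 ContentInfo
        oid = decode_oid(der[inner_start:inner_start + inner_len])
        return "pkcs7-signedData" if oid == OID_SIGNED_DATA else "oid:" + oid
    return "unknown"


def inspect_pem(text):
    """Return (label, shape, verdict) for every PEM block in `text`."""
    findings = []
    for label, body in PEM_RE.findall(text):
        shape = der_shape(base64.b64decode("".join(body.split())))
        if shape == "pkcs7-signedData":
            verdict = ("pkcs7-bundle" if label == "PKCS7"
                       else "pkcs7-under-certificate-label")
        elif shape == "certificate-like" and label == "TRUSTED CERTIFICATE":
            verdict = "openssl-trusted-certificate"
        elif shape == "certificate-like" and label in ("CERTIFICATE",
                                                       "X509 CERTIFICATE"):
            verdict = "plain-certificate"
        else:
            verdict = "unrecognised"
        findings.append((label, shape, verdict))
    return findings


# --- constructed sample input: minimal DER stubs, not real certificates ---
def _der(tag, content=b""):
    assert len(content) < 128              # short-form length suffices here
    return bytes([tag, len(content)]) + content


def _pem(label, der):
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (
        label, base64.encodebytes(der).decode(), label)


_CERT_STUB = _der(0x30, _der(0x30, _der(0x02, b"\x01")) + _der(0x30)
                  + _der(0x03, b"\x00"))
_P7_STUB = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010702"))
                + _der(0xA0, _der(0x30)))
SAMPLE = (_pem("CERTIFICATE", _CERT_STUB)
          + _pem("CERTIFICATE", _P7_STUB)            # bundle under the wrong label
          + _pem("TRUSTED CERTIFICATE", _CERT_STUB + _der(0x30)))

if __name__ == "__main__":
    for finding in inspect_pem(SAMPLE):
        print(finding)
```

A block reported as pkcs7-under-certificate-label is the case where `openssl pkcs7 -in server.pem -print_certs -out certs.pem`, the command given in the thread, is the right first step.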





Newbie q:where can find - libssl.so.0.9.6

2001-09-14 Thread Nalinda Prematilake

Hi Folks,
I am trying to install mailman software and it keeps asking libssl.so.0.9.6.
Can someone please tell me where I can find this? I thought openssl will do
the trick but to no avail.

TIA

PS: Please send answer directly to me as I have not subscribed to the group.

--
Nalinda



Re: x509v3 certificate purpose

2001-09-14 Thread Michael Sierchio

Sumit Bandyopadhyay wrote:

> How do people solve the issue of mutual certificate based authentication?

Have different certs, with different keypairs, for different purposes.



StartTLS patch for OpenSSL.

2001-09-14 Thread Christopher Crowley

Hello -

Advice or a reference for compilation instruction are very much appreciated.

I downloaded a patch from the sendmail page: starttls.tar.gz, added it to
the apps directory of openssl.0.9.6a, applied the patch in it, then
attempted to recompile OpenSSL. However, I receive this error:

gcc -o openssl -DMONOLITH -I../include -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM
openssl.o verify.o asn1pars.o req.o dgst.o dh.o
dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o
rsautl.o dsa.o dsaparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o
speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o
ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o
rand.o -L.. -lssl -L.. -lcrypto -lsocket -lnsl -ldl

Undefined   first referenced
 symbol in file
starttls_main   openssl.o

ld: fatal: Symbol referencing errors. No output written to openssl
collect2: ld returned 1 exit status
make[1]: *** [openssl] Error 1
make[1]: Leaving directory
`/space/sources/apache_1.3.19/openssl-0.9.6a/apps'
make: *** [sub_all] Error 1




PATCH:
-- progs.h.origMon Mar 13 15:54:07 2000
+++ progs.h Tue May 16 09:01:30 2000
@@ -20,6 +20,7 @@
 extern int genrsa_main(int argc,char *argv[]);
 extern int gendsa_main(int argc,char *argv[]);
 extern int s_server_main(int argc,char *argv[]);
+extern int starttls_main(int argc,char *argv[]);
 extern int s_client_main(int argc,char *argv[]);
 extern int speed_main(int argc,char *argv[]);
 extern int s_time_main(int argc,char *argv[]);
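
Review bot: The added `extern int starttls_main(int argc,char *argv[]);` declaration only promises the symbol, and nothing visible here supplies it to the linker: the gcc link line above lists s_server.o and s_client.o but no object for the StartTLS code, which matches the "Undefined symbol starttls_main, first referenced in openssl.o" error. The object that defines starttls_main also has to be added to the apps Makefile object list so that it is compiled and linked into openssl.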
@@ -85,6 +86,9 @@
 #endif
 #if !defined(NO_SOCK)  !(defined(NO_SSL2)  defined(NO_SSL3))
{FUNC_TYPE_GENERAL,s_client,s_client_main},
+#endif
+#if !defined(NO_SOCK)  !(defined(NO_SSL2)  defined(O_SSL3))
+   {FUNC_TYPE_GENERAL,starttls,starttls_main},
 #endif
{FUNC_TYPE_GENERAL,speed,speed_main},
 #if !defined(NO_SOCK)  !(defined(NO_SSL2)  defined(NO_SSL3))
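
Review bot: The guard on the added starttls table entry tests `defined(O_SSL3)`, while the s_client guard just above it and the guard after speed test `defined(NO_SSL3)`; the macro name looks like a typo, and as written the entry is no longer excluded when both SSL2 and SSL3 are disabled. Use `NO_SSL3` to match, or place the starttls entry inside the existing s_client `#if` block rather than adding a second copy of the same guard.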







RE: Crypt::SSLeay - problems connecting to 128 bit sites (not 56bit sites) Solaris 2.7 and openssl .96b, latest version of Crypt::SSLeay

2001-09-14 Thread George Richman

Screw the latest versions...

I fixed this by downgrading to:

Crypt-SSLeay-0.22
and libwww-perl-5.51

For Solaris 2.7 perl 5.6.1 and for Linux RedHat 6.2 perl 5.005_03

What a complete waste of 2 days.

- George

-Original Message-
From: Joshua Chamas [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 13, 2001 12:14 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Crypt::SSLeay - problems connecting to 128 bit sites (not
56bit sites) Solaris 2.7 and openssl .96b, latest version of
Crypt::SSLeay


George Richman wrote:

> Support,
>
> Does Crypt::SSLeay support 128 bit encrypted sites??
>
> When I use lwp-request https://login.zeborg.com , it does not connect
> properly.  I get a:
> ...
> Then when I try it against a lower bit encrypted site (56bit), it actually
> works:
>
> lwp-request https://laborla.zeborg.com/
>
> I am using Solaris 2.7 and openssl .96b.


My version of Crypt::SSLeay, v.31, seems to work, see below,
note that .31 is a dev version, but nothing about connections
changed in it, only build & debugging config stuff.  .29 was
the last release to CPAN and should work the same, so I'd
guess it's openssl 0.9.6b that's the problem.  You could
try a downgrade to 0.9.6a, and see how it goes.

--Josh

WinNT perl5.004_04 works fine, same as below
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6a 5 Apr 2001"

Linux perl5.005xx works fine [ see below ]
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6a 5 Apr 2001"

# lwp-request -ed https://login.zeborg.com
Cache-Control: no-store
Connection: Close
Pragma: no-cache
Server: WebLogic 5.1.0 Service Pack 8 12/20/2000 16:34:54 #95137
Content-Length: 3797
Content-Type: text/html
Expires: 1
Client-Date: Thu, 13 Sep 2001 07:10:35 GMT
Client-Peer: 209.10.152.150:443
Client-SSL-Cert-Issuer: /O=VeriSign Trust Network/OU=VeriSign,
Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS
Incorp.by
Ref. LIABILITY LTD.(c)97 VeriSign
Client-SSL-Cert-Subject: /C=US/ST=New York/L=New
York/O=Zeborg/OU=Globix/CN=login.zeborg.com
Client-SSL-Cipher: RC4-SHA
Client-SSL-Warning: Peer certificate not verified
Set-Cookie:
SSOTengahSession=O6BcHo7TTTFGTM6VKA2SdX568dvuw1zNuuLbwDFXDPSDteEvXWGo|680802
4995186924964/-1062726649/6/3530/3530/3535/3535/3530/-1;
path=/
Title: Zeborg Login




ChangeCipherSpec

2001-09-14 Thread Vijo Cherian

SC ChangeCipherSpec 
seems to be taking the longest time in the SSL
transactions. Is there a reason for this? 


Pls CC me,
thanks,
vijo.

=
I am a friend of http://www.find-life.com





Re: Alert Messages in SSL/TLS

2001-09-14 Thread Eric Rescorla

Aslam [EMAIL PROTECTED] writes:
 I have a general question:

 If, while in an SSL/TLS handshake, one encounters an error, should one send
 an alert at that time, or let the handshake complete and then send an
 alert to the peer for closing the session?

 Consider that server authentication fails on the client side: should the client send
 an alert right away, or wait for the handshake to complete and later send
 an alert close notify?

 In OpenSSL, it sends the alert at the moment it gets an error like
 certificate verification failed, but Microsoft Secured Channel continues to
 do the handshake and it is the application's responsibility to send a close notify
 alert.

What you're seeing here is the difference between an error being
handled by the toolkit (OpenSSL) and being handled by the application
(SChannel). In general, it makes more sense to handle the error
at the time it is detected. This saves time on both sides and gives
the server a better idea of what happened.

Don't think of the close_notify as an error. It's not. It's simply
what happens when you close an SSL connection properly.

-Ekr
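
Added example, not part of Eric Rescorla's message: a C classifier for alert records as they appear in a packet capture, showing how the two behaviours discussed above look on the wire. An error reported during the handshake is a cleartext two-byte alert, while an alert sent after the handshake (such as close_notify) is encrypted; the function names and sample records are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

enum alert_kind { NOT_ALERT, CLEAN_CLOSE, WARNING_ALERT, FATAL_ALERT,
                  OPAQUE_ALERT, MALFORMED };

struct alert_info {
    enum alert_kind kind;
    unsigned char level;        /* 1 = warning, 2 = fatal */
    unsigned char description;  /* 0 = close_notify, 42 = bad_certificate, ... */
};

/* Names of some alert descriptions defined by SSLv3 and TLS 1.0. */
const char *alert_name(unsigned char d)
{
    switch (d) {
    case 0:  return "close_notify";
    case 40: return "handshake_failure";
    case 42: return "bad_certificate";
    case 43: return "unsupported_certificate";
    case 46: return "certificate_unknown";
    case 48: return "unknown_ca";        /* TLS 1.0 only */
    default: return "other";
    }
}

/* Classify one record as captured on the wire. Header: content type,
 * version major/minor, 16-bit length. A cleartext alert body is exactly
 * two bytes (level, description); after ChangeCipherSpec the body is
 * encrypted and MACed, so only the fact that an alert was sent is visible. */
struct alert_info classify_record(const unsigned char *rec, size_t len)
{
    struct alert_info a = { NOT_ALERT, 0, 0 };
    size_t body;
    if (len < 5) { a.kind = MALFORMED; return a; }
    if (rec[0] != 21) return a;                 /* 21 = alert content type */
    body = ((size_t)rec[3] << 8) | rec[4];
    if (rec[1] != 3 || body < 2 || len < 5 + body) { a.kind = MALFORMED; return a; }
    if (body > 2) { a.kind = OPAQUE_ALERT; return a; }
    a.level = rec[5];
    a.description = rec[6];
    if (a.level != 1 && a.level != 2) a.kind = MALFORMED;
    else if (a.description == 0) a.kind = CLEAN_CLOSE;   /* orderly shutdown */
    else a.kind = (a.level == 2) ? FATAL_ALERT : WARNING_ALERT;
    return a;
}

/* Constructed sample records (SSLv3, version 3.0). */
const unsigned char REC_BAD_CERT[]  = { 21, 3, 0, 0, 2, 2, 42 };
const unsigned char REC_CLOSE[]     = { 21, 3, 0, 0, 2, 1, 0 };
const unsigned char REC_ENCRYPTED[] = { 21, 3, 0, 0, 22, /* 2 + 20-byte MAC */
    0x9c, 0x11, 0xe0, 0x5a, 0x07, 0x3d, 0xb2, 0x48, 0x6f, 0x21, 0xc4,
    0x8a, 0x55, 0x1e, 0xf0, 0x33, 0x7b, 0x02, 0xd9, 0x64, 0xae, 0x10 };
const unsigned char REC_HANDSHAKE[] = { 22, 3, 0, 0, 1, 0 };
```
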








OOPS- was Re:Installation problem

2001-09-14 Thread Sisyphus

My apologies for posting that large attachment to the list.
It was meant to be an offlist reply.
( I'm not sure why it wasn't - but I'll try and ensure that I get it right
in future.)
Cheers,
Rob







Using a proxy to my advantage

2001-09-14 Thread Vincent Toms

Hello all,
I have a question I need some guidance on.
I have built this app using OpenSSL for transport and a protocol of my
design to transfer the data; it is similar to HTTP.  Anyway, at the moment I
am running it over port 1977.  However, in most networks this port is going
to be locked; however from experience 99% of companies will at a minimum
have either 443 and 80 open or they will be proxied.  I want to verify if my
understanding of using SSL over a proxy is correct.  This is what I have
gathered from doing some packet sniffing:

client:
CONNECT SERVER:PORT HTTP/1.0
Proxy-authorization: Basic Base_64(USER:PASS)
\n\n

server:
connection OK

client then does all SSL sends and Recv's to the proxy.

Is this about all there is to it?  I have looked on Google and no one can
give me a clear definition of proxy auth, at least not at a protocol level.
I basically want to make my program so that pretty much no matter what I can
connect out to the net, and this seems like it would be a good step in that
direction.

Thank you in advance.

V-T
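
Added example, not part of the original post: the CONNECT exchange sketched above in C, with the request framed with CRLF line endings and the proxy's reply parsed as an HTTP status line before any SSL data is sent. Function names and sample replies are constructed; Basic credentials are only Base64-encoded, so they reach the proxy in readable form.

```c
#include <stdio.h>
#include <string.h>

/* Base64-encode NUL-terminated src; dst needs 4*((n+2)/3)+1 bytes. */
static void b64(const char *src, char *dst)
{
    static const char t[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t n = strlen(src), i;
    for (i = 0; i < n; i += 3) {
        unsigned long v = (unsigned long)(unsigned char)src[i] << 16;
        if (i + 1 < n) v |= (unsigned long)(unsigned char)src[i + 1] << 8;
        if (i + 2 < n) v |= (unsigned char)src[i + 2];
        *dst++ = t[(v >> 18) & 63];
        *dst++ = t[(v >> 12) & 63];
        *dst++ = (i + 1 < n) ? t[(v >> 6) & 63] : '=';
        *dst++ = (i + 2 < n) ? t[v & 63] : '=';
    }
    *dst = '\0';
}

/* Build the CONNECT request; returns its length, or -1 if it does not fit. */
int build_connect(char *out, size_t cap, const char *host, int port,
                  const char *user, const char *pass)
{
    char cred[128], enc[176];
    int n = snprintf(cred, sizeof cred, "%s:%s", user, pass);
    if (n < 0 || n >= (int)sizeof cred) return -1;
    b64(cred, enc);
    n = snprintf(out, cap, "CONNECT %s:%d HTTP/1.0\r\n"
                 "Proxy-Authorization: Basic %s\r\n\r\n", host, port, enc);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Returns the proxy's status code once the header block (ended by an empty
 * line) has arrived, 0 if more bytes are needed, -1 if not an HTTP reply. */
int parse_proxy_reply(const char *buf, size_t len)
{
    int code = 0, k;
    size_t i;
    for (i = 0; i + 3 < len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) break;
    if (i + 3 >= len) return 0;
    if (len < 12 || memcmp(buf, "HTTP/1.", 7) != 0 || buf[8] != ' ') return -1;
    for (k = 9; k < 12; k++) {
        if (buf[k] < '0' || buf[k] > '9') return -1;
        code = code * 10 + (buf[k] - '0');
    }
    return code;
}

/* Constructed sample replies. */
const char REPLY_OK[]   = "HTTP/1.0 200 Connection established\r\n\r\n";
const char REPLY_AUTH[] = "HTTP/1.0 407 Proxy Authentication Required\r\n"
                          "Proxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n";
const char REPLY_BAD[]  = "220 ready\r\n\r\n";
```

Start the SSL handshake on the same socket only after a 2xx result; a 407 means the proxy rejected or requires credentials, and the connection is not a tunnel.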




Re: ADV: I bet that I make more money in the Web design business than you do. Time:5:40:46 PM

2001-09-14 Thread Xeno Campanoli

[EMAIL PROTECTED] wrote:
 

Hey, what is it with you people today?  Can't you keep enough sense to
stay out of the professional groups?  Go harass the porn fans or
something.  I'm having a hard enough time keeping up with the technical
stuff I have to read!


-- 
I support peace and justice for everyone, not just for those on my own
side.  What say we get rid of the sides and just do the arithmetic for
peace and justice?



Re: Trouble with HTTPS: and PERL

2001-09-14 Thread Sisyphus

Hi,
I don't think LWP supports 'https' protocol. Note that '$req' is a
'HTTP::Request' (not 'HTTPS::Request') object.
You'll need to install 'Net::SSLeay' or 'Crypt::SSLeay' modules.

Cheers,
Rob
- Original Message -
From: Andy Donaldson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, September 14, 2001 8:48 PM
Subject: Trouble with HTTPS: and PERL


  I apologize for what I'm sure is a basic
 question. I'm trying to automate a testing script
 that accesses an https:// site under Windows NT
 using ActivePerl.  I have the latest version
 of ActivePerl and to my knowledge the latest
 version of openssl (openssl-engine-0.9.6b).  I've
 successfully compiled and linked the openssl code
 using GNU C (Mingw32), GNU C (Cygwin32), and VC++ w/NASM,
 but am apparently not copying the right files to the right
 place(s).  In each case, I get 501 Protocol scheme
 'https' is not supported when running the following
 perl code.

 #Start of Program
 use LWP::UserAgent;
   my $ua = LWP::UserAgent->new;
   my $req = HTTP::Request->new(GET => 'https://www.helsinki.fi/');
   my $res = $ua->request($req);
   if ($res->is_success) {
   print $res->as_string;
   } else {
   print "Failed: ", $res->status_line, "\n";
   }
 #End of program


 Any hints or suggestions would be greatly appreciated!
 Thanks in advance,
 Andy Donaldson






Re: x509v3 certificate purpose

2001-09-14 Thread Dr S N Henson

Sumit Bandyopadhyay wrote:
 
 Hello,
 
 My company is setting up a B2Bi integration network. As an optional part of
 this, we would like to use x509 certificate based client and server
 authentication.
 
 We found out that the typical server certificates we and our clients buy
 from Verisign have a specified purpose of 'SSL Server'.
 When we try to use the same certificate to authenticate one server to
 another server, modssl/openssl rejects the certificate from the client side,
 saying '[error] Certificate Verification: Error (26): unsupported
 certificate purpose'
 
 We could not find a way to get a certificate from Verisign which is valid as
 both a server and a client.
 
 We would rather not become a certificate issuer ourselves.
 
 How do people solve the issue of mutual certificate based authentication?
 
 Is there a way to turn off the certificate purpose in modssl/openssl without
 changing the source code?
 
 What kinds of security holes are we likely to run into if we try to turn off
 the check for certificate purpose?
 

The OpenSSL purpose checking is customisable. The default behaviour is
to verify client certificates using client certificate purpose and
server certificates for server purpose. You can override this and supply
your own purposes using the calls SSL_set_purpose and
SSL_CTX_set_purpose. So for your case you might do:

SSL_set_purpose(ssl, X509_PURPOSE_SSL_SERVER);

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.





Has anybody ever succeeded in getting OpenSSL to work on Windows 2000?

2001-09-14 Thread Pierre Landau

I'm trying to connect to a site that wants the full certificate chain.
Connecting from the command line works perfectly.
Using the code fragment below gives an error when I try to read the first
packet (using receiveData, which just sits in a loop), and the server
indicates that I have a BAD certificate (usually signifies that it can't
find the chain).  
Does anybody have a working example of this?

Unfortunately, this is the only example that even gets close, and it uses
BIO instead of sockets.  As BIO is essentially undocumented, I'm in the
dark...

Thanks!



void handleConnection(char *param)
{
    int i, err;
    char *buf;
    char *host_port;
    char *commands[4] = {"create", "check", "info", "delete"};
    char *xml_command;
    char *xml_login;
    struct greeting_message *greeting;
    struct server_message *serverMessage;
    xmlDocPtr xml_stream;
    xmlNsPtr ns;
    xmlNodePtr cur;
    SSL_CTX *ctx;
    SSL *ssl;
    SSL_METHOD *meth;
    BIO *out;
    BIO *ssl_bio;

    /* SSL stuff */
    OpenSSL_add_ssl_algorithms();
    meth = SSLv3_client_method();
    ctx = SSL_CTX_new(meth);
    CHK_NULL(ctx);

    SSL_CTX_set_cipher_list(ctx, getenv("SSL_CIPHER"));

    err = SSL_CTX_use_certificate_file(ctx, remote->pemcert,
                                       SSL_FILETYPE_PEM);
    CHK_SSL(err);

    err = SSL_CTX_use_PrivateKey_file(ctx, remote->pemprivatekey,
                                      SSL_FILETYPE_PEM);
    CHK_SSL(err);

    err = SSL_CTX_load_verify_locations(ctx, remote->pemcacert, NULL);
    CHK_SSL(err);

    err = SSL_CTX_set_default_verify_paths(ctx);
    CHK_SSL(err);

    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                       NULL);

    ssl = SSL_new(ctx);
    CHK_NULL(ssl);

    SSL_set_connect_state(ssl);

    ssl_bio = BIO_new(BIO_f_ssl());
    BIO_set_ssl(ssl_bio, ssl, BIO_NOCLOSE);

    host_port = (char *)malloc(sizeof(char) * 100);
    memset(host_port, '\0', 100);
    sprintf(host_port, "%s:%s", remote->remoteHost, remote->remotePort);

    printf("%s:%s\n", remote->remoteHost, remote->remotePort);

    /* Chain the SSL filter BIO on top of a non-blocking connect BIO */
    out = BIO_new(BIO_s_connect());
    BIO_set_conn_hostname(out, host_port);
    BIO_set_nbio(out, 1);
    out = BIO_push(ssl_bio, out);

    /* When connection is made the server sends greeting message
       First get the greeting message, parse it and login. */
    buf = receiveData(out);

    /* Initialize gnome-xml parser */
    initializeXML(xml_stream, ns, cur, buf);

    parseServerGreeting(xml_stream, cur, greeting);
    printf("%s\n", greeting->server);
    printf("%s\n\n", greeting->date);

    /* Build the login xml structure to send to server */
    xml_login = buildLoginXML();

    printf("Sending login message...\n");
    sendData(out, xml_login);

    printf("Response from server\n");

    /* Receive the login response from server and parse. */
    buf = receiveData(out);
    initializeXML(xml_stream, ns, cur, buf);
    if (parseServerMessage(xml_stream, cur, serverMessage) == -1)
    {
        printf("Error: %s\n code: %d\n", serverMessage->message_text,
               serverMessage->response_code);
        exit(1);
    }

    /* show message from server */
    printf("Response text:  %s\n", serverMessage->message_text);
    printf("Response code:  %d\n\n", serverMessage->response_code);
}