Re: [openssl-users] Non-self-signed SSL certificates for private hosted DNS zones

2017-03-07 Thread Traiano Welcome
Hi Viktor

Thanks for this confirmation. I think the correct approach would be to use
our internal CA.


On Tue, Mar 7, 2017 at 7:16 PM, Viktor Dukhovni wrote:

>
> > On Mar 7, 2017, at 2:21 AM, Traiano Welcome wrote:
> >
> > I have a private DNS zone hosted on AWS route 53, only resolvable from
> > within some specific VPCs.
> > It appears some applications require an SSL certificate associated with
> > the private DNS zone, and this SSL certificate should come from a
> trusted,
> > external certificate provider (cannot be self-signed).
>
> The "trusted external" CA that issues the not-self-signed end-entity cert
> can almost certainly (with appropriate configuration of the client app)
> be a private CA that you create and provide to the SSL clients.
>
> In which case the question below is moot.
>
> > My questions are:
> >
> > a) Is this a known use-case? i.e. private DNS zones requiring non-self-signed
> > certificates?
>
> I usually use private CA certs for use on non-public networks.
>
> > b) Since the DNS zone is not resolvable on the public internet,
> > how would the certificate validation process occur for applications
> > communicating with systems in the private zone ?
>
> There is some prior history of public CAs issuing certificates for
> private namespaces, but IIRC this practice is discouraged and going
> away.
>
> > c) Do SSL certificate providers issue trusted SSL certificates for
> > private DNS zones?
>
> It is not really possible for them to know that the names in question
> are used in another "private" deployment elsewhere.
>
> --
> Viktor.
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>


Re: [openssl-users] error making Private RSA

2017-03-07 Thread Salz, Rich via openssl-users
> > My source can be viewed at: mt-umunhum-wireless.net/Sources/rsa/rsa.c

Gives a 403.

> > My main guess is that your allocation for the PEM buffer is too small
> > -- is key/key_len pointing to a static buffer?
> 
>  It points to a char string

Not sure what that means.  Please post your code here.  It should be something 
like
char key[2048];
int keylen = sizeof key;
 
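Rich's "char key[2048]" can be checked rather than taken on faith. The following is an added example and not the poster's rsa.c (which is not visible on the page): it measures the size of the PEM that `openssl genpkey` writes for a given RSA key size, which is the same unencrypted PKCS#8 form that `PEM_write_bio_PrivateKey` produces, and reports whether a fixed 2048-byte buffer can hold it together with its terminating NUL. The file name pem_size.sh is an assumption made for the example.

```shell
#!/bin/sh
# Added example, not the poster's rsa.c: measure how large the PEM encoding
# of an RSA private key actually is, so a caller-supplied buffer such as
# "char key[2048]" is sized from a measurement rather than a guess.
# Assumes an openssl 1.0.x or newer on PATH; the file name pem_size.sh is
# an assumption used only by the guard at the bottom.

# pem_private_key_bytes BITS
#   Generates a throwaway RSA key of BITS and prints the byte count of its
#   unencrypted PKCS#8 PEM ("-----BEGIN PRIVATE KEY-----"), the form
#   PEM_write_bio_PrivateKey emits. The traditional "RSA PRIVATE KEY" form
#   written by PEM_write_bio_RSAPrivateKey is a few dozen bytes shorter.
pem_private_key_bytes() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:"$1" 2>/dev/null |
        wc -c | tr -d ' '
}

# buffer_fits BITS BUFSIZE
#   Exit 0 if a BUFSIZE-byte char array can hold the PEM for a BITS-bit key
#   plus the terminating NUL; non-zero if it cannot (or if keygen failed,
#   in which case wc reports 0 bytes).
buffer_fits() {
    n=$(pem_private_key_bytes "$1")
    [ "${n:-0}" -gt 0 ] && [ "$((n + 1))" -le "$2" ]
}

# report
#   Shows which common key sizes a fixed 2048-byte buffer accommodates.
report() {
    for bits in 2048 3072 4096; do
        n=$(pem_private_key_bytes "$bits")
        if [ "${n:-0}" -gt 0 ] && [ "$((n + 1))" -le 2048 ]; then
            verdict=fits
        else
            verdict="does NOT fit"
        fi
        printf 'RSA-%s: %s PEM bytes, %s in char key[2048]\n' "$bits" "$n" "$verdict"
    done
}

# Run the report when executed as a script; sourcing the file only defines
# the functions.
case "$0" in *pem_size.sh) report ;; esac
```

For RSA-2048 the PKCS#8 PEM is about 1.7 KB, so a 2048-byte array is enough; RSA-3072 and RSA-4096 do not fit, and a writer that is not told the buffer size runs past the end of the array. In C the robust pattern is the one this measurement imitates: write the key to a memory BIO, read the length back with `BIO_get_mem_data`, and only then copy into (or allocate) a buffer of that length plus one.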


Re: [openssl-users] error making Private RSA

2017-03-07 Thread william estrada

> Not sure this is the proper way to use this mailing system?
>
> My source can be viewed at: mt-umunhum-wireless.net/Sources/rsa/rsa.c
> What version of openssl?  I'm guessing 1.0.2.
>
> Put this line in your code
>   ERR_load_ERR_strings();
> And you'll get a more informative message.

  Did this and no improvement.
>
> I'm using: openssl version
> OpenSSL 1.0.1t  3 May 2016

openssl version
OpenSSL 1.0.2j-fips  26 Sep 2016

>
>
> My main guess is that your allocation for the PEM buffer is too small --
> is key/key_len pointing to a static buffer?

 It points to a char string

>
>


-- 
William Estrada
Mt Umunhum, CA, USA, Earth
HTTP:// Mt-Umunhum-Wireless.net
Skype: MrUmunhum



Re: [openssl-users] undefined symbol fabs in file test/ct_test.o in openssl 1.1.0e on solaris

2017-03-07 Thread Michael Wojcik
> From: markus.sondereg...@juliusbaer.com
> [mailto:markus.sondereg...@juliusbaer.com]
> Sent: Tuesday, March 07, 2017 10:49
> To: Michael Wojcik
> Subject: Re: undefined symbol fabs in file test/ct_test.o in openssl 1.1.0e on
> solaris

For threads that originated on openssl-users, please send messages to the list, 
rather than to me directly.

> 
> 
>> For the record, we've always just changed the Solaris configuration we use
>> in Configure to add -lm.
> 
> I am not an experienced C developer so please can you tell me where in the
> Configure file I have to add -lm.

This has nothing to do with C development. The OpenSSL Configure process, while 
conceptually related to that used by some other packages, is an OpenSSL 
invention. And the use of -lm is an artifact of the toolchain (common to many 
toolchains for UNIX-like systems); it too has nothing to do with the C language.

Also, I've just looked at our Configure and apparently I misremembered; we do 
not add -lm for the Solaris builds. (We make a number of other changes for that 
platform, though.) It seems it's not needed for the version of OpenSSL we're 
currently building.

Where you would add -lm depends on what configuration you're using, which in 
turn depends on which system architecture and toolchain you're using. It also 
may depend on what version of OpenSSL you're building. I don't have that 
information, obviously.

In OpenSSL 1.0.2j's Configure (and generally for all the 1.0.2 releases, I 
believe), all the Solaris configure entries have -ldl in their library list. So 
you can search Configure for "solaris (with the double-quote) at the beginning 
of a line, then add -lm (with a space) after -ldl on each such line. For 
example, in vi:

:%s/^"solaris.* -ldl/& -lm

Whether this also applies to OpenSSL 1.1.0 or whatever you're building, I can't 
say.

Michael Wojcik 
Distinguished Engineer, Micro Focus 


Re: [openssl-users] Non-self-signed SSL certificates for private hosted DNS zones

2017-03-07 Thread Viktor Dukhovni

> On Mar 7, 2017, at 2:21 AM, Traiano Welcome wrote:
> 
> I have a private DNS zone hosted on AWS route 53, only resolvable from
> within some specific VPCs.
> It appears some applications require an SSL certificate associated with
> the private DNS zone, and this SSL certificate should come from a trusted,
> external certificate provider (cannot be self-signed).

The "trusted external" CA that issues the not-self-signed end-entity cert
can almost certainly (with appropriate configuration of the client app)
be a private CA that you create and provide to the SSL clients.

In which case the question below is moot.

> My questions are:
> 
> a) Is this a known use-case? i.e. private DNS zones requiring non-self-signed
> certificates?

I usually use private CA certs for use on non-public networks.

> b) Since the DNS zone is not resolvable on the public internet,
> how would the certificate validation process occur for applications
> communicating with systems in the private zone ?

There is some prior history of public CAs issuing certificates for
private namespaces, but IIRC this practice is discouraged and going
away.

> c) Do SSL certificate providers issue trusted SSL certificates for private
> DNS zones?

It is not really possible for them to know that the names in question
are used in another "private" deployment elsewhere.

-- 
Viktor.

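What "appropriate configuration of the client app" amounts to in practice, as an added example that is not part of the thread: a private CA built with the openssl command line, a certificate for a host in the private zone, and the two verification outcomes a client sees depending on whether it was given that CA. The zone corp.internal, the host db1.corp.internal and the file name private_ca.sh are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: build a private CA, issue a
# server certificate for a name in a private DNS zone, and verify it the
# way a client that has been given the private CA would.
#
# Assumptions (made up for the example): the private zone is corp.internal,
# the server is db1.corp.internal, the file is saved as private_ca.sh, and
# the openssl on PATH is 1.0.2 or newer (extensions are read from files
# rather than via -addext so that 1.0.2 and 1.1.0 work too).

# make_private_ca DIR
#   Writes DIR/ca.key and DIR/ca.crt: a self-signed root with CA:TRUE.
#   ca.crt is what gets distributed to every client; ca.key never leaves
#   the signing host.
make_private_ca() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -out "$dir/ca.csr" -subj "/O=Example Corp/CN=Example Corp Internal CA" \
        2>/dev/null &&
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$dir/ca.ext" &&
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
        -sha256 -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
}

# issue_server_cert DIR HOSTNAME
#   Writes DIR/server.key and DIR/server.crt, signed by the CA in DIR.
#   The hostname goes into subjectAltName; modern clients ignore the CN.
issue_server_cert() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "/CN=$host" 2>/dev/null &&
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$host" > "$dir/server.ext" &&
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# verify_with_private_ca DIR HOSTNAME
#   What a correctly configured client does: trust only DIR/ca.crt and
#   require the name it connected to. Exit status 0 means the chain and
#   the name both check out.
verify_with_private_ca() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1
}

# verify_with_public_roots DIR
#   What an unconfigured client does: consult only the system root store.
#   This fails for a private CA, which is why ca.crt has to be distributed.
verify_with_public_roots() {
    openssl verify "$1/server.crt" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d) || return 1
    make_private_ca "$work" && issue_server_cert "$work" db1.corp.internal || return 1
    verify_with_private_ca "$work" db1.corp.internal &&
        echo "private CA, correct name:  accepted"
    verify_with_private_ca "$work" web.corp.internal ||
        echo "private CA, wrong name:    rejected"
    verify_with_public_roots "$work" ||
        echo "public roots only:         rejected (client was not given ca.crt)"
    rm -rf "$work"
}

# Run the demonstration when executed as a script; sourcing the file only
# defines the functions.
case "$0" in *private_ca.sh) demo ;; esac
```

The two failing cases are the point: a public root store never accepts the private CA, and the private CA only helps when the client also checks the name it connected to against the SAN. In an OpenSSL-based client the equivalent configuration is `SSL_CTX_load_verify_locations(ctx, "ca.crt", NULL)` plus a hostname check on the connection; with OpenSSL's own `s_client` that is `-CAfile ca.crt -verify_hostname db1.corp.internal`. Which option exposes this in a given application is application-specific.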


Re: [openssl-users] How to compile the static binary version of openssl

2017-03-07 Thread Viktor Dukhovni

> On Mar 7, 2017, at 5:28 AM, Yu Chen wrote:
> 
> Currently I'm trying to get a static binary of openssl command via
> compiling the openssl-1.1.0e.

What do you mean by "static binary"?  Is it enough for the "ssl" and
"crypto" libraries to be statically linked into the "openssl"
executable?  Or do you also want the C-library to be statically
linked?

You may need to disable support for dynamically loadable engines
(the "no-engine" option) and dynamic loading of any kind (via the
"no-dso" option) in order to get a completely static executable.
Is that what you want?

> I've tried to configure with no-shared, but the bin/openssl is still
> dynamically linked.

But it should have static copies of the "ssl" and "crypto" libraries.

> Thus I added -static to the end of CFLAG, but it just cannot get compiled.
> Anyone know how to get a static openssl command? thanks in advance.

Perhaps "engine" and/or "dso" support requires a dynamic C-library.

-- 
Viktor.



[openssl-users] How to compile the static binary version of openssl

2017-03-07 Thread Yu Chen
Hi,
Currently I'm trying to get a static binary of openssl command via
compiling the openssl-1.1.0e.
I've tried to configure with no-shared, but the bin/openssl is still
dynamically linked.
Thus I added -static to the end of CFLAG, but it just cannot get compiled.
Anyone know how to get a static openssl command? thanks in advance.