Using X509 cert from a PKCS#12 certificate.

1999-09-14 Thread James Darwin

Hi,

I am having trouble using the "X509* ssl_public_cert" created from the code
at the end of this message. This code runs fine without error, but when I
call: 

SSL_use_certificate(ssl_con, ssl_public_cert) (or
SSL_CTX_use_certificate(...) )

It fails with SSL_R_UNKNOWN_CERTIFICATE_TYPE. I did some debugging and it
fails trying to find out what "type" 

type=OBJ_obj2nid(x->cert_info->key->algor->algorithm);   /* an ASN1_OBJECT * */

this gives back an invalid type. Everything seems fine till it tries to
search the ASN1_OBJECT.

I have tried using many different p12 certificates and all give the same
error, and yet all appear fine when using the openssl tool. Even a PEM
certificate which works fine, when converted to pkcs#12 format fails.

I am using version Openssl 0.9.3a, and the same thing happens on NT,
Solaris and OSF1.

Any ideas would be greatly appreciated. Thanks.

Best Regards,

Jimmy

/* PKCS12 format */
/* Needs <openssl/pkcs12.h>, <openssl/x509.h> and <openssl/rsa.h>. */
   PKCS12 *p12=NULL;
   EVP_PKEY *pkey=NULL;
   X509 *cert=NULL;

   /* "rb": a PKCS#12 file is DER, and a text-mode read corrupts it on NT. */
   if ((fp=fopen(certificate_file, "rb"))==NULL)
   dce_svc_printf(WAND_S_CANT_FOPEN_MSG, certificate_file, "rb", errno);

   if (!(p12 = d2i_PKCS12_fp(fp,NULL))) {
   dce_svc_printf(SDG_S_PKCS12_READ_MSG, certificate_file, sslerrno());
   }
   /* PKCS12_parse() takes the addresses of the output pointers and
    * allocates the EVP_PKEY and X509 itself, so no X509_new() or
    * RSA_new() target is needed beforehand. */
   if (!PKCS12_parse(p12, pass_key, &pkey, &cert, NULL)) {
   dce_svc_printf(SDG_S_PKCS12_PARSE_MSG, certificate_file, sslerrno());
   }
   /* Take the parsed certificate as-is. A memcpy() of the X509 struct
    * followed by X509_free(cert) frees the cert_info substructure that
    * the copy still points to, so OBJ_obj2nid() later reads freed memory
    * and SSL_use_certificate() fails with SSL_R_UNKNOWN_CERTIFICATE_TYPE. */
   ssl_public_cert = cert;
   cert = NULL;

   if (pkey->type == EVP_PKEY_RSA) {
   /* Take a reference to the RSA key instead of memcpy()ing struct rsa_st,
    * so EVP_PKEY_free(pkey) below does not pull the key out from under us.
    * Where EVP_PKEY_get1_RSA() is not available, use pkey->pkey.rsa and
    * CRYPTO_add(&ssl_private_key->references, 1, CRYPTO_LOCK_RSA). */
   ssl_private_key = EVP_PKEY_get1_RSA(pkey);
   }
   else {
   dce_svc_printf(SDG_S_X509_READ_MSG, key_file, sslerrno());
   }
   PKCS12_free(p12);
   EVP_PKEY_free(pkey);
   fclose(fp);
 
--
James Darwin   [EMAIL PROTECTED]
 Senior Software Engineer  http://www.dascom.com
  DASCOM Australia.  
--

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
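The failure described above is an ownership error rather than a PKCS#12 problem: copying the X509 struct byte for byte and then freeing the original leaves the copy pointing at freed substructures, so the later OBJ_obj2nid() lookup sees garbage. The following added example, which is not code from the post and does not use OpenSSL, models that behaviour with a small reference-counted handle type (all names such as cert_t, cert_new, cert_up_ref and the NID values are invented for the illustration) and contrasts the broken shallow copy with the two patterns that work: transferring the pointer, or taking a reference before the original is released. The inner object is poisoned rather than free()d on release so that the broken path yields a deterministic result instead of undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>

#define NID_UNDEF 0   /* like OpenSSL's NID_undef */
#define NID_RSA   6   /* stand-in for NID_rsaEncryption; constructed value */

/* Inner object reached through the handle (think cert_info->key->algor).
 * In this model release only poisons it (memory is intentionally kept),
 * so a use-after-release read gives NID_UNDEF instead of undefined behaviour. */
typedef struct { int nid; int alive; } algor_t;

typedef struct {
    int      references;  /* like X509->references */
    algor_t *algor;
} cert_t;

static cert_t *cert_new(int nid) {
    cert_t *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    c->algor = calloc(1, sizeof *c->algor);
    if (c->algor == NULL) { free(c); return NULL; }
    c->algor->nid = nid;
    c->algor->alive = 1;
    c->references = 1;
    return c;
}

static void cert_up_ref(cert_t *c) { c->references++; }

/* Drop one reference; when the last one goes, tear down the inner object. */
static void cert_free(cert_t *c) {
    if (--c->references > 0) return;
    c->algor->alive = 0;          /* real code would free(c->algor) here */
    c->algor->nid = NID_UNDEF;
    free(c);
}

/* What OBJ_obj2nid() effectively sees: a dead inner object is unknown. */
static int cert_type(const cert_t *c) {
    return c->algor->alive ? c->algor->nid : NID_UNDEF;
}

/* Broken pattern from the post: shallow copy shares c->algor with the
 * original; releasing the original kills it for the copy as well. */
int type_after_shallow_copy(void) {
    cert_t *parsed = cert_new(NID_RSA);
    cert_t *copy = malloc(sizeof *copy);
    memcpy(copy, parsed, sizeof *copy);
    cert_free(parsed);            /* refcount 1 -> 0: inner object gone */
    int t = cert_type(copy);      /* NID_UNDEF: the symptom in the thread */
    free(copy);
    return t;
}

/* Correct pattern 1: take over the pointer the parser handed out. */
int type_after_ownership_transfer(void) {
    cert_t *parsed = cert_new(NID_RSA);
    cert_t *mine = parsed;
    parsed = NULL;                /* ownership moved; nothing to free here */
    int t = cert_type(mine);
    cert_free(mine);
    return t;
}

/* Correct pattern 2: take a reference, then let the original go. */
int type_after_up_ref(void) {
    cert_t *parsed = cert_new(NID_RSA);
    cert_t *mine = parsed;
    cert_up_ref(mine);            /* refcount 2 */
    cert_free(parsed);            /* refcount 1: still alive for us */
    int t = cert_type(mine);
    cert_free(mine);              /* refcount 0: released once, by its last owner */
    return t;
}
```

The same discipline applies to the RSA key: `EVP_PKEY_free(pkey)` releases the key object that a `memcpy` of `struct rsa_st` still points into, which is why the copy must instead hold its own reference.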



Re: [REPOST] internal SSL session cache question(s)

1999-09-14 Thread Bodo Moeller

On Tue, Sep 14, 1999 at 12:22:56PM -0700, [EMAIL PROTECTED] wrote:

[...]
 This is all theory at this point, but it seems as though there is a problem
 with SSL_set_timeout(...) (or my use of it).

What functions and macros do you use?  Usually you should not need
SSL_set_timeout; what you need is SSL_CTX_set_timeout on the SSL_CTX
before any sessions are created.  SSL_set_timeout on an SSL_SESSION
does not affect the copy of that session that may be in an external
cache.



Re: [REPOST] internal SSL session cache question(s)

1999-09-14 Thread Bodo Moeller

On Tue, Sep 14, 1999 at 10:25:55AM +0100, Ben Laurie wrote:
 [EMAIL PROTECTED] wrote:
 [EMAIL PROTECTED] (Bodo Moeller) writes:

 I have not looked too closely at this issue, but shouldn't this part
 of ssl_get_prev_session (which is executed right before the successful
 return) appropriately take care of it?

 Hmm... The behavior is a bit more like what I would expect if this is
 moved up so that it is invoked /before/ the get_session_cb?  I'll have to
 look into this a bit more closely.

 In the case of an external session cache, it is its responsibility to
 enforce whatever aging policy it has.

You have to implement your own policy for getting rid of stale entries,
but I don't think the SSL library will continue to actually use them
when the timeout has expired.



Re: [REPOST] internal SSL session cache question(s)

1999-09-14 Thread Ben Laurie

[EMAIL PROTECTED] wrote:
 
 [EMAIL PROTECTED] (Bodo Moeller) writes:
 
  I have not looked too closely at this issue, but shouldn't this part
  of ssl_get_prev_session (which is executed right before the successful
  return) appropriately take care of it?
 
 Hmm... The behavior is a bit more like what I would expect if this is
 moved up so that it is invoked /before/ the get_session_cb?  I'll have to
 look into this a bit more closely.

In the case of an external session cache, it is its responsibility to
enforce whatever aging policy it has.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
 - Indira Gandhi



ssl and g++ conflict

1999-09-14 Thread David Marwood


I've looked on the openssl-* lists and was surprised not to find this
already discussed.  g++ version 2.95.2 prerelease gives warnings on
including openssl/ssl.h.  This is because ssl.h uses the C++ "export"
keyword as a variable name.  The fix is obviously straightforward --
use a different variable name.

Here's the log.  Apologies for my NO_nothing ssl compile.

[patricia:~]g++ -c -DNO_RSA -DNO_IDEA -DNO_BF -DNO_MD2 -DNO_CAST -DNO_MDC2 -DNO_RC4 
-DNO_RC2 -DNO_RC5 -I/usr/local/openssl-0.9.3a-norsa/include main.cpp
In file included from main.cpp:1:
/usr/local/openssl-0.9.3a-norsa/include/openssl/ssl.h:1099: warning: keyword 'export' 
not implemented and will be ignored
/usr/local/openssl-0.9.3a-norsa/include/openssl/ssl.h:1101: warning: keyword 'export' 
not implemented and will be ignored
[patricia:~]g++ -v
Reading specs from /usr/lib/gcc-lib/i386-linux/2.95.2/specs
gcc version 2.95.2 19990906 (prerelease)
[patricia:~]cat main.cpp
#include <openssl/ssl.h>
[patricia:~]

David Marwood

--
--
David Marwood, M.Sc.[EMAIL PROTECTED]
Director, Internet Technologies Phone: 604-921-5993
InfraNet Solutions  Fax: 604-921-5909
West Vancouver, BC, Canada
--



Re: [REPOST] internal SSL session cache question(s)

1999-09-14 Thread tvaughan

Bodo Moeller [EMAIL PROTECTED] writes:

 On Tue, Sep 14, 1999 at 12:22:56PM -0700, [EMAIL PROTECTED] wrote:
 
 [...]
  This is all theory at this point, but it seems as though there is a problem
  with SSL_set_timeout(...) (or my use of it).
 
 What functions and macros do you use?  Usually you should not need
 SSL_set_timeout; what you need is SSL_CTX_set_timeout on the SSL_CTX
 before any sessions are created.  SSL_set_timeout on an SSL_SESSION
 does not affect the copy of that session that may be in an external
 cache.

A bastardized mod_ssl 2.1.3.

ssl = ap_ctx_get(c->client->ctx, "ssl");
if (ssl == NULL)
return 0;

session = SSL_get_session(ssl);
if (session == NULL)
return 0;

/*
 * Set the timeout also for the internal SSLeay cache, because this way
 * our inter-process cache is consulted only when it's really necessary.
 */
sc = mySrvConfig(mc->rCtx.pConn->server);
t = SSL_get_time(session) + sc->nSessionCacheTimeout;
SSL_set_timeout(session, t);

In my case, I'd like to be able to re-set the session timeout so I can
extend the lifetime of a session.

-Tom

-- 
Tom Vaughan tvaughan at aventail dot com
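Two points from this thread are worth seeing in code: Bodo's remark that the library will not resume a session whose timeout has expired (the check in ssl_get_prev_session, which removes a session once now minus its creation time exceeds its timeout) even if an external cache still holds it, and Tom's wish to extend the lifetime of an individual session. The following added example is not code from the thread or from mod_ssl or OpenSSL; it is a minimal external session cache in plain C whose lookup applies the same aging rule and which exposes an extend operation. Every name in it (session_t, session_cache_t, cache_lookup, session_extend, the fixed clock values and the session id) is invented for the illustration; the clock is passed in explicitly so the behaviour can be checked without waiting.

```c
#include <stdio.h>
#include <string.h>

#define ID_LEN      32
#define CACHE_SLOTS 8

typedef struct {
    int           in_use;
    unsigned char id[ID_LEN];   /* session id, the cache key */
    long          time;         /* creation time, like SSL_get_time() */
    long          timeout;      /* lifetime in seconds, like SSL_get_timeout() */
} session_t;

typedef struct {
    session_t slot[CACHE_SLOTS];
    long      default_timeout;  /* given to new sessions, like SSL_CTX_set_timeout() */
} session_cache_t;

void cache_init(session_cache_t *c, long default_timeout) {
    memset(c, 0, sizeof *c);
    c->default_timeout = default_timeout;
}

/* The rule ssl_get_prev_session() applies: stale iff timeout < now - time. */
int session_expired(const session_t *s, long now) {
    return s->timeout < now - s->time;
}

session_t *cache_add(session_cache_t *c, const unsigned char *id, long now) {
    for (int i = 0; i < CACHE_SLOTS; i++) {
        session_t *s = &c->slot[i];
        if (s->in_use) continue;
        s->in_use = 1;
        memcpy(s->id, id, ID_LEN);
        s->time = now;
        s->timeout = c->default_timeout;
        return s;
    }
    return NULL;   /* cache full; a real cache would evict the oldest entry */
}

/* Lookup evicts a stale entry instead of handing it back, so a caller never
 * resumes an expired session even when the cache's own periodic sweep
 * (its "aging policy") has not run yet. */
session_t *cache_lookup(session_cache_t *c, const unsigned char *id, long now) {
    for (int i = 0; i < CACHE_SLOTS; i++) {
        session_t *s = &c->slot[i];
        if (!s->in_use || memcmp(s->id, id, ID_LEN) != 0) continue;
        if (session_expired(s, now)) {
            memset(s, 0, sizeof *s);   /* evict */
            return NULL;
        }
        return s;
    }
    return NULL;
}

/* Extend one session's lifetime by `extra` seconds. Like SSL_set_timeout()
 * on an SSL_SESSION, this changes only the copy it is called on; any other
 * cache holding its own copy of the session is unaffected. */
void session_extend(session_t *s, long extra) {
    s->timeout += extra;
}

/* Walks the scenario with a fixed clock. Returns 0 when every step behaves
 * as expected, otherwise the number of the first step that did not. */
int run_scenario(void) {
    session_cache_t cache;
    unsigned char id[ID_LEN] = { 0xde, 0xad, 0xbe, 0xef };   /* constructed id */
    cache_init(&cache, 300);                          /* 300 s default lifetime */
    if (!cache_add(&cache, id, 1000)) return 1;
    if (!cache_lookup(&cache, id, 1300)) return 2;    /* exactly at the limit: still valid */
    if (cache_lookup(&cache, id, 1301)) return 3;     /* one second later: stale, evicted */
    if (cache_lookup(&cache, id, 1000)) return 4;     /* gone for good, even with an earlier clock */
    session_t *s = cache_add(&cache, id, 2000);
    if (!s) return 5;
    session_extend(s, 600);                           /* lifetime is now 900 s */
    if (!cache_lookup(&cache, id, 2800)) return 6;
    if (cache_lookup(&cache, id, 2901)) return 7;
    return 0;
}

int main(void) {
    int r = run_scenario();
    if (r == 0) puts("all steps behaved as expected");
    else printf("step %d failed\n", r);
    return r;
}
```

The eviction on lookup is the part that matters for security: a cache that only sweeps on a timer can still hand out a session whose lifetime has passed, and the lookup-time check is what closes that window regardless of how the sweep is scheduled.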