Using X509 cert from a PKCS#12 certificate.
Hi,

I am having trouble using the "X509* ssl_public_cert" created from the code at
the end of this message. This code runs fine without error, but when I call:

    SSL_use_certificate(ssl_con, ssl_public_cert)

(or SSL_CTX_use_certificate(...)) it fails with SSL_R_UNKNOWN_CERTIFICATE_TYPE.

I did some debugging and it fails trying to find out what "type":

    type = OBJ_obj2nid((ASN1_OBJECT *)x->cert_info->key->algor->algorithm);

This gives back an invalid type. Everything seems fine till it tries to search
the ASN1_OBJECT.

I have tried using many different p12 certificates and all give the same error,
and yet all appear fine when using the openssl tool. Even a PEM certificate
which works fine, when converted to pkcs#12 format, fails.

I am using version OpenSSL 0.9.3a, and the same thing happens on NT, Solaris
and OSF1.

Any ideas would be greatly appreciated.

Thanks.

Best Regards,
Jimmy

    /* PKCS12 format */
    PKCS12 *p12 = NULL;
    EVP_PKEY *pkey;
    X509 *cert;

    if ((fp = fopen(certificate_file, "r")) == NULL)
        dce_svc_printf(WAND_S_CANT_FOPEN_MSG, certificate_file, "r", errno);
    if ((ssl_public_cert = X509_new()) == NULL)
        dce_svc_printf(WAND_S_NO_MEMORY_MSG);
    if ((ssl_private_key = RSA_new()) == NULL)
        dce_svc_printf(WAND_S_NO_MEMORY_MSG);

    /* DER-decode the PKCS#12 container from the open file */
    if (!(p12 = d2i_PKCS12_fp(fp, NULL))) {
        dce_svc_printf(SDG_S_PKCS12_READ_MSG, certificate_file, sslerrno());
    }
    /* PKCS12_parse() takes EVP_PKEY ** and X509 ** and allocates both objects */
    if (!PKCS12_parse(p12, pass_key, &pkey, &cert, NULL)) {
        dce_svc_printf(SDG_S_PKCS12_PARSE_MSG, certificate_file, sslerrno());
    }

    /* shallow struct copy: ssl_public_cert keeps cert's internal pointers */
    memcpy((void *)ssl_public_cert, (void *)cert, sizeof(X509));
    X509_free(cert);   /* also frees the sub-objects the copy still points at */

    if (pkey->type == EVP_PKEY_RSA) {
        /* same shallow copy of the RSA structure owned by pkey */
        memcpy((void *)ssl_private_key, pkey->pkey.ptr, sizeof(struct rsa_st));
    } else {
        dce_svc_printf(SDG_S_X509_READ_MSG, key_file, sslerrno());
    }
    PKCS12_free(p12);
    EVP_PKEY_free(pkey);   /* releases the RSA that ssl_private_key shares */
    fclose(fp);

--
James Darwin               [EMAIL PROTECTED]
Senior Software Engineer   http://www.dascom.com
DASCOM Australia.
--
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
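The ownership problem behind the code above, as an added illustration that is not the poster's code and does not use OpenSSL's real types: the cert_t/certinfo_t/pubkey_t/algor_t structs, cert_parse(), cert_free() and NID_SAMPLE are constructed stand-ins for X509 and its sub-objects, modelling what a memcpy of the outer struct followed by X509_free leaves behind, beside the fix of taking over the pointer the parser returns.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for X509 and the sub-objects it owns (not the real
 * OpenSSL types); the nesting mirrors x->cert_info->key->algor->algorithm. */
typedef struct { int nid; } algor_t;                /* like X509_ALGOR  */
typedef struct { algor_t *algor; } pubkey_t;        /* like X509_PUBKEY */
typedef struct { pubkey_t *key; } certinfo_t;       /* like X509_CINF   */
typedef struct { certinfo_t *cert_info; } cert_t;   /* like X509        */
#define NID_SAMPLE 6   /* constructed value standing in for a real NID */

/* Plays the role of PKCS12_parse: hands back a freshly allocated tree. */
cert_t *cert_parse(void) {
    cert_t *c = malloc(sizeof *c);
    c->cert_info = malloc(sizeof *c->cert_info);
    c->cert_info->key = malloc(sizeof *c->cert_info->key);
    c->cert_info->key->algor = malloc(sizeof *c->cert_info->key->algor);
    c->cert_info->key->algor->nid = NID_SAMPLE;
    return c;
}

/* Plays the role of X509_free: releases the outer object and everything below. */
void cert_free(cert_t *c) {
    free(c->cert_info->key->algor);
    free(c->cert_info->key);
    free(c->cert_info);
    free(c);
}

/* The pattern from the post: memcpy the outer struct, then free the original.
 * The copy shares every inner pointer, so after cert_free(orig) the path
 * copy->cert_info->key->algor is freed memory. Returns 1 if it aliases. */
int shallow_copy_aliases(void) {
    cert_t *orig = cert_parse();
    cert_t *copy = malloc(sizeof *copy);
    memcpy(copy, orig, sizeof *copy);
    int aliased = (copy->cert_info == orig->cert_info);
    cert_free(orig);   /* copy->cert_info now dangles: must not be used */
    free(copy);        /* only the outer shell still belongs to us */
    return aliased;
}

/* The fix: take over the pointer the parser returned instead of copying
 * the struct, and free it only once the SSL side is finished with it. */
int load_cert_correctly(void) {
    cert_t *ssl_public_cert = cert_parse();                /* ownership moves */
    int nid = ssl_public_cert->cert_info->key->algor->nid; /* still valid */
    cert_free(ssl_public_cert);
    return nid;
}
```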
Re: [REPOST] internal SSL session cache question(s)
On Tue, Sep 14, 1999 at 12:22:56PM -0700, [EMAIL PROTECTED] wrote:

[...]

> This is all theory at this point, but it seems as though there is a
> problem with SSL_set_timeout(...) (or my use of it).

What functions and macros do you use? Usually you should not need
SSL_set_timeout; what you need is SSL_CTX_set_timeout on the SSL_CTX before
any sessions are created. SSL_set_timeout on an SSL_SESSION does not affect
the copy of that session that may be in an external cache.
Re: [REPOST] internal SSL session cache question(s)
On Tue, Sep 14, 1999 at 10:25:55AM +0100, Ben Laurie wrote:

> [EMAIL PROTECTED] wrote:
> > [EMAIL PROTECTED] (Bodo Moeller) writes:
> > > I have not looked too closely at this issue, but shouldn't this part of
> > > ssl_get_prev_session (which is executed right before the successful
> > > return) appropriately take care of it?
> >
> > Hmm... The behavior is a bit more like what I would expect if this is
> > moved up so that it is invoked /before/ the get_session_cb? I'll have to
> > look into this a bit more closely.
>
> In the case of an external session cache, it is its responsibility to
> enforce whatever aging policy it has.

You have to implement your own policy for getting rid of stale entries, but I
don't think the SSL library will continue to actually use them when the
timeout has expired.
Re: [REPOST] internal SSL session cache question(s)
[EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] (Bodo Moeller) writes:
> > I have not looked too closely at this issue, but shouldn't this part of
> > ssl_get_prev_session (which is executed right before the successful
> > return) appropriately take care of it?
>
> Hmm... The behavior is a bit more like what I would expect if this is moved
> up so that it is invoked /before/ the get_session_cb? I'll have to look
> into this a bit more closely.

In the case of an external session cache, it is its responsibility to enforce
whatever aging policy it has.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those who
work and those who take the credit. He told me to try to be in the first
group; there was less competition there." - Indira Gandhi
ssl and g++ conflict
I've looked on the openssl-* lists and was surprised not to find this already
discussed.

g++ version 2.95.2 prerelease gives warnings on including openssl/ssl.h. This
is because ssl.h uses the C++ "export" keyword as a variable name. The fix is
obviously straight-forward -- use a different variable name.

Here's the log. Apologies for my NO_nothing ssl compile.

    [patricia:~]g++ -c -DNO_RSA -DNO_IDEA -DNO_BF -DNO_MD2 -DNO_CAST -DNO_MDC2 -DNO_RC4 -DNO_RC2 -DNO_RC5 -I/usr/local/openssl-0.9.3a-norsa/include main.cpp
    In file included from main.cpp:1:
    /usr/local/openssl-0.9.3a-norsa/include/openssl/ssl.h:1099: warning: keyword 'export' not implemented and will be ignored
    /usr/local/openssl-0.9.3a-norsa/include/openssl/ssl.h:1101: warning: keyword 'export' not implemented and will be ignored
    [patricia:~]g++ -v
    Reading specs from /usr/lib/gcc-lib/i386-linux/2.95.2/specs
    gcc version 2.95.2 19990906 (prerelease)
    [patricia:~]cat main.cpp
    #include <openssl/ssl.h>
    [patricia:~]

David Marwood

--
David Marwood, M.Sc.              [EMAIL PROTECTED]
Director, Internet Technologies   Phone: 604-921-5993
InfraNet Solutions                Fax: 604-921-5909
West Vancouver, BC, Canada
--
Re: [REPOST] internal SSL session cache question(s)
Bodo Moeller [EMAIL PROTECTED] writes:

> On Tue, Sep 14, 1999 at 12:22:56PM -0700, [EMAIL PROTECTED] wrote:
>
> [...]
>
> > This is all theory at this point, but it seems as though there is a
> > problem with SSL_set_timeout(...) (or my use of it).
>
> What functions and macros do you use? Usually you should not need
> SSL_set_timeout; what you need is SSL_CTX_set_timeout on the SSL_CTX before
> any sessions are created. SSL_set_timeout on an SSL_SESSION does not affect
> the copy of that session that may be in an external cache.

A bastardized mod_ssl 2.1.3.

    ssl = ap_ctx_get(c->client->ctx, "ssl");
    if (ssl == NULL)
        return 0;
    session = SSL_get_session(ssl);
    if (session == NULL)
        return 0;

    /*
     * Set the timeout also for the internal SSLeay cache, because this way
     * our inter-process cache is consulted only when it's really necessary.
     */
    sc = mySrvConfig(mc->rCtx.pConn->server);
    t = SSL_get_time(session) + sc->nSessionCacheTimeout;
    /* SSL_set_timeout() stores a lifetime in seconds (s->timeout = t) */
    SSL_set_timeout(session, t);

In my case, I'd like to be able to re-set the session timeout so I can extend
the lifetime of a session.

-Tom

--
Tom Vaughan tvaughan at aventail dot com
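A toy external session cache, added here as an illustration of the point made across this thread (it is not mod_ssl's or OpenSSL's code): the external cache has to enforce its own aging policy, and extending a session's lifetime means refreshing the cache's own record rather than only calling SSL_set_timeout on the SSL_SESSION. The slot layout, the cache_store/cache_lookup/cache_extend names and the sample ids are constructed.

```c
#include <string.h>
/* Toy external session cache (added illustration, not mod_ssl's or OpenSSL's
 * code): each slot keeps the store time and timeout, like an SSL_SESSION. */
#define CACHE_SLOTS 8
#define ID_LEN 32

typedef struct {
    unsigned char id[ID_LEN];
    int id_len, used;
    long created, timeout;   /* seconds, as with SSL_get_time() */
} cache_entry;
static cache_entry cache[CACHE_SLOTS];

static cache_entry *find_slot(const unsigned char *id, int id_len) {
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].used && cache[i].id_len == id_len &&
            memcmp(cache[i].id, id, id_len) == 0) return &cache[i];
    return NULL;
}

/* Store a session under its id; returns 0 on success, -1 when full. */
int cache_store(const unsigned char *id, int id_len, long now, long timeout) {
    if (id_len > ID_LEN) return -1;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (cache[i].used) continue;
        memcpy(cache[i].id, id, id_len);
        cache[i].id_len = id_len; cache[i].used = 1;
        cache[i].created = now;   cache[i].timeout = timeout;
        return 0;
    }
    return -1;
}

/* The cache enforces its own aging policy, as the thread says it must:
 * an entry past created + timeout is evicted and reported as a miss. */
int cache_lookup(const unsigned char *id, int id_len, long now) {
    cache_entry *e = find_slot(id, id_len);
    if (!e) return 0;
    if (now >= e->created + e->timeout) { e->used = 0; return 0; }
    return 1;
}

/* Extend a still-valid session (what the last post asks for): refreshes the
 * cache's own copy, which SSL_set_timeout() on the SSL_SESSION cannot do. */
int cache_extend(const unsigned char *id, int id_len, long now, long timeout) {
    if (!cache_lookup(id, id_len, now)) return 0;
    cache_entry *e = find_slot(id, id_len);
    e->created = now; e->timeout = timeout;
    return 1;
}
```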