RE: Client Authentication Windows NT
Hi Oliver,

You need to install the CA certificate on the webserver as well, but not in the normal registry location. It needs to be installed in the Local Machine folder of the "Trusted Root" or "Intermediate" folder. You can do this following the normal GUI, but selecting the Certificate Location manually. Then I think the machine needs a restart but a complete restart of W3SVC and IISAdmin might suffice.

Gerard

-----Original Message-----
From: Oliver Bode [SMTP:[EMAIL PROTECTED]]
Sent: Friday, April 06, 2001 5:44 AM
To: [EMAIL PROTECTED]
Subject: Client Authentication Windows NT

Windows NT and 2000 presents other problems, and I was wondering if anyone has an answer or can point me in the right direction. On NT or 2000 you select a directory for client authentication. When you go to that page it brings up the authentication box, but only Verisign certificates are displayed there. What do you have to do to replace the Verisign certificate with my own CA's root certificate for client authentication, so it works in a similar way to Apache mod_ssl.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Encrypting Cookie data with server private key
Hi

I'm trying to write up a module which will encrypt cookie data with the server's private key. And another module which will decrypt this cookie data using the server's public key. Could you please provide hints and/or resources which might help with this.

Thanks
Mevlana Sari [EMAIL PROTECTED]
PRNG not seeded ERROR
Openssl is correctly installed. Here is the report :

OpenSSL self-test report:
OpenSSL version: 0.9.6
Last change: In ssl23_get_client_hello, generate an error message wh...
OS (uname): AIX spirou 3 4 0055B8AA4C00
OS (config): 0055B8AA4C00-ibm-aix
Target (default): ??
Target: aix-gcc
Compiler: gcc version 2.95.2.1 19991024 (release)
Test passed.

EGD is correctly installed and running. Here is the report for the "ps" command

35310 pts/3 0:03 perl -w /usr/local/bin/egd.pl /etc/egd-pool

But I still get this error :

root@spirou:/usr/local/ssl echo $RANDFILE
/etc/egd-pool
root@spirou:/usr/local/ssl ./bin/openssl req -new
Using configuration from /usr/local/ssl/openssl.cnf
unable to load 'random state'
This means that the random number generator has not been seeded with much random data.
Generating a 1024 bit RSA private key
30850:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:474:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
30850:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:

What's wrong ???

Thanks for help.

Etienne de Closmadeuc ([EMAIL PROTECTED])
Logica SA
183, route de Canéjan
33173 GRADIGNAN CEDEX
Tél : 05.56.75.77.00
OCSP memory leaks
Anyone using the OCSP beta stuff in the snapshot of openSSL? I am getting memory leaks for it, but when I do add the free'ing code it crashes. Here's the sequence

OCSP_REQUEST_free(pOCSPRequest);
OCSP_RESPONSE_free(pResponse);
// Next line crashes
OCSP_BASICRESP_free(pOCSPBasic);
OCSP_CERTID_free(pID);

I am following what the demo app does. However, I don't sign the OCSP requests.

Tat.
Re: Encrypting Cookie data with server private key
Why do you wish to use public key encryption for this - why not just use a symmetric encryption algorithm like blowfish or something? It just seems like an expensive way to do the same thing. Anyway, you could use http://www.openssl.org/docs/apps/smime.html for encrypting and decrypting on the server.

Oliver

----- Original Message -----
From: "Mevlana Sari" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 06, 2001 5:31 PM
Subject: Encrypting Cookie data with server private key

Hi I'm trying to write up a module which will encrypt cookie data with the server's private key. And another module which will decrypt this cookie data using the server's public key. Could you please provide hints and/or resources which might help with this.

Thanks
Mevlana Sari [EMAIL PROTECTED]
Re: OCSP memory leaks
From: Tat Sing Kong [EMAIL PROTECTED]

tsk OCSP_REQUEST_free(pOCSPRequest);
tsk OCSP_RESPONSE_free(pResponse);
tsk
tsk // Next line crashes
tsk OCSP_BASICRESP_free(pOCSPBasic);
tsk OCSP_CERTID_free(pID);

I haven't looked closely at the code yet, so I may be wrong. However, it strikes me that a BASICRESP is usually part of a RESPONSE, so the stuff that pOCSPBasic points might have been free'd already through freeing pResponse, and if that is the case, you're doing a double free of the same memory blob, which is never a good thing.

--
Richard Levitte \ Spannvgen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
Re[2]: Need to sign Microsoft CA by openssl
Hi!

I guess there isn't anyone who is able to answer and have free time for this. Anyway we'll dig and we'll have found the solution.

P.S. Especially my thank for Noor - only one who've answered.

We'll win! :-)

-----Original Message-----
From: Noor Haizad Mohd Said [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Thu, 05 Apr 2001 16:38:32 +0800
Subject: Re: Need to sign Microsoft CA by openssl

Dear Marat,

I also faced a problem same as you. I want to issue CA cert by signing a request generated by Windows2000. I also tried to cross certify their CA certificate. Both of them are failed. The reasons that might happens are:-

1) For generating a certificate by signing W2000 request, the certificate is successfully created. But, the certificate must contain CRL Distributions and CA Version fields. CA Version oid is important because it is being used as a reference in the W2000 Cert Services. Please refer to W2000 Certificate Services.

2) To cross certify their CA cert., the Subject Key Identifier must be retrieved correctly. I used different engine to cross certify W2000 CA cert. It was failed.

I hope this can give you some guidance. Maybe somebody can gives some answers for these matters.

Regards,
Noor Haizad

"Marat S. Salimov" wrote:

Hi there!

We have working Certification Authority based on openssl. But we plan to deploy a W2000 based corporate network. One of the tasks we have is to start using included Microsoft CA. We want to keep inheritance and we want to sign new CA by openssl issued certificate. I tried to do this but failed every time. Maybe my hands are curve... Can you give me any suggestion about "what to do" or any links about "where to look for".

Thanks in advance
Marat S. Salimov

--
Noor Haizad Mohd Said
Senior Systems Analyst
Digicert Sdn. Bhd.
Lot 2-1, Enterprise 1, Taman Teknologi Malaysia, 57000 Kuala Lumpur, Malaysia
Tel: 603-89961600 Fax: 603-89961054
Web: http://www.digicert.com.my
RE: Client Authentication Windows NT
Have a look in the archive: http://marc.theaimsgroup.com/?l=openssl-users under the author 'Dale Peakall' and look for the subject 'Client Auth in IE'.

- Dale.
Re: Crypt::SSLeay
On Thu, Apr 05, 2001 at 04:51:26PM -0700, Marcus Carey wrote:

It does not matter which server I connect to I still get the warning.

Ok, I just downloaded libwww-perl and found the offending message in it, but see below.

Date: Thu, 05 Apr 2001 23:21:19 GMT
Accept-Ranges: bytes
Server: Apache/1.3.6 (Unix) mod_perl/1.20 mod_ssl/2.3.5 OpenSSL/0.9.3a DAV/0.9.8
Content-Length: 5847
Content-Type: text/html
ETag: "2f71e-16d7-38b2f62a"
Last-Modified: Tue, 22 Feb 2000 20:48:42 GMT
Client-Date: Thu, 05 Apr 2001 23:24:58 GMT
Client-Peer: 129.132.7.153:443
Client-SSL-Cert-Issuer: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server [EMAIL PROTECTED]
Client-SSL-Cert-Subject: /C=DE/ST=Bavaria/L=Munich/O=Ralf S. Engelschall/OU=Security Services Division/CN=www.engelschall.com
Client-SSL-Cipher: EDH-RSA-DES-CBC3-SHA
Client-SSL-Warning: Peer certificate not verified

These headers are not sent from the server but added on the fly by LWP. They are created by lib/LWP/Protocol/https.pm:

...
$res->header("Client-SSL-Cipher" => $sock->get_cipher);
my $cert = $sock->get_peer_certificate;
if ($cert) {
    $res->header("Client-SSL-Cert-Subject" => $cert->subject_name);
    $res->header("Client-SSL-Cert-Issuer" => $cert->issuer_name);
}
$res->header("Client-SSL-Warning" => "Peer certificate not verified");

So as you can see, the "not verified" warning is added unconditionally. In order to get this to run, SSL_get_verify_result() needs to be evaluated. In order to get this running, the SSL_CTX_load_verify_locations() functionality is needed, which is (also?) missing from Crypt::SSLeay.

Therefore, your program as of now _cannot_ work, since the fundamental functionality is missing.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: OCSP memory leaks
Tat Sing Kong wrote:

Anyone using the OCSP beta stuff in the snapshot of openSSL? I am getting memory leaks for it, but when I do add the free'ing code it crashes. Here's the sequence

OCSP_REQUEST_free(pOCSPRequest);
OCSP_RESPONSE_free(pResponse);
// Next line crashes
OCSP_BASICRESP_free(pOCSPBasic);
OCSP_CERTID_free(pID);

I am following what the demo app does. However, I don't sign the OCSP requests.

Difficult to tell without seeing the rest of your code. However as a general rule functions which have a '0' in their name return internal pointers and the result must *not* be freed. Those with '1' in the name allocate or copy new structures and should be freed.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Need to sign Microsoft CA by openssl
Noor Haizad Mohd Said wrote:

Dear Marat,

I also faced a problem same as you. I want to issue CA cert by signing a request generated by Windows2000. I also tried to cross certify their CA certificate. Both of them are failed. The reasons that might happens are:-

1) For generating a certificate by signing W2000 request, the certificate is successfully created. But, the certificate must contain CRL Distributions and CA Version fields. CA Version oid is important because it is being used as a reference in the W2000 Cert Services. Please refer to W2000 Certificate Services.

2) To cross certify their CA cert., the Subject Key Identifier must be retrieved correctly. I used different engine to cross certify W2000 CA cert. It was failed.

I hope this can give you some guidance. Maybe somebody can gives some answers for these matters.

Well if you're signing a CA certificate you have to ensure you are using the correct extensions. By default the OpenSSL utilities sign an end user certificate so that's one thing to watch out for.

Wrt unsupported extensions, are they present in the certificate request? If so then the latest development release of OpenSSL's 'ca' utility has some options which will copy extensions from a request to the signed certificate. Even if they aren't supported this will still work if they are in the request.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re[2]: Need to sign Microsoft CA by openssl
-----Original Message-----
From: Dr S N Henson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Fri, 06 Apr 2001 12:54:32 +0100
Subject: Re: Need to sign Microsoft CA by openssl

Noor Haizad Mohd Said wrote:

Dear Marat,

I also faced a problem same as you. I want to issue CA cert by signing a request generated by Windows2000. I also tried to cross certify their CA certificate. Both of them are failed. The reasons that might happens are:-

1) For generating a certificate by signing W2000 request, the certificate is successfully created. But, the certificate must contain CRL Distributions and CA Version fields. CA Version oid is important because it is being used as a reference in the W2000 Cert Services. Please refer to W2000 Certificate Services.

2) To cross certify their CA cert., the Subject Key Identifier must be retrieved correctly. I used different engine to cross certify W2000 CA cert. It was failed.

I hope this can give you some guidance. Maybe somebody can gives some answers for these matters.

Well if you're signing a CA certificate you have to ensure you are using the correct extensions. By default the OpenSSL utilities sign an end user certificate so that's one thing to watch out for.

Wrt unsupported extensions, are they present in the certificate request? If so then the latest development release of OpenSSL's 'ca' utility has some options which will copy extensions from a request to the signed certificate. Even if they aren't supported this will still work if they are in the request.

Thank you for your answer Steve. Please correct me if I'm wrong. As I've got my plan should be like this one:

-I take the latest release of OpenSSL's 'ca'. BTW which one?
-I upgrade my old OpenSSL's 'ca' with the last obtained
-I look for the options which copy extensions from the request to the certificate
-I use this certificate to sign my Microsoft CA

Do anybody know about such situations that have succeeded?

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: Need to sign Microsoft CA by openssl
"Marat S. Salimov" wrote:

Thank you for your answer Steve. Please correct me if I'm wrong. As I've got my plan should be like this one:

-I take the latest release of OpenSSL's 'ca'. BTW which one?
-I upgrade my old OpenSSL's 'ca' with the last obtained
-I look for the options which copy extensions from the request to the certificate
-I use this certificate to sign my Microsoft CA

Do anybody know about such situations that have succeeded?

No you need to get the latest snapshot for 0.9.7.

If you can send me the certificate request then I'll tell you whether it's likely to work or not. It all depends on what extensions are present.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
openssl on a Sun Sparc Solaris 7 with ssh
Hello all...I've been having a bit of trouble with ssh on a machine that I recently put openssl on...I was wondering if anyone had a similar experience or could offer any suggestions...

#!/usr/bin/perl
# Chad.pm -
package Chad;
my $ref = {
    name => 'Chad Alan Billigmeier',
    title => 'Assistant Software Engineer',
    company => 'YesMail | CRM Group',
    email => '[EMAIL PROTECTED]',
    phone => '978.247.5719',
    fax => '978.684.3112',
};
1; # it compiles!!!
Re: How to build openssl without certain license-encumbered algorithms ?
RC4 is not license-encumbered but rather trademarked. However, to answer your question, add the no-* flags to the perl lines in the ms\do_masm.bat file.

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 05, 2001 4:46 PM
Subject: How to build openssl without certain license-encumbered algorithms ?

This should be an easy question for the experts. How can I build openssl.exe on the Windows NT platform without the license-encumbered algorithms ? The instructions within the INSTALL.W32 file are clear, but they don't seem to work.

I am using the OpenSSL 0.9.3a source tree (for reasons which I won't describe here). I am following the "Visual C++" instructions at the beginning of the "INSTALL.W32" file. To build openssl.exe I typically run the following command sequence:

- perl Configure VC-WIN32
- ms\do_ms
- nmake -f ms\nt.mk

openssl.exe builds fine.

To build openssl.exe to remove the "rc4, rc5 and idea" algorithms, for example, I am instructed to modify the above command sequence as follows:

- perl Configure VC-WIN32 no-rc4 no-rc5 no-idea
- ms\do_ms
- nmake -f ms\nt.mk

This doesn't work. No additional defines are used in the compilations and the same size executable is generated as before. Manually adding -DNO_RC4 -DNO_RC5 and -DNO_IDEA to the CFLAGS and LIBFLAGS macros within nt.mak doesn't help. It only causes certain compilations to die within rc4.h, rc5.h, and idea.h respectively. Each of these header files is written to fail to compile if its respective -DNO_* define exists.

Please reply to "[EMAIL PROTECTED]".

Thanks,
Mike
Internet Address: [EMAIL PROTECTED]
Phone: (512)-436-9735
Lotus Notes Address: MIKEAULT/TIVOLI SYSTEMS@TIVOLI SYSTEMS
RE: PRNG not seeded ERROR
What about the error message "You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html " didn't you understand? The specified FAQ includes a lengthy dissertation about what the problem is and what you can do to fix the problem.

J. Edward Ellis
Battelle, Pacific Northwest National Laboratory
(509) 375-3627 voice
(509) 375-2379 FAX
mailto:[EMAIL PROTECTED]

-----Original Message-----
From: De Closmadeuc, Etienne [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 06, 2001 12:48 AM
To: openssl-users
Subject: PRNG not seeded ERROR

Openssl is correctly installed. Here is the report :

OpenSSL self-test report:
OpenSSL version: 0.9.6
Last change: In ssl23_get_client_hello, generate an error message wh...
OS (uname): AIX spirou 3 4 0055B8AA4C00
OS (config): 0055B8AA4C00-ibm-aix
Target (default): ??
Target: aix-gcc
Compiler: gcc version 2.95.2.1 19991024 (release)
Test passed.

EGD is correctly installed and running. Here is the report for the "ps" command

35310 pts/3 0:03 perl -w /usr/local/bin/egd.pl /etc/egd-pool

But I still get this error :

root@spirou:/usr/local/ssl echo $RANDFILE
/etc/egd-pool
root@spirou:/usr/local/ssl ./bin/openssl req -new
Using configuration from /usr/local/ssl/openssl.cnf
unable to load 'random state'
This means that the random number generator has not been seeded with much random data.
Generating a 1024 bit RSA private key
30850:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:474:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
30850:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:

What's wrong ???

Thanks for help.

Etienne de Closmadeuc ([EMAIL PROTECTED])
Logica SA
183, route de Canéjan
33173 GRADIGNAN CEDEX
Tél : 05.56.75.77.00
Re: Encrypting Cookie data with server private key
You could try the smime function. http://www.openssl.org/docs/apps/smime.html

I use the smime function to encrypt and decrypt credit card numbers and to send me encrypted receipts of transactions. However, you could just as easily use it to encrypt and decrypt cookies - if that's what you want to do.

As cookies are only valid within the one domain, I can't see a point in encrypting them to your server's "public key" and decrypting them with your server's "private key" and password.

When I want to securely maintain state between forms, I create a pseudo random string, I write a temporary file and name it with that pseudo random string, I encrypt the string using a symmetric algorithm and create a cookie using the encrypted string. On the next page I retrieve the cookie from the client, decrypt it, and then I can retrieve and open the temp file I created, containing the info I'm after. At the end of the process the file is deleted.

Is there a better/more efficient way to maintain state securely?

Hi I'm trying to write up a module which will encrypt cookie data with the server's private key. And another module which will decrypt this cookie data using the server's public key. Could you please provide hints and/or resources which might help with this.

Thanks
Mevlana Sari [EMAIL PROTECTED]
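An added example, not code from anyone in this thread, of the state-keeping pattern described in the message above: a random token names a per-session temp file and the cookie carries only that token. It swaps the symmetric encryption of the token for an HMAC-SHA256 tag (Python standard library only) and checks the tag before the token is ever used as a file name. `CookieStateStore`, the `token.tag` cookie layout, the JSON file format and the 900-second lifetime are assumptions.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile
import time


class CookieStateStore:
    """Hypothetical helper: one temp file per session, named by a random token."""

    def __init__(self, key, directory, ttl=900):
        if len(key) < 32:
            raise ValueError("need at least 32 bytes of secret key material")
        self._key = key
        self._dir = directory
        self._ttl = ttl

    def _tag(self, token):
        # HMAC-SHA256 over the token; stands in for the symmetric encryption step.
        data = token.encode("utf-8", "replace")
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def _path(self, token):
        return os.path.join(self._dir, token + ".json")

    def _verify(self, cookie):
        """Return the token if its tag is valid, else None. Touches no files."""
        token, sep, tag = cookie.partition(".")
        if not sep:
            return None
        expected = self._tag(token).encode()
        supplied = tag.encode("utf-8", "replace")
        return token if hmac.compare_digest(expected, supplied) else None

    def create(self, state, now=None):
        """Write the state file and return the cookie value 'token.tag'."""
        now = time.time() if now is None else now
        token = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
        record = {"expires": now + self._ttl, "state": state}
        # O_EXCL: never reuse an existing file; 0600: readable by the server only.
        fd = os.open(self._path(token),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(record, fh)
        return token + "." + self._tag(token)

    def load(self, cookie, now=None):
        """Return the stored state, or None if forged, expired or destroyed."""
        now = time.time() if now is None else now
        token = self._verify(cookie)
        if token is None:
            return None  # rejected before any path is built from client input
        try:
            with open(self._path(token)) as fh:
                record = json.load(fh)
        except FileNotFoundError:
            return None
        if now >= record["expires"]:
            self.destroy(cookie)
            return None
        return record["state"]

    def destroy(self, cookie):
        """Delete the state file at the end of the process; True if removed."""
        token = self._verify(cookie)
        if token is None:
            return False
        try:
            os.remove(self._path(token))
        except FileNotFoundError:
            return False
        return True


if __name__ == "__main__":
    # Constructed demo values; a real server loads a persistent secret key.
    with tempfile.TemporaryDirectory() as workdir:
        store = CookieStateStore(secrets.token_bytes(32), workdir)
        cookie = store.create({"step": 2, "basket": ["constructed-item"]})
        print("Set-Cookie value:", cookie)
        print("state on next page:", store.load(cookie))
        print("tampered cookie:", store.load("x" + cookie))
        print("destroyed:", store.destroy(cookie))
```
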
OpenSSH doesn't configure with OpenSSL
Hello All:

I would greatly appreciate any help you can give me on this. I'm trying to install OpenSSH on a Dec Alpha 1200. I think I have OpenSSL correctly installed (based on the make test). During the configure for OpenSSH I get a "can't find OpenSSL" message.

I found a patch in the FAQ for OpenSSL but I can't get it to work (keep getting those dreaded "Hunk FAILED" messages). I'm positive this is my error and ignorance - but how to use the patch? I tried a simple 'patch patch_file'. I tried combinations of '-pnum'. I don't think I have a DOS file on UNIX.

Thanks in advance for any ideas. Have a great weekend!

Ross Hoopchuk
ACXIOM Corporation
Phone: (501) 342-1990
[EMAIL PROTECTED]
Re: Encrypting Cookie data with server private key
I believe you could make modifications to the mod_usertrack Apache module. Link in openssl and use either the core RSA functions or smime. Technically, it looks rather straightforward.

Good luck,
simos

----- Original Message -----
From: "Mevlana Sari" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 06, 2001 3:31 AM
Subject: Encrypting Cookie data with server private key

Hi I'm trying to write up a module which will encrypt cookie data with the server's private key. And another module which will decrypt this cookie data using the server's public key. Could you please provide hints and/or resources which might help with this.

Thanks
Mevlana Sari [EMAIL PROTECTED]
Re: PRNG not seeded ERROR
Something like this may help you out:

rand_buf = "0123456789ABCDEF0";
RAND_seed(rand_buf, 17);
/* One or the other will do */
RAND_add(rand_buf, 17, 17);

Seeding with a static stream is as worthless as no seeding at all. Try using something *random* for your RAND_seed. If you don't have /dev/urandom, then grab egd/prgd and use it as a source instead. Or worst case use a file with RAND_load_file which you overwrite each time with new random info via RAND_write_file.

And no, current system time/pid/ppid/num procs/etc is *not* sufficient.

--
Brian Hatch
Systems and Security Engineer
http://www.ifokr.org/bri/

"The next time you want a revelation could you possibly find a way that isn't quite so ... uncomfortable?"

Every message PGP signed
Re: PRNG not seeded ERROR
On Fri, Apr 06, 2001 at 11:34:48AM -0400, [EMAIL PROTECTED] wrote:

Something like this may help you out:

rand_buf = "0123456789ABCDEF0";
RAND_seed(rand_buf, 17);
/* One or the other will do */
RAND_add(rand_buf, 17, 17);

First: fortunately it would not help out, since as of 0.9.6, 20 bytes are needed.

Second: this is an extremely bad advice, as it would lead to weak keys. If I can obtain knowledge about your init string, I can easily guess all of your keys. (They may look different on the first glance, but the seeding is only changed by the pid and time, so the search space is negligible.)

Now: the reason of the failure is: RANDFILE is a file that is used to read entropy from on startup and to write seed back to on exit of the "openssl" application. (RANDFILE does not apply to the library, only to the "openssl" commandline application.) RANDFILE is _not_ considered to be a EGD socket, so setting RANDFILE to the egd-socket does not work. The original other must explicitly use the "-rand" commandline option to specify the EGD socket. Maybe the documentation does not make this point clear enough...

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
beginner question
Hello, I have a question for which I can't find the response. Is open SSL executed in Apache process, or is it running in a separate process (such as a servlet engine for example) ? Thanks, Xavier Marjou
Re: Encrypting Cookie data with server private key
why do you want to do this? Do you know the difference between a private and public key?

_
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_

----- Original Message -----
From: "Mevlana Sari" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, April 06, 2001 3:31 AM
Subject: Encrypting Cookie data with server private key

Hi I'm trying to write up a module which will encrypt cookie data with the server's private key. And another module which will decrypt this cookie data using the server's public key. Could you please provide hints and/or resources which might help with this.

Thanks
Mevlana Sari [EMAIL PROTECTED]
RE: VAX Install problems
Thanks. I don't really understand what that means though. I couldn't find any COMMON sections of the MD5_DGST.C code, so I commented out the following line from the [.CRYPTO.MD5]MD5_DGST.C:

const char *MD5_version="MD5" OPENSSL_VERSION_PTEXT;

And now it compiles and tests OK. Is this OK to do? I noticed many other programs had similar lines, but only this one is tripping me up. Any more ideas? I appreciate all input and help.

Thanks,
Bryan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 05, 2001 12:44 PM
To: [EMAIL PROTECTED]
Subject: Re: VAX Install problems

Here is what HELP/MESSAGE has to say ...

OUTSIMGP, attempted store location 'address' is outside 'name' ('address' to 'address') in psect 'psect-name' module 'module-name' file 'file-name'

Facility: LINK, Linker Utility

Explanation: An attempt was made to store an address outside the specified program segment. This is generally due to an attempt to initialize a shared COMMON of a shareable image when linking against the shareable image. This message is issued if the psect name is known.

User Action: Initialize the data at execution time.

OR

OUTSIMG, attempted store location 'address' is outside 'name' ('address' to 'address') in module 'module-name' file 'file-name'

Facility: LINK, Linker Utility

Explanation: An attempt was made to store outside the specified program segment. This may be caused by an attempt to initialize a shared COMMON of a shareable image when linking against the shareable image.

User Action: Initialize the data either at execution time or when linking the shareable image containing the COMMON.

Hope this helps,
Kevin.
Re: OpenSSH doesn't configure with OpenSSL
On Fri, Apr 06, 2001 at 12:50:47PM -0500, Hoopchuk Ross - rhoopc wrote:
> I would greatly appreciate any help you can give me on this. I'm trying to install OpenSSH on a Dec Alpha 1200. I think I have OpenSSL correctly installed (based on the make test). During the configure for OpenSSH I get a "can't find OpenSSL" message.
This error message is more or less an FAQ for OpenSSH (even though the particular reason may be different depending on platform and setup): Check out config.log: there you will find the error message triggered during the test compilations. It will tell you (and us) what in detail to look for.
> I found a patch in the FAQ for OpenSSL but I can't get it to work (keep getting those dreaded "Hunk FAILED" messages). I'm positive this is my error and ignorance - but how to use the patch? I tried a simple 'patch patch_file'. I tried combinations of '-pnum'. I don't think I have a DOS file on UNIX.
I suppose that you are talking about the latest version of OpenSSH, which is 2.5.2p2. It already has the necessary patches applied. It would probably be best if you examine the config.log file and if you do not find the reason in it yourself, you should send another request to the openssh-unix-dev mailing list, where issues of the portable OpenSSH implementation are discussed.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: Client Authentication Windows NT
Thanks, I'm sure this will sort it out. It's the same problem we've experienced. Tell me on Win2000 and NT can you have client authentication that will check multiple root certificates?
Oliver
Have a look in the archive: http://marc.theaimsgroup.com/?l=openssl-users under the author 'Dale Peakall' and look for the subject 'Client Auth in IE'.
- Dale.
RE: OCSP memory leaks
To avoid crashes, you should first check the pointer to be cleaned. If it is NULL, do not free it any more. In your case, pOCSPBasic, pID may be already cleaned by previous clean ups. Hope this helps.
Heyun Zheng [EMAIL PROTECTED]
-----Original Message-----
From: tsk [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 06, 2001 3:23 AM
To: openssl-users
Cc: tsk
Subject: OCSP memory leaks
Anyone using the OCSP beta stuff in the snapshot of openSSL? I am getting memory leaks for it, but when I do add the free'ing code it crashes. Here's the sequence
    OCSP_REQUEST_free(pOCSPRequest);
    OCSP_RESPONSE_free(pResponse);
    // Next line crashes
    OCSP_BASICRESP_free(pOCSPBasic);
    OCSP_CERTID_free(pID);
I am following what the demo app does. However, I don't sign the OCSP requests.
Tat.
Is there a Telnet app?
Does anyone know if there is a telnet application available that uses the latest version of the SSL toolkit? Thanks in advance, Steve
hi
Hi... I would like to receive the mailing list... Thanks...
Re: Is there a Telnet app?
Date sent: Fri, 06 Apr 2001 15:33:24 -0400
From: Steve Roche [EMAIL PROTECTED]
Organization: Powerlan USA, Inc.
To: [EMAIL PROTECTED]
Subject: Is there a Telnet app?
Send reply to: [EMAIL PROTECTED]
Steve
Depends upon what you mean by SSL Toolkit, but SecureNetTerm does support and use the latest version of OpenSSL with both telnet and SSH. You can contact me for additional information/questions.
Ken
Does anyone know if there is a telnet application available that uses the latest version of the SSL toolkit? Thanks in advance, Steve
__
Support
InterSoft International, Inc.
Voice: 888-823-1541, International 281-398-7060
Fax: 888-823-1542, International 281-560-9170
[EMAIL PROTECTED] http://www.securenetterm.com
[to VincentLue]_ SSL doc request
Hi. I see the title "SSL doc request". Mr. VincentLue wants to send email personally, but I don't know Mr. VincentLue's email address. So I am sending the "SSL doc request" to the mailing list. Please send the "SSL doc request". My email address is as follows: [[EMAIL PROTECTED]] --- This e-mail was sent by 부경대학 Mail System at http://pknu.ac.kr/ ---
Re: Need to sign Microsoft CA by openssl
Hi Marat,
I have signed a Win2K subordinate CA cert with openssl (v0.9.6) as root CA. The following extensions are used:
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid:always
    basicConstraints = critical,CA:true,pathlen:0
    keyUsage = critical, cRLSign, keyCertSign
    nsCertType = sslCA, emailCA
    crlDistributionPoints=URI:https://host_stored_crls/root.crl
The Win2K sub-CA cert can then be used to issue certs for AD users and computers. SSL auth with those end-user certs is fine but smartcard logon doesn't work (OK if the root CA is Win2K CA).
Rgds.
Martin
Dr S N Henson wrote:
> "Marat S. Salimov" wrote:
>> Thank you for your answer Steve. Please correct me if I'm wrong. As I've got my plan should be like this one:
>> - I take the latest release of OpenSSL's 'ca'. BTW which one?
>> - I upgrade my old OpenSSL's 'ca' with the last obtained
>> - I look for the options which copy extensions from the request to the certificate
>> - I use this certificate to sign my Microsoft CA
>> Does anybody know about such situations that have succeeded?
> No you need to get the latest snapshot for 0.9.7. If you can send me the certificate request then I'll tell you whether it's likely to work or not. It all depends on what extensions are present.
> Steve.
> --
> Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
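Added example (not part of the messages above and not code from the OpenSSL project): a shell function that signs a subordinate CA request with the extension set Martin lists, taking the extensions from the signer's own config file rather than from the request, and then verifies the result against the root. The throwaway keys, file names, subject names and the section names v3_root and v3_subca are constructed for illustration; the CRL URI is the one quoted in the message.

```shell
#!/bin/sh
# Constructed demo: every file name, subject and section name is an assumption.
sign_subca_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:true
keyUsage = critical, cRLSign, keyCertSign
[ v3_subca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA
crlDistributionPoints = URI:https://host_stored_crls/root.crl
EOF
    # Self-signed root; keyid:always on the sub-CA copies this cert's key identifier.
    openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -extensions v3_root -subj "/CN=Constructed Root CA" -days 30 \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # Stand-in for the request a subordinate CA would hand over.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=Constructed Sub CA" \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null || return 1
    # The signer decides the extensions: pathlen:0 stops the sub-CA from
    # creating further CAs below itself.
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -days 30 \
        -extfile "$dir/ca.cnf" -extensions v3_subca \
        -out "$dir/sub.pem" 2>/dev/null || return 1
    # Chain must validate before the certificate is handed back.
    openssl verify -CAfile "$dir/root.pem" "$dir/sub.pem" >/dev/null || return 1
    openssl x509 -in "$dir/sub.pem" -noout -text
    rm -rf "$dir"
}

# Show only the extension lines that constrain what the sub-CA may do.
sign_subca_demo | grep -A1 -E 'Basic Constraints|Key Usage'
```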