Too Long !!!
hi ... has anyone try to generate their Private Key using this command openssl genrsa -rand /dev/urandom -out domain.key 1024 ??? i'm trying this and it already took 5 days ... any comment r welcome Regards, Wong Nyook Yeen Email : [EMAIL PROTECTED] Tel no : 03 - 2018228 ext. 1031 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
non blocking
Hi all, I am writing one server program which accepts the connections from clients and process the connections. I am using openssl-0.9.6b version. I am crating one socket with non blocking mode and bounded to the SSL port with any ipaddress. i am listening on that socket to serve the client connections. My question is when i am trying to browse the server, the server is accepting the connection but SSL_accept is failing( non blocking) with return value as -1. I done SSL_get_error on the return value it shows 2. i am unable to find the reason. Any Help is appreciated. From RKP -- Rama Krishna Prasad Chunduru Software engineer Intoto Software(I) Pvt Ltd Kharkhana Secundrabad __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
libcrypto.so.2 libssl.so.2
Hi I have a question which I haven't been able to answer myself, I tried to update my current Kde 2.1 to Kde 2.2 and then kdebase-2.2-3 asks for libcrypto.so.2 libssl.so.2 which I have been able to locate in openssl-0.9.6b-6.i386.rpm. The problem is that I have a newer (I think, becouse when trying install 0.9.6b-6 it says it is older than current) version of opensll namely openssl-0.9.6-9. In openssl-0.9.6-9 I can't locate libcrypto.so.2 libssl.so.2. If I remember correctly openssl-0.9.6-9 is an update from RH. Currently using RH 7.1 kernelversion 2.4. How do I install libcrypto.so.2 libssl.so.2 so that RPM understands that they are there? With regards //Ola P. O. _ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
detecting and removing memory leaks using openssl supported apis...
Hi, Can any one of u guys tell me how to use the memory check support thing of Openssl.. Following code does output the memory leaks, but how to read the output and narrow the cause of memory leak.. Code: void Openssl_Init() { OpenSSL_add_all_algorithms(); CRYPTO_malloc_debug_init(); CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); g_pBioStdOut = BIO_new(BIO_s_file()); BIO_set_fp(g_pBioStdOut, stdout, BIO_NOCLOSE); BIO_printf(g_pBioStdOut, OpenSSL Application Starting.\n); //g_fp = fopen(d:\\work\\MemoryLeaks.txt, w); } void Openssl_Exit() { BIO_printf(g_pBioStdOut, OpenSSL Application Exiting.\n); BIO_printf(g_pBioStdOut, \n\n); BIO_free(g_pBioStdOut); CRYPTO_mem_leaks_fp(stderr); //CRYPTO_mem_leaks_fp(fp); ERR_free_strings(); ERR_remove_state(0); EVP_cleanup(); if(g_fp) fclose(g_fp); } Output: [11:21:51] 245 file=.\crypto\err\err.c, line=696, thread=480, number=332, addr ess=00D0B830 [11:21:51] 248 file=.\crypto\lhash\lhash.c, line=193, thread=480, number=12, a ddress=00D0BC10 [11:21:51] 246 file=.\crypto\lhash\lhash.c, line=119, thread=480, number=96, a ddress=00D0B9E0 [11:21:51] 247 file=.\crypto\lhash\lhash.c, line=121, thread=480, number=64, a ddress=00D0BB08 504 bytes leaked in 4 chunks Question: How to read this and figure out where excatly is the memory leak ?? Thanks Aslam __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
pod2man.pl-related compilation error. Help!
I wrote about this a few days ago and have not yet been able to solve it; I'd appreciate anybody's input... See http://marc.theaimsgroup.com/?l=openssl-usersm=99922122232541w=2 for details. Thanks! __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: non blocking
On Tue, Sep 04, 2001 at 12:09:16PM +0530, Rama krishna Prasad Chunduru wrote: I am crating one socket with non blocking mode and bounded to the SSL port with any ipaddress. i am listening on that socket to serve the client connections. My question is when i am trying to browse the server, the server is accepting the connection but SSL_accept is failing( non blocking) with return value as -1. I done SSL_get_error on the return value it shows 2. i am unable to find the reason. 2 = SSL_ERROR_WANT_READ man SSL_get_error ! Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Too Long !!!
On Mon, Sep 03, 2001 at 01:21:33PM +1000, [EMAIL PROTECTED] wrote: hi ... has anyone try to generate their Private Key using this command openssl genrsa -rand /dev/urandom -out domain.key 1024 ??? Yes. In the past we have seen several similar reports. Solution: do not specify /dev/urandom with -rand. genrsa will try to read from /dev/urandom until the end of the file is reached. /dev/urandom has no end, so you are hanging in an infinite loop. /dev/urandom is automatically queried by OpenSSL, you can omit the -rand option if you have /dev/urandom. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: Too Long !!!
My Guess is its just sitting there reading your /dev/urandom (aka sounds like a blocking/non-blocking issue), even on a 386 it should not take more than a minute or so to generate the key. Take a look at the FAQ for information on gathering entropy. Ryan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Sunday, September 02, 2001 8:22 PM To: [EMAIL PROTECTED] Subject: Too Long !!! hi ... has anyone try to generate their Private Key using this command openssl genrsa -rand /dev/urandom -out domain.key 1024 ??? i'm trying this and it already took 5 days ... any comment r welcome Regards, Wong Nyook Yeen Email : [EMAIL PROTECTED] Tel no : 03 - 2018228 ext. 1031 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Completion Notification
I am a C++ Programmer developing a program that combines OpenSSL and I/O Completion Ports using WinSock 2.2. I would like to know whether the SSL_write() and SSL_read() send completion notification to the I/O Completion Port mechanism. Further more, I would like to know if I set SSL_set_fd() to a NonBlocking SOCKET, will the calls to SSL_write() and SSL_read() will return immedietly or will they return only upon success or failiur. Thanks, shep
Re: question on DSA_verify vs EVP_VerifyFinal
On Saturday 01 September 2001 07:49 am, you wrote: Thanks for getting back to me. What you are saying makes sense, I just do not know why EVP_VerifyFinal passes a signature coming from Java, and DSA_verify fails it? There must be some difference between the two. Mark W. Webb wrote: I have two programs that sign information. One written in C, and one in Java. The signature is verified on another program written in C. The C based apps are using openssl 0.9.6a. The Java program is using standard JDK functions. The signature that is created by the C based app is verified using DSA_verify. This seems to be working fine. The signature that is created by the Java app is verified using the EVP_VerifyFinal function. If I use the DSA_verify function on the Java created signature, it fails. I use openssl command line args to have openssl verify a signature placed in a file created by Java. Here is the command line argument: openssl dgst -dss1 -verify PEM Pub key -signature DSA Signature created by java datafile is tracing through the code, I found that this command line argument depends on to work. My question is, how come I need 2 different functions to verify signatures that originate from the same private key? Note : The Java app uses a PKCS8 form of the private key and the C app uses a DER form of the private key. This should be in openssl-users... Anyway. EVP_Verify*() digests data and then verifies the signature using the digest and the relevant public key algorithm. They are high level functions in that all you need to do to use a different algorithm is change the parameters. DSA_verify on the other hand is a lower level function that will only work with DSA. Also it doesn't do the digesting itself you have to pass it the digest rather than the data to be digested. Steve. -- Mark Webb Software Engineer Dolphin Technology 1300B Floyd Ave Rome, NY 13440 Phone: (315) 334-4892 x222 Fax: (315) 339-4846 Email: [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Completion notification
I am a C++ Programmer developing a program that combines OpenSSL and I/O Completion Ports using WinSock 2.2. I would like to know whether the SSL_write() and SSL_read() send completion notification to the I/O Completion Port mechanism. Further more, I would like to know if I set SSL_set_fd() to a NonBlocking SOCKET, will the calls to SSL_write() and SSL_read() will return immedietly or will they return only upon success or failiur. Thanks, shep
Errors with CRL.
Title: Errors with CRL. I just installed openssl and I created a RSA cert. I'm trying to use CRL to check issuer info, last update etc as this information is going to be important for audit but when i try to use it it just gives me an error. this is my command line: openssl crl -in test.pem -text And this is the error message: unable to load CRL 1340:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib .c:662:Expecting: X509 CRL Please help Thanks Eldi
RE: Errors with CRL.
Title: Errors with CRL. What CA generated the CRL? Are you sure it is in PEM? Does it have the PEM armor (- BEGIN..., END)? Ryan -Original Message- From: Eldi Espinosa (InfoSpace Inc) [mailto:[EMAIL PROTECTED]] Sent: Tuesday, September 04, 2001 1:01 PM To: '[EMAIL PROTECTED]' Subject: Errors with CRL. I just installed openssl and I created a RSA cert. I'm trying to use CRL to check issuer info, last update etc as this information is going to be important for audit but when i try to use it it just gives me an error. this is my command line: openssl crl -in test.pem -text And this is the error message: unable to load CRL 1340:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib .c:662:Expecting: X509 CRL Please help Thanks Eldi
SSL without certificate
Hi, Is it possible to build an SSL server without server certificate, so that an encrypted SSL connection can be created without any certificate? Thanks in advance. Yiqiang
Re:
From the BIO_f_cipher() man page: BIO_flush() on an encryption BIO that is being written through is used to signal that no more data is to be encrypted: this is used to flush and possibly pad the final block through the BIO. . ... . NOTES When encrypting BIO_flush() must be called to flush the final block through the BIO. If it is not then the final block will fail a subsequent decrypt == Greg Stark [EMAIL PROTECTED] == - Original Message - From: Shaheed Bacchus [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Tuesday, September 04, 2001 4:55 PM Subject: Re: hello, i am trying to write a piece of code that will take an unsigned char* (called Data) and 3DES encode it and then store it in another unsigned char *. at the bottom of this message are two code snippets, #1 writes the encrypted data to a file BIO while #2 writes it to a mem BIO. #1 appears to work perfectly, if i use the openssl des3 command with the appropiate flags and key i can decrypt the file that was written. #2 does not work, the encrypted data produced is always shorter than the data produced by #1 and i cannot decrypt it. any ideas on why #2 will not work? code snippet #1: const EVP_CIPHER *cipher=NULL; unsigned char *SaltPtr=NULL; unsigned char Salt[PKCS5_SALT_LEN]; unsigned char Key[24], MD[MD5_DIGEST_LENGTH]; BIO *OutData, *EncBio=NULL; BUF_MEM *OutDataBuf=NULL; static const char magic[]=Salted__; int DataLen=0; OpenSSL_add_all_algorithms(); cipher = EVP_get_cipherbyname(des3); OutData = BIO_new(BIO_s_file()); if (BIO_write_filename(OutData, mytest.des) = 0) { printf(Error with BIO_write\n); goto end; } if (RAND_pseudo_bytes(Salt, PKCS5_SALT_LEN) 0) { printf(Error with RAND_pseudo_bytes\n); return (1); } if ((BIO_write(OutData, magic, sizeof(magic)-1) != sizeof(magic)-1) || (BIO_write(OutData, (char *) Salt, PKCS5_SALT_LEN) != PKCS5_SALT_LEN)) { printf(Error writing salt\n); goto end; } SaltPtr = Salt; EVP_BytesToKey(cipher, EVP_md5(), SaltPtr, (unsigned char *) Passwd, strlen(Passwd), 1, Key, MD); if (!(EncBio=BIO_new(BIO_f_cipher( goto end; BIO_set_cipher(EncBio, cipher, Key, MD, 1); if (EncBio) { OutData = BIO_push(EncBio, OutData); } if (BIO_write(OutData, (char *)Data, strlen(Data)) != strlen(Data)) { printf(Error writing Data\n); goto end; } - code snippet #2: -- const EVP_CIPHER *cipher=NULL; unsigned char *SaltPtr=NULL; unsigned char Salt[PKCS5_SALT_LEN]; unsigned char Key[24], MD[MD5_DIGEST_LENGTH]; BIO *OutData, *EncBio=NULL; BUF_MEM *OutDataBuf=NULL; static const char magic[]=Salted__; int DataLen=0, ret=0; OpenSSL_add_all_algorithms(); cipher = EVP_get_cipherbyname(des3); OutData = BIO_new(BIO_s_mem()); if (RAND_pseudo_bytes(Salt, PKCS5_SALT_LEN) 0) { printf(Error with RAND_pseudo_bytes \n); return (1); } if ((BIO_write(OutData, magic, sizeof(magic)-1) != sizeof(magic)-1) || (BIO_write(OutData, (char *) Salt, PKCS5_SALT_LEN) != PKCS5_SALT_LEN)) { printf(Error writing salt\n); goto end; } EVP_BytesToKey(cipher, EVP_md5(), SaltPtr, (unsigned char *) Passwd, strlen(Passwd), 1, Key, MD); if (!(EncBio=BIO_new(BIO_f_cipher( goto end; BIO_set_cipher(EncBio, cipher, Key, MD, 1); if (EncBio) { OutData = BIO_push(EncBio, OutData); } if (BIO_write(OutData, (char *)Data, strlen(Data)) != strlen(Data)) { printf(Error writing Data\n); goto end; } BIO_get_mem_ptr(OutData, OutDataBuf); DataLen = OutDataBuf-length; OutBuf = OutDataBuf-data; __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
No Subject
HI, I am a green hand in SSL programming. If I have got a certificate with the postfix of .pem or .cer, how can I get the subject , public key and other related infomation from the file? I mean what kind of functions I should employ? thank you. ___IP¿¨¡¢ÉÏÍø¿¨Á½ÕÛÊ·Å«±È¡¢À¯±ÊСÐÂÈ«¼Ò¸£»ªÓïÅÅÐаñ°ä½±µäÀñ¼ÓÈëÊéÓÑ»á»ñ¾«ÃÀÀñÆ·
Re:
thank you very much, you nailed it on the head. Gregory Stark wrote: From the BIO_f_cipher() man page: BIO_flush() on an encryption BIO that is being written through is used to signal that no more data is to be encrypted: this is used to flush and possibly pad the final block through the BIO. . ... . NOTES When encrypting BIO_flush() must be called to flush the final block through the BIO. If it is not then the final block will fail a subsequent decrypt == Greg Stark [EMAIL PROTECTED] == - Original Message - From: Shaheed Bacchus [EMAIL PROTECTED] To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Tuesday, September 04, 2001 4:55 PM Subject: Re: hello, i am trying to write a piece of code that will take an unsigned char* (called Data) and 3DES encode it and then store it in another unsigned char *. at the bottom of this message are two code snippets, #1 writes the encrypted data to a file BIO while #2 writes it to a mem BIO. #1 appears to work perfectly, if i use the openssl des3 command with the appropiate flags and key i can decrypt the file that was written. #2 does not work, the encrypted data produced is always shorter than the data produced by #1 and i cannot decrypt it. any ideas on why #2 will not work? code snippet #1: const EVP_CIPHER *cipher=NULL; unsigned char *SaltPtr=NULL; unsigned char Salt[PKCS5_SALT_LEN]; unsigned char Key[24], MD[MD5_DIGEST_LENGTH]; BIO *OutData, *EncBio=NULL; BUF_MEM *OutDataBuf=NULL; static const char magic[]=Salted__; int DataLen=0; OpenSSL_add_all_algorithms(); cipher = EVP_get_cipherbyname(des3); OutData = BIO_new(BIO_s_file()); if (BIO_write_filename(OutData, mytest.des) = 0) { printf(Error with BIO_write\n); goto end; } if (RAND_pseudo_bytes(Salt, PKCS5_SALT_LEN) 0) { printf(Error with RAND_pseudo_bytes\n); return (1); } if ((BIO_write(OutData, magic, sizeof(magic)-1) != sizeof(magic)-1) || (BIO_write(OutData, (char *) Salt, PKCS5_SALT_LEN) != PKCS5_SALT_LEN)) { printf(Error writing salt\n); goto end; } SaltPtr = Salt; EVP_BytesToKey(cipher, EVP_md5(), SaltPtr, (unsigned char *) Passwd, strlen(Passwd), 1, Key, MD); if (!(EncBio=BIO_new(BIO_f_cipher( goto end; BIO_set_cipher(EncBio, cipher, Key, MD, 1); if (EncBio) { OutData = BIO_push(EncBio, OutData); } if (BIO_write(OutData, (char *)Data, strlen(Data)) != strlen(Data)) { printf(Error writing Data\n); goto end; } - code snippet #2: -- const EVP_CIPHER *cipher=NULL; unsigned char *SaltPtr=NULL; unsigned char Salt[PKCS5_SALT_LEN]; unsigned char Key[24], MD[MD5_DIGEST_LENGTH]; BIO *OutData, *EncBio=NULL; BUF_MEM *OutDataBuf=NULL; static const char magic[]=Salted__; int DataLen=0, ret=0; OpenSSL_add_all_algorithms(); cipher = EVP_get_cipherbyname(des3); OutData = BIO_new(BIO_s_mem()); if (RAND_pseudo_bytes(Salt, PKCS5_SALT_LEN) 0) { printf(Error with RAND_pseudo_bytes \n); return (1); } if ((BIO_write(OutData, magic, sizeof(magic)-1) != sizeof(magic)-1) || (BIO_write(OutData, (char *) Salt, PKCS5_SALT_LEN) != PKCS5_SALT_LEN)) { printf(Error writing salt\n); goto end; } EVP_BytesToKey(cipher, EVP_md5(), SaltPtr, (unsigned char *) Passwd, strlen(Passwd), 1, Key, MD); if (!(EncBio=BIO_new(BIO_f_cipher( goto end; BIO_set_cipher(EncBio, cipher, Key, MD, 1); if (EncBio) { OutData = BIO_push(EncBio, OutData); } if (BIO_write(OutData, (char *)Data, strlen(Data)) != strlen(Data)) { printf(Error writing Data\n); goto end; } BIO_get_mem_ptr(OutData, OutDataBuf); DataLen = OutDataBuf-length; OutBuf = OutDataBuf-data; __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED]
RE: Too Long !!!
Have you tried the genrsa and dsaparam followed by a gendsa command? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, September 03, 2001 5:55 PM To: [EMAIL PROTECTED] Subject: RE: Too Long !!! so ... have anyone try to create a private key using openssl command ... pls show me the way ... Regards, Wong Nyook Yeen Email : [EMAIL PROTECTED] Tel no : 03 - 2018228 ext. 1031 __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
doubt regarding X509_verify_cert
Hi all, I have a doubt regarding the x509_verify_cert(). When we have a TRUSTED certificate with the authority-key-identifier extension, and when we are trying to verify a SELF certificate using the function X509_verify_cert(), the verification is failing. Upon a deeper look into the function, the function is failing as follows... When we call the X509_verify_cert() with the CTX, Before calling this function we are initializing the CTX-cert with the self-certificate, and we are adding the trusted-certificates in X509_STORE using the function X509_STORE_add_cert(). In the X509_verify_cert() 1. checks whether CTX-cert (self-certificate) is self-signed certificate or not by PUSHing the certificates into a chain. 2. It is looking for Trusted certificates whose subject name is same as the Issuer Name of CTX-cert(ie., self-certificate) and pushing the certificates into the chain in the CTX. Now we are checking the Trusted certificates are Self-signed or not by calling the function X509_check_issued( ). 3. We are passing the subject and issuer certificates the same Trusted Certificate. In this function we are checking the Serial Number of the Issuer certificate with the Serial number in the extension Authorithy Key Identifier of the Subject Certificate. Here we are facing problem. The problem is ASN1_INTEGER_cmp( ) is failing. The QUESTION is whether the Serial Number in the Trusted Certificate should be SAME as the Serial Number in the Authority Key Identifier extension? If the two need not be the same then we feel that there is a bug in the X509_check_issued ( ) function as we are using it to verify whether the certificate is self-signed or not. I would be thankful for any help regarding this question.. Regards Suram __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Simple question
Hi all, How do I serialize an RSA private key into DER? I tried by using the i2d_RSAPrivateKey(...) but it crashed. My code snippet: --- RSA *rsa = RSA_generate_key(1024, 0x10001, NULL, NULL); unsigned char der[1]; // ought to be enough? i2d_RSAPrivateKey(rsa, (unsigned char**)der); // crashes here --- Thanks ET. __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]