RE: more inetd trouble
Hi, I have come into this thread a bit late. Having just completed inetd/OpenSSL I might be able to help, but I do not have the original question.

Inetd uses stdin and stdout (0, 1). I have noted that any debugging information (printf etc.) sent to these descriptors interferes with the communication.

In my implementation I am not using the BIO functions but was able to get away with

    SSL_set_rfd(pSSL, fileno(stdin));
    SSL_set_wfd(pSSL, fileno(stdout));

to set up the reading and writing options of SSL. If I can help any more please let me know.

Hylton

I may be able to post portions of source code if it would be relevant.

-----Original Message-----
From: Matthew Fleming [mailto:[EMAIL PROTECTED]]
Sent: 16 November 2001 05:45
To: [EMAIL PROTECTED]
Subject: more inetd trouble

> Matthew Fleming [EMAIL PROTECTED] writes:
>
> > But what I have written is not a standalone server program, but a daemon which is invoked by inetd. It seems to me that this should work the same as the standalone, except that the tcp_listen() and accept() calls should be unnecessary; inetd should hand the daemon a socket descriptor which should be usable in the BIO_new_socket call; and this socket descriptor should be accessible as fd 0, 1, or 2 (inetd makes all 3 descriptors available, but there is really only one socket, so each of the descriptors should refer to the same thing).
>
> I'm not sure that it's safe to write file descriptor 0. Have you tried creating one bio for reading on stdin and one for writing on stdout and passing them both to SSL?
>
> -Ekr

By this I assume you mean something like the following:

    int sock,s;
    BIO *sbio_in, *sbio_out;                  /* changed: two BIOs instead of one */
    SSL_CTX *ctx;
    SSL *ssl;
    int r;

    /* Build our SSL context */
    ctx=initialize_ctx(KEYFILE,PASSWORD);
    load_dh_params(ctx,DHFILE);
    generate_eph_rsa_key(ctx);
    SSL_CTX_set_session_id_context(ctx,(void*)s_server_session_id_context,
                                   sizeof s_server_session_id_context);

    /* Not needed under inetd: the socket is already accepted
    sock=tcp_listen();
    while(1){
      if((s=accept(sock,0,0))<0)
        err_exit("Problem accepting");
    */
    sbio_in=BIO_new_socket(0,BIO_NOCLOSE);    /* changed: read side on fd 0 */
    sbio_out=BIO_new_socket(1,BIO_NOCLOSE);   /* changed: write side on fd 1 */
    ssl=SSL_new(ctx);
    SSL_set_bio(ssl,sbio_in,sbio_out);        /* changed */
    if((r=SSL_accept(ssl))<=0)
      berr_exit("SSL accept error");

This still does not work with inetd.

Actually I don't see why you should have to use 2 sbio objects when the program is invoked by inetd, but can get away with one when the server is invoked from the command line; it seems to me that it should be the same either way. I'm strictly an amateur, but I would think that the difference between starting the program from the command line and from inetd shouldn't have to do so much with the socket descriptors, but with the things that inetd does *before* invoking the daemon (eg, Chapter 12, UNIX Network Programming, Stevens).

--
Matthew Fleming, MD
Associate Professor
Dept. of Dermatology
Medical College of Wisconsin
E-mail: [EMAIL PROTECTED]
S-mail: Dept. of Dermatology, Medical College of Wisconsin, 8701 Watertown Plank Rd., Milwaukee, WI 53226
Phone: 414.456.4072
Fax: 414.456.6518

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
HowTo extract publickey and privatekey
Hi, I am a newbie to openssl. How can I extract the public key and private key when I have xx.p12 and xxx.cer? Could you give an example?

Thanks in advance.

Aqualic, [EMAIL PROTECTED]
Installation problem with OpenSSL..
Dear OpenSSL team,

I am a user of "OpenSSH" and when I try to self-compile openssh for my PowerPC, it also needs the OpenSSL libraries. So, due to the above reasons, I had to also get OpenSSL installed on my PowerPC in order to get a running version of openSSL. But during the installation (at "make") of openSSL, I have a problem. I have just pasted below the output which appeared after the make process on my PowerPC. Please do suggest me some solutions.

PS: I had mounted the sources required for the OpenSSL for my PowerPC from a PC, where a pre-compiled version of openSSH and OpenSSL already existed.

Yours sincerely,
Suja.

Output:

    File in wrong format: failed to merge target specific data of file ../libcrypto.a(rc5_skey.o)
    sh: syntax error near unexpected token `../libcrypto.a(r'
    root:/openssh-2.9p1 > /usr/powerpc-hardhat-linux/bin/ld: r586-elf.o: compiled for a little endian system and target is big endian
    sh: /usr/powerpc-hardhat-linux/bin/ld:: No such file or directory
    root:/openssh-2.9p1 > File in wrong format: failed to merge target specific data of file ../libcrypto.a(r586-elf.o)

--
Sujatha Mukunthan
SW-Technology(PTT)
Siemens Building Technology AG
CH-8708, Switzerland.
++41 (0)1 / 922 - 69 42 (Tel)
++41 (0)1 / 922 - 69 69 (Fax)
mailto: [EMAIL PROTECTED]
Re: Installation problem with OpenSSL..
Hi

At 10:08 21.11.2001 +0100, you wrote:
> PS: I had mounted the sources required for the OpenSSL for my PowerPC from a PC, where a pre-compiled version of openSSH and OpenSSL already existed.
>
> Yours sincerely,
> Suja.
>
> Output:
>
>     File in wrong format: failed to merge target specific data of file ../libcrypto.a(rc5_skey.o)
>     sh: syntax error near unexpected token `../libcrypto.a(r'
>     root:/openssh-2.9p1 /usr/powerpc-hardhat-linux/bin/ld: r586-elf.o: compiled for a little endian system and target is big endian
>     sh: /usr/powerpc-hardhat-linux/bin/ld:: No such file or directory
>     root:/openssh-2.9p1 File in wrong format: failed to merge target specific data of file ../libcrypto.a(r586-elf.o)

make clean may help

regards

Erich Titl
pkcs12 seems to export keys even if -nokeys is used
Hi Folks

This refers to openssl 0.9.6b.

I try to export a cacert to a pkcs12 file using

    openssl pkcs12 -export -inkey RufCA/private/cakey.pem -out cacerts.p12 -cacerts -nokeys -name "Ruf CA Certificate" RufCA/cacert.pem

Maybe I haven't fully understood this, but the -nokeys should prevent the private key from being exported. If I do

    openssl pkcs12 -in cacerts.p12

I still get a private key displayed. What am I missing here?

Thanks

Erich Titl
SMTP server questions
Hi All,

I know this is not the place to ask this question but I need to start somewhere. I'm in the middle of implementing event-sinks for an SMTP server. Where can I ask some technical questions concerning authentication issues?

Thank you very much for the help,

Ulrichts Erik
Software engineer
Hypertrust NV
Belgium
ERROR VALIDATE CERTIFICATE
Hi,

I create a certificate request to CA with keytool (JDK tool):

    keytool -certreq -alias firmacliente -file reqclien.csr -keystore cliente

I export to file in CA path (copy ...). I will validate the reqclien.csr. And then I execute:

    openssl ca -in reqclien.csr -verbose

And then an error appears:

    wrong number of fields on line 1 (looking for field 6, got 1, '' left)

Can you help me? Thanks

IS VERY IMPORTANT, PLEASE HELP ME!!
CRL adds 00 to the certificate serial number
Dear,

I have some trouble with CRL creation and some certificate serial numbers. I wrote some code using OpenSSL 0.9.6 to create and sign a CRL. I can specify the serial number (hex) of the certificates which I want to revoke. Everything works fine, except for some serial numbers: if my serial number starts with a number higher than 7, OpenSSL adds 00 before it. Ex:

    7FF5A2 -> 7FF5 A2   : Correct
    8FF5A2 -> 008F F5A2 : Incorrect
    FFF5A2 -> 00FF F5A2 : Incorrect

I suspect that there is a trouble with a conversion (signed -> unsigned). This is my code to add a revoked certificate:

    (void)BIO_reset(hex);
    if (!BIO_puts(hex,pp[DB_serial])) goto err;
    if (!a2i_ASN1_INTEGER(hex,r->serialNumber,buf[0],BSIZE)) goto err;
    sk_X509_REVOKED_push(ci->revoked,r);

What can I do to solve this problem?

Blaise
---
Blaise Lugeon
Nagracard (+41) 021-732 07 18
KUDELSKI SA
Route de Genève 22
1033 Cheseaux
SWITZERLAND
Setting CA cert for verification.
Hi all,

I am working on a TLS client using OpenSSL on VxWorks. I need to do server authentication. The openssl function SSL_CTX_load_verify_locations() takes a file as a parameter for the CA certificate. In my application, there is no standard file system and I have the CA cert (DER form) in memory. Is there a way to set the CA cert memory buffer as trusted cert for an SSL context? Any pointers will be very much appreciated.

thanks,
Krishna
Re: pkcs12 seems to export keys even if -nokeys is used
Erich Titl wrote:
> Hi Folks
>
> This refers to openssl 0.9.6b.
>
> I try to export a cacert to a pkcs12 file using
>
>     openssl pkcs12 -export -inkey RufCA/private/cakey.pem -out cacerts.p12 -cacerts -nokeys -name "Ruf CA Certificate" RufCA/cacert.pem
>
> Maybe I haven't fully understood this, but the -nokeys should prevent the private key from being exported. If I do
>
>     openssl pkcs12 -in cacerts.p12
>
> I still get a private key displayed. What am I missing here?

You can't use a PKCS#12 file to import a CA certificate only into a browser. Read the FAQ for more info.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Identifying peer cert in verify_callback
Hi all,

I am using a certificate verification callback function as follows:

    SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, cert_verify_cb);

In the callback function, in addition to the standard certificate verification done by OpenSSL, I need to check the subject name of the peer certificate. Since the callback function is called for every certificate in the certificate chain, from the parameter X509_STORE_CTX *, how do I know if the current certificate is the peer certificate? Any inputs/pointers will be greatly appreciated.

thanks,
Krishna
Re: pkcs12 seems to export keys even if -nokeys is used
Hi Steve

At 12:48 21.11.2001 +, you wrote:
> You can't use a PKCS#12 file to import a CA certificate only into a browser. Read the FAQ for more info.

Sorry if this was pure RTFM

Erich
Re: SMTP server questions
Hi,

For authentication issues, you should start at www.linuxsecurity.com, they have a good security-discuss list!

At 10:13 AM CN=111553.OU=Pa01L +0100, you wrote:
> Hi All,
>
> I know this is not the place to ask this question but I need to start somewhere. I'm in the middle of implementing event-sinks for an SMTP server. Where can I ask some technical questions concerning authentication issues?
>
> Thank you very much for the help,
>
> Ulrichts Erik
> Software engineer
> Hypertrust NV
> Belgium

Eric Daigneault
Administrateur Systemes
Vacances Air Canada
-- Play with the best, die like the rest --
Re: [Fwd: SSL not listening.- Need Help]
I obviously had a brain lapse :) Never copied over the new httpd.conf-dist, thanks for saving me! Man, I'm glad we have 4 days off this week! Have a good T-Day and some Sam Admins to boot. Thanks to all who replied!

-D

Cdowns wrote:

Subject: Re: SSL not listening.- Need Help
Date: Tue, 20 Nov 2001 21:56:24 -0800 (PST)
From: "J. Johnson" <[EMAIL PROTECTED]>
To: Cdowns <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]

First of all, port 443 should (if the server is set up right, and running) be the https port. It sort of looks like you have http on port 443, and your browser is smart enough to ask why it isn't seeing https.

Second, check your log directory: you should (if you've gone the straight untouched default) have two ssl logs. Check the dates to see how current they are, and then check the messages.

Third, mod_ssl doesn't tell you how or where to add SSL things in httpd.conf because it should be doing it for you: you should not have to. Does your httpd.conf file have a number of "<IfDefine SSL>" lines? If not, you are not using the right file. Possibly it was created, but not copied to the conf directory because of an existing file. Check in your Apache source area for a 'httpd.conf-dist' file, and see if it has SSL lines. If not, mod_ssl may have failed. (Hopefully you captured the output of your various install steps, including 'make install', so you could review them for errors. Right?)

=== JJ =

On Tue, 20 Nov 2001, Cdowns wrote:

> Ok,
> I'm really starting to wonder what is going on or am I totally crazy. I have everything compiled and started /usr/local/apache/apachestl startssl:
>
> [root@mail1 logs]# /usr/local/apache/bin/apachectl startssl
> /usr/local/apache/bin/apachectl startssl: httpd started
> [root@mail1 logs]# cat /usr/local/apache/logs/error_log
> --- snip for brevity ---
> [Tue Nov 20 22:07:22 2001] [info] Server built: Nov 20 2001 21:37:40
> [Tue Nov 20 22:07:22 2001] [notice] Accept mutex: sysvsem (Default: sysvsem)
> [Tue Nov 20 22:17:44 2001] [info] removed PID file /usr/local/apache/logs/httpd.pid (pid=6289)
> [Tue Nov 20 22:17:44 2001] [notice] caught SIGTERM, shutting down
> [Tue Nov 20 22:17:49 2001] [info] created shared memory segment #3456
> [Tue Nov 20 22:17:49 2001] [notice] Apache/1.3.22 (Unix) mod_ssl/2.8.5 OpenSSL/0.9.6b configured -- resuming normal operations
> [Tue Nov 20 22:17:49 2001] [info] Server built: Nov 20 2001 21:37:40
> [Tue Nov 20 22:17:49 2001] [notice] Accept mutex: sysvsem (Default: sysvsem)
> [root@mail1 logs]# cat ../conf/httpd.conf | grep Listen
> # Listen: Allows you to bind Apache to specific IP addresses and/or
> #Listen 3000
> #Listen 12.34.56.78:80
> Listen 443
> # See also the <VirtualHost> and Listen directives.
>
> I added the Listen 443 to httpd.conf by hand but it does not say anywhere on the mod-ssl-2.8.5 INSTALL Doc to do so.
>
> [root@mail1 logs]# netstat -na | grep 443
> tcp 0 0 127.0.0.1:4443 127.0.0.1:389 TIME_WAIT
> tcp 0 0 127.0.0.1:4439 127.0.0.1:389 TIME_WAIT
> tcp 0 0 127.0.0.1:4438 127.0.0.1:389 TIME_WAIT
> tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
> [root@mail1 logs]# netstat -na | grep 80
> [root@mail1 logs]#
>
> When I try to access http://www.server.com:443 the site comes up but with no SSL? And when I try https://www.server.com I get Network IO error? I've read the INSTALL docs upside down and don't understand what is happening. If anyone has any ideas about this one I would really appreciate it.
>
> Sincerely,
> Christopher M Downs

--
Network Security Administrator
Christopher M Downs
Skillsoft Corporation
http://www.skillsoft.com
"you can't point and click your way to super cracker status -"
Re: CRL adds 00 to the certificate serial number
On Wed, 21 Nov 2001, Lugeon Blaise wrote:
> Everything works fine, except for some serial numbers: if my serial number starts with a number higher than 7, OpenSSL adds 00 before it. Ex:
>
>     7FF5A2 -> 7FF5 A2   : Correct
>     8FF5A2 -> 008F F5A2 : Incorrect
>     FFF5A2 -> 00FF F5A2 : Incorrect
>
> I suspect that there is a trouble with a conversion (signed -> unsigned).

The serial number is an integer. An integer can be either positive or negative, so there should be something to store the sign of it. Actually, the sign is specified by the highest order bit of the number (the one on the left when you display it). If it's 1, then the number is negative. If your number 8ff5a2 is a positive one, you must add a leading 00 before its representation (because 8 has its highest order bit set, a number starting with 8 in its representation should be negative). Fortunately, that doesn't change the value of the number.

If you thought you could perform a byte by byte comparison to test the serial numbers, you're wrong. Remember that serial numbers are in fact integers, not binary blobs. You have to perform an arithmetic comparison.

--
Erwann ABALEA [EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
- Against stupidity, the Gods themselves, contend in vain!
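The encoding rule Erwann describes, and the arithmetic (rather than byte-wise) comparison he recommends, can be shown without OpenSSL at all, since both follow from how DER encodes an INTEGER. The block below is an added example for this page, not code from either poster; the hex parser, the padding routine and the comparison helper are all constructed here, and the three serials from Blaise's message are the sample input.

```c
/* Added example: why a serial whose first byte is 0x80 or above gets a
 * leading 0x00 in a CRL, and how to compare serials correctly.
 * X.509 serial numbers are ASN.1 INTEGERs, which DER stores in two's
 * complement, so a set top bit would mean "negative". */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static int nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse an even-length hex string such as "8FF5A2". Returns byte count, 0 on error. */
size_t hex_to_bytes(const char *hex, unsigned char *out, size_t cap)
{
    size_t n = strlen(hex), o = 0;
    if (n == 0 || n % 2 != 0) return 0;
    for (size_t i = 0; i < n; i += 2) {
        int hi = nibble(hex[i]), lo = nibble(hex[i + 1]);
        if (hi < 0 || lo < 0 || o >= cap) return 0;
        out[o++] = (unsigned char)((hi << 4) | lo);
    }
    return o;
}

/* Content octets of a DER INTEGER for a non-negative magnitude: drop
 * redundant leading zeros, then prepend one 0x00 if the top bit is set
 * (this is the 00 Blaise saw). Returns the length, 0 if out is too small. */
size_t der_integer_content(const unsigned char *mag, size_t len,
                           unsigned char *out, size_t cap)
{
    if (len == 0) {
        if (cap < 1) return 0;
        out[0] = 0;
        return 1;
    }
    size_t i = 0;
    while (i + 1 < len && mag[i] == 0) i++;      /* keep at least one byte */
    int pad = (mag[i] & 0x80) != 0;
    size_t need = (len - i) + (size_t)pad;
    if (need > cap) return 0;
    if (pad) out[0] = 0x00;
    memcpy(out + pad, mag + i, len - i);
    return need;
}

/* Convenience: hex serial string -> DER INTEGER content octets. */
size_t der_serial_from_hex(const char *hex, unsigned char *out, size_t cap)
{
    unsigned char mag[64];
    size_t n = hex_to_bytes(hex, mag, sizeof mag);
    return n ? der_integer_content(mag, n, out, cap) : 0;
}

/* Compare two encoded non-negative serials as integers: strip the sign
 * padding first, then compare by length and magnitude. Returns -1, 0 or 1.
 * A raw memcmp() would call 00 8F F5 A2 and 8F F5 A2 different values. */
int serial_cmp(const unsigned char *a, size_t alen,
               const unsigned char *b, size_t blen)
{
    while (alen > 1 && a[0] == 0) { a++; alen--; }
    while (blen > 1 && b[0] == 0) { b++; blen--; }
    if (alen != blen) return alen < blen ? -1 : 1;
    int c = memcmp(a, b, alen);
    return (c > 0) - (c < 0);
}

int main(void)
{
    /* Constructed sample input: the three serials from the thread. */
    const char *examples[] = { "7FF5A2", "8FF5A2", "FFF5A2" };
    unsigned char der[8];
    for (size_t k = 0; k < 3; k++) {
        size_t n = der_serial_from_hex(examples[k], der, sizeof der);
        printf("%s ->", examples[k]);
        for (size_t j = 0; j < n; j++) printf(" %02X", der[j]);
        printf("\n");
    }
    return 0;
}
```

Running it reproduces the table in the thread: 7FF5A2 stays three bytes, while 8FF5A2 and FFF5A2 become four bytes with a leading 00. The padding byte carries no value, which is why serial_cmp() discards it before comparing; code that matched revoked serials with memcmp() on the raw encoding would miss every serial whose top bit is set.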
RE: SMTP server questions
Here are some RFCs containing security discussions regarding SMTP that you might find helpful:

http://www.ietf.org/rfc/rfc2449.txt
http://www.ietf.org/rfc/rfc2487.txt
http://www.ietf.org/rfc/rfc2554.txt
http://www.ietf.org/rfc/rfc2595.txt

-----Original Message-----
From: Eric Daigneault [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 9:05 AM
To: [EMAIL PROTECTED]
Subject: Re: SMTP server questions

Hi,

For authentication issues, you should start at www.linuxsecurity.com, they have a good security-discuss list!

At 10:13 AM CN=111553.OU=Pa01LS +0100, you wrote:
> Hi All,
>
> I know this is not the place to ask this question but I need to start somewhere. I'm in the middle of implementing event-sinks for an SMTP server. Where can I ask some technical questions concerning authentication issues?
>
> Thank you very much for the help,
>
> Ulrichts Erik
> Software engineer
> Hypertrust NV
> Belgium

Eric Daigneault
Administrateur Systemes
Vacances Air Canada
-- Play with the best, die like the rest --
FW: is there any ssl opensource implemented using cdsa available?
Hello Group,

Resending, somehow it didn't go through the first time.

Regards,
Prashant.

http://developer.intel.com/ial/security/documentation.htm

Look for "Integrating CDSA into OpenSsl" [it is in PDF format] in the white papers section. Also look for "SSL and CDSA" in the presentations section. Also I think they already provide an Enhanced adaption layer for the OpenSsl cryptographic plug-in. Look under http://developer.intel.com/ial/security/download.htm

Regards,
Prashant Kumar.

-----Original Message-----
From: Mads [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 20, 2001 11:27 AM
To: openssl-users
Subject: RES: is there any ssl opensource implemented using cdsa available?

Would it be possible for you to find a URL?

-----Original Message-----
From: Prashant Kumar [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 21 November 2001 00:05
To: openssl-users
Cc: openssl-dev
Subject: RE: is there any ssl opensource implemented using cdsa available?

I saw a paper on the Intel or IBM website where they have explained a few facts about integrating OpenSsl in CDSA. Also I think some effort is in progress.
Re: Identifying peer cert in verify_callback
On Wed, Nov 21, 2001 at 06:17:21PM +0530, Krishnaswamy R. wrote:
> I am using a certificate verification callback function as follows:
>
>     SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, cert_verify_cb);
>
> In the callback function, in addition to the standard certificate verification done by OpenSSL, I need to check the subject name of the peer certificate. Since the callback function is called for every certificate in the certificate chain, from the parameter X509_STORE_CTX *, how do I know if the current certificate is the peer certificate?

man SSL_CTX_set_verify:

    The depth count is level 0: peer certificate, level 1: CA certificate,
    level 2: higher level CA certificate, and so on.

with

    depth = X509_STORE_CTX_get_error_depth(ctx);

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: Setting CA cert for verification.
On Wed, Nov 21, 2001 at 04:39:52PM +0530, Krishnaswamy R. wrote:
> I am working on a TLS client using OpenSSL on VxWorks. I need to do server authentication. The openssl function SSL_CTX_load_verify_locations() takes a file as a parameter for the CA certificate. In my application, there is no standard file system and I have the CA cert (DER form) in memory. Is there a way to set the CA cert memory buffer as trusted cert for an SSL context?

openssl/crypto/x509/by_file.c:

    ...
    X509_STORE_add_cert(ctx->store_ctx,x);
    ...

No documentation available, but it should be self-explanatory :-).

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
RE: RPM Source code version
-----Original Message-----
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
Sent: 20 November 2001 19:42
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: RPM Source code version

> From: Eric Daigneault [EMAIL PROTECTED]
>
> scouby> At 03:40 PM CN=a2011in.O=acv0111 +, you wrote:
> scouby> RedHat use libcrypto.so.1 (name of the file), but when you install the
> scouby> source, the name of the file is libcrypto.so.0. Go ask RH why they did
> scouby> that, cause it's was stupid !
>
> The reason is probably that RH started producing shared libraries of OpenSSL before we had gotten started on it. So they probably had some idea of what scheme they wanted to use and went ahead with it. The stupid part was probably that they didn't bother talking with us (or perhaps they did, but that was before my time as OpenSSL developer then).

I think openssl was released for RedHat 6.2 on April 17th this year (see http://www.redhat.com/support/errata/RHSA-2001-051.html) although this may have been an update to a previous version. I never touched it, as it wasn't necessary and the OS didn't require it. Since RedHat 7.0 it's basically been an essential part of the OS (although I've only tried it on 7.1 and 7.2).

It does look like they didn't consult openssl developers before they produced their shared libraries, but I don't think they would object to being contacted now. Any changes could be put into a future edition. However, the version they package has a number of changes, eg they remove certain crypto algorithms that are patented in the US. I had a brief discussion with one of their staff on this list about making a non-US package available, but the sticking point with that is how to integrate it with their up2date tool. Unless we have US and non-US versions of RedHat I think we'll be stuck with that one.

Incidentally, the hack of using a symlink doesn't work for all packages, eg openssh still doesn't like the existence of different libraries to the libraries it was compiled against.

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299
Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]
-
Re: Errors in Apache
Hi Mark,

Nazzaro, Mark (Mark) wrote:
> We are getting the following error messages in our Apache error_log:
>
>     [Wed Nov 21 08:43:40 2001] [error] mod_ssl: SSL handshake failed (server mylucent.web.lucent.com:443, client 135.103.93.70) (OpenSSL library error follows)
>     [Wed Nov 21 08:43:40 2001] [error] OpenSSL: error:27066221::lib(39) :func(102) :reason(545)
>     [Wed Nov 21 08:43:40 2001] [error] OpenSSL: error:1409B004::lib(20) :func(155) :reason(4)
>
> Any help would be greatly appreciated.

Was your server running OK before, or is it a new error? Which service: apache with mod_ssl or apache_ssl? Which version?

Laurent Jouannic
http://www.d2i.fr (in french)
Re: RPM Source code version
Anyone knows how to install the Redhat 7.2 RPM version of openssl over the Redhat 7.1 RPM version of openssl? It seems that even if I do this

    rpm -Fvh --nodeps openssl-0.9.6b-8.i386.rpm

there will be some ssl library files missing when I launch KDE or some other apps.

Thanks

Joe Orton wrote:
> On Tue, Nov 20, 2001 at 03:40:32PM +, [EMAIL PROTECTED] wrote:
> > Hi Sirs,
> > I'm running RedHat 7.1 with kernel 2.4.3-12 on my Intel P3 866 system. Recently, I just removed the openssl package that came with RedHat 7.1 and I installed the source package from the openssl website. After this I was not able to use most of my apps (like ssh, dig, nslookup, KDE). There is always an error saying libcrypto.so.1 not found. I really need the source code version cause sendmail STARTTLS requires it.
>
> In general it is not a good idea to replace packaged system libraries with ones you have compiled yourself, this is a recipe for disaster.
>
> > Can both types of openssl package work happily on the same machine? If it's not possible, is there any way for me to use the source code version without affecting my other apps?
>
> I would reinstall the RPM, and install your compiled OpenSSL somewhere other than /usr, e.g. using
>
>     ./Configure --prefix=/opt/myopenssl
>
> (and then make sendmail pick up your compiled OpenSSL rather than the system one)
>
> Regards, joe
Re: https
Your CPAN is out of date. The current Crypt::SSLeay version is 0.35. Additionally, LWP recommends Crypt::SSLeay (see README.SSL in the source tree). I had problems in the past with both Net::SSLeay and Crypt::SSLeay installed when using LWP, which is why I recommended removing it. It's your choice which to use, though the read me states that Net::SSLeay doesn't directly support LWP, so I imagine you will get better results with LWP if you use the library recommended by the author.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

> From: Sean O'Riordain [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date: Wed, 21 Nov 2001 08:44:40 +
> To: [EMAIL PROTECTED]
> Subject: Re: https
>
> Keary Suska wrote:
> > I would recommend that you remove Net::SSLeay and install Crypt::SSLeay. The former is no longer being maintained (and is considered deprecated), and may not function properly with newer openssl versions, but the latter is being actively maintained and I have been having good results from it.
>
> 'cording to my local CPAN, Net_SSLeay.pm-1.09.tar.gz is dated 25 Sep 2001 and Crypt-SSLeay-0.31.tar.gz is dated 21 Sep 2001, so not much difference there :-)
>
> Sean
Re: RPM Source code version
On Thu, Nov 22, 2001 at 01:44:57AM +0800, Lim Kwang Eng wrote:
> Anyone knows how to install the Redhat 7.2 RPM version of openssl over the Redhat 7.1 RPM version of openssl?

You need to get the openssl096 compatibility package;

    ftp://rpmfind.net/linux/redhat/7.2/en/os/i386/RedHat/RPMS/openssl096-0.9.6-6.i386.rpm

then upgrade them in a single command;

    rpm -Uvh openssl-0.9.6b-8.i386.rpm openssl096-0.9.6-6.i386.rpm

(and add the new openssl-devel package in there too if you need that)

Regards, joe
RE: Win32 Hair Loss
There may be a problem with the random generator code. The source has some specific treatment for win2000 and performance counter stuff; it seems that actually you can have the problem also on NT machines, and it seems that this depends on what kind of software you have installed.
Re: Installation problem with OpenSSL..
If I would offer my best guess, I would say that your openssl libs were compiled for a CISC architecture (such as Intel), the key words 586 and little endian giving the clue. I can't imagine how if you compiled the openssl libs yourself, but it could happen if you installed an RPM built for CISC. Another possibility is that the configure script couldn't correctly guess your architecture (isn't hardhat for embedded systems?), and made a bad guess, though I am surprised the compile would have succeeded. I would recommend recompiling openssl with linux-ppc as the target, and see if you get better results.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

> From: Sujatha Mukunthan [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date: Wed, 21 Nov 2001 10:08:23 +0100
> To: [EMAIL PROTECTED]
> Subject: Installation problem with OpenSSL..
>
> Dear OpenSSL team,
>
> I am a user of OpenSSH and when I try to self-compile openssh for my PowerPC, it also needs the OpenSSL libraries. So, due to the above reasons, I had to also get OpenSSL installed on my PowerPC in order to get a running version of openSSL. But during the installation (at make) of openSSL, I have a problem. I have just pasted below the output which appeared after the make process on my PowerPC. Please do suggest me some solutions.
>
> PS: I had mounted the sources required for the OpenSSL for my PowerPC from a PC, where a pre-compiled version of openSSH and OpenSSL already existed.
>
> Yours sincerely,
> Suja.
>
> Output:
>
>     File in wrong format: failed to merge target specific data of file ../libcrypto.a(rc5_skey.o)
>     sh: syntax error near unexpected token `../libcrypto.a(r'
>     root:/openssh-2.9p1 /usr/powerpc-hardhat-linux/bin/ld: r586-elf.o: compiled for a little endian system and target is big endian
>     sh: /usr/powerpc-hardhat-linux/bin/ld:: No such file or directory
>     root:/openssh-2.9p1 File in wrong format: failed to merge target specific data of file ../libcrypto.a(r586-elf.o)
>
> --
> Sujatha Mukunthan
> SW-Technology(PTT)
> Siemens Building Technology AG
> CH-8708, Switzerland.
> ++41 (0)1 / 922 - 69 42 (Tel)
> ++41 (0)1 / 922 - 69 69 (Fax)
> mailto: [EMAIL PROTECTED]
Re: questions about CRL check
It seems like there's a problem in concepts: a certificate cannot contain a CRL, but a CRL can contain one or more certificates. Considering that, a certificate cannot even be sure to be contained in a CRL; that can only be known by checking the CRL. Regarding your second question, a certificate cannot get a CRL, that's a CA job; the CA defines how often the CRL will be available, so you need to do this manually. I hope it helps, bye.

Juan Carlos Albores Aguilar

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 20, 2001 8:49 PM
Subject: questions about CRL check

Hi,
1. Is an X.509 certificate guaranteed to contain a certificate revocation list?
2. If an X.509 certificate contains a CRL, is there an interface defined in it on how to get the latest CRL from the CA to replace the current CRL? Does any RFC define it?
Thank you and have a nice day.
Sincerely, Wooce
RE: questions about CRL check
An X.509 certificate does NOT contain ANYTHING related to a CRL. But an X.509 certificate contains a serial number which WILL be included in the VeriSign-issued CRL list in case the certificate was revoked. http://onsitecrl.verisign.com/ is the site where you can check if your certificate was revoked: put in the serial number of the revoked certificate and you will see it in the list. I believe in our case, VeriSign sends us the CRL every 3 hrs or smth. But you also can use the OSPF (smth like this) protocol to get a real-time CRL list. Hope this helps!

Leon

-Original Message-
From: Juan Carlos Albores Aguilar [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 1:31 PM
To: [EMAIL PROTECTED]
Subject: Re: questions about CRL check
Creating a self-signed Digital Certificate for Outlook.
What are the steps for making a self-signed digital certificate that Outlook likes? I am trying to create a digital signature using a self-signed CA, and Outlook keeps telling me that I have an invalid format. The procedure I'm following is below. In summary, I create my self-signed CA, I create my client.req, then the CA-signed client.cer. I've tried converting this to a PKCS#12 cert but it did not make a difference.

Create CA:
openssl dsaparam -out dsap.pem 1024
openssl gendsa -out ca.key -des3 -rand randfile dsap.pem
openssl req -new -key ca.key -out ca.csr -config openssl.cnf
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.cer

Create client signed certificate:
openssl gendsa -out client.key -des3 -rand randfile
openssl req -new -key client.key -out client.csr -config openssl.cnf
openssl x509 -req -days 365 -CA ca.cer -CAkey ca.key -CAcreateserial -in client.csr -out client.cer

If converting to pkcs12:
openssl pkcs12 -export -in client.cer -inkey client.key -certfile ca.cer -caname COMPANY -out ~nei/projects/client.pfx -name "Client Certificate"

Thanks, Chris
Re: https
On Tue, 20 Nov 2001, Keary Suska wrote:
... I would recommend that you remove Net::SSLeay and install Crypt::SSLeay. The former is no longer being maintained (and is considered deprecated), and may not function properly with newer openssl versions, but the latter is being actively maintained and I have been having good results from it.

I'm using the latest Net::SSLeay version (1.08) with no problems and it does support OpenSSL v0.9.6b quite well. Net::SSLeay is maintained and not deprecated at all, IMHO.

-- aspa
Re: https
On Wed, 21 Nov 2001, Keary Suska wrote:
... It's your choice which to use, though the README states that Net::SSLeay doesn't directly support LWP, so I imagine you will get better results with LWP if you use the library recommended by the author.

Yes, this choice is a matter of opinion; to my knowledge there aren't any known reliability issues involved. It is true that Net::SSLeay doesn't directly support LWP. For this you need to install IO::Socket::SSL, which is mainly why I originally recommended using Crypt::SSLeay in the LWP README.SSL, so that the installation would be as easy as possible for the average user.

-- aspa
Qnx 6
I hope this isn't inappropriate for this list. This minor change in Configure allows openssl-0.9.6b to build on qnx 6.1.0. *** Configure.orig Mon Jul 9 10:08:37 2001 --- Configure Wed Nov 21 15:37:59 2001 *** *** 322,327 --- 322,330 # QNX 4 qnx4, cc:-DL_ENDIAN -DTERMIO::(unknown)::${x86_gcc_des} ${x86_gcc_opts}:, + # QNX 6 + qnx6, cc:-DL_ENDIAN -DTERMIOS::-lsocket::${x86_gcc_des} ${x86_gcc_opts}:, + # Linux on ARM linux-elf-arm,gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR), __ OpenSSL Project http://www.openssl.org User Support Mailing List[EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
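Review bot: the new qnx6 entry (the two `+` lines) switches from the -DTERMIO that the qnx4 line right above it uses to -DTERMIOS and adds -lsocket, with no comment saying why; a one-line note next to it (the -lsocket suggests the socket functions live in a separate library on QNX 6) and a remark that it has only been tried on 6.1.0 would save the next reader from guessing. The entry also leaves empty the dso and shared-library fields that the neighbouring linux-elf-arm line fills in (dlfcn, linux-shared, -fPIC, the .so suffix), so this target builds static libraries only; if that is intended, it is worth stating in the comment.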
RE: dont want private key of the client in the ldap
Steve, could you please let me know the exact openssl commands for generating the CA cert and client certs, both without compromising the private keys. As you told, the CA's private key is sent to everyone in the following method. But I couldn't find how to stop this. And also, I want to generate the client certificates using just the CSR, and I also don't want to store anything else in the LDAP entries except the certificate alone. I would like to know the openssl command steps for this also. All I did was follow some openssl cookbook found somewhere on the net. I couldn't find any specialist procedure (incl. step-by-step commands) for generating CA and client certs. Waiting for guidance.

Sarath

Hi everybody, I am trying to do client authentication using a self-signed CA and client certificates. I want to store the client certificate in the LDAP entries. The CA certificate is in the web server. I followed the below mentioned steps to create the CA and client certificates:

CA Certificate
# generate the key for the certificate and store it in .key file
openssl genrsa -des3 -out $CA_DIR/CA.key 1024
# sign the request for the CA cert and store it in .csr file
openssl req -new -x509 -days 365 -config $SSLDIR/openssl.cnf -key $CA_DIR/CA.key -out $CA_DIR/CA.crt
# convert the cert into pkcs12 format so that it can be imported into IE
openssl pkcs12 -export -in $CA_DIR/CA.crt -inkey $CA_DIR/CA.key -out $CA_DIR/CA.pfx

DO NOT DO THIS!! This gives away your CA's private key to everyone using it and renders it useless.

Steve.
-- Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/ Personal Email: [EMAIL PROTECTED] Senior crypto engineer, Gemplus: http://www.gemplus.com/ Core developer of the OpenSSL project: http://www.openssl.org/ Business Email: [EMAIL PROTECTED] PGP key: via homepage.
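Both Chris's Outlook procedure above and Sarath's question here come down to the same flow, and the point Steve is making is that the CA's private key must never be part of what gets handed out. The script below is an added example, not code from the thread or from the OpenSSL project: the CA key is used only to sign, the client generates its own key and sends a CSR, the client gets back a certificate, and the PKCS#12 that goes to the mail client contains the client key, the client certificate and the CA certificate only; the CA certificate is distributed on its own with -nokeys. It uses RSA keys rather than the DSA keys in Chris's commands and adds the emailProtection extended key usage with the mail address as a subjectAltName, which is the certificate profile S/MIME clients look for; those choices are this example's, not something the thread confirms as the fix. It assumes an openssl command line (1.1.1 or later options), and the names, addresses and the password "demo" are constructed for the demo.

```shell
#!/bin/sh
# Added example: CSR-based S/MIME issuance where the CA key stays with the CA.

# Create a demo CA, issue one S/MIME certificate for $1, and print the work dir.
issue_smime_cert() {   # $1 = mail address
    dir=$(mktemp -d)
    (
        cd "$dir" || exit 1
        cat > ext.cnf <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ smime_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
        # CA side: ca.key never leaves this directory; only ca.crt is published.
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -config ext.cnf -extensions ca_ext -key ca.key \
            -subj "/CN=Demo Mail CA" -days 365 -out ca.crt 2>/dev/null
        # Client side: key generated locally; only the CSR is sent to the CA.
        openssl genrsa -out client.key 2048 2>/dev/null
        openssl req -new -config ext.cnf -key client.key \
            -subj "/CN=Alice Example/emailAddress=$1" -out client.csr 2>/dev/null
        # CA side: sign the CSR, adding the S/MIME extensions from ext.cnf.
        openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
            -CAcreateserial -extfile ext.cnf -extensions smime_ext -out client.crt 2>/dev/null
        # Client side: bundle its own key, its cert and the CA cert for the mail client.
        openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt \
            -name "Alice S/MIME" -passout pass:demo -out client.pfx 2>/dev/null
        # Distributing the CA certificate: -nokeys keeps ca.key out of the bundle.
        openssl pkcs12 -export -nokeys -in ca.crt -passout pass:demo -out ca-only.pfx 2>/dev/null
    ) || return 1
    echo "$dir"
}

# Count private keys inside a PKCS#12 file: 1 for a client bundle, 0 for a CA bundle.
pkcs12_key_count() {   # $1 = .pfx file, $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -c 'BEGIN.*PRIVATE KEY'
}

# Check the issued cert: chains to ca.crt for S/MIME signing and carries the address.
check_smime_cert() {   # $1 = work dir, $2 = mail address
    openssl verify -CAfile "$1/ca.crt" -purpose smimesign "$1/client.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/client.crt" -noout -text | grep -q 'E-mail Protection' || return 1
    openssl x509 -in "$1/client.crt" -noout -text | grep -q "email:$2"
}
```

The pkcs12_key_count check is the one to run on any .pfx before it leaves the CA machine: Sarath's CA.pfx, built with -inkey CA.key, would report 1, which is exactly what Steve is warning about.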
Re: questions about CRL check
Thanks to Leon and Juan. Maybe it should be OCSP (Online Certificate Status Protocol) instead of OSPF. When choosing Tools-Options-Security-Advanced in Outlook Express, there's an option about revocation checking; you can choose between only when online or never. If you choose only when online, then when a signed mail is received by Outlook Express, the certificate in the mail will be checked as to whether it's already revoked. How can Outlook Express perform this task? Does Outlook Express use the OCSP protocol to get a real-time CRL list for the revocation checking task? And there exists a CRL distribution points extension (CDP) in X.509 v3 certificates; the CDP extension identifies how CRL information is obtained (see RFC 2459). See below:

cRLDistributionPoints ::= { CRLDistPointsSyntax }
CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
DistributionPoint ::= SEQUENCE {
    distributionPoint [0] DistributionPointName OPTIONAL,
    reasons [1] ReasonFlags OPTIONAL,
    cRLIssuer [2] GeneralNames OPTIONAL }
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
GeneralName ::= CHOICE {
    otherName [0] OtherName,
    rfc822Name [1] IA5String,
    dNSName [2] IA5String,
    x400Address [3] ORAddress,
    directoryName [4] Name,
    ediPartyName [5] EDIPartyName,
    uniformResourceIdentifier [6] IA5String,
    iPAddress [7] OCTET STRING,
    registeredID [8] OBJECT IDENTIFIER }

uniformResourceIdentifier can contain the LDAP URL information of the CRL issuer. So although a certificate doesn't contain a CRL, I still have a question: when an application written by me (acting as a secure mail client) receives a signed mail and wants to check whether the certificate in the mail has already been revoked by the CA, does the CDP extension in the certificate give enough information (such as an LDAP URL) for my application to retrieve the latest CRL from the LDAP server of the CA? Or else how can my secure email client obtain the latest CRL list from the CA on a regular periodic basis (e.g., hourly, daily, or weekly) to make the client more secure?

Have a nice day!
Wooce

- Original Message -
From: ZILBER,LEONID (HP-NewJersey,ex1) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, November 21, 2001 10:58 AM
Subject: RE: questions about CRL check
Re: https
Yes, I am probably mistaken in that regard about the status of Net::SSLeay. I believe it was actually shelved for a while, and then picked up again, but this was some time ago and memory may not serve me. In any case, the issue is not operability with openssl, but with LWP. And as you can see from my previous email, it is best to use Crypt::SSLeay with LWP, at least according to the author of LWP.

Keary Suska
Esoteritech, Inc.
Leveraging Open Source for a better Internet

From: Marko Asplund [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 21 Nov 2001 23:12:14 +0200 (EET)
To: OpenSSL [EMAIL PROTECTED]
Subject: Re: https
any SMIME v3
Hey guys, I want to know if openssl or any other toolkit supports S/MIME v3. Would be nice if you could send the links. Thanks, vish.
RE: questions about CRL check
Wooce -- Outlook's support of revocation checking is done through CryptoAPI; see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/WinXPPro/support/tshtcrl.asp to better understand how chaining and status determination are done. As for its OCSP support, the answer is no: it only supports CRL checking, and only when the cert has a CRLdp extension in it. ValiCert has developed a revocation provider that can either replace or augment the existing revocation handling for CryptoAPI. It adds support for OCSP, SCVP, CRL, and CRL deltas. Additionally it provides for creating a validation profile for a CA, so even if a certificate does not contain a pointer to revocation information you as an administrator/user can set one. The product is called the ValiCert Desktop Validator.

Ryan

-Original Message-
From: wooce [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 6:58 PM
To: [EMAIL PROTECTED]
Subject: Re: questions about CRL check
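The thread's three points (Leon: the CRL lists the revoked certificate's serial number; Wooce: the CDP extension tells a relying party where the CRL lives; Ryan: Outlook checks revocation only when the certificate carries that extension) can all be exercised with the openssl command line. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a throwaway CA, issues a certificate with a crlDistributionPoints extension, revokes it, publishes a CRL, and then verifies the certificate both ignoring and honouring the CRL. It assumes an openssl command line (1.1.1 or later options, including verify -CRLfile and -crl_check); the CA name, the subject and the CDP URL are constructed for the demo, and the URL is a reserved .invalid name that is never fetched.

```shell
#!/bin/sh
# Added example: issue, revoke and CRL-check a certificate with a CRL distribution point.

# Create the CA, issue one client certificate, and print the working directory.
setup_demo_ca() {
    dir=$(mktemp -d)
    (
        cd "$dir" || exit 1
        mkdir certs
        : > index.txt          # openssl ca's database of issued certificates
        echo 1000 > serial     # next certificate serial number (hex)
        echo 01 > crlnumber    # next CRL number (hex)
        cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = ./index.txt
new_certs_dir = ./certs
certificate = ./ca.crt
private_key = ./ca.key
serial = ./serial
crlnumber = ./crlnumber
default_md = sha256
default_days = 365
default_crl_days = 1
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
# Constructed URL: where a relying party would fetch this CA's CRL.
crlDistributionPoints = URI:http://crl.example.invalid/demo.crl
EOF
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -config ca.cnf -extensions ca_ext -key ca.key \
            -subj "/CN=Demo CRL CA" -days 365 -out ca.crt 2>/dev/null
        openssl genrsa -out client.key 2048 2>/dev/null
        openssl req -new -config ca.cnf -key client.key -subj "/CN=alice" \
            -out client.csr 2>/dev/null
        openssl ca -batch -config ca.cnf -extensions client_ext -notext \
            -in client.csr -out client.crt 2>/dev/null
    ) || return 1
    echo "$dir"
}

# Print the CRL distribution point URI(s) a certificate carries.
cdp_uris() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\([^ ]*\).*$/\1/p'
}

# Print a certificate's serial number (hex), the value a CRL lists.
cert_serial() {   # $1 = certificate file
    s=$(openssl x509 -in "$1" -noout -serial)
    echo "${s#serial=}"
}

# Revoke a certificate and publish a fresh CRL as demo.crl in the CA directory.
revoke_and_publish_crl() {   # $1 = CA dir, $2 = certificate file (absolute path)
    ( cd "$1" && openssl ca -config ca.cnf -revoke "$2" 2>/dev/null &&
      openssl ca -config ca.cnf -gencrl -out demo.crl 2>/dev/null )
}

# Succeed if the given serial appears in the CRL's revoked list.
serial_in_crl() {   # $1 = CRL file, $2 = serial (hex)
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2"
}

# Chain check only: what a client that never consults the CDP sees.
verify_ignoring_crl() {   # $1 = CA dir, $2 = certificate file
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Chain check plus revocation check against the published CRL.
verify_with_crl() {   # $1 = CA dir, $2 = certificate file
    openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/demo.crl" -crl_check "$2" >/dev/null 2>&1
}
```

The two verify functions are the point of the exercise: after revocation the chain still validates, and only the run that loads the CRL named by the CDP reports the certificate as revoked. A mail client that answers Wooce's question by fetching the CDP URI on a schedule, and treating a CRL older than its nextUpdate as stale, is doing the same thing as the second function.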
Re: any SMIME v3
It is said that openssl only supports S/MIME v2, but you can try http://www.getronicsgov.com/hot/sfl_home.htm ; it supports S/MIME v3. Hope it helps.

Wooce

- Original Message -
From: viswanath [EMAIL PROTECTED]
To: openssl users [EMAIL PROTECTED]
Sent: Wednesday, November 21, 2001 9:24 PM
Subject: any SMIME v3
Adding a name to the certificate
Hi, I'm looking for what the parameters for X509_NAME_ENTRY_create_by_NID mean. I can see what they are in the source code, but is there a site where the function(s) for creating a certificate are explained? After a search on X509_NAME_ENTRY_create_by_NID using Google, no reference to the OpenSSL site is returned (except the mail archives). Is this documented, or am I using the incorrect function here?

Hylton