TLS extensions (PGP)
Hello openssl-users,

This issue seems to treat openssl-dev subscription, but I wouldn't bother them with possibly stupid discussion. So, I'd like you to discuss (or say why not): is it possible to use PGP within openssl (OpenPGP) and how, if it is? As you may know, the TLSv1 specification supplies extensions (you may read draft-ietf-tls-openpgp-keys-01.txt for the PGP extension from http://www.ietf.org/html.charters/tls-charter.html).

Well, is anybody interested in this? Or does anybody know whether it is or will be possible? Even more, I'm thinking over the possibility of implementing such an extension for ssleay; as far as I know, pgp is implemented on the openssl library.

Thanks in advance for your keen interest.

-- 
Best regards, Andrew mailto:[EMAIL PROTECTED]
Re: No certificates in popup dialog box.
Dr S N Henson wrote:
> Brandon Amundson wrote:
> > I am trying to sign a server cert from IIS 5.0 with my CA (openssl) that runs on my linux webserver. I have successfully signed the cert and moved it back into IIS but when I go to access the site, the certificate dialog box pops up but there are no available certificates. I would like to use pre-existing user certificates that I have issued for my other site because I am going to be letting the same people have access to the new site. Does anyone know if this is possible and what I am not doing correctly (besides using MS)? I heard something about the v3 extensions being a possible cause. Any thoughts?
>
> The FAQ gives the reason for this and some more info. What it doesn't say is how to add your CA to the trusted list of IIS. IIRC you can do this via the certificate import wizard, something like clicking on the "show physical stores" box and "trusted root - local computer". You may have to then reboot. You can check using s_client to see if your CA is then sent (see FAQ).
>
> Steve.

... your support is definitely wonderful... Now I can use the client-authentication under IIS5 ... thanks.

The strange thing is that now in IIS5 there is an interface to the TRUSTED-CA-LIST, but it seems to be unused, or better, used in combination with the importing into the trusted root - local computer store. Obviously this is undocumented on the MS site.

Thanks.

-- 
Dott. Sergio Rabellino
Technical Staff, Department of Computer Science, University of Torino (Italy)
Member of the Internet Society
http://www.di.unito.it/~rabser
Tel. +39-0116706701 Fax. +39-011751603
Dreaded OpenSSL: error:140890C7
Hi,

I'm trying to authenticate clients connecting to my server.

[06/Mar/2002 18:45:19 25124] [info] Connection to child 3 established (server hub-1.trema.com:443, client 66.54.34.7)
[06/Mar/2002 18:45:19 25124] [info] Seeding PRNG with 512 bytes of entropy
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Handshake: start
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: before/accept initialization
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 read client hello A
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 write server hello A
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 write certificate A
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 write certificate request A
[06/Mar/2002 18:45:19 25124] [trace] OpenSSL: Loop: SSLv3 flush data
[06/Mar/2002 18:45:20 25124] [trace] OpenSSL: Write: SSLv3 read client certificate B
[06/Mar/2002 18:45:20 25124] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[06/Mar/2002 18:45:20 25124] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[06/Mar/2002 18:45:20 25124] [error] SSL handshake failed (server hub-1.trema.com:443, client 66.54.34.7) (OpenSSL library error follows)
[06/Mar/2002 18:45:20 25124] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

From the error message I can imagine two problems:
- the client has not sent any certificate
- the client has sent an unknown certificate.

Can anybody help me sort this out? A Google lookup retrieves a lot of "OpenSSL: error:140890C7". Most of the time, people have invoked the ClientAuthentication by mistake.

Regards

-- 
Jean-Claude Bourut
Trema, 1300, routes des Crêtes, Sophia Antipolis, 06560 Valbonne, FRANCE
Tel +33 4 92 38 81 04 Fax +33 4 92 38 81 99
Question concerning signing of a certificate request
Hi!

I'm experiencing difficulties while trying to sign a certificate request:

openssl ca -keyfile ./private/caKey.pem -in ./private/gatewayReq.pem -out gatewayCert.pem -outdir ./certs

The error message is:

wrong number of fields on line 2 (looking for field 6, got 1, '' left)

Who can help solving this problem? Thanx in advance!

Stefan Homberg
Re: SSL for a Single-user Workstation
Maybe what he's after is compartmented security or mandatory access controls on the single host. It would be an OS level thing to approach an Orange Book B level. If he's using Linux then a place to start would be: http://www.nsa.gov/selinux/index.html

-Lance Nehring
New Particles Corporation

David Schwartz wrote:
> On Wed, 6 Mar 2002 20:06:31 -0500, Robert Krueger wrote:
> > Well, I guess that's just my point. I haven't identified what SSL can do for ME, actually. If there are no security advantages to using SSL on a single-user workstation, then I simply need to know this, so I won't waste my time poring over documentation for something not suited for my purpose. Is this the case?
>
> What kind of security do you need on a single-user workstation with no networking? Who or what are you trying to secure yourself from or against?
>
> DS
Re: Question concerning signing of a certificate request
Hi,

Your problem is in the index.txt file (located in your CA directory). The individual entries in each line of that file must absolutely be separated by TABs, not by spaces! Your index.txt probably got messed up, meaning that the tabs were converted to spaces (maybe you saved it from a text editor?). This means OpenSSL's functions are not able to parse it any more: they find 1 item per line instead of the 6 expected.

Take a look at http://www.dfn-pca.de/certify/ssl/handbuch/ossl095/ossl095-7.html#ss7.1 for an in-depth description of how to construct a valid index.txt.

Cheers, Steve

Stefan Homberg wrote:
> Hi! I'm experiencing difficulties while trying to sign a certificate request (openssl ca -keyfile ./private/caKey.pem -in ./private/gatewayReq.pem -out gatewayCert.pem -outdir ./certs). The error message is: wrong number of fields on line 2 (looking for field 6, got 1, '' left) Who can help solving this problem? Thanx in advance! Stefan Homberg

-- 
Steve Wirth, GINIT Technology GmbH [EMAIL PROTECTED]
PGP-Key: 0x17FA604D
Emmy-Noether-Str. 11, D-76131 Karlsruhe, www.ginit-technology.com
phone: +49-721-96681-0 fax: +49-721-96681-111
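A check for the failure described in the reply above, added here as an example (it is not code from the thread or from OpenSSL): it counts the TAB-separated fields on every line of an index.txt and reports the lines that would trigger "wrong number of fields". The status-flag, revocation-date and serial checks go beyond what the reply states and reflect the usual six-column layout (status, expiry, revocation date, serial, file name, subject); the sample databases are constructed.

```shell
#!/bin/sh
# check_index FILE
# Validate an `openssl ca` index.txt database. Prints one diagnostic per
# bad line; returns 0 when every line parses, 1 otherwise.
check_index() {
    awk -F '\t' '
    NF != 6 {
        # Fields are split on TAB only, so a line whose tabs were turned
        # into spaces collapses to a single field ("got 1").
        hint = (NF == 1 && $0 ~ / /) ? " (tabs converted to spaces?)" : ""
        printf "line %d: %d field(s), expected 6%s\n", NR, NF, hint
        bad = 1
        next
    }
    $1 !~ /^[VRE]$/ {
        printf "line %d: status \"%s\" is not V, R or E\n", NR, $1
        bad = 1
    }
    $1 == "R" && $3 == "" {
        printf "line %d: revoked entry has no revocation date\n", NR
        bad = 1
    }
    $4 !~ /^[0-9A-Fa-f]+$/ {
        printf "line %d: serial \"%s\" is not hexadecimal\n", NR, $4
        bad = 1
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample databases (not taken from the thread).
demo_dir=$(mktemp -d)
# Columns: status, expiry, revocation date (empty unless revoked),
# serial, file name, subject DN.
printf 'V\t030307152706Z\t\t01\tunknown\t/C=DE/O=Example/CN=gateway.example\n' \
    > "$demo_dir/good.txt"
printf 'R\t030307152706Z\t020401120000Z\t02\tunknown\t/C=DE/O=Example/CN=old.example\n' \
    >> "$demo_dir/good.txt"
# The same database after an editor replaced every tab with a space.
tr '\t' ' ' < "$demo_dir/good.txt" > "$demo_dir/bad.txt"

check_index "$demo_dir/good.txt" && echo "good.txt: OK"
check_index "$demo_dir/bad.txt" || echo "bad.txt: restore the TAB separators before running openssl ca"
rm -rf "$demo_dir"
```

Run it against a copy of the CA's index.txt before signing; a space-damaged file cannot be repaired by blindly collapsing whitespace, because the subject DN itself may contain spaces and the revocation column is legitimately empty.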
No certificates in client popup box.
I tried to do this; how can you get your CA to appear in the list of acceptable CA names?

> The FAQ gives the reason for this and some more info. What it doesn't say is how to add your CA to the trusted list of IIS. IIRC you can do this via the certificate import wizard, something like clicking on the "show physical stores" box and "trusted root - local computer". You may have to then reboot. You can check using s_client to see if your CA is then sent (see FAQ).

I do not have an option to show physical stores, that I can find.

Here is the output of the following command:

openssl s_client -connect 192.168.0.1:443 -prexit

CONNECTED(0003)
---
Certificate chain
 0 s:/C=US/ST=Virginia/L=Arlington/O=BBN Technologies/OU=DAML/CN=xxx..orgserver cert
   i:/C=US/ST=Virginia/L=Arlington/O=DARPA/OU=DAML/CN=xxx.xx.org/Email=thas [EMAIL PROTECTED]root cert
---
Server certificate
subject=/C=US/ST=Virginia/L=Arlington/O=BBN Technologies/OU=DAML/CN=xxx..org
issuer=/C=US/ST=Virginia/L=Arlington/O=DARPA/OU=DAML/CN=xxx..org/Email=t [EMAIL PROTECTED]
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Fr eemail [EMAIL PROTECTED]
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Pr emium [EMAIL PROTECTED]
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Ba sic [EMAIL PROTECTED]
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
---
SSL handshake has read 3471 bytes and written 318 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol : TLSv1
    Cipher: RC4-MD5
    Session-ID: 100215ABAC4B2DAF9DA307389E76CECCAB468CBDCA06820AE0966D0C8C36
    Session-ID-ctx:
    Master-Key: 0B0F9E1C622CE7CF0090411AF59DFA53062DC2BDA1929B2E210204753FDFD6E6F60ADB54D6C4 BD38B4C85737C8AA62 D9
    Key-Arg : None
    Start Time: 1015519547
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first ce

Brandon Amundson
BBN Technologies
LAB: 703 284 8189 [EMAIL PROTECTED]
How to get certificate install on iPlanet
Hello,

I'm a new user and trying to install and configure OpenSSL for iPlanet 4.1 web server on the Solaris 5.7 platform. I did install OpenSSL openssl-0.9.6c and don't know how to proceed next to get a certificate and install it. I appreciate any help.

-Prasanna
Re: OpenSSL Chain Of Trust
As I mentioned previously, I was mistaken in that I had made an SSL Email cert request from a free-email address. Much to my chagrin, I am now the technical contact on some SSL Server requests, and I can tell everyone here, first hand, that it is amazing how thorough you guys are in verifying identity. It's a good thing though, but a lot of paperwork. I have a much better understanding of how the certification process works. This list has been more informative than any document I've read. Thanks to all.

-Damian

----- Original Message -----
From: Trilli, Kevin
To: [EMAIL PROTECTED]
Sent: Tuesday, March 05, 2002 12:33 PM
Subject: RE: OpenSSL Chain Of Trust

Just to add one final data point to close this issue, since my private response was posted to the list. Damian, VeriSign has received two *SSL Server* cert requests from you as the technical contact, both of which you revoked either before authentication or after we completed authentication successfully. Neither of these were from a known freemail address, as, again, that is against our policy. I am happy to answer any of your questions concerning our authentication processes, or help you with anything else concerning VeriSign certs. Please contact me off-line if I can help. Thanks, sorry for the interruption everyone.

Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 2:15 PM
To: [EMAIL PROTECTED]
Subject: Re: OpenSSL Chain Of Trust

Woops. You are correct. I just checked, and indeed the certification part is quite different for Server ID's. I was under the assumption that there were not significant differences between certificates. Definitely extensive. Thanks though for the answers regarding the Chain of Trust establishment.

----- Original Message -----
From: Andrew T. Finnell [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, March 02, 2002 3:09 PM
Subject: RE: OpenSSL Chain Of Trust

From what I can see you bought an email certificate from Verisign, not a certificate for web servers. They do extensive background checks before giving you a certificate that will work on a server. If this is the case you will not be able to use the certificate you obtained from Verisign for your website. You need to purchase the certificate for web servers, not your email address.

- Andrew T. Finnell
Active Solutions L.L.C [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gregory Stark
Sent: Saturday, March 02, 2002 2:21 PM
To: [EMAIL PROTECTED]
Subject: Re: OpenSSL Chain Of Trust

Amazing. Are you serious? What is the issuer Name in your certificate? I'd like to believe VeriSign did more than just identify your cash.

== Greg Stark [EMAIL PROTECTED] ==

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, February 28, 2002 5:16 PM
Subject: OpenSSL Chain Of Trust

I'm rather new to the SSL world, but I have a simple issue. I paid big $$$ to Verisign for a Certificate for my web server. It seems to me that the only reason I had to pay big $$$ is because Microsoft lists Verisign as a Trusted CA. Of course, the reason for this is so Verisign can identify who I am, which I must say, is not verification. They took my Hotmail Email Address, and a Wire Transfer from Western Union. I never had to provide my identity.

Can I do the following? Issue an openSSL certificate to another server, from the server where I installed the expensive Verisign certificate? My hope is that the certificate I issue will establish a chain of trust back to Verisign, thus, users won't get that silly popup window in their browsers saying the site is dangerous, etc etc. I don't think my certificate is dangerous just because I have not paid Microsoft massive amounts of money to consider me a CA. Is there any way to do this?

Thanks.
secure mailinglists
Hi everybody,

We have set up our own CA and generated user certificates for everybody for secure communication. It really works fine.

The task: now we want to set up mailing lists (server side) like [EMAIL PROTECTED] where some users of our company and some from a customer should be able to write signed and encrypted emails and everybody on the list should be able to read them.

The question is how should this be done? The only solution I can imagine is to generate a certificate for the list and send the p12 file to everybody on the list. But does it really work with all mail programs? Because, for example: user A sends an encrypted mail to [EMAIL PROTECTED] which is expanded to user B, but it's not originally encrypted for B...

What's the best way of solving such a mailing list problem? What is your experience and solution? I am sure I am not the only one being confronted with such a task (hope :-).

Thanx for your help,
Damian
Re: secure mailinglists
At 21:41 07.03.2002 +0100, you wrote:
> Hi everybody, we have set up our own CA and generated user certificates for everybody for secure communication. It really works fine. The task: now we want to set up mailing lists (server side) like [EMAIL PROTECTED] where some users of our company and some from a customer should be able to write signed and encrypted emails and everybody on the list should be able to read them. The question is how should this be done? The only solution I can imagine is to generate a certificate for the list and send the p12 file to everybody on the list. But does it really work with all mail programs? Because, for example: user A sends an encrypted mail to [EMAIL PROTECTED] which is expanded to user B, but it's not originally encrypted for B... What's the best way of solving such a mailing list problem? What is your experience and solution? I am sure I am not the only one being confronted with such a task (hope :-). Thanx for your help, Damian

Message senders encrypt the message with the public key of the mailing list. The mailing list server decrypts the message using the private key for the mailing list and encrypts it again individually for every recipient.

The problematic part is the signature, I guess. Would it be possible to keep the original signature? Or does the server have to check the sender's signature and sign it again with its private key if the original signature is correct? The email programs would handle the encryption part nicely, but I fear that you cannot keep the original signature.

Jörn Sierwald
newbie question on OCSP
Can someone please help a poor newbie understand exactly what this is for and how it's used? I've tried looking at the documentation, but I feel like I'm drowning, probably because I'm trying to understand the details, but not quite getting the simple stuff.

Thanks in advance,
Issac
Error using openssl smime
Hi everyone,

Having some trouble with openssl smime...

Goal: To use openssl to create smime messages so that I can send encrypted email to people from the command line with the aid of sendmail or something similar.

Problem: I'm getting errors using openssl smime and I don't know why. Below is a description of what I have done.

The Details
===========

Get certificates in appropriate format; convert .p7b file to .pem file using openssl

I have certificates for people in Outlook Express. Using that tool I can send them encrypted emails. I exported their certificates into the .p7b format (pkcs7). To use openssl it seems PEM is the preferred format so I converted the certs from .p7b to .pem via the following command:

$ openssl pkcs7 -in LiamWalker.p7b -inform DER -out LiamWalker.pem -outform PEM

This generated the appropriate output files so I assume they are ok. openssl pkcs7 with -print_certs was able to read these files.

Attempted to produce an email message in SMIME format:
---

I then was experimenting with the openssl smime command to try and generate a properly formatted file to myself from myself. Later I would use sendmail or something to actually deliver the message. I used the following command:

$ openssl smime -encrypt -des3 -nointern -nosigs -noverify -recip LiamWalker.pem -in msg.txt -out msg.enc -to "[EMAIL PROTECTED]" -from "[EMAIL PROTECTED]" -subject "Test using openssl" LiamWalker.pem

The output for this command was as follows:

Loading 'screen' into random state - done
unable to load certificate
360:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:662:Expecting: TRUSTED CERTIFICATE
Can't read recipient certificate file ./LiamWalker.pem

The -to email address matches the email address in the certificate specified by -recip and the -from email address matches the email address in the last option (LiamWalker.pem).

Can anyone give me a hint as to what is going on here?

Thanks,
.maiL

P.S. I assume that you use multiple -to and -recip options to have the message encrypted to multiple people?
I need to know how to generate a certificate in pkcs7 format with openSSL
Hi,

If this can be done currently, can someone provide some details? I did look through the list: http://www.mail-archive.com/openssl-users@openssl.org/

I didn't find an answer there, but have found a draft at http://www.openssl.org/docs/HOWTO/certificates.txt that mentions generating certificates in other formats, but doesn't give the details on how it is done. Am I looking for something like:

# openssl req -new -key privkey.p7b -out cert.csr

or

# openssl pkcs7 -new -key -out pkcs7 privkey.p7b -outform p7b

Thanks, and please forgive the clueless nature of the question.

Chet Golding
Hewlett-Packard ESDO, Operations Engineering
Re: Error using openssl smime
Liam Walker wrote:
> $ openssl pkcs7 -in LiamWalker.p7b -inform DER -out LiamWalker.pem -outform PEM

This command is converting a PKCS#7 structure from DER to PEM format...

> This generated the appropriate output files so I assume they are ok. openssl pkcs7 with -print_certs was able to read these files.

If you include -print_certs it will output certificates in PEM format...

> Attempted to produce an email message in SMIME format:
> ---
> I then was experimenting with the openssl smime command to try and generate a properly formatted file to myself from myself. Later I would use sendmail or something to actually deliver the message. I used the following command:
>
> $ openssl smime -encrypt -des3 -nointern -nosigs -noverify -recip LiamWalker.pem -in msg.txt -out msg.enc -to [EMAIL PROTECTED] -from [EMAIL PROTECTED] -subject Test using openssl LiamWalker.pem

The smime command is expecting certificates in PEM format, not PKCS#7 structures. You've also got a load of options which aren't used by the -encrypt option. In particular -nointern -nosigs -noverify -recip.

> The output for this command was as follows:
>
> Loading 'screen' into random state - done
> unable to load certificate
> 360:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:662:Expecting: TRUSTED CERTIFICATE
> Can't read recipient certificate file ./LiamWalker.pem
>
> The -to email address matches the email address in the certificate specified by -recip and the -from email address matches the email address in the last option (LiamWalker.pem). Can anyone give me a hint as to what is going on here?

Include the -print_certs option when you convert the .p7b file containing the certificates. If you get more than one certificate you'll have to sort out which is the actual user certificate, though it's normally the first.

> Thanks, .maiL
> P.S. I assume that you use multiple -to and -recip options to have the message encrypted to multiple people?

No. The -to command is just a convenience that produces something resembling the correct MIME format for an email message. If you want something readable by multiple certificates then include them on the command line to smime: you'll have to format the email message headers yourself or use one -to option and manually include like CC:

As I mentioned above -recip isn't used with smime -encrypt.

Steve.
-- 
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
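A pre-flight check for the "no start line ... Expecting: TRUSTED CERTIFICATE" failure discussed in the reply above, added here as an example (not code from the thread or from OpenSSL): it reads the PEM labels in a file and tells a certificate apart from a PEM-encoded PKCS#7 bundle, which is what `openssl pkcs7 -outform PEM` without -print_certs produces. The function names and the sample files are constructed for this illustration.

```shell
#!/bin/sh
# pem_labels FILE: print the label of each "-----BEGIN <label>-----" line.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# recip_cert_check FILE
#   returns 0: at least one PEM certificate block, usable as an
#              `openssl smime -encrypt` recipient
#   returns 1: only a PEM PKCS#7 bundle; extract the certs with -print_certs
#   returns 2: neither (for example a file that is still DER)
recip_cert_check() {
    labels=$(pem_labels "$1")
    # Labels accepted when OpenSSL loads a certificate from PEM.
    if printf '%s\n' "$labels" | grep -Eqx '(TRUSTED |X509 )?CERTIFICATE'; then
        return 0
    fi
    if printf '%s\n' "$labels" | grep -qx 'PKCS7'; then
        echo "$1: PKCS#7 bundle, run: openssl pkcs7 -in $1 -print_certs -out certs.pem"
        return 1
    fi
    echo "$1: no PEM certificate found (DER input needs -inform DER)"
    return 2
}

# Constructed sample files: only the PEM framing matters for this check,
# the base64 bodies are placeholders and not real certificates.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PKCS7-----' 'Q09OU1RSVUNURUQ=' '-----END PKCS7-----' \
    > "$demo_dir/bundle.pem"
# Shape of `openssl pkcs7 -print_certs` output: subject/issuer lines, then
# one CERTIFICATE block per certificate.
printf '%s\n' 'subject=/CN=constructed user' 'issuer=/CN=constructed CA' \
    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' \
    > "$demo_dir/certs.pem"

recip_cert_check "$demo_dir/bundle.pem" || echo "bundle.pem: not usable as a recipient"
recip_cert_check "$demo_dir/certs.pem" && echo "certs.pem: usable as a recipient"
rm -rf "$demo_dir"
```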
Re: No certificates in client popup box.
Brandon Amundson wrote:
> I tried to do this; how can you get your CA to appear in the list of acceptable CA names?
>
> > The FAQ gives the reason for this and some more info. What it doesn't say is how to add your CA to the trusted list of IIS. IIRC you can do this via the certificate import wizard, something like clicking on the "show physical stores" box and "trusted root - local computer". You may have to then reboot. You can check using s_client to see if your CA is then sent (see FAQ).
>
> I do not have an option to show physical stores, that I can find.

You need to start the certificate import wizard. I think it's OK to do this using MSIE. If so then convert the root CA to DER format and with MSIE open select Tools - Internet Options - Content - Certificates; you may have an option in IIS to open this dialog box too.

Anyway, from the box click on "Import...". Select the file you want to import (the CA certificate in DER format). When you hit Next you'll have an option saying "Place Certificates in the following store"; select that and click on Browse. It's the dialog box that then appears that has the "show physical stores" checkbox. Then follow the instructions above...

If it works then your CA name should appear after the line in s_client saying:

---
Acceptable client certificate CA names

Steve.
-- 
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: I need to know how to generate a certificate in pkcs7 format with openSSL
> If this can be done currently, can someone provide some details?

What I presume you want to do is to package some certificates in a binary PKCS#7 structure, which is what .p7b is. To do this you can call:

openssl crl2pkcs7 -nocrl -certfile cert1.pem -certfile cert2.pem -certfile cert3.pem -outform DER -out cert.p7b

Where cert1.pem etc are the PEM encoded certificates you want to include.

Steve.
-- 
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: boolean default true
Vadim Fedukovich wrote:
> Hello, would this construct
>
> ASN1_SEQUENCE(SomeTypeDefinition) = {
>     ASN1_IMP(, someFieldName, ASN1_FBOOLEAN, N)
>
> be fine for
>
> someFieldName [N] BOOLEAN DEFAULT FALSE
>
> in ASN.1? Should one use ASN1_IMP_OPT() instead?

You should always use OPT with the ASN1_FBOOLEAN and ASN1_TBOOLEAN. The actual type is just applying a specific interpretation when the field is absent or taking the default value. For example in the ASN1_FBOOLEAN case it means that if the boolean value is set to FALSE it will not be encoded and if the field is absent it will be represented as FALSE.

You don't have to use the ASN1_FBOOLEAN and ASN1_TBOOLEAN types as long as you interpret and set the value appropriately. Using them does have a disadvantage in that some encoders might incorrectly not omit a field having the default value. This would mean that decoding and reencoding the structure would not produce the same result.

Steve.
-- 
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
Re: boolean default true
On Thu, 7 Mar 2002, Dr S N Henson wrote:
> Vadim Fedukovich wrote:
> > Hello, would this construct ASN1_SEQUENCE(SomeTypeDefinition) = { ASN1_IMP(, someFieldName, ASN1_FBOOLEAN, N) be fine for someFieldName [N] BOOLEAN DEFAULT FALSE in ASN.1? Should one use ASN1_IMP_OPT() instead?
>
> You should always use OPT with the ASN1_FBOOLEAN and ASN1_TBOOLEAN. The actual type is just applying a specific interpretation when the field is absent or taking the default value. For example in the ASN1_FBOOLEAN case it means that if the boolean value is set to FALSE it will not be encoded and if the field is absent it will be represented as FALSE.

Yes, this is exactly what I'm looking for.

> You don't have to use the ASN1_FBOOLEAN and ASN1_TBOOLEAN types as long as you interpret and set the value appropriately. Using them does have a disadvantage in that some encoders might incorrectly not omit a field having the default value. This would mean that decoding and reencoding the structure would not produce the same result.
>
> Steve.

Many thanx for the advice and for the powerful ASN1 code,
Vadim
Re: secure mailinglists
On Thu, 7 Mar 2002, Damian Hesse wrote:
> Hi everybody,
>
> we have set up our own CA and generated for everybody user certificates for secure communication. It really works fine.
>
> The task: now we want to set up mailinglists (server side) like [EMAIL PROTECTED] where some users of our company and some from a customer should be able to write signed and encrypted emails and everybody on the list should be able to read it.
>
> The question is how should this be done? The only solution I can imagine is to generate a certificate for the list and send the p12-file to everybody on the list. But does it really work with all mail programs, because for example: user A sends an encrypted mail to [EMAIL PROTECTED] which is expanded to user B, but it's not originally encrypted for B...

Some more cases are described in RFC 2634.

> What's the best way of solving such a mailinglist problem? What is your experience and solution? I am sure I am not the only one being confronted with such a task (hope :-).

A list of expected mail readers and a list of their features would help to choose the solution.

good luck,
Vadim
RE: I need to know how to generate a certificate in pkcs7 format with openSSL
Thank you. Sorry, I didn't detail the situation well. The output file can be .pem, that's not a problem; the internal format needs to be pkcs7.

What I was asked to do is take a Linux box with OpenSSL already installed on it and set it up as a Root or Certificate Authority to supply certificate(s) to clients within a project that is using a good deal of SSL connections. The goal is to keep both the cost and exposure to a contained network area. So I need to generate a certificate rather than encode something that is pre-existing or requested from elsewhere. (If this is doable.) Then the Linux box will need to supply this certificate function within a backend network.

So can I use a variation of this:

> openssl crl2pkcs7 -nocrl -certfile cert1.pem -certfile cert2.pem -certfile cert3.pem -outform DER -out cert.p7b
>
> Where cert1.pem etc are the PEM encoded certificates you want to include.

to generate an internal format of pkcs7 that yields a new certificate? Again I think it is fine if the file format saved can be PEM encoded as long as the internal is pkcs7.

Again, thanks for the help. Hey, is there a book on OpenSSL?

Chet Golding
Hewlett-Packard ESDO, Operations Engineering
Re: I need to know how to generate a certificate in pkcs7 format with openSSL
GOLDING,CHARLTON (Non-HP-Corvallis,ex1) wrote:
> Thank you. Sorry, I didn't detail the situation well. The output file can be .pem that's not a problem, the internal format needs to be pkcs7.

The certificate creation utilities in OpenSSL don't have an option to package a certificate in PKCS#7 format, however you can get them to create a PEM encoded certificate and then use crl2pkcs7 to convert them to PKCS#7 (PEM or DER encoded).

The openssl docs describe how the certificate creation utilities work in some detail and there's a wrapper perl script CA.pl that calls the openssl utility using the most commonly used options.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Gemplus: http://www.gemplus.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED]
PGP key: via homepage.
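The two-step route described in this reply (issue a PEM certificate, then convert with crl2pkcs7), as an added example that is not part of the thread. It calls the openssl utility directly instead of going through CA.pl; the subject names, file names and 30-day lifetime are made up for the demo.

```shell
# Added example: throwaway root CA, one client certificate, and a certs-only
# PKCS#7 bundle (PEM-encoded). All names below are constructed.
make_p7_bundle() {              # $1 = empty working directory
    d=$1
    # Root CA: self-signed certificate and unencrypted key
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    # Client key and certificate request
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
    # The CA signs the request; the result is a PEM certificate
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/client.pem" 2>/dev/null &&
    # Wrap the PEM certificates in a PKCS#7 structure (no CRL, no keys)
    openssl crl2pkcs7 -nocrl -certfile "$d/client.pem" -certfile "$d/ca.pem" \
        -outform PEM -out "$d/bundle.p7b"
}

# Count the certificates carried in a PKCS#7 file
p7_cert_count() {               # $1 = PKCS#7 file (PEM)
    openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject'
}

w=$(mktemp -d) && make_p7_bundle "$w" &&
    echo "certificates in bundle: $(p7_cert_count "$w/bundle.p7b")"
rm -rf "$w"
```

The bundle holds certificates only; each client's private key stays in its own key file and is not part of the PKCS#7 output.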
Upgrading issues [0.9.6b to 0.9.6c and more]
In Makefile.ssl I find the following:

    @if [ -n "$(SHARED_LIBS)" ]; then \
        tmp="$(SHARED_LIBS)"; \
        for i in $${tmp:-x}; \
        do \
            if [ -f "$$i" ]; then \
            (   echo installing $$i; \
                cp -f $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
                chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
            fi \
        done; \
        (   here=`pwd`; \
            cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
            make -f $$here/Makefile link-shared ); \
    fi

Because the difference between 0.9.6b and 0.9.6c is NOT reflected in the library versions, doing an upgrade from 0.9.6b to 0.9.6c results in the library file being directly written into. This in turn causes programs that had that library mapped to fail. And sshd does so rather quickly.

Normally this would not be an issue because normally, the version of the library source becomes the version of the library installed. In such cases, writing the upgraded library writes a whole new file and changing the symlinks does not impact currently mapped copies. Recompiling and forcibly reinstalling the very same version of most libraries could certainly be a problem. In the case of OpenSSL, it is a problem regardless.

One fix is to name the library exactly the same as the source. That would result in files:

    libcrypto.so.0.9.6b (the old one)
    libcrypto.so.0.9.6c (newly created)

and symlinks would then be:

    libcrypto.so.0.9.6 -> libcrypto.so.0.9.6c
    libcrypto.so.0 -> libcrypto.so.0.9.6
    libcrypto.so -> libcrypto.so.0

With this method, the old version is not destroyed. One can change the symlink back to the old version in case of problems that might occur in the future.
Another way to make sure the library installation does not clobber existing processes is:

    @if [ -n "$(SHARED_LIBS)" ]; then \
        tmp="$(SHARED_LIBS)"; \
        for i in $${tmp:-x}; \
        do \
            if [ -f "$$i" ]; then \
            (   echo installing $$i; \
                cp -f $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/tmp-$$i; \
                chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/tmp-$$i; \
                ln -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i \
                    $(INSTALL_PREFIX)$(INSTALLTOP)/lib/old-$$i; \
                mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/tmp-$$i \
                    $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
            fi \
        done; \
        (   here=`pwd`; \
            cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
            make -f $$here/Makefile link-shared ); \
    fi

This ensures not only saving the old library, but also makes the file switch atomic so that any active process trying to access the library file directly never sees a time window of none existing, and gets either the old one or the new one. This then allows cleanly restarting processes that use the new library files. In the case of SSH using shared libraries, it also keeps you from being locked out of remote machines (even if you had multiple instances of sshd on different ports, they all die with the current method).

--
Phil Howard - KA9WGN | Dallas, Texas, USA
http://linuxhomepage.com/ | http://phil.ipal.org/
[EMAIL PROTECTED]
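The difference between the two install rules in this message, as an added demonstration that is not part of the original post. It compares what a process that opened the library before the upgrade sees afterwards; libdemo.so and its contents are constructed stand-ins, and the in-place case assumes GNU cp.

```shell
# Added demo; libdemo.so and the build-b/build-c contents are constructed
# stand-ins for the real library files. A reader that opened the file before
# the upgrade plays the part of a daemon that already has the library mapped.

# Stock rule: copy straight onto the installed name. The installed file is
# mode 555, but root's open() still succeeds, so GNU cp truncates and rewrites
# the same inode. The demo leaves the file writable to get that without root.
install_in_place() {            # $1 = new build, $2 = installed path
    cp -f "$1" "$2"
}

# Proposed rule: stage a copy, hard-link the old inode as old-<name>, then
# rename the staged copy over the installed name.
install_atomic() {              # $1 = new build, $2 = lib dir, $3 = file name
    cp -f "$1" "$2/tmp-$3" &&
    chmod 555 "$2/tmp-$3" &&
    ln -f "$2/$3" "$2/old-$3" &&
    mv -f "$2/tmp-$3" "$2/$3"
}

# Report what the long-running reader sees after the upgrade.
view_after_upgrade() {          # $1 = in_place | atomic
    d=$(mktemp -d) || return 1
    mkdir "$d/lib"
    echo build-b > "$d/lib/libdemo.so"      # currently installed
    echo build-c > "$d/libdemo.so.new"      # freshly built
    exec 3< "$d/lib/libdemo.so"             # opened before the upgrade
    case $1 in
        in_place) install_in_place "$d/libdemo.so.new" "$d/lib/libdemo.so" ;;
        atomic)   install_atomic "$d/libdemo.so.new" "$d/lib" libdemo.so ;;
    esac
    seen=$(cat <&3)
    exec 3<&-
    now=$(cat "$d/lib/libdemo.so")
    old=$(cat "$d/lib/old-libdemo.so" 2>/dev/null || echo none)
    rm -rf "$d"
    echo "running=$seen installed=$now rollback=$old"
}

view_after_upgrade in_place
view_after_upgrade atomic
```

With the in-place copy the running reader's view changes underneath it; with the staged rename it keeps the old contents and old-libdemo.so remains available for rollback.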
Re: newbie question on OCSP
Hi,

OCSP stands for Online Certificate Status Protocol. This, as the name suggests, specifies a protocol to obtain the status of a certificate online.

There can be many reasons for a certificate to become invalid even before the end of the lifetime for which it was issued. These may be key compromise etc. Each CA maintains a list of all the revoked certificates. That list is called the Certificate Revocation List (CRL).

Our aim is to obtain the status of a certificate, i.e. Valid or Invalid. To be more technical, Revoked or Not Revoked.

One method of knowing this is using the LDAP protocol. Using this protocol a user can download the CRL and check it against the serial number of the certificate in question. If the serial number is found, it means the certificate is revoked, else the user can assume that the certificate is not revoked. This requires a lot of memory in your system as the CRL size keeps on increasing.

For that reason the OCSP protocol was born. This might be the author's intention in bringing up this protocol.

There is a server called an OCSP responder. This server will maintain all the certificates that are revoked for a particular CA. (The CA may itself be an OCSP responder also.) The user constructs an OCSP request as per the protocol with all the details of the certificate for which the revocation status has to be found. The responder will respond with the status of that certificate, saying whether it is GOOD, REVOKED or UNKNOWN.

This is my understanding of the OCSP protocol. I hope this helps...

Regards
Suram

----- Original Message -----
From: Issac Goldstand [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, March 08, 2002 1:17 AM
Subject: newbie question on OCSP

Can someone please help a poor newbie understand exactly what this is for and how it's used? I've tried looking at the documentation, but I feel like I'm drowning, probably because I'm trying to understand the details, but not quite getting the simple stuff...
Thanks in advance,
Issac
problem in handshake.
hi,

i have a problem which i would like your help in solving.

In my client-server application the client uses java jsse and the server uses openssl. The application needs both sides to be authenticated. Also it requires that the session be cached, as the client requires multiple connections to the server using the same session id to complete a job.

For the first connection there is no problem and both the server and the client authenticate themselves (this i know from the ssl states). But when the client wants to establish another ssl connection using the same ssl session, the server stops the handshake by giving the state "SSL_accept error in SSLv3 read client hello C".

If i remove client authentication from the server then i can establish many connections with the session being reused. It's only when client authentication is enabled that i get the above problem, and i cannot establish a new connection before invalidating the earlier session.

i am using openssl 9.6b and java 1.3.1.

thanks in advance
kaushik vishwakarma
Re: secure mailinglists
Jörn,

> > The task: now we want to set up mailinglists (server side) like [EMAIL PROTECTED] where some users of our company and some from a customer should be able to write signed and encrypted emails and everybody on the list should be able to read it.
> >
> > The question is how should this be done? The only solution I can imagine is to generate a certificate for the list and send the p12-file to everybody on the list. But does it really work with all mail programs, because for example: user A sends an encrypted mail to [EMAIL PROTECTED] which is expanded to user B, but it's not originally encrypted for B...
>
> Message senders encrypt the message with the public key of the mailinglist. The mailinglist server decrypts the message using the private key for the mailinglist and encrypts it again individually for every recipient. The problematic part is the signature, I guess. Would it be possible to keep the original signature? Or does the server have to check the sender's signature and sign it again with its private key if the original signature is correct? The email programs would handle the encryption part nicely, but I fear that you cannot keep the original signature..
>
> Jörn Sierwald

No, the signature is not the (main) problem. The problem is the private keys of the users of the list. I don't think that's a good idea to have private keys of users on a central mail server. They should remain on the client computers with password requests for every access to make sure that nobody except the user itself has access to the usage of their own certificates. Keep in mind that in your model even the customer needs to give us their private keys, which is hardly possible, isn't it?

Damian