Re: (No Subject)

2003-07-02 Thread Ng Pheng Siong
On Tue, Jul 01, 2003 at 03:19:14PM +0100, Marius Cabas wrote:
 I want to check the client certificate from an SSL server. In the
 callback function passed to SSL_CTX_set_verify() I'm getting the error
 18: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (self signed certificate). I
 suppose the certificate I'm using is not the right one. Can somebody help
 me generate all the types of certificates needed by an SSL server and
 client? Please, I'm new to OpenSSL.

[ Retry. Apologies if you get this twice. ]

(Without consulting the source...)

Typically, client certs are signed by a CA. To verify client certs, your
server needs to know the CA's cert beforehand; the server loads the CA
cert(s) via SSL_CTX_load_verify_locations.

The above error indicates your client is supplying a self-signed cert.

By definition, a self-signed cert's CA is itself. In this case, your server
is seeing the self-signed cert's CA (meaning the cert itself) for the first
time over the SSL connection and is thus unable to verify it.

Check out how to run a CA using OpenSSL; there are numerous HOWTOs, one of
which is here:

http://www.post1.com/home/ngps/m2/

Create a CA, then try again with client certs signed by your CA.

<plug>
You might also want to check out M2Crypto, a Python interface to OpenSSL,
found at the same URL.
</plug>

HTH. 

-- 
Ng Pheng Siong [EMAIL PROTECTED] 

http://firewall.rulemaker.net  -+- Manage Your Firewall Rulebase Changes
http://www.post1.com/home/ngps -+- Open Source Python Crypto & SSL
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       [EMAIL PROTECTED]
Automated List Manager          [EMAIL PROTECTED]
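The point above (a CA-signed client cert verifies against the loaded CA cert, a self-signed one fails at depth 0) is easy to reproduce on the command line. The script below is an added example, not code from the thread: it builds a throw-away CA, issues one client cert from it, generates one self-signed client cert of the kind the original poster made, and runs `openssl verify` against the CA file, which is the same check the server performs after SSL_CTX_load_verify_locations. All subject names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throw-away CA, signs one client
# certificate with it, generates one self-signed client certificate, and runs
# the same verification the server does after SSL_CTX_load_verify_locations.
# All subject names and file names are constructed for this demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The CA: a self-signed root that the server will load as its trust anchor.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. A client certificate issued by that CA: a CSR, then the CA's signature.
make_signed_client() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.pem" 2>/dev/null
}

# 3. What the original poster made: a client certificate that signs itself.
make_selfsigned_client() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-client" \
        -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null
}

# Verify a certificate against the CA store. Prints openssl's diagnostic
# ("OK", or "error 18 at 0 depth lookup ..." which is
# X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) and returns openssl's exit status.
verify_against_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" 2>&1
}

# Same check reduced to a printable result: 0 = verifies, 1 = does not.
verify_status() {
    if verify_against_ca "$1" >/dev/null; then echo 0; else echo 1; fi
}

make_ca && make_signed_client && make_selfsigned_client

echo "CA-signed client cert:";   verify_against_ca "$WORK/client.pem"
echo "self-signed client cert:"; verify_against_ca "$WORK/self.pem"
```

The second verification is exactly the situation described in the thread: the only "CA" that can vouch for self.pem is self.pem itself, and the server's store has never seen it, so the lookup at depth 0 fails with error 18.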


Re: Checking client certificate

2003-07-02 Thread Marius Cabas
I have already tested them and the same errors occur.

---

- Original Message -

DATE: Thu, 3 Jul 2003 01:08:17 
From: Ng Pheng Siong [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: 

On Tue, Jul 01, 2003 at 08:20:40AM +0100, Marius Cabas wrote:
 I'm trying to check the client certificate from the server side but it's
 not working well. Below is a piece of code from a server and a client
 application. Is something wrong with my code? The SSL_accept
 function is failing with an "SSL3_GET_CLIENT_CERTIFICATE:peer did not return
 a certificate" error. I have generated the certificate using OpenSSL
 like this: openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout
 cert.pem

Test your client with 'openssl s_server'.
Test your server with 'openssl s_client'.



Re: session cacheing in OpenSSL

2003-07-02 Thread Ng Pheng Siong
On Wed, Jul 02, 2003 at 02:31:26PM +1200, Jason Haar wrote:
 I've seen it all before. The problem with HTTPS+client auth is that
 clients don't know which page is going to require a client cert - so they
 default to making a standard HTTPS call first, get the SSL-error back saying
 they need to send a cert - then make the connection again with the cert -

On first reading, I thought you were saying this:

A browser makes an SSL connection to a server, makes a HTTP request over
that connection, gets an SSL client-cert request, goes huh?, breaks off the
SSL connection, then retries.

But this doesn't sound right, since the SSL client cert exchange happens at
a protocol layer lower than HTTP(S), and should be transparent to it.

My (to-be-released) ZServerSSL for Zope with client cert authentication
does not seem to exhibit this problem: I make a connection, the browser
asks me which cert to use, I select one, then HTTPS things happen.

When I leave a browser HTTPS connection (meaning a TCP connection to the
SSL port of my Zope server) idle, eventually the server times the connection
out. If I then click on some link in the browser window, the browser again
asks me to select a cert, then does its thing again.

(I've set up my browser to ask for a cert every time for testing purposes.)

Which server are you running?



Re: Checking client certificate

2003-07-02 Thread Ng Pheng Siong
On Wed, Jul 02, 2003 at 06:38:08PM +0100, Marius Cabas wrote:
 I have already tested them and the same errors occur.

What does this output?

openssl s_client -connect <your server> \
    -cert <certfile> -key <keyfile> \
    -msg -showcerts



Re: License question: What is considered promoting?

2003-07-02 Thread Dr. Stephen Henson
On Wed, Jul 02, 2003, [EMAIL PROTECTED] wrote:

 Hi,
 
 I have a question regarding the combination of phrases 3 and 4 of the 
 OpenSSL license:
 
  * 3. All advertising materials mentioning features or use of this
  *    software must display the following acknowledgment:
  *    "This product includes software developed by the OpenSSL Project
  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 
  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  *    endorse or promote products derived from this software without
  *    prior written permission. For written permission, please contact
  *    [EMAIL PROTECTED]
 
 Let's say I create a product which uses parts of the OpenSSL Toolkit, and 
 I produce advertising material containing the acknowledgement sentence 
 (according to phrase 3).
 
 Is this considered 'promoting products using the names OpenSSL Toolkit 
 and OpenSSL Project' according to phrase 4?
 
 Do I need a written permission in this case?
 

No you do not.

 
 I found that the Berkeley License (BSD), from which the OpenSSL license 
 seems to be derived, has eliminated phrase 3 in 1999. In consequence my 
 conflict described above wouldn't occur with the BSD license.
 
 Has phrase 3 of the OpenSSL license been left in effect with purpose?
 
 

The SSLeay license (which is part of the OpenSSL license) has a similar phrase
and we can't alter that part of the license.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.


RE: SSL_accept is too slow:(

2003-07-02 Thread Lee Dilkie
 3) Provide a better explanation of what's wrong and where.

You say you're using a ppc603? At what speed?

My experience with a ppc603 at 133 MHz says an SSL_accept takes about 1.3
seconds, most of it at full throttle on the processor. If this is your
experience (scaled by your processor speed) and that performance is not
acceptable, then there's little you can do other than a faster CPU (which is
probably not likely) or crypto h/w (again, not likely).

What RSA key sizes are you using for your certificates?



Digital sign and verification

2003-07-02 Thread drid

Hello

 Excuse me for my very poor English.

I have to program a digital signing (and verification) component based on
PKCS7 files. I have to sign a document and this signature must be output as a
PKCS7 format file. The document is detached (not included?). I think that
when I verify this signature file I'd use the PKCS7_verify function, but I'm
not sure. If I use this function, should I write the signature file with
SMIME_write and read it with SMIME_read?

I attempted that, but I always get an error. What can I do?

This is part of my code :

/* Read the PKCS7 signature file (S/MIME format). The second argument must be
   the address of a BIO pointer: it receives the content only when the S/MIME
   message carried it inline, otherwise it is set to NULL */
if ( ! (p7 = SMIME_read_PKCS7(fp_Firma, &bio_pkcs7)) )
 return ( ERROR );

/* Open the original (detached) document to verify the signature against */
if ( ! (bio_pkcs7 = BIO_new_file(FICH_DOCUMENTO, "rb")) )
 return ( ERROR );

if ( p7 == NULL )
 return ( ERROR );
if ( bio_pkcs7 == NULL )
 return ( ERROR );

/* Verify the PKCS7 signature over the original document; PKCS7_NOVERIFY
   means the signer's certificate itself is not checked */
if ( ! PKCS7_verify(p7, NULL, NULL, bio_pkcs7, out, PKCS7_NOVERIFY) )
 return ERROR;

I'm not verifying certs. I suppose I must do it, but I don't know how to do it.

Can anybody help me?? I'm desperate.

Thank you very much




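The detached signing and verification flow asked about above, driven through the `openssl smime` command rather than the C API, as an added example that is not part of the original post. It signs a constructed document with a detached PKCS#7 signature (the PKCS#7 structure is written out alone, the document stays separate), then verifies it three ways: with the signer trusted, with an unrelated CA as the only trust anchor, and with `-noverify`, which is the command-line counterpart of the PKCS7_NOVERIFY flag in the poster's code. Signer names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Signs a constructed document with a
# detached PKCS#7 signature, verifies it in the modes the poster is choosing
# between, and shows what PKCS7_NOVERIFY (here: smime -verify -noverify)
# actually skips. Signer names and file names are constructed for this demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'constructed sample document\n' > "$WORK/doc.txt"

# The signer's certificate, and an unrelated CA that has never heard of it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Signer" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# Detached signature: the output is the PKCS#7 structure only (PEM); the
# document travels separately, which is the "detached" case the poster has.
sign_detached() {
    openssl smime -sign -binary -in "$WORK/doc.txt" \
        -signer "$WORK/signer.pem" -inkey "$WORK/signer.key" \
        -outform PEM -out "$WORK/doc.p7s" 2>/dev/null
}

# Full verification: the signature over the content is checked AND the signer
# certificate must chain to the trust store in $1. $2 is the document.
# Prints 0 (verified) or 1 (rejected).
verify_full() {
    if openssl smime -verify -binary -inform PEM -in "$WORK/doc.p7s" \
         -content "$2" -CAfile "$1" -out /dev/null 2>/dev/null
    then echo 0; else echo 1; fi
}

# PKCS7_NOVERIFY equivalent: only the signature over the content $1 is
# checked; who produced it is not. Prints 0 (verified) or 1 (rejected).
verify_noverify() {
    if openssl smime -verify -binary -inform PEM -in "$WORK/doc.p7s" \
         -content "$1" -noverify -out /dev/null 2>/dev/null
    then echo 0; else echo 1; fi
}

sign_detached

# A modified copy of the document, to show the signature still binds content.
printf 'tampered sample document\n' > "$WORK/tampered.txt"

echo "trusted signer, intact doc:    $(verify_full "$WORK/signer.pem" "$WORK/doc.txt")"
echo "untrusted signer, intact doc:  $(verify_full "$WORK/other.pem" "$WORK/doc.txt")"
echo "NOVERIFY, untrusted signer:    $(verify_noverify "$WORK/doc.txt")"
echo "NOVERIFY, tampered doc:        $(verify_noverify "$WORK/tampered.txt")"
```

The third line is the one to note: with `-noverify` the signature over the document checks out even though nobody in the trust store vouches for the signer, so anyone holding any key can produce a signature that passes. A detached-signature verifier normally wants the first mode, with a real trust store in place of the self-signed signer used here.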


wildcard certificates

2003-07-02 Thread Lu, Steve
Hi All,

Can Openssl be used to create wildcard certificates?
To what extent does OpenSSL support wildcard certs?

Thanks,
Steve


Re: wildcard certificates

2003-07-02 Thread Dr. Stephen Henson
On Wed, Jul 02, 2003, Lu, Steve wrote:

 Hi All,
 
 Can Openssl be used to create wildcard certificates?
 To what extent does OpenSSL support wildcard certs?
 

Yes, it can create them, since they just have components with certain
characters like '*' in them, e.g. *.foobarinc.com .

Currently it is the application's responsibility to check that hostnames etc.
are consistent with the certificate details (CN matches hostname, for example).

There is no functionality for wildcard certificates, so it would also be
the application's responsibility to check that the wildcard name matched the
expected hostname.

Steve.
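Since, as Steve says, matching the certificate name against the hostname is left to the application, here is the sort of check an application can carry out itself. This is an added example, not code from the thread or from OpenSSL. The rules it applies are an assumption chosen for the demo: comparison is case-insensitive; a '*' is accepted only as the entire leftmost label, followed by at least two more labels; the wildcard matches exactly one label and never spans a dot; anything else (a partial label like "w*", a second '*', a wildcard that is not leftmost) is rejected. The sample names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. A hostname check an application can run
# itself, since OpenSSL leaves matching the certificate name to the application.
# Rules (an assumption for this demo): case-insensitive comparison; '*' only as
# the whole leftmost label with at least two labels after it; the wildcard
# matches exactly one label and never spans a dot. Sample names are constructed.

set -f   # no pathname globbing: the '*' in the sample names is data, not a glob

# hostname_matches <name from certificate> <name the client connected to>
# Returns 0 when the certificate name covers the host, 1 otherwise.
hostname_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')

    case $pattern in
        *\**)
            # Only "*.label.label[...]" is acceptable: reject a partial label
            # ("w*"), a non-leftmost wildcard, or too few labels ("*.com").
            case $pattern in
                \*.*.*) ;;
                *) return 1 ;;
            esac
            suffix=${pattern#\*}                      # ".example.test"
            case $suffix in *\**) return 1 ;; esac    # a second '*' anywhere
            first=${host%%.*}                         # leftmost label of the host
            rest=${host#*.}                           # everything after that label
            # the host needs a non-empty leftmost label, at least one dot, and
            # the remainder must equal the certificate's suffix exactly
            [ -n "$first" ] && [ "$rest" != "$host" ] && [ ".$rest" = "$suffix" ]
            ;;
        *)
            [ "$pattern" = "$host" ]                  # no wildcard: exact match only
            ;;
    esac
}

# Constructed checks; prints match / no match for each certificate-name, host pair.
for pair in '*.example.test www.example.test' \
            '*.example.test a.b.example.test' \
            '*.example.test example.test' \
            'w*.example.test www.example.test' \
            '*.test www.test' \
            'WWW.example.test www.example.test'
do
    set -- $pair
    if hostname_matches "$1" "$2"; then r=match; else r="no match"; fi
    printf '%-18s %-18s %s\n' "$1" "$2" "$r"
done
```

The two rejections worth keeping in mind are the second and fifth pairs: letting "*.example.test" cover "a.b.example.test" would let one certificate stand for every subdomain at any depth, and letting "*.test" cover "www.test" would let it stand for an entire top-level domain.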


Re: OpenSSL 0.9.6i generating invalid certificates

2003-07-02 Thread Dr. Stephen Henson
On Wed, Jul 02, 2003, Jeremy Wiebe wrote:

 Hello again,
 
 I was using OpenSSL 0.9.6g for my development.  I noticed that 0.9.6i was
 released and decided to test it.  
 
 I found that using the same scripts as for version 0.9.6g generates
 certificates that Windows deems invalid.  I have a self-signed CA
 certificate that I use for various CA activities, including signing
 certificate requests from IIS.  With version 0.9.6g I can sign these CSRs
 and import them successfully into IIS.  After upgrading to 0.9.6i the
 generated certificates are invalid (according to Windows).  The message
 displayed in the Certificate window (after double-clicking on the generated
 .cer file) is Certificate has a nonvalid digital signature.  I tried
 generating a new CA certificate (using the CA.pl script) and it yields the
 same results. 
 
 Has anyone seen this problem? 
 
 For the time being this is strictly for my curiosity as I'm content
 releasing the software targeted specifically for version 0.9.6g.
 

Can you send me an example of such a certificate?

Steve.