Der-coded .crt certificates

2004-03-29 Thread Johann Normann
Hi.

Does anyone know the commands to export the root certificate to a
DER-encoded binary file with the .crt ending?
I run openssl on a Windows 2000 server.

Johann Normann



__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Re: installation problems

2004-03-29 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Mon, 29 Mar 2004 08:05:34 -0800, Brian Lauer <[EMAIL PROTECTED]> said:

brian8192> During configuration you need to specify whether you want
brian8192> shared libraries or archive files (./configure --shared).

Correction: ./config shared

brian8192> You can convert an archive file to a shared object by doing
brian8192> this:
brian8192> 
brian8192> gcc -o libssl.so --shared libssl.a
brian8192> gcc -o libcrypto.so --shared libcrypto.a

You need a little more than that, or you may end up with very little.
At the very least, you need to say that the whole static library
should be used to build the shared library, not just the "missing
symbols", with -Wl,--whole-library:

gcc -o libssl.so --shared -Wl,--whole-library libssl.a
gcc -o libcrypto.so --shared -Wl,--whole-library libcrypto.a

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.


[Announce] M2Crypto 0.13

2004-03-29 Thread Ng Pheng Siong
Hi,

M2Crypto 0.13 is now available.

M2Crypto is a Python interface to OpenSSL featuring the following:

  * RSA, DSA, DH, HMACs, message digests, symmetric ciphers (including AES).
  * SSL functionality to implement clients and servers.
  * HTTPS extensions to Python's httplib, urllib, and xmlrpclib.
  * Unforgeable HMAC'ing AuthCookies for web session management.
  * FTP/TLS client and server.
  * S/MIME.
  * ZServerSSL: A HTTPS server for Zope.
  * ZSmime: An S/MIME messenger for Zope.

Get it here:

http://sandbox.rulemaker.net/ngps/m2/

Feedback is appreciated. Cheers.

-- 
Ng Pheng Siong <[EMAIL PROTECTED]> 

http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
http://sandbox.rulemaker.net/ngps -+- Open Source Python Crypto & SSL


Re: installation problems

2004-03-29 Thread Brian Lauer

During configuration you need to specify whether you want shared
libraries or archive files (./configure --shared).  You can convert an
archive file to a shared object by doing this:

gcc -o libssl.so --shared libssl.a
gcc -o libcrypto.so --shared libcrypto.a

Try that first, and if that fails for some reason, rebuild with the
--shared flag.


On Mon, 2004-03-29 at 14:07, Colleen Nagle wrote:
> Greetings,
> 
> I have just installed openssl for linux-elf, and followed the install 
> file instructions. I am utilizing a shopping cart that needs the 
> libcrypto.so and libssl.so files. The only files I have in the lib 
> directory are
> libcrypto.a, libssl.a and ssleay.conf. How do I generate the .so files?
> 
> Thanks!
> Colleen
> 
> 


installation problems

2004-03-29 Thread Colleen Nagle
Greetings,

I have just installed openssl for linux-elf, and followed the install 
file instructions. I am utilizing a shopping cart that needs the 
libcrypto.so and libssl.so files. The only files I have in the lib 
directory are
libcrypto.a, libssl.a and ssleay.conf. How do I generate the .so files?

Thanks!
Colleen


Re: Can't open CER certificate

2004-03-29 Thread Dr. Stephen Henson
On Mon, Mar 29, 2004, Carlos Roberto Zainos H wrote:

> Hi Dr Stephen :
>  
> Thanks for your answer
>  
> As you told me I ran the openssl x509 command in win32 command line, and the result 
> was the next:
>  
> With a CA certificate:
> C:\openssl\bin>openssl x509 -in c:\crzh\progs\ac.cer -noout -text
> unable to load certificate
> 660:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:637:Expecting: TRUSTED CERTIFICATE
>  
> With an end_user certificate:
> C:\openssl\bin>openssl x509 -in c:\crzh\progs\agente_monitor.cer -noout -text
> unable to load certificate
> 1204:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:637:Expecting: TRUSTED CERTIFICATE
>  
> What does it mean??
>  
> What can I do?
>  
> I'm using openssl-0.9.7d
>  
> Thanks in advance
>  

Try it with the -inform DER switch.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
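
The PEM/DER mismatch behind the "no start line" error above, and the DER export asked about in the "Der-coded .crt certificates" post, as an added example that is not part of the original thread: it classifies certificate bytes and builds the matching `openssl x509` arguments. The function names, `root.pem`, `root.crt` and the sample bytes are assumptions constructed for illustration.

```python
import base64
import re

# PEM armour labels; "TRUSTED CERTIFICATE" is the label named in the
# "Expecting:" part of the error quoted in the thread.
PEM_RE = re.compile(
    rb"-----BEGIN ((?:TRUSTED |X509 )?CERTIFICATE)-----(.*?)-----END \1-----",
    re.S,
)

def der_sequence_len(data: bytes):
    """Total encoded length of a leading DER SEQUENCE, or None if absent."""
    if len(data) < 2 or data[0] != 0x30:        # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length octets
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def sniff_encoding(data: bytes) -> str:
    """Classify certificate bytes as 'PEM', 'DER' or 'unknown'."""
    if PEM_RE.search(data):
        return "PEM"
    if der_sequence_len(data) == len(data):     # one complete SEQUENCE, no trailer
        return "DER"
    return "unknown"

def to_der(data: bytes) -> bytes:
    """Return the DER bytes whether the input was PEM or already DER."""
    kind = sniff_encoding(data)
    if kind == "PEM":
        return base64.b64decode(PEM_RE.search(data).group(2))
    if kind == "DER":
        return data
    raise ValueError("neither PEM nor a complete DER SEQUENCE")

def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour (CRLF line ends, as on Windows)."""
    b64 = base64.b64encode(der)
    body = b"\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (b"-----BEGIN CERTIFICATE-----\r\n" + body +
            b"\r\n-----END CERTIFICATE-----\r\n")

def x509_text_args(path: str, data: bytes) -> list:
    """Arguments for dumping a certificate with the right -inform value."""
    kind = sniff_encoding(data)
    if kind == "unknown":
        raise ValueError("not a PEM or DER certificate file")
    return ["openssl", "x509", "-inform", kind, "-in", path, "-noout", "-text"]

def der_export_args(src: str, data: bytes, dst: str) -> list:
    """Arguments for writing the certificate out as DER (e.g. a .crt file)."""
    return ["openssl", "x509", "-inform", sniff_encoding(data),
            "-in", src, "-outform", "DER", "-out", dst]

# Constructed sample: a 270-byte DER SEQUENCE of zero bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(0x010A)
SAMPLE_PEM = to_pem(SAMPLE_DER)
```
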


Re: OpenSSL 0.9.7d test failures on HP-UX 11.00 (hpux-parisc2-cc)

2004-03-29 Thread Marko Asplund
apparently my knowledge of HP compilers was a bit lacking. the 
hpux-parisc2-cc target seems to have been written with HP C/ANSI C, not 
HP aC++ compiler in mind. with the latest version (B.11.11.08) of HP 
C/ANSI C compiler OpenSSL 0.9.7d compiles without problems on HP-UX 
11.00 using the hpux-parisc2-cc target. but it seems to compile fine 
with aC++ 3.52 with the optimization level downgrade. also, makedepend 
seems to be part of the imake package.

best regards,
aspa

Marko Asplund wrote:
> i've upgraded my C compiler from an older version of HP aC++ to v3.52 on
> HP-UX 11.00 and i'm trying to build OpenSSL v0.9.7d using the
> hpux-parisc2-cc target. using the old compiler version OpenSSL build
> went ok but using the new one some tests, e.g. destest, are failing (see
> attached typescript for details). i experimented with the optimization
> levels for this target and noticed that changing +O3 to +O2 fixes this
> problem. is this a bug in OpenSSL or the compiler?
>
> i'm also getting some error messages about makedepend command not being
> found during 'make depend'. is this fatal when building from a fresh
> source tree? where can i get the makedepend program?




Can't open CER certificate

2004-03-29 Thread Carlos Roberto Zainos H
Hi Dr Stephen :
 
Thanks for your answer
 
As you told me I ran the openssl x509 command in win32 command line, and the result was the next:
 
With a CA certificate:
C:\openssl\bin>openssl x509 -in c:\crzh\progs\ac.cer -noout -text
unable to load certificate
660:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:637:Expecting: TRUSTED CERTIFICATE
 
With an end_user certificate:
C:\openssl\bin>openssl x509 -in c:\crzh\progs\agente_monitor.cer -noout -text
unable to load certificate
1204:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:637:Expecting: TRUSTED CERTIFICATE
 
What does it mean??
 
What can I do?
 
I'm using openssl-0.9.7d
 
Thanks in advance
 
Zainos

Re: openssl errors

2004-03-29 Thread Dr. Stephen Henson
On Mon, Mar 29, 2004, Neil Lowden wrote:

> Steve
> 
> Thanks for confirming my suspicions.
> 
> I think it's likely I am missing variables rather than having set them
> incorrectly. It doesn't seem appropriate to post my config here as that just
> means someone else taking the effort to see what's missing when I should be
> doing it. I have checked my file against most of the sample configs I found
> on the web and it looks ok.
> 
> Is there a definitive list of config file variables?
> 

If there was something mandatory missing it should result in a fatal error.

It seems like whatever error print function you are using isn't showing the
error string data otherwise it would show the variable it was attempting to
look up.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: openssl errors

2004-03-29 Thread Neil Lowden
Steve

Thanks for confirming my suspicions.

I think it's likely I am missing variables rather than having set them
incorrectly. It doesn't seem appropriate to post my config here as that just
means someone else taking the effort to see what's missing when I should be
doing it. I have checked my file against most of the sample configs I found
on the web and it looks ok.

Is there a definitive list of config file variables?

-Neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: 29 March 2004 18:05
To: [EMAIL PROTECTED]
Subject: Re: openssl errors


On Mon, Mar 29, 2004, Neil Lowden wrote:

> I am experimenting with the openssl extension in PHP with generally a great
> deal of success.
>
> However, certain functions, which otherwise succeed, leave errors on the
> openssl error stack. As you may know, PHP wraps most of the raw openssl
> functions so I am not sure exactly which raw functions are placing errors on
> the stack. Nevertheless, it's pretty obvious that all these relate to some
> problem with my openssl.cnf file. The problem is these errors are rather
> terse. For instance the PHP call to generate a new key pair leaves 7 of the
> following errors on the stack:
>
> error:0906D06C:configuration file routines:NOCONF_get_string:no value
>
> But as I said, the call certainly works and generates a valid key pair.
> Seems like a few variables are missing or bad in the file. So does anyone
> have any idea how I might establish what may be missing or misconfigured in
> my openssl.cnf file?
>

When a config file variable lookup fails that error occurs. Normally this just
means that the configuration file didn't include a certain option.

OpenSSL applications normally clear such errors so they don't appear in the
queue. It's possible that a few have been missed.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


Re: openssl errors

2004-03-29 Thread Dr. Stephen Henson
On Mon, Mar 29, 2004, Neil Lowden wrote:

> I am experimenting with the openssl extension in PHP with generally a great
> deal of success.
> 
> However, certain functions, which otherwise succeed, leave errors on the
> openssl error stack. As you may know, PHP wraps most of the raw openssl
> functions so I am not sure exactly which raw functions are placing errors on
> the stack. Nevertheless, it's pretty obvious that all these relate to some
> problem with my openssl.cnf file. The problem is these errors are rather
> terse. For instance the PHP call to generate a new key pair leaves 7 of the
> following errors on the stack:
> 
> error:0906D06C:configuration file routines:NOCONF_get_string:no value
> 
> But as I said, the call certainly works and generates a valid key pair.
> Seems like a few variables are missing or bad in the file. So does anyone
> have any idea how I might establish what may be missing or misconfigured in
> my openssl.cnf file?
> 

When a config file variable lookup fails that error occurs. Normally this just
means that the configuration file didn't include a certain option.

OpenSSL applications normally clear such errors so they don't appear in the
queue. It's possible that a few have been missed.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


openssl errors

2004-03-29 Thread Neil Lowden
I am experimenting with the openssl extension in PHP with generally a great
deal of success.

However, certain functions, which otherwise succeed, leave errors on the
openssl error stack. As you may know, PHP wraps most of the raw openssl
functions so I am not sure exactly which raw functions are placing errors on
the stack. Nevertheless, it's pretty obvious that all these relate to some
problem with my openssl.cnf file. The problem is these errors are rather
terse. For instance the PHP call to generate a new key pair leaves 7 of the
following errors on the stack:

error:0906D06C:configuration file routines:NOCONF_get_string:no value

But as I said, the call certainly works and generates a valid key pair.
Seems like a few variables are missing or bad in the file. So does anyone
have any idea how I might establish what may be missing or misconfigured in
my openssl.cnf file?

-Neil



Mac IE 'Security failure. Data decryption error.'

2004-03-29 Thread Randall Perry
Getting the error 'Security Failure. Data decryption error.' in Mac
Internet Explorer 5.2.3 when connecting to my apache https. All other
browsers I've tested on Mac and PC (including IE) connect properly.

Using apache 1.3.29 with mod_ssl-2.8.16-1.3.29, mm-1.3.0,
openssl-0.9.7c on Mac OS X Server 10.3.2.

Checked the error.log and saw this:

[Thu Mar 25 19:14:15 2004] [error] mod_ssl: SSL handshake interrupted
by system [Hint: Stop button pressed in browser?!] (System error
follows)
[Thu Mar 25 19:14:15 2004] [error] System: Connection reset by peer
(errno: 54)

I know I tested this successfully in the past. I've got this enabled
in httpd.conf:
  BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown \
   downgrade-1.0 force-response-1.0
  BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown

I'm sure it's a server-side config problem because I don't have any problems
connecting to apache based https servers with Mac IE.

HELP! 

-- 
Randall Perry
sysTame

Xserve Web Hosting/Co-location
Website Development/Promotion
Mac Consulting/Sales

http://www.systame.com/




Re: order of extensions

2004-03-29 Thread Richard Levitte - VMS Whacker
In message <[EMAIL PROTECTED]> on Mon, 29 Mar 2004 16:55:27 +0200 (MEST), "Claus Nagel" <[EMAIL PROTECTED]> said:

claus-nagel> hi, is there a certain order, in which for example
claus-nagel> extensions have to appear in the asn-code of a
claus-nagel> certificate? do basicConstraints for example have to
claus-nagel> appear before the keyUsage?

Order is unimportant with extensions.

claus-nagel> and the same question for the subject and issuer
claus-nagel> information. do the country information have to appear
claus-nagel> for example before the commonName?

Order is important in directory names such as subject and issuer.

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.


Re: order of extensions

2004-03-29 Thread Dr. Stephen Henson
On Mon, Mar 29, 2004, Claus Nagel wrote:

> hi, is there a certain order, in which for example extensions have to appear
> in the asn-code of a certificate? do basicConstraints for example have to
> appear before the keyUsage?

No the order is arbitrary and applications should not make any assumptions
about the order.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


order of extensions

2004-03-29 Thread Claus Nagel
hi, is there a certain order, in which for example extensions have to appear
in the asn-code of a certificate? do basicConstraints for example have to
appear before the keyUsage? and the same question for the subject and issuer
information. do the country information have to appear for example before the
commonName?
thanx for answers,
claus nagel



Re: IE's problem while visiting HTTPS

2004-03-29 Thread Dr. Stephen Henson
On Mon, Mar 29, 2004, linux guy wrote:

> IE can not visit our HTTPS webserver while I create a self-signed certificate with a
> RSA key which size is less than 365 bits, but they work well when the RSA size is
> more than or equal to 365.

I'm surprised it can handle 365 bits. For SSLv3 and TLS as I mentioned
recently the key size has to be large enough to send a 48 byte premaster
secret. Add the 11 bytes of padding and you get 472 bits as a minimum.

Are you using SSLv2 by any chance?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk