CA certificate and multi-signatures

2004-04-26 Thread testpgp
Hi
I'm trying to double-sign a CA certificate with two other CAs (CA1 and
CA2). Unfortunately, I can't see such an option in openssl. The command I
usually use is the following:
openssl ca -in ca3.req -out ca3.pem -keyfile ca2.key -cert ca2.pem 
-days 1095 -extensions CA_SSL -config

I tried copying the CA1 and CA2 certificates into the same file (and the
same for the private keys), then executing the command above, but I get
the same result.

Thanks in advance for your help,
Regards,


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Re: CA certificate and multi-signatures

2004-04-26 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Mon, 26 Apr 2004 08:27:12 +0200, testpgp [EMAIL 
PROTECTED] said:

testpgp I'm trying to double-sign a CA certificate with two other CAs
testpgp (CA1 and CA2). Unfortunately, I can't see such an option in
testpgp openssl. The command I usually use is the following:
testpgp openssl ca -in ca3.req -out ca3.pem -keyfile ca2.key -cert ca2.pem 
testpgp -days 1095 -extensions CA_SSL -config

The reason you can't do it with OpenSSL is that the X.509 certificate
format only allows one signature.  Period.

If you want to have your certificate signed by two CAs, you really
need to have two certificates, each signed by one of the CAs.  This is
perfectly legal in a PKI, and it will be up to the relying party to
check your certificate against the correct CA.

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.


Issue with OpenSSL when attempting to gen a key

2004-04-26 Thread Sheldon Anderson
Hello,

Has anyone seen this type of error on AIX 5.1?

Also, does anyone know how to override the path to the openssl.cnf file?

openssl req -new -nodes -keyout private.key -out public.csr
Using configuration from
/ii/pa/openssl-0.9.6.7/usr/local/ssl/openssl.cnf
Unable to load config info
Generating a 512 bit RSA private key
...
...
writing new private key to 'private.key'
-----
unable to find 'distinguished_name' in config
problems making Certificate Request
26310:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
26310:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
26310:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
26310:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
26310:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
26310:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
26310:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
26310:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
26310:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
26310:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
26310:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:
26310:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:conf_lib.c:343:

Thanks,

Sheldon Anderson
ITD Technical Services
1784 North Decatur Rd.
Atlanta, GA 30322
404-727-0723
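
The output above shows the config path compiled into that build ("Using configuration from ..."), and the two errors that follow are what `openssl req` prints when that file cannot be loaded or its [req] section names no distinguished_name section. As an added example that is not code from this thread or from OpenSSL: the path can be overridden per command with `-config FILE`, or for the whole session with the OPENSSL_CONF environment variable. The script below writes one config that reproduces the failure and one that works (default_bits = 2048 in place of the 512-bit default visible in the output, which is far too small to be safe); file names, the subject and the key size are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL. Shows how to point
# `openssl req` at a config file of your own (per command with -config, or per
# session with OPENSSL_CONF) and why the request above failed: the [req]
# section must name a distinguished_name section. File names, the subject and
# the 2048-bit key size are assumptions.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A config that reproduces the error: [req] exists but has no distinguished_name.
cat > "$WORK/broken.cnf" <<'EOF'
[ req ]
default_bits = 2048
EOF

# A minimal working config. default_bits replaces the 512-bit default seen in
# the output above; prompt = no makes the DN come from the file, not the tty.
cat > "$WORK/good.cnf" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = host.example.test
O  = Example Org
EOF

gen_csr() {   # gen_csr CONFIG KEYOUT CSROUT -> exit status of openssl req
  openssl req -new -nodes -config "$1" -keyout "$2" -out "$3" >/dev/null 2>&1
}

key_bits() {  # key_bits KEYFILE -> modulus size of an RSA private key
  openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*Key: (\([0-9]*\) bit.*/\1/p'
}

# 1. Explicit -config with the broken file fails the way the post does
csr_with_broken_config() {
  ! gen_csr "$WORK/broken.cnf" "$WORK/k1.key" "$WORK/r1.csr"
}

# 2. The same command with the good file succeeds, with DN and key size from the file
csr_with_good_config() {
  gen_csr "$WORK/good.cnf" "$WORK/k2.key" "$WORK/r2.csr" || return 1
  openssl req -in "$WORK/r2.csr" -noout -subject | grep -q 'host.example.test' || return 1
  [ "$(key_bits "$WORK/k2.key")" = "2048" ]
}

# 3. OPENSSL_CONF selects the file without touching the command line
csr_with_env_config() {
  OPENSSL_CONF="$WORK/good.cnf" openssl req -new -nodes \
    -keyout "$WORK/k3.key" -out "$WORK/r3.csr" >/dev/null 2>&1 || return 1
  openssl req -in "$WORK/r3.csr" -noout -verify >/dev/null 2>&1   # CSR self-signature checks out
}

csr_with_broken_config && csr_with_good_config && csr_with_env_config \
  && echo "ok: -config and OPENSSL_CONF both override the compiled-in openssl.cnf path"
```

Run it as `sh script.sh`; it needs only the openssl binary. OPENSSL_CONF is the right tool when a whole build or a set of cron jobs must use one file; `-config` is better in scripts, because the command then documents which policy file produced the request.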


Windows fd/socket problem with BIO

2004-04-26 Thread stef duverger
Hi all,

I'm working on a multi-client server under Windows 2000.
My problem is about file descriptor / socket confusion
when creating a BIO.

In fact the main code's job is to accept the socket into an
int variable, then CreateProcess(). This function is
called with the newly accepted socket as an argument, in
place of file descriptor number 0 (input).

SOCKET ctrl = accept(listener, NULL, NULL);   /* listener: the bound socket */
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof si);
si.cb         = sizeof si;
si.hStdInput  = (HANDLE)ctrl;
si.hStdOutput = INVALID_HANDLE_VALUE;
si.hStdError  = INVALID_HANDLE_VALUE;
si.dwFlags    = STARTF_USESTDHANDLES;

CreateProcess(..., TRUE /* inherit handles */, ..., &si, &pi);

The new process will inherit the socket as file descriptor 0.
Then the problems come:

I create a BIO with BIO_new_socket(), then the SSL
object, and do the set_bio() on this SSL object.

Then SSL_accept() is called and the application fails with a
"memory could not be written" message.

I've tried to set the BIO using BIO_new_fd(), since
Windows has problems with mixing file descriptors and
sockets. Damn, with this BIO it works strangely; in
fact my client dumps this error:

SSL: error:140920F8:SSL
routines:SSL3_GET_SERVER_HELLO:unknown cipher returned

But I have no segfault.

I have also tried to use BIO_new(BIO_s_socket()) in
order to retrieve the right method. No success, the
application segfaults too.

I really thought that with these BIO methods the lib
would give me the desired BIO to create my SSL object.

I think there is a problem with this file descriptor 0
used as a socket. In fact when I don't CreateProcess()
and manage only one client, the socket is always the
descriptor retrieved from the accept() call, and there is
no problem when I do BIO_new_socket(), set_bio() and
SSL_accept(). All works great.

Do you think I have to inherit the socket in
another handle than stdin? Or maybe it is a problem
in the OpenSSL lib?

Version used is: openssl-0.9.7d

thanks in advance

Regards,

NB: The same code (SSL context init, client verification
settings, CA list loading, ...) with fork() is used with
success under Unix. The only difference is that Unix
handles sockets and file descriptors the same way:
write/send and read/recv can be used with either an
fd or a socket, but not under Windows. Maybe the BIO is not
able to be set correctly and this leads to the errors.



Re: Intermittent crash in DH_free

2004-04-26 Thread Geoffrey Huang
Richard Levitte - VMS Whacker wrote:
In message [EMAIL PROTECTED] on Mon, 26 Apr 2004 11:56:01 -0700, Geoffrey Huang [EMAIL 
PROTECTED] said:
geoff I'm experiencing an intermittent crash in one of my
geoff application's unit tests.  When it crashes, it does so at
geoff DH_free().  The call stack is:
geoff 
geoff __int_free() from /lib/tls/libc.so.6
geoff free from /lib/tls/libc.so.6
geoff CRYPTO_free at mem.c:374

That's it?  Nothing else at all, not even main() somewhere?  Could it
be that you're trashing your stack somewhere?  Everytime I get a short
traceback like that, that's exactly what's happened to me...
Well, no, that's not it.  Above that, it was my own code.  Actually, now that you 
bring up the stack, it's interesting that DH_free wasn't listed in the stack trace.

I'll go back and look again.
-g


Re: Socket Library Comments Request

2004-04-26 Thread Garrett Kajmowicz
On April 26, 2004 06:11 pm, Andrew Marlow wrote:
 [EMAIL PROTECTED] writes:
 I've written a C++ Socket wrapper library based upon the Berkeley Socket
 Interface.  It also optionally supports SSL through the use of OpenSSL.
 Linux (Unix possibly) only currently supported.  A Win32 port will be
 forthcoming. Documentation is included.
 
 I am requesting comments on any aspect of the library that might go
 towards
 improving it.

 There are lots of socket classes around, what's the motivation for this
 one?

It's in the documentation  :-)

In part I wanted something easy to use and lightweight, which didn't require users 
to jump through odd hoops to use it.  A number of socket libraries require you to 
re-implement the class to handle data reception - this is an ugly solution, 
IMHO, so I have written something else.

I looked up the ACE library just now.  Before doing this development, I 
searched online for such libraries and didn't come across ACE until you mentioned 
it by name.  I took a look at it, but from my _brief_ look at the sample 
tutorials available it seems to require class reimplementation and callbacks 
to get stuff to work.

Look forward to your comments.

-   Garrett Kajmowicz


RE: Sample config file

2004-04-26 Thread Archer-Lampron
Thank you for the reply.

I do not have an openssl.cnf file anywhere in the Apache Group directory nor
in its subdirectories.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: Sunday, April 25, 2004 12:07 PM
To: [EMAIL PROTECTED]
Subject: Re: Sample config file


On Fri, Apr 23, 2004, Archer-Lampron wrote:

 Hello,

 I am a newbie trying to generate my first certificates with openssl for
use
 with Apache on Windows XP.  I seem to be missing a .CONF configuration
file.
 Is a sample available somewhere?

 Thanks for any assistance that can be provided.


openssl.cnf in the apps directory.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


RE: Sample config file

2004-04-26 Thread Carlos Roberto Zainos H
Hi !
Dr Henson refers to openssl-0.9.7.your-dist/apps (if you're working on a Linux/Unix box); in that directory there is an openssl.cnf file (the OpenSSL example configuration file).

If you're working on Win32 there must be an openssl.cnf in C:\openssl-folder\bin. In both cases you must customize that file (if you want); for testing purposes, the file without changes should be OK.

Zainos

Windows fd/socket problem with BIO: solved !

2004-04-26 Thread stef duverger
It's good. I have found a solution on MSDN. I have to
duplicate the socket handle:

HANDLE ctrl_dup;
DuplicateHandle(GetCurrentProcess(), (HANDLE)ctrl,
                GetCurrentProcess(), &ctrl_dup,
                0, TRUE, /* inheritable: the child may use it */
                DUPLICATE_SAME_ACCESS);

Then put ctrl_dup on the command-line args for
CreateProcess().

This value is easily retrieved by parsing the new process's
args. The retrieved handle can correctly be used as
a socket with BIO_new_socket() and so on.

I hope this could help somebody oneday.

bye



SSL_CTX_use_certificate_chain_file()

2004-04-26 Thread Joseph Bruni
The man page for SSL_CTX_use_certificate_chain_file states:
SSL_CTX_use_certificate_chain_file() loads a certificate chain from
file into ctx. The certificates must be in PEM format and must be
sorted starting with the certificate to the highest level (root CA).
There is no corresponding function working on a single SSL object.
My PKI hierarchy consists of three layers, a self-signed root CA that 
is owned by the corporate security group, a sub-CA that is responsible 
for distributing end-user certificates, and end users who receive 
certificates from the sub-CA.

The server certificate is issued by the root CA.
User certificates are issued by the sub-CA.
The root certificate is loaded into the CTX using 
SSL_CTX_load_verify_locations() on both client and server applications.

Now comes the question:
o If I build a certificate chain file as described in the man page with 
all three certificates (user, sub-CA, root-CA), the handshake fails.

o If I build a certificate chain file with only two certificates 
(user, sub-CA), the handshake succeeds.

Why? Is this a bug? Or is there something more subtle going on?
