Openssl 0.9.7 and Sendmail 8.13.0

2004-07-18 Thread The Doctor
Are there any known issues??

I got

doctor.nl2k.ab.ca//usr/source/sendmail-8.13.0$ openssl s_client -starttls smtp -connect 127.0.0.1:25
CONNECTED(0003)
7464:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:478:

What??

-- 
Member - Liberal International  
This is [EMAIL PROTECTED]   Ici [EMAIL PROTECTED]
God Queen and country! Beware Anti-Christ rising!
Microsoft is not the solution; it is the question; what is the answer?? NO!!
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]


Re: Openssl 0.9.7 and Sendmail 8.13.0

2004-07-18 Thread George Theall
On Sun, Jul 18, 2004 at 02:30:13PM -0600, The Doctor wrote:

> Are there any known issues??
...
> doctor.nl2k.ab.ca//usr/source/sendmail-8.13.0$ openssl s_client -starttls smtp -connect 127.0.0.1:25
> CONNECTED(0003)
> 7464:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:478:

Check whether there's a line such as srv_features:127.0.0.1 S in your
mail server's access DB -- that disables STARTTLS when the connecting
client is 127.0.0.1. 

George
-- 
[EMAIL PROTECTED]




Re: Openssl 0.9.7 and Sendmail 8.13.0

2004-07-18 Thread The Doctor
On Sun, Jul 18, 2004 at 04:50:49PM -0400, George Theall wrote:
> On Sun, Jul 18, 2004 at 02:30:13PM -0600, The Doctor wrote:
>
> > Are there any known issues??
> ...
> > doctor.nl2k.ab.ca//usr/source/sendmail-8.13.0$ openssl s_client -starttls smtp -connect 127.0.0.1:25
> > CONNECTED(0003)
> > 7464:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:478:
>
> Check whether there's a line such as srv_features:127.0.0.1 S in your
> mail server's access DB -- that disables STARTTLS when the connecting
> client is 127.0.0.1.


in access.db?
 
> George
> --
> [EMAIL PROTECTED]





Re: Openssl 0.9.7 and Sendmail 8.13.0

2004-07-18 Thread George Theall
On Sun, Jul 18, 2004 at 03:18:48PM -0600, The Doctor wrote:
> On Sun, Jul 18, 2004 at 04:50:49PM -0400, George Theall wrote:
> >
> > Check whether there's a line such as srv_features:127.0.0.1 S in your
> > mail server's access DB -- that disables STARTTLS when the connecting
> > client is 127.0.0.1.
>
>
> in access.db?

That depends on the type of database support sendmail was built with,
but probably yes. 

By the way, access.db is a database so you'll need to do something like
praliases -f access.db to read its contents.  And in that case, the
line will probably read srv_features:127.0.0.1:S. 

George
-- 
[EMAIL PROTECTED]




Re: Openssl 0.9.7 and Sendmail 8.13.0

2004-07-18 Thread The Doctor
On Sun, Jul 18, 2004 at 09:02:22PM -0400, George Theall wrote:
> On Sun, Jul 18, 2004 at 03:18:48PM -0600, The Doctor wrote:
> > On Sun, Jul 18, 2004 at 04:50:49PM -0400, George Theall wrote:
> > >
> > > Check whether there's a line such as srv_features:127.0.0.1 S in your
> > > mail server's access DB -- that disables STARTTLS when the connecting
> > > client is 127.0.0.1.
> >
> >
> > in access.db?
>
> That depends on the type of database support sendmail was built with,
> but probably yes.
>
> By the way, access.db is a database so you'll need to do something like
> praliases -f access.db to read its contents.  And in that case, the
> line will probably read srv_features:127.0.0.1:S.


And praliases said:

 
Script started on Sun Jul 18 20:34:47 2004
doctor.nl2k.ab.ca//usr2/home/doctor$ps raliases -p /etc/mail/access.db
praliases: illegal option -- p
usage: praliases [-C cffile] [-f aliasfile]
doctor.nl2k.ab.ca//usr2/home/doctor$praliases -p 
/etc/mail/access.db /etc/mail/access.dbf 
/etc/mail/access.db
doctor.nl2k.ab.ca//usr2/home/doctor$exit
exit

Script done on Sun Jul 18 20:35:11 2004
> George
> --
> [EMAIL PROTECTED]





RE: X.509 certificates invalid certificates.

2004-07-18 Thread sakthi.subramaniam

It's not clear what you want to do from this 30/31 years business.
The number of years difference between Not Valid before and Not valid
after should not exceed 30 years in the certificates. How can I check
it?

Thanks
Sakthi S G

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Sunday, July 18, 2004 2:28 AM
To: [EMAIL PROTECTED]
Subject: Re: X.509 certificates invalid certificates.


On Thu, Jul 15, 2004, [EMAIL PROTECTED] wrote:


> Hi.,
>   I am passing the certificates which will be valid for 31 years for
> openssl routines.. but the I need to have implementation that it
> should check only for 30 years..Is there any function available?
> Currently I am calling x509_verify() for this certificate but it says
> it is valid.How can I check all fields (country, organisation,
> locality, unit) is present in the certificate?


It's not clear what you want to do from this 30/31 years business.
X509_verify() by itself will just check the signature.
X509_verify_cert() will do a more complete chain verification
including extensions and expiry times.

As for checking for the presence of certain fields you can do
that with the X509_NAME API. You could I suppose use the x509
program and parse the textual output but that's a bit yucky.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk


SSL_accept core dumps..

2004-07-18 Thread rohit_shukla
Hi ,

My Secure server cores with dbx showing it in
SSL_accept under the following scenario..

1) Establish a successful connection with the client.
2) Data sent by client is read line by line using
BIO_gets and simultaneously interpreted.
3) Due to an application error the complete data is
not read from the SSL layer.
4) The connection is closed using calls SSL_shutdown,
BIO_free_all, SSL_free.
5) Another client asks for a connection.
6) SSL is initialised
7) SSL_accept gives core

I have noticed that things work fine when the complete
data from the underlying SSL layer is read. But cores
whenever incomplete data reading is done in the
previous session.

Please let me know if there are any inputs so that I
could proceed to solve this.

Thanks and Regards,
Rohit


Re: X.509 certificates invalid certificates.

2004-07-18 Thread Richard Levitte - VMS Whacker
In message [EMAIL PROTECTED] on Mon, 19 Jul 2004 09:51:35 +0530, [EMAIL PROTECTED] 
said:

sakthi.subramaniam>
sakthi.subramaniam> Its not clear what you want to do from this 30/31 years business.
sakthi.subramaniam> The number of years difference between Not Valid
sakthi.subramaniam> before and Not valid after  should not exceed 30
sakthi.subramaniam> years in the certificates..How can I check it ?

Since you're doing this by programming:

- You get the validity limits, using the macros X509_get_notBefore() and
  X509_get_notAfter()

- extract the year from the limits, using the function
  ASN1_extract_year() (NOT TESTED!) below.

- subtract one year from the other and check that it's lower than 31.


#include <openssl/asn1.h>

/* Return the four-digit year of an ASN1_TIME, or 0 if the value is bad. */
int ASN1_extract_year(ASN1_TIME *tm)
{
  int i, y;
  char *v;

  i=tm->length;
  v=(char *)tm->data;

  if (tm->type == V_ASN1_UTCTIME)
    {
      if (i < 10) return 0; /* Bad value */

      /* UTCTime has a two-digit year: 50-99 means 19xx, 00-49 means 20xx */
      y= (v[0]-'0')*10+(v[1]-'0');
      if (y < 50) y+=100;
      y+=1900; /* same scale as the GeneralizedTime branch */
    }
  else if (tm->type == V_ASN1_GENERALIZEDTIME)
    {
      if (i < 12) return 0; /* Bad value */

      y = (v[0]-'0')*1000+(v[1]-'0')*100 + (v[2]-'0')*10+(v[3]-'0');
    }
  else return 0; /* Bad time value */

  return y;
}


-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

-- 
Richard Levitte   \ Tunnlandsvägen 52 \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-708-26 53 44
\  SWEDEN   \
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

-
A: Because it fouls the order in which people normally read text. 
Q: Why is top-posting such a bad thing? 
A: Top-posting. 
Q: What is the most annoying thing on usenet and in e-mail?
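
An added example, not code from the thread: comparing only the years lets a certificate valid from July 2004 to December 2034 pass a 30-year limit, so this version compares the full timestamps. It takes the tag and the time string as they sit in an ASN1_TIME's type and data fields; the function names and the T_UTC/T_GEN constants are assumptions made for this example, and it has no OpenSSL dependency.

```c
#include <string.h>

/* Constructed stand-ins for the ASN.1 tags V_ASN1_UTCTIME / V_ASN1_GENERALIZEDTIME. */
enum { T_UTC = 23, T_GEN = 24 };

/* Read n decimal digits at s; returns -1 if any character is not a digit. */
static int digits(const char *s, int n)
{
    int v = 0;
    while (n-- > 0) {
        if (*s < '0' || *s > '9') return -1;
        v = v * 10 + (*s++ - '0');
    }
    return v;
}

/* Parse "YYMMDDHHMMSSZ" (UTCTime) or "YYYYMMDDHHMMSSZ" (GeneralizedTime) into
 * out[0..5] = year, month, day, hour, minute, second. Returns 0 on success. */
static int parse_asn1_time(int type, const char *s, int out[6])
{
    size_t want = (type == T_UTC) ? 13 : (type == T_GEN) ? 15 : 0;
    int ylen = (type == T_UTC) ? 2 : 4, k;

    if (want == 0 || strlen(s) != want || s[want - 1] != 'Z') return -1;
    if ((out[0] = digits(s, ylen)) < 0) return -1;
    if (type == T_UTC) out[0] += (out[0] < 50) ? 2000 : 1900;
    for (k = 1; k < 6; k++)
        if ((out[k] = digits(s + ylen + 2 * (k - 1), 2)) < 0) return -1;
    if (out[1] < 1 || out[1] > 12 || out[2] < 1 || out[2] > 31) return -1;
    return 0;
}

/* 1 if notAfter is at most max_years after notBefore, 0 if longer, -1 on bad input. */
int validity_within_years(int nb_type, const char *nb,
                          int na_type, const char *na, int max_years)
{
    int b[6], a[6], k;

    if (parse_asn1_time(nb_type, nb, b) || parse_asn1_time(na_type, na, a)) return -1;
    b[0] += max_years;            /* latest permitted notAfter */
    for (k = 0; k < 6; k++)       /* compare field by field, most significant first */
        if (a[k] != b[k]) return a[k] < b[k];
    return 1;                     /* exactly max_years, to the second */
}
```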