RSA Key verification failure
Hello All, I am working on an IPF(Itanium Processor Family) HPUX machine. Using the configure option hpux-ia64-cc would be the appropriate configure option while building OpenSSL in this platform. But I have problems withOpenSSH authentication when I use this option. OpenSSH uses libcrypto of OpenSSL to generate the RSA key pair.Scenario 1 - SSH builtusing OpenSSL configured with hpux-ia64-cc i. Generate RSA key pair #/usr/bin/ssh-keygen -t rsa1 ii.View the public key #cat //.ssh/identity.pub 1024 35 132930209076564001780747579042635122330299057445902509467023000 00349019205201074514728005030360980059713439703168643901029 101753840270447636402448290262026362746390202877148500919047739 [EMAIL PROTECTED] iii. Run the sshd daemon #/opt/ssh_hpux-cc/sbin/sshd -o'protocol 1' -ddd -e iv. Run the client #/opt/ssh_hpux-cc/bin/ssh -1 -l root -o 'PreferredAuthentications="pubkey"' localhost -vvv The sshd daemon rejects this key as a result the client authentication fails The compiler options for hpux-ia64-cc "hpux-ia64-cc","cc:-Ae +DD32 +O1 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_U NROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", Scenario 2 -SSH builtusing OpenSSL configured with hpux-cc i. Generate RSA key pair #/usr/bin/ssh-keygen -t rsa1 ii. View the public key #cat //.ssh/identity.pub 1024 35 1437122910944460067534870792490584153638875494206294171941680796472959390850506068660764130660092003114 6511827709926115182557164733137352007577919492698063416540177245308126918665480672846829658795559358482 1448512729384759808648867203588282392206887007723304276717097798871889974434155451797730883704857498211 [EMAIL PROTECTED] iii. Run the sshd daemon #/opt/ssh_hpux-cc/sbin/sshd -o'protocol 1' -ddd -e iv. Run the client #/opt/ssh_hpux-cc/bin/ssh -1 -l root -o 'PreferredAuthentications="pubkey"' localhost -vvv The sshd daemon accepts this key as a result the client authentication passes The Compiler options for hpux-cc are as follows : hpux-cc "hpux-cc", "cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O1 -z::(unknown)::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROL L DES_RISC1::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", My Analysis of the problem so far. 1. The problem occurs while creation ofn in the public key part of the rsa key n=p*q (where p and q areprime big numbers) 2 . The value of dmax in the bignumber structure indicates the size of the big number 3. The following functionreturnsthe value of dmax #define bn_expand(a,bits) ((bits+BN_BITS2-1))/BN_BITS2)) = (a)-dmax)? (a):bn_expand2((a),(bits)/BN_BITS2+1)) In this macro dmax is calculated as (bits)/BN_BITS2+1 OpenSSL configure option is hpux-cc dmax=(512)/32 +1 = 17 OpenSSL configure option is hpux-ia64-cc dmax=(512)64 +1= 9 Is this change in the value of dmax causes the variation in the public key. 4. The compileroptions SIXTY_FOUR_BIT andasm/ia64-cpp.o in hpux-ia64-cc causes this problem. When SIXTY_FOUR_BITis replaced by BN_LLONGand the asm/ia64-cpp.o option is removed then hpux-ia64-cc configure option works fine. Please correct me if I am wrong ? Thanks, Prakash __Do You Yahoo!?Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
setting certificate expiry to more than 30 days
Hello. I am posting this message again. Can someone help me over this. I am trying to create certificate using req command as follows, 1) First generated the cert request, openssl req -newkey rsa:1024 -config openssl.cnf -out xyz_careq.pem 2) Then generated the certificate as follows, openssl x509 -req -in xyz_careq.pem -extfile openssl.cnf -extensions req_extensions -signkey privatekey.pem -out xyz_cert.pem 3)When I see the expiry dates it shows as follows, openssl x509 -subject -issuer -dates -noout -in xyz_cert.pem subject= /C=US/O=XYZ/OU=XYZ Engineering Certification Authority/ST=KANSAS/L=Wichita/CN=XYZ Engineering CA/[EMAIL PROTECTED] issuer= /C=US/O=XYZ/OU=XYZ Engineering Certification Authority/ST=KANSAS/L=Wichita/CN=XYZ Engineering CA/Email=- notBefore=Feb 28 14:21:54 2005 GMT notAfter=Mar 30 14:21:54 2005 GMT Why is this happening? The certificate is generated fine with the x509 and -days 365 option. Can someone help me on this. Sanjay Acharya Wichita State University ---THE openssl.cnf FILE--- RANDFILE= $ENV::HOME/project/.rnd [ ca ] default_ca = my_ca_default [ my_ca_default ] dir = $ENV::HOME/project certs = $dir/certs crl_dir = $dir/crl database= $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/cacert.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/private/cakey.pem RANDFILE= $dir/private/.rand default_days= 365 default_crl_days = 1 default_md = sha1 x509_extensions = usr_cert policy = my_policy [ my_policy ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = supplied commonName = supplied emailAddress= supplied [ usr_cert ] basicConstraints=CA:false [ req ] default_bits= 2048 default_md = sha1 default_keyfile = privatekey.pem prompt = no distinguished_name = req_distinguished_name x509_extensions = req_extensions [ req_distinguished_name ] countryName = US organizationName = XYZ organizationalUnitName = XYZ Engineering Certification Authority stateOrProvinceName = KANSAS localityName= Wichita commonName = XYZ Engineering CA emailAddress= --- [ req_extensions ] basicConstraints = CA:true __ Celebrate Yahoo!'s 10th Birthday! Yahoo! Netrospective: 100 Moments of the Web http://birthday.yahoo.com/netrospective/ __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: setting certificate expiry to more than 30 days
Sanjay Acharya wrote: Hello. I am posting this message again. Can someone help me over this. I am trying to create certificate using req command as follows, See http://www.openssl.org/docs/apps/req.html Use -days option. Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 smime.p7s Description: S/MIME Cryptographic Signature
ASN1 stuff
Hi,all. Sorry for my english. Please help me to clarify the using of the such ASN1 structure in RDNSequence and in SubjectDirectoryAttributes. Why do they have different ASN1 structure, if they play the same role but in different contexts. For what reason there is SET OF? OpenSSL always used only one SEQ in every SET. Why is it used?.If standart would omit, what effect this can has? RDNSequence : := SEQUENCE OF RelativeDistinguishedName RelativeDistinguishedName : := SET OF AttributeTypeAndValue AttributeTypeAndValue: := SEQUENCE { type AttributeType, value AttributeValue} SubjectDirectoryAttributes ::= SEQUENCE SIZE (1..MAX) OF Attribute Attribute ::= SEQUENCE { type Attributetype, valuesSET OF AttributeValue } Why SET OF is used exactly in this place instead of place of previous ASN1 Structure. By the way, does OpenSSL support of SubjectDirectoryAttributes extension?If not,In what the most painless way this can be done? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: setting certificate expiry to more than 30 days
But Ted, if I have to use -days option then why do we need to specify default_days name-value pairs in the openssl.cnf? :( Sanjay Acharya Wichita State University --- Bernhard Froehlich [EMAIL PROTECTED] wrote: Sanjay Acharya wrote: Hello. I am posting this message again. Can someone help me over this. I am trying to create certificate using req command as follows, See http://www.openssl.org/docs/apps/req.html Use -days option. Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 ATTACHMENT part 2 application/x-pkcs7-signature name=smime.p7s __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: setting certificate expiry to more than 30 days
Sanjay Acharya wrote: But Ted, if I have to use -days option then why do we need to specify default_days name-value pairs in the openssl.cnf? :( Sanjay Acharya Wichita State University Hmm, default_days is in the CA-section of the config. So I think it applies to the CA-command only. It would be worth a try to enter a default_days in the req section, but since it's not documented I'd doubt that it will work. Hope it helps, Ted ;) smime.p7s Description: S/MIME Cryptographic Signature
Re: SSL over SOCKS
Essentially, lets say I have a file descriptor(int) for an existing SOCKS connection. I want SSL to use that existing file descriptor and to know that it doesn't need to open the actual TCP/IP connection. What are the BIO and such calls for this? Currently I'm using BIO_new_ssl_connect and BIO_do_connect but I need to somehow tell the SSL lib that the connection already exists and just give it the file descriptor of the socket. - Peter On Mar 1, 2005, at 10:53 AM, Peter wrote: Hi, I'm curious about SSLs behavior over a SOCKS connection. I would assume that it would function fine, but that the SSL client certificate passed would contain the inner ip address of the network behind the SOCKS proxy. Is there anyway to setup an SSL connection in a way so that the server being connected to thinks that the SOCKS proxy is the client for all intents and purposes. I.e., is there an ip address passed inside the SSL protocol (does anyone know off hand?) and if so, is there an easy way of removing that or modifying it before the packet is sent from the client? - Peter __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SSL over SOCKS solved?
I am using BIO_set_fd to set the file descriptor of a BIO created by BIO_new_connect to the socket of an existing SOCKS connection. This seems to work fine, lsof -i reports that indeed I am connected to the proxy. However, I want to be sure that my ip address is not embedded in the SSL connection in any way!!! Can anyone assure me of this? What is BIO_set_fd supposed to do? What is the behavior of openSSL when BIO_set_fd is used with an existing connection. Does BIO_do_connect not open a TCP connection if one already exists? Is the ip address of the client never used in the SSLv2/3/TLS protocol? - Peter __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
PKCS12 help needed
Hi there!!! I'm trying to usethe openssl pkcs12 option from command line but I don't undestand very well the options. I have a pair (private key and certificate file) both in PEM format. I want to get a PKCS#12 file which content both. I would like importa that (the PKCS12 file) into MS Outlook or Outlook Express. My command line looks like: C:\openssl pkcs12 -inkey llaveAM02.pem -certfile agente_monitor02.pem / -CAfile certac.pem -out prueba1.p12 -export The .p12 file is created but it's empty Another questionIf I want programming my ownspkcs12 apps with the openssl API where can I get examples o hints?? Any help is usefull TIA ZAINOS Do You Yahoo!? Yahoo! Net: La mejor conexión a internet y 25MB extra a tu correo por $100 al mes.
Re: PKCS12 help needed
On Wed, Mar 02, 2005, Carlos Roberto Zainos H wrote: Hi there!!! I'm trying to use the openssl pkcs12 option from command line but I don't undestand very well the options. I have a pair (private key and certificate file) both in PEM format. I want to get a PKCS#12 file which content both. I would like importa that (the PKCS12 file) into MS Outlook or Outlook Express. My command line looks like: C:\openssl pkcs12 -inkey llaveAM02.pem -certfile agente_monitor02.pem / -CAfile certac.pem -out prueba1.p12 -export The .p12 file is created but it's empty There's an FAQ on my homepage and detailed examples. If you've got certificates and keys in separate files liek that then: openssl pkcs12 -in cert.pem -inkey key.pem -certfile cacerts.pem -export -name some name should do. Another question If I want programming my owns pkcs12 apps with the openssl API where can I get examples o hints?? Any help is usefull demos/pkcs12 has some samples. The manual pages for PKCS12_parse() and PKCS12_create() also contain detailed info. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: SSL over SOCKS solved?
On Wed, Mar 02, 2005, Peter wrote: I am using BIO_set_fd to set the file descriptor of a BIO created by BIO_new_connect to the socket of an existing SOCKS connection. This seems to work fine, lsof -i reports that indeed I am connected to the proxy. However, I want to be sure that my ip address is not embedded in the SSL connection in any way!!! Can anyone assure me of this? What is BIO_set_fd supposed to do? What is the behavior of openSSL when BIO_set_fd is used with an existing connection. Does BIO_do_connect not open a TCP connection if one already exists? Is the ip address of the client never used in the SSLv2/3/TLS protocol? If you want to use BIOs then you can first create a socket BIO with BIO_new_socket(). A socket BIO is preferable because on some platforms sockets aren't fds. There are several other ways to achieve the same thing but that's the easiest. The IP address isn't embedded in the SSL connection. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
ssl routines problem
hi all, i m using syslog-ng with stunnel (to encrypt network transfer of logs). For some days i used the setup without any problem but after that i got some errors and stunnel dows not load. Actually i load my stunnel from rc.local (for starting it at boot) and exceptions are thrown related to openssl and i m confiremed that this is not the issue of stunnel. i m attaching my error log below this post. Any help will be appreciated. Thanks _ Feb 25 05:15:04 sysmanager stunnel[2251]: stunnel 4.07 on i686-pc-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7e 25 Oct 2004 Feb 25 05:15:04 sysmanager stunnel[2251]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib Feb 25 05:15:04 sysmanager stunnel[2251]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line Feb 25 05:36:17 sysmanager stunnel[2520]: stunnel 4.07 on i686-pc-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7e 25 Oct 2004 Feb 25 05:36:17 sysmanager stunnel[2520]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib Feb 25 05:36:17 sysmanager stunnel[2520]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line Feb 25 06:06:01 sysmanager stunnel[2510]: stunnel 4.07 on i686-pc-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7e 25 Oct 2004 Feb 25 06:06:01 sysmanager stunnel[2510]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib Feb 25 06:06:01 sysmanager stunnel[2510]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line Feb 25 06:10:51 sysmanager stunnel[2624]: stunnel 4.07 on i686-pc-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7e 25 Oct 2004 Feb 25 06:10:51 sysmanager stunnel[2624]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib Feb 25 06:10:51 sysmanager stunnel[2624]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line Mar 2 05:49:39 sysmanager stunnel[8553]: stunnel 4.07 on i686-pc-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7e 25 Oct 2004 Mar 2 05:49:39 sysmanager stunnel[8553]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib Mar 2 05:49:39 sysmanager stunnel[8553]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
BIO chaining and closing
Thanks, So BIO_new_socket would create a BIO around the socket of my choosing which would be more portable than doing BIO_set_fd afterwards? But then the current code uses BIO_new_ssl_connect to create the bio in the first place. I assume I would replace this with BIO_new_socket and BIO_new_ssl except I'm not sure how this chains the BIOs together. I would use BIO_push I assume but I'm not exactly sure of the order. And then the other thing, which probably has something to do with all of this, is that I can't seem to close the connection. It closes on exit of the program but BIO_ssl_shutdown, I guess, only shuts down the SSL bio and just doing BIO_get_fd and then close on the resulting socket doesn't seem to work. lsof -i still lists it as open until the program exits. - Peter On Mar 2, 2005, at 7:59 PM, Dr. Stephen Henson wrote: On Wed, Mar 02, 2005, Peter wrote: I am using BIO_set_fd to set the file descriptor of a BIO created by BIO_new_connect to the socket of an existing SOCKS connection. This seems to work fine, lsof -i reports that indeed I am connected to the proxy. However, I want to be sure that my ip address is not embedded in the SSL connection in any way!!! Can anyone assure me of this? What is BIO_set_fd supposed to do? What is the behavior of openSSL when BIO_set_fd is used with an existing connection. Does BIO_do_connect not open a TCP connection if one already exists? Is the ip address of the client never used in the SSLv2/3/TLS protocol? If you want to use BIOs then you can first create a socket BIO with BIO_new_socket(). A socket BIO is preferable because on some platforms sockets aren't fds. There are several other ways to achieve the same thing but that's the easiest. The IP address isn't embedded in the SSL connection. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]