SSL Communication behind Proxy
Hi All,

I am trying to connect to an SSL server from behind a proxy and am using the following code.

    SSL_library_init();
    SSL_load_error_strings();
    BIO *Socket = BIO_new_connect("proxy:port");
    if (BIO_do_connect(Socket)) {
        char *Data = "CONNECT abc.com:80 HTTP/1.0\r\n\r\n";
        BytesSent = BIO_write(Socket, Data, strlen(Data));
        if (BytesSent > 0) {
            // if I try to get the response from the proxy next, I receive 0 bytes from the proxy;
            // I am not sure whether I would get any response to my commands or not,
            // so I continued converting it to an SSL connection.
            // initializing SSL socket and setting SSL connection options.
            SSL_CTX *ctx = SSL_CTX_new(SSLv23_method());
            SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb);
            SSL_CTX_set_timeout(ctx, timeout);
            SSL_CTX_set_cipher_list(ctx, CIPHERLIST);
            SSL *sslSocket = SSL_new(ctx);
            // setting the bio to ssl socket
            SSL_set_bio(sslSocket, Socket, Socket);
            if (SSL_connect(sslSocket) == 1) {
                // ..ssl connection established
            }
            // but I get an error here with no description: lib(0):status(0)
        }
    }

I don't know whether I am not following the right procedure or whether it has something to do with the proxy blocking; whatever it is, I am unable to receive a response from the proxy.
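Added example (Python standard library, not the poster's C code): the step the snippet above skips is reading the proxy's reply to CONNECT and checking its status before the socket is handed to TLS. parse_connect_reply does that check on constructed replies, and tls_via_proxy uses it with certificate verification left on; proxy and host names are assumptions.

```python
import socket
import ssl
from typing import Tuple


def parse_connect_reply(raw: bytes) -> Tuple[bool, str]:
    """Parse the proxy's reply to CONNECT; return (tunnel_established, status_line).

    The proxy answers with an HTTP status line plus headers ended by a blank
    line. Only a 2xx status means the tunnel is up and later bytes come from
    the origin server; anything else (or a truncated reply) must not be fed
    to the TLS layer, which would otherwise fail with an opaque error.
    """
    head, sep, _rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete reply from proxy"
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return False, status_line
    return 200 <= int(parts[1]) < 300, status_line


def read_connect_reply(sock: socket.socket, limit: int = 8192) -> bytes:
    """Read from the proxy until the end of the HTTP headers, EOF or limit."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:      # proxy closed the connection: no tunnel
            break
        buf += chunk
    return buf


def tls_via_proxy(proxy_host: str, proxy_port: int, host: str,
                  port: int = 443, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS session to host:port through an HTTP CONNECT proxy.

    Differences from the posted snippet: the tunnel targets the TLS port,
    the proxy's 200 reply is read and checked before the handshake, and
    certificate and hostname verification stay enabled (default context).
    """
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        request = (f"CONNECT {host}:{port} HTTP/1.1\r\n"
                   f"Host: {host}:{port}\r\n\r\n").encode("ascii")
        sock.sendall(request)
        ok, status = parse_connect_reply(read_connect_reply(sock))
        if not ok:
            raise ConnectionError(f"proxy refused CONNECT: {status}")
        ctx = ssl.create_default_context()                   # verifies chain and hostname
        return ctx.wrap_socket(sock, server_hostname=host)   # also sends SNI
    except Exception:
        sock.close()
        raise


# Constructed proxy replies for the offline checks below.
PROXY_OK = b"HTTP/1.1 200 Connection established\r\nProxy-Agent: example\r\n\r\n"
PROXY_DENIED = b"HTTP/1.0 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
PROXY_TRUNCATED = b"HTTP/1.1 200 Connection est"

if __name__ == "__main__":
    for reply in (PROXY_OK, PROXY_DENIED, PROXY_TRUNCATED):
        print(parse_connect_reply(reply))
    # Live use (needs a reachable proxy; names are placeholders):
    # tls_sock = tls_via_proxy("proxy.example.test", 3128, "abc.com")
```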
openssl usage questions
Hello, I'm new to the OpenSSL community. Please help to clarify my following questions.

1) Can OpenSSL be used for IPsec certificates?

2) Does OpenSSL provide APIs to support Cut-and-Paste certificate enrollment for the IPsec certificate with non-OpenSSL CAs/PKIs (e.g. VeriSign PKI, Microsoft CA)? If so, what are the APIs, how is it done, and are there examples?

3) Does OpenSSL provide a command line interface to support Cut-and-Paste certificate enrollment for the IPsec certificate with non-OpenSSL CAs/PKIs (e.g. VeriSign PKI, Microsoft CA)? If so, what are the commands, how is it done, and are there examples?

4) In general, how is the root CA certificate retrieved, and in what format? Also, how is it used in the Cut-and-Paste certificate enrollment process? Which specific APIs and commands are used to validate an enrolled certificate with the root CA (certificate issuer's) certificate?

Thank you in advance for answering the above questions!

Jinn
Re: EVP_SealInit and key length
On Mon, Mar 28, 2005, Michael D'Errico wrote:

> Is there any way to specify the key length to use in EVP_SealInit? (Besides AES, where the EVP_CIPHER specifies the length.) If not, how do you figure out how long a key was used?

Depends on how it's used. In some cases the context implies the key length, whereas in others the only way is to actually see what key length it sets after being called. Even then there are exceptions: for example, some S/MIME mail clients use an RC2 physical key length of 192 bits but set the effective key length to a lower value such as 64 bits.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Problems with EVP_DecryptFinal
Hello,

I wrote the following C code, which does a test of encryption and decryption. I understand that I am doing something wrong, because EVP_DecryptFinal returns 0 and therefore the decrypted data do not match the original data. Please help me. Thanks very much.

The code is this. I am using Microsoft Windows with VC 6.

    #include <stdio.h>
    #include <openssl/err.h>
    #include <openssl/evp.h>
    #include <openssl/x509v3.h>

    #define DATA_LENGTH (int) 29

    int encrypt( unsigned char *key, unsigned char *originalData, int length, unsigned char **cipheredData )
    {
        EVP_CIPHER_CTX ctx;
        const EVP_CIPHER *des3 = EVP_des_ede3();
        *cipheredData = new unsigned char[length + EVP_CIPHER_block_size( des3 ) - 1];
        unsigned char *cipheredDataAux = *cipheredData;
        int cipheredDataLength = 0;
        EVP_CIPHER_CTX_init( &ctx );
        if( EVP_EncryptInit( &ctx, des3, key, NULL ) == 0 )
            ERR_print_errors_fp( stderr );
        int cipheredNum = 0;
        printf( "The original Data is: %s \nand the size is: %d\n\n", originalData, length );
        while( cipheredDataLength < length )
        {
            if( EVP_EncryptUpdate( &ctx, &cipheredDataAux[cipheredNum], &cipheredNum, originalData, length - cipheredNum ) == 0 )
                ERR_print_errors_fp( stderr );
            cipheredDataLength += cipheredNum;
        }
        printf( "The ciphered Data is: %s \nand the size is: %d\n\n", cipheredDataAux, cipheredDataLength );
        cipheredNum = 0;
        if( EVP_EncryptFinal( &ctx, &cipheredDataAux[cipheredDataLength], &cipheredNum ) == 0 )
            ERR_print_errors_fp( stderr );
        cipheredDataLength += cipheredNum;
        printf( "The ciphered Data is: %s \nand the size is: %d\n\n", cipheredDataAux, cipheredDataLength );
        EVP_CIPHER_CTX_cleanup( &ctx );
        return cipheredDataLength;
    }

    int decrypt( unsigned char *key, unsigned char *cipheredData, int length, unsigned char **decipheredData )
    {
        EVP_CIPHER_CTX ctx;
        const EVP_CIPHER *des3 = EVP_des_ede3();
        *decipheredData = new unsigned char[length + EVP_CIPHER_block_size( des3 )];
        unsigned char *decipheredDataAux = *decipheredData;
        int decipheredDataLength = 0;
        EVP_CIPHER_CTX_init( &ctx );
        if( EVP_DecryptInit( &ctx, des3, key, NULL ) == 0 )
            ERR_print_errors_fp( stderr );
        int decipheredNum = 0;
        printf( "The ciphered Data is: %s \nand the size is: %d\n\n", cipheredData, length );
        while( decipheredDataLength < length )
        {
            if( EVP_DecryptUpdate( &ctx, &decipheredDataAux[decipheredNum], &decipheredNum, cipheredData, length - decipheredNum ) == 0 )
                ERR_print_errors_fp( stderr );
            decipheredDataLength += decipheredNum;
        }
        printf( "The deciphered Data is: %s \nand the size is: %d\n\n", decipheredDataAux, decipheredDataLength );
        decipheredNum = 0;
        if( EVP_DecryptFinal( &ctx, &decipheredDataAux[decipheredDataLength], &decipheredNum ) == 0 )
            ERR_print_errors_fp( stderr );
        decipheredDataLength += decipheredNum;
        printf( "The deciphered Data is: %s \nand the size is: %d\n\n", decipheredDataAux, decipheredDataLength );
        EVP_CIPHER_CTX_cleanup( &ctx );
        return decipheredDataLength;
    }

    int main( int argc, char **argv )
    {
        OpenSSL_add_all_algorithms();
        ERR_load_crypto_strings();
        unsigned char *key = new unsigned char[196];
        int it = 0;
        for( ; it < 196; it ++ )
            key[it] = 'A';
        unsigned char *data = new unsigned char[DATA_LENGTH];
        for( it = 0; it < DATA_LENGTH; it ++ )
            data[it] = 'P';
        unsigned char *cipheredData;
        int cipheredDataLength = encrypt( key, data, DATA_LENGTH, &cipheredData );
        unsigned char *decipheredData;
        decrypt(
Simultaneous SSL connect
I have a question regarding the OpenSSL TLS API. My application has thousands of peer-to-peer TLS connections, where each peer has an X.509 v3 certificate with extensions that allow the end point to be both a client and a server. I would like to maintain only a single TLS connection between both peers, but the connection is not persistent. I would like either peer to be able to establish a connection to the other. As long as the connection is open, either peer can send information through the single open TLS connection.

Now to my problem. Given the behavior above, it is possible for both peers to establish a TLS connection at the same time. This would result in having two TLS connections between two peers, where each connection was initiated from one or the other peer. I am interested in investigating whether there is some efficient manner in which the OpenSSL API can be leveraged to detect this situation. Is there anything in the OpenSSL API that anyone can think of that we could do to quickly identify two TLS connections to the same peer?

---
Steve Upp
Problem deallocating memory using d2i_TS_RESP
Hi All,

I am using the following code to create a TS response object from DER encoded data:

    #include <fstream>
    #include <openssl/ts.h>

    bool CreateResponseFromFile(const char * pszTSResponsePath)
    {
        char * buffer;
        long size;
        //C:\\ts\\TstResponse.tsr
        ifstream file (pszTSResponsePath, ios::in|ios::binary|ios::ate);
        size = file.tellg();
        file.seekg (0, ios::beg);
        buffer = new char [size];
        file.read (buffer, size);
        file.close();
        if(CreateResponseFromData((unsigned char*)buffer,size))
        {
            delete []buffer;
            return true;
        }
        else
        {
            delete []buffer;
            m_strLastError = GetLastTSError();
            return false;
        }
    }

    bool CreateResponseFromData(unsigned char *pszData, long lDataLength)
    {
        // d2i_* advances the pointer it is given, so pass a copy of the buffer pointer
        const unsigned char *p = pszData;
        m_pTSResponse = d2i_TS_RESP(NULL, &p, lDataLength);
        ...
    }

But using some software and the Windows debug options, it reports a memory leak. I need to know how to delete this buffer so that no memory leak remains.

Regards,
Muhammad Aftab Alam
Re: openssl usage questions
Here are answers to some of your questions:

1. OpenSsl supports the X509 v3 certificate format which is used by IPSEC. So certificates generated by OpenSsl can be used for IPSEC.

2. OpenSsl has support for the cut and paste mechanism (you mean PKCS10/PKCS7!). Look at apps/req.c (generation of PKCS10 or CSR) and apps/pkcs7.c. The CSR generated using OpenSsl can be used with most CAs (I have tested with Verisign, SSH, Thawte).

Regards,
Prashant.

Jinn Su [EMAIL PROTECTED] wrote:

> Hello, I'm new to the OpenSSL community. Please help to clarify my following questions.
>
> 1) Can OpenSSL be used for IPsec certificates?
>
> 2) Does OpenSSL provide APIs to support Cut-and-Paste certificate enrollment for the IPsec certificate with non-OpenSSL CAs/PKIs (e.g. VeriSign PKI, Microsoft CA)? If so, what are the APIs, how is it done, and are there examples?
>
> 3) Does OpenSSL provide a command line interface to support Cut-and-Paste certificate enrollment for the IPsec certificate with non-OpenSSL CAs/PKIs (e.g. VeriSign PKI, Microsoft CA)? If so, what are the commands, how is it done, and are there examples?
>
> 4) In general, how is the root CA certificate retrieved, and in what format? Also, how is it used in the Cut-and-Paste certificate enrollment process? Which specific APIs and commands are used to validate an enrolled certificate with the root CA (certificate issuer's) certificate?
>
> Thank you in advance for answering the above questions!
>
> Jinn
RE: openssl usage questions
Greetings,

I am a bit new to this, so if someone can help, I will be grateful. I downloaded OpenSSL because I am trying to define an http port on Tomcat. To do so I seem to need a keystore file. Searching on keystore led me to OpenSSL. Following some instructions I found, I can generate a .key file OK. But I blow up trying to generate the CSR. I make it through the prompts and then get the following error messages:

1764:error:0E06D06C:configuration file routines:NCONF_get_string:no value:.\crypto\conf\conf_lib.c:329:group=req_attributes name=unstructuredName_min
1764:error:0E06D06C:configuration file routines:NCONF_get_string:no value:.\crypto\conf\conf_lib.c:329:group=req_attributes name=unstructuredName_max
1764:error:04075070:rsa routines:RSA_sign:digest too big for rsa key:.\crypto\rsa\rsa_sign.c:118:
1764:error:0D080006:asn1 encoding routines:ASN1_sign:EVP lib:.\crypto\asn1\a_sign.c:275:

Thanks for any help.

-SP
RE: openssl smime ability to create a multi-attachment message?
Does openssl support taking a mime message and doing this? Or is there something else I will need to convert a mime message to smime?

Thank you,
Victor

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 6:22 PM
To: openssl-users@openssl.org
Subject: Re: openssl smime ability to create a multi-attachment message?

On Mon, Mar 28, 2005, Chevalier, Victor T. wrote:

> Is it possible to have the command line of openssl create an smime message containing file(s)? Example. Sample e-mail:
>
> Hey here are some files.
> -Attachments: doc1.doc doc2.doc
>
> Is there a command line way to create the SMIME format for this? If not, is there code built into openssl to handle this? Or has someone already run into this and has sample code? Thank you.

You have to create the MIME message in the appropriate format and send that to the smime command. This is however an area where many S/MIME clients have difficulties.

Steve.
Re: openssl smime ability to create a multi-attachment message?
On Tue, Mar 29, 2005, Chevalier, Victor T. wrote:

> Does openssl support taking a mime message and doing this? Or is there something else I will need to convert a mime message to smime?

The input to the smime command is expected to be in MIME format unless you specify -text, in which case it adds text/plain headers. However, OpenSSL only does EOL=CRLF translation on the whole MIME document by default. If that is inappropriate you have to supply a canonical MIME document and turn off translation with the -binary option.

Steve.
EVP Public Key Interface X low level RSA
I was studying the EVP interface for public keys to use RSA. I'd like to know if the low level interface using /openssl/rsa.h/ is better than the EVP (high level) solution. In symmetric encryption the list told me that the EVP interface was the best solution.

Thanks in advance,
Rafael Cividanes
--
Rafael Cividanes
Instituto Tecnológico de Aeronáutica - ITA
Divisão de Ciência da Computação - IEC
Pça. Mal. Eduardo Gomes, 50 Vila das Acácias
CTA-ITA-IEP 12.228-900 São José dos Campos, SP
Prédio da Guerra Eletrônica - Sala 235
Tel 12-39476891
E-mail: [EMAIL PROTECTED]
Re: Problem deallocating memory using d2i_TS_RESP
Aftab Alam wrote:

> Hi All,
>
> I am using the following code to create a TS response object from DER encoded data:
>
>     bool CreateResponseFromFile(const char * pszTSResponsePath)
>     {
>         char * buffer;
>         long size;
>         //C:\\ts\\TstResponse.tsr
>         ifstream file (pszTSResponsePath, ios::in|ios::binary|ios::ate);
>         size = file.tellg();
>         file.seekg (0, ios::beg);
>         buffer = new char [size];
>         file.read (buffer, size);
>         file.close();
>         if(CreateResponseFromData((unsigned char*)buffer,size))
>         {
>             delete []buffer;
>             return true;
>         }
>         else
>         {
>             delete []buffer;
>             m_strLastError = GetLastTSError();
>             return false;
>         }
>     }
>
>     bool CreateResponseFromData(unsigned char *pszData, long lDataLength)
>     {
>         const unsigned char *p = pszData;
>         m_pTSResponse = d2i_TS_RESP(NULL, &p, lDataLength);
>         ...
>     }
>
> But using some software and the Windows debug options, it reports a memory leak. I need to know how to delete this buffer so that no memory leak remains.

Did you read the FAQ entry about mem leaks? Does your mem debugger give more information about where the leak should be?

Nils
Re: EVP Public Key Interface X low level RSA
Rafael Cividanes wrote:

> I was studying the EVP interface for public keys to use RSA. I'd like to know if the low level interface using /openssl/rsa.h/ is better than the EVP (high level) solution. In symmetric encryption the list told me that the EVP interface was the best solution.

Unless you need features only supplied by the low level API, I would recommend using the EVP API.

Nils
Re: Problems with EVP_DecryptFinal
Tyler Durden wrote:

> Hello,
>
> I wrote the following C code, which does a test of encryption and decryption. I understand that I am doing something wrong, because EVP_DecryptFinal returns 0 and therefore the decrypted data do not match the original data. Please help me. Thanks very much.
>
> The code is this. I am using Microsoft Windows with VC 6.
>
>     #include <stdio.h>
>     #include <openssl/err.h>
>     #include <openssl/evp.h>
>     #include <openssl/x509v3.h>
>
>     #define DATA_LENGTH (int) 29
>
>     int encrypt( unsigned char *key, unsigned char *originalData, int length, unsigned char **cipheredData )
>     {
>         EVP_CIPHER_CTX ctx;
>         const EVP_CIPHER *des3 = EVP_des_ede3();
>         *cipheredData = new unsigned char[length + EVP_CIPHER_block_size( des3 ) - 1];
>         unsigned char *cipheredDataAux = *cipheredData;
>         int cipheredDataLength = 0;
>         EVP_CIPHER_CTX_init( &ctx );
>         if( EVP_EncryptInit( &ctx, des3, key, NULL ) == 0 )
>             ERR_print_errors_fp( stderr );
>         int cipheredNum = 0;
>         printf( "The original Data is: %s \nand the size is: %d\n\n", originalData, length );
>         while( cipheredDataLength < length )
>         {
>             if( EVP_EncryptUpdate( &ctx, &cipheredDataAux[cipheredNum], &cipheredNum, originalData, length - cipheredNum ) == 0 )
>                 ERR_print_errors_fp( stderr );
>             cipheredDataLength += cipheredNum;
>         }

Don't use the while-loop; one call to EVP_EncryptUpdate is enough here.

>         printf( "The ciphered Data is: %s \nand the size is: %d\n\n", cipheredDataAux, cipheredDataLength );
>         cipheredNum = 0;
>         if( EVP_EncryptFinal( &ctx, &cipheredDataAux[cipheredDataLength], &cipheredNum ) == 0 )
>             ERR_print_errors_fp( stderr );
>         cipheredDataLength += cipheredNum;
>         printf( "The ciphered Data is: %s \nand the size is: %d\n\n", cipheredDataAux, cipheredDataLength );
>         EVP_CIPHER_CTX_cleanup( &ctx );
>         return cipheredDataLength;
>     }
>
>     int decrypt( unsigned char *key, unsigned char *cipheredData, int length, unsigned char **decipheredData )
>     {
>         EVP_CIPHER_CTX ctx;
>         const EVP_CIPHER *des3 = EVP_des_ede3();
>         *decipheredData = new unsigned char[length + EVP_CIPHER_block_size( des3 )];
>         unsigned char *decipheredDataAux = *decipheredData;
>         int decipheredDataLength = 0;
>         EVP_CIPHER_CTX_init( &ctx );
>         if( EVP_DecryptInit( &ctx, des3, key, NULL ) == 0 )
>             ERR_print_errors_fp( stderr );
>         int decipheredNum = 0;
>         printf( "The ciphered Data is: %s \nand the size is: %d\n\n", cipheredData, length );
>         while( decipheredDataLength < length )
>         {
>             if( EVP_DecryptUpdate( &ctx, &decipheredDataAux[decipheredNum], &decipheredNum, cipheredData, length - decipheredNum ) == 0 )
>                 ERR_print_errors_fp( stderr );
>             decipheredDataLength += decipheredNum;
>         }

Again, the while-loop is unnecessary. One invocation of EVP_DecryptUpdate + EVP_DecryptFinal is enough.

Nils
SSL_shutdown returns 0 (retry) after EPIPE sys error.
stunnel implements openssl, and there is a case where it loops hard on retrying SSL_shutdown. Basically I am wondering if this is a known (fixed?) problem.

On Solaris, truss shows this:

18416: lwp_sigredirect(0, SIGPIPE, 0x) = 0
18416: write(13, 150301\018 3F1DBCCCBCAE3.., 29) Err#32 EPIPE
18416: poll(0xFEE219D0, 2, 4320) = 1
18416: write(13, 150301\018 3F1DBCCCBCAE3.., 29) Err#32 EPIPE
18416: poll(0xFEE219D0, 2, 4320) = 1
18416: write(13, 150301\018 3F1DBCCCBCAE3.., 29) Err#32 EPIPE

And pfiles shows that FD 13 is a disconnected socket:

13: S_IFSOCK mode:0666 dev:290,0 ino:46258 uid:0 gid:0 size:0 O_RDWR|O_NONBLOCK FD_CLOEXEC
    sockname: AF_INET 0.0.0.0 port: 0

The stunnel log shows entry after entry like this:

2005.03.25 17:31:40 LOG7[3208:6]: SSL_shutdown retrying
2005.03.25 17:31:40 LOG7[3208:6]: SSL_shutdown retrying
2005.03.25 17:31:40 LOG7[3208:6]: SSL_shutdown retrying
2005.03.25 17:31:40 LOG7[3208:6]: SSL_shutdown retrying
2005.03.25 17:31:40 LOG7[3208:6]: SSL_shutdown retrying
2005.03.25 17:31:40 LOG7[3208:6]: SSL_shutdown retrying
2005.03.25 17:31:40 LOG7[3208:6]: SSL_shutdown retrying

The stunnel source implies that it will retry the shutdown when SSL_shutdown returns 0. Stunnel does not check for system errors when SSL_shutdown returns 0 (maybe it should?). Instead it assumes SSL_shutdown returns -1 if there is a system error, and then it checks errors. This seems reasonable to me.
Re: SSL_shutdown returns 0 (retry) after EPIPE sys error.
On 2005-03-29, at 21:15, [EMAIL PROTECTED] wrote:

> On Solaris, truss shows this:
> 18416: poll(0xFEE219D0, 2, 4320) = 1
> 18416: write(13, 150301\018 3F1DBCCCBCAE3.., 29) Err#32 EPIPE

What is your configuration?

> The stunnel source implies that it will retry the shutdown when SSL_shutdown returns 0.

The manual claims:

   0   The shutdown is not yet finished. Call SSL_shutdown() for a second time, if a bidirectional shutdown shall be performed. The output of SSL_get_error(3) may be misleading, as an erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.

  -1   The shutdown was not successful because a fatal error occurred either at the protocol level or a connection failure occurred. It can also occur if action is needed to continue the operation for non-blocking BIOs. Call SSL_get_error(3) with the return value ret to find out the reason.

So SSL_shutdown() should return -1 on a fatal error, shouldn't it?

> Stunnel does not check for system errors when SSL_shutdown returns 0 (maybe it should?).

I don't think so... In fact it's explicitly forbidden to check for an error here...

Best regards,
Mike (the author of stunnel)
How to get CRL in my application.
Given the Next Update date of the CRL and the CA certificate, how can I get the CRL? Is there a function in OpenSSL to retrieve the CRL? If not, can anyone explain how to do this? My application has a list of CA certificates; initially I have the CRLs too, but depending on the next update date the application has to get it. Or is there a script to do it in OpenSSL?

Thank you.
RE: openssl smime ability to create a multi-attachment message?
I am using mpack to create the mime message; it looks like openssl is putting S/MIME around the entire MIME message as if it were text... I used this command:

    openssl smime -sign -inkey private/mykey.pem -signer mycert.pem -in mimemessage -out new.mail

Maybe the syntax is wrong? Or is it supposed to be like:

    MIME-Version: 1.0
    Content-Type: ...

    This is an S/MIME signed message

    ---4DF5902840938

    MIME MESSAGE HERE

    ---4DF5902840938
    Content-Type: application/x-pkcs7-signature...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 11:04 AM
To: openssl-users@openssl.org
Subject: Re: openssl smime ability to create a multi-attachment message?

On Tue, Mar 29, 2005, Chevalier, Victor T. wrote:

> Does openssl support taking a mime message and doing this? Or is there something else I will need to convert a mime message to smime?

The input to the smime command is expected to be in MIME format unless you specify -text, in which case it adds text/plain headers. However, OpenSSL only does EOL=CRLF translation on the whole MIME document by default. If that is inappropriate you have to supply a canonical MIME document and turn off translation with the -binary option.

Steve.
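Added example (Python standard library; not from the thread, mpack or the OpenSSL project): it builds the kind of input Steve describes for openssl smime -sign -binary, a MIME message with canonical CRLF line endings throughout and the attachments base64-encoded so nothing depends on the signer's EOL translation, and checks the result. Addresses, file names and file contents are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Canonical MIME for S/MIME: every line terminated by CRLF (policy.SMTP uses "\r\n").
CANONICAL = policy.SMTP


def build_canonical_mime(sender: str, recipient: str, subject: str, body: str,
                         attachments: dict) -> bytes:
    """Return a multipart/mixed message serialised with CRLF line endings.

    attachments maps filename -> raw bytes. Each file is base64-encoded, so
    binary content never contains bare LF/CR bytes that an EOL translation
    pass (the default without -binary) would rewrite and thereby change the
    bytes that get signed.
    """
    msg = EmailMessage(policy=CANONICAL)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    for name, data in attachments.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name, cte="base64")
    return msg.as_bytes()


def is_canonical(raw: bytes) -> bool:
    """True if every line break is CRLF and no bare LF or CR remains."""
    stripped = raw.replace(b"\r\n", b"")
    return b"\n" not in stripped and b"\r" not in stripped


def count_parts(raw: bytes) -> int:
    """Number of leaf MIME parts, re-parsed from the serialised bytes."""
    parsed = message_from_bytes(raw, policy=CANONICAL)
    return sum(1 for part in parsed.walk() if not part.is_multipart())


# Constructed input mirroring the "doc1.doc doc2.doc" example in the thread.
# doc2 deliberately contains a bare LF, a bare CR and non-text bytes.
ATTACHMENTS = {
    "doc1.doc": b"\xd0\xcf\x11\xe0 constructed binary document",
    "doc2.doc": b"line1\nline2\r\x00\xff constructed",
}


def sample_message() -> bytes:
    """The constructed multi-attachment message, ready for smime -sign -binary."""
    return build_canonical_mime("alice@example.test", "bob@example.test",
                                "Hey here are some files.",
                                "Hey here are some files.\n", ATTACHMENTS)


if __name__ == "__main__":
    raw = sample_message()
    print(raw.decode("ascii"))
    print("canonical:", is_canonical(raw), "parts:", count_parts(raw))
```

Write the bytes to a file and pass it to openssl smime -sign with -binary, as in Steve's reply, so the signed content is exactly what was generated.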
Decryption problem
I'm having a problem where, after encrypting data and then decrypting it, the result is a few bytes of garbage (probably one block), and then the rest of the data is the same as the original. I'm using EVP_Seal* and EVP_Open* to perform the encryption. I tested with AES, DESX, and Blowfish, and all have garbage at the beginning of the output. I've been through the code several times, and checked that the initialization vector is the same when encrypting and decrypting. Since I am getting most of the data back, I must be recovering the session key correctly. Has anybody run into this sort of thing before? Do you have any suggestions?

Thanks,
Mike
Re: Decryption problem
I forgot to mention that this happens with CBC and CFB modes; OFB gives all garbage, but I'm hopeful that fixing CBC and CFB modes will also fix OFB mode. I am using OpenSSL 0.9.7f on mingw.

Mike

Michael D'Errico wrote:

> I'm having a problem where, after encrypting data and then decrypting it, the result is a few bytes of garbage (probably one block), and then the rest of the data is the same as the original. I'm using EVP_Seal* and EVP_Open* to perform the encryption. I tested with AES, DESX, and Blowfish, and all have garbage at the beginning of the output. I've been through the code several times, and checked that the initialization vector is the same when encrypting and decrypting. Since I am getting most of the data back, I must be recovering the session key correctly. Has anybody run into this sort of thing before? Do you have any suggestions?
>
> Thanks,
> Mike
Re: Decryption problem
Turns out there is wrong information in Network Security with OpenSSL about using EVP_SealInit. It indicates that you are to pass in an init vector, but EVP_SealInit generates one and passes it back to the caller. Once I figured this out, I got everything to work.

Mike
Re: [openssl-users] How to get CRL in my application.
Hello,

Today, 29 March 2005 (Hodie IV Kal. Apr. MMV est), Calista wrote:

> Is there a function in OpenSSL to retrieve the CRL?

No, AFAIK. Depending on the retrieval method (ldap, http, ftp, X.500, ...), you have to write your own handler.

> If not, can anyone explain how to do this?

wget will work for http and ftp, possibly https. curl will work for ftp, http, https; I don't know for ldap.

> My application has a list of CA certificates; initially I have the CRLs too, but depending on the next update date the application has to get it.

Don't rely on the 'next update' field. It's an 'at last' date. A CA usually creates CRLs that are valid for several days, and updates them on a daily basis. For each CA you have, specify somewhere in your application the retrieval period, and make sure the period is no longer than the validity period of the CRL (lest the 'next update' happen to be today).

--
Erwann ABALEA [EMAIL PROTECTED]
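Added example (Python; not from the thread or OpenSSL): a per-CA refresh schedule that applies the rule above, a configured retrieval period clamped to the CRL's validity window, a fetch never deferred past nextUpdate, and a CRL past nextUpdate treated as unusable. CA names, dates and periods are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# One record per CA: (thisUpdate, nextUpdate, time we last fetched it).
CrlRecord = Tuple[datetime, datetime, datetime]


def effective_period(configured: timedelta, this_update: datetime,
                     next_update: datetime) -> timedelta:
    """Clamp the operator-configured refresh period to the CRL validity window.

    A period longer than the window lets a CRL expire between fetches, which
    is exactly the 'next update happens to be today' failure in the thread.
    """
    validity = next_update - this_update
    if validity <= timedelta(0):
        raise ValueError("CRL nextUpdate is not after thisUpdate")
    if configured <= timedelta(0):
        raise ValueError("refresh period must be positive")
    return min(configured, validity)


def next_fetch_due(record: CrlRecord, configured: timedelta) -> datetime:
    """Next retrieval time: the clamped period after the last fetch, but
    never later than nextUpdate, after which the CRL cannot be relied on."""
    this_update, next_update, fetched_at = record
    period = effective_period(configured, this_update, next_update)
    return min(fetched_at + period, next_update)


def crl_usable(record: CrlRecord, now: datetime) -> bool:
    """Fail closed: a CRL outside [thisUpdate, nextUpdate) gives no
    trustworthy revocation status, so validation must not proceed on it."""
    this_update, next_update, _fetched_at = record
    return this_update <= now < next_update


def cas_to_refresh(records: Dict[str, CrlRecord], periods: Dict[str, timedelta],
                   now: datetime) -> List[str]:
    """Names of CAs whose CRL is due (or overdue) for retrieval at 'now'."""
    return sorted(ca for ca, rec in records.items()
                  if now >= next_fetch_due(rec, periods[ca]))


# Constructed sample: two CAs whose CRLs were fetched on the same morning.
T0 = datetime(2005, 3, 29, 9, 0, tzinfo=timezone.utc)
RECORDS: Dict[str, CrlRecord] = {
    # CRL issued 3 h ago and valid 7 days; operator asked for a daily refresh.
    "ca-daily": (T0 - timedelta(hours=3), T0 - timedelta(hours=3) + timedelta(days=7), T0),
    # CRL issued 1 h ago and valid only 2 days; a 30-day period is misconfigured
    # and gets clamped to the 2-day window.
    "ca-short": (T0 - timedelta(hours=1), T0 - timedelta(hours=1) + timedelta(days=2), T0),
}
PERIODS = {"ca-daily": timedelta(days=1), "ca-short": timedelta(days=30)}

if __name__ == "__main__":
    for ca, rec in RECORDS.items():
        print(ca, "next fetch due at", next_fetch_due(rec, PERIODS[ca]).isoformat())
    print("due 25 h later:", cas_to_refresh(RECORDS, PERIODS, T0 + timedelta(hours=25)))
```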