Generate a CRL from an OCSP request
Hi all,

I have an OCSP responder on my CA and I want to use it to generate CRLs on other servers. So the idea is:

  +------+ <=== ocsp request (1) ===== +-------------+ (3)\
  | CA   |            ...              | openvpn srv |     .. (CRL generation)
  | ocsp | ==== ocsp response (2) ===> +-------------+ (4)/
  +------+

and with the OCSP response I want to generate a CRL. For the OCSP request, I'm using the openssl toolkit with a cron. But I have several problems:

- How can I request all certificates managed by my CA in one OCSP request? (I don't want to copy all of these signed certificates onto all of my OpenVPN servers.)
- How can I encode the response in PEM format in order to use it with OpenVPN?

I really want to use the OCSP protocol for several reasons (including security considerations), so publication through the HTTP protocol is not a good solution for me.

Could you help me?... :)

--
J. VEHENT
Microgate | 02.47.66.95.01 | www.microgate.fr
libeay32.lib giving some link errors while using on Windows
Hi all,

I am having some linking problems while using libeay32.lib on Windows (see link errors below). I created libeay32.lib on Windows by compiling the OpenSSL source as described in INSTALL.W32, carrying out the following steps:

1. perl Configure VC-WIN32
2. ms\do_ms
3. nmake -f ms\nt.mak (for the static version)

As a result of the above steps libeay32.lib and ssleay32.lib were created. All tests passed successfully!

Now when I try to use these libraries in an application created in CodeWarrior, the following link errors occur:

--- Link Errors Begin ---
Warning: Cannot locate library MSVCRT specified in #pragma comment(lib,...)
  referenced from tmp32\ssl_lib.obj
Warning: Cannot locate library OLDNAMES specified in #pragma comment(lib,...)
  referenced from tmp32\ssl_lib.obj
Link Error : Undefined symbol: '__declspec(dllimport) _abort (__imp__abort)'
  referenced from '_CRYPTO_add_lock' in tmp32\cryptlib.obj (libeay32.lib)
  referenced from '_CRYPTO_add_lock' in tmp32\cryptlib.obj (libeay32.lib)
  referenced from '_OpenSSLDie' in tmp32\cryptlib.obj (libeay32.lib)
  referenced from '_CRYPTO_lock' in tmp32\cryptlib.obj (libeay32.lib)
Link Error : Undefined symbol: '__declspec(dllimport) __iob (__imp___iob)'
  referenced from '_CRYPTO_add_lock' in tmp32\cryptlib.obj (libeay32.lib)
  referenced from '_CRYPTO_add_lock' in tmp32\cryptlib.obj (libeay32.lib)
  referenced from '_OpenSSLDie' in tmp32\cryptlib.obj (libeay32.lib)
  referenced from '_RSA_verify' in tmp32\rsa_sign.obj (libeay32.lib)
  referenced from '_PEM_def_callback' in tmp32\pem_lib.obj (libeay32.lib)
  referenced from '_PEM_do_header' in tmp32\pem_lib.obj (libeay32.lib)
  referenced from '_open_console' in tmp32\ui_openssl.obj (libeay32.lib)
  referenced from '_open_console' in tmp32\ui_openssl.obj (libeay32.lib)
  ...
Link Error : Undefined symbol: '__declspec(dllimport) __pctype (__imp___pctype)'
  referenced from '_X509_NAME_cmp' in tmp32\x509_cmp.obj (libeay32.lib)
  referenced from '_X509_NAME_cmp' in tmp32\x509_cmp.obj (libeay32.lib)
  referenced from '_X509_NAME_cmp' in tmp32\x509_cmp.obj (libeay32.lib)
  referenced from '_X509_NAME_cmp' in tmp32\x509_cmp.obj (libeay32.lib)
  referenced from '_X509_NAME_cmp' in tmp32\x509_cmp.obj (libeay32.lib)
  referenced from '_X509_NAME_cmp' in tmp32\x509_cmp.obj (libeay32.lib)
  referenced from '_X509_NAME_cmp' in tmp32\x509_cmp.obj (libeay32.lib)
  referenced from '__dopr' in tmp32\b_print.obj (libeay32.lib)
  ...
Link Error : Undefined symbol: '__declspec(dllimport) ___mb_cur_max (__impmb_cur_max)'
  referenced from '_X509_NAME_cmp' in tmp32\x509_cmp.obj (libeay32.lib)
  referenced from '_X509_NAME_cmp' in tmp32\x509_cmp.obj (libeay32.lib)
  referenced from '_X509_NAME_cmp' in tmp32\x509_cmp.obj (libeay32.lib)
  referenced from '_X509_NAME_cmp' in tmp32\x509_cmp.obj (libeay32.lib)
  referenced from '_X509_NAME_cmp' in tmp32\x509_cmp.obj (libeay32.lib)
  referenced from '_X509_NAME_cmp' in tmp32\x509_cmp.obj (libeay32.lib)
  referenced from '_X509_NAME_cmp' in tmp32\x509_cmp.obj (libeay32.lib)
  referenced from '__dopr' in tmp32\b_print.obj (libeay32.lib)
  ...
Link Error : Undefined symbol: '__declspec(dllimport) __isctype (__imp___isctype)'
  referenced from '__dopr' in tmp32\b_print.obj (libeay32.lib)
  referenced from '__dopr' in tmp32\b_print.obj (libeay32.lib)
  referenced from '_X509V3_parse_list' in tmp32\v3_utl.obj (libeay32.lib)
  referenced from '_X509V3_parse_list' in tmp32\v3_utl.obj (libeay32.lib)
  referenced from '_X509V3_parse_list' in tmp32\v3_utl.obj (libeay32.lib)
  referenced from '_X509V3_parse_list' in tmp32\v3_utl.obj (libeay32.lib)
  referenced from '_X509V3_parse_list' in tmp32\v3_utl.obj (libeay32.lib)
  referenced from '_X509V3_parse_list' in tmp32\v3_utl.obj (libeay32.lib)
  ...
Link Error : Undefined symbol: '__declspec(dllimport) __errno (__imp___errno)'
  referenced from '_BIO_new_file' in tmp32\bss_file.obj (libeay32.lib)
Link Error : Undefined symbol: '__aulldiv'
  referenced from '_BN_div' in tmp32\bn_div.obj (libeay32.lib)
  referenced from '_bn_div_words' in tmp32\bn_asm.obj (libeay32.lib)
  referenced from '_fmtint' in tmp32\b_print.obj (libeay32.lib)
Link Error : Undefined symbol: '__aullrem'
  referenced from '_fmtint' in tmp32\b_print.obj (libeay32.lib)
Link Error : Undefined symbol: '__allmul'
  referenced from '_bn_mul_add_words' in tmp32\bn_asm.obj (libeay32.lib)
  referenced from '_bn_mul_add_words' in tmp32\bn_asm.obj (libeay32.lib)
  referenced from '_bn_mul_add_words' in tmp32\bn_asm.obj (libeay32.lib)
  referenced from '_bn_mul_add_words' in tmp32\bn_asm.obj (libeay32.lib)
  referenced from '_bn_mul_add_words' in tmp32\bn_asm.obj (libeay32.lib)
  referenced from '_bn_mul_add_words' in tmp32\bn_asm.obj (libeay32.lib)
  referenced from '_bn_mul_add_words' in tmp32\bn_asm.obj (libeay32.lib)
  referenced from '_bn_mul_words' in tmp32\bn_asm.obj (libeay32.lib)
  ...
--- Link Errors End ---

What I understand of these errors is that the linker could not find definitions of the following variables/functions in the library:

1. _abort
2. __iob
3.
SMIME decrypt: header too long
I have an intermittent S/MIME decrypting problem. I'm using the following command-line interface (a little bit outdated openssl 0.9.6b @ HPUX-B.11.11):

  cat email | openssl smime -decrypt -inkey mykey -recip mycert

This usually works without problems. But emails from one particular address I can decrypt only most of the time. Sometimes I get the following error message:

openssl-0.9.6b:
  Error reading S/MIME message
  27549:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:139:
  27549:error:21078082:PKCS7 routines:B64_READ_PKCS7:decode error:pk7_mime.c:142:
  27549:error:2107A08B:PKCS7 routines:SMIME_read_PKCS7:pkcs7 parse error:pk7_mime.c:299:

Same effect with openssl-0.9.7-beta6:
  Error reading S/MIME message
  13482:error:0D06B08E:asn1 encoding routines:ASN1_d2i_bio:not enough data:a_d2i_fp.c:240:
  13482:error:21078082:PKCS7 routines:B64_READ_PKCS7:decode error:pk7_mime.c:142:
  13482:error:2107A08B:PKCS7 routines:SMIME_read_PKCS7:pkcs7 parse error:pk7_mime.c:299:

When I try the same command later it might or might not decrypt successfully...

What does "header too long" mean in the context of S/MIME decrypt (or "not enough data")?

Thanks,
-- Beat

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: SMIME decrypt: header too long
Try using the asn1parser (an option with openssl). If this doesn't complete without an error then you may have a problem with the way your originator is producing ASN.1 (we did here and I had to solve it by producing a bit of code to act as a 'filter' to correct the problem!).

Peter

Beat Jucker wrote:
> I have an intermittent S/MIME decrypting problem. I'm using the following command-line interface (a little bit outdated openssl 0.9.6b @ HPUX-B.11.11):
>   cat email | openssl smime -decrypt -inkey mykey -recip mycert
> This usually works without problems. But emails from one particular address I can decrypt only most of the time. Sometimes I get the following error message: [...]
> What does "header too long" mean in the context of S/MIME decrypt (or "not enough data")?
Re: how to sign as per PKCS1 v2.0.
On Wed, Jun 01, 2005, Suram Chandra Sekhar wrote:

> Hi,
>
> Thank you very much for the reply. I still have some confusion w.r.t. the version of the draft (PKCS#1 v2.0 and PKCS#1 v2.1 specification). I was referring to rfc3447 (PKCS#1 v2.1) and the older draft "PKCS #1: RSA Cryptography Specifications Version 2.0".
>
> rfc3447 (PKCS#1 v2.1) section 9.2 (EMSA-PKCS1-v1_5) says in step 5 as follows:
>
>   5. Concatenate PS, the DER encoding T, and other padding to form the encoded message EM as
>        EM = 0x00 || 0x01 || PS || 0x00 || T.
>
> PKCS#1 v2.0 section 9.2.1 (EMSA-PKCS1-v1_5) says in step 5 as follows:
>
>   5. Concatenate PS, the DER encoding T, and other padding to form the encoded message EM as:
>        EM = 01 || PS || 00 || T
>
> When I use RSA_PKCS1_PADDING in the OpenSSL function RSA_private_encrypt(), it is adding the starting bytes as 00 01 as defined in PKCS#1 v2.1. But as per the PKCS#1 v2.0 specification, it must be only 01. The protocol requirement is to use PKCS#1 v2.0.

Then PKCS#1 v2.0 is wrong. That section is supposed to describe the system used by PKCS#1 v1.5 which includes the zero.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
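The encoding the two messages above compare, written out as an added example (it is not code from this thread or from OpenSSL). It builds the RFC 3447 section 9.2 block EM = 0x00 || 0x01 || PS || 0x00 || T, the v2.0-draft form without the leading zero, and shows that both become the same integer under OS2IP, which is why RSA_private_encrypt() with RSA_PKCS1_PADDING (type 1 padding: 0x00 0x01, 0xFF bytes, 0x00, then the data you pass, here T) yields the same signature for either reading of the text. The DigestInfo prefixes are the DER constants listed in the RFC; the message "abc" and the 64-byte modulus length are made up for the demonstration.

```python
"""EMSA-PKCS1-v1_5 (RFC 3447 section 9.2) in pure Python.

Added example for this thread; not OpenSSL code.  The DigestInfo prefixes are
the DER constants listed in the RFC; the messages used below are made up.
"""
import hashlib
import hmac

# DER encoding of DigestInfo up to (but not including) the hash value:
# SEQUENCE { SEQUENCE { OID, NULL }, OCTET STRING header }.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def digest_info(message, hash_name="sha256"):
    """T in the RFC: DER DigestInfo = algorithm prefix || H(message)."""
    return DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, message).digest()


def emsa_pkcs1_v1_5_encode(message, em_len, hash_name="sha256"):
    """RFC 3447 / PKCS#1 v2.1 layout: EM = 0x00 || 0x01 || PS || 0x00 || T.

    em_len is the modulus length k in bytes.  PS is all 0xFF and at least
    eight bytes long (step 3 of the RFC), so a too-small em_len is rejected
    rather than silently shortening the padding.
    """
    t = digest_info(message, hash_name)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def emsa_pkcs1_v1_5_encode_v20(message, k, hash_name="sha256"):
    """PKCS#1 v2.0 draft wording: EM = 0x01 || PS || 0x00 || T of length k - 1.

    Same bytes as the v2.1 form minus the leading zero; kept only so the two
    layouts can be compared side by side.
    """
    return emsa_pkcs1_v1_5_encode(message, k, hash_name)[1:]


def os2ip(em):
    """Octet string to integer (RFC 3447 section 4.2): plain big-endian."""
    return int.from_bytes(em, "big")


def same_signature_input(em_a, em_b):
    """True when both byte strings become the same integer m, i.e. the RSA
    private operation m^d mod n (what RSA_private_encrypt does after padding)
    produces an identical signature from either."""
    return os2ip(em_a) == os2ip(em_b)


def emsa_pkcs1_v1_5_verify(em, message, hash_name="sha256"):
    """Verify by re-encoding and comparing the whole block.

    Scanning for the 0x00 separator and then parsing DigestInfo leniently is
    how several real implementations ended up accepting forged signatures;
    comparing against the one valid encoding avoids that class of bug.
    """
    try:
        expected = emsa_pkcs1_v1_5_encode(message, len(em), hash_name)
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


if __name__ == "__main__":
    em = emsa_pkcs1_v1_5_encode(b"abc", 64)   # k = 64 bytes, i.e. a 512-bit modulus
    print("v2.1:", em.hex())
    print("v2.0:", emsa_pkcs1_v1_5_encode_v20(b"abc", 64).hex())
    print("same integer:", same_signature_input(em, em[1:]))
```

The verify routine re-encodes rather than parses on purpose: with the block fixed by (k, hash, message), there is exactly one acceptable EM, and a whole-block comparison leaves nothing for a malformed padding or DigestInfo to exploit.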
Re: Generate a CRL from an OCSP request
On Wed, Jun 01, 2005, Julien VEHENT wrote:

> I have an OCSP responder on my CA and I want to use it to generate CRLs on other servers. [...]
> - How can I request all certificates managed by my CA in one OCSP request? (I don't want to copy all of these signed certificates onto all of my OpenVPN servers.)
> - How can I encode the response in PEM format in order to use it with OpenVPN?
>
> I really want to use the OCSP protocol for several reasons (including security considerations), so publication through the HTTP protocol is not a good solution for me.

OCSP can't really be used that way unless you include the serial numbers of *all* that CA's certificates in the request. That could result in a very large request and responder overhead.

What is your problem with HTTP? A CRL is digitally signed so it can't be tampered with.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: SMIME decrypt: header too long
On Wed, Jun 01, 2005 at 12:19:11PM +0100, Peter Cope wrote:
> Try using the asn1parser (an option with openssl).

No problem: asn1parse tells me

    0:d=0  hl=2 l=inf  cons: SEQUENCE
    2:d=1  hl=2 l=   9 prim: OBJECT            :pkcs7-envelopedData
  ...

But I'm really confused because exactly the same message sometimes might/might not decrypt. Could it have something to do with openssl initialisation? Therefore I'm interested to know the possible reasons for

openssl-0.9.6:
  error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:139:
openssl-0.9.7:
  error:0D06B08E:asn1 encoding routines:ASN1_d2i_bio:not enough data:a_d2i_fp.c:240:

Thanks
-- Beat
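Where the two errors come from, as an added example (not OpenSSL code and not from the thread): a small BER reader that walks the structure the asn1parse output above shows (an indefinite-length SEQUENCE holding the pkcs7-envelopedData OID) and reports the same two conditions. In OpenSSL, ASN1_get_object reports "header too long" when it cannot read a complete tag and length from the bytes it was given, and ASN1_d2i_bio reports "not enough data" when the input ends before the object does; both are what a decoder says about a message that has been cut short, so comparing the decoded byte count of a failing copy against a good copy of the same mail is the first check to make. The SAMPLE bytes are constructed by hand and stand in for a real envelopedData body.

```python
"""Minimal BER tag/length reader reproducing OpenSSL's "header too long" and
"not enough data" conditions.

Added example for this thread; not OpenSSL code.  SAMPLE is hand-constructed
to match the asn1parse output quoted above.
"""
import base64


class ASN1Error(ValueError):
    pass


def read_header(data, offset=0):
    """Parse one BER identifier + length at `offset`.

    Returns (tag, constructed, length, header_len); length is None for the
    indefinite form (0x80).  Raises ASN1Error("header too long") when the tag
    or length bytes themselves run past the end of `data`, and
    ASN1Error("not enough data") when a definite length claims more content
    than remains.
    """
    end = len(data)
    if offset >= end:
        raise ASN1Error("header too long")
    tag = data[offset]
    constructed = bool(tag & 0x20)
    pos = offset + 1
    if tag & 0x1F == 0x1F:                      # high tag number: continuation bytes
        while True:
            if pos >= end:
                raise ASN1Error("header too long")
            pos += 1
            if not data[pos - 1] & 0x80:
                break
    if pos >= end:
        raise ASN1Error("header too long")
    first = data[pos]
    pos += 1
    if first == 0x80:                           # indefinite length (BER only)
        if not constructed:
            raise ASN1Error("indefinite length on primitive type")
        return tag, constructed, None, pos - offset
    if first & 0x80:                            # long form: next n bytes hold the length
        n = first & 0x7F
        if n > 4 or pos + n > end:
            raise ASN1Error("header too long")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if length > end - pos:
        raise ASN1Error("not enough data")
    return tag, constructed, length, pos - offset


def walk(data, offset=0, end=None, depth=0, out=None, indefinite=False):
    """Walk nested objects; return (next_offset, entries) where each entry is
    (offset, depth, header_len, length, "cons"/"prim", tag_number), the same
    fields asn1parse prints.  An indefinite-length object must be closed by
    the 00 00 end-of-contents marker before the data runs out."""
    if out is None:
        out = []
    if end is None:
        end = len(data)
    pos = offset
    while pos < end:
        if indefinite and data[pos] == 0x00:    # end-of-contents for our parent
            if pos + 1 >= end or data[pos + 1] != 0x00:
                raise ASN1Error("bad end-of-contents")
            return pos + 2, out
        tag, cons, length, hl = read_header(data, pos)
        out.append((pos, depth, hl, length, "cons" if cons else "prim", tag & 0x1F))
        body = pos + hl
        if cons and length is None:
            pos, _ = walk(data, body, end, depth + 1, out, indefinite=True)
        elif cons:
            walk(data, body, body + length, depth + 1, out)
            pos = body + length
        else:
            pos = body + length
    if indefinite:
        raise ASN1Error("not enough data")      # ran out before the 00 00 marker
    return pos, out


def decode_status(data):
    """'ok' or the decoder's complaint: quick triage for a suspect message."""
    try:
        walk(data)
        return "ok"
    except ASN1Error as err:
        return str(err)


def status_of_smime_body(b64_body):
    """Same check on the base64 body of an application/pkcs7-mime part
    (line breaks are skipped, as a MIME decoder would)."""
    return decode_status(base64.b64decode(b64_body, validate=False))


# Constructed by hand: SEQUENCE (indefinite) { OID pkcs7-envelopedData,
#                                              [0] (indefinite) { OCTET STRING } }
SAMPLE = bytes.fromhex(
    "3080"                      # 0:d=0 hl=2 l=inf cons: SEQUENCE
    "06092a864886f70d010703"    # 2:d=1 hl=2 l=  9 prim: OBJECT :pkcs7-envelopedData
    "a080"                      # [0] EXPLICIT, indefinite length
    "0403010203"                # OCTET STRING, 3 bytes (stand-in for the content)
    "0000"                      # end-of-contents for [0]
    "0000"                      # end-of-contents for the SEQUENCE
)

if __name__ == "__main__":
    for off, d, hl, l, kind, tag in walk(SAMPLE)[1]:
        print("%4d:d=%d hl=%d l=%s %s tag=%d" % (off, d, hl, "inf" if l is None else l, kind, tag))
    print(decode_status(SAMPLE), "/", decode_status(SAMPLE[:19]), "/", decode_status(SAMPLE[:16]))
```

Run it against the decoded body of a good copy and a failing copy of the same message: if the failing one stops with "not enough data" a few bytes short of the good one's length, the problem is in transport or storage of the mail, not in the sender's ASN.1 encoder.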
multiple SSL BIO chain error (regression from 0.9.6?)
Hello,

I'd really appreciate help in porting code that works fine with 0.9.6b but fails in newer versions. I'd like to know if something has changed in the way BIOs should be used or if it is the newer openssl code that is broken.

SYNOPSIS

I want to create a BIO chain consisting of a socket BIO plus an SSL BIO plus another SSL BIO. It works fine with the ancient version of openssl 0.9.6b but fails with 0.9.7x (including 0.9.7g). Haven't tried with 0.9.8 beta yet. The error I get is:

  error:1409F080:SSL routines:SSL3_WRITE_PENDING:bio not set

DESCRIPTION

I create a socket BIO and then add two SSL BIOs like this:

  bio_socket = BIO_new_connect("localhost:1313");
  BIO_do_connect(bio_socket);
  BIO* bio_ssl     = bio_ssl_push(bio_socket);
  BIO* bio_ssl_ssl = bio_ssl_push(bio_ssl);

where I have defined bio_ssl_push as a wrapper for BIO_push that adds SSL to the chain:

  BIO* bio_ssl_push(BIO* append)
  {
      SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
      SSL* ssl = SSL_new(ctx);
      SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
      BIO* bio = BIO_new(BIO_f_ssl());
      BIO_set_ssl(bio, ssl, BIO_NOCLOSE);
      BIO_push(bio, append);        /* the SSL BIO now reads and writes through 'append' */
      int err = SSL_connect(ssl);
      printf("SSL_connect: %d\n", err);
      return bio;
  }

which seems to work fine as both SSL_connect return 1 (success), but gives an error when reading or writing like this:

  #define MESSAGE "eureka!\n"
  BIO_write(bio_ssl_ssl, MESSAGE, strlen(MESSAGE));

the error being:

  error:1409F080:SSL routines:SSL3_WRITE_PENDING:bio not set

Testing environment: I use stunnel.org redirected to ./openssl s_server -accept
Operating system: Red Hat Linux 2.4.9-e.35.2RS (but the same happens on Windows XP).

When it works I get the text "Eureka!" at the openssl server, and this is the program's output:

  OpenSSL version: OpenSSL 0.9.6b [engine] 9 Jul 2001
  SSL_connect: 1
  SSL_connect: 1

When it doesn't work the output of the test program is:

  OpenSSL version: OpenSSL 0.9.7g 11 Apr 2005
  SSL_connect: 1
  SSL_connect: 1
  error:1409F080:SSL routines:SSL3_WRITE_PENDING:bio not set

and the openssl server screen shows:

  CIPHER is DHE-RSA-AES256-SHA
  ERROR
  shutting down SSL
  CONNECTION CLOSED

thanks in advance,
Francesc
Unusual NMAKE warning.
Hello,

Never had this happen before until I tried building 0.9.8 Beta 3, but it could cause problems in the future:

  NMAKE : warning U4004: too many rules for target 'tmp32\e_4758cca_err.h'
          copy nul+ .\engines\e_4758cca_err.h tmp32\e_4758cca_err.h >nul

Microsoft Visual C++ 6 SP5, latest Platform SDK, using a MASM build. This is part of a huge automated build sequence, but the warning occurs when attempting to run nmake -f ms\nt.mak. OpenSSL seems to build just fine, but the warning could be meaningful.

Thomas J. Hruska
Shining Light Productions
Home of the Nuclear Vision scripting language and ProtoNova web server.
http://www.slproweb.com/
Re: libeay32.lib giving some link errors while using on Windows
Hi Qadeer,

I just went through the exercise of building the openssl libraries for Win32 and for the Mac. I also built and installed libxml, libxslt, and xmlsec. This matters because xmlsec links against openssl.

I discovered that the generated makefiles for Win32 hard code /MD into the compiler flags. This causes the link with your program to want the DLL runtime. (Note your error messages that mention dllimport.) I ran into all sorts of problems with the xmlsec link until I fixed this.

I think that you can fix your problem if you edit ms\nt.mak after you run the configure. Find the line that begins with:

  CFLAG= /MD

Change the /MD to something better, like /MT (multithreaded using LIBCMT.lib) or /ML (single threaded using LIBC.lib). Whatever you choose here must be the same as what you use for your program that links against this library.

Now run the make and the install and try linking to your program.

I hope this helps.

- Rush
Deriving the root CA's cert from a given SSL cert
Hi,

I was wondering if it's possible to derive (or extract?) the root CA's cert from a given SSL cert using openssl. What I mean by the root CA's cert is the certificate that would be installed in a browser's list of trusted CAs.

For instance if I have an SSL certificate signed by Verisign, I would like to get Verisign's certificate out of that cert, which would have to be in the browser's trusted list (for it to be trusted).

Is this possible?

Thanks,
Davy
Default CApath in Debian (OpenSSL 0.9.6c-2)
Hi,

I ran into trouble with the following thing. There is a Debian woody, with OpenSSL 0.9.6c installed. I am trying to set up OpenSSL so it by default uses CA certificates in /etc/ssl/certs (I want to force Sylpheed to actually use a CA certificate to verify the server certificate). I put the CA files in /etc/ssl/certs and generated hash names.

If I do

  openssl s_client -CApath /etc/ssl -connect ...

then OpenSSL correctly finds the CA certificate and verifies the server certificate (return code 0). If I omit the CApath, using the default settings, the verification fails with

  Verify return code: 21 (unable to verify the first certificate)

I searched Google and the archives - the only relevant thing I found is that if it is my client app, I may ask it to use some CA cert. But how do I set a CApath by default?

Thanks for any hint
Vaclav Stepan
--
Vaclav Stepan
http://linux.fjfi.cvut.cz/~w/
timeout vs. SSL_ERROR_WANT_XXXX
Hi everyone

I want to use a timeout with select and I wonder how to cancel an operation (SSL_read or SSL_write, non-blocking) that caused SSL_ERROR_WANT_READ (or *_WRITE).

I've got a queue of messages to send (and one for received too). If I cannot send a whole particular msg within some time (5 sec) I want to discard this message and start sending another one. The problem is, when a msg is not fully transmitted (received) it locks in a state where I receive SSL_ERROR_WANT_XXX. From the docs etc. I know that when I've got SSL_ERROR_WANT_* I have to retry the operation which caused this error, but that requires more time, which I haven't got because I want to send another message!

I can always close the connection and open it again, but it is an ugly solution. Is there any way to do it in a more polite way?

--
Mariusz Kedzierawski
Help with Self Signed Certificates.
Hello There.

I wrote client and server programs using SSL. They fail to handshake when I use self-signed certificates and succeed when I use certificates generated from a CA.

The failure I get when using a self-signed certificate is

  4904:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48

(this failure is on the server side). On the client side the failure is

  4902:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:843:

I used the program mkcert.c to generate a self-signed certificate. (mkcert.c is an example program that comes with the openssl installation and is under the demos directory.)

Any help to know the problem is greatly appreciated.

thanks,
Lokesh.
Problems in ssltest.c
Hello,

I am new to openssl and am trying to compile libraries for the Win32 environment. I used the "ms\do_ms fips" command as I don't really care right now about recompiling the assembly. I am getting the following error:

  cl /Fotmp32\ssltest.obj -Iinc32 -Itmp32 /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 /Fdout32 -DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -c .\ssl\ssltest.c
  ssltest.c
  .\ssl\ssltest.c(1979) : error C2065: 's' : undeclared identifier
  .\ssl\ssltest.c(1979) : error C2223: left of '->version' must point to struct/union
  .\ssl\ssltest.c(1984) : error C2223: left of '->version' must point to struct/union
  NMAKE : fatal error U1077: 'cl' : return code '0x2'
  Stop.

The following code is from ssltest.c. I don't see a structure variable called s in the function. Can you tell me if the bad section of code is needed or not? I have commented out the piece of code where the variable s is being used.

  static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
      {
      int ok=1;
      struct app_verify_arg *cb_arg = arg;
      unsigned int letters[26]; /* only used with proxy_auth */

      if (cb_arg->app_verify)
          {
          char *s = NULL,buf[256];

          fprintf(stderr, "In app_verify_callback, allowing cert. ");
          fprintf(stderr, "Arg is: %s\n", cb_arg->string);
          fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
                  (void *)ctx, (void *)ctx->cert);
          if (ctx->cert)
              s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
          if (s != NULL)
              {
              fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
              }
          return(1);
          }

      if (cb_arg->proxy_auth)
          {
          int found_any = 0, i;
          char *sp;

          for(i = 0; i < 26; i++)
              letters[i] = 0;
          for(sp = cb_arg->proxy_auth; *sp; sp++)
              {
              char c = *sp;
              if (isascii(c) && isalpha(c))
                  {
                  if (islower(c))
                      c = toupper(c);
                  letters[c - 'A'] = 1;
                  }
              }

          fprintf(stderr, "  Initial proxy rights = ");
          for(i = 0; i < 26; i++)
              if (letters[i])
                  {
                  fprintf(stderr, "%c", i + 'A');
                  found_any = 1;
                  }
          if (!found_any)
              fprintf(stderr, "none");
          fprintf(stderr, "\n");

          X509_STORE_CTX_set_ex_data(ctx, get_proxy_auth_ex_data_idx(),letters);
          }
      if (cb_arg->allow_proxy_certs)
          {
          X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
          }

  /*********** START OF BAD CODE ***********/
  #ifndef OPENSSL_NO_X509_VERIFY
  # ifdef OPENSSL_FIPS
      if(s->version == TLS1_VERSION)
          FIPS_allow_md5(1);
  # endif
      ok = X509_verify_cert(ctx);
  # ifdef OPENSSL_FIPS
      if(s->version == TLS1_VERSION)
          FIPS_allow_md5(0);
  # endif
  #endif
  /*********** END OF BAD CODE ***********/

      if (cb_arg->proxy_auth)
          {
          if (ok)
              {
              const char *cond_end = NULL;

              ok = process_proxy_cond(letters,cb_arg->proxy_cond, &cond_end);

              if (ok < 0)
                  EXIT(3);
              if (*cond_end)
                  {
                  fprintf(stderr, "Stopped processing condition before it's end.\n");
                  ok = 0;
                  }
              if (!ok)
                  fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
                          cb_arg->proxy_cond);
              else
                  fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
                          cb_arg->proxy_cond);
              }
          }
      return(ok);
      }
SSL_CTX_set_verify
Hi,

I use the OpenSSL API ver 0.9.7e with Win32 and I have a problem: is it possible to establish an SSL connection between a client and a server if the client has a certificate (and has to be verified) but the server doesn't have one?

I have already tried changing the parameters of SSL_CTX_set_verify in the client and server with SSL_VERIFY_PEER and SSL_VERIFY_NONE, and I have tried to put in a custom verification callback, but if the server doesn't have a certificate all the methods fail (with the error: no shared cipher).

Thanks in advance
Re: Getting Cisco 3kvpn to accept openssl signed certs - anyone done it?
Ok, finally had time to work on this project again and solve the problem. To fix the problem I upgraded from vpn3000-4.1.5.B-k9.bin to vpn3000-4.1.7.E-k9.bin

--- ray v wrote:
> Yes, the first thing I did was install the CA root certificate and the sub-CA certificate which signs the cert reqs from the 3000. Cisco got back to me and are now telling me that it might be a problem with the code version I have loaded up on my 3k. Once I get it updated I'll try again to see if there is a difference.
>
> BTW Cisco has sent several documents on how to make this work, generally with all other products except for openssl. Still the instructions are quite clear and should work with openssl just fine.
>
> FYI - Version 4.1.7.D
>
> --- David Gianndrea wrote:
>> Have you installed the CA cert on the cisco?
>>
>> David Gianndrea
>> Senior Network Engineer
>> Comsquared Systems, Inc.
>> Web: www.comsquared.com
>>
>> ray v wrote:
>>> Has anyone been able to get a certificate signed by an openssl CA accepted as the identity certificate?
>>>
>>> 1. Gen manual pkcs10 req on 3kvpn
>>> 2. Sign 3kvpn req and make cert
>>> 3. Install cert through cut and paste or file transfer
>>>
>>> error message
>>>   Error installing SSL certificate: Incomplete chain.
>>>
>>> I verified the chain and for everything else not 3kvpn things are working peachy. On the other hand Cisco hasn't been much help at all, but I still have hope.
Re: libeay32.lib giving some link errors while using on Windows
Great, thanks Rush! This exercise did solve the problems :-)

Now I see that this problem with nt.mak has already been pointed out by Matyas Majzik in one of his emails to this group.

Thanks and regards,
--
Qadeer Baig

On 6/1/05, Rush Manbert wrote:
> I discovered that the generated makefiles for Win32 hard code /MD into the compiler flags. This causes the link with your program to want the DLL runtime. (Note your error messages that mention dllimport.) [...]
> I think that you can fix your problem if you edit ms\nt.mak after you run the configure. Find the line that begins with:
>   CFLAG= /MD
> Change the /MD to something better, like /MT (multithreaded using LIBCMT.lib) or /ML (single threaded using LIBC.lib). Whatever you choose here must be the same as what you use for your program that links against this library.