8 bit characters in DN
I can not sign a request containing latin characters with the msb set. Openssl will escape the characters even i I set -esc_msb in the config file. I made a request containing norwegian characters and tried the following command: openssl ca -spkac test.spkac Setting the option name_opt= ca_default,-esc_msb will display the request confirmation properly, but if I sign the sequest bthe certificate ends up with ecaped characters. How can I avoid escaping in signed certificates? Øyvind Jelstad Cumulus IT AS begin:vcard fn;quoted-printable:=C3=98yvind Jelstad n;quoted-printable:Jelstad;=C3=98yvind email;internet:[EMAIL PROTECTED] tel;cell:977 48 392 version:2.1 end:vcard
Re: 8 bit characters in DN
On Mon, Nov 21, 2005, yvind Jelstad wrote: I can not sign a request containing latin characters with the msb set. Openssl will escape the characters even i I set -esc_msb in the config file. I made a request containing norwegian characters and tried the following command: openssl ca -spkac test.spkac Setting the option name_opt= ca_default,-esc_msb will display the request confirmation properly, but if I sign the sequest bthe certificate ends up with ecaped characters. How can I avoid escaping in signed certificates? If you are using UTF8Strings (as the standards now suggest and which newer versions of OpenSSL are configured to do it wont just include the characters verbatim: it will convert to UTF8 format first. What do you mean by escaped characters? If you include the -nameopt option with the 'x509' utility and appropriate values it should display correctly. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: ASN1 OID values.
On Fri, Nov 11, 2005, Katie Lucas wrote: We're creating custom extensions, so I went off and registered us an OID under {2.25} to use. It's a UUID OID, so it's quite a long numerical string. Please try the latest 0.9.8 snapshot. This should fix the issue. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Session Caching Help
Can someone please tell me why my server application does not cache a session if It set the options to the following? SSL_CTX_set_session_cache_mode( ctx, SSL_SESS_CACHE_SERVER ); and I don't set the callback functions: SSL_CTX_sess_set_new_cb( ctx, NewSessionCallBack ); SSL_CTX_sess_set_remove_cb( ctx, RemoveSessionCallBack ); SSL_CTX_sess_set_get_cb( ctx, GetSessionCallBack ); If I don't set these I thought it would uses the default openssl callbacks for session caching no? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Session Caching Help
Perry L. Jones wrote: Can someone please tell me why my server application does not cache a session if It set the options to the following? SSL_CTX_set_session_cache_mode( ctx, SSL_SESS_CACHE_SERVER ); and I don't set the callback functions: SSL_CTX_sess_set_new_cb( ctx, NewSessionCallBack ); SSL_CTX_sess_set_remove_cb( ctx, RemoveSessionCallBack ); SSL_CTX_sess_set_get_cb( ctx, GetSessionCallBack ); If I don't set these I thought it would uses the default openssl callbacks for session caching no? I think you need to set at least one session ID context. Have a look at functions SSL_CTX_set_session_id_context() and SSL_set_session_id_context(). Arno Garrels __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Certificates
Hi, I am trying to add SSL to a propriatory tcp/ip application. I am reasonably confident in the programming side but I am utterly confused with regards to certificates. The more I read about this the more confused I get :-( I hope someone can help me understand how to set things up. We have a client server application which we wish to secure. As there are only a few clients I think we can act as the CA. I have followed the examples in the Book Network Security with OpenSSL but do not understand what all the files I have created are for. I would be grateful for some assistance and hopefully I will soon understand things enough to ask some more specific questions. TIA, Mark. # mkdir $ROOT_DIR # cd $ROOT_DIR # mkdir certs private # chmod g-rwx,o-rwx private # echo 01 serial # touch index.txt Contents of file $ROOT_DIR/openssl.cnf. - [ca ] default_ca = testca [ testca ] dir = /webserver/opt/testca certificate = $dir/cacert.pem database= $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/cakey.pem serial = $dir/serial default_crl_days= 7 default_days= 365 default_md = md5 policy = testca_policy x509_extensions = certificate_extensions [ testca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = supplied emailAddress= supplied organizationName= supplied organizationalUnitName = optional [ certificate_extensions ] basicConstraints= CA:false [ req ] default_bits= 2048 default_keyfile = /webserver/opt/testca/private/cakey.pem # Must use full path! default_md = md5 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions [ root_ca_distinguished_name ] commonName = test Test stateOrProvinceName = test countryName = CH emailAddress= [EMAIL PROTECTED] organizationName= Root Certification Authority [ root_ca_extensions ] basicConstraints= CA:true - # OPENSSL_CONF=${ROOT_DIR}/openssl.cnf # cd $ROOT_DIR # openssl req x509 newkey rsa:2048 out cacert.pem outform PEM nodes # cd $ROOT_DIR # unsetenv OPENSSL_CONF # openssl req -newkey rsa:1024 -keyout nuckey.pem -keyform PEM -out nucreq.pem -nodes -outform PEM # setenv OPENSSL_CONF $ROOT_DIR/openssl.cnf # openssl ca -in nucreq.pem
Re: Session Caching Help
Sorry I left that line out yes I have set that too, maybe 10 is not a good value to set in this functions? SSL_CTX_set_session_id_context( ctx, Server, 10 ) Perry Arno Garrels wrote: Perry L. Jones wrote: Can someone please tell me why my server application does not cache a session if It set the options to the following? SSL_CTX_set_session_id_context( ctx, Server, 10 ) SSL_CTX_set_session_cache_mode( ctx, SSL_SESS_CACHE_SERVER ); and I don't set the callback functions: SSL_CTX_sess_set_new_cb( ctx, NewSessionCallBack ); SSL_CTX_sess_set_remove_cb( ctx, RemoveSessionCallBack ); SSL_CTX_sess_set_get_cb( ctx, GetSessionCallBack ); If I don't set these I thought it would uses the default openssl callbacks for session caching no? I think you need to set at least one session ID context. Have a look at functions SSL_CTX_set_session_id_context() and SSL_set_session_id_context(). Arno Garrels __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Certificates
Certificates are a lot like pgp keys with one difference the public key has be wrapped with the Public Key infrastructure (PKI). So a public cert will not only contain the public key but it will also contain information about what the key can be used for (signing, encrypting, server, client, CA signing, etc. ) who it was issued to and what CA signed it (issue DN) it. If you are going to build a client server application you I am guessing you will want at lest 3 certificates. CA - ( self sigen cert ) Client - ( certificate request signed by CA ) Server - ( certificate request signed by CA ) The certificate request is the public key and other information about the uses (subject DN, etc ...) that gets signed by the CA. After it is signed by the CA it is a PKI public cert. Hope this helps a little. Perry Mark wrote: Hi, I am trying to add SSL to a propriatory tcp/ip application. I am reasonably confident in the programming side but I am utterly confused with regards to certificates. The more I read about this the more confused I get :-( I hope someone can help me understand how to set things up. We have a client server application which we wish to secure. As there are only a few clients I think we can act as the CA. I have followed the examples in the Book Network Security with OpenSSL but do not understand what all the files I have created are for. I would be grateful for some assistance and hopefully I will soon understand things enough to ask some more specific questions. TIA, Mark. # mkdir $ROOT_DIR # cd $ROOT_DIR # mkdir certs private # chmod g-rwx,o-rwx private # echo ‘01’ serial # touch index.txt Contents of file $ROOT_DIR/openssl.cnf. - [ca ] default_ca = testca [ testca ] dir = /webserver/opt/testca certificate = $dir/cacert.pem database= $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/cakey.pem serial = $dir/serial default_crl_days= 7 default_days= 365 default_md = md5 policy = testca_policy x509_extensions = certificate_extensions [ testca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = supplied emailAddress= supplied organizationName= supplied organizationalUnitName = optional [ certificate_extensions ] basicConstraints= CA:false [ req ] default_bits= 2048 default_keyfile = /webserver/opt/testca/private/cakey.pem # Must use full path! default_md = md5 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions [ root_ca_distinguished_name ] commonName = test Test stateOrProvinceName = test countryName = CH emailAddress= [EMAIL PROTECTED] organizationName= Root Certification Authority [ root_ca_extensions ] basicConstraints= CA:true - # OPENSSL_CONF=${ROOT_DIR}/openssl.cnf # cd $ROOT_DIR # openssl req –x509 –newkey rsa:2048 –out cacert.pem –outform PEM –nodes # cd $ROOT_DIR # unsetenv OPENSSL_CONF # openssl req -newkey rsa:1024 -keyout nuckey.pem -keyform PEM -out nucreq.pem -nodes -outform PEM # setenv OPENSSL_CONF $ROOT_DIR/openssl.cnf # openssl ca -in nucreq.pem __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Certificates
Mark, I am assuming that you are aware of the need for certificates (need for public key Cryptography). Now reg ur query on creating those files to set up a CA, the need for a CA (in u r client server arch and very simple terms) is to provide all the clients with some credentials that will provide a level of trust for the server when a communication channel is to be established and vice versa if we need client authentication. For this to happen all the clients must have some credentials (which is the certificate signed by the CA). This is in general about the need for a CA. Now the different files u need to create for setting up the CA, dir = /webserver/opt/testca The dir where u want all the details regarding this ca will be stored... certificate = $dir/cacert.pem Every client or a server can be identified using the certificate provided by that machine/user. A certificate will contain two parts public and private keys, as the name implies the public can be provided to anyone and the private should be kept confidential. Here the CA must have these keys setup before they could be used as a CA. The file created here is the ca's public key (public certificate). The pem is the file format. database= $dir/index.txt This is for the CA to keep a track of all the entities who has requested CA for the service and who the CA has provided the service. In here the CA will contain all the clients that they have certified ( certification is the process of signing the public key with the CA's private key.. Just to provide a trust to other 3rd party tat CA has validated the credentials provided by this entity and is trustworthy... ) new_certs_dir = $dir/certs This dir will contain the list of public keys that this CA has certified. In your case this will contain all the public key (public certificate) of u r clients .. private_key = $dir/private/cakey.pem This file will contain the private key corresponding to the cacert.pem file. (this is the ca's private key) serial = $dir/serial Every certificate which CA sign's must have a serial number for the CA to validate any details in future.. This file is created with some values normally 01. which is like the starting number for the serial numbers. The serial number gets incremented as and when u use this ca to sign certificate for u r clients. And each clients are identified by the serial number by the CA. I could keep explaining on and on ... But I will leave it now and wait for u to come back with more specific doubts... Hope this helped.. Cheers, Dinesh Kallath -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Sent: 21 November 2005 15:25 To: openssl-users@openssl.org Subject: Certificates Hi, I am trying to add SSL to a propriatory tcp/ip application. I am reasonably confident in the programming side but I am utterly confused with regards to certificates. The more I read about this the more confused I get :-( I hope someone can help me understand how to set things up. We have a client server application which we wish to secure. As there are only a few clients I think we can act as the CA. I have followed the examples in the Book Network Security with OpenSSL but do not understand what all the files I have created are for. I would be grateful for some assistance and hopefully I will soon understand things enough to ask some more specific questions. TIA, Mark. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Certificates
Hi Dinesh All, Now the different files u need to create for setting up the CA, ok, I think understand the purpose of the files cacert.pem (public key), private/cakey.pem (private key), index.txt and serial. What I don't understand is what files require signing and what to do with the private keys that are created as a result of a request. I have seen many examples which differ. For example some examples take the root CA public and private keys and concatenate them before signing them both. What is the reason for this? In addition I am not sure what is involved in creating a certificate for the client. I have more questions but I'll leave these for now. TIA, Mark. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Certificates
Mark, I am not sure why you would want to sign the private key but I am sure there might be a reason some where. All you should need to sign is the certificate request (cert.req) after signing the certificate request it is likely that you will want to put your related certificates and keys into some storage format such as a pkcs12 keystore. You don't have to include the CA public certificate but it is good if you are creating a keystore to include all of the public certificates in the store up to some trust point (Trusted CA or self signed Root cert). cat CA_public_cert.pem new_cert.pem new_cert_private_key.pem new_cert.pem openssl pkcs12 -export -in new_cert.pem -out new_cert.p12 This p12 file should contain all of the information need to create an ssl connection. Perry Mark wrote: Hi Dinesh All, Now the different files u need to create for setting up the CA, ok, I think understand the purpose of the files cacert.pem (public key), private/cakey.pem (private key), index.txt and serial. What I don't understand is what files require signing and what to do with the private keys that are created as a result of a request. I have seen many examples which differ. For example some examples take the root CA public and private keys and concatenate them before signing them both. What is the reason for this? In addition I am not sure what is involved in creating a certificate for the client. I have more questions but I'll leave these for now. TIA, Mark. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: Certificates
1) you create a private key ( this is the secret key ... ) 2) you create a public key corresponding to the private key. This key can not be reversed to get a private key, tat is the main advantage of public key cryptography. Ok. I understand this. Would the following command do these two steps in one (combined with my openssl.cnf file)? # openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -nodes Effectively these 2 keys are enough for u to communicate to any others. But there are potential vulnerabilities on using a self signed certificate What are the potential vulnerabilities? okie now wat is a self signed certificate.. As of now u have only 2 keys pub and priv .. Now u have to convert a pub key to a certificate.. Here u create a certificate by signing the public key with u r private key.. If u do it with the same private key corr to the pub key then it is called a self signed certificate.. Confusing.. Okie think it like this.. Pub (mark) -- public key of urs Priv (mark) - Private key of urs... U sign [ pub(mark) ] with the priv (mark) to get a self signed cert.. There are diff types or cert format .. Some certificate format like x.509 does not need a private key to bundle with the public key.. Some format like PKCS 12 need both pub and private key to be bundled together.. It is not a very gud option to bundle the private key because u do not want any one to see u r private key.. I'm not sure what X509 or PKCS12 are. Now u need to have a certificate signed by a CA.. In this case u will send the pub(mark) to the CA and CA signs it with the Priv (CA).. For that CA must verify tat u r public key is derived from u r private key else I can impose tat I am Mark.. For this purpose u prob use a PKCS 12 format or even a CSR.. Certification sign request.. This is a format which will show to the CA tat the person who has requested the CSR contain both pub and priv key... Make sense ... I am beginning to get confused again! What is a CSR? The following command seems to create a new public and private key: # openssl req -newkey rsa:1024 -keyout nuckey.pem -keyform PEM -out nucreq.pem -nodes -outform PEM What are these key files for? How can I create a certificate for a client? TIA, Mark __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Session Memory Leek?
I have been trying to figure this out for days now and can't seem to find the solution? Someone please give me guidance or I am going to cry! I have a server application using session caching. I have used the following function to setup session caching: SSL_CTX_set_session_id_context( ctx, sessionIdContext, sIdLen); SSL_CTX_set_session_cache_mode( ctx, SSL_SESS_CACHE_NO_INTERNAL|SSL_SESS_CACHE_SERVER ); SSL_CTX_set_timeout( ctx, sessionCacheTimeout ); SSL_CTX_sess_set_new_cb( ctx, NewSessionCallBack ); SSL_CTX_sess_set_remove_cb( ctx, RemoveSessionCallBack ); SSL_CTX_sess_set_get_cb( ctx, GetSessionCallBack ); If the client connects with a session the GetSessionCallBack function is called and loads the session from a file on disk. session = PEM_read_bio_SSL_SESSION( bio, NULL, NULL, cachePassword ); retrun session; If the session has expired then it looks like the session is not freed before the connection renegotiate a new session? Should I check in the GetSessionCallBack if a session has already expired before returning it or do I need to call something else to clean this session up? Thanks, Perry __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Certificates
Mark wrote: 1) you create a private key ( this is the secret key ... ) 2) you create a public key corresponding to the private key. This key can not be reversed to get a private key, tat is the main advantage of public key cryptography. Ok. I understand this. Would the following command do these two steps in one (combined with my openssl.cnf file)? # openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -nodes Effectively these 2 keys are enough for u to communicate to any others. But there are potential vulnerabilities on using a self signed certificate What are the potential vulnerabilities? Ahh, now I think we are coming back to the thing that seems to confuse most beginners. There are two problems in cryptography, one is secrecy (encryption) and the other is authenticity. The best encryption algorithms will not help you anything if you are encrypting your data with the key of your evil adversary. If you do this the evil one can intercept the message, decrypt it with his private key, re-encrypt it (after having read it) with the true key of your trusted partner and resent it to him. So you have to be sure that the public key you are using to encrypt really belongs to your trusted partner and not your evil adversary. This is where a CA enters the game. A CA signs other public keys and assures that they belong to those entities which are described in the certificate in form of a Canonical Name (CN). So a CA is something like a government which issues passports so you can be sure that the person on the other side on the desk is the one described in the passport if his face is the one on the passport's photo. If you choose to trust a CA you assume that this CA is doing good work and will not let itself trick into signing keys of your evil adversary which contain the CN of your trusted partner. So you do not have to check all your partner's keys yourself. Now a self signed certificate is something like someone saying I am your Trusted Partner. You can trust me because I have a passport which I issued myself. You can believe in this if for example you can check the key's fingerprints with your partner over telephone. But if you received the certificate (which, by the way, contains the public keys) in an unauthenticated eMail this eMail cold as well have been sent by your evil adversary... [...] I'm not sure what X509 or PKCS12 are. Those are standards on how to format certificates and how to package public and private keys. [...] I am beginning to get confused again! What is a CSR? It's a Certificate Signing Request. A file containing the public key and additional data (for example the CN) about the owner of this key. A CA should check if those additional data indeed describes the owner and if it is so the CA can generate a certificate (and send this certificate to the owner) which the owner of the key can use to authenticate himself (or herself). The following command seems to create a new public and private key: # openssl req -newkey rsa:1024 -keyout nuckey.pem -keyform PEM -out nucreq.pem -nodes -outform PEM What are these key files for? How can I create a certificate for a client? You described it yourself, by doing openssl ca -in nucreq.pem. But I guess your problem is how to use this certificate/key in an application like an internet browser or mail client. If this is so there are different ways depending on your application. You should be more specific on your (client and server) applications... Hope it helps, Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 smime.p7s Description: S/MIME Cryptographic Signature
question about data transfer
HI: I am trying to use ssl to secure a persistent data stream which is read form some sensors outside, and transfer it to a fixed pc on the interent. The most common use of ssl is Https,but i am confused that can https realize this application? i mean , as i know ,the Https is always works in Browser/Server mode ,is it realizable to use Https to transfer a persitent data stream,or i should choose otherprotocol like ftp? anyone who can help me isthankful Sun Yingming请使用 MSN Messenger 与联机的朋友进行交流 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Can SSL_accept() return SSL_ERROR_WANT_READ/WRITE for blocking sockets?
Title: Can SSL_accept() return SSL_ERROR_WANT_READ/WRITE for blocking sockets? SSL_accept() is returning = 0. And when I trace out the err msg using the following code int iRet = SSL_accept(m_pSSL); if (iRet = 0) {// handshake failed char buf[256]; ERR_error_string_n(ERR_get_error(), buf, sizeof(buf)); printf(buf); } I get the following error string: error::lib(0):func(0):reason(0) Either I'm not getting the error string properly? Or SSL_accept() failed with some valid error? Unfortunately, I don't know whether 0 or -1 was returned. Would I be correct in assuming that if 0 was returned, that ERR_get_error() would return 0, and that I should be calling SSL_get_error() instead? In which case, I'm wondering what the possible conditions are for this to happen. Could it be that SSL_accept() is failing with an SSL_ERROR_WANT_READ/WRITE error? The socket is non-blocking. The client did not close its end during the handshake, and it should be capable of supporting all the ciphers and protocol versions that the server does. Thanks, Ed
Re: question about data transfer
When you say data stream, how much data are you talking about? If it's occasional data (e.g., updated every 5 minutes) it would probably be easiest to use a HTTPS client using a post form. That lets you use a standard web server on the other end. One less thing to worry about. Another possibility is secured email, SMTP + TLS. If you have a relatively smart sensor (e.g., an embedded Linux system) you could write a straightforward mail client that sends mail to the local mail server (on localhost). You can then let sendmail/postfix/exim/whatever forward the mail to your system with a secure connection. Again, one less thing to worry about. If it's close to continuous you should probably establish your own network connection instead of trying to piggyback on an existing service. In any case you need to think about how you will handle network connectivity problems... and you will have dropped connections, high latency, etc. Can you drop the data on the floor? If not you'll need to have an accurately timestamped data queue. That's not hard to do (hint: NTP), but it will drive the design. Bear sun yingming wrote: I am trying to use ssl to secure a persistent data stream which is read form some sensors outside, and transfer it to a fixed pc on the interent. The most common use of ssl is Https,but i am confused that can https realize this application? i mean , as i know ,the Https is always works in Browser/Server mode ,is it realizable to use Https to transfer a persitent data stream,or i should choose other protocol like ftp? anyone who can help me is thankful Sun Yingming __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]