Re: What does PEM mean?

2006-08-01 Thread Prabhu.S
PEM : Privacy Enhanced Mail
- Original Message - 
From: Gayathri Sundar [EMAIL PROTECTED]
To: openssl-users@openssl.org
Sent: Tuesday, August 01, 2006 9:28 AM
Subject: RE: What does PEM mean?


 Wow, I was thinking it's Privacy Enhanced Mode!! ?? No?
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mouse
 Sent: Tuesday, August 01, 2006 6:47 AM
 To: openssl-users@openssl.org
 Subject: RE: What does PEM mean?
 
 PEM = Privacy-Enhanced Mail. 
 
  -Original Message-
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Bo Xie
  Sent: Monday, July 31, 2006 20:08
  To: openssl-users@openssl.org
  Subject: What does PEM mean?
  
  I know openSSL supports .pem format. But what does PEM mean?
  Personal Encrypto Management?
  
  Thanks!
  
  Best Regards,
  Xie, Bo
  __
  OpenSSL Project http://www.openssl.org
  User Support Mailing Listopenssl-users@openssl.org
  Automated List Manager   
  [EMAIL PROTECTED]

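To make the expansion concrete, here is an added example (my code, not from the list or from OpenSSL) of what a PEM file actually is: the RFC 1421 Privacy-Enhanced Mail encapsulation that OpenSSL borrowed, i.e. a BEGIN/END boundary around base64-encoded DER, with optional "Key: value" header lines (the Proc-Type/DEK-Info pair marks a legacy passphrase-encrypted private key). The reader below decodes every block in a file and then checks that the decoded bytes form exactly one complete DER SEQUENCE, which catches a truncated or padded file that base64 alone would happily accept. The sample PEM text is constructed for the example and its body is a tiny hand-made SEQUENCE, not a real certificate or key.

```python
"""Small PEM reader: added example, not OpenSSL code.

PEM (RFC 1421 "Privacy-Enhanced Mail") encapsulation as reused by OpenSSL:
  -----BEGIN <label>-----
  [Key: value header lines, then a blank line]
  base64 body (64 chars per line)
  -----END <label>-----
Decoding the body yields the DER that OpenSSL actually parses.
"""
import base64
import binascii
import re

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def parse_pem(text):
    """Return [(label, headers, der_bytes), ...] for every block in text.

    Text outside a BEGIN/END pair (e.g. 'Bag Attributes' from pkcs12) is
    ignored, as PEM_read_bio does.  A mismatched END label, a missing END or
    invalid base64 raises ValueError instead of silently yielding a short blob.
    """
    blocks, label, headers, body = [], None, {}, []
    for line in text.splitlines():
        line = line.strip()
        if label is None:
            m = _BEGIN.match(line)
            if m:
                label, headers, body = m.group(1), {}, []
            continue
        m = _END.match(line)
        if m:
            if m.group(1) != label:
                raise ValueError("END label %r does not match BEGIN %r" % (m.group(1), label))
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError("bad base64 in %s block: %s" % (label, exc))
            blocks.append((label, headers, der))
            label = None
            continue
        if ":" in line and not body:          # header line (base64 never contains ':')
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        elif line:
            body.append(line)
    if label is not None:
        raise ValueError("missing END for %s block" % label)
    return blocks


def to_pem(label, der, headers=None):
    """Write one PEM block with the conventional 64-column body wrapping."""
    lines = ["-----BEGIN %s-----" % label]
    if headers:
        lines += ["%s: %s" % kv for kv in headers.items()]
        lines.append("")
    b64 = base64.b64encode(der).decode("ascii")
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("-----END %s-----" % label)
    return "\n".join(lines) + "\n"


def is_encrypted(headers):
    """Legacy 'Proc-Type: 4,ENCRYPTED' + 'DEK-Info' form (PEM_read_*PrivateKey would ask for a passphrase)."""
    return headers.get("Proc-Type", "").endswith("ENCRYPTED")


def der_sequence_payload(der):
    """Check der is exactly one DER SEQUENCE (tag 0x30) and return its contents.

    Every PEM-carried OpenSSL object (certificate, key, CSR, CRL) is an outer
    SEQUENCE, so a declared length that does not match the data means the
    base64 body was truncated or has trailing junk.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal DER length")
    if offset + length != len(der):
        raise ValueError("DER length %d does not match %d bytes of data" % (length, len(der) - offset))
    return der[offset:offset + length]


# Constructed sample: the body is SEQUENCE { INTEGER 42, INTEGER 7 }, not a real object.
SAMPLE_PEM = """\
Bag Attributes: constructed text outside any block is ignored
-----BEGIN CERTIFICATE-----
MAYCASoCAQc=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MAYCASoCAQc=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, headers, der in parse_pem(SAMPLE_PEM):
        print(label, "encrypted" if is_encrypted(headers) else "plain", der.hex(),
              "payload:", der_sequence_payload(der).hex())
```

The DER check is the part worth keeping around: base64 is forgiving, so a key file cut off mid-way often still decodes, and the error then surfaces later as an opaque "asn1 encoding routines" failure rather than at the point where the file was read.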

RSAPublicKey causing compilation error

2006-08-01 Thread Bhat, Jayalakshmi Manjunath
Hi All,
 
I am trying to compile openssl.9.8a on HP-UX. I am getting errors

../../include/openssl/pem.h:610: parse error before `RSA'
../../include/openssl/pem.h:611: warning: return-type defaults to `int'
pem_all.c: In function `DECLARE_PEM_write_fp_const':
pem_all.c:133: storage class specified for parameter `pkey_get_rsa'
pem_all.c:145: parse error before `{'
pem_all.c:145: declaration for parameter `PEM_read_bio_X509_REQ' but no
such parameter
pem_all.c:133: declaration for parameter `pkey_get_rsa' but no such
parameter
../../include/openssl/pem.h:675: declaration for parameter
`ERR_load_PEM_strings' but no such parameter
../../include/openssl/pem.h:647: declaration for parameter
`d2i_PKCS8PrivateKey_bio' but no such parameter
../../include/openssl/pem.h:646: declaration for parameter
`i2d_PKCS8PrivateKey_nid_bio' but no such parameter
../../include/openssl/pem.h:642: declaration for parameter
`i2d_PKCS8PrivateKey_bio' but no such parameter
../../include/openssl/pem.h:639: declaration for parameter
`PEM_write_bio_PKCS8PrivateKey' but no such parameter
../../include/openssl/pem.h:636: declaration for parameter
`PEM_write_bio_PKCS8PrivateKey_nid' but no such parameter
../../include/openssl/pem.h:631: declaration for parameter
`PEM_write_bio_PUBKEY' but no such parameter
../../include/openssl/pem.h:631: declaration for parameter
`PEM_read_bio_PUBKEY' but no such parameter
../../include/openssl/pem.h:630: declaration for parameter
`PEM_write_bio_PrivateKey' but no such parameter
../../include/openssl/pem.h:630: declaration for parameter
`PEM_read_bio_PrivateKey' but no such parameter
../../include/openssl/pem.h:611: declaration for parameter
`PEM_write_bio_RSA_PUBKEY' but no such parameter
../../include/openssl/pem.h:611: declaration for parameter
`PEM_read_bio_RSA_PUBKEY' but no such parameter
pem_all.c:145: `bp' undeclared (first use in this function)
pem_all.c:145: (Each undeclared identifier is reported only once
pem_all.c:145: for each function it appears in.)
pem_all.c:145: `x' undeclared (first use in this function)
pem_all.c:145: `cb' undeclared (first use in this function)
pem_all.c:145: `u' undeclared (first use in this function)
pem_all.c:145: warning: return makes integer from pointer without a cast
pem_all.c: In function `PEM_read_bio_RSAPrivateKey':
pem_all.c:186: warning: implicit declaration of function
`PEM_read_bio_PrivateKey'
pem_all.c:186: warning: assignment makes pointer from integer without a
cast
pem_all.c: At top level:
pem_all.c:203: parse error before `RSA'

Can someone please help me debug this error?

Regards,
Jaya.


Re: RSAPublicKey causing compilation error

2006-08-01 Thread Girish Venkatachalam


--- Bhat, Jayalakshmi Manjunath
[EMAIL PROTECTED] wrote:

 Hi All,
 
 I am trying to compile openssl.9.8a on HP-UX. I am getting errors
 
 ../../include/openssl/pem.h:610: parse error before `RSA'
 [...]
 pem_all.c:203: parse error before `RSA'
 
 Can someone please help me debug this error?
Did you include openssl/rsa.h ?
 
 Regards,
 Jaya.


RE: RSAPublicKey causing compilation error

2006-08-01 Thread Bhat, Jayalakshmi Manjunath
Hi, can anyone please tell me: RSAPrivateKey has a structure, but is
RSAPublicKey also a structure?
I am getting the parser error at the line DECLARE_PEM_rw_const(RSAPublicKey,
RSA).

Regards,
Jaya. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bhat, Jayalakshmi
Manjunath
Sent: Tuesday, August 01, 2006 12:25 PM
To: openssl-users@openssl.org
Subject: RE: RSAPublicKey causing compilation error

Yes, I tried including openssl/rsa.h, but it did not help.

Regards,
Jaya.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Girish
Venkatachalam
Sent: Tuesday, August 01, 2006 12:24 PM
To: openssl-users@openssl.org
Subject: Re: RSAPublicKey causing compilation error



--- Bhat, Jayalakshmi Manjunath
[EMAIL PROTECTED] wrote:

 Hi All,
 
 I am trying to compile openssl.9.8a on HP-UX. I am getting errors
 [...]
 Can someone please help me debug this error?
Did you include openssl/rsa.h ?


ca format of index.txt. file

2006-08-01 Thread Fitzsimons, Nick



Hello All,

Does anyone know where there is a definition of the format of the contents of
the index.txt file used with the ocsp and ca commands? (This file contains
info on the revocation status of certificates).

Thanks,

Nick


Re: Query on RSAPublicKeyy

2006-08-01 Thread Marek Marcola
Hello,
 I am trying to compile openssl.9.8a on HP-UX. I am getting compilation 
 Error as shown
Are you trying to compile OpenSSL or your program?
On what HP-UX version?
What command do you execute?

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



RE: Query on RSAPublicKeyy

2006-08-01 Thread Bhat, Jayalakshmi Manjunath
Hi, Thanks for the reply.

I have ported openssl.9.8.a to HP-UX.
Now I am trying to build the openssl source files which I have ported.
I am using /hppa-hpux11/bin/make to build the source.

I am trying to build the library for an ARM processor.

Regards,
Jaya.


Re: ca format of index.txt. file

2006-08-01 Thread Bernhard Froehlich

Fitzsimons, Nick wrote:

 Hello All,
 Does anyone know where there is a definition of the format of the contents
 of the index.txt file used with the ocsp and ca commands? (This file
 contains info on the revocation status of certificates).
 
 Thanks,
 
 Nick
First of all the format of index.txt is undocumented. Probably because 
it might change sometime. Or it was a fast hack to get the demo 
application running. Or something like that.


Having said this, it currently (openssl 0.9.8b) is a text database where 
a tab separates the columns and newline separates the rows.

The columns are defined as 
#define DB_type     0 /* Status of the certificate */
#define DB_exp_date 1 /* Expiry date */
#define DB_rev_date 2 /* Revocation date */
#define DB_serial   3 /* Serial No., index - unique */
#define DB_file     4
#define DB_name     5 /* DN, index - unique when active and not disabled */


DB_type is defined as
#define DB_TYPE_REV 'R' /* Revoked */
#define DB_TYPE_EXP 'E' /* Expired */
#define DB_TYPE_VAL 'V' /* Valid */

'E' is currently not used by openssl ca, I guess because it is 
redundant to DB_exp_date. So expired certificates still have status 'V'.
DB_file currently is always 'unknown' and not used by openssl ca. I 
guess the original idea was to store the filename of the generated 
certificate file here.

The dates are in ASN1_UTCTIME format.

Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26



Re: How to verify signature data with RSA PKCS1

2006-08-01 Thread Dr. Stephen Henson
On Mon, Jul 31, 2006, k b wrote:

 Thanks Stephen,
 that worked.
 I'm just curious: what if one uses
 # openssl rsautl -sign -inkey ./private/cakey.pem -in plain.txt -out signature.bin
 to create a signature, how would you verify it in C? Essentially what I
 mean is, can you pass NULL as the 2nd argument to EVP_VerifyInit(md_ctx, NULL),
 indicating there is no hashing algo to be used? Is this right or is there
 some other way?
 
 

No, that won't work. You need to extract the RSA structure from the EVP_PKEY
using EVP_PKEY_get1_RSA(). Then call RSA_public_decrypt() and compare the
result to the contents of plain.txt.

There is a newer API where you can call EVP_PKEY_verify() directly from the
EVP_PKEY structure but that's supported in 0.9.9 only.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

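As an added example (my code, not Dr Henson's and not OpenSSL's), this is the RSA_public_decrypt() route written out in Python, so that the shape of what rsautl -sign produces is visible: the file contents are wrapped in a PKCS#1 v1.5 block type 01 and raised to the private exponent, with no hash and no DigestInfo, which is why the EVP_Verify* path (built for dgst -sign style signatures) cannot be told to skip hashing. The key pair is a deterministic toy made from two published Mersenne primes so the block runs without a key file; that key is an assumption of this example and is worthless for real use. The signed text is constructed.

```python
"""Raw PKCS#1 v1.5 signing/recovery, as 'openssl rsautl -sign' and
RSA_public_decrypt(..., RSA_PKCS1_PADDING) do it.  Added example, not
OpenSSL code.  The key below is a TOY (two well-known Mersenne primes),
chosen only so the example is self-contained; never use such a key."""
import hmac

P = (1 << 521) - 1                     # 2^521 - 1, a known prime (toy key only)
Q = (1 << 607) - 1                     # 2^607 - 1, a known prime (toy key only)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+ modular inverse)
K = (N.bit_length() + 7) // 8          # modulus length in bytes, i.e. RSA_size()


def pkcs1_type1_pad(msg, k):
    """EM = 00 || 01 || FF..FF || 00 || msg with at least 8 bytes of FF (PKCS#1 v1.5, block type 1)."""
    if len(msg) > k - 11:
        raise ValueError("message too long for PKCS#1 v1.5 signing: %d > %d" % (len(msg), k - 11))
    return b"\x00\x01" + b"\xff" * (k - len(msg) - 3) + b"\x00" + msg


def pkcs1_type1_unpad(em):
    """Inverse of pkcs1_type1_pad; rejects anything that is not exactly that shape."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        raise ValueError("bad PKCS#1 block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:                       # no separator, or fewer than 8 padding bytes
        raise ValueError("bad PKCS#1 padding")
    if any(b != 0xFF for b in em[2:sep]):
        raise ValueError("bad PKCS#1 padding byte")
    return em[sep + 1:]


def rsautl_sign(msg):
    """What 'openssl rsautl -sign -in plain.txt' does: RSA_private_encrypt with PKCS#1 padding, no hash."""
    m = int.from_bytes(pkcs1_type1_pad(msg, K), "big")
    return pow(m, D, N).to_bytes(K, "big")


def rsa_public_decrypt(sig):
    """RSA_public_decrypt(siglen, sig, out, rsa, RSA_PKCS1_PADDING): recover and unpad the signed bytes."""
    if len(sig) != K:
        raise ValueError("signature length %d != RSA_size %d" % (len(sig), K))
    s = int.from_bytes(sig, "big")
    if s >= N:
        raise ValueError("signature representative out of range")
    em = pow(s, E, N).to_bytes(K, "big")
    return pkcs1_type1_unpad(em)


def verify_rsautl_signature(sig, plain):
    """The check the thread asks for: recover the signed bytes and compare them with plain.txt.

    True only if the padding is well formed and the payload equals plain, compared
    in constant time.  Malformed input is a failed verification, not an exception,
    so the two failure kinds are indistinguishable to a caller or an attacker.
    """
    try:
        payload = rsa_public_decrypt(sig)
    except ValueError:
        return False
    return hmac.compare_digest(payload, plain)


if __name__ == "__main__":
    plain = b"contents of plain.txt\n"                     # constructed sample input
    sig = rsautl_sign(plain)
    print("signature is %d bytes; verifies: %s" % (len(sig), verify_rsautl_signature(sig, plain)))
    bad = bytearray(sig)
    bad[-1] ^= 0x01
    print("bit-flipped signature verifies: %s" % verify_rsautl_signature(bytes(bad), plain))
```

In C the same steps are RSA_public_decrypt() with RSA_PKCS1_PADDING, then checking that the returned length equals the size of plain.txt and comparing the bytes; treat a negative return (bad padding) and a content mismatch identically, as verify_rsautl_signature does, rather than reporting which one happened.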

RE: ca format of index.txt. File - IT WORKS!

2006-08-01 Thread Fitzsimons, Nick
Hi,
Well I finally worked out what I wanted to do, so I thought I'd share it
with anyone out there who might be trying the same thing themselves.

The tie-in between the certificate whose status I am seeking an OCSP
response for and the index file supplied as a parameter to the ocsp command
is the serial number of the certificate - as simple as that. The fourth
column in the index file contains the serial number of certificates issued
by a particular CA. The first column (V(erified), E(xpired) and R(evoked))
represents the status of that certificate.

So I can now generate OCSP responses, with a status I choose, for any
certificate which I choose.

I notice however that if I set the status column to be R(evoked) I get a
status of unknown rather than revoked.

Does anyone have any observations on this?

Thanks to Ted for his input on this query.

Nick


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fitzsimons, Nick
Sent: Tuesday, August 01, 2006 11:22 AM
To: openssl-users@openssl.org
Subject: RE: ca format of index.txt. file

Hi Ted,
Thanks for your reply. I see you are busy replying to several different
requests for help. :-)

I am glad to hear that the reason I can't find the documentation is that
there isn't any.

Your reply helps significantly. I hope you can bear with me for a follow-up
question.

I use the following to generate an OCSP request for a cert:

ocsp -issuer cacert.pem -cert cert.pem -reqout req.der

I am then seeking to use the following to generate an OCSP response to the
request I have just generated:

ocsp -index <index file> -rsigner respondercert.pem -rkey responderkey.pem
 -CA CACert.pem -reqin req.der -respout resp.der -Cafile certchain.pem

My understanding is that the contents of <index file> are used to check the
status of the cert which is detailed in req.der. However, no matter how I
try to configure <index file> I always get a status of "Cert Status: unknown".

Given that the certificate whose status I am trying to ascertain has a
Subject of:
   Subject: CN=Rick, O=Rick RI, L=Hamburg, C=DE

what would I put in the index file to enable the ocsp command to find this
certificate and return a status which I could set up in this index file?

As a first pass I have tried the following

V  090705233205Z   041009233205Z   01  certs/0001  /CN=Rick
V  090705233205Z   041009233205Z   02  unknown /CN=Rick/O=Rick RI/L=Hamburg/C=DE

in the hope that ocsp would see the V for the cert identified and return a
status of valid.

Thanks in advance if you can find the time to help.

Nick

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernhard Froehlich
Sent: Tuesday, August 01, 2006 11:01 AM
To: openssl-users@openssl.org
Subject: Re: ca format of index.txt. file

Fitzsimons, Nick wrote:
 [...]
First of all the format of index.txt is undocumented. [...]

Re: how can I create install client X.509 cert to be used as client decryption?

2006-08-01 Thread l Burnerheimerton
Many thanks - it does help and I will try it soon.

Many thanks!

--- Bernhard Froehlich [EMAIL PROTECTED] wrote:

 l Burnerheimerton wrote:
  [...]
  Ted - many thanks for your help. Just so I understand correctly, I
  generate a private key certificate using openssl to export it to a file
  that would then be imported into a browser.
 
  I can then use that server key to encrypt data that only those users for
  whom I have generated, and they have installed, a private certificate can
  decrypt.
 
  Is that right?

 Hmm, I'm not sure if we are really talking about the same thing...
 A client certificate used in a browser application is for authentication,
 so the server knows whom it is talking to. If the server uses HTTPS and
 only accepts connections from users who can authenticate with a certain
 kind of certificate (like those which were generated by your own CA) the
 result is that someone who does not have a cert cannot talk with the
 server.
 Independent from a client certificate, HTTPS assures that only the current
 user can decrypt the data sent by the server to him/her.
 If I understood you right this satisfies your needs, although your
 description is (technically) not exactly correct.
 
 Back to the procedure you need.
 
 First of all you'll have to set up a CA. One of many descriptions for this
 can be found in http://sial.org/howto/openssl/ca/ (top hit of a google
 search after "setup openssl ca"). Just check that your openssl contains
 "nsCertType = client, email" and "keyUsage = nonRepudiation,
 digitalSignature, keyEncipherment" for the certificates you are generating.
 
 Certificate generation is also described there; if you don't find better
 information on how to create keys and CSRs,
 http://www.openssl.org/docs/apps/req.html may help you.
 
 So let's assume you have set up the CA, your private key is in the file
 privkey.pem and mycert.pem contains your certificate.
 Then the following command should generate a PKCS#12 file mydata.p12
 which can be imported by Mozilla and IE (I've tested with Firefox):
 
 openssl pkcs12 -export -out mydata.p12 -inkey privkey.pem -in mycert.pem
 
 To use the keys you'll probably also have to import your CA's cert into
 the browser and trust it to identify web sites and mail users. Note that
 this can be quite dangerous (from a security viewpoint) in a production
 environment if your CA's private key is not properly secured...
 
 Hope it helps.
 Ted
 ;)
 
 -- 
 PGP Public Key Information
 Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
 Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
 


Re: ca format of index.txt. File - IT WORKS!

2006-08-01 Thread Bernhard Froehlich

Fitzsimons, Nick wrote:

[...]
 I notice however that if I set the Status column to be R(evoked) I get
a staus of unknown rather than 
 revoked.


 Does anyone have any observations on this ?
  

The relevant code goes like this (apps/ocsp.c lines 1063 and following):

    inf = lookup_serial(db, serial);
    if (!inf)
        OCSP_basic_add1_status(bs, cid,
                               V_OCSP_CERTSTATUS_UNKNOWN,
                               0, NULL,
                               thisupd, nextupd);
    else if (inf[DB_type][0] == DB_TYPE_VAL)
        OCSP_basic_add1_status(bs, cid,
                               V_OCSP_CERTSTATUS_GOOD,
                               0, NULL,
                               thisupd, nextupd);
    else if (inf[DB_type][0] == DB_TYPE_REV)
    {
        ASN1_OBJECT *inst = NULL;
        ASN1_TIME *revtm = NULL;
        ASN1_GENERALIZEDTIME *invtm = NULL;
        OCSP_SINGLERESP *single;
        int reason = -1;
        unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);

        single = OCSP_basic_add1_status(bs, cid,
                                        V_OCSP_CERTSTATUS_REVOKED,
                                        reason, revtm,
                                        thisupd, nextupd);
        if (invtm)
            OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
        else if (inst)
            OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);

        ASN1_OBJECT_free(inst);
        ASN1_TIME_free(revtm);
        ASN1_GENERALIZEDTIME_free(invtm);
    }

while the status defines are
#define V_OCSP_CERTSTATUS_GOOD    0
#define V_OCSP_CERTSTATUS_REVOKED 1
#define V_OCSP_CERTSTATUS_UNKNOWN 2

So to me this looks like the result is UNKNOWN if the serial is not 
found, GOOD if status is 'V' and REVOKED if status is 'R'.

But I haven't had much experience with OCSP yet...
Which version of openssl are you working with (i'm looking into the 
source of 0.9.8b)?


BTW, if there is an unexpected status (like 'E') there seems to be no 
response. Is this really the way it should work?


Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26

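A reader for the index.txt layout Ted described earlier in the thread, combined with the apps/ocsp.c decision quoted just above, as an added example (my code, not OpenSSL's) that covers both passages. Two assumptions beyond what the thread states: serials are matched in the canonical form BN_bn2hex produces (upper-case hex, even digit count), and a DB_rev_date field of the form "date,reason" is my reading of how openssl ca records a revocation reason. The sample database at the bottom is constructed and includes the 'R' row without a date that the thread ran into.

```python
"""index.txt reader plus the ocsp.c status decision.  Added example, not OpenSSL code.

Rows are tab-separated with the six DB_* columns.  DB_rev_date is empty for a
live certificate, or "YYMMDDHHMMSSZ" optionally followed by ",<reason>"
(assumption: that is how openssl ca -revoke -crl_reason records it).
"""
from datetime import datetime, timezone

DB_type, DB_exp_date, DB_rev_date, DB_serial, DB_file, DB_name = range(6)
DB_TYPE_REV, DB_TYPE_EXP, DB_TYPE_VAL = "R", "E", "V"
V_OCSP_CERTSTATUS_GOOD, V_OCSP_CERTSTATUS_REVOKED, V_OCSP_CERTSTATUS_UNKNOWN = 0, 1, 2


def parse_utctime(s):
    """ASN1_UTCTIME 'YYMMDDHHMMSSZ' -> aware UTC datetime (two-digit year: 50-99 => 19xx)."""
    if len(s) != 13 or s[-1] != "Z" or not s[:12].isdigit():
        raise ValueError("bad UTCTime %r" % s)
    yy = int(s[:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)


def serial_key(serial):
    """Canonical DB_serial text: upper-case hex with an even digit count (assumed BN_bn2hex form)."""
    h = "%X" % serial
    return h if len(h) % 2 == 0 else "0" + h


def parse_index(text):
    """Split index.txt into rows; each row must have exactly six tab-separated fields."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 6:
            raise ValueError("line %d: expected 6 columns, found %d" % (lineno, len(cols)))
        if cols[DB_type] not in (DB_TYPE_REV, DB_TYPE_EXP, DB_TYPE_VAL):
            raise ValueError("line %d: unknown status %r" % (lineno, cols[DB_type]))
        rows.append(cols)
    return rows


def lookup_serial(rows, serial):
    """TXT_DB lookup on the DB_serial index: exact match on the canonical text form."""
    key = serial_key(serial)
    for row in rows:
        if row[DB_serial].upper() == key:
            return row
    return None


def unpack_revinfo(field):
    """'date[,reason]' -> (datetime, reason or None).  An empty date is an error,
    which is what an 'R' row with no revocation date runs into."""
    date, _, reason = field.partition(",")
    return parse_utctime(date), (reason or None)


def cert_status(rows, serial):
    """Mirror of the quoted ocsp.c logic.

    Returns (status, details), or None when the row carries a status the app
    does not handle (e.g. 'E'), in which case no SingleResponse is added at all.
    """
    inf = lookup_serial(rows, serial)
    if inf is None:
        return V_OCSP_CERTSTATUS_UNKNOWN, None
    if inf[DB_type] == DB_TYPE_VAL:
        return V_OCSP_CERTSTATUS_GOOD, None
    if inf[DB_type] == DB_TYPE_REV:
        revtm, reason = unpack_revinfo(inf[DB_rev_date])
        return V_OCSP_CERTSTATUS_REVOKED, {"revoked": revtm, "reason": reason}
    return None


# Constructed sample database (tabs between columns, as openssl ca writes it).
SAMPLE_INDEX = (
    "V\t090705233205Z\t\t01\tunknown\t/CN=Rick/O=Rick RI/L=Hamburg/C=DE\n"
    "R\t090705233205Z\t060801101500Z,keyCompromise\t02\tunknown\t/CN=Bob\n"
    "R\t090705233205Z\t\t03\tunknown\t/CN=Carol\n"      # 'R' without a date
    "E\t060101000000Z\t\t04\tunknown\t/CN=Dave\n"
)

if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    for serial in (1, 2, 4, 9):
        print(serial_key(serial), cert_status(db, serial))
    try:
        cert_status(db, 3)
    except ValueError as exc:
        print("serial 03:", exc)
```

Running it gives GOOD for 01, REVOKED with the reason and date for 02, None for the 'E' row (no SingleResponse, as observed above) and UNKNOWN for a serial that is not in the file; the dateless 'R' row is rejected when its revocation info is unpacked, which is the row shape the thread had trouble with.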

RE: ca format of index.txt. File - IT WORKS!

2006-08-01 Thread Fitzsimons, Nick
Hi Ted,
I can now get the Revoked status to work properly - I simply
wasn't entering 
 a date in the column for Revoked Date : I was only putting an R in the
first column.

 I can't get E(xpired) to work but I can live without that for now. I
always get an error of
 some sort when the first column is an E.  This does seem like a bug.
Your analysis of
 Unknown, Good and Revoked matches my experience with testing it.

 I am using the utility to generate OCSP responses which I can then
import into my test 
 harness to test a DRM agent I am working on. Using OpenSSL / ocsp
(eventually!) looks like 
 it gives more flexibility for negative testing than trying to persuade
a real server to 
 reply with the responses which my test cases require.

 I am using version 0.9.8b, as you are.

 Thanks for your input here.

 Nick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernhard Froehlich
Sent: Tuesday, August 01, 2006 3:13 PM
To: openssl-users@openssl.org
Subject: Re: ca format of index.txt. File - IT WORKS!

Fitzsimons, Nick wrote:
 [...]
The relevant code goes like this (apps/ocsp.c lines 1063 and following):
[...]


Minimal compile

2006-08-01 Thread Alfred Thomas
Hi all

Can anyone explain to me how to do a minimal build of OpenSSL. We are
using WinCE and want to take out any unnecessary stuff like BlowFish etc. I
see in the code that it looks for #ifdef OPENSSL_NO_??? but where do I
define that?

Regards
Alfred



Re: SSL_load_error_strings()

2006-08-01 Thread Marek Marcola
Hello,
 Should I call SSL_load_error_strings() at the beginning of each thread?
 Or, can I call it once in the parent thread before any child threads are 
 launched, so the strings are shared globally across all threads?
Once in parent thread.

Best regards,
-- 
Marek Marcola [EMAIL PROTECTED]



TLS 1.0 + Firefox 1.5 not working

2006-08-01 Thread Leandro Gustavo Biss Becker
Hi folks

I'm using openssl 0.9.8b to build a very small web server using TLS 1.0.

The IE 6 and IE 7 Beta 3 connects and get pages from web server normally,
but using
Firefox 1.5.0.5 the TLS handshake fails with:

error:1408F10B: SSL routines: SSL3_GET_RECORD:wrong version number

Any tip ?

Firefox is set to use TLS 1.0

Best Regards
 
Leandro Gustavo Biss Becker  
Engenheiro Eletrônico / Electronic Engineer




How do I register my own ca.crt in the default CA repository of openssl ?

2006-08-01 Thread Thomas Carrié
Hello,

I have created my personal root CA using 
http://www.nyetwork.org/wiki/ssl_root_ca_new

So I have got my myCa.crt file; kmail and firefox are happy with this 
certificate format when I load it from their security preferences menu.

But I would also like to register my CA in /etc/ssl/certs so that programs 
like wget can recognize certificates signed by my CA.

I tried to play around with /etc/ssl/certs because I think this is the 
directory where openssl-based programs look for the CA certificates, 
but just adding myCa.crt to the directory is not enough: I still have 
wget complaining about being "unable to get local issuer certificate".

Do you know how to do this ?

Regards

-- 

Thomas Carrié

http://www.gnu.org/philosophy/use-free-software.fr.html
http://www.ubuntu.com/
http://www.lebars.org/sec/tcpa-faq.fr.html