Re: Simple way to use PKI for larger data sets
snacktime wrote:

> [...] I could generate a random key for each request, encrypt it, and stick it in the database with the request, but I was hoping for a simpler solution. Are there any asymmetric ciphers in openssl that don't have the same limitation on the amount of data that can be encrypted? The data still isn't that large, probably 20 times the key size at most, so I don't think performance would be an issue, or would it?

The other way would be to encrypt your data in packets which are equal to the key size (like it is done with most symmetric protocols), but you indeed may run into performance problems. Usually the hybrid way of combining symmetric and asymmetric ciphers is used because of performance reasons.

And just to straighten out terminology: what you are talking about has nothing to do with PKI (Public Key Infrastructure)... ;)

Hope it helps.

Ted ;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
RE: How to retrieve the delta CRL location and revocation reason?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Sunday, August 27, 2006 4:03 AM
To: openssl-users@openssl.org
Subject: Re: How to retrieve the delta CRL location and revocation reason?

> On Fri, Aug 25, 2006, [EMAIL PROTECTED] wrote:
>
> > Hi Team,
> >
> > I am working on the CRL validation. I am seeing some issues in extracting the
> > - delta crl distribution point and
> > - reason for revocation.
> > Could you please let me know your thoughts on how to access these two above mentioned pieces of information?
>
> Delta CRLDP is a bit messy because it isn't yet supported by OpenSSL directly. However you can add the OID manually using OBJ_create() and alias the extension to CRLDP and retrieve it that way.

ANSWER#1: Could you please elaborate this please? Appreciate your help if you could provide any code snippet to extract the delta crl's distribution point.

> The CRL reason code is easier. You can retrieve it from the relevant X509_REVOKED structure using X509_REVOKED_get_ext_d2i().

ANSWER#2: Thank you. I got the status as per your suggestion. I followed the below mentioned logic:

    /* crl: an X509_CRL * already loaded and signature-checked; walk its entries */
    STACK_OF(X509_REVOKED) *revoked = X509_CRL_get_REVOKED(crl);
    for (int i = 0; i < sk_X509_REVOKED_num(revoked); i++) {
        X509_REVOKED *rtmp = sk_X509_REVOKED_value(revoked, i);
        int reason = -1;   /* -1: no reasonCode entry extension present */
        ASN1_ENUMERATED *asn = X509_REVOKED_get_ext_d2i(rtmp, NID_crl_reason, NULL, NULL);
        if (asn != NULL) {
            reason = ASN1_ENUMERATED_get(asn);   /* a CRL_REASON_* value */
            ASN1_ENUMERATED_free(asn);           /* the d2i result is a copy owned by the caller */
        }
    }

Thank you,
-Surendra

> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
RE: How to retrieve the delta CRL location and revocation reason?
How to retrieve the delta crl's CDP? Could you please elaborate the same?

Thank you,
-Surendra
Re: What are the letter codes for SSL_state_string()
Hello,

> Hello,
>
> knows anyone the letter codes of the function SSL_state_string()? In the doc I can only read:
>
> RETURN VALUES
> Detailed description of possible states to be included later.
>
> :(

These strings are built from the first letters of the SSL state and SSL version information. For example:

    SSL2_ST_SEND_REQUEST_CERTIFICATE_A   2SRC_A
    SSL3_ST_CW_CERT_D                    3WCC_D
    SSL3_ST_CW_KEY_EXCH_A                3WCKEA

Look in ssl/ssl_stat.c for more information.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
unable to get local issuer certificate
While attempting to establish an SSL connection I got this OpenSSL error:

    Certificate Verification: Error (20): unable to get local issuer certificate

Yes, I have read the OpenSSL documentation and used Google to search for a possible solution, but nothing matches my problem. I do have the server issuer cert installed in my browser. What should I do? :(
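As an added example, not from any message in this thread: a throwaway CA built with the openssl command line that shows where error 20 comes from (the issuer is not in the store OpenSSL was given, whatever a browser has installed) and, for the "delta CRL location and revocation reason" thread above, where the reason code of a revoked entry lives. Every file name, subject and serial below is made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway CA built with the openssl CLI,
# used to show why 'verify' reports error 20 when the issuer is not in the trust
# store OpenSSL was given, and where the CRL reason code of a revoked entry lives.
# Every path and name below is made up for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal configuration for 'openssl ca'.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
mkdir newcerts && touch index.txt && echo 1000 > serial

# Self-signed root and one leaf certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 60 -subj /CN=Demo-Root-CA \
    -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj /CN=leaf.example.invalid \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl ca -config ca.cnf -batch -in leaf.csr -out leaf.pem >/dev/null 2>&1

# Error 20: OpenSSL only trusts what it is handed (-CAfile/-CApath here, the
# SSL_CTX store in a program). Certificates installed in a browser are invisible
# to it, so the demo root is unknown until ca.pem is passed explicitly.
verify_without_ca() { openssl verify leaf.pem >/dev/null 2>&1; }
verify_with_ca()    { openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1; }

# Revoke the leaf with an explicit reason and publish a CRL.
revoke_and_publish() {
    openssl ca -config ca.cnf -batch -revoke leaf.pem -crl_reason keyCompromise \
        >/dev/null 2>&1
    openssl ca -config ca.cnf -batch -gencrl -out crl.pem >/dev/null 2>&1
}

# The reason code is a CRL *entry* extension (id-ce-reasonCode), the one that
# X509_REVOKED_get_ext_d2i(rev, NID_crl_reason, NULL, NULL) returns in C.
crl_reason() {
    openssl crl -in crl.pem -noout -text |
        awk '/CRL Reason Code/ { getline; sub(/^ +/, ""); print; exit }'
}

# With -crl_check the revoked leaf fails even though its chain is trusted.
verify_with_crl() {
    openssl verify -CAfile ca.pem -CRLfile crl.pem -crl_check leaf.pem >/dev/null 2>&1
}
```

Run the functions in order: the first verify fails with error 20, the second succeeds, and after revoke_and_publish the reason reads "Key Compromise" and verify_with_crl fails with "certificate revoked".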
Re: Unable to locate the keystore/certificate store or private key
Nils,

Yes, 0.9.6b is the exact version. Please help!

Nils Larsch [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/26/2006 06:23 AM
Please respond to openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: Unable to locate the keystore/certificate store or private key

> [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I'm using openssl, (I think the slimmed down engine version), and
>
> openssl 0.9.6 ? since there's no separate engine version for openssl >= 0.9.7
>
> > attempting to support a program written by someone else. The server that I'm talking to recently moved to a new ISP and the program stopped working. It should be as simple as getting the server's new certificate and it should work. The problem is that I can't find ANY place where this program is using a keystore, (*.pem), so I can't add the new cert. All of the typical directories, (e.g. /certs), are empty, (and I mean all of them). In both production and the test environment, there are no certificate files off of any of the usual directories and the program itself doesn't open or use any keystore files in any of the SSL library calls. Normally, you'd just find the keystore and add the new certificate and all would be well. My question is this; since I don't see any place that this program is using a private key or a certificate store, how is it working? Where does it get a list of CA's etc.? Does openSSL provide an internal keystore in the libraries? It has to be getting this information from somewhere to complete the handshake process. Thanks in advance.
>
> perhaps the keys/certs are hardcoded ... If you have the source code available the parameters of functions like SSL_CTX_set_cert_store() might tell you which certs are used.
>
> Cheers,
> Nils
>
> PS: Please don't send mails to openssl-dev _and_ openssl-users. One list should be sufficient (in this case openssl-users).
Re: related license question
Ted Mittelstaedt wrote:
> ----- Original Message -----
> From: David Schwartz [EMAIL PROTECTED]
> To: openssl-users@openssl.org
> Sent: Tuesday, August 22, 2006 2:04 PM
> Subject: RE: related license question
>
> > Certainly. Nothing in the OpenSSL licenses requires you to allow redistribution of any derivative works you create.
>
> Wrong. See the following:
>
> ...The licence and distribution terms for any publically available version
                                                ^^^^^^^^^^^^^^^^^^^^

The question is, what this word means.

> or derivative of this code cannot be changed...
>
> http://www.openssl.org/source/license.html
>
> Yes, the OpenSSL does not explicitly require you to allow redistribution of any derivative works you create. However, it explicitly requires you to not change the distribution terms of the derivative work that you create, and since the redistribution terms are open, that forces you to also use open redistribution terms.

If someone adds *own* code to OpenSSL and forbids redistribution of *his* code, the resulting package is imho no longer publically available and therefore the sentence cited above would no longer apply. Am I wrong? If I am wrong, the OpenSSL license would be infectious like the GPL, and my impression is that the sentence cited above has been added to the license for preventing such infectiousness, but I may be wrong.

Ciao,
Richard
--
Dr. Richard W. Könning
Fujitsu Siemens Computers GmbH
Re: Unable to locate the keystore/certificate store or private key
[EMAIL PROTECTED] wrote:
> Nils,
>
> Yes, 0.9.6b is the exact version. Please help!

hmm, did you read the rest of my mail ? Do you have the source code ?

Cheers,
Nils
Re: Unable to locate the keystore/certificate store or private key
Nils,

Yes. I read the entire e-mail. I can't find ANYWHERE where it's being fed to the application, (including the source code). As far as I can see, it's definitely not being used in an ssl_ library call nor is he building his own in memory or using some other filename etc. I don't see how the program was ever getting a root cert to make it through the handshake process. I've searched for *.pem, *{hash}.0 files from root, (/), all to no avail. How it was ever working is beyond me. I know it has to be getting this from somewhere.

Nils Larsch [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/28/2006 02:08 PM
Please respond to openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: Re: Unable to locate the keystore/certificate store or private key

> hmm, did you read the rest of my mail ? Do you have the source code ?
>
> Cheers,
> Nils
RE: Unable to locate the keystore/certificate store or private key
I don't see the execution platform given here. Perhaps you might consider doing an 'strace' (if linux)? Anything that is opened and "secretly" imported into the program should be discernible from this.

Just a thought...

rnd

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 28, 2006 2:55 PM
To: openssl-users@openssl.org
Cc: openssl-users@openssl.org; [EMAIL PROTECTED]
Subject: Re: Unable to locate the keystore/certificate store or private key

> Nils,
>
> Yes. I read the entire e-mail. I can't find ANYWHERE where it's being fed to the application, (including the source code). As far as I can see, it's definitely not being used in an ssl_ library call nor is he building his own in memory or using some other filename etc. I don't see how the program was ever getting a root cert to make it through the handshake process. I've searched for *.pem, *{hash}.0 files from root, (/), all to no avail. How it was ever working is beyond me. I know it has to be getting this from somewhere.
RE: Unable to locate the keystore/certificate store or private key
The platform is AIX. I don't think they've ever explicitly used a *.pem file. Somehow the app was able to communicate with an IIS server and complete the handshake process or at least communicate and get txn's across, (I'm not sure how).

Diffenderfer, Randy [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/28/2006 03:23 PM
Please respond to openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: RE: Unable to locate the keystore/certificate store or private key

> I don't see the execution platform given here. Perhaps you might consider doing an 'strace' (if linux)? Anything that is opened and secretly imported into the program should be discernible from this.
>
> Just a thought...
>
> rnd
RE: Unable to locate the keystore/certificate store or private key
The server side SSL is no longer terminated on the IIS server. It is being handled by Cisco 11500 series content switches and the application will no longer work.

Diffenderfer, Randy [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/28/2006 03:23 PM
Please respond to openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: RE: Unable to locate the keystore/certificate store or private key

> I don't see the execution platform given here. Perhaps you might consider doing an 'strace' (if linux)? Anything that is opened and secretly imported into the program should be discernible from this.
>
> Just a thought...
>
> rnd
RE: Simple way to use PKI for larger data sets
Hi,

Can you use GPGME instead of OpenSSL? Perhaps it provides a High-Level Crypto API including hybrid encryption.

Yoshiki FUKUBA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of snacktime
Sent: Sunday, August 27, 2006 3:23 AM
To: openssl-users
Subject: Simple way to use PKI for larger data sets

> I have an application that processes credit cards. It uses a database to store the data. On a less secure (accepts outside connections to process requests) server I run a copy that only has the public key, which it uses to encrypt the cards after authorization. On another server that doesn't accept any incoming requests, I run a copy with the private key that captures the authorizations, decrypting the cards and sending the batch to the bank.
>
> Using rsa this works great for the cards themselves, but I also want to encrypt and store the raw transmission data we send for future auditing/debugging. Since rsa was only designed to encrypt the key and not the payload this presents a problem (data larger than key size). I'd rather not make the software any more complicated than it has to be. I could generate a random key for each request, encrypt it, and stick it in the database with the request, but I was hoping for a simpler solution. Are there any asymmetric ciphers in openssl that don't have the same limitation on the amount of data that can be encrypted? The data still isn't that large, probably 20 times the key size at most, so I don't think performance would be an issue, or would it?
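The per-request random key snacktime describes and the hybrid scheme Ted recommends in his reply above, worked through with the openssl command line as an added example (not code from anyone in the thread). The key pair, file names and the sample record are made up; the same envelope is shown once by hand and once through CMS, which does the key wrapping itself.

```shell
#!/bin/sh
# Added example, not from the thread: the hybrid ("envelope") scheme with the
# openssl CLI. A fresh random AES key per record encrypts the payload and only
# that small key is RSA-encrypted. Names and the sample record are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Key pair of the private-key host, as a self-signed cert so CMS can use it too.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=batch-host \
    -keyout private.pem -out cert.pem 2>/dev/null
openssl x509 -in cert.pem -pubkey -noout > public.pem   # all the exposed host needs

# Constructed stand-in for the raw transmission data to be archived.
printf 'AUTH id=42 amount=19.99 pan=[redacted] ts=2006-08-27T03:23:00Z\n' > record.txt
openssl rand -hex 2560 > big.txt   # ~20x the 256-byte RSA block, as in the question

# RSA alone cannot take a payload larger than the modulus (minus padding); this
# is the limit the thread is about and why only the session key goes through RSA.
direct_rsa_rejects_large_input() {
    if openssl pkeyutl -encrypt -pubin -inkey public.pem -pkeyopt rsa_padding_mode:oaep \
            -in big.txt -out /dev/null 2>/dev/null; then
        return 1
    fi
}

# Public-key side. Writes $1.enc (AES-256-CBC), $1.iv (not secret) and
# $1.key.enc (the hex AES key under RSA-OAEP). The plaintext key never hits disk.
envelope_encrypt() {
    key=$(openssl rand -hex 32)
    openssl rand -hex 16 > "$1.iv"
    openssl enc -aes-256-cbc -K "$key" -iv "$(cat "$1.iv")" -in "$1" -out "$1.enc"
    printf '%s' "$key" | openssl pkeyutl -encrypt -pubin -inkey public.pem \
        -pkeyopt rsa_padding_mode:oaep -out "$1.key.enc"
}

# Private-key side: unwrap the key, then the record (plaintext to stdout).
# 'enc' gives confidentiality only; sign the records (or use CMS signed +
# enveloped) if the audit trail must also be tamper-evident.
envelope_decrypt() {
    key=$(openssl pkeyutl -decrypt -inkey private.pem \
        -pkeyopt rsa_padding_mode:oaep -in "$1.key.enc")
    openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$1.iv")" -in "$1.enc"
}

# The same envelope in one call each way: CMS EnvelopedData generates the
# content key and wraps it for the recipient certificate for you.
cms_encrypt() { openssl cms -encrypt -aes256 -binary -in "$1" -out "$1.p7m" cert.pem; }
cms_decrypt() { openssl cms -decrypt -inkey private.pem -recip cert.pem -in "$1.p7m"; }

envelope_encrypt record.txt
cms_encrypt record.txt
```

The wrapped key file is exactly one RSA block (256 bytes for a 2048-bit key) regardless of how large the record is, which is the whole point of the construction.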
RE: related license question
> > Certainly. Nothing in the OpenSSL licenses requires you to allow redistribution of any derivative works you create.
>
> Wrong. See the following:
>
> ...The licence and distribution terms for any publically available version or derivative of this code cannot be changed...
>
> http://www.openssl.org/source/license.html

I always assumed that "publically available version" meant an open source distribution and didn't apply to proprietary code where the source isn't made available at all. But now that you point it out, it's not clear at all exactly what that means. In any event, it doesn't compel you to make the source available, but it could mean that you can't prevent redistribution of the binaries.

DS