What means first byte '04' in EC public key?
Hello everybody,

I created an EC keypair via Java with the secp160r2 template. When I looked at the text form of the public key, I saw this:

04666d59b1fb53c1c998c12c71731d3a36a37cd995cadeee96c156c8d7c7852b39b5fefd1fa3ce18c7

I know that the last 40 bytes present the x and y numbers of the EC point, but I don't know what the first byte 04 means. Is it some compression or what? Does some rule exist for generating this byte, or is it a constant value?

In Java I created the public key, which means I know the EC point (x and y), and now I need to construct this array of 41 bytes.

Can somebody help me? Thanks

View this message in context: http://www.nabble.com/What-meams-first-byte-%2704%27-in-EC-public-key--tf4532762.html#a12935481

OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Re: Openssl backward compatibility
Dr. Stephen Henson wrote:
> On Fri, Sep 28, 2007, jimmy bahuleyan wrote:
>> Kaushalye Kapuruge wrote:
>>> Hi Listers,
>>> I'm having a problem shipping my (xml security) library, which is based on openssl crypto implementation. I have statically linked it with the ssl and crypto libraries (-lssl -lcrypto).
>> Are you sure you have statically linked in the Openssl libraries? If it was, then I don't think you'd get link errors for these symbols. I also believe all versions of 0.9.x to be binary compatible for the same 'x'.
> Well backward binary compatible. So 0.9.8e may introduce features or include functions not in say 0.9.8d.
> Some macros were converted into functions in 0.9.8e so this will cause issues when attempting to use 0.9.8e compiled binaries against an earlier version of the library because those functions will not exist.
> So to answer the OP's question. Ideally users of older versions should upgrade in order to get bug and security fixes. If that isn't practical then compile and link your applications against the lowest version of OpenSSL you will need to be binary compatible with.

That answered. :)
I'm using 0.9.8e for the linking I guess. That gives the prefix @@OPENSSL_0.9.8 for the symbols. So better to go with a lower version like 0.9.8a.
Thanks Steve for the help.
Cheers,
Kau

> Steve.

--
http://kaushalye.blogspot.com/
http://wso2.org/
Re: Openssl backward compatibility
jimmy bahuleyan wrote:
> Kaushalye Kapuruge wrote:
>> Hi Listers,
>> I'm having a problem shipping my (xml security) library, which is based on openssl crypto implementation. I have statically linked it with the ssl and crypto libraries (-lssl -lcrypto).
> Are you sure you have statically linked in the Openssl libraries? If it was, then I don't think you'd get link errors for these symbols. I also believe all versions of 0.9.x to be binary compatible for the same 'x'.

Correction: It's not statically linked. :) My bad.
But why am I getting this error even if it's dynamically linked, on another machine with 0.9.8c?
What's the meaning of 0.9.8e in
OpenSSL 0.9.8c 05 Sep 2006 (Library: OpenSSL 0.9.8e 23 Feb 2007)
when I issue
%openssl version
What possible actions can I take to ship my library so that it'll work on any 0.9.8x (rather than linking statically)?
Thanks for the reply. :)
Cheers,
Kau

>> And my openssl version is
>> OpenSSL 0.9.8c 05 Sep 2006 (Library: OpenSSL 0.9.8e 23 Feb 2007)
>> When I compile and create binaries in my machine it simply won't work with another machine with the same openssl version 0.9.8.c. But in that machine I don't get the library version as 0.9.8e.
>> And gives this error
>> libomopenssl.so.0: symbol EVP_CIPHER_CTX_key_length, version OPENSSL_0.9.8 not defined in file libcrypto.so.0.9.8 with link time reference
>> When I list symbols in my library as
>> %nm libomopenssl.so | grep EVP_CIPHER_CTX
>> I get
>> U EVP_CIPHER_CTX_block_size@@OPENSSL_0.9.8
>> U EVP_CIPHER_CTX_cleanup@@OPENSSL_0.9.8
>> U EVP_CIPHER_CTX_init@@OPENSSL_0.9.8
>> U EVP_CIPHER_CTX_iv_length@@OPENSSL_0.9.8
>> U EVP_CIPHER_CTX_key_length@@OPENSSL_0.9.8
>> U EVP_CIPHER_CTX_set_padding@@OPENSSL_0.9.8
>> But in the other machine I get
>> U EVP_CIPHER_CTX_block_size
>> U EVP_CIPHER_CTX_cleanup@@OPENSSL_0.9.8
>> U EVP_CIPHER_CTX_init@@OPENSSL_0.9.8
>> U EVP_CIPHER_CTX_iv_length
>> U EVP_CIPHER_CTX_key_length
>> U EVP_CIPHER_CTX_set_padding@@OPENSSL_0.9.8
>> Note that these symbols are different for EVP_CIPHER_CTX_key_length
>> So, my question is, How do I make my library work with another machine with the same openssl version? What instructions I have to give? Should I ask them to use 0.9.8e? How's the backward compatibility of openssl?
>> Cheers,
>> Kaushalye
> -jb

--
http://kaushalye.blogspot.com/
http://wso2.org/
Re: Openssl backward compatibility
Kaushalye Kapuruge wrote:
> jimmy bahuleyan wrote:
>> Kaushalye Kapuruge wrote:
>>> Hi Listers,
>>> I'm having a problem shipping my (xml security) library, which is based on openssl crypto implementation. I have statically linked it with the ssl and crypto libraries (-lssl -lcrypto).
>> Are you sure you have statically linked in the Openssl libraries? If it was, then I don't think you'd get link errors for these symbols. I also believe all versions of 0.9.x to be binary compatible for the same 'x'.
> Correction: It's not statically linked. :) My bad
> But why I'm getting this error even if its dynamically linked, on another machine with 0.9.8c?
> What's the meaning of 0.9.8e in
> OpenSSL 0.9.8c 05 Sep 2006 (Library: OpenSSL 0.9.8e 23 Feb 2007)
> when I issue
> %openssl version

Well, if I understand things correctly here, that means your executable was built with 0.9.8c while the shared object available on the system is 0.9.8e. ($/openssl/apps/version.c).

> What possible actions I can take to ship my library so that it'll work on any 0.9.8x (rather than linking statically) ?
> Thanks for the reply. :)
> Cheers,
> Kau

As far as my knowledge goes if your build didn't do anything esoteric, then 0.9.8x libraries are binary compatible. Check if your executable has the proper dependencies and the openssl library installed is proper.

Or maybe someone else can throw some light on this problem ;)

-jb
--
No snowflake in an avalanche ever feels responsible.
Re: Safe signed certificate generation during server installation ?
On Fri, Sep 28, 2007 at 08:37:12PM +0530, Urjit Gokhale wrote:

>>> considered as proposition to discussion. Real, secure programming should be based on existing, well checked protocols (which is possible in this case).
>> The OP was going to embed his CA's private key in his installer. The OP was not thinking clearly about key management. My first response to the OP outlined what needs to be done for key-management (a human assisted enrollment process).
> Thank you all for all the responses and the discussion. I learn from this discussion, that for a complete secured system, I need to consider the key management in better fashion. I will definitely think over it. But for now, I would like you guys to comment if the scheme of allowing the admin to create certificate through installer work?

Turning security off works, shipping the CA private key to every machine turns off security.

> I am assuming that the admin will guard the installer (and hence the cert generation capability) well, so that no one else gets to create a CA signed cert.

This assumption seems unwarranted, and with global distribution of the CA private key it only takes the compromise of one machine to break security globally. I'd be hard-pressed to endorse this design.

--
Viktor.
Re: Openssl backward compatibility
On Fri, Sep 28, 2007, jimmy bahuleyan wrote:
> Kaushalye Kapuruge wrote:
>> Hi Listers,
>> I'm having a problem shipping my (xml security) library, which is based on openssl crypto implementation. I have statically linked it with the ssl and crypto libraries (-lssl -lcrypto).
> Are you sure you have statically linked in the Openssl libraries? If it was, then I don't think you'd get link errors for these symbols. I also believe all versions of 0.9.x to be binary compatible for the same 'x'.

Well backward binary compatible. So 0.9.8e may introduce features or include functions not in say 0.9.8d.

Some macros were converted into functions in 0.9.8e so this will cause issues when attempting to use 0.9.8e compiled binaries against an earlier version of the library because those functions will not exist.

So to answer the OP's question. Ideally users of older versions should upgrade in order to get bug and security fixes. If that isn't practical then compile and link your applications against the lowest version of OpenSSL you will need to be binary compatible with.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: Safe signed certificate generation during server installation ?
>> considered as proposition to discussion. Real, secure programming should be based on existing, well checked protocols (which is possible in this case).
> The OP was going to embed his CA's private key in his installer. The OP was not thinking clearly about key management. My first response to the OP outlined what needs to be done for key-management (a human assisted enrollment process).

Thank you all for all the responses and the discussion. I learn from this discussion, that for a complete secured system, I need to consider the key management in better fashion. I will definitely think over it.

But for now, I would like you guys to comment if the scheme of allowing the admin to create certificate through installer work? I am assuming that the admin will guard the installer (and hence the cert generation capability) well, so that no one else gets to create a CA signed cert. Isn't this as if the installer itself is working as a CA tool, and the admin is acting as a local CA, issuing / creating certificates for the servers to use?

I believe the MITM can be avoided with this, in the following way: The admin knows the name of the machine where he is installing the server. He will put this information in the certificate. The client will indeed verify this name as part of cert verification. We assume that acting as a local CA, the admin will not use installer to create incorrect certificates.

BTW. I would like to know more about the finished messages David was talking about. Could someone point me to the documentation / article on this?

Thank you once again.
~ Urjit
newbie question: sample s_server usage
Hi,

I'm a newbie to openssl and the openssl toolkit. I need to add support for TLS to one Java client, including client authentication. I've made the changes to the client and need to test it with a server, so I'm trying to use s_server. I have used the keytool utility supplied with jdk1.4 to generate client/server public/private key certificates using the RSA algo. How do I use these certificates in invoking and testing my client using s_server?

Any help is appreciated.

thanks,
deep

View this message in context: http://www.nabble.com/newbie-question%3A-sample-s_server-usage-tf4533778.html#a12938503
Re: Openssl backward compatibility
Kaushalye Kapuruge wrote:
> Hi Listers,
> I'm having a problem shipping my (xml security) library, which is based on openssl crypto implementation. I have statically linked it with the ssl and crypto libraries (-lssl -lcrypto).

Are you sure you have statically linked in the Openssl libraries? If it was, then I don't think you'd get link errors for these symbols. I also believe all versions of 0.9.x to be binary compatible for the same 'x'.

> And my openssl version is
> OpenSSL 0.9.8c 05 Sep 2006 (Library: OpenSSL 0.9.8e 23 Feb 2007)
> When I compile and create binaries in my machine it simply won't work with another machine with the same openssl version 0.9.8.c. But in that machine I don't get the library version as 0.9.8e.
> And gives this error
> libomopenssl.so.0: symbol EVP_CIPHER_CTX_key_length, version OPENSSL_0.9.8 not defined in file libcrypto.so.0.9.8 with link time reference
> When I list symbols in my library as
> %nm libomopenssl.so | grep EVP_CIPHER_CTX
> I get
> U EVP_CIPHER_CTX_block_size@@OPENSSL_0.9.8
> U EVP_CIPHER_CTX_cleanup@@OPENSSL_0.9.8
> U EVP_CIPHER_CTX_init@@OPENSSL_0.9.8
> U EVP_CIPHER_CTX_iv_length@@OPENSSL_0.9.8
> U EVP_CIPHER_CTX_key_length@@OPENSSL_0.9.8
> U EVP_CIPHER_CTX_set_padding@@OPENSSL_0.9.8
> But in the other machine I get
> U EVP_CIPHER_CTX_block_size
> U EVP_CIPHER_CTX_cleanup@@OPENSSL_0.9.8
> U EVP_CIPHER_CTX_init@@OPENSSL_0.9.8
> U EVP_CIPHER_CTX_iv_length
> U EVP_CIPHER_CTX_key_length
> U EVP_CIPHER_CTX_set_padding@@OPENSSL_0.9.8
> Note that these symbols are different for EVP_CIPHER_CTX_key_length
> So, my question is, How do I make my library work with another machine with the same openssl version? What instructions I have to give? Should I ask them to use 0.9.8e? How's the backward compatibility of openssl?
> Cheers,
> Kaushalye

-jb
--
No snowflake in an avalanche ever feels responsible.
Intermediate CA
Hi everybody,

I've been getting some problems with a WebService client on HTTPS. I have 1 certificate and 2 intermediate CAs to access this server.

Testing in my browser, if I remove any one of the intermediate CAs, I get this:

HTTP Error 403.7 - Forbidden: SSL client certificate is required.

I have the same error in my application. I've tried to include the intermediate CAs in many ways, but without success.

    Bool tSSLSocketAPI::SetCertificateFiles(mspchar ACertFile, mspchar AKeyFile)
    {
        if (ACertFile != NULL) {
            // INTERMEDIATE CA DONT HAVE KEY
            if (AKeyFile == NULL) {
                FILE *fp;
                X509 *cert;
                int rc;
                if (!(fp = fopen(ACertFile, "r"))) {
                    msprintf("OPS1unable to open certificate");
                    return false;
                }
                cert = PEM_read_X509(fp, NULL, NULL, NULL);
                fclose(fp);  // close the file on the failure path as well
                if (cert == NULL) {
                    msprintf("OPS2unable to read certificate");
                    return false;
                }
                rc = SSL_CTX_add_client_CA(sslCtx, cert);
                X509_free(cert);  // the call copies the subject name only
                if (rc < 1)
                    return false;
                return true;
            }
            // Certificate that has a private key: load and check the pair
            if (chkSSL(SSL_CTX_use_certificate_file(sslCtx, ACertFile, SSL_FILETYPE_PEM), ssl, sslErr) <= 0) {
                msprintf("unable to get certificate from '%s'\n", ACertFile);
                ERR_print_errors(sslErr);
                return false;
            }
            if (nOptions.PassPhrase)
                SSL_CTX_set_default_passwd_cb_userdata(sslCtx, nOptions.PassPhrase);
            if (SSL_CTX_use_PrivateKey_file(sslCtx, AKeyFile, SSL_FILETYPE_PEM) <= 0) {
                msprintf("unable to get private key from '%s'\n", AKeyFile);
                ERR_print_errors(sslErr);
                return false;
            }
            if (!SSL_CTX_check_private_key(sslCtx)) {
                msprintf("Private key does not match the certificate public key\n");
                return false;
            }
            if (nOptions.PassPhrase)
                SSL_CTX_set_default_passwd_cb_userdata(sslCtx, NULL);
        }
        return true;
    }

I've tried these functions:

SSL_CTX_add_client_CA(...)
SSL_CTX_add_extra_chain_cert(...)
SSL_CTX_load_verify_locations(...)

How do I add intermediate CAs using openssl?

Thanks in advance.
Ricardo G. Reis
Re: What means first byte '04' in EC public key?
Hello,

> I created an EC keypair via Java with the secp160r2 template. When I looked at the text form of the public key, I saw this:
> 04666d59b1fb53c1c998c12c71731d3a36a37cd995cadeee96c156c8d7c7852b39b5fefd1fa3ce18c7
> I know that the last 40 bytes present the x and y numbers of the EC point, but I don't know what the first byte 04 means.

This means that this octet string has EC point (x,y) without compression.

> Is it some compression or what?

This is information how to interpret following octets.

> Does some rule exist for generating this byte, or is it a constant value?

Yes, you may look at SEC1: Elliptic Curve Cryptography chapter 2.3.3, in short:

00 - point at infinity
02 or 03 - compressed point (depending on EC point)
04 - uncompressed point

> In Java I created the public key, which means I know the EC point (x and y), and now I need to construct this array of 41 bytes.

If you are going to use uncompressed point then you should create octet string as 04|x|y (in hex).

Best regards,
--
Marek Marcola
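The SEC1 2.3.3 octet-string layout described in this reply, as an added Python example that is not part of the original thread. The function names are illustrative, and `FIELD_LEN = 20` is an assumption taken from the 40 coordinate bytes in the question. Decoding here checks prefix and length only; confirming that the point lies on the curve needs the secp160r2 parameters, which the thread does not give.

```python
"""SEC1 section 2.3.3 point <-> octet string (added example, not list code)."""

FIELD_LEN = 20  # assumption: secp160r2 coordinates are 20 bytes each


def encode_point(x, y, compressed=False, field_len=FIELD_LEN):
    """Encode affine (x, y) as 04|x|y, or as 02|x / 03|x when compressed."""
    # to_bytes left-pads with zeros to the fixed width and raises
    # OverflowError if a coordinate is negative or too large. Variable-width
    # big-integer dumps (sign byte added, leading zeros dropped) break this.
    xb = x.to_bytes(field_len, "big")
    if compressed:
        return bytes([0x02 | (y & 1)]) + xb  # 02 = y even, 03 = y odd
    return b"\x04" + xb + y.to_bytes(field_len, "big")


def decode_point(data, field_len=FIELD_LEN):
    """Parse an octet string; reject unknown prefixes and wrong lengths."""
    if data == b"\x00":
        return {"form": "infinity"}
    if not data:
        raise ValueError("empty octet string")
    prefix, body = data[0], data[1:]
    if prefix == 0x04 and len(body) == 2 * field_len:
        return {"form": "uncompressed",
                "x": int.from_bytes(body[:field_len], "big"),
                "y": int.from_bytes(body[field_len:], "big")}
    if prefix in (0x02, 0x03) and len(body) == field_len:
        # Only the parity of y travels in the prefix; y itself has to be
        # recomputed from the curve equation by whoever holds the parameters.
        return {"form": "compressed",
                "x": int.from_bytes(body, "big"),
                "y_is_odd": prefix == 0x03}
    raise ValueError("unsupported prefix or wrong length")


# The public key quoted in the question (41 bytes: 04 | x | y).
KEY_HEX = ("04666d59b1fb53c1c998c12c71731d3a36a37cd995"
           "cadeee96c156c8d7c7852b39b5fefd1fa3ce18c7")

if __name__ == "__main__":
    point = decode_point(bytes.fromhex(KEY_HEX))
    print(point["form"], hex(point["x"]), hex(point["y"]))
    print(encode_point(point["x"], point["y"], compressed=True).hex())
```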
recompile applications when upgrade openssl?
On my Linux server many applications rely on openssl: from apache over cyrus-imap to sendmail and many others like named. Now I'd finally like to upgrade openssl from 0.9.6 to 0.9.8e to fix some security issues. (I know it's about time.)

My question now is: do I need to recompile all applications that rely on openssl, or is it enough just to rebuild the new openssl and put the libs in the proper place? I use quite an old version of cyrus-imap, for example, and the server has been running for many, many years now.

thnx,
peter