Re: How to get useful error messages?
No response yet :-( Please let me know if you guys need any more information in order to help me understand what is going wrong here. ERR_reason_error_string() and ERR_get_error() do not give me anything back. - Original Message - From: Urjit Gokhale To: Urjit Gokhale ; openssl-users@openssl.org Sent: Wednesday, October 03, 2007 8:27 PM Subject: Re: How to get useful error messages? Hello everyone, I modified my code to add the following two lines after initializing the ssl library with SSL_library_init(): --- RAND_write_file(prngseed.dat); RAND_load_file(prngseed.dat, -1); --- And this solved the problem on HPUX. Now I am facing the same connectivity problem on AIX box. Note that the above two lines are still there. strace on the AIX box doesn't give any output at all. I have no clue why the SSL_connect is failing. It will be great if anyone could suggest a way to figure out what is going wrong here. ~ Urjit - Original Message - From: Urjit Gokhale To: openssl-users@openssl.org Sent: Monday, September 24, 2007 1:48 PM Subject: How to get useful error messages? Hi, I am running an application on HPUX 11i. The application fails in SSL_connect(). I tried to print the error message with the following code snippet: == ret = SSL_connect(ssl) if (ret != 1) { char *m_file, *m_data; int m_line = 0 , m_flags = 0; printf(error code is %d,SSL_get_error(conn-sock-ssl, ret)); printf(errno is %d,errno); ERR_peek_error_line_data((const char**)(m_file), m_line, (const char**)(m_data), m_flags); printf(filename: %s\tline :%d\ndata: %s\nflags: %d,m_file,m_line,m_data,m_flags); printf(%s\n,ERR_reason_error_string(ERR_peek_error())); } == The error code is 5 (SSL_ERROR_SYSCALL) and errno is 2 (ENOENT). But the function ERR_peek_error_line_data() fails, and I dont get any filename / line number etc. I used tusc on HPUX to trace the calls, and found that SSL_connect fails to find a random number generator and hence errno is 2. Here is the relevent part of the trace generated by tusc: == open(/tmp/cacert.pem, O_RDONLY|O_LARGEFILE, 0666) ... = 5 ioctl(5, TCGETA, 0x7a005278) .. ERR#25 ENOTTY read(5, - - - - - B E G I N C E R T I .., 8192) ... = 1184 read(5, 0x4002a2c0, 8192) . = 0 getpid() .. = 21419 (21418) getpid() .. = 21419 (21418) getpid() .. = 21419 (21418) close(5) .. = 0 send(4, \0\0\006\0\f, 6, 0) . = 6 time(NULL) = 1190620890 getpid() .. = 21419 (21418) time(NULL) = 1190620890 time(NULL) = 1190620890 getpid() .. = 21419 (21418) getpid() .. = 21419 (21418) getpid() .. = 21419 (21418) open(/dev/urandom, O_RDONLY|O_NONBLOCK|O_NOCTTY, 0) . ERR#2 ENOENT open(/dev/random, O_RDONLY|O_NONBLOCK|O_NOCTTY, 040460) . ERR#2 ENOENT open(/dev/srandom, O_RDONLY|O_NONBLOCK|O_NOCTTY, 040460) ERR#2 ENOENT socket(AF_UNIX, SOCK_STREAM, 0)
Re: certificate withou private key
The rpoblem is, that the handling of the samrt card is a bit complicated in the state it is now, and I'm simply not sure, wether I am able to make the certificate without using the private key at all (that is without signing, too). cheers Mathias Am 01. Oct 2007, schrieb Mike Nelson: Yes. First you generate the private-public key pair in the smart card. Then you get the public key out of the smart card, into your computer's memory. You put your X.500 information, such as DN, etc., typically into a small text file on your HDD. Your application reads the info, and builds a pkcs10 certificate request, using the info and the public key. Finally you use the private key that lives in the smart card, to sign your p10 request. The cert request is submitted to a CA, which will issue a cert if it is happy with your request. How do you extract the public key from your card, and how do you tell the card to perform a signing operation on your p10 data? The smart card will have some sort of API, such as pkcs11, and you use that. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
PKCS12_parse - additional certificates
Hi, int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca); If PKCS12_parse() is successful, the private key will be written to *pkey, the corresponding certificate to *cert and any additional certificates to *ca. 1. What is the use of additional certificates? 2. Whether they should be used as root CA certificates for that domain? If yes, then whether we should add them using SSL_CTX_load_verify_locations() OR SSL_CTX_set_cert_store(). 3. Whether they have any relationship with retrieved private key? Best Regards, Manish Jain GlobalLogic Inc. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: man in the middle attack over https
* Robert Butler wrote on Wed, Oct 03, 2007 at 17:43 -0400: That's right- nobody can do man-in-the-middle (that I've heard, anyway) on HTTPS, since everything is encrypted using TLS or SSL. Just for security I'd like to add a small concretion. (I know you know, but it cannot be stressed enough, otherwise by the time and some lazyness some default trust to TLS could occure, like it's TLS and thus secure, which of course is wrong). Encryption or SSL/TLS (as in HTTPS) by itself do help anything against MITM as long as the peer is not authenticated. This authentication should be made by the user (after establishing the SSL/TLS tunnel) by verifying the certified identity information (by checking the certificate subject values), which works as long as you can trust the system running the browser. If you get extremely lucky and catch the browser at the wrong moment, you can sniff the server key and browser key, but apart from that, it really depends on the strength of the server's key. I assume keys used in practice (except some US export restricted software, in case this restriction still exists) are always strong enough to make a brute force key attack much more expensive that other attacks (in which case IMHO the key strength is sufficient). What they do, is they spoof the certificate and point you to a hijacked webpage (us.etrade.com.mypaidhost.net), from which they can easily collect your login information. They can (and should) use a valid correct authentic certificate for *.mypaidhost.net which guarentees that the TLS tunnel is really established to mypaidhost.net. That is what TLS is for. If the authenticated peer (such as us.etrade.com.mypaidhost.net) is authenticated or not must be decided by the user (who usually should inspect the information of the certificate and other). Without the user inspecting the certificate, TLS does not help. Maybe in case of a valid certificate for the phishing site the institution that requested the certificate could be caugth because the CA should know, but I'm afraid in practice you can get certificates without this beeing guaranteed, such as a cacert.org certificate or whatever. oki, Steffen About Ingenico Throughout the world businesses rely on Ingenico for secure and expedient electronic transaction acceptance. Ingenico products leverage proven technology, established standards and unparalleled ergonomics to provide optimal reliability, versatility and usability. This comprehensive range of products is complemented by a global array of services and partnerships, enabling businesses in a number of vertical sectors to accept transactions anywhere their business takes them. www.ingenico.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. About Ingenico Throughout the world businesses rely on Ingenico for secure and expedient electronic transaction acceptance. Ingenico products leverage proven technology, established standards and unparalleled ergonomics to provide optimal reliability, versatility and usability. This comprehensive range of products is complemented by a global array of services and partnerships, enabling businesses in a number of vertical sectors to accept transactions anywhere their business takes them. www.ingenico.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
other libraries with openssl
Hello all, I should first say that I am not familiar with ssl issues. I have a question which maybe a dump one. But I would appreciate any explanations or correct pointers. I tried to execute openssl program on my ppc linux. It was version 0.9.7a compiled with eldk 3.1.1. Considering the embedded system constraints my system did not have many components, as well as none of the openssl related shared objects. So, in my first attempt, program exited saying shared object libssl is not found.OK, I thought copying this shared object to my system and loading it would solve the problem. But unfortunately it asked for a couple of more libraries. That was OK, what I did was ldd'ing the executable and copy and load each library and then executable was successfully executed. I wanted ask why these other libraries are really needed. In addition, is it possible to use openssl in my own application without any of these other libraries? Other libraries that openssl executable 0.9.7a compiled with eldk 3.1.1: libssl.so.0.9.7a libcrypto.so.0.9.7a libgssapi_krb5.so.2.2 libkrb5.so.3.1 libk5crypto.so.3.0 libcomm_err.so.3.0 libz.so.1.1.4 -- M u r at A r t u n, MSc. Design Engineer be conservative in what you do, be liberal in what you accept from others __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
// PURIFY directive
Hi all, I had a wonder hour debugging ECDSA unit test I made to verify subset of EC library after porting to ARM. I excluded(using compilation directive) time in RAND_seed and RAND_pool itself. After that signatures created by ECDSA became same every session. So I can check resulting signatures with stored values. But signatures created on PC and on device were different. But then I encounter with PURIFY Am I right thinking that PURIFY directive used initial output buffer content as kind of an entropy since output puffer could be not initialized ? __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: man in the middle attack over https
2007/10/3, Robert Butler [EMAIL PROTECTED]: That's right- nobody can do man-in-the-middle (that I've heard, anyway) on HTTPS, since everything is encrypted using TLS or SSL. Ehrmmm. MIMD over https slowly becomes a standard firewall functionality, Zorp being the first doing it (as in a lot of other things related to firewalling, like [tadaaam] having an ssh proxy). Of course it is designed for benign purposes, and correct certificate validation stops its evil uses, but who knows how an ordinary user reacts to the popup saying that the CA is unknown.
about linux version for openssl
Hello, all, could somebody tell me is there any version limitation for linux if I compile, install and run openssl latest version. thanks a lot in advance. Richard - Tonight's top picks. What will you watch tonight? Preview the hottest shows on Yahoo! TV.
How to create certificates and keys for WPA/WPA2
Hi everyone, I'm new to OpenSSL, I'd like to use it to implement WPA2 with my router. I can't seem to find a good How To on generating the required certificates, CA and keys for the server and client. My initial attempts all failed. Does any one have any good How To's? I assume I have to generate and sign my own CA, generate the server public and private keys and generate private keys for all the clients. Thanks in advance!
Re: How to create certificates and keys for WPA/WPA2
On Thu, Oct 04, 2007 at 10:59:30AM -0600, c4onastick wrote: I can't seem to find a good How To on generating the required certificates, CA and keys for the server and client. My initial attempts all failed. Does any one have any good How To's? I assume I have to generate and sign my own CA, generate the server public and private keys and generate private keys for all the clients. You can start with a minimal demo CA I put together. See attached PKI.tgz file. Run: ./ca.sh rsa 1024 to generate a CA key pair (myCA/cacert.pem and myCA/cakey.pem) and related files. Run: ./cert.sh rsa 1024 to generate a client/server key pair (myCA/rsacert.pem myCA/rsakey.pem). You can edit myCA/cert.cnf between runs to tweak the CN and other certificate attributes. The main benefit of this code is that everything (including the .cnf file) is stripped down to the bare essentials, so you can see exactly what each piece is doing. You can then extend this to meet your needs. -- Viktor. PKI.tgz Description: application/tar-gz
Re: other libraries with openssl
Hello, I tried to execute openssl program on my ppc linux. It was version 0.9.7a compiled with eldk 3.1.1. Considering the embedded system constraints my system did not have many components, as well as none of the openssl related shared objects. So, in my first attempt, program exited saying shared object libssl is not found.OK, I thought copying this shared object to my system and loading it would solve the problem. But unfortunately it asked for a couple of more libraries. That was OK, what I did was ldd'ing the executable and copy and load each library and then executable was successfully executed. I wanted ask why these other libraries are really needed. In addition, is it possible to use openssl in my own application without any of these other libraries? Other libraries that openssl executable 0.9.7a compiled with eldk 3.1.1: libssl.so.0.9.7a libcrypto.so.0.9.7a libgssapi_krb5.so.2.2 libkrb5.so.3.1 libk5crypto.so.3.0 libcomm_err.so.3.0 libz.so.1.1.4 You may try to rebuild OpenSSL with options no-krb5 and no-zlib: $ ./Configure no-krb5 no-zlib ... Best regards, -- Marek Marcola [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]