Problem with creating p12 file with chain
Hi All,

I am attempting to create a p12 file which will include both intermediate and root CA certificates in addition to the key and server certificate. I keep getting "Error unable to get local issuer certificate getting chain". I have checked the subject, issuer, AKI, and SKI for all certs and everything seems right (see below). Can someone please tell me what I'm missing here or what I should look at next in troubleshooting?

Command:
openssl pkcs12 -export -in ../testprod.pem -inkey ../testprod.key -out ../testprod.p12 -name tomcat -CAfile ../IssuingCA.pem -caname Issuing CA -CAfile ../RootCA.pem -caname Root CA -chain

Subject/Issuer:
C:\OpenSSL\bin>openssl x509 -in ..\testprod.pem -issuer -noout
issuer= /C=US/O=JTV /CN=ISSUING CA
C:\OpenSSL\bin>openssl x509 -in ..\IssuingCA.pem -subject -issuer -noout
subject= /C=US/O=JTV /CN=ISSUING CA
issuer= /C=US/O=ACN /CN=ROOT CA
C:\OpenSSL\bin>openssl x509 -in ..\RootCA.pem -subject -issuer -noout
subject= /C=US/O=ACN /CN=ROOT CA
issuer= /C=US/O=ACN /CN=ROOT CA

AKI:
End Entity: e3 65 a1 dc 05 53 7b 9c a3 86 80 a4 8f 71 38 79 f2 5e c9 7d
JTV: 82 9f 24 f0 7e 1e d3 47 c2 0d 8f 01 00 2b 7e 9e c0 6b 0f bc
ACN: 82 9f 24 f0 7e 1e d3 47 c2 0d 8f 01 00 2b 7e 9e c0 6b 0f bc

SKI:
End Entity: 47 23 7e 62 52 55 92 2c 3f aa e8 4c b3 54 e7 30 80 48 cc a1
JTV: e3 65 a1 dc 05 53 7b 9c a3 86 80 a4 8f 71 38 79 f2 5e c9 7d
ACN: 82 9f 24 f0 7e 1e d3 47 c2 0d 8f 01 00 2b 7e 9e c0 6b 0f bc

Thanks,
Karen
Multiple host names in one cert
Hi,

We have a few servers (openldap, apache) that are accessed via different host names, e.g.:
Internal: *.client.isp_int.com
External: *.client.isp_ext.com

We use a self-generated CA to sign the certs. I am currently creating two certs - one for internal hostnames with CN=*.client.isp_int.com, and one for external host names with CN=*.client.isp_ext.com

Is it possible to create and sign a certificate that contains both internal and external hostnames? I've looked into using subjectAltName to add a second host name to the cert but it doesn't seem to be present in the signed certificate.

Can anyone tell me:
a. Is it possible to do this?
b. How to do this?

Thanks,
R.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Problem with creating p12 file with chain
Reinhardt, Karen - Contractor wrote:
> Hi All, I am attempting to create a p12 file which will include both intermediate and root CA certificates in addition to the key and server certificate. I keep getting "Error unable to get local issuer certificate getting chain". I have checked the subject, issuer, AKI, and SKI for all certs and everything seems right (see below). Can someone please tell me what I'm missing here or what I should look at next in troubleshooting?
>
> Command:
> openssl pkcs12 -export -in ../testprod.pem -inkey ../testprod.key -out ../testprod.p12 -name tomcat -CAfile ../IssuingCA.pem -caname Issuing CA -CAfile ../RootCA.pem -caname Root CA -chain

You cannot specify multiple -CAfile arguments. Try to concatenate your CA certificates into one file.

Hope it helps.

Ted ;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
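Ted's fix (one -CAfile holding every CA certificate) and R.'s subjectAltName question from the "Multiple host names in one cert" thread, worked through end to end as an added example; this is not code from either poster. It builds a throwaway ROOT CA / ISSUING CA / server chain with the names from Karen's post, signs the server certificate with both of R.'s wildcard names via -extfile (openssl x509 -req does not copy extensions out of the CSR, which is the usual reason a SAN "disappears" at signing time; with openssl ca the equivalent knob is copy_extensions = copy in openssl.cnf), and exports the PKCS#12 with -chain. The file names and the "changeit" password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: one -CAfile for the whole CA chain
# (Ted's answer) and a server cert carrying two hostnames in subjectAltName
# (R.'s question).  CA names and hostnames come from the two posts; the file
# names and the "changeit" PKCS#12 password are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One config file serves every step: [req] makes "req -x509" self-sign the
# root with the v3_ca extensions, and "x509 -req -extfile ... -extensions"
# picks the section for each signed cert.  Extensions must come from here,
# because "openssl x509 -req" does not copy extensions out of the CSR.
write_config() {
    cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
# one cert, both the internal and the external wildcard name
subjectAltName = DNS:*.client.isp_int.com, DNS:*.client.isp_ext.com
EOF
}

# Root CA (self-signed) -> issuing CA -> server cert, all in $WORK.
make_chain() {
    cd "$WORK"
    write_config
    openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/O=ACN/CN=ROOT CA" -keyout RootCA.key -out RootCA.pem
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -subj "/C=US/O=JTV/CN=ISSUING CA" -keyout IssuingCA.key -out IssuingCA.csr
    openssl x509 -req -in IssuingCA.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial \
        -days 30 -extfile pki.cnf -extensions v3_ca -out IssuingCA.pem
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -subj "/C=US/O=JTV/CN=*.client.isp_int.com" -keyout testprod.key -out testprod.csr
    openssl x509 -req -in testprod.csr -CA IssuingCA.pem -CAkey IssuingCA.key -CAcreateserial \
        -days 30 -extfile pki.cnf -extensions v3_server -out testprod.pem
    # the fix from the thread: every CA cert in ONE file, passed as ONE -CAfile
    cat IssuingCA.pem RootCA.pem > chain.pem
}

# Export the bundle with -chain and print how many certificates it contains
# (3 = server + issuing + root when the chain resolves).
build_p12() {
    cd "$WORK"
    openssl pkcs12 -export -in testprod.pem -inkey testprod.key -name tomcat \
        -chain -CAfile chain.pem -passout pass:changeit -out testprod.p12
    openssl pkcs12 -in testprod.p12 -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Print the DNS names the signed server certificate really carries.
san_names() {
    openssl x509 -in "$WORK/testprod.pem" -noout -text \
        | grep -o 'DNS:[^,]*' | tr '\n' ' ' | sed 's/ *$//'
}

# Build everything when openssl is available (the functions above can also be
# used one at a time from an interactive shell after sourcing this file).
if command -v openssl >/dev/null 2>&1; then
    make_chain
    echo "certificates in testprod.p12: $(build_p12)"
    echo "subjectAltName: $(san_names)"
fi
```

If the count printed is 1 instead of 3, the chain did not resolve: check that chain.pem really contains the issuer of the server certificate and the root that issued it, which is exactly the subject/issuer walk Karen did by hand above.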
RE: Problem porting SSL on VDK OS
> Hi All; Thanks to you for your suggestions. I followed your suggestion and removed ssl/ssl_task.c and compiled it but I got one problem which is as follows:
> crypto\sha\sha1s.cpp, line 72: cc0020: error: identifier GetTSC is undefined GetTSC(s1);

You have no TSC, so this code is of no use to you. Eliminate this file from those you are compiling.

Arguably, someone should add the following to this file:
--- @@ -28,6 +28,8 @@ void GetTSC(unsigned long tsc) __asm mov a, eax; tsc=a; } +#else +#error This code requires an instruction cycle counter #endif #include stdio.h ---

DS
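Review bot: the added `#else` / `#error` branch only does what is intended if the `#endif` that follows it closes the compiler-selection conditional that chose the `__asm mov a, eax` GetTSC, not some inner conditional; the hunk's context shows only the closing brace of that function, so the enclosing `#if` should be visible in the context (or named in the commit message) before anyone applies this. sha1s.cpp is also a timing harness rather than library code, so on a target without a cycle counter the remedy given in the text, leaving the file out of the build, is the cleaner one: `#error` would still make a whole-tree build fail on such a target.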
RE: Compiling on a Mac
> Can you share the code that you found, a link to it, or at least a hint as to which search engine you found it on?
>
> http://www.cs.odu.edu/~cs772/sourcecode/NSwO/compiled/encdec.c There you go.

I'm curious -- do you understand what the code you are compiling is supposed to actually *do*? Because if my understanding is correct, it only makes sense if you have a source of a stream of bytes and a sink for the stream of bytes and are trying to interpose an encryption/decryption step in the middle. If you don't have these two things, the code will not work because it will have no idea where to get its input from and where to send its output to.

At least, that's my understanding. If your understanding is different, share it. If you don't understand what the code is supposed to do, stop trying to make it work. You will have no way to know when you've succeeded. ;)

DS
Re: Compiling on a Mac
> The source for incremental_send isn't in the book anywhere that I've seen. I'm using the first edition (June 2002). My code does call incremental_send, and the code I'm trying to compile is the example code provided in the book itself (in chapter 6 - see example 6-4). The book provides the code for incremental_encrypt as well as incremental_finish, so my assumption is that it is a method included in the bowels of the libraries provided. Are you saying that this is a method that I must construct myself? The book doesn't say that, so my assumption is that it is provided.

I have run into books that claim to be good but the publisher leaves out critical stuff. Go to the publisher's site and look for errata and downloadable source files.
compiling a ssl
I have downloaded openssl 0.9.8g source from the website. It's working fine, but I need the source code for my project and I got it in openssl. When I compiled it in VC++ in Windows, I got no errors, but I get an external reference error when linking. Do I need to add any lib files? Please guide me in detail as I need it very soon. I had linked all lib files present in openssl through project settings - link tab.
possible SSL_write bug
Hi,

I made a program that connects to a stunnel server. I am able to connect to the server, read, write, with no problems. The problem is that if I close the stunnel, I can handle the error correctly if I make an SSL_read, but not if I make an SSL_write. The SSL_write returns a positive value even if the stunnel is closed, and on the next SSL_write the application closes suddenly. So if I close the stunnel, and make two writes in a row in my application, my application dies.

Is there a function I should call before the SSL_write to check the status of the connection?

Thanks in advance.
Problem in porting open ssl library
Hi all;

I want to port OpenSSL on VDK (VDSP compiler, BF533 processor). For that purpose I downloaded OpenSSL from openssl.org (openssl-0.9.8g). Actually the above project has so many folders like crypto, apps, cert, engine, demo, etc. Let me know which folder I will port in VDK (RTOS) for secure connection. Please reply me. Thanks.

Regards;
Ajeet Kumar Singh
RE: possible SSL_write bug
> I made a program that connects to a stunnel server. I am able to connect to the server, read, write, with no problems.

Good.

> The problem is that if I close the stunnel, I can handle the error correctly if I make an SSL_read, but not if I make an SSL_write. The SSL_write returns a positive value even if the stunnel is closed, and on the next SSL_write the application closes suddenly.

The first part is typical. Depending on exactly how the tunnel was closed, a write may not detect it immediately.

As for your application closing suddenly on the next SSL_write, this is abnormal. Most likely, it's a bug in your program. It could be a bad OpenSSL build or a bug in OpenSSL, but that's unlikely.

> So if I close the stunnel, and make two writes in a row in my application, my application dies.

Figure out why. Get a core dump or attach a debugger and see why and where it's dying.

DS
Is TLS-PSK already implemented in openssl?
Is TLS-PSK already implemented in openssl?
Re: Compiling on a Mac
Hi David,

Yes indeed I do. I have seen that link before, but it doesn't contain the contents of incremental_send (this data is left hanging in limbo with nothing to do). My goal is to integrate this into a sockets application I'm using where there will indeed be a continuous stream of data.

Thanks
Joel

On Feb 6, 2008 1:09 AM, David Schwartz [EMAIL PROTECTED] wrote:
> > Can you share the code that you found, a link to it, or at least a hint as to which search engine you found it on?
> >
> > http://www.cs.odu.edu/~cs772/sourcecode/NSwO/compiled/encdec.c There you go.
>
> I'm curious -- do you understand what the code you are compiling is supposed to actually *do*? Because if my understanding is correct, it only makes sense if you have a source of a stream of bytes and a sink for the stream of bytes and are trying to interpose an encryption/decryption step in the middle. If you don't have these two things, the code will not work because it will have no idea where to get its input from and where to send its output to.
>
> At least, that's my understanding. If your understanding is different, share it. If you don't understand what the code is supposed to do, stop trying to make it work. You will have no way to know when you've succeeded. ;)
>
> DS
Re: compiling a ssl
Hi Gopinath,

I'm having the same issue (not in VC++ though). What symbols are causing external reference errors for you? What command-line string are you using to try and compile your project w/ OpenSSL? Did you link ssl/crypto into your project?

On Feb 6, 2008 1:51 AM, gopinath ethiraja [EMAIL PROTECTED] wrote:
> I have downloaded openssl 0.9.8g source from the website. It's working fine, but I need the source code for my project and I got it in openssl. When I compiled it in VC++ in Windows, I got no errors, but I get an external reference error when linking. Do I need to add any lib files? Please guide me in detail as I need it very soon. I had linked all lib files present in openssl through project settings - link tab.
Re: Problem in porting open ssl library
Ajeet kumar.S wrote:
> Hi all; I want to port OpenSSL on VDK (VDSP compiler, BF533 processor). For that purpose I downloaded OpenSSL from openssl.org (openssl-0.9.8g). Actually the above project has so many folders like crypto, apps, cert, engine, demo, etc. Let me know which folder I will port in VDK (RTOS) for secure connection. Please reply me. Thanks.
> Regards; Ajeet Kumar Singh

I dunno about porting folders, but you might want to take a look at the files e_os.h and e_os2.h. It's very difficult to make out what you want from your mail. I would advise you to look at the documentation in OpenSSL (or those on the net) first.

-jb

--
I used to think I was indecisive, but now I'm not so sure.
RE: Compiling on a Mac
> Hi David, Yes indeed I do. I have seen that link before, but it doesn't contain the contents of incremental_send (this data is left hanging in limbo with nothing to do).

That is the contents of incremental_send.

> My goal is to integrate this into a sockets application I'm using where there will indeed be a continuous stream of data.

It won't link until you do that.

DS
RE: RSA_verify problem
Hello,

> I have tested the sample code and it runs without error however I am still using the default char N[], char E[] and msg[] values in the file. I am unclear what steps I need to take to convert the Modulus and Exponent strings from my XML into a format suitable for this function. In the code it seems that the N and E values are hexadecimal - should this be the hexadecimal conversion of my 128 byte base64 decoded modulus value from the XML and the equivalent for the exponent?

I use hex form because the BN_hex2bn() function is used here. In your case, you may use a binary buffer (after decoding with base64) and the function BN_bin2bn().

> Also should the 'msg[]' character array be the pure xml string of the SignedInfo element?

msg[] is not used, this is from my other examples, ignore it. You should put the signature (after base64 decoding) into the enc_bin buffer. In my example I test only decryption by creating a buffer with all bytes set to 1:

    /* prepare encrypted data */
    enc_len = RSA_size(rsa_pub);
    memset(enc_bin, 1, enc_len);

In your situation, you should put real data here.

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
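Marek describes the C route (base64-decode the XML Modulus and Exponent, hand the bytes to BN_bin2bn(), then verify). The added script below is not his code; it does the same conversion with the openssl command line, so the values can be checked before they go near RSA_verify. A freshly generated key stands in for the signer whose RSAKeyValue the XML carries, the exponent is the usual AQAB (65537) found in such XML, the SignedInfo text and the SHA-256 digest choice are constructed for the demo, and the asn1parse -genconf template is the one from the asn1parse(1) manual page.

```shell
#!/bin/sh
# Added example, not Marek's code: the openssl CLI counterpart of "base64-decode
# the XML Modulus/Exponent and feed the bytes to BN_bin2bn()".  A freshly
# generated key stands in for the signer whose RSAKeyValue the XML carries,
# and the sample SignedInfo text is constructed here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# base64 as found in <Modulus>/<Exponent> -> hex digits with no whitespace.
b64_to_hex() {
    printf '%s' "$1" | openssl base64 -d -A | od -An -v -tx1 | tr -d ' \n'
}

# Wrap hex modulus ($1) and exponent ($2) into a PEM SubjectPublicKeyInfo ($3)
# using the asn1parse -genconf template from the asn1parse(1) manual page.
pubkey_from_hex() {
    cat > "$WORK/pub.cnf" <<EOF
asn1 = SEQUENCE:pubkeyinfo
[pubkeyinfo]
algorithm = SEQUENCE:rsa_alg
pubkey = BITWRAP,SEQUENCE:rsapubkey
[rsa_alg]
algorithm = OID:rsaEncryption
parameter = NULL
[rsapubkey]
n = INTEGER:0x$1
e = INTEGER:0x$2
EOF
    openssl asn1parse -genconf "$WORK/pub.cnf" -noout -out "$WORK/pub.der"
    openssl rsa -pubin -inform DER -in "$WORK/pub.der" -out "$3" 2>/dev/null
}

# Check a detached signature ($3) over a file ($2) with a public key ($1);
# prints "ok" or "bad" rather than relying on the exit status alone.
verify_sig() {
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# Generate a signer, rebuild its public key from the XML-style values, then
# verify a real signature and a tampered message.  Prints "same ok bad".
demo() {
    openssl genrsa -out "$WORK/signer.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/signer.key" -pubout -out "$WORK/expected_pub.pem" 2>/dev/null
    # what the XML would carry: the modulus bytes and the exponent bytes
    mod_hex="$(openssl rsa -in "$WORK/signer.key" -noout -modulus | sed 's/^Modulus=//')"
    exp_hex="$(b64_to_hex AQAB)"   # AQAB is base64 for 01 00 01, i.e. 65537
    pubkey_from_hex "$mod_hex" "$exp_hex" "$WORK/rebuilt_pub.pem"
    if cmp -s "$WORK/expected_pub.pem" "$WORK/rebuilt_pub.pem"; then keys=same; else keys=different; fi
    printf '<SignedInfo>constructed sample</SignedInfo>' > "$WORK/signedinfo.xml"
    openssl dgst -sha256 -sign "$WORK/signer.key" -out "$WORK/sig.bin" "$WORK/signedinfo.xml"
    printf '<SignedInfo>tampered</SignedInfo>' > "$WORK/tampered.xml"
    good="$(verify_sig "$WORK/rebuilt_pub.pem" "$WORK/signedinfo.xml" "$WORK/sig.bin")"
    bad="$(verify_sig "$WORK/rebuilt_pub.pem" "$WORK/tampered.xml" "$WORK/sig.bin")"
    echo "$keys $good $bad"
}

if command -v openssl >/dev/null 2>&1; then
    DEMO_RESULT="$(demo)"
    echo "rebuilt key matches / good sig / tampered sig: $DEMO_RESULT"
fi
```

The "same" check is the useful part for the original question: if the key rebuilt from the XML values is byte-identical to the one the signer published, the base64 handling is right and a later RSA_verify failure has to be looked for in the signature bytes or the digest, not in the key.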
Re: Which folder and source files required to port for work on SSL
Hello,

> I am a new user of OpenSSL. I am trying to port OpenSSL on VDK RTOS (which is not VMS OS, which is an RTOS developed by Analog Devices). For porting OpenSSL I got openssl-0.9.8g from http://www.openssl.org/. I am trying to port the whole project openssl-0.9.8g but this project has so many folders and each folder has so many .c and .h files. So for that I am facing so many problems. Actually I want to know for secure connection which folder I will port on VDK. Please reply me which folders I require to port on VDK, i.e. so I can work on SSL.

If you want SSL/TLS functionality then I think that the easiest way to port is to include all directories. You may easily extract some crypto algorithm (like AES or RSA) but SSL/TLS requires many algorithms and OpenSSL utilities/tools (logging, threads, ...).

You may also look at other, smaller implementations of SSL/TLS designed for easy porting and small resource usage (MatrixSSL is an example).

Best regards,
--
Marek Marcola [EMAIL PROTECTED]
OpenSSL FIPS Object Module v1.1.1 patch (v1.1.2) now validated
I've just been informed that we have received the long awaited official approval of the vulnerability fix for the OpenSSL FIPS Object Module v1.1.1. The patched version of that product is now known as v1.1.2 with the new validation certificate number 918 and can be downloaded from http://www.openssl.org/source/openssl-fips-1.1.2.tar.gz. Please note that the DSA algorithm has been removed from the validation because the rules for DSA changed and the code didn't.

I am keenly aware that the effective revocation of the earlier validation more than a month before this patch was approved caused significant disruption for some users of the FIPS validated OpenSSL module. This incident demonstrates both business and operational risks with validated software that I won't belabor now. It also demonstrates the need for a more efficient evaluation process that takes into consideration the open and transparent nature of products such as the OpenSSL crypto module.

OSSI will continue to push the OpenSSL validation process. We will also continue to work with the CMVP and other government agencies to try and facilitate the development and adoption of more efficient means of evaluating these products.

-Steve M.

--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]
Re: install openssl from source while rpm is their on RHEL 4
Hi,

I have a Red Hat ES 4 64-bit server installed with the openssl-0.9.7a-43.8 rpm installed. I need to install openssl 0.9.8g from source. If I use the default prefix, which is /usr/local/ssl, to install config files and all default config options, will it remove any of the libraries which the previous server has installed? Or will it install all components inside the --prefix directory?

Mostly appreciate your help on this.

cdemel
Re: Is TLS-PSK already implemented in openssl?
Yes, it is already implemented in openssl. Go to the apps directory and see the example programs s_client.c and s_server.c.

gopinath ethiraja [EMAIL PROTECTED] wrote:
> Is TLS-PSK already implemented in openssl?
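The reply points at s_client.c and s_server.c; the added script below (not from the thread) drives those two apps through one TLS-PSK handshake on loopback so the feature can be seen working without any certificate. The identity, the hex key and the port are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: run one TLS-PSK handshake between
# the s_server and s_client apps the reply points at.  Identity, key and port
# are constructed for this demo (the key is 32 arbitrary bytes in hex).
set -eu

PSK_ID="demo-client"
PSK_HEX="1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f809"

# Start a PSK-only server (no certificate) on loopback, connect once with the
# same identity/key, and print the negotiated cipher, or "none" on failure.
# An optional first argument overrides the port.
psk_handshake() {
    port="${1:-$((20000 + $$ % 20000))}"
    openssl s_server -accept "$port" -nocert -quiet \
        -psk_identity "$PSK_ID" -psk "$PSK_HEX" >/dev/null 2>&1 &
    srv=$!
    sleep 1                                    # give the listener time to bind
    out="$(printf 'Q\n' | openssl s_client -connect "127.0.0.1:$port" \
        -psk_identity "$PSK_ID" -psk "$PSK_HEX" 2>&1 || true)"
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    # s_client reports "New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256" (or a
    # PSK-* suite under TLS 1.2); "(NONE)" means the handshake failed.
    cipher="$(printf '%s\n' "$out" | grep -o 'Cipher is [A-Z0-9_-]*' | head -n 1 | sed 's/Cipher is //')"
    if [ -n "$cipher" ]; then echo "$cipher"; else echo none; fi
}

if command -v openssl >/dev/null 2>&1; then
    echo "negotiated: $(psk_handshake)"
fi
```

Passing -psk on the command line exposes the key to anyone who can read the process list or the shell history; that is fine for a throwaway test like this one, not for a deployment, where the PSK callbacks shown in the two source files are the place to fetch the key from protected storage.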