Re: crash from curl with pkcs12 certs and threads

2010-06-26 Thread Dr. Stephen Henson
On Thu, Jun 24, 2010, Brian Makin wrote:

> On Thu, 2010-06-24 at 15:22 +0200, Dr. Stephen Henson wrote:
> > On Tue, Jun 22, 2010, Brian Makin wrote:
>
> snip
>
> > Can you check to see if PKCS12_PBE_add() is called multiple times using the
> > debugger? It is only supposed to be called once before threads are started but
> > a bug means if it is called more than once you get multiple table entries per
> > PBE algorithm (instead of no-op or replacing) and the subsequent sort
> > operations can result in a race condition. I'll look into fixing that.
> >
> > OpenSSL 1.0.0 doesn't have this problem because the builtin PBE algorithms are
> > in a static table.
>
> It appears the PKCS12_PBE_add is called many times in my test program.

Please try the next snapshot or apply this patch and see if it fixes the
problem:

http://cvs.openssl.org/chngview?cn=19721

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager   majord...@openssl.org
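
The failure mode described in the message above, as an added example that is not part of the thread and not OpenSSL source: a simplified model, assuming a lazily sorted lookup table, in which repeated registration duplicates entries and forces each later lookup to re-sort (the write that races between threads), beside an add that treats an existing id as a no-op. The struct, the function names and the algorithm ids are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified model (an assumption, not OpenSSL source): a table of PBE
 * algorithm ids that is sorted lazily on the first lookup after a change. */
#define MAX_ENTRIES 64
struct pbe_table {
    int ids[MAX_ENTRIES];
    int count;
    int sorted;      /* 0: the next lookup must sort, i.e. write to the table */
    int sort_calls;  /* number of lookups that had to write */
};
static int cmp_int(const void *a, const void *b) {
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}
/* Buggy add: always appends, so a repeated init duplicates every entry
 * and marks the table unsorted again. */
static void add_append(struct pbe_table *t, int id) {
    if (t->count < MAX_ENTRIES) { t->ids[t->count++] = id; t->sorted = 0; }
}
/* Hardened add: an id already present is a no-op, so a repeated init
 * leaves both the entries and the sorted flag untouched. */
static void add_once(struct pbe_table *t, int id) {
    for (int i = 0; i < t->count; i++)
        if (t->ids[i] == id) return;
    add_append(t, id);
}
/* Lookup sorts on demand. With threads, two concurrent lookups on an
 * unsorted table would both run qsort over shared memory: the race. */
static int lookup(struct pbe_table *t, int id) {
    if (!t->sorted) {
        qsort(t->ids, (size_t)t->count, sizeof t->ids[0], cmp_int);
        t->sorted = 1; t->sort_calls++;
    }
    return bsearch(&id, t->ids, (size_t)t->count, sizeof t->ids[0], cmp_int) != NULL;
}
/* Repeat the init `rounds` times with a lookup after each, as when every
 * worker thread repeats the registration. The ids are constructed values. */
static struct pbe_table run(void (*add)(struct pbe_table *, int), int rounds) {
    static const int ids[] = { 146, 144, 149, 145, 147, 148 };
    struct pbe_table t = { {0}, 0, 0, 0 };
    for (int r = 0; r < rounds; r++) {
        for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) add(&t, ids[i]);
        lookup(&t, ids[0]);
    }
    return t;
}
int main(void) {
    struct pbe_table bad = run(add_append, 3), good = run(add_once, 3);
    printf("append: %d entries, %d sorts\n", bad.count, bad.sort_calls);
    printf("no-op:  %d entries, %d sorts\n", good.count, good.sort_calls);
    return 0;
}
```

In the appending variant every repeated registration puts a write back on the lookup path; in the no-op variant the table is written once and lookups are read-only afterwards.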


Re: Windows Certificate Store Private Key

2010-06-26 Thread Mohan Radhakrishnan
Hi,
   Please ignore if this question belongs elsewhere but it looks
like the OP is storing and retrieving SSL certificate from a Windows
store. I have been looking for ways to use the Windows store to secure
SSL certificates and keys and SFTP keys.

Is Windows or any other method recommended for storage of keys and
certificates not created by Windows? We just cut a CD with the keys
and hand it over to the custodian as recommended by PCI but we want a
storage server. I know that RedHat has a PKI server but we already
have Windows and the number of keys is less.

Thanks,
Mohan

On Thu, Jun 24, 2010 at 9:45 PM, Harshvir Sidhu hvssi...@gmail.com wrote:
> Hey thanks all for the reply.
> Stephen:
>    Yes I have to do client authentication, Is there some sample available
> that demonstrates how can I use capi engine for the same? Thanks.
>
> // Harshvir
>
> On Thu, Jun 24, 2010 at 7:29 AM, Dr. Stephen Henson st...@openssl.org
> wrote:
>
> > On Wed, Jun 23, 2010, Harshvir Sidhu wrote:
> >
> > > Hi All,
> > >     I am trying to read Certificates and Private Key from Windows
> > > Certificate Store and then using them in OpenSSL. I am able to read
> > > Certificates but I am having trouble with reading Private Key. Has
> > > anyone done this before, any pointers will be great. Thanks.
> >
> > Depends on what you want to do with the key. If you want to use it for
> > SSL/TLS client authentication then you can use the CryptoAPI ENGINE to pick an
> > appropriate certificate and key and use them directly. You just have to set
> > the SSL client authentication ENGINE to capi.
> >
> > For other purposes you can load the private key from the capi ENGINE using
> > ENGINE_load_private_key(). The string you pass by default is a substring
> > of the certificate name e.g. if it has CN=steve then steve will do.
> >
> > Steve.


Re: Windows Certificate Store Private Key

2010-06-26 Thread Michael S. Zick
On Sat June 26 2010, Mohan Radhakrishnan wrote:
> Hi,
>    Please ignore if this question belongs elsewhere but it looks
> like the OP is storing and retrieving SSL certificate from a Windows
> store. I have been looking for ways to use the Windows store to secure
> SSL certificates and keys and SFTP keys.
>
> Is Windows or any other method recommended for storage of keys and
> certificates not created by Windows? We just cut a CD with the keys
> and hand it over to the custodian as recommended by PCI but we want a
> storage server. I know that RedHat has a PKI server but we already
> have Windows and the number of keys is less.

A good, widely used, general storage for sensitive information is TrueCrypt:
http://www.truecrypt.org/
Available for the most common operating systems.

Mike

> Thanks,
> Mohan
 
> On Thu, Jun 24, 2010 at 9:45 PM, Harshvir Sidhu hvssi...@gmail.com wrote:
> > Hey thanks all for the reply.
> > Stephen:
> >    Yes I have to do client authentication, Is there some sample available
> > that demonstrates how can I use capi engine for the same? Thanks.
> >
> > // Harshvir
> >
> > On Thu, Jun 24, 2010 at 7:29 AM, Dr. Stephen Henson st...@openssl.org
> > wrote:
> >
> > > On Wed, Jun 23, 2010, Harshvir Sidhu wrote:
> > >
> > > > Hi All,
> > > >     I am trying to read Certificates and Private Key from Windows
> > > > Certificate Store and then using them in OpenSSL. I am able to read
> > > > Certificates but I am having trouble with reading Private Key. Has
> > > > anyone done this before, any pointers will be great. Thanks.
> > >
> > > Depends on what you want to do with the key. If you want to use it for
> > > SSL/TLS client authentication then you can use the CryptoAPI ENGINE to pick an
> > > appropriate certificate and key and use them directly. You just have to set
> > > the SSL client authentication ENGINE to capi.
> > >
> > > For other purposes you can load the private key from the capi ENGINE using
> > > ENGINE_load_private_key(). The string you pass by default is a substring
> > > of the certificate name e.g. if it has CN=steve then steve will do.
> > >
> > > Steve.