Why does my browser give a warning about a mismatched hostname
I generated the ssl request, I signed it in my CA (openssl) and uploaded the signed certificate back to the device. I also generated ca.der and uploaded it to my Internet browser. When I try to open iLO my browser gives a warning about a mismatched hostname. I'm accessing this device via IP address. I don't want to add these addresses to my DNS.

In the certificate request was:

CN = some-iLO-2-Subsystem-Name
OU = ISS
O = Hewlett-Packard Development Company
ST = Texas
C = US

In my CA certificate, which I used to sign the request, I've got:

CN = in...@mycompany.com
C = US
ST = MyState
L = myCity
E = in...@mycompany.com
OU = Infrastructure
O = MyCompany SP zoo

What should I do to connect to iLO without any warnings?

To create my own CA I used:

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf

To sign my certificate request I used:

openssl ca -notext -in /etc/ssl/req.txt /etc/ssl/ilocert.pem

My OpenSSL configuration file:

#
# Establish working directory.
#
dir = /etc/ssl

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/index.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 3650
default_md = md5
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match

[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024                  # Size of keys
default_keyfile = key.pem            # name of generated keys
default_md = md5                     # message digest algorithm
string_mask = nombstr                # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name                      Prompt string
#---------------------------         ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name                      Value
#---------------------------         ----------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Providence
countryName_default = US

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

Can anyone help me?

--
View this message in context: http://old.nabble.com/Why-does-my-browser-give-a-warning-about-a-mismatched-hostname-tp29237337p29237337.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Access Violation issue
Hello openssl users,

We are facing an access violation issue; your thoughts/comments will be helpful. Below are the details and sequence of events before the Access Violation occurs:

- myexe.exe calls myfunction() which loads and unloads mydll.dll at run time (LoadLibrary and FreeLibrary)
- myexe.exe may call myfunction() multiple times in the same process
- mydll.dll depends on SSL and CRYPTO dll
- Since CRYPTO is already loaded into myexe.exe address space, the load/unload of mydll.dll only maps/unmaps SSL and mydll dlls.

Now,

- After myexe loads mydll, it calls myConnect()
- myConnect() calls SSL_library_init() from SSL dll
- SSL_library_init() calls EVP_add_digest_alias(SN_md5,ssl2-md5)
- EVP_add_digest_alias() saves the address of the string defined in SSL dll into the names_lh hash in CRYPTO dll
- myexe.exe unloads mydll.dll after it is done using it
- SSL dll has been unloaded but, since CRYPTO dll is not unloaded, the hash in CRYPTO still has a reference to an address in the now invalid SSL address space
- the next time myexe.exe loads mydll.dll, the SSL library may be loaded into a different address space
- myexe.exe once again calls myConnect() which calls SSL_library_init()
- SSL_library_init calls EVP_add_digest_alias(SN_md5,ssl2-md5)
- EVP_add_digest_alias() tries to compare the new string against the old values stored in the names_lh hash
- Access violation occurs

Any suggestions will be helpful.

Thanks
Anil
Intermediate Cert
Hiya

I installed a Cert (Signed by Comodo) for a client. On restarting the webserver, Firefox was complaining about the new cert, but IE and Safari were not.

A friend of mine said I should try downloading the intermediate cert from Comodo and adding SSLCACertificateFile to apache. Lo and behold it worked. No more prompt from Firefox.

The question I would like to ask is: if I run 'openssl x509 -text cert.crt', is there anything for me to make a note of that I need to require the intermediate cert?

If anyone can shed some light it would be appreciated.

Kind Regards
Brent Clark
Re: Why does my browser give a warning about a mismatched hostname
On 23-07-2010 10:58, michu162 wrote:
> I generated the ssl request, I signed it in my CA (openssl) and uploaded the signed certificate back to the device. I also generated ca.der and uploaded it to my Internet browser. When I try to open iLO my browser gives a warning about a mismatched hostname. I'm accessing this device via IP address. I don't want to add these addresses to my DNS.
>
> In the certificate request was:
>
> CN = some-iLO-2-Subsystem-Name

This CN value should be the DNS name of the device (as entered in the URL), or you should look at the independent subjectAlternativeName feature.

For example, if the URL is

https://some-server-ilo.managementnet.yourcompany.example/hp_blue.gif

then the value in the certificate should be

CN = some-server-ilo.managementnet.yourcompany.example
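The rule the reply describes, written out as an added example (not code from the thread): what a browser compares the URL's host against, including the case the original poster is in (access by IP address, certificate with a CN only). The sample certificate identities and the 192.0.2.10 address are constructed placeholders; the matching logic also goes beyond the reply by handling wildcard names the way RFC 6125 does.

```python
import ipaddress

# Constructed sample identities (not from the original thread): the iLO
# certificate as described in the question (CN only, no subjectAltName),
# and a corrected one carrying DNS and IP entries in the subjectAltName.
ILO_CERT_CN_ONLY = {"cn": "some-iLO-2-Subsystem-Name", "dns": [], "ip": []}
ILO_CERT_WITH_SAN = {
    "cn": "some-iLO-2-Subsystem-Name",
    "dns": ["some-server-ilo.managementnet.yourcompany.example"],
    "ip": ["192.0.2.10"],  # TEST-NET placeholder address
}


def _dns_name_match(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, '*' allowed only as the
    whole leftmost label, never matching across a dot or a bare TLD."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False  # "*.com" or "f*o.example" style patterns are rejected
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(cert: dict, reference: str) -> bool:
    """Decide whether the host typed in the URL matches the certificate.

    cert = {"cn": str, "dns": [dNSName SAN entries], "ip": [iPAddress SANs]}
    """
    try:
        addr = ipaddress.ip_address(reference)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal is matched only against iPAddress SAN entries; a CN
        # holding the address is not consulted by modern browsers.
        return any(addr == ipaddress.ip_address(i) for i in cert["ip"])
    if cert["dns"]:
        # As soon as dNSName SAN entries exist, the CN is ignored entirely.
        return any(_dns_name_match(p, reference) for p in cert["dns"])
    # Legacy fallback: no SAN at all, so compare against the CN.
    return _dns_name_match(cert["cn"], reference)
```

With OpenSSL the corresponding request extension line is `subjectAltName = DNS:some-server-ilo.managementnet.yourcompany.example,IP:192.0.2.10` in the section named by req_extensions, and `openssl x509 -text` shows it under "X509v3 Subject Alternative Name".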
Re: Intermediate Cert
On 23-07-2010 13:54, Brent Clark wrote:
> Hiya
>
> I installed a Cert (Signed by Comodo) for a client. On restarting the webserver, Firefox was complaining about the new cert, but IE and Safari were not.
>
> A friend of mine said I should try downloading the intermediate cert from Comodo and adding SSLCACertificateFile to apache. Lo and behold it worked. No more prompt from Firefox.
>
> The question I would like to ask is: if I run 'openssl x509 -text cert.crt', is there anything for me to make a note of that I need to require the intermediate cert?

Easy: the Issuer field is not Comodo, but the intermediary cert you need. Then when you have got it, repeat the exercise with that certificate etc. until you get to the already trusted CA cert.

Even easier, try using the openssl verify command against the certificate; it will complain about the missing cert if it doesn't get it as an extra option.

IE and Safari may have local copies of the extra cert or may implement code to do the download automatically based on a URL elsewhere in the certificate.
Re: Problems building 1.0.0a on 64-bit Windows XP Pro
On Thu, Jul 22, 2010 at 17:18, Kevin Layer <la...@franz.com> wrote:
> I searched the archives and didn't see anything like this. I can build on 32-bit XP with no problems.
>
> set ASM=ml64 /c /Cp /Cx /Zi
> perl crypto\md5\asm\md5-x86_64.pl tmp32dll\md5-x86_64.asm
> Use of uninitialized value $flavour in pattern match (m//) at crypto\md5\asm\md5-x86_64.pl line 115.
> ml64 /c /Cp /Cx /Zi /Fotmp32dll\md5-x86_64.obj tmp32dll\md5-x86_64.asm
> Assembling: tmp32dll\md5-x86_64.asm
> tmp32dll\md5-x86_64.asm(766) : error A2206: missing operator in expression
> tmp32dll\md5-x86_64.asm(767) : error A2206: missing operator in expression
> tmp32dll\md5-x86_64.asm(768) : error A2206: missing operator in expression
> tmp32dll\md5-x86_64.asm(775) : error A2206: missing operator in expression
> Microsoft (R) Macro Assembler (AMD64) Version 8.00.40310.39
> Copyright (C) Microsoft Corporation. All rights reserved.
>
> NMAKE : fatal error U1077: 'ml64' : return code '0x1'
> Stop.

googled your error message, found this:

http://social.msdn.microsoft.com/Forums/en-US/vclanguage/thread/f4c79dbc-7048-4513-bd63-70352186512f

> d:\openssl.build\openssl-1.0.0a>
>
> ml64 and perl versions:
>
> d:\openssl.build\openssl-1.0.0a>ml64
> usage: ML [ options ] filelist [ /link linkoptions]
> Run ML /help or ML /? for more info
> Microsoft (R) Macro Assembler (AMD64) Version 8.00.40310.39
> Copyright (C) Microsoft Corporation. All rights reserved.
>
> d:\openssl.build\openssl-1.0.0a>perl --version
>
> This is perl 5, version 12, subversion 1 (v5.12.1) built for MSWin32-x64-multi-thread
> (with 3 registered patches, see perl -V for more detail)
>
> Copyright 1987-2010, Larry Wall
>
> Binary build 1201 [292674] provided by ActiveState http://www.ActiveState.com
> Built May 14 2010 00:22:26
>
> Ideas?

I
Creating ASN.1 Set of Sets
Hello,

so far, I've been using i2d_ASN1_SET to create a set of ASN1_INTEGER (to include it in a custom X509 certificate). The problem is that I need to create a set of sets of ASN1_INTEGER now and I'd like to know what's the best way to do this.

What I've tried is using a STACK of STACK of ASN1_INTEGER together with an i2d_of_void type function that encapsulates i2d_ASN1_SET so I can pass this function again to i2d_ASN1_SET, but I haven't been successful with that so far.

Can anyone point me to resources on how I should write this code or give me hints?

Thanks and best regards,

Christian Holler
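Whatever i2d-style wrapper ends up being passed to i2d_ASN1_SET, the bytes it has to produce for a SET OF SET OF INTEGER are fixed by DER. This added stand-alone encoder (not OpenSSL's API and not from the thread) shows that layout, including the minimal two's-complement INTEGER body and the X.690 ordering rule for SET OF elements, so the output of the nested i2d approach can be compared against it (or inspected with `openssl asn1parse -inform DER`).

```python
def der_length(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """ASN1_INTEGER (tag 0x02): the shortest two's-complement body that
    still carries the sign, so 128 becomes 00 80 and -128 becomes 80."""
    nbytes = 1
    while not (-(1 << (8 * nbytes - 1)) <= value < (1 << (8 * nbytes - 1))):
        nbytes += 1
    body = value.to_bytes(nbytes, "big", signed=True)
    return b"\x02" + der_length(len(body)) + body


def der_set_of(elements: list[bytes]) -> bytes:
    """SET OF (tag 0x31, constructed). DER requires the element encodings
    in ascending order, compared as octet strings with the shorter one
    padded at the end with zero octets (X.690 11.6); raw byte order only
    differs from this on exact ties, but the rule is followed literally."""
    width = max((len(e) for e in elements), default=0)
    ordered = sorted(elements, key=lambda e: e.ljust(width, b"\x00"))
    body = b"".join(ordered)
    return b"\x31" + der_length(len(body)) + body


def set_of_sets_of_integers(groups: list[list[int]]) -> bytes:
    """Encode SET OF SET OF INTEGER: each inner set first, then the outer
    set over the inner encodings (the same nesting the i2d wrapper needs)."""
    return der_set_of([der_set_of([der_integer(v) for v in g]) for g in groups])


if __name__ == "__main__":
    # Constructed sample input: {{3, 1}, {2}}; both levels get sorted.
    print(set_of_sets_of_integers([[3, 1], [2]]).hex())
```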
RE: Intermediate Cert
If your cert is not signed by a cert that is trusted by popular browsers, you will have to include all certs with it in the apache server config, up to (not necessarily including) one that browsers trust. Now, this would generally mean all intermediate certs up to a trusted (root) cert. What you did achieved that.

Remember that, IIRC, some browsers may ALREADY have common intermediate certs, so it may not be necessary for them.

Also, if the cert has appropriate AIA extensions, it MAY be able to indicate where to locate the intermediate certs necessary, so they could be retrieved (and verified against trusted certs the browser already has), but most PKI libraries (including openssl) will not do this automatically: it would have to be a client (e.g. browser) operation to help build the trust chain.

So, best practice is for the apache server to send all intermediate certs up to, but excluding, the root CA cert. It would not be wrong to send the root CA cert as well, but would take some bandwidth to do so.

-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of Brent Clark
Sent: Fri 7/23/2010 4:54 AM
To: openssl-users@openssl.org
Subject: Intermediate Cert

> Hiya
>
> I installed a Cert (Signed by Comodo) for a client. On restarting the webserver, Firefox was complaining about the new cert, but IE and Safari were not.
>
> A friend of mine said I should try downloading the intermediate cert from Comodo and adding SSLCACertificateFile to apache. Lo and behold it worked. No more prompt from Firefox.
>
> The question I would like to ask is: if I run 'openssl x509 -text cert.crt', is there anything for me to make a note of that I need to require the intermediate cert?
>
> If anyone can shed some light it would be appreciated.
>
> Kind Regards
> Brent Clark
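The chain walk that both replies in this thread describe (follow the Issuer field to a certificate with that Subject, repeat until you reach a trusted CA, and notice when the link is missing), as an added example that is not part of either reply. The certificates are constructed placeholders holding only the Subject and Issuer names that `openssl x509 -text` would print; like `openssl verify`, the walk consults only what the server sent plus the local trust store and never fetches from AIA URLs, and a browser's cached copy of an intermediate is modelled by adding it to the second argument.

```python
# Constructed sample certificates modelled on the thread (placeholder
# names, not real Comodo certificates): subject/issuer pairs only.
LEAF = {"subject": "CN=www.client.example", "issuer": "CN=Example Intermediate CA"}
INTERMEDIATE = {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA"}
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"}


def build_chain(leaf: dict, sent_by_server: list, trust_store: list):
    """Walk Issuer -> Subject from the leaf up to a trusted certificate.

    Returns (chain, missing): chain lists subjects from the leaf up to the
    first certificate found in trust_store; missing is the issuer name that
    could be found neither in sent_by_server nor in trust_store, or None on
    success. This is the check the reply says openssl verify performs when
    the intermediate is not supplied as an extra option.
    """
    by_subject = {c["subject"]: c for c in sent_by_server}
    trusted = {c["subject"] for c in trust_store}
    chain, current, seen = [leaf["subject"]], leaf, {leaf["subject"]}
    while current["subject"] not in trusted:
        issuer = current["issuer"]
        if issuer in trusted:
            return chain + [issuer], None
        nxt = by_subject.get(issuer)
        if nxt is None or issuer in seen:  # gap in the chain, or a loop
            return chain, issuer
        chain.append(issuer)
        seen.add(issuer)
        current = nxt
    return chain, None


if __name__ == "__main__":
    # Firefox's view: only the leaf was sent, intermediate not known.
    print(build_chain(LEAF, [LEAF], [ROOT]))
    # After SSLCACertificateFile: server sends the intermediate too.
    print(build_chain(LEAF, [LEAF, INTERMEDIATE], [ROOT]))
```

The equivalent OpenSSL check is `openssl verify -CAfile root.pem cert.crt`, which fails until the intermediate is supplied with `-untrusted intermediate.pem`.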
I want to build a man in the middle proxy server application.
Sub: I want to build a man in the middle proxy server application.

I have experimented with so many methods to achieve this. But my application is failing when I tried to browse from the browser (IE 8 and Firefox 3.7).

I have configured my browser proxy settings to '4433' port. My application is listening on this port; when I connect to this port from my browser with the URL https://localhost:4433 it is working, only a certificate warning is there.

When I try to connect to another secured site, the SSL_accept function is returning -1 and my error code is as follows.

2572:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:.\ssl\s23_srvr.c:391:

I am not able to trace out the problem for many days and am stuck at this point. Anybody please help me to trace out this issue.
RE: I want to build a man in the middle proxy server application.
You DO realize that you will have to re-sign the remote cert with a CA your clients trust, right?

[SHAMELESS PLUG] Or, buy a WatchGuard product that does HTTPS/DPI (Deep Packet Inspection). It's how we scan for malware and block sites inside of HTTPS connections. [/SHAMELESS PLUG]

-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of rajmohan sk
Sent: Fri 7/23/2010 4:29 AM
To: openssl-users@openssl.org
Subject: I want to build a man in the middle proxy server application.

> Sub: I want to build a man in the middle proxy server application.
>
> I have experimented with so many methods to achieve this. But my application is failing when I tried to browse from the browser (IE 8 and Firefox 3.7).
>
> I have configured my browser proxy settings to '4433' port. My application is listening on this port; when I connect to this port from my browser with the URL https://localhost:4433 it is working, only a certificate warning is there.
>
> When I try to connect to another secured site, the SSL_accept function is returning -1 and my error code is as follows.
>
> 2572:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:.\ssl\s23_srvr.c:391:
>
> I am not able to trace out the problem for many days and am stuck at this point. Anybody please help me to trace out this issue.
Re: I want to build a man in the middle proxy server application.
On Friday 23 July 2010 06:29:11, you wrote:
> Sub: I want to build a man in the middle proxy server application.
>
> I have experimented with so many methods to achieve this. But my application is failing when I tried to browse from the browser (IE 8 and Firefox 3.7).
>
> I have configured my browser proxy settings to '4433' port. My application is listening on this port; when I connect to this port from my browser with the URL https://localhost:4433 it is working, only a certificate warning is there.
>
> When I try to connect to another secured site, the SSL_accept function is returning -1 and my error code is as follows.
>
> 2572:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:.\ssl\s23_srvr.c:391:
>
> I am not able to trace out the problem for many days and am stuck at this point. Anybody please help me to trace out this issue.

Are you aware of legal issues? If SO then contact me offline :)

LD
Wildcard certs?
Just wondering how I must request a wildcard cert, for example to accept all of *.mydomain.com

Regards,

LD
Re: Wildcard certs?
Hi,

All major commercial CAs do provide wildcard SSL certificates and the price is usually high. Googling gives the following links for Comodo, Thawte and Verisign:

- http://www.comodo.com/e-commerce/ssl-certificates/wildcard-ssl.php
- http://www.thawte.com/ssl/wildcard-ssl-certificates/
- http://www.verisign.com/ssl-certificates/wildcard-ssl-certificates/

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 7/24/2010 2:02 AM, Luis Daniel Lucio Quiroz wrote:
> Just wondering how I must request a wildcard cert, for example to accept all of *.mydomain.com
>
> Regards,
>
> LD
Re: Wildcard certs?
There's a company called StartCom (http://www.startssl.com/) who will do 2-year validity wildcard certs, upon verification of your identity and verification that you have control of the domain for which you are requesting certificates.

Oh, and they're included in the latest Microsoft Root Certificate Update for Windows XP, and all later versions; Firefox recognizes them, they're part of Apple's certificate store, and it's pretty much only Opera who doesn't recognize them for whatever reason.

-Kyle H

On 7/23/10 6:24 PM, Mounir IDRASSI wrote:
> Hi,
>
> All major commercial CAs do provide wildcard SSL certificates and the price is usually high. Googling gives the following links for Comodo, Thawte and Verisign:
>
> - http://www.comodo.com/e-commerce/ssl-certificates/wildcard-ssl.php
> - http://www.thawte.com/ssl/wildcard-ssl-certificates/
> - http://www.verisign.com/ssl-certificates/wildcard-ssl-certificates/
>
> Cheers,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
>
> On 7/24/2010 2:02 AM, Luis Daniel Lucio Quiroz wrote:
>> Just wondering how I must request a wildcard cert, for example to accept all of *.mydomain.com
>>
>> Regards,
>>
>> LD
Re: I want to build a man in the middle proxy server application.
Typically, https is proxied with the CONNECT method, and as such Apache typically blocks requests for proxying that have https URLs. I believe you might be able to force it with mod_rewrite, with RewriteEngine on and RewriteRule (.*) $1 [P] or something like that, but I'm not a mod_rewrite god so don't quote me.

What I do know is that you might^Wwill run into some issues with privacy and expected-to-be-encrypted communications, unless you're building this only for your own use. In the US, there's the Electronic Communications Privacy Act of 1986, and virtually every other country I know of has something much like it. In some areas, these rules don't apply if you explain as part of new-hire orientation that they have no expectation of privacy, and that everything can and will be monitored, even if they're trying to browse to their bank to figure out if they can afford a given business trip. It's possible that in some jurisdictions, these rights can't be waived. (Though the use of a company computer suggests that the user does so only with company permission, which is contingent on accepting the fact that you monitor everything... that's murky territory, and outside of my scope.)

If you're trying to build this for your own benefit... I like your style. There's no inherent reason why everything a proxy caches has to be unencrypted, and there's no inherent reason why you shouldn't keep a copy of everything you've downloaded. or anything you've downloaded.

-Kyle H

On 7/23/10 4:29 AM, rajmohan sk wrote:
> Sub: I want to build a man in the middle proxy server application.
>
> I have experimented with so many methods to achieve this. But my application is failing when I tried to browse from the browser (IE 8 and Firefox 3.7).
>
> I have configured my browser proxy settings to '4433' port. My application is listening on this port; when I connect to this port from my browser with the URL https://localhost:4433 it is working, only a certificate warning is there.
>
> When I try to connect to another secured site, the SSL_accept function is returning -1 and my error code is as follows.
>
> 2572:error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request:.\ssl\s23_srvr.c:391:
>
> I am not able to trace out the problem for many days and am stuck at this point. Anybody please help me to trace out this issue.