Certificate roll
Hi, Is there any material that shows how to roll to new certificates using OpenSSL ? I am looking for a test case to understand how this works. Anyone know about this ? Thanks, Mohan __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
VC++ 2008 / Windows Mobile 6 build problem.
Greetings. I try to build OpenSSL libraries for WM 6 Pro SDK. I downloaded 1.0.0a, wcecompat. 1) WCECOMPAT variable is set. 2) vcvars32.bat from VC/bin folder is run (there is no similar .bat file in WM SDK). 3) OpenSSL is configured as VC-CE. 3) ms/do_ms.bat launched. But I do not see cedll.mak file :( What is wrong? Thank you :) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Certificate roll
From: Mohan Radhakrishnan radhakrishnan.mo...@gmail.com Is there any material that shows how to roll to new certificates using OpenSSL ? I am looking for a test case to understand how this works. Anyone know about this ? Did you try to google something like generate certificate openssl or openssl certificates howto...? JD __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
SSL pointer is NULL after BIO_get_ssl call
Hello, I am developing an client application using OpenSSL C API. I have an error in the this code: /* connection struct consists of SSL_CTX, SSL and BIO pointers */ ... connection-ctx = SSL_CTX_new(SSLv23_client_method()); if (connection-ctx == NULL) { DEBUG_MESSAGE(SSL_CTX_new failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } if (!SSL_CTX_load_verify_locations(connection-ctx, NULL, ../share/xclient/certificates/)) { DEBUG_MESSAGE(SSL_CTX_load_verify_locations failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } connection-bio = BIO_new_ssl_connect(connection-ctx); if (connection-bio == NULL) { DEBUG_MESSAGE(BIO_new_ssl_connect failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } BIO_get_ssl(connection-bio, connection-ssl); if (connection-ssl == NULL); { DEBUG_MESSAGE(BIO_get_ssl failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } SSL_set_mode(connection-ssl, SSL_MODE_AUTO_RETRY); BIO_set_conn_hostname(connection-bio, xapi_get_dsnp_server_name(xapi_get_http_server_name(uri))); if (BIO_do_connect(connection-bio) 1) { DEBUG_MESSAGE(BIO_do_connect failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } if (SSL_get_verify_result(connection-ssl) != X509_V_OK) { DEBUG_MESSAGE(SSL_get_verify_result failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } ... After BIO_get_ssl function call SSL pointer is NULL. If I comment out the return from the function after this error, BIO_do_connect fails with message: 3078686456:error:0200206F:system library:connect:Connection refused:bss_conn.c:269:host=localhost:33500 3078686456:error:20073067:BIO routines:CONN_STATE:connect error:bss_conn.c:273: This is my makefile: CC = gcc TARGET = ../../bin/xtool CFLAGS = -Wall -ansi -D_REENTERANT -DXCOMMON_DEBUG -I../ -I/usr/include/glib-1.2 -I/usr/lib/glib/include LIBS = -lcurl -lglib -lcrypto -lssl SOURCES = main.c\ ../xapi/api.c all: $(CC) -o $(TARGET) $(CFLAGS) $(LIBS) $(SOURCES) What I am doing wrong? Sincerely, Kyrylo. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
The best way to limit cipher strength
What is the correct way to limit cipher suite strength, as in get rid of weak ciphers? I am contemplating building an openssl version with no support for export ciphers, and no support for SSLv2 cipher suites. I tried the config args of no-ssl2 and no-export, and got half the intended result. The SSLv2 suites are gone, but the export strength remains. So, what's the right way to do this? Thanks, rnd
Check the private key
Hi, I've got private key file priv.key with the following contents -BEGIN RSA PRIVATE KEY- MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMXxTv8clwKiAqHH oI3mn53v1VaH17K/o3toc040pF7+QYY+Pn1Vb53xQtb7zCe7DNPGyA5AylP4WoHi kBiolMASchWYDxyij3WpJuaginurwqAwYOB3XyxZqWP7xNaWLhLIdhLG72b7n8fX /vL+m3Xp7hxzjHVdXTjqVkk+S0/RAgMBAAECgYEAkAbjWhEteAb2L00X7+htH/hQ nOO++RskEzmPHMqFB3Gtr8Y+peeyjZPs9IzGoeoijT3Id0aBcdP11yhJfQe9IzOt Pad2M2xH16JbYlinBlsdo6do5On2i0u2FTs/xA2Pirs3zIzzf94ybDcPUFN9u8SQ Ry2MxXNW8D7OUO9H+DkCQQD3138OwwR9s2muVE9wpUfj1R/c3kCrmW2TvZZPMZIR +ENU1ZzsPd+2qpuqPWAUpaPHeN3e5aF8xFzfX1Yv7EHbAkEAzHVS5poKG7c1fNHQ UWXYsDW+6q7TiFN8r6U2xUEJlc9mc489V4f7oHd+sdKVnYNekluVqyrPn/r3AStp TcdSwwJAFzsk1r5i6mFp04Rlmdp0PZ/Zh7txdmRASCvqLewok/SgYxBO0DoQgS/G vZNZMTZBfs4OhfkiRO6nAe0OyBkuJwJBALyXX9+LqNVF2hWHZzMd0ZFAEhlhJ4dx EurlZy7tvcys4SCouHlb2jN65adaylzfR0WTKuwW8irsEBjJFToEKIcCQCBMjGBS lMpCMNwb7z0eX4SCQNElhL4eGDUP+UpaQBaw4o9bm8P8xecICrzw0boBS0cICGAV SICiwZgDVvyk2dw= -END RSA PRIVATE KEY- When I try to check key consistency I'am confusing with the following output RSA key ok 3076933256:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320: 3076933256:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:832: 3076933256:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:752:Field=n, Type=RSA 3076933256:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:115: So, the first string says that key is ok, but what these error strings mean? Unfortunately, I don't know this private key format. Can I do this (is it PKCS#1, PKCS#12 or others)? And what do I need to do to disapear error strings? Thank you! -- View this message in context: http://old.nabble.com/Check-the-private-key-tp29475867p29475867.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
SSL pointer is NULL after BIO_get_ssl call
Hello, I am developing an client application using OpenSSL C API. I have an error in the this code: /* connection struct consists of SSL_CTX, SSL and BIO pointers */ ... connection-ctx = SSL_CTX_new(SSLv23_client_method()); if (connection-ctx == NULL) { DEBUG_MESSAGE(SSL_CTX_new failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } if (!SSL_CTX_load_verify_locations(connection-ctx, NULL, ../share/xclient/certificates/)) { DEBUG_MESSAGE(SSL_CTX_load_verify_locations failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } connection-bio = BIO_new_ssl_connect(connection-ctx); if (connection-bio == NULL) { DEBUG_MESSAGE(BIO_new_ssl_connect failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } BIO_get_ssl(connection-bio, connection-ssl); if (connection-ssl == NULL); { DEBUG_MESSAGE(BIO_get_ssl failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } SSL_set_mode(connection-ssl, SSL_MODE_AUTO_RETRY); BIO_set_conn_hostname(connection-bio, xapi_get_dsnp_server_name(xapi_get_http_server_name(uri))); if (BIO_do_connect(connection-bio) 1) { DEBUG_MESSAGE(BIO_do_connect failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } if (SSL_get_verify_result(connection-ssl) != X509_V_OK) { DEBUG_MESSAGE(SSL_get_verify_result failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } ... After BIO_get_ssl function call SSL pointer is NULL. If I comment out the return from the function after this error, BIO_do_connect fails with message: 3078686456:error:0200206F:system library:connect:Connection refused:bss_conn.c:269:host=localhost:33500 3078686456:error:20073067:BIO routines:CONN_STATE:connect error:bss_conn.c:273: This is my makefile: CC = gcc TARGET = ../../bin/xtool CFLAGS = -Wall -std=ansi -D_REENTERANT -DXCOMMON_DEBUG -I../ -I/usr/include/glib-1.2 -I/usr/lib/glib/include LIBS = -lcurl -lglib -lcrypto -lssl SOURCES = main.c\ ../xapi/api.c all: $(CC) -o $(TARGET) $(CFLAGS) $(LIBS) $(SOURCES) What I am doing wrong? Sincerely, Kyrylo. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Certificate roll
Hi John, Yes. We do use SSL certificates. You can consider me a newbie. I am just trying to understand the ways to roll an intermediate or any other certificate that is going to expire soon without causing an outage. Is that possible at all ? (e.g) If a certificate is compromised I am trying to roll to a new certificate without bringing down my java application. Thanks, Mohan On Thu, Aug 19, 2010 at 2:11 PM, John Doe jd...@yahoo.com wrote: From: Mohan Radhakrishnan radhakrishnan.mo...@gmail.com Is there any material that shows how to roll to new certificates using OpenSSL ? I am looking for a test case to understand how this works. Anyone know about this ? Did you try to google something like generate certificate openssl or openssl certificates howto...? JD __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-us...@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Check the private key
Hi Vladimir, $ openssl asn1parse thekey 0:d=0 hl=4 l= 631 cons: SEQUENCE 4:d=1 hl=2 l= 1 prim: INTEGER :00 7:d=1 hl=2 l= 13 cons: SEQUENCE 9:d=2 hl=2 l= 9 prim: OBJECT:rsaEncryption 20:d=2 hl=2 l= 0 prim: NULL 22:d=1 hl=4 l= 609 prim: OCTET STRING [HEX DUMP]:3082025D0.. The real key starts at offset 26. Use the following command to extract it: $ openssl base64 -d thekey | dd bs=1 skip=26 | openssl rsa -inform DER -text But I've never seen this format before. You don't want to use the key anymore, right ? Cheers Christian On Wed, Aug 18, 2010 at 01:47:16PM -0700, VladimirShushkov wrote: Hi, I've got private key file priv.key with the following contents -BEGIN RSA PRIVATE KEY- MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMXxTv8clwKiAqHH oI3mn53v1VaH17K/o3toc040pF7+QYY+Pn1Vb53xQtb7zCe7DNPGyA5AylP4WoHi kBiolMASchWYDxyij3WpJuaginurwqAwYOB3XyxZqWP7xNaWLhLIdhLG72b7n8fX /vL+m3Xp7hxzjHVdXTjqVkk+S0/RAgMBAAECgYEAkAbjWhEteAb2L00X7+htH/hQ nOO++RskEzmPHMqFB3Gtr8Y+peeyjZPs9IzGoeoijT3Id0aBcdP11yhJfQe9IzOt Pad2M2xH16JbYlinBlsdo6do5On2i0u2FTs/xA2Pirs3zIzzf94ybDcPUFN9u8SQ Ry2MxXNW8D7OUO9H+DkCQQD3138OwwR9s2muVE9wpUfj1R/c3kCrmW2TvZZPMZIR +ENU1ZzsPd+2qpuqPWAUpaPHeN3e5aF8xFzfX1Yv7EHbAkEAzHVS5poKG7c1fNHQ UWXYsDW+6q7TiFN8r6U2xUEJlc9mc489V4f7oHd+sdKVnYNekluVqyrPn/r3AStp TcdSwwJAFzsk1r5i6mFp04Rlmdp0PZ/Zh7txdmRASCvqLewok/SgYxBO0DoQgS/G vZNZMTZBfs4OhfkiRO6nAe0OyBkuJwJBALyXX9+LqNVF2hWHZzMd0ZFAEhlhJ4dx EurlZy7tvcys4SCouHlb2jN65adaylzfR0WTKuwW8irsEBjJFToEKIcCQCBMjGBS lMpCMNwb7z0eX4SCQNElhL4eGDUP+UpaQBaw4o9bm8P8xecICrzw0boBS0cICGAV SICiwZgDVvyk2dw= -END RSA PRIVATE KEY- When I try to check key consistency I'am confusing with the following output RSA key ok 3076933256:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1320: 3076933256:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:832: 3076933256:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:752:Field=n, Type=RSA 3076933256:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:115: So, the first string says that key is ok, but what these error strings mean? Unfortunately, I don't know this private key format. Can I do this (is it PKCS#1, PKCS#12 or others)? And what do I need to do to disapear error strings? Thank you! -- View this message in context: http://old.nabble.com/Check-the-private-key-tp29475867p29475867.html Sent from the OpenSSL - User mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Man in the middle proxy - Not working
Hi I have created multiple threads for processing the multiple socket request. On each thread I am waiting on a processing a single socket request only May I attach my sample application along with my next posting so that you will get more idea about what I am doing and you can instruct me as well what went wrong in my application. Thanks, Raj Rajmohan SK - Original Message - From: David Schwartz dav...@webmaster.com To: openssl-users@openssl.org Sent: Thursday, August 19, 2010 5:51 AM Subject: RE: Man in the middle proxy - Not working Raj wrote: I have tried one more method to read the data from the socket, which was partially successful it is defined as follows do { dwReadDataLen = SSL_read(Serverssl,pBuff,iBufferSize); // Gets the data from the server side SSL_write(SourceSsl,pBuff,dwReadDataLen); // Writes the data back to the SSL } while(dwReadDataLen 0 ); This is the basic idea of how you proxy, but it can't work for a general HTTP proxy. For one thing, it assumes the end of a reply is marked by the close of a connection. This is true for some HTTP requests, but it's not true in general. You can write a proxy two different ways: 1) You can understand the protocol you are parsing and know when it changes directions. Based on this understanding, you can switch from proxying in one direction to proxying in the other. 2) You can avoid having to understand the protocol you are parsing. But in this case, you will not know which side is supposed to send data next, so you must always be ready to proxy in either direction. It seems you do neither of these two things. You try to proxy in only one direction at a time but you don't track the protocol. How do you even know when you've sent the entire request and can even enter this loop? How do you know when you've read the entire reply and can begin reading the next request? Your test condition, 'dwReadDataLen0' will be true so long as the connection is healthy. It will typically remain healthy even when the reply has been fully sent. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Create Cert Dynamically
Hi All Can anybody tell me how to create a Digital certificate and its key from an application, VC++ for Windows Thanks, Raj Rajmohan SK
Re: SSL pointer is NULL after BIO_get_ssl call
Sorry, first mistake was semicolon after if (connection-ssl == NULL); Hello, I am developing an client application using OpenSSL C API. I have an error in the this code: /* connection struct consists of SSL_CTX, SSL and BIO pointers */ ... connection-ctx = SSL_CTX_new(SSLv23_client_method()); if (connection-ctx == NULL) { DEBUG_MESSAGE(SSL_CTX_new failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } if (!SSL_CTX_load_verify_locations(connection-ctx, NULL, ../share/xclient/certificates/)) { DEBUG_MESSAGE(SSL_CTX_load_verify_locations failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } connection-bio = BIO_new_ssl_connect(connection-ctx); if (connection-bio == NULL) { DEBUG_MESSAGE(BIO_new_ssl_connect failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } BIO_get_ssl(connection-bio, connection-ssl); if (connection-ssl == NULL); { DEBUG_MESSAGE(BIO_get_ssl failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } SSL_set_mode(connection-ssl, SSL_MODE_AUTO_RETRY); BIO_set_conn_hostname(connection-bio, xapi_get_dsnp_server_name(xapi_get_http_server_name(uri))); if (BIO_do_connect(connection-bio) 1) { DEBUG_MESSAGE(BIO_do_connect failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } if (SSL_get_verify_result(connection-ssl) != X509_V_OK) { DEBUG_MESSAGE(SSL_get_verify_result failed\n); DEBUG(ERR_print_errors_fp(stdout)); return NULL; } ... After BIO_get_ssl function call SSL pointer is NULL. If I comment out the return from the function after this error, BIO_do_connect fails with message: 3078686456:error:0200206F:system library:connect:Connection refused:bss_conn.c:269:host=localhost:33500 3078686456:error:20073067:BIO routines:CONN_STATE:connect error:bss_conn.c:273: This is my makefile: CC = gcc TARGET = ../../bin/xtool CFLAGS = -Wall -ansi -D_REENTERANT -DXCOMMON_DEBUG -I../ -I/usr/include/glib-1.2 -I/usr/lib/glib/include LIBS = -lcurl -lglib -lcrypto -lssl SOURCES = main.c\ ../xapi/api.c all: $(CC) -o $(TARGET) $(CFLAGS) $(LIBS) $(SOURCES) What I am doing wrong? Sincerely, Kyrylo. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Getting info from SSL_CTX
Hi, I am trying to get info from SSL_CTX created through TCP connection, so that i can use that to encrypt/decrypt data and send through UDP. I am trying to authenticate and share keys using SSL_Connect handshake method, and then later extracting information from that CTX and encrypt data. Any pointers for this will be great. Thanks. - Harshvir
HowTo Check
Hi there I have some Problems with encrypted emails. A user sends me an encrypted mail where I have the corresponding certificate and Key. Unfortunately Mail (Apple) sais it cannot read that email and displays the smime.p7s file only. How can I check which certificate has been used to encrypt that email? Thanks Andre smime.p7s Description: S/MIME cryptographic signature
Re: Getting info from SSL_CTX
Harchvir, I am working on a similar problem, and from all I've seen the information you are looking for is not stored in the context, but rather in the actual SSL_SESSION object. There is a function SSL_SESSION_print(BIO* bio, SSL_SESSION * ses), and SSL_SESSION_print_fp(FILE* fp, SSL_SESSION * ses). This will print out all of the session information including the Master Key, which is what you need to create the session secret keys. You can look at the source for these functions (one calls the other) in ssl_txt.c starting at line 90 (for Openssl version 1.0.0a at least). The SSL_SESSION is just a struct that can be access like normal, i.e. ses-property Linked here: http://www.rsa.com/products/bsafe/documentation/mesuite21html/dev_guide/structssl__session__st.html#mcert is a pretty good outline of what the struct has in it. It's not from Openssl, so there is no guarantee that it is accurate, but I've found it to be correct for what I need. As for actually generating the session secret keys, and doing the decryption, I am at a loss for this as well. I am working on it right now, and would love to hear of any ideas you, or anyone else reading this email, have. I know that you have to then take the master secret, and generate the 4 keys (client/server MAC, and client/server session key) and then the two initialization vectors in order from this using the pseudo random function along with the client random bits, and the server random bits. Unfortunately I do not know where to access these random bits from. For SSLv3 it looks like there is a function ssl3_generate_key_block(SSL *s, unsigned char *km, int num) that is in ssl/s3_enc.c at line 160 that will generate the keys for you given the right parameters, and then there is a TLS equivalent function called tls1_PRF() found int ssl/t1_enc.c at line 230. This one takes a lot more parameters, but does not require the SSL structure like the first one does. I hope that this helps, and please let me know if you find anything else, or successfully generate the keys. Happy to help, Sam On Thu, Aug 19, 2010 at 8:10 AM, Harshvir Sidhu hvssi...@gmail.com wrote: Hi, I am trying to get info from SSL_CTX created through TCP connection, so that i can use that to encrypt/decrypt data and send through UDP. I am trying to authenticate and share keys using SSL_Connect handshake method, and then later extracting information from that CTX and encrypt data. Any pointers for this will be great. Thanks. - Harshvir -- Sam Jantz Software Engineer
Re: Create Cert Dynamically
For this you are going to need to use the Openssl C api, specifically the X509.h stuff. There are several functions that deal just with certificates, and everything you need to create one is there. As for the Key you will need to use EVP_PKEY which should come from the EVP family of functions. Since you are on Windows, you won't have the man pages handy, but http://www.tin.org/bin/allman.cgi is a site that lists the man pages online. As a starting place look into X509_new() and EVP_PKEY_new(). As for what to add to each, you might have to do some digging because I have never created them from scratch before. The Openssl binaries will create a certificate and private key for you, so it may be worth it to look into the source of those parts. Anyone one else who knows more feel free to chime in, I am still just a novice in this but I'm sharing what I can. It's no fun to have your question ignored, so I figured I would at least contribute what I knew. I hope this helps, and good luck! -Sam On Thu, Aug 19, 2010 at 7:34 AM, Raj rajmo...@codework-solutions.comwrote: Hi All Can anybody tell me how to create a Digital certificate and its key from an application, VC++ for Windows Thanks, Raj Rajmohan SK -- Sam Jantz Software Engineer
Fully UTF8 Subject line? UTF8 commonName?
Dear SSLers, Can someone point us to a hard example of encoding fields within a cert in UTF8? Specifically, we'd like to sign our CSRs with a UTF8-content 'subject' line. Essentially, we're ttying to be sure we spell our users' names correctly! We've already experimented with the UTF encoding switch in SSL but can't seem to get the correct characters encoded. Thanks! Lou
Re: Getting info from SSL_CTX
Sam, I will try this and incase have some questions then i will send an email. Thanks. - Harshvir On Thu, Aug 19, 2010 at 10:02 AM, Sam Jantz sjan...@gmail.com wrote: Harchvir, I am working on a similar problem, and from all I've seen the information you are looking for is not stored in the context, but rather in the actual SSL_SESSION object. There is a function SSL_SESSION_print(BIO* bio, SSL_SESSION * ses), and SSL_SESSION_print_fp(FILE* fp, SSL_SESSION * ses). This will print out all of the session information including the Master Key, which is what you need to create the session secret keys. You can look at the source for these functions (one calls the other) in ssl_txt.c starting at line 90 (for Openssl version 1.0.0a at least). The SSL_SESSION is just a struct that can be access like normal, i.e. ses-property Linked here: http://www.rsa.com/products/bsafe/documentation/mesuite21html/dev_guide/structssl__session__st.html#mcert is a pretty good outline of what the struct has in it. It's not from Openssl, so there is no guarantee that it is accurate, but I've found it to be correct for what I need. As for actually generating the session secret keys, and doing the decryption, I am at a loss for this as well. I am working on it right now, and would love to hear of any ideas you, or anyone else reading this email, have. I know that you have to then take the master secret, and generate the 4 keys (client/server MAC, and client/server session key) and then the two initialization vectors in order from this using the pseudo random function along with the client random bits, and the server random bits. Unfortunately I do not know where to access these random bits from. For SSLv3 it looks like there is a function ssl3_generate_key_block(SSL *s, unsigned char *km, int num) that is in ssl/s3_enc.c at line 160 that will generate the keys for you given the right parameters, and then there is a TLS equivalent function called tls1_PRF() found int ssl/t1_enc.c at line 230. This one takes a lot more parameters, but does not require the SSL structure like the first one does. I hope that this helps, and please let me know if you find anything else, or successfully generate the keys. Happy to help, Sam On Thu, Aug 19, 2010 at 8:10 AM, Harshvir Sidhu hvssi...@gmail.comwrote: Hi, I am trying to get info from SSL_CTX created through TCP connection, so that i can use that to encrypt/decrypt data and send through UDP. I am trying to authenticate and share keys using SSL_Connect handshake method, and then later extracting information from that CTX and encrypt data. Any pointers for this will be great. Thanks. - Harshvir -- Sam Jantz Software Engineer
Re: Certificate roll
Mohan, Unless the certificate is self-signed there is no way to change the information without having to invalidate it by signing it yourself anyway. You would either have to get a new certificate from the same (or other trusted) CA, and install that one, or (if it is self signed) generate a new certificate and sign it yourself with the same private key as before, and then start using the new one. So I am not familiar with the Java interface with SSL, but in c at least you would create this new cert using the X509 library. Hope this helps shed some light. -Sam On Thu, Aug 19, 2010 at 6:24 AM, Mohan Radhakrishnan radhakrishnan.mo...@gmail.com wrote: Hi John, Yes. We do use SSL certificates. You can consider me a newbie. I am just trying to understand the ways to roll an intermediate or any other certificate that is going to expire soon without causing an outage. Is that possible at all ? (e.g) If a certificate is compromised I am trying to roll to a new certificate without bringing down my java application. Thanks, Mohan On Thu, Aug 19, 2010 at 2:11 PM, John Doe jd...@yahoo.com wrote: From: Mohan Radhakrishnan radhakrishnan.mo...@gmail.com Is there any material that shows how to roll to new certificates using OpenSSL ? I am looking for a test case to understand how this works. Anyone know about this ? Did you try to google something like generate certificate openssl or openssl certificates howto...? JD __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org -- Sam Jantz Software Engineer
RE: The best way to limit cipher strength
After further study, I have accomplished my immediate goal by rebuilding sendmail with FFR_TLS_1 enabled which gives me a CipherList option, and a quick 'man ciphers' sets me down the path to strong ciphers. So, I'm good to go. But, as a thought project, how would I do what I had originally asked - limit the library to just strong ciphers - most correctly? From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Diffenderfer, Randy Sent: Wednesday, August 18, 2010 12:43 PM To: openssl-users@openssl.org Subject: The best way to limit cipher strength What is the correct way to limit cipher suite strength, as in get rid of weak ciphers? I am contemplating building an openssl version with no support for export ciphers, and no support for SSLv2 cipher suites. I tried the config args of no-ssl2 and no-export, and got half the intended result. The SSLv2 suites are gone, but the export strength remains. So, what's the right way to do this? Thanks, rnd
RE: Error: relocations based on the ABS44 coding model can not be used in building a shared object
Hi Time, Iam still facing the same issue. Actually I need to have .so similar to libssl.so libcrypto.so but just single one. And also I need to have the same in 64 Bit. Iam still getting the same error: ld: fatal: relocation error: R_SPARC_H44: file ssl/s2_meth.o: symbolunknown: relocations based on the ABS44 coding model can not be used in building a shared object One more theing to mention while doing ldd s2_math.o Iam having the following error: GNM056 linus cd ssl GNM056 linus pwd /osp/sde/Icc50_mnt_V01_view/lib/velizy/standard/openssl2/openssl2-0.9.8o/ssl GNM056 linus ldd s2_meth.o warning: ldd: s2_meth.o: is not executable ld.so.1: /usr/lib/sparcv9/lddstub: fatal: relocation error: R_SPARC_H44: file ./s2_meth.o: symbol unknown: relocations based on the ABS44 coding model can not be used in building a shared object ldd: s2_meth.o: execution failed due to signal 11 (core dumped) GNM056 linus That's why I think there is some problem in compilation of openssl because of which Iam having this error in ldd. Please help me out. Thanks. From: Tim Hudson [mailto:tim.hud...@pobox.com] Sent: 19 August 2010 09:43 To: BISHT, SEEMANT (SEEMANT) Subject: Re: Error: relocations based on the ABS44 coding model can not be used in building a shared object On 19/08/2010 2:01 AM, BISHT, SEEMANT (SEEMANT) wrote: Hi Tim, Thank you very much. I moved forward using your suggestion. But again Iam stuck at one point. (1) Iam facing problem in creating my specific .so. Iam having error: ld: fatal: relocation error: R_SPARC_H44: file ssl/s2_meth.o: symbolunknown: relocations based on the ABS44 coding model can not be used in building a shared object Iam using makefile: INCSO += -lsocket -lnsl -ldl -lkstat -lsunmath -lm CFLAGS = -xO4 -xarch=v9 -xcode=abs64 -G export CFLAGS Remove the -xcode=abs64 (actually I'd remove most of your CFLAGS definition - you should not need it - except perhaps the -G) You are now dealing with build issues in your code and not openssl. ar t libssl.a shows the list of objects in libssl.a ar t libcrypto.a will show the objects in libcrypto.a which libssl.a needs I haven't built an openssl solaris shared library configuration in a while - so I'd have to power on some of my solaris machines to check 0 however I don't think it is anything to do with openssl. BTW I didn't get the direct email to t...@cryptsoft.commailto:t...@cryptsoft.com so I've switched to an address which you might find easier to reach. Tim
Re: Authenticode timestamp processing: error while parsing timestamp request
On 18-08-2010 19:41, Alessandro Menti wrote: Thanks for your help, Jacob. Where can I find your signing tools? A quick Google search revealed no useful links. Sorry, closed source in-house code only, tied heavily into other closed source code, anyway it was a client, not a server. Alternatively, can you suggest me how to complete the original ASN.1 structures so as to add the explicit [0] tag? I have already searched the official OpenSSL documentation for some clues, but I have found nothing of interest (moreover, this is the first time I use the OpenSSL library in one of my projects). Sorry, I don't know how to specify ASN.1 structures in OpenSSL, my own code contained its own mini-DER encoder limited to just the needed structures, and didn't use OpenSSL either at the time. Anyway, I am not sure if your notation is the old deprecated one or the new one (OpenSSL transitioned from one way of doing ASN.1 to another some time ago, and there was a FAQ entry about not using ASN1_SOME_EVIL_MACRO). Thanks in advance, Alessandro Menti - Original structures - typedef struct { ASN1_OBJECT *type; ASN1_OCTET_STRING *data; } TimeStampContentInfo; typedef struct { ASN1_OBJECT *countersignatureType; TimeStampContentInfo *content; } TimeStampRequest; ASN1_SEQUENCE(TimeStampContentInfo) = { ASN1_SIMPLE(TimeStampContentInfo, type, ASN1_OBJECT), ASN1_EXP_OPT(TimeStampContentInfo, data, ASN1_OCTET_STRING, 0) } ASN1_SEQUENCE_END(TimeStampContentInfo) DECLARE_ASN1_FUNCTIONS(TimeStampRequest) ASN1_SEQUENCE(TimeStampRequest) = { ASN1_SIMPLE(TimeStampRequest, countersignatureType, ASN1_OBJECT), ASN1_SIMPLE(TimeStampRequest, content, TimeStampContentInfo) } ASN1_SEQUENCE_END(TimeStampRequest) IMPLEMENT_ASN1_FUNCTIONS(TimeStampRequest) __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Error: relocations based on the ABS44 coding model can not be used in building a shared object
As the first line of output from 'ldd s2_meth.o' says, the file is not an executable. Why are you running that command, and why are you expecting it to do anything useful? GIGO applies here, the output from the command is as meaningless as the command. I'd do a standard dynamic build of OpenSSL and carefully note the sequence of the commands and their parameters and order. Then set up your makefiles to do exactly the same commands except for including just the objects you want to include. Regards, jjf From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of BISHT, SEEMANT (SEEMANT) Sent: Thursday, August 19, 2010 7:36 AM To: Tim Hudson; t...@cryptsoft.com Cc: 'openssl-users@openssl.org' Subject: RE: Error: relocations based on the ABS44 coding model can not be used in building a shared object Hi Time, Iam still facing the same issue. Actually I need to have .so similar to libssl.so libcrypto.so but just single one. And also I need to have the same in 64 Bit. Iam still getting the same error: ld: fatal: relocation error: R_SPARC_H44: file ssl/s2_meth.o: symbolunknown: relocations based on the ABS44 coding model can not be used in building a shared object One more theing to mention while doing ldd s2_math.o Iam having the following error: GNM056 linus cd ssl GNM056 linus pwd /osp/sde/Icc50_mnt_V01_view/lib/velizy/standard/openssl2/openssl2-0.9.8o/ssl GNM056 linus ldd s2_meth.o warning: ldd: s2_meth.o: is not executable ld.so.1: /usr/lib/sparcv9/lddstub: fatal: relocation error: R_SPARC_H44: file ./s2_meth.o: symbol unknown: relocations based on the ABS44 coding model can not be used in building a shared object ldd: s2_meth.o: execution failed due to signal 11 (core dumped) GNM056 linus That's why I think there is some problem in compilation of openssl because of which Iam having this error in ldd. Please help me out. Thanks. From: Tim Hudson [mailto:tim.hud...@pobox.com] Sent: 19 August 2010 09:43 To: BISHT, SEEMANT (SEEMANT) Subject: Re: Error: relocations based on the ABS44 coding model can not be used in building a shared object On 19/08/2010 2:01 AM, BISHT, SEEMANT (SEEMANT) wrote: Hi Tim, Thank you very much. I moved forward using your suggestion. But again Iam stuck at one point. (1) Iam facing problem in creating my specific .so. Iam having error: ld: fatal: relocation error: R_SPARC_H44: file ssl/s2_meth.o: symbolunknown: relocations based on the ABS44 coding model can not be used in building a shared object Iam using makefile: INCSO += -lsocket -lnsl -ldl -lkstat -lsunmath -lm CFLAGS = -xO4 -xarch=v9 -xcode=abs64 -G export CFLAGS Remove the -xcode=abs64 (actually I'd remove most of your CFLAGS definition - you should not need it - except perhaps the -G) You are now dealing with build issues in your code and not openssl. ar t libssl.a shows the list of objects in libssl.a ar t libcrypto.a will show the objects in libcrypto.a which libssl.a needs I haven't built an openssl solaris shared library configuration in a while - so I'd have to power on some of my solaris machines to check 0 however I don't think it is anything to do with openssl. BTW I didn't get the direct email to t...@cryptsoft.commailto:t...@cryptsoft.com so I've switched to an address which you might find easier to reach. Tim