Re: get subjectAltName
Thank you Christian, it helped to decode the kerberos principal name . The code worked. Regards Naveen Christian Hohnstaedt wrote: On Wed, Sep 22, 2010 at 05:48:07PM +0530, Naveen B.N wrote: Thank you Christian, your suggestions helped us to get the position but as you mentioned the problem of resolving to kerberos principal name, i tried Google and added a piece of code but i am not getting the out put as shown below . #include stdio.h #include string.h #include openssl/sha.h #include openssl/hmac.h #include openssl/evp.h #include openssl/bio.h #include openssl/buffer.h #include openssl/x509.h #include openssl/x509v3.h #include sys/types.h #include sys/stat.h #include unistd.h #define CERT_INFO_MAX_ENTRIES 15 #define CERT_INFO_SIZE 10 /* http://www.h5l.org/manual/HEAD/info/heimdal/Setting-up-PK_002dINIT.html KRB5PrincipalName ::= SEQUENCE { realm [0] Realm, principalName [1] PrincipalName } Maybe this is already defined somewhere in OpenSSL - I didn't find it. */ typedef struct kdc_princname_st { ASN1_GENERALSTRING *realm; KRB5_PRINCNAME *princname; } KDC_PRINCNAME; ASN1_SEQUENCE(KDC_PRINCNAME) = { ASN1_EXP(KDC_PRINCNAME, realm, ASN1_GENERALSTRING, 0), ASN1_EXP(KDC_PRINCNAME, princname, KRB5_PRINCNAME, 1) } ASN1_SEQUENCE_END(KDC_PRINCNAME) IMPLEMENT_ASN1_FUNCTIONS(KDC_PRINCNAME) static char **cert_info_kpn(X509 *x509) { int i,j; static char *entries[CERT_INFO_SIZE]; STACK_OF(GENERAL_NAME) *gens; GENERAL_NAME *name; ASN1_OBJECT *krb5PrincipalName; printf(Trying to find a Kerberos Principal Name in certificate); gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL); krb5PrincipalName = OBJ_txt2obj(1.3.6.1.5.2.2, 1); if (!gens) { printf(No alternate name extensions); return NULL; /* no alternate names */ } if (!krb5PrincipalName) { printf(Cannot map KPN object); return NULL; } for (i=0,j=0; (i sk_GENERAL_NAME_num(gens)) (jCERT_INFO_MAX_ENTRIES); i++) { name = sk_GENERAL_NAME_value(gens, i); if ( name name-type==GEN_OTHERNAME ) { /* test for UPN */ if (OBJ_cmp(name-d.otherName-type_id, krb5PrincipalName)) continue; /* object is not a UPN */ else { /* NOTE: from PKINIT RFC, I deduce that stored format for kerberos Principal Name is ASN1_STRING, but not sure at 100% Any help will be granted */ unsigned char *txt; ASN1_TYPE *val = name-d.otherName-value; ASN1_STRING *str= val-value.asn1_string; printf(Found Kerberos Principal Name ); unsigned char * p = str-data; KDC_PRINCNAME *pn = d2i_KDC_PRINCNAME(NULL, p, str-length); KRB5_PRINCNAME *princname = pn-princname; printf(Realm '%*s'\nNAMETYPE: %ld\n, pn-realm-length, pn-realm-data, ASN1_INTEGER_get(princname-nametype)); for (j=0; jsk_ASN1_GENERALSTRING_num(princname-namestring); j++) { ASN1_GENERALSTRING *gs = sk_ASN1_GENERALSTRING_value(princname-namestring,j); printf([%i] %*s\n, j, gs-length, gs-data); } Cheers Christian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Problem with rsa_keygen
That's not the problem, I think, because if the only instruction of the function is: int rsa_keygen (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb) { return 1; } I get the segmentation fault when the rsa_keygen ends. But if I return 0 or -1 (errors) OpenSSL reports me error in genrsa and call ends ok (no segmentation fault or something like that). 2010/9/22 Christian Hohnstaedt christ...@hohnstaedt.de On Wed, Sep 22, 2010 at 03:41:30PM +0200, Nacho ?lvarez wrote: Hello everybody Several months ago I developed an OpenSSL PKCS#11 engine for Windows XP and it worked ok (it was compiled with MinGW). Now I'm trying to compile it on Linux (Debian 5 with GCC 4.3.1) but I have the next problem: In the overwritten function *rsa_keygen* (whose signature is *int rsa_keygen (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)*) always when the function ends (after the return instrucction) System reports me *Segmentation Fault*. You overwrote you return address on the stack most probably by accessing a locally declared array out of bounds. Cheers Christian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Problem with rsa_keygen
On Thu, Sep 23, 2010 at 10:08:40AM +0200, Nacho ?lvarez wrote: That's not the problem, I think, because if the only instruction of the function is: int rsa_keygen (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb) { return 1; } I get the segmentation fault when the rsa_keygen ends. But if I return 0 or -1 (errors) OpenSSL reports me error in genrsa and call ends ok (no segmentation fault or something like that). What about posting the relevant part of the code? And the gdb output. It would help a lot. Cheers Christian 2010/9/22 Christian Hohnstaedt christ...@hohnstaedt.de On Wed, Sep 22, 2010 at 03:41:30PM +0200, Nacho ?lvarez wrote: Hello everybody Several months ago I developed an OpenSSL PKCS#11 engine for Windows XP and it worked ok (it was compiled with MinGW). Now I'm trying to compile it on Linux (Debian 5 with GCC 4.3.1) but I have the next problem: In the overwritten function *rsa_keygen* (whose signature is *int rsa_keygen (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb)*) always when the function ends (after the return instrucction) System reports me *Segmentation Fault*. You overwrote you return address on the stack most probably by accessing a locally declared array out of bounds. Cheers Christian __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: LNK4078 and LNK4210 linking with x64 static libs
Hi, Thanks for your suggestion! But as far as I see, the assembler code in x86_64cpuid.asm _is_ the reference to OPENSSL_cpuid_setup! The runtime will call the functions given in the .CRT$XCU section before calling the main() entry. And it seems to me that the OPENSSL_cpuid_setup function in crypto/cryptlib.c does have useful code on Windows platforms, and so should be called, shouldn't it? It initializes a static variable with some processor specific info, whose value may be taken via the OPENSSL_ia32cap_loc() function. I tried printf(%lu, *OPENSSL_ia32cap_loc()), which prints out 0 using the x64 code, while printing 2951479295 using 32-bit code, indicating that OPENSSL_cpuid_setup has only been executed with the 32-bit code. What's the impact of this? Isn't it a bug? Cheers, Per Jack Zhang wrote: I had got the same problem. I just simply deleted that section EXTERNOPENSSL_cpuid_setup section.CRT$XCU ALIGN8 DQOPENSSL_cpuid_setup section.text code align=64 from the asm file because the extern OpenSSL_cpuid_setup is never referenced. Good luck On Tue, Sep 21, 2010 at 9:57 AM, perfry wrote: Hi, I've built 1.0.0a on Windows with VS2005, using nt.mak to get static libraries. With x64 I get warnings when linking applications, both openssl.exe and test programs like sha1test.exe. A snippet of output from nmake -f ms\nt.mak: link /nologo /subsystem:console /opt:ref /debug /out:out32\openssl.exe @C:\DOCUME~1\FRYKEN~1\LOCALS~1\Temp\nm3B3.tmp LIBCMT.lib(crt0init.obj) : warning LNK4254: section '.CRT' (6020) merged into '.rdata' (4040) with different attributes And when linking our own application on x64/Release platform: libeay32.lib(x86_64cpuid.obj) : warning LNK4078: multiple '.CRT' sections found with different attributes (60500020) libeay32.lib(x86_64cpuid.obj) : warning LNK4210: .CRT section exists; there may be unhandled static initializers or terminators The linker command can be deduced from the following: Creating temporary file c:\utv\ccbas4\ccbase\x64\Release\RSP132444832.rsp with contents [ /OUT:../deploy/execs/x64/Release/etnode.exe /INCREMENTAL:NO /MANIFEST /MANIFESTFILE:x64/Release\etnode.exe.intermediate.manifest /DELAYLOAD:oci.dll /DEBUG /PDB:../deploy/execs/x64/Release/etnode.pdb /SUBSYSTEM:CONSOLE /LTCG psapi.lib odbc32.lib odbccp32.lib WS2_32.LIB ADVAPI32.LIB GDI32.LIB USER32.LIB dbghelp.lib ../snibu/logging-log4cxx/msvc/lib/x64/Release/log4cxxs.lib ../snibu/openssl-1.0.0a/x64/Release/lib/ssleay32.lib ../snibu/openssl-1.0.0a/x64/Release/lib/libeay32.lib ../snibu/oracle/x64/instantclient_10_2/sdk/lib/msvc/oci.lib ../snibu/zlib/msvc/lib/x64/Release/zlibstat.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib DelayImp.lib .\x64\Release\CCcServApp.obj ... .\x64\Release\Bas4Bridge.obj ] Creating command line link.exe @c:\utv\ccbas4\ccbase\x64\Release\RSP132444832.rsp /NOLOGO /ERRORREPORT:PROMPT I've done the following to build openssl: cd /d C:\utv\snibu\openssl\x64\release\openssl-1.0.0a call C:\Program Files\Microsoft Visual Studio 8\VC\vcvarsall.bat x86_amd64 perl Configure VC-WIN64A --prefix=c:\appl\openssl-1.0.0a\x64\release ms\do_win64a.bat nmake -f ms\nt.mak nmake -f ms\nt.mak install And the file x86_64cpuid.asm mentioned in the warnings starts with the following: defaultrel EXTERNOPENSSL_cpuid_setup section.CRT$XCU ALIGN8 DQOPENSSL_cpuid_setup section.text code align=64 ... Could somebody help me solve this warning, it seems to me that OPENSSL_cpuid_setup will not be executed. Best regards, Per Frykenvall __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org mailto:openssl-users@openssl.org Automated List Manager majord...@openssl.org mailto:majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Self-signed CA problem for internal web application
Sure.. but please excuse me as this is the first time posting on this forum ~ post in plain text or does this system support attached files? Patrick Patterson wrote: Hi Chris: Can you post the certificates in question? My guess is that you don't have the various extensions set according to the PKIX standards that the Browsers are expecting. Thanks. Patrick. On 2010-09-22, at 2:57 PM, Chris Rider wrote: We have a client/server architecture based product that needs to allow SSL communication between our server (CentOS) and various clients' web browsers (and additionally, other devices, but that's beyond the scope of this post). We've been able to get SSL working in both of two different ways (self-signed certificate self-signed CA with certificates signed by that) -- so that is not the issue. Rather, our whole issue is that we don't want the end-users to confronted with a big scary browser message that says something akin to There's a Problem With Security! / Allow Exception, etc. If they must install a certificate or two, that would be acceptable, though. So I thought that creating my own CA to sign certificates with would be a solution apparently not. I'm now getting browser messages that say the certificate's issuer is not trusted!!! Very frustrating. So, as I said, I've created my own CA (using this link as a guide: http://www.g-loaded.eu/2005/11/10/be-your-own-ca/ ), and can sign my own certificates without problem. I then install the root certificate, followed by a server certificate signed by that CA. And, while I can click allow exception in the browser to make it all work, that is not the desired way. We just want to be able to have the end-user install a trusted root certificate and everything just work from there. Testing in IE and FireFox nets the same big scary warning message, no matter what combination of fields I use in the CSR, etc. We really don't want to go with a third party CA like VeriSign, for example -- not so much because of the cost, but we just don't want to deal with updating countless remote installations of our product whenever the certificate expires. Not to mention the support that would be associated with doing that! The other issue is that some/most of these installations do not have outside internet connectivity with which to query the CA's (for CRL's, or whatever). We really need to manage our own certificates, all in all but without these warning messages. Is it possible? If so, what am I missing? -- Chris Rider, Systems Architect MessageNet Systems chris.ri...@messagenetsystems.com __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org --- Patrick Patterson President and Chief PKI Architect Carillon Information Security Inc. http://www.carillon.ca tel: +1 514 485 0789 mobile: +1 514 994 8699 fax: +1 450 424 9559 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Self-signed CA problem for internal web application
I think we're on to something here... thank you for your time and attention, btw! I still can't see anything about the AIA thing, but I took another go at the basicConstraints and keyUsage, and seem to have slightly better results. I changed basicConstraints to True (it was FALSE by default), so that makes sense. I also just tacked on certSign to the end of the keyUsage string. Now, when I generate the keys and install the CA's certificate on the client, even IE will automatically detect/install as a trusted root... which it wasn't before. So I think we're onto something with my CA. But now, when I go to sign the server certificate using my CA, I am getting the following errors: (using the exact same process -- scripted -- as before, so the only thing changed is the CA config file / CA keys) Error Loading extension section usr_cert 14488:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/etc/pki_MessageNet/CA/index.txt.attr','rb') 14488:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125: 14488:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197: 14488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=email_in_dn 14488:error:2206E068:X509 V3 routines:X509V3_get_value_bool:invalid boolean string:v3_utl.c:229:section:,name:CA,value:True 14488:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=basicConstraints, value=CA:True What is the best way to include my file contents for you? (worried about posting something a mile long) Patrick Patterson wrote: Hi Chris: On 2010-09-22, at 4:13 PM, Chris Rider wrote: For now, I've just copied the CA's public .crt file to a public_html type directory and downloading on the client ~ from there, depending on whether I use FireFox or IE, I go into the respective certificates manager and import the one I downloaded. I've been very deliberate in making sure it actually gets installed under the root/trusted category, and not some other category. I haven't investigated the AIA field... (didn't even know about it) Would that be specified when creating the CA's keys? Is that best specified in my CA's cnf file somewhere? Yes - it would. Barring all else, it seems to me like the browser is hanging up on the fact that the CA's certificate is self-signed. (??) Things that would make the browser hang include: CA cert not including basicConstraints: CA=True, or keyUsage not including certSign. and User Certs that DO include either of those values. Also, what could be happening is a mismatch between AKI and SKI values in the CA and Server certs. That's why I requested you to send along a copy of the certs that you are using - the values need to be set correctly, just having one key signed by the other, which happens to be self signed, is not enough. Unless you have extensively edited your openssl.cnf file, you are probably not generating correct CA or end entity certs. Have fun. Patrick. -Chris Hugo Garza wrote: Hi Chris, how are you installing the root CA on the client machines? In windows once you double click the root certificate you get a message dialog box and click the install certificate button. On the following screen press next and on the next screen tell it to install the certificate to the Trusted Root Certificate Authorities, hit next then finish. You should get a Windows dialog warning saying that you are adding a root certificate, and you just say yes. Now the other possible problem is that on the server certificate that you created you aren't including the Authority Information Access (AIA) field. This is crucial so that your customers only have to install the root CA and implicitly trust any certificates signed by the root. On Wed, Sep 22, 2010 at 2:29 PM, Chris Rider chris.ri...@messagenetsystems.com mailto:chris.ri...@messagenetsystems.com wrote: We have a client/server architecture based product that needs to allow SSL communication between our server (CentOS) and various clients' web browsers (and additionally, other devices, but that's beyond the scope of this post). We've been able to get SSL working in both of two different ways (self-signed certificate self-signed CA with certificates signed by that) -- so that is not the issue. Rather, our whole issue is that we don't want the end-users to confronted with a big scary browser message that says something akin to There's a Problem With Security! / Allow Exception, etc. If they must install a certificate or two, that would be acceptable, though. So I thought that creating my own CA to sign certificates with would be a solution apparently not. I'm now getting browser messages that say the certificate's issuer is not trusted!!! Very frustrating. So, as I said, I've created my own CA (using this link
Re: LNK4078 and LNK4210 linking with x64 static libs
According to my understanding, that section is just a declaration of an external function. The section is needed to be there only if the function is called in the x86_64cpuid.asm. So, I don't think it will affect anything. In fact, my x64 version build runs perfectly. (I am using openssl 1.0.0 and then 1.0.0a) On Thu, Sep 23, 2010 at 7:12 AM, per fry kenvall per...@got.wmdata.sewrote: Hi, Thanks for your suggestion! But as far as I see, the assembler code in x86_64cpuid.asm _is_ the reference to OPENSSL_cpuid_setup! The runtime will call the functions given in the .CRT$XCU section before calling the main() entry. And it seems to me that the OPENSSL_cpuid_setup function in crypto/cryptlib.c does have useful code on Windows platforms, and so should be called, shouldn't it? It initializes a static variable with some processor specific info, whose value may be taken via the OPENSSL_ia32cap_loc() function. I tried printf(%lu, *OPENSSL_ia32cap_loc()), which prints out 0 using the x64 code, while printing 2951479295 using 32-bit code, indicating that OPENSSL_cpuid_setup has only been executed with the 32-bit code. What's the impact of this? Isn't it a bug? Cheers, Per Jack Zhang wrote: I had got the same problem. I just simply deleted that section EXTERNOPENSSL_cpuid_setup section.CRT$XCU ALIGN8 DQOPENSSL_cpuid_setup section.text code align=64 from the asm file because the extern OpenSSL_cpuid_setup is never referenced. Good luck On Tue, Sep 21, 2010 at 9:57 AM, perfry wrote: Hi, I've built 1.0.0a on Windows with VS2005, using nt.mak to get static libraries. With x64 I get warnings when linking applications, both openssl.exe and test programs like sha1test.exe. A snippet of output from nmake -f ms\nt.mak: link /nologo /subsystem:console /opt:ref /debug /out:out32\openssl.exe @C:\DOCUME~1\FRYKEN~1\LOCALS~1\Temp\nm3B3.tmp LIBCMT.lib(crt0init.obj) : warning LNK4254: section '.CRT' (6020) merged into '.rdata' (4040) with different attributes And when linking our own application on x64/Release platform: libeay32.lib(x86_64cpuid.obj) : warning LNK4078: multiple '.CRT' sections found with different attributes (60500020) libeay32.lib(x86_64cpuid.obj) : warning LNK4210: .CRT section exists; there may be unhandled static initializers or terminators The linker command can be deduced from the following: Creating temporary file c:\utv\ccbas4\ccbase\x64\Release\RSP132444832.rsp with contents [ /OUT:../deploy/execs/x64/Release/etnode.exe /INCREMENTAL:NO /MANIFEST /MANIFESTFILE:x64/Release\etnode.exe.intermediate.manifest /DELAYLOAD:oci.dll /DEBUG /PDB:../deploy/execs/x64/Release/etnode.pdb /SUBSYSTEM:CONSOLE /LTCG psapi.lib odbc32.lib odbccp32.lib WS2_32.LIB ADVAPI32.LIB GDI32.LIB USER32.LIB dbghelp.lib ../snibu/logging-log4cxx/msvc/lib/x64/Release/log4cxxs.lib ../snibu/openssl-1.0.0a/x64/Release/lib/ssleay32.lib ../snibu/openssl-1.0.0a/x64/Release/lib/libeay32.lib ../snibu/oracle/x64/instantclient_10_2/sdk/lib/msvc/oci.lib ../snibu/zlib/msvc/lib/x64/Release/zlibstat.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib DelayImp.lib .\x64\Release\CCcServApp.obj ... .\x64\Release\Bas4Bridge.obj ] Creating command line link.exe @c:\utv\ccbas4\ccbase\x64\Release\RSP132444832.rsp /NOLOGO /ERRORREPORT:PROMPT I've done the following to build openssl: cd /d C:\utv\snibu\openssl\x64\release\openssl-1.0.0a call C:\Program Files\Microsoft Visual Studio 8\VC\vcvarsall.bat x86_amd64 perl Configure VC-WIN64A --prefix=c:\appl\openssl-1.0.0a\x64\release ms\do_win64a.bat nmake -f ms\nt.mak nmake -f ms\nt.mak install And the file x86_64cpuid.asm mentioned in the warnings starts with the following: defaultrel EXTERNOPENSSL_cpuid_setup section.CRT$XCU ALIGN8 DQOPENSSL_cpuid_setup section.text code align=64 ... Could somebody help me solve this warning, it seems to me that OPENSSL_cpuid_setup will not be executed. Best regards, Per Frykenvall __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org mailto:openssl-users@openssl.org Automated List Manager majord...@openssl.org mailto:majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager
Re: Self-signed CA problem for internal web application
Sorry, I think I should make clear that I'm using two different setups... one for the CA and another for the end user certificate. For example, my CA is in /etc/pki_MessageNet/CA while my end-user is in /etc/pki_MessageNet/tls --- so when I generate my CA keys, it has its own config file / scope... and when I generate my end user CSR, it has its own config file / scope. I am, however, granting my CSR from within the scope of my CA and its configuration. In other words, I'm replicating a real world type situation -- or that is the hope! Chris Rider wrote: I think we're on to something here... thank you for your time and attention, btw! I still can't see anything about the AIA thing, but I took another go at the basicConstraints and keyUsage, and seem to have slightly better results. I changed basicConstraints to True (it was FALSE by default), so that makes sense. I also just tacked on certSign to the end of the keyUsage string. Now, when I generate the keys and install the CA's certificate on the client, even IE will automatically detect/install as a trusted root... which it wasn't before. So I think we're onto something with my CA. But now, when I go to sign the server certificate using my CA, I am getting the following errors: (using the exact same process -- scripted -- as before, so the only thing changed is the CA config file / CA keys) Error Loading extension section usr_cert 14488:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('/etc/pki_MessageNet/CA/index.txt.attr','rb') 14488:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125: 14488:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197: 14488:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=email_in_dn 14488:error:2206E068:X509 V3 routines:X509V3_get_value_bool:invalid boolean string:v3_utl.c:229:section:,name:CA,value:True 14488:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=basicConstraints, value=CA:True What is the best way to include my file contents for you? (worried about posting something a mile long) Patrick Patterson wrote: Hi Chris: On 2010-09-22, at 4:13 PM, Chris Rider wrote: For now, I've just copied the CA's public .crt file to a public_html type directory and downloading on the client ~ from there, depending on whether I use FireFox or IE, I go into the respective certificates manager and import the one I downloaded. I've been very deliberate in making sure it actually gets installed under the root/trusted category, and not some other category. I haven't investigated the AIA field... (didn't even know about it) Would that be specified when creating the CA's keys? Is that best specified in my CA's cnf file somewhere? Yes - it would. Barring all else, it seems to me like the browser is hanging up on the fact that the CA's certificate is self-signed. (??) Things that would make the browser hang include: CA cert not including basicConstraints: CA=True, or keyUsage not including certSign. and User Certs that DO include either of those values. Also, what could be happening is a mismatch between AKI and SKI values in the CA and Server certs. That's why I requested you to send along a copy of the certs that you are using - the values need to be set correctly, just having one key signed by the other, which happens to be self signed, is not enough. Unless you have extensively edited your openssl.cnf file, you are probably not generating correct CA or end entity certs. Have fun. Patrick. -Chris Hugo Garza wrote: Hi Chris, how are you installing the root CA on the client machines? In windows once you double click the root certificate you get a message dialog box and click the install certificate button. On the following screen press next and on the next screen tell it to install the certificate to the Trusted Root Certificate Authorities, hit next then finish. You should get a Windows dialog warning saying that you are adding a root certificate, and you just say yes. Now the other possible problem is that on the server certificate that you created you aren't including the Authority Information Access (AIA) field. This is crucial so that your customers only have to install the root CA and implicitly trust any certificates signed by the root. On Wed, Sep 22, 2010 at 2:29 PM, Chris Rider chris.ri...@messagenetsystems.com mailto:chris.ri...@messagenetsystems.com wrote: We have a client/server architecture based product that needs to allow SSL communication between our server (CentOS) and various clients' web browsers (and additionally, other devices, but that's beyond the scope of this post). We've been able to get SSL working in both of two different ways (self-signed certificate self-signed CA with certificates signed by that) --
Re: LNK4078 and LNK4210 linking with x64 static libs
Actually, that section (specifically, the DQ line) places a single pointer constant in a data section with the magic name .CRT$XCU. Background: The Microsoft linker, upon seeing a $ sign in a section name will merge this section with all other sections name .CRT or .CRT$whatever, but only after it has ordered the layout of that section alphabetically according to the non-truncated section name. Thus the constants in .obj section .CRT$XCU will be placed between anything in sections .CRT$XCT (or less) and anything in sections .CRT$XCV (or more). The Microsoft C runtime startup code contains declarations for dummy NULL variables in sections .CRT$XCA and .CRT$XCZ and a loop which treats the data between those sections (including the DQ placed there by this ASM file and any constructors for C++ global variables etc.) as an array of function pointers to be called before invoking main(). A similar method (with a different letter after X is used for functions to call after main() returns or during a call to exit()). The above description matches at least the C runtime in Visual Studio 2005 (look at the files VC\CRT\src\crt0init.c and VC\CRT\src\crt0dat.c). Error message analysis: The warning complains that something in section .CRT has been given the section attributes 0x6020 (meaning Read/Execute, contains code), even though the rest of the file section it ultimately goes into (.rdata) has attributes 0x4040 (meaning Read, contains initialized data). Thus my guess is that the line section.CRT$XCU is lacking some keywords to tell the assembler to mark that section as read-only data, not code. Unfortunately, I am not sure of the syntax to do that in the x86_64 version of MASM. On 23-09-2010 15:09, Jack Zhang wrote: According to my understanding, that section is just a declaration of an external function. The section is needed to be there only if the function is called in the x86_64cpuid.asm. So, I don't think it will affect anything. In fact, my x64 version build runs perfectly. (I am using openssl 1.0.0 and then 1.0.0a) On Thu, Sep 23, 2010 at 7:12 AM, per fry kenvall per...@got.wmdata.se mailto:per...@got.wmdata.se wrote: Hi, Thanks for your suggestion! But as far as I see, the assembler code in x86_64cpuid.asm _is_ the reference to OPENSSL_cpuid_setup! The runtime will call the functions given in the .CRT$XCU section before calling the main() entry. And it seems to me that the OPENSSL_cpuid_setup function in crypto/cryptlib.c does have useful code on Windows platforms, and so should be called, shouldn't it? It initializes a static variable with some processor specific info, whose value may be taken via the OPENSSL_ia32cap_loc() function. I tried printf(%lu, *OPENSSL_ia32cap_loc()), which prints out 0 using the x64 code, while printing 2951479295 using 32-bit code, indicating that OPENSSL_cpuid_setup has only been executed with the 32-bit code. What's the impact of this? Isn't it a bug? Cheers, Per Jack Zhang wrote: I had got the same problem. I just simply deleted that section EXTERNOPENSSL_cpuid_setup section.CRT$XCU ALIGN8 DQOPENSSL_cpuid_setup section.text code align=64 from the asm file because the extern OpenSSL_cpuid_setup is never referenced. Good luck On Tue, Sep 21, 2010 at 9:57 AM, perfry wrote: Hi, I've built 1.0.0a on Windows with VS2005, using nt.mak to get static libraries. With x64 I get warnings when linking applications, both openssl.exe and test programs like sha1test.exe. A snippet of output from nmake -f ms\nt.mak: link /nologo /subsystem:console /opt:ref /debug /out:out32\openssl.exe @C:\DOCUME~1\FRYKEN~1\LOCALS~1\Temp\nm3B3.tmp LIBCMT.lib(crt0init.obj) : warning LNK4254: section '.CRT' (6020) merged into '.rdata' (4040) with different attributes And when linking our own application on x64/Release platform: libeay32.lib(x86_64cpuid.obj) : warning LNK4078: multiple '.CRT' sections found with different attributes (60500020) libeay32.lib(x86_64cpuid.obj) : warning LNK4210: .CRT section exists; there may be unhandled static initializers or terminators The linker command can be deduced from the following: Creating temporary file c:\utv\ccbas4\ccbase\x64\Release\RSP132444832.rsp with contents [ /OUT:../deploy/execs/x64/Release/etnode.exe /INCREMENTAL:NO /MANIFEST /MANIFESTFILE:x64/Release\etnode.exe.intermediate.manifest /DELAYLOAD:oci.dll /DEBUG /PDB:../deploy/execs/x64/Release/etnode.pdb /SUBSYSTEM:CONSOLE /LTCG
Re: LNK4078 and LNK4210 linking with x64 static libs
I disagree; according to http://blogs.msdn.com/b/vcblog/archive/2006/10/20/crt-initialization.aspx .CRT$XCU is for setting up static initializers. Also, the text of the source file from which the assembler file is generated gives a hint that it is a call: .extern OPENSSL_cpuid_setup .section.init callOPENSSL_cpuid_setup And maybe the parts of openssl that you are using work perfectly, while there might be other parts relying on this initialization. (Unfortunately I can't run make test on 64-bit as I don't have any such box with Visual Studio). /Per Jack Zhang wrote: According to my understanding, that section is just a declaration of an external function. The section is needed to be there only if the function is called in the x86_64cpuid.asm. So, I don't think it will affect anything. In fact, my x64 version build runs perfectly. (I am using openssl 1.0.0 and then 1.0.0a) On Thu, Sep 23, 2010 at 7:12 AM, per fry kenvall per...@got.wmdata.se mailto:per...@got.wmdata.se wrote: Hi, Thanks for your suggestion! But as far as I see, the assembler code in x86_64cpuid.asm _is_ the reference to OPENSSL_cpuid_setup! The runtime will call the functions given in the .CRT$XCU section before calling the main() entry. And it seems to me that the OPENSSL_cpuid_setup function in crypto/cryptlib.c does have useful code on Windows platforms, and so should be called, shouldn't it? It initializes a static variable with some processor specific info, whose value may be taken via the OPENSSL_ia32cap_loc() function. I tried printf(%lu, *OPENSSL_ia32cap_loc()), which prints out 0 using the x64 code, while printing 2951479295 using 32-bit code, indicating that OPENSSL_cpuid_setup has only been executed with the 32-bit code. What's the impact of this? Isn't it a bug? Cheers, Per Jack Zhang wrote: I had got the same problem. I just simply deleted that section EXTERNOPENSSL_cpuid_setup section.CRT$XCU ALIGN8 DQOPENSSL_cpuid_setup section.text code align=64 from the asm file because the extern OpenSSL_cpuid_setup is never referenced. Good luck On Tue, Sep 21, 2010 at 9:57 AM, perfry wrote: Hi, I've built 1.0.0a on Windows with VS2005, using nt.mak to get static libraries. With x64 I get warnings when linking applications, both openssl.exe and test programs like sha1test.exe. A snippet of output from nmake -f ms\nt.mak: link /nologo /subsystem:console /opt:ref /debug /out:out32\openssl.exe @C:\DOCUME~1\FRYKEN~1\LOCALS~1\Temp\nm3B3.tmp LIBCMT.lib(crt0init.obj) : warning LNK4254: section '.CRT' (6020) merged into '.rdata' (4040) with different attributes And when linking our own application on x64/Release platform: libeay32.lib(x86_64cpuid.obj) : warning LNK4078: multiple '.CRT' sections found with different attributes (60500020) libeay32.lib(x86_64cpuid.obj) : warning LNK4210: .CRT section exists; there may be unhandled static initializers or terminators The linker command can be deduced from the following: Creating temporary file c:\utv\ccbas4\ccbase\x64\Release\RSP132444832.rsp with contents [ /OUT:../deploy/execs/x64/Release/etnode.exe /INCREMENTAL:NO /MANIFEST /MANIFESTFILE:x64/Release\etnode.exe.intermediate.manifest /DELAYLOAD:oci.dll /DEBUG /PDB:../deploy/execs/x64/Release/etnode.pdb /SUBSYSTEM:CONSOLE /LTCG psapi.lib odbc32.lib odbccp32.lib WS2_32.LIB ADVAPI32.LIB GDI32.LIB USER32.LIB dbghelp.lib ../snibu/logging-log4cxx/msvc/lib/x64/Release/log4cxxs.lib ../snibu/openssl-1.0.0a/x64/Release/lib/ssleay32.lib ../snibu/openssl-1.0.0a/x64/Release/lib/libeay32.lib ../snibu/oracle/x64/instantclient_10_2/sdk/lib/msvc/oci.lib ../snibu/zlib/msvc/lib/x64/Release/zlibstat.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib DelayImp.lib .\x64\Release\CCcServApp.obj ... .\x64\Release\Bas4Bridge.obj ] Creating command line link.exe @c:\utv\ccbas4\ccbase\x64\Release\RSP132444832.rsp /NOLOGO /ERRORREPORT:PROMPT I've done the following to build openssl: cd /d C:\utv\snibu\openssl\x64\release\openssl-1.0.0a call C:\Program Files\Microsoft Visual Studio 8\VC\vcvarsall.bat x86_amd64 perl Configure VC-WIN64A
Creating Extended Validation SSL Certificates
Can someone explain what is needed to create and EV (Extended Validation) Certificate? I have been trying to research this and have found limited information on this. Only one document that was of any help -àhttp://www.cabforum.org/EV_Certificate_Guidelines.pdf. My issue is with OpenSSL and adding the needed additional OIDs to the certificate. Thanks in advance, Gumbie
Re: Self-signed CA problem for internal web application
Thanks for the suggestion, but I've already tried that, more or less My web server config already has that mime type configured, and the client is capable of recognizing the properly served filetype. I've tried installing certificates through IE's wizard automatically in such a way... as well as manually in it and other browsers (downloading certificate and importing). My primary skills are that of webmaster (using that word should tell how long I've been in that game! grin), so I am aware of how much the browsers vary in doing things... which is why I tried every way of installing in every browser I have. I agree with you about the latest versions of MSIE and that stupid wizard they now use! I'm pretty sure it something in my generating keys, rather than client issues. John R Pierce wrote: On 09/22/10 11:57 AM, Chris Rider wrote: We have a client/server architecture based product that needs to allow SSL communication between our server (CentOS) and various clients' web browsers (and additionally, other devices, but that's beyond the scope of this post). We've been able to get SSL working in both of two different ways (self-signed certificate self-signed CA with certificates signed by that) -- so that is not the issue. Rather, our whole issue is that we don't want the end-users to confronted with a big scary browser message that says something akin to There's a Problem With Security! / Allow Exception, etc. If they must install a certificate or two, that would be acceptable, though. So I thought that creating my own CA to sign certificates with would be a solution apparently not. I'm now getting browser messages that say the certificate's issuer is not trusted!!! Very frustrating. take your selfsigned CA public certificate, name it something.cer, and place it on a web server, making sure the webserver understands that .cer is mime type application/x-x509-ca-cert give your clients the link to that .CER ... they have to accept it and add it to their trusted root certificate storage, the specifics of doing this vary by web browser (current versions of MSIE have made this harder than it should be) once that .cer is installed in the browsers trusted root authorities, then anything signed by that CA will be accepted. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
rsa key format
Hi I have generated a private key using the below command and want to extract the public key in a format that is compatible with sites using Java. openssl genrsa -out priv_key.txt 1024 Is there a command in openssl that will extract the public key for this private key in a cert file or xml format that is compatible with Java sites? Note: I have used below command to extract public key in default PEM format. But the vendor requires the key format to be one which is compatible with Java. openssl rsa -in priv_key.txt -out pub_key.txt -pubout Regards Vivek Panikulam
Re: Duplicate serial number
Great! Thanks for that information Patrick. :) Thanks, Andy Goktas Patrick Patterson ppatter...@carillonis.com 9/17/2010 6:11 AM Hi Andy: Well, aside from violating most of the standards around PKI, the main problem you will have is revocation - the way you revoke a certificate is to put it's serial number on a CRL. So if you have multiple certs with the same serial number, if you ever need to revoke one of those certificates, you will end up revoking them all. The reason that the standards are written that way is that the principle is that the tuple of the Issuer Name and Serial Number is able to uniquely identify any given certificate, which is important for any number of very good, trust related reasons. Have fun! Patrick. On 2010-09-15, at 4:34 PM, Andy GOKTAS wrote: Hello, Just curious if anyone knows, but what happens if I generate multiple server certs (using my self generated signing CA using openssl) that have the same assigned serial number? Does this create a conflict within the network and if users's end up accessing both certs, kabm? Is it merely a method of basic tracking on how many certificates a CA signs? Thanks, Andy Goktas __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org --- Patrick Patterson President and Chief PKI Architect Carillon Information Security Inc. http://www.carillon.ca tel: +1 514 485 0789 mobile: +1 514 994 8699 fax: +1 450 424 9559 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Duplicate serial number
So using the -CAserial serial.srl might be a good idea to avoid this. Now this leads me to the next question: - Besides manually documenting a cross-reference for each certificate that I sign to a serial number, is there any way to have this scripted and for an appending log to the serial.srl file that's updated each time it's used? In short, a list of cert name (=CN perhaps) and serial number associated with it. ?? Thanks, Andy Goktas aerow...@gmail.com 9/19/2010 1:53 PM If you generate multiple certs with the same serial number, Firefox (and anything built with NSS) will absolutely refuse to have anything to do with those sites. There's no click 3 times to get access, it's a simple refusal to talk with a non-standards-compliant server. (Of course, this puts the owner of the site in a lurch, because he doesn't run the CA in the vast majority of circumstances.) Other TLS clients and browsers likely will do the same. I haven't checked though. -Kyle H On Wed, Sep 15, 2010 at 1:34 PM, Andy GOKTAS andy.gok...@state.or.us wrote: Hello, Just curious if anyone knows, but what happens if I generate multiple server certs (using my self generated signing CA using openssl) that have the same assigned serial number? Does this create a conflict within the network and if users's end up accessing both certs, kabm? Is it merely a method of basic tracking on how many certificates a CA signs? Thanks, Andy Goktas __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
OpenSSL state and suspend/resume
How does one handle a suspend/resume power cycle when using OpenSSL? Specifically, suppose one is in the middle of a SHA-1 Init/Update/Final sequence when the suspend signal occurs? What happens to SHA_CTX? I know I can save and restore SHA_CTX by peering into the structure. I also know that OpenSSL won't guarantee that the structure will be fixed forever, so my code will be fragile. Is there a better alternative? I have a similar question regarding the RNG state, but I think I can reseed it after the resume. I don't see any other functions that keep internal or opaque state. Are there any I should be concerned with? I use only SHA-1, RSA, AES, lots of bignum functions, and the RNG.
2nd try : REGD : openssl vulnerability CVE-2010-2939 : double in ssl3_get_key_exchange
Would be great if I can get answers to the below questions thanks aparajita From: Aparajita Sood (apsood) Sent: Tuesday, September 21, 2010 11:54 AM To: 'openssl-users@openssl.org' Subject: REGD : openssl vulnerability CVE-2010-2939 : double in ssl3_get_key_exchange Hi OpenSSL Folks, I'm evaluating our product for this vulnerability. http://www.mail-archive.com/openssl-...@openssl.org/msg28049.html http://www.mail-archive.com/openssl-...@openssl.org/msg28049.html I have a few questions : 1. The vulnerability says You are right : there is a double free bug in the function *ssl3_get_key_exchange* which leads to crash if an error occurs. The bug is in line 1510 of s3_clnt.c where we forget to set the variable bn_ctx to NULL after freeing it and this leads to the double free error when BN_CTX_free is called a second time on line 1650. In 0.9.7d and prior I see no reference to bn_ctx or BN_CTX_free QUESTION: Since I do not see references to bn_ctx or BN_CTX_free in 0.9.7d can I assume that the vulnerability does not exist on that version? 2. The link says OpenSSL versions 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, are affected when Elliptic curve Diffie-Hellman (ECDH) is enabled QUESTION: Since I don't see BN_CTX_free being used in 0.9.7d and prior, do they mean that 7e, f , g have these definitions ? 3. I checked in the opensslconf.h file for #define OPENSSL_NO_ECDH to check if ECDH is enabled or not QUESTION: is this the correct way to find if ecdh is enabled or not? Would be great if I can get a response to these thanks aparajita
regarding binary size in OpenSSL 1.0.0a
Hi All, We are using OpenSSL (binaries built as static version) in our application. We are using the version 0.9.8i and the size of libeay32.lib (built in 32 bit windows) is 3.392 MB. We are thinking of updating to latest version of OpenSSL 1.0.0a. When we built the binaries for 1.0.0a (static version on 32 bit windows) from source code we are getting the size of libeay32.lib as 12.374 MB. Is there any reason for such a huge difference in size of libeay32.lib ? Or I am missing something while building the binaries ? Regards, Madhu Gowda
Re: [openssl-users] Creating Extended Validation SSL Certificates
Hodie IX Kal. Oct. MMX, Gumbie scripsit: Can someone explain what is needed to create and EV (Extended Validation) Certificate? I have been trying to research this and have found limited information on this. Only one document that was of any help -àhttp://www.cabforum.org/EV_Certificate_Guidelines.pdf. That's the only necessary document for technical issues. My issue is with OpenSSL and adding the needed additional OIDs to the certificate. Using OpenSSL and adding additional OIDs is not sufficient for a certificate to be EV with a green bar. You need your CA to be integrated in supported browsers as an EV-compliant one, and for this, you need to be audited, have correct validation procedures, have a correct facility, etc. -- Erwann ABALEA erwann.aba...@keynectis.com Département RD KEYNECTIS 11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France Tél.: +33 1 55 64 22 07 http://www.keynectis.com __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Duplicate serial number
Hi Andy: If you use the OpenSSL CA scripts as shipped and documented both in the OpenSSL document, the book, or numerous places on the web, they already use index.txt as a list of all issued certificates. So no extra work is needed. Have fun. Patrick. On 2010-09-22, at 4:52 PM, Andy GOKTAS wrote: So using the -CAserial serial.srl might be a good idea to avoid this. Now this leads me to the next question: - Besides manually documenting a cross-reference for each certificate that I sign to a serial number, is there any way to have this scripted and for an appending log to the serial.srl file that's updated each time it's used? In short, a list of cert name (=CN perhaps) and serial number associated with it. ?? Thanks, Andy Goktas aerow...@gmail.com 9/19/2010 1:53 PM If you generate multiple certs with the same serial number, Firefox (and anything built with NSS) will absolutely refuse to have anything to do with those sites. There's no click 3 times to get access, it's a simple refusal to talk with a non-standards-compliant server. (Of course, this puts the owner of the site in a lurch, because he doesn't run the CA in the vast majority of circumstances.) Other TLS clients and browsers likely will do the same. I haven't checked though. -Kyle H On Wed, Sep 15, 2010 at 1:34 PM, Andy GOKTAS andy.gok...@state.or.us wrote: Hello, Just curious if anyone knows, but what happens if I generate multiple server certs (using my self generated signing CA using openssl) that have the same assigned serial number? Does this create a conflict within the network and if users's end up accessing both certs, kabm? Is it merely a method of basic tracking on how many certificates a CA signs? Thanks, Andy Goktas __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org --- Patrick Patterson President and Chief PKI Architect Carillon Information Security Inc. http://www.carillon.ca tel: +1 514 485 0789 mobile: +1 514 994 8699 fax: +1 450 424 9559 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Creating Extended Validation SSL Certificates
Hey there: Well, the first thing to do to be able to issue EV certs and have them recognised by the various browsers is to build a CA and issuance regime that will pass an audit according to the rules from the CABrowser folks, do a proper key ceremony, and then have that audit. And then, wait until your Root CA Cert and EV OIDs are accepted and shipped in a Browser update by the various Browser vendors. Just adding some OIDs to the server certificate is not enough. Have fun. On 2010-09-23, at 10:16 AM, Gumbie wrote: Can someone explain what is needed to create and EV (Extended Validation) Certificate? I have been trying to research this and have found limited information on this. Only one document that was of any help -àhttp://www.cabforum.org/EV_Certificate_Guidelines.pdf. My issue is with OpenSSL and adding the needed additional OIDs to the certificate. Thanks in advance, Gumbie --- Patrick Patterson President and Chief PKI Architect Carillon Information Security Inc. http://www.carillon.ca tel: +1 514 485 0789 mobile: +1 514 994 8699 fax: +1 450 424 9559 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Duplicate serial number
Hi, The database file (an option in your openssl.conf) handles that perfectly. Cheers Pascal 2010/9/22 Andy GOKTAS andy.gok...@state.or.us So using the -CAserial serial.srl might be a good idea to avoid this. Now this leads me to the next question: - Besides manually documenting a cross-reference for each certificate that I sign to a serial number, is there any way to have this scripted and for an appending log to the serial.srl file that's updated each time it's used? In short, a list of cert name (=CN perhaps) and serial number associated with it. ?? Thanks, Andy Goktas aerow...@gmail.com 9/19/2010 1:53 PM If you generate multiple certs with the same serial number, Firefox (and anything built with NSS) will absolutely refuse to have anything to do with those sites. There's no click 3 times to get access, it's a simple refusal to talk with a non-standards-compliant server. (Of course, this puts the owner of the site in a lurch, because he doesn't run the CA in the vast majority of circumstances.) Other TLS clients and browsers likely will do the same. I haven't checked though. -Kyle H On Wed, Sep 15, 2010 at 1:34 PM, Andy GOKTAS andy.gok...@state.or.us wrote: Hello, Just curious if anyone knows, but what happens if I generate multiple server certs (using my self generated signing CA using openssl) that have the same assigned serial number? Does this create a conflict within the network and if users's end up accessing both certs, kabm? Is it merely a method of basic tracking on how many certificates a CA signs? Thanks, Andy Goktas __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
is there way to set default ciphers in openssl system wide?
Hi List, Is there way to set openssl default ciphers (“DEFAULT”), that all openssl enabled programs use by default? Without recompiling the openssl? br, -- Eero __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
where is the memory being held
Hi, I have an SSL apllication, that it suppose to run for a long time. After some time of running, I found the usage of the memory is growing. I stop all SSL connections and checked all SSL * has been freed but it could not release the memory back to the system. After some investigation, I found there is no memory leak, but seems lot of memory are unable to release back to system. mtrace found out there are quite a lot of fragmented memory being held by the SSL library. I would like to know what could I do to reduce the memory held by SSL library after all connections have been dropped? I am handling the SSL session through share memory myself and that part of the memory is allocated from the start. mallinfo() reports after some test and no connection for a while: system bytes = 28271952 in use bytes = 1809184 non-inuse bytes = 26462768 non-inuse chunks = 81 mmap regions =4 mmap bytes = 1773568 Total (incl. mmap): system bytes = 30045520 in use bytes = 3582752 releasable bytes = 462496 -- qun-ying __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: rsa key format
From: owner-openssl-us...@openssl.org On Behalf Of Panikulam Vivek Sent: Thursday, 23 September, 2010 10:53 I have generated a private key using the below command and want to extract the public key in a format that is compatible with sites using Java. openssl genrsa -out priv_key.txt 1024 Is there a command in openssl that will extract the public key for this private key in a cert file or xml format that is compatible with Java sites? For a certificate: you can't 'extract' a cert from a keypair because a cert contains much more information than the publickey. You can get a cert *containing* your publickey by several methods which are nearly equivalent in principle but different in detail: 1. generate a CSR (certificate signing request) with openssl req -new [-config $conf] -key priv_key.txt -out $req # uses default config (must exist) if you don't specify one # if you have your own config it can also specify the keyfile send CSR to a CA which issues a cert. Often this costs money. This cert can be imported to a Java truststore/keystore by standard keytool, IF either the CA is in the existing (shipped or customized) truststore, or the user decides (is persuaded) to trust it manually. For other programs that might read a cert, it depends on the program. 2. set up your own (basic) CA with openssl, generate a CSR as above, and use 'openssl ca' to issue a cert for it. This setup is a bit more complicated, more than I have time to check and type right now, but there's undoubtedly lots of webpages, some possibly correct. 3. create just a CA keypair and (selfsigned) CA cert with openssl (even more basic), generate a CSR as above, and openssl x509 -req -in $req [-CAkey $CAkey] -CA $CAcert -out $cert {[-CAserial $file] [-CAcreateserial] | -set_serial $hexnum} These two use a (pseudo)CA you create yourself, so to have its certs trusted automatically, you (or your users) must put your DIY CA cert in their Java's truststore(s), normally JRE/lib/security/cacerts . 4. create a CSR as above and self-sign it openssl x509 -req in $req -signkey priv_key.txt -out $cert or simpler 5. generate a self-signed cert directly openssl req -new -x509 -key priv_key.txt [-config $conf] -out $cert These self-signed certs must always be trusted manually. There are various extension data-items that can be included in a CSR to be copied in the cert at the choice of the CA, and/or directly put in the cert by the action of the CA. In case 2 you are the CA and can do both; in 3 and 4 you can put extensions in the cert (but AFAIK not copy); in 5 you can directly put extensions. Whether your 'Java site' needs any of these extensions depends on what your 'Java site' is. For SSL using default SSLSocket's (JSSE) to trust an issuer, IME no extensions are needed and a plain v1 cert works fine. Note: I have used below command to extract public key in default PEM format. But the vendor requires the key format to be one which is compatible with Java. openssl rsa -in priv_key.txt -out pub_key.txt -pubout Java, specifically the default SunRsaSign factory, is certainly able to handle X509-style publickeyinfo-RSA generated (and used) by openssl, in DER format, which you can easily create by adding -outform DER to that command (and changing the filename as appropriate). The mapping to and from PEM is (almost) orthogonal to the contents, and could easily be written separately, but I have not found exported by standard Java. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Creating Extended Validation SSL Certificates
On 9/23/2010 7:16 AM, Gumbie wrote: Can someone explain what is needed to create and EV (Extended Validation) Certificate? I have been trying to research this and have found limited information on this. Only one document that was of any help -àhttp://www.cabforum.org/EV_Certificate_Guidelines.pdf. My issue is with OpenSSL and adding the needed additional OIDs to the certificate. Thanks in advance, Gumbie Either request them from any CA that offers them or yourself make a CA that follows the EV guidelines. The whole point of EV certificates is that you cannot create them without going through extended validation. By design, there is no way to bypass this requirement. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: where is the memory being held
On 9/23/2010 11:42 AM, zhu qun-ying wrote: Hi, I have an SSL apllication, that it suppose to run for a long time. After some time of running, I found the usage of the memory is growing. I stop all SSL connections and checked all SSL * has been freed but it could not release the memory back to the system. After some investigation, I found there is no memory leak, but seems lot of memory are unable to release back to system. mtrace found out there are quite a lot of fragmented memory being held by the SSL library. I would like to know what could I do to reduce the memory held by SSL library after all connections have been dropped? I am handling the SSL session through share memory myself and that part of the memory is allocated from the start. mallinfo() reports after some test and no connection for a while: system bytes = 28271952 in use bytes = 1809184 non-inuse bytes = 26462768 non-inuse chunks = 81 mmap regions =4 mmap bytes = 1773568 Total (incl. mmap): system bytes = 30045520 in use bytes = 3582752 releasable bytes = 462496 -- qun-ying This all seems normal. Virtual memory is not normally considered a scarce resource and unless the consumption is really absurd, it's not worth worrying about. Unless your virtual memory use grows linearly with constant load, it's generally not worth worrying about. If it grows in an exponentially decreasing way with constant load or grows linearly with increasing peak load, I wouldn't worry about it at all. DS __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: Duplicate serial number
From: owner-openssl-us...@openssl.org On Behalf Of Pascal Delaunay Sent: Thursday, 23 September, 2010 12:00 The database file (an option in your openssl.conf) handles that perfectly. If you use 'ca'; or as Patrick Patterson said, the scripts which do so. Not 'x509 -req [-CAserial file]'; that stores only the (last-used) number. 2010/9/22 Andy GOKTAS andy.gok...@state.or.us So using the -CAserial serial.srl might be a good idea to avoid this. Now this leads me to the next question: - Besides manually documenting a cross-reference for each certificate that I sign to a serial number, is there any way to have this scripted and for an appending log to the serial.srl file that's updated each time it's used? In short, a list of cert name (=CN perhaps) and serial number associated with it. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org