Re: FIPS compliance question regarding openssl distributions

2011-03-07 Thread Kyle Hamilton 

In order to achieve compliance, you must follow the instructions in the 
Security Policy to the letter.

This means that you must:
- download and read the security policy
- download the openssl-fips-1.2.0.tar.gz
- verify its integrity according to the security policy
- follow the precise instructions to build it, from the security policy

You should also go to NIST and look at its certificate, to verify that it 
hasn't been revoked.

To use it, you must obtain sources for the latest 0.9.8 release and 
compile/link it against the fipscanister.  You may be able to do this from your 
ports tree -- the instructions and requirements apply only to fipscanister.o 
and several of its companion files.  As long as the requirements of the 
security policy are upheld, the implementation will be compliant.

Note that compliance cannot be truly determined programmatically.  So, it's 
also a good idea to generate multiple hashes (sha-1, sha-256, ripemd160, etc) 
over the fipscanister and associated files, print them out, and commit to them 
(physically sign them) as a statement of compliance with the build process.

-Kyle H

On Thu, Mar 3, 2011 at 9:19 AM, Alexander Sack  wrote:

Hello openssl-users:

I asked on the FreeBSD security list but perhaps this one is more
apropos.  Our company has been tasked to ship a FIPS compliant version
of openssl on top of our FreeBSD based product.  I am confused on what
distribution I am allowed to use to create a FIPS compliant release.

Here is what I don't understand after reading the FIPS 140-2 User Guide:

In the example of building the openssl FIPS *capable* distribution, it
seems one should take the distribution from the official
openssl.org/source website and validate it using PGP.  However,
FreeBSD ships openssl distribution within its source tree.

There is no tarball of openssl that I can validate it against.  The
source is already integrated in the official FreeBSD source trees.

However, its based on the openssl distribution found in the official
repos.  I have not done a complete diff, but there maybe small build
changes to incorporate the openssl distribution into the FreeBSD
*world* build.

So, can I build a FIPS compliant product using the FreeBSD openssl
distribution OR do I need to build the official openssl distribution
tarball (a la ports)?

If this has been answered before, I apologize.  Some basic Googling
got me mixed answers

Thanks!

-aps
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org





Verify This Message with Penango.p7s
Description: S/MIME Cryptographic Signature

RE: Installing a .cer file in IE

2011-03-07 Thread Jaquez Jr, Hector L. 
Yes created a CSR file using openssl.  If I recall I did create a key as well.  
However, when I received the CER file I thought all I would have to do is 
import it to IE.  So all I need to do is use the command below to get this to 
import correctly?


Sent from my Windows Phone

-Original Message-
From: Dave Thompson
Sent: Monday, March 07, 2011 4:38 PM
To: openssl-users@openssl.org
Subject: RE: Installing a .cer file in IE


>   From: owner-openssl-us...@openssl.org On Behalf Of Jaquez Jr, Hector
L.
>   Sent: Monday, 07 March, 2011 14:37

>   I created a .csr file and had my access control team create me
> a certificate since my original had expired.  I was under the assumption
> I could just import the cert in IE from the IE options and it would work.

> It is not working and I am still showing that my certificate is expired.
> I wanted to find out how to install a cert in IE via openssl command line.

> If you need any additional information please ask.

Do you mean you created a CSR and got a cert for a keypair created by,
or converted to, openssl? If so, IE* needs both privatekey and cert,
from a PKCS12 which openssl can create:
  openssl pkcs12 -export -in mycer -inkey mykey -out myp12

(* actually the Windows store, used by IE and possibly others)



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: SSL_ERROR_WANT_READ and SSL_ERROR_WANT-WRITE question

2011-03-07 Thread David Schwartz 

On 3/7/2011 4:19 PM, Yan, Bob wrote:

Thank you very much, David,



In general, if the application use "select/poll" system function to

> check the readable of underline BIO and invoke the SSL_read/SSL_write
> only if there are data available on the socket, can the deadlock still
> happened?

Not only can the deadlock I explained still happen, but many other 
deadlocks can happen. The design you are talking about is the complete 
opposite of how you correct use non-blocking sockets with OpenSSL.


You should call SSL_read/SSL_write any time you want to read or write to 
or from the SSL connection. You should call a 'select' or 'poll' 
function only when OpenSSL tells you to.




Specially, in your last statement "At step 3 above, the reader thread
is now blocking waiting for the renegotiation data to arrive on the
socket.  But that renegotiation data has already been received and read
by  the SSL engine.


So the thread will block indefinitely waiting for  something that has > already happened.", the question is that if the 

underline socket

is  non-blocking and the

> application is using select/poll to check the readable of SSL
> connection and then > invoke the SSL_write/SSL_read call, can this 
deadlock still happen?


Yes, that's precisely how the deadlock happens. It is easy to assume the 
SSL connection has both a 'read state' and a 'write state' because TCP 
connections do. But SSL does not. If 'SSL_write' returns WANT_READ, that 
invalidates any prior WANT_READ condition you may have gotten from 
'SSL_read' -- the SSL connection has one and only one state.


DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: OpenSSL on a multiilb system

2011-03-07 Thread Jan Steffens 
On Tue, Feb 8, 2011 at 8:42 PM, Jan Steffens  wrote:
> Hello,
>
> I help maintain the Arch Linux multilib repository and was wondering how
> OpenSSL should be built on a x86_64 multilib system. My approach so far has
> been this:
>
>  export CC="gcc -m32"
>  export CXX="g++ -m32"
>  export PKG_CONFIG_PATH="/usr/lib32/pkgconfig"
>  ./Configure linux-elf --prefix=/usr --openssldir=/etc/ssl \
>    --libdir=lib32 shared zlib enable-md2 -Wa,--noexecstack
>
>  make
>
> A user is getting crashes in Picasa that are fixed by replacing the OpenSSL
> libraries in lib32 with their versions from the Arch Linux i686 distribution.
> So I believe were doing something wrong when building OpenSSL for multilib.
> See https://bugs.archlinux.org/task/21248 .
>
> Also, a opensslconf.h is generated that's different from the 64-bit build.
> Do you have an opinion on how to handle this? I wanted to rename the different
> headers into opensslconf-64.h and opensslconf-32.h and create a opensslconf.h
> that includes the right one based on wordsize.
>
> So far we weren't aware of the header problem (We simply used the 64-bit
> headers), and I believe this could have been the cause of a crash in 32-bit
> wine, see https://bugs.archlinux.org/task/22045 . However, testing with the
> above method didn't fix the crashing. Still, I believe it would be the correct
> thing to do.
>
> The entire buildscript we are using for lib32-openssl is available at
> http://projects.archlinux.org/svntogit/community.git/tree/lib32-openssl/trunk/

Can I please have some input on this?
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: SSL_ERROR_WANT_READ and SSL_ERROR_WANT-WRITE question

2011-03-07 Thread Yan, Bob 
Thank you very much, David,

In general, if the application use "select/poll" system function to check the 
readable of underline BIO and invoke the SSL_read/SSL_write only if there are 
data available on the socket, can the deadlock still happened?

Specially, in your last statement "At step 3 above, the reader thread is now 
blocking waiting for the renegotiation data to arrive on the socket. But that 
renegotiation data has already been received and read by the SSL engine. So the 
thread will block indefinitely waiting for something that has already 
happened.", the question is that if the underline socket is non-blocking and 
the application is using select/poll to check the readable of SSL connection 
and then invoke the SSL_write/SSL_read call, can this deadlock still happen?

Thanks
Bob


-Original Message-
From: David Schwartz [mailto:dav...@webmaster.com] 
Sent: Monday, March 07, 2011 3:43 PM
To: openssl-users@openssl.org
Cc: Yan, Bob
Subject: Re: SSL_ERROR_WANT_READ and SSL_ERROR_WANT-WRITE question

On 3/7/2011 2:45 PM, Yan, Bob wrote:

> My question is that if my Reader thread gets a SSL_ERROR_WANT_WRITE 
> error from SSL_read function call, can my Writer thread do the 
> SSL_write operation right after the Reader's SSL_read operation?

Yes.

 > Or, if my Writer
> thread gets a SSL_ERROR_WANT_READ error from SSL_write call, can my 
> Reader thread do the SSL_read just following the Writer's SSL_write 
> operation?

Yes.

 > Basically is that ok to mix the SSL_read and SSL_write
> function by two different threads regardless the returning error code?

Yes, there is one very important caveat though -- an SSL connection has one and 
only one state. So the following sequence of operations will get you in big 
trouble:

1) Reader thread calls SSL_write, gets WANT_READ.

2) Writer thread calls SSL_read, gets WANT_READ.

3) Reader thread (not knowing what happened in step 2) calls 'select' or 
similar function in response to the WANT_READ it got in step 1 and does not 
call SSL_write again until the socket is readable.

After step 2, the state of the SSL connection is 'data must be read from the 
socket in order to read from the SSL connection'. It is an error to assume that 
the WANT_READ returned in step 1 is still valid since step 2 may have 
invalidated it.

This can cause your code to deadlock in real world situations. For example, 
supposed the SSL connection is in the process of renegotiating:

At step 1 above suppose it has sent the last thing it needed to send to 
complete the renegotiation and now it just must read the last bit of 
renegotiation data before it can continue to make further forward progress. So 
it returns WANT_READ.

At step 2 above, the engine knows it needs to read from the socket to make 
further progress, so it does. Suppose the renegotiation data has all arrived 
and it reads all of it, but there's no application data to read, so it returns 
WANT_READ.

At step 3 above, the reader thread is now blocking waiting for the 
renegotiation data to arrive on the socket. But that renegotiation data has 
already been received and read by the SSL engine. So the thread will block 
indefinitely waiting for something that has already happened.

DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: how to use a preloaded certificate

2011-03-07 Thread ikuzar 
2011/3/7 Dave Thompson 

> >   From: owner-openssl-us...@openssl.org On Behalf Of ikuzar
> >   Sent: Monday, 07 March, 2011 10:00
>
> >   I have a function my_initialize( ) which initialize a lot
> > of thing before doing my_connect( ), my_accept( ), etc.
>
> >   In my_initialize( ), I call :
> >   - SSL_library_init();
> >   - SSL_load_error_strings();
>
> >   In my_connect( ), I set handshake:
> >   - meth = TLSv1_method( );
> >   - ctx = SSL_CTX_new(meth);
> >   - SSL_CTX_set_cipher_list( )
> >   - SSL_CTX_use_certificate_file( )
> >   - ...
>
> Presumably also (at least) use_PrivateKey (matching the cert)
> and ending with ssl = SSL_new (ctx).
> => That's OK
> >   - SSL_connect( )
>
> >   now, I have to load certificate in my_initialize( )
> > and not in my_connect( ). How must I tell SSL_connect ( )
> > that the certificate is already loaded in my_initialize( )
> > and it must use this certificate to process handshake ?
>
> Create and set-up ctx (SSL_CTX object) in initialize, and
> later use ctx to create an SSL object for the/each connection.
> This is exactly why SSL_CTX exists: to store, once and possibly
> in advance, the parameters for possibly multiple connections.
> => I exactly did it. But the guy who started developping the project had
> build a certmanager class. He loaded certificates into a cache in
> certmanager. He loaded certificates in my_initialize( ) and added them into
> certmanager... He did not use openssl, he simulated what openssl do. For the
> moment I have to continue his work and later, I 'll change it.
>
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>

Re: SSL_ERROR_WANT_READ and SSL_ERROR_WANT-WRITE question

2011-03-07 Thread David Schwartz 

On 3/7/2011 2:45 PM, Yan, Bob wrote:


My question is that if my Reader thread gets a SSL_ERROR_WANT_WRITE
error from SSL_read function call, can my Writer thread do the SSL_write
operation right after the Reader’s SSL_read operation?


Yes.

> Or, if my Writer

thread gets a SSL_ERROR_WANT_READ error from SSL_write call, can my
Reader thread do the SSL_read just following the Writer’s SSL_write
operation?


Yes.

> Basically is that ok to mix the SSL_read and SSL_write

function by two different threads regardless the returning error code?


Yes, there is one very important caveat though -- an SSL connection has 
one and only one state. So the following sequence of operations will get 
you in big trouble:


1) Reader thread calls SSL_write, gets WANT_READ.

2) Writer thread calls SSL_read, gets WANT_READ.

3) Reader thread (not knowing what happened in step 2) calls 'select' or 
similar function in response to the WANT_READ it got in step 1 and does 
not call SSL_write again until the socket is readable.


After step 2, the state of the SSL connection is 'data must be read from 
the socket in order to read from the SSL connection'. It is an error to 
assume that the WANT_READ returned in step 1 is still valid since step 2 
may have invalidated it.


This can cause your code to deadlock in real world situations. For 
example, supposed the SSL connection is in the process of renegotiating:


At step 1 above suppose it has sent the last thing it needed to send to 
complete the renegotiation and now it just must read the last bit of 
renegotiation data before it can continue to make further forward 
progress. So it returns WANT_READ.


At step 2 above, the engine knows it needs to read from the socket to 
make further progress, so it does. Suppose the renegotiation data has 
all arrived and it reads all of it, but there's no application data to 
read, so it returns WANT_READ.


At step 3 above, the reader thread is now blocking waiting for the 
renegotiation data to arrive on the socket. But that renegotiation data 
has already been received and read by the SSL engine. So the thread will 
block indefinitely waiting for something that has already happened.


DS

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

How to disable SSL/TLS Renegotiation

2011-03-07 Thread Yan, Bob 
I have two questions regarding to SSL/TLS Renegotiation:

1) Can SSL/TLS Renegotiation happen automatically during the normal SSL_read 
and SSL_write operation on a SSL connection? Basically if the application 
doesn't invoke the SSL_renegotiate function, can SSL/TLS Renegotiation still 
happen automatically on a SSL connection?

2) Can the SSL/TLS Renegotiation be disabled? Such as if the peer requests the 
SSL/TLS renegotiation, the SSL_read or SSL_write will return an error but not 
SSL_ERROR_WANT_READ/WRITE?

Thanks
Bob

SSL_ERROR_WANT_READ and SSL_ERROR_WANT-WRITE question

2011-03-07 Thread Yan, Bob 
Thread are two threads in my application and one thread is called Reader and 
another one is Writer. The Reader thread calls the SSL_read function to receive 
the incoming data from the SSL socket connection; and the Writer thread invokes 
the SSL_write function to send out the data to the same SSL connection. In 
order to prevent Reader and Writer thread access the same SSL connection at the 
same time, I have placed a mutex to avoid this situation.

My question is that if my Reader thread gets a SSL_ERROR_WANT_WRITE error from 
SSL_read function call, can my Writer thread do the SSL_write operation right 
after the Reader's SSL_read operation? Or, if my Writer thread gets a 
SSL_ERROR_WANT_READ error from SSL_write call, can my Reader thread do the 
SSL_read just following the Writer's SSL_write operation? Basically is that ok 
to mix the SSL_read and SSL_write function by two different threads regardless 
the returning error code?

Thank you for your time!
Bob

openSSL

2011-03-07 Thread Roger Fernandes 
I am new to openSSL and wanted to port openSSL to an RTOS platform that does
not have the configure system.

The RTOS has its own file and network libraries .

The current use that I have for openSSL is to use it via libcurl .  I only
need support to do SSL  .

Which source files ( modules)  do I compile ?

Is there some documentation that explains installing openSSL on such systems
?


Regards
Rog.

RE: how to use a preloaded certificate

2011-03-07 Thread Dave Thompson 
>   From: owner-openssl-us...@openssl.org On Behalf Of ikuzar
>   Sent: Monday, 07 March, 2011 10:00

>   I have a function my_initialize( ) which initialize a lot 
> of thing before doing my_connect( ), my_accept( ), etc.

>   In my_initialize( ), I call :
>   - SSL_library_init();
>   - SSL_load_error_strings();

>   In my_connect( ), I set handshake:
>   - meth = TLSv1_method( );
>   - ctx = SSL_CTX_new(meth);
>   - SSL_CTX_set_cipher_list( )
>   - SSL_CTX_use_certificate_file( )
>   - ...

Presumably also (at least) use_PrivateKey (matching the cert)
and ending with ssl = SSL_new (ctx).

>   - SSL_connect( )

>   now, I have to load certificate in my_initialize( ) 
> and not in my_connect( ). How must I tell SSL_connect ( ) 
> that the certificate is already loaded in my_initialize( ) 
> and it must use this certificate to process handshake ? 

Create and set-up ctx (SSL_CTX object) in initialize, and 
later use ctx to create an SSL object for the/each connection.
This is exactly why SSL_CTX exists: to store, once and possibly 
in advance, the parameters for possibly multiple connections.



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

RE: Installing a .cer file in IE

2011-03-07 Thread Dave Thompson 
>   From: owner-openssl-us...@openssl.org On Behalf Of Jaquez Jr, Hector
L.
>   Sent: Monday, 07 March, 2011 14:37

>   I created a .csr file and had my access control team create me 
> a certificate since my original had expired.  I was under the assumption 
> I could just import the cert in IE from the IE options and it would work.

> It is not working and I am still showing that my certificate is expired.  
> I wanted to find out how to install a cert in IE via openssl command line.

> If you need any additional information please ask.

Do you mean you created a CSR and got a cert for a keypair created by, 
or converted to, openssl? If so, IE* needs both privatekey and cert, 
from a PKCS12 which openssl can create:
  openssl pkcs12 -export -in mycer -inkey mykey -out myp12

(* actually the Windows store, used by IE and possibly others)



__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Inserting lib version in .so file

2011-03-07 Thread Gérald 

Hi,

  I've got an interrogation on .so file !

I'm compiling the 0.9.8r file of openssl using the config command with 
those  "threads shared zlib-dynamic" options ... All is going fine


 My question is :

 Why i'm not finding the version in the openssl/lib/libcrypto.so.0.9.8 
when i'm using the command : #objdump -p  openssl/lib/libcrypto.so.0.9.8 ?


My objdump -p result :

openssl/lib/libcrypto.so.0.9.8: file format elf64-x86-64

Dynamic Section:
  NEEDED   libdl.so.2
  NEEDED   libc.so.6
  SONAME   libcrypto.so.0.9.8
  SYMBOLIC 0x
  INIT 0x00069a68
  FINI 0x0011f428
  HASH 0x01b8
  GNU_HASH 0x56c0
  STRTAB   0x0001f7a8
  SYMTAB   0xba38
  STRSZ0xf4ff
  SYMENT   0x0018
  PLTGOT   0x0036caa0
  PLTRELSZ 0x08e8
  PLTREL   0x0007
  JMPREL   0x00069180
  RELA 0x00030780
  RELASZ   0x00038a00
  RELAENT  0x0018
  VERNEED  0x00030720
  VERNEEDNUM   0x0002
  VERSYM   0x0002eca8
  RELACOUNT0x25b5

Version References:
  required from libdl.so.2:
0x09691a75 0x00 05 GLIBC_2.2.5
  required from libc.so.6:
0x0d696913 0x00 04 GLIBC_2.3
0x0d696917 0x00 03 GLIBC_2.7
0x09691a75 0x00 02 GLIBC_2.2.5

When i executin an objdump -p on the libcrypto.so.0.9.8 of my 
distribution i have this :

openssl/lib/libcrypto.so.0.9.8: file format elf64-x86-64

Program Header:
LOAD off0x vaddr 0x paddr 
0x align 2**21

 filesz 0x00174aac memsz 0x00174aac flags r-x
LOAD off0x00175000 vaddr 0x00375000 paddr 
0x00375000 align 2**21

 filesz 0x00027e28 memsz 0x0002b898 flags rw-
 DYNAMIC off0x00180fa8 vaddr 0x00380fa8 paddr 
0x00380fa8 align 2**3

 filesz 0x01e0 memsz 0x01e0 flags rw-
NOTE off0x0190 vaddr 0x0190 paddr 
0x0190 align 2**2

 filesz 0x0024 memsz 0x0024 flags r--
EH_FRAME off0x0015315c vaddr 0x0015315c paddr 
0x0015315c align 2**2

 filesz 0x7304 memsz 0x7304 flags r--
   STACK off0x vaddr 0x paddr 
0x align 2**3

 filesz 0x memsz 0x flags rw-

Dynamic Section:
  NEEDED   libdl.so.2
  NEEDED   libz.so.1
  NEEDED   libc.so.6
  SONAME   libcrypto.so.0.9.8
  INIT 0x00073e38
  FINI 0x00132e48
  HASH 0x01b8
  GNU_HASH 0x5748
  STRTAB   0x0001fbc8
  SYMTAB   0xbb28
  STRSZ0xf6cb
  SYMENT   0x0018
  PLTGOT   0x003819d8
  PLTRELSZ 0xa230
  PLTREL   0x0007
  JMPREL   0x00069c08
  RELA 0x00030de8
  RELASZ   0x00038e20
  RELAENT  0x0018
  VERDEF   0x00030d50
  VERDEFNUM0x0002
  VERNEED  0x00030d88
  VERNEEDNUM   0x0002
  VERSYM   0x0002f294
  RELACOUNT0x225e

Version definitions:
1 0x01 0x0745b558 libcrypto.so.0.9.8
2 0x00 0x06692428 OPENSSL_0.9.8

Version References:
  required from libdl.so.2:
0x09691a75 0x00 06 GLIBC_2.2.5
  required from libc.so.6:
0x0d696913 0x00 05 GLIBC_2.3
0x0d696917 0x00 04 GLIBC_2.7
0x09691a75 0x00 03 GLIBC_2.2.5


As you can see there an "Version definitions" section that i don't have :

Version definitions:
1 0x01 0x0745b558 libcrypto.so.0.9.8
2 0x00 0x06692428 OPENSSL_0.9.8

How can i tell the configure to add the necessary option to the linker 
for obtaining this "Version References" Section ???


That's the same for the openssl/lib/libssl.so.0.9.8

Thanks in advance for your answer,

Gérald.
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Installing a .cer file in IE

2011-03-07 Thread Jaquez Jr, Hector L. 
I created a .csr file and had my access control team create me a certificate 
since my original had expired.  I was under the assumption I could just import 
the cert in IE from the IE options and it would work.  It is not working and I 
am still showing that my certificate is expired.  I wanted to find out how to 
install a cert in IE via openssl command line.  If you need any additional 
information please ask.

Hector L. Jaquez Jr.
Data Security Analyst II
HQ AAFES, Information Technology
W 214-312-4449
BB 214-794-3641
jaqu...@aafes.com

Re: Compilation Error in application referencing FIPS Object Module using g++

2011-03-07 Thread Dr. Stephen Henson 
On Mon, Mar 07, 2011, raghib nasri wrote:

> Do you mean to say I should modify fipsld to use gcc for compiling
> fips_premain.c. Or is there any way to still use g++ for my application with
> minimal  change in fipsld.  Please suggest.
> 

Well two options, one is to change it to use gcc just for the compilation of
fips_premain.c, the other is to modify the part that embeds the signature so
it uses 40 characters instead of 40+1 null.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

Re: how to load certificates into a share memory

2011-03-07 Thread ikuzar 
Hi,
for 2) it is OK
for 1) I do not understand ...
-- I 'd like to retrieve x509 certificate and store it into a X509 object. I
do not want to converts ANSO DER strings to X509 objects for the moment.
   I want something like this :
 x509* cert;
 cert =
SSL_get_certificate(/home/me/mywork/certificates/server_cert.pem);

-- what did you mean with "you can reference the source code..." ,
"...reference the SSL_use_certificate_file( ) ..." ?
I 'd like to load certificate apart from Handshake process.
Thanks.


2011/2/7 Aro RANAIVONDRAMBOLA 

> Thanks,
> I 'd like to know also if there is a way to duplicate certificate issued
> from handshake. In fact, I 'd like to store client certificate in my cache
> and use it later. ( => send it to another client ).
>
> 2011/2/7 lzyzizi 
>
> 1)All X509 operations are in the x509 module(folder).You may see the x509.h
>> for more details.To load a X509 object , you can use d2i_X509 which converts
>> the ANSI DER strings to X509 object(you can see the openssl doc for more
>> function details).
>> Also,you can reference the source code in ssl folder.I recommend you to
>> reference the "int SSL_use_certificate_file(SSL *ssl, const char *file, int
>> type)" function's  implementation,which will tell you how to load a x509.
>>
>> 2)To get the information from the X509 object, you should see the x509.h.
>> To get  "CN ,OU..." , you can use "X509_NAME *
>> X509_get_issuer_name(X509 *a);" or "X509_NAME *
>> X509_get_subject_name(X509 *a);"
>> To get a serial number , you can use "ASN1_INTEGER *
>> X509_get_serialNumber(X509 *x);"
>>
>>
>> At 2011-02-07 04:08:30,"Aro RANAIVONDRAMBOLA"  wrote:
>>
>> Hello,
>> I work with C++ language. I'd like to create a class named "certificate"
>> in which I 'll have a X509 object  and fonctions member like
>> verify_certificate.
>> 1) I would like to know how to load X509 certificate object, I do not see
>> any fonction in the API which can do it ( out of handshake fonctions ).
>> 2) Then How to parse this X509 certificate ( in pem format for example ).
>> I must retrieve "serial number", "cn" etc ...
>> Thanks for your help
>>
>>
>>
>>
>

Re: Compilation Error in application referencing FIPS Object Module using g++

2011-03-07 Thread raghib nasri 
Do you mean to say I should modify fipsld to use gcc for compiling
fips_premain.c. Or is there any way to still use g++ for my application with
minimal  change in fipsld.  Please suggest.

On Mon, Mar 7, 2011 at 9:15 PM, Dr. Stephen Henson wrote:

> On Mon, Mar 07, 2011, raghib nasri wrote:
>
> > Hi,
> >I am using FIPS Object Module and encountered an error while
> > compiling my application using g++.
> >?fips_premain.c:71: error: initializer-string for array of chars
> is
> > too long?
> >I cannot change fips_premain.c  since its part of FIPS validation
> I
> > guess.
> >Please suggest any sollution.
>
> Although you can't modify fips_premain.c you can modify fipsld: which
> doesn't
> have to the be the standard one as long as it follows the rules in the
> security policy.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> __
> OpenSSL Project http://www.openssl.org
> User Support Mailing Listopenssl-users@openssl.org
> Automated List Manager   majord...@openssl.org
>

Re: Compilation Error in application referencing FIPS Object Module using g++

2011-03-07 Thread Dr. Stephen Henson 
On Mon, Mar 07, 2011, raghib nasri wrote:

> Hi,
>I am using FIPS Object Module and encountered an error while
> compiling my application using g++.
>?fips_premain.c:71: error: initializer-string for array of chars is
> too long?
>I cannot change fips_premain.c  since its part of FIPS validation I
> guess.
>Please suggest any sollution.

Although you can't modify fips_premain.c you can modify fipsld: which doesn't
have to the be the standard one as long as it follows the rules in the
security policy.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   majord...@openssl.org

how to use a preloaded certificate

2011-03-07 Thread ikuzar 
Hello,
I have a function my_initialize( ) which initialize a lot of thing before
doing my_connect( ), my_accept( ), etc.

In my_initialize( ), I call :
- SSL_library_init();
- SSL_load_error_strings();

In my_connect( ), I set handshake:
- meth = TLSv1_method( );
- ctx = SSL_CTX_new(meth);
- SSL_CTX_set_cipher_list( )
- SSL_CTX_use_certificate_file( )
- ...
- SSL_connect( )

now, I have to load certificate in my_initialize( ) and not in my_connect(
). How must I tell SSL_connect ( ) that the certificate is already loaded in
my_initialize( ) and it must use this certificate to process handshake ?

Thanks.